Channel: Fast Company

Ahoy! Whaling Is The New Phishing: Is Your Boss Really Your Boss?


If your boss tells you to move company money to a new account, you may want to double-check with him IRL.

Whaling attacks—during which phishers pretend to be high-level executives to trick employees into sending them money—appear to be on the rise, security firm Mimecast warned Wednesday.

"Emails appearing to be sent from the CEO or CFO are used to trick finance staff into making illegitimate wire transfers to the attackers," the company said in an advisory. "Whaling emails can be more difficult to detect because they don't contain a hyperlink or malicious attachment, and rely solely on social-engineering to trick their targets."

Attackers can figure out who to contact and who to impersonate using LinkedIn, Twitter, and other social media services, and don't have to rely on technical sophistication, according to the advisory.

They'll often create fake domain names that sound similar to those of their corporate targets, and start with a simple message to a member of the target company's finance team, according to Mimecast.

"The email is typically well structured, with correct grammar and spelling, making it look as innocuous as possible," the company warns. "Typically the initial contact will be brief and to the point; something similar to 'I need you to complete a task ASAP, are you in the office?'"

They'll then follow with instructions to wire money to an account controlled by the attackers.

Mimecast reports that a recent survey found more than half of companies have seen an increase in whaling attacks in the past three months, with the majority impersonating company CEOs. The company advises executives to warn their staff about the possibility of such attacks and to take technical precautions, like having software clearly flag emails originating from outside genuine corporate domains.

"Carry out tests within your own business," Mimecast suggests. "Build your own Whaling attack as an exercise to see how vulnerable your staff are."
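One way to implement the flagging precaution described above, as an added example that is neither Mimecast's code nor part of the original article: it parses an inbound message's headers with Python's standard `email` module, treats any sender outside a configured set of genuine corporate domains as external, and additionally flags look-alike domains (confusable characters, or within two edits of a real domain), executive display names arriving from outside, and a Reply-To that differs from the From address. The corporate domain, executive names and the three sample messages are constructed placeholders.

```python
"""Banner-flag inbound mail that claims an executive identity but originates
outside the genuine corporate domains. Added example; all domains, names and
messages below are constructed placeholders, not data from the article."""
from email import message_from_string
from email.utils import parseaddr

# Genuine corporate domains (constructed placeholder).
CORPORATE_DOMAINS = {"example-corp.com"}

# Executives whose display names attackers most often borrow (constructed).
PROTECTED_NAMES = {"jane doe", "john roe"}


def normalize_confusables(domain: str) -> str:
    """Map common look-alike characters back to the letters they imitate."""
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
    return domain.lower().translate(table).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message: str) -> list:
    """Return the reasons a message should carry a warning banner (empty = clean)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if domain in CORPORATE_DOMAINS:
        return reasons  # internal sender: nothing to flag on domain grounds
    reasons.append(f"external sender domain: {domain or '<none>'}")
    for corp in CORPORATE_DOMAINS:
        # Either confusable-normalised equality or a short edit distance counts.
        if normalize_confusables(domain) == corp or edit_distance(domain, corp) <= 2:
            reasons.append(f"look-alike of corporate domain {corp}")
    if display.strip().lower() in PROTECTED_NAMES:
        reasons.append(f"display name matches executive '{display}' but sender is external")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        reasons.append(f"Reply-To differs from From: {reply}")
    return reasons


# Constructed sample messages (headers only matter for this check).
WHALING_MSG = (
    "From: Jane Doe <jane.doe@examp1e-corp.com>\n"
    "Reply-To: jane.doe@mail-relay.example.net\n"
    "Subject: are you in the office?\n\n"
    "I need you to complete a task ASAP.\n"
)
INTERNAL_MSG = (
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "Subject: board deck\n\n"
    "Draft attached for review.\n"
)
VENDOR_MSG = (
    "From: Accounts Payable <billing@vendor.example.net>\n"
    "Subject: Invoice 4471\n\n"
    "Invoice attached.\n"
)

if __name__ == "__main__":
    for label, sample in (("whaling", WHALING_MSG), ("internal", INTERNAL_MSG), ("vendor", VENDOR_MSG)):
        print(label, "->", classify_sender(sample) or "no flags")
```

The look-alike test is deliberately two-pronged: confusable normalisation catches substitutions such as `1` for `l`, while the edit-distance bound catches dropped or swapped characters that normalisation misses. A real gateway would also consult SPF/DKIM results, but the header-only checks above already separate the constructed whaling message from ordinary external vendor mail.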


IBM's Watson Can Figure Out A Lot About You--Just By Looking At Your Social Media


IBM's Watson computer has branched out into social media consulting.

IBM recently worked with NPR tech reporter Aarti Shahani to analyze Shahani's personality based on her Facebook and Twitter posts with its Personality Insights API, and Shahani says the results were extremely accurate.

Sample Personality Analysis

"It feels so spot on to me that I don't actually want to publish the pie chart that I got from Watson," she told Fast Company.

But Shahani was willing to share a sample of the computer's findings, which translated her social media writings into numerical measurements of the strength of dozens of her personality traits.

"It's a pie chart with about 50 traits, each with a percentile score: kind of like the SAT, ranking you compared to others," she said in an NPR segment discussing the experiment.

One clear result the computer found: a tendency to challenge authority. Watson gave her an 83% rating along that axis, something she says she found hard to disagree with.

"I guess that's a very consistent part of who I am, and even as it gets older it doesn't seem to fade," she says. "It's one of the findings that made me feel there's something to this."

Watson even picked up on some traits she feels might not be entirely obvious to those around her: Measuring extraversion, for example, the computer gave her a rating of just 35%, something she says might not be immediately obvious to those who see her interacting with others socially or professionally.

"I do need a lot of alone time, so it puts me in the lower end of extraversion in the universe of people that it's analyzed, and that seems to me actually pretty accurate, and even something that people who are close to me wouldn't necessarily get about me," she says.

The scientists behind Watson have trained the computer to use statistical models to map online writings to personality traits, something that's useful, not just for armchair psychology, but for other areas like targeted marketing.

"IBM also found that people with high openness and low emotional range (neuroticism) as inferred from social media language responded more favorably (for example, by clicking an advertisement link or following an account), results that have been corroborated with survey-based, ground-truth checking," according to the company. "For example, targeting the top 10% of users in terms of high openness and low emotional range resulted in increases in click rate from 6.8% to 11.3%, and in follow rate from 4.7% to 8.8%."

People who measure highly for "modesty, openness, and friendliness" are also more likely to retweet information when asked, company researchers have found.

Shahani says she was surprised to find Watson gave pretty similar assessments of her personality from both Twitter and Facebook.

"I really thought Facebook is the place where I'm myself, and Twitter is the place where I'm a snarky know-it-all," she says. "I really thought there would be a difference, but they were pretty consistent, so that surprised me."

It is, however, in line with studies that say personality is basically fixed after young adulthood, which Shahani says might also dissuade anyone who'd try to turn a Watson-style analysis into a guide for self-improvement.

It's also not clear how easy it would be to manipulate posts to change Watson's assessment, though it seems likely that if the stakes get high enough—if similar algorithms were being used for, say, hiring purposes, or something more dystopian still like China's proposed "social credit" ratings—someone will give it a try.

"If I knew that a potential employer could use this kind of tool to analyze me, would I then start to think about what kind of self am I portraying online, because there's certain kinds of jobs I want?" asks Shahani. "I could totally see people doing that."

Right now, IBM says some of its commercial partners are already working with Personality Insights and other Watson APIs to build tools around them.

"For example, StatSocial is a social data company that enables brands and publishers to understand, segment, and target their audiences on the web," an IBM spokesperson wrote in an email to Fast Company. "Using the Watson Personality Insights API, StatSocial analyzes social and blog content to identify the personality types, values, and needs of hundreds of millions of consumers across the world."

And for those who want to see how their personalities are reflected in their own writings—or anyone else's—the company offers a free online demo.


It's Been A Challenging Year But Bitcoin Is Still Booming


Though headlines about bitcoin this year have focused on the challenges facing the cryptocurrency, it's still booming with some of the highest mining and transaction rates in its history, according to recent statistics.

The digital currency has yet to find the "killer app" that would make it an essential part of the average consumer's Internet toolkit. Several bitcoin-related services shut down in recent months, some amid allegations of fraud, which only highlighted the continued risks that deals tied to the currency can pose for casual investors. As a result, some companies are building alternative networks based on the technology behind bitcoin.

But the bitcoin network's hash rate—a measurement of the amount of computing power being devoted to mining the currency—reached an all-time high this month, and the week ending Tuesday saw the most bitcoin transactions of any seven-day period since bitcoin's inception, according to statistics from the bitcoin data service Kaiko.

Each of those transactions is automatically disseminated to the global bitcoin network and recorded by bitcoin miners to a shared transaction ledger known as the blockchain. Miners use specialized, high-powered servers to group new transactions into sets called blocks that meet certain mathematical specifications when looked at in combination with blocks that have previously been formed.

For that, they're rewarded with newly created bitcoin, plus small transaction fees, for each mathematically valid block added to the transaction chain. In order to keep new bitcoin flowing at a steady rate, the network automatically adjusts the range of values of a mathematical hash function that valid blocks can produce as the amount of computing power devoted to mining increases or decreases.

At present, the global network of miners computes about 700 quadrillion hashes, or 700 petahashes, per second. Valery Vavilov, the CEO of bitcoin mining technology company BitFury, predicted in an email to Fast Company the network will soon enter the "exahash era," computing more than one quintillion hashes every second, thanks in part to new speedier mining chips it's set to release early next year.

While BitFury conducts its own mining operations on a grand scale—the company just opened a massive new data center in Tbilisi, Georgia, last week that Vavilov says will on its own ultimately transform 40 megawatts of power into between 400 and 650 petahash—it also offers its chips for sale to other miners. It does so because, although controlling more mining capacity generally means more blocks added to the chain and more bitcoin revenue, the bitcoin community is inherently fearful of any one organization controlling more than half of the world's mining capacity.

"As a responsible player in the Bitcoin community, we will be working with integration partners and resellers to make our unique technology widely available ensuring that the network remains decentralized and we move into the exahash era together," Vavilov said in a recent statement.

Having any one company controlling the majority of mining capacity would give it too much power to manipulate which transactions get recorded to the permanent chain and in which order and could trigger a bitcoin sell-off if users come to distrust the currency.

At present, bitcoin is trading roughly 35% higher against the dollar than at this point last year, at roughly $435 per bitcoin, though that's still far from its peak just over two years ago, when it briefly traded for more than $1,200 per coin. The currency fell from those highs after the collapse of troubled Tokyo-based bitcoin exchange Mt. Gox.

And while this year bitcoin became easier than ever to buy and sell, thanks to an expanding network of bitcoin ATMs, bitcoin exchanges, and peer-to-peer trades through services like the classified advertising site LocalBitcoins, the currency's backers have yet to find a way to make it indispensable to the average Internet user.

The past year also saw the collapse of a number of bitcoin-related businesses, from mining companies affected by the currency's decline in value to consumer-facing businesses that failed to gain traction.

The bitcoin mining pool BTC Guild, which enabled miners to share the risks and rewards of mining the digital currency, shut down this summer citing increased competition and regulatory uncertainty. Dutch firm Mining ASICS Technology declared bankruptcy in January after being unable to deliver pre-ordered mining hardware, according to bitcoin news service CoinDesk. Connecticut-based mining company GAW Miners fell into disarray amid controversy over its own bitcoin alternative, called PayCoin, and a lawsuit by the Securities and Exchange Commission alleging it fraudulently oversold stakes in its Hashlets mining operation.

"There was no computer equipment to back up the vast majority of Hashlets that defendants sold," the SEC alleges.

On the consumer side, bitcoin-based crowdfunding site Swarm shut down amid disputes between its founders and a lack of funds, according to news service CoinTelegraph. Bitcoin exchanges Yacuna, Harborly, and Vault of Satoshi, each of which allowed customers to trade bitcoin for conventional currency, all also ceased operations in 2015, according to CoinDesk.

In the meantime, a wide variety of financial and tech companies have begun to look seriously at harnessing the underlying blockchain technology—and, in some cases, even the bitcoin network itself—for recording other types of financial transactions.

"Advancement in distributed ledgers can provide tremendous evolutionary opportunities in financial services, and drive new opportunities and efficiencies in institutional investing," said Antoine Shagoury, global chief information officer at State Street, in a recent statement.

State Street joined banks like JPMorgan and Wells Fargo, along with tech companies like IBM and Intel, last week in announcing a joint effort to pursue open source enterprise blockchain technology, managed through the nonprofit Linux Foundation.

The companies are betting that the same basic data structures that enable bitcoin users to track how that digital currency is transferred can also be used to track ownership of more traditional assets. Similar cryptographically secure hash functions can ensure shared ledgers stay tamper-proof, and the standardized block formats can take some of the pain out of transactions that now require updating differently formatted databases across multiple institutions.
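The following toy ledger is an added example covering two passages of this article: the mining and target-adjustment mechanics described earlier (blocks whose hash must fall within a range the network tightens or loosens as computing power changes) and the tamper-evidence claim in the preceding paragraph (a hash chain in which editing any past record breaks every later link). It is not Bitcoin's, BitFury's or any consortium's code; the block format (SHA-256 over a canonical JSON record), the 12-bit difficulty and the 2-second block interval are simplifications chosen for the illustration.

```python
"""Toy proof-of-work ledger: mining against a target, retargeting, and
tamper detection on the resulting hash chain. Added example with simplified,
constructed parameters; not Bitcoin's actual block format or rules."""
import copy
import hashlib
import json
from fractions import Fraction

TARGET_SECONDS_PER_BLOCK = 2  # constructed for the demo; Bitcoin uses 600
MAX_TARGET = 2 ** 256 - 1     # loosest possible target: every hash qualifies


def block_hash(block: dict) -> str:
    """SHA-256 of every field except the stored hash; sorted JSON keeps it canonical."""
    record = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def mine(prev_hash: str, txs: list, target: int, timestamp: int) -> tuple:
    """Try nonces until the block hash, read as an integer, is <= target.
    Returns (block, hashes_tried) so the work spent can be inspected."""
    nonce = 0
    while True:
        block = {"prev": prev_hash, "txs": txs, "time": timestamp, "nonce": nonce}
        h = block_hash(block)
        if int(h, 16) <= target:
            block["hash"] = h
            return block, nonce + 1
        nonce += 1


def target_for_difficulty(leading_zero_bits: int) -> int:
    """Require roughly 2**leading_zero_bits hashes per block on average."""
    return MAX_TARGET >> leading_zero_bits


def adjust_target(target: int, actual_seconds: int, expected_seconds: int) -> int:
    """Retarget: blocks arriving too fast tighten the target, too slow loosen it.
    Exact rational arithmetic; the change is clamped to a factor of 4 per step."""
    ratio = Fraction(actual_seconds, expected_seconds)
    ratio = max(Fraction(1, 4), min(Fraction(4), ratio))
    return min(MAX_TARGET, int(target * ratio))


def verify_chain(chain: list, target: int) -> bool:
    """Each block must hash to its stored hash, meet the target and point at its
    predecessor; editing any earlier transaction invalidates the stored hash."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"] or int(block["hash"], 16) > target:
            return False
        expected_prev = "0" * 64 if i == 0 else chain[i - 1]["hash"]
        if block["prev"] != expected_prev:
            return False
    return True


def build_chain(n_blocks: int, target: int) -> list:
    """Mine n_blocks consecutive blocks of constructed transactions."""
    chain, prev = [], "0" * 64
    for i in range(n_blocks):
        block, _ = mine(prev, [f"tx{i}: alice pays bob {i + 1}"], target, 1_000 + 2 * i)
        chain.append(block)
        prev = block["hash"]
    return chain


def tamper_detected(chain: list, target: int) -> bool:
    """Rewrite a transaction in a copy of the first block; verification must fail."""
    forged = copy.deepcopy(chain)
    forged[0]["txs"][0] = "tx0: alice pays mallory 100"
    return not verify_chain(forged, target)


if __name__ == "__main__":
    target = target_for_difficulty(12)
    chain = build_chain(3, target)
    print("chain valid:", verify_chain(chain, target))
    print("tamper detected:", tamper_detected(chain, target))
    # Blocks came in twice as fast as intended, so the target halves.
    print("tightened target:", hex(adjust_target(target, 1, TARGET_SECONDS_PER_BLOCK)))
```

Two things the code makes concrete that the prose only states: the "range of values" the network adjusts is literally an integer threshold the hash must fall under, so halving it doubles the expected work; and because each block commits to its predecessor's hash, a forged transaction in block 0 cannot be hidden without re-mining every block after it, which is why a majority of the hash rate is the only practical way to rewrite history.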

"Distributed ledger technology will unlock the full 'digital' potential of capital markets and the wider financial services industry by enabling a shift away from the current reconciliation based systems that are very expensive and highly inefficient," said David Treat, the managing director of financial services at Accenture, in a statement announcing the company's participation.

And Overstock.com, which experimented with the sale of special bonds whose ownership was recorded on the actual bitcoin blockchain earlier this year, announced this month that it obtained approval from the Securities and Exchange Commission to offer additional securities transferred through that same shared ledger.

"Unless otherwise described in the applicable prospectus supplement, transactions in our digital securities on the [new trading system] will utilize the Bitcoin blockchain as the relevant distributed ledger, thereby capitalizing on Bitcoin's established algorithm-based consensus approach to validating ownership records," the company said in a November SEC filing.


Data on 191 Million U.S. Voters Was Leaked Online, Says Security Researcher


A security researcher with a knack for uncovering data breaches says he's discovered a trove of information including names, addresses, phone numbers, and dates of birth for more than 191 million U.S. voters on a publicly available server.

Researcher Chris Vickery says the database, which appears to be stored on a server accidentally configured to be accessible to the public, doesn't contain information like Social Security numbers or driver's license numbers, according to a Monday post on DataBreaches.net, an anonymously published watchdog site that frequently shares his findings. The database lists whether voters are registered with a particular party but not how they've actually voted in particular elections.

Vickery has previously reported millions of accounts' worth of data mistakenly stored in publicly accessible databases by insurance claim management software company Systema Software, security software firm Kromtech, HIV-positive dating app Hzone and a Hello Kitty fan community. He told Fast Company last week that he's reported about two dozen such leaks to companies since this summer, often finding unlocked database servers through the search engine Shodan, which lets users search for services running on particular ports.

Vickery and DataBreaches.net say they've been unable to locate the owner of the vulnerable server in order to have the database taken down, "despite countless hours" of effort contacting political consulting firms who could be connected. They say they've also reported the server to the FBI and to the California Attorney General's Office, since the database includes records from that state.

Security columnist Steve Ragan also wrote Monday that he was unable to track down the origin of the data, despite contacting a number of political organizations.

The apparent leak follows a data dispute earlier this month between the Hillary Clinton and Bernie Sanders presidential campaigns, after Democratic National Committee officials accused Sanders campaign workers of improperly taking advantage of a malfunction in a shared voter database to access confidential information stored by the Clinton campaign. The Sanders campaign has since fired the staffer said to be responsible for the breach.

Many states do provide some access to their voter data but generally limit its use and distribution to protect voter confidentiality, according to DataBreaches.net. The site's editor, who writes under the name Dissent, urged readers Monday to lobby their elected officials for stronger restrictions.

"It's too easy to upload a database with all of our contact details, our date of birth, and our political affiliations and voting history to the Internet where anyone can grab it," the DataBreaches editor wrote. "Tweet them a link to this article with #ProtectMyPrivacy."


Hard To Believe, But FedEx Actually Did Better This Holiday Season


Despite widespread criticism, FedEx appears to have had better on-time performance this holiday season than in either of the past two years, according to delivery tracking firm ShipMatrix.

The carrier had come under fire for breaking delivery guarantees, particularly after bad weather swept much of the South last week, including around FedEx's Memphis hub.

"Yay #fedex you did such a great job not delivering my packages on time," tweeted one customer on Christmas, using the then-trending hashtag #FedExFail. "My kids thank you for getting far less presents."

But overall, according to ShipMatrix, which manages package tracking for thousands of shippers and uses their data to provide aggregate on-time performance ratings, FedEx met one-day, two-day, and three-day guarantees 97.8% of the time this holiday season, compared to 97.3% in the 2014 season and 95.4% in 2013.

UPS, on the other hand, did better last year, according to ShipMatrix: It had a 95.5% on-time rate this year, compared to 98.1% last year and 93.9% in 2013, when the services also saw weather-related issues. The ShipMatrix data covers each year's holiday season from Cyber Monday through Christmas. ShipMatrix says UPS improved its performance after Cyber Monday week, averaging about 97% on-time rates later in the season.

"The majority of their problems were in the first week of the month," says ShipMatrix research analyst Mark D'Amico.

Of course, consumers likely mind delays more when they cause packages to arrive after the Christmas holiday—something some Twitter users pointed out could also be avoided by ordering gifts earlier in the season.

Update: Microsoft Denies Report It Didn't Notify Victims of Chinese State Hotmail Hack


Microsoft is disputing a report that it failed to notify more than 1,000 users that they were victims of a hacking attack that Reuters says the company's own investigators determined was sponsored by the Chinese government.

The victims included activists from China's Tibetan and Uighur minority groups who used Microsoft's Hotmail email service from 2009 to 2011, according to Reuters. The company said in an email to Fast Company that it never concluded the Chinese government was to blame.

The attackers exploited a since-fixed flaw in Hotmail's security to obtain copies of the victims' emails, according to a previous report describing the malware behind the hack. Microsoft says it required the affected customers to reset their passwords and warned them it had detected suspicious activities tied to their accounts.

"We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. Government were able to identify the source of the attacks, which did not come from any single country," a Microsoft spokesperson wrote. "We also considered the potential impact on any subsequent investigation and ongoing measures we were taking to prevent potential future attacks."

Still, Microsoft said on Wednesday that it will start alerting users if it believes they're victims of state-sponsored hacks—a policy that has already been adopted by Facebook, Google, and Yahoo.

"We will now notify you if we believe your account has been targeted or compromised by an individual or group working on behalf of a nation state," the company said in a statement.

In the China case, two former Microsoft employees told Reuters that the company required affected users to change their passwords, but didn't disclose that they were victims of a state attack. Some of the victims believed the password-change prompts were routine security measures, according to the report.

A Chinese Foreign Ministry spokesperson expressed skepticism about the report, saying at a daily news briefing that the government is "a resolute defender of cyber security and strongly opposes any forms of cyberattacks."


Lumosity Must Pay $2 Million After "Unfounded" Brain Game Claims


The maker of brain game app Lumosity has agreed to pay $2 million to settle charges brought by the Federal Trade Commission, which alleged it deceived consumers about the product's brain-training benefits.

The FTC said Tuesday that Lumosity made "unfounded claims" that its games could help users do better at work and school and help reduce the effects of conditions including Alzheimer's, attention deficit hyperactivity disorder, and traumatic brain injury.

"Lumosity preyed on consumers' fears about age-related cognitive decline, suggesting their games could stave off memory loss, dementia, and even Alzheimer's disease," said Jessica Rich, the director of the FTC's Bureau of Consumer Protection, in a statement. "But Lumosity simply did not have the science to back up its ads."

The San Francisco-based company, founded in 2005, says it has more than 70 million registered users around the world, who are able to play its games on the web and on apps for iPhone and Android devices. Lumosity said in a statement Tuesday that it intends to continue offering its products to users.

"Neither the action nor the settlement pertains to the rigor of our research or the quality of the products—it is a reflection of marketing language that has been discontinued," the company said. "Our focus as a company has not and will not change: We remain committed to moving the science of cognitive training forward and contributing meaningfully to the field's community and body of research."

The company also allegedly failed to notify customers that some testimonials on its website "had been solicited through contests that promised significant prizes, including a free iPad, a lifetime Lumosity subscription, and a round-trip to San Francisco," according to the FTC.

Under the terms of the settlement, the company agreed to notify customers who signed up for auto-renewal subscriptions between Jan. 1, 2009 and Dec. 31, 2014, about the FTC's allegations and give them the opportunity to cancel their subscriptions. The company also agreed not to make further scientific claims without "competent and reliable scientific evidence."

Lumosity, which provides brain researchers free access to its brain-training tools through its Human Cognition Project, says it intends to continue to support research into the effectiveness of its product.

In a statement to Fast Company, a Lumosity spokeswoman said:

The recent peer-reviewed clinical test published in the journal PLOS One is a large, randomized, active-controlled trial of our cognitive training program. The study reported that participants who trained with Lumosity for 10 weeks improved on an aggregate assessment of cognition. Going forward, a key focus of our ongoing research is to build on these studies to better understand how training-driven improvements on tests of cognition translate to performance in participants' everyday lives.

Report: Snapchat Is Building Its Own Ad Platform

Snapchat is working on an application programming interface (API) that would let brands buy more targeted and sophisticated ads on the popular mobile messaging platform, according to a Digiday report.

The new advertising platform would likely let advertisers target particular groups of consumers, automate ad buys, and measure how users interact with their ads. It could also allow for more advanced types of ads, like those that direct users to install apps, or buy particular online products, according to the report.

Snapchat declined to comment on the report.

The platform would likely be similar to existing APIs deployed by other social networking services such as Facebook, Instagram, and Pinterest. It would also be a potentially significant change for Snapchat, which in the past has relied on old-fashioned direct ad buys, working directly with brands interested in reaching its young, tech-savvy audience.

Snapchat also traditionally hasn't offered advertisers the same degree of precise ad success metrics that other apps and websites have provided—something that advertisers have been willing to accept as they experiment with ways to reach the messaging platform's coveted base of young users. Last year, though, Snapchat found that 60% to 70% of its users stopped watching ads on the app just three seconds in.

The new API would also make it possible for ad tech firms to work with Snapchat's platform to build more advanced ads for their advertiser clients, letting Snapchat take less of a hands-on role in the development of individual marketing posts.

According to the Digiday report, Snapchat is talking to a number of such companies with the hopes of developing a trial platform that could be ready as soon as this spring.


21st Century Fox to Take Stake in Augmented Reality Startup Osterhout

Media giant 21st Century Fox will take a minority stake in San Francisco augmented reality startup Osterhout Design Group, the companies announced Wednesday.

The deal will make 21st Century Fox the principal outside investor in ODG, and the companies will enter a strategic partnership to combine ODG's augmented reality and smartglasses technology with the studio's content, the companies said.

"Our agreement with ODG underscores the innovation we are bringing to market through our Fox Innovation Lab, most recently with VR experiences for The Martian and Wild," said Jim Gianopulos, chairman and CEO of 20th Century Fox Film, in a statement. "We look forward to partnering with ODG and serving as its lead outside investor as the ODG team pushes the film experience into the future with its high-definition, cinema-wide field of view technology."

21st Century Fox is the parent of 20th Century Fox Film and of the Fox television networks.

ODG's latest model of augmented reality smartglasses, the R-7, includes 3D stereoscopic displays and requires no external computing power.

"We're excited to have 21st Century Fox join our family and help extend our considerable leadership in AR head-worn computing," said Ralph Osterhout, CEO of ODG, in a statement. "This space is ultimately heading towards widespread consumer adoption and by having 21st Century Fox onboard, we'll be able to deliver immersive and interactive entertainment experiences that transform how users consume content."

A Class-Action Suit Claims Fitbit Devices Inaccurately Measure Heart Rate

A group of Fitbit customers filed a class-action suit against the company Tuesday, alleging the Fitbit Charge HR and Surge fitness-tracking wristbands don't accurately measure heart rates during exercise.

"Fitbit marketed these products through aggressive and widespread advertising to consumers who were not only deceived in the devices' true functionality, but who also were put at a safety risk by trusting the Fitbit Heart Rate Monitors' inaccurate measurements," Robert Klonoff, one of the customers' lawyers, said in a statement. "Many thousands of consumers paid a premium to get accurate heart rate monitors, and instead got devices that do not work as promised."

According to a complaint filed in California federal court, a cardiologist compared the wristbands' readings to a standard electrocardiogram, and found a "significant degree" of variation.

"At intensities over 110 [beats per minute], the Heart Rate Trackers often failed to record any heart rate at all," according to the complaint. "And even when they did record heart rates, the Heart Rate Trackers were inaccurate by an average of 24.34 bpm, with some readings off by as much as 75 bpm."

In an email to Fast Company, a Fitbit spokeswoman says the company "strongly disagrees with the statements made in the complaint and plans to vigorously defend the lawsuit." Fitbit says its wristbands provide "better overall heart rate tracking than cardio machines at the gym, as it tracks your heart rate continuously even while you're not at the gym or working out" and aren't intended to be scientific or medical devices.

The company's terms of service require that disputes be resolved through arbitration, but the customers say those contract clauses are hidden in Fitbit's terms of service and not disclosed to customers who buy the wristbands from third-party merchants.

"They are brought to the attention of consumers who purchased at third-party websites and retail locations only after they buy their Fitbits and visit Fitbit's website to register them," lawyer Jonathan D. Selbin, also representing the Fitbit customers, said in a statement. "Fitbit recently admitted in court documents in an unrelated case that the Fitbit devices cannot function properly without registering them on Fitbit's website. And just by visiting that website, Fitbit purports to bind you to the arbitration clause and class action ban."

The customers are seeking actual and punitive damages on behalf of customers who bought the devices through third-party merchants and didn't sign on to the arbitration terms.

The same PurePulse-branded heart rate tracking is used in Fitbit's new Blaze smartwatch-like fitness tracker, according to the lawsuit. The Blaze was unveiled earlier this week to a mixed reception and a decline in Fitbit's stock price, as analysts compared it unfavorably to the similar-looking Apple Watch.

Expect ISIS Cyberattacks This Year, Says Leading Security Firm

ISIS is likely to launch a cyberattack on a major corporation this year, security firm PKWare predicted this week.

"These extreme terrorist groups are just unconstrained, and we know the destructive nature of their physical attacks; I don't discern any distinction between those motives physically and in the cyberwarfare realm," says PKWare CEO Miller Newton.

In its annual list of computer security predictions, the company also anticipated that hackers—not necessarily related to terrorist groups—will target systems related to law enforcement, health devices, and the electric power grid, and even breach the network of a U.S. presidential election campaign.

"Every campaign has huge teams of staff that are dedicated to digging up lots of sensitive information," Newton warns, making their systems a ripe target for attackers.

The amount of voter information stored by campaigns became clear last month, when staffers for the Bernie Sanders campaign ran afoul of the Democratic National Committee after apparently accessing data uploaded to a party data system by the Hillary Clinton campaign.

Similarly, Newton says, health data uploaded to the cloud by implantable devices like pacemakers or Fitbit-style wearables will be a likely target for hackers looking for leverage over providers or individual users.

"Both kinds of devices are connected to the Internet and feeding all of that collected information back to a website some place," says Newton.

And databases storing police records and uploads of footage from increasingly prevalent officer body cameras are another likely target, he says.

The company says it correctly predicted last year that hackers would infiltrate transportation systems, health care records, and the records of a professional sports franchise. A breach of flight plan systems grounded planes at a Warsaw airport in June, an Anthem database with millions of customers' health care records was reportedly breached in March, and a former St. Louis Cardinals official recently pleaded guilty in connection with a hack on the Houston Astros' network.

"We're trying to call attention to the fact that these attacks are causing significant damage to our nation—and that they're largely preventable," Newton said in a statement. "If we're going to win today's emerging cyberwar, our government, businesses, and citizenry must get serious about protecting our data."

Bitcoin A "Failed" Experiment, Says Departing Developer

Bitcoin developer Mike Hearn said the cryptocurrency has "failed" in a widely circulated Medium post this week, announcing an end to his involvement with bitcoin.

"The fundamentals are broken and whatever happens to the price in the short term, the long term trend should probably be downwards," Hearn wrote. "I will no longer be taking part in Bitcoin development and have sold all my coins."

His post, coupled with an announcement by bitcoin exchange and storage service Cryptsy that it was freezing customer withdrawals after allegedly losing millions of dollars in cryptocurrency in a cyberattack, appeared to contribute to a nearly 10% decline in the dollar value of bitcoin Friday.

Hearn was among the chief developers of Bitcoin XT, a controversial new version of the currency's underlying code designed to boost the speed at which the bitcoin network could record transactions to the shared ledger called the blockchain. New bitcoin transactions are circulated first to a peer-to-peer network, then grouped by power users called miners into mathematical structures called blocks that form the permanent blockchain.

Only blocks that meet certain mathematical properties in relation to the existing chain are deemed valid, and miners are rewarded with new bitcoin and generally small transaction fees for assembling transactions into proper blocks. The requirements for a valid block automatically adjust based on active miners' total computing power to ensure new blocks are added to the chain roughly every 10 minutes.

The problem, Hearn and others argue, is that blocks are also limited in size to roughly 1 megabyte—placing a limit on the number of transactions that miners can record in a given amount of time and creating the potential for a transaction backlog as bitcoin becomes more popular.

It also drives up transaction fees, Hearn writes, since bitcoin users are effectively forced to bid for the limited space available in the blocks that miners add to the chain.
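As an added illustration, not from the article or from any bitcoin project, here is a toy Python model of the fee auction Hearn describes: transactions compete for roughly 1 MB of space per block, miners take the highest fee per byte first, and anything left over waits in a growing backlog. The transaction sizes, fee levels and arrival counts are constructed assumptions.

```python
"""Toy model of the block-size bottleneck (added example, not bitcoin code)."""
from dataclasses import dataclass
from typing import List, Tuple

BLOCK_LIMIT_BYTES = 1_000_000   # the roughly 1 MB cap discussed in the article
BLOCK_INTERVAL_SECONDS = 600    # target of one new block about every 10 minutes


@dataclass
class Tx:
    txid: str
    size: int   # bytes
    fee: int    # satoshis (constructed values)

    def fee_rate(self) -> float:
        """Fee per byte: what a miner actually ranks transactions by."""
        return self.fee / self.size


def max_tx_per_second(avg_tx_size: int) -> float:
    """Throughput ceiling implied by the size cap and block interval."""
    return BLOCK_LIMIT_BYTES / avg_tx_size / BLOCK_INTERVAL_SECONDS


def assemble_block(mempool: List[Tx], limit: int = BLOCK_LIMIT_BYTES) -> Tuple[List[Tx], List[Tx]]:
    """Greedy miner policy: highest fee-per-byte first until the block is full.
    Returns (included, leftover). Greedy is exact here because all sample
    transactions are the same size; with mixed sizes it is an approximation."""
    included, leftover, used = [], [], 0
    for tx in sorted(mempool, key=lambda t: t.fee_rate(), reverse=True):
        if used + tx.size <= limit:
            included.append(tx)
            used += tx.size
        else:
            leftover.append(tx)
    return included, leftover


def simulate(demand_per_block: List[List[Tx]], limit: int = BLOCK_LIMIT_BYTES):
    """Feed the transactions arriving in each block interval through the miner
    policy. Each history entry is (included count, backlog size, lowest fee
    rate that got in), the last being the effective price of block space."""
    backlog: List[Tx] = []
    history = []
    for arrivals in demand_per_block:
        backlog.extend(arrivals)
        included, backlog = assemble_block(backlog, limit)
        min_rate = min((tx.fee_rate() for tx in included), default=0.0)
        history.append((len(included), len(backlog), min_rate))
    return history


def make_txs(prefix: str, count: int, size: int, fee: int) -> List[Tx]:
    return [Tx(f"{prefix}-{i}", size, fee) for i in range(count)]


def example_demand() -> List[List[Tx]]:
    """Constructed demand: 250-byte transactions at three fee levels
    (10, 2 and 1 sat/byte). Steady demand already exceeds one block;
    the third interval adds a surge of mid-fee transactions."""
    steady = (make_txs("hi", 500, 250, 2500)
              + make_txs("mid", 2000, 250, 500)
              + make_txs("lo", 3000, 250, 250))
    surge = (make_txs("hi", 500, 250, 2500)
             + make_txs("mid", 4000, 250, 500)
             + make_txs("lo", 3000, 250, 250))
    return [steady, steady, surge]


if __name__ == "__main__":
    print(f"ceiling at 250-byte tx: {max_tx_per_second(250):.2f} tx/s")
    for n, (inc, backlog, floor) in enumerate(simulate(example_demand()), 1):
        print(f"block {n}: {inc} included, {backlog} waiting, "
              f"cheapest included fee {floor:.1f} sat/byte")
```

The backlog grows every interval while demand exceeds roughly 4,000 transactions per block, and the surge pushes the cheapest successful bid from 1 to 2 satoshis per byte, which is the fee pressure Hearn objects to.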

"Once upon a time, Bitcoin had the killer advantage of low and even zero fees, but it's now common to be asked to pay more to miners than a credit card would charge," Hearn wrote.

He argues that a small group of bitcoin's miners and developers have failed to accept Bitcoin XT or other proposals that would solve the block size issue, even censoring forum posts advocating for changes, or "forks," to the currency's Bitcoin Core software, and that the rising fees and transaction delays will make the currency untenable.

Still, others in the bitcoin world remain more optimistic about the currency's prospects.

"I'm still worried about reliability of the network in the short term, which is why I've been so vocal on the block size limit issue, and which is part of the reason I'm supporting alternatives to Bitcoin Core," wrote developer Gavin Andresen, who has contributed to Bitcoin XT and other potential new versions of the software, in a blog post of his own. "In the long run, I think everything will work out fine, no matter what happens with the block limit."

Andresen argued that while the uncertainty and network issues might slow the adoption of bitcoin, engineers would manage to find ways around the block size limit, such as larger blocks called "extension blocks" used by some users on a voluntary basis, or supplemental networks or chains, to keep transactions flowing.

"I'd prefer a nice, simple, clean solution, but I'm old enough to know that most of the world's great technologies are built on top of horrifying piles of legacy cruft, and they work just fine pretty much all of the time," he wrote.

A recent pair of "Scaling Bitcoin" conferences led to a number of widely accepted proposals to enable bitcoin to handle a larger transaction volume, including some already undergoing testing, says Austin Hill, CEO of bitcoin startup Blockstream. That includes "segregated witness"—a controversial method suggested by Blockstream developer Pieter Wuille that would pull some block information into separate data structures to make room for more transactions without introducing incompatibilities with existing bitcoin software.

Regardless of the ultimate solution, Hill says, the need to handle increased transaction volume is ultimately a positive sign for bitcoin.

"I think one of the points that gets lost in all this is, yes, transactions are growing on the network because bitcoin is becoming more popular," he says. "It's succeeding."

Similarly, venture capitalist Fred Wilson, of Union Square Ventures, wrote that he's "not ready to declare that bitcoin has failed" in a Friday blog post. Wilson, who wrote that he's invested in bitcoin-related businesses and owns some actual bitcoin, argued it's more likely that the bitcoin mining community will accept a new version of the code sometime in 2016, along with changes to how decisions are made by the currency's developers.

"But it could well take a massive collapse in the price of Bitcoin, breakdowns in the Bitcoin network, or worse to get there," he warned. "And all of that could cause the whole house of cards to come crashing down. Anything is possible."

Of course, even a complete collapse of bitcoin might not mean the end of blockchain technology as a whole. Even bitcoin skeptic Hearn, who previously held technical positions at Google and Andreessen Horowitz, announced in November that he was joining R3 CEV—a company working with dozens of major banks and tech companies to build and standardize blockchains for the mainstream financial world.

Since financial industry blockchains would be used by a relatively small group of players to record standardized financial transactions to a shared database, they could likely avoid some of the complexity of bitcoin, which is developed to be secure with large numbers of untrusted users, and move more quickly to implement necessary technical upgrades.

And while bitcoin is the most popular cryptographic currency, users could potentially move to any of a number of alternative currencies, popularly dubbed altcoins, should bitcoin fail altogether.

But, as Wilson argues, existing bitcoin exchanges, miners, and other companies working with the currency have a strong financial incentive to find a solution to keep bitcoin itself viable.

"These companies have a lot to gain or lose if Bitcoin survives or fails," he wrote. "So I expect that there will be some rationality, brought on by capitalist behavior, that will emerge or maybe is already emerging."

LastPass Users Could Be Vulnerable To A Phishing Attack, Warns A Security Expert

Users of password manager LastPass should beware of phishing attempts that impersonate the program's browser extension pop-ups to steal their passwords, warns security expert Sean Cassidy.

Cassidy presented a proof-of-concept demonstration this week at the ShmooCon security convention, showing how malicious websites can generate in-browser pop-ups that mimic—in some cases, down to the individual pixels—LastPass's login prompts.

"I was using LastPass, and I was on some random website, and it popped up a notification that I had been logged out, and I went to go click the notification, because it was just displayed at the top of the web page," says Cassidy, who is the CTO of security firm Praesidio. "I clicked it, and then I verified that it was actually LastPass, and then I thought, 'You know what? I can do this same thing.'"

LastPass stores login credentials for multiple websites locked behind a single master password, so users don't have to memorize or write down individual usernames and passwords. When visiting a site with credentials stored in LastPass and not logged in to the program, LastPass will generate an in-browser pop-up prompting the user to enter the LastPass password.

And since the pop-up is generated with the same kind of code used to build websites, there's nothing to prevent hackers from generating an identical-looking prompt and stealing users' LastPass passwords—potentially giving them access to each of the user's other passwords, Cassidy says.

"The problem with most defenses for phishes is you train your users to say, this is what a phishing email looks like, don't click it," he says. "But in this case, the phish is exactly the same HTML and CSS, so there's no way to tell which is real and which is fake."

Real and Fake Prompts

Cassidy says LastPass has told him they're taking steps to make such phishing attacks harder, which the company confirmed in an email to Fast Company on Thursday.

"We did work directly with Sean Cassidy, and can confirm this is a phishing attack, not a vulnerability in LastPass," a company spokeswoman wrote. "However, we've released an update that will prevent a user from being logged out by the phishing tool, thereby mitigating the risk of the phishing attack. In addition, LastPass has a built-in security alert to let you know when you've entered your master password into a non-LastPass web form."

Cassidy says he felt an obligation to make the vulnerability known, particularly since it's relatively easy to construct a phishing attack based on the issue, though he's not aware of any such attacks yet.

"Unlike a very advanced buffer overflow, or something that only a few people would know how to exploit, instead, anyone who knows HTML and CSS could exploit this, and very little coding is involved," he says.

He recommends that IT departments make sure their users are aware of the issue and urge users to always interact with LastPass by clicking on the program's icon, rather than responding to its pop-ups—just as users concerned about phishing might navigate directly to a bank's site or app rather than clicking on emailed links.

Security Firm Sued Over Alleged Failure To End Casino Cyberattack

Nevada casino operator Affinity Gaming is suing cybersecurity firm Trustwave, alleging that Trustwave failed to contain or detect the extent of a 2013 cyberattack. The breach led to customer credit card numbers being stolen.

The lawsuit is among the first to be filed against a cybersecurity firm for failure to properly secure a system, according to the Financial Times.

"Shortly after Trustwave's engagement ended, and after Trustwave had promised that the data breach had been 'contained' and the suspected backdoor(s) 'inert,' Affinity Gaming learned that its data systems still were compromised," Affinity said in a complaint filed last month in Nevada federal court.

In reality, Affinity alleges, a backdoor into its systems "was very real and accessible." The casino company says Trustwave also failed to detect malware used to steal passwords on at least one of its systems, and an "open communication link" created by the unidentified hackers.

Trustwave denied the allegations in an email to Fast Company on Tuesday. "We dispute and disagree with the allegations in the lawsuit, and we will defend ourselves vigorously in court," wrote a company spokesman.

Affinity, which operates casinos including the Silver Sevens Hotel and Casino in Las Vegas and the Mark Twain Casino in Missouri, says in the complaint that it was forced to hire another security firm to investigate further and end the breach, incurring additional expenses. Affinity was required to cover fraudulent credit card charges and other bank costs when the hackers returned to steal customer credit card information, the company says.

"Affinity Gaming would have avoided these costs had Trustwave not misrepresented its work and performed its investigation properly," according to the complaint.

How To Fight Off A Large-Scale Cyberattack

Security firm Mandiant is known for its role in containing security breaches at big companies, including high-profile hacks at Sony, Target, and the New York Times.

So, there was plenty of interest in a speech by the firm's incident responders at last weekend's digital security conference—ShmooCon—in Washington, D.C., where they described how they tackled one of the "largest and most advanced" cybersecurity breaches they've ever encountered. Matt Dunwoody and Nick Carr said that at its peak the breach infected as many as 10 systems per day across an unnamed client's 100,000-system network.

"We identified at least 50,000 stolen emails and that's probably just a fraction of what they actually took," says Dunwoody, who, along with Carr, also spoke to Fast Company on Tuesday.

The pair says it took eight months to fully analyze, contain, and repair the breach, which taught them, and in some cases confirmed, key lessons about responding to security incidents.

One surprising piece of advice: Keep potentially compromised systems online to the extent possible until you're sure of the extent of the breach. That can help keep attackers from realizing you're aware of their presence and changing tactics to hide their approach, says Dunwoody.

"The attacker will know that you found them, and they'll know what you found, and they'll know what you didn't find, and they'll start to leverage that against you to make that more difficult in the future," he says.

Often, as in the case of this breach, which they say took place within the past three years, attackers first gain access to a network through a tried-and-true technique like a malware-laden phishing email. But if security teams act too quickly to clean up a compromised workstation, they can miss where attackers have penetrated more deeply into a company's systems.

"We believe they do a lot of loud activity followed by a lot of purposely stealthy activity," says Carr of the attackers encountered in the breach.

The two declined to comment in detail about the identity of the attackers, who Carr says deliberately used different-looking malware files on different targeted machines, with each receiving commands from different web domains to avoid easy detection.

"Each of those domains are compromised, legitimate web infrastructure that the attacker has co-opted on their end," he says. "You have legitimate SSL connections to seemingly legitimate websites that have good reputation scores, for instance."

The team was ultimately able to track the breach by monitoring for certain telltale clues, like Windows registry entries for utility software installed by the hackers, even when they deleted other evidence.

The Mandiant team also boosted the client's ability to monitor network traffic and log use of the Windows PowerShell command line environment. They also built tools to track the attackers' exploitation of the Windows Management Instrumentation API to compromise systems—tools Carr says they continue to use in subsequent investigations.

That kind of automation helps investigators move quickly and avoid fatigue, he says.

"All the tech is an enabler, but on both sides it's a battle of resources with a breach like this," Carr says.

The pair advises working with a vendor experienced in handling security breaches once one is detected—"You need people that have been doing this everyday for years and have the backend infrastructure to support them," says Dunwoody—and making sure security measures are in effect well beforehand.

Logging activity, like PowerShell commands, can help detect a breach, and taking steps like limiting how workstations connect to each other can keep one in check, he says.

And some security measures like maintaining a whitelist of permitted applications can help detect a breach even if hackers manage to circumvent them, says Carr.

"You make them have to take certain actions to evade the system you have in place, and then with those actions sometimes that they're taking, there's a higher chance that you'll be able to catch that activity," he says.
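An added example, not Mandiant's tooling, of how the controls described above become detection logic: process starts checked against an application allowlist (so an evasion attempt shows up as an unlisted binary), a rule for workstation-to-workstation connections, and PowerShell logging screened for remote WMI use. The event format, hostnames, paths, allowlist and the WMI indicator pattern are all constructed assumptions.

```python
"""Triage pass over constructed endpoint telemetry (added example)."""
import re
from typing import Dict, Iterable, List

# Constructed allowlist: executables a workstation is permitted to run.
# Anything else starting is treated as a signal, as Carr describes.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\program files\office\winword.exe",
    r"c:\windows\explorer.exe",
}

# Assumed indicator: PowerShell that drives WMI on another computer.
WMI_REMOTE = re.compile(
    r"(invoke-wmimethod|get-wmiobject|win32_process).*-computername", re.I)


def is_workstation(host: str) -> bool:
    """Naming convention assumed for this example: workstations are WS-*."""
    return host.upper().startswith("WS-")


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Apply the three rules and return one alert per matching event."""
    alerts: List[Dict] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            # Allowlist check on the normalised full image path, so a
            # lookalike name dropped in a user directory does not pass.
            if ev["image"].lower() not in ALLOWLIST:
                alerts.append({"rule": "not-allowlisted",
                               "host": ev["host"], "detail": ev["image"]})
        elif kind == "netconn":
            # Workstations should talk to servers, not to each other.
            if is_workstation(ev["src"]) and is_workstation(ev["dst"]):
                alerts.append({"rule": "ws-to-ws", "host": ev["src"],
                               "detail": f"{ev['src']} -> {ev['dst']}:{ev['port']}"})
        elif kind == "powershell":
            # Logged command lines are screened for remote WMI activity.
            if WMI_REMOTE.search(ev["command"]):
                alerts.append({"rule": "ps-remote-wmi",
                               "host": ev["host"], "detail": ev["command"]})
    return alerts


def count_by_rule(alerts: List[Dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


# Constructed sample telemetry for one workstation.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-0412",
     "image": r"C:\Program Files\Office\WINWORD.EXE"},
    {"type": "process", "host": "WS-0412",
     "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"type": "netconn", "src": "WS-0412", "dst": "FS-01", "port": 445},
    {"type": "netconn", "src": "WS-0412", "dst": "WS-0977", "port": 135},
    {"type": "powershell", "host": "WS-0412",
     "command": "Get-Process | Out-File C:\\temp\\p.txt"},
    {"type": "powershell", "host": "WS-0412",
     "command": "Get-WmiObject -Class Win32_Process -ComputerName WS-0977"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

Only the lookalike binary outside the allowlist, the workstation-to-workstation connection and the remote WMI command produce alerts; the legitimate Word start, file-server connection and local PowerShell command pass silently.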

Putin Internet Advisor Tied To Torrent Piracy Site


Russian President Vladimir Putin's recently appointed special advisor on Internet matters has ties to a Russian torrent site listing pirated content, which is illegal in Russia, according to a report by file-sharing news site TorrentFreak.

Torrent site Torrnado.ru, which prominently displays listings for recent Hollywood movies, is registered to a company with ties to Russian Internet mogul and newly appointed advisor German Klimenko. Russian media have reported Klimenko actually controls the site, according to TorrentFreak.

Klimenko, whose first name is sometimes spelled Herman in English, was appointed to his position by executive order earlier this month, according to a brief announcement from the Kremlin.

Klimenko told Russian media that he doesn't own the site "in a legal sense," and that the site complies with requests from copyright holders to take down pirated material, according to The Moscow Times.

According to TorrentFreak, Klimenko also controls the Russian portal site LiveInternet.ru and analytics platform MediaMetrics.ru. LiveInternet displays a prominent link to Torrnado.ru.

Klimenko recently urged copyright holders not to push too hard on piracy issues until the economy is doing better, according to the TorrentFreak report.

Police Departments Are Vulnerable To Cyberthreats As Evidence Goes Digital


As local police departments turn more to digital systems to manage evidence and communicate with the public, they become increasingly vulnerable to cyberattacks, experts warn.

"U.S. law enforcement will be breached," security firm PKWare said earlier this month in its list of digital security predictions for this year. "From body cameras to police databases, cyberattacks against law enforcement could become widespread in 2016."

Hackers have targeted agencies involved in political controversies in recent years, with police departments and other local agencies in Baltimore, Cleveland, and Madison, Wisconsin, all seeing various forms of digital attacks by groups like political hacker collective Anonymous after controversial shootings by police.

"You can expect that if you have a questionable shooting that occurs, you're gonna get hacked," says Terry Sult, chief of police in Hampton, Virginia. Sult has written and spoken about cybersecurity for the International Association of Chiefs of Police (IACP).

Sophisticated attackers could access police systems to learn the identities of witnesses, tamper with evidence, or try to blackmail the targets of investigations, says Winnie Callahan, the director of the University of San Diego Center for Cyber Security Engineering and Technology. "It does require being extremely careful, and assuming that someone wants to get in, and that you're very, very up to date on the cyberhacking techniques," says Callahan, who's worked on efforts to teach law enforcement officers about electronic crime. "The thing is that their records that they're holding really do have tremendous impact on the people—the victims of crime and the criminals themselves."

Once hacked, police information can be leaked. An Arizona state police agency was hacked multiple times by political hacker groups in 2011, with information about officers leaked to the public, and multiple police departments in Maine paid hackers to restore files held ransom by malware last year, according to the Portland Press Herald.

Those kinds of risks mean that it's essential for officers who are interacting with digital systems to know the basics of digital evidence preservation—like not turning off a computer at a crime scene that could have encryption enabled—and security, like not putting thumb drives that could have malware on them into police computers, says Callahan.

Departments also need to make sure that digital tools they use are properly secure, which often means bringing in outside experts to evaluate vendors' promises and audit police IT systems, she says.

"Get a third party that doesn't have an axe to grind or a dog in the fight, so to speak, to take a look at what a vendor is selling, and be sure that you can verify that what they say a particular piece of equipment can do, does that, and nothing more," she says. "Sometimes you can put things in, and they do a particular activity for you, but they do other things in their spare time, and that's extremely dangerous, and that happens quite a bit."

A security audit at a police department where Sult previously worked was an "eye opener," he recalls, turning up vulnerabilities like former employees who still had active accounts on departmental systems.

"We found some surprising things, and I don't think it's unique to police departments," he says. "We found out that what we thought we had, and what we actually had, were not the same thing."

In other cases, police departments have apparently unintentionally left sensitive data accessible to the public at large. The Electronic Frontier Foundation (EFF) reported last year that more than 100 license plate recognition systems were misconfigured, making live footage and plate information available on publicly accessible websites. And the weekly newspaper DigBoston reported last fall that Boston authorities had made license plate information, including people's addresses, available on another public server.

"Law enforcement agencies love to get new technological toys, but what they don't necessarily keep in mind as they purchase this is that there's an ongoing cost of upgrading, making sure it's security tested—there's a lot of upkeep that goes into it," says Dave Maass, an investigative researcher at the EFF.

If systems aren't patched and maintained, they can become vulnerable over time, and insecure systems can be more easily discovered, thanks to search engines like Shodan that index Internet-connected devices.

"It could be all sorts of stuff that are just out there and connected to the Internet and nobody thought to lock down, or at least when they installed it, there weren't the kind of threats that there are now," he says.

Ideally, Maass says, police departments think carefully about how to protect data before they collect or store it—including taking into account the risk of insiders abusing legitimate access rights—and lawmakers should make sure agencies budget for maintenance, not just the initial installation of new tools, he says.

"You don't approve it just based on the initial pilot program or initial expenditure—you need to make sure the police officers have a five- or 10-year [plan] for updating the system or maintaining the system, with all of those costs built in," he says.

Police departments are themselves becoming more aware of the risks, says Sult, thanks in part to efforts by groups like the IACP, which maintains its own Law Enforcement Cyber Center, and agencies like the Federal Bureau of Investigation, which offers training and tools to state and local agencies through its Cyber Shield Alliance program.

"It's individual—agency by agency," he says. "Some agencies are more prepared than others."


Here Is How Today's "Safe Harbor" Agreement Addresses Privacy Concerns


U.S. and European Union negotiators reached an agreement on Tuesday that preserves European users' privacy when their data is transferred to servers in the United States and maintains the ability of U.S. tech companies to legally store European data on their U.S. servers.

The new rule is set to replace a 2000 "safe harbor" agreement between the U.S. and E.U. that set minimum standards for data privacy and allowed thousands of companies a streamlined way to certify they were in compliance with those standards. That agreement was invalidated last year by the European Court of Justice, after a complaint by Austrian privacy activist Max Schrems, who argued that Facebook's compliance with the safe harbor rules wasn't enough to protect European users' data from U.S. mass surveillance programs.

"Mr Schrems referred in this regard to the revelations made by Edward Snowden concerning the activities of the United States intelligence services, in particular those of the National Security Agency," the European court wrote in its decision.

U.S. and E.U. officials had agreed to a grace period, where companies could still transfer data to the U.S. at least through Jan. 31 under standardized privacy-protecting contract terms known as "model clauses." But when that date passed without an agreement on new safe harbor rules, big tech companies like Apple, Facebook, Google and Microsoft, as well as thousands of smaller organizations, began to risk costly individual scrutiny by European privacy regulators for their routine transfers of European user information to U.S. data centers.

The U.S. agreed to create a new ombudsman position to review European privacy concerns and to limitations on governmental access to European data.

"The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the U.S. under the new arrangement," the European Commission said in a statement. "To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access."

As in the previous safe harbor rules, routine privacy complaints will also be reviewed by the Federal Trade Commission.


Could An Encryption Backdoor Tied To The NSA Have Let In Foreign Spies?


A Congressional committee has begun to investigate the potential impact of a Juniper Networks firewall security flaw discovered in December on government systems—even as some researchers suggest the hole may be the unintended consequence of a National Security Agency backdoor into the systems.

The House Oversight Committee has asked 24 federal agencies to explain whether they used any systems running Juniper's ScreenOS, the operating system with the vulnerabilities, and whether they've installed Juniper's patch or taken other steps to protect their systems.

"The federal government has yet to determine which agencies are using the affected software or if any agencies have used the patch to close the backdoor," wrote Rep. Will Hurd, R-Tex., in an op-ed published in the Wall Street Journal and on the committee's website last week. "Without a complete inventory of compromised systems, lawmakers are unable to determine what adversaries stole or could have stolen."

Hurd is the chairman of the IT Subcommittee on Oversight and Government Reform and a member of the House Homeland Security Committee.

Juniper announced in December that it had discovered "unauthorized code" introducing vulnerabilities into its NetScreen firewalls, possibly the work of foreign hackers trying to secretly decrypt VPN traffic passing through the firewalls. The company said last month that its investigation into the origin of the code is still underway, and a spokesperson declined to comment further Tuesday.

Since the security flaw was discovered, researchers have suggested it could be the work of the NSA or another spy agency, or the unintended consequence of a backdoor placed by the NSA. The firewalls encrypt VPN traffic using randomized keys generated by an algorithm called Dual_EC_DRBG, which was developed by the National Institute of Standards and Technology with the help of the NSA. Reports in 2013, based on materials leaked by Edward Snowden, suggested the agency had inserted a backdoor into the algorithm, letting it predict random numbers generated by the routine and thus decode messages the keys are used to encrypt.

Juniper has said that it uses a different value of a particular mathematical parameter, known as Q, than the one recommended in the NSA-influenced standard, making it immune to that particular attack, according to a December blog post by Matthew Green, an assistant professor of computer science at Johns Hopkins University. Researchers have found that an eavesdropper who controls the value of Q can potentially break codes based on keys generated by the algorithm, Green wrote.

And part of the effect of Juniper's patch was apparently to revert the value of Q to one used in previous versions of the firewall software, implying that the unauthorized code may have changed the parameter's value to a vulnerable one, Green wrote. But even the newly restored, previous value of Q could be of concern to Juniper's customers, he said at the time, since it was unclear how it had been chosen.
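The relationship the preceding paragraphs describe, as an added worked example that is not part of the article or of Juniper's code: a simplified Dual_EC_DRBG on a stand-in curve, and the state recovery available to whoever chose Q knowing a d with P = d*Q. Assumptions are labelled in the code: secp256k1 stands in for the standard's P-256 (the algebra is curve-independent), the secret d, the seed and the 8-bit output truncation are constructed, and the generator's extra state update at the end of a generate call is omitted.

```python
# Toy reproduction of the Dual_EC_DRBG weakness described above: constructed
# teaching code, not Juniper's or NIST's. It runs the generator on secp256k1
# (a stand-in for the P-256 curve the standard uses; the algebra is the same)
# and drops 8 high bits per output instead of the standard's 16.
P_MOD = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798  # x of G
TRUNC_BITS = 8  # high bits dropped from each output (the standard drops 16)
MASK = 2**(256 - TRUNC_BITS) - 1
INF = None  # point at infinity

def lift_x(x):
    """One point on y^2 = x^3 + 7 with this x, or None if there is none."""
    rhs = (pow(x, 3, P_MOD) + 7) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)  # square root, valid since p % 4 == 3
    return (x, y) if y * y % P_MOD == rhs else None

def add(p1, p2):
    """Affine point addition, covering doubling and the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

P_POINT = lift_x(GX)  # the fixed generator P (either y root works here)
D_SECRET = 0xC0FFEE5EC0FFEE5EC0FFEE5EC0FFEE5E  # constructed: known only to whoever chose Q
Q_POINT = mul(pow(D_SECRET, -1, N), P_POINT)  # published Q satisfies P = D_SECRET * Q

def dual_ec_generate(seed, blocks):
    """Simplified Dual_EC_DRBG: s <- x(s*P); emit x(s*Q) with its high bits dropped."""
    s, out = seed, []
    for _ in range(blocks):
        s = mul(s, P_POINT)[0]
        out.append(mul(s, Q_POINT)[0] & MASK)
    return out

def recover_and_predict(r1, r2, d, extra):
    """Given d with P = d*Q and two consecutive outputs, predict the next `extra`.
    Each guess of the dropped bits lifts r1 to R = s1*Q; then d*R = s1*P, whose
    x-coordinate is the next state. The guess is confirmed when it reproduces r2."""
    for high in range(2**TRUNC_BITS):
        x = (high << (256 - TRUNC_BITS)) | r1
        if x >= P_MOD:
            continue
        pt = lift_x(x)  # the other root gives the same x(d*R), so one suffices
        if pt is None:
            continue
        s = mul(d, pt)[0]
        if mul(s, Q_POINT)[0] & MASK != r2:
            continue
        preds = []
        for _ in range(extra):
            s = mul(s, P_POINT)[0]
            preds.append(mul(s, Q_POINT)[0] & MASK)
        return preds
    return None

if __name__ == "__main__":
    seed = 0x5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED  # constructed
    outputs = dual_ec_generate(seed, 5)
    print("later outputs predicted:", recover_and_predict(*outputs[:2], D_SECRET, 3) == outputs[2:])
```

An honestly generated Q, for which nobody holds d, gives recover_and_predict nothing to work with; what has to be audited is where the constant came from, not the arithmetic around it.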

Since then, Juniper has pledged to replace the Dual_EC algorithm altogether with one used in other software that it's determined is not vulnerable.

The uncertainty around the origin of the vulnerability seems to highlight the risks of the kind of security backdoors some politicians and law enforcement officials have said are necessary to enable government surveillance of encrypted communication. Security researchers and privacy advocates have long argued that it's effectively impossible to build a backdoor letting government officials eavesdrop without jeopardizing the privacy of everyday users and businesses.

So far, the Obama administration has declined to take steps to require makers of encryption software to install such backdoors, and companies from consumer device makers like Apple to commercial networking suppliers like Cisco have adamantly declined to insert them voluntarily. And the Juniper flaw, regardless of the details, shows that such backdoors are "extremely dangerous," Hurd wrote.

"There is no way to create a backdoor that is not vulnerable to this kind of breach," he wrote. "Encryption is essential to our national security and economy; we should be focused on strengthening it not weakening it."


Office Climate Control Networks Could Let Hackers In, Warns IBM


Increasingly Internet-connected office heating and lighting systems could be a target for hackers seeking a backdoor into corporate networks, warns IBM's X-Force security research group.

A recent survey of building automation system managers found that 84% of managers run at least one system connected to the Internet, and nearly half had systems connected to a traditional corporate IT network, says Chris Poulin, a research strategist with IBM X-Force. And with some automation vendors still figuring out how best to secure their systems, these systems can provide an entry path for hackers looking to steal data from company networks—or even an avenue to cause physical damage by tampering with climate control systems themselves.

"For example, you could affect the temperature of a data center, and cause not just a standard denial of service attack," says Poulin. "You could actually melt down the systems by heating up the computer room."

In a recent test, IBM researchers were able to exploit a series of security holes, from software bugs to passwords stored unencrypted and used across multiple systems, to gain access to an office building's automation system that managed thermostats and other sensors, the company said in a white paper released this week. The researchers were even able to obtain passwords giving them access to a server managing several buildings under the same management, the company says.

IBM worked with building management and the affected vendors to fix the security holes, Poulin says.

"We always consider that a success when we can find something before anyone else and help the vendor to patch it up," he says.

The company advises building automation system managers to take basic precautions, such as keeping up to date with software patches, avoiding password reuse, and configuring firewalls to limit remote access to automation systems as much as business requirements allow.

Companies can also use techniques like two-factor authentication to make it harder for attackers to gain access to automation systems, and can monitor network traffic and login attempts to catch suspicious activity quickly, according to the white paper.
