Zoom misses its own deadline to publish its first transparency report

How many government demands for user data has Zoom received? We won’t know until “later this year,” an updated Zoom blog post now says.

The video conferencing giant previously said it would release the number of government demands it has received by June 30. But the company said it’s missed that target and has given no firm new date for releasing the figures.

It comes amid heightened scrutiny of the service after a number of security issues and privacy concerns came to light following a massive spike in its user base, thanks to millions working from home because of the coronavirus pandemic.

In a blog post today reflecting on the company’s turnaround efforts, chief executive Eric Yuan said the company has made “made significant progress defining the framework and approach for a transparency report that details information related to requests Zoom receives for data, records, or content.”

“We look forward to providing the fiscal [second quarter data in our first report later this year,” he said.

Transparency reports offer rare insights into the number of demands or requests a company gets from the government for user data. These reports are not mandatory, but are important to understand the scale and scope of government surveillance.

Zoom said last month it would launch its first transparency report after the company admitted it briefly suspended the Zoom accounts of two U.S.-base accounts and one Hong Kong activist at the request of the Chinese government. The users, who were not based in China, held a Zoom call commemorating the anniversary of the Tiananmen Square massacre, an event that’s cloaked in secrecy and censorship in mainland China.

The company said at the time it “must comply with applicable laws in the jurisdictions where we operate,” but later said that it would change its policies to disallow requests from the Chinese government to impact users outside of mainland China.

A spokesperson for Zoom did not immediately comment.

Decrypted: Police leaks, iOS 14 kills ad-tracking, anti-encryption bill

What would the world look like if encryption were outlawed? If three Republican senators get their way, it might just happen.

Under the guise of national security, the Senate Judiciary Committee pushed through a draft bill that would end “warrant-proof” encryption — that is strong, near-impossible to break encryption that lets only the device owner unlock their data and nobody else. Silicon Valley quickly embraced this approach, not least because it cuts even the tech giants out of the loop so that the feds can’t demand they hand over their users’ data.

Except that didn’t happen. The opposite happened. The FBI cried foul, as did the Justice Department, claiming it makes it harder to solve crimes, while conveniently neglecting to mention its vast array of hacking tools that also makes it easier than ever to get the data that prosecutors seek.

Now a legislative fix to the government’s near-nonexistent problem. The bill, if passed, would create a “backdoor mandate” that would force tech companies to build in “backdoors” to let police, with a warrant, access an encrypted device’s photos, messages, files and more. The same would apply to data “in motion” as it traverses the internet, undermining the security that keeps our emails safe and our online banking secure, and effectively banning end-to-end messaging apps like Signal, WhatsApp and Facebook Messenger.

Experts decried the bill, as expected, and as they have done with every other attempt to undermine the security of the internet. Their argument is simple, and mathematically irrefutable: If police can get a backdoor, so can hackers. There’s no secure way to give one access and not the other.

Lawmakers seem set on changing the law of the land, but they can’t change the laws of mathematics.

More on that in this week’s Decrypted.


THE BIG PICTURE

‘BlueLeaks’ dumps data on decades of police files

Hacking collective Anonymous crashed onto the internet a decade ago by publishing reams of secret files and stolen data from governments and corporations. Last week the collective emerged after a long hiatus, returning with a massive trove of data obtained from hundreds of U.S. police departments in an operation dubbed BlueLeaks.

The data was published by Distributed Denial of Secrets, an alternative to WikiLeaks that’s dedicated to publishing files in the public interest. The data contains a decade’s worth of police training materials and other internal law enforcement data, like protest containment strategies, which have come under fire after tactics used against protesters in the wake of George Floyd’s death.

Apple’s iOS 14 will give users option to decline ad tracking

A new version of iOS wouldn’t be the same without a bunch of security and privacy updates. Apple on Monday announced a ton of new features it’ll bake into iOS 14, expected out later this year with the release of new iPhones and iPads.

Apple said it will allow users to share your approximate location with apps, instead of your precise location. It’ll allow apps to take your rough location without identifying precisely where you are. It’s another option that users have when they give over their location. Last year, Apple allowed users to give over their location once so that apps can’t track a person as they go about their day.

iPhones with iOS 14 will also get a camera recording indicator in the status bar. It’s a similar feature to the camera light that comes with Macs and MacBooks. The recording indicator will sit in the top bar of your iPhone’s display when your front or rear camera is in use.

But the biggest changes are for app developers themselves, Apple said. In iOS 14, users will be asked if they want to be tracked by the app. That’s a major change that will likely have a ripple effect: by allowing users to reject tracking, it’ll reduce the amount of data that’s collected, preserving user privacy.

Apple also said it will also require app developers to self-report the kinds of permissions that their apps ask for. This will improve transparency, allowing the user to know what kind of data they may have to give over in order to use the app. It’s a feature that Android users have been able to see app permissions for years on the Google Play app store.

The move is Apple’s latest assault against the ad industry as part of the tech giant’s privacy-conscious mantra.

The ad industry has frequently been the target of Apple’s barbs, amid a string of controversies that have embroiled both advertisers and data-hungry tech giants, like Facebook and Google, which make the bulk of their profits from targeted advertising. As far back as 2015, Apple CEO Tim Cook said its Silicon Valley rivals are “gobbling up everything they can learn about you and trying to monetize it.” Apple, which makes its money selling hardware, “elected not to do that,” said Cook.

As targeted advertising became more invasive, Apple countered by baking in new privacy features to its software, like its intelligence tracking prevention technology and allowing Safari users to install content blockers that prevent ads and trackers from loading.

Just last year Apple told developers to stop using third-party trackers in apps for children or face rejection from the App Store.

Oracle’s BlueKai tracks you across the web. That data spilled online

Have you ever wondered why online ads appear for things that you were just thinking about?

There’s no big conspiracy. Ad tech can be creepily accurate.

Tech giant Oracle is one of a few companies in Silicon Valley that has near-perfected the art of tracking people across the internet. The company has spent a decade and billions of dollars buying startups to build its very own panopticon of users’ web browsing data.

One of those startups, BlueKai, which Oracle bought for a little over $400 million in 2014, is barely known outside marketing circles, but it amassed one of the largest banks of web tracking data outside of the federal government.

BlueKai uses website cookies and other tracking tech to follow you around the web. By knowing which websites you visit and which emails you open, marketers can use this vast amount of tracking data to infer as much about you as possible — your income, education, political views, and interests to name a few — in order to target you with ads that should match your apparent tastes. If you click, the advertisers make money.

But for a time, that web tracking data was spilling out onto the open internet because a server was left unsecured and without a password, exposing billions of records for anyone to find.

Security researcher Anurag Sen found the database and reported his finding to Oracle through an intermediary — Roi Carthy, chief executive at cybersecurity firm Hudson Rock and former TechCrunch reporter.

TechCrunch reviewed the data shared by Sen and found names, home addresses, email addresses and other identifiable data in the database. The data also revealed sensitive users’ web browsing activity — from purchases to newsletter unsubscribes.

“There’s really no telling how revealing some of this data can be,” said Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation, told TechCrunch.

“Oracle is aware of the report made by Roi Carthy of Hudson Rock related to certain BlueKai records potentially exposed on the Internet,” said Oracle spokesperson Deborah Hellinger. “While the initial information provided by the researcher did not contain enough information to identify an affected system, Oracle’s investigation has subsequently determined that two companies did not properly configure their services. Oracle has taken additional measures to avoid a reoccurrence of this issue.”

Oracle did not name the companies or say what those additional measures were, and declined to answer our questions or comment further.

But the sheer size of the exposed database makes this one of the largest security lapses this year.

The more it knows

BlueKai relies on vacuuming up a never-ending supply of data from a variety of sources to understand trends to deliver the most precise ads to a person’s interests.

Marketers can either tap into Oracle’s enormous bank of data, which it pulls in from credit agencies, analytics firms, and other sources of consumer data including billions of daily location data points, in order to target their ads. Or marketers can upload their own data obtained directly from consumers, such as the information you hand over when you register an account on a website or when you sign up for a company’s newsletter.

But BlueKai also uses more covert tactics like allowing websites to embed invisible pixel-sized images to collect information about you as soon as you open the page — hardware, operating system, browser and any information about the network connection.

This data — known as a web browser’s “user agent” — may not seem sensitive, but when fused together it can create a unique “fingerprint” of a person’s device, which can be used to track that person as they browse the internet.

BlueKai can also tie your mobile web browsing habits to your desktop activity, allowing it to follow you across the internet no matter which device you use.

Say a marketer wants to run a campaign trying to sell a new car model. In BlueKai’s case, it already has a category of “car enthusiasts” — and many other, more specific categories — that the marketer can use to target with ads. Anyone who’s visited a car maker’s website or a blog that includes a BlueKai tracking pixel might be categorized as a “car enthusiast.” Over time that person will be siloed into different categories under a profile that learns as much about you to target you with those ads.

(Sources: DaVooda, Filborg/Getty Images; Oracle BlueKai)

The technology is far from perfect. Harvard Business Review found earlier this year that the information collected by data brokers, such as Oracle, can vary wildly in quality.

But some of these platforms have proven alarmingly accurate.

In 2012, Target mailed maternity coupons to a high school student after an in-house analytics system figured out she was pregnant — before she had even told her parents — because of the data it collected from her web browsing.

Some might argue that’s precisely what these systems are designed to do.

Jonathan Mayer, a science professor at Princeton University, told TechCrunch that BlueKai is one of the leading systems for linking data.

“If you have the browser send an email address and a tracking cookie at the same time, that’s what you need to build that link,” he said.

The end goal: the more BlueKai collects, the more it can infer about you, making it easier to target you with ads that might entice you to that magic money-making click.

But marketers can’t just log in to BlueKai and download reams of personal information from its servers, one marketing professional told TechCrunch. The data is sanitized and masked so that marketers never see names, addresses or any other personal data.

As Mayer explained: BlueKai collects personal data; it doesn’t share it with marketers.

‘No telling how revealing’

Behind the scenes, BlueKai continuously ingests and matches as much raw personal data as it can against each person’s profile, constantly enriching that profile data to make sure it’s up to date and relevant.

But it was that raw data spilling out of the exposed database.

TechCrunch found records containing details of private purchases. One record detailed how a German man, whose name we’re withholding, used a prepaid debit card to place a €10 bet on an esports betting site on April 19. The record also contained the man’s address, phone number and email address.

Another record revealed how one of the largest investment holding companies in Turkey used BlueKai to track users on its website. The record detailed how one person, who lives in Istanbul, ordered $899 worth of furniture online from a homeware store. We know because the record contained all of these details, including the buyer’s name, email address and the direct web address for the buyer’s order, no login needed.

We also reviewed a record detailing how one person unsubscribed from an email newsletter run by an electronics consumer, sent to his iCloud address. The record showed that the person may have been interested in a specific model of car dash-cam. We can even tell based on his user agent that his iPhone was out of date and needed a software update.

The more BlueKai collects, the more it can infer about you, making it easier to target you with ads that might entice you to that magic money-making click.

The data went back for months, according to Sen, who discovered the database. Some logs dated back to August 2019, he said.

“Fine-grained records of people’s web-browsing habits can reveal hobbies, political affiliation, income bracket, health conditions, sexual preferences, and — as evident here — gambling habits,” said the EFF’s Cyphers. “As we live more of our lives online, this kind of data accounts for a larger and larger portion of how we spend our time.”

Oracle declined to say if it informed those whose data was exposed about the security lapse. The company also declined to say if it had warned U.S. or international regulators of the incident.

Under California state law, companies like Oracle are required to publicly disclose data security incidents, but Oracle has not to date declared the lapse. When reached, a spokesperson for California’s attorney general’s office declined to say if Oracle had informed the office of the incident.

Under Europe’s General Data Protection Regulation, companies can face fines of up to 4% of their global annual turnover for flouting data protection and disclosure rules.

Trackers, trackers everywhere

BlueKai is everywhere — even when you can’t see it.

One estimate says BlueKai tracks over 1% of all web traffic — an unfathomable amount of daily data collection — and tracks some of the world’s biggest websites: Amazon, ESPN, Forbes, Glassdoor, Healthline, Levi’s, MSN.com, Rotten Tomatoes, and The New York Times. Even this very article has a BlueKai tracker because our parent company, Verizon Media, is a BlueKai partner.

But BlueKai is not alone. Nearly every website you visit contains some form of invisible tracking code that watches you as you traverse the internet.

As invasive as it is that invisible trackers are feeding your web browsing data to a gigantic database in the cloud, it’s that very same data that has kept the internet largely free for so long.

To stay free, websites use advertising to generate revenue. The more targeted the advertising, the better the revenue is supposed to be.

While the majority of web users are not naive enough to think that internet tracking does not exist, few outside marketing circles understand how much data is collected and what is done with it.

Take the Equifax data breach in 2017, which brought scathing criticism from lawmakers after it collected millions of consumers’ data without their explicit consent. Equifax, like BlueKai, relies on consumers skipping over the lengthy privacy policies that govern how websites track them.

In any case, consumers have little choice but to accept the terms. Be tracked or leave the site. That’s the trade-off with a free internet.

But there are dangers with collecting web-tracking data on millions of people.

“Whenever databases like this exist, there’s always a risk the data will end up in the wrong hands and in a position to hurt someone,” said Cyphers.

Cyphers said the data, if in the hands of someone malicious, could contribute to identity theft, phishing or stalking.

“It also makes a valuable target for law enforcement and government agencies who want to piggyback on the data gathering that Oracle already does,” he said.

Even when the data stays where it’s intended, Cyphers said these vast databases enable “manipulative advertising for things like political issues or exploitative services, and it allows marketers to tailor their messages to specific vulnerable populations,” he said.

“Everyone has different things they want to keep private, and different people they want to keep them private from,” said Cyphers. “When companies collect raw web browsing or purchase data, thousands of little details about real people’s lives get scooped up along the way.”

“Each one of those little details has the potential to put somebody at risk,” he said.


Send tips securely over Signal and WhatsApp to +1 646-755-8849.

Zoom U-turns on no e2e encryption for free users

In a major security U-turn, videoconferencing platform Zoom has said it will, after all, offer end-to-end encryption to all users — including those who do not pay to use its service.

The caveat is that free users must provide certain “additional” pieces of information for verification purposes (such as a phone number where they can respond to a verification link) before being allowed to use e2e encryption — which Zoom says is a necessary check so it can “prevent and fight abuse” on its platform. However it’s a major step up from the prior offer of ‘no e2e unless you pay us‘.

“We are grateful to those who have provided their input on our E2EE design, both technical and philosophical,” Zoom writes in a blog update today. “We encourage everyone to continue to share their views throughout this complex, ongoing process.”

The company faced a storm of criticism earlier this month after Bloomberg reported comments by CEO Eric Yuan, who said it did not intend to provide e2e encryption for non-paying users because it wanted to be able to work with law enforcement.

Security and privacy experts waded it to blast the stance. One notable critic of the position was cryptography expert, Matthew Green — whose name you’ll find listed on Zoom’s e2e encryption design white paper.

“Once the precedent is set that E2E encryption is too ‘dangerous’ to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it’s going to be hard to put it back,” Green warned in a nuanced Twitter thread.

Since the e2e encryption storm, Zoom has faced another scandal — this time related to privacy and censorship, after it admitted shutting down a number of Chinese activists accounts at the request of the Chinese government. So the company may have stumbled upon another good reason for reversing its stance — given it’s a lot more difficult to censor content you can’t see.

Explaining the shift in its blog post, Zoom says only that it follows a period of engagement “with civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others”.

“We have also explored new technologies to enable us to offer E2EE to all tiers of users,” it adds.

Its blog briefly discusses how non-paying users will be able to gain access to e2e encryption, with Zoom writing: “Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message.”

“Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse,” it adds.

Certain countries require an ID check to purchase a SIM card so Zoom’s verification provision may make it impossible for some users to access e2e encryption without leaving an identity trail which state agencies could unpick.

Per Zoom’s blog post, a beta of the e2e encryption implementation will kick off in July. The platform’s default encryption remains AES 256 GCM in the meanwhile.

The forthcoming e2e encryption will not be switched on by default — but rather offered as an option. Zoom says this is because it limits some meeting functionality (“such as the ability to include traditional PSTN phone lines or SIP/H.323 hardware conference room systems”).

“Hosts will toggle E2EE on or off on a per-meeting basis,” it further notes, adding that account administrators will also have the ability to enable and disable E2EE at the account and group level.

Today the company also released a v2 update of its e2e encryption design — posting the spec to Github.

Zoom U-turns on no e2e encryption for free users

In a major security U-turn, videoconferencing platform Zoom has said it will, after all, offer end-to-end encryption to all users — including those who do not pay to use its service.

The caveat is that free users must provide certain “additional” pieces of information for verification purposes (such as a phone number where they can respond to a verification link) before being allowed to use e2e encryption — which Zoom says is a necessary check so it can “prevent and fight abuse” on its platform. However it’s a major step up from the prior offer of ‘no e2e unless you pay us‘.

“We are grateful to those who have provided their input on our E2EE design, both technical and philosophical,” Zoom writes in a blog update today. “We encourage everyone to continue to share their views throughout this complex, ongoing process.”

The company faced a storm of criticism earlier this month after Bloomberg reported comments by CEO Eric Yuan, who said it did not intend to provide e2e encryption for non-paying users because it wanted to be able to work with law enforcement.

Security and privacy experts waded it to blast the stance. One notable critic of the position was cryptography expert, Matthew Green — whose name you’ll find listed on Zoom’s e2e encryption design white paper.

“Once the precedent is set that E2E encryption is too ‘dangerous’ to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it’s going to be hard to put it back,” Green warned in a nuanced Twitter thread.

Since the e2e encryption storm, Zoom has faced another scandal — this time related to privacy and censorship, after it admitted shutting down a number of Chinese activists accounts at the request of the Chinese government. So the company may have stumbled upon another good reason for reversing its stance — given it’s a lot more difficult to censor content you can’t see.

Explaining the shift in its blog post, Zoom says only that it follows a period of engagement “with civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others”.

“We have also explored new technologies to enable us to offer E2EE to all tiers of users,” it adds.

Its blog briefly discusses how non-paying users will be able to gain access to e2e encryption, with Zoom writing: “Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message.”

“Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse,” it adds.

Certain countries require an ID check to purchase a SIM card so Zoom’s verification provision may make it impossible for some users to access e2e encryption without leaving an identity trail which state agencies could unpick.

Per Zoom’s blog post, a beta of the e2e encryption implementation will kick off in July. The platform’s default encryption remains AES 256 GCM in the meanwhile.

The forthcoming e2e encryption will not be switched on by default — but rather offered as an option. Zoom says this is because it limits some meeting functionality (“such as the ability to include traditional PSTN phone lines or SIP/H.323 hardware conference room systems”).

“Hosts will toggle E2EE on or off on a per-meeting basis,” it further notes, adding that account administrators will also have the ability to enable and disable E2EE at the account and group level.

Today the company also released a v2 update of its e2e encryption design — posting the spec to Github.

Zoom U-turns on no e2e encryption for free users

In a major security U-turn, videoconferencing platform Zoom has said it will, after all, offer end-to-end encryption to all users — including those who do not pay to use its service.

The caveat is that free users must provide certain “additional” pieces of information for verification purposes (such as a phone number where they can respond to a verification link) before being allowed to use e2e encryption — which Zoom says is a necessary check so it can “prevent and fight abuse” on its platform. However it’s a major step up from the prior offer of ‘no e2e unless you pay us‘.

“We are grateful to those who have provided their input on our E2EE design, both technical and philosophical,” Zoom writes in a blog update today. “We encourage everyone to continue to share their views throughout this complex, ongoing process.”

The company faced a storm of criticism earlier this month after Bloomberg reported comments by CEO Eric Yuan, who said it did not intend to provide e2e encryption for non-paying users because it wanted to be able to work with law enforcement.

Security and privacy experts waded it to blast the stance. One notable critic of the position was cryptography expert, Matthew Green — whose name you’ll find listed on Zoom’s e2e encryption design white paper.

“Once the precedent is set that E2E encryption is too ‘dangerous’ to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it’s going to be hard to put it back,” Green warned in a nuanced Twitter thread.

Since the e2e encryption storm, Zoom has faced another scandal — this time related to privacy and censorship, after it admitted shutting down a number of Chinese activists accounts at the request of the Chinese government. So the company may have stumbled upon another good reason for reversing its stance — given it’s a lot more difficult to censor content you can’t see.

Explaining the shift in its blog post, Zoom says only that it follows a period of engagement “with civil liberties organizations, our CISO council, child safety advocates, encryption experts, government representatives, our own users, and others”.

“We have also explored new technologies to enable us to offer E2EE to all tiers of users,” it adds.

Its blog briefly discusses how non-paying users will be able to gain access to e2e encryption, with Zoom writing: “Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message.”

“Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse,” it adds.

Certain countries require an ID check to purchase a SIM card so Zoom’s verification provision may make it impossible for some users to access e2e encryption without leaving an identity trail which state agencies could unpick.

Per Zoom’s blog post, a beta of the e2e encryption implementation will kick off in July. The platform’s default encryption remains AES 256 GCM in the meanwhile.

The forthcoming e2e encryption will not be switched on by default — but rather offered as an option. Zoom says this is because it limits some meeting functionality (“such as the ability to include traditional PSTN phone lines or SIP/H.323 hardware conference room systems”).

“Hosts will toggle E2EE on or off on a per-meeting basis,” it further notes, adding that account administrators will also have the ability to enable and disable E2EE at the account and group level.

Today the company also released a v2 update of its e2e encryption design — posting the spec to Github.

Decrypted: The tech police use against the public

There is a darker side to cybersecurity that’s frequently overlooked.

Just as you have an entire industry of people working to keep systems and networks safe from threats, commercial adversaries are working to exploit them. We’re not talking about red-teamers, who work to ethically hack companies from within. We’re referring to exploit markets that sell details of security vulnerabilities and the commercial spyware companies that use those exploits to help governments and hackers spy on their targets.

These for-profit surveillance companies flew under the radar for years, but have only recently gained notoriety. But now, they’re getting unwanted attention from U.S. lawmakers.

In this week’s Decrypted, we look at the technologies police use against the public.


THE BIG PICTURE

Secrecy over protest surveillance prompts call for transparency

Last week we looked at how the Justice Department granted the Drug Enforcement Administration new powers to covertly spy on protesters. But that leaves a big question: What kind of surveillance do federal agencies have, and what happens to people’s data once it is collected?

While some surveillance is noticeable — from overhead drones and police helicopters overhead — others are worried that law enforcement are using less than obvious technologies, like facial recognition and access to phone records, CNBC reports. Many police departments around the U.S. also use “stingray” devices that spoof cell towers to trick cell phones into turning over their call, message and location data.

Security decoy startup CounterCraft closes $5M Series A

Spain-based CounterCraft, which builds b2b tools for gathering counterintelligence on evolving security threats, has closed a $5M Series A. The all cash round is led by Adara Ventures, with eCAPITAL and Red Eléctrica Group joining as new investors, and with participation from existing backers including Evolution Equity, ORZA, and Wayra.

CounterCraft was founded back in 2015 with the aim of helping security chiefs take a more proactive defense stance. The founders went through Telefonica’s Wayra Madrid accelerator — and went on to raise a $1.1M seed round, back in 2016.

While its early focus was on the European market, the startup has expanded to serve clients across Western Europe and North America — with particular focus on national defense and intelligence departments, major financial institutions, and large enterprises.

We understand they have 20 customers at this stage. The new funding will be used to build out CounterCraft’s business in the US, per Adara Ventures .

Commenting on the Series A in a statement, Alberto Gomez, managing partner at the VC firm said: “We continue to be inspired by the combination of engineering ability and vision that CounterCraft has shown in defining a new category of defensive tool that responds to the current threat landscape. Nothing else we have seen effectively uses a Know-Your-Attacker stance to turn the tables on threat actors. We are now excited about CounterCraft’s prospects for expanding its presence with sophisticated, large clients in the U.S. and European markets.”

CounterCraft’s core product is what it bills as a “Threat Deception platform” — supporting its customers’ security function by contributing to three areas: threat detection, intelligence and response; and by using deceptive techniques as a lure to gather better intelligence on threats and attackers for a smarter response.

The platform offers a set of common use cases that can be automatically deployed without further configuration — including ‘Remote Worker Protection’; Pre-Breach Activity; Sphere Phishing Response; and Lateral Movement — with the three strands of ‘detection, intelligence and response’ covered for all use cases.

The platform is also designed to integrate with customers’ incident response workflows, and has the ability to reconfigure defensive systems in real time to mitigate risks from ongoing attacks.

CEO David Barroso notes, for example, that CounterCraft’s platform is fully integrated with the MITRE ATT&CK™ TTP classification project.

In terms of intelligence gathering Barroso says it mines assets such as WiFi, SWIFT, email accounts and social media. “Uniquely, the platform can automatically convert this harvested data into active responses. This puts CISOs back in the driving seat when defending,” he added in a statement.

T-Mobile hit by phone calling, text message outage

T-Mobile appears to be having problems.

Customers are reporting that they can’t make or receive phone calls, although data appears to be unaffected. Some customers say that text messaging is also affected.

DownDetector, which collects outage reports from users, indicates that a major outage is underway. It’s not clear how widespread the issue is, but at the time of writing T-Mobile was trending across the United States on Twitter.

The outage appears to have started around 10am PT (1pm ET) on Monday.

DownDetector reporting outages across the U.S.

In our own tests in New York and Seattle, we found that making calls from a T-Mobile phone would fail almost immediately after placing the call. We also found that the cell service on our phones were intermittent, with bars occasionally dropping to zero or losing access to high-speed data.

In April, Sprint and T-Mobile completed its merger, valued at $26 billion, making the combined cell network the third largest carrier in the United States behind AT&T and Verizon.

A spokesperson for T-Mobile also did not immediately comment on the outage.

Other networks may also be experiencing downtime, per customer reports. But so far Verizon (which owns TechCrunch) and Sprint have not responded to a request for comment. An AT&T spokesperson said that the network is operating normally.

Widespread cell networks are rare but do happen. In 2017, CenturyLink had a network failure that affected all major U.S. carriers and 911 emergency services that rely on the fiber network to route calls. In some U.S. counties, officials sent out emergency alerts to cell phone users to warn that 911 services had been disrupted.

Updated to note that carrier-dependent text messaging also appears to be affected.