Homeland Security issues rare emergency alert over ‘critical’ Windows bug

Homeland Security’s cybersecurity advisory unit has issued a rare emergency alert to government departments after the recent disclosure of a “critical”-rated security vulnerability in server versions of Microsoft Windows.

The Cybersecurity and Infrastructure Security Agency, better known as CISA, issued an alert late on Friday requiring all federal departments and agencies to “immediately” patch any Windows servers vulnerable to the so-called Zerologon attack by Monday, citing an “unacceptable risk” to government networks.

It’s the third emergency alert issued by CISA this year.

The Zerologon vulnerability, rated the maximum 10.0 in severity, could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers, the servers that manage a network’s security. The bug was appropriately called “Zerologon,” because an attacker doesn’t need to steal or use any network passwords to gain access to the domain controllers, only gain a foothold on the network, such as by exploiting a vulnerable device connected to the network.

With complete access to a network, an attacker could deploy malware, ransomware, or steal sensitive internal files.

Security company Secura, which discovered the bug, said it takes “about three seconds in practice” to exploit the vulnerability.

Microsoft pushed out an initial fix in August to prevent exploitation. But given the complexity of the bug, Microsoft said it would have to roll out a second patch early next year to eradicate the issue completely.

But the race is on to patch systems after researchers reportedly released proof-of-concept code, potentially allowing attackers use the code to launch attacks. CISA said that Friday that it “assumes active exploitation of this vulnerability is occurring in the wild.”

Although the CISA alert only applies to federal government networks, the agency said it “strongly” urges companies and consumers to patch their systems as soon as possible if not already.

JupiterOne raises $19M Series A to automate cyber asset management

Asset management might not be the most exciting talking topic, but it’s often an overlooked area of cyber-defenses. By knowing exactly what assets your company has makes it easier to know where the security weak spots are.

That’s the problem JupiterOne is trying to fix.

“We built JupiterOne because we saw a gap in how organizations manage the security and compliance of their cyber assets day to day,” said Erkang Zheng, the company’s founder and chief executive.

The Morrisville, N.C.-based startup, which spun out from healthcare cloud firm LifeOmic in 2018, helps companies see all of their digital and cloud assets by integrating with dozens of services and tools, including Amazon Web Services, Cloudflare, and GitLab, and centralizing the results into a single monitoring tool.

JupiterOne says it makes it easier for companies to spot security issues and maintain compliance, with an aim of helping companies prevent security lapses and data breaches by catching issues early on.

The company already has Reddit, Databricks and Auth0 as customers, and just secured $19 million in its Series A, led by Bain Capital Ventures and with participation from Rain Capital and its parent company LifeOmic.

As part of the deal, Bain partner Enrique Salem will join JupiterOne’s board. “We see a large multibillion dollar market opportunity for this technology across mid-market and enterprise customers,” he said. Asset management is slated to be a $8.5 billion market by 2024.

Zheng told TechCrunch the company plans to use the funds to accelerate its engineering efforts and its go-to-market strategy, with new product features to come.

How to respond to a data breach

I cover a lot of data breaches. From inadvertent exposures to data-exfiltrating hacks, I’ve seen it all. But not every data breach is the same. How a company responds to a data breach — whether it was their fault — can make or break its reputation.

I’ve seen some of the worst responses: legal threats, denials and pretending there isn’t a problem at all. In fact, some companies claim they take security “seriously” when they clearly don’t, while other companies see it merely as an exercise in crisis communications.

But once in a while, a company’s response almost makes up for the daily deluge of hypocrisy, obfuscation and downright lies.

Last week, Assist Wireless, a U.S. cell carrier that provides free government-subsidized cell phones and plans to low-income households, had a security lapse that exposed tens of thousands of customer IDs — driver’s licenses, passports and Social Security cards — used to verify a person’s income and eligibility.

A misconfigured plugin for resizing images on the carrier’s website was blamed for the inadvertent data leak of customer IDs to the open web. Security researcher John Wethington found the exposed data through a simple Google search. He reported the bug to TechCrunch so we could alert the company.

Make no mistake, the bug was bad and the exposure of customer data was far from ideal. But the company’s response to the incident was one of the best I’ve seen in years.

Take notes, because this is how to handle a data breach.

Their response was quick. Assist immediately responded to acknowledge the receipt of my initial email. That’s already a positive sign, knowing that the company was looking into the issue.

LA gets a big SAAS exit as Fastly nabs the Culver City-based Signal Sciences for $775M

Los Angeles was always more than a one industry town, even when it comes to technology startups, but media and entertainment (and social networking) were always the big draws in tinseltown.

Now the city’s enterprise tech scene can claim a really big winner with Signal Sciences, the security monitoring and management company that is getting bought by Fastly, a provider of content delivery networking services, for $775 million.

“Our team couldn’t be more excited about the opportunity to join Fastly to continue to drive forward security protections that empower developers. But we also believe this is a great moment to showcase the diversity of the LA technology scene,” wrote Signal Sciences chief executive, Andrew Peterson, in a direct message. “Being the largest enterprise tech outcome ever here, we’re just one of so many great deep technology companies who are paving the way for the next generation of SoCal based start ups. We’re thrilled to help lead the way for the broader tech community in Los Angeles.”

Content delivery and security go hand-in-hand and some of the biggest companies online use businesses like Fastly and its competitor, Cloudflare, to ensure that their online presence doesn’t go offline — and that browsers can quickly download and deliver websites.

Fastly said that the acquisition of Signal Sciences’ business will boost its ability to provide better security for applications and APIs — the connective fabric between different services that knit different technologies together behind the scenes.

With the acquisition, Fastly is planting a flag as a new competitor in the cybersecurity market, even as companies like Amazon, Microsoft, and Google offer a wider array of services under their Internet as a service business lines.

Application security is a higher value piece of the services stack and it takes advantage of the natural position that a company like Fastly has as a content distribution network.

“Fastly was founded to meet developers’ need for greater visibility and control. Now, as the digital transformation movement continues to accelerate, DevOps teams are struggling with inadequate and inflexible security tools,” said Joshua Bixby, Chief Executive Officer of Fastly, in a statement. “Together with Signal Sciences, we will give developers modern security tools designed for the way they work.”

Under the terms of the agreement Fastly is buying Signal Sciences for $200 million in cash and approximately $575 million worth of stock, subject to customary adjustments for transactions, according to a statement.

Fastly is also setting up a $50 million retention pool of restricted stock units to give out to Signal Sciences employees.

Signal Sciences employees aren’t the only winners in the deal. The company raised $63 million in venture financing from investors including CRV, Harrison Metal, Index Ventures, Oreilly Alphatech Ventures, Lead Edge Capital, and individual investors including former Facebook security officer Alex Stamos, and Etsy chief executive Chad Dickerson.

The company’s last round was a $35 million investment raised about two years ago, and one investor with knowledge of the company’s cap table called it a “pretty efficient exit” for its backers.

Morgan Stanley & Co. and Union Square Advisors are acting as financial advisors to Fastly, and Cooley LLP is acting as its legal advisor with regard to the transaction, according to a statement. Qatalyst Partners is acting as financial advisor to Signal Sciences, while Goodwin Procter was the company’s lawyer.

How Have I Been Pwned became the keeper of the internet’s biggest data breaches

When Troy Hunt launched Have I Been Pwned in late 2013, he wanted it to answer a simple question: Have you fallen victim to a data breach?

Seven years later, the data-breach notification service processes thousands of requests each day from users who check to see if their data was compromised — or pwned with a hard ‘p’ — by the hundreds of data breaches in its database, including some of the largest breaches in history. As it’s grown, now sitting just below the 10 billion breached-records mark, the answer to Hunt’s original question is more clear.

“Empirically, it’s very likely,” Hunt told me from his home on Australia’s Gold Coast. “For those of us that have been on the internet for a while it’s almost a certainty.”

What started out as Hunt’s pet project to learn the basics of Microsoft’s cloud, Have I Been Pwned quickly exploded in popularity, driven in part by its simplicity to use, but largely by individuals’ curiosity.

As the service grew, Have I Been Pwned took on a more proactive security role by allowing browsers and password managers to bake in a backchannel to Have I Been Pwned to warn against using previously breached passwords in its database. It was a move that also served as a critical revenue stream to keep down the site’s running costs.

But Have I Been Pwned’s success should be attributed almost entirely to Hunt, both as its founder and its only employee, a one-man band running an unconventional startup, which, despite its size and limited resources, turns a profit.

As the workload needed to support Have I Been Pwned ballooned, Hunt said the strain of running the service without outside help began to take its toll. There was an escape plan: Hunt put the site up for sale. But, after a tumultuous year, he is back where he started.

Ahead of its next big 10-billion milestone mark, Have I Been Pwned shows no signs of slowing down.

‘Mother of all breaches’

Even long before Have I Been Pwned, Hunt was no stranger to data breaches.

By 2011, he had cultivated a reputation for collecting and dissecting small — for the time — data breaches and blogging about his findings. His detailed and methodical analyses showed time and again that internet users were using the same passwords from one site to another. So when one site was breached, hackers already had the same password to a user’s other online accounts.

Then came the Adobe breach, the “mother of all breaches” as Hunt described it at the time: Over 150 million user accounts had been stolen and were floating around the web.

Hunt obtained a copy of the data and, with a handful of other breaches he had already collected, loaded them into a database searchable by a person’s email address, which Hunt saw as the most common denominator across all the sets of breached data.

And Have I Been Pwned was born.

It didn’t take long for its database to swell. Breached data from Sony, Snapchat and Yahoo soon followed, racking up millions more records in its database. Have I Been Pwned soon became the go-to site to check if you had been breached. Morning news shows would blast out its web address, resulting in a huge spike in users — enough at times to briefly knock the site offline. Hunt has since added some of the biggest breaches in the internet’s history: MySpace, Zynga, Adult Friend Finder, and several huge spam lists.

As Have I Been Pwned grew in size and recognition, Hunt remained its sole proprietor, responsible for everything from organizing and loading the data into the database to deciding how the site should operate, including its ethics.

Hunt takes a “what do I think makes sense” approach to handling other people’s breached personal data. With nothing to compare Have I Been Pwned to, Hunt had to write the rules for how he handles and processes so much breach data, much of it highly sensitive. He does not claim to have all of the answers, but relies on transparency to explain his rationale, detailing his decisions in lengthy blog posts.

His decision to only let users search for their email address makes logical sense, driven by the site’s only mission, at the time, to tell a user if they had been breached. But it was also a decision centered around user privacy that helped to future-proof the service against some of the most sensitive and damaging data he would go on to receive.

In 2015, Hunt obtained the Ashley Madison breach. Millions of people had accounts on the site, which encourages users to have an affair. The breach made headlines, first for the breach, and again when several users died by suicide in its wake.

The hack of Ashley Madison was one of the most sensitive entered into Have I Been Pwned, and ultimately changed how Hunt approached data breaches that involved people’s sexual preferences and other personal data. (AP Photo/Lee Jin-man, File)

Hunt diverged from his usual approach, acutely aware of its sensitivities. The breach was undeniably different. He recounted a story of one person who told him how their local church posted a list of the names of everyone in the town who was in the data breach.

“It’s clearly casting a moral judgment,” he said, referring to the breach. “I don’t want Have I Been Pwned to enable that.”

Unlike earlier, less sensitive breaches, Hunt decided that he would not allow anyone to search for the data. Instead, he purpose-built a new feature allowing users who had verified their email addresses to see if they were in more sensitive breaches.

“The purposes for people being in that data breach were so much more nuanced than what anyone ever thought,” Hunt said. One user told him he was in there after a painful break-up and had since remarried but was labeled later as an adulterer. Another said she created an account to catch her husband, suspected of cheating, in the act.

“There is a point at which being publicly searchable poses an unreasonable risk to people, and I make a judgment call on that,” he explained.

The Ashely Madison breach reinforced his view on keeping as little data as possible. Hunt frequently fields emails from data breach victims asking for their data, but he declines every time.

“It really would not have served my purpose to load all of the personal data into Have I Been Pwned and let people look up their phone numbers, their sexualities, or whatever was exposed in various data breaches,” said Hunt.

“If Have I Been Pwned gets pwned, it’s just email addresses,” he said. “I don’t want that to happen, but it’s a very different situation if, say, there were passwords.”

But those remaining passwords haven’t gone to waste. Hunt also lets users search more than half a billion standalone passwords, allowing users to search to see if any of their passwords have also landed in Have I Been Pwned.

Anyone — even tech companies — can access that trove of Pwned Passwords, he calls it. Browser makers and password managers, like Mozilla and 1Password, have baked-in access to Pwned Passwords to help prevent users from using a previously breached and vulnerable password. Western governments, including the U.K. and Australia, also rely on Have I Been Pwned to monitor for breached government credentials, which Hunt also offers for free.

“It’s enormously validating,” he said. “Governments, for the most part, are trying to do things to keep countries and individuals safe — working under extreme duress and they don’t get paid much,” he said.

“There have been similar services that have popped up. They’ve been for-profit — and they’ve been indicted.”
Troy Hunt

Hunt recognizes that Have I Been Pwned, as much as openness and transparency is core to its operation, lives in an online purgatory under which any other circumstances — especially in a commercial enterprise — he would be drowning in regulatory hurdles and red tape. And while the companies whose data Hunt loads into his database would probably prefer otherwise, Hunt told me he has never received a legal threat for running the service.

“I’d like to think that Have I Been Pwned is at the far-legitimate side of things,” he said.

Others who have tried to replicate the success of Have I Been Pwned haven’t been as lucky.

“There have been similar services that have popped up,” said Hunt. “They’ve been for-profit — and they’ve been indicted,” he said.

LeakedSource was, for a time, one of the largest sellers of breach data on the web. I know, because my reporting broke some of their biggest gets: music streaming service Last.fm, adult dating site AdultFriendFinder, and Russian internet giant Rambler.ru to name a few. But what caught the attention of federal authorities was that LeakedSource, whose operator later pleaded guilty to charges related to trafficking identity theft information, indiscriminately sold access to anyone else’s breach data.

“There is a very legitimate case to be made for a service to give people access to their data at a price.”

Hunt said he would “sleep perfectly fine” charging users a fee to access their data. “I just wouldn’t want to be accountable for it if it goes wrong,” he said.

Project Svalbard

Five years into Have I Been Pwned, Hunt could feel the burnout coming.

“I could see a point where I would be if I didn’t change something,” he told me. “It really felt like for the sustainability of the project, something had to change.”

He said he went from spending a fraction of his time on the project to well over half. Aside from juggling the day-to-day — collecting, organizing, deduplicating and uploading vast troves of breached data — Hunt was responsible for the entirety of the site’s back office upkeep — its billing and taxes — on top of his own.

The plan to sell Have I Been Pwned was codenamed Project Svalbard, named after the Norweigian seed vault that Hunt likened Have I Been Pwned to, a massive stockpile of “something valuable for the betterment of humanity,” he wrote announcing the sale in June 2019. It would be no easy task.

Hunt said the sale was to secure the future of the service. It was also a decision that would have to secure his own. “They’re not buying Have I Been Pwned, they’re buying me,” said Hunt. “Without me, there’s just no deal.” In his blog post, Hunt spoke of his wish to build out the service and reach a larger audience. But, he told me, it was not about the money

As its sole custodian, Hunt said that as long as someone kept paying the bills, Have I Been Pwned would live on. “But there was no survivorship model to it,” he admitted. “I’m just one person doing this.”

By selling Have I Been Pwned, the goal was a more sustainable model that took the pressure off him, and, he joked, the site wouldn’t collapse if he got eaten by a shark, an occupational hazard for living in Australia.

But chief above all, the buyer had to be the perfect fit.

Hunt met with dozens of potential buyers, and many in Silicon Valley. He knew what the buyer would look like, but he didn’t yet have a name. Hunt wanted to ensure that whomever bought Have I Been Pwned upheld its reputation.

“Imagine a company that had no respect for personal data and was just going to abuse the crap out of it,” he said. “What does that do for me?” Some potential buyers were driven by profits. Hunt said any profits were “ancillary.” Buyers were only interested in a deal that would tie Hunt to their brand for years, buying the exclusivity to his own recognition and future work — that’s where the value in Have I Been Pwned is.

Hunt was looking for a buyer with whom he knew Have I Been Pwned would be safe if he were no longer involved. “It was always about a multiyear plan to try and transfer the confidence and trust people have in me to some other organizations,” he said.

Hunt testifies to the House Energy Subcommittee on Capitol Hill in Washington, Thursday, Nov. 30, 2017. (AP Photo/Carolyn Kaster)

The vetting process and due diligence was “insane,” said Hunt. “Things just drew out and drew out,” he said. The process went on for months. Hunt spoke candidly about the stress of the year. “I separated from my wife early last year around about the same time as the [sale process],” he said. They later divorced. “You can imagine going through this at the same time as the separation,” he said. “It was enormously stressful.”

Then, almost a year later, Hunt announced the sale was off. Barred from discussing specifics thanks to non-disclosure agreements, Hunt wrote in a blog post that the buyer, whom he was set on signing with, made an unexpected change to their business model that “made the deal infeasible.”

“It came as a surprise to everyone when it didn’t go through,” he told me. It was the end of the road.

Looking back, Hunt maintains it was “the right thing” to walk away. But the process left him back at square one without a buyer and personally down hundreds of thousands in legal fees.

After a bruising year for his future and his personal life, Hunt took time to recoup, clambering for a normal schedule after an exhausting year. Then the coronavirus hit. Australia fared lightly in the pandemic by international standards, lifting its lockdown after a brief quarantine.

Hunt said he will keep running Have I Been Pwned. It wasn’t the outcome he wanted or expected, but Hunt said he has no immediate plans for another sale. For now it’s “business as usual,” he said.

In June alone, Hunt loaded over 102 million records into Have I Been Pwned’s database. Relatively speaking, it was a quiet month.

“We’ve lost control of our data as individuals,” he said. But not even Hunt is immune. At close to 10 billion records, Hunt has been ‘pwned’ more than 20 times, he said.

Earlier this year Hunt loaded a massive trove of email addresses from a marketing database — dubbed ‘Lead Hunter’ — some 68 million records fed into Have I Been Pwned. Hunt said someone had scraped a ton of publicly available web domain record data and repurposed it as a massive spam database. But someone left that spam database on a public server, without a password, for anyone to find. Someone did, and passed the data to Hunt. Like any other breach, he took the data, loaded it in Have I Been Pwned, and sent out email notifications to the millions who have subscribed.

“Job done,” he said. “And then I got an email from Have I Been Pwned saying I’d been pwned.”

He laughed. “It still surprises me the places that I turn up.”

Related stories:

Decrypted: DEA spying on protesters, DDoS attacks, Signal downloads spike

This week saw protests spread across the world sparked by the murder of George Floyd, an unarmed Black man, killed by a white police officer in Minneapolis last month.

The U.S. hasn’t seen protests like this in a generation, with millions taking to the streets each day to lend their voice and support. But they were met with heavily armored police, drones watching from above, and “covert” surveillance by the federal government.

That’s exactly why cybersecurity and privacy is more important than ever, not least to protect law-abiding protesters demonstrating against police brutality and institutionalized, systemic racism. It’s also prompted those working in cybersecurity — many of which are former law enforcement themselves — to check their own privilege and confront the racism from within their ranks and lend their knowledge to their fellow citizens.


THE BIG PICTURE

DEA allowed ‘covert surveillance’ of protesters

The Justice Department has granted the Drug Enforcement Administration, typically tasked with enforcing federal drug-related laws, the authority to conduct “covert surveillance” on protesters across the U.S., effectively turning the civilian law enforcement division into a domestic intelligence agency.

The DEA is one of the most tech-savvy government agencies in the federal government, with access to “stingray” cell site simulators to track and locate phones, a secret program that allows the agency access to billions of domestic phone records, and facial recognition technology.

Lawmakers decried the Justice Department’s move to allow the DEA to spy on protesters, calling on the government to “immediately rescind” the order, describing it as “antithetical” to Americans’ right to peacefully assembly.

Cloudflare partners with JD to expand its network in China

Cloudflare today announced a new partnership with JD Cloud & AI that will see the company expand its network in Chinato an additional 150 data centers. Currently, Cloudflare is available in 17 data centers in mainland China, thanks to a long-standing partnership with Baidu, but this new deal is obviously significantly larger.

CloudFlare’s original partnership with Baidu launched in 2015. The idea then, as now, was to give Cloudflare a foothold in one of the fastest-growing internet markets by providing Chinese companies better reach customers inside and outside of the country, but also — and maybe more importantly — to allow foreign companies to better reach the vast Chinese market.

“I think there are very few Western technology companies that have figured out how to operate in China,” Matthew Prince, the CEO and co-founder Cloudflare told me. “And I think we’re really proud of the fact that we’ve done that. What I’ve learned about China — certainly in the last six years that we’ve been directly working with partners there, […] has been that while it’s an enormous market and an enormous opportunity […], it’s still a very tight-knot technology community there — and one with a very long memory.”

GettyImages 489573216

SAN FRANCISCO, CA – SEPTEMBER 22: (L-R) Matthew Prince and Michelle Zatlyn of CloudFlare speak onstage during day two of TechCrunch Disrupt SF 2015 at Pier 70 on September 22, 2015 in San Francisco, California. (Photo by Steve Jennings/Getty Images for TechCrunch)

He attributes the fact that Cloudflare was a good partner to Baidu for so many years to JD’s interest in working with the company as well. That partnership with Baidu will continue (Prince called them a “terrific partner”). This new deal with JD, however, will now also give Cloudflare the ability to reach another set of Chinese enterprises, too, that are currently betting on that company’s cloud.

“As we got to know them, JD really stood out,” Prince said. “I think they’re first of all really one of the up and coming cloud providers in China. And I think that then means that marrying Cloudflare’s services with JD’s services makes their overall cloud platform much more robust for Chinese customers.” He also noted that JD has relationships with many large Chinese businesses that are increasingly looking to go global.

To put this deal into perspective, today, Cloudflare operates in about 200 cities. Adding another 150 to this — even if it’s through a partner — marks a major expansion for the company.

As for the deal itself, Prince said that its structure is similar to the deal it made with Baidu. “We contribute the technology and the know-how to build a network out across China. They introduce capital in order to build that network out and also have some financial guarantees to us and then we share in the upside of what happens as we’re both able to sell the China network or as JD is able to sell Cloudflare’s services outside of China.”

When the company first went to China through Baidu, it was criticized for going into a market where there some obvious issues around free speech. Prince, who has been pretty outspoken about free speech issues, seems to be taking a rather pragmatic approach here.

“[Free speech] is certainly something we thought about a lot when we first made the decision to go into China in 2014,” he said. “And I think we’ve learned a lot about it. Around the world, whether it’s China or Turkey or Egypt or the United Kingdom or Brazil or increasingly even the United States, there are rules about what content can be accessed there. Regardless of what my personal feelings might be — and I grew up as a son of a journalist and in the United States and have seen the power of having a very free press and really, really, really strong freedom of expression protection. But I also think that every country doesn’t have the same tradition and the same laws as the United States. And I think that what we have tried to do everywhere that we operate, is comply with whatever the regional laws are. And it’s hard to do anything else.”

Cloudflare expects that it will take three years before all of the data centers will go online.

“I’m thrilled to establish this strategic collaboration with Cloudflare,” said Dr. Bowen Zhou, President of JD Cloud & AI. “Cloudflare’s mission of ‘helping to build a better Internet,’ closely aligns with JD Cloud & AI’s commitment to provide the best service possible to global partners. Leveraging JD.com’s rich experience across vast business scenarios, as well as its logistics and technological capabilities, we believe that this collaboration will provide valuable services that will transform how business is done for users inside and outside of China.”

Decrypted: Post-coronavirus, Auth0’s close call, North Korea warning, Awake’s Series C

Welcome to a look back at the past week in security and what it means for you. Each week we’ll look at the big news of the week and why it matters.

What will the world look like after the coronavirus pandemic subsides?

Some of us are now in our fifth week of sheltering in place, but there’s no fixed end-date in sight. We’ve gone from a period of confusion and concern to testing and mitigation. Now we’re starting to look ahead at the world post-coronavirus. Things still have to get done. But how do we regain a semblance of normality in the middle of a pandemic?

Tech can be the answer but it’s not a panacea; Apple and Google have explained more about their contact tracing efforts to help better understand the spread of the virus seems promising. But privacy concerns and worries that the system could be abused have raised justified concerns. On the other hand, with a U.S. presidential election slated for later this year, many experts want tech out of the picture in favor of a secure solution that uses paper ballots.

Will tech save the day, or will it kick us while we’re down? Let’s dive in.


THE BIG PICTURE

Voting by mail should be having its moment. Will it?

This year’s U.S. presidential election will still go ahead — it’s in the constitution as an immutable fact — but a pandemic throws a wrench in the works.

But security experts say electronic voting isn’t secure or resilient enough to protect from foreign interference. Even the more established mobile voting offerings have been shown to be deeply flawed.

Cloudflare is giving away its security tools to US political campaigns

Network security giant Cloudflare said it will provide its free security tools and services to U.S. political campaigns, as part of its efforts to secure upcoming elections against cyberattacks and election interference.

The company said its new Cloudflare for Campaigns offering will include distributed denial-of-service attack mitigation, load balancing for campaign websites, a website firewall, and anti-bot protections.

It’s an expansion of the company’s security offering for journalists, civil rights activists and humanitarian groups under its Project Galileo, which aims to protect against disruptive cyberattacks. The project later expanded to smaller state and local government sites in 2018, with an aim of protecting servers containing voter registration data and other election infrastructure from attacks.

Now the company is offering its security services to 11 of the 17 presidential campaigns, it said, but wants to ensure that its offering is “available to the largest campaigns are also available to smaller campaigns as well.”

Cloudflare’s co-founder and chief executive Matthew Prince said there was a “clear need” to help campaigns secure not only their public facing websites but also their internal data security.

The company said it’s working with the non-partisan, non-profit organization Defending Digital Campaigns to provide its services to campaigns. Last year the Federal Elections Commission changed the rules to allow political campaigns to receive discounted cybersecurity assistance, which was previously a campaign finance violation.

Why CEOs should spend up to half their time recruiting

Hiring the right people may be the most important thing you do when you start a new company. But how much time should founders spend on hiring when there are so many other competing demands?

Last week, we discussed team-building and several other issues during a panel on the Extra Crunch stage at Disrupt Berlin with Cloudflare CEO Matthew Prince and Red Points CEO Laura Urquizu.

“I was looking through early emails the other day,” said Prince . “I had forgotten how hard it was to hire people in the very beginning. I think that [Cloudflare co-founder] Michelle [Zatlyn] and I spent probably at least 70% of our time in the first two years just begging people to work for us.”

While it’s a hard job to get right, Prince said he didn’t believe that this was a job he should have outsourced to recruiters. “Fundamentally, as the founder and leader of an organization, your job is to attract and retain the best best possible people,” Prince argued. “And so even to this day, at least a third of my time is spent on recruiting.”

Red Points co-founder Urquizu agreed, noting that she also spends at least a third of her time on recruiting. But she also argued that as you grow as a company, your needs may change and you may need to let some people go.

“I usually say that what brought us here is not going to bring us to the next stage — and that includes people,” she said. “It’s not pleasant and it is very hard when you have to say ‘bye’ to people that have been with you in the journey for two years, or for one year, or three years, but then you need to find the next people that are gonna come along with you in the next stage.”