Decrypted: DEA spying on protesters, DDoS attacks, Signal downloads spike

This week saw protests spread across the world sparked by the murder of George Floyd, an unarmed Black man, killed by a white police officer in Minneapolis last month.

The U.S. hasn’t seen protests like this in a generation, with millions taking to the streets each day to lend their voice and support. But they were met with heavily armored police, drones watching from above, and “covert” surveillance by the federal government.

That’s exactly why cybersecurity and privacy is more important than ever, not least to protect law-abiding protesters demonstrating against police brutality and institutionalized, systemic racism. It’s also prompted those working in cybersecurity — many of which are former law enforcement themselves — to check their own privilege and confront the racism from within their ranks and lend their knowledge to their fellow citizens.


THE BIG PICTURE

DEA allowed ‘covert surveillance’ of protesters

The Justice Department has granted the Drug Enforcement Administration, typically tasked with enforcing federal drug-related laws, the authority to conduct “covert surveillance” on protesters across the U.S., effectively turning the civilian law enforcement division into a domestic intelligence agency.

The DEA is one of the most tech-savvy government agencies in the federal government, with access to “stingray” cell site simulators to track and locate phones, a secret program that allows the agency access to billions of domestic phone records, and facial recognition technology.

Lawmakers decried the Justice Department’s move to allow the DEA to spy on protesters, calling on the government to “immediately rescind” the order, describing it as “antithetical” to Americans’ right to peacefully assembly.

Cloudflare partners with JD to expand its network in China

Cloudflare today announced a new partnership with JD Cloud & AI that will see the company expand its network in Chinato an additional 150 data centers. Currently, Cloudflare is available in 17 data centers in mainland China, thanks to a long-standing partnership with Baidu, but this new deal is obviously significantly larger.

CloudFlare’s original partnership with Baidu launched in 2015. The idea then, as now, was to give Cloudflare a foothold in one of the fastest-growing internet markets by providing Chinese companies better reach customers inside and outside of the country, but also — and maybe more importantly — to allow foreign companies to better reach the vast Chinese market.

“I think there are very few Western technology companies that have figured out how to operate in China,” Matthew Prince, the CEO and co-founder Cloudflare told me. “And I think we’re really proud of the fact that we’ve done that. What I’ve learned about China — certainly in the last six years that we’ve been directly working with partners there, […] has been that while it’s an enormous market and an enormous opportunity […], it’s still a very tight-knot technology community there — and one with a very long memory.”

GettyImages 489573216

SAN FRANCISCO, CA – SEPTEMBER 22: (L-R) Matthew Prince and Michelle Zatlyn of CloudFlare speak onstage during day two of TechCrunch Disrupt SF 2015 at Pier 70 on September 22, 2015 in San Francisco, California. (Photo by Steve Jennings/Getty Images for TechCrunch)

He attributes the fact that Cloudflare was a good partner to Baidu for so many years to JD’s interest in working with the company as well. That partnership with Baidu will continue (Prince called them a “terrific partner”). This new deal with JD, however, will now also give Cloudflare the ability to reach another set of Chinese enterprises, too, that are currently betting on that company’s cloud.

“As we got to know them, JD really stood out,” Prince said. “I think they’re first of all really one of the up and coming cloud providers in China. And I think that then means that marrying Cloudflare’s services with JD’s services makes their overall cloud platform much more robust for Chinese customers.” He also noted that JD has relationships with many large Chinese businesses that are increasingly looking to go global.

To put this deal into perspective, today, Cloudflare operates in about 200 cities. Adding another 150 to this — even if it’s through a partner — marks a major expansion for the company.

As for the deal itself, Prince said that its structure is similar to the deal it made with Baidu. “We contribute the technology and the know-how to build a network out across China. They introduce capital in order to build that network out and also have some financial guarantees to us and then we share in the upside of what happens as we’re both able to sell the China network or as JD is able to sell Cloudflare’s services outside of China.”

When the company first went to China through Baidu, it was criticized for going into a market where there some obvious issues around free speech. Prince, who has been pretty outspoken about free speech issues, seems to be taking a rather pragmatic approach here.

“[Free speech] is certainly something we thought about a lot when we first made the decision to go into China in 2014,” he said. “And I think we’ve learned a lot about it. Around the world, whether it’s China or Turkey or Egypt or the United Kingdom or Brazil or increasingly even the United States, there are rules about what content can be accessed there. Regardless of what my personal feelings might be — and I grew up as a son of a journalist and in the United States and have seen the power of having a very free press and really, really, really strong freedom of expression protection. But I also think that every country doesn’t have the same tradition and the same laws as the United States. And I think that what we have tried to do everywhere that we operate, is comply with whatever the regional laws are. And it’s hard to do anything else.”

Cloudflare expects that it will take three years before all of the data centers will go online.

“I’m thrilled to establish this strategic collaboration with Cloudflare,” said Dr. Bowen Zhou, President of JD Cloud & AI. “Cloudflare’s mission of ‘helping to build a better Internet,’ closely aligns with JD Cloud & AI’s commitment to provide the best service possible to global partners. Leveraging JD.com’s rich experience across vast business scenarios, as well as its logistics and technological capabilities, we believe that this collaboration will provide valuable services that will transform how business is done for users inside and outside of China.”

Decrypted: Post-coronavirus, Auth0’s close call, North Korea warning, Awake’s Series C

Welcome to a look back at the past week in security and what it means for you. Each week we’ll look at the big news of the week and why it matters.

What will the world look like after the coronavirus pandemic subsides?

Some of us are now in our fifth week of sheltering in place, but there’s no fixed end-date in sight. We’ve gone from a period of confusion and concern to testing and mitigation. Now we’re starting to look ahead at the world post-coronavirus. Things still have to get done. But how do we regain a semblance of normality in the middle of a pandemic?

Tech can be the answer but it’s not a panacea; Apple and Google have explained more about their contact tracing efforts to help better understand the spread of the virus seems promising. But privacy concerns and worries that the system could be abused have raised justified concerns. On the other hand, with a U.S. presidential election slated for later this year, many experts want tech out of the picture in favor of a secure solution that uses paper ballots.

Will tech save the day, or will it kick us while we’re down? Let’s dive in.


THE BIG PICTURE

Voting by mail should be having its moment. Will it?

This year’s U.S. presidential election will still go ahead — it’s in the constitution as an immutable fact — but a pandemic throws a wrench in the works.

But security experts say electronic voting isn’t secure or resilient enough to protect from foreign interference. Even the more established mobile voting offerings have been shown to be deeply flawed.

Cloudflare is giving away its security tools to US political campaigns

Network security giant Cloudflare said it will provide its free security tools and services to U.S. political campaigns, as part of its efforts to secure upcoming elections against cyberattacks and election interference.

The company said its new Cloudflare for Campaigns offering will include distributed denial-of-service attack mitigation, load balancing for campaign websites, a website firewall, and anti-bot protections.

It’s an expansion of the company’s security offering for journalists, civil rights activists and humanitarian groups under its Project Galileo, which aims to protect against disruptive cyberattacks. The project later expanded to smaller state and local government sites in 2018, with an aim of protecting servers containing voter registration data and other election infrastructure from attacks.

Now the company is offering its security services to 11 of the 17 presidential campaigns, it said, but wants to ensure that its offering is “available to the largest campaigns are also available to smaller campaigns as well.”

Cloudflare’s co-founder and chief executive Matthew Prince said there was a “clear need” to help campaigns secure not only their public facing websites but also their internal data security.

The company said it’s working with the non-partisan, non-profit organization Defending Digital Campaigns to provide its services to campaigns. Last year the Federal Elections Commission changed the rules to allow political campaigns to receive discounted cybersecurity assistance, which was previously a campaign finance violation.

Why CEOs should spend up to half their time recruiting

Hiring the right people may be the most important thing you do when you start a new company. But how much time should founders spend on hiring when there are so many other competing demands?

Last week, we discussed team-building and several other issues during a panel on the Extra Crunch stage at Disrupt Berlin with Cloudflare CEO Matthew Prince and Red Points CEO Laura Urquizu.

“I was looking through early emails the other day,” said Prince . “I had forgotten how hard it was to hire people in the very beginning. I think that [Cloudflare co-founder] Michelle [Zatlyn] and I spent probably at least 70% of our time in the first two years just begging people to work for us.”

While it’s a hard job to get right, Prince said he didn’t believe that this was a job he should have outsourced to recruiters. “Fundamentally, as the founder and leader of an organization, your job is to attract and retain the best best possible people,” Prince argued. “And so even to this day, at least a third of my time is spent on recruiting.”

Red Points co-founder Urquizu agreed, noting that she also spends at least a third of her time on recruiting. But she also argued that as you grow as a company, your needs may change and you may need to let some people go.

“I usually say that what brought us here is not going to bring us to the next stage — and that includes people,” she said. “It’s not pleasant and it is very hard when you have to say ‘bye’ to people that have been with you in the journey for two years, or for one year, or three years, but then you need to find the next people that are gonna come along with you in the next stage.”

Cloudflare says cutting off customers like 8chan is an IPO ‘risk factor’

Networking and web security giant Cloudflare says the recent 8chan controversy may be an ongoing “risk factor” for its business on the back of its upcoming initial public offering.

The San Francisco-based company and former Battlefield finalist, which filed its IPO paperwork with the U.S. Securities and Exchange Commission on Thursday, earlier this month took the rare step of pulling the plug on one of its customers, 8chan, an anonymous message board linked to recent domestic terrorist attacks in El Paso, Texas and Dayton, Ohio, which killed 31 people. The site is also linked to the shootings in New Zealand, which killed 50 people.

8chan became the second customer to have its service cut off by Cloudflare in the aftermath of the attacks. The first and other time Cloudflare booted one of its customers was neo-Nazi website The Daily Stormer in 2017, after it claimed the networking giant was secretly supportive of the website.

Cloudflare, which provides web security and denial-of-service protection for websites, recognizes those customer cut-offs as a risk factor for investors buying shares in the company’s common stock.

“Activities of our paying and free customers or the content of their websites and other Internet properties could cause us to experience significant adverse political, business, and reputational consequences with customers, employees, suppliers, government entities, and other third parties,” the filing said. “Even if we comply with legal obligations to remove or disable customer content, we may maintain relationships with customers that others find hostile, offensive, or inappropriate.”

Cloudflare had long taken a stance of not policing who it provides service to, citing freedom of speech. In a 2015 interview with ZDNet, chief executive Matthew Prince said he didn’t ever want to be in a position where he was making “moral judgments on what’s good and bad,” and would instead defer to the courts.

“If a final court order comes down and says we can’t do something… governments have tanks and guns,” he said.

But since Prince changed his stance on both The Daily Stormer and 8chan, the company recognized it “experienced significant negative publicity” in the aftermath.

“We are aware of some potential customers that have indicated their decision to not subscribe to our products was impacted, at least in part, by the actions of certain of our paying and free customers,” said the filing. “We may also experience other adverse political, business and reputational consequences with prospective and current customers, employees, suppliers, and others related to the activities of our paying and free customers, especially if such hostile, offensive, or inappropriate use is high profile.”

Cloudflare has also come under fire in recent months for allegedly supplying web protection services to sites that promote and support terrorism, including al-Shabaab and the Taliban, both of which are covered under U.S. Treasury sanctions.

In response, the company said it tries “to be neutral,” but wouldn’t comment specifically on the matter.

Cloudflare files for initial public offering

After much speculation and no small amount of controversy, Cloudflare, one of the companies that ensures that websites run smoothly on the internet, has filed for its initial public offering.

The company, which made its debut on TechCrunch’s Battlefield stage back in 2010, has put a placeholder value of the offering at $100 million, but it will likely be worth billions when it finally trades on the market.

Cloudflare is one of a clutch of businesses whose job it is to make web sites run better, faster and with little to no downtime.

Recently the company has been at the center of political debates around some of the customers and company it keeps, including social media networks like 8chan and racist media companies like the Daily Stormer.

Indeed, the company went so far as to cite 8chan as a risk factor in its public offering documents.

As far as money goes, Cloudflare is — like other early-stage technology companies — losing money. But it’s not losing that much money, and its growth is impressive.

As the company notes in its filing with the Securities and Exchange Commission:

We have experienced significant growth, with our revenue increasing from $84.8 million in 2016 to $134.9 million in 2017 and to $192.7 million in 2018, increases of 59% and 43%, respectively. As we continue to invest in our business, we have incurred net losses of $17.3 million, $10.7 million, and $87.2 million for 2016, 2017, and 2018, respectively. For the six months ended June 30, 2018 and 2019, our revenue increased from $87.1 million to $129.2 million, an increase of 48%, and we incurred net losses of $32.5 million and $36.8 million, respectively.

Cloudflare sits at the intersection of government policy and private company operations and its potential risk factors include a discussion about what that could mean for its business.

The company isn’t the first network infrastructure service provider to hit the market. That distinction belongs to Fastly, whose shares likely have not performed as well as investors would have liked.

Screen Shot 2019 08 15 at 10.10.17 AM

Cloudflare has raised roughly $332 million to date from investors, including Franklin Templeton Investments, Fidelity, Union Square Ventures, New Enterprise Associates, Pelion Venture Partners and Venrock. Business Insider reported that the company’s last investment gave Cloudflare a valuation of $3.2 billion.

The company will trade on the New York Stock Exchange under the ticker symbol “NET.” Underwriters on the company’s public offering include Goldman Sachs, Morgan Stanley, JP Morgan, Jefferies, Wells Fargo Securities and RBC Capital Markets.

Apple expands its bug bounty, increases maximum payout to $1M

Apple is finally giving security researchers something they’ve wanted for years: a macOS bug bounty.

The technology giant said Thursday it will roll out the bug bounty program to include Macs and MacBooks, as well as Apple TV and Apple Watch, almost exactly three years after it debuted its bug bounty program for iOS.

The idea is simple: you find a vulnerability, you disclose it to Apple, they fix it — and in return you get a cash payout. These programs are wildly popular in the tech industry as it helps to fund security researchers in exchange for serious security flaws that could otherwise be used by malicious actors, and also helps fill the void of bug finders selling their vulnerabilities to exploit brokers, and on the black market, who might abuse the flaws to conduct surveillance.

But Apple had dragged its feet on rolling out a bug bounty to its range of computers. Some security researchers had flat-out refused to report security flaws to Apple in absence of a bug bounty.

At the Black Hat conference in Las Vegas, head of security engineering and architecture Ivan Krstić announced the program to run alongside its existing iOS bug bounty.

Patrick Wardle, a security expert and principle security researcher at Jamf, said the move was a “no brainer.”

Wardle has found several major security vulnerabilities and dropped zero-days — details of flaws published without allowing the companies a chance to fix — citing the lack of a macOS bug bounty. He has long criticized Apple for not having a bug bounty, accusing the company of leaving a void open for security researchers to sell their flaws to exploit brokers who often use the vulnerabilities for nefarious reasons.

“Granted, they hired many incredible talented researchers and security professionals — but still never really had a transparent mutually beneficial relationship with external independent researchers,” said Wardle.

“Sure this is a win for Apple, but ultimately this a huge win for Apple’s end users,” he added.

Apple said it will open its bug bounty program to all researchers and increase the size of the bounty from the current maximum of $200,000 per exploit to $1 million for a zero-click, full chain kernel code execution attack with persistence — in other words, if an attacker can gain complete control of a phone without any user interaction and simply by knowing a target’s phone number.

Apple also said that any researcher who finds a vulnerability in pre-release builds that’s reported before general release will qualify for up to 50% bonus on top of the category of vulnerability they discover.

The bug bounty programs will be available to all security researchers beginning later this year.

The company also confirmed a Forbes report, published earlier this week, saying it will give a number of “dev” iPhones to vetted and trusted security researchers and hackers under the new iOS Security Research Device Program. These devices are special devices that give the hackers greater access to the underlying software and operating system to help them find vulnerabilities typically locked away from other security researchers — such as secure shell.

Apple said that it hopes expanding its bug bounty program will encourage more researchers to privately disclose security flaws, which will help to increase the protection of its customers.

Read more:
Apple restricts ads and third-party trackers in iPhone apps for kids
New book looks inside Apple’s legal fight with the FBI
Apple has pushed a silent Mac update to remove hidden Zoom web server
Many popular iPhone apps secretly record your screen without asking
Apple rebukes Australia’s ‘dangerously ambiguous’ anti-encryption bill
Apple Card will make credit card fraud a lot more difficult

Capital One’s breach was inevitable, because we did nothing after Equifax

Another day, another massive data breach.

This time it’s the financial giant and credit card issuer Capital One, which revealed on Monday a credit file breach affecting 100 million Americans and 6 million Canadians. Consumers and small businesses affected are those who obtained one of the company’s credit cards dating back to 2005.

That includes names, addresses, phone numbers, dates of birth, self-reported income and more credit card application data — including over 140,000 Social Security numbers in the U.S., and more than a million in Canada.

The FBI already has a suspect in custody. Seattle resident and software developer Paige A. Thompson, 33, was arrested and detained pending trial. She’s been accused of stealing data by breaching a web application firewall, which was supposed to protect it.

Sound familiar? It should. Just last week, credit rating giant Equifax settled for more than $575 million over a date breach it had — and hid from the public for several months — two years prior.

Why should we be surprised? Equifax faced zero fallout until its eventual fine. All talk, much bluster, but otherwise little action.

Equifax’s chief executive Richard Smith “retired” before he was fired, allowing him to keep his substantial pension packet. Lawmakers grilled the company but nothing happened. An investigation launched by the former head of the Consumer Financial Protection Bureau, the governmental body responsible for protecting consumers from fraud, declined to pursue the company. The FTC took its sweet time to issue its fine — which amounted to about 20% of the company’s annual revenue for 2018. For one of the most damaging breaches to the U.S. population since the breach of classified vetting files at the Office of Personnel Management in 2015, Equifax got off lightly.

Legislatively, nothing has changed. Equifax remains as much of a “victim” in the eyes of the law as it was before — technically, but much to the ire of the millions affected who were forced to freeze their credit as a result.

Mark Warner, a Democratic senator serving Virginia, along with his colleague since turned presidential candidate Elizabeth Warren, was tough on the company, calling for it to do more to protect consumer data. With his colleagues, he called on the credit agencies to face penalties to the top brass and extortionate fines to hold the companies accountable — and to send a message to others that they can’t play fast and loose with our data again.

But Congress didn’t bite. Warner told TechCrunch at the time that there was “a failure of the company, but also of lawmakers” for not taking action.

Lo and behold, it happened again. Without a congressional intervention, Capital One is likely to face largely the same rigmarole as Equifax did.

Blame the lawmakers all you want. They had their part to play in this. But fool us twice, shame on the credit companies for not properly taking action in the first place.

The Equifax incident should have sparked a fire under the credit giants. The breach was the canary in the coal mine. We watched and waited to see what would happen as the canary’s lifeless body emerged — but, much to the American public’s chagrin, no action came of it. The companies continued on with the mentality that “it could happen to us, but probably won’t.” It was always going to happen again unless there was something to force the companies to act.

Companies continue to vacuum up our data — knowingly and otherwise — and don’t do enough to protect it. As much as we can have laws to protect consumers from this happening again, these breaches will continue so long as the companies continue to collect our data and not take their data security responsibilities seriously.

We had an opportunity to stop these kinds of breaches from happening again, yet in the two years passed we’ve barely grappled with the basic concepts of internet security. All we have to show for it is a meager fine.

Thompson faces five years in prison and a fine of up to $250,000.

Everyone else faces just another major intrusion into their personal lives. Not at the hands of the hacker per se, but the companies that collect our data — with our consent and often without — and take far too many liberties with it.

Internet group brands Mozilla ‘internet villain’ for supporting DNS privacy feature

An industry group of internet service providers has branded Firefox browser maker Mozilla an “internet villain” for supporting a DNS security standard.

The U.K.’s Internet Services Providers’ Association (ISPA), the trade group for U.K. internet service providers, nominated the browser maker for its proposed effort to roll out the security feature, which they say will allow users to “bypass UK filtering obligations and parental controls, undermining internet safety standards in the U.K.”

Mozilla said late last year it was planning to test DNS-over-HTTPS to a small number of users.

Whenever you visit a website — even if it’s HTTPS enabled — the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. The security standard is implemented at the app level, making Mozilla the first browser to use DNS-over-HTTPS. By encrypting the DNS query it also protects the DNS request against man-in-the-middle attacks, which allow attackers to hijack the request and point victims to a malicious page instead.

DNS-over-HTTPS also improves performance, making DNS queries — and the overall browsing experience — faster.

But the ISPA doesn’t think DNS-over-HTTPS is compatible with the U.K.’s current website blocking regime.

Under U.K. law, websites can be blocked for facilitating the infringement of copyrighted or trademarked material or if they are deemed to contain terrorist material or child abuse imagery. In encrypting DNS queries, it’s claimed that it will make it more difficult for internet providers to filter their subscribers’ internet access.

The ISPA isn’t alone. U.K. spy agency GCHQ and the Internet Watch Foundation, which maintains the U.K.’s internet blocklist, have criticized the move to roll out encrypted DNS features to the browser.

But the ISPA’s nomination quickly drew ire from the security community. Amid a backlash on social media, the ISPA doubled down on its position. “Bringing in DNS-over-HTTPS by default would be harmful for online safety, cybersecurity and consumer choice,” but said it encourages “further debate.”

When reached, a Mozilla spokesperson did not immediately comment.

Mozilla isn’t the first to roll out DNS-over-HTTPS. Last year Cloudflare released a mobile version of its 1.1.1.1 privacy-focused DNS service to include DNS-over-HTTPS. Months earlier Google-owned Jigsaw released its censorship-busting app Infra, which aimed to prevent DNS manipulation.

Mozilla has yet to set a date for the full release of DNS-over-HTTPS in Firefox.