Cyber Saturday—The War on InfoWars

Good evening, Cyber Saturday readers.

A number of tech companies excised the rantings and ravings of Alex Jones, a pundit known for promulgating deranged conspiracy theories, from their digital repositories this past week.

On his website, InfoWars, Jones has been known to push baseless, detestable claims; for example, that the Sandy Hook massacre was a hoax and the September 11th attacks were orchestrated by the government. Fed up with Jones’ antics, Apple, Facebook, Spotify, and YouTube—with the notable exception of Twitter—corked his megaphone.

Add this confrontation to the longstanding tug-of-war between free speech and censorship on the web. One of my favorite contributions to this dialogue was supplied last year by Matthew Prince, CEO and cofounder of Cloudflare, a startup offering services that improve website performance and security. By policy, Prince’s firm chooses to protect all comers, whether that’s the webpage of an ecommerce startup or a black market site. Cloudflare has long maintained that policing the Internet is a job for, well, the police—not for itself.

Until Prince broke his own rule. As the CEO described it in a blog post, one day he felt a customer crossed the line. The Daily Stormer, a neo-Nazi sympathizing site, said that Prince’s company was a secret supporter of its ideology. That went too far—and to prove the point, Prince gave the site the boot.

“Now, having made that decision, let me explain why it’s so dangerous,” Prince wrote. “Without a clear framework as a guide for content regulation, a small number of companies will largely determine what can and cannot be online.”

Subverting his own decision, Prince continued: “Law enforcement, legislators, and courts have the political legitimacy and predictability to make decisions on what content should be restricted. Companies should not.”

I don’t have an easy answer for these predicaments. But as I considered Facebook’s move, the words of the company’s parting security chief, Alex Stamos, rang in my ears. “We need to be willing to pick sides when there are clear moral or humanitarian issues,” he said in March, part of a letter addressed to Facebook that leaked publicly. “And we need to be open, honest and transparent about our challenges and what we are doing to fix them.”

Amen to that. What do you make of this debate, dear reader? I would like to hear from you. What is the right course of action for these companies? Is Twitter CEO Jack Dorsey in the right for keeping Jones afloat, or not?

Do write. I welcome your thoughts.

Have a great weekend.

Robert Hackett

@rhhackett

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

At DefCon, the Biggest Election Threat Is Lack of Funding

Now in its second year, the Voting Machine Hacking Village at the DefCon security conference in Las Vegas features a new set of voting machines—all of which will actually be used in the 2018 midterm elections—for attendees to analyze and attack. But as eager attendees get to work familiarizing themselves with the devices and revealing their weaknesses, another call has emerged from the Village as well: Finding bugs is great. But you also need the money to fix them.

Election officials can’t act on findings about voting machine and voting infrastructure vulnerabilities, DefCon speakers noted on Friday, if they don’t have the money to replace obsolete equipment, invest in network improvements, launch post-election audit programs, and hire cybersecurity staff. Some progress has come, but not enough, and too slowly.

“While I thank the United States Congress for appropriating $340 million last month, let me be abundantly clear, we need more resources,” said Alex Padilla, the secretary of state of California and the state’s top election official. “All the things that we know we have to do, all the things that I’m going to learn and observe when I go down to the Village after this panel, to implement and act on all of these findings, recommendations, and discoveries we need official resources.”

After all, it took nearly two decades for Congress to appropriate that recent election security windfall; it came from the 2002 Help America Vote Act. “That’s butterfly ballot hanging chad money, not cyberthreats 2016, 2018, 2020 money,” Padilla says. In recent months, Congress has failed to pass various bills that would fund election security and infrastructure improvements ahead of the midterms. And though the bipartisan Secure Elections Act has been steadily gaining momentum in the Senate—and was introduced through a companion bill in the House on Friday—it is likely still months away from potentially becoming law.

After months of silence on the topic, the Trump Administration said at the end of July that it would “continue to provide the support necessary to the owners of elections systems—state and local governments—to secure their elections.” Department of Homeland Security top cybersecurity official Jeanette Manfra echoed that sentiment at DefCon on Friday, noting that election officials “do a lot with not a lot of resources, and now they’re on the front lines trying to deal with a lot of these issues. They can’t do it alone.”

Jake Braun, a co-organizer of the Voting Village and a former White House and public liaison for DHS, pointed out on Friday that even a project like the DefCon research workshop is costly and would be out of reach for many organizations. “This is a volunteer operation,” he said. “None of us make a dime off of this; we actually lose money.”

The findings that come out of the Voting Village this weekend, and those from researchers more broadly, continue to provide crucial information, as security advocates work to raise the bar of voting machine defense around the US and shape guidelines for vendors. But knowledge can only go so far without the resources required to act on it.

“Most election officials have one or two people in their office,” says Noah Praetz, the director of elections for Cook County, Illinois, who also attended the Voting Village last year. “They outsource most of the work they do, and it’s really difficult” to keep up with the constant stream of election system-related vulnerability advisories.

Voting infrastructure desperately needs vetting from hackers. But now that that idea has more widespread support, the next item on the punch list is funding.


Bugs in Mobile Credit Card Readers Could Expose Buyers

The tiny, portable credit card readers you use to pay at farmer’s markets, bake sales, and smoothie shops are convenient for consumers and merchants alike. But while more and more transactions are passing through them, devices sold by four of the leading companies in the space—Square, SumUp, iZettle, and PayPal—turn out to have a variety of concerning security flaws.

Leigh-Anne Galloway and Tim Yunusov from the security firm Positive Technologies looked at seven mobile point of sale devices in all. What they found wasn’t pretty: bugs that allowed them to manipulate commands using Bluetooth or mobile apps, modify payment amounts in magstripe swipe transactions, and even gain full remote control of a point of sale device.

“The very simple question that we had was how much security can be embedded in a device that costs less than $50?” Galloway says. “With that in mind we started off quite small by looking at two vendors and two card readers, but it quickly grew to become a much bigger project.”

All four manufacturers are addressing the issue, and not all models were vulnerable to all of the bugs. In the case of Square and PayPal, the vulnerabilities were found in third-party hardware made by a company called Miura. The researchers are presenting their findings Thursday at the Black Hat security conference.

The researchers found that they could exploit bugs in Bluetooth and mobile app connectivity to the devices to intercept transactions or modify commands. The flaws could allow an attacker to disable chip-based transactions, forcing customers to use a less secure magstripe swipe, and making it easier to steal data and clone customer cards.

Alternatively, a rogue merchant could make the mPOS device appear to decline a transaction to get a user to repeat it multiple times, or to change the total of a magstripe transaction up to the $50,000 limit. By intercepting the traffic and clandestinely modifying the value of the payment, an attacker could get a customer to approve a normal-looking transaction that is really worth much more. In these types of frauds, customers rely on their banks and credit card issuers to insure their losses, but magstripe is a deprecated protocol, and businesses who continue to use it now hold the liability.

The researchers also reported issues with firmware validation and downgrading that could allow an attacker to install old or tainted firmware versions, further exposing the devices.

The researchers found that in the Miura M010 Reader, which Square and PayPal formerly sold as a third-party device, they could exploit connectivity flaws to gain full remote code execution and file system access in the reader. Galloway notes that a third-party attacker might particularly want to use this control to change the mode of a PIN pad from encrypted to plaintext, known as “command mode,” to observe and collect customer PIN numbers.

The researchers evaluated accounts and devices used in the US and European regions, since they’re configured differently in each place. And while all of the terminals the researchers tested contained at least some vulnerabilities, the worst of it was limited to just a few of them.

“The Miura M010 Reader is a third-party credit card chip reader that we initially offered as a stopgap and today is used by only a few hundred Square sellers. As soon as we became aware of a vulnerability affecting the Miura Reader, we accelerated existing plans to drop support for the M010 Reader,” a Square spokesperson told WIRED. “Today it is no longer possible to use the Miura Reader on the Square ecosystem.”

“SumUp can confirm that there has never been any fraud attempted through its terminals using the magnetic stripe-based method outlined in this report,” said a SumUp spokesperson. “All the same, as soon as the researchers contacted us, our team successfully removed any possibility of such an attempt at fraud in the future.”

“We recognize the important role that researchers and our user community play in helping to keep PayPal secure,” a spokesperson said in a statement. “PayPal’s systems were not impacted and our teams have remediated the issues.”

iZettle did not return a request from WIRED for comment, but the researchers say that the company is remediating its bugs as well.

Galloway and Yunusov were happy with the proactive response from vendors. They hope, though, that their findings will raise awareness about the broader issue of making security a development priority for low cost embedded devices.

“The kind of issues we see with this market base you can see applying more broadly to IoT,” Galloway says. “With something like a card reader you would have an expectation of a certain level of security as a consumer or a business owner. But many of these companies haven’t been around for that long and the products themselves aren’t very mature. Security isn’t necessarily going to be embedded into the development process.”


Qualcomm settles with Taiwan antitrust regulator for T$2.73 billion

TAIPEI (Reuters) – Mobile chipmaker Qualcomm Inc is settling an antitrust case brought against it by Taiwan regulators by paying T$2.73 billion ($89 million), the island’s Fair Trade Commission said on Friday.

The commission said Qualcomm also agreed to bargain in good faith with other chip and phone makers in patent-licensing deals.

In 2017, the commission fined Qualcomm $778 million for refusing to sell chips to mobile handset makers that wouldn’t agree to its patent-licensing terms and for cutting iPhone maker Apple Inc a royalty discount in exchange for the exclusive use of Qualcomm’s modem chips in the past.

Reporting By Yimou Lee in TAIPEI and Stephen Nellis in SAN FRANCISCO; Editing by Muralikumar Anantharaman

Dun & Bradstreet to go private for $5.38 billion

(Reuters) – Data and analytics company Dun & Bradstreet Corp said on Wednesday it would be acquired by a group of investors led by CC Capital, Cannae Holdings and funds affiliated with Thomas H. Lee Partners LP, for $5.38 billion in cash.

Dun & Bradstreet shareholders will receive $145 in cash for each common share, the company said.

The price represents a premium of 18 percent to the stock’s Wednesday close. The deal value is based on 37.1 million shares outstanding, according to Thomson Reuters data.

Including debt of $1.5 billion, the deal is valued at $6.9 billion.

The deal will be financed through a combination of committed equity financing provided by the investor group, as well as debt financing, the company said.

J.P. Morgan is serving as financial adviser to Dun & Bradstreet, and Cleary Gottlieb Steen & Hamilton LLP is serving as its legal counsel.

Reporting by Shubham Kalia in Bengaluru; Editing by Gopakumar Warrier

These 5 Simple Strategies Helped This CEO Grow His Startup Into a Multibillion-Dollar Company

Plenty of tech companies these days are able to go public without being profitable. That’s because investors keep driving up their shares due to their ability to grow faster than expected.

Needless to say, the strategy of investing in fast-growing, money-losing companies works well until investors are gripped by the fear that such companies will bleed out.

Avoiding this danger is what’s behind my four-stage scaling model:

One of the possible flaws in the market for financing startups is that some companies can go public despite losing buckets of money. In my way of looking at things, they skip the second stage in my scaling model — which is to lower a company’s costs to sell and provide service to customers as it gets bigger — and investors are happy to let them get away with being unprofitable as long as they grow quickly.

A good example of this is San Jose, Calif.-based data storage supplier Nutanix, which has enjoyed expectations-beating revenue growth but has never managed to make a profit. However, this has not stopped its stock from rising from $16 at its September 2016 IPO to about $52 on August 6th, 2018.

Co-founder and CEO Dheeraj Pandey helped illustrate five lessons that can help you achieve greater startup success.

1. Set investors’ expectations on your own terms.

Most public companies operate on the premise that they should beat analysts’ revenue and earnings targets and raise their expectations every quarter. But CEOs of private companies are usually more focused on rapid revenue growth and less on profits.

A CEO who succeeds in taking a company public and runs it successfully thereafter ought not to be too shackled by the beat and raise mentality. Instead, such CEOs should offer investors a different way to think about this tradeoff. Nutanix does this.

As Pandey told me, “We believe that the right balance between the two is measured by the rule of 40: our revenue growth rate plus free cash flow as a percent of revenue should be at least 40 — ours is 49.”

2. Focus on your employees and customers.

I believe that if a company hires people who want to give customers great products and excellent service, the customers will keep buying from the company and shareholders will benefit.

Pandey agrees. As he said, “When you have to stay connected to [your customers], you have to be humble, you have to be hungry and you have to be paranoid, and be very honest about things. Because [your customer base] doesn’t give a hoot about what your stock price is.”

3. Redefine your job every year.

Very few get to take their companies public and keep running them. These rare CEOs I called marathoners in my book, Startup Cities. Such CEOs usually start off as product innovators and morph into organization builders. Founders who can’t do that get replaced by CEOs who do.

Pandey has changed his role over the years. “In year one, I wrote 20,000 lines of code to get the product out the door. In year two, I was acting as the VP of engineering and writing code, and in year three, I was acting more like a CEO — as a generalist. Even today part of my role is as a product manager and architect.”

4. Think of every day as if it were the first.

As I wrote in my book, Value Leadership, companies must fight complacency by thinking about every day as if it was the first and putting talented people with entrepreneurial potential in charge of key parts of the business.

Pandey says he does this. As he said, “The paradox of growth is that growth creates complexity which kills growth. We always think of it being day one — we keep our scrappiness.”

5. Build a culture that keeps you in everyone’s mind.

Culture is important because the CEO can’t make all the decisions. It’s the values that a CEO believes are essential to the company’s success and the actions it expects people to take without having to ask permission.

Nutanix has a culture. “We are launching the 12 cultural principles and putting them in the hallways and meeting rooms. Even though I cannot physically be in every room, with these principles I will be there mentally,” said Pandey.

If you are not following these five principles now, doing so could make you more successful.

Salesforce appoints Keith Block as co-CEO

(Reuters) – U.S. sales and marketing software company Salesforce.com Inc (CRM.N) on Tuesday said its board appointed Chief Operating Officer Keith Block as its co-chief executive officer.

Block served as the company’s vice chairman, president and a director since joining Salesforce in June 2013. He has been the company’s COO since February 2016.

Salesforce also appointed its co-founder and Chief Technology Officer Parker Harris to the board, it said in a separate statement.

Reporting by Shubham Kalia in Bengaluru; Editing by Sandra Maler

Apple, YouTube, and others drop conspiracy theorist Alex Jones

(Reuters) – Apple Inc, Alphabet Inc’s YouTube, Facebook Inc and Spotify all took down podcasts and channels from U.S. conspiracy theorist Alex Jones, saying on Monday that the Infowars author had broken community standards.

The sweeping moves are the broadest actions yet by internet companies that previously have suspended or removed some of the conspiracy-driven content produced by Infowars.

Since founding Infowars in 1999, Jones has built a vast audience. Among the theories he has promoted is that the Sept. 11, 2001, attacks on New York and Washington were staged by the government.

Facebook said it removed Alex Jones pages “for glorifying violence, which violates our graphic violence policy, and using dehumanizing language to describe people who are transgender, Muslims and immigrants, which violates our hate speech policies.”

The Infowars app remained available on the app stores hosted by Apple and Alphabet’s Google Play, however, while Twitter Inc said that Infowars accounts were not currently in violation of its rules.

Alphabet and Apple did not immediately respond to questions about why the app remained available on their platforms.

Infowars editor-at-large Paul Joseph Watson said in a tweet here that the broad take-downs amounted to censorship and were intended to help Democrats in congressional elections due in November.

“Infowars is widely credited with having played a key role in electing Donald Trump. By banning Infowars, big tech is engaging in election meddling just three months before crucial mid-terms,” Watson wrote on the Infowars website.

Neither Jones nor a representative for Infowars was available for additional comment. None of the companies that took down the content commented on whether they had coordinated their actions.

The Alex Jones Channel on YouTube on Monday displayed a banner saying the account had been terminated for violating community guidelines, and a spokesperson added by email that repeated violation of policies such as those prohibiting hate speech and harassment led to termination of accounts.

Apple deleted most Infowars podcasts and a spokeswoman said in a statement that the company “does not tolerate hate speech” and publishes guidelines that developers and publishers must follow.

“Podcasts that violate these guidelines are removed from our directory making them no longer searchable or available for download or streaming,” Apple said in a statement. “We believe in representing a wide range of views, so long as people are respectful to those with differing opinions.”

Only one program provided by Infowars, “RealNews with David Knight,” remained on Apple’s podcasts platforms on Monday. BuzzFeed earlier reported that Apple had removed the library for five of Jones’s six Infowars podcasts, including the shows “War Room” and the daily “The Alex Jones Show.”

Twitter said in an email that content posted to other websites often was not put on Twitter and that tweets from Infowars typically were replied to by people rebutting and challenging it. If Infowars violates Twitter rules in the future, it will take action, it added.

Music and podcast company Spotify said on Monday that it had now removed all of Jones’s Infowars programs from its platform, after last week removing some programs.

A representative said that Spotify took seriously reports of hate content. “Due to repeated violations of Spotify’s prohibited content policies, The Alex Jones Show has lost access to the Spotify platform,” the representative said.

In late July, Facebook had suspended Jones’s personal profile for 30 days for what the company said was bullying and hate speech.

Jones has also promoted a theory that the 2012 Sandy Hook school massacre was faked by left-wing forces to promote gun control. The shooting left 26 children and adults dead at a Connecticut elementary school.

He is being sued in Texas by two Sandy Hook parents, seeking at least $1 million, claiming that they have been the subject of harassment driven by his programs.

Reporting by Rich McKay in Atlanta; Additional reporting by Sonam Rai, Ishita Chigilli Palli and Arjun Panchadar in Bengaluru and Peter Henderson, Paresh Dave and Stephen Nellis in San Francisco; Editing by Nick Zieminski and Rosalba O’Brien

FCC Admits Its Website Wasn’t Hacked During Net Neutrality Commenting. Ajit Pai Blames Obama Hire

The FCC’s inspector general said that the agency’s commenting system was not hacked by distributed denial of service (DDoS) attacks on May 7, 2017, despite claims by FCC officials then and a refusal to address the issue by FCC Chair Ajit Pai and others in intervening months. This included the FCC failing to respond to congressional demands for more information. The comments related to Pai’s plan to overturn network neutrality rules clarified during the Obama administration.

The actual cause? A technical failure to handle many people simultaneously heeding John Oliver on HBO’s Last Week Tonight to post comments in favor of net neutrality.

Pai now states that he was misled, despite ample time within the agency to review the information and make a determination separate from the Office of the Inspector General (OIG), especially after it admitted to Gizmodo in July 2017 in response to a Freedom of Information Act request that it had no record of an analysis that led to the conclusion of an attack, nor any written record of the IT staff documenting that an attack had occurred.

Separately, the issue that as many as 94% of the 23 million comments successfully submitted were clogged with duplicates and contained mostly forgeries remains unaddressed, and has also dogged the credibility of Pai and others at the FCC. The attorney general of New York at the time opened an investigation. In May 2018, two Democratic senators demanded new security measures for commenting and accountability for previous failures in a letter to Pai.

The OIG report denying an attack in May 2017 has not yet appeared, but FCC Chair Ajit Pai released a statement to try to set the news coverage agenda, placing all blame on one person, David Bray: “I am deeply disappointed that the FCC’s former Chief Information Officer (CIO), who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people.”

This wasn’t the first time the comment system locked up, nor the first time Bray was fingered as making an unsupportable statement. In 2014, Oliver also asked viewers to post comments supporting net neutrality and the system went down. According to reporting in August 2017 from Gizmodo, Bray allegedly leaked information to Motherboard in 2014, following that crash, claiming that malicious activity was responsible.

Gizmodo reported that no information emerged showing an attack in 2014. Pai’s statement purports that the contents of the FCC’s Office of the Inspector General (OIG) report reveal the same.

The FCC voted December 14, 2017, in a party-line 3-2 split, to repeal rules set in 2015 that prohibited Internet service providers from throttling, prioritizing, or discriminating data based on site, service, or device, among other regulations.

What Is Snapchat Dysmorphia And How It May Lead To More Plastic Surgery

Feeling too good about your looks? Think that you are just too darn hot? Worried that your sexiness and self-confidence will intimidate far too many people? Not spending enough time obsessing over your appearance? Well, there is always Snapchat, Instagram, or other photo-sharing platforms to take your self-esteem down a few pegs.

In fact, doctors are worried that the spread of photo-editing technology and photo-sharing can really screw up the way you view yourself. There is even an unofficial new term, Snapchat dysmorphia, to describe what may happen. The term is a riff on body dysmorphic disorder (BDD), a mental health condition where you have a very distorted view of your own appearance. You focus obsessively on what you perceive as flaws in your appearance and exhibit accompanying compulsive behaviors such as excessively checking yourself in the mirror, grooming, and asking others about your looks and even getting unnecessary plastic surgery. Snapchat dysmorphia is essentially some form of BDD triggered by seeing too many unrealistic pictures on social media. Of course, the problem is not Snapchat specific. One could also coin the terms “Instagram Ick” or “Can’t Stand My Face On Facebook.”

As Susruthi Rajanala, Mayra B. C. Maymone, MD, DSc, and Neelam A. Vashi, MD from Boston University explained in a recent JAMA Facial and Plastic Surgery opinion piece, it used to be that only models and actors could regularly have their faces and bodies altered by photo-editing technology. Not anymore. With the flood of such photo-altering apps and filters and photo sharing platforms, now you and practically anyone else can be like a celebrity, in that way, minus the fame and the money. Thus, you can now choose from many, many more people to make you feel bad about your looks.

This may have real, serious consequences. I’ve written previously for Forbes about how digitally altered photos may be leading to more eating disorders and emotional issues. Additionally, as the opinion piece indicated, improving appearance in selfies seems to be an increasing reason why people are seeking plastic surgery. The availability of filters and other digital editors allows more people to edit their own selfies and then show dermatologists and plastic surgeons what they “want” to look like. Of course, there is a big difference between editing your selfie on a smartphone and editing yourself with a knife and chemicals.

What then can be done about this growing problem? When it comes to photo-editing, the cat is already out of the bag and also being painted on people’s faces. (No, your friends probably don’t really have cat ears and noses.) Society will never return to a time where only analog photographs existed. Digital technologies will only get more and more advanced to the point where reality will be harder and harder to discern.

Thus, the solution will be in the people and not the photos or technology. Our society has become way too obsessed with appearance and arbitrarily chosen standards for appearance. If you are like many others, you may be choosing whom you work with, whom you befriend, whom you date, and even whom you listen to based simply on superficial appearance. But unless you are a face mask manufacturer, chances are you are placing way too much emphasis on the wrong things.

Instead, try to focus on and develop real talents, abilities, and skills. To my knowledge, Snapchat and Instagram still don’t have filters that can add thinking ability, insight, compassion, and personality to people. As a general rule, if you can easily change something on Snapchat or Instagram, it probably wasn’t worth that much in the first place.