The U.K. company behind digital addressing system What3Words has sent a legal threat to a security researcher for offering to share an open-source software project with other researchers, which What3Words claims violates its copyright.
Aaron Toponce, a systems administrator at XMission, received a letter on Thursday from a law firm representing What3Words, requesting that he delete tweets related to the open source alternative, WhatFreeWords. The letter also demands that he disclose to the law firm the identity of the person or people with whom he had shared a copy of the software, agree that he would not make any further copies of the software, and delete any copies of the software he had in his possession.
The letter gave him until May 7 to agree, after which What3Words would “waive any entitlement it may have to pursue related claims against you,” a thinly-veiled threat of legal action.
“This is not a battle worth fighting,” he said in a tweet. Toponce told TechCrunch that he has complied with the demands, fearing legal repercussions if he didn’t. He has also asked the law firm twice for links to the tweets they want deleting but has not heard back. “Depending on the tweet, I may or may not comply. Depends on its content,” he said.
The legal threat sent to Aaron Toponce. (Image: supplied)
U.K.-based What3Words divides the entire world into three-meter squares and labels each with a unique three-word phrase. The idea is that three words are easier to share on the phone in an emergency than having to find and read out precise geographic coordinates.
But security researcher Andrew Tierney recently discovered that What3Words would sometimes have two similarly-named squares less than a mile apart, potentially causing confusion about a person’s true whereabouts. In a later write-up, Tierney said What3Words was not adequate for use in safety-critical cases.
It’s not the only downside. Critics have long argued that What3Words’ proprietary geocoding technology, which it bills as “life-saving,” makes it harder to examine it for problems or security vulnerabilities.
But the project’s website was nevertheless subjected to a copyright takedown request filed by What3Words’ counsel. Even tweets that pointed to cached or backup copies of the code were removed by Twitter at the lawyers’ requests.
Toponce — a security researcher on the side — contributed to the research of Tierney, who was tweeting out his findings as he went. Toponce said that he offered to share a copy of the WhatFreeWords code with other researchers to help Tierney with his ongoing research into What3Words. Toponce told TechCrunch that receiving the legal threat may have been a combination of offering to share the code and also finding problems with What3Words.
In its letter to Toponce, What3Words argues that WhatFreeWords contains its intellectual property and that the company “cannot permit the dissemination” of the software.
Regardless, several websites still retain copies of the code and are easily searchable through Google, and TechCrunch has seen several tweets linking to the WhatFreeWords code since Toponce went public with the legal threat. Tierney, who did not use WhatFreeWords as part of his research, said in a tweet that What3Words’ reaction was “totally unreasonable given the ease with which you can find versions online.”
We asked What3Words if the company could point to a case where a judicial court has asserted that WhatFreeWords has violated its copyright. What3Words spokesperson Miriam Frank did not respond to multiple requests for comment.
Australian security software house Click Studios has told customers not to post emails sent by the company about its data breach, which allowed malicious hackers to push a malicious update to its flagship enterprise password manager Passwordstate to steal customer passwords.
Last week, the company told customers to “commence resetting all passwords” stored in its flagship password manager after the hackers pushed the malicious update to customers over a 28-hour window between April 20-22. The malicious update was designed to contact the attacker’s servers to retrieve malware designed to steal and send the password manager’s contents back to the attackers.
In an email to customers, Click Studios did not say how the attackers compromised the password manager’s update feature, but included a link to a security fix.
But news of the breach only became public after Danish cybersecurity firm CSIS Group published a blog post with details of the attack hours after Click Studios emailed its customers.
Click Studios claims Passwordstate is used by “more than 29,000 customers,” including in the Fortune 500, government, banking, defense and aerospace, and most major industries.
In a Wednesday advisory on its website, Click Studios said that customers are “requested not to post Click Studios correspondence on Social Media.” The email adds: “It is expected that the bad actor is actively monitoring Social Media, looking for information they can use to their advantage, for related attacks.”
“It is expected the bad actor is actively monitoring social media for information on the compromise and exploit. It is important customers do not post information on Social Media that can be used by the bad actor. This has happened with phishing emails being sent that replicate Click Studios email content,” the company said.
Besides a handful of advisories published by the company since the breach was discovered, the company has refused to comment or respond to questions.
It’s also not clear if the company has disclosed the breach to U.S. and EU authorities where the company has customers, but where data breach notification rules obligate companies to disclose incidents. Companies can be fined up to 4% of their annual global revenue for falling foul of Europe’s GDPR rules.
Click Studios chief executive Mark Sandford has not responded to repeated requests (from TechCrunch) for comment. Instead, TechCrunch received the same canned autoresponse from the company’s support email saying that the company’s staff are “focused only on assisting customers technically.”
TechCrunch emailed Sandford again on Thursday for comment on the latest advisory, but did not hear back.
Cybersecurity nightmares like the SolarWinds hack highlight how malicious hackers continue to exploit vulnerabilities in software and apps to do their dirty work. Today a startup that’s built a platform to help organizations protect themselves from this by running threat detection and response at the network level is announcing a big round of funding to continue its growth.
Vectra AI, which provides a cloud-based service that uses artificial intelligence technology to monitor both on-premise and cloud-based networks for intrusions, has closed a round of $130 million at a post-money valuation of $1.2 billion.
The challenge that Vectra is looking to address is that applications — and the people who use them — will continue to be weak links in a company’s security set-up, not least because malicious hackers are continually finding new ways to piece together small movements within them to build, lay and finally use their traps. While there will continue to be an interesting, and mostly effective, game of cat-and-mouse around those applications, a service that works at the network layer is essential as an alternative line of defense, one that can find those traps before they are used.
“Think about where the cloud is. We are in the wild west,” Hitesh Sheth, Vectra’s CEO, said in an interview. “The attack surface is so broad and attacks happen at such a rapid rate that the security concerns have never been higher at the enterprise. That is driving a lot of what we are doing.”
Sheth said that the funding will be used in two areas. First, to continue expanding its technology to meet the demands of an ever-growing threat landscape — it also has a team of researchers who work across the business to detect new activity and build algorithms to respond to it. And second, for acquisitions to bring in new technology and potentially more customers.
(Indeed, there has been a proliferation of AI-based cybersecurity startups in recent years, in areas like digital forensics, application security and specific sectors like SMBs, all of which complement the platform that Vectra has built, so you could imagine a number of interesting targets.)
The funding is being led by funds managed by Blackstone Growth, with unnamed existing investors participating (past backers include Accel, Khosla and TCV, among other financial and strategic investors). Vectra today largely focuses on enterprises, highly demanding ones with a lot at stake. Blackstone was initially a customer of Vectra’s, using the company’s flagship Cognito platform, Viral Patel — the senior MD who led the investment for the firm — pointed out to me.
The company has built some specific products that have been very prescient in anticipating vulnerabilities in specific applications and services. While it said that sales of its Cognito platform grew 100% last year, Cognito Detect for Microsoft Office 365 (a separate product) sales grew over 700%. Coincidentally, Microsoft’s cloud apps have faced a wave of malicious threats. Sheth said that implementing Cognito (or indeed other network security protection) “could have prevented the SolarWinds hack” for those using it.
“Through our experience as a client of Vectra, we’ve been highly impressed by their world-class technology and exceptional team,” John Stecher, CTO at Blackstone, said in a statement. “They have exactly the types of tools that technology leaders need to separate the signal from the noise in defending their organizations from increasingly sophisticated cyber threats. We’re excited to back Vectra and Hitesh as a strategic partner in the years ahead supporting their continued growth.”
Looking ahead, Sheth said that endpoint security will not be a focus for the moment because “in cloud there is so much open territory”. Instead it partners with the likes of CrowdStrike, SentinelOne, Carbon Black and others.
In terms of what is emerging as a stronger entry point, social media is increasingly coming to the fore, he said. “Social media tends to be an effective vector to get in and will remain to be for some time,” he said, with people impersonating others and suggesting conversations over encrypted services like WhatsApp. “The moment you move to encryption and exchange any documents, it’s game over.”
Apple has spent years reinforcing macOS with new security features to make it tougher for malware to break in. But a newly discovered vulnerability broke through most of macOS’ newer security protections with a double-click of a malicious app, a feat not meant to be allowed under Apple’s watch.
Worse, evidence shows a notorious family of Mac malware had already been exploiting this vulnerability for months before it was patched by Apple this week.
Over the years, Macs have adapted to catch the most common types of malware by putting technical obstacles in their way. macOS flags potentially malicious apps masquerading as documents that have been downloaded from the internet. And if macOS hasn’t reviewed the app — a process Apple calls notarization — or if it doesn’t recognize its developer, the app won’t be allowed to run without user intervention.
But security researcher Cedric Owens said the bug he found in mid-March bypasses those checks and allows a malicious app to run.
Owens told TechCrunch that the bug allowed him to build a potentially malicious app to look like a harmless document, which when opened bypasses macOS’ built-in defenses.
“All the user would need to do is double click — and no macOS prompts or warnings are generated,” he told TechCrunch. Owens built a proof-of-concept app disguised as a harmless document that exploits the bug to launch the Calculator app, a way of demonstrating that the bug works without dropping malware. But a malicious attacker could exploit this vulnerability to remotely access a user’s sensitive data simply by tricking a victim into opening a spoofed document, he explained.
The proof-of-concept app disguised as a harmless document running on an unpatched macOS machine. (Image: supplied)
Fearing the potential for attackers to abuse this vulnerability, Owens reported the bug to Apple.
Apple told TechCrunch it fixed the bug in macOS 11.3. Apple also patched earlier macOS versions to prevent abuse, and pushed out updated rules to XProtect, macOS’ in-built anti-malware engine, to block malware from exploiting the vulnerability.
Owens asked Mac security researcher Patrick Wardle to investigate how — and why — the bug works. In a technical blog post today, Wardle explained that the vulnerability triggers due to a logic bug in macOS’ underlying code. The bug meant that macOS was misclassifying certain app bundles and skipping security checks, allowing Owens’ proof-of-concept app to run unimpeded.
In simple terms, macOS apps aren’t a single file but a bundle of different files that the app needs to work, including a property list file that tells the application where the files it depends on are located. But Owens found that taking out this property file and building the bundle with a particular structure could trick macOS into opening the bundle — and running the code inside — without triggering any warnings.
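As an added example (not Wardle's script and not code from the article), here is a minimal defensive scan for the bundle shape described above: an .app directory that carries an executable but no property list. The Contents/MacOS layout and the CFBundleExecutable key are standard macOS bundle conventions; treating a missing or unusable Info.plist as suspicious is this example's own heuristic, and the sample bundle names are constructed.

```python
import os
import plistlib
import sys
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError


def inspect_bundle(bundle: Path) -> str:
    """Classify one .app directory as 'ok', 'no-plist', 'bad-plist' or 'empty'."""
    contents = bundle / "Contents"
    macos_dir = contents / "MacOS"
    executables = []
    if macos_dir.is_dir():
        executables = [p for p in macos_dir.iterdir()
                       if p.is_file() and os.access(p, os.X_OK)]
    if not executables:
        return "empty"  # nothing runnable inside, so nothing to flag
    plist_path = contents / "Info.plist"
    if not plist_path.is_file():
        return "no-plist"  # runnable code but no property list
    try:
        with plist_path.open("rb") as fh:
            info = plistlib.load(fh)
    except (plistlib.InvalidFileException, ExpatError, ValueError, OSError):
        return "bad-plist"
    # A well-formed bundle names its main executable in the property list.
    name = info.get("CFBundleExecutable") if isinstance(info, dict) else None
    if not name or not (macos_dir / name).is_file():
        return "bad-plist"
    return "ok"


def scan(root: Path) -> list[tuple[str, str]]:
    """Walk root and return (path, verdict) for every bundle worth a closer look."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        for d in list(dirnames):
            if d.lower().endswith(".app"):
                dirnames.remove(d)  # report per top-level bundle, do not descend
                verdict = inspect_bundle(Path(dirpath) / d)
                if verdict in ("no-plist", "bad-plist"):
                    findings.append((str(Path(dirpath) / d), verdict))
    return sorted(findings)


def build_sample(root: Path) -> None:
    """Constructed sample tree: one well-formed bundle, one without Info.plist."""
    for name, with_plist in (("Good.app", True), ("Invoice.app", False)):
        macos_dir = root / name / "Contents" / "MacOS"
        macos_dir.mkdir(parents=True)
        exe = macos_dir / "main"
        exe.write_bytes(b"placeholder")  # stand-in for a real executable
        exe.chmod(0o755)
        if with_plist:
            with (root / name / "Contents" / "Info.plist").open("wb") as fh:
                plistlib.dump({"CFBundleExecutable": "main"}, fh)


def demo() -> list[tuple[str, str]]:
    """Run the scan over the constructed sample and return (bundle name, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return [(Path(p).name, v) for p, v in scan(root)]


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise run on the constructed sample.
    if len(sys.argv) > 1:
        results = scan(Path(sys.argv[1]))
    else:
        results = demo()
    for path, verdict in results:
        print(f"{verdict}\t{path}")
```

A hit is a reason to inspect the bundle, not proof of compromise; the scan only reports structure and does not execute or modify anything it finds.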
Wardle described the bug as rendering macOS’ security features as “wholly moot.” He confirmed that Apple’s security updates have fixed the bug. “The update will now result in the correct classification of applications as bundles and ensure that untrusted, unnotarized applications will (yet again) be blocked, and thus the user protected,” he told TechCrunch.
With knowledge of how the bug works, Wardle asked Mac security company Jamf to see if there was any evidence that the bug had been exploited prior to Owens’ discovery. Jamf detections lead Jaron Bradley confirmed that a sample of the Shlayer malware family exploiting the bug was captured in early January, several months prior to Owens’ discovery. Jamf also published a technical blog post about the malware.
“The malware we uncovered using this technique is an updated version of Shlayer, a family of malware that was first discovered in 2018. Shlayer is known to be one of the most abundant pieces of malware on macOS so we’ve developed a variety of detections for its many variants, and we closely track its evolution,” Bradley told TechCrunch. “One of our detections alerted us to this new variant, and upon closer inspection we discovered its use of this bypass to allow it to be installed without an end user prompt. Further analysis leads us to believe that the developers of the malware discovered the zero-day and adjusted their malware to use it, in early 2021.”
Shlayer is adware that intercepts encrypted web traffic — including HTTPS-enabled sites — and injects its own ads, making fraudulent ad money for the operators.
“It’s often installed by tricking users into downloading fake application installers or updaters,” said Bradley. “The version of Shlayer that uses this technique does so to evade built-in malware scanning, and to launch without additional ‘Are you sure’ prompts to the user,” he said.
“The most interesting thing about this variant is that the author has taken an old version of it and modified it slightly in order to bypass security features on macOS,” said Bradley.
Wardle has also published a Python script that will help users detect any past exploitation.
It’s not the first time Shlayer has evaded macOS’ defenses. Last year, Wardle, working with security researcher Peter Dantini, found a sample of Shlayer that had been accidentally notarized by Apple, a process where developers submit their apps to Apple for security checks so the apps can run on millions of Macs unhindered.
Those of us who read a lot of tech and business publications have heard for years about the cybersecurity skills gap. Studies often claim that millions of jobs are going unfilled because there aren’t enough qualified candidates available for hire.
I don’t buy it.
The basic laws of supply and demand mean there will always be people in the workforce willing to move into well-paid security jobs. The problem is not that these folks don’t exist. It’s that CIOs or CISOs typically look right past them if their resumes don’t have a very specific list of qualifications.
In many cases, hiring managers expect applicants to be fully trained on all the technologies their organization currently uses. That not only makes it harder to find qualified candidates, but it also reduces the diversity of experience within security teams — which, ultimately, may weaken the company’s security capabilities and its talent pool.
At Netskope, we take a different approach to staffing for security roles. We know we can teach the cybersecurity skills needed to do the job, so instead, there are two traits we consider more important than specific technical expertise: One is a hunger to learn more about security, which suggests the individual will take the initiative to continuously improve their skills. The other is possession of a skill set that no one else on our security team has.
To understand why I believe our approach has helped us build a stronger security team, think about the long-term benefits of hiring someone with a specific security skill set: How valuable will that exact knowledge be in several years? Probably not very.
Even the most basic security technologies are incredibly dynamic. In most companies, the IT infrastructure is currently in the midst of a massive transition from on-premises to cloud-based systems. Security teams are having to learn new technologies. More than that, they are having to adopt an entirely new mindset, shifting from a focus on protecting specific pieces of hardware to a focus on protecting individuals and applications as their workloads increasingly move outside the corporate network.
More M&A activity is underway in the red-hot field of cybersecurity. In the latest development, private equity giant Thoma Bravo is buying Proofpoint, the SaaS security vendor, for $12.3 billion in cash.
Proofpoint is traded publicly on the Nasdaq exchange and as of its closing price on Friday, it had a market cap of $7.5 billion. This bid, which will see the company go private, is a big hike on its latest share price. The deal has been endorsed by Proofpoint’s board. If approved by shareholders, it will close in Q3 of this year.
The news comes at the same time that Proofpoint released its Q1 earnings, in which it reported revenues of $287.8 million, up 15% versus $249.8 million for the quarter a year ago — and also beating analysts’ expectations, which on average were expecting revenues of $281.6 million, according to Yahoo Finance data.
It also, however, reported a GAAP net loss of $45.3 million, working out to a loss per share of $0.79. That’s narrowed from a net loss of $66.8 million a year ago, but is still a net loss. Non-GAAP net income for the first quarter of 2021 was $31.5 million, or $0.49 per share, the company said.
The acquisition news is coming in the wake of Proofpoint making a number of acquisitions of its own over the years. Its deals have included Cloudmark, Weblife, ObserveIT and Meta Networks, all deals valued in the hundreds of millions of dollars. But at the same time, it is also facing up against not only a growing pool of cybersecurity competitors, but also cyber threats — exacerbated in no small part by the huge shift the world has seen to cloud services, remote working and more transactions carried out online.
Proofpoint CEO Gary Steele said in a statement the acquisition to go private will allow the company to be “more agile with greater flexibility to continue investing in innovation, building on our leadership position and staying ahead of threat actors.”
The company is probably best known for email-based security tools, which remain a very significant business, especially when you consider how so many breaches start with what appear to be innocent emails but are in reality malicious intent vectors, hiding bad actors, dodgy links and more for malicious hackers to worm their way into bigger networks via unassuming individuals.
But as those who watch the security space know, the threat goes well beyond those kinds of breaches, and so Proofpoint has also increasingly moved into other applications and services managed in the cloud.
Its competitors include the likes of Symantec, Mimecast, Trend Micro and Barracuda. Analysts project that security-as-a-service (the other kind of SaaS) will be worth some $26 billion by 2025, growing at a rate of 19% on average in the years between now and then.
Thoma Bravo has tapped into that trend, as a significant acquirer of security businesses over the years. It will be worth watching how and if it leverages that in relation to this latest deal to acquire Proofpoint.
Its acquisitions have included the likes of Sophos for $3.9 billion, a majority stake in LogRhythm and paying $544 million for Imprivata — an asset it planned to exit last year reportedly for $2 billion until it called off the sale (it had been proceeding just as the COVID-19 pandemic was taking off).
Alongside Silver Lake, Thoma Bravo took SolarWinds private in a $4.5 billion deal before listing it again. It also attracted some controversy for selling shares just ahead of SolarWinds disclosing a supply chain attack, affecting nine federal agencies and hundreds of companies, later attributed to Russia’s SVR foreign intelligence service. Thoma Bravo said it was unaware of the information at the time.
“Proofpoint has achieved tremendous outcomes for customers around the world, and we’re excited to partner with this talented team at a moment when organizations need innovative solutions to navigate an increasingly treacherous cybersecurity environment,” said Seth Boro, a managing partner at Thoma Bravo, in a statement. “Proofpoint’s opportunity as a privately held company is incredibly compelling, and we look forward to working closely with them to drive continued business growth and deliver world-class advanced threat protection to even more customers in even more ways.”
“Proofpoint has established itself as a true powerhouse in the cybersecurity sector due to its innovative suite of market-leading products and impressive customer base of leading companies around the world,” added Chip Virnig, a partner at Thoma Bravo. “As the sophistication of cyberattacks continues to increase, Proofpoint is delivering the most effective solutions to help organizations protect their data and people across digital platforms. We look forward to partnering with the talented Proofpoint team and leveraging Thoma Bravo’s significant security and operational expertise to help accelerate the Company’s growth.”
An alleged database of about 20 million BigBasket users has leaked on a well-known cybercrime forum, months after the Indian grocery delivery startup confirmed it had faced a data breach.
The database includes users’ email address, phone number, address, scrambled password, date of birth, and scores of interactions they had with the service. TechCrunch confirmed details of some customers listed in the database — including those of the author.
BigBasket co-founders did not respond to texts requesting comment.
Infamous threat actor "ShinyHunters" just leaked the database of "BigBasket", a famous Indian online grocery delivery service. (@bigbasket_com)
20,000,000+ clients affected and information such as emails, names, hashed passwords, birthdates and phone numbers were leaked. pic.twitter.com/tD5TMxNkH7
— Alon Gal (Under the Breach) (@UnderTheBreach) April 25, 2021
TechCrunch has asked one BigBasket co-founder whether the startup ever disclosed the data breach to customers.
A hacker who goes by the name ShinyHunters published the alleged BigBasket database — and made it available for anyone to download — on a popular cybercrime forum over the weekend. In newer posts on the forum, several threat actors claimed that they had decoded the hashed passwords and were selling them. ShinyHunters didn’t immediately respond to a text requesting comment.
The incident comes weeks after Indian conglomerate Tata Group agreed to acquire BigBasket, valuing the Indian startup at over $1.8 billion. The acquisition proposal is currently awaiting approval by the Indian regulator.
Experts believe the data-lake market will hit a massive $31.5 billion in the next six years, a prediction that has led to much concern among large enterprises. Why? Well, an increase in data lakes equals an increase in public cloud consumption — which leads to a soaring amount of notifications, alerts and security events.
Around 56% of enterprise organizations handle more than 1,000 security alerts every day and 70% of IT professionals have seen the volume of alerts double in the past five years, according to a 2020 Dark Reading report that cited research by Sumo Logic. In fact, many in the ONUG community handle on the order of 1 million events per second. Yes, per second, which is in the range of tens of peta events per year.
Now that we are operating in a digitally transformed world, that number only continues to rise, leaving many enterprise IT leaders scrambling to handle these events and asking themselves if there’s a better way.
Compounding matters is the lack of a unified framework for dealing with public cloud security. End users and cloud consumers are forced to deal with increased spend on security infrastructure such as SIEMs, SOAR, security data lakes, tools, maintenance and staff — if they can find them — to operate with an “adequate” security posture.
Public cloud isn’t going away, and neither is the increase in data and security concerns. But enterprise leaders shouldn’t have to continue scrambling to solve these problems. We live in a highly standardized world. Standard operating processes exist for the simplest of tasks, such as elementary school student drop-offs and checking out a company car. But why isn’t there a standardized approach for dealing with security of the public cloud — something so fundamental now to the operation of our society?
The ONUG Collaborative had the same question. Security leaders from organizations such as FedEx, Raytheon Technologies, Fidelity, Cigna, Goldman Sachs and others came together to establish the Cloud Security Notification Framework. The goal is to create consistency in how cloud providers report security events, alerts and alarms, so end users receive improved visibility and governance of their data.
Here’s a closer look at the security challenges with public cloud and how CSNF aims to address the issues through a unified framework.
A few key challenges are sparking the increased number of security alerts in the public cloud:
The first two challenges go hand in hand. In March of last year, when companies were forced to shut down their offices and shift operations and employees to a remote environment, the wall between cyber threats and safety came crashing down. This wasn’t a huge issue for organizations already operating remotely, but for major enterprises the pain points quickly boiled to the surface.
Numerous leaders have shared with me how security was outweighed by speed. Keeping everything up and running was prioritized over governance. Each employee effectively held a piece of the company’s network edge in their home office. Without basic governance controls in place or training to teach employees how to spot phishing or other threats, the door was left wide open for attacks.
In 2020, the FBI reported its cyber division was receiving nearly 4,000 complaints per day about security incidents, a 400% increase from pre-pandemic figures.
Another security issue is the growing intelligence of cybercriminals. The Dark Reading report said 67% of IT leaders claim a core challenge is a constant change in the type of security threats that must be managed. Cybercriminals are smarter than ever. Phishing emails, entrance through IoT devices and various other avenues have been exploited to tap into an organization’s network. IT teams are constantly forced to adapt and spend valuable hours focused on deciphering what is a concern and what’s not.
Without a unified framework in place, the volume of incidents will spiral out of control.
CSNF will prove beneficial for cloud providers and IT consumers alike. Security platforms often require integration timelines to wrap in all data from siloed sources, including asset inventory, vulnerability assessments, IDS products and past security notifications. These timelines can be expensive and inefficient.
But with a standardized framework like CSNF, the integration process for past notifications is pared down and contextual processes are improved for the entire ecosystem, efficiently reducing spend and saving SecOps and DevSecOps teams time to focus on more strategic tasks like security posture assessment, developing new products and improving existing solutions.
Here’s a closer look at the benefits a standardized approach can create for all parties:
Working together, all groups can effectively reduce friction from security alerts and create a controlled cloud environment for years to come.
CSNF is in the building phase. Cloud consumers have banded together to compile requirements, and consumers continue to provide guidance as a prototype is established. The cloud providers are now in the process of building the key component of CSNF, its Decorator, which provides an open-source multicloud security reporting translation service.
The pandemic created many changes in our world, including new security challenges in the public cloud. Reducing IT noise must be a priority to continue operating with solid governance and efficiency, as it enhances a sense of security, eliminates the need for increased resources and allows for more cloud consumption. ONUG is working to ensure that the industry stays a step ahead of security events in an era of rapid digital transformation.
Click Studios, the Australian software house that develops the enterprise password manager Passwordstate, has warned customers to reset passwords across their organizations after a cyberattack on the password manager.
An email sent by Click Studios to customers said the company had confirmed that attackers had “compromised” the password manager’s software update feature in order to steal customer passwords.
The email, posted on Twitter by Polish news site Niebezpiecznik early on Friday, said the malicious update exposed Passwordstate customers over a 28-hour window between April 20-22. Once installed, the malicious update contacts the attacker’s servers to retrieve malware designed to steal and send the password manager’s contents back to the attackers. The email also told customers to “commence resetting all passwords contained within Passwordstate.”
The PasswordState password manager has been hacked and customers' computers infected.
The vendor is informing victims by email.
This password manager is "corporate", so the problem will mainly affect companies… Ouch!
(Information from Tajemniczy Pedro) pic.twitter.com/PGHhmEKpje
— Niebezpiecznik (@niebezpiecznik) April 23, 2021
Click Studios did not say how the attackers compromised the password manager’s update feature, but emailed customers with a security fix.
The company also said the attacker’s servers were taken down on April 22. But Passwordstate users could still be at risk if the attackers are able to get their infrastructure online again.
Enterprise password managers let employees at companies share passwords and other sensitive secrets across their organization, such as network devices — including firewalls and VPNs, shared email accounts, internal databases, and social media accounts. Click Studios claims Passwordstate is used by “more than 29,000 customers,” including in the Fortune 500, government, banking, defense and aerospace, and most major industries.
Although affected customers were notified this morning, news of the breach only became widely known several hours later after Danish cybersecurity firm CSIS Group published a blog post with details of the attack.
Click Studios chief executive Mark Sanford did not respond to a request for comment outside Australian business hours.
A university student is suing exam proctoring software maker Proctorio to “quash a campaign of harassment” against critics of the company, including accusations that the company misused copyright laws to remove his tweets that were critical of the software.
The Electronic Frontier Foundation, which filed the lawsuit this week on behalf of Miami University student Erik Johnson, who also does security research on the side, accused Proctorio of having “exploited the DMCA to undermine Johnson’s commentary.”
Twitter hid three of Johnson’s tweets after Proctorio filed a copyright takedown notice under the Digital Millennium Copyright Act, or DMCA, alleging that three of Johnson’s tweets violated the company’s copyright.
Schools and universities have increasingly leaned on proctoring software during the pandemic to invigilate student exams, albeit virtually. Students must install the school’s choice of proctoring software to grant access to the student’s microphone and webcam to spot potential cheating. But students of color have complained that the software fails to recognize non-white faces and that the software also requires high-speed internet access, which many low-income houses don’t have. If a student fails these checks, the student can end up failing the exam.
Despite this, Vice reported last month that some students are easily cheating on exams that are monitored by Proctorio. Several schools have banned or discontinued using Proctorio and other proctoring software, citing privacy concerns.
Proctorio’s monitoring software is a Chrome extension, which unlike most desktop software can be easily downloaded and the source code examined for bugs and flaws. Johnson examined the code and tweeted what he found — including under what circumstances a student’s test would be terminated if the software detected signs of potential cheating, and how the software monitors for suspicious eye movements and abnormal mouse clicking.
Johnson’s tweets also contained links to snippets of the Chrome extension’s source code on Pastebin.
Proctorio claimed at the time, via its crisis communications firm Edelman, that Johnson violated the company’s rights “by copying and posting extracts from Proctorio’s software code on his Twitter account.” But Twitter reinstated Johnson’s tweets after finding Proctorio’s takedown notice “incomplete.”
“Software companies don’t get to abuse copyright law to undermine their critics,” said Cara Gagliano, a staff attorney at the EFF. “Using pieces [of] code to explain your research or support critical commentary is no different from quoting a book in a book review.”
The complaint argues that Proctorio’s “pattern of baseless DMCA notices” had a chilling effect on Johnson’s security research work, amid fears that “reporting on his findings will elicit more harassment.”
“Copyright holders should be held liable when they falsely accuse their critics of copyright infringement, especially when the goal is plainly to intimidate and undermine them,” said Gagliano. “We’re asking the court for a declaratory judgment that there is no infringement to prevent further legal threats and takedown attempts against Johnson for using code excerpts and screenshots to support his comments.”
The EFF alleges that this is part of a wider pattern that Proctorio uses to respond to criticism. Last year, Proctorio chief executive Mike Olsen posted a student’s private chat logs on Reddit without their permission. Olsen later set his Twitter account to private following the incident. Proctorio is also suing Ian Linkletter, a learning technology specialist at the University of British Columbia, after he posted tweets critical of the company’s proctoring software.
The lawsuit is filed in Arizona, where Proctorio is headquartered. Proctorio CEO Mike Olsen did not respond to a request for comment.
The Internet of Things has a security problem. The past decade has seen wave after wave of new internet-connected devices, from sensors through to webcams and smart home tech, often manufactured in bulk but with little — if any — consideration to security. Worse, many device manufacturers make no effort to fix security flaws, while others simply leave out the software update mechanisms needed to deliver patches altogether.
That sets up an entire swath of insecure and unpatchable devices to fail, destined to be thrown out when they break down or are invariably hacked.
Security veteran Window Snyder thinks there is a better way. Her new startup, Thistle Technologies, is backed with $2.5 million in seed funding from True Ventures with the goal of helping IoT manufacturers reliably and securely deliver software updates to their devices.
Snyder founded Thistle last year, and named it after the flowering plant with sharp prickles designed to deter animals from eating it. “It’s a defense mechanism,” Snyder told TechCrunch, a name that’s fitting for a defensive technology company. The startup aims to help device manufacturers without the personnel or resources to integrate update mechanisms into their device’s software in order to receive security updates and better defend against security threats.
“We’re building the means so that they don’t have to do it themselves. They want to spend the time building customer-facing features anyway,” said Snyder. Prior to founding Thistle, Snyder worked in senior cybersecurity positions at Apple, Intel, and Microsoft, and also served as chief security officer at Mozilla, Square, and Fastly.
Thistle lands on the security scene at a time when IoT needs it most. Botnet operators are known to scan the internet for devices with weak default passwords and hijack their internet connections to pummel victims with floods of internet traffic, knocking entire websites and networks offline. In 2016, a record-breaking distributed denial-of-service attack launched by the Mirai botnet on internet infrastructure giant Dyn knocked some of the biggest websites — Shopify, SoundCloud, Spotify, Twitter — offline for hours. Mirai had ensnared thousands of IoT devices into its network at the time of the attack.
Other malicious hackers target IoT devices as a way to get a foot into a victim’s network, allowing them to launch attacks or plant malware from the inside.
Since device manufacturers have done little to solve their security problems among themselves, lawmakers are looking at legislating to curb some of the more egregious security mistakes made by device manufacturers, like using default — and often unchangeable — passwords and selling devices with no way to deliver security updates.
Snyder said the push to introduce IoT cybersecurity laws could be “an easy way for folks to get into compliance” without having to hire fleets of security engineers. Having an update mechanism in place also helps to keep the IoT devices around for longer — potentially for years longer — simply by being able to push fixes and new features.
“To build the infrastructure that’s going to allow you to continue to make those devices resilient and deliver new functionality through software, that’s an incredible opportunity for these device manufacturers. And so I’m building a security infrastructure company to support that security needs,” she said.
With the seed round in the bank, Snyder said the company is focused on hiring device and back-end engineers, product managers, and building new partnerships with device manufacturers.
Phil Black, co-founder of True Ventures — Thistle’s seed round investor — described the company as “an astute and natural next step in security technologies.” He added: “Window has so many of the qualities we look for in founders. She has deep domain expertise, is highly respected within the security community, and she’s driven by a deep passion to evolve her industry.”