Facebook whistleblower Frances Haugen will talk Section 230 reform with Congress this week

Facebook whistleblower Frances Haugen will go before Congress again this week, this time offering her unique perspective on the company’s moderation and policy failures as they relate to Section 230 of the Communications Decency Act, the key legal shield that protects online platforms from liability for the user-created content they host.

The House Energy and Commerce Subcommittee on Communications and Technology will hold the hearing, titled “Holding Big Tech Accountable: Targeted Reforms to Tech’s Legal Immunity,” this Wednesday, December 1 at 10:30 AM ET. Color of Change President Rashad Robinson and Common Sense Media CEO James Steyer will also testify on Wednesday.

The hearing is the latest Section 230-focused discussion from the House committee. In March, the chief executives of Facebook, Google and Twitter went before lawmakers to defend the measures they’ve taken to fight misinformation and disinformation — two major areas of concern that have inspired Democratic lawmakers to reexamine tech’s longstanding liability shield.

In an October Senate hearing, Haugen advocated for changes to Section 230 that would hold platforms accountable for the content that they promote algorithmically. While Haugen isn’t an expert on legislative solutions to some of social media’s current ills, given her time with Facebook’s since-dismantled civic integrity team, she’s uniquely positioned to give lawmakers insight into some of the most dangerous societal outcomes of algorithmically amplified content.

“User-generated content is something companies have less control over. But they have 100% control over their algorithms,” Haugen said. “Facebook should not get a free pass on choices it makes to prioritize growth, virality and reactiveness over public safety.”

Facebook’s former News Feed lead and current Head of Instagram Adam Mosseri is also set to testify before the Senate for the first time next week, addressing revelations in leaked documents that the company knows its business takes a toll on the mental health of some of its youngest, most vulnerable users.

In its announcement, the House Energy and Commerce committee cited four tech reform bills that Congress is currently mulling: the Justice Against Malicious Algorithms Act of 2021, the SAFE TECH Act, the Civil Rights Modernization Act of 2021 and the Protecting Americans from Dangerous Algorithms Act. The first bill, proposed by the committee holding Wednesday’s hearing, would lift Section 230’s liability protections in cases when a platform “knowingly or recklessly” recommends harmful content using algorithms.

AWS Braket gets improved support for hybrid quantum-classical workloads

In 2019, AWS launched Braket, its quantum computing service that makes hardware and software tools from its partners Rigetti, IonQ and D-Wave available in its cloud. Given how quickly quantum computing is moving ahead, it’s maybe no surprise that a lot has changed since then. Among other things, hybrid algorithms that use classical computers to optimize quantum algorithms — a process similar to training machine learning models — have become a standard tool for developers. Today, AWS announced improved support for running these hybrid algorithms on Braket.

Previously, to run these algorithms, developers would have to set up and manage the infrastructure to run the optimization algorithms on classical machines and then manage the integration with the quantum computing hardware, in addition to the monitoring and visualization tools for analyzing the results.


But that’s not all. “Another big challenge is that [Quantum Processing Units] are shared, inelastic resources, and you compete with others for access,” AWS’s Danilo Poccia explains in today’s announcement. “This can slow down the execution of your algorithm. A single large workload from another customer can bring the algorithm to a halt, potentially extending your total runtime for hours. This is not only inconvenient but also impacts the quality of the results because today’s QPUs need periodic re-calibration, which can invalidate the progress of a hybrid algorithm. In the worst case, the algorithm fails, wasting budget and time.”

With the new Amazon Braket Hybrid Jobs feature, developers get a fully managed service that handles the hardware and software interactions between the classical and quantum machines — and developers will get priority access to quantum processing units to provide them with more predictability. Braket will automatically spin up the necessary resources (and shut them down once a job is completed). Developers can set custom metrics for their algorithms and, using Amazon CloudWatch, they can visualize the results in near real time.

“As application developers, Braket Hybrid Jobs gives us the opportunity to explore the potential of hybrid variational algorithms with our customers,” said Vic Putz, head of engineering at QCWare. “We are excited to extend our integration with Amazon Braket and the ability to run our own proprietary algorithms libraries in custom containers means we can innovate quickly in a secure environment. The operational maturity of Amazon Braket and the convenience of priority access to different types of quantum hardware means we can build this new capability into our stack with confidence.”

AWS launches new robotics programs

To kick off re:Invent, AWS’s flagship conference, the cloud computing giant today announced IoT RoboRunner, a new service for building applications that help large fleets of robots work together. The new service aims to provide the infrastructure needed to build the work and fleet management applications that run the kind of robot fleets Amazon itself uses in its warehouses, for example.

The company also today announced a new robotics accelerator program.

At its core, RoboRunner helps developers build applications that integrate with robots from different manufacturers and manage the lifecycle of these applications. Currently, AWS argues, it’s too difficult to integrate robots from different vendors into a single system, leaving enterprises with a number of silos where they manage their robots, which in turn makes it hard to build applications where these heterogeneous fleets cooperate.


RoboRunner provides developers with a centralized data repository for their entire fleet, as well as a registry for modeling all of the destinations in a given facility and a registry for keeping track of all of the tasks performed by these robots.

The target customer for this service is large industrial enterprises that operate fleets of automated guided vehicles, mobile robots and robotic arms.

In addition to RoboRunner, AWS also announced a new robotics startup accelerator, the AWS Robotics Startup Accelerator, in collaboration with MassRobotics.

“Today, there are only a few successful commercial robotics companies, and there are a few big reasons for this,” AWS CTO Werner Vogels writes in today’s announcement. “First, finding a fit in the robotics product market is difficult because real-world environments are dynamic and unpredictable, so pairing the right niche with the right capabilities can be a challenge. Second, building robots with a high degree of autonomy and intelligence requires multidisciplinary skills that are hard to find and recruit for. Third, robotics is capital intensive and requires large up-front investment in sensors, actuators, and mechanical hardware even when they’re already commercially available.”

The new program is open to early-stage startups (less than $10 million in revenue and $100 million raised). The selected companies will get access to specialized training and mentorship from robotics experts and up to $10,000 in AWS credits.

Apple alerts NSO phone hacking victims in Thailand, El Salvador and Uganda


Apple has sent threat notification alerts to victims of state-sponsored hackers in Thailand, El Salvador and Uganda, just hours after filing a lawsuit against Israeli spyware maker NSO Group.

At least six Thai activists and researchers who have been critical of the government have received the notification, according to Reuters, including Prajak Kongkirati, a political scientist at Bangkok’s Thammasat University, researcher Sarinee Achananuntakul and Thai activist Yingcheep Atchanont of the legal monitoring group iLaw. Citizen Lab, which tracks illegal hacking and surveillance, identified in 2018 a Pegasus spyware operator active within Thailand.

The alerts — which Apple says are designed to inform and assist users who may have been targeted by state-sponsored attackers — were also sent to a number of users in El Salvador. This includes 12 employees from El Faro, an online digital newspaper that has been notoriously critical of the government, as well as two leaders of civil society organizations and two opposition politicians.

Norbert Mao, the president of the Democratic Party in Uganda, also said on Twitter that he had received the threat notification.

The alert from Apple warns: “Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID. These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone. While it’s possible this is a false alarm, please take this warning seriously.”

Apple on Tuesday sued NSO Group to seek a permanent injunction to prevent the spyware maker from using any Apple product. This would make it more difficult for the company to find and exploit vulnerabilities in iPhone software and hack its targets.

“The steps we’re taking today will send a clear message: In a free society it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” said Apple’s security chief Ivan Krstić. “Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”

On legal demands and press freedoms

In August 2020, two FBI agents were standing on my doorstep, unannounced, wanting to ask me questions about a TechCrunch story we had published the year before.

The story was about how a hacker took thousands of documents, including visas and diplomatic passports, from a server at Mexico’s Embassy in Guatemala. The hacker said they had contacted Mexican officials about the vulnerable server but were ignored, and so the hacker tweeted out a link to the embassy’s files. “When I don’t get a reply, then it’s going public,” the hacker told me.

I contacted Mexico’s consulate in New York for comment, as is standard practice when reporting a story. A spokesperson said the Mexican government took the matter “very seriously.” We published our story, and that seemed to be the end of it.

The FBI knock at my door a year later suggested it wasn’t. I declined to speak with the agents and closed the door.

After we published our story the Mexican government requested the help of the U.S. Department of Justice through diplomatic channels to investigate the hack and presumably try to identify the hacker. Because I had contact with the hacker, that must have made me a subject of interest to the Mexican authorities, hence the visit a year on.

A month after the house call, the Mexican government provided the FBI with a list of written questions it wanted us to answer, many of which were already answered in the story. Our response to the DOJ declined to provide anything more than what we had already published.

Legal demands against reporters are not uncommon; some even see it as an occupational hazard of working in the media. Demands often come in the form of a threat, almost always compelling the journalist or news outlet to retract a story, or sometimes even to stop a story before it’s published. Journalists covering cybersecurity — a beat rarely known for its chipper and upbeat headlines — are especially prone to legal threats by companies or governments wanting to avoid embarrassing headlines about their poor security practices.

Take the recent public standoff between Missouri Governor Mike Parson and the St. Louis Post-Dispatch newspaper, which the governor accused of illegal hacking after one of its journalists found thousands of Social Security numbers on the state education department’s website. The journalist verified this with three people whose Social Security numbers were exposed, promptly informed the state of the security lapse and held the story until the data could be taken down.

Parson said the reporting violated the state’s hacking laws and ordered law enforcement and a county prosecutor to investigate the paper, claiming the reporting was “an attempt to embarrass the state.” Legal experts, lawmakers and even members of Parson’s own party derided the governor for his rebuke of the newspaper, which was found to have acted entirely ethically. Parson doubled down in a video paid for by his political action committee, which contained several false claims and called the newspaper “fake news.” Earlier this month, the department apologized for the lapse that ultimately affected more than 620,000 state educators.

Claiming illegality or impropriety is a tactic used more broadly against security researchers, who find and disclose exposed personal information and security flaws before malicious hackers can exploit them. Security researchers, much like independent journalists, often work alone and have no choice but to acquiesce to legal threats, fearing high legal costs of taking a case to court, even if their work is entirely legal and helped to prevent a potentially worse security incident down the line. Not all of them have an experienced and willing media legal team to back their play.

We’ve rebuffed spurious legal demands before, but having federal agents on your doorstep simply for doing your job is certainly a new one for me. There has been no suggestion of wrongdoing, though it’s unsettling not knowing what view Mexico would take if I ever stepped foot on its soil.

But it’s the legal threats and demands that don’t make it to print that can have the most damage. Legal demands inherently have a silencing effect. Sometimes they succeed. Journalism can be risky and the newsrooms don’t always win. Left unchecked, legal threats can have a chilling effect that stifles both security research and journalism by making it legally toxic to work. That means the world is less informed and sometimes less secure.

Apple files lawsuit against NSO Group over Pegasus spyware

Apple has launched a lawsuit against NSO Group, the maker of the nation-state spyware Pegasus, seeking a permanent injunction to prevent the spyware maker from using any Apple product or service.

In a statement, Apple said it’s seeking the injunction to “prevent further abuse and harm to its users.”

Israel-based company NSO Group develops Pegasus, a spyware that gives its government customers near-complete access to a target’s device, including their personal data, photos, messages and precise location. The spyware works by exploiting previously unknown vulnerabilities in iPhone software. Many of those targeted, including journalists, activists, and human rights defenders, received malicious links in text messages, but Pegasus more recently has been able to silently hack iPhones without any user interaction.

Several authoritarian governments are known to use Pegasus, including Bahrain, Saudi Arabia, Rwanda, the United Arab Emirates and Mexico; though, NSO has repeatedly declined to name or confirm its dozens of customers, citing non-disclosure agreements.

Apple’s complaint, filed Tuesday, aims to make it far more difficult for NSO to find and exploit vulnerabilities in iPhone software to hack its targets.

Researchers at Citizen Lab found evidence earlier this year that NSO Group had developed a new exploit able to bypass new protections built into iPhone software, known as BlastDoor, which Apple designed in large part to prevent NSO-style attacks by filtering out malicious payloads that could be used to compromise a device. This so-called zero-click vulnerability — named as such because it doesn’t require the victim to click any links to become infected — was dubbed ForcedEntry by Citizen Lab for its ability to skirt Apple’s BlastDoor protections. Apple patched the vulnerability in September after it was found to affect all Apple devices, not just iPhones.

Apple said that NSO uses Apple’s own services to deliver its spyware. By seeking a permanent injunction, Apple wants to ban NSO from using any of its services to launch attacks against those targeted by its government customers.

“At Apple, we are always working to defend our users against even the most complex cyberattacks. The steps we’re taking today will send a clear message: in a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” said Apple’s security chief Ivan Krstić. “Our threat intelligence and engineering teams work around the clock to analyze new threats, rapidly patch vulnerabilities, and develop industry-leading new protections in our software and silicon. Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”

Apple said it’s notifying known victims targeted by the ForcedEntry exploit, and that it notifies any victims it discovers have been targeted with state-sponsored spyware.

An email to NSO Group’s media email was returned as undelivered.

Suborbital raises $1.6M for its WebAssembly platform

Suborbital, the company behind the open source Atmo WebAssembly-centric project for building scalable server applications, today announced that it has raised a $1.6 million seed round led by Amplify Partners. A number of angel investors, including Jason Warner (former CTO of GitHub), Sri Viswanath (CTO of Atlassian), Tyler McMullen (CTO of Fastly), Jonathan Beri (founder of Golioth), Vijay Gill (SVP of engineering at RapidAPI) and Mac Reddin (founder of Commsor), also joined this round.

In addition, the company also today announced the public beta launch of Suborbital Compute. At first glance, this may seem like somewhat of an odd product. As SaaS services look to make their products extensible beyond basic drag-and-drop integrations, they need tools that allow developers to write these extensions inside of their products. But these user functions open up a lot of security issues, too. With Suborbital Compute, SaaS developers can give their end-users the ability to write their own functions and extend their products, with the sandboxing properties of WebAssembly — the basis of Atmo and Suborbital’s other open source tools — providing many of the guardrails.

But that’s just the start. Suborbital is nothing if not an ambitious project. Its mission, CEO and founder Connor Hicks told me, is to “the way we as an industry think about and deploy compute.” Hicks previously worked on the 1Password platform team, where he worked on tools like the 1Password command-line interface and its enterprise products, eventually leading the company’s R&D efforts around its enterprise products. But on the side, he started dabbling in building a distributed functions-as-a-service system, first based on Docker, which proved to be too slow, and then, eventually, around WebAssembly. That turned out to be more complicated than he expected, in large part because he had to write all of the glue code to make this work — but about two years ago, things started to click into place.

“I started going down this path a little more seriously, started spending more time on it, and what came out of it was this scheduler for WebAssembly functions, which today is our Reactr project,” Hicks explained. While Reactr is a Go library, people started getting interested in seeing what a pure WebAssembly service would look like, which became the Atmo project that is now at the core of Suborbital’s efforts.

“The grand experiment with Atmo was, ‘hey, let’s see if we can take a declarative description of a web server application and figure out how to run it without the user needing to do any boilerplate,’” Hicks explained. “So we could take this declarative description — and a bunch of functions — compile the WebAssembly and we could figure out how to build this web service and make it run, and make it secure, and make it fast automatically, and the user didn’t have to worry about any of the plumbing.”

With Atmo, Suborbital is betting on server-side WebAssembly to allow developers to write code in a language like Rust, Swift or AssemblyScript, which is then compiled to WebAssembly and deployed and managed by Atmo and run in a sandboxed environment. At the core of Atmo is a scheduler that runs the WebAssembly modules and promises to do so with near-native performance.

Over time, Hicks believes, this approach could challenge the role of containers for deploying many applications, especially at the edge. “We think that WebAssembly on bare metal is going to pretty much replace the need for containers in these small, resource-constrained edge environments,” Hicks said.

But why then launch with such a niche product? Something like an “Atmo Pro” may seem like the more logical choice, but Hicks argues that it is still too early for that. Because the idea is still very new, the market wouldn’t have been there for a service like that.

“It doesn’t have the widespread adoption that you would need to make money off of a hosted Atmo service,” Hicks said. “After realizing that I couldn’t just make money selling a pro version of Atmo — or a hosted version of Atmo — I went back and I asked, ‘hey, what could we actually build that people would want to pay money for and actually build a business around?’”

Hicks tells me that the team, which currently consists of four people, has already started to ramp up its efforts around partnerships, but next year, it plans to really scale up its infrastructure and operations capabilities.

Roku customers report streaming issues after 10.5 update

A number of Roku customers are experiencing problems with their Roku TVs following the Roku OS 10.5 update. According to reports published to Roku’s own customer forums and other sites, like Reddit, impacted Roku TV owners say many of their streaming apps, like HBO Max, Disney+, Amazon Prime Video, Paramount+ and others, no longer work, while others, like Netflix, have more intermittent issues.

Some are also experiencing problems with their screens being frozen and their Roku remote no longer functioning, they said, but it’s unclear for now whether these are related or separate issues.

Roku says it’s aware of the problem and working to resolve it.

While the 10.5 update began rolling out in October, Roku tends to update its streaming players first, followed by its Roku TV devices. That means many of the impacted customers only recently received the update, as they own a Roku TV, leading to the flood of consumer complaints when the update left favorite streaming apps not working. The issues also impact Roku Ultra devices.

Though the issue began to blow up on the Roku forums last week, some users said they’ve been dealing with a non-functional TV for multiple weeks, leading them to purchase a Chromecast or Fire TV stick instead.

In an 18-page thread on Roku’s community forums, users reported issues with Westinghouse, TCL, Sharp, and Hisense TVs, among other devices. There are many other threads as well, with dozens of responses. Customers with both hardwired and wireless network connections are impacted, according to consumer complaints. A few users said rebooting their TV or router worked, but others said they tried that, as well as a factory reset, without any resolution.

Roku has been aware of the problem for some time, as a Roku forum moderator has been writing back to forum posters since at least last week, asking for information about their devices like the serial number, Roku device model, device ID, and software OS version.

With no official fix yet available, Roku has been forced to roll back the update for some of its users by downgrading their devices to software version 10.0.0. But this option hasn’t been automatically deployed to all customers. Instead, forum members said a Roku representative had privately messaged them with instructions after they shared their device information.

And, as of last week, users were being asked to private message a Roku employee with their device information to receive the downgrade, indicating the fix is being handled on a one-off basis for the time being. This process is frustrating some Roku customers who think a broader rollback should be underway at this point.

The issues arrive at a time when many U.S. consumers will be taking time off from work over the Thanksgiving holidays — meaning they have a lot more time for watching TV. Tuning into NFL football, for example, is part of the Thanksgiving tradition, but live streaming apps like Sling TV and Hulu are among those impacted by the software issues.

A representative for Roku was reached for comment this afternoon but didn’t yet have a statement available.

Later in the day, Roku shared the following comment with TechCrunch:

A small portion of users that have certain older Roku TV models or older Roku Ultra players are experiencing issues with the latest firmware update, OS 10.5. We are actively investigating and working to resolve this as quickly as possible, and will provide our customers with real-time updates [on our website at support.roku.com/contactus and on twitter at @RokuSupport].

US education software company exposed personal data of 1.2M students

SmarterSelect, a U.S.-based company that provides software for managing the application process for scholarships, exposed the personal data of thousands of applicants because of a misconfigured Google Cloud Storage bucket.

The data spill, discovered by cybersecurity company UpGuard, contained 1.5 terabytes of data collected by a number of programs that offer financial support to students. The data included documents such as academic transcripts, resumes, and invoices for approximately 1.2 million applications to funding programs, dated from November 2020 to September 21, 2021. SmarterSelect’s website says it has served 1.6 million people to date.

One folder on the public bucket contained 23,000 spreadsheets and 8,000 ZIP files, according to UpGuard’s analysis. For applicants, these files contained contact information like name, email address, and phone number, as well as much more probing details such as their parents’ education and income, the students’ performance at school, and personal experiences like living in a foster home or abusive situations.

Some files also contained longer documents such as letters of recommendation and personal essays detailing poverty, physical and sexual abuse, domestic violence, and other personal information, UpGuard said.

Another directory, which contained some 2.79 million files, included even more sensitive data on applicants. This includes student photos where required for application, financial documents such as Free Application for Federal Student Aid (FAFSA) forms that in some cases included full Social Security numbers, proof of COVID-19 vaccinations, and descriptions of hardships.

UpGuard first notified SmarterSelect about the breach on September 15 and then again on September 27. The company acknowledged the warning on September 30, before revoking public access to the bucket on October 5. It’s not known whether any malicious actors accessed the data while it was exposed.

“The contents of the bucket also serve as a reminder of the risks of collecting and retaining sensitive data, particularly for populations like college students,” UpGuard said. “The process of applying to, attending, and securing funding for university education requires young people to provide detailed information about themselves to a complex institutional supply chain.

“Even well-intentioned programs aiming to assist students who have been disadvantaged by circumstances beyond their control — in fact, especially those programs that seek to help those most in need — require a detailed accounting of the facts of one’s life.”

It’s not yet clear whether SmarterSelect has notified those affected by the breach, nor whether it has alerted the relevant state attorney general offices per data breach notification law. TechCrunch asked SmarterSelect for comment but did not immediately hear back.