Uber investigating cybersecurity incident after hacker breaches its internal network

Uber confirmed on Thursday that it’s responding to a cybersecurity incident after reports claimed a hacker had breached its internal network.

The ride-hailing giant discovered the breach on Thursday and has taken several of its internal communications and engineering systems offline while it investigates the incident, according to a report by The New York Times, which broke the news of the breach. 

Uber said in a statement given to TechCrunch that it’s investigating a cybersecurity incident and is in contact with law enforcement officials, but declined to answer additional questions.

The sole hacker behind the breach, who claims to be 18 years old, told the NYT that he compromised Uber because the company had weak security. The attacker reportedly used social engineering to compromise an employee’s Slack account, persuading the employee to hand over a password that gave the attacker access to Uber’s systems. This has become a popular tactic in recent attacks against well-known companies, including Twilio, Mailchimp, and Okta.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach”, the NYT reports. The hacker also reportedly said that Uber drivers should receive higher pay. 

According to Kevin Reed, CISO at cybersecurity company Acronis, the attacker found highly privileged credentials on a network file share and used them to access everything, including production systems, Uber’s Slack management interface, and the company’s EDR portal.

“If you had your data in Uber, there’s a high chance so many people have access to it,” Reed said, noting that it’s not yet clear how the attacker bypassed two-factor authentication (2FA) after obtaining the employee’s password. 

The attacker is also believed to have gained administrative access to Uber’s cloud services, including Amazon Web Services (AWS) and Google Cloud (GCP), where Uber stores its source code and customer data, as well as to the company’s HackerOne bug bounty program.

Sam Curry, a security engineer at Yuga Labs who described the breach as a “complete compromise”, said that the threat actor likely had access to all of the company’s vulnerability reports, which means they may have had access to vulnerabilities that have not been fixed. HackerOne has since disabled the Uber bug bounty program. 

In a statement given to TechCrunch, Chris Evans, HackerOne CISO and Chief Hacking Officer, said the company “is in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation.”

This is not the first time that Uber has been compromised. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment but kept the breach a secret for more than a year.

Uber investigating cybersecurity incident after hacker breaches its internal network by Carly Page originally published on TechCrunch

Wordle is now integrated in The New York Times Crossword app

The spelling puzzle app phenomenon, Wordle, is making its debut on The New York Times Crossword application, The Times announced today. After tons of doppelgangers and wannabes of the infamous app, the NYT Crossword app is now appearing at the top of iOS and Android app store searches. 

Users won’t have to worry about losing their scores and streaks because The NYT will allow consumers to create an account to track their gameplay. Though the app itself is free to download, this so-called “free account” is only available for a seven-day trial, after which users are prompted to pay either $4.99 per month or $39.99 for the year. The subscription would also include access to puzzles like Spelling Bee, The Mini and The Crossword.


The move to further integrate Wordle comes after The NYT acquired the rights to the game earlier this year at an undisclosed price. According to first-quarter financial results, the publication said the game drove the company’s best quarter ever, in relation to net subscribers for Games. Since its acquisition, the publication has advertised its other games through Wordle.

Though the game was created as a pastime for its creator, Josh Wardle, and his partner, it has become a daily habit for some. Back in July, The Times announced the WordleBot to help users strengthen their skills. The tool gives word enthusiasts a score from 0-99 based on skills and luck, but also provides advice on how they can improve their search.

As The NYT tries to capitalize on the game’s popularity, they announced the online word game would be turned into a board game. The company has partnered with toymaker Hasbro to release Wordle: The Party Game in October. 

TechCrunch previously reported that upwards of two million players were playing Wordle and that it was mentioned in over 32 million tweets since its launch. According to The Times, “10% of active players have played 145 or more games of Wordle.”

Crypto, where the fallen seek a fresh start

Welcome back to Chain Reaction.

Last week, we talked about privacy in crypto and how it’s sometimes at odds with regulation. This week, we’re covering a larger-than-life founder who is perhaps seeking redemption through web3.

If someone forwarded you this message, you can subscribe on TechCrunch’s newsletter page.

there’s always a crypto angle

A weekly window into the thoughts of senior crypto reporter Anita Ramaswamy:

It’s a lesson we all learned over the last crypto bull run — crypto is a well-known refuge for those looking to reinvent themselves. WeWork founder Adam Neumann is no exception. Neumann made waves in the tech world this week when it was revealed that his new startup, focused on residential real estate communities, had just received a $350 million investment from Andreessen Horowitz — the largest check the VC firm has ever written, though it was unclear how much of that was equity versus debt. The company, Flow, earned a $1 billion valuation before, well, actually doing anything (aside from buying up apartment units), according to The New York Times.

In a bit of an ironic twist, the new venture aims to attempt to solve the housing crisis, a plan touted by Marc Andreessen himself in a blog post announcing the deal. Andreessen is the VC who, earlier this month, was found to have fought tooth and nail to prevent affordable housing units from being built in his wealthy hometown of Atherton, California. Initial details, though, were scant as to how exactly Neumann’s company would actually address the crisis, outside of some vague commentary about renters not being able to benefit from owning their home equity.

As if all that wasn’t enough to take in, now, there’s a crypto angle.

Forbes reported this week that Neumann’s startup, called Flow, plans to launch a digital wallet for cryptocurrencies. But there seems to be little to no overlap between the wallet product and the firm’s stated focus in real estate tech, as the wallet won’t allow people to make rental payments on their Flow-owned apartments through crypto.

The company has, according to Forbes, been recruiting candidates by describing its business as a “next generation multi-family property management system” that would include a tokenized rewards program and crypto payment capabilities. A Flow spokesperson later told Forbes that the job description was largely false and blamed the snafu on an external recruiter the company had worked with.

It’s still not clear how big of a role crypto is to play on Flow’s roadmap, but the spokesperson provided Forbes with a new job description that simply focused on “technology” in residential real estate rather than crypto or web3 specifically.

This isn’t Neumann’s first rodeo in the wild west of web3. He raised $70 million, also led by a16z, for Flowcarbon in May, a startup that intended to tokenize carbon credits on the blockchain. Flowcarbon has since halted a planned token sale, citing adverse market conditions, and seems to have removed references to Neumann from its team page despite listing him as a co-founder of the venture at the time the a16z investment was announced. Curiously, the Flow announcement this week from a16z cited Flow as Neumann’s first venture since WeWork, as though he was never involved with Flowcarbon at all.

While plenty of founders with substance and potential continue to be overlooked by today’s VC ecosystem, a16z’s choice to make such a big bet on the notorious Neumann is telling of investors’ priorities. Though if one good thing comes out of this venture, perhaps it’ll be a gripping TV series.

the latest pod

Jacquelyn and Anita took the reins on this week’s news once again while Lucas was out, and the first item on their agenda was pretty juicy.

Do Kwon, the disgraced founder behind the Terra stablecoin collapse, gave his first interview since he went into hiding after losing billions of dollars on behalf of investors. He sat down with Coinage, an NFTV show from startup Trustless Media, to talk about his role in triggering crypto’s biggest crash.

After recapping the highlights reel from the Do Kwon interview, Anita and Jacquelyn talked about Galaxy Digital trying to say “jk lol” after it agreed to acquire crypto custodian BitGo, and ran through both bad and potentially good news for Crypto.com.

Be sure to tune in for our guest interview next Tuesday in which Anita will be chatting with Devin Lewtan, cofounder of web3 media production studio Mad Realities.

Subscribe to Chain Reaction on Apple, Spotify or your alternative podcast platform of choice to keep up with us every week.

follow the money

Where startup money is moving in the crypto world:

  1. Decentralized communications platform Satellite IM closed a $10.5 million round led by Framework Ventures and Multicoin Capital.
  2. Rocketplace raised $9 million in seed funding to build the “Fidelity for crypto.”
  3. Tencent veterans at .bit secured $13 million to build cross-chain decentralized identities.
  4. Binance Labs made a strategic investment in web3 infrastructure protocol Ankr.
  5. Solana-focused Jito Labs raised $10 million in a Series A led by Multicoin Capital and Framework Ventures.
  6. Gaming studio Murasaki closed a €1.5 million seed round led by Japanese Incubate Fund.
  7. B2B web3 data analysis firm Datawisp brought in $3.6 million in a seed round led by Coinfund.
  8. Animation studio Invisible Universe raised $12 million in Series A funding led by Alexis Ohanian’s Seven Seven Six to launch new web3 IP.
  9. Fractional NFT platform Tessera (fka Fractional) raised a $20 million Series A led by Paradigm.
  10. Starknet-based gaming DAO MatchboxDAO raised $7.5 million led by Starkware.

This list was compiled with information from Messari as well as TechCrunch’s own reporting.

TC+ analysis

Here’s some of this week’s crypto analysis available on our subscription service TC+ from senior reporter Jacquelyn Melinek:

Polygon’s head of investments remains ‘highly bullish on web3’

The crypto market may be in limbo between a deep bear market and recovery, but that hasn’t stopped investors from deploying capital into the space. “In the grand scheme of things, nothing has changed regarding Polygon’s long-term mission, bear markets or not,” Shreyansh Singh, head of investments at Polygon, said to TechCrunch. 

Anthony Hopkins sees NFTs as ‘art in a new format’ 

As celebrities and athletes alike dip into the crypto sphere to endorse tokens or companies, others are looking to NFTs as a way to engage with fans. The newest entrant is two-time Academy Award-winning actor Sir Anthony Hopkins, who partnered with NFT digital collectible company Orange Comet to launch his own series, The Eternal Collection. “NFTs, for me, are a blank canvas to create art in a new format,” Hopkins shared with TechCrunch. 

Crypto scams have declined, but hackers remain resilient in bearish markets 

When it comes to crime, illicit activity is still abundant regardless of crypto volatility, according to a new Chainalysis report. But there’s nuance in the apparent downturn in illicit activity — some subsectors of crypto-based crime have increased in 2022, while others declined.

Open source software is needed to prevent future crypto hacks, Polygon CISO says 

As 2022 continues to rack up expensive exploits, many people in the crypto space are wondering what can be done to prevent these hacks in the future. Sure, they can emphasize the importance of education and protecting your own digital assets — but what else? The answer might be through projects employing open source software, Mudit Gupta, chief information security officer at Polygon, told TechCrunch.

Thanks for reading! And — again — to get this in your inbox every Thursday, you can subscribe on TechCrunch’s newsletter page.

Serena Williams’ next act in venture capital is essential in this moment

Lights, camera, another backhand winner down the line. It’s hard to imagine that in two weeks, Serena Williams is playing what could — and most likely will be — her last tennis tournament after 23 Grand Slams and decades of dazzling on center courts.

She announced her retirement in the latest issue of Vogue magazine, writing that she will be “evolving” away from the sport to focus on family and her career as a venture capitalist. Williams founded her own firm, Serena Ventures, in 2014 and raised a $111 million inaugural fund this year to invest in “founders with diverse points of view,” she previously told The New York Times.

When Serena Williams steps away from tennis, she’ll be walking into an arena as white as the one she just left.

LPs include CapitalG, LionTree Partners and Norwest Venture Partners, and with a team of six, the firm’s already invested in 20 companies with that capital, Fortune reported.

In tennis, she and her sister, Venus Williams, helped break the color barrier for Black girls looking to play a sport still associated with whiteness and privilege. Those following the trail they blazed include Naomi Osaka, Madison Keys, Sloane Stephens and countless others preparing for the day when they too can walk into the blinding lights of Arthur Ashe Stadium.

a16z says ‘WeBack’ to WeWork’s Neumann with its biggest check ever

Andreessen Horowitz (a16z) seems determined to keep the capital flowing to controversial WeWork founder Adam Neumann. The storied venture firm wrote its largest individual check ever, at $350 million, to Flow, Neumann’s new residential real estate company focused on rentals, the New York Times reported today.

The funding round values Flow at over $1 billion, making it a unicorn before it even commences operations, which it plans to do in 2023, according to the Times. The startup is set to operate over 3,000 apartment units Neumann has purchased in Miami, Fort Lauderdale, Atlanta and Nashville as part of its vision to bring community-oriented features to the rental market, the Times added.

In a blog post on a16z’s website today, Marc Andreessen described Neumann as a “visionary leader” and credits him with “revolutionizing” real estate. Andreessen’s post did not address any of the financial terms of the investment.

The investment marks a16z’s second show of support for a Neumann-founded company this year: In May, the firm put $70 million into the entrepreneur’s blockchain-based carbon credit platform, Flowcarbon, which appears to have no relation to Flow besides its shared co-founder. Curiously, Andreessen’s blog post today calls Flow Neumann’s “first venture since WeWork,” although he is listed as a co-founder of Flowcarbon in a16z’s earlier post about that investment.

“We understand how difficult it is to build something like this and we love seeing repeat-founders build on past successes by growing from lessons learned,” Andreessen wrote in today’s blog post, implicitly referring to Neumann’s time at WeWork.

WeWork’s attempt at an IPO under Neumann (remember community-adjusted EBITDA?) was so calamitous that its Silicon Valley and Wall Street investors ended up paying Neumann an enormous exit package, worth ~$1 billion, just to leave the company.

Neumann managed to get that handsome payout despite the fact that under his reign, the company tanked in value from ~$47 billion to ~$8 billion and gained a reputation for mismanagement and poor treatment of employees.

Throughout Neumann’s tenure, missteps abounded. He famously trademarked the word “We” and sold it back to his own company for nearly $6 million, though he ended up returning the money to the company after this arrangement was revealed during the company’s IPO attempt and subsequently lambasted by investors and the public.

After Neumann burned investors’ cash on copious amounts of booze for the office, a school for his wife’s vanity project and a wave pool, it’s somewhat surprising to see Silicon Valley coming back for seconds. a16z’s deal with Flowcarbon may well have been negotiated before the rout in the equity markets but its deal with Flow announced today likely was not, meaning today’s deal is an even bigger sign of the investor’s confidence in Neumann’s leadership amid broadly difficult market conditions.

To be sure, WeWork’s approach to co-working spaces was prescient in a pre-pandemic world, regardless of the company’s other controversies. As remote work rises in popularity, there may well be a tremendous opportunity in building community among renters — an idea Neumann has been keen to pursue for years. He took a pass at this concept before with WeLive, a set of residential communities he planned to build under the WeWork brand that fizzled out after opening just two locations.

In his blog post today, Andreessen mused at length about how Flow is poised to solve the nation’s housing crisis, writing that “limited access to home ownership continues to be a driving force behind inequality and anxiety,” though details in the post about exactly how Flow will set out to achieve this were scant.

Today’s investment in Flow comes just after reports surfaced that Andreessen fought against a proposal to build new affordable housing units in his ultra-wealthy hometown of Atherton, CA.

Felicis, Lux Capital and Upfront Ventures tackle TAM at Disrupt

Perception is everything — especially when it comes to the value of software startups and total addressable markets (TAM). During 2020 and 2021, as COVID bit into the economy, tech products turned out to be more recession-resistant than expected. What’s more, tech companies grew faster than previously anticipated.

Those conditions combined to make TAM feel huge last year, which, in turn, led investors to pay far more for startup shares, calculated against their existing revenues. However, the growth rates of companies that caught a demand tailwind from COVID have dropped sharply, meaning that some TAM expectations were, perhaps, misplaced.

Where does that leave startups trying to measure their TAM today? Exploring the answer to that question is just one reason we’re thrilled that Kara Nortman, managing partner at Upfront Ventures; Aydin Senkut, founder and managing partner of Felicis Ventures; and Deena Shakir, a partner at Lux Capital, will join us onstage at TechCrunch Disrupt on October 18–20.

In a conversation called “Taking the BS Out of Your TAM,” these three experts will discuss how founders and investors should think about TAM and readjust their perceptions to avoid deluding themselves or their colleagues.

Kara Nortman is a managing partner at Upfront Ventures. Her portfolio includes investments in Parachute Home, Time by Ping, Endgame, Writer, Open Raven, Britive and Fleetsmith (acquired by Apple in 2020).

Prior to joining Upfront, Nortman co-founded Moonfrye, a children’s e-commerce company. She also spent seven years at IAC, where she co-led the M&A group, oversaw the initial investment in Tinder, and served as SVP and GM of Urbanspoon and Citysearch.

Nortman, a founding member of All Raise — a VC-led group dedicated to increased diversity in funders and founders — is also a founder of LA’s professional women’s soccer team, Angel City Football Club.

Aydin Senkut, the founder and managing partner of Felicis Ventures, is a super-angel turned multistage investor. Senkut has appeared on Forbes’ Midas List nine times and on the New York Times’ Top 20 Venture Capitalists list four times.

Since founding Felicis in 2006, he has earned notoriety as an early backer of iconic companies, including Credit Karma (acquired by Intuit), Fitbit, Guardant Health, Guideline, Notion, Opendoor, Pluralsight, Rovio, Shopify and Soundhound. Currently, his areas of focus include infrastructure, security and the future of health.

Deena Shakir is a partner at Lux Capital, where she seeks out extraordinary, mission-driven founders and invests in transformative technologies that improve lives and livelihoods.

Her portfolio investment areas include women’s health (Maven Clinic, Alife, Gameto, Adyn), digital health infrastructure (SteadyMD, H1, AllStripes, Everly Health), health equity (Waymark, Galileo, Miga), food tech (Shiru) and fintech (Mos, Ramp, Neo.Tax).

Prior to Lux, Shakir was a partner at GV, where she led product partnerships at Google (for health, search and AI/ML) and directed social impact investments at Google.org. As a Presidential Management Fellow at the U.S. Department of State, Shakir helped launch President Barack Obama’s first Global Entrepreneurship Summit.

TechCrunch Disrupt takes place on October 18–20 in San Francisco. Buy your pass now and save up to $1,100. Student, government and nonprofit passes are available for just $295. Prices increase September 16.

Apple invests in original podcasts to turn into Apple TV+ shows, report says

Apple has inked a deal with Futuro Studios to develop original podcasts, a Bloomberg report states. Apple’s TV studio reportedly led the investment, which will support the Pulitzer Prize-winning, non-profit media company in exchange for first dibs on any on-screen adaptations of new shows. Existing Futuro podcasts like “Suave” and “La Brega” use investigative journalism and non-fiction storytelling to explore topics like criminal justice and Latinx experiences.

Although Apple literally created the idea of the “podcast,” it’s no longer the industry leader. Now, more listeners in the U.S. get their podcasts from Spotify than Apple Podcasts. This could be because Spotify has invested over a billion dollars into acquisitions of studios like Gimlet and The Ringer, distribution tools like Anchor, and advertising and monetization companies like Megaphone, Whooshkaa and more. Meanwhile, SiriusXM owns Stitcher, and the New York Times acquired Serial Productions.

Apple’s commitment to podcasting hasn’t been as intense. Apple ramped up its creator-facing tools in an attempt to woo podcasters, but its investment in original content has mostly come from its TV arm, spurring non-fiction podcasts like “Hooked,” “Missed Fortune” and “Run, Bambi, Run.” Though Apple hasn’t shared many details about the progress of its TV streaming network, analysts estimate that Apple TV+ may have between 20 and 40 million subscribers, generating at least $1 billion in revenue, which is only a small fraction of Apple’s $400 billion annual revenue.

Like Apple, Amazon also has its own streaming platform, Prime Video, but its podcast investments seem to be relatively separate. Amazon acquired the studio Wondery, as well as some shows from Exactly Right Media like “My Favorite Murder.”

According to Bloomberg’s report, Apple has spent up to $10 million on deals with studios like Futuro. Compared to Spotify’s hundred million dollar investments in individual studios, that number doesn’t seem too staggering.

Runa Sandvik’s new startup Granitt secures at-risk people from hackers and nation states

For much of her career, hacker Runa Sandvik has worked to protect journalists and newsrooms from powerful adversaries who want to keep wrongdoing and corruption out of the public eye. Journalists and activists are increasingly targeted by the wealthy and resourceful who seek to keep the truth hidden, from nation-state aligned hackers hacking into journalists’ inboxes to governments deploying mobile spyware to snoop on their most vocal critics.

Few know the threats that journalists face better than Sandvik, a native Norwegian. She defended The New York Times newsroom from hackers and nation-state adversaries, trained reporters to cloak their online activity in anonymity at the Tor Project, and helped organizations like the Freedom of the Press Foundation to build tools that allow journalists, like us at TechCrunch, to securely communicate with sources and receive sensitive source documents. Sandvik is also a renowned hacker and security researcher and, as of recently, a founder.

Her new startup, Granitt, with Sandvik as its principal, aims to help protect at-risk people, like journalists and activists but also politicians, lawyers, refugees and human rights defenders, from threats they face doing their work.

“At any point someone finds themselves in a category where there might be some repercussions for them doing whatever it is they’re doing, that’s something I would consider ‘at risk’ and something that I can help with,” Sandvik told me when we spoke in New York City this week.

Sandvik told me about her work and her new bootstrapped startup, how leaders should prioritize their cybersecurity efforts, and the piece of security advice she would give that every person should know.

Our chat, which has been lightly edited and condensed for clarity, follows.

ZW: You’ve been laying the groundwork for Granitt for the past decade. Tell me how you got here.

RS: If you look at a decade ago when I worked for the Tor Project and they got funding, we set out to teach reporters how to use the Tor Browser. And very quickly realized that it’s not super impactful to just teach someone how to use the Tor Browser if they’re not also familiar with good passwords, two-factor authentication and software updates — things to consider when they’re traveling to conflict zones, for example. And we started building out a curriculum around what you should do to be safe online. I later consulted for the Freedom of the Press Foundation doing somewhat similar work, and also then working on SecureDrop. And my role at The New York Times was building on that type of work as well. And after the Times eliminated my role, I worked with ProPublica, Radio Free Europe, and the Ford Foundation to look at not just security for individuals but also how to help the business side of media organizations to support the newsroom.

Some of the work that I’ve done has sort of been workshops directly for the newsroom. I’ve had one-on-one chats with reporters about some project that they’re about to take on. But I’ve also had a lot of conversations with the IT and security folks on the business side to help them understand what are the challenges that the newsroom is facing. How can I best solve them? What should they be aware of? And also, how do they go about getting up to speed, and how do they then later on educate staff in the newsroom? There’s sort of been some “train the trainer” type of work as well, because 10 years ago Tor was around but the user experience was clunky. Now in 2022, we have a lot of really neat tools that are very user friendly for being safe online for doing research in safe ways.

One thing that I saw at the Times is that you had a team to do cybersecurity. You had someone focusing on physical security, you had human resources taking care of emotional safety, and you had legal taking care of any sort of legal challenges that might pop up. But if we look at what it’s going to take for a journalist to be safe, it’s really the combination of those four groups — and that means those four groups that need to come together and have a working group, talk to each other, understand what each person brings to the table, and what can actually be done holistically to better support staff.

Right, and we’re starting to see that across newsrooms when it comes to targeted harassment and doxing, but supporting journalism is a team effort and it takes a village and everyone working from the same page. So, why the name Granitt?

The name is the Norwegian spelling of granite. It is really that simple. Over the years I’ve had close friends who have encouraged me to do something on my own, and have pointed out how the work that I do doesn’t really exist anywhere else and that I’m in a good position to do it.

What kind of work will you be doing with your new startup and how do you plan to solve both the security aspect and getting different teams communicating and collaborating with the aim of supporting journalists?

It’s still consultancy, so, I think training workshops and public speaking are still going to be a part of it. There’s still going to be everyday security guidance for newsrooms, guidance around specific projects, so whether it’s someone who’s about to take on a sensitive project, travel, or someone wants to set up a tips channel, how do you create the process to support that internally? That’s definitely still a part of what I do. But then also working more with different teams on the business side to ensure that those four groups of people can actually come together in a working group and better understand what the staff really need, and to understand what are the threats that they’re facing, how do they actually work, and what do we need to figure out to better support them?

There’s a lot of bridge building. I don’t think it’s a case that people don’t care about this, I think that some are not necessarily aware of the challenges that certain people are facing. And also, in many ways, how easy it can be to spin up that kind of effort internally. If you’re The New York Times, you’ll have the resources. But if you’re a smaller newsroom, you can still have a working group of dedicated reporters who can figure out how we can best support our staff with online threats and harassment, or what to do if someone gets phished. If you’re a smaller newsroom, there’s still a lot you can do, and something is better than nothing.

Was there an impetus for you starting this company? Was there a single event that made you think, ‘I have to do this,’ or was it more akin to a gradual series of events over the course of years?

I’ve always been aware that there aren’t a lot of people that do what I do. There aren’t a lot of people that focus on security for reporters. And over the years that has changed and there are more people doing this type of work, educating newsrooms and educating the business side at media organizations. I think that part of my reluctance to just start something on my own was I thought it would just be just this thing I do on the side, and I think I was just getting in the way of myself. Now it’s an official thing with a name, a logo, and website. It’s something that I’m more excited about and ready to invest in. For me, it’s the thing that I’ve always done, but having a company plants the flag that this is something that’s needed, important, and worth investing in.

Tell me more about the threats that you seek to counter and who you are trying to protect. What makes these kinds of individuals a higher risk or a greater target than the average citizens?

I’ve been shifting from talking about people as “high risk” and just talking about it as “at risk.” I’ve found that it’s easier for some to understand or relate to. Just the recent overturning of Roe v. Wade is a good example. A lot of people suddenly became “at risk,” but not necessarily high risk. And while I have certainly focused my work on security for newsrooms and for reporters — that’s still what I am very passionate about — the guidance that I give at the end of the day is good guidance for anyone who’s trying to do whatever it is that they want to do, but in a safe way. At any point someone finds themselves in a category where there might be some repercussions for them doing whatever it is they’re doing, that’s something I would consider “at risk” and something that I can help with.

My goal is to help you work safely and help you do whatever it is that you’re trying to do in a safe way. That means we have to talk about, and take into account, any sort of threat that you’re aware of. We need to come up with a plan for you, it becomes very context-driven, and it’s about coming up with the right mitigations for you and the work that you’re trying to do at that point in time. Whether the concern is NSO-style spyware, phishing, or traveling and you’re worried about losing your laptop, we can talk about the risks, the challenges, what you can do and come up with something that actually works for you.

It sounds like a very collaborative process between you and your clients; a mix of technical, and education and teaching your clients what to do and what not to do by way of threat modeling and determining what risks you may face.

I could tell you that you should work on a laptop that runs Tails [a highly secured operating system] and a persistent volume and only ever use Tor. But if even the idea of moving to a different browser is something you’re not comfortable with, that whole example is just going out the window. Yes, from a security perspective, it’s a good option, but if it does not fit your workflow or lifestyle as an individual, it’s not guidance that’s likely to stick. In some cases, it really just comes down to figuring out what is actually going to work for you so that we can help you work more safely.

The threats out there vary wildly, depending on the kinds of activities of at-risk individuals, and every person’s threat model is different, if not unique. How does that collaboration work for finding what works for them and what they need as part of the threat model?

I’m sure you’ve seen this post before. “Your threat model is not my threat model.” It’s just fantastic and it’s worth sharing again and again. In some cases, I’ll communicate directly with a person that needs assistance, and in others it will be an individual and one or two other people, like an editor or the security person or lawyer at the company, and it’s very specific to the individual. In other scenarios, it could be a conversation with the teams on the business side supporting the newsroom trying to figure out what guidance we give to everyone. What would we consider our everyday security guidance that everyone should just know? And then you can build out both a baseline security level for the organization and find ways to then level up year after year, but you also then figure out exactly what are the challenges that you’ve had to date, what do the slightly more complex or sophisticated threats look like, and how do you go about addressing that? And to your question, security guidance and context-specific security guidance is really hard, if not impossible, to scale. I think at some point, you do need to invest in having people talk to each other.

You and I both know that attacks are getting smarter and more complex with new capabilities. Is there a single cybersecurity issue that concerns you today more than anything else?

In May I gave a talk at Paranoia 2022 titled “How the Media Gets Hacked.” And instead of looking at how reporters get hacked — because we can talk about anything from your typical scam or phishing, to nation-state backed spyware and zero-click exploits — if you look at how media organizations get hacked, I give several examples in my talk. When The New York Times was hacked by China in 2012, that was phishing. Tribune Publishing in 2018 got ransomware, also because of phishing or outdated systems. Dagbladet [Norwegian newspaper] and Schibsted [Norwegian media giant] had some issues with someone who found credential dumps and decided to try them against their systems, no two-factor authentication was enforced, and they got access. And the last one, Amedia [Norwegian newspaper] again got ransomware, so again, phishing or outdated systems.

We know how to address all of these. So what is happening? It’s interesting that what it really comes down to is: we know what best practices are, so why are they so hard to do? We need to have more of a conversation around that. Every single day, leadership at different organizations have to make choices around what to focus on, what to invest in, where to spend money, and what risks they choose to accept at that point in time. But if the end result is that organizations are compromised as a result of something as foundational as phishing and lacking two-factor, it really begs the question — are we actually prioritizing the right things?

And before we end. If you could give one key piece of security advice that every person should know. What would that be?

Turn on two-factor authentication!


The New York Times is turning Wordle into a board game

The New York Times is turning the popular online word game Wordle into a board game by teaming up with toymaker Hasbro. The media firm said Thursday that the board game, called Wordle: The Party Game, will be released this October in North America. You can pre-order it on Amazon, Target, and Hasbro Pulse for $19.99.

While the online version of Wordle is a single-player game where you have to guess a five-letter word in six attempts, the offline game tries to recreate the same experience while also pitting you against other players.


“In each round, a player designated as the Wordle Host writes down a Secret Word. Just like the original Wordle game, players have six attempts to guess a five-letter word. But in this game, players are competing against others,” NYT said in a press release.

“The fewer tries a player needs, the fewer points they score. The player with the fewest points at the end of the game wins.” For those who have always wanted more Wordle than you might get in the online format — it’s designed to be only one word per day — the board game has a distinct advantage: you can set as many Secret Words as you want.

The board game announcement comes days after the NYT announced that players will be able to link their Wordle online game stats to their NYT accounts.

NYT acquired the rights to Wordle from the creator Josh Wardle in January at an undisclosed price in the “low seven figures.” In an interview with TechCrunch just before the acquisition, Wardle mentioned that close to 2 million players were playing the game. In May, Twitter published a study saying the game had been mentioned in 32.2 million tweets since its launch in mid-October 2021, with a peak of 500,000 tweets per day in December.

Since then NYT ported the game to its own domain. The firm has benefitted from buying the game as “tens of millions of users” visited its site in Q1 2022. While playing Wordle remains free, NYT said it saw a record quarter for its $5 a month (or $40 a year) NYT Games service, which includes titles like The Crossword and The Spelling Bee, in terms of net subscriber addition.

Wordle’s success has also had an impact on other games inspired by it. Earlier this week, Spotify acquired a song guessing game called Heardle to improve music discovery.

As Coinbase falters, Binance.US is waiting in the wings

As the largest publicly traded crypto exchange in the United States, Coinbase has become something of a household name. But as the going gets tough in the crypto markets, the company seems to be fumbling the bag, leaving it vulnerable to competition.

Coinbase’s stock price is down nearly 80% from where it started the year and it recently made headlines for laying off one-fifth of its staff. The company posted a $430 million loss in the first quarter of 2022, underperforming Wall Street analysts’ expectations. Its trading volumes and number of monthly transacting users were both down from Q4 last year — bad news for a company that depends heavily on transaction fees for its revenue.

The exchange got over its skis quicker than even Coinbase itself probably imagined, a point evidenced by its decision to rescind job offers last month from candidates who had already accepted them. Its competitors, though, have been lying in wait for their moment to close in on the U.S. market. Now, sensing Coinbase’s moment of weakness, the two largest crypto exchanges in the world by volume (Coinbase is third globally) — Binance and FTX — are hoping to seize their opportunity stateside.

The three crypto giants all have different established customer bases and are trying to steal each other’s market share. Retail investors comprise around 95% of Coinbase’s transaction revenue, according to its latest quarterly filing. FTX, in contrast, already has a strong institutional trading business anchored in its founder and chief executive Sam Bankman-Fried’s background working at a quant hedge fund.

SBF, as he’s known in the crypto world, has been pulling out all the stops to gain retail customers, including introducing zero-fee U.S. stock trading in May, to try to turn FTX into a one-stop shop for the retail investor’s needs. After all, if Coinbase ascended to the No. 3 spot buoyed almost entirely by U.S. retail investors, its decline presents a valuable opportunity for global, institutionally focused exchanges to poach its users and boost their own trading volumes.

It makes sense, then, that Binance has its sights set on luring more retail investors, but the largest global exchange is still a bit of a dark horse in the race for the U.S. market as it battles against FTX for customers. Its Binance.US division saw spot trading volumes below $300 million as of July 12. That’s a drop in the bucket compared to its global business, which saw volumes of $10 billion for the same period — about seven times higher than volumes at both FTX and Coinbase.

Today, 70% of trading volume on Binance.US, the American offshoot of the global exchange, comes from institutional customers, its CEO Brian Shroder told TechCrunch in an interview. Still, retail investors bring in more revenue overall, in part because of the steep discounts Binance.US offers to its highest-volume customers, he added.

Binance is also taking a markedly different approach from FTX in luring U.S. retail investors, focusing on its core competency in crypto.

“Some exchanges want to go back to stock trading and target that market. That’s, again, not a wrong or right approach. We are a pure web3 company. We’re not going back; we’re moving forward. We want to build more web3 tools,” Binance founder Changpeng Zhao told Decrypt in an interview this week.

The exchange is also taking a less flashy tack when marketing in the U.S. While other competitors including Coinbase, FTX and Crypto.com were spending millions of dollars on Super Bowl ads during the crypto bull run, Binance.US stayed relatively quiet.

Under Shroder’s tenure, Binance.US seems to be reversing its reputation, once marred by rapid management turnover and ongoing regulatory battles, and pulling ahead in the fight to win over the U.S. retail investor. From a customer perspective, its strategy is undeniably appealing — undercut competitors by offering lower fees.

Coinbase’s fees are notoriously high at up to 3.99% for certain spot trades compared to FTX.US, which charges up to 0.20%. Binance.US, meanwhile, reaffirmed its commitment to keeping costs low for its customers last month when it launched fee-free bitcoin spot trading for all users, saying it is the first U.S. crypto exchange to have done so, though it’s worth noting that exchanges still make money from the spread on trades even if they don’t charge an upfront fee. It also rolled out a staking product last month that it claims provides some of the highest APY rates compared to its competitors and said it plans to add fee-free trading for more currencies in the future.

“On the cost side, it is unquestionable that we are the lowest-cost provider in this space,” Shroder said.

When asked about how Binance.US is able to provide above-market yields from its staking product, Shroder’s response was: “My guess is that when you look at the other firms having much lower APYs, it’s just that they are taking that themselves, and we are passing it on to the customer.”

Naturally, investors gravitate toward lower fees and higher returns, giving the deep-pocketed Binance a potential advantage over Coinbase in that it can afford to sacrifice profits in the U.S. to attract users as long as it makes them elsewhere. The same goes for FTX, which is able to offer no-fee equity trading only because it’s making money in other parts of its business.

Customers have shown enthusiasm for Binance.US, although investors, at times, have seemed more hesitant. Still, this April, the company was able to raise its first external funding from investors in a $200 million round valuing it at $4.5 billion. The fundraise marked a crucial first step on its path to an IPO — a milestone Shroder told TechCrunch he sees happening in the next two to three years.

Armed with the new cash and an extension to the round that Shroder says is coming soon, the company seems well positioned to weather a choppy market. It is actively hiring for 80+ new roles to add to its current employee base of ~400, TechCrunch reported last month.

“What I experienced at Uber, I’m living through again”

Despite Binance’s recent efforts in the U.S. market, its messy history with local regulators makes it easy to underestimate. The company is currently under investigation by the U.S. Commodities and Futures Trading Commission for allegations that it engaged in market manipulation. The U.S. Justice Department and IRS are also reportedly examining whether the exchange engaged in money laundering and tax evasion.

For context, Binance.US launched in 2019 as a standalone entity that licenses its branding and core technology from Binance itself. Zhao is said to have spun off the division in a bid to appeal to U.S. regulators who refused to greenlight the global exchange.

Zhao still wields significant influence over the U.S. exchange today as a major shareholder, although he told Decrypt this week that Binance “is no longer top-down driven” by him. The New York Times reported last August that Zhao held 90% of Binance.US shares.

Zhao’s ownership stake, according to the Times, became a sticking point with outside investors when former Binance.US CEO Brian Brooks tried to raise a venture round for the company as a step to an eventual IPO. Brooks ended up leaving the company just three months after taking over the top job, perhaps in part because the deal fell through.

Brooks isn’t the only top exec at Binance.US who has left unexpectedly. The company’s founding CEO, Catherine Coley, left the company so quietly last May that numerous unconfirmed rumors began swirling regarding her whereabouts. Last October, when Shroder took over the company as its next permanent CEO after Coley, Binance.US’s founding CFO Joshua Sroge made his exit. Last week, after nine months of searching, the company finally filled Sroge’s role, appointing former Acorns exec Jasmine Lee as its new permanent CFO.

In addition to its troubles in the U.S., Binance has also faced heavy regulatory scrutiny in Japan, the EU, Germany, Thailand and other regions. Shroder, who previously led Uber’s Asia-Pacific strategy, likened the exchange to the controversial ride-share startup.

“What I experienced at Uber, I’m living through again,” Shroder said. “When I was at Uber, we were bad boy No. 1, you know? We were the big bad guys picking on the taxi industry and hurting the taxi employees and things like that.”

“What was true about Uber is also true about Binance, globally, and then Binance in the U.S., which is that basically there was an entrepreneur who had an innovative approach to expanding technology that has never been contemplated by regulators,” he continued. “To support that, the regulators had to play catch-up to the technology, and I think that’s exactly what we’re experiencing now in the crypto space.”

Shroder is determined to shepherd Binance.US to its longstanding goal of going public, a milestone he believes it will achieve in the next two to three years. He said Binance.US is strong enough to continue growing even amid tough market conditions, citing the firm’s plans to hire some employees who were let go by Coinbase and competing crypto exchange Gemini as evidence that his company is better positioned for the challenges ahead.

“Coinbase and Gemini have multiple products and services, and they have them out there; they’ve been out there for a while. We historically have only had spot [trading] up until really this [quarter]. So as we add more products and services, which we have a very aggressive roadmap to do. We require more products and tech talent; we require more operations people to actually run those new business units. With the infusion of capital that we just got from our very first seed round, we’re taking all the funding, and we’re plowing it back into growth,” Shroder said.

Only time will tell if Shroder’s ambitious plan will work, but he is determined to reshape the narrative surrounding Binance.US in the public eye. One of the biggest misperceptions the public has about Binance.US, he said, is around its “desire to be a fully compliant and regulated entity,” a goal Shroder said has been central to the company since its founding.

“In the vacuum of you telling your own story, your story is being told by your competitors, or your story is being told based on your click rate. And to the extent that negative headlines drive views more than positive ones, I think that that just creates a misperception in the market that is not based on reality,” Shroder said.