The Threat That the US Can't Ignore: Itself

At its annual worldwide threat assessment hearing on Tuesday, top intelligence officials gave the Senate Intelligence Committee a rundown of the dangers the United States will face in 2019 and beyond. The adversaries were familiar, with China, Russia, North Korea, and Iran mentioned alongside evolving situations like Brexit and the power struggle in Venezuela. But if any common theme emerged, it’s the number of assessments the officials shared that seem to directly contradict positions touted by the Trump administration.

That tension hinted at another threat, one that didn’t come up directly in Tuesday’s hearing but appeared prominently in a report last week from director of national intelligence Dan Coats: That various recent actions by the United States may be undermining its own security.

That report, the “National Intelligence Strategy,” usually has both a public and classified version. But this year, ODNI elected to create only one public document in an effort, Coats said in remarks announcing the report, to promote transparency about intelligence community activities and goals. While similar in many ways to the Worldwide Threat Assessment ODNI released alongside Tuesday’s Senate hearing, last week’s NIS took more direct aim at the abstract, yet fundamental threat of a shifting geopolitical order.

“Traditional adversaries will continue attempts to gain and assert influence, taking advantage of changing conditions in the international environment—including the weakening of the post-WWII international order and dominance of Western democratic ideals, increasingly isolationist tendencies in the West, and shifts in the global economy,” last week’s report said.

This simple statement can also be read as a bombshell, articulating a trend that most politicians would be wary of admitting publicly. That isolationism stems in large part from Trump; his trade war with China has caused ripples in the global economy. But in Tuesday’s Senate testimony, intelligence officials including Coats, NSA director Paul Nakasone, CIA director Gina Haspel, and FBI director Christopher Wray brought none of that up directly.

The hearing instead focused on questions from senators about anti-terrorism efforts, nuclear proliferation, infrastructure hacking, and foreign intelligence and counter-intelligence-gathering. The discussion also touched on questions about defending big data and information-gathering risks from digital manipulations like “deepfakes,” compelling videos created by machine-learning programs that seem to depict something that didn’t actually happen.

Trump, meanwhile, has regularly called into question the findings of US intelligence agencies. These differences of opinion were on full display on Tuesday. Officials warned the Senate committee, for example, that election interference from Russia or other adversaries poses a real danger to the 2020 US elections, a threat Trump has frequently downplayed since he took office.

“We assess that foreign actors will view the 2020 US elections as an opportunity to advance their interests,” Coats said. “We expect them to refine their capabilities and add new tactics as they learn from each other’s experiences and efforts in previous elections.”

Officials also concluded that North Korea is “unlikely” to scale down or eliminate its nuclear capabilities, despite Trump’s insistence that he is making progress on a disarmament agreement. Trump and North Korean leader Kim Jong Un met last summer, and the president tweeted at the time that, “There is no longer a Nuclear Threat from North Korea.” The administration has organized another summit between the two leaders next month.

On the subject of the Iranian nuclear threat, intelligence officials said Tuesday that the country seems to be holding off on weapons development for now, but the officials warned that Iran has made credible threats about abandoning its commitments from the 2015 nuclear deal if it doesn’t see the economic benefits promised under the agreement. Trump withdrew the US from the accord last year, and reimposed sanctions on the country.

Meanwhile, in contrast to President Trump’s December proclamation that, “We have won against ISIS,” intelligence officials testified on Tuesday that the group is still active and threatening. “ISIS very likely will continue to pursue external attacks from Iraq and Syria against regional and Western adversaries, including the United States,” Coats said in his prepared remarks.

Both recent intelligence community threat and strategy reports also mention climate change as a looming security factor on the international stage. President Trump disputes the existence of climate change and the extent of its impact. As recently as Monday, he implied that winter weather, specifically a cold snap in the Midwest, casts doubt on the existence of global warming. This is incorrect.

The US faces a diverse and very real array of external threats, but intelligence community statements and conclusions over the past week hint that the Trump administration has exacerbated many of them itself, through policies and public statements.

For Senate Intelligence Committee members there was plenty to latch onto in Tuesday’s hearing. But perhaps the most dangerous threat that emerged from the meeting was hiding in plain sight: an administration in denial about the real threats to the US, and deeply divided from the intelligence community about how best to avoid disaster.

The Phone Number Ashton Kutcher Tweeted Comes From a Startup

First, I saw the tweet.

“I miss having a real connection w/ real people. My Community. From now on you can just text me. I won’t be able to respond to everyone but at least we can be real w/ each other & I can share the unedited latest & greatest in my world,” wrote Ashton Kutcher, the celebrity and tech world adjacentist, on Tuesday afternoon. And then he posted his phone number: 10 digits that held the promise of so much more.

I threw the link into Slack and then did it. I texted Ashton Kutcher.

“Hi Ashton Kutcher (or the person who hacked his Twitter account)”—look, I may have been throwing words into the void but I didn’t want to look gullible—“my name is Caitlin Kelly and I’m a journalist at Wired Magazine. Hope everything is going well! We here at Wired are curious: How many texts have you gotten since publishing this number online? And if you feel comfortable sharing: roughly what percentage of them have contained indecent photographs and/or proposals? Thanks.” And then I prepared to wait.

I didn’t have to. I immediately received a reply.

“hey it’s Ashton. this is an autotext to let you know I got your message, everything else will be from me. make sure you click the link and add yourself to my phone so I can respond to you.” This bizarrely capitalized message was followed by a url: in.community.com/lotsofrandomnumbers.

Wait, what?

“Ashton …” I texted back. “Are you launching a social media platform or a phishing scam?”

Sadly, the former appears closer to what’s going on.

Met with silence this time, I threw caution to the wind and clicked the link. It took me to a sign-up screen—“powered by community,” it read at the bottom—confirming my phone number and asking for my name, birthday, city, the usual. Now, Community.com’s homepage is currently useless if you want to know anything beyond what the word looks like in sans serif. But the Terms of Service more helpfully reveal that Community “provides its clients (including influencers, musicians, athletes, brands, actors, their agents, and others, collectively, ‘Clients’) the ability through a non-exclusive, revocable license to send and receive text messages from users of the Service by using a ten-digit phone number provided by COMMUNITY (the ‘COMMUNITY Phone Number’).”

The TOS also told me, “You understand and acknowledge that conversations using the Service are not private conversations with Clients but are intended as messages sent and interactions solely for purposes of promoting and/or advertising the Client and the Client’s products and service.”

Oh, OK.

Turns out, Community is the new name of Shimmur, Inc., which launched in 2014 to connect social media celebs with their fans. After downloading the Shimmur app, users could find their favorite YouTubers and Instagram stars, join their “Tribes,” and create posts aimed at that particular influencer (henceforth known as a “Tribe Leader”). Then, according to Shimmur’s FAQ, “The Tribe Leader will see the MOST UPVOTED posts in their Tribe FIRST – so the more upvotes your post gets, the higher the chance that your favorite star will respond!”

In other words, if Reddit and the thirstiest Instagram comment had a baby, it might look like Shimmur; a Forbes contributor described it as “a Gen-Z focused media company” in June 2017. According to Crunchbase, Shimmur raised $100,000 in three rounds, but the app no longer appears to be available to download. Its Twitter feed and Squarespace blog have not been updated since 2017. Shimmur.com now redirects to digits.chat, which is something in Private Beta. Between that and Community, it seems like a pivot to SMS.

Matthew Peltier is listed as co-founder of Shimmur (until November 2018) and founder and CEO of Community (as of December 2018) on LinkedIn. I messaged Peltier for more information about his company and Kutcher’s involvement over LinkedIn and email, but did not immediately hear back.

Obviously I should have known better when I texted Ashton Kutcher. “My Community” alone should have tipped me off—rather than a mark of the importance of community to Ashton, that capital-C “Community” carries the whiff of a trademark. OK, yes, fine, in retrospect I should have been skeptical that a celebrity with an estimated $200 million net worth would just tweet out his personal number to 18 million followers. In my defense, though, private messaging is making a comeback, as WIRED’s Lauren Goode noted earlier this week. Confronted with the wilderness of our howling feeds, people seek shelter in the warm fires of group chats and private DMs. And if any Hollywood celebrity wanted to do that on a national scale, why not the guy who played Kelso on That 70s Show?

But for those same reasons, the text is potentially valuable real estate for brands, politicians, spammers, and anyone else with a message they really want you to hear. And apparently that includes Ashton Kutcher.

As of this writing, no one has gotten back to me about how many messages the masses have texted to Ashton Kutcher. Which leaves me no choice but to speculate that it was so many people, it crashed the whole system. Three hours after he shared “his number” on Twitter, Ashton Kutcher had an update. He had taken down his original tweet sharing the phone number. “I will repost soon,” he tweeted. (Repost what? His number? The reason he did this to us?) “sms is a fragile beast.”

1 Simple Way to Increase Employee Participation

Engagement experts know that if employees are sitting in the bleachers, they’re not in the game.

That’s why smart leaders work hard to involve employees in strategy development, change management and problem solving. Doing so is time-consuming and sometimes challenging, but the result–motivated employees who feel valued–is worth the effort.

You should continue to do the heavy lifting to encourage employee participation. But also consider another way to involve employees–a communication method that’s easy, effective and even fun.

The concept: invite employees to express themselves about an important topic through photography. 

Yes, that means holding a contest and inviting employees to submit their work. But this is not about vacation photos or snaps of puppies. To make these experiences meaningful, focus on a subject–like this year’s strategy or a core initiative such as improving customer service–that matters to the organization. 

For example, Terracon, a consulting and engineering firm with 4,000 employees, holds a photo contest that “highlights our employee owners’ passion, creativity, and dedication to the diverse work we do.” The images represent Terracon’s service lines (including geotechnical, environmental and materials) and the unique project locations the company serves. 

Some of the winning photos were not artistic or even pretty. But that wasn’t the point: The idea was to give participants the chance to show where they work and what they do. And the result was that all employees had the opportunity to see Terracon in action.

How do you organize a photo contest? Here are a few guidelines:

Set parameters. If the contest is too open-ended, it’s harder for employees to understand what to do–and makes judging difficult. Create an overall theme (like How We’re Meeting Our Customers’ Needs) and consider establishing subcategories like:

  • All about people. Colleagues doing great work.
  • Go big or go small. Capture a (literally) big-picture view of the topic . . . or something very small (but still significant).
  • Just a metaphor. Instead of taking a photo of something specific, use a metaphor (water? fire? wind?) to convey an idea.
  • Black and white. Go retro.
  • Selfie. All about you (doing something awesome).
  • Taking action. We move fast, so capture us in action.
  • Instagram-worthy. Use effects and filters to put fun in your photo.

Decide on prizes. You want to find the right balance here–the prize should be significant enough to invite participation, but you don’t have to break the bank. After all, employees will be motivated by the chance to win the contest and to be recognized.

Make the rules clear, but not too technical. Try not to get the lawyers involved; this is supposed to be a friendly competition.

Recruit judges. Assemble a team of employees from various functions and locations to serve as judges. (After all, judging is another opportunity to encourage participation.)

Follow best practices in communicating about the contest–and make a big splash when the winners are announced. I think it’s great that Terracon posted winners on YouTube; after all, why shouldn’t you recognize employees publicly for sharing their work?

Tencent shares jump 3 percent after Chinese regulators approve new games

HONG KONG (Reuters) – Tencent Holdings Ltd saw its shares jump more than 3 percent on Friday as investors cheered Chinese regulators’ approval of mobile games published by the industry leader for the first time since a freeze on approvals imposed in March.

The State Administration of Press, Publication, Radio, Film and Television on Thursday approved 95 games in its fourth list since December, with two mobile games from Tencent and a first from NetEase Inc.

Tencent, Asia’s biggest listed firm by market value, has been reeling from increased scrutiny of online gaming amid calls to tackle child addiction in the world’s largest gaming market.

Shares of the firm have lost roughly 20 percent of their market value since March. They were up as much as 3.2 percent early on Friday, beating a 1.3 percent rise in the benchmark Hang Seng Index and a 2.7 percent gain in the Hang Seng sub-index tracking information technology firms.

China started resuming gaming approvals in December, though Tencent’s games had been absent from the three batches approved until Thursday, unnerving investors.

The impact of online games on the country’s youth has attracted scrutiny from Chinese President Xi Jinping, who last year urged all levels of government to implement effective schemes to prevent and treat the high incidence of myopia that authorities suspect is linked to game addiction.

China’s largest gaming and social media firm has imposed a playtime restriction since July, allowing a maximum of one hour a day for children 12 years old and under, and a maximum of two hours for those aged 13 to 18.

Founded in 1998, Shenzhen-based Tencent enjoyed uninterrupted growth from when it went public in 2004 until last year when it saw more than $200 billion wiped off its market value from a peak hit in January.

Last week, Tencent released a test version of a third-party developed smartphone game in China based on the U.S. hit television show Game of Thrones, bolstering its pipeline.

Reporting by Donny Kwok; Editing by Christopher Cushing

Microsoft says Bing search engine blocked in China

(Reuters) – Microsoft Corp’s (MSFT.O) Bing search engine has been blocked in China, the company said on Wednesday, making it the latest foreign technology service to be shut down behind the country’s Great Firewall.

“We’ve confirmed that Bing is currently inaccessible in China and are engaged to determine next steps,” the company said in a statement.

It is the U.S. technology giant’s second setback in China since November 2017 when its Skype internet phone call and messaging service was pulled from Apple and Android app stores.

A search performed on Bing’s China website – cn.bing.com – from within mainland China directs the user to a page that says the server cannot be reached.

The Financial Times, citing a source, reported on Wednesday that China Unicom (0762.HK), a major state-owned telecommunication company, had confirmed the government order to block the search engine.

Cyberspace Administration of China (CAC), a government watchdog, did not respond to faxed questions about Bing’s blocked website.

Bing was the only major foreign search engine accessible from within China’s so-called Great Firewall. Microsoft censored search results on sensitive topics, in accordance with government policy.

Microsoft also has a partnership with Chinese data center provider 21Vianet to offer its products Azure and Office 365 to clients in the country.

Alphabet’s (GOOGL.O) Google search platform has been blocked in China since 2010. Google CEO Sundar Pichai said in December it has “no plans” to relaunch a search engine in China though it is continuing to study the idea amid increased scrutiny of big tech firms.

President Xi Jinping has accelerated control of the internet in China since 2016, as the ruling Communist Party seeks to crack down on dissent in the social media landscape.

In a statement on Wednesday, CAC said it had deleted more than 7 million pieces of online information and 9,382 mobile apps. It also criticized technology company Tencent’s news app for spreading “vulgar information.”

Reporting by Josh Horwitz in Shanghai and Gaurika Juneja in Bengaluru; additional reporting by Cate Cadell and Stephen Nellis; Editing by Sandra Maler, Grant McCool and Darren Schuettler

Google, Facebook spend big on U.S. lobbying amid policy battles

SAN FRANCISCO (Reuters) – Alphabet Inc’s Google disclosed in a quarterly filing on Tuesday that it spent a company-record $21.2 million on lobbying the U.S. government in 2018, topping its previous high of $18.22 million in 2012, as the search engine operator fights wide-ranging scrutiny into its practices.

In its filing to Congress on Tuesday, Facebook Inc disclosed that it also spent more on government lobbying in 2018 than it ever had before at $12.62 million. That was up from $11.51 million a year ago, according to tracking by the nonpartisan Center for Responsive Politics.

Google spent $18.04 million on lobbying in 2017, according to the center’s data.

Google and Facebook declined to comment beyond their filings.

U.S. lawmakers and regulators have weighed new privacy and antitrust rules to rein in the power of large internet service providers such as Google, Facebook and Amazon.com Inc. Regulatory backlash in the United States, as well as Europe and Asia, is near the top of the list of concerns for technology investors, according to financial analysts.

Microsoft Corp spent $9.52 million on lobbying in 2018, according to its disclosure on Tuesday, up from $8.5 million in 2017 but below its $10.5 million tab in 2013.

Apple Inc spent $6.62 million last year, compared to its record of $7.15 million in 2017, according to center data going back to 1998.

Apple and Microsoft did not respond to requests to comment. A filing from Amazon was expected later on Tuesday.

Google disclosed that new discussion topics with regulators in the fourth quarter included its search technology, criminal justice reform and international tax reform. The company is perennially among the top spenders on lobbying in Washington along with a few cable operators, defense contractors and healthcare firms.

Google Chief Executive Sundar Pichai, who testified in December before a U.S. House of Representatives panel for the first time, has said the company backs the idea of national privacy legislation. But he has contested accusations of the company having a political bias in its search results and of stifling competition.

Susan Molinari, Google’s top U.S. public policy official, stepped down to take on an advisory role this month.

Facebook said discussing “election integrity” with national security officials was among its new lobbying areas in the fourth quarter. The filing said the company continued to lobby the Federal Trade Commission, which is investigating its data security practices.

Reporting by Paresh Dave; Additional reporting by Diane Bartz in Washington; Editing by Bill Berkrot and Sonya Hepinstall

Cyber Saturday—Challenging Facebook’s ‘#10YearChallenge,’ Tim Cook’s Privacy Plea, Mega Password Leak

Dumpster diving. A huge trove of data spilled onto the web and has been helpfully uploaded to HaveIBeenPwned, a leaked password-checking database for consumers, by security researcher Troy Hunt, the site’s proprietor. The leak, dubbed “Collection #1,” contains nearly 773 million unique email addresses and more than 21 million unique passwords—making it Hunt’s largest-ever upload. It’s unclear where exactly the data originated, although the anonymous person(s) who posted them online claim they came from many different sources. Best use the opportunity to clean up your password hygiene.

Be yourself. Facebook is still combatting disinformation. Nathaniel Gleicher, Facebook’s head of cybersecurity policy, said the media giant booted two Russian operations—including one involving Sputnik, a Moscow-based news agency—off Facebook and Instagram on Thursday. Facebook suspended hundreds of accounts and pages that he said engaged in “coordinated inauthentic behavior.” He noted that the fight against fakers is “an ongoing challenge.”

Chinese finger trap. Federal prosecutors are probing Huawei for allegedly stealing intellectual property from U.S. companies, including components from a T-Mobile phone-testing robot called “Tappy,” reports the Wall Street Journal. The investigation is “at an advanced stage and could lead to an indictment soon,” the Journal’s unnamed sources said. Add this development to the mess of controversies entangling the Chinese company.

Demand a recount. The Financial Times said it discovered evidence of “huge fraud” in the Democratic Republic of Congo’s December presidential election. The paper claims that its own independent tally of votes, based on data leaked by an unnamed source close to Martin Fayulu, the contest’s loser (but actual winner?), exposes the fraud. The report corroborates the view of the Catholic Church, which earlier denounced the election’s “results” after conducting its own audit.

Look; don’t touch. A California judge recently ruled that police officers are not authorized, even in possession of a search warrant, to force suspects to unlock their phones using biometrics, like a fingerprint or facial scan, Forbes reports. Judges had already ruled that passcodes were protected against such coercion, meaning people could refuse to supply them, thereby preventing self-incrimination. The judge, who called the original law enforcement request “overbroad,” wrote, “If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.”

Google Is Paying Employees for Six Months of Charity Work

Google’s philanthropic arm, Google.org, has launched a new program that will pay its employees to do pro bono work for nonprofit groups for up to six months.

Google announced the new program, called the Google.org Fellowship, on Tuesday. The purpose is to let Google employees take on full-time pro bono work for the organization’s nonprofit partners, which include groups like the National Domestic Workers Alliance, Girls Who Code, and Amnesty International.

The company aims to achieve 50,000 hours of pro bono work this year.

The fellowship extends Google’s community service outreach and adds to a growing list of volunteer-based initiatives offered by tech companies. It also helps Google accomplish two goals: aid the community with the company’s expertise—as well as motivate employees and help them sharpen their skills, according to the company’s blog.

The launch of Google’s fellowship came after the company piloted a six-month program in which it sent five Googlers to work with Thorn, a nonprofit founded by Ashton Kutcher that develops technology to protect children from sexual abuse. Through the partnership, Google employees helped build tools to find patterns in data that would assist law enforcement in identifying and locating child victims faster.

Since then, seven Google.org fellows, including software engineers and data scientists, started working with Goodwill Industries International, to which Google.org gave $10 million in 2017. Googlers will help the organization get better insight about what works best in their job training programs.

Prior to this program, Google had already offered employees volunteer hours, though a much smaller number, for community service projects.

Google launched GoogleServe in 2008, aiming to encourage employees to participate in community service projects for a day in June. The program also helps match employees’ skillsets to nonprofits’ needs and allows them to spend up to 20 hours of work time volunteering. Last year, more than 5,000 employees volunteered more than 50,000 hours across 400 projects, according to Google’s website.

Along the same lines, Salesforce.org, the philanthropic arm of business software company Salesforce, has a Pro Bono Program that offers employees 56 hours of paid volunteer time annually. Between the program’s debut in 2014 and October 2017, Salesforce employees had volunteered 166,000 pro bono hours with 5,700 organizations.

Twitter also offers a community service day. The #TwitterForGood Day, a biannual event at the company, gives employees the chance to do community service at partnering organizations.

Apple premiered its employee volunteer program in 2015. The Apple Global Volunteer Program helps employees organize and support organizations and events in their communities. The program offers training and tools to help them create and promote volunteer events.

An Astonishing 773 Million Records Exposed in Monster Breach

There are breaches, and there are megabreaches, and there’s Equifax. But a newly revealed trove of leaked data tops them all for sheer volume: 772,904,991 unique email addresses, over 21 million unique passwords, all recently posted to a hacking forum.

The data set was first reported by security researcher Troy Hunt, who maintains Have I Been Pwned, a way to search whether your own email or password has been compromised by a breach at any point. (Trick question: It has.) The so-called Collection #1 is the largest breach in Hunt’s menagerie, and it’s not particularly close.

The Hack

If anything, the above numbers understate the real volume of the breach, as they reflect Hunt’s effort to clean up the data set to account for duplicates and to strip out unusable bits. In raw form, it comprises 2.7 billion rows of email addresses and passwords, including over a billion unique combinations of email addresses and passwords.

The trove appeared briefly on MEGA, the cloud service, and persisted on what Hunt refers to as “a popular hacking forum.” It sat in a folder called Collection #1, which contained over 12,000 files that weigh in at over 87 gigabytes. While it’s difficult to confirm exactly where all that info came from, it appears to be something of a breach of breaches; that is to say, it claims to aggregate over 2,000 leaked databases that contain passwords whose protective hashing has been cracked.

“It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,” Hunt tells WIRED. “There’s no obvious patterns, just maximum exposure.”

That sort of Voltron breach has happened before, but never on this scale. In fact, not only is this the largest breach to become public, it’s second only to Yahoo’s pair of incidents—which affected 1 billion and 3 billion users, respectively—in size. Fortunately, the stolen Yahoo data hasn’t surfaced. Yet.

Who’s Affected?

The accumulated lists seem designed for use in so-called credential-stuffing attacks, in which hackers throw email and password combinations at a given site or service. These are typically automated processes that prey especially on people who reuse passwords across the whole wide internet.
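One defender-side way to spot the automated pattern described above: a single source trying many different accounts in a short window with a high failure rate, which looks nothing like a legitimate user mistyping their own password. This is an added example, not code from the WIRED article or from Have I Been Pwned; the log format, the IP addresses and the thresholds are constructed for illustration.

```python
"""Heuristic credential-stuffing detector over web-server auth logs (added example)."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample auth log (not real traffic). One event per line:
# <ISO-8601 timestamp> <client IP> <account email> <LOGIN_OK|LOGIN_FAIL>
# 198.51.100.5 is one user mistyping her own password twice; 203.0.113.7 walks
# through ten different accounts in nine seconds and gets into two of them.
SAMPLE_LOG = """\
2019-01-17T10:00:00Z 198.51.100.5 alice@example.com LOGIN_FAIL
2019-01-17T10:00:09Z 198.51.100.5 alice@example.com LOGIN_FAIL
2019-01-17T10:00:20Z 198.51.100.5 alice@example.com LOGIN_OK
2019-01-17T10:01:00Z 203.0.113.7 bob@example.com LOGIN_FAIL
2019-01-17T10:01:01Z 203.0.113.7 carol@example.com LOGIN_FAIL
2019-01-17T10:01:02Z 203.0.113.7 dave@example.com LOGIN_OK
2019-01-17T10:01:03Z 203.0.113.7 erin@example.com LOGIN_FAIL
2019-01-17T10:01:04Z 203.0.113.7 frank@example.com LOGIN_FAIL
2019-01-17T10:01:05Z 203.0.113.7 grace@example.com LOGIN_FAIL
2019-01-17T10:01:06Z 203.0.113.7 heidi@example.com LOGIN_FAIL
2019-01-17T10:01:07Z 203.0.113.7 ivan@example.com LOGIN_OK
2019-01-17T10:01:08Z 203.0.113.7 judy@example.com LOGIN_FAIL
2019-01-17T10:01:09Z 203.0.113.7 mallory@example.com LOGIN_FAIL
2019-01-17T10:30:00Z 192.0.2.44 bob@example.com LOGIN_OK
"""


@dataclass
class Event:
    ts: datetime
    src: str
    account: str
    ok: bool


@dataclass
class Alert:
    src: str
    attempts: int
    distinct_accounts: int
    failure_ratio: float
    compromised_accounts: list  # accounts that accepted a login from the flagged source


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, src, account, outcome = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, src, account.lower(), outcome == "LOGIN_OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events: list[Event], window: timedelta = timedelta(seconds=60),
                               min_accounts: int = 5, min_failure_ratio: float = 0.7) -> list[Alert]:
    """Flag a source if, inside any sliding window, it tries at least `min_accounts`
    distinct accounts and at least `min_failure_ratio` of those attempts fail.
    Thresholds are assumptions; tune them against your own baseline traffic."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for e in events:  # events are already globally sorted, so each list stays sorted
        by_src[e.src].append(e)

    alerts = []
    for src, evs in by_src.items():
        in_window: Counter = Counter()  # account -> attempts currently inside the window
        fails = 0
        start = 0
        flagged = False
        for end, e in enumerate(evs):
            in_window[e.account] += 1
            fails += not e.ok
            # Slide the left edge forward until the window is no wider than `window`.
            while evs[end].ts - evs[start].ts > window:
                old = evs[start]
                in_window[old.account] -= 1
                if in_window[old.account] == 0:
                    del in_window[old.account]
                fails -= not old.ok
                start += 1
            n = end - start + 1
            if len(in_window) >= min_accounts and fails / n >= min_failure_ratio:
                flagged = True
                break
        if flagged:
            # Any account the flagged source logged into successfully is a likely
            # password-reuse victim and should be forced through a reset.
            compromised = sorted({e.account for e in evs if e.ok})
            total_fails = sum(not e.ok for e in evs)
            alerts.append(Alert(src, len(evs), len({e.account for e in evs}),
                                total_fails / len(evs), compromised))
    return alerts


if __name__ == "__main__":
    for a in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{a.src}: {a.attempts} attempts on {a.distinct_accounts} accounts, "
              f"{a.failure_ratio:.0%} failed; reset {a.compromised_accounts}")
```

Alice's three attempts on one account never trip the distinct-account threshold, so a per-source rate limit alone would be the wrong tool; the window-based account spread is what separates the two patterns.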

The silver lining in Collection #1 going public is that you can definitively find out if your email and password were among the impacted accounts. Hunt has already loaded them into Have I Been Pwned; just type in your email address and keep those fingers crossed. While you’re there you can also find out how many previous breaches you’ve been a victim of. Whatever password you’re using on those accounts, change it.

Have I Been Pwned also introduced a password-search feature a year and a half ago; you can just type in whatever passwords go with your most sensitive accounts to see if they’re out in the open. If they are, change them.

And while you’re at it, get a password manager. It’s well past time.

How Serious Is This?

Pretty darn serious! While it doesn’t appear to include more sensitive information, like credit card or Social Security numbers, Collection #1 is historic for scale alone. A few elements also make it especially unnerving. First, around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database, meaning they’re not just duplicates from prior megabreaches.

Then there’s the way in which those passwords are saved in Collection #1. “These are all plain text passwords. If we take a breach like Dropbox, there may have been 68 million unique email addresses in there, but the passwords were cryptographically hashed, making them very difficult to use,” says Hunt. Instead, the only technical prowess someone with access to the folders needs to break into your accounts is the ability to scroll and click.

And lastly, Hunt also notes that all of these records were sitting not in some dark web backwater, but on one of the most popular cloud storage sites—until it got taken down—and then on a public hacking site. They weren’t even for sale; they were just available for anyone to take.

The usual advice for protecting yourself applies. Never reuse passwords across multiple sites; it increases your exposure by orders of magnitude. Get a password manager. Have I Been Pwned integrates directly into 1Password—automatically checking all of your passwords against its database—but you’ve got no shortage of good options. Enable app-based two-factor authentication on as many accounts as you can, so that a password isn’t your only line of defense. And if you do find your email address or one of your passwords in Have I Been Pwned, at least know that you’re in good company.
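The password search mentioned earlier and the password-manager integration in the advice above both rest on the same mechanism: Pwned Passwords now answers through a k-anonymity range API, so a client sends only the first five hex characters of the password's SHA-1 and matches the rest locally against the suffixes returned for that prefix. The code below is an added example, not Have I Been Pwned's or 1Password's own code; the range response it parses is constructed for the example (the two filler suffixes and every count are made up, not live figures), and the only facts it relies on are the SHA-1 prefix/suffix split and the `SUFFIX:COUNT` line format of the range endpoint.

```go
// Added example (not the article's or HIBP's own code): the k-anonymity range
// lookup used by Pwned Passwords. Only the first five hex characters of the
// password's SHA-1 leave your machine; the 35-character remainder is matched
// locally against the suffixes the server returns for that prefix.
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"os"
	"strconv"
	"strings"
)

const rangeURL = "https://api.pwnedpasswords.com/range/"

// Constructed range response for prefix 5BAA6 (SHA-1 of "password" starts 5BAA6).
// The two filler suffixes and all counts are made up for the example; they are not live figures.
const sampleRange = `0123456789ABCDEF0123456789ABCDEF012:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FEDCBA9876543210FEDCBA9876543210FED:1`

// hashPassword splits the uppercase hex SHA-1 of pw into the 5-char prefix sent to the
// server and the 35-char suffix that stays local.
func hashPassword(pw string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(pw))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// parseRange reads "SUFFIX:COUNT" lines into a map. A malformed line is an error,
// not something to skip, because skipping could turn a breached password into a miss.
func parseRange(body io.Reader) (map[string]int, error) {
	out := make(map[string]int)
	sc := bufio.NewScanner(body)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 || len(parts[0]) != 35 {
			return nil, fmt.Errorf("malformed range line %q", line)
		}
		n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
		if err != nil {
			return nil, fmt.Errorf("bad count in %q: %w", line, err)
		}
		out[strings.ToUpper(parts[0])] = n
	}
	return out, sc.Err()
}

// pwnedCount returns how many times pw appears in the range response body (0 if absent).
func pwnedCount(pw string, body io.Reader) (int, error) {
	_, suffix := hashPassword(pw)
	m, err := parseRange(body)
	if err != nil {
		return 0, err
	}
	return m[suffix], nil
}

// fetchRange performs the live query for one prefix. Not used in the offline run.
func fetchRange(prefix string) (string, error) {
	resp, err := http.Get(rangeURL + prefix)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("range query returned %s", resp.Status)
	}
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

func main() {
	pw := "password"
	prefix, _ := hashPassword(pw)
	body := sampleRange
	if os.Getenv("HIBP_LIVE") != "" { // set to query the real API instead of the constructed sample
		var err error
		if body, err = fetchRange(prefix); err != nil {
			panic(err)
		}
	}
	n, err := pwnedCount(pw, strings.NewReader(body))
	if err != nil {
		panic(err)
	}
	fmt.Printf("prefix sent: %s, times seen: %d\n", prefix, n)
}
```

Run as-is it works against the constructed sample; with `HIBP_LIVE=1` it sends the five-character prefix to the real endpoint. A count of zero means the hash was not in the corpus at query time, not that the password is strong; a non-zero count means treat the password as public and rotate it everywhere it was reused.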


More Great WIRED Stories

Bracing for a Hazy Robo-Future, Ford and VW Join Forces

Sensor partnerships. Subsidiary acquisitions. Software collaborations. The autonomous driving world is about as incestuous a place as Caligula’s palace, and it got a little more so today, when Ford and Volkswagen announced a formal and long-anticipated alliance.

“The alliance we are now building, starting from first formal agreement, will boost both partners’ competitiveness in an era of rapid change,” Herbert Diess, the CEO of Volkswagen, said on a call with reporters. He and Ford CEO Jim Hackett said the partnership—which is not a merger—will begin with the companies jointly developing and building medium-sized pickups and commercial vans, to debut as early as 2022. The automakers said the arrangement should “yield improved annual pre-tax operating results” by 2023. So hopefully, this makes everyone richer.

After that, well, the companies have signed a “memorandum of understanding” to collaborate on electric vehicles, autonomous vehicles, and mobility services. The shape and details of those partnerships are yet to be determined.

Diess is right about that “rapid change” bit. The automotive industry has shifted remarkably in the last decade, with new vehicle and vehicle-adjacent tech players—Tesla, Waymo, Aurora, Argo AI—injecting fresh blood (and panic) into the business of building cars. Ford and VW seem to believe that banding together will help them not only survive, but thrive.

The companies will need to do that in a world where, eventually, someday, the human driver is obsolete. The path to self-driving domination is not yet clear. What services will automotive manufacturers manage for themselves? Which technologies will they build and own? Ford and VW have spent the last few years toying with different answers to these questions, and by joining forces, each has diversified its AV portfolio. It might be evidence, as automotive writer Pete Bigelow points out, that the companies are making smart, strategic decisions about how to spend their R&D dollars in this confusing, in-between time. Or that they’re flailing. Maybe both.

Both VW and Ford already have (quasi) in-house automated vehicle software teams. VW has built up a 150-person “Autonomous Intelligent Driving” unit as part of its Audi brand, which is building a full AV software stack. (Audi itself has pledged to spend $16 billion on electric and self-driving vehicles through 2023.) And the German automaker is working on self-driving with the AV developer Aurora, which is headed up by self-driving tech veterans.

Ford has a large stake in Pittsburgh-based AV software company Argo AI, whose work is a key element of the automaker’s pledge to have a fully automated robotaxi in operation by 2021. And it has spent time and money boning up on “mobility” tech, purchasing companies like transit software-maker TransLoc, transportation cloud platform Autonomic, (recently killed) shuttle service Chariot, and scooter-share company Spin. It’s trying to figure out how best to connect customers to transportation, and what they’d like to see out of a transportation service, anyway.

It’s not clear yet how these various minglings will affect Ford and VW’s work. Argo AI is involved in the discussions between the companies, but specifics are scarce. “We’re not going to speculate on the details of the advanced discussions that are ongoing,” says Alan Hall, a spokesperson for Ford.

Khobi Brooklyn, a spokesperson for Aurora, did not say what role the company might play in the alliance. “As we continue to build relationships across the transportation ecosystem with providers of vehicles, transportation networks and fleet management operations, we are confident that we will be able to deliver the benefits of self-driving technology safely, quickly, and broadly,” she wrote in a statement. Aurora has said that it has not ruled out working with other automotive manufacturers on self-driving cars; it also has partnerships with Hyundai and EV startup Byton.

Another element of this “diversification” that should benefit both companies: They get easier access to the others’ regional strengths—and regulatory environments. VW has invested serious money in South America, Africa, and China. But despite a new plan to establish a plant in Tennessee, the German carmaker is weaker in the US, Ford’s home turf. “From Volkswagen’s perspective, it would make a lot of sense to cooperate with an American player given that the regulatory conditions for preparing the breakthrough of autonomous driving are more advanced in the US than they are in Europe,” Diess told reporters. Break out those German-English dictionaries.


Ockam provides easy to deploy identity, trust, and interoperability for IoT developers

Featured stories

Maybe you’re not going to buy a $7,000 smart toilet, but the Internet of Things (IoT) is on its way to your home and office. Silly gadgets aside, IoT device inventors face many programming challenges. It’s hard adding identity, trust, and interoperability to IoT hardware. The Ockam startup will change this for the better.

Customers want IoT devices to be trustworthy and to work with other vendors’ gear. Programmers know that’s easier said than done. Many IoT vendors’ answer is to not bother adding sufficient security or interoperability to their gadgets. This leads to one IoT security problem after another.

Ockam’s answer is to make it easy to add identity, trust, and interoperability by providing programmers with the open-source, Apache-licensed Ockam Software Developer Kit (SDK). With it, developers can add these important features to their devices without a deep understanding of secure IoT network architecture or cryptographic key identity management.


This is provided by a Golang library and a Command Line Interface (CLI). Additional languages, features, and tools will be supported in future releases.

Once properly embedded within a device’s firmware, the Ockam SDK enables the device to become an Ockam Blockchain Network (OBN) client. OBN provides a decentralized, open platform with high throughput and low latency. It also provides the infrastructure and protocols underpinning Ockam’s SDK.

Devices are assigned a unique Decentralized ID (DID), a cryptographically secure identifier. While used primarily to identify devices, a DID can also represent people, organizations, or other entities. With this, developers can codify complex graph relationships between people, organizations, devices, and assets.

Once on OBN, devices can share data as verified claims with any other registered network device. This is secured by an Ockam-provided, blockchain-powered Public Key Infrastructure (PKI). Devices can also verify data that they receive from other registered OBN IoT devices. OBN is free of charge for developers until its general availability release later this year.

This may all sound complex, but the complexities are hidden away behind its serverless architecture: A developer only needs the SDK. OBN’s complications, such as PKI, are abstracted away.

Some of Ockam’s structure may sound familiar. That’s because it’s taking a page from Twilio. Just as Twilio provides a common layer between telecommunications infrastructure and developers, to make it easy to incorporate messaging into applications, Ockam provides a “common rail” for adding secure identity to IoT devices. With a single line of code, Ockam enables developers to provision an immutable identity to a device.
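The pieces the article describes in the abstract (a device identity bound to a key, a claim signed by that key, and verification by another device against a key registry) are worth seeing concretely. The example below is added here and is not Ockam's SDK or any OBN API; it uses Go's standard ed25519, and the `did:example:` identifier scheme, the `Registry` type and the sample claim values are assumptions for illustration, not Ockam's DID method or its PKI.

```go
// Added example (not Ockam's SDK or API): the mechanics the text describes,
// a device identity bound to a key pair, a signed claim, and verification by
// another device against a registry of public keys. Go's standard ed25519 is used;
// the "did:example:" identifier scheme and the Registry type are assumptions for
// illustration, not Ockam's DID method or OBN's PKI.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is what one device asserts about a subject. Field order is fixed by the
// struct, so json.Marshal gives signer and verifier identical bytes to sign and check.
type Claim struct {
	Issuer  string `json:"issuer"`
	Subject string `json:"subject"`
	Type    string `json:"type"`
	Value   string `json:"value"`
	Issued  int64  `json:"issued"`
}

type SignedClaim struct {
	Claim     Claim  `json:"claim"`
	Signature []byte `json:"sig"`
}

// Device holds an identity key pair; the private key never leaves the device.
type Device struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// deviceID derives the identifier from the public key, so an ID cannot be claimed
// without the matching key (illustrative scheme, not a registered DID method).
func deviceID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "did:example:" + base64.RawURLEncoding.EncodeToString(sum[:16])
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: deviceID(pub), Pub: pub, priv: priv}, nil
}

// Issue signs a claim with the device's identity key.
func (d *Device) Issue(subject, typ, value string, issued int64) (SignedClaim, error) {
	c := Claim{Issuer: d.ID, Subject: subject, Type: typ, Value: value, Issued: issued}
	b, err := json.Marshal(c)
	if err != nil {
		return SignedClaim{}, err
	}
	return SignedClaim{Claim: c, Signature: ed25519.Sign(d.priv, b)}, nil
}

// Registry maps identifiers to public keys: the job the text assigns to OBN's PKI.
type Registry map[string]ed25519.PublicKey

// Register enrols a key under the ID derived from it; a caller cannot register
// someone else's ID with their own key.
func (r Registry) Register(pub ed25519.PublicKey) string {
	id := deviceID(pub)
	r[id] = pub
	return id
}

// Verify checks a received claim: known issuer, and a signature valid over the exact bytes.
func (r Registry) Verify(sc SignedClaim) error {
	pub, ok := r[sc.Claim.Issuer]
	if !ok {
		return errors.New("unknown issuer")
	}
	b, err := json.Marshal(sc.Claim)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, b, sc.Signature) {
		return errors.New("signature does not match claim")
	}
	return nil
}

func main() {
	sensor, _ := NewDevice()
	gateway := Registry{}
	gateway.Register(sensor.Pub)
	sc, _ := sensor.Issue("room-12", "temperature", "21.5C", 1547740800)
	fmt.Println("genuine claim:", gateway.Verify(sc))
	sc.Claim.Value = "99.9C" // tampered in transit
	fmt.Println("tampered claim:", gateway.Verify(sc))
}
```

Two design points carry over to any such system regardless of vendor: the identifier must be bound to the key (here by derivation) so that enrolment cannot hijack another device's ID, and the verifier must re-serialize the claim itself rather than trust bytes the sender supplies alongside the signature. What the example leaves out, and what a network like OBN has to supply, is distribution and revocation of the registry itself.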


OBN is built on Microsoft Azure confidential compute. Microsoft Engineering is a dedicated technical partner, and Ockam CEO Matthew Gregory led Azure’s open-source software developer platform strategy.

Together, Ockam and OBN provide a backbone for the next generation of high-performance IoT ecosystems. Ockam is interoperable and built for multi-party IoT networks. So, in theory, your devices will be able to work with other vendors’ gear.

According to Yorke Rhodes, co-founder of blockchain at Microsoft Azure: “Ockam’s team is best in class, bringing together skills and experience in enterprise, IoT, secure compute, scale-up, and Azure. We are thrilled to be collaborating with them on their innovative solution for the IoT developer community.”

I don’t know about “thrilled,” but I do know if I were building IoT devices, which I want to work and play well and securely with other devices, I’d be working with Ockam. It promises to make high-quality IoT development much easier.

Will Microsoft Break the Internet?

When the Internet became popular in the early 1990s, Microsoft was late to the party. In a desperate catch-up move, Microsoft decided to drive Netscape (the most popular browser of the time) out of business by grafting Internet Explorer onto Windows.

The U.S. government slapped Microsoft with an anti-monopoly lawsuit, which hung around in court for about a decade, by which time Netscape had become a historical footnote, rendering the issue moot.

By that time, though, Microsoft no longer dominated high tech. Industry growth was shifting to up-and-comers like Google and Facebook, as well as a resurgent Apple. And so it remains today: Microsoft is too big to ignore but, frankly, about as exciting as IBM.

All that might change in the next few years, though, according to a recent article in Business Insider. Turns out that Microsoft is quietly testing a product, code-named “Bali,” that would completely disrupt and even destroy the business models of its chief rivals.

Today, online firms gather information about us, and use that information to increase the effectiveness of the ads they display by better targeting them to prospective buyers. Under this business model, Facebook and Google get 90% of the world’s online ad revenue.

Microsoft’s Bali turns that equation around. With Bali, you own your personal online data, which you can (if you choose) sell to the companies that want to target you with ads. Facebook and Google would only know what you want them to know.

Everything about you would, by default, be private. If you wanted it to remain so, fine. But you’d also have the choice to tell Facebook, Google and other online firms that “you can track me and sell ads to me but only if I get a piece of the action.”

In short, you’d get paid to use the Internet.

Will it work? Well, in the wake of multiple privacy scandals, this seems like an idea whose time has definitely come. And there’s no question whatsoever that Microsoft has the technical chops to develop and bulletproof the environment.

On the downside, though, Microsoft’s most successful products (Windows, Xbox, Azure, etc.) are imitations of innovations from other firms. The company’s track record launching something completely new is spotty, at best.

Still, if Microsoft pulls this off and Bali catches on, Microsoft might easily find itself in the same enviable position of massive market dominance it had back before the Internet upended its erstwhile Windows monopoly.

Frankly, I’m not sure I want Microsoft to have that kind of power. I am sure of this, though: if a single company is destined to dominate the future of the Web, I’d a damn sight rather it be Microsoft than Facebook.

Before You Quit Your Day Job for a Startup, Make Sure You Can Answer These 7 Questions

I’ve heard pitches from more than 20,000 entrepreneurs over the last two decades.  The top question I’m asked (other than “Will you invest in me?”) is, “Is my idea any good?”

Wantrepreneurs from far and wide track me down to get my blessing before they quit their well-paying job to start a startup. Over the decades and in conjunction with other angel investors and venture capitalists, I’ve developed a seven-question list that potential founders should ask themselves before coming to ask me.

If your answer to all seven of these questions is “yes,” your idea is probably excellent. If not, you have some work to do.

1. Are you obsessed with the industry, customers, or problem?

Successful founders love what they do. They would learn about the industry, customer segment or problem even if they weren’t being paid. To be successful, you must be obsessive about your startup opportunity.

The difference between obsessive and caring is quite large. Caring is a given, and it’s not enough. Being obsessive means that you think about something dozens of times a day. If you aren’t obsessive, you won’t be able to accumulate the insights needed to garner strategic advantage, insights that only come from focusing on something for thousands of hours.

2. Can you build the solution? 

Ideas are worthless until combined with relentless execution. You must be able to execute both your idea and your product. At the very least, you need to be able to create a prototype or minimum viable product, something you can get into the hands of early adopters and generate early proof of concept traction.

3. How elastic is demand?

Pain killer or vitamin? Cost saver or revenue generator? The best opportunities solve unmet market needs where demand is inelastic. This yields better margins in the long run and quicker traction in the short run.

Your opportunity must satisfy a need, not a want. A need is something you can’t live without. Air, water, and food are the classic examples. A want is something you can live without, like fancy shoes or expensive cars.

As the price of wants goes up, demand for them peters out. Startups that satisfy needs will always have easier times attracting early adopters and generating revenue.

4. Is the market large and growing?

Today, the market for anti-hacker security is hot. The market for thoroughbred horseshoes is not. Why focus on a small win? You’re investing your blood, sweat, and tears. Make sure the win is worth it.

By the way, the risk is actually much greater when you focus on a niche. Since you have less pool to swim in, you have less chance to learn through iteration. Always focus on bringing your solution into a market that is large and growing. It’s OK to start with a niche, but there must be lots of room to grow.

5. Are you exponentially better?

If you’re entering an extant market, you’re automatically at a disadvantage with sunk costs and less brand recognition than your competitors. To overcome that, you must be ten times faster, cheaper, stronger, and lighter than every other company in your industry to get people to switch from incumbent products.

Netflix killed Blockbuster by offering ten times the quantity of content at one-tenth the cost. Your solution must be exponentially better than any alternatives.

6. Are you ready to go all in? 

Design thinking and the Lean Startup method allow you to start most businesses as a side hustle. Your long-term goal still needs to be full time, all the time, all in. No one has ever changed the world with half measures.

7. Do you have frictionless access to early adopters?

Early adopters are customers who have the problem you solve, and are currently trying to solve that problem with a radically less efficient method. Before spell-check software, we used third-party proofreaders, who were ten times more expensive and time-consuming.

To be successful, you need a clear and low cost to get early adopters and turn them into your beachhead. Make sure you’re able to get your product directly to customers.

The Simple Engineering That Will Keep NYC's L Train Rolling

Ever since the last of the brackish water slithered out of the Canarsie Tunnel in the aftermath of 2012’s Superstorm Sandy, New Yorkers have been bracing for the pain. Public transit officials have long warned that the water damage to the 94-year-old tunnel, full of just-as-old subway equipment, would eventually require a long, painful, deeply inconvenient rehabilitation. That’s the tunnel that runs under the East River, carrying many of the L subway train’s 400,000 daily riders from popular Brooklyn neighborhoods like Williamsburg and Bushwick into Manhattan.

The surgery was scheduled for April 2019, when the stretch of L train that takes New Yorkers across Manhattan and into Brooklyn was scheduled to shut down for a 15-month repair job. Ahead of what they officially deemed the “L-pocalypse,” local officials created piles of plans to ramp up bus service, encourage biking, and run new ferry routes, and everything else they could think of to keep all those commuters from taking to cars and making already bad traffic fully catastrophic.

Those plans (as well as wilder ones proposed by concerned citizens) became a lot less necessary Thursday morning, when Governor Andrew Cuomo called a surprise press conference to proclaim that no, the L train won’t close completely, and yes, it will still be fixed for the future.

The new plan for the next few years is to keep the train open and running as normal during weekdays, whilst doing repairs on nights and weekends (the details remain fuzzy). The board of the Metropolitan Transportation Authority, which runs the subway, has yet to adopt the new plan, which was proposed by a commission of half a dozen engineers based at Columbia and Cornell Universities that Cuomo assembled last month, two years after the decision was made to close the line. But the agency put out a press release Thursday afternoon saying it “accepted the recommendations.”

Curious politics are clearly at work here, but New Yorkers are unlikely to care, as long as the subway keeps running. And if it does, it’ll be thanks to two bits of subway engineering infrastructure: benchwalls and cable racking.

Let’s start with benchwalls. If the train stopped in the tunnel and you had to get out, these are the stretches of concrete, running along each wall and resembling big benches, that you’d be walking on. Facilitating emergency exits is one of their main functions—without them, you’d have to jump out of the train, onto the ground and risk hitting the third rail. Benchwalls also hold most of the goodies that make the subway work, including the power and communications cables. When workers were building the line, which started service in 1924, putting the cables in the concrete was the best way to protect them from things like hungry rats and water damage.

Over the past century, those benchwalls have started to deteriorate, a process accelerated by the flooding from Hurricane Sandy. Explaining its full shutdown plan in 2016, the MTA said the tunnel’s bench walls “must be replaced to protect the structural integrity of the two tubes [east and west] that carry trains through the tunnel.”

Replacing these things involves jackhammering away concrete, removing the rubble, replacing the cabling inside, setting new concrete, and having it dry. It’s work you can’t do overnight or on weekends, because any one section takes several days. And you can’t run trains without leaving a walkway to lead people to safety in an emergency.

The new plan involves giving those benchwalls a bit of a demotion. They’ll still be used for emergency egress, but they won’t hold the cables anymore. Instead, the L train will use a “cable racking” system, in which new power and comms lines will be strung up and attached to the sides of the tunnel, above the benchwalls. Turns out, their protective jacketing has advanced since the Prohibition Era. “We’ve had tremendous progress in materials,” says Peter Kinget, a Columbia electrical engineer who served on the panel. If the jacketing catches fire, it doesn’t produce noxious fumes. It’s impervious to vermin and water, obviating the need for the concrete armor. The workers will also shore up the sections of benchwall that are crumbling with fiber-reinforced polymer, Cuomo says, leaving the old, inactive cables entombed inside.

That decoupling of the benchwall’s duties is a big deal, because it makes the work much easier to execute. You can cut back service at night and on weekends (by running trains in just one of the tunnel’s twin tubes) and have workers slip underground, setting up the racks and new cables segment by segment. During normal hours, the train operates as it usually does, pulling power from the cables already in the benchwalls. Once the work is done, the MTA will switch the trains over to the new set of cords.

Cable racking has been used for new metro lines in London, Hong Kong, and the Saudi capital of Riyadh, Cuomo says. This would be its first use in the US, and the first time it’s been used to fix up an existing line.

“It’s a clever solution,” says Matt Cunningham, a civil engineer and global director of infrastructure for Canadian engineering firm IBI. It’s cheaper and easier than replacing all the cable-filled benchwalls, and it’s a proven method. “It’s going to work.”

Which brings up the unanswered question of why this idea is just surfacing now. Why not before the MTA decided on the full shutdown, then spent two years preparing for it? It makes Cuomo the politician who averted the traffic-spewing L-pocalypse, but it also makes one wonder why he didn’t come to the rescue earlier. (He’s been governor of New York since 2011.) In his press conference, he presented this as a new solution, which is true if you compare it to the techniques used to build the subway in the previous century, but not if you take a slightly narrower view. “It’s not new technology that’s only now become available,” Cunningham says.

Of course, limiting service during nights and weekends to make this fix will still inflict some suffering, and the MTA has a terrible record of mismanaging this sort of operation, so any promises about deadlines or costs should be doubted. “You’re not getting a root canal on five teeth, you’re getting a root canal on three teeth,” says Allan Rutter, of Texas A&M’s Transportation Institute. “There’s gonna be pain.”

In infrastructure as well as in dental surgery, you’ve got to accept some drilling and discomfort. But less is definitely more.
