Researchers disclose new zero-day Microsoft Exchange vulnerability – Protocol

Alan Dickson

While details are still emerging, security researchers say there’s good reason to expect that exploitation of the flaw in Exchange email servers could be substantial.
A troubling new vulnerability affecting Microsoft Exchange email servers has been disclosed by researchers, though details are still emerging on the severity and exploitability of the flaw.
The vulnerability, disclosed by researchers at cybersecurity vendor GTSC, could enable remote execution of commands on a compromised server, according to the company. It appears to be a “zero-day” vulnerability, which means it was not disclosed to the software vendor before spreading in the wild and before a patch could be created.
Trend Micro said Thursday that the vulnerability was submitted to Microsoft via its Zero Day Initiative program. Protocol has reached out to Microsoft for comment.
Researcher Kevin Beaumont, who was among the first to discuss GTSC’s findings in a series of tweets Thursday, said he is aware of the vulnerability being “actively exploited in the wild” and that he “can confirm significant numbers of Exchange servers have been backdoored.”
Remote code execution vulnerabilities are considered a serious security risk due to the potential for attackers to take full control of a compromised system. Log4Shell, a critical vulnerability that was discovered in the Apache Log4j logging software component in December 2021, fell into the category of a remote code execution flaw.

Travis Smith, vice president of malware threat research at cybersecurity vendor Qualys, told Protocol that he expects exploitation of the vulnerability to escalate in the next few days. Exchange servers must be connected directly to the internet, and are a key function for many businesses since email can’t be turned off without causing a major disruption, Smith noted. For those reasons, Exchange “is a juicy target for threat actors to exploit,” he said in an email.
On Thursday, the initial reaction among security researchers was that it wasn’t clear from GTSC’s original disclosure whether this was in fact a brand-new, zero-day vulnerability in Microsoft Exchange, or if it might just be a new version of a previously disclosed vulnerability known as “ProxyShell.” Beaumont noted in a blog post that a key portion of the exploit process detailed by the vendor “looks exactly like ProxyShell,” which was disclosed in 2021.
However, GTSC subsequently updated its blog post, making it clear that the vulnerability affected Exchange servers that had already been patched with the latest updates. As a result, “an exploitation using Proxyshell vulnerability was impossible,” the researchers said in the blog post update.
John Hammond, a well-known researcher at cybersecurity vendor Huntress, tweeted that the update makes clear that this “is in fact a new 0-day” remote code execution vulnerability.
Mike Parkin, a senior technical engineer at Vulcan Cyber, told Protocol that he had reached the same conclusion.
The fact that the compromised system was up to date before it was breached “indicates the attack leveraged a new vulnerability, not the one that was previously known,” Parkin said in an email. Still, GTSC “hasn’t released many details, so we are having to extrapolate from what they have said,” he said.
This story was updated to correct the description of ProxyShell.

Kyle Alspach (@KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at
The gas-powered vehicle ban dominoes have begun to fall.
New York Gov. Kathy Hochul announced on Thursday that the state will follow California’s lead in banning the sale of new gas- or diesel-powered cars beginning in 2035. Like the Golden State, New York has also set interim targets: 35% of new cars sold must be zero-emissions by 2026, and 68% by 2030.
The plan is still not quite finalized, though. Hochul directed the state’s Department of Environmental Conservation to implement the new rules, and it will still have to hold a public hearing and open comment period before finalizing them.
This comes just a month after California threw down the gauntlet and restricted future internal combustion vehicle sales. Given that more than a dozen states — including New York — have adopted California’s previous tailpipe standards, it was likely at least some of those states would follow the Golden State’s lead on zero-emissions vehicle sales. New York is the first state to do so, though others such as Massachusetts, Washington, and Virginia are likely to follow suit in the near future.

“We had to wait for California to take a step because there’s some federal requirements that California had to go first — that’s the only time we’re letting them go first,” Hochul said at a press conference, in reference to a Clean Air Act provision that allows California alone to set its own vehicle emissions standards. A policy quirk allows other states to adopt those standards, but not to lead the way.
In addition to the gas-powered car sales ban, Hochul also announced that the state will invest $10 million in its existing Drive Clean Rebate program to encourage New Yorkers to purchase EVs. The program offers a point-of-sale rebate of up to $2,000 off a car’s sticker price, and can be combined with federal rebates like the $7,500 tax credit on new EVs. In its five years of existence, the program has handed out $92 million in rebates statewide, according to a press release. The state is also making $5.75 million available to local governments to transition their fleets to zero-emission vehicles and install public EV chargers and hydrogen fueling stations.
New York, along with 49 other states plus Puerto Rico and Washington, D.C., also had its EV charging plan approved by the Biden administration. That will unlock some of the $175 million in funding for EV charging set aside for the state as part of the bipartisan infrastructure law. Building out charging infrastructure could help make it that much easier for the state to meet its zero-emissions vehicle sales mandate.
Tech industry groups are once again pleading with the Supreme Court to block HB 20, Texas’ on-again, off-again social media law, which a 5th Circuit court recently allowed to take effect.
In an unopposed motion filed Thursday, the plaintiffs in the ongoing legal battle, NetChoice and the Computer & Communications Industry Association, asked the court to “preserve the status quo” until the Supreme Court has a chance to review the issues raised in the case. The Texas law aims to prohibit online platforms from moderating content on the basis of viewpoint, a limitation that tech companies argue infringes on their First Amendment rights and conflicts with broad authority they have under Section 230 to moderate content.
This is not the first time NetChoice and CCIA have gone running to the Supreme Court. Earlier this year, the 5th Circuit lifted an injunction on the same law, though its decision on the underlying case between tech groups and the state of Texas was still pending at the time. The tech groups argued that the 5th Circuit’s actions would wreak havoc on companies operating in Texas and pushed for the Supreme Court to add the case to its shadow docket and re-institute the block on the law. Weeks later, the Supreme Court obliged, with a majority voting in NetChoice and CCIA’s favor.

But the 5th Circuit decision earlier this month put the law back in play. Now, tech groups are hoping their luck with the Supreme Court will strike twice.
In their motion, NetChoice and CCIA noted that even the three conservative justices who voted to keep the law in effect in May said that HB 20 “concerns issues of great importance that will plainly merit the [Supreme] Court’s review.” The plaintiffs are asking the court to block the law from being implemented until the justices have had a chance to conduct that review.
That chance may come sooner rather than later: While the 5th Circuit gave the Texas social media law a green light, the 11th Circuit blocked a similar law in Florida earlier this year. That circuit split has created a rare opportunity for the Supreme Court to decide on issues related to online speech and the First Amendment rights of private platforms once and for all. Earlier this month, Florida filed a petition with the court asking it to take up its case surrounding SB 7072, a law that would limit tech platforms’ ability to moderate certain political speech. Now, both sides of the debate are awaiting an answer as to whether they’ll have a chance to fight it out in the highest court.
Until the Supreme Court provides that answer, though, NetChoice and CCIA are arguing that the court shouldn’t allow a disruptive — if not outright disastrous — law for so many businesses to go into effect. “If Supreme Court review was ‘plainly merit[ed]’ even before this circuit split,” the motion reads, “it certainly is now.”
Sometimes a major “hack” isn’t really a hack at all, such as with some breaches caused by the mishandling of APIs.
The latest such breach attributed to negligence with APIs, or application programming interfaces that are used for exchanging data across applications, is the massive theft of customer data from Australian telecom Optus.
First disclosed by Optus on Sept. 22, the data exposed in the breach of 9.8 million customer records includes driver’s licenses, passports, and Medicare ID numbers, in addition to names, phone numbers, and email addresses.
Optus has attempted to characterize the cyberattack as “sophisticated,” but according to Australian Minister for Cybersecurity Clare O’Neil, it was actually just a “basic” attack. Optus “effectively left the window open” for customer data to be stolen, she said.
The incident reportedly started with the attacker accessing an API server that was not protected with any type of authentication. In other words, the attacker didn’t even have to log in. Anyone from the internet could have theoretically done the same thing, said Filip Verloy, technical evangelist at Noname Security, a vendor that offers API security products.

“This should be a wake-up call for a lot of organizations about how easy it was to get this data,” said Nick Rago, field CTO at another API security vendor, Salt Security.
The use of APIs has grown widely as companies of all sorts have morphed into software providers, with API services enabling much of the key functionality for modern apps and websites.
Optus executives have not denied that an API was leveraged by the attacker to steal the customer records, according to reports. Protocol has reached out to the company for comment.
Based on the information that has come out so far, it appears that the API in question was actually “doing exactly what it was meant to do” when it called up the Optus customer records, Rago said. That means the API wasn’t “hacked” in any sense of the word, but was just used for an unintended purpose, he said — what’s sometimes referred to as an “API abuse” attack.
It’s likely that Optus just didn’t know about the existence or functionality of this particular API, according to Rago. It would appear there was a “lack of visibility and a lack of governance, in terms of not knowing this API existed in the first place and why it was exposed in this manner,” he said.
In general, it’s recommended that businesses take a “layered security” approach to protecting APIs, using a firewall or API security product, identity authentication, authorization for governing access to data, and encryption for sensitive personal data, said Yotam Segev, co-founder and CEO of data security vendor Cyera. “It appears that Optus failed on every front,” Segev said.
By way of analogy, even if the front door of your house was left open or broken into, you could still have a locker inside of your house to protect your sensitive documents, said Anshu Sharma, co-founder and CEO of data privacy technology vendor Skyflow. “Even if the bad guys get in, they won’t get your [sensitive] data,” he said. But it appears that Optus did not have this type of capability, either.
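The layers described above, sketched for a customer-record lookup as an added example that is not Optus's or any vendor's code: the unauthenticated handler beside one that checks authentication, then authorization, and returns identity fields only as vault tokens. Record contents, IDs, role names and the token format are constructed; the network firewall layer is not modelled, and tokenization stands in for field-level encryption.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # assumption: server-side secret for session tokens

# Constructed records for the weak handler: identity data stored and returned in the clear.
LEGACY_CUSTOMERS = {
    "c-1001": {"name": "Sample Person A", "passport": "PA0000001"},
    "c-1002": {"name": "Sample Person B", "passport": "PB0000002"},
}


class Vault:
    """The 'locker inside the house': identity values live here, records hold opaque tokens."""

    def __init__(self):
        self._store = {}

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = value
        return token

    def detokenize(self, token, claims):
        # Reading the real value needs a narrower privilege than reading the record.
        if not claims or claims.get("role") != "identity-verifier":
            raise PermissionError("caller may not read vaulted identity data")
        return self._store[token]


VAULT = Vault()
CUSTOMERS = {
    cid: {"name": rec["name"], "passport": VAULT.tokenize(rec["passport"])}
    for cid, rec in LEGACY_CUSTOMERS.items()
}


def issue_token(subject, role, ttl=300):
    """Hypothetical session token: base64 JSON claims plus an HMAC-SHA256 signature."""
    body = json.dumps({"sub": subject, "role": role, "exp": time.time() + ttl})
    payload = base64.urlsafe_b64encode(body.encode()).decode()
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_token(token):
    """Return the claims for a valid, unexpired token, otherwise None."""
    try:
        payload, sig = token.split(".")
    except (AttributeError, ValueError):
        return None  # missing or malformed token
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims if claims["exp"] > time.time() else None


def get_customer_unprotected(customer_id):
    """The pattern described in the article: no login, full record returned."""
    record = LEGACY_CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def get_customer_layered(token, customer_id):
    claims = verify_token(token)  # layer: authentication
    if claims is None:
        return 401, None
    # Layer: authorization. Checked before the lookup so a customer asking for
    # someone else's ID gets 403 whether or not that ID exists.
    if claims["role"] != "support" and claims["sub"] != customer_id:
        return 403, None
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, None
    return 200, dict(record)  # layer: identity fields are vault tokens, not values


if __name__ == "__main__":
    print("no auth:   ", get_customer_unprotected("c-1002"))
    tok = issue_token("c-1001", "customer")
    print("own record:", get_customer_layered(tok, "c-1001"))
    print("other id:  ", get_customer_layered(tok, "c-1002"))
    print("no token:  ", get_customer_layered(None, "c-1001"))
```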

The neobank MoneyLion charged service members excessive fees for loans and often refused to cancel paid memberships, according to a lawsuit filed Thursday by the Consumer Financial Protection Bureau.
The CFPB is accusing MoneyLion of violating the Military Lending Act by charging above a 36% rate cap on loans to service members and their families, through a combination of interest rates and monthly membership fees.
“MoneyLion targeted military families by illegally extracting fees and making it difficult to cancel monthly subscriptions,” CFPB Director Rohit Chopra said in a statement announcing the lawsuit. “Companies are breaking the law when they require monthly membership fees to obtain loans and then create barriers to canceling those memberships.”
MoneyLion went public last year through a SPAC deal and is worth about $227 million after its shares fell almost 18% today. Ahead of its public debut, the company’s leadership disclosed that it had received investigative demands from the CFPB related to its membership model.

The company did not immediately respond to a request for comment Thursday.
The lawsuit cites a pair of personal loan products, including one focused on credit building, that require a membership for access, with recurring fees between $19.99 and $29 each month.
The CFPB said that MoneyLion refused customers’ requests to cancel memberships if they had outstanding loan balances. The company also refused to cancel memberships even after the loan was paid off if the customer still owed previous membership fees, according to the agency.
Through the lawsuit, the CFPB is seeking monetary relief for customers, an “end to MoneyLion’s unlawful practices,” and a civil money penalty.
The lawsuit is the fourth enforcement action the CFPB has taken related to the Military Lending Act in the past two years, the agency said.
Google is shutting down its Stadia cloud gaming service, nearly three years after its launch and roughly 18 months since the company shut down its internal game development division.
In a blog post, Stadia chief Phil Harrison said the platform “hasn’t gained the traction with users that we expected so we’ve made the difficult decision to begin winding down our Stadia streaming service.”
Harrison wrote that the company intends to refund all Stadia purchases, including hardware purchases of Stadia controller and Chromecast bundles through the Google Store and all software through the Stadia store, and plans to do so by January. After January 18, 2023, the service will become unavailable, the blog post reads. Harrison noted that this isn’t the end of the road for Google’s gaming ambitions, and the company intends to apply the technology learnings elsewhere.
“The underlying technology platform that powers Stadia has been proven at scale and transcends gaming. We see clear opportunities to apply this technology across other parts of Google like YouTube, Google Play, and our Augmented Reality (AR) efforts — as well as make it available to our industry partners, which aligns with where we see the future of gaming headed,” he wrote. “We remain deeply committed to gaming, and we will continue to invest in new tools, technologies and platforms that power the success of developers, industry partners, cloud customers and creators.”

Amazon announced pay raises and the rollout of new benefit programs to warehouse employees Wednesday. But one of those products may pose increased risks to the company’s most precarious workers: the expanded rollout of Amazon’s Anytime Pay Program.
The program, first announced in October 2020, allows employees to access a portion of their checks in advance of a regular pay date. Such products are typically referred to as “earned-wage access” and position themselves as a lower-fee and thus less predatory alternative to payday loans. Amazon is using Wisely, a product offered by payroll company ADP, for the service.
Employees load their wages in advance onto a Visa debit card and are then able to use that card wherever Visa cards are accepted, or can withdraw cash at some ATMs. When Amazon first rolled out the program to some workers, those workers could obtain up to 50% of their paycheck in advance. Now, more workers have access to the program, and can cash out on 70% of their paycheck in advance by transferring funds to their Wisely Pay Visa card.

The benefits for low-wage workers are obvious: Having access to wages in advance of payday can be helpful in handling unexpected expenses, particularly when an employee lives paycheck to paycheck. And, as has been well-covered, most Amazon warehouse workers don’t make enough money to have ample emergency savings, despite the company’s campaigning about a livable minimum wage and Wednesday’s pay increase.
But earned-wage access products also carry risks for consumers. The products are not currently regulated as loans, due to a Trump-era CFPB advisory opinion that carved out a special exemption for earned-wage access should providers fit certain criteria, like not charging fees. Wisely claims to offer earned-wage access “at no cost,” so it fits these requirements and hence is exempt from regulatory disclosures required of credit cards or payday loans.
However, the fine print of Wisely’s terms and conditions says there are some fees associated with the card: They just aren’t mandatory charges. The company charges $5.95 should customers want to load an additional $20 to $500 out of their own checking account onto the cards, for example, and says that fees may be charged at certain ATMs where the card is used. It then says that users should log in to their account to see a list of other applicable fees.
Consumer groups asked the CFPB to review its oversight of these types of products last fall, because they fear fees could harm consumers who aren’t expecting them. The CFPB also revoked a special regulatory exemption for Payactiv to experiment with earned-wage access products, signaling the agency will soon tighten regulations on these types of products.
ADP’s partner bank, Fifth Third Bank, has run into trouble with the CFPB before. The bureau sued Fifth Third in 2020 for automatically enrolling customers in products they did not consent to and opening unauthorized accounts. According to a press release, this was implicitly encouraged because employees of the bank were subject to ambitious sales goals.

Amazon, ADP, and Fifth Third Bank did not respond to requests for comment.
More pay transparency is coming to California. The Golden State is joining New York City, Colorado, and Washington in requiring employers to disclose pay ranges in job ads.
Gov. Gavin Newsom signed Senate Bill 1162 into law on Tuesday, according to statements from the California Legislative Women’s Caucus and the TechEquity Collaborative.
Under the law, employers with 15 or more workers will be required to include pay ranges in job postings, and those with 100 or more employees or contractors will have to report median and mean hourly pay rates by job category and “each combination of race, ethnicity, and sex.”
“This is a big moment for California workers, especially women and people of color who have long been impacted by systemic inequities that have left them earning far less than their colleagues,” said state Sen. Monique Limón (D-Santa Barbara) in a statement. Limón introduced the bill in February.
The TechEquity Collaborative’s chief programs officer, Samantha Gordon, praised the law in a statement as “an important step in equalizing the playing field for the 1.9 million contractors, temps, vendors, and contingent workers” in California.

The bill received pushback from the California Chamber of Commerce and the Society for Human Resources Management. The chamber called the bill a “job killer” because the pay reports were going to be published online, but that provision was later removed from the bill, SHRM noted earlier this month.
“You are grouping together workers in very broad categories, as broad as ‘professionals,’” CalChamber policy advocate Ashley Hoffman said in a chamber podcast. “If you think of a hospital, that would encompass nurses, but it would also encompass someone who just graduated college and starting in your HR department. It’s truly a broad category.”
According to Forbes, SHRM argued that pay transparency would increase compression between newer and more experienced employees and could deter candidates from applying before learning about other fringe benefits.
SB 1162 doesn’t make clear how the law applies to companies that employ workers remotely.
Cost-cutting in tech is officially hitting the industry’s titans. After years of ruthless staffing up, both Meta and Google have told some employees to find new jobs within the company or leave, according to a report in The Wall Street Journal.
These actions at Meta, via departmental reorganizations, have affected a “significant number” of employees. Cuts aren’t unexpected, a Meta spokesperson pointed out: Mark Zuckerberg told investors on the company’s July earnings call that he planned to “steadily reduce head count” over the coming year, and that “many teams are going to shrink so we can shift energy to other areas.”
The changes reported out of Google have apparently hit around half of the employees of the company’s 100-plus-employee startup incubator, Area 120, where a number of projects have been canceled. Google didn’t immediately return Protocol’s request for comment, but Sundar Pichai has spoken publicly about plans to cut costs, slow hiring, and make the company 20% more productive. On Friday, he reportedly told employees at an all-hands meeting that announcing job cuts to the whole company was “not a scalable way to do it,” but that he would “try and notify the company of the more important updates,” CNBC reported.

To find out what this all means for Big Tech and the rest of the industry, I spoke with Colleen McCreary, Nolan Church, and Steve Cadigan — three people-leaders who have led HR at companies like Credit Karma, DoorDash, Carta, and LinkedIn.
Moves like these are common in Big Tech. Giving employees 60 days to find another role is a “pretty normal big-company proposition,” said McCreary, the chief people, places, and publicity officer at Credit Karma. “Projects get spun up, projects get wound down.”
Big Tech has plenty of reasons to keep job cuts quiet.
For at least eight years, big tech companies have been hoarding talent — both from startups and from each other — as a competitive strategy, said Church.
One thing we know: More performance management is coming. McCreary said she gets a call from a CEO or head of HR “once a week” on how to do a layoff — but she’s also “hearing a lot more about, ‘How do you do performance management?’”
Calendly, the $3 billion scheduling startup that everyone likes to periodically fight about, has made its first acquisition: Prelude, a startup specializing in the hiring process. Prelude is specifically geared toward scheduling job interviews or other types of recruitment-related meetings.
“What makes this acquisition especially exciting is that it accelerates our vision to holistically solve external scheduling challenges for individuals and teams in companies of all sizes, from SMB to enterprise,” CEO Tope Awotona wrote in a blog post announcing the acquisition.
Calendly has been focused on companies, not just individual users, for the past few years now. It released a group meeting feature to help teams schedule across time zones back in December 2021. The Prelude acquisition shows Calendly’s interest in the HR software space and hints at its desire to build out other specific use cases. Awotona told TechCrunch that this is unlikely to be its last acquisition or its only dive into catering to specific industries.

Celsius Network CEO Alex Mashinsky resigned from the embattled cryptocurrency lender Tuesday morning. The lender is in the middle of bankruptcy proceedings after pausing withdrawals in June.
“I regret that my continued role as CEO has become an increasing distraction, and I am very sorry about the difficult financial circumstances members of our community are facing,” the resignation letter reads.
In a press release, Mashinsky added that he “will continue to maintain [his] focus on working to help the community unite behind a plan that will provide the best outcome for all creditors.”
Celsius said it had named CFO Chris Ferraro its chief restructuring officer and interim CEO Tuesday. Ferraro joined the company in March and became CFO in July, according to his LinkedIn profile. He previously spent 18 years in various roles at JPMorgan Chase.
Celsius became emblematic of the crypto liquidity crisis earlier this summer, leading it to pause all transactions in June. A rogue employee had also leaked thousands of users’ email addresses, adding to suspicions about the company’s stability. Another lender, Voyager, also filed for bankruptcy amid market turmoil in the same period after hedge fund Three Arrows Capital defaulted on a loan.

Several leaked reports in recent weeks showed that Celsius was plotting risky actions to save the company with Mashinsky at the helm. A leaked call showed that, rather than returning customers’ assets, the company considered selling customers a new token representing their debt as a form of IOU. The call also revealed that employee assets would be returned on the same timeline as customers’. A customer leaked the audio, saying it was sent to her by an unnamed Celsius employee.
In the leaked call, CTO Guillermo Bodnar also said the company was creating a transaction management system. The company had been using an Excel spreadsheet before to track assets.
Meanwhile, the CEL token faced a short squeeze, largely organized by supporters on Twitter. The currency jumped 300% from its price after the transaction pause, despite reports suggesting that the lender was likely insolvent. Cryptic messages from Mashinsky and his wife Krissy — including a picture of Krissy Mashinsky wearing short-shorts — were interpreted by some as support for the squeeze.
Update: This story has been updated to include Celsius’s comment about Chris Ferraro’s appointment as interim CEO.
Brett Harrison announced on Twitter Tuesday morning that he would be stepping down from his role as president of FTX US and moving to an advisory role. He said he will continue working in the industry.
Harrison assumed the role with FTX just 16 months ago. Previously, he worked as an operations manager of multiple technology groups at Citadel Securities and as a developer at Headlands Technology. Harrison and FTX CEO Sam Bankman-Fried overlapped at Jane Street between 2014 and 2017, when Harrison led systems trading technology and Bankman-Fried was a cryptocurrency trader. FTX has not responded to requests for comment as to why he is leaving the firm, though Bankman-Fried told Bloomberg the announcement would not have been made so publicly if FTX hadn’t known in advance.
During his tenure at FTX, Harrison saw the trading platform grow from three to over 100 employees, build a U.S. brokerage, and acquire multiple other crypto firms including LedgerX and Embed. “I don’t doubt my experiences in this role will be among the most cherished of my career,” he said in a tweet.

The departure may be part of a broader theme of executive churn in crypto exchanges’ U.S. affiliates. Binance, the world’s largest exchange by trading volume, has also suffered management churn with its U.S. affiliate, Binance.US.
In order to shield the exchanges from scrutiny in other countries and to ensure regulatory compliance with U.S. law, both exchanges have created separate American affiliates responsible for domestic licensing, data storage, and currency trading. International scrutiny of both platforms has accelerated in the past two years, putting considerable pressure on executives who must defend the companies’ practices in the U.S. and convince lawmakers there is no risk of influence or control from foreign operators. However, Bankman-Fried himself has typically represented FTX before Congress — while Binance CEO Changpeng Zhao has not, instead leaving U.S. executives to manage D.C. relationships.
Several other crypto firms have seen high-profile departures recently amid the industry’s “crypto winter.” Celsius CEO Alex Mashinsky also resigned Tuesday in the middle of that company’s bankruptcy proceedings, and Kraken CEO Jesse Powell stepped down last week.
Harrison said he will continue working in the cryptocurrency industry after his departure. The industry is “at a crossroads,” he said, voicing his concern about large companies entering the market. His goal, according to the Twitter thread, will be “removing technological barriers to full participation in and maturation of global crypto markets, both centralized and decentralized.”
Russia set up a sprawling and sophisticated network of websites impersonating mainstream media outlets, which it used to spread anti-Ukrainian messaging that was amplified via fake social media accounts, Meta has found. In a new report published Tuesday, Meta called it Russia’s “largest and most complex” influence operation since the war in Ukraine began.
According to the report, between June and September, Russian agents set up more than 60 websites that spoofed actual news sites, including those of The Guardian and German publishers Der Spiegel and Bild. (Disclosure: Bild and Protocol are both owned by Axel Springer.) The sites, which primarily targeted users in Germany, France, Italy, Ukraine, and the U.K., were meticulous imitations of the real thing, borrowing not just the format and design of the actual news sites, but in some cases also the photos and bylines of real reporters.
The Russian actors used these sites and fake online petitions to push false narratives — including that Ukraine had staged the murder of civilians in Bucha — and then promoted their work on Facebook, Instagram, YouTube, Telegram, Twitter,, Avaaz, “and even LiveJournal,” the report reads. All told, Facebook and Instagram removed nearly 2,000 accounts, more than 700 pages, and one group, and detected some $105,000 in advertising. As Facebook and Instagram worked to shut the network down, more websites continued popping up.

“This suggests a persistence and a continued investment in the cross-internet activity,” David Agranovich, Meta’s director of global threat disruption, said on a call with reporters. In some cases, the posts were boosted by official Russian diplomatic pages.
But while the network of websites was developed with care, the fake accounts were more of a “smash-and-grab,” the report said. Many of them were detected by the company’s automated systems, before Meta even began its investigation. “It presents as a really unusual combination of sophistication and brute force,” Agranovich said.
In addition to the Russian network, Meta also detected a Chinese influence operation targeting the U.S. and Czechia. While less expansive than the Russian network, the Chinese operation was noteworthy, Meta executives said, for the way it tried to stake out both sides of contentious topics, like gun rights and abortion access. “While it failed, it’s important, because it’s a new direction for Chinese influence operations,” said Ben Nimmo, Meta’s global information operations threat intelligence lead.
Meta has shared its findings with other companies that were targeted by these information networks, as well as with governments and law enforcement. The company is also making the list of fake domains public “to enable further research,” Agranovich said.
Meta’s report comes one day after Google researchers said pro-Russian hackers are coordinating with the Russian military to carry out cyberattacks in connection with the war in Ukraine. “We have never previously observed such a volume of cyberattacks, variety of threat actors, and coordination of effort within the same several months,” the Google report read, according to The Wall Street Journal.
In some ways, the Russian playbook now mirrors the one it used in the run-up to the 2016 election, when Russia’s Internet Research Agency created phony news sites that focused on race relations and other heated topics in the U.S., then pushed them on U.S. social media. But the intricate impersonations of actual news sites demonstrate a new level of investment by the Russians.

And yet, Agranovich said one encouraging sign was the relative lack of traction Russia’s information operation got on Facebook and Instagram this time. “They were kind of throwing everything at the wall and not a lot of it’s sticking,” he said. But he cautioned, “That doesn’t mean we can say mission accomplished.”
Eight states, led by California and New York, have taken legal action against Nexo highlighting growing concerns about companies that offer unregistered crypto lending products.
The states are accusing Nexo of allowing consumers to deposit crypto assets in exchange for interest as high as 36% without registering its products as securities and providing material information to customers.

The “aggressive enforcement efforts against unregistered interest-bearing cryptocurrency accounts” are aimed at enforcing “investor protections under the law, including adequate disclosure of the risk involved,” Clothilde Hewlett, commissioner of the California Department of Financial Protection and Innovation, said in a statement.
More than 18,000 California residents have signed up for Nexo’s Earn Interest Product accounts, which collectively hold total investments of at least $174 million, according to the California “desist and refrain order.”
The California legal move comes shortly after the crypto industry won a significant victory in the state when Gov. Gavin Newsom vetoed a bill that would have required crypto companies to get a state license. The proposal passed overwhelmingly in the California Assembly and Senate.

The New York attorney general’s office said Nexo “failed to register and misrepresented to investors that they are a licensed and registered platform.”
“Cryptocurrency platforms are not exceptional; they must register to operate just like other investment platforms,” Attorney General Letitia James said in a statement. “Nexo violated the law and investors’ trust by falsely claiming that it is a licensed and registered platform.”
Nexo also faces legal challenges in Washington, Maryland, South Carolina, Oklahoma, Vermont, and Kentucky, according to a California DFPI representative.
Nexo said in a statement that the company has been “working with U.S. federal and state regulators and understand their urge, given the current market turmoil and bankruptcies of companies offering similar products, to fulfill their mandates of investor protection by examining past behavior of providers of earn interest products.”
“Nexo has always been dedicated to running a sustainable and compliant business and welcomed, even proactively sought, regulatory clarity,” the company said, adding that it has “voluntarily ceased” signing up new U.S. clients for the Earn Interest Product.
Nexo described itself as “a very different provider” of such products, noting that “it did not engage in uncollateralized loans, had no exposure to luna/UST, did not have to be bailed out or needed to resort to any withdrawal restrictions.”
Put a few key words into a tool like Midjourney, Stable Diffusion, or DALL-E and it’s easy to see why the whimsical (and often wacky) images have captured investors’ imagination. An AI-generated artwork even recently won an art competition at the Colorado State Fair, a result that didn’t go over well among more traditional artists. It’s become disruptive enough that this week Getty announced a ban of AI-generated images on its platform, following similar moves by some online art communities.
What looks like an interesting art tool has become a prime feeding ground for investors. Investor interest has been nearly overwhelming for Poly’s Abhay Agarwal, who is building a “DALL-E for design assets” company. “It has literally been like dropping yourself into the Ganga River and fully being bathed in it,” Agarwal said of the interest. He’s already had over 80 meetings with VCs and is only halfway done following YC’s Demo Day.

The hype wave is similar to GPT-3, a generative AI text tool with an API that businesses can build off of. The problem is that investors can easily fall into the trap of thinking the two generative models are the same.
Just because it’s magical doesn’t mean it can magic away its shortcomings. As Charlie Warzel pointed out in a smart piece, “What feels like magic is actually incredibly complicated and ethically fraught.”
Creating a future for generative AI startups won’t be as easy as painting a picture of the opportunity. Founders and investors will have to both take responsibility for understanding the shortcomings of generative AI and solving them. It takes more than “hustling and flipping when you see a quick opportunity to leverage an open-source technology,” said Agarwal. Instead, he argued technologists need to become stewards of the technology and build it for whatever business application is needed. For Poly, that means creating and training its models around textures and design elements so that it can responsibly tailor the model in a way that allows it to build a business. “I don’t believe that once a model was released into the open-source public that somehow that means that everybody can jump on that and start using it for whatever use case,” Agarwal said.
A version of this story appeared in Protocol’s Pipeline newsletter. Sign up here to get it in your inbox every Saturday.
We know there’s no such thing as a free lunch. Still, the idea that many corporate benefits aren’t always a benefit recently touched a nerve on Twitter.
“Been thinking about anti-perks in tech jobs. What perks *sound* good but are a hard no from you?”
The tweet came from Jessica Rose, a developer relations advocate, founder of a meetup series for programmers and aspiring programmers and co-founder of Trans*Code, a hacker org devoted to drawing attention to transgender issues and opportunities.
Rose’s “hard no” was to those so-called benefits that have been around since time immemorial (or at least since the dot-com era). “Don’t give me food or hammocks or video games, just let me work remotely or go home on time,” said Rose.
‘Don’t touch me’
The tweet thread was full of varied responses, but the paradox of unlimited vacation was the clear favorite. “Wow, people are just so suspicious about unlimited paid time off,” Rose told Protocol when we caught up with her to ask about the tweet.

Other workers balked at in-office massages (“don’t touch me”), free booze, open-plan offices (did anyone in the history of the world ever call this a benefit?), fitness rooms, nap rooms, escape rooms (really any rooms), and something called “blameless retrospectives.” Um, what?
If employees are going to be suspicious of whatever perks you offer, why offer any perks at all?
“So I’m aware of how wonderfully spoiled it is to complain about perks being given out in some kinds of tech workplaces,” said Rose. “I’m the most unimpressed by ‘perks’ which either directly undermine employment rights (like unlimited paid time off can do in some regions) or are intended to throw work/life balance out of kilter in the workplace’s favor.”
Unlimited or flexible vacation time can work, but it helps when the culture is one where people are encouraged to take time off, and experts agree that mandatory minimums go a long way in helping create that kind of culture.
Your best interests or mine? Why can’t it be both? ¯_(ツ)_/¯
A director of engineering at Google who formerly worked at Microsoft and Zillow called employer-sponsored coaching an anti-perk. “I’ll spring for a coach who is looking out for my best interests, not the company’s, thanks,” she said, adding, “I know I am lucky to be offered this, but it always feels like a trap.”
There’s good reason to be at least a little wary of these programs. Last year Protocol reported that when tech companies work with coaching programs like BetterUp and Bravely the conversations themselves are confidential, but the company often receives aggregated reports on the issues workers are expressing in general, the topics they’re discussing, what’s going well for them at work, and what’s not.
When Protocol spoke to Twilio’s VP of talent management Andrew Wilhelms about the company’s coaching partnership, Wilhelms explained that BetterUp provides a set of Twilio-specific priorities to coaches and Twilio can update those priorities and goals based on what kind of culture change the company needs to see.

This might feel overly controlling, or it might be a great way to help change a company’s culture for the better, especially if a majority of employees are feeling stressed and burned out and are more likely to tell this to a coach than their manager. Twilio told Protocol that 99% of the employees who used the coaching service last year said the sessions were a valuable use of their time, and that 94% said the sessions made them more effective at their job.
“Thoughtful, meaningful perks can benefit both employers and team members, by helping keep their team members happy and hopefully keep them in their role for longer,” Rose said.
Free SunChips < values-based work culture
Research shows that today’s employees don’t want snacks as much as they want work that aligns with their values, and that extends to benefits.
What your ‘perks’ say about your corporate culture
Some “anti-perks” are just common decency and respect, such as believing your employees are telling the truth when they call in sick. In response to Rose’s prompt, one senior system admin pointed out a job listing that offers an “honor-based sick leave policy” in addition to its “commitment to an open, inclusive and diverse work culture.”
And think twice about listing your game room in your job description, tweeted a product designer from Miro:
“When they advertise a ping-pong table in the job listing, it’s a huge 🚩 for me. And I love ping-pong. If a silly perk like this [is] such a relevant part of your benefits package, that says a lot about what the company values, and likely its culture.”
A version of this story appeared in Protocol’s Workplace newsletter. Sign up here to get it in your inbox three times a week.
To protect against cybersecurity vulnerabilities and exploitation of Americans’ data, President Joe Biden signed an executive order on Sept. 15 directing the Committee on Foreign Investment in the United States, or CFIUS (pronounced “sif-ee-us” by foreign investment watchers), to consider scrutinizing foreign investments through the lens of national security risks.
“Everybody recognizes the need to protect U.S. national security. But as Congress and the administration consider new tools, like an outbound investment review regime, it is critical that they get real input from the business community and be precise in what they’re trying to cover,” Rory Murphy, vice president of Government Affairs at the US-China Business Council, told Protocol yesterday.
The oft-stated mission of ensuring U.S. leadership in emerging tech is at the heart of this potential shift. During a press briefing, a senior administration official listed a “handful of priority emerging and critical technologies, like semiconductors, quantum technologies, biotechnology, and artificial intelligence, as well as supply chain considerations” as areas where investment reviews could happen.

The elephant in the room here is China, a country “of special concern” that has tech strategies that many in U.S. government believe threaten U.S. leadership in areas related to national security.
But because AI is intertwined with all industries and the technologies they use, AI deals could be subject to excessive review if a CFIUS rule is written too broadly. “How AI is defined will be important in determining what types of transactions are covered,” Murphy said.
A version of this story appeared in Friday’s Enterprise newsletter. Sign up here to get it in your inbox each morning.
This year is on track to be a record for global electric vehicle adoption. EVs are expected to make up 13% of light duty vehicle sales, and the world is on track to hit a 2030 milepost en route to net zero by mid-century. Yet the road ahead is far from smooth in other industries.
In 2021, EV sales doubled and made up 9% of the car market by the year’s end. This year’s surge is due to more being sold in European and Chinese markets, according to the new installment of the International Energy Agency’s Tracking Clean Energy Progress report released this week. However, the report notes that “electric vehicles are not yet a global phenomenon” and sales in the Global South have lagged due to both high sticker prices and a charging infrastructure deficit. (Exported gas-powered cars are also keeping many emerging countries stuck on fossil fuels.)

The IEA’s scenario for reaching net zero by 2050 sets out a milestone of EVs making up 60% of new car sales by 2030, with more than 300 million EVs on the road by that point. To reach that goal, EVs as a share of new car sales will have to increase by roughly 6% annually for the rest of the decade, which the IEA finds is doable.

Yet the report found that progress is insufficient in 53 of the 55 elements of the energy system. (Outside EV adoption, only lighting is on track.) Of those, 30 received an assessment of “more efforts needed,” and 23 are “not on track.” Take energy efficiency, for example. The report found the rate of improvement in energy intensity — which it dubs the “single largest measure to avoid energy demand” in the IEA net zero scenario — needs to at least double by 2030.
Despite the lack of progress, there are reasons to think the sectors lagging behind EV adoption and lighting are in for a boost. The report flags the Inflation Reduction Act and the European Union’s RePowerEU plan as promising policy developments that should add momentum to the energy transition. And new clean infrastructure and technologies are on the horizon, suggesting that progress for even hard-to-decarbonize areas like heavy industry is likely to accelerate.
That includes the growing interest and financing for green hydrogen as well as a particularly promising 2021 green steel pilot project. The IEA also noted that 2022 is likely to see a new record for renewable electricity capacity added to the grid, with roughly 340 gigawatts coming online.
“This reaffirms my belief that today’s global energy crisis can be a turning point towards a cleaner, more affordable, and more secure energy system,” said IEA executive director Fatih Birol about the report’s findings. “But this new IEA analysis shows the need for greater and sustained efforts across a range of technologies and sectors to ensure the world can meet its energy and climate goals.”
The popularity of VAs has grown dramatically over the past couple of years. And we’re not talking about virtual assistant tech; we’re talking about real people.
Who needs a virtual assistant the most? Laith Masarweh, who founded and runs the virtual assistant company Assistantly, told me that people just getting their businesses off the ground — those he called “solo-preneurs” — need one most often.
And what can they do for you? Masarweh broke down the responsibilities for virtual assistants into about five different categories: administrative operations, sales, marketing, social media, and more “niche” areas of expertise.
Masarweh added that if you’re going to hire a VA, make sure you treat them as part of the team. “I hire as if I was hiring an employee,” he said.
A version of this story appeared in Friday’s Source Code. Sign up here to get it in your inbox each morning.
Apple called its employees back to the office as the company’s three-day-per-week hybrid schedule finally began in early September. Many tech companies have eased up on requiring office work, making Apple somewhat of an outlier when it comes to RTO.

Another outlier, Google, has been in hybrid mode since April, reportedly leading to outbreaks of COVID-19 at the office. Yet for all the talk about Google’s three-day-a-week RTO policy, two workers who spoke to Protocol anonymously say it’s not much of a mandate. An employee and a contractor both told Protocol that the hybrid policy doesn’t seem to be imposed across the board.
“The impression I have is that it’s basically not enforced,” the employee said. The Google contractor said attendance varied across different teams, noting that while some of their teammates go to the office three days a week, most only go in once. (Neither Google nor Apple returned emails inquiring about how their hybrid policies are enforced.)

Sundar Pichai’s plan to make Google “20% more efficient” may lead nervous workers to choose to go to the office more often. (An August survey found that CBRE tenants were “evenly split” on whether a recession would drive more workers to the office out of anxiety for their job security.)
As of now, most companies’ hybrid requirements are only enforced as a “very soft mandate,” said Brian Kropp, distinguished VP of research at Gartner. About half of companies with a hybrid mandate are tracking office attendance, Kropp said, but even those that are doing so “have no real plans to fire people for not coming to the office, as long as they’re getting their work done.”
More than 40% of HR leaders surveyed by Gartner last month said they weren’t tracking office attendance. Thirty-five percent said they were gathering attendance data from key fob or badge swipes, while 22% said managers were tracking their teams’ attendance. Another 10% said employees were self-reporting their attendance.
Companies that selectively enforce attendance requirements may wind up with unfair outcomes, Kropp said.
“If you have a mandated set of days where you have to come to the office, but it’s unevenly enforced across the company, then you run into issues of fairness,” Kropp said. “That just creates more variability across the company, which then creates more risk as well in terms of that inconsistency.”
And while flexibility puts companies at an advantage when it comes to competing for talent, it also requires more sophisticated management, Kropp said. “The question you should really be asking is: Does our managerial population, on average, have the capability to manage much more flexibility, or not?” Kropp said. “If the answer is ‘yes, they do,’ you should push for as much flexibility as you can.”
To run high-performing teams in a flexible environment, managers need to be “half social worker, half engineer,” Kropp said. That means more empathy and more capacity for planning and organization.
While companies may seem settled into their hybrid ways of working, many leaders are leaving policies open to change with time rather than overcommitting themselves. The world is unpredictable, as we’ve learned in the last 2.5 years. “A lot of these executives — the way that they’re framing it now is, ‘This is our hybrid strategy for now, and it could evolve and could change,’” Kropp said.

Amazon falls into that category. As Andy Jassy put it at the Code Conference on Wednesday, Amazon doesn’t have a plan to force employees back to the office: “We’re going to proceed adaptively as we learn.”
A version of this story appeared in Protocol’s Workplace newsletter. Sign up here to get it in your inbox three times a week.
If you truly want to gauge a company’s culture before accepting a job offer, you have to become a bit of a sleuth. A journalist, even. Troll Blind and Glassdoor. Browse LinkedIn for current employees who seem trustworthy, or former employees who seem not to have an agenda.
But not everyone has the time to investigate companies in this way. Instead, they may rely on company-sponsored chats with current employees.
Steve McElfresh, founder of HR Futures, said it’s worth it for employers to offer to connect candidates with current employees. The more information, the more helpful to candidates. Still, it’s impossible for company-sponsored candidate-employee chats to be completely candid. Those chats are not entirely trustworthy.
For those who want to connect with employees on their own, scouring LinkedIn and similar sites might be the best option. Professional platform Candor, a new startup trying to be the “more authentic LinkedIn,” was built with job sleuthing in mind.

Bishop added that anonymous platforms can quickly turn toxic, hence Candor’s model with private profiles. But without anonymity, how candid will someone really be?
The most prepared candidates will do all of the above. Just perusing Glassdoor or talking to one company-sponsored employee won’t give you the full picture. You’ve got to really do your research to figure out the fit.
A version of this story appeared in Protocol’s Workplace newsletter. Sign up here to get it in your inbox three times a week.
The SEC reportedly will not push for a total ban on payment for order flow, a proposal that chair Gary Gensler said was “on the table” just a year ago.
The regulator is expected to announce changes to the way payment for order flow is conducted, but it will not involve a total prohibition of the controversial system used in processing stock trades, Bloomberg said in a report on Thursday.
The SEC plan is good news for retail stockbrokers like Robinhood, whose revenue model relies heavily on the rebates it receives for sending trade orders to market makers, known as payment for order flow.
Critics have argued that payment for order flow gives brokers an incentive to encourage retail investors to make as many trades as possible, exposing them to financial risks. Robinhood and payment for order flow came under heavy scrutiny early last year during the GameStop trading frenzy.

In August 2021, Gensler told Barron’s that the regulator was considering a total ban on the system. Wall Street analysts cited the potential ban as a major headwind for Robinhood, which has already taken hits from the broad market downturn. Canada and the U.K. have banned payment for order flow, and Australia has instituted temporary prohibitions on the practice as it considers a ban.
The company has been forced to make dramatic cuts this year. Just a few months after announcing that it was slashing 9% of its workforce, Robinhood said it was cutting another 23% because the first round of reductions “did not go far enough,” CEO Vlad Tenev said in a letter to employees.
Tenev also pointed to “additional deterioration of the macro environment, with inflation at 40-year highs accompanied by a broad crypto market crash.” The company also acknowledged that it essentially overshot staffing needs for 2022 based on the “assumption that the heightened retail engagement we had been seeing with the stock and crypto markets in the COVID era would persist into 2022.”
Robinhood rallied briefly on Thursday trades on news that payment for order flow would not be banned. But the stock was off more than 2% midday. TD Ameritrade, a subsidiary of Charles Schwab, also makes heavy use of payment for order flow; Schwab shares also leapt early in the day and then fell.
The SEC could not immediately be reached for comment.
The FDA this week announced that cooking chicken in NyQuil isn’t safe, which seems obvious; it came from a “NyQuil cooking challenge” video that went viral — more than a year ago.
Government warnings about viral online fads may come too late to be effective. The NyQuil chicken challenge resurfaced in January after starting as a joke on 4chan in 2017.
Government leaders need a lesson on virality. The timing of these warnings highlights the difficulty of staying on top of potentially dangerous challenges, which can go viral in a matter of days. “The FDA is always playing catch-up with these things,” Jeffrey Blevins, a professor at the University of Cincinnati’s journalism department, told me. “It’s impossible for them to be ahead of it. Who in their right mind would have thought of NyQuil chicken?”
It’s not just the government; pediatricians, schools, and other organizations are aware of the dangers of social media trends and are trying to catch on to them quickly. But word spreads fast, and in order for the government’s warnings to be effective, they need to happen sooner.

A version of this story appeared in Thursday’s Source Code. Sign up here to get it in your inbox each morning.
Kraken CEO Jesse Powell is stepping down and will be replaced by chief operating officer David Ripley, the company announced Wednesday.
Powell, who co-founded Kraken in 2011, will become the crypto marketplace’s board chairman. Ripley will take over after Kraken finds a new COO.
Ripley’s leadership and experience “give me great confidence that he’s the ideal successor and the best person to lead Kraken through its next era of growth,” Powell said in a blog post.
He also said that he will be “spending more of my time on the company’s products, user experience and broader industry advocacy.”
Ripley, who joined Kraken through its 2016 acquisition of Glidera, is credited with growing Kraken from 50 to 3,000 employees.
Powell is giving up the CEO post at a critical time when the crypto industry is still reeling from a major downturn that wiped out about $2 trillion in value.
Kraken has managed to weather the storm like other major crypto players, FTX, Binance and Ripple, that have continued expanding, even as rivals like Coinbase pulled back on growth plans.

But Kraken’s workplace culture came under scrutiny after a New York Times report based on leaked Slack messages and employee interviews accused Powell of making insensitive comments on gender and race, sparking heated conversations within Kraken. Powell defended the company’s culture and policies in an interview with Protocol.
Kraken began as a bitcoin exchange before emerging as one of crypto’s biggest marketplaces. Kraken is currently the fourth-largest crypto exchange, after Binance, FTX and Coinbase, according to CoinMarketCap.
Tuesday’s “Made On YouTube” event was basically a competition to see how many ways creators and YouTube execs could talk about beating TikTok without actually saying the word “TikTok.”
YouTube is rolling out ad revenue-sharing for Shorts and lowering the barrier to join its partner program, which execs said will bring more “sustainability and inclusivity” to creators. Previously, both TikTok and YouTube paid short-form creators through a set fund.
The announcement is an obvious jab at TikTok, which has been a frontrunner in the short-form video race. And by the way, YouTube didn’t mention the word “TikTok” once.
Will YouTube’s moneymaking strategy for Shorts turn people away from TikTok? It’s likely too soon to tell, and many new creators have already built huge communities on TikTok. But if people can make money from short-form video elsewhere, don’t be surprised if they start flocking to Shorts. “Other platforms are focused on getting people their 15 seconds of fame, which is great. But YouTube is taking a different approach,” Collins said.

A version of this story appeared in Wednesday’s Source Code. Sign up here to get it in your inbox each morning.
Coinbase is launching a new product to connect developers to the Ethereum blockchain as part of its effort to offer a full stack of crypto infrastructure technology and diversify its business away from consumer trading revenue.
The new Node product provides APIs for developers to connect to the Ethereum blockchain, the most popular system for smart contracts. Its free plan gives up to 120,000 daily requests. It also has an API specifically for developers building NFTs.
“We think the product that we’re [launching today] is the most fundamental piece for anybody building in the ecosystem,” said Luv Kothari, a product manager overseeing Node at Coinbase. “It’s almost like going to AWS and getting an EC2 instance so you can start writing code and then deploying your code.”
That idea of becoming the AWS of blockchain infrastructure is a goal for many companies and the investors backing them.
Part of Coinbase Cloud, Node is Coinbase’s first major free self-serve developer product. Coinbase’s Query & Transact service connecting enterprise customers to blockchains launched in 2020, but the new product is free and adds NFT functionality and other new ways to query the blockchain.

It also fits into Coinbase’s long-stated goal to diversify its business from just trading revenue to other types of businesses.
While there are already large startups competing with Coinbase in areas such as custody and node infrastructure, Coinbase is seeking to leverage its existing products that connect to Node, such as its Pay SDK for fiat-to-crypto transfers, trading APIs and Commerce API for accepting payments.

