Less than two years after he was named co-CEO of Salesforce alongside founder Marc Benioff, the company announced Tuesday that Keith Block would be stepping down, leaving Benioff as sole CEO.
Tom Krazit
Tom Krazit ( @tomkrazit) is Protocol's enterprise editor, covering cloud computing and enterprise technology out of the Pacific Northwest. He has written and edited stories about the technology industry for almost two decades for publications such as IDG, CNET, paidContent, and GeekWire, and served as executive editor of Gigaom and Structure.
Latest Bulletins
More pay transparency is coming to California. The Golden State is joining New York City, Colorado, and Washington in requiring employers to disclose pay ranges in job ads.
Gov. Gavin Newsom signed Senate Bill 1162 into law on Tuesday, according to statements from the California Legislative Women’s Caucus and the TechEquity Collaborative.
Under the law, employers with 15 or more workers will be required to include pay ranges in job postings, and those with 100 or more employees or contractors will have to report median and mean hourly pay rates by job category and “each combination of race, ethnicity, and sex.”
“This is a big moment for California workers, especially women and people of color who have long been impacted by systemic inequities that have left them earning far less than their colleagues,” said state Sen. Monique Limón (D-Santa Barbara) in a statement. Limón introduced the bill in February.
The TechEquity Collaborative’s chief programs officer, Samantha Gordon, praised the law in a statement as “an important step in equalizing the playing field for the 1.9 million contractors, temps, vendors, and contingent workers” in California.
The bill received pushback from the California Chamber of Commerce and the Society for Human Resources Management. The chamber called the bill a “job killer” because the pay reports were going to be published online, but that provision was later removed from the bill, SHRM noted earlier this month.
“You are grouping together workers in very broad categories, as broad as ‘professionals,’” CalChamber policy advocate Ashley Hoffman said in a chamber podcast. “If you think of a hospital, that would encompass nurses, but it would also encompass someone who just graduated college and starting in your HR department. It’s truly a broad category.”
According to Forbes, SHRM argued that pay transparency would increase compression between newer and more experienced employees and could deter candidates from applying before learning about other fringe benefits.
SB 1162 doesn’t make clear how the law applies to companies that employ workers remotely.
Keep Reading
Show less
Cost-cutting in tech is officially hitting the industry’s titans. After years of ruthless staffing up, both Meta and Google have told some employees to find new jobs within the company or leave, according to a report in The Wall Street Journal.
These actions at Meta, via departmental reorganizations, have affected a “significant number” of employees. Cuts aren’t unexpected, a Meta spokesperson pointed out: Mark Zuckerberg told investors on the company’s July earnings call that he planned to “steadily reduce head count” over the coming year, and that “many teams are going to shrink so we can shift energy to other areas.”
The changes reported out of Google have apparently hit around half of the employees of the company’s 100-plus-employee startup incubator, Area 120, where a number of projects have been canceled. Google didn’t immediately return Protocol’s request for comment, but Sundar Pichai has spoken publicly about plans to cut costs, slow hiring, and make the company 20% more productive. On Friday, he reportedly told employees at an all-hands meeting that announcing job cuts to the whole company was “not a scalable way to do it,” but that he would “try and notify the company of the more important updates,” CNBC reported.
To find out what this all means for Big Tech and the rest of the industry, I spoke with Colleen McCreary, Nolan Church, and Steve Cadigan — three people-leaders who have led HR at companies like Credit Karma, DoorDash, Carta, and LinkedIn.
Moves like these are common in Big Tech. Giving employees 60 days to find another role is a “pretty normal big-company proposition,” said McCreary, the chief people, places, and publicity officer at Credit Karma. “Projects get spun up, projects get wound down.”
- Cadigan, the first CHRO at LinkedIn and author of the book “Workquake,” agreed, noting that he’s seen companies use this practice throughout his career. It “raises the employability” of affected workers “if you really believe they’re good people and you really did just cancel that project — it’s not about poor performance.”
- That said, a 30-day deadline to find a new job “feels pretty aggressive in a big company,” said McCreary, who sees 60 days as “much more normal.” Sixty days also allows companies to avoid triggering WARN requirements, which — depending on how many employees are let go in a given location — can require 60 days of pay, McCreary said.
- “Deeper cuts” are expected to follow these 30-day notices at Meta, WSJ reported, citing anonymous sources. Indeed, Zuck told investors in July that he expected the company to “get more done with fewer resources.” (Since last year, Meta has cut its 2022 expense guidance to between $85 billion and $88 billion, down from between $91 billion and $97 billion.)
Big Tech has plenty of reasons to keep job cuts quiet.
- Layoffs are a huge threat to an employer’s brand and hurt morale internally; they leave companies “scarred for a long period of time, both internally and externally,” McCreary said.
- Large tech companies are “really good with controlling the narrative” and know that the word layoff is “a hot button for the press,” said Church, the former chief people officer at Carta, who co-founded the executive talent marketplace Continuum.
- Still, quietly cutting jobs carries its own reputational risks. “Your staff knows if you’re not treating people fairly — if you’re taking people out with sniper shots in the night, metaphorically speaking,” Cadigan said.
For at least eight years, big tech companies have been hoarding talent — both from startups and from each other — as a competitive strategy, said Church.
- That has meant tolerating some bad hires and underperformance — the “bunch of people at the company who shouldn’t be here,” as Zuck put it bluntly over the summer.
- “That was an OK trade-off in the previous macro environment,” Church said. Now, even Big Tech is feeling the pressures of a worsening economic situation, and leaders are “trying to stay on this high wire between public market investors who care about cost cutting and winning the war on talent on the other.”
One thing we know: More performance management is coming. McCreary said she gets a call from a CEO or head of HR “once a week” on how to do a layoff — but she’s also “hearing a lot more about, ‘How do you do performance management?’”
- Giving underperforming employees honest feedback leads some to quit on their own, helping companies avoid terminations and other methods of reducing head count, said Cadigan.
- While serving as LinkedIn’s CHRO a decade ago, Cadigan championed managing underperforming employees out of the company as an alternative to involuntary terminations (while butting heads with the board, which wanted to see more employees fired, he said).
- Offering this kind of straightforward feedback is “something very few companies are good at,” Cadigan said. “If we’re doing this right, we’re helping people figure it out on their own without having to fire.”
A version of this story appeared in Protocol's Workplace newsletter. Sign up here to get it in your inbox three times a week.
Keep Reading
Show less
Calendly, the $3 billion scheduling startup that everyone likes to periodically fight about, has made its first acquisition: Prelude, a startup specializing in the hiring process. Prelude is specifically geared toward scheduling job interviews or other types of recruitment-related meetings.
"What makes this acquisition especially exciting is that it accelerates our vision to holistically solve external scheduling challenges for individuals and teams in companies of all sizes, from SMB to enterprise," CEO Tope Awotona wrote in a blog post announcing the acquisition.
Calendly has been focused on companies, not just individual users, for the past few years now. It released a group meeting feature to help teams schedule across time zones back in December 2021. The Prelude acquisition shows Calendly's interest in the HR software space and hints at its desire to build out other specific use cases. Awotona told TechCrunch that this is unlikely to be its last acquisition or its only dive into catering to specific industries.
Keep Reading
Show less
Celsius Network CEO Alex Mashinsky resigned from the embattled cryptocurrency lender Tuesday morning. The lender is in the middle of bankruptcy proceedings after pausing withdrawals in June.
“I regret that my continued role as CEO has become an increasing distraction, and I am very sorry about the difficult financial circumstances members of our community are facing,” the resignation letter reads.
In a press release, Mashinsky added that he “will continue to maintain [his] focus on working to help the community unite behind a plan that will provide the best outcome for all creditors.”
Celsius said it had named CFO Chris Ferraro its chief restructuring officer and interim CEO Tuesday. Ferraro joined the company in March and became CFO in July, according to his LinkedIn profile. He previously spent 18 years in various roles at JPMorgan Chase.
Celsius became emblematic of the crypto liquidity crisis earlier this summer, leading it to pause all transactions in June. A rogue employee had also leaked thousands of users’ email addresses, adding to suspicions about the company’s stability. Another lender, Voyager, also filed for bankruptcy amid market turmoil in the same period after hedge fund Three Arrows Capital defaulted on a loan.
Several leaked reports in recent weeks showed that Celsius was plotting risky actions to save the company with Mashinsky at the helm. A leaked call showed that, rather than returning customers' assets, the company considered selling customers a new token representing their debt as a form of IOU. The call also revealed that employee assets would be returned on the same timeline as customers'. A customer leaked the audio, saying it was sent to her by an unnamed Celsius employee.
In the leaked call, CTO Guillermo Bodnar also said the company was creating a transaction management system. The company had been using an Excel spreadsheet before to track assets.
Meanwhile, the CEL token faced a short squeeze, largely organized by supporters on Twitter. The currency jumped 300% from its price after the transaction pause, despite reports suggesting that the lender was likely insolvent. Cryptic messages from Mashinsky and his wife Krissy — including a picture of Krissy Mashinsky wearing short-shorts — were interpreted by some as support for the squeeze.
Update: This story has been updated to include Celsius's comment about Chris Ferraro's appointment as interim CEO.
Keep Reading
Show less
Brett Harrison announced on Twitter Tuesday morning that he would be stepping down from his role as president of FTX US and moving to an advisory role. He said he will continue working in the industry.
Harrison assumed the role with FTX just 16 months ago. Previously, he worked as an operations manager of multiple technology groups at Citadel Securities and as a developer at Headlands Technology. Harrison and FTX CEO Sam Bankman-Fried overlapped at Jane Street between 2014 and 2017, when Harrison led systems trading technology and Bankman-Fried was a cryptocurrency trader. FTX has not responded to requests for comment as to why he is leaving the firm, though Bankman-Fried told Bloomberg the announcement would not have been made so publicly if FTX hadn't known in advance.
During his tenure at FTX, Harrison saw the trading platform grow from three to over 100 employees, build a U.S. brokerage, and acquire multiple other crypto firms including LedgerX and Embed. “I don’t doubt my experiences in this role will be among the most cherished of my career,” he said in a tweet.
The departure may be part of a broader theme of executive churn in crypto exchanges’ U.S. affiliates. Binance, the world’s largest exchange by trading volume, has also suffered management churn with its U.S. affiliate, Binance.US.
In order to shield the exchanges from scrutiny in other countries and to ensure regulatory compliance with U.S. law, both exchanges have created separate American affiliates responsible for domestic licensing, data storage, and currency trading. International scrutiny of both platforms has accelerated in the past two years, putting considerable pressure on executives who must defend the companies’ practices in the U.S. and convince lawmakers there is no risk of influence or control from foreign operators. However, Bankman-Fried himself has typically represented FTX before Congress — while Binance CEO Changpeng Zhao has not, instead leaving U.S. executives to manage D.C. relationships.
Several other crypto firms have seen high-profile departures recently amid the industry's "crypto winter." Celsius CEO Alex Mashinsky also resigned Tuesday in the middle of that company's bankruptcy proceedings, and Kraken CEO Jesse Powell stepped down last week.
Harrison said he will continue working in the cryptocurrency industry after his departure. The industry is “at a crossroads,” he said, voicing his concern about large companies entering the market. His goal, according to the Twitter thread, will be “removing technological barriers to full participation in and maturation of global crypto markets, both centralized and decentralized.”
Keep Reading
Show less
Russia set up a sprawling and sophisticated network of websites impersonating mainstream media outlets, which it used to spread anti-Ukrainian messaging that was amplified via fake social media accounts, Meta has found. In a new report published Tuesday, Meta called it Russia’s “largest and most complex” influence operation since the war in Ukraine began.
According to the report, between June and September, Russian agents set up more than 60 websites that spoofed actual news sites, including those of The Guardian and German publishers Der Spiegel and Bild. (Disclosure: Bild and Protocol are both owned by Axel Springer.) The sites, which primarily targeted users in Germany, France, Italy, Ukraine, and the U.K., were meticulous imitations of the real thing, borrowing not just the format and design of the actual news sites, but in some cases also the photos and bylines of real reporters.
The Russian actors used these sites and fake online petitions to push false narratives — including that Ukraine had staged the murder of civilians in Bucha — and then promoted their work on Facebook, Instagram, YouTube, Telegram, Twitter, Change.org, Avaaz, “and even LiveJournal,” the report reads. All told, Facebook and Instagram removed nearly 2,000 accounts, more than 700 pages, and one group, and detected some $105,000 in advertising. As Facebook and Instagram worked to shut the network down, more websites continued popping up.
“This suggests a persistence and a continued investment in the cross-internet activity,” David Agranovich, Meta’s director of global threat disruption, said on a call with reporters. In some cases, the posts were boosted by official Russian diplomatic pages.
But while the network of websites was developed with care, the fake accounts were more of a "smash-and-grab," the report said. Many of them were detected by the company’s automated systems, before Meta even began its investigation. “It presents as a really unusual combination of sophistication and brute force,” Agranovich said.
In addition to the Russian network, Meta also detected a Chinese influence operation targeting the U.S. and Czechia. While less expansive than the Russian network, the Chinese operation was noteworthy, Meta executives said, for the way it tried to stake out both sides of contentious topics, like gun rights and abortion access. “While it failed, it’s important, because it’s a new direction for Chinese influence operations,” said Ben Nimmo, Meta’s global information operations threat intelligence lead.
Meta has shared its findings with other companies that were targeted by these information networks, as well as with governments and law enforcement. The company is also making the list of fake domains public “to enable further research,” Agranovich said.
Meta’s report comes one day after Google researchers said pro-Russian hackers are coordinating with the Russian military to carry out cyberattacks in connection with the war in Ukraine. “We have never previously observed such a volume of cyberattacks, variety of threat actors, and coordination of effort within the same several months,” the Google report read, according to The Wall Street Journal.
In some ways, the Russian playbook now mirrors the one it used in the run-up to the 2016 election, when Russia's Internet Research Agency created phony news sites that focused on race relations and other heated topics in the U.S., then pushed them on U.S. social media. But the intricate impersonations of actual news sites demonstrates a new level of investment by the Russians.
And yet, Agranovich said one encouraging sign was the relative lack of traction Russia’s information operation got on Facebook and Instagram this time. “They were kind of throwing everything at the wall and not a lot of it’s sticking,” he said. But he cautioned, “That doesn’t mean we can say mission accomplished.”
Keep Reading
Show less
Eight states, led by California and New York, have taken legal action against Nexo highlighting growing concerns about companies that offer unregistered crypto lending products.
The states are accusing Nexo of allowing consumers to deposit crypto assets in exchange for interest as high as 36% without registering its products as securities and providing material information to customers.
The “aggressive enforcement efforts against unregistered interest-bearing cryptocurrency accounts” are aimed at enforcing “investor protections under the law, including adequate disclosure of the risk involved,” Clothilde Hewlett, commissioner of the California Department of Financial Protection and Innovation, said in a statement.
More than 18,000 California residents have signed up for Nexo’s Earn Interest Product accounts, which collectively hold total investments of at least $174 million, according to the California “desist and refrain order.”
The California legal move comes shortly after the crypto industry won a significant victory in the state when Gov. Gavin Newsom vetoed a bill that would have required crypto companies to get a state license. The proposal passed overwhelmingly in the California Assembly and Senate.
The New York attorney general’s office said Nexo “failed to register and misrepresented to investors that they are a licensed and registered platform.”
“Cryptocurrency platforms are not exceptional; they must register to operate just like other investment platforms,” Attorney General Letitia James said in a statement. “Nexo violated the law and investors’ trust by falsely claiming that it is a licensed and registered platform.”
Nexo also faces legal challenges in Washington, Maryland, South Carolina, Oklahoma, Vermont, and Kentucky, according to a California DFPI representative.
Nexo said in a statement that the company has been “working with U.S. federal and state regulators and understand their urge, given the current market turmoil and bankruptcies of companies offering similar products, to fulfill their mandates of investor protection by examining past behavior of providers of earn interest products."
“Nexo has always been dedicated to running a sustainable and compliant business and welcomed, even proactively sought, regulatory clarity,” the company said, adding that it has “voluntarily ceased” signing up new U.S. clients for the Earn Interest Product.
Nexo described itself as “a very different provider” of such products,” noting that “it did not engage in uncollateralized loans, had no exposure to luna/UST, did not have to be bailed out or needed to resort to any withdrawal restrictions.”
Keep Reading
Show less
It’s a famous startup saying that the next big thing will start out looking like a toy. And there’s no toy that VCs have been more excited about playing around with recently than DALL-E and other generative AI image tools.
Put a few key words into a tool like Midjourney, Stable Diffusion, or DALL-E and it’s easy to see why the whimsical (and often wacky) images have captured investors’ imagination. An AI-generated artwork even recently won an art competition at the Colorado State Fair, a result that didn’t go over well among more traditional artists. It’s become disruptive enough that this week Getty announced a ban of AI-generated images on its platform, following similar moves by some online art communities.
What looks like an interesting art tool has become a prime feeding ground for investors. Investor interest has been nearly overwhelming for Poly’s Abhay Agarwal, who is building a “DALL-E for design assets” company. “It has literally been like dropping yourself into the Ganga River and fully being bathed in it,” Agarwal said of the interest. He’s already had over 80 meetings with VCs and is only halfway done following YC’s Demo Day.
- The challenge now for investors is finding the business case in AI-generated imagery. Already, some companies like Stitch Fix have been experimenting with the technology, but with mixed success. “I feel quite strongly that these technologies are quite world-changing,” Khosla Ventures partner Kanu Gulati told me. “They’re still early. A lot of their shortcomings are known, but the community is super, super active and trying to resolve them.”
- Perhaps unsurprisingly, the initial startup applications have been around design, marketing and e-commerce, like a company doing AI-generated stock imagery or a startup building AI models for fashion brands so they can skip photoshoots. Gulati has invested in startups like Rosebud, which is doing AI-generated photos and videos (including NFTs), while Khosla Ventures has directly backed research lab OpenAI, the creator of DALL-E. Poly is pitching itself as a way for designers to use AI to generate textures.
- Already looking ahead, Gulati thinks AI imagery will be used with other forms of generative AI-like text, and that’s where more value can be created. “There will be huge industries out there giving Adobe a run for their money because of using these latest technologies,” Gulati said. “And these will be built on a new stack of AI-first companies.”
The hype wave is similar to GPT-3, a generative AI text tool with an API that businesses can build off of. The problem is that investors can easily fall into the trap of thinking the two generative models are the same.
- For generative text, there can be a lower bar for quality and also a lower bar for utility. If the AI makes mistakes, it’s easy to clean up typos. But plenty of people can also write their own mediocre copy if needed, so the value of some tools is diminished if replacing a human with AI doesn’t really save much cost or work.
- The bar for images is much higher, because if an image comes back where something is wrong, then it has to be tossed — you can’t correct it easily. But at the same time, the utility is high because, frankly, most humans can’t create a drawing anywhere near the quality of the output of the AI, Agarwal explained.
- “For text modeling, someone can do a mediocre job of it on their own,” Agarwal said. “With image modeling, you can't. 99.9% of people in this world cannot create a convincing illustration, even given an infinite amount of time.”
Just because it’s magical doesn’t mean it can magic away its shortcomings. As Charlie Warzel pointed out in a smart piece, “What feels like magic is actually incredibly complicated and ethically fraught.”
- The black box algorithms behind much of the programs have already raised serious concerns about copyright and other legal claims as it’s not known what imagery the models were trained off of. Stable Diffusion recently did release its training model, and much of it came from Pinterest imagery and Thomas Kinkade’s art, per Andy Baio’s analysis.
- Already, there’s a lot of bias in the models. Run a search for a startup founder or venture capitalist and it almost always returns a white man as the image. Even a search that included “teacher,” a predominantly female profession, returned images of men. “Bias will continue to be a big challenge, which investors and founders have to solve before these become sustainable enterprises,” Gulati said.
- And with every tool on the internet, what can be used for good can also be used for evil. Stable Diffusion recently open-sourced its technology in a way that could allow people to circumvent safeguards and create pornography, deepfakes, and violent imagery — something tools like DALL-E block. There are websites and Discord forums popping up specifically around AI-generated pornography already, and people posting images of Bernie Sanders in a “Mad Max” deepfake.
Creating a future for generative AI startups won’t be as easy as painting a picture of the opportunity. Founders and investors will have to both take responsibility for understanding the shortcomings of generative AI and solving them. It takes more than “hustling and flipping when you see a quick opportunity to leverage an open-source technology,” said Agarwal. Instead, he argued technologists need to become stewards of the technology and build it for whatever business application is needed. For Poly, that means creating and training its models around textures and design elements so that it can responsibly tailor the model in a way that allows it to build a business. “I don't believe that once a model was released into the open-source public that somehow that means that everybody can jump on that and start using it for whatever use case,” Agarwal said.
A version of this story appeared in Protocol's Pipeline newsletter. Sign up here to get it in your inbox every Saturday.
Keep Reading
Show less
We know there’s no such thing as a free lunch. Still, the idea that many corporate benefits aren’t always a benefit recently touched a nerve on Twitter.
“Been thinking about anti-perks in tech jobs. What perks *sound* good but are a hard no from you?”
The tweet came from Jessica Rose, a developer relations advocate, founder of a meetup series for programmers and aspiring programmers and co-founder of Trans*Code, a hacker org devoted to drawing attention to transgender issues and opportunities.
Rose’s “hard no” was to those so-called benefits that have been around since time immemorial (or at least since the dot-com era). “Don't give me food or hammocks or video games, just let me work remotely or go home on time,” said Rose.
'Don’t touch me'
The tweet thread was full of varied responses, but the paradox of unlimited vacation was the clear favorite. “Wow, people are just so suspicious about unlimited paid time off,” Rose told Protocol when we caught up with her to ask about the tweet.
Other workers balked at in-office massages (“don’t touch me”), free booze, open-plan offices (did anyone in the history of the world ever call this a benefit?), fitness rooms, nap rooms, escape rooms (really any rooms), and something called “blameless retrospectives.” Um, what?
If employees are going to be suspicious of whatever perks you offer, why offer any perks at all?
“So I'm aware of how wonderfully spoiled it is to complain about perks being given out in some kinds of tech workplaces,” said Rose. “I'm the most unimpressed by ‘perks’ which either directly undermine employment rights (like unlimited paid time off can do in some regions) or are intended to throw work/life balance out of kilter in the workplace's favor.”
Unlimited or flexible vacation time can work, but it helps when the culture is one where people are encouraged to take time off and experts agree that mandatory minimums go a long way in helping create that kind of culture.
Your best interests or mine? Why can’t it be both? ¯\_(ツ)_/¯
A director of engineering at Google who formerly worked at Microsoft and Zillow called employer-sponsored coaching an anti-perk. “I’ll spring for a coach who is looking out for my best interests, not the company’s, thanks,” she said, adding, “I know I am lucky to be offered this, but it always feels like a trap.”
There’s good reason to be at least a little wary of these programs. Last year Protocol reported that when tech companies work with coaching programs like BetterUp and Bravely the conversations themselves are confidential, but the company often receives aggregated reports on the issues workers are expressing in general, the topics they’re discussing, what's going well for them at work, and what's not.
When Protocol spoke to Twilio’s VP of talent management Andrew Wilhelms about the company's coaching partnership, Wilhelms explained that BetterUp provides a set of Twilio-specific priorities to coaches and Twilio can update those priorities and goals based on what kind of culture change the company needs to see.
This might feel overly controlling, or it might be a great way to help change a company’s culture for the better, especially if a majority of employees are feeling stressed and burned out and are more likely to tell this to a coach than their manager. Twilio told Protocol that 99% of the employees who used the coaching service last year said the sessions were a valuable use of their time, and that 94% said the sessions made them more effective at their job.
“Thoughtful, meaningful perks can benefit both employers and team members, by helping keep their team members happy and hopefully keep them in their role for longer,” Rose said.
Free SunChips < values-based work culture
Research shows that today’s employees don’t want snacks as much as they want work that aligns with their values, and that extends to benefits.
- “I love work perks that demonstrate an employer's ethics and commitment to meaningfully supporting their team members,” said Rose.
- These benefits can include big structural benefits like location-agnostic pay and support for different kinds of employee leave, but also smaller things like “sending people a small bonus on their birthday to buy a cake,” Rose added.
- Rose also looks for “employers who don't subcontract out cleaning or security staff, to make sure that all of their team members get access to the same kinds of pay and support.”
What your 'perks' say about your corporate culture
Some “anti-perks” are just common decency and respect, such as believing your employees are telling the truth when they call in sick. In response to Rose’s prompt, one senior system admin pointed out a job listing that offers an “honor-based sick leave policy” in addition to its “commitment to an open, inclusive and diverse work culture.”
And think twice about listing your game room in your job description, tweeted a product designer from Miro:
“When they advertise a ping-pong table in the job listing, it's a huge 🚩 for me. And I love ping-pong. If a silly perk like this [is] such a relevant part of your benefits package, that says a lot about what the company values, and likely its culture."
A version of this story appeared in Protocol's Workplace newsletter. Sign up here to get it in your inbox three times a week.
Brisk political winds are chilling tech business relations between the U.S. and China, and perhaps more than anything right now, companies with business in China are fretting over one thing the U.S. government could do: change the rules for investments flowing from China into the U.S.
To protect against cybersecurity vulnerabilities and exploitation of Americans’ data, President Joe Biden signed an executive order on Sept. 15 directing the Committee on Foreign Investment in the United States, or CFIUS (pronounced “sif-ee-us” by foreign investment watchers), to consider scrutinizing foreign investments through the lens of national security risks.
“Everybody recognizes the need to protect U.S. national security. But as Congress and the administration consider new tools, like an outbound investment review regime, it is critical that they get real input from the business community and be precise in what they’re trying to cover,” Rory Murphy, vice president of Government Affairs at the US-China Business Council, told Protocol yesterday.
The oft-stated mission of ensuring U.S. leadership in emerging tech is at the heart of this potential shift. During a press briefing, a senior administration official listed a “handful of priority emerging and critical technologies, like semiconductors, quantum technologies, biotechnology, and artificial intelligence, as well as supply chain considerations” as areas where investment reviews could happen.
The elephant in the room here is China, a country “of special concern” that has tech strategies that many in U.S. government believe threaten U.S. leadership in areas related to national security.
But because AI is intertwined with all industries and the technologies they use, AI deals could be subject to excessive review if a CFIUS rule is written too broadly. “How AI is defined will be important in determining what types of transactions are covered,” Murphy said.
A version of this story appeared in Friday's Enterprise newsletter. Sign up here to get it in your inbox each morning.
Keep Reading
Show less
This year is on track to be a record for global electric vehicle adoption. EVs are expected to make up 13% of light duty vehicle sales, and the world is on track to hit a 2030 milepost en route to net zero by mid-century. Yet the road ahead is far from smooth in other industries.
In 2021, EV sales doubled and made up 9% of the car market by the year’s end. This year's surge is due to more being sold in European and Chinese markets, according to the new installment of the International Energy Agency’s Tracking Clean Energy Progress report released this week. However, the report notes that “electric vehicles are not yet a global phenomenon” and sales in the Global South have lagged due to both high sticker prices and a charging infrastructure deficit. (Exported gas-powered cars are also keeping many emerging countries stuck on fossil fuels.)
The IEA’s scenario for reaching net zero by 2050 sets out a milestone of EVs making up 60% of new car sales by 2030, with more than 300 million EVs on the road by that point. To reach that goal, EVs as a share of new car sales will have to increase by roughly 6% annually for the rest of the decade, which the IEA finds is doable.
Yet the report found that progress is insufficient in 53 of the 55 elements of the energy system. (Outside EV adoption, only lighting is on track.) Of those, 30 received an assessment of “more efforts needed,” and 23 are “not on track.” Take energy efficiency, for example. The report found the rate of improvement in energy intensity — which it dubs the “single largest measure to avoid energy demand” in the IEA net zero scenario — needs to at least double by 2030.
Despite the lack of progress, there are reasons to think the sectors lagging behind EV adoption and lighting are in for a boost. The report flags the Inflation Reduction Act and the European Union’s RePowerEU plan as promising policy developments that should add momentum to the energy transition. And new clean infrastructure and technologies are on the horizon, suggesting that progress for even hard-to-decarbonize areas like heavy industry is likely to accelerate.
That includes the growing interest and financing for green hydrogen as well as a particularly promising 2021 green steel pilot project. The IEA also noted that 2022 is likely to see a new record for renewable electricity capacity added to the grid, with roughly 340 gigawatts coming online.
“This reaffirms my belief that today’s global energy crisis can be a turning point towards a cleaner, more affordable, and more secure energy system,” said IEA executive director Fatih Birol about the report’s findings. “But this new IEA analysis shows the need for greater and sustained efforts across a range of technologies and sectors to ensure the world can meet its energy and climate goals.”
Keep Reading
Show less
The popularity of VAs has grown dramatically over the past couple of years. And we’re not talking about virtual assistant tech; we’re talking about real people.
Who needs a virtual assistant the most? Laith Masarweh, who founded and runs the virtual assistant company Assistantly, told me that people just getting their businesses off the ground — those he called “solo-prenuers” — need one most often.
- Tons of companies that have laid off employees in recent months have also tapped VAs to offset the workload of their existing employees, Masarweh said.
- Masarweh said those without the resources to hire full-time employees should look into VAs. “The knowledge and the quality of these virtual assistants is high,” he said. “They can get the ball rolling after two weeks or sooner to start with whatever you need.”
And what can they do for you? Masarweh broke down the responsibilities for virtual assistants into about five different categories: administrative operations, sales, marketing, social media, and more “niche” areas of expertise.
- You can hire one to take on anything, really, like managing calendars and executive-level tasks. Masarweh has 15 VAs who help with tasks ranging from sales to operations.
- Masarweh said VAs also have the potential to turn into full-time employees down the line. The person he hired to help with recruitment eventually became his client success manager and later his COO. “And he might be the CEO of the company,” he added. “I would have no problem having him do that.”
Masarweh added that if you’re going to hire a VA, make sure you treat them as part of the team. “I hire as if I was hiring an employee,” he said.
A version of this story appeared in Friday's Source Code. Sign up here to get it in your inbox each morning.
Keep Reading
Show less
Apple called its employees back to the office as the company’s three-day-per-week hybrid schedule finally began in early September. Many tech companies have eased up on requiring office work, making Apple somewhat of an outlier when it comes to RTO.
Another outlier, Google, has been in hybrid mode since April, reportedly leading to outbreaks of COVID-19 at the office. Yet for all the talk about Google’s three-day-a-week RTO policy, two workers who spoke to Protocol anonymously say it’s not much of a mandate. An employee and a contractor both told Protocol that the hybrid policy doesn’t seem to be imposed across the board.
“The impression I have is that it’s basically not enforced,” the employee said. The Google contractor said attendance varied across different teams, noting that while some of their teammates go to the office three days a week, most only go in once. (Neither Google nor Apple returned emails inquiring about how their hybrid policies are enforced.)
Sundar Pichai’s plan to make Google “20% more efficient” may lead nervous workers to choose to go to the office more often. (An August survey found that CBRE tenants were “evenly split” on whether a recession would drive more workers to the office out of anxiety for their job security.)
As of now, most companies’ hybrid requirements are only enforced as a “very soft mandate,” said Brian Kropp, distinguished VP of research at Gartner. About half of companies with a hybrid mandate are tracking office attendance, Kropp said, but even those that are doing so “have no real plans to fire people for not coming to the office, as long as they’re getting their work done.”
More than 40% of HR leaders surveyed by Gartner last month said they weren’t tracking office attendance. Thirty-five percent said they were gathering attendance data from key fob or badge swipes, while 22% said managers were tracking their teams’ attendance. Another 10% said employees were self-reporting their attendance.
Companies that selectively enforce attendance requirements may wind up with unfair outcomes, Kropp said.
“If you have a mandated set of days where you have to come to the office, but it’s unevenly enforced across the company, then you run into issues of fairness,” Kropp said. “That just creates more variability across the company, which then creates more risk as well in terms of that inconsistency.”
And while flexibility puts companies at an advantage when it comes to competing for talent, it also requires more sophisticated management, Kropp said. “The question you should really be asking is: Does our managerial population, on average, have the capability to manage much more flexibility, or not?” Kropp said. “If the answer is ‘yes, they do,’ you should push for as much flexibility as you can.”
To run high-performing teams in a flexible environment, managers need to be “half social worker, half engineer,” Kropp said. That means more empathy and more capacity for planning and organization.
While companies may seem settled into their hybrid ways of working, many leaders are leaving policies open to change with time rather than overcommitting themselves. The world is unpredictable, as we’ve learned in the last 2.5 years. “A lot of these executives — the way that they’re framing it now is, ‘This is our hybrid strategy for now, and it could evolve and could change,’” Kropp said.
Amazon falls into that category. As Andy Jassy put it at the Code Conference on Wednesday, Amazon doesn’t have a plan to force employees back to the office: “We’re going to proceed adaptively as we learn.”
A version of this story appeared in Protocol's Workplace newsletter. Sign up here to get it in your inbox three times a week.
If you truly want to gauge a company’s culture before accepting a job offer, you have to become a bit of a sleuth. A journalist, even. Troll Blind and Glassdoor. Browse LinkedIn for current employees who seem trustworthy, or former employees who seem not to have an agenda.
But not everyone has the time to investigate companies in this way. Instead, they may rely on company-sponsored chats with current employees.
- Ian Royer, a public relations specialist with Amazon Canada, took Amazon up on its “Candid Chats” program that connects candidates with members of employee resource groups.
- He was on a mission to determine whether he fit with Amazon’s culture. “I am at a point in my career where when I do interviews, I interview for my fit, not the company,” Royer said.
- Royer spoke with representatives from Amazon’s Black Employee Network and LGBTQ group Glamazon after encouragement from his recruiter. Those conversations ultimately won him over.
Steve McElfresh, founder of HR Futures, said it’s worth it for employers to offer to connect candidates with current employees. The more information, the more helpful to candidates. Still, it’s impossible for company-sponsored candidate-employee chats to be completely candid. Those chats are not entirely trustworthy.
- “In most cases you’ve got to assume they’re using a stable of people who are prepped and primed to be positive about the company,” McElfresh said. “There’s nothing fundamentally wrong with that, but I think you've got to take it with a grain of salt.”
For those who want to connect with employees on their own, scouring LinkedIn and similar sites might be the best option. Professional platform Candor, a new startup trying to be the “more authentic LinkedIn,” was built with job sleuthing in mind.
- “Especially in a remote world, it's so hard to figure out and so hard to get to know people and know if that culture fit is going to be there at your next opportunity,” said Candor founder Kelsey Bishop.
- Candor profiles look kind of like corporate mood boards, with descriptors like “my core values,” “teammates that really inspire me” and “things that motivate me.” Bishop said the service is meant for casual networking, and to help people suss out the working styles of their potential future co-workers.
Bishop added that anonymous platforms can quickly turn toxic, hence Candor’s model with private profiles. But without anonymity, how candid will someone really be?
- “As a candidate, you have to dig beyond what’s publicly available,” McElfresh said. “I would certainly be looking for more of the anonymous material.”
- On the other hand, you can’t verify the identity, and therefore validity, of anonymous reviews. “The problem with anonymous material is you get the extremes,” McElfresh said. “You get people who are clearly unhappy, resentful and are almost assuredly overrepresented.”
The most prepared candidates will do all of the above. Just perusing Glassdoor or talking to one company-sponsored employee won’t give you the full picture. You’ve got to really do your research to figure out the fit.
A version of this story appeared in Protocol's Workplace newsletter. Sign up here to get it in your inbox three times a week.
The SEC reportedly will not push for a total ban on payment for order flow, a proposal that chair Gary Gensler said was "on the table" just a year ago.
The regulator is expected to announce changes to the way payment for order flow is conducted, but it will not involve a total prohibition of the controversial system used in processing stock trades, Bloomberg said in a report on Thursday.
The SEC plan is good news for retail stockbrokers like Robinhood, whose revenue model relies heavily on the rebates it receives for sending trade orders to market makers, known as payment for order flow.
Critics have argued that payment for order flow gives brokers an incentive to encourage retail investors to make as many trades as possible, exposing them to financial risks. Robinhood and payment for order flow came under heavy scrutiny early last year during the GameStop trading frenzy.
In August 2021, Gensler told Barron's that the regulator was considering a total ban on the system. Wall Street analysts cited the potential ban as a major headwind for Robinhood, which has already taken hits from the broad market downturn. Canada and the U.K. have banned payment for order flow, and Australia has instituted temporary prohibitions on the practice as it considers a ban.
The company has been forced to make dramatic cuts this year. Just a few months after announcing that it was slashing 9% of its workforce, Robinhood said it was cutting another 23% because the first round of reductions “did not go far enough,” CEO Vlad Tenev said in a letter to employees.
Tenev also pointed to “additional deterioration of the macro environment, with inflation at 40-year highs accompanied by a broad crypto market crash.” The company also acknowledged that it essentially overshot staffing needs for 2022 based on the “assumption that the heightened retail engagement we had been seeing with the stock and crypto markets in the COVID era would persist into 2022.”
Robinhood rallied briefly on Thursday trades on news that payment for order flow would not be banned. But the stock was off more than 2% midday. TD Ameritrade, a subsidiary of Charles Schwab, also makes heavy use of payment for order flow; Schwab shares also leapt early in the day and then fell.
The SEC could not immediately be reached for comment.
Keep Reading
Show less
The FDA this week announced that cooking chicken in NyQuil isn’t safe, which seems obvious; it came from a “NyQuil cooking challenge” video that went viral — more than a year ago.
Government warnings about viral online fads may come too late to be effective. The NyQuil chicken challenge resurfaced in January after starting as a joke on 4chan in 2017.
- In June, the FDA warned of the dangers of keeping avocados fresh by placing them in water. That video was popular a couple years ago.
- Schools and lawmakers took a few weeks to catch wind of, and warn parents about, a “devious licks” video that resulted in students damaging school property.
- The Tide Pod challenge, which started as a joke on Twitter in late 2017 before making its way to YouTube and elsewhere, got the Consumer Product Safety Commission’s attention about a month after it went viral.
- And French lawmakers needed a few months to warn against the 2018 “InMyFeelings” challenge, which involved getting out of a moving car and dancing.
Government leaders need a lesson on virality. The timing of these warnings highlights the difficulty of staying on top of potentially dangerous challenges, which can go viral in a matter of days. “The FDA is always playing catch-up with these things,” Jeffrey Blevins, a professor at the University of Cincinnati’s journalism department, told me. “It’s impossible for them to be ahead of it. Who in their right mind would have thought of NyQuil chicken?”
- But the fact that the FDA and other government agencies need months — even years — to identify and warn people about dangerous viral trends defeats the purpose of the warning. Once the alert comes around, the damage may have already been done.
- The way in which the FDA responds to harmful viral videos might not be that effective anyway: The ones making the posts go viral — kids — probably aren’t following government alerts, Blevins said. “I would really encourage these agencies to think about being a little more creative in how they respond,” he said.
- The FDA could post TikToks or poke fun at the absurdity of cooking chicken with NyQuil while also explaining the harms, for example. (The FDA didn’t immediately return a request for comment.)
It’s not just the government; pediatricians, schools, and other organizations are aware of the dangers of social media trends and are trying to catch on to them quickly. But word spreads fast, and in order for the government’s warnings to be effective, they need to happen sooner.
A version of this story appeared in Thursday's Source Code. Sign up here to get it in your inbox each morning.
Kraken CEO Jesse Powell is stepping down and will be replaced by chief operating officer David Ripley, the company announced Wednesday.
Powell, who co-founded Kraken in 2011, will become the crypto marketplace’s board chairman. Ripley will take over after Kraken finds a new COO.
Ripley’s leadership and experience “give me great confidence that he’s the ideal successor and the best person to lead Kraken through its next era of growth,” Powell said in a blog post.
He also said that he will be “spending more of my time on the company’s products, user experience and broader industry advocacy.”
Ripley, who joined Kraken through its 2016 acquisition of Glidera, is credited with growing Kraken from 50 to 3,000 employees.
Powell is giving up the CEO post at a critical time when the crypto industry is still reeling from a major downturn that wiped out about $2 trillion in value.
Kraken has managed to weather the storm like other major crypto players, FTX, Binance and Ripple, that have continued expanding, even as rivals like Coinbase pulled back on growth plans.
But Kraken’s workplace culture came under scrutiny after a New York Times report based on leaked Slack messages and employee interviews accused Powell of making insensitive comments on gender and race, sparking heated conversations within Kraken. Powell defended the company’s culture and policies in an interview with Protocol.
Kraken began as a bitcoin exchange before emerging as one of crypto’s biggest marketplaces. Kraken is currently the fourth-largest crypto exchange, after Binance, FTX and Coinbase, according to CoinMarketCap.
Keep Reading
Show less
Tuesday's “Made On YouTube” event was basically a competition to see how many ways creators and YouTube execs could talk about beating TikTok without actually saying the word “TikTok.”
YouTube is rolling out ad revenue-sharing for Shorts and lowering the barrier to join its partner program, which execs said will bring more “sustainability and inclusivity” to creators. Previously, both TikTok and YouTube paid short-form creators through a set fund.
- Ads will run in between Shorts, similar to the way ads appear as standalone videos between TikToks. Creators can earn 45% of the ad revenue collected on Shorts.
- This is the first time creators can earn ad revenue from short-form video, a change that influencers like Hank Green have called on TikTok to implement.
The announcement is an obvious jab at TikTok, which has been a frontrunner in the short-form video race. And by the way, YouTube didn’t mention the word “TikTok” once.
- Execs instead emphasized that they don’t want creators to be “multiplatform,” meaning they hop from TikTok to YouTube depending on what video they make or audience they intend to reach. They want creators to be “multiformat,” which means they do everything on one platform.
- “This is a huge incentive for me to put all of my work into one place, which means my audience doesn't have to jump between apps to see all of my videos,” said Kris Collins, who originally found fame on TikTok, during the event.
Will YouTube’s moneymaking strategy for Shorts turn people away from TikTok? It’s likely too soon to tell, and many new creators have already built huge communities on TikTok. But if people can make money from short-form video elsewhere, don’t be surprised if they start flocking to Shorts. “Other platforms are focused on getting people their 15 seconds of fame, which is great. But YouTube is taking a different approach,” Collins said.
A version of this story appeared in Wednesday's Source Code. Sign up here to get it in your inbox each morning.
Keep Reading
Show less
Coinbase is launching a new product to connect developers to the Ethereum blockchain as part of its effort to offer a full stack of crypto infrastructure technology and diversify its business away from consumer trading revenue.
The new Node product provides APIs for developers to connect to the Ethereum blockchain, the most popular system for smart contracts. Its free plan gives up to 120,000 daily requests. It also has an API specifically for developers building NFTs.
“We think the product that we’re [launching today] is the most fundamental piece for anybody building in the ecosystem,” said Luv Kothari, a product manager overseeing Node at Coinbase. “It's almost like going to AWS and getting an EC2 instance so you can start writing code and then deploying your code.”
That idea of becoming the AWS of blockchain infrastructure is a goal for many companies and the investors backing them.
Part of Coinbase Cloud, Node is Coinbase’s first major free self-serve developer product. Coinbase’s Query & Transact service connecting enterprise customers to blockchains launched in 2020, but the new product is free and adds NFT functionality and other new ways to query the blockchain.
It also fits into Coinbase's long-stated goal to diversify its business from just trading revenue to other types of businesses.
While there are already large startups competing with Coinbase in areas such as custody and node infrastructure, Coinbase is seeking to leverage its existing products that connect to Node, such as its Pay SDK for fiat-to-crypto transfers, trading APIs and Commerce API for accepting payments.
Keep Reading
Show less
The tech industry is way ahead of the curve when it comes to setting climate goals, particularly compared to other major industries.
A new report out today from Climate Impact Partners, an organization that develops carbon market solutions, found that only 42% of Fortune Global 500 companies have taken climate action or committed to doing so by 2030. By contrast, more than 80% of tech companies within that group have done so, the highest percentage of any sector.
The report defines actions or commitments as one of four publicly stated aims: going carbon neutral, reaching net zero, setting science-based targets or securing 100% renewable energy.
The report analyzed the climate commitments of the 500 largest companies in the world by annual revenue. Together, they're responsible for at least 15% of global emissions (or more than 5.6 billion tons of carbon dioxide equivalent) annually. That means that the commitments they make — or don't — have a major impact on the climate.
The tech industry is more consumer-facing than some other sectors in the analysis, and public pressure may factor into why companies are more likely to set climate targets. In many cases, there are also readily available solutions, such as switching data center operations to run on renewables, compared to other industries. Industries like aerospace and defense, for example, have a much steeper path to decarbonization and under 20% of companies in those sectors have set a 2030 or sooner goal.
Still, some of the biggest tech companies haven't set 2030 climate goals. Though nearly 90% have made a major climate commitment for mid-century, under 10% have set goals between 2031 and 2050.
"Setting targets well beyond 2030, a critical decade to align with the goals of the Paris Agreement and limit warming to 1.5 degrees Celsius, indicates a lack of urgency and ambition," the report authors wrote.
“We’re encouraged to see more and more companies from this prestigious group put a stake in the ground and make climate commitments," Saskia Feast, Managing Director of Global Client Solutions at Climate Impact Partners said in a statement. "There are some signals, however, that ambition and urgency might be waning. Much of the growth in commitments this year has been driven by targets set well beyond 2030, which we know is a critical decade for the planet."
Indeed, the report also found that Fortune Global 500 companies that made climate commitments within the last year were more likely to have set 2050 goals than 2030 goals. And although almost 40% of these companies have any sort of net zero target, nearly a third of them exclude Scope 3 emissions from those targets. Scope 3 emissions include those from companies' supply chain partners and typically make up the bulk of companies' footprints. A serious climate plan needs to address these emissions, yet more than 20% of the world's biggest tech companies only include Scope 1 and 2 emissions in their net zero targets, omitting Scope 3 entirely.
The good news is that things are moving in the right direction, although perhaps not quickly enough. This is the fourth year of Climate Impact Partners' analysis of Fortune Global 500 companies and their climate commitments, and an increasing number of these companies are making specific and achievable climate commitments compared to years past. The group observed an 11% increase in companies with a 2030 commitment, 22% increase in companies with a 2050 target and 50% increase in companies making a net zero commitment.
Now, companies actually need to follow through.
Keep Reading
Show less
Privacy groups are outraged at New York's plan to install cameras in all subway cars in a bid to stop crime. The proposal, announced by Gov. Kathy Hochul on Tuesday, is an expansion of an earlier pilot project that the governor said was “working very well.” Under her expanded plan, there will be two cameras in each of New York’s 6,455 subway cars.
But civil liberties groups are raising alarms about the imminent plan, saying it is yet another example of an erosion of privacy. In a statement shortly after the speech, Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, condemned Hochul’s approach, describing it as “surveillance theater” that would put New Yorkers on “an express train to authoritarianism.”
The ACLU in New York also criticized Gov. Hochul's plans. "New York City is already home to tens of thousands [of] surveillance cameras and there’s no evidence this massive expansion of subway cameras will improve safety," it said in statement. "Real public safety comes from investing in our communities, not from omnipresent government surveillance."
Hochul, who made the announcement in a subway maintenance facility in Queens, said as ridership of the subway continues to slowly return to pre-pandemic levels, many remain concerned about transit crime. “That is why we are leaning into finding strategies and technologies to make sure that we address [it] just as we are doing here today,” she said. “If you think Big Brother is watching you on the subways, you are absolutely right, that is our intent,” she added.
But Cahn argues the proposal is "ripe for abuse by the NYPD."
"Big Brother’s spying never prevented crime before, and it won’t start now," his statement read. Earlier this month, Cahn's New York-based organization expressed concern about another plan, which would phase out the iconic MetroCard in 2023 and replace it with the digital OMNY vending machine and cards. The group called for the subway operator to guarantee that riders would still be able to use cash to pay for OMNY cards and shield riders' data from agencies such as Immigration and Customs Enforcement.
The subway system already has about 10,000 cameras, but until now, their reach has been contained to the platform and mezzanine. The city’s buses also have cameras installed. The mayor has also deployed more police officers on subways. But critics have pointed to the fact that during April's subway shooting, in which 10 people were injured by gunfire, existing cameras did not stop the crime, and it was later revealed the cameras in some stations were faulty. "This tech has failed us too many times to count," Cahn wrote. "In April, when the cameras were supposed to keep us safe, they couldn’t even capture the subway shooter’s image."
Despite being based in New York City, the governor of New York, not the mayor, has had overall responsibility for the subway system since 1968. During her speech, Hochul said the cameras would be paid for with a grant from the federal Department of Homeland Security and the subway’s operator, Metropolitan Transportation Authority. The cameras would not be monitored live, but footage will be used to conduct investigations.
Although Hochul said that transit crime in New York was down compared to pre-pandemic levels, recent high-profile killings on the subway — including the fatal shooting of a man in May and fatal pushing of a woman onto the tracks in Times Square in January — have contributed to the public perception that New York's transit system is unsafe.
Hochul, a Democrat, is currently running for re-election in New York. Her opponent, Republican Lee Zeldin, has made addressing crime a key part of his campaign.
This story was updated to include comment from the ACLU.
Keep Reading
Show less
Microsoft is hoping that adoption of its latest version of Windows 11 will wipe out a popular technique for stealing credentials, thanks to the company's move to turn on certain security features by default in the operating system.
The Windows 11 2022 update is generally available today. Among the on-by-default security features in the new version of Windows 11 is Credential Guard, which protects against the theft of login and password data stored in Windows.
The technique for stealing login and password information is known as "credential dumping," and it's widely used by attackers ranging from ransomware operators to nation-state hackers. Credential dumping entails copying credentials from several different areas within Windows, often with the help of a software tool such as Mimikatz.
Organizations will automatically be protected against this tactic by updating to the latest Windows 11 version, as Credential Guard will be turned on by default for the first time, according to David Weston, vice president for enterprise and OS security at Microsoft.
Ultimately, the new Windows 11 update "eradicates the most common techniques from a credential-dumping standpoint," Weston told Protocol.
Illegitimate use of credentials is the largest source of data breaches by far, according to Verizon, which found that credentials usage was responsible for 48% of breaches in 2021.
While Microsoft has offered Credential Guard as an optional feature since Windows 10, few organizations have used the feature because it wasn't on by default, Weston said.
For Microsoft to turn the feature on by default, the company had to ensure that the underlying technology used by Credential Guard, known as virtualization-based security, could run without delivering an outsized hit to PC performance, he said. Microsoft now feels confident that it's able to do that as part of the new version of Windows 11, according to Weston. (The ability to run virtualization-based security features by default was a main driver for the higher CPU requirements for Windows 11, Weston has said.)
Other security features will be on by default in the new Windows 11 version as well. Those include hypervisor-protected code integrity, which prevents the modification of Windows kernel code such as drivers (as occurred in the WannaCry attack), and another feature aimed at thwarting credential theft (credential isolation with Local Security Authority protection).
Meanwhile, Microsoft is also introducing features aimed at preventing malware (Smart App Control) and phishing (Microsoft Defender SmartScreen) in the latest Windows 11 update.
All in all, "I would say Windows 11 is substantially more secure than [Windows] 10 at this point, from a feature standpoint," Weston said. "I expect a lot of the momentum — particularly in commercial — for Windows 11 will be driven by security."
The successor to the Windows 10 operating system, Windows 11 was first introduced in October 2021. As of June, 23.1% of Windows PCs were running Windows 11, according to a report from AdDuplex.
Keep Reading
Show less
Leading U.S. companies including Amazon, Pfizer and PepsiCo have pledged to hire 20,000 refugees over the next three years.
The commitment was made at a summit organized by the Tent Partnership for Refugees, which was founded in 2016 by Hamdi Ulukaya, CEO of Chobani. The announcement comes at a time when the U.S. government expects to welcome more Ukrainian refugees as the war with Russia continues, with several thousand who fled from the Taliban in Afghanistan already in the country.
Amazon said it would hire 5,000 refugees in the next three years, the largest commitment among the 45 companies that pledged. PepsiCo and Pfizer will each hire 500 refugees.
“Being displaced from your homeland and having to start again somewhere is never easy,” Janet Saura, vice president of employee relations, WW Amazon Stores and Corporate, said. “Which is why we are committed to helping where we can, by providing refugees and other displaced people with access to meaningful employment.”
LinkedIn and Coursera pledged to work with refugee support agencies to offer training and networking for 6,000 and 7,500 refugees, respectively, so that they can find jobs in the U.S.
In 2021, Uber, Mastercard and Facebook made commitments to hire 95,000 Afghan refugees. That plan initially faced some hurdles, including the uncertain status of the Afghan people airlifted to U.S. bases around the world and a government bureaucracy gutted by the Trump administration’s anti-immigration policies.
Although significant, the commitments pale in comparison to the number of refugees already in the U.S., with more set to arrive. Nearly 90,000 Afghans have been resettled in the U.S., and in July, the Department of Homeland Security said 100,000 Ukrainians had been admitted in the country in the five months since the invasion and war with Russia began.
Correction: An earlier version of this story misstated the month in which DHS said 100,000 Ukrainians had been admitted. This story was updated on Sept. 20, 2022.
Keep Reading
Show less
The Department of the Treasury issued a request for comment Monday on Biden’s March executive order on cryptocurrency, creating a formal process around an issue that has already generated significant discussion. The Treasury is accepting comments through Nov. 3.
The order specifically directs the Treasury, along with other applicable agencies, to assure that laws and regulations prevent national security and financial risks. The Treasury is to use law enforcement and other measures to compel crypto entities to comply with anti-money laundering and counter the financing of terrorism best practices. Now, it’s requesting comment on how the agency alone and through private-public partnerships can best mitigate risks.
Though commenters can provide input as they see fit, the Treasury listed specific questions it would like addressed in the report. Most important for DeFi include questions about what risks are attached to peer-to-peer payments, how to maximize public-private information sharing for the purposes of monitoring illicit activity and how financial institutions offering cryptocurrencies can better integrate know-your-customer controls.
The agency also asked what “additional steps” it should take in order to prevent the use of digital assets by criminals. The Treasury is currently being sued by six plaintiffs, supported by Coinbase, over sanctions against cryptocurrency trader Tornado Cash. Tornado Cash was sanctioned because, according to the Treasury, it had been used to launder over $7 billion.
Now, the agency appears to be inviting comment on the move, though the phrasing implies that the agency is more interested in adding restrictions than removing sanctions. The agency also asked for “specific areas” where it can provide further clarity on AML/CFT and sanctions obligations, and how it should address “mixers and other anonymity-enhancing technologies.”
Keep Reading
Show less
It's still unclear whether the breach of Uber's internal IT systems, revealed on Thursday, was anything more than embarrassing for the company.
But for businesses everywhere, the attack should serve as yet another reminder that certain security controls that we once thought were a panacea are no such thing.
Specifically, multifactor authentication. This security control, which requires a second form of verification for a user to log into a corporate network, is considered essential for keeping the hackers out. But lately, hackers have been finding clever ways to beat it.
In the Uber breach, the method employed by the hacker appears to be what's known as an "MFA fatigue" attack: The attacker (posing as someone from IT) sends repeated login notifications to an employee until the employee approves it. Basically, the attacker wears the employee down. But once approved, the attacker is in.
"We thought MFA was always the silver bullet," said Bryan Murphy, senior director for consulting services and incident response at identity security vendor CyberArk.
In the past, "the conversation was always 'MFA everything,'" Murphy said. "Now we're starting to see that attackers are finding ways around it."
Another recent high-profile breach, the attack on Twilio, was a different version of the same story.
According to a blog from Cloudflare, which experienced a similar attack to Twilio, the attackers who targeted Twilio most likely tricked employees into giving them the one-time password that was used as the second factor for verification. That's because the employees were actually entering the code into a fake site maintained by the attackers, allowing the attackers to intercept the code and bypass the MFA protections.
Notably, there is one form of MFA that is still considered "unphishable." Hardware security keys that comply with the latest authentication standard, known as FIDO2, serve as a second factor that can't be thwarted because they require the user to physically touch the key. Cloudflare, which provides its employees with YubiKey hardware keys, said the attackers were unable to get around its use of MFA through the use of the keys, preventing the company from getting breached.
Uber said Monday that it doesn't appear the attackers, which it claimed were operating as part of the Lapsus$ group, were able to access any personal customer data or make any changes to its source code.
This story was updated with Uber's blog post on some of the details behind the breach.
Keep Reading
Show less
Most Popular
Bulletins