Tech Brew Ride Home - Tue. 07/02 – Single Points Of Failure For Cyberattacks
Episode Date: July 2, 2024
A recent Evolve Bank and Trust cyberattack might impact a lot of tech customers. Why single points of failure impact cyberattacks. YouTube will soon let you take down videos like you’re a Hollywood studio. And big tech’s playbook for AI acquisitions that the regulators can’t frown at.
Sponsors: CleanMyMac X Promocode: techmeme
Links:
Fintech company Wise says some customers affected by Evolve Bank data breach (TechCrunch)
CDK Global Hack Shows Risk of One Software Vendor Dominating an Industry (WSJ)
Supreme Court orders new look at social media laws in Texas and Florida (CBSNews)
Exclusive: Nvidia set to face French antitrust charges, sources say (Reuters)
YouTube now lets you request removal of AI-generated content that simulates your face or voice (TechCrunch)
This is Big Tech’s playbook for swallowing the AI industry (The Verge)
Transcript
Welcome to the Techmeme Ride Home for Tuesday, July 2nd, 2024. I'm Brian McCullough. Today: a recent
Evolve Bank and Trust cyber attack might impact a lot of tech customers. Why single points of failure
impact cyber attacks. YouTube will soon let you too take down videos like you're a big Hollywood
studio. And big tech's playbook for AI acquisitions that the regulators can't frown at.
Here's what you missed today in the world of tech. Wise, Affirm, Mercury,
and other companies say they're investigating how a recent ransomware attack by LockBit on Evolve Bank
and Trust has impacted their customers. If you're not familiar with these customers,
aside from Affirm being a major buy-now-pay-later company, their customers are a lot of tech
startups and crypto folks. Quoting TechCrunch: The money transfer and fintech company Wise announced
on Friday that some of its customers' personal data may have been stolen in the recent
data breach at Evolve Bank and Trust. The news highlights that the fallout from the Evolve data breach
on third-party companies and their customers and users is still unclear, and it's likely that
it includes companies and startups that are yet unknown. In a statement published on its official
website, Wise wrote that the company worked with Evolve from 2020 to 2023, quote,
to provide USD account details. And given that Evolve was breached recently, quote,
some Wise customers' personal information may have been involved, end quote.
So far, Affirm, EarnIn, Marqeta, Melio, and Mercury, all Evolve partners, have acknowledged
that they are investigating how the Evolve breach impacted their customers.
On Monday, fintech reporter Jason Mikula shared on X a notification that Branch,
another Evolve partner, had sent to a customer.
Branch has yet to respond to repeated requests for comment from TechCrunch.
When reached by TechCrunch for comment, asking whether Evolve knows how many partner companies, old and current, and end users have been affected by the breach, and whether Evolve has already contacted all of them, Evolve spokesperson Eric Helvey declined to comment and referred to the company's official statement on its website. As of this writing, the statement says Evolve, quote, continues to work around the clock to respond to the recent cybersecurity incident and promises to provide further updates. The company said the breach was a ransomware attack by the LockBit
cybercrime gang due to an employee clicking on a malicious link in May of this year, end quote.
See if this one doesn't rhyme with that previous one. Other security incidents I haven't told you about
include cyber attacks against Change Healthcare and especially against CDK Global, which has hampered
the operations of around 15,000 car dealerships. I'm mentioning and rounding up these incidents
to highlight how, just like in that previous segment, for some industries, there seems to be
worryingly, a single point of failure when it comes to cyber attacks.
Quoting the Wall Street Journal.
Airlines, banks, and health care providers all use a handful of niche software providers,
many of which have been dominant for decades, for key functions such as booking flights,
processing payments, and managing patient data.
The arrangements reflect the highly specialized fields they serve, as well as a hesitancy
among customers to shift their mission-critical operations away from industry-specific software,
considered the brains or heart of their businesses.
These software tools become familiar over time,
and doctors, bankers, and airline operators prefer to stick with them.
There are no easy fixes.
Adding more software suppliers to the mix can actually introduce new avenues for cyber attacks.
But relying on a single vendor can lead to an attack or other outage
that swamps an entire industry like the one that took down car dealers across the country.
Though the auto dealer industry is unique in relying so heavily on one supplier, it is common for software makers in the airline, banking, and healthcare sectors to each control about one-third of the market.
That is still a risk because those core systems connect to many other functions, such as completing wire transfers, digitally communicating with patients, and checking in for flights.
There's a huge risk that somebody, a core processor, their core system might get compromised, said Carlos Naudon, chief executive of New York's
Ponce Bank. Then how do you protect? How do you isolate that core that got nailed with all of the
other systems? End quote. For U.S. auto dealers, it could be too late. Dealerships across the country
resorted to workarounds to keep track of sales, repairs, and orders last week after software provider
CDK said it was hit by two cyber attacks. The company's software is essential for all functions
inside a dealership, from managing websites to tracking inventory and customer data. CDK controls nearly
50% of the dealership software market in the U.S. by some estimates. The vendor concentration
that allowed such a catastrophic event to happen was years in the making, according to Gartner
auto technology analyst Mike Ramsey. Founded 50 years ago, CDK was spun out of the human resources
software firm ADP in 2014 and acquired by Brookfield Business Partners in 2022. It was one of the first
to offer car dealers software to manage their operations, Ramsey said, and automakers have since
pushed dealers to use CDK because its software was designed to meet their specifications.
That first mover advantage has been hard to crack. Microsoft attempted to enter the market by
introducing a product in 2006, but it never really found its footing, he added.
Similar scenarios could be playing out in other industries where dominant software vendors like
CDK control large swaths of the market for critical business functions. If I was a cybercriminal,
of course I would go after CDK, they're the biggest, Ramsey said, end quote.
You might have heard there were some big Supreme Court rulings yesterday, though you might have missed a big one for the tech industry, or maybe more accurately, the lack of a ruling.
The Supreme Court of the United States ordered lower courts to take another look at Texas's and Florida's social media laws,
saying neither lower court conducted proper analysis of the First Amendment challenges involved in those laws.
Quoting CBS News: Justice Elena Kagan delivered the court's opinion, which tossed out
lower court rulings and sent the two cases back for further proceedings. The court said neither lower court
conducted the proper analysis of the First Amendment challenges to the laws regulating major social
media platforms. There were no noted dissents, although some justices concurred in part.
The question in such a case is whether a law's unconstitutional applications are substantial
compared to its constitutional ones. To make that judgment, a court must determine a law's
full set of applications, evaluate which are constitutional and which are not,
and compare the one to the other, Kagan wrote. Neither court performed that necessary inquiry, end quote.
The case concerns a Republican-backed law in Texas that regulates platforms with more than 50 million active monthly users.
The law imposes rules for content moderation and requires platforms to notify users when posts are removed and provide an explanation.
The platforms are also required to disclose how they moderate their content and make clear how they prioritize posts through their algorithms.
Two online trade associations, whose members include Google, Meta, and X, challenged the law in federal district court in 2021.
That court blocked enforcement of certain provisions of the law and the U.S. Court of Appeals for the Fifth Circuit halted the order, allowing the law to take effect.
The trade associations then sought emergency relief from the Supreme Court, which voted five to four to block the Texas law while legal proceedings continued.
The Fifth Circuit Court later reversed the district court's preliminary injunction, finding that the social media platforms'
efforts to moderate content are not speech protected by the First Amendment. Despite ordering the
cases back to lower courts, that didn't stop the justices from delivering criticism and making
suggestions about the deeper issues. Kagan wrote that in some applications the Texas law is
unlikely to withstand First Amendment scrutiny, adding that the Fifth Circuit's decision,
quote, rested on a serious misunderstanding of First Amendment precedent and principle. In a concurring
opinion, Justice Barrett stated that even more clearly: the, quote, 11th Circuit's
understanding of the First Amendment's protection of editorial discretion was generally correct,
referring to the Florida case, while in the Texas case the Fifth Circuit's was not, end quote.
Justice Samuel Alito, though he concurred in the judgment, wrote that the court's description
of the Florida and Texas laws and the litigation, quote, leaves much to be desired,
calling its broader suggestions unnecessary and unjustified.
Justice Gorsuch and Justice Clarence Thomas joined Alito's concurring opinion, end quote.
Sources say French antitrust regulators are preparing to charge Nvidia for allegedly anti-competitive practices after raids in the GPU sector back in September of 2023 that I think we noted at the time. Quoting Reuters:
The French so-called statement of objections or charge sheet would follow dawn raids in the graphics card sector in September last year, which sources said targeted Nvidia.
The raids were the result of a broader inquiry into cloud computing.
The French watchdog in a report issued last Friday on competition in generative AI cited the risk of abuse by chip providers.
It voiced concerns regarding the sector's dependence on Nvidia's CUDA chip programming software,
the only system that is 100% compatible with the GPUs that have been essential for accelerating computing.
It also cited unease about Nvidia's recent investments in AI-focused cloud service providers such as CoreWeave.
Companies risk fines as much as 10% of their global annual turnover for breaching French antitrust
rules, although they can also provide concessions to stave off penalties. The U.S. Department of Justice
is taking the lead in investigating NVIDIA as it divvies up big tech scrutiny with the Federal Trade
Commission, a source familiar with the matter has told Reuters, end quote. You know how YouTube has
long had this comprehensive policy where rights holders, you know, Hollywood studios, music companies
and the like, can request videos be taken down from YouTube if they feel their content is being
used in ways they don't want? Well, now you too can do this, as YouTube has rolled out a policy
change that will let people request the takedown of AI-generated or other synthetic content
that simulates their face or voice. Quoting TechCrunch: Instead of requesting the content
be taken down for being misleading, like a deepfake, YouTube wants the affected parties to request
the content's removal directly as a privacy violation. According to YouTube's recently updated
help documentation on the topic, it requires first party claims outside a handful of exceptions,
like when the affected individual is a minor, doesn't have access to a computer, is deceased,
or other such exceptions. Simply submitting the request for a takedown doesn't necessarily mean
the content will be removed, however. YouTube cautions that it will make
its own judgment about the complaint based on a variety of factors. For instance, it may consider if the
content is disclosed as being synthetic or made with AI, whether it uniquely identifies a person,
and whether the content should be considered parody, satire, or something else of value in the
public's interests. The company additionally notes that it may consider whether the AI content
features a public figure or other well-known individual and whether or not it shows them engaging
in, quote, sensitive behavior like criminal activity, violence, or endorsing a product or political
candidate. The latter is particularly concerning in an election year where AI-generated endorsements
could potentially swing votes. YouTube says it will also give the content's uploader 48 hours to act on the
complaint. If the content is removed before that time has passed, the complaint is closed. Otherwise,
YouTube will initiate a review. The company also warns users that removal means fully removing the
video from the site and, if applicable, removing the individual's name and personal information
from the title, description, and tags of the video as well. Users can also blur
out the faces of people in their videos, but they can't simply make the video private to comply
with the removal request, as the video could be set back to public status at any time, end quote.
Well, it's happening again. Amazon has hired the CEO and co-founders of Adept, a startup which
builds AI agents that automate enterprise workflows. It's going to have these people join its
AGI team, and will use some of Adept's tech.
More on that in a second. Notably, Amazon did not acquire Adept itself. Adept has raised $350 million
at a greater than $1 billion valuation. Reminiscent here of what Microsoft did with Inflection when it
hired Mustafa Suleyman, but left Inflection to limp along as a zombie company after, again, paying a license
for its technology. Over at The Verge, Alex Heath outlines this sort of reverse acquihire, what indeed
seems to be Big Tech's newest method for swallowing the AI industry without dealing with pesky regulators.
Quote, Alexander Miller, an Amazon spokesperson, told The Verge that the company had hired close to 66%
of Adept's employees.
In an internal memo published by GeekWire's Taylor Soper, SVP Rohit Prasad said that,
like Microsoft with Inflection, Amazon will also be licensing Adept's technology to, quote,
accelerate our roadmap for building digital agents that can automate software workflow.
Adept's corporate blog post about the news suggests that it was running out of money.
Quote, continuing with Adept's initial plan of building both useful general intelligence
and an enterprise agent product would have required spending significant attention on fundraising
for our foundation models rather than bringing to life our agent vision.
Recent reports say the company has been looking to sell itself.
The reality is that building leading AI models is extremely costly,
and raising $400 million isn't even enough to compete these
days. Big Tech, meanwhile, is flush with cash and looking to get in on what everyone perceives
to be the next big thing. It's logical for more AI startups to go the way of Inflection and
Adept as the industry consolidates. The problem for big tech is that they are no longer
allowed to buy companies like they once did. The current antitrust enforcement regime
would most certainly try to block an Amazon acquisition of Adept, whether there is a strong
legal argument for doing so or not. Amazon execs are still seething about not being allowed to buy a robot
vacuum cleaner company. Even still, capitalism finds a way. What Microsoft did to Inflection and what
Amazon just did to Adept is the new big tech playbook for swallowing the AI industry and getting away
with it. Silicon Valley has a storied history of acquihires where a startup is gutted for its people
and left for dead. Microsoft and Amazon have done what are essentially reverse acquihires where the
hiring of people and a corresponding licensing deal is designed to disguise what is actually an
acquisition, end quote. So if that wasn't clear, here's the playbook outlined. You hire the founders
and the talent of the company. You offer them hefty salaries and signing bonuses and equity. Why?
Because those folks had equity in the startup they had founded. Maybe they see the writing on the
wall. Their startup was maybe in trouble of running out of money, so they'll take your checks.
They may not make the millions or billions they hoped had the company succeeded, but something is
better than nothing, maybe a lot of some things in this case. Then you offer to license the technology
from the zombie company for roughly what the most recent valuation of the startup was,
or at least some number of pennies on the dollar. Why? Well, number one, you still get the technology
that that startup had. You get to use it. You just pay a license for it. And in a best case scenario,
the startup pockets that license fee, pays it out to investors, who are then, in theory, made
whole, and then you either shut down the startup or recapitalize it with a new team to pivot,
hopefully to something new. In the case of the earliest investors, this could even be a very good
deal, as they'd be making multiples on what they would have made had this acquisition been a
normal acquisition, as we would understand it. And regulators don't have a chance to intervene
or even frown. Is this a loophole? Sure. But unless something changes, I don't see how this
isn't also perfectly legal. But I guess we'll see, as we know, the regulators are taking a hard look
at that Inflection deal. Yeah, it's that licensing deal that is the key there. I could never
figure out how the original investors were being made whole, but it's that licensing deal
that provides the cash to then make everybody happy about this arrangement. Quick note that the show
could be a bit late tomorrow. We're taking the car ferry across Lake Michigan. Unclear
what my Wi-Fi availability will be on the boat in the middle of Lake Michigan.
So if it's an hour or two late, that's why. Talk to you tomorrow.
