Builder.ai let you build a website or an app without coding — but with AI! Allegedly.

Builder was the great hope of Artificial Intelligence for the UK. It scored $450 million in venture funding — mostly from Microsoft and the Qatar Investment Fund.

Customers had mixed experiences with Builder. A lot of positive online reviews turned out to be written by Builder employees. The company also put several logos on their website of companies that were never its customers. [FT, 2024, archive]

Anyway, Builder finally went broke yesterday, after years of interesting financial activities and a few minor accounting scandals, such as allegedly falsified sales figures and an auditor with conflicts of interest.  [FT, archive]

CEO and founder Sachin Dev Duggal had stepped down in February — though he kept the job title “Chief Wizard.” [FT, archive]

Here’s how Builder’s front page — still working for the moment — says the process works: [Builder.ai, archive]

1. Chat to our AI, Natasha
2. Get a fixed price and accurate timings
3. Meet your own dedicated expert
4. AI assembles your app features like a LEGO set
5. Features are customised by human specialists
6. Your app is ready

The most “AI” part of the whole thing is Natasha the keyword bot at the start of the process.

Steps 3 and 5 are where A Guy Inside does the actual work: [builder.ai, archive]

Natasha recommends the best-suited developer for your app project, who then customises your code on our virtual desktop. We also use facial recognition to check that the developer working on your code is the same one Natasha picked.

That’s not AI, that’s outsourcing. Builder.ai was just hiring your work out to A Guy Instead. But it was marketed to its venture funders as “AI.”

Builder claimed that the fabulous Natasha AI did most of the development planning. Builder also claimed that Microsoft wanted to use Natasha to sell customers business app development. [press release, 2024; TFN, 2023]

But there’s no evidence that “Natasha” wasn’t just a human doing all the tricky bits. Because Builder had past form on using A Guy Instead.

Back when Builder was called Engineer.AI, they were caught in 2019 selling “AI” development with a bot called Natasha that turned out to be some guys in India who wrote the app for you. Engineer.AI told the Wall Street Journal at the time that the alleged AI was just “human-assisted.” Yeah, 100% human assisted. [WSJ, 2019, archive]

It’s not clear if anything’s left of Builder.ai. There’s no money and there’s no AI. But the real reward was the wild “off-site company meetings” along the way, where they splashed out the investor cash on a week in a five-star hotel in Vietnam for the employees. And Natasha the keyword bot. [FT, 2024, archive]

• Video version

Free training for displaced government employees

US Government employees (and former employees) are going through a lot of chaos. Many of our colleagues, collaborators, and friends are out of work — suddenly and unexpectedly.

At Shostack + Associates, we can’t fix that. But we can offer something concrete.

In times of uncertainty, we focus on what we know, and what we know is threat modeling and how to teach it. It’s what we do best, and it’s how we can help.

We’re opening a free instance of our Threat Modeling Intensive course — a $3,900 value — no strings attached. This will be a distributed, live instruction instance of the course for people whose government jobs have gone. The course is designed for technologists who have at least a couple years of experience as a software developer, systems operator or technical project manager, and have shipped one or more systems.

This is the full version of our most popular training. It’s practical, focused, and designed to help you move into a new role with in-demand skills. It’s interactive and hands on. You’ll be threat modeling and collaborating to get peer feedback and review. Complete the work and you'll finish the week with new capabilities and a course completion certificate.

The course runs the week of July 7. We don’t want to cap attendance, but our training is interactive, so we need to use the Zoom meeting form, and that leads to participation limits. So if you sign up, please do so with a plan to attend and participate. If you’ve lost your job — sign up. We’ll cover the full cost. You bring your attention and drive, and you can sign up at our Google form. Also, you can learn more about the course on our general Threat Modeling Intensive Course page.

In the spirit of transparency, there’s something in this for us too: one of our major customers is planning a large-scale course, and we want to experiment and see if there’s limits to how many folks we can teach effectively. We're confident in our approach. We believe that our mix of hands-on, small peer group discussions and larger full class discussions can scale. And we love experimentation and learning.

Please share this with anyone you know who’s been impacted. We’ll do our best to make this useful, relevant, and hopefully a step towards something new.

PS: If this sounds good but you’re not an impacted government employee, we have upcoming open trainings at OWASP Global Appsec Barcelona (May) and Blackhat in Las Vegas (Aug 2-3 or 4-5), as well as self-pace trainings and private offerings.

Update: Bolded the descriptions of who the course is for and alternatives after weeding through responses.

Because you, as a person who reads blogs, are dear to me– you get to be among the first to know that the new DC Tech Events site is live.

I’m still tweaking, but I’m pleased with how it works right now– it’s a static site deployed on Github Pages. There’s a form for submitting events, but behind the scenes that just opens a pull request.

Next up: getting the newsletter piece up and running.

by Jennifer Smith Richards and Jodi S. Cohen

ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up for Dispatches, a newsletter that spotlights wrongdoing around the country, to receive our stories in your inbox every week.

A short video taken inside an Illinois school captured troubling behavior: A teacher gripping a 6-year-old boy with autism by the ankle and dragging him down the hallway on his back.

The early-April incident would’ve been upsetting in any school, but it happened at the Garrison School, part of a special education district where at one time students were arrested at the highest rate of any district in the country. The teacher was charged with battery weeks later after pressure from the student’s parents.

It’s been about eight months since the U.S. Department of Education directed Garrison to change the way it responded to the behavior of students with disabilities. The department said it would monitor the Four Rivers Special Education District, which operates Garrison, following a ProPublica and Chicago Tribune investigation in 2022 that found the school frequently involved police and used controversial disciplinary methods.

But the department’s Office for Civil Rights regional office in Chicago, which was responsible for Illinois and five other states, was one of seven abolished by President Donald Trump’s administration in March; the offices were closed and their entire staff was fired.

The future of oversight at Four Rivers, in west-central Illinois, is now uncertain. There’s no record of any communication from the Education Department to the district since Trump took office, and his administration has terminated an antidiscrimination agreement with at least one school district, in South Dakota.

In the April incident, Xander Reed, who has autism and does not speak, did not stop playing with blocks and go to P.E. when he was told to, according to a police report. Xander then “became agitated and fell to the ground,” the report said. When he refused to get up, a substitute teacher, Rhea Drake, dragged him to the gym.

Another staff member took a photo and alerted school leadership. Principal Amy Haarmann told police that Drake’s actions “were not an acceptable practice at the school,” the police report said.

Xander’s family asked to press charges. Drake, who had been working in Xander’s classroom for more than a month, was charged about three weeks later with misdemeanor battery, records show. She has pleaded not guilty. Her attorney told ProPublica that he and Drake did not want to comment for this story.

Tracey Fair, the district’s director, said school officials made sure students were safe following the incident and that Drake won’t be returning to the district. She declined to comment further about the incident, but said school officials take their “obligation to keep students and staff safe very seriously.”

Doug Thompson, chief of police in Jacksonville, where the school is located, said he could not discuss the case.

A screenshot from a recording of a CCTV video shows Xander Reed being dragged down the hallway by a teacher at the Garrison School. (Obtained by ProPublica)

Xander’s mother, Amanda, said her son is fearful about going to Garrison, where she said he also has been punished by being put in a school “crisis room,” a small space where students are taken when staff feel they misbehave or need time alone. “He has not wanted to go to school,” she said. “We want him to get an education. We want him to be with other kids.”

Four Rivers serves an eight-county area, and students at Garrison range from kindergartners through high schoolers. About 70 students were enrolled at the start of the school year. Districts who feel they aren’t able to educate a student in neighborhood schools send them to Four Rivers; Xander travels 40 minutes each way to attend Garrison.

The federal scrutiny of Garrison began after ProPublica and the Tribune revealed that during a five-year period, school employees called police to report student misbehavior every other school day, on average. Police made more than 100 arrests of students as young as 9 during that period. They were handcuffed and taken to the police station for being disruptive or disobedient; if they’d physically lashed out at staff, they often were charged with felony aggravated battery.

Garrison School is part of a special education district that’s supposed to be under federal monitoring for violating the civil rights of its disabled students. (Bryan Birks for ProPublica)

The news organizations also found that Garrison employees frequently removed students from their classrooms and sent them to crisis rooms when the students were upset, disobedient or aggressive.

The Office for Civil Rights’ findings echoed those of the news investigation. It determined that Garrison routinely sent students to police for noncriminal conduct that could have been related to their disabilities — something prohibited by federal law.

The district was to report its progress in making changes to the OCR by last December, which it appears to have done, according to documents ProPublica obtained through a public records request.

But the records show the OCR has not communicated with the district since then and it’s not clear what will come of the work at Four Rivers. The OCR has terminated at least one agreement it entered into last year — a deal with a South Dakota school district that had agreed to take steps to end discrimination against its Native American students. Spokespeople for the Education Department did not respond to questions from ProPublica.

Scott Reed, 6-year-old Xander Reed’s father, said he and Xander’s mother were aware of the frequent use of police as disciplinarians at Four Rivers and of OCR’s involvement. But they reluctantly enrolled him this school year because they were told there were no other options.

“You can say you’ve made all these changes, but you haven’t,” Scott Reed said. For example, he said, even after confirming that Drake had dragged the 50-pound boy down the hall, school leadership sent her home. “They did not call police until I arrived at school and demanded it” hours later, he said.

“If that was a student” that acted that way, “they would have been in handcuffs.”

Scott and Amanda Reed, Xander’s parents, enrolled their son in Garrison School after being told they had no other options. (Bryan Birks for ProPublica)

New ProPublica reporting has found that since school began in August, police have been called to the school at least 30 times in response to student behavior.

Thompson, the police chief, told ProPublica that, in one instance, officers were summoned because a student was saying “inappropriate things.” They also were called last month after a report that a student punched and bit staff members. The officers “helped to calm the student,” according to the local newspaper’s police blotter.

And police have continued to arrest Garrison students. There have been six arrests of students for property damage or aggravated battery this school year, police data shows. A 15-year-old girl was arrested for spitting in a staff member’s face, and a 10-year-old boy was arrested after being accused of hitting an employee. There were at least nine student arrests last school year, according to police data.

Thompson said four students between the ages of 10 and 16 have been arrested this school year on the more serious aggravated battery charge; one of the students was arrested three times. He said he thinks police calls to Garrison are inevitable, but that school staff are now handling more student behavioral concerns without reaching out to police.

“I feel like now the calls for service are more geared toward they have done what they can and they now need help,” Thompson said. “They have attempted to de-escalate themselves and the student is not cooperating still or it is out of their control and they need more assistance.”

Police were called to the school last week to deal with “a disturbance involving a student,” according to the police blotter in Jacksonville’s local newspaper. It didn’t end in an arrest this time; a parent arrived and “made the student obey staff members.”

During the last few weeks I've been consumed with researching TeleMessage, the Israeli firm that makes TM SGNL, the insecure version of Signal that former national security advisor Mike Waltz was photographed using.

After writing a few posts about it, on May 3, an anonymous source told me that they had hacked TeleMessage, and they told me exactly how they did it. When Joseph Cox and I broke the news about the hack for 404 Media, we didn't include any of the juicy details because it would be so trivial for anyone on the internet to reproduce it. Since then, TeleMessage has taken down their service, so this isn't a risk anymore.

Today, I wrote an article for WIRED (my first byline there!) that describes, in detail, exactly how TeleMessage got hacked in "about 15-20 minutes," according to my source. From my article:

“I first looked at the admin panel secure.telemessage.com and noticed that they were hashing passwords to MD5 on the client side, something that negates the security benefits of hashing passwords, as the hash effectively becomes the password,” the hacker said. (Hashing is a way of cryptographically obfuscating a password stored on a system, and MD5 is an inadequate version of the algorithms used to do so.) Drop Site News has since reported that it appears that this admin panel exposed email addresses, passwords, usernames, and phone numbers to the public.

The weak password hashing, and the fact that the TeleMessage site was programmed with JSP—an early 2000s-era technology for creating web apps in Java—gave the hacker “the impression that their security must be poor.” Hoping to find vulnerable JSP files, the hacker then used feroxbuster, a tool that can quickly find publicly available resources on a website, on secure.telemessage.com.

The hacker also used feroxbuster on archive.telemessage.com, another domain used by TeleMessage, which is where they discovered the vulnerable URL: archive.telemessage.com/management/heapdump. When they loaded this URL, the server responded with a Java heap dump, which is a roughly 150 MB file containing a snapshot of the server’s memory at the moment the URL was loaded.

Read my full reporting on WIRED.

There’s not enough spare utility power for the xAI data centre in South Memphis, Tennessee — so it runs off 35 gas turbines with no emission controls. They’re just pumping nitrous oxide out into the air. [Politico]

The gas turbines are “temporary” — which means they’re running off no permits in maximum pollution mode because Musk thinks he can get away with it.

xAI’s environmental consultant, Shannon Lynn, says “there’s rules that say temporary sources can be in place for up to 364 days a year. They are not subject to permitting requirements.”

xAI has applied for permits for the first set of turbines. But it won’t install pollution controls unless and until its permits are approved. At that point, xAI will be “the lowest-emitting facility in the country,” allegedly.

The Southern Environmental Law Center says the gas turbines are just straight-up illegal and is pressuring the authorities to act against them.

In fact, the SELC has discovered xAI’s new plans to build a second data centre in South Memphis. That’ll need 1.1 gigawatts, and they plan to power it with another 40 to 90 gas turbines! [SELC; Capacity; SELC]

Other data centre operators are watching closely to see what Musk gets away with at xAI. If this is allowed to pass, they will all be doing the same. Look forward to an AI smog generator in your town!

• Video version