Month: August 2018

01 Aug 2018

What can we learn from the Dixons data breach that blew up after disclosure

European consumer electronics retailer Dixons Carphone’s apologetic admission yesterday that a 2017 data breach was in fact considerably worse than it first reported suggests disclosures of major breaches could get a bit more messy — at least under the early reign of the region’s tough new data protection framework, GDPR — as organizations scramble to comply with requirements to communicate serious breaches “without undue delay”.

Although, to be clear, it’s not the regulation that’s the problem. Dixons’ handling of this particular security incident has come in for sharp criticism — and is most certainly not a textbook example of how to proceed.

Dixons Carphone disclosed a breach of 5.9M payment cards and 1.2M customer records in mid June, saying it had discovered the unauthorized access to its systems during a security review.

However this week the company revised upwards the number of customer records affected — to around 10M. The breach itself occurred sometime last year.

“They are clearly concerned about regulatory enforcement but they seem completely unprepared to handle customer reactions. With privacy and security awareness increasing exponentially, it will not be long before we see customer churn, reputational damage, and further decrease in the value of the business as a result of such a poor response to a very large breach,” says Enza Iannopollo, a security expert at the analyst Forrester, responding to Dixons’ revised report of the security incident in a statement yesterday.

The ballooning size of the Dixons breach is interesting in light of Europe’s strict new data protection regulation, which put the onus on data controllers to disclose breaches rapidly. Rather than — as has all-too-often been the case — sitting like broody hens waiting for the most opportune corporate moment to hatch a confession, yet leaving their users in the dark in the meanwhile, unwittingly shouldering all the risk.

In the case of this Dixons 2017 breach (NB: it’s not the only breach the Group has suffered), it’s not yet clear whether the EU’s new regulation will apply (given the incident was publicly disclosed after GDPR had come into force); or whether it will fall under the UK’s prior data protection regime — given the hack itself occurred prior to May 25, when GDPR came into force.

A spokesperson for the UK’s Information Commissioner’s Office (ICO) told us: “Our investigation has not yet concluded which data protection law applies in this case — DPA98 or the GDPR.”

While the UK’s Data Protection Act 1998 encouraged data controllers to disclose serious data breaches, the EU’s General Data Protection Regulation (transposed into national law in the UK via the DPA 2018) goes much further, putting in place a universal obligation to report serious breaches of personal data within 72 hours of becoming aware of an incident. And of course this means not just personal data that’s been actually confirmed as lost or stolen but also when a security incident entails the risk of unauthorized access to customer data.

The exception to ‘undue delay within 72 hours’ is where a personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Which, while it’s clear that not every breach will require disclosure (say for example if personal data was robustly encrypted a company may deem it unnecessary to disclose a breach), is a caveat that still sets a pretty low disclosure bar. At least where a breach entails a risk of personal information being extracted from compromised data. (Which is yet another reason why strong encryption is good for everyone.)

Certainly, any companies discovering a breach that puts their customers at risk, and which took place on or after May 25, 2018, but which then decide to ‘do an Uber’ — i.e. sit on it for the best part of a year before ‘fessing up — will put themselves squarely in EU regulators’ crosshairs for an equally major penalty. (GDPR has supersized fines for data violations — and therefore also something that the bloc’s DP law has sorely lacked for years: Teeth to encourage compliance.)

If a breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms” the regulation also urges data controllers to communicate the incident to the people affected — and do so without “undue delay”.

Dixons said in June that it was contacting “those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take”. But at that time it only thought 1.2M people had been affected.

More than a month later it now puts the number of records swiped at ~10M — and yet is only now contacting the millions more customers whose data was also compromised last year.

Clearly, this is not a good look. Customers who got faux reassurance in June, when the company did not write to them to warn them their data was at risk, will feel rightly angry about any delay in communicating with them.

It will be up to the UK’s data protection watchdog to decide whether Dixons’ security practices and response to the breach of its systems meet the standards it expects from data controllers. And a lot will depend upon whether the incident falls under the DPA98, which encourages disclosures of serious breaches but does not legally require them by a deadline, vs GDPR which absolutely does.

The maximum possible penalties under the two regimes are also very different: With the ICO capable of issuing a maximum fine of just £500k under the DPA98 (it recently announced it would be issuing a fine of this size to Facebook, for instance, for data misuse related to the Cambridge Analytica incident — which took place in 2014); and up to €20M (or 4% of the total worldwide annual turnover of the preceding financial year) under GDPR.

For a sense of what a GDPR level fine would mean for Dixons Carphone, the company’s 2017/18 revenue is around £10.5BN so — if GDPR were indeed to apply — it would be facing a maximum possible penalty of £420M. Which would surely get the shareholders talking.

But Iannopollo argues it’s not even the risk of major financial penalties that companies are most worried about when it comes to GDPR compliance — rather it’s damage to their reputation and to customer trust that’s really making them sweat.

In a recent Forrester survey, asking companies about their biggest concerns vis-a-vis the consequences of failure to comply with the regulation, Iannopollo says the main worries reported to it were loss of customer trust and reputational damage, followed by regulatory enforcement — with fines coming lower down the list.

“It’s interesting the point about regulatory enforcement — I remember working with a number of banks and actually they were very worried about enforcement action,” she adds. “You don’t want a regulator to impose on you a specific process to handle data. You don’t want a regulator to impose on you a limitation on some processing activities. And they understand that the effect of such an enforcement action can probably be even more detrimental than a fine in some ways.”

Whatever the particular driver, security must now be front of mind for any (well run) organization routinely handling the personal data of EU people. Because the risks for screwing up are getting real.

It’s also clear that consumers are waking up to the fact their personal information is at risk — doubtless in large part because of how poorly their data has been protected before now — and also waking up to the fact they have enhanced data rights they can exercise to help manage and shrink their personal risk.

“Probably the biggest push to GDPR enforcement is coming from customers themselves, both end users and business customers,” says Iannopollo.

Discussing Dixons’ breach response, she is very critical of the company’s lack of customer focus in its public comments. “I saw a lot of emphasis around whether the breach happened before GDPR — so hoping that there was not this standard. And also there was something else that was said about ‘there is no evidence that our customers suffered any financial loss’ as a result of the breach. And again it’s interesting because until a few days ago they didn’t even know the breadth of the breach and now they are saying there wasn’t a financial loss so we’re not prepared to provide compensation. This is not exactly what we see as a constructive way to tackle the breach and help your customers figure out how they can be safe even if you lost their data,” she says.

“In the UK customers can ask for compensation even if they have emotional distress as a result of a breach — there is a potential to develop class action for the mishandling of customer data,” she adds. “And also they said well we are now finally sending some letters to our customers to try and explain what happened — well it’s way too late. Your customers are already very worried. There is no way this company can now show in any way the customers that they have competency over what happened because clearly we all doubt that actually there is some competency there. And actually I don’t think that they are showing there is a remediation strategy in place for their customers.

“All they did was to say that we don’t have any evidence of financial losses so we are not ready to compensate. Are you really taking care of your customers in this instance? Are you really showing that there is a commitment to make sure that they still feel that you are responsible for their data, doing your best to protect this data? I don’t think so. The executive team were involved but I don’t think they were doing really a good job from their customer sentiment and customer trust point of view.”

In its statement yesterday, the company’s CEO Alex Baldock said he was “disappointed in having fallen short” — and apologized “for any distress we’ve caused our customers”, adding that the company is “fully committed” to safeguarding customers’ personal data.

A month earlier, when the company disclosed a much smaller sized breach, he had said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here.”

Does Iannopollo believe GDPR’s breach disclosure requirements could lead to more disclosures that similarly inflate in size after the fact — i.e. because an initial disclosure put out to hit the GDPR 72-hour disclosure window gets revised upwards later — at least in the short term, as companies that perhaps have not yet doubled down on their security investments, let alone rearchitected any data processes, are caught on the hop?

“It remains a technical challenge to understand what happened, quantify the number of records that were lost — so all that forensics work and the classic incident response immediately after you discover the breach cannot necessarily provide a full answer, a full picture immediately after — so definitely there is a part of that [that] is a genuine delay. And the regulation accounts for this,” she replies on that.

“Regulators do expect organizations to do a first disclosure, but also they give an opportunity to organizations to come back and provide additional details as they become available. Again it’s very genuine, the idea here — it’s not a strategy to avoid a potential fine; the regulator understands companies might need more time.”

We asked the ICO how it’s likely to respond to breach reports that are revised upwards a considerable time after the initial disclosure (such as one month+ in Dixons’ case).

A spokeswoman for the watchdog told us the regulation does allow for phased breach reporting, as more information is uncovered during an investigation. However she also emphasized that it expects the investigation to be prioritized — so, again, that there be no additional “undue” delays in any follow-on disclosures.

“In general terms the GDPR’s rules around personal data breach reporting recognize that it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. So Article 34(4) allows organizations to provide the required information in phases, as long as this is done without undue further delay,” the ICO told us.

“However, we expect controllers to prioritise the investigation, give it adequate resources, and expedite it urgently. They must still notify us of the breach when they become aware of it, and submit further information as soon as possible. If they know they won’t be able to provide full details within 72 hours, it is a good idea to explain the delay to us and tell us when to expect more information.”

The watchdog has more guidance on how data controllers should handle breach disclosures here.

Iannopollo reckons organizations won’t (or shouldn’t) struggle to make a breach disclosure to their regulator within the GDPR timeframe — pointing to rising numbers of reports being made to DPAs in the wake of GDPR coming into force. (Late last month Ireland’s Data Protection Commission said it had received more than 1,100 reports of data breaches since May 25 vs an average of just 230 prior to GDPR, for instance.)

What she argues is more challenging for organizations to get right is not to lose sight of the impact of a breach on your users/customers — in the midst of needing to make (awkward) public pronouncements and communicate with those affected by the incident.

“You might feel that as an organization you want just to undermine the kind of breach that you have suffered, you may say that the less people were involved the less records were involved, but the point is that if you are the one communicating to the affected customers in the very first place, and you have an opportunity to explain to them what happened, and to explain in which way you are taking care of them and their data even after the breach, then you have an opportunity to manage their response in a way that doesn’t destroy the trust that your customers have in you,” she says.

“If you instead decide to go very small, and say ‘well nothing really happened’, and you do what [Dixons did] and say, well it’s about 1M and then we discover that actually it’s 10M records that they lost, at that point you have lost your opportunity to manage the breach with your customers because it means that they might realize that they were part of the data breach — they might be affected… without the business being in touch with them… So this is really the risk. So whatever they can do to have a full picture of what happened, as soon as possible, that will help them managing their response of the breach… with your customers so that — hopefully — it doesn’t become a breach of trust.”

“A breach of trust has consequences that are well beyond a fine,” she adds. “The challenge to me is really communicating to the public, communicating to customers — this is something that for European customers this is something new. We are not used to receive these sorts of communication.

“And what I see from the data that we have is customers that are really becoming much more aware of these sorts of incidents, what it means for them, and they know that they have rights when it comes to privacy. And it’s not just compensation — it’s ‘I want to get control over my data and I expect a business to respect these sorts of rights that I have and to be able to give me that control over my data’.

“The incident response team cannot be just a technical team or a legal team, it has to be marketing team, PR, it has to be the executive team. You need to have a plan about what we say to these customers, which is the remediation that we offer — is it going to be credit monitoring, identity protection… are we setting up a call center to be able to respond to questions if there are questions from customers.”

Of course GDPR also puts strong emphasis on practices that should — in theory — minimize the chances of risky data breaches happening in the first place, because the law now encourages good practices like data minimization, privacy by design, and indeed investment in strong security.

So, over the longer term, the theory is that data controllers’ priorities and processes will be re-worked in a way that makes data breaches — if not as rare as hens’ teeth then (hopefully) a whole lot less common than they’ve become in recent years, when another major breach has seemingly hit the headlines every few weeks.

But Iannopollo is under no illusions that that sort of transformational shift will happen overnight.

“Ideally we would see that. That would be the best outcome,” she says, discussing the possibility of GDPR leading to fewer data breaches in future, if it’s successful in transforming attitudes and approaches to data processing and security across multiple industries and sectors. “There is no question that GDPR has driven a lot of investment into specific security technologies… Many companies have made improvements… in terms of the controls that they are using.

“Hopefully also they’ve thought about the processes that underpins the deployment of these technologies. The changes around data minimization, the management around third parties, the ability to build data architectures that are really flexible and transparent in the same way — it will take some time.”

She also says there are companies now starting to offer managed services to help organizations respond effectively at the point of a breach disclosure — such as by supplying additional call center resource. So there are startup opportunities there.

GDPR triggering a comprehensive reorganization of organizations’ data processing is certainly “not the rule” yet though. “What we have seen is more organizations backing one or two requirements — heavily relying on technology, as much as they could, but not taking enough time to think about changes to their governance, and the processes and also people skills, as an element of compliance with GDPR,” she adds.

“So, again, ideally — and for those organizations that really have taken this comprehensive approach — we might see those results in the medium term: A decrease of these sorts of incidents, and better discipline around data handling practices. But the reality is that many organizations have just taken this very piecemeal approach to GDPR. So for that sort of overall outcome we will need to wait some time to see.”

The strength of the regulation’s impact will depend most on two things: How much push there is from below, i.e. from users and customers — so how people feel; what they say; and via specific legal redress actions they could choose to take, such as class action style actions seeking compensation.

And also of course on the regulatory enforcement — when that lands.

That all important piece of the compliance puzzle remains to be seen, given we’re only in the first months after GDPR came into force — when regulators are likely allowing organizations a bit of time to get their compliance ducks in order.

How DPAs ultimately respond to all the extra complaints they’re getting will be very important in setting the tone of the new regime because it will end up shaping data controllers’ perception of and response to GDPR.

Rules without enforcement quickly stop being worth the paper they’re written on. And a watchdog that barks but doesn’t bite will soon get treated like a pet.

However, given EU consumers are increasingly aware and even active when it comes to their data rights, it would be a major misstep if the region’s regulators fell short by failing to listen to rising concerns.

In the meanwhile, it’s likely there will be a period where information about data breaches gets a bit more dynamic — with news of a breach emerging with less delay than it might have, prior to GDPR, but perhaps also with a greater possibility that an initial disclosure does not paint the full picture because an investigation is still in train. So, in short, compliance, like security, is an ongoing process.

01 Aug 2018

DoorDash CEO Tony Xu to deliver startup lessons at Disrupt SF

On-demand delivery is painfully difficult. The margins are usually razor thin, each market is wildly different, and the business can be largely dependent on retailers’ willingness to jump into the digital age.

But DoorDash, which launched in 2013 out of Y Combinator, has been a dominant force in the space.

That’s why we’re absolutely thrilled to have DoorDash CEO Tony Xu join us at Disrupt SF in September.

In the five years since it launched, DoorDash has expanded to hundreds of markets in the U.S. The company, which offers delivery services for restaurants, liquor stores, and even gadget retailers like b8ta, has also penned partnerships with big retailers like Walmart for grocery delivery.

In fact, DoorDash has raised more than $700 million and has achieved unicorn status in its relatively short life.

Much of that success can be attributed to founder and CEO Tony Xu. The son of immigrants, Xu worked in his parents’ restaurant before heading off to Stanford. He then worked at McKinsey, eBay, and Square before bringing his knowledge and experience into the entrepreneurial realm.

This isn’t the first time we’ve hung out with Xu on the Disrupt stage. In 2016, Xu’s biggest focus was balance.

“Hardest part is keeping everything in balance,” he said. “There’s a couple dimensions to this: how do you invest the company’s capital effectively; how do you best serve the marketplace of three audiences, consumers/merchants/dashers; and how do you keep that in check. If you have too many of one, it’s a challenge, and we have the unique challenge where we have to solve product market fit across three audiences.”

While that challenge will always be a factor in DoorDash’s business, we’re particularly interested to hear about the company’s move into the evolving world of grocery delivery. There is plenty to discuss with Xu, and we hope you will join us at the conference, which runs September 5 to September 7.

The full agenda is here. Passes for the show are available here.

01 Aug 2018

Tesla’s alleged ‘saboteur’ strikes back with defamation suit

Martin Tripp, the former Tesla employee who was fired and then sued by the electric vehicle automaker, has filed a lawsuit, alleging statements made by CEO Elon Musk in recent weeks (many in tweet form) defamed him.

Tripp is asking for $1 million in damages from the electric automaker. Tripp, who has hired an Arizona-based law firm, has a GoFundMe page aiming to raise $500,000 to pay for his legal bill. Tripp has raised more than $15,000, according to the GoFundMe page.

The filing is the latest blow in a bout between Tesla, Musk and Tripp that kicked off about six weeks ago. The case, filed in the U.S. District Court in Nevada, is Tesla Inc. v. Tripp, 3:18-cv-00296.

Here’s a timeline, so saddle up and follow along.

June 20: Tesla files a lawsuit against Tripp for $1 million, alleging the man, who worked as a process technician at the massive battery factory near Reno, hacked the company’s confidential and trade secret information and transferred that information to third parties, according to court documents. The lawsuit also claims the employee leaked false information to the media.

24 hours later: A combative email exchange between Musk and Tripp unfolds.

Tesla also notifies police based on a tip to its customer service line that Tripp had allegedly told a friend he was going to attack the company’s Gigafactory in Sparks, Nev. Tripp has denied this and the Storey County Sheriff’s department, which investigated, told TechCrunch they found no credible threat.

July 6: Tripp, who has retained Meissner Associates, a whistleblower, securities, investment fraud and employment law firm, files a formal whistleblower tip to the U.S. Securities and Exchange Commission alleging the company has misled investors and put its customers at risk.

Tripp’s whistleblower tip alleges that Tesla knowingly manufactured batteries with punctured holes, possibly impacting hundreds of cars on the road; misled the investing public as to the number of Model 3s actually being produced each week by as much as 44 percent; and lowered vehicle specifications and systemically used scrap and waste material in vehicles, all so as to meet production quotas.

July 31: Tripp’s counterclaim is filed.

01 Aug 2018

WhatsApp finally earns money by charging businesses for slow replies

Today WhatsApp launches its first revenue-generating enterprise product and the only way it currently makes money directly from its app. The WhatsApp Business API is launching to let businesses respond to messages from users for free for up to 24 hours, but will charge them a fixed rate by country per message sent after that.

Businesses will still only be able to message people who contacted them first, but the API will help them programmatically send “shipping confirmations, appointment reminders or event tickets.” Clients can also use it to manually respond to customer service inquiries through their own tool or apps like Zendesk, MessageBird, or Twilio. And small businesses that are among the 3 million users of the WhatsApp For Business app can still use it to send late replies one-by-one for free.

After getting acquired by Facebook for $19 billion in 2014, it’s finally time for the 1.5 billion-user WhatsApp to pull its weight and contribute some revenue. If Facebook can pitch the WhatsApp Business API as a cheaper alternative to customer service call centers, the convenience of asynchronous chat could compel users to message companies instead of phoning.

Only charging for slow replies after 24 hours since a user’s last message is a genius way to create a growth feedback loop. If users get quick answers via WhatsApp, they’ll prefer it to other channels. Once businesses and their customers get addicted to it, WhatsApp could eventually charge for all replies or any that exceed a volume threshold, or cut down the free window. Meanwhile, businesses might be too optimistic about their response times and end up paying more often than they expect, especially when messages come in on weekends or holidays.

WhatsApp first announced it would eventually charge for enterprise service last September when it launched its free WhatsApp For Business app that now has 3 million users and remains free for all replies, even late ones.

Importantly, WhatsApp stresses that all messaging between users and businesses, even through the API, will be end-to-end encrypted. That contrasts with the Washington Post’s report that Facebook pushing to weaken encryption for WhatsApp For Business messages is partly what drove former CEO Jan Koum to quit WhatsApp and Facebook’s board in April. His co-founder Brian Acton had ditched Facebook back in September and donated $50 million to the foundation of encrypted messaging app Signal.

Today WhatsApp is also formally launching its new display ads product worldwide. But don’t worry, they won’t be crammed into your chat inbox like with Facebook Messenger. Instead, businesses will be able to buy ads on Facebook’s News Feed that launch WhatsApp conversations with them…thereby allowing them to use the new Business API to reply. TechCrunch scooped that this was coming last September, when code in Facebook’s ad manager revealed the click-to-WhatsApp ads option, and the company confirmed the ads were in testing. Facebook launched similar click-to-Messenger ads back in 2015.

Finally, WhatsApp also tells TechCrunch it’s planning to run ads in its 450 million daily user Snapchat Stories clone called Status. “WhatsApp does not currently run ads in Status though this represents a future goal for us, starting in 2019. We will move slowly and carefully and provide more details before we place any Ads in Status,” a spokesperson told us. Given WhatsApp Status is over twice the size of Snapchat, it could earn a ton on ads between Stories, especially if it’s willing to make some unskippable.

Together, the ads and API will replace the $1 per year subscription fee WhatsApp used to charge in some countries but dropped in 2016. With Facebook’s own revenue decelerating, triggering a 20 percent, $120 billion market cap drop in its share price, it needs to show it has new ways to make money now more than ever.

01 Aug 2018

Snapchat launches its first speech recognition lenses

Snapchat is today launching new lenses that respond to voice commands. The company says it’s now rolling out a series of lenses that will animate when users speak simple, English words like “hi,” “love,” “yes,” “no,” and “wow,” as opposed to taking some other action – like opening their mouth or raising their eyebrows, as has been the trigger for some of the company’s prior lenses that animate with special effects.

For example, saying “hi” in the new lens will launch an animation that surrounds you with a flock of chatty birds; “love” will play cheesy jazz music; “yes” creates a zoom effect; “no” puts you in an infinite photo tunnel; and “wow” puts a bow on your head and surrounds you with the word.

While the company has offered lenses that involve audio before, this is the first time it has created lenses that actually recognize words, then use its understanding of what was said as a marker that kicks off the lens animation.

Snapchat says it will begin to make around five to six of these new lenses available to users within the next week. They’ll appear periodically in the Lens carousel along with the others, starting today, Wednesday August 1st.

The lenses will prompt users how to trigger the animation, when launched, Snapchat says.

Unique lenses have always been one of Snapchat’s biggest differentiators. And it has continually pushed the bar forward in this area by creating those that take advantage of camera technology and augmented reality in new ways. For example, it has launched things like World Lenses that add AR elements to any scene – including, more recently, Bitmoji – plus selfie games, lenses that can change the sky, paint the world around you, and more.

In May, it also launched the first lenses that react to sounds – but not particular words. The company says it’s possible for the new speech recognition lenses to be combined with its other lens technology, but it declined to say if that’s something it had planned.

The new lenses are also remarkably similar to the speech recognition triggered AR stickers found in the Panda video app, we should also note.

New lenses like this help to keep Snapchat users engaged, and could potentially turn into a technology that’s opened to advertisers further down the road, too.

The company may not have the size and scale of Facebook’s app empire (including also Messenger, Instagram and WhatsApp), but it does have the younger audience, who are increasingly ditching Facebook for other apps like Snapchat, YouTube and Instagram.

01 Aug 2018

Samsung thinks the Galaxy Tab S4 can replace your laptop

The convertible tablet space is a tricky one. After several years, no one’s managed to precisely nail it — no device will ever manage to straddle the line as the perfect laptop and tablet. But the category is a rare bright spot in an otherwise stagnant tablet market, and Samsung’s never been one to stand down from a challenge.

If nothing else, the Tab S4 represents Samsung’s most aggressive approach to the category yet. The company appears fairly confident that it will fulfill the need for both laptop and tablet for a certain segment of the population, at least — which would go a ways toward justifying that $650 starting price.

To accomplish this, the company is reinventing DeX. Formerly used to refer to the smartphone docking station, it’s now the name of the company’s desktop mode for Android. DeX is the key to the Tab’s convertibility. The S4 defaults to standard Android mode, switching over to DeX as soon as it docks in the keyboard case.

It’s an interesting choice. Rather than go with Windows 10, Chrome or any other operating systems designed specifically for the desktop environment, Samsung’s doubling down on the environment it introduced for the original DeX docks.

Why? I suspect it’s a control thing, at least in part. Windows 10 would have required surrendering more functionality to Microsoft (not to mention the consistency complications of the Android-centric Galaxy brand). With Android, Samsung can effectively run roughshod over the operating system as it sees fit. That means, no doubt, the eventual addition of things like the S-Pen’s Air Command interface and other proprietary Samsung differentiators.

I took a Chromebook as my sole computer on a recent trip to China. As such, I feel pretty confident in speaking to the limitations of attempting to rely on apps that aren’t optimized for desktop mode. It’s not impossible, but it’s certainly clumsy. When you launch them, they open in a small window.

You can make them full screen, but have to restart them in the process. I suspect the discrepancies won’t be as pronounced on the 10.5-inch as they would be on, say, the Pixelbook, but there are still some kinks to work out. That includes the fact the Play Store doesn’t specialize in desktop apps, which cuts out a certain number of speciality programs. In my case, I had the damnedest time trying to find a fill-in for Audacity, so I could edit podcasts on the 13-hour flight (cue the emails from 800 developers telling me that they have the solution).

The good news on this front is that Samsung has worked with some key developers to offer up programs in the “App for Samsung DeX” section of the app menu. The biggest here is Microsoft, which worked with Samsung to create a DeX version of Office. There are some other key apps here as well, like Tripadvisor. For things like games, on the other hand, you’ll mostly be stuck running the mobile version.

The Tab S4 represents an interesting sort of cross section of a number of different Samsung offerings. The Galaxy Tab line meets DeX, with a side of S-Pen, which is large and optimized for the bigger form factor. There’s a slot for the stylus on the side of the keyboard case — a nice touch that has been absent in a number of these kinds of devices, including ones from Samsung itself. I can never figure out what to do with that damn pen when I’m not using it.

Live Messages — the animated GIF drawing app introduced on mobile — is here. Air Commands are present in Android mode as well. That they don’t carry over into DeX mode feels like a strange sort of oversight on Samsung’s part, but the company tells me it’s something they’re considering, so there’s that.

Also interesting is the absence of a trackpad on Samsung’s keyboard case. Touch and pen functionality are the primary methods for cursor manipulation here. I suspect that will ultimately serve most users just fine, but you’ll have to re-program your brain a bit in the process. When your hands assume typing position, habit draws them down to the trackpad, like some peripheral version of a phantom limb.

The keyboard is pretty okay, so far as keyboard cases go. I honestly prefer it to the kind of soft version you get with a Surface. There’s more tactile feedback here, and the keys are raised. They’re soft but springy. I’m in no rush to replace my full-time laptop with the device, but I write words for a living. For those whose typing is largely limited to Facebook updates and email, it’s probably just fine.

It’s also worth mentioning that the case is robust enough in keyboard mode to actually sit in your lap without collapsing. Not every convertible can say that. Surface Go, I’m looking at you.

The battery is a bright spot here. At 7,300mAh, Samsung says it should get you around 16 hours of video playback. That seems like a fairly optimistic estimate compared to the 10 hours Apple quotes on the 10-inch iPad Pro but at the very least, it should get you through just about any flight.

The rest of the specs are pretty solid as well, including an octa-core Snapdragon 835, 4GB of RAM and either 64- or 256GB of storage, plus expandable memory via microSD. You can also get the Tab with built-in LTE (for an added cost/monthly fee, of course). That should serve you pretty well for most of what you need to do, tablet or otherwise.

The port situation, on the other hand, is another pain point for replacing your desktop outright. There’s the Pogo dock for the keyboard and a single USB-C — so good luck with those accessories. Of course, you can also just get a Bluetooth mouse — Samsung makes one of those specially for the Galaxy Tab, naturally.

The WiFi version of the Tab S4 arrives August 10th, along with the Verizon LTE version. Other carriers (Sprint and US Cellular) will get their models at some point later in Q3. Pricing will likely vary, based on carrier.

The Galaxy Tab S4 isn’t quite the end-all, be-all laptop replacement Samsung was no doubt hoping for, but it does represent an interesting new paradigm for the company in the wild world of convertible tablets.

01 Aug 2018

Instant Pot teams up with YaDoggie so your pup can eat fresh food

YaDoggie, the dog food and wellness startup founded by Yahoo’s former VP of Mobile, has teamed up with kitchen appliance maker Instant Pot to launch its fresh dog food product. Called YaDoggie Fresh, it’s “human-grade” fresh dog food that is specifically designed to be cooked in an Instant Pot.

The fresh product, which comes in turkey and salmon, takes 20 minutes to cook using the Instant Pot. YaDoggie says the formulas were designed by a licensed veterinary nutritionist and are 100 percent grain free. The product starts shipping October 1.

“We know lots of our customers would love to make their own healthy food for their dogs but they just don’t have the time to find a recipe and buy and prep ingredients – Fresh does that for them,” YaDoggie CEO Sol Lipman said in a press release. “Fresh aligns with our goal of making it easy for Pet Parents to give their dogs the best food possible, and it’s a great complement to our kibble.”

YaDoggie’s core offerings are healthy, grain-free kibble, treats and a smart scoop, which will cost $49. The food comes in three recipes, buffalo/duck, lamb and sweet potato and limited ingredient turkey and pea — none of which include rice, corn, wheat or soy.

YaDoggie aims to help dog parents take a holistic approach to caring for their pups. But instead of defining itself as a dog tech company, YaDoggie is positioning itself as a dog wellness company using technology to make things better.

01 Aug 2018

Price hike for Disrupt SF 2018 passes starts tonight

All you last-minute shoppers, world-class procrastinators and all-around slow-pokes listen up! You have until midnight tonight to buy your passes to Disrupt San Francisco 2018 at the early-bird price. We’re talking real savings: up to $1,200.

We really do want you to join us at Moscone Center West on September 5-7, but why the heck would you pay full freight when you could simply buy your ticket now?

Every Disrupt offers an incredible amount of value, top-notch programming and unparalleled networking opportunities. Come for our roster of renowned speakers, including Megan Quinn, a general partner at Spark Capital; Whitney Wolfe Herd, the founder and CEO at Bumble; and Dara Khosrowshahi, the CEO at Uber.

Don’t miss our Virtual Hackathon — where thousands of the best hackers, developers, designers and programmers around the world compete to create something spectacular. We’ll scrutinize every submission and bring the top 30 teams to display their hacks at Disrupt. The best hack wins $10,000 and, thanks to our generous sponsors, we also have a bunch of very cool hack contests that offer thousands of dollars in cash and prizes.

Some great companies got their start in our premier pitch competition, Startup Battlefield. Companies like TripIt, Box, Yammer and Mint to name a few. This year, the startups really bring the heat as they compete for investor love, media attention and $100,000 in non-equity cash.

You’ll find more than 1,200 outstanding startups and exhibitors showcasing an incredible array of tech products, platforms and talent on our show floor in Startup Alley. It’s a breeding ground for innovation, inspiration and opportunity.

Looking for more good reasons to go? Check out the full conference agenda.

Disrupt San Francisco 2018 takes place on September 5-7 at Moscone Center West. Your chance to save on ticket pricing runs out at midnight tonight, so stop what you’re doing and get your ticket now.

01 Aug 2018

Back-to-college tech for minimalists and the over-prepared

Editor’s note: This post was done in partnership with Wirecutter. When readers choose to buy Wirecutter’s independently chosen editorial picks, Wirecutter and TechCrunch may earn affiliate commissions.

Heading back to college with the best gear is the only push that some students need to get things moving in the right direction. While students are expected to take lecture notes during class, power through study sessions and, if necessary, do assignments on the go, there are tech essentials better suited than others for getting these jobs done.

Whether it’s time for a new laptop and protective gear or a few new accessories, we’ve got the recommendations covered.

Chromebook: Chromebook Flip C302CA

A Chromebook is a great choice for a simple notebook with a cloud-based storage system, and we think the Chromebook Flip C302CA is the best option. You’ll work predominantly in a browser and across apps — and whichever way is most comfortable, as the Chromebook Flip C302CA’s 360-degree hinge allows it to be used as a laptop or tablet.

It only comes with a few ports (a headphone jack, two USB-C ports and a microSD slot) but you can use an adapter to plug in additional peripherals. We like its backlit keyboard, touchscreen, Android app support and that its build feels more like a pricier Ultrabook. If portability is at the top of your list, it’s lightweight and compact, which makes carrying it around campus and doing work on the go more manageable.

Laptop for creative work: Dell XPS 15 & Apple MacBook Pro with Touch Bar (15-inch, 2017)

For film, photography and design students who can’t always use on-campus labs and want a capable machine of their own, we recommend the Dell XPS 15. This Windows laptop has a powerful graphics card and processor that contribute to quick upload and rendering speeds. The Apple MacBook Pro with Touch Bar (15-inch, 2017) is an alternative for students who prefer macOS.

It’s also equipped with a powerful processor, and both machines have excellent displays and responsive trackpads. Either laptop can handle heavy editing projects and demanding creative work that would otherwise slow down a basic laptop.

Anti-malware software: Malwarebytes Premium

In addition to antivirus software, secure passwords, data logins and two-factor authentication, a reliable anti-malware program will help ensure that your computer is protected against vulnerabilities. While antivirus software typically works against worms, viruses and Trojans, anti-malware tackles newer exploits that aren’t spread by email, USB drives or older avenues.

We recommend Malwarebytes Premium for macOS and Windows computers because it runs well with Windows Defender and doesn’t get in the way of other programs. It’s simple to set up and use, plus it performs real-time scanning and doesn’t require you to make special adjustments to settings in order to get the best coverage.

Bluetooth keyboard: Logitech K380 Multi-Device Bluetooth Keyboard

For students who like working across different setups, a Bluetooth keyboard provides the option to take a break from a laptop and work with a desktop computer, smartphone or tablet. The Logitech K380 Multi-Device Bluetooth Keyboard can connect to three devices at once and switch between them with the press of a button.

It’s light, sturdy and small enough to stash in a backpack and use in class, at a library or anywhere else on the go. The combination of its rounded springy keys and the angle of its slope make it comfortable to use over long periods of time. Aside from outperforming other models that we tested, it’s inexpensive and offers two years of battery life with heavy use.

Type-C Multiport Adapter: Sanho HyperDrive USB Type-C Hub

With every school year that comes around, an updated batch of laptops is released — many of which come with the latest ports. The Sanho HyperDrive USB Type-C Hub pairs best with MacBooks that have a single USB-C port. It adds a single HDMI port, two USB 3.0 ports and a USB-C port for passthrough charging.

You’ll be able to connect to HDMI displays that support 4K video while charging your computer at the same time. It’s small, durable and, like other USB-C port laptop adapters that connect devices with “legacy” ports or transfer data, it can be a lifesaver when you’re in a pinch.

These picks may have been updated by Wirecutter

01 Aug 2018

Subscription startup Kidbox launches its own clothing lines

Kidbox, a subscription clothing box similar to Stitch Fix – but aimed at parents who dislike kids’ clothes shopping (aka all of us) – is now launching its own private label kids’ brands. At launch, the three clothing brands – Miki B., Kid’s Club, and Baby Basics – will join the startup’s over 130 existing brand partners, such as Adidas, DKNY, 7 for All Mankind, Puma, Jessica Simpson, Reebok, Diesel and others.

The company had said earlier this year that it would soon be branching out into its own brands with the arrival of its fall 2018 back-to-school box.

Having sent out its first box of clothing during the back-to-school shopping season in 2016, Kidbox now has two years of data under its belt to inform its designers what kids clothing is selling. Its boxes, similar to Stitch Fix, are put together after parents fill out a profile. They offer their kids’ sizing information, age, and what sort of styles, colors and patterns they like and hate. Kidbox then preps a box accordingly, and anything the child doesn’t want – or mom or dad don’t want to buy, that is – can be sent back.

However, Kidbox heavily incentivizes its customers to keep the whole box – it’s around half a dozen items for under $100, which is reasonable. In fact, it can cost more to return items, as you then pay the price on the tag instead of receiving the whole-box discount.

With its new private labels, Kidbox aims to grow its margins further.

“We believe we’ve identified a void in the children’s apparel marketplace,” Kidbox CEO Miki Berardelli told TechCrunch this spring, when referencing its plans to sell its own clothing. “The style sensibility of our exclusive brands will all have a unique personality, and a unique voice that’s akin to how our customers describe themselves. It’s all really based on customer feedback. Our customers tell us what they would love more of; and our merchandising team understands what they would like to be able to procure more of, in terms of rounding out our assortment,” she said.

The company at the time was fresh on the heels of a $15.3 million Series B focused on scaling the business, which included bringing the new lines to its customers.

Kidbox’s brands will focus on the four main personality types of Kidbox shoppers, the company now explains. Miki B. represents a sort of “city cool” aesthetic, while Kid’s Club will encompass sporty athletic, modern casual, and classic preppy styles. Baby Basics, of course, includes baby items.

The lines were created by Kidbox’s own design team, which includes designers from brands like Tory Burch, Burberry, Bonobos, and J.Crew. The team focused on every aspect – like fabric, color, pattern, and cut. They decided on using 100 percent cotton jersey, so the clothes will hold up and become wardrobe staples.

Each Kidbox shipment will now feature at least one of its own brands, the company says.

In addition to the new brands, Kidbox also teamed up with French Toast on a $68 uniform box for boys and girls that caters to kids whose schools enforce dress codes.

Kidbox today competes with other kids clothing subscription boxes like Rockets of Awesome, Kidpik, Mac & Mia, fabKids, and others. As a parent and customer of a couple of these, what I like about Kidbox is the wearability of its items, which tend to be more practical choices, and its affordability. My child likes that the Kidbox often comes with a small surprise – and always includes crayons and stickers, too.

The company declines to share subscriber numbers, but touts 1.2+ million members of its “community” which encompasses social media fans, email subscribers, and paying customers.

The New York-based startup has raised $28 million to date from Canvas Ventures, Firstime Ventures, HDS Capital, plus strategic partners Fred Langhammer, former CEO of The Estée Lauder Companies Inc., and The Gindi Family, owners of Century 21 department stores.