Year: 2019

10 Aug 2019

We’re all doomed, 2019 edition

Every year the great and good (and bad) of the hacker/information-security world descend on Las Vegas for a week of conferences, in which many present their latest discoveries, and every year I try to itemize the most interesting (according to me) Black Hat talks for TechCrunch. Do not assume I attended all or even most of these. There are far too many for anyone to attend. But hopefully they’ll give you a sense of the state of the art.

First, though, let me just note that this post title is intended as sardonic. Yes, there is a lot of sloppy software out there, and yes, a lot of smart people keep finding holes, bugs, exploits, and design flaws even in good software, but we are not actually all doomed, and the belief that we are, and that anything connected to the Internet can be and probably has been hacked — an attitude which I like to call “security nihilism” — is spectacularly counterproductive.

In truth there is a lot of extremely good security out there, especially amid the big tech companies, and it keeps getting better, as the market for 0-days (previously undiscovered exploits) indicates. Most (though certainly not all) of the exploits below have already been reported and fixed, and patches have been rolled out. That said, much of the world has a lot of work to do to catch up with, say, Apple and Google’s security teams. Without further ado, the best-sounding talks of 2019:


Liveness Detection Hacking, from Tencent’s Xuanwu Security Lab, discusses how to trick “liveness” detectors for face or voice ID (or, perhaps, cryptocurrency KYC) by injecting fake video or audio streams, or, better yet, ordinary glasses with ordinary tape attached, which, best of all, they have named X-glasses.


All the 4G Modules Could Be Hacked, from Baidu’s Security Lab, recounts the researchers’ investigation of 4G modules for IoT devices — the components which connect machines to the Internet via cell networks, basically. As their summary memorably puts it, “We carried out this initiative and tested all the major brand 4G modules in the market (more than 15 different types). The results show all of them have similar vulnerabilities” and ends with the equally memorable “how to use these vulnerabilities to attack car entertainment systems of various brands and get remote control of cars.” Extra points for the slide with ‘Build Zombie cars (just like Furious 8)’, too.


Arm IDA and Cross Check: Reversing the Boeing 787’s Core Network by Ruben Santamarta of IOActive talks about how, after discovering an accidentally public directory of sensitive Boeing information online(!), Santamarta developed a chain of exploits that could conceivably lead from the Internet to the “Common Data Network” of a 787. Boeing strongly disputes this.

I have considerable respect for Santamarta, whose work I’ve written about before, and as he put it: “Boeing communicated to IOActive that there are certain built-in compiler-level mitigations [author’s note: !!] that, in their point of view, prevent these vulnerabilities from being successfully exploited. IOActive was unable to locate or validate the existence of those mitigations in the CIS/MS firmware version we analyzed. When asked, Boeing declined to answer whether these mitigations might have been added on a later version … We hope that a determined, highly capable third party can safely confirm that these vulnerabilities are not exploitable … We are confident owners and operators of these aircraft would welcome such independent validation and verification.” Indeed. But hey, if you can’t trust Boeing, who can you trust, right?


Reverse Engineering WhatsApp Encryption for Chat Manipulation, from researchers at Check Point Software, described how to abuse WhatsApp group chat to put words into others’ mouths, albeit only in quote texts, and send private messages which look like group-chat messages. (Note however that this is post-decryption, so you have to already be a legitimate member of the chat.)


In Behind the scenes of iOS and Mac Security, Ivan Krstić, Apple’s Head of Security Engineering, publicly spoke about Apple security. That’s remarkable enough right there! In particular, it’s worth noting his exegesis of how Find My works while preserving privacy, and that Apple is going to start to offer rooted iPhones to security researchers.


Simultaneously, an organization almost as devoted to secrecy as Apple revealed more about their security practices too. Kudos! I refer of course to the NSA, who came onstage to discuss their reverse-engineering framework Ghidra, and how it came to be open-sourced.


In Critical Zero Days Remotely Compromise the Most Popular Real-Time OS, researchers from Armis Security explained how VxWorks, a real-time OS you’ve never heard of but which runs on over 2 billion machines including aircraft, medical devices, industrial control systems, and spacecraft, also boasts vulnerabilities in esoteric corners of its TCP/IP stack that could lead to remote code execution. So that’s not good.


Finally, in Exploring the New World: Remote Exploitation of SQLite and Curl, Tencent’s Blade Team (yes, Chinese researchers have been absolutely killing it this year) showed how we actually are all doomed. I kid, I kid. But while you’ve probably never heard of them, SQLite and Curl are two absolutely fundamental software components — an incredibly widely used compact single-file database and a command-line networking tool, respectively — and the team used an exploit of the former to successfully attack Google Home remotely, and the latter to attack curl clients such as PHP/Apache as well as Git. Ouch.

10 Aug 2019

Most EU cookie ‘consent’ notices are meaningless or manipulative, study finds

New research into how European consumers interact with the cookie consent mechanisms which have proliferated since a major update to the bloc’s online privacy rules last year casts an unflattering light on widespread manipulation of a system that’s supposed to protect consumer rights.

As Europe’s General Data Protection Regulation (GDPR) came into force in May 2018, bringing in a tough new regime of fines for non-compliance, websites responded by popping up legal disclaimers which signpost visitor tracking activities. Some of these cookie notices even ask for consent to track you.

But many don’t — even now, more than a year later.

The study, which looked at how consumers interact with different designs of cookie pop-ups and how various design choices can nudge and influence people’s privacy choices, also suggests consumers are suffering a degree of confusion about how cookies function, as well as being generally mistrustful of the term ‘cookie’ itself. (With such baked-in tricks, who can blame them?)

The researchers conclude that if consent to drop cookies was being collected in a way that’s compliant with the EU’s existing privacy laws only a tiny fraction of consumers would agree to be tracked.

The paper, which we’ve reviewed in draft ahead of publication, is co-authored by academics at Ruhr-University Bochum, Germany, and the University of Michigan in the US — and entitled: (Un)informed Consent: Studying GDPR Consent Notices in the Field.

The researchers ran a number of studies, gathering ~5,000 cookie notices from screengrabs of leading websites to compile a snapshot (derived from a random sub-sample of 1,000) of the different cookie consent mechanisms in play, in order to paint a picture of current implementations.

They also worked with a German ecommerce website over a period of four months to study how more than 82,000 unique visitors to the site interacted with various cookie consent designs, which the researchers tweaked in order to explore how different defaults and design choices affected individuals’ privacy choices.

Their industry snapshot of cookie consent notices found that the majority are placed at the bottom of the screen (58%); not blocking the interaction with the website (93%); and offering no options other than a confirmation button that does not do anything (86%). So no choice at all then.

A majority also try to nudge users towards consenting (57%) — such as by using ‘dark pattern’ techniques like using a color to highlight the ‘agree’ button (which if clicked accepts privacy-unfriendly defaults) vs displaying a much less visible link to ‘more options’ so that pro-privacy choices are buried off screen.

And while they found that nearly all cookie notices (92%) contained a link to the site’s privacy policy, only a third (39%) mention the specific purpose of the data collection or who can access the data (21%).

The GDPR updated the EU’s long-standing digital privacy framework, with key additions including tightening the rules around consent as a legal basis for processing people’s data — which the regulation says must be specific (purpose limited), informed and freely given for consent to be valid.

Even so, since May last year there has been an outgrowth of cookie ‘consent’ mechanisms popping up or sliding atop websites that still don’t offer EU visitors the necessary privacy choices, per the research.

“Given the legal requirements for explicit, informed consent, it is obvious that the vast majority of cookie consent notices are not compliant with European privacy law,” the researchers argue.

“Our results show that a reasonable amount of users are willing to engage with consent notices, especially those who want to opt out or do not want to opt in. Unfortunately, current implementations do not respect this and the large majority offers no meaningful choice.”

The researchers also record a large differential in interaction rates with consent notices — of between 5 and 55% — generated by tweaking positions, options, and presets on cookie notices.

This is where consent gets manipulated — to flip visitors’ preference for privacy.

They found that the more choices offered in a cookie notice, the more likely visitors were to decline the use of cookies. (Which is an interesting finding in light of the vendor laundry lists frequently baked into the so-called “transparency and consent framework” which the industry association, the Internet Advertising Bureau (IAB), has pushed as the standard for its members to use to gather GDPR consents.)

“The results show that nudges and pre-selection had a high impact on user decisions, confirming previous work,” the researchers write. “It also shows that the GDPR requirement of privacy by default should be enforced to make sure that consent notices collect explicit consent.”

Here’s a section from the paper discussing what they describe as “the strong impact of nudges and pre-selections”:

Overall the effect size between nudging (as a binary factor) and choice was CV=0.50. For example, in the rather simple case of notices that only asked users to confirm that they will be tracked, more users clicked the “Accept” button in the nudge condition, where it was highlighted (50.8% on mobile, 26.9% on desktop), than in the non-nudging condition where “Accept” was displayed as a text link (39.2% m, 21.1% d). The effect was most visible for the category- and vendor-based notices, where all checkboxes were pre-selected in the nudging condition, while they were not in the privacy-by-default version. On the one hand, the pre-selected versions led around 30% of mobile users and 10% of desktop users to accept all third parties. On the other hand, only a small fraction (< 0.1%) allowed all third parties when given the opt-in choice and around 1 to 4 percent allowed one or more third parties (labeled “other” in 4). None of the visitors with a desktop allowed all categories. Interestingly, the number of non-interacting users was highest on average for the vendor-based condition, although it took up the largest part of any screen since it offered six options to choose from.

The key implication is that just 0.1% of site visitors would freely choose to enable all cookie categories/vendors — i.e. when not being forced to do so by a lack of choice or via nudging with manipulative dark patterns (such as pre-selections).

A slightly larger fraction, between 1% and 4%, would enable some cookie categories in the same privacy-by-default scenario.

“Our results… indicate that the privacy-by-default and purposed-based consent requirements put forth by the GDPR would require websites to use consent notices that would actually lead to less than 0.1 % of active consent for the use of third parties,” they write in conclusion.

They do flag some limitations with the study, pointing out that the dataset they used to arrive at the 0.1% figure is biased — given the nationality of visitors is not generally representative of public Internet users, as well as the data being generated from a single retail site. But they supplemented their findings with data from a company (Cookiebot) which provides cookie notices as a SaaS — saying its data indicated a higher ‘accept all’ click rate, but still only marginally higher: just 5.6%.

Hence the conclusion that if European web users were given an honest and genuine choice over whether or not they get tracked around the Internet, the overwhelming majority would choose to protect their privacy by rejecting tracking cookies.

This is an important finding because GDPR is unambiguous in stating that if an Internet service is relying on consent as a legal basis to process visitors’ personal data it must obtain consent before processing data (so before a tracking cookie is dropped) — and that consent must be specific, informed and freely given.

Yet, as the study confirms, it really doesn’t take much clicking around the regional Internet to find a gaslighting cookie notice that pops up with a mocking message saying by using this website you’re consenting to your data being processed how the site sees fit — with just a single ‘Ok’ button to affirm your lack of say in the matter.

It’s also all too common to see sites that nudge visitors towards a big brightly colored ‘click here’ button to accept data processing — squirrelling any opt-outs into complex sub-menus that can sometimes require hundreds of individual clicks to deny consent per vendor.

You can even find websites that gate their content entirely unless or until a user clicks ‘accept’ — aka a cookie wall. (A practice that has recently attracted regulatory intervention.)

Nor can the current mess of cookie notices be blamed on a lack of specific guidance on what a valid and therefore legal cookie consent looks like. At least not any more. Here, for example, is a myth-busting blog which the UK’s Information Commissioner’s Office (ICO) published last month that’s pretty clear on what can and can’t be done with cookies.

For instance on cookie walls the ICO writes: “Using a blanket approach such as this is unlikely to represent valid consent. Statements such as ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard.” (The regulator goes into more detailed advice here.)

While France’s data watchdog, the CNIL, also published its own detailed guidance last month — if you prefer to digest cookie guidance in the language of love and diplomacy.

(Those of you reading TechCrunch back in January 2018 may also remember this sage plain-English advice from our GDPR explainer: “Consent requirements for processing personal data are also considerably strengthened under GDPR — meaning lengthy, inscrutable, pre-ticked T&Cs are likely to be unworkable.” So don’t say we didn’t warn you.)

Nor are Europe’s data protection watchdogs lacking in complaints about improper applications of ‘consent’ to justify processing people’s data.

Indeed, ‘forced consent’ was the substance of a series of linked complaints by the pro-privacy NGO noyb, which targeted T&Cs used by Facebook, WhatsApp, Instagram and Google Android as soon as GDPR started being applied in May last year.

While not cookie notice specific, this set of complaints speaks to the same underlying principle — i.e. that EU users must be provided with a specific, informed and free choice when asked to consent to their data being processed. Otherwise the ‘consent’ isn’t valid.

So far Google is the only company to be hit with a penalty as a result of that first wave of consent-related GDPR complaints; France’s data watchdog issued it a $57M fine in January.

But the Irish DPC confirmed to us that three of the 11 open investigations it has into Facebook and its subsidiaries were opened after noyb’s consent-related complaints. (“Each of these investigations are at an advanced stage and we can’t comment any further as these investigations are ongoing,” a spokeswoman told us. So, er, watch that space.)

The problem, where EU cookie consent compliance is concerned, looks to be both a failure of enforcement and a lack of regulatory alignment — the latter as a consequence of the ePrivacy Directive (which most directly concerns cookies) still not being updated, generating confusion (if not outright conflict) with the shiny new GDPR.

However the ICO’s advice on cookies directly addresses claimed inconsistencies between ePrivacy and GDPR, stating plainly that Recital 25 of the former (which states: “Access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose”) does not, in fact, sanction gating your entire website behind an ‘accept or leave’ cookie wall.

Here’s what the ICO says on Recital 25 of the ePrivacy Directive:

  • ‘specific website content’ means that you should not make ‘general access’ subject to conditions requiring users to accept non-essential cookies – you can only limit certain content if the user does not consent;
  • the term ‘legitimate purpose’ refers to facilitating the provision of an information society service – ie, a service the user explicitly requests. This does not include third parties such as analytics services or online advertising;

So no cookie wall; and no partial walls that force a user to agree to ad targeting in order to access the content.

It’s worth pointing out that other types of privacy-friendly online advertising are available with which to monetize visits to a website. (And research suggests targeted ads offer only a tiny premium over non-targeted ads, even as publishers choosing a privacy-hostile ads path must now factor in the costs of data protection compliance to their calculations — as well as the cost and risk of massive GDPR fines if their security fails or they’re found to have violated the law.)

Negotiations to replace the now very long-in-the-tooth ePrivacy Directive — with an up-to-date ePrivacy Regulation which properly takes account of the proliferation of Internet messaging and all the ad tracking techs that have sprung up in the interim — are the subject of very intense lobbying, including from the adtech industry desperate to keep a hold of cookie data. But EU privacy law is clear.

“[Cookie consent]’s definitely broken (and has been for a while). But the GDPR is only partly to blame, it was not intended to fix this specific problem. The uncertainty of the current situation is caused by the delay of the ePrivacy regulation that was put on hold (thanks to lobbying),” says Martin Degeling, one of the research paper’s co-authors, when we suggest European Internet users are being subject to a lot of ‘consent theatre’ (ie noisy yet non-compliant cookie notices) — which in turn is causing knock-on problems of consumer mistrust and consent fatigue for all these useless pop-ups, problems which work against the core aims of the EU’s data protection framework.

“Consent fatigue and mistrust is definitely a problem,” he agrees. “Users that have experienced that clicking ‘decline’ will likely prevent them from using a site are likely to click ‘accept’ on any other site just because of one bad experience and regardless of what they actually want (which is in most cases: not be tracked).”

“We don’t have strong statistical evidence for that but users reported this in the survey,” he adds, citing a poll the researchers also ran asking site visitors about their privacy choices and general views on cookies. 

Degeling says he and his co-authors are in favor of a consent mechanism that would enable web users to specify their choice at a browser level — rather than the current mess and chaos of perpetual, confusing and often non-compliant per site pop-ups. Although he points out some caveats.

“DNT [Do Not Track] is probably also not GDPR compliant as it only knows one purpose. Nevertheless something similar would be great,” he tells us. “But I’m not sure if shifting the responsibility to browser vendors to design an interface through which they can obtain consent will lead to the best results for users — the interfaces that we see now, e.g. with regard to cookies, are not a good solution either.

“And the conflict of interest for Google with Chrome is obvious.”

The EU’s unfortunate regulatory snafu around privacy — in that it now has one modernized, world-class privacy regulation butting up against an outdated directive (whose progress keeps being blocked by vested interests intent on being able to continue steamrollering consumer privacy) — likely goes some way to explaining why Member States’ data watchdogs have generally been loath, so far, to show their teeth where the specific issue of cookie consent is concerned.

At least for an initial period the hope among data protection agencies (DPAs) was likely that ePrivacy would be updated and so they should wait and see.

They have also undoubtedly been providing data processors with time to get their data houses and cookie consents in order. But the frictionless interregnum while GDPR was allowed to ‘bed in’ looks unlikely to last much longer.

Firstly because a law that’s not enforced isn’t worth the paper it’s written on (and EU fundamental rights are a lot older than the GDPR). Secondly, with the ePrivacy update still blocked DPAs have demonstrated they’re not just going to sit on their hands and watch privacy rights be rolled back — hence them putting out guidance that clarifies what GDPR means for cookies. They’re drawing lines in the sand, rather than waiting for ePrivacy to do it (which also guards against the latter being used by lobbyists as a vehicle to try to attack and water down GDPR).

And, thirdly, Europe’s political institutions and policymakers have been dining out on the geopolitical attention their shiny privacy framework (GDPR) has attained.

Much has been made at the highest levels in Europe of being able to point to US counterparts, caught on the hop by ongoing tech privacy and security scandals, while EU policymakers savor the schadenfreude of seeing their US counterparts being forced to ask publicly whether it’s time for America to have its own GDPR.

With its extraterritorial scope, GDPR was always intended to stamp Europe’s rule-making prowess on the global map. EU lawmakers will feel they can comfortably check that box.

However they are also aware the world is watching closely and critically — which makes enforcement a very key piece. It must slot in too. They need the GDPR to work on paper and be seen to be working in practice.

So the current cookie mess is a problematic signal which risks signposting regulatory failure — and that simply isn’t sustainable.

A spokesperson for the European Commission told us it cannot comment on specific research but said: “The protection of personal data is a fundamental right in the European Union and a topic the Juncker commission takes very seriously.”

“The GDPR strengthens the rights of individuals to be in control of the processing of personal data, it reinforces the transparency requirements in particular on the information that is crucial for the individual to make a choice, so that consent is given freely, specific and informed,” the spokesperson added. 

“Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.”

All of which suggests that the movement, when it comes, must come from a reforming adtech industry.

With robust privacy regulation in place the writing is now on the wall for unfettered tracking of Internet users for the kind of high velocity, real-time trading of people’s eyeballs that the ad industry engineered for itself when no one knew what was being done with people’s data.

GDPR has already brought greater transparency. Once Europeans are no longer forced to trade away their privacy it’s clear they’ll vote with their clicks not to be ad-stalked around the Internet too.

The current chaos of non-compliant cookie notices is thus a signpost pointing at an underlying privacy lag — and likely also the last gasp signage of digital business models well past their sell-by-date.

10 Aug 2019

Startups Weekly: Angel vs. VC

Hello and welcome back to Startups Weekly, a weekend newsletter that dives into the week’s noteworthy startups and venture capital news. Before I jump into today’s topic, let’s catch up a bit. Last week, I wrote about DoorDash’s acquisition of Caviar, which no one saw coming. Before that, I jotted down some notes on SoftBank’s second Vision Fund.

Remember, you can send me tips, suggestions and feedback to kate.clark@techcrunch.com or on Twitter @KateClarkTweets. If you don’t subscribe to Startups Weekly yet, you can do that here.

What’s new?

Alternative funding mechanisms, like Clearbanc’s revenue share model, may be on the rise but most Silicon Valley startups still turn to venture capital to get their company off the ground. As I’ve previously said in this newsletter, VC spending in 2019 is reaching record-highs, already surpassing $62 billion. Angel investment, for its part, also continues to occupy a meaningful portion of private investment. So far this year, individual angels and angel groups in the U.S. have doled out $10 billion to startups. 

Angel investors are not traditional venture capitalists bogged down by processes, quotas and fund economics. Rather, they’re deep-pocketed former operators (often) with expansive networks. For some, their capital is superior to VCs; for others, a VC’s ability to write larger checks and participate in additional fundings as their company grows makes VC the only viable option. 

So how do early-stage startups decide whose money to take (if they have that luxury)? Here’s what Jana Messerschmidt, both an investor at Lightspeed Venture Partners and a founding partner of the angel network #ANGELS, had to say: “It’s dependent on who the individual angel is, as well as who the individual partner is. In these frothier times, I encourage founders to interview investors who take a slot on their cap table with the same rigor they would a potential employee.”

Ben Ling, an early Facebook executive who spent years angel investing only to launch his own institutional venture capital fund, Bling Capital, tells TechCrunch the plus side of angel investors is that they are oftentimes less sensitive to valuations. Angels, while they can’t usually invest as much capital as a VC, tend to offer better terms and be approving of less rigid deal structures.

But being an investor isn’t an angel’s full-time job, typically. The limited amount of time an angel can give each company may be problematic for a founder seeking mentorship but a non-issue for a more experienced founder, who is simply seeking an individual passionate about her or his vision. 

Given the rise in venture capital investment overall, more founders and former operators are running into wealth and opting to try on the VC hat for size. And more and more, those people are becoming professional investors with an appetite for a bigger pool of capital. Ling, as mentioned, decided last year to raise his first institutional fund, a $60 million effort, for example: “I think it’s rare for super angels to ‘beat’ firms for most regular financings but it certainly can happen,” Ling tells TechCrunch.

Presumably, that’s why he and many others (Cyan Banister, Keith Rabois, Ron Conway, James Currier) made the switch to “real” VC — to win over the best deals. As angels turn into VCs, whether your startup’s money came from one person’s wallet or an institutional fund matters a whole lot less. Just make sure you have good people investing in your company, and while you’re at it, make sure they’re diverse too.

That’s all for now… Onto the news.

WeWork IPO update

"WeWork" co-operative co-working space on March 13, 2013 in Washington, DC

Bloomberg reported Friday that WeWork was expected to make its IPO filing available next week. Soon, we can all finally get an inside look at the co-working giant’s financials. A reminder, WeWork was last valued at an eye-popping $47 billion and it wants to raise some $3.5 billion in the IPO. Skeptical? Me too.

#Equitypod

If you enjoy this newsletter, be sure to check out TechCrunch’s venture-focused podcast, Equity. In this week’s episode, available here, Equity co-host Alex Wilhelm and I discuss a new trend in venture capital: sperm storage startups. Equity drops every Friday at 6:00 am PT, so subscribe to us on Apple Podcasts, Overcast and Spotify.

Big Deals

Little Deals

M&A

Airbnb announced its acquisition of Urbandoor, a platform that offers extended stays to corporate clients, earlier this week. The terms of the deal were not disclosed, though an SEC filing connected with the deal emerged Friday, indicating the deal was worth more than $80 million in what’s likely a combination of cash and stock. We’ve got all the details on the deal here.

Healthtech & VC

Now it’s time for your weekly reminder to sign up for Extra Crunch. For a low price, you can learn more about the startups and venture capital ecosystem through exclusive deep dives, Q&As, newsletters, resources and recommendations and fundamental startup how-to guides. Here’s a passage from my personal favorite EC post of the week:

“Why is tech still aiming for the healthcare industry? It seems full of endless regulatory hurdles or stories of misguided founders with no knowledge of the space, running headlong into it, only to fall on their faces. Theranos is a prime example of a founder with zero health background or understanding of the industry — and just look what happened there! The company folded not long after founder Elizabeth Holmes came under criminal investigation and was barred from operating in her own labs for carelessly handling sensitive health data and test results…”

Read the rest of Sarah Buhr’s piece, ‘What leading healthtech VCs are interested in,’ here.

Just For Fun

10 Aug 2019

How safe are school records? Not very, says student security researcher

If you can’t trust your bank, government or your medical provider to protect your data, what makes you think students are any safer?

Turns out, according to one student security researcher, they’re not.

Eighteen-year-old Bill Demirkapi, a recent high school graduate in Boston, Massachusetts, spent much of his latter school years with an eye on his own student data. Through self-taught pen testing and bug hunting, Demirkapi found several vulnerabilities in his school’s learning management system, Blackboard, and his school district’s student information system, known as Aspen and built by Follett, which centralizes student data, including performance, grades, and health records.

The former student reported the flaws and revealed his findings at the Def Con security conference on Friday.

“I’ve always been fascinated with the idea of hacking,” Demirkapi told TechCrunch prior to his talk. “I started researching but I learned by doing,” he said.

Among one of the more damaging issues Demirkapi found in Follett’s student information system was an improper access control vulnerability, which if exploited could have allowed an attacker to read and write to the central Aspen database and obtain any student’s data.

Blackboard’s Community Engagement platform had several vulnerabilities, including an information disclosure bug. A debugging misconfiguration allowed him to discover two subdomains, which spat back the credentials for Apple app provisioning accounts for dozens of school districts, as well as the database credentials for most if not every instance of Blackboard’s Community Engagement platform, said Demirkapi.


Another set of vulnerabilities could have allowed an authorized user — like a student — to carry out SQL injection attacks. Demirkapi said six databases could be tricked into disclosing data, including grades, school attendance data, punishment history, library balances, and other sensitive and private data, by injecting SQL commands.

Some of the SQL injection flaws were blind attacks, meaning dumping the entire database would have been more difficult but not impossible.

In all, over 5,000 schools and over five million students and teachers were impacted by the SQL injection vulnerabilities alone, he said.

Demirkapi said he was mindful to not access any student records other than his own. But he warned that any low-skilled attacker could have done considerable damage by accessing and obtaining student records, not least thanks to the simplicity of the database’s password. He wouldn’t say what it was, only that it was “worse than ‘1234’.”

But finding the vulnerabilities was only one part of the challenge. Disclosing them to the companies turned out to be just as tricky.

Demirkapi admitted that his disclosure with Follett could have been better. He found that one of the bugs gave him improper access to create his own “group resource,” such as a snippet of text, which was viewable to every user on the system.

“What does an immature 11th grader do when you hand him a very, very, loud megaphone?” he said. “Yell into it.”

And that’s exactly what he did. He sent out a message to every user, displaying each user’s login cookies on their screen. “No worries, I didn’t steal them,” the alert read.

“The school wasn’t thrilled with it,” he said. “Fortunately, I got off with a two-day suspension.”

He conceded it wasn’t one of his smartest ideas. He wanted to show his proof-of-concept but was unable to contact Follett with details of the vulnerability. He later went through his school, which set up a meeting, and disclosed the bugs to the company.

Blackboard, however, ignored Demirkapi’s emails for several months, he said. He knows because after the first month of being ignored, he included an email tracker, allowing him to see how often the email was opened — which turned out to be several times in the first few hours after sending. And yet the company still did not respond to the researcher’s bug report.

Blackboard eventually fixed the vulnerabilities, but Demirkapi said he found that the companies “weren’t really prepared to handle vulnerability reports,” despite Blackboard ostensibly having a published vulnerability disclosure process.

“It surprised me how insecure student data is,” he said. “School data or student data should be taken as seriously as health data,” he said. “The next generation should be one of our number one priorities, who looks out for those who can’t defend themselves.”

He said if a teenager had discovered serious security flaws, it was likely that more advanced attackers could do far more damage.

Heather Phillips, a spokesperson for Blackboard, said the company appreciated Demirkapi’s disclosure.

“We have addressed several issues that were brought to our attention by Mr. Demirkapi and have no indication that these vulnerabilities were exploited or that any clients’ personal information was accessed by Mr. Demirkapi or any other unauthorized party,” the statement said. “One of the lessons learned from this particular exchange is that we could improve how we communicate with security researchers who bring these issues to our attention.”

Follett spokesperson Tom Kline said the company “developed and deployed a patch to address the web vulnerability” in July 2018.

The student researcher said he was not deterred by the issues he faced with disclosure.

“I’m 100% set already on doing computer security as a career,” he said. “Just because some vendors aren’t the best examples of good responsible disclosure or have a good security program doesn’t mean they’re representative of the entire security field.”

09 Aug 2019

How a Swedish saxophonist built Kobalt, the world’s next music unicorn

You may not have heard of Kobalt before, but you probably engage with the music it oversees every day, if not almost every hour. Combining a technology platform to better track ownership rights and royalties of songs with a new approach to representing musicians in their careers, Kobalt has risen from the ashes of the 2000 dot-com bubble to become a major player in the streaming music era. It is the leading alternative to incumbent music publishers (who represent songwriters) and is building a new model record label for the growing “middle class” of musicians around the world who are stars within niche audiences.

Having predicted music’s digital upheaval early, Kobalt has taken off as streaming music has gone mainstream across the US, Europe, and East Asia. In the final quarter of last year, it represented the artists behind 38 of the top 100 songs on U.S. radio.

Along the way, it has secured more than $200 million in venture funding from investors like GV, Balderton, and Michael Dell, and its valuation was last pegged at $800 million. It confirmed in April that it is raising another $100 million to boot. Kobalt Music Group now employs over 700 people in 14 offices, and GV partner Avid Larizadeh Duggan even left her firm to become Kobalt’s COO.

How did a Swedish saxophonist from the 1980s transform into a leading entrepreneur in music’s digital transformation? Why are top technology VCs pouring money into a company that represents a roster of musicians? And how has the rise of music streaming created an opening for Kobalt to architect a new approach to the way the industry works?

Gaining an understanding of Kobalt and its future prospects is a vehicle for understanding the massive change underway across the global music industry right now and the opportunities that it is and isn’t creating for entrepreneurs.

This article is Part 1 of the Kobalt EC-1, focused on the company’s origin story and growth. Part 2 will look at the company’s journey to create a new model for representing songwriters and tracking their ownership interests through the complex world of music royalties. Part 3 will look at Kobalt’s thesis about the rise of a massive new middle class of popular musicians and the record label alternative it is scaling to serve them.

Early lessons on the tough road of entrepreneurship

Image via Kobalt Music

It’s tough to imagine a worse year to launch a music company than 2000. Willard Ahdritz, a Swede living in London, left his corporate consulting job and sold his home for £200,000 to fully commit to his idea of a startup collecting royalties for musicians. In hindsight, his timing was less than impeccable: he launched Kobalt just as Napster and music piracy exploded onto the mainstream and mere months before the dot-com crash would wipe out much of the technology industry.

The situation was dire, and even his main seed investor told him he was doomed once the market crashed. “Eating an egg and ham sandwich…have you heard this saying? The chicken is contributing but the pig is committed,” Ahdritz said when we first spoke this past April (he has an endless supply of sayings). “I believe in that — to lose is not an option.”

Entrepreneurial hardship, though, is something Ahdritz had early experience with. Born in Örebro, a city of 100,000 people in the middle of Sweden, Ahdritz spent a lot of time as a kid playing in the woods, while also holding dual interests in music and engineering. Those two interests converged in the synthesizer revolution of early electronic music, and he was fascinated by bands like Kraftwerk.

09 Aug 2019

Adobe’s Amit Ahuja will be talking customer experience at TechCrunch Sessions: Enterprise

As companies collect increasingly large amounts of data about customers, the end game is about improving the customer experience. It’s a term we’re hearing a lot of these days, and we are going to be discussing that very topic with Amit Ahuja, Adobe’s vice president of ecosystem development, next month at TechCrunch Sessions: Enterprise in San Francisco. Grab your early-bird tickets right now – $100 savings ends today!

Customer experience covers a broad array of enterprise software and includes data collection, analytics and software. Adobe deals with all of this including the Adobe Experience Platform for data collection, Adobe Analytics for visualization and understanding and Adobe Experience Cloud for building applications.

The idea is to begin to build an understanding of your customers through the various interactions you have with them, and then build applications to give them a positive experience. There is lots of talk about “delighting” customers, but it’s really about using the digital realm to help them achieve what they want as efficiently as possible, whatever that means to your business.

Ahuja will be joining TechCrunch’s editors along with Qualtrics chief experience officer Julie Larson-Green and Segment CEO Peter Reinhardt to discuss the finer points of what it means to build a customer experience, and how software can help drive that.

Ahuja has been with Adobe since 2005 when he joined as part of the $3.4 billion Macromedia acquisition. His primary role today involves building and managing strategic partnerships and initiatives. Prior to this, he was the head of emerging businesses and the GM of Adobe’s Data Management Platform business, which focuses on advertisers. He also spent 7 years in Adobe’s Corporate Development Group where he helped complete the acquisitions of Omniture, Scene7, Efficient Frontier, Demdex and Auditude.

Amit will be joining us on Sept 5 in San Francisco along with some of the biggest influencers in enterprise including Bill McDermott from SAP, Scott Farquhar from Atlassian, Aparna Sinha from Google, Wendy Nather from Duo Security, Aaron Levie from Box and Andrew Ng from Landing AI.

Early-bird savings end today, August 9. Book your tickets today and you’ll save $100 before prices go up.

Bringing a group? Book our 4+ group tickets and you’ll save 20% on the early-bird rate. Bring the whole squad here.

09 Aug 2019

Biotech researchers venture into the wild to start their own business

Much of Silicon Valley mythology is centered on the founder-as-hero narrative. But historically, scientific founders leading the charge for bio companies have been far less common.

Developing new drugs is slow, risky, and expensive. Big clinical failures are all too common. As such, bio requires incredibly specialized knowledge and experience. But at the same time, the potential for value creation is enormous today more than ever with breakthrough new medicines like engineered cell, gene, and digital therapies.

What these breakthroughs are bringing along with them are entirely new models—of founders, of company creation, of the businesses themselves—that will require scientists, entrepreneurs and investors to reimagine and reinvent how they create bio companies.

In the past, biotech VC firms handled this combination of specialized knowledge + binary risk + outsized opportunity with a unique “company creation” model. In this model, there are scientific founders, yes; but the VC firm essentially founded and built the company itself—all the way from matching a scientific advance with an unmet medical need, to licensing IP, to having partners take on key roles such as CEO in the early stages, to then recruiting a seasoned management team to execute on the vision.

Image: PASIEKA/SCIENCE PHOTO LIBRARY/Getty Images

You could call this the startup equivalent of being born and bred in captivity—where great care and feeding early in life helps ensure that the company is able to thrive. Here the scientific founders tend to play more of an advisory role (usually keeping day jobs in academia to create new knowledge and frontiers), while experienced “drug hunters” operate the machinery of bringing new discoveries to the patient’s bedside. This model’s core purpose is to bring the right expertise to the table to de-risk these incredibly challenging enterprises—nobody is born knowing how to make a medicine.

But the ecosystem this model evolved from is evolving itself. Emerging fields like computational biology and biological engineering have created a new breed of founder, native to biology, engineering and computer science, that are already, by definition, the leading experts in their fledgling fields. Their advances are helping change the industry, shifting drug discovery away from a highly bespoke process—where little knowledge carries over from the success or failure of one drug to the next—to a more iterative, building-block approach like engineering.

Take gene therapy: once we learn how to deliver a gene to a specific cell in a given disease, it is significantly more likely we will be able to deliver a different gene to a different cell for another disease. Which means there’s an opportunity not only for novel therapies but also the potential for new business models. Imagine a company that provides gene delivery capability to an entire industry — GaaS: gene-delivery as a service!

Once a founder has an idea, the costs of testing it out have changed too. The days of having to set up an entire lab before you could run your first experiments are gone. In the same way that AWS made starting a tech company vastly faster and easier, innovations like shared lab spaces and wetlab accelerators have dramatically reduced the cost and speed required to get a bio startup off the ground. Today it costs thousands, not millions, for a “killer experiment” that will give a founding team (and investors) early conviction.

What all this amounts to is scientific founders now have the option of launching bio companies without relying on VCs to create them on their behalf. And many are. The new generation of bio companies being launched by these founders are more akin to being born in the wild. It isn’t easy; in fact, it’s a jungle out there, so you need to make mistakes, learn quickly, hone your instincts, and be well-equipped for survival. On the other hand, given the transformative potential of engineering-based bio platforms, the cubs that do survive can grow into lions.

Image via Getty Images / KTSDESIGN/SCIENCE PHOTO LIBRARY

So, which is better for a bio startup today: to be born in the wild—with all the risk and reward that entails—or to be raised in captivity?

The “bred in captivity” model promises sureness, safety, security. A VC-created bio company has cachet and credibility right off the bat. Launch capital is essentially guaranteed. It attracts all-star scientists, executives and advisors — drawn by the balance of an innovative, agile environment and a well-funded, well-connected support network. I was fortunate enough to be an early executive in one of these companies, giving me the opportunity to work alongside industry luminaries and benefit from their well-versed knowledge of how to build a world-class bio company with all its complex component parts: basic, translational, clinical research, from scratch. But this all comes at a price.

Because it’s a heavy lift for the VCs, scientific founders are usually left with a relatively small slug of equity—even founding CEOs can end up with ~5% ownership. While these companies often launch with headline-grabbing funding rounds of $50m or above, the capital is tranched — meaning money is doled out as planned milestones are achieved. But the problem is, things rarely go according to plan. Tranched capital can be a safety net, but you can get tangled in that net if you miss a milestone.

Being born in the wild, on the other hand, trades safety for freedom. No one is building the company on your behalf; you’re in charge, and you bear the risk. As a recent graduate, I co-founded a company with Harvard geneticist George Church. The company was bootstrapped — a funding strategy that was more famine than feast — but we were at liberty to try new things and run (un)controlled experiments like sequencing heavy metal wildman Ozzy Osbourne.

It was the early, Wild West days of the genomics revolution and many of the earliest biotech companies mirrored that experience — they weren’t incepted by VCs; they were created by scrappy entrepreneurs and scientists-turned-CEO. Take Joshua Boger, organic chemist and founder of Vertex Pharmaceuticals: starting in 1989 his efforts to will into existence a new way to develop drugs, thrillingly captured in Barry Werth’s The Billion-Dollar Molecule and its sequel The Antidote in all its warts and nail-biting glory, ultimately transformed how we treat HIV, hepatitis C and cystic fibrosis.

Today we’re in a back-to-the-future moment and the industry is being increasingly pushed forward by this new breed of scientist-entrepreneur. Students-turned-founders like Diego Rey of in vitro diagnostics company GeneWEAVE and Ramji Srinivasan of clinical laboratory Counsyl helped transform how we diagnose disease and each led their companies to successful acquisitions by larger rivals.

Popular accelerators like Y Combinator and IndieBio are filled with bio companies driven by this founder phenotype. Ginkgo Bioworks, the first bio company in Y Combinator and today a unicorn, was founded by Jason Kelly and three of his MIT biological engineering classmates, along with former MIT professor and synthetic biology legend Tom Knight. The company is not only innovating new ways to program biology in order to disrupt a broad range of industries, but it’s also pioneering an innovative conglomerate business model it has dubbed the “Berkshire for biotech.”

Like the Ginkgo founders, Alec Nielsen and Raja Srinivas launched their startup Asimov, an ambitious effort to program cells using genetic circuits, shortly after receiving their PhDs in biological engineering from MIT. And, like Boger, renowned machine learning Stanford professor Daphne Koller is working to once again transform drug discovery as the founder and CEO of insitro.

Just like making a medicine, no one is born knowing how to build a company. But in this new world, these technical founders with deep domain expertise may even be more capable of traversing the idea maze than seasoned operators. Engineering-based platforms have the potential to create entirely new applications with unprecedented productivity, creating opportunities for new breakthroughs, novel business models, and new ways to build bio companies. The well-worn playbooks may be out of date.

Founders that choose to create their own companies still need investors to scrub in and contribute to the arduous labor of company-building — but via support, guidance, and with access to networks instead. And like this new generation of founders, bio investors today need to rethink (and re-value) the promise of the new, and still appreciate the hard-earned wisdom of the old. In other words, bio investors also need to be multidisciplinary. And they need to be comfortable with a different kind of risk: backing an unproven founder in a new, emerging space. As a founder, if you’re willing to take your chances in the wild, you should have an investor that understands you, believes in you, can support you and, importantly, is willing to dream big with you.

09 Aug 2019

Car2go hikes hourly rental rates by as much as a third

By-the-minute car rental service Car2go is raising its rates for short trips under the guise of variable pricing, the company announced to its users today. As we’ve seen with other variably priced services like delivery and ride hailing, in practice this means you never really know what it will cost but will have little choice but to pay.

In an email to users of its service, Car2go said that as a result of “constantly evaluating our product, packages, and pricing strategies” it had arrived at the new system, under which price will depend on time, location, and day. The new cost structure takes effect next month.

For Car2go users, this will generally mean paying more. The company highlighted a new cheaper possible per-minute rate of 35 cents, significantly lower than the current $0.45 rate. But it’s easy to guess when that lower rate will be available: “times, locations, and days” that no one is using the service. Meanwhile, it’s also possible to encounter a new higher per-minute rate of up to 49 cents when cars are in demand or in a high-use location.

Blocks of time from half an hour to four hours are all increasing in price: The current flat rates are now floor rates, with the possibility you’ll be paying as much as a third more than before. For example, a two-hour block currently costs $29; soon it will cost somewhere between $30 and $39. Again, you won’t know until you open the app to check it out, at which point you’re probably already committed.

Day-length packages are actually cheaper under the new system, but no longer include miles, so while a 24-hour pass used to be $79, now it’s $70 — but at 19 cents per mile, you’ll be in the red after less than 50 miles. And the price only goes up from there. Still, it’s conceivable you’ll pay less for a 2- or 3-day rental if you’re not actually going anywhere distant, but just need a car for the weekend.

A newly instituted zone-based charge and refund system punishes drivers for leaving the city center and rewards those at the periphery for driving back towards heavy usage areas. There’s a $5 charge if you leave the central zone, and $5 refund — or the price of the trip, if less — if you bring a car in from the outer one. (Consult your local Car2go to see what the zones are in your city.)

Count the cards here and you can see the house always wins. If you’re going out, the full $5 fee always applies. If you’re coming in, it will be very difficult to nail that $5 ride — go under and Car2go is reimbursing less than the $5 (and thus comes out ahead), go over and you end up paying money anyway. It’s just one of those clever little traps businesses set up.

You can see the full changes in the chart below:

Oh, and your first 200 trips this calendar year have an additional $1 fee. You’re welcome!

In case you can’t tell, this is bad news for consumers, though it would be too much to expect that these prices would stay stable for years. But variable pricing is fundamentally anti-consumer because of a lack of transparency under which the companies controlling it can pull all kinds of shenanigans. Sadly, that makes it a great choice for the bottom line.

These unwelcome changes come six months after Car2go joined the BMW-Daimler joint venture Share Now, which has a variety of car-share services around the world it intends to unify under a single brand soon (it already killed ReachNow, rather abruptly). Apparently larger scale and reduced competition don’t actually lead to lower prices — unfortunate for their customers. But overall, floating car-share services remain an important option. Just not as cheap as they used to be.

09 Aug 2019

Apple starts selling Mophie’s take on AirPower

There’s no shortage of AirPower knockoffs on the market. Many have been in the works since Apple took the wraps off its in-house version, positioned as more affordable alternatives. Since the company unceremoniously pulled the plug on the project, however, they’re the only game in town.

We reviewed a $99 one a while ago. It seemed fine, and Amazon is currently overloaded with even more affordable options. It’s probably unfair to lump Mophie in with the knockoffs. The accessory maker produces pretty premium products at a price to match. And unlike the competition, it’s got the Apple seal of approval.

That means the company’s new 3-in-1 charging pad is most likely as close as you’re ever going to get to marching into an Apple Store and leaving with AirPower. Here’s the official description, per Mophie:

The 3-in-1 wireless charging pad conveniently charges iPhone, AirPods and Apple Watch from one central location. To ensure a seamless charging experience for all three devices, it features a dedicated cavity for AirPods, and an integrated charging stand for Apple Watch that holds it at the ideal angle for Nightstand Mode with an unobstructed view of the screen.

Sounds about right, right? The black charging pad operates similarly to most competitors, with designated slots for the three Apple products. That, after all, seems to have been the source of the issues with the original AirPower product: making a pad that was capable of charging three different products with different charging needs.

At $140, it’s in line with the AirPower’s price. As stated above, you can get an alternative for much cheaper, but maybe there’s something in the peace of mind of getting the device from a trusted name like Mophie.

09 Aug 2019

Reports say White House has drafted an order putting the FCC in charge of monitoring social media

The White House is contemplating issuing an executive order that would widen its attack on the operations of social media companies.

The White House has prepared an executive order called “Protecting Americans From Online Censorship” that would give the Federal Communications Commission oversight of how Facebook, Twitter and other tech companies monitor and manage their social networks, according to a CNN report.

Under the order, which has not yet been announced and could be revised, the FCC would be tasked with developing new regulations that would determine when and how social media companies filter posts, videos, or articles on their platforms.

The draft order also calls for the Federal Trade Commission to take those new policies into account when investigating or filing lawsuits against technology companies, according to the CNN report.

Social media censorship has been a perennial talking point for President Donald Trump and his administration. In May, the White House set up a tip line for people to provide evidence of social media censorship and a systemic bias against conservative media.

In the executive order, the White House says it received more than 15,000 complaints about censorship from the technology platforms. The order also includes an offer to share the complaints with the Federal Trade Commission.

As part of the order, the Federal Trade Commission would be required to open a public complaint docket and coordinate with the Federal Communications Commission on investigations of how technology companies curate their platforms — and whether that curation is politically agnostic.

Under the proposed rule, any company whose monthly user base includes more than one-eighth of the U.S. population would be subject to oversight by the regulatory agencies. A roster of companies subject to the new scrutiny would include Facebook, Google, Instagram, Twitter, Snap and Pinterest.

At issue is how broadly or narrowly companies are protected under the Communications Decency Act, which was part of the Telecommunications Act of 1996. Social media companies use the Act to shield against liability for the posts, videos, or articles that are uploaded from individual users or third parties.

The Trump administration isn’t the only party in Washington focused on the laws that shield social media platforms from legal liability. House Speaker Nancy Pelosi took technology companies to task earlier this year in an interview with Recode.

The criticisms may come from different sides of the political spectrum, but their focus on the ways in which tech companies could use Section 230 of the Act is the same.

The White House’s executive order would ask the FCC to disqualify social media companies from immunity if they remove or limit the dissemination of posts without first notifying the user or third party that posted the material, or if the decision from the companies is deemed anti-competitive or unfair.

The FTC and FCC had not responded to a request for comment at the time of publication.