Author: azeeadmin

A code repository used by the New York state government’s IT department was left exposed on the internet, allowing anyone to access the projects inside, some of which contained secret keys and passwords associated with state government systems.

The exposed GitLab server was discovered on Saturday by Dubai-based SpiderSilk, a cybersecurity company credited with discovering data spills at Samsung, Clearview AI and MoviePass.

Organizations use GitLab to collaboratively develop and store their source code — as well as the secret keys, tokens and passwords needed for the projects to work — on servers that they control. But the exposed server was accessible from the internet and configured so that anyone from outside the organization could create a user account and log in unimpeded, SpiderSilk ‘s chief security officer Mossab Hussin told TechCrunch.

When TechCrunch visited the GitLab server, the login page showed it was accepting new user accounts. It’s not known exactly how long the GitLab server was accessible in this way, but historic records from Shodan, a search engine for exposed devices and databases, shows the GitLab was first detected on the internet on March 18.

SpiderSilk shared several screenshots showing that the GitLab server contained secret keys and passwords associated with servers and databases belonging to New York State’s Office of Information Technology Services. Fearing the exposed server could be maliciously accessed or tampered with, the startup asked for help in disclosing the security lapse to the state.

TechCrunch alerted the New York governor’s office to the exposure a short time after the server was found. Several emails to the governor’s office with details of the exposed GitLab server were opened but were not responded to. The server went offline on Monday afternoon.

Scot Reif, a spokesperson for New York State’s Office of Information Technology Services, said the server was “a test box set up by a vendor, there is no data whatsoever, and it has already been decommissioned by ITS.” (Reif declared his response “on background” and attributable to a state official, which would require both parties agree to the terms in advance, but we are printing the reply as we were not given the opportunity to reject the terms.)

When asked, Reif would not say who the vendor was or if the passwords on the server were changed. Several projects on the server were marked “prod,” or common shorthand for “production,” a term for servers that are actively use. Reif also would not say if the incident was reported to the state’s Attorney General’s office. When reached, a spokesperson for the Attorney General did not comment by press time.

TechCrunch understands the vendor is Indotronix-Avani, a New York-based company with offices in India, and owned by venture capital firm Nigama Ventures. Several screenshots show some of the GitLab projects were modified by a project manager at Indotronix-Avani. The vendor’s website touts New York State on its website, along with other government customers, including the U.S. State Department and the U.S. Department of Defense.

Indotronix-Avani spokesperson Mark Edmonds did not respond to requests for comment.

Read more:

• Volkswagen says a vendor’s security lapse exposed 3.3 million drivers’ details
• Peloton and Echelon profile photo metadata exposed riders’ real-world locations
• Zocdoc says ‘programming errors’ exposed access to patients’ data
• Amazon’s Ring Neighbors app exposed users’ precise locations and home addresses
• How Jamaica failed to handle its JamCOVID scandal

Snap today announced a multi-year deal with Universal Music Group, one of the largest music companies in the world. From Queen to Justin Bieber, users can clip songs from the expansive UMG catalog to use in their Snaps and on Spotlight, the app’s TikTok competitor. This announcement comes after Snapchat added its Sounds feature in October, which lets users enhance their Snaps with music that Snap has licensed. Snap says that since then, over 521 million videos have been created using Sounds, which have been viewed over 31 billion times.

Of course, Snapchat’s investment in music is a direct response to the growth of music on TikTok. Last year, Fleetwood Mac’s 1977 album “Rumours” re-entered the Billboard charts after “Dreams,” a song on the record, went viral on TikTok. Dance trends also often go viral on TikTok, which can correlate with a boost in sales for the artist whose song is featured. So, the more music that’s licensed by apps like TikTok and Snapchat, the more opportunity there is for another Nathan Apodaca moment, which means free publicity for the platform.

Already, gen Z artists like Olivia Rodrigo have leveraged these social platforms to promote their new music. On Snap, over 10 million videos were created using her song “Driver’s License,” Snap reports. Rodrigo was also the first artist to use AR Lenses on Snapchat to promote her record-breaking debut “Sour,” but to be fair, she also shared AR effects on Instagram.

Olivia Rodrigo sings about “deja vu” on her new album, and you might also be getting deja vu from Snap’s announcement. TikTok also struck a deal with UMG in February. And before that, in November, TikTok announced a new licensing agreement with Sony. Meanwhile, Snap’s portfolio of music partners include Warner Music Group, Sony Music Publishing, and more. These deals aren’t exclusive — you can make a video with “deja vu” on Snapchat, TikTok, and Instagram alike. When it comes to deals like these, it’s a constant battle of reactionary one-upmanship. If TikTok makes a deal with UMG, Snapchat needs to strike a deal with UMG as well to remain competitive, which is what we’re seeing today. As our friend Olivia would say, it’s brutal out here.

Digital media outfit BuzzFeed announced today that it will go public via a SPAC, or blank check company. BuzzFeed also disclosed that it will purchase Complex, another media company, for $300 million in cash and shares in BuzzFeed itself; the SPAC deal will help finance its purchase of Complex.

The transaction will see BuzzFeed merge with 890 Fifth Avenue Partners Inc., a public company, with the combined entity sporting an enterprise valuation of around $1.5 billion after its completion.

BuzzFeed’s SPAC partner is bringing $288 million in cash to the table, and BuzzFeed intends to raise another $150 million in a convertible debt offering.

In raw numbers, BuzzFeed is a large company with hundreds of millions of dollars in yearly revenue and a roughly break-even business in recent years. The company’s investor presentation anticipates a return to growth after a mostly flat 2020, and rising profitability over time.

So let’s get into the company’s investor presentation. We want to know about its historical growth, anticipated growth, revenue mix and profitability, as well as how the company thinks about its news division. Let’s go!

I’ve broken each of our points into its own mini-section, so if you want to skate ahead to any particular point, feel free!

Historical revenue growth

Why is BuzzFeed buying Complex? In part, because it adds audience scale to its platform, a key to the company’s expected future advertising revenue growth (more on that in a moment). But also because Complex adds a lot of revenue to its overall top-line picture.

For example, in BuzzFeed’s historical revenue figures we see the following numbers:

• 2019: $425 million
• 2020: $421 million

But the company’s historical results are inclusive of Complex. Here’s the breakdown of the company’s historical revenues (gray) and Complex’s own (black). The combined figures are what BuzzFeed notes in its trailing metrics:

Image Credits: BuzzFeed SPAC deck

From this breakdown, we can see that BuzzFeed anticipates 19% growth from Complex in 2021, and just under 23% growth from the group it’s acquiring in 2022.

Per a later slide, BuzzFeed grew 4% in 2019, inclusive of historical Complex numbers. That figure fell to -1% in 2020.

Our read of the company’s historical revenue growth is that it weathered a turbulent 2020 in reasonable health; digital advertising took a huge hit in the first half of the year, likely impacting BuzzFeed’s operating results. To see it manage an essentially flat revenue result last year feels pretty OK.

Future revenue growth

SmartAsset, a marketplace that connects consumers to financial advisors, announced today that it has raised $110 million in a Series D round of funding.

The financing values New York-based SmartAsset at over $1 billion, and brings its total raised since its 2012 inception to just over $161 million, according to Crunchbase.

TTV Capital led SmartAsset’s Series D, which also included participation from Javelin Venture Partners, Contour Venture Partners, Citi Ventures, New York Life Ventures, North Bridge Venture Partners and CMFG Ventures.

The company last raised in June of 2018 – a $28 million Series C led by Focus Financial Partners. Since then, it says it has grown revenue “by 10 times” and is now on the cusp of reaching $100 million in ARR (annual recurring revenue). It recently made its one millionth consumer/advisor match on its SmartAdvisor platform. Also in 2020, SmartAsset says it referred $10 billion in new, closed assets under management (AUM) to financial advisors and firms across the U.S.

Besides pairing consumers with advisors with its Automated Financial Modeling software, SmartAsset claims to reach over 100 million people each month through its personal finance content, tools and “personalized” calculators.

Prior to starting the company, Carvin worked in finance. In an interview with Y Combinator (one of its backers), he shared how his frustration in finding information about buying a home and getting a mortgage “that was useful, accurate and unbiased” led him to join forces with Philip Camilleri to found SmartAsset.

“Calculators had obvious errors and the content seemed like it was all written by people that wanted me to take out the largest mortgage possible,” he added. So the pair launched SmartAsset in an effort to provide people with the tools and content to help them make better decisions around topics such as retirement, taxes, savings, homeownership and insurance.

The company plans to use the new capital to invest in new product offerings, technology infrastructure and data partnerships. It also plans to boost its current headcount of 202 by more than 75% this year.

TTV Capital Partner Mark Johnson said the company “is quickly expanding its lead in one of the largest markets in the U.S. by providing an incredibly valuable resource for both consumers and financial advisors alike.”

The funding and its flashy valuation comes with a certain weight, even in the growing world of unicorn companies.

The company claims that, with today’s news, co-founder Michael Carvin now becomes the fourth Black founder and CEO of a company valued at over $1 billion. Others include Compass CEO and founder Robert Reffkin, whom we recently profiled here, and Calendly CEO and founder Tope Awotona, who we have also profiled.

While exciting, the unfortunate rarity of Black-led unicorns is a symptom of historical underfunding in Black or African-American startup founders. Crunchbase estimates that in 2020, 1% of total venture capital funding, or $1 billion, went to this cohort of founders.

A number of Black-led venture capital firms have closed investments in the past year, which could change this number, including Collab Capital’s $50 million investment vehicle, Harlem Capital, which closed a $134 million seed fund earlier this year; Cleo Capital, which set a $20 million target for Fund II; and MaC VC, which landed $103 million for its inaugural fund.

HBCUvc and Google for Startups also announced this month two separate efforts to provide non-dilutive capital to early-stage, underrepresented founders.

With a Series D under its belt, SmartAsset is working on taking out the bias from personal finance – while it itself is a case study in how overlooked founders, which routinely suffer from this exact phenomenon, continue to lead strong businesses.

In the U.S, after you get vaccinated against COVID-19 you are given a small paper card issued by the CDC that is essentially the only evidence that you’ve received your shots. It might seem like a flimsy level of proof, one that you could easily lose, but replacing that paper copy with a digital one has become a political lightning rod in America.

In spite of that, many companies are attempting to attack the problem to produce a viable form of digital proof, sometimes called vaccine passports. For all intents and purposes, what many call a vaccine passport is simply proof you’ve been vaccinated that you can carry on your smartphone, rather than on a card in your wallet.

Some have argued against the digital approach for privacy reasons. Others have claimed it is a civil liberties issue, and some have pointed to equity issues related to not having equal access to appropriate technology or the internet.

That lack of consensus along with the open ethical questions, has led some states including Florida and Georgia to ban the use of electronic passport records, at least as far as requiring them to conduct state business or to create a centralized vaccination record keeping system. In Iowa, the governor signed a law last month that prohibits businesses and the state from requiring any proof to access services, whether the card is physical or digital.

These are just a few examples of the patchwork of state laws and executive orders that has resulted in even more complexity for companies trying to develop products to solve this problem. But not every state is banning digital vaccination records. Earlier this month, California opened a registration system to request a digital record of your vaccination and New York announced a system earlier this year to download proof of vaccination to your smartphone. More on these approaches later.

We spoke to several experts to get their take on moving your vaccine card to the digital world to find out how this could work in spite of the obvious friction.

Practical issues

According to Dr. Shira I. Doron from Tufts Medical Center in Boston, whose specialties include infectious diseases and hospital epidemiology, it’s not as simple a matter as may sound.

For starters she says, states have not kept records in a consistent way. People have been getting vaccinated in all kinds of places from school gyms to pharmacies to stadiums, and it’s not clear if those records have made their way to people’s primary care physicians, assuming they even have one.

“[Vaccine passports could work] if [a system] had been rolled out that way [with central record keeping in mind] from December 15th [when we started vaccinating], but it was not. So, if somebody takes it on to go backwards and issue that kind of proof to people, maybe a system like that could work — and of course there are a lot of people that have taken issue with the ethics of that,” she said.

For her, it comes down to infection rates. As they drop with more people getting vaccinated, it could alleviate the need for any kind of proof at all because we would be safer simply because the infection rate fell below 10%. “I think that more ideally we get down to such a low infection rate and such high rate of vaccination that there is no longer a concern about people walking into a building,” she said.

Putting it in on the blockchain

If the infection rate remains higher than desirable, or certain entities like universities want to require it, how do we offer proof of vaccination beyond the paper card? Some people are pointing to the blockchain, but the approach isn’t without controversy. New York State is using IBM’s blockchain technology for its proof of vaccination called Excelsior Pass, but privacy advocates worry that doing so could expose people’s personal medical information.

The idea with the IBM approach is that you to go to your physician’s healthcare portal or some other place that has your vaccine records, and which has partnered with IBM. The portal will present you with a QR code which you can take a picture of with your phone and store in your phone’s digital wallet. The person then presents the QR code at a venue, which uses a companion scanning application to view it to see proof of vaccination (or a recent negative test). Finally the venue would verify the identity of that person with a secondary form of ID like a driver’s license.

The question then is why use the blockchain at all in this instance. IBM Global VP of Payer and Emerging Business Networks Eric Piscini, says that there are three main reasons. “The first is that the immutability of the blockchain is extremely important, and that’s [a big reason] why we use it. The second piece, which is also very important is the decentralization of that platform so that [all of the vaccine data] is not just in one place. It’s decentralized and managed by different parties. […] The third piece […] is the audit trail, and not just for me as a consumer, but as an [entity] that is trying to verify me,” he explained.

But are those reasons enough to justify its use? Steve Wilson, an analyst at Constellation Research, who specializes in end user privacy thinks the blockchain is an inappropriate technology to use for digital proof of vaccination. “Basically, I don’t see how blockchain adds anything to the digitizing of COVID vaccinations or tests. The purpose of blockchain is to crowd-source agreement on the ordering of some events, and logging that order in a shared record. What problem in vaccination management does that address,” he asked.

An open-source approach to the problem

When California released a digital vaccination record app last week, it went a different route, using an open-source framework called the Smart Health Cards Framework. The framework was developed by an organization called The Commons Project (TCP) along with a broad coalition of health and technology organizations including Oracle, Microsoft, Salesforce, Epic and others.

JP Pollack, co-founder of The Commons Project, Senior Researcher-in-Residence at Cornell Tech, and Assistant Professor at Weill Cornell Medicine, says that since the government has made clear it won’t be compiling vaccine records in a central database, and because the vaccine administration system itself is so fragmented, it’s even more challenging to create digital records. His organization is working to create a solution to that problem.

“What we’re working on at The Commons Project is a steering group called the Vaccination Credential Initiative or VCI. And the purpose of that group is basically to design and advocate for a specification, someday hopefully a standard, that makes it so that all of those disparate issuers of vaccines can issue the same vaccine record in a signed and portable format,” he said.

That comes in the form of a Smart Health Card app that TCP has developed. “The additional layer that we have built is what turns [your vaccine] information into what we’re calling the Smart Health Card. And basically it’s all of the information that goes on your CDC card — so your name, your date of birth, the type of vaccine that you received, the dates of your doses, lot numbers and where you received it. All of those kinds of things get packaged up into this credential, and that credential is then signed by the issuer,” he said.

In addition to California, the state of Louisiana also went live with the The Commons Project solution this week, and Walmart recently announced that anyone that received their vaccine through them is now able to download a digital version of their vaccine record directly to the CommonHealth app (available on Android) or CommonPass app (available on iOS or Android). The company also hinted that other companies that have administered the vaccine would be following Walmart’s lead in the coming weeks and providing access to digital records through the same apps.

The approach doesn’t necessarily solve all of the criticisms around equitable access to technology, privacy or the ethics of being asked to show proof vaccination, but it does provide a means to deliver the information digitally for those that want it in an open way.

Regardless of the method your state chooses, if it indeed chooses any approach at all,  it will come with its own set of pros and cons. The paper CDC card, as Wilson points out, is similar in many ways to the “Yellow Card” vaccination record that people traveling overseas have been carrying for decades, and that has worked fine.

But it seems that in 2021 when approximately half the world’s population owns a smartphone, while two-thirds have some sort of mobile phone, smart or otherwise, it makes sense to make this record available in a digital form. For the many startups and large companies trying to solve that problem, they will have to do more than come up with a clever solution. They will also need to figure out how to convince individuals, businesses and governments that it makes sense to even offer this approach, and that may be the biggest hurdle of all.

As we become more and more aware of the kind of impact we are having on this planet we call our home, just about everything is having its CO2 impact measured. Who knew, until recently, that streaming Netflix might have a measurable impact on the environment, for instance. But given vast swathes of the Internet are populated by Web sites, as well as streaming services, then they too must have some sort of impact.

It transpires that a new service has identified how to gauge that, and now it’s raised Venture capital to scale.

Ryte raised €8.5 million ($10M) in a previously undisclosed round led by Bayern Kapital out of Munich and Octopus Investments out of London earlier this year for its Website User Experience Platform.

It has now launched the ‘Ryte Website Carbon KPI’, which claims to be able to help make 5% of all websites carbon neutral by 2023.

Ryte says it worked with data scientists and environmental experts to develop the ability to accurately measure the carbon impact of client’s websites. According to carbon transition thinktank, the Shift Project, the carbon footprint of our gadgets, the internet, and the systems supporting them accounts for about 3.7% of global greenhouse emissions. And this trend is rising rapidly as the world digitizes itself, especially post-pandemic.

Ryte has now engaged its Data Scientist, Katharina Meraner, who has a PhD in climate science and global warming, and input from Climate Partner, to launch this new service.

Andy Bruckschloegl, CEO of Ryte said: “There are currently 189 million active websites. Our goal is to make 5% of all active websites, or 9.5 million websites, climate neutral by the end of 2023 with the help of our platform, strong partners, social media activities, and much more. Time is ticking and making websites carbon neutral is really easy compared to other industries and processes.”

Ryte says it is also collaborating with a reforestation project in San Jose, Nicaragua, to allow its customers to offset their remaining emissions through the purchase of climate certificates.

Using a proprietary algorithm, Ryte says it measures the code of the entire website, average page size, as well as monthly traffic by channel then produces a calculation of the amount of CO2 it uses up.

Admittedly there are similar services but these are ad-hoc and not connected to a platform. A simple Google search will bring us sites like Websitecarbon, Ecosistant, and academic papers. But as far as I can tell, a startup like this hasn’t put this kind of service into their platform yet.

“Teaming up with Ryte will help raise awareness on how information technology contributes to climate change – while at the same time providing tools to make a difference. Ryte’s industry-leading carbon calculator enables thousands of website owners to understand their carbon footprint, to offset unavoidable carbon emissions and thus lay a basis for a comprehensive climate action strategy,” commented Tristan A. Foerster, Co-CEO ClimatePartner.

Bad meetings are the fast food of the knowledge worker; it’s so deliciously quick and easy to throw a 60-minute default meeting on everyone’s schedule, but the long-term costs are extremely unhealthy.

Busy meeting organizers drive-thru schedule meetings because they think they don’t have time to plan. They expect good outcomes to come from little preparation, which doesn’t happen. The meetings are being held and progress is stilted.

One way to save everyone significant time (and win lots of friends) would be to just get rid of all meetings, but a well-prepared and well-run session can expedite communication and get a team closer to its goals. Unfortunately, most meetings are lazily planned and poorly run, imprisoning attendees and halting productivity.

So how can you separate the good meetings from the bad?

Measure your meeting waistline

No one measures the impact of their meetings. So the first step is to start keeping meeting metrics so that you can identify the bad meetings on your teams’ calendars.

My company has created a calendar assistant that automatically measures and stops bad meetings before they occur, but if you can’t automate the prevention of bad meetings, survey and learn from attendees after the meeting to record and measure them.

Create taxonomies and quantify the types of meetings that are being held — for example: “information sharing,” “brainstorming,” “1:1,” “decision-making,” etc.

After several months (ideally a year) of collecting metrics, you can grade the quality and look for patterns. You will probably find something along these lines:

• Very few employees decline meetings, even when it’s obvious that the meeting is going to be a doozy.
  
  

What are the most important factors when you’re pitching your startup for fundraising? What questions come to the minds of the VCs you’re pitching? How do you get the deal across the finish line? Or choose the right investors for your company to begin with?

Extra Crunch Live looks to answer all these questions and more. Thus far, Coda’s Shishir Mehrotra and investor S. Somasegar have told us what sings in Coda’s pitch doc (not deck). We’ve heard how important it is to be customer-obsessed from Toast’s Aman Narang and BVP’s Kent Bennett. And Fifth Wall’s Brendan Wallace laid out all the biggest opportunities in prop tech. And that was just in the last month or so.

In July, we have more top-notch speakers on the roster, including big-name founders and seasoned investors. What’s more, these speakers are ready to hear about your startup. ECL features the Extra Crunch Live Pitch-off, where founders in the audience can pitch their products to speakers and get live feedback.

So without any further ado, here is a look at the amazing speakers we have joining us in July.

Jordan Nof (Tusk Venture Partners) + Michelle Davey (Wheel)

July 14 – 12pm PT/3pm ET

Jordan Nof, co-founder and general partner at Tusk Venture Partners, led early investments in companies like Lemonade, Bird and Sunday. He also invested in Wheel, co-founded by Michelle Davey, an infrastructure company focused on virtual care. Join in a conversation with them on Extra Crunch Live about what it takes to raise funding and use it to the greatest effect.

REGISTER FOR TUSK VENTURE PARTNERS AND WHEEL

Extra Crunch Live: Startup Alley Edition w/ Alexa von Tobel

July 21 – 12pm PT/3pm ET

Check out the Startup Alley companies that will exhibit at TechCrunch Disrupt 2021 in an episode dedicated to the art of the pitch.

REGISTER FOR STARTUP ALLEY EDITION

Stephanie Zhan (Sequoia Capital) + Nick Fajt (Rec Room)

July 28 – 12pm PT/3pm ET

Sequoia Capital is one of the biggest names in VC. On this episode of ECL, Sequoia partner Sephanie Zhan and Rec Room CEO Nick Fajt talk about how the two came together for the startup’s seed round, why Zhan also led the Series A, and how it’s gone on to raise nearly $150 million in funding.

REGISTER FOR SEQUOIA CAPITAL AND REC ROOM

As a reminder, Extra Crunch Live is accessible to anyone and everyone who wants to come hang out. However, only Extra Crunch members get access to the content on-demand. If you’re not already an Extra Crunch member, what are you waiting for? 

Having read more SPAC investor decks in the last twelve months than I’d like to admit to, I thought I was over being irked by their bullishness. Call me conservative, but public companies shouldn’t be full of shit, and companies going public should probably aim for a similar target.

That’s why S-1 filings for traditional IPOs are great. When it comes to numbers, they are honest. The filings don’t include forecasts for the next year, let alone the next half decade. Sure, companies will make a pitch for their model and methods, but S-1 filings are pretty good from an honesty perspective. Mostly.

SPAC investor decks are the opposite. I mean, look at this chart:

Historical revenue? Who needs it! Look at the growth that could maybe, possibly, theoretically happen! 201% CAGR!

Here’s another favorite:

Sure, Bob.

Here’s a super-grainy image from the Local Bounti SPAC investor deck. It’s the least-blurry version I could find. Enjoy the charts!

I’m going to change the numbers on these, label them “Alex’s future blogging output” and turn them in before my next performance review.

Here’s another great one, this time from Pear Therapeutics:

And one more, this time from the recent Embark deal that TechCrunch covered here:

What about historical revenues? Or expectations from 2021, 2022 or 2023? Who knows!

Given what we’ve learned about the accuracy of SPAC performance predictions, I think we need a Godzilla-sized Salt Bae to make all of this palatable.

Ecosystems make strange bedfellows. Here’s one of the stranger in recent memory – and one of the most unexpected bits of news from today’s Windows 11 event. Microsoft announced today that it will be making Android apps available on the next major version of its operating system.

Chief Product Officer Panos Panay called the addition, “just one more small surprise,” noting that the mobile apps can be integrated into the Start menu and taskbar. They’ll also tile or “window” as part of the OS’s new application placement UI.

Image Credits: Microsoft

The apps will be available through the Microsoft Store by way of the Amazon Appstore. The company highlighted TikTok running on a demo of the operating system. The app is presented in a vertical, portrait orientation, as you would expect from an mobile-first design.

With 1.85 million Android apps, it’s currently a way to flood the Microsoft app store with a whole bunch of new content – and make sure the latest popular mobile apps are suddenly available on the platform. Though time will tell how good the experience (built on top of Intel Bridge) ultimately is.

Windows 11 arrives this holiday season.