Hello and welcome back to Equity, TechCrunch’s venture capital-focused podcast (now on Twitter!), where we unpack the numbers behind the headlines.
The whole crew was back, with Natasha Mascarenhas and Danny Crichton and myself chattering with Chris Gates behind the scenes making it all work. An extra shoutout to Natasha this week as we spent a lot of time talking about edtech, a category that she spearheads for us and has brought to the show. It’s a big deal!
We’re on YouTube now, don’t forget, and with that, let’s get into the news:
What else? This a16z post on IPOs that we fangirl/fanboy’d over as it is good. And we forgot to mention this Fred Wilson post, but it is also good.
And with that, we are nearly at the weekend which is a long one thanks to a holiday, so expect Equity Monday to be, in fact, Equity Tuesday next week. Hugs and good vibes from the Equity Crew!
Equity drops every Monday at 7:00 a.m. PT and Thursday afternoon as fast as we can get it out, so subscribe to us on Apple Podcasts, Overcast, Spotify and all the casts.
Cygilant, a threat detection cybersecurity company, has confirmed a ransomware attack.
Christina Lattuca, Cygilant’s chief financial officer, said in a statement that the company was “aware of a ransomware attack impacting a portion of Cygilant’s technology environment.”
“Our Cyber Defense and Response Center team took immediate and decisive action to stop the progression of the attack. We are working closely with third-party forensic investigators and law enforcement to understand the full nature and impact of the attack. Cygilant is committed to the ongoing security of our network and to continuously strengthening all aspects of our security program,” the statement said.
Cygilant is believed to be the latest victim of NetWalker, a ransomware-as-a-service group, which lets threat groups rent access to its infrastructure to launch their own attacks, according to Brett Callow, a ransomware expert and threat analyst at security firm Emsisoft.
The file-encrypting malware itself not only scrambles a victim’s files but also exfiltrates the data to the hacker’s servers. The hackers typically threaten to publish the victim’s files if the ransom isn’t paid.
A site on the dark web associated with the NetWalker ransomware group posted screenshots of internal network files and directories believed to be associated with Cygilant.
Cygilant did not say if it paid the ransom. But at the time of writing, the dark web listing with Cygilant’s data had disappeared.
“Groups permanently delist companies when they’ve paid or, in some cases, temporarily delist them once they’ve agreed to come to the negotiating table,” said Callow. “NetWalker has temporarily delisted pending negotiations in at least one other case.”
When we leaked Palantir’s S-1 IPO filing a week and a half ago, one of the more bizarre components that came out of that document was the company’s corporate governance. In a unique three-class voting structure, Palantir founders Alex Karp, Stephen Cohen, and Peter Thiel will be given a special “Class F” share that will ensure they hold 49.999999% of the ownership of the company in perpetuity — even if they sell the underlying shares.
While founders of startups in recent years have often had special shares with extra votes (typically 10 votes for their special shares compared to one vote for standard shares), those votes dissipate if the underlying shares are sold. Palantir’s model is unique in allowing founders to have a commanding vote even if they were to sell their shares — in other words, voting power without underlying shareholder power, in direct contradiction to modern shareholder theory.
That strange controlling provision has clearly caught the attention of the SEC and the NYSE. In an amended S-1 filing with the SEC submitted this afternoon, Palantir made changes to its documents that made clear that its corporate governance will be more opaque far after its public debut.
First, Palantir has added a new risk factor to its original prospectus, which we will copy here in full because it really tells you a lot about where the company is headed on corporate governance:
Although we currently are not considered to be a “controlled company” under the NYSE corporate governance rules, we may in the future become a controlled company due to the concentration of voting power among our Founders and their affiliates.
Although we currently are not considered to be a “controlled company” under the NYSE corporate governance rules, we may in the future become a controlled company due to the concentration of voting power among our Founders and their affiliates resulting from the issuance of our Class F common stock. See “—The multiple class structure of our common stock, together with the Founder Voting Trust Agreement and the Founder Voting Agreement, have the effect of concentrating voting power with certain stockholders, in particular, our Founders and their affiliates, which will effectively eliminate your ability to influence the outcome of important transactions, including a change in control.” above. A “controlled company” pursuant to the NYSE corporate governance rules is a company of which more than 50% of the voting power is held by an individual, group, or another company. In the event that our Founders or other stockholders acquire more than 50% of the voting power of the Company, we may in the future be able to rely on the “controlled company” exemptions under the NYSE corporate governance rules due to this concentration of voting power and the ability of our Founders and their affiliates to act as a group. If we were a controlled company, we would be eligible to and could elect not to comply with certain of the NYSE corporate governance standards. Such standards include the requirement that a majority of directors on our board of directors are independent directors and the requirement that our compensation committee and nominating and corporate governance committee consist entirely of independent directors. 
In such a case, if the interests of our stockholders differ from the group of stockholders holding a majority of the voting power, our stockholders would not have the same protection afforded to stockholders of companies that are subject to all of the NYSE corporate governance standards, and the ability of our independent directors to influence our business policies and corporate matters may be reduced.
In other words, public shareholders in the company will likely legally have zero input into the governance of the company. The key line here is “If we were a controlled company, we would be eligible to and could elect not to comply with certain of the NYSE corporate governance standards.”
Will Palantir be a controlled company? The answer is almost certainly yes, given another subtle change the company made in its amended filing today.
In its original filing, the company wrote that the Class F stock given to Karp, Cohen, and Thiel “will give these Founders the ability to control up to 49.999999% of the total voting power of our capital stock” (emphasis mine). Now in its restated filing, the company notes that the shares “will give these Founders the ability to control up to 49.999999% of the total voting power of our capital stock, and the Founders may, in certain circumstances, have voting power that, in the aggregate, exceeds 49.999999%” (emphasis again mine).
The reason of course is that Karp, Cohen, and Thiel own other classes of shares that when added to these special Class F “founder” shares, will give them a controlling stake in the company.
According to the filing, these new Class F shares were approved by existing shareholders on August 24. In the company’s prospectus sent to existing shareholders (a leaked copy of which was obtained by TechCrunch), the company explained across more than a dozen pages the rationale and the timeline for why existing shareholders should approve not having any further say in their company’s governance.
Given the diminished voting power of employee and investor shares, it is possible that these voting provisions will negatively impact the final price of those shares.
The company in its amended filing noted that it has finally determined that Alexander Moore, Spencer Rascoff, and Alexandra Schiff, who were recently hired as new independent directors of the company, are in fact independent.
That said, Palantir also admitted that it doesn’t intend to have independent governance for a while at the company. From its amended filing and changed from its original filing:
Certain phase-in periods with respect to director independence will be available to us under the applicable NYSE rules. These phase-in periods allow us a period of one year from our listing date to have a Board of Directors with a majority of independent directors. Our Board of Directors will have a majority of independent directors within one year of our listing on the NYSE.
It also won’t have independent board governance of its audit committee either:
We intend to rely on the phase-in provisions of Rule 10A-3 of the Exchange Act and the NYSE transition rules applicable to companies completing an initial listing, and we plan to have an audit committee comprised entirely of at least three directors that are independent for purposes of serving on an audit committee within one year after our listing date.
Currently, the company has only two independent directors on its audit committee, Moore and Rascoff.
The SEC and NYSE seem to be pushing back against Palantir on its corporate governance, but let’s just be clear: we have never seen anything like this before with a startup IPO.
It has always been considered a matter of when, and not if, Nintendo would begin capitalizing in earnest on content from beyond the SNES generation. The company has finally shown its intent to do so today — but with an uneven approach that leaves some fans worried about its intentions for other all-time gaming classics from the 64-bit era and beyond.
In a celebratory video of 35 years of Super Mario Bros. history, Nintendo announced a litter of new and old games starring its iconic plumber protagonist.
Some of its announcements were very Nintendo in a good way. Making a Mario Kart that, like the Labo DIY projects, bridges the gap between reality and game is a brilliant idea and very unlike what others in console gaming are doing. And the retro-style “Game & Watch” handheld pre-loaded with Super Mario Bros. and the Lost Levels will no doubt be a popular gift this holiday season.
Nintendo also demonstrated a willingness to experiment with its oldest and in some ways most conservative franchise with Super Mario Bros. 35, a sort of battle royale version of the original game where 35 players compete on the same level, sending hazards to one another and attempting to finish with a variety of win conditions. A logical sequel to Tetris 99, which applied a similar transformation to everyone’s favorite block-based puzzler, and potentially a lot of fun.
But when it came to bringing fan favorites from the N64 and Gamecube to the Switch, the company left much to be desired.
Nintendo’s approach to resurrecting its back catalog has been haphazard: Giving away NES and SNES games for free to Nintendo Online subscribers is a nice bonus in a way, but many players have already paid for those games on previous consoles, perhaps multiple times. Why, players have asked, can’t someone just bring their purchase of Kid Icarus over from the Wii’s Virtual Console to the Switch and play it without a subscription? Nintendo has never provided a good answer to this; in the SNES Mini it has provided an excellent alternative — though of course it means buying the game yet again.
The question on countless players’ minds was: Will Nintendo add N64 titles to the library of past-generation games for anyone to access, or gussy them up and sell them separately? With both Mario and Zelda’s 35th anniversaries approaching, this was a very material concern.
As it turns out, Nintendo has somehow threaded the needle with a solution seemingly made to leave everyone wanting something more.
The Super Mario 3D All-Stars collection includes Super Mario 64, Super Mario Sunshine, and Super Mario Galaxy, from the N64, Gamecube, and Wii respectively, and has a full-size $60 price tag. These are all great games, obviously. But being classics doesn’t mean there’s no way to update them for modern audiences.
Take Mario 64. Universally beloved and hugely influential, it is nevertheless a bit long in the tooth in some ways. But the Mario 64 in All-Stars is only brought up to the barest standard of playability on modern consoles: It works with current Switch controllers and runs at an updated resolution. They didn’t even bother changing the original 4:3 aspect ratio!
Amazingly, Nintendo didn’t even include the substantial upgrades it made itself for the DS re-release of the game. As with the original All-Stars for SNES, which included re-drawn sprites and other improvements, this was an opportunity to show the quality of these games while also doing right by fans who have for years had to resort to emulators and mods to make the games suitable for 21st-century consumption.
Instead Nintendo has opted to do the absolute minimum while charging the absolute maximum. What’s more, there seems to be some kind of limited availability that the company hasn’t quite made clear — what goes on sale in a couple weeks will only be available until March of next year. Then what? Nintendo hasn’t said. (I’ve asked for clarification and will update this article if I hear back.)
Long-time customers will not be surprised by Nintendo’s oblique strategy and seeming lack of ambition here. The company has institutionalized a unique combination of extreme conservatism and eye-popping risk-taking. Overdeliver with one hand and underdeliver with the other is Nintendo’s approach, and it was hoped by many players that the former hand would be the one with the Mario anniversary content in it.
It’s troubling not simply because there’s one game that doesn’t justify its price tag, but because it signals an underwhelming approach to the entire library of Nintendo classics. With the 35th anniversary of other beloved franchises on the horizon — Zelda and Metroid, for a start — it is a legitimate worry that Nintendo may likewise let down the fan base.
Sure, it may sound a bit like the notorious entitlement expressed by gamers over things like microtransactions, exclusivity agreements, and so on. But with Nintendo and these very important titles from its vault, expectations are justifiably different.
With almost no releases on third party platforms and an aggressive approach to shutting down what it views as IP offenses, Nintendo exercises an iron grip over its content, especially its crown jewels, Mario and Zelda. If we are ever to receive an improved version of Mario 64, or Sunshine, or for that matter Ocarina of Time, not to speak of dozens of other classics, Nintendo is the only one that can provide it.
Sometimes that means a beautiful total redo of a game like Link’s Awakening. But at other times it means we must make do with scraps from the table, as with the arbitrary trickle of NES and SNES games coming to Nintendo Switch Online (itself a bundle of scraps compared with other console subscriptions, it must be said). Everyone right now is thinking that the inevitable Zelda collection will be equally barebones (and expensive).
The dream players have cherished for decades, for example a multiplayer Mario 64, will never emerge in the wilds of the internet because Nintendo will swoop in with a cease and desist in record time. So they must rely on the company to make those dreams come true, and it is remarkably inconsistent in doing so.
The treasure chest of games Nintendo has just opened the lid on is potentially a source for years of content and will partly define the company’s overarching strategy going forward. But it makes gamers nervous to see Nintendo aiming at their wallets instead of their hearts. Usually it’s at least both.
Quick, what was the first portable gaming system Nintendo made?
If you said “Game Boy”… solid guess, but not quite. For nearly a decade before Nintendo released that iconic gray beast, it was making the Game & Watch — a collection of handheld devices, each dedicated to playing just one or two simple games and, occasionally, doubling as a clock.
Hammering that nostalgia button in a way that few other companies can, Nintendo announced this morning that the Game & Watch will be making a modernized, but limited edition, return.
Released as part of the celebration around the 35th anniversary of Super Mario Bros., it’s fully Mario themed — and, appropriately, called “Game & Watch: Super Mario Bros.”
As with the original Game & Watch lineup, it seems like this one is meant to be pretty limited in the number of different titles it can play. On the official product page, Nintendo mentions Super Mario Bros., Super Mario Bros. 2: The Lost Levels (or just ‘Super Mario Bros. 2’, as it was known in Japan), and a Mario-skinned remake of Ball, the first Game & Watch title that shipped back in April of 1980. So three games in all… but given what we’ve seen happen with previous devices like this, I wouldn’t be surprised if the fans crack it open and have it running a whole lot more than that in no time flat.
A lot has changed in forty(!) years, so Nintendo is sneaking a few upgrades into this Game & Watch that probably seem like givens today. It’s got a full color LCD, for example, whereas the original displays were black and white — and you’ll be able to charge it over USB-C, rather than having to burn through a stack of button cell batteries. Nintendo says it should last around 8 hours per charge.
Clock Mode!
When you’re not playing one of the included games, this thing turns into a little portable clock (thus the “& Watch” part of its name), with 35 different Mario-themed scenes in all. If Nintendo does that clock feature right, I can see these things earning a permanent spot on a lot of people’s desks.
While Nintendo notes that it’ll be a “limited” run, they haven’t said exactly how many of these they’ll be making… and while pre-order details are “coming soon”, they’re not getting more specific than that. They do say it’ll ship on November 13th with an MSRP of $50… but beyond that, if you’re worried about getting one of these, you’ll want to keep an eye out for more details.
Apple announces a surprising delay, Facebook bans new political ads for the week before the U.S. election and SpaceX is testing its Starlink internet system. This is your Daily Crunch for September 3, 2020.
The big story: Apple delays ad-tracking changes
At this year’s Worldwide Developers Conference, Apple announced that in iOS 14 (currently in public beta), app developers would have to ask users whether they wanted to be tracked for ad purposes.
The move seems like a straightforward win for privacy, but some developers and advertisers have been pretty worried — Facebook, for example, predicted that this could render its Audience Network ad network completely ineffective. So Apple announced today that it’s delaying the changes until early next year.
“We want to give developers the time they need to make the necessary changes, and as a result, the requirement to use this tracking permission will go into effect early next year,” Apple said in a statement.
Optimizely acquired by content management company Episerver — In a statement, Episerver CEO Alex Atzberger said this is “the most significant transformation in our company’s history – one that will set a new industry standard for digital experience platforms.”
India’s Zomato raises $62 million from Temasek — The food delivery startup announced in January that Ant Financial had committed to provide it with $150 million, but apparently the firm has yet to deliver two-thirds of that capital.
The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.
Discount carrier Spirit Airlines today announced that it is introducing biometric check-ins in its ticket lobby at Chicago’s O’Hare airport to streamline the check-in process and reduce face-to-face interactions between its employees and passengers during the pandemic.
The new process is straightforward, though it still involves one customer service agent at the beginning, who will check the flier’s ID before approaching the new check-in/bag drop units. If passengers opt in to the biometric procedure — and this remains optional — they scan their ID and the system will compare the photo with a facial scan captured by the machine.
Over time, Spirit hopes to do away with the first step of having an agent check the ID, but it is waiting for TSA approval to do so.
If everything works according to plan, the passenger can then drop off their bags and go their merry way (until they hit the TSA checkpoint, but that’s not the airline’s fault).
“We started looking at ways to improve the check-in experience in 2019 as part of our pledge to invest in the Guest,” Spirit President and CEO Ted Christie explained in today’s announcement. “We knew early on that automation and biometric photo-matching would make the check-in process smoother. Now in 2020, we’re realizing those same elements are just as valuable when it comes to helping people feel comfortable flying. Limiting touchpoints and unnecessary face-to-face interactions will change the way airports operate.”
Before the pandemic, this would have looked like an obvious effort to save money by reducing the number of employees needed to run the check-in counters (with self-service bag drops having already become somewhat of a standard procedure). Now, it feels like just the right move, even as the number of travelers remains at record lows.
Currently, 600 passengers use Spirit’s bag drop at O’Hare. In its tests, the airline found that the new process drops the average processing time by 70 seconds.
Spirit stresses that none of the data is transmitted to the government and that it doesn’t leave Spirit’s possession. Biometrics and especially facial recognition have long been good for controversy at airports, at least in the U.S., with Homeland Security testing biometric scans before boarding international flights, for example, and the TSA now testing self-service checkpoints to get passengers through its security lines. And while a lot of fliers now feel comfortable using CLEAR to get through security with only their fingerprints or a facial scan, there is still a large chunk of the flying public that will feel somewhat uncomfortable with this, even during a pandemic and despite the airline’s argument that it doesn’t share data with the government.
Facebook-owned WhatsApp has revealed six previously undisclosed vulnerabilities, which the company has now fixed. The vulnerabilities are being reported on a dedicated security advisory website that will serve as the new resource providing a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVE).
WhatsApp said five of the six vulnerabilities were fixed on the same day, while the remaining bug took a couple of days to remediate. Although some of the bugs could have been remotely triggered, the company said it found no evidence of hackers actively exploiting the vulnerabilities.
Around one-third of the new vulnerabilities were reported through the company’s Bug Bounty Program, while the others were discovered in routine code reviews and by using automated systems, as would be expected.
WhatsApp is one of the world’s most popular apps with more than two billion users around the world. But it’s also a persistent target for hackers, who try to find and exploit vulnerabilities in the platform.
The new website was launched as part of the company’s efforts to be more transparent about vulnerabilities targeting the messaging app, and in response to user feedback. The company says the WhatsApp community has been asking for a centralized location for tracking security vulnerabilities, as WhatsApp isn’t always able to detail its security advisories in an app’s release notes due to app store policies.
The new dashboard will update monthly, or sooner if it has to warn users of an active attack. It will also offer an archive of past CVEs dating back to 2018. While the website’s main focus will be on CVEs in WhatsApp’s code, if the company files a CVE with the public database MITRE for a vulnerability it found in third-party code, it will denote that on the WhatsApp Security Advisory page, as well.
Last year, WhatsApp went public after fixing a vulnerability allegedly used by Israeli spyware maker NSO Group. WhatsApp sued the spyware maker, alleging the company used the vulnerability to covertly deliver its Pegasus spyware to some 1,400 devices — including more than 100 human rights defenders and journalists.
NSO denied the allegations.
John Scott-Railton, a senior researcher at Citizen Lab, whose work has included investigating NSO Group, welcomed the news.
“This is good, and we know that bad actors make use of extensive resources to acquire and weaponize vulnerabilities,” he told TechCrunch. “WhatsApp sending the signal that it’s going to move regularly to identify and patch in this way seems like yet another way to raise the cost for bad actors.”
In a blog post, WhatsApp said: “We are very committed to transparency and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts. We strongly encourage all users to ensure they keep their WhatsApp up-to-date from their respective app stores and update their mobile operating systems whenever updates are available.”
Facebook also said Thursday that it has codified its vulnerability disclosure policy, allowing the company to warn developers of security vulnerabilities in third-party code that Facebook and WhatsApp rely on.
Facebook has announced a policy change that will see the company notify third-party developers if it finds a security vulnerability in their code.
Facebook said it “may occasionally find” critical bugs and vulnerabilities in third-party code and systems, in a blog post announcing the change. “When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems.”
Facebook has previously notified third-party developers of vulnerabilities, but the policy shift formally codifies the company’s policy towards disclosing and revealing security vulnerabilities.
Vulnerability disclosure programs, or VDPs, allow companies to set the rules of engagement for finding and disclosing security bugs. VDPs also help guide the disclosure and publication of vulnerabilities once a bug is fixed. Companies often use a bug bounty to pay hackers who follow the company’s reporting and disclosure rules.
The policy change is not entirely altruistic. Facebook, like many other tech companies, relies on a ton of third-party code and open-source libraries. But by putting the change in writing, it also puts third-party developers on notice if they don’t fix vulnerabilities in a timely fashion.
Casey Ellis, founder and chief technology officer at vulnerability disclosure platform Bugcrowd, said the policy shift was becoming increasingly popular for companies with a “large, user-centric, third-party attack surface,” and echoes similar efforts by Atlassian, Google, and Microsoft.
Facebook said when it finds a vulnerability, it will give third-party developers 21 days to respond to the report and 90 days to fix the issues, a widely accepted timeframe to report and remediate security issues. The company says it will make a reasonable effort to find the right contact for reporting a vulnerability including, but not limited to, emailing security reporting emails, filing bugs without confidential details in bug trackers, or filing support tickets. But the company said it reserves the right to disclose sooner if the vulnerability is actively being exploited by hackers, or delay its disclosure if it’s agreed that more time is needed to fix an issue.
Facebook said it will generally sign a non-disclosure agreement (NDA) specific to the security issues it reports.
Katie Moussouris, founder of Luta Security, told TechCrunch that the “devil will be in the details.”
“The test will be the first time they have to pull the trigger and drop a zero-day — with mitigation guidance — on a competitor,” she said, referring to unpatched vulnerabilities where companies have zero days to patch them.
The new policy is focused specifically on how Facebook handles disclosure of issues in third-party code. If researchers find a security vulnerability on Facebook, or within its family of apps, they will continue to report it through the existing Bug Bounty Program.
As part of the policy change, Facebook said it would also disclose vulnerabilities once they are fixed. In a separate blog post, Facebook, which owns WhatsApp, disclosed six vulnerabilities in the messaging app — since fixed.
Oracle was never fond of the JEDI cloud contract process, that massive $10 billion, decade-long Department of Defense cloud contract that went to a single vendor. It was forever arguing to anyone who would listen that that process was faulty and favored Amazon.
Yesterday it lost another round in court when the U.S. Court of Appeals rejected the database giant’s argument that the procurement process was flawed because it went to a single vendor. It also didn’t buy that there was a conflict of interest because a former Amazon employee was involved in writing the DoD’s request for proposal criteria.
On the latter point, the court wrote, “The court addressed the question whether the contracting officer had properly assessed the impact of the conflicts on the procurement and found that she had.”
Further, the court found that Oracle’s case didn’t have merit in some cases because it failed to meet certain basic contractual criteria. In other cases, it didn’t find that the DoD violated any specific procurement rules with this bidding process.
This represents the third time the company has tried to appeal the process in some way, four if you include direct executive intervention with the president. In fact, even before the RFP had been released in April 2018, CEO Safra Catz brought complaints to the president that the bid favored Amazon.
It’s worth noting that for all its complaints that the deal favored Amazon, Microsoft actually won the bid. Even with that determination, the deal remains tied up in litigation as Amazon has filed multiple complaints, alleging that the president interfered with the deal and that they should have won on merit.
As with all things related to this contract, the drama has never stopped.