Imagine if Google Docs was end-to-end encrypted so that not even Google could access your documents. That’s Skiff, in a nutshell.
Skiff is a document editor with a similar look and feel to Google Docs, allowing you to write, edit and collaborate in real-time with colleagues with privacy baked in. Because the document editor is built on a foundation of end-to-end encryption, Skiff doesn’t have access to anyone’s documents — only users, and those who are invited to collaborate, do.
It’s an idea that has already attracted the attention of investors. Skiff’s co-founders Andrew Milich (CEO) and Jason Ginsberg (CTO) announced today that the startup has raised $3.7 million in seed funding from venture firm Sequoia Capital, just over a year since Skiff was founded in March 2020. Alphabet chairman John Hennessy, former Yahoo chief executive Jerry Yang, and Eventbrite co-founders Julia and Kevin Hartz also participated in the round.
Milich and Ginsberg told TechCrunch that the company will use the seed funding to grow the team and build out the platform.
Underneath its document editor, Skiff isn’t that much different from WhatsApp or Signal, which are also end-to-end encrypted. “Instead of using it to send messages to a bunch of people, we’re using it to send little pieces of documents and then piecing those together into a collaborative workspace,” said Milich.
But the co-founders acknowledged that putting your sensitive documents in the cloud requires users to put a lot of trust into the startup, particularly one that hasn’t been around for long. That’s why Skiff published a whitepaper with technical details of how its technology works, and has begun to open source parts of its code, allowing anyone to see how the platform works. Milich said Skiff has also gone through at least one comprehensive security audit, and the company counts advisors from the Signal Foundation to Trail of Bits.
It seems to be working. In the months since Skiff soft-launched through an invite-only program, thousands of users — including journalists, research scientists and human rights lawyers — use Skiff every day, with another 8,000 users on a waitlist.
“The group of users that we’re most excited about are just regular people that care about privacy,” said Ginsberg. “There are just so many privacy communities and people that are advocates for these types of products that really care about how they’re built and have sort of lost trust in big companies.”
“They’re using us because they’re really excited about the vision and the future of end-to-end encryption,” he said.
In 2011, a product developer named Fred Davison read an article about inventor Ken Yankelevitz and his QuadControl video game controller for quadriplegics. At the time, Yankelevitz was on the verge of retirement. Davison wasn’t a gamer, but he said his mother, who had the progressive neurodegenerative disease ALS, inspired him to pick up where Yankelevitz was about to leave off.
Launched in 2014, Davison’s QuadStick represents the latest iteration of the Yankelevitz controller — one that has garnered interest across a broad range of industries.
“The QuadStick’s been the most rewarding thing I’ve ever been involved in,” Davison told TechCrunch. “And I get a lot of feedback as to what it means for [disabled gamers] to be able to be involved in these games.”
Erin Muston-Firsch, an occupational therapist at Craig Hospital in Denver, says adaptive gaming tools like the QuadStick have revolutionized the hospital’s therapy team.
Six years ago, she devised a rehabilitation solution for a college student who came in with a spinal cord injury. She says he liked playing video games, but as a result of his injury could no longer use his hands. So the rehab regimen incorporated Davison’s invention, which enabled the patient to play World of Warcraft and Destiny.
Jackson “Pitbull” Reece is a successful Facebook streamer who uses his mouth to operate the QuadStick, as well as the XAC (the Xbox Adaptive Controller), a controller designed by Microsoft for use by people with disabilities to make user input for video games more accessible.
Reece lost the use of his legs in a motorcycle accident in 2007 and later, due to an infection, lost the use of his upper body. He says he remembers able-bodied life as one filled with mostly sports video games. He says being a part of the gaming community is an important part of his mental health.
Fortunately there is an atmosphere of collaboration, not competition, around the creation of hardware for gamers within the assistive technology community.
But while not every major tech company has been proactive about accessibility, after-market devices are available to create customized gaming experiences for disabled gamers.
At its Hackathon in 2015, Microsoft’s Inclusive Lead Bryce Johnson met with disabled veterans’ advocacy group Warfighter Engaged.
“Controllers have been optimized around a primary use case that made assumptions,” Johnson said. Indeed, the buttons and triggers of a traditional controller are for able-bodied people with the endurance to operate them.
Besides Warfighter Engaged, Microsoft worked with AbleGamers (the most recognized charity for gamers with disabilities), Craig Hospital, the Cerebral Palsy Foundation and Special Effect, a U.K.-based charity for disabled young gamers.
The finished XAC, released in 2018, is intended for a gamer with limited mobility to seamlessly play with other gamers. One of the details gamers commented on was that the XAC looks like a consumer device, not a medical device.
“We knew that we couldn’t design this product for this community,” Johnson told TechCrunch. “We had to design this product with this community. We believe in ‘nothing about us without us.’ Our principles of inclusive design urge us to include communities from the very beginning.”
There were others getting involved. Like many inventions, the creation of the Freedom Wing was a bit of serendipity.
At his booth at an assistive technology (AT) conference, ATMakers’ Bill Binko showcased a doll named “Ella” using the ATMakers Joystick, a power-chair device. Also in attendance was Steven Spohn, who is part of the brain trust behind AbleGamers.
Spohn saw the Joystick and told Binko he wanted a similar device to work with the XAC. The Freedom Wing was ready within six weeks. It was a matter of manipulating the sensors to control a game controller instead of a chair. This device didn’t require months of R&D and testing because it had already been road tested as a power-chair device.
Binko said mom-and-pop companies are leading the way in changing the face of accessible gaming technology. Companies like Microsoft and Logitech have only recently found their footing.
ATMakers, QuadStick and other smaller creators, meanwhile, have been busy disrupting the industry.
“Everybody gets [gaming] and it opens up the ability for people to engage with their community,” Binko said. “Gaming is something that people can wrap their heads around and they can join in.”
As the technology evolves, so do the obstacles to accessibility. These challenges include lack of support teams, security, licensing and VR.
Binko said managing support teams for these devices with the increase in demand is a new hurdle. More people with the technological skills are needed to join the AT industry to assist with the creation, installation and maintenance of devices.
Security and licensing are out of the hands of small creators like Davison because of the financial and other resources needed to work with different hardware companies. For example, Sony’s licensing enforcement technology has become increasingly complex with each new console generation.
With Davison’s background in tech, he understands the restrictions to protect proprietary information. “They spend huge amounts of money developing a product and they want to control every aspect of it,” Davison said. “Just makes it tough for the little guy to work with.”
And while PlayStation led the way in button mapping, according to Davison, the security process is stringent. He doesn’t understand how it benefits the console company to prevent people from using whichever controller they want.
“The cryptography for the PS5 and DualSense controller is uncrackable so far, so adapter devices like the ConsoleTuner Titan Two have to find other weaknesses, like the informal ‘man in the middle’ attack,” Davison said.
The technique allows devices to utilize older-gen PlayStation controllers as a go-between from the QuadStick to the latest-gen console, so disabled gamers can play the PS5. TechCrunch reached out to Sony’s accessibility division, whose representative said there are no immediate plans for an adaptable PlayStation or controller. However, they stated their department works with advocates and gaming devs to consider accessibility from day one.
In contrast, Microsoft’s licensing system is more forgiving, especially with the XAC and the ability to use older-generation controllers with newer systems.
“Compare the PC industry to the Mac,” Davison said. “You can put together a PC system from a dozen different manufacturers, but not for the Mac. One is an open standard and the other is closed.”
In November, Japanese controller company HORI released an officially licensed accessibility controller for the Nintendo Switch. It’s not available for sale in the United States currently, but there are no region restrictions to purchase one online. This latest development points toward a more accessibility-friendly Nintendo, though the company has yet to fully embrace the technology.
Nintendo’s accessibility department declined a full interview but sent a statement to TechCrunch. “Nintendo endeavors to provide products and services that can be enjoyed by everyone. Our products offer a range of accessibility features, such as button-mapping, motion controls, a zoom feature, grayscale and inverted colors, haptic and audio feedback, and other innovative gameplay options. In addition, Nintendo’s software and hardware developers continue to evaluate different technologies to expand this accessibility in current and future products.”
The push for more accessible hardware for disabled gamers hasn’t been smooth. Many of these devices were created by small business owners with little capital. In a few cases corporations with a determination for inclusivity at the earliest stages of development became involved.
Slowly but surely, however, assistive technology is moving forward in ways that can make the experience much more accessible for gamers with disabilities.
The two founders of Crusoe Energy think they may have a solution to two of the largest problems facing the planet today — the increasing energy footprint of the tech industry and the greenhouse gas emissions associated with the natural gas industry.
Crusoe, which uses excess natural gas from energy operations to power data centers and cryptocurrency mining operations, has just raised $128 million in new financing from some of the top names in the venture capital industry to build out its operations — and the timing couldn’t be better.
Methane emissions are emerging as a new area of focus for researchers and policymakers focused on reducing greenhouse gas emissions and keeping global warming within the 1.5 degree targets set under the Paris Agreement. And those emissions are just what Crusoe Energy is capturing to power its data centers and bitcoin mining operations.
The reason why addressing methane emissions is so critical in the short term is because these greenhouse gases trap more heat than their carbon dioxide counterparts and also dissipate more quickly. So dramatic reductions in methane emissions can do more in the short term to alleviate the global warming pressures that human industry is putting on the environment.
And the biggest source of methane emissions is the oil and gas industry. In the U.S. alone roughly 1.4 billion cubic feet of natural gas is flared daily, said Chase Lochmiller, a co-founder of Crusoe Energy. About two thirds of that is flared in Texas with another 500 million cubic feet flared in North Dakota, where Crusoe has focused its operations to date.
For Lochmiller, a former quant trader at some of the top American financial services institutions, and Cully Cavness, a third-generation oil and gas scion, the ability to capture natural gas and harness it for computing operations is a natural combination of the two men’s interests in financial engineering and environmental preservation.
The two Denver natives met in prep school and remained friends. When Lochmiller left for MIT and Cavness headed off to Middlebury, they didn’t know that they’d eventually be launching a business together. But through Lochmiller’s exposure to large-scale computing and the financial services industry, and Cavness’ assumption of the family business, they came to the conclusion that there had to be a better way to address the massive waste associated with natural gas.
Conversation around Crusoe Energy began in 2018 when Lochmiller and Cavness went climbing in the Rockies to talk about Lochmiller’s trip to Mt. Everest.
When the two men started building their business, the initial focus was on finding an environmentally friendly way to deal with the energy footprint of bitcoin mining operations. It was this pitch that brought the company to the attention of investors at Polychain, the investment firm started by Olaf Carlson-Wee (and Lochmiller’s former employer), and investors like Bain Capital Ventures and new investor Valor Equity Partners.
(This was also the pitch that Lochmiller made to me to cover the company’s seed round. At the time I was skeptical of the company’s premise and was worried that the business would just be another way to prolong the use of hydrocarbons while propping up a cryptocurrency that had limited actual utility beyond a speculative hedge against governmental collapse. I was wrong on at least one of those assessments.)
“Regarding questions about sustainability, Crusoe has a clear standard of only pursuing projects that are net reducers of emissions. Generally the wells that Crusoe works with are already flaring and would continue to do so in the absence of Crusoe’s solution. The company has turned down numerous projects where they would be a buyer of low cost gas from a traditional pipeline because they explicitly do not want to be net adders of demand and emissions,” wrote a spokesman for Valor Equity in an email. “In addition, mining is increasingly moving to renewables and Crusoe’s approach to stranded energy can enable better economics for stranded or marginalized renewables, ultimately bringing more renewables into the mix. Mining can provide an interruptible base load demand that can be cut back when grid demand increases, so overall the effect is to incentivize the addition of more renewable energy sources to the grid.”
Other investors have since piled on including: Lowercarbon Capital, DRW Ventures, Founders Fund, Coinbase Ventures, KCK Group, Upper90, Winklevoss Capital, Zigg Capital and Tesla co-founder JB Straubel.
The company now operates 40 modular data centers powered by otherwise wasted and flared natural gas throughout North Dakota, Montana, Wyoming and Colorado. Next year that number should expand to 100 units as Crusoe enters new markets such as Texas and New Mexico. Since launching in 2018, Crusoe has emerged as a scalable solution to reduce flaring through energy-intensive computing such as bitcoin mining, graphical rendering, artificial intelligence model training and even protein folding simulations for COVID-19 therapeutic research.
Crusoe boasts 99.9% combustion efficiency for its methane, and is also bringing additional benefits in the form of new networking buildout at its data center and mining sites. Eventually, this networking capacity could lead to increased connectivity for rural communities surrounding the Crusoe sites.
Currently, 80% of the company’s operations are being used for bitcoin mining, but there’s increasing demand for use in data center operations, and some universities, including Lochmiller’s alma mater of MIT, are looking at the company’s offerings for their own computing needs.
“That’s very much in an incubated phase right now,” said Lochmiller. “A private alpha where we have a few test customers… we’ll make that available for public use later this year.”
Crusoe Energy Systems should have the lowest data center operating costs in the world, according to Lochmiller, and while the company will spend money to support the infrastructure buildout necessary to get the data to customers, those costs are negligible when compared to energy consumption, he said.
The same holds true for bitcoin mining, where the company can offer an alternative to coal powered mining operations in China and the construction of new renewable capacity that wouldn’t be used to service the grid. As cryptocurrencies look for a way to blunt criticism about the energy usage involved in their creation and distribution, Crusoe becomes an elegant solution.
Institutional and regulatory tailwinds are also propelling the company forward. Recently New Mexico passed new laws limiting flaring and venting to no more than 2 percent of an operator’s production by April of next year and North Dakota is pushing for incentives to support on-site flare capture systems while Wyoming signed a law creating incentives for flare gas reduction applied to bitcoin mining. The world’s largest financial services firms are also taking a stand against flare gas with BlackRock calling for an end to routine flaring by 2025.
“Where we view our power consumption, we draw a very clear line in our project evaluation stage where we’re reducing emissions for an oil and gas projects,” Lochmiller said.
Cryptocurrency prices continued to tumble Friday with Bitcoin leading the charge, with prices for the internet currency dipping below $50,000 for the first time since early March.
Bitcoin is down roughly 20% week-over-week, around 30% from its all-time high of nearly $65,000 early last week. The market cap of the coin has dipped below $1 trillion. The tumble has been less severe for Ethereum, which hit an all-time high just yesterday but has since dropped 13% as the broader market has crawled back.
Plenty of altcoins have also taken a beating. Dogecoin erased the breakneck gains of the week and then some, nearly halving its price after a meteoric climb last weekend. XRP is down 35% week-over-week, Stellar is down 30% and Polkadot is down 25% since last week.
Overall, Coinmarketcap estimates the global crypto market has shrunk around 10% in the past 24 hours.
Crypto prices have been on a tear for the past several months, but the past week has been the clearest sign of a correction to climbing prices. Many see news of President Biden’s adjustment to the hikes on the capital gains tax as the most apparent reason for the market’s slide, as investors cash out hoping their gains won’t be reached by a retroactive application of the rules.
Coinbase, which went public last week via direct listing, shaved about 10% off its share price this week, but was largely unaffected Friday in intraday trading.
Manhunt, a gay dating app that claims to have 6 million male members, has confirmed it was hit by a data breach in February after a hacker gained access to the company’s accounts database.
In a notice filed with the Washington attorney general’s office, Manhunt said the hacker “gained access to a database that stored account credentials for Manhunt users,” and “downloaded the usernames, email addresses and passwords for a subset of our users in early February 2021.”
The notice did not say how the passwords were scrambled, if at all, to prevent them from being read by humans. Passwords scrambled using weak algorithms can sometimes be decoded into plain text, allowing malicious hackers to break into users’ accounts.
Following the breach, Manhunt force-reset account passwords and began alerting users in mid-March. Manhunt did not say what percentage of its users had their data stolen or how the data breach happened, but said that more than 7,700 Washington state residents were affected.
The company’s attorneys did not reply to an email requesting comment.
But questions remain about how Manhunt handled the breach. In March, the company tweeted that, “At this time, all Manhunt users are required to update their password to ensure it meets the updated password requirements.” The tweet did not say that user accounts had been stolen.
Manhunt was launched in 2001 by Online-Buddies Inc., which also offered gay dating app Jack’d before it was sold to Perry Street in 2019 for an undisclosed sum. Just months before the sale, Jack’d had a security lapse that exposed users’ private photos and location data.
Dating sites store some of the most sensitive information on their users, and are frequently a target of malicious hackers. In 2015, Ashley Madison, a dating site that encouraged users to have an affair, was hacked, exposing names, and postal and email addresses. Several people died by suicide after the stolen data was posted online. A year later, dating site AdultFriendFinder was hacked, exposing more than 400 million user accounts.
In 2018, same-sex dating app Grindr made headlines for sharing users’ HIV status with data analytics firms.
In other cases, poor security — in some cases none at all — led to data spills involving some of the most sensitive data. In 2019, Rela, a popular dating app for gay and queer women in China, left a server unsecured with no password, allowing anyone to access sensitive data — including sexual orientation and geolocation — on more than 5 million app users. Months later, Jewish dating app JCrush exposed around 200,000 user records.
A court in Houston has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks.
The Justice Department announced the operation on Tuesday, which it described as “successful.”
In March, Microsoft discovered a new China state-sponsored hacking group — Hafnium — targeting Exchange servers run from company networks. The four vulnerabilities, when chained together, allowed the hackers to break into a vulnerable Exchange server and steal its contents. Microsoft fixed the vulnerabilities, but the patches did not close the backdoors on the servers that had already been breached. Within days, other hacking groups began hitting vulnerable servers with the same flaws to deploy ransomware.
The number of infected servers dropped as patches were applied. But hundreds of Exchange servers remained vulnerable because the backdoors are difficult to find and eliminate, the Justice Department said in a statement.
“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks,” the statement said. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”
The FBI said it’s attempting to inform owners via email of servers from which it removed the backdoors.
Assistant attorney general John C. Demers said the operation “demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions.”
The Justice Department also said the operation only removed the backdoors, but did not patch the vulnerabilities exploited by the hackers to begin with or remove any malware left behind.
It’s believed this is the first known case of the FBI effectively cleaning up private networks following a cyberattack. In 2016, the Supreme Court moved to allow U.S. judges to issue search and seizure warrants outside of their district. Critics opposed the move at the time, fearing the FBI could ask a friendly court to authorize cyber-operations anywhere in the world.
Other countries, like France, have used similar powers before to hijack a botnet and remotely shut it down.
Neither the FBI nor the Justice Department commented by press time.
It’s been a big year for crypto, and Robinhood shared some stats today providing more evidence that the crypto boom is more than just hype — at least for now.
In a blog, Christine Brown, Robinhood’s head of crypto operations, revealed that in the first quarter of 2021, 9.5 million of its customers traded crypto via the company’s platform. That’s up big time from the 1.7 million customers who traded crypto in the 2020 fourth quarter.
Brown says the company’s intent behind launching Robinhood Crypto in the first place was to give its customers the opportunity to buy and sell cryptocurrency in addition to the range of assets offered through its brokerage, Robinhood Financial.
Robinhood Crypto currently offers seven tradeable coins: Bitcoin, Bitcoin Cash, Bitcoin SV, Dogecoin, Ethereum, Ethereum Classic, and Litecoin.
Brown also noted that Robinhood’s crypto team has already more than tripled since the beginning of the year, although it’s not entirely clear how many staffers it currently has on that team. There are a number of crypto-related openings on its careers site, including an open “Crypto CFO” role.
The company is making clear that crypto is an important part of its overall business and part of its mission to democratize access to the masses.
“All it takes to spend, trade, and store cryptocurrency, theoretically, is an internet connection — you don’t need access to a big line of credit, or startup capital,” Brown wrote. “You don’t even have to be awake at a certain time of day to trade. The crypto market doesn’t close. Crypto was born out of a mission to take power away from institutions and return it to the people.”
Last August, Robinhood raised $200 million more at a new, higher $11.2 billion valuation in its third raise of the year before filing to go public in March. The company has had a tumultuous past year or so that was filled with time in front of Congress, bad PR from a user’s suicide, and settlements with the SEC.
Meanwhile, TechCrunch also reported earlier this week that in the first quarter of 2021, American consumer cryptocurrency trading giant Coinbase grew sharply, generating strong profits at the same time. Specifically, the company notched revenue of $1.8 billion in Q1 2021, up from $585.1 million in Q4 2020. Net income totaled “approximately $730 million to $800 million,” up from $178.8 million in Q4 2020.
Duo, the authentication service Cisco acquired for $2.35 billion in 2018, today announced its plans to launch a passwordless authentication service that will allow users to log in to their Duo-protected services through security keys or platform biometrics like Apple’s Face ID or Microsoft’s Windows Hello. The infrastructure-agnostic service will go into public preview in the summer.
“Cisco has strived to develop passwordless authentication that meets the needs of a diverse and evolving workforce and allows the broadest set of enterprises to securely progress towards a passwordless future, regardless of their IT stack,” said Gee Rittenhouse, SVP and GM of Cisco’s Security Business Group. “It’s not an overstatement to say that passwordless authentication will have the most meaningful global impact on how users access data by making the easiest path the most secure.”
If you’re using Duo or a similar product today, chances are that you are using both passwords and a second factor to log into your work applications. But users are notoriously bad about their password hygiene — and to the despair of any IT department, they also keep forgetting them.
In the standard two-factor authentication scheme, the second factor is basically an extra moat around your password. Passwordless is essentially another form of two-factor authentication, but instead of passwords, it relies on cryptographic key pairs, be that with the help of a hardware security key or biometric authentication.
Duo’s passwordless service also relies on the Web Authentication standard, which ensures that your data is stored locally and not on a centralized server.
According to Duo’s own data, we have now reached a point where the hardware is ready for passwordless, with 80 percent of mobile devices now offering support for biometrics.
“Passwordless is a journey requiring incremental changes in users and IT environments alike, not something enterprises can enable overnight,” said Wolfgang Goerlich, Advisory Chief Information Security Officer, Duo Security at Cisco. “Duo can help enterprises transition their environments and workforces securely and minimize user friction while simultaneously increasing trust in every authentication.”
Tesla made headlines earlier this year when it took out significant holdings in bitcoin, acquiring a roughly $1.5 billion stake at then-prices in early February. At the time, it also noted in an SEC filing disclosing the transaction that it could also eventually accept the cryptocurrency as payment from customers for its vehicles. Now, Elon Musk says they’ve made that a reality, at least for customers in the U.S., and he added that the plan is for the automaker to ‘hodl’ all their bitcoin payments, too.
In terms of its infrastructure for accepting bitcoin payments, Tesla isn’t relying on any third-party networks or wallets — the company is “using only internal & open source software & operates Bitcoin nodes directly,” Musk said on Twitter. And when customers pay in bitcoin, those won’t be converted to fiat currency, the CEO says, but will instead presumably add to the company’s stockpile.
You can now buy a Tesla with Bitcoin
— Elon Musk (@elonmusk) March 24, 2021
In February when Tesla revealed its bitcoin purchase, observers either lauded the company’s novel approach to converting its cash holdings, or criticized the plan for its attachment to an asset with significant price volatility. Many also pointed out that the environmental cost of mining bitcoin seems at odds with Tesla’s overall stated mission, given its carbon footprint. Commenters today echoed these concerns, noting the irony of Tesla accepting the grid-taxing cryptocurrency for its all-electric cars.
As for how the bitcoin payment process works today, Tesla has detailed that in an FAQ. Customers begin the payment process from their own bitcoin wallet, and have to set the exact amount for a vehicle deposit based on current rates, with the value of Tesla’s cars still set in U.S. dollars. The automaker further notes that in the case of any refunds, it’s buyer-beware in terms of any change in value relative to the U.S. dollar from time of purchase to time of refund.
Musk also said that the plan is to expand Bitcoin payments to other countries outside the U.S. by “later this year.” Depending on the market, that could require some regulatory work, but clearly Musk thinks it’s worth the effort. Meanwhile, Bitcoin is up slightly on the news early Wednesday morning.
Move fast, break things, get hacked.
That’s what happened at Roll, the social currency platform that allows creators to mint and distribute their own Ethereum-based cryptocurrency known as social tokens. Last week, Roll disclosed a hacker had stolen $5.7 million from its hot wallet, a little over a year after the company launched.
Roll set up a $500,000 fund to help creators recoup their losses, and the company promised to hire a third-party to audit its security infrastructure.
But the company has so far been unable to contract with security investigators to probe the breach, leaving the startup to look for clues itself. A week has passed since the breach, and the social currency startup says it still doesn’t know how the hacker broke in or stole its private keys.
In a call with TechCrunch this week, Roll executives confirmed its infrastructure never underwent a security audit, a process designed to help find and fix vulnerabilities, prior to its launch.
“We weren’t ready from a security standpoint,” said Roll CEO Bradley Miles.
“This incident was a big setback for us, we will revamp a lot of infrastructure around this that we have in place to prevent something like this from happening again,” said Roll’s chief technology officer Sid Kalla, who oversees cybersecurity because the company does not have dedicated staff.
The executives said while its smart contracts — the technology that underpins the blockchain — were audited by a third-party firm, the rest of the company’s infrastructure was never stress-tested.
“That was a shortcoming on our end, and we should have done this earlier,” said Kalla.
The emptying of Roll’s hot wallet comes as social currency climbs to new levels of popularity. Roll has netted high-profile creators like actor Terry Crews, along with hundreds of other social currencies on the platform, many plummeting in value after the hot wallet was hacked.
Some of the larger social currencies, like $WHALE, bounced back fairly quickly after the breach of Roll’s hot wallet. A month earlier, $WHALE “serendipitously withdrew” a large amount of its supply to its cold wallets, which aren’t connected to the internet, in anticipation of community distributions. The social currencies that had measures in place proved some resiliency against the hack.
After the company realized its hot wallet was emptied, the company spent the first two days following the money trail. Miles said the company engaged with forensic blockchain company Chainalysis for help. The company said it was looking at its logs, but says it has not seen any anomalous logins. Roll uses Amazon’s cloud for its infrastructure, and only a handful of employees have access to the private keys, and their accounts are secured with app-based authentication codes, said Kalla.
“We’re a young company, we’re growing extraordinarily quickly,” said Miles, who admitted that the company’s response “could have been better.”
“There’s no scenario in which you can lose that kind of money and not bring in incident response,” said Jake Williams, founder of cybersecurity firm Rendition Infosec. “The idea that you would try to do a DIY incident response, especially if it’s not your core capability, is just ridiculous.”
“To rebuild trust, the company has to come clean on where the failures were at,” said Williams, a former NSA hacker turned incident responder.
Roll is rebuilding its infrastructure, but did not give a timeline for when the work would be completed. The company said it won’t allow users to make withdrawals until it’s confident that its infrastructure is secure. The company says it will engage a security company to audit the changes to its infrastructure. Roll also said it will reduce how many tokens it holds in its hot wallet.
Miles said the company’s relief fund for creators was raised to $750,000, which he said will go directly to affected communities. The company also plans to hire a dedicated chief information security officer when its next financing round closes.
While much of the recent wave of relentless hype around NFTs — or non-fungible tokens — has been most visibly manifested in high-dollar art auctions or digital trading cards sales, there’s also been a relentless string of chatter among bullish investors who see a future that ties the tokens to the future of social media and creator monetization.
Many of the most spirited conversations have centered on a pre-launch project called BitClout, a social crypto-exchange where users can buy and sell tokens based on people’s reputations. The app, which launches out of private beta tomorrow morning, has already courted plenty of controversy inside the crypto community, but it’s also amassed quite a war chest as investors pump tens of millions into its proprietary currency.
Early backers of the platform’s BitClout currency include a who’s who of Silicon Valley investors including Sequoia Capital and Andreessen Horowitz, the startup’s founder tells TechCrunch. Other investors include Chamath Palihapitiya’s Social Capital, Coinbase Ventures, Winklevoss Capital and Reddit co-founder Alexis Ohanian. A report in Decrypt notes that a single wallet connected to BitClout has received more than $165 million worth of Bitcoin deposits suggesting that huge sums have already poured into the network ahead of its public launch.
BitClout falls into an exploding category of crypto companies that are focusing on tokenized versions of social currency. Others working on building out these individual tokens include Roll and Rally, which aim to allow creators to directly monetize their internet presence and allow their fans to bet on them. Users who believe in a budding artist can invest in their social currency and could earn returns as the creator became more famous and their coins accrued more value.
“If you look at people’s existing relationships with social media companies, it’s this very adversarial thing where all the content they produce is not really theirs but it belongs to the corporation that doesn’t share the monetization with them,” BitClout’s founder, who refers to themselves pseudonymously as “diamondhands,” tells TechCrunch. (There’s been some speculation on their identity as a former founder in the cryptocurrency space, but in a call with TechCrunch, they would not confirm their identity.)
The BitClout platform revolves around the BitClout currency. At the moment users can deposit Bitcoin into the platform which is instantly converted to BitClout tokens and can then be spent on individual creators inside the network. When a creator gets more popular as more users buy their coin, it gets more expensive to buy denominations of their coin. Creators can also opt in to receive a certain percentage of transactions deposited into their own BitClout wallets so that they continue to benefit from their own success.
The company’s biggest point of controversy hinges on what has been opt-in and what has been opt-out for the early group of accounts on the platform. Most other social currency offerings are strictly opt-in. Users come to the platform in search of a way to create tokens that allow them to monetize a fanbase and build a social fabric across multiple platforms. The thought being that if the platforms own the audience then you are at their mercy.
BitClout has taken an aggressive growth strategy here, turning that model on its head. The startup has pre-populated the BitClout network with 15,000 accounts after scraping information from popular public Twitter profiles. This means that BitClout users can buy shares of Kim Kardashian’s social coin or Elon Musk’s without those individuals ever having signed up for a profile or agreeing to it. This hasn’t been well-received by all of those who unwittingly had accounts set up on their behalf including many crypto-savvy users who got scooped up in the initial wave of seeding.
The startup’s founder says that this was largely an effort to prevent handle squatting and user impersonation, but he believes that as the platform opens, a sizable pre-purchase of creator coins reserved for the owners of these accounts will entice those users to verify their handles to claim the funds.
Perhaps BitClout’s most eyebrow-raising quirk is that the platform is launching with a way to invest into the platform and convert bitcoin into BitClout, but at launch there’s no way to cash out funds. The project’s founder says that it’s only a matter of time before this is resolved, and points to Coinbase and the Winklevoss twins’ status as coin holders as a sign of future exchange support to come, but the company has no specifics to share at launch.
While the founders and investors behind the project see a bright future for social currencies on the blockchain, many in the decentralized community have been less impressed with BitClout’s early efforts to achieve viral adoption among creators in a permission-less manner.
“BitClout will make a great case study on how badly crypto projects can mess up incentive engineering when they try to monetize social networks,” Jay Graber, a decentralized platform researcher involved in Twitter’s bluesky effort, said in a tweet. “Trust and reputation are key, and if you create a sketchy platform and mess with people’s reputations without their consent it is not going to go well.”
If BitClout comes out of the gate and manages to convert enough of its pre-seeded early adopter list that there is value in joining its closed ecosystem version of a social token then it may have strong early momentum in an explosive new space that many creators are finding valuable. The concepts explored by others in the social currency space are sound, but this particular execution of it is a high-risk one. The network launches tomorrow morning so we’ll see soon enough.