FreshRSS

Today — April 22nd 2021

First findings with Apple’s new AirTag location devices

By Matthew Panzarino

I’ve been playing around with Apple’s new AirTag location devices for a few hours now and they seem to work pretty much as advertised. The setup flow is simple and clean, taking clear inspiration from the one Apple developed for AirPods. The precision finding feature enabled by the U1 chip works as a solid example of utility-driven augmented reality, popping up a virtual arrow and other visual identifiers on the screen to make finding a tag quicker.

The basic way that AirTags work, if you’re not familiar, is that they use Bluetooth beaconing technology to announce their presence to any nearby devices running iOS 14.5 and above. These quiet pings are encrypted and invisible (usually) to any passerby, especially if they are with their owners. This means that no one ever knows what device actually ‘located’ your AirTag, not even Apple.

With you, by the way, means in relative proximity to a device signed in to the iCloud account that the AirTags are registered to. Bluetooth range is typically in the ~40 foot range depending on local conditions and signal bounce. 

In my very limited testing so far, AirTag location range fits in with that basic Bluetooth expectation. Which means that it can be foiled by a lot of obstructions or walls or an unflattering signal bounce. It often took 30 seconds or more to get an initial location from an AirTag in another room, for instance. Once the location was received, however, the instructions to locate the device seemed to update quickly and were extremely accurate down to a few inches.

The AirTags run for a year on a standard CR2032 battery that’s user replaceable. They offer some water resistance including submersion for some time. There are a host of accessories that seem nicely designed like leather straps for bags, luggage tags and key rings.

So far so good. More testing to come. 

Some protections

As with anything to do with location, security and privacy are a top of mind situation for AirTags, and Apple has some protections in place.

You cannot share AirTags — they are meant to be owned by one person. The only special privilege offered to people in your iCloud Family Sharing Group is that they can silence the ‘unknown AirTag nearby’ alerts indefinitely. This makes AirTags useful for things like shared sets of keys or maybe even a family pet. This means that AirTags will not show up on your family Find My section like other iOS devices might. There is now a discrete section within the app just for ‘Items’ including those with Find My functionality built in.

The other privacy features include a ‘warning’ that will trigger after some time that a tag is in your proximity and NOT in the proximity of its owner (aka, traveling with you perhaps in a bag or car). Your choices are then to make the tag play a sound to locate it, to look at its information including serial number, and to disable it by removing its battery.

Any AirTag that has been away from its owner for a while — this time is variable and Apple will tweak it over time as it observes how AirTags work — will start playing a sound whenever it is moved. This will alert people to its presence. 

You can, of course, also place an AirTag into Lost Mode, offering a choice to share personal information with anyone who locates it as it plays an alert sound. Anyone with any smart device with NFC, Android included, can tap the device to see a webpage with information that you choose to share. Or just a serial number if you do not choose to do so. 

This scenario addresses what happens if you don’t have an iOS device to alert you to a foreign AirTag in your presence, as it will eventually play a sound even if it is not in lost mode and the owner has no control over that.

It’s clear that Apple has thought through many of the edge cases, but some could still crop up as it rolls out. We’ll have to see.

Apple has some distinct market advantages here:

  • Nearly a billion devices out in the world that can help to locate an AirTag.
  • A built-in U1 wideband chip that communicates with a similar U1 chip in iPhones to enable super precise (down to inches) location.
  • A bunch of privacy features that don’t appear on competing tags.

Important to note that Apple has announced the development of a specification for chipset makers that lets third-party devices with Ultra Wideband radios access the U1 chip onboard iPhones ‘later this Spring’. This should approximate the Precision Finding feature’s utility in accessories that don’t have the advantage of having a U1 built in like the AirTags do. And, of course, Apple has opened up the entire Find My mesh network to third party devices from Belkin, Chipolo and VanMoof that want to offer a similar basic finding function as offered by AirTags. Tile has announced plans to offer a UWB version of its tracker as well, even as it testified in Congress yesterday that Apple’s advantages made its entry into this market unfair. 

It will be interesting to see these play out once AirTags are out getting lost in the wild. I have had them for under 12 hours so I’ve not been able to test edge cases, general utility in public spaces or anything like that. 

The devices go on sale on April 23rd.

Window Snyder’s new startup Thistle Technologies raises $2.5M seed to secure IoT devices

By Zack Whittaker

The Internet of Things has a security problem. The past decade has seen wave after wave of new internet-connected devices, from sensors through to webcams and smart home tech, often manufactured in bulk but with little — if any — consideration to security. Worse, many device manufacturers make no effort to fix security flaws, while others simply leave out the software update mechanisms needed to deliver patches altogether.

That sets up an entire swath of insecure and unpatchable devices to fail, and destined to be thrown out when they break down or are invariably hacked.

Security veteran Window Snyder thinks there is a better way. Her new startup, Thistle Technologies, is backed with $2.5 million in seed funding from True Ventures with the goal of helping IoT manufacturers reliably and securely deliver software updates to their devices.

Snyder founded Thistle last year, and named it after the flowering plant with sharp prickles designed to deter animals from eating it. “It’s a defense mechanism,” Snyder told TechCrunch, a name that’s fitting for a defensive technology company. The startup aims to help device manufacturers without the personnel or resources to integrate update mechanisms into their device’s software in order to receive security updates and better defend against security threats.

“We’re building the means so that they don’t have to do it themselves. They want to spend the time building customer-facing features anyway,” said Snyder. Prior to founding Thistle, Snyder worked in senior cybersecurity positions at Apple, Intel, and Microsoft, and also served as chief security officer at Mozilla, Square, and Fastly.

Thistle lands on the security scene at a time when IoT needs it most. Botnet operators are known to scan the internet for devices with weak default passwords and hijack their internet connections to pummel victims with floods of internet traffic, knocking entire websites and networks offline. In 2016, a record-breaking distributed denial-of-service attack launched by the Mirai botnet on internet infrastructure giant Dyn knocked some of the biggest websites — Shopify, SoundCloud, Spotify, Twitter — offline for hours. Mirai had ensnared thousands of IoT devices into its network at the time of the attack.

Other malicious hackers target IoT devices as a way to get a foot into a victim’s network, allowing them to launch attacks or plant malware from the inside.

Since device manufacturers have done little to solve their security problems among themselves, lawmakers are looking at legislating to curb some of the more egregious security mistakes made by device manufacturers, like using default — and often unchangeable — passwords and selling devices with no way to deliver security updates.

California paved the way after passing an IoT security law in 2018, with the U.K. following shortly after in 2019. The U.S. has no federal law governing basic IoT security standards.

Snyder said the push to introduce IoT cybersecurity laws could be “an easy way for folks to get into compliance” without having to hire fleets of security engineers. Having an update mechanism in place also helps to keep the IoT devices around for longer — potentially for years longer — simply by being able to push fixes and new features.

“To build the infrastructure that’s going to allow you to continue to make those devices resilient and deliver new functionality through software, that’s an incredible opportunity for these device manufacturers. And so I’m building a security infrastructure company to support that security needs,” she said.

With the seed round in the bank, Snyder said the company is focused on hiring device and back-end engineers, product managers, and building new partnerships with device manufacturers.

Phil Black, co-founder of True Ventures — Thistle’s seed round investor — described the company as “an astute and natural next step in security technologies.” He added: “Window has so many of the qualities we look for in founders. She has deep domain expertise, is highly respected within the security community, and she’s driven by a deep passion to evolve her industry.”

Before yesterday

Medtronic partners with cybersecurity startup Sternum to protect its pacemakers from hackers

By Marcella McCarthy

If you think cyberattacks are scary, what if those attacks were directed at your cardiac pacemaker? Medtronic, a medical device company, has been in hot water over the last couple of years because its pacemakers were getting hacked through their internet-based software updating systems. But in a new partnership with Sternum, an IoT cybersecurity startup based in Israel, Medtronic has focused on resolving the issue.

The problem was not with the medical devices themselves, but with the remote systems used to update the devices. Medtronic’s previous solution was to disconnect the devices from the internet, which in and of itself can cause other issues to arise.

“Medtronic was looking for a long-term solution that can help them with future developments,” said Natali Tshuva, Sternum’s founder and CEO. The company has already secured about 100,000 Medtronic devices.

Sternum’s solution allows medical devices to protect themselves in real-time. 

“There’s this endless race against vulnerability, so when a company discovers a vulnerability, they need to issue an update, but updating can be very difficult in the medical space, and until the update happens, the devices are vulnerable,” Tshuva told TechCrunch. “Therefore, we created an autonomous security that operates from within the device that can protect it without the need to update and patch vulnerabilities.”

However, it is easier to protect new devices than to go back and protect legacy devices. Over the years hackers have gotten more and more sophisticated, so medical device companies have had to figure out how to protect the devices that are already out there.  

 “The market already has millions — perhaps billions — of medical devices connected, and that could be a security and management nightmare,” Tshuva added.

In addition to potentially doing harm to an individual, hackers have been taking advantage of device vulnerability as the gateway of choice into a hospital’s network, possibly causing a breach that can affect many more people. Tshuva explained that hospital networks are secured from the inside out, but devices that connect to the networks but are not protected can create a way in.

In fact, health systems have been known to experience the most data breaches out of any sector, accounting for 79% of all reported breaches in 2020. And in the first 10 months of last year, we saw a 45% increase in cyberattacks on health systems, according to data by Health IT Security.

In addition to Sternum’s partnership with Medtronic, the company also launched this week an IoT platform that allows, “devices to protect themselves, even when they are not connected to the internet,” Tshuva said.

Sternum, which raised about $10 million to date, also offers cybersecurity for IoT devices outside of healthcare, and according to Tshuva, the company focuses on areas that are “mission-critical.” Examples include railroad infrastructure sensors and management systems, and power grids.

Tshuva, who grew up in Israel, holds a master’s in computer science and worked for the Israeli Defense Force’s 8200 unit — similar to the U.S.’s National Security Alliance — said she always wanted to make an impact in the medical field. “I looked to combine the medical space with my life, and I realized I could have an impact on remote care devices,” she said.

Facebook brings software subscriptions to the Oculus Quest

By Lucas Matney

Subscription pricing is landing on Facebook’s Oculus Store, giving VR developers another way to monetize content on Facebook’s Oculus Quest headset.

Developers will be allowed to add premium subscriptions to paid or free apps, with Facebook assumedly dragging in their standard percentage fee at the same time. Oculus and the developers on its platform have been riding the success of the company’s recent Quest 2 headset, which Facebook hasn’t detailed sales numbers on but has noted that the months-old $299 headset has already outsold every other Oculus headset sold to date.

Subscription pricing is an unsurprising development but signals that some developers believe they have a loyal enough group of subscribers to bring in sizable bits of recurring revenue. Facebook shipped the first Oculus Rift just over five years ago, and it’s been a zig-zagging path to finding early consumer success during that time. A big challenge for them has been building a dynamic developer ecosystem that offers something engaging to users while ensuring that VR devs can operate sustainably.

At launch, there are already a few developers debuting subscriptions for a number of different app types, spanning exercise, meditation, social, productivity and DJing. In addition to subscriptions, the new monetization path also allows developers to let users try out paid apps on a free trial basis.

The central question is how many Quest users there are that utilize their devices enough to justify a number of monthly subscriptions, but for developers looking to monetize their hardcore users, this is another utility that they likely felt was missing from the Oculus Store.

Building tech for worker safety, Guardhat Technologies is a company that could only come from Detroit

By Jonathan Shieber

Saikat Dey, the founder of Detroit’s own Guardhat Technologies, got his start working in the steel industry. His last job, before founding Guardhat, was serving as the chief executive officer of Severstal International, the multinational steel conglomerate whose headquarters were in Dearborn, Mich.

There, managing the global business of the fourth largest steelmaker by volume and revenue, with 3,600 employees in Mississippi, Michigan, and the coal mines of West Virginia, Dey became obsessed with safety, he said.

Beyond tracking cash flow and EBITDA, the typical numbers companies use, Dey said that worker safety was another measurement that affected compensation. “One of the key metrics is how well and how safe we keep our frontline workers,” Dey said.

Dey’s concerns over safety at his plants are what led him to reach out to union leadership and begin developing the technology that would form the core of Guardhat’s offerings.

The company pitches a multi-product intelligent safety system that integrates wearable technology and proprietary software to detect, alert, and prevent hazardous industrial work-related incidents.

Investors including Dan Gilbert’s Detroit Venture Partners, General Catalyst, and RTP Ventures, the venture investment firm led by Ru-Net Holdings co-founder, Leonid Boguslavsky, are backing Dey’s vision, which also has buy-in from the most important audience of all, the unions representing the workers that use the company’s tech.

Notes on the first day brainstorming session for Guardhat’s industrial wearable. Image Credit: Guardhat

Made in Detroit, built for the world’s industrial workers

Roughly fifteen workers are killed every day on the job in industrial jobs like mining, metals and oil and gas and another 3 million people are injured every year. For executives in the industry, the issue is as much a financial concern as it is an ethical one. At Severstal, 40 percent of Dey’s salary was tied to worker safety, he said.

In fact, the idea for Guardhat hit Dey while he was walking the floor of the company’s Detroit-area steel plant. On one of his regular walks through the factory Dey said he wandered past a man working on a piece of equipment when the employee’s carbon monoxide alarm started to buzz. Instead of trying to find the source of the leak, the man turned off his monitor.

“You’re talking about a steel facility in the heart of Detroit having the largest blast furnace in North America,” said Dey. “Whatever that individual was doing, it could have led to a catastrophic accident.”

That’s what inspired Guardhat’s technology, which Dey said was designed to answer a few simple, situational questions that apply to any factory anywhere in the world: Where are you? What conditions do you face? When can help get to you?

“We didn’t have effective means to prevent or if an accident happens to intervene with timely information,” Dey said. 

The technology may have been designed by executives, but it was made in consultation with the heads of the Detroit area unions, to ensure that workers would actually use the product.

“We decided that we wanted to do this in September 2014,” Dey said. “And when I was struggling with whether to scratch that itch and start the business, the union guys said go for it and do it…. I was a person of color with a $6 billion P&L running one of the six largest steelmakers in the U.S. building this literally out of the garage. It took a lot of guts, stupidity, and it took a lot of support from regular friends at the UAW.”

That collaboration ensured that the union’s workers were comfortable that the information was being generated and stored in a way that would not leave employees feeling that they were being monitored unnecessarily or punitively.

Guardhat Technologies wearable safety helmet. Image Credit: Guardhat Technologies

From prototype to product

The company’s first product was the HC1 — a helmet that comes jam-packed with sensor equipment. “You want to put it on something that everyone wears and is mandated to wear,” Dey said.

Initially the thought was to just create the wearable, but over time Dey and his team realized that the device alone wouldn’t be enough. “The helmet is just another form factor… [and] whatever the form factor, you need to know how you make this information the single source of truth for the platform of all things that surround the worker.”

Like dozens of other Detroit-area startups that came before them, when Dey and his team needed to raise cash, they first turned to Dan Gilbert.

Gilbert tested the prototype by running around a building and asking the GuardHat team if they could find him and tell him where they thought he was.

With Gilbert on board, the product design firm frog labs came into the picture and so did 3M. By then, it was time to test the prototype.

“I still remember the first day we were in testing in a third party certified lab in Akron, Ohio,” said Dey. “These guys were dropping a metal ball from 5 meters and each one of those puppies was $3,000 a-piece and 27 of those hats got ground down to powder,” Dey said. “We failed every test because we didn’t know how to build a helmet.”

Assistance from frog and others brought the device over the finish line, and it’s now being used by over 5,000 workers and has prevented or alerted workers to at least 2,000 potentially dangerous incidents.

For Dey, the business could only have come from Detroit. “The Detroit thing is symbolic,” he said. It’s a symbol of the school of hard knocks that educated its founding team in the ways of these heavy industries.

Grocery startup Mercato spilled years of data, but didn’t tell its customers

By Zack Whittaker

A security lapse at online grocery delivery startup Mercato exposed tens of thousands of customer orders, TechCrunch has learned.

A person with knowledge of the incident told TechCrunch that the incident happened in January after one of the company’s cloud storage buckets, hosted on Amazon’s cloud, was left open and unprotected.

The company fixed the data spill, but has not yet alerted its customers.

Mercato was founded in 2015 and helps over a thousand smaller grocers and specialty food stores get online for pickup or delivery, without having to sign up for delivery services like Instacart or Amazon Fresh. Mercato operates in Boston, Chicago, Los Angeles, and New York, where the company is headquartered.

TechCrunch obtained a copy of the exposed data and verified a portion of the records by matching names and addresses against known existing accounts and public records. The data set contained more than 70,000 orders dating between September 2015 and November 2019, and included customer names and email addresses, home addresses, and order details. Each record also had the IP address of the device the user used to place the order.

The data set also included the personal data and order details of company executives.

It’s not clear how the security lapse happened since storage buckets on Amazon’s cloud are private by default, or when the company learned of the exposure.

Companies are required to disclose data breaches or security lapses to state attorneys-general, but no notices have been published where they are required by law, such as California. The data set had more than 1,800 residents in California, more than three times the number needed to trigger mandatory disclosure under the state’s data breach notification laws.

It’s also not known if Mercato disclosed the incident to investors ahead of its $26 million Series A raise earlier this month. Velvet Sea Ventures, which led the round, did not respond to emails requesting comment.

In a statement, Mercato chief executive Bobby Brannigan confirmed the incident but declined to answer our questions, citing an ongoing investigation.

“We are conducting a complete audit using a third party and will be contacting the individuals who have been affected. We are confident that no credit card data was accessed because we do not store those details on our servers. We will continually inform all authoritative bodies and stakeholders, including investors, regarding the findings of our audit and any steps needed to remedy this situation,” said Brannigan.



Google’s FeedBurner moves to a new infrastructure but loses its email subscription service

By Frederic Lardinois

Google today announced that it is moving FeedBurner to a new infrastructure but also deprecating its email subscription service.

If you’re an internet user of a certain age, chances are you used Google’s FeedBurner to manage the RSS feeds of your personal blogs and early podcasts at some point. During the Web 2.0 era, it was the de facto standard for feed management and analytics, after all. Founded in 2004, with Dick Costolo as one of its co-founders (before he became Twitter’s CEO in 2010), it was acquired by Google in 2007.

Ever since, FeedBurner lingered in an odd kind of limbo. While Google had no qualms shutting down popular services like Google Reader in favor of its ill-fated social experiments like Google+, FeedBurner just kept burning feeds day in and day out, even as Google slowly deprecated some parts of the service, most notably its advertising integrations.

I don’t know that anybody spent a lot of time thinking about the service and RSS has slowly (and sadly) fallen into obscurity, yet the service was probably easy enough to maintain that Google kept it going. And despite everything, shutting it down would probably break enough tools for publishers to create quite an uproar. The TechCrunch RSS feed, to which you are surely subscribed in your desktop RSS reader, is http://feeds.feedburner.com/TechCrunch/, after all.

So here we are, 14 years later, and Google today announced that it is “making several upcoming changes to support the product’s next chapter.” It’s moving the service to a new, more stable infrastructure.

But in July, it is also shutting down some non-core features that don’t directly involve feed management, most importantly the FeedBurner email subscription service that allowed you to get emailed alerts when a feed updates. Feed owners will be able to download their email subscriber lists (and will be able to do so after July, too). With that, Blogger’s FollowByEmail widget will also be deprecated (and hey, did you start this day thinking you’d read about FeedBurner AND Blogger on TechCrunch without having to travel back to 2007?).

Google stresses that other core FeedBurner features will remain in place, but given the popularity of email newsletters, that’s a bit of an odd move.

PlexTrac raises $10M Series A round for its collaboration-centric security platform

By Frederic Lardinois

PlexTrac, a Boise, ID-based security service that aims to provide a unified workflow automation platform for red and blue teams, today announced that it has raised a $10 million Series A funding round led by Noro-Moseley Partners and Madrona Venture Group. StageDot0 ventures also participated in this round, which the company plans to use to build out its team and grow its platform.

With this new round, the company, which was founded in 2018, has now raised a total of $11 million, with StageDot0 leading its 2019 seed round.

PlexTrac CEO and President Dan DeCloss

“I have been on both sides of the fence, the specialist who comes in and does the assessment, produces that 300-page report and then comes back a year later to find that some of the critical issues had not been addressed at all. And not because the organization didn’t want to but because it was lost in that report,” PlexTrac CEO and President Dan DeCloss said. “These are some of the most critical findings for an entity from a risk perspective. By making it collaborative, both red and blue teams are united on the same goal we all share, to protect the network and assets.”

With an extensive career in security that included time as a penetration tester for Veracode and the Mayo Clinic, as well as senior information security advisor for Anthem, among other roles, DeCloss has quite a bit of first-hand experience that led him to found PlexTrac. Specifically, he believes that it’s important to break down the wall between offense-focused red teams and defense-centric blue teams.

Image Credits: PlexTrac

“Historically there has been more of the cloak and dagger relationship but those walls are breaking down – and rightfully so, there isn’t that much of that mentality today – people recognize they are on the same mission whether they are internal security team or an external team,” he said. “With the PlexTrac platform the red and blue teams have a better view into the other teams’ tactics and techniques – and it makes the whole process into an educational exercise for everyone.”

At its core, PlexTrac makes it easier for security teams to produce their reports — and hence free them up to actually focus on ‘real’ security work. To do so, the service integrates with most of the popular scanners like Qualys and Veracode, but also tools like ServiceNow and Jira in order to help teams coordinate their workflows. All the data flows into real-time reports that then help teams monitor their security posture. The service also features a dedicated tool, WriteupsDB, for managing reusable write-ups to help teams deliver consistent reports for a variety of audiences.

“Current tools for planning, executing, and reporting on security testing workflows are either nonexistent (manual reporting, spreadsheets, documents, etc…) or exist as largely incomplete features of legacy platforms,” Madrona’s S. Somasegar and Chris Picardo write in today’s announcement. “The pain point for security teams is real and PlexTrac is able to streamline their workflows, save time, and greatly improve output quality. These teams are on the leading edge of attempting to find and exploit vulnerabilities (red teams) and defend and/or eliminate threats (blue teams).”

New Quest 2 software brings wireless PC streaming, updated ‘office’ mode

By Lucas Matney

After a relatively quiet couple of months from Oculus on the software front, Facebook’s VR unit is sharing some details on new functionality coming to its Quest 2 standalone headset.

The features, which include wireless Oculus Link support, “Infinite Office” functionality and upcoming 120Hz support, will be rolling out in the Quest 2’s upcoming v28 software update. There’s no exact word on when that update is coming but the language in the blog seems to intimate that the rollout is imminent.

The big addition here is a wireless version of Oculus Link which will allow Quest 2 users to stream content from their PCs directly to their standalone headsets, enabling more graphics-intensive titles that were previously only available on the now pretty much defunct Rift platform. Air Link is a feature that will enable users to ditch the tethered experience of Oculus Link, though many users have been relying on third-party software to do this already, utilizing Virtual Desktop.

It appears this upgrade is only coming to Quest 2 users in a new experimental mode, but not owners of the original Quest headset. Users will need to update the Oculus software on both their Quest 2 and PC to the v28 version in order to use this feature.

Accompanying the release of Air Link in this update are new features coming to “Infinite Office,” a VR office play that aims to bring your keyboard and mouse into VR and allow users to engage with desktop-style software. Facebook debuted it back at their VR-focused Facebook Connect conference, but they haven’t said much about it since.

Today’s updates include added keyboard support that not only allows users to link their device but see it inside VR. This support is limited to a single model from a single manufacturer (the Logitech K830), but Facebook says they’ll be adding support down the road to other keyboards. Users with this keyboard will be able to see outlines of their hands as well as a rendering of the keyboard in its real position, enabling users to accurately type (theoretically). Infinite Office will also allow users to designate where their real world desk is, a feature that will likely help users orient themselves. Even with a keyboard, there’s not much users can do at the moment beyond accessing the Oculus Browser, it seems.

Lastly, Oculus is allowing developers to sample out 120Hz frame rate support for their titles. Facebook says that there isn’t actually anything available with that frame rate yet, not even system software, but that support is here for developers in an experimental fashion.

Oculus says the new software update will be rolling out “gradually” to users.

FBI launches operation to remove backdoors from hacked Microsoft Exchange servers

By Zack Whittaker

A court in Houston has authorized an FBI operation to “copy and remove” backdoors from hundreds of Microsoft Exchange email servers in the United States, months after hackers used four previously undiscovered vulnerabilities to attack thousands of networks.

The Justice Department announced the operation on Tuesday, which it described as “successful.”

In March, Microsoft discovered a new China state-sponsored hacking group — Hafnium — targeting Exchange servers run from company networks. The four vulnerabilities when chained together allowed the hackers to break into a vulnerable Exchange server and steal its contents. Microsoft fixed the vulnerabilities but the patches did not close the backdoors from the servers that had already been breached. Within days, other hacking groups began hitting vulnerable servers with the same flaws to deploy ransomware.

The number of infected servers dropped as patches were applied. But hundreds of Exchange servers remained vulnerable because the backdoors are difficult to find and eliminate, the Justice Department said in a statement.

“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks,” the statement said. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”

The FBI said it’s attempting to inform owners via email of servers from which it removed the backdoors.

Assistant attorney general John C. Demers said the operation “demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions.”

The Justice Department also said the operation only removed the backdoors, but did not patch the vulnerabilities exploited by the hackers to begin with or remove any malware left behind.

It’s believed this is the first known case of the FBI effectively cleaning up private networks following a cyberattack. In 2016, the Supreme Court moved to allow U.S. judges to issue search and seizure warrants outside of their district. Critics opposed the move at the time, fearing the FBI could ask a friendly court to authorize cyber-operations for anywhere in the world.

Other countries, like France, have used similar powers before to hijack a botnet and remotely shut it down.

Neither the FBI nor the Justice Department commented by press time.

SpaceX’s Falcon Heavy rocket to deliver an Astrobotic lander and NASA water-hunting rover to the moon in 2023

By Darrell Etherington

SpaceX is set to send a payload to the moon in 2023, using its larger (and infrequently used) Falcon Heavy launch vehicle. The mission will fly a lander built by space startup Astrobotic, which itself will be carrying NASA’s VIPER, or Volatiles Investigating Polar Exploration Rover (this is the agency that loves torturing language to come up with fun acronyms, after all).

The launch is currently set for later in the year, and this would be Falcon Heavy’s first moon mission if all goes to plan. It would not, however, be SpaceX’s first lunar outing, since the company has booked missions to launch lunar landers as early as 2022 on behalf of both Masten and Intuitive Machines. Those would both employ Falcon 9 rockets, however, at least according to current mission specs. Also, all of the above timelines so far exist only on paper, and in the business of space, delays and schedule shifts are far from unusual.

This mission is an important one for all involved, however, so they’re likely to prioritize its execution. For NASA, it’s a key mission in its longer-term goals for Artemis, the program through which it seeks to return humans to the moon, and eventually establish a more permanent scientific presence there both in orbit and on the surface. Part of establishing a surface station will rely on using in-situ resources, of which water would be a hugely important one.

Astrobotic's Griffin lunar lander in development.

Image Credits: Astrobotic

Astrobotic won the contract to deliver VIPER on behalf of NASA last year. The mission profile includes landing the payload on the lunar South Pole, which is the intended target landing area for NASA’s Artemis missions involving human astronauts. The lander Astrobotic is sending for this task is its Griffin model, which is a larger craft vs. its Peregrine lander, giving it the extra space required to carry the VIPER, and making it necessary to use SpaceX’s heavier lift Falcon Heavy launch vehicle.

NASA’s ambitious target of landing astronauts back on the moon by 2024 is in flux as the new administration looks at timelines and budgets, but it still seems committed to making use of public-private partnerships to pave the way, whenever it does attain that goal. This first Griffin mission, along with an earlier planned Peregrine landing, are part of NASA’s Commercial Lunar Payload Services (CLPS) program, which sought private sector partners to build and deliver lunar landers with NASA as one customer.

Meroxa raises $15M Series A for its real-time data platform

By Frederic Lardinois

Meroxa, a startup that makes it easier for businesses to build the data pipelines to power both their analytics and operational workflows, today announced that it has raised a $15 million Series A funding round led by Drive Capital. Existing investors Root, Amplify and Hustle Fund also participated in this round, which together with the company’s previously undisclosed $4.2 million seed round now brings total funding in the company to $19.2 million.

The promise of Meroxa is that businesses can use a single platform for their various data needs and won’t need a team of experts to build their infrastructure and then manage it. At its core, Meroxa provides a single Software-as-a-Service solution that connects relational databases to data warehouses and then helps businesses operationalize that data.

“The interesting thing is that we are focusing squarely on relational and NoSQL databases into data warehouse,” Meroxa co-founder and CEO DeVaris Brown told me. “Honestly, people come to us as a real-time FiveTran or real-time data warehouse sink. Because, you know, the industry has moved to this [extract, load, transform] format. But the beautiful part about us is, because we do change data capture, we get that granular data as it happens.” And businesses want this very granular data to be reflected inside of their data warehouses, Brown noted, but he also stressed that Meroxa can expose this stream of data as an API endpoint or point it to a Webhook.

The company is able to do this because its core architecture is somewhat different from other data pipeline and integration services that, at first glance, seem to offer a similar solution. Because of this, users can use the service to connect different tools to their data warehouse but also build real-time tools on top of these data streams.

“We aren’t a point-to-point solution,” Meroxa co-founder and CTO Ali Hamidi explained. “When you set up the connection, you aren’t taking data from Postgres and only putting it into Snowflake. What’s really happening is that it’s going into our intermediate stream. Once it’s in that stream, you can then start hanging off connectors and say, ‘Okay, well, I also want to peek into the stream, I want to transfer my data, I want to filter out some things, I want to put it into S3.’”

Because of this, users can use the service to connect different tools to their data warehouse but also build real-time tools to utilize the real-time data stream. With this flexibility, Hamidi noted, a lot of the company’s customers start with a pretty standard use case and then quickly expand into other areas as well.

Brown and Hamidi met during their time at Heroku, where Brown was a director of product management and Hamidi a lead software engineer. But while Heroku made it very easy for developers to publish their web apps, there wasn’t anything comparable in the highly fragmented database space. The team acknowledges that there are a lot of tools that aim to solve these data problems, but few of them focus on the user experience.

“When we talk to customers now, it’s still very much an unsolved problem,” Hamidi said. “It seems kind of insane to me that this is such a common thing and there is no ‘oh, of course you use this tool because it addresses all my problems.’ And so the angle that we’re taking is that we see user experience not as a nice-to-have, it’s really an enabler, it is something that enables a software engineer or someone who isn’t a data engineer with 10 years of experience in wrangling Kafka and Postgres and all these things. […] That’s a transformative kind of change.”

It’s worth noting that Meroxa uses a lot of open-source tools but the company has also committed to open-sourcing everything in its data plane as well. “This has multiple wins for us, but one of the biggest incentives is in terms of the customer, we’re really committed to having our agenda aligned. Because if we don’t do well, we don’t serve the customer. If we do a crappy job, they can just keep all of those components and run it themselves,” Hamidi explained.

Today, Meroxa, which the team founded in early 2020, has over 24 employees (and is 100% remote). “I really think we’re building one of the most talented and most inclusive teams possible,” Brown told me. “Inclusion and diversity are very, very high on our radar. Our team is 50% black and brown. Over 40% are women. Our management team is 90% underrepresented. So not only are we building a great product, we’re building a great company, we’re building a great business.”  

ConsenSys raises $65M from JP Morgan, Mastercard, UBS to build infrastructure for DeFi

By Mike Butcher

ConsenSys, a key player in crypto and a major proponent of the Ethereum blockchain, has raised a $65 million funding round from J.P. Morgan, Mastercard, and UBS AG, as well as major blockchain companies Protocol Labs, the Maker Foundation, Fenbushi, The LAO and Alameda Research. Additional investors include CMT Digital and the Greater Bay Area Homeland Development Fund. As well as fiat, several funds invested with Ethereum-based stablecoins, DAI and USDC, as consideration.

Sources told TechCrunch that this is an unpriced round because of the valuation risk, and the funding instrument is “full”, so the round is being closed now.

The fundraise looks like a highly strategic one, based around the idea that traditional institutions will need visibility into the increasingly influential world of ‘decentralized finance’ (DeFi) and the Web3 applications being developed on the Ethereum blockchain.

In a statement on the fundraise, ConsenSys said it has been through a “period of strategic evolution and growth”, but most outside observers would agree that this is something of an understatement.

After a period of quite a lot of ‘creative disruption’ to put it mildly (at one point a couple of years ago, ConsenSys seemed to have everything from a VC fund, to an accelerator, to multiple startups under its wing), the company has restructured to form two main arms: ConsenSys, the core software business; and ConsenSys Mesh, the investment arm, incubator, and portfolio. It also acquired the Quorum product from J.P. Morgan, which has given it a deeper bench into the enterprise blockchain ecosystem. This means it now has a very key product suite for the Ethereum platform, including products such as Codefi, Diligence, Infura, MetaMask, Truffle, and Quorum.

This suite allows it to serve both public and private permissioned blockchain networks. It can also support Layer 2 Ethereum networks, as well as facilitate access to adjacent protocols like IPFS, Filecoin, and others. ConsenSys is also a major contributor to the Ethereum 2.0 project, for obvious reasons.

Commenting on the fundraise, Joseph Lubin, founder of ConsenSys and co-founder of Ethereum, said in a statement: “When we set out to raise a round, it was important to us to patiently construct a diverse cap table, consistent with our belief that similar to how the web developed, the whole economy would join the revolutionaries on a next-generation protocol. ConsenSys’ software stack represents access to a new automated objective trust foundation enabled by decentralized protocols like Ethereum. We are proud to partner with preeminent financial firms alongside leading crypto companies to further converge the centralized and decentralized financial domains at this particularly exciting time of growth for ConsenSys and the entire industry.”

With financial institutions able to see DeFi happening ‘in public’ on Ethereum, because of the public chain, they can see how much of the financial system is gradually starting to merge with the blockchain world. So it’s becoming clearer what attracts these major institutions.

Mike Dargan, Head of Group Technology at UBS said: “Our investment in ConsenSys adds proven expertise in distributed ledger technology to our UBS Next portfolio.”

For Mastercard this appears to be not just a pure investment – ConsenSys has been working with it on a private permissioned network.

Raj Dhamodharan, executive vice president of digital asset and blockchain products and partnerships at Mastercard said: “Enterprise Ethereum is a key infrastructure on which we and our partners are building payment and non-payment applications to power the future of commerce… Our investment and partnership with ConsenSys helps us bring secure and performant Enterprise Ethereum capabilities to our customers.”

Colleen Sullivan, Co-Founder and CEO of CMT Digital said: “ConsenSys is the pioneer in bridging the gaps across traditional finance, centralized crypto, and DeFi, and more broadly, between Web 2.0 and Web 3.0. We are proud to participate in this funding round as the ConsenSys team continues to pave the way for global users  — retail and institutional — to easily access the crypto ecosystem.”

TechCrunch understands that the fundraise was started around the time of the Quorum acquisition, last June. The $65 million round is in majority fiat currency as opposed to cryptocurrency and is an adjunct to the round done with JP Morgan last summer.

The presence of significant crypto players such as Maker and Protocol Labs shows the significance of the fundraise, beyond the simple transaction. The announcement also comes just ahead of the Coinbase IPO, which makes for interesting timing.

ConsenSys’ products have become highly significant in the world where developers, enterprises, and consumers meet blockchain and crypto. In its statement, the company claims MetaMask now has over three million monthly active users across mobile and desktop, a 3x increase in the last five or six months, it says. This is roughly the same amount of monthly active customers as Coinbase.

The ConsenSys announcement comes just ahead of the Coinbase IPO. While Coinbase is acting as an exchange to turn fiat into crypto and vice versa, it has also been getting into DeFi of late. There are also resemblances with ConsenSys: Coinbase, with 3 million users, is used as a wallet, and MetaMask, which also has 3 million users, can also be used as a wallet. The comparison ends there, but it’s certainly interesting, given Coinbase’s $100 billion valuation.

As Jeremy Millar, Chief Development Officer, told me: “Coinbase has pioneered an exchange, in one of the world’s was regulated financial markets, the US. And it has helped drive significant interest in the space. We enjoy a very positive relationship with Coinbase, trying to further enable the ecosystem and adoption of the technology.”

The background to this raise is that a lot of early-stage blockchain and crypto companies have been raising a lot of money recently, but much of this has been through crypto investment firms. Only a handful of Silicon Valley VCs are backing blockchain, such as Andreessen Horowitz.

What’s interesting about this announcement is that these incumbent financial giants are not only taking an interest, but working alongside ConsenSys to both invest and build products on Ethereum.

It’s ConsenSys’ view that every payment service provider and bank will need this financial infrastructure in the future, especially for DeFi.

Given there is roughly $43 billion collateralized in DeFi, it’s increasingly the case that major investors are involved, and there are increasingly higher returns than traditional yield and bond or bond yields.

The moves by central banks into digital currencies are also forcing companies and governments to realize that digital currency, and the ‘blockchain rails’ on which it runs, are here to stay. This is what is suggested by the decision of the Greater Bay Area Homeland Development Fund (a Shenzhen / Hong Kong joint partnership) to get involved.

Another aspect of this story is that ConsenSys is sitting on some extremely powerful products. ConsenSys has six products that serve three different types of people.

Service developers who are building on Ethereum are using Truffle to develop smart contracts. Users joining the NFT hype are using MetaMask underneath it all.

The MetaMask wallet allows users to swap one token for another. This has proved quite lucrative for ConsenSys, which says it has resulted in $1.8 billion in volume in decentralized exchange use. ConsenSys takes a 0.875 percent cut on every swap that it serves.

And institutions are using ConsenSys’ products. The company says more than 150,000 developers use Infura’s APIs, and 4.5 million developers create and deploy smart contracts using Truffle, while its Protocols group — developer of Hyperledger Besu and ConsenSys Quorum — is building Central Bank Digital Currencies (CBDCs) for six central banks, says ConsenSys.

ConsenSys is also making hay with the NFT boom. Developers are using ConsenSys products for the nodes and infrastructure on Ethereum which stores the NFT files.

ConsenSys is also riding two waves. One is the developer wave and the other is the financial system wave.

As a spokesperson said: “Where the interest in money and invention started happening was on public networks like Ethereum. So we really believe that these are converging and they will continue to, and every one of our products offers public main net compatibility because we think this is the future.”

Millar added: “If we want to help the world adopt the technology we need to meet it at its adoption point, which for many large enterprises means inside the firewall first. But similarly, we think, just like the public Internet, the real value – the disruptive value – changes the ability to do this on a broader permissionless basis, especially when you have sufficient privacy and authentication available.”

Clim8 raises $8M from 7pc Ventures, launches climate-focused investing app for retail investors

By Mike Butcher

Ethical investing remains something of a confusing maze, with a great deal of ‘greenwashing’ going on. A new UK startup is hoping to fix that with the launch of its new app and platform for retail investors.

Clim8 Invest has raised $8 million from 7pc Ventures (early backers of Oculus, acquired by Facebook), British Business Bank Future Fund and a number of technology entrepreneurs and executives including Marcus Exall (Monese), Marcus Mosen (N26), Paul Willmott (Lego Digital, McKinsey), Doug Scott (Redbrain), Matt Wilkins (Thought Machine), Andrew Cocker (Skyscanner), Steve Thomson (Redbrain), Monica Kalia (Neyber, Goldman Sachs), Doug Monro (Adzuna), Erik Nygard (Limejump).

Consumers will be able to invest in companies and supply chains that are focused on tackling climate change. It will be competing with similar startups in the space such as London-based Tickr (backed by $3m from Ada Ventures), Helios in Paris, and Yova in Zurich.

Duncan Grierson, CEO of Clim8 said in a statement: “We are launching at an exciting time for sustainable investing. 2020 was an exceptional year for environmentally-focused investment offerings, as investors looked harder at climate-related opportunities. Sustainable investments have continued to outperform markets since the beginning of the Covid-19 Crisis and we believe this will continue.”

Grierson has 20 years of experience in the green space and was a winner of the EY Entrepreneur of Year Cleantech award.

The startup will take advantage of new, higher EU rules around the disclosure requirements for sustainable investment funds. Users can choose between either stocks and shares ISAs (up to £20k) or a taxable general investment account.
