Trustico CEO Leaks HTTPS Certificate Keys Through Email

The CEO of Trustico, a TLS certificate reseller based in the United Kingdom, finds himself at the center of a controversy that raises a number of disturbing questions about browser-trusted security certificates.

The email in question was sent to Jeremy Rowley, an executive Vice President at DigiCert.  The catalyst that prompted the fateful email was that officials at Trustico notified DigiCert that 50,000 certificates originally issued by Symantec and resold by Trustico had been compromised and should be mass revoked due to security concerns.

Mr. Rowley, not wanting to take such drastic action without proof, asked for it.  In response, Trustico’s CEO emailed the private keys of 23,000 certificates, an action which drew shocked reactions from security professionals around the world when news of the email became public.

If you’re not familiar with the inner workings of browser-trusted certificates, there are a few problems here.  First, there’s no good reason why a reseller should have a copy of the private keys to begin with.  Second, even if that were the norm, to simply email them to a third party shows incredibly poor judgement, especially given that there’s no evidence the email in question was encrypted.  Third, customers used Trustico’s website to generate their private keys, which is a service that should never even have been offered.

To make matters even worse, not long after news of the email hit the internet, Trustico’s website went dark, when a security expert posted details about a critical vulnerability on the company’s website.  The flaw resides in a site feature that allows customers to confirm that certificates are properly installed.  Unfortunately, Trustico’s website had been compromised and any time a user would use the feature, the hackers could use the opportunity to run malicious code.  It’s a tangled web, and it paints everyone involved in a very bad light.

Used with permission from Article Aggregator

With great tech success, comes even greater responsibility

As we watch major tech platforms evolve over time, it’s clear that companies like Facebook, Apple, Google and Amazon (among others) have created businesses that are having a huge impact on humanity — sometimes positive and other times not so much.

That suggests that these platforms have to understand how people are using them and when they are trying to manipulate them or use them for nefarious purposes — or the companies themselves are. We can apply that same responsibility filter to individual technologies like artificial intelligence and indeed any advanced technologies and the impact they could possibly have on society over time.

This was a running theme this week at the South by Southwest conference in Austin, Texas.

The AI debate rages on

While the platform plays are clearly on the front lines of this discussion, tech icon Elon Musk repeated his concerns about AI running amok in a Q&A at South by Southwest. He worries that it won’t be long before we graduate from the narrow (and not terribly smart) AI we have today to a more generalized AI. He is particularly concerned that a strong AI could develop and evolve over time to the point it eventually matches the intellectual capabilities of humans. Of course, as TechCrunch’s Jon Shieber wrote, Musk sees his stable of companies as a kind of hedge against such a possible apocalypse.

Elon Musk with Jonathan Nolan at South by Southwest 2018. Photo: Getty Images/Chris Saucedo

“Narrow AI is not a species-level risk. It will result in dislocation… lost jobs… better weaponry and that sort of thing. It is not a fundamental, species-level risk, but digital super-intelligence is,” he told the South by Southwest audience.

He went so far as to suggest it could be more of a threat than nuclear warheads in terms of the kind of impact it could have on humanity.

Taking responsibility

Whether you agree with that assessment or not, or even if you think he is being somewhat self-serving with his warnings to promote his companies, he could be touching upon something important about corporate responsibility around the technology that startups and established companies alike should heed.

It was certainly on the mind of Apple’s Eddy Cue, who was interviewed on stage at SXSW by CNN’s Dylan Byers this week. “Tech is a great thing and makes humans more capable, but in of itself is not for good. People who make it, have to make it for good,” Cue said.

We can be sure that Twitter’s creators never imagined a world where bots would be launched to influence an election when they created the company more than a decade ago. Over time though, it becomes crystal clear that Twitter, and indeed all large platforms, can be used for a variety of motivations, and the platforms have to react when they think there are certain parties who are using their networks to manipulate parts of the populace.

Apple’s Eddie Cue speaking at South by Southwest 2018. Photo: Ron Miller

Cue dodged any of Byers’ questions about competing platforms, saying he could only speak to what Apple was doing because he didn’t have an inside view of companies like Facebook and Google (which he didn’t ever actually mention by name). “I think our company is different than what you’re talking about. Our customers’ privacy is of utmost importance to us,” he said. That includes, he said, limiting the amount of data they collect because they are not worrying about having enough to serve more meaningful ads. “We don’t care where you shop or what you buy,” he added.

Andy O’Connell from Facebook’s Global Policy Development team, speaking on a panel on the challenges of using AI to filter “fake news” said, that Facebook recognizes it can and should play a role if it sees people manipulating the platform. “This is a whole society issue, but there are technical things we are doing and things we can invest in [to help lessen the impact of fake news],” he said. He added that Facebook co-founder and CEO Mark Zuckerberg has expressed it as challenge to the company to make the platform more secure and that includes reducing the amount of false or misleading news that makes it onto the platform.

Recognizing tech’s limitations

As O’Connell put forth, this is not just a Facebook problem or a general technology problem. It’s a social problem and society as a whole needs to address it. Sometimes tech can help, but, we can’t always look to tech to solve every problem. The trouble is that we can never really anticipate how a given piece of technology will behave or how people use it once we put it out there.

Photo: Ron Miller

All of this suggests that none of these problems, some of which we never could have never have even imagined, are easy to solve. For every action and reaction, there can be another set of unintended consequences, even with the best of intentions.

But it’s up to the companies who are developing the tech to recognize the responsibility that comes with great economic success or simply the impact of whatever they are creating could have on society. “Everyone has a responsibility [to draw clear lines]. It is something we do and how we want to run our company. In today’s world people have to take responsibility and we intend to do that,” Cue said.

It’s got to be more than lip service though. It requires thought and care and reacting when things do run amok, while continually assessing the impact of every decision.

Equity podcast: Theranos’s reckoning, BroadQualm’s stunning conclusion and Lyft’s platform ambitions

Hello and welcome back to Equity, TechCrunch’s venture capital-focused podcast where we unpack the numbers behind the headlines.

This week Katie Roof and I were joined by Mayfield Fund’s Navin Chaddha, an investor with early connections with Lyft to talk about, well, Lyft — as well as two bombshell news events in the form of an SEC fine for Theranos and Broadcom’s hostile takeover efforts for Qualcomm hitting the brakes. Alex Wilhelm was not present this week but will join us again soon (we assume he was tending to his Slayer shirt collection).

Starting off with Lyft, there was quite a bit of activity for Uber’s biggest competitor in North America. The ride-sharing startup (can we still call it a startup?) said it would be partnering with Magna to “co-develop” an autonomous driving system. Chaddha talks a bit about how Lyft’s ambitions aren’t to be a vertical business like Uber, but serve as a platform for anyone to plug into. We’ve definitely seen this play out before — just look at what happened with Apple (the closed platform) and Android (the open platform). We dive in to see if Lyft’s ambitions are actually going to pan out as planned. Also, it got $200 million out of the deal.

Next up is Theranos, where the SEC investigation finally came to a head with founder Elizabeth Holmes and former president Ramesh “Sunny” Balwani were formally charged by the SEC for fraud. The SEC says the two raised more than $700 million from investors through an “elaborate, years-long fraud in which they exaggerated or made false statements about the company’s technology, business, and financial performance.” You can find the full story by TechCrunch’s Connie Loizos here, and we got a chance to dig into the implications of what it might mean for how investors scope out potential founders going forward. (Hint: Chaddha says they need to be more careful.)

Finally, BroadQualm is over. After months of hand-wringing over whether or not Broadcom would buy — and then commit a hostile takeover — of the U.S. semiconductor giant, the Trump administration blocked the deal. A cascading series of events associated with the CFIUS, a government body, got it to the point where Broadcom’s aggressive dealmaker Hock Tan dropped plans to go after Qualcomm altogether. The largest deal of all time in tech will, indeed, not be happening (for now), and it has potentially pretty big implications for M&A going forward.

That’s all for this week, we’ll catch you guys next week. Happy March Madness, and may fortune favor* your brackets.

Equity drops every Friday at 6:00 am PT, so subscribe to us on Apple PodcastsOvercast, Pocketcast, Downcast and all the casts.

assuming you have Duke losing before the elite 8.

Cloud security startup Zscaler closes at $33, up 106% on its first day of trading on Nasdaq

The first post-billion, big tech IPO of the year has opened with a bang. Zscaler, a security startup that confidentially filed for an IPO last year, closed out its first day of trading at $33/share, up 106% from its opening price of $16.

The enterprise cloud services company started trading this morning as ZS on Nasdaq at a price of $27.50/share,  a pop of 71.9  percent on its opening price, and its stock today reached a peak of $33.37. The activity on Zscaler could point to a bullish moment for security startups, and potentially public listings for tech companies in general — as well as some pent-up demand in a climate that has been somewhat dry for big tech IPOs after some notable flops.

That could bode well for Dropbox, Spotify and others that are planning or considering public listings in the coming weeks and months.

Zscaler, a cloud-services company, posted revenues of $125.7 million in 2017 with net losses of $35.5 million and said in its S-1 that it expected to “continue to incur net losses for the foreseeable future.” But it priced its IPO modestly, and the result was that there seemed to be more of an appetite for the company than expected.

Initially, Zscaler had expected to sell 10 million shares at a range between $10 and $12 per share, but interest led the company to expand that to 12 million shares at a $13-15 range, which then moved up to $16 and Zscaler last night raising $192 million giving it a valuation of over $1.9 billion — a sign of strong interest in the investor community that it’s now hoping will follow through in its debut and beyond.

Zscaler is a specialist in an area called software-defined perimeter (SDP) services, which allow enterprises and other organizations to better control how they allow employees to access apps and specific services within their IT networks: the idea is that rather than giving access to the full network, employees are authenticated just for the apps that they specifically need for their work.

SDP architectures have become increasingly popular in recent years as a way of better mitigating security threats in networks where employees are using a variety of devices, including their own private mobile phones, to access data and apps in corporate networks and in the cloud — both of which have become routes for malicious hackers to breach systems.

SDP services are being adopted by the likes of Google, and are being built by a number of other tech companies, both those that are looking to provide more value-added services around existing cloud or other IT offerings, and those that are already playing in the area of security, including Cisco, Check Point Software, EMC, Fortinet, Intel, Juniper Networks, Palo Alto Networks, Symantec (which has been involved in IP lawsuits with Zscaler) and more — which speaks both of the opportunity and challenge in the market for Zscaler. Estimates of the value of the market range from $7.8 billion to $11 billion by 2023.

Go here for more on the IPO, and hear from the CEO himself.

Google expands its Cloud Platform region in the Netherlands

Google today announced that it has expanded its recently launched Cloud Platform region in the Netherlands with an additional zone. The investment, which is worth a reported 500 million euros, expands the existing Netherlands region from two to three regions. With this, all four of the Central European Google Cloud Platform zones now feature three zones (which are akin to what AWS would call “availability zones”) that allow developers to build highly available services across multiple data centers.

Google typically aims to have a least three zones in every region, so today’s announcement to expand its region in the Dutch province of Groningen doesn’t come as a major surprise.

With this move, Google is also making Cloud SpannerCloud BigtableManaged Instance Groups, and Cloud SQL available in the region.

Over the course of the last two years, Google has worked hard to expand its global data center footprint. While it still can’t compete with the likes of AWS and Azure, which currently offers more regions than any of its competitors, the company now has enough of a presence to be competitive in most markets.

In the near future, Google also plans to open regions in Los Angeles, Finland, Osaka and Hong Kong. The major blank spots on its current map remain Africa, China (for rather obvious reasons) and Eastern Europe, including Russia.

Small businesses love free stuff, so Gusto is giving them free HR Basics

Gusto, formerly ZenPayroll, is the rare startup unicorn that has stayed relatively mum on its product and growth — its last press release, for instance, was more than a year ago. The company’s core offering remains payroll for small businesses, and it has been working to expand its customer base across the nation, including having its CEO, Joshua Reeves, go on a tour of the country to visit SMBs in an RV.

Now the company is opening up a bit on its recent progress. Gusto hit 60,000 customers nationwide in January, or roughly 1% of all employers in the United States, according to the company.

The company is also working on new products. One challenge small businesses face is getting access to high-quality, yet affordable, software, particularly in HR. “Small businesses actually get that people are the core more than large companies,” Reeves explained to me. “In a 10-person company, you know everyone, your customers are your neighbors, but they never really had access to high-quality software.”

Gusto is hoping to fill that gap, announcing the beta launch of a new product it’s calling HR Basics. The product offers a suite of tools for small businesses to handle the quotidian tasks of HR, including managing vacation time, compiling employee directories and improving the onboarding of new hires. Most importantly, the product is free, and doesn’t require a credit card or a bank account to sign up.

Reeves believes that Gusto has two purposes: to offer “peace of mind” to small business owners around areas like compliance that can lead to negative enforcement actions, and to provide software that can help companies become “great places to work” that are more focused on community. Reeves is particularly passionate about the latter point. “Even the terminology ‘human capital management’ — humans are not capital, humans are not resources, they are people, thank you very much.”

One particular area of focus for HR Basics is around onboarding. Gusto is hoping it can move all HR paperwork online, so that everything required to officially onboard an employee can be done even before the employee walks into work the first day. With that out of the way, Gusto can then focus on helping companies create the right corporate culture. For instance, the product offers a “Welcome Wall” where other employees can write cheerful and encouraging notes for a new employee to make them feel like they belong at the company from day one.

The Welcome Wall is designed to encourage new employees joining a company

This new product is free for businesses, and Gusto obviously hopes that it creates a funnel of potential customers who will eventually sign up for its payroll service and full HR platform, which charge around $6-12 a month per employee based on the specific plan that a business chooses.

One interesting commitment Gusto is making according to Reeves is that an employee’s profile on the platform will be a lifetime account. The company’s vision is that if an employee moves from one company to the next and both use Gusto, all of the preferences and other data required to administer HR would work immediately.

That portability mattered less in a world where employees spent decades at a single company, but now that employees often switch employers as often as every year, the repeated savings of time in the transition can be quite significant. Longer term, Gusto sees that sort of portability as critical for facilitating the changing nature of work in the 21st century.

Gusto, which was founded in 2011, is now entering middle age, and the company has 530 employees across its San Francisco and Denver offices, according to Reeves.

Update: Added the number of customers Gusto currently has.

NexGenT wants to rethink bootcamps with programs for network engineering certifications

Developer bootcamps — several-month training programs that are designed to help people get up to speed with the technical skills they need to become a developer — exploded in popularity in the early part of the decade, but there’s been a bit of a shakedown on the space recently.

And that could be a product of a lot of things, but for Jacob Hess and Terry Kim, it’s just not enough time to become a fully-fledged developer. With training in the Air Force, where both had to work on these kinds of compressed programs for entry-level technicians, both decided to try their own approach. The end result is NexGenT, which is own kind of bootcamp — but it’s for getting a certificate in network management, and not a one-size-fits-all sticker as a developer. That approach, which includes a 16-week class, is considerably more reasonable and helps get people industry-ready with a skill that’s teachable in that compressed period of time, Hess says. The company is launching out of Y Combinator’s winter class this year.

“There are 500,000 open IT jobs, but when you look at that number, what’s more interesting is so many of them are IT operation roles, and the remaining is software development,” Hess said. “The bigger pie in IT is non-software programming jobs. Cyber security is also huge because of the automation and AI. We want to create the stepping stone. Network engineering becomes a foundation for a lot of these jobs, whether you want to be a cloud architect and work for Amazon, it all starts with understanding and building a foundation around networking.”

The end result is a 16-week program where a batch of applicants gets a review, and a percentage of them are accepted into a cohort of students. They go through an engineering module, which teaches them the basics and mechanics of network engineering and learn about the IT industry. Students can go faster if they want — it’s primarily online — and then start working on labs where they are building their own lab, either physical or virtual. The process culminates in a project where the students have to roll out an HQ facility in two branch offices from design to technically implementing it.

The next phase is about getting them certifications for various technologies, which help them basically show that they are ready to start entering the workforce. Think of it as something similar to having a Github account where prospective employers can review the work, except the process is a lot more formalized and you end up with something concrete on the resume. The final phase is around career coaching and helping them get a job, which can last up to 6 months. Throughout this process, students have access to a mentor and live coaching where students can ask whatever questions they wish.

So, the process is not so dissimilar from the notion of a developer bootcamp. But at the same time, there’s a small-ish graveyard of developer bootcamps and some with issues. Galvanize in August said it would lay off around 11% of its staff, while Dev Bootcamp and Iron Yard shut down altogether. The knock on these camps is it’s hard to get developers ready to start shipping code in such a small period of time — but Kim argues that getting them certified and ready to be a network engineer is definitely something that’s doable in around 16 weeks.

“It’s more realistic,” Kim said. “For coding bootcamps, you have to go by off the portfolios and check their Github, and they have to pass that technical interview. In our world of IT operations, it’s not about the bachelor’s degree, it’s about the person having the knowledge. But the industry certifications come from third parties, and when they come out of our program and have two or three certifications. It’s enough to get into that entry-level job.”

It remains to be seen if this kind of an approach is going to work. NexGenT charges a tuition — around $12,000, which with maximum discounts hits around $6,500. The company offers a 36-month payment plan as well that comes with an enrollment fee, which stretches out that very steep ticket price. In reality, these zero-to-60 programs are designed to be for-profit, though there are some different models that take in a percentage of salary among other approaches. With that in mind, though, there’s always an opportunity to build a strong pipeline with certain companies, and if they can identify high-performing students they can offer more of a proof point and potentially use that as an opportunity to offer some variation of scholarship.

While this is more of a bootcamp-ish style program, there are already some IT certification programs through tools like Coursera. Google, in one instance, is offering financial aid for a batch of those students, and companies with deep pockets might be able to build out these kinds of pipeline programs on their own. Hess and Kim hope to offer some kind of high-touch approach, instead of just a class on a platform of many, that will give them an edge to be a preferred option.

Enterprise subscription services provider Zuora has filed for an IPO

Zuora, which helps businesses handle subscription billing and forecasting, filed for an initial public offering this afternoon following on the heels of Dropbox’s filing earlier this month.

Zuora’s IPO may signal that Dropbox going public, and seeing a price range that while under its previous valuation seems relatively reasonable, may open the door for coming enterprise initial public offerings. Cloud security company Zscaler also made its debut earlier this week, with the stock doubling once it began trading on the Nasdaq. Zuora will list on the New York Stock Exchange under the ticker “ZUO.” Zuora CEO Tien Tzuo told The Information in October last year that it expected to go public this year.

Zuora’s numbers show some revenue growth, with its subscriptions services continue to grow. But its losses are a bit all over the place. While the costs for its subscription revenues is trending up, the costs for its professional services are also increasing dramatically, going from $6.2 million in Q4 2016 to $15.6 million in Q4 2017. The company had nearly $50 million in overall revenue in the fourth quarter last year, up from $30 million in Q4 2016.

But, as we can see, Zuora’s “professional services” revenue is an increasing share of the pie. In Q1 2016, professional services only amounted to 22% of Zuora’s revenue, and it’s up to 31% in the fourth quarter last year. It also accounts for a bigger share of Zuora’s costs of revenue, but it’s an area that it appears to be investing more.

Zuora’s core business revolves around helping companies with subscription businesses — like, say, Dropbox — better track their metrics like recurring revenue and retention rates. Zuora is riding a wave of enterprise companies finding traction within smaller teams as a free product and then graduating them into a subscription product as more and more people get on board. Eventually those companies hope to have a formal relationship with the company at a CIO level, and Zuora would hopefully grow up along with them.

Snap effectively opened the so-called “IPO window” in March last year, but both high-profile consumer IPOs — Blue Apron and Snap — have had significant issues since going public. While both consumer companies, it did spark a wave of enterprise IPOs looking to get out the door like Okta, Cardlytics, SailPoint and Aquantia. There have been other consumer IPOs like Stitch Fix, but for many firms, enterprise IPOs serve as the kinds of consistent returns with predictable revenue growth as they eventually march toward an IPO.

The filing says it will raise up to $100 million, but you can usually ignore that as it’s a placeholder. Zuora last raised $115 million in 2015, and was PitchBook data pegged the valuation at around $740 million, according to the Silicon Valley Business Journal. Benchmark Capital and Shasta Ventures are two big investors in the company, with Benchmark still owning around 11.1% of the company and Shasta Ventures owning 6.5%. CEO Tien Tzuo owns 10.2% of the company.

Qualcomm’s former exec chair will exit after exploring an acquisition bid

There’s a new twist in the BroadQualm saga this afternoon as Qualcomm has said it won’t renominate Paul Jacobs, the former executive chairman of the company, after he notified the board that he decided to explore the possibility of making a proposal to acquire Qualcomm.

The last time we saw such a huge exploration to acquire a company was circa 2013, when Dell initiated a leveraged buyout to take the company private in a deal worth $24.4 billion. This would be of a dramatically larger scale, and there’s a report by the Financial Times that Jacobs approached Softbank as a potential partner in the buyout. Jacobs is the son of Irwin Jacobs, who founded Qualcomm, and rose to run the company as CEO from 2005 to 2014. Successfully completing a buyout of this scale would, as a result, end up keeping the company that his father founded in 1985 in the family.

“I am glad the board is willing to evaluate such a proposal, consistent with its fiduciary duties to shareholders,” Jacobs said in a statement. “It is unfortunate and disappointing they are attempting to remove me from the board at this time.”

All this comes following Broadcom’s decision to drop its plans to try to complete a hostile takeover of Qualcomm, which would consolidate two of the largest semiconductor companies in the world into a single unit. Qualcomm said the board of directors would instead consist of just 10 members.

“Following the withdrawal of Broadcom’s takeover proposal, Qualcomm is focused on executing its business plan and maximizing value for shareholders as an independent company,” the company said in a statement. “There can be no assurance that Dr. Jacobs can or will make a proposal, but, if he does, the Board will of course evaluate it consistent with its fiduciary duties to shareholders.”

Broadcom dropped its attempts after the Trump administration decided to block the deal altogether. The BroadQualm deal fell into purgatory following an investigation by the Committee on Foreign Investment in the United States, or CFIUS, and then eventually led to the administration putting a stop to the deal — and potentially any of that scale — while Broadcom was still based in Singapore. Broadcom had intended to move to the United States, but the timing was such that Qualcomm would end up avoiding Broadcom’s attempts at a hostile takeover.

BroadQualm has been filled with a number of twists and turns, coming to a chaotic head this week with the end of the deal. Qualcomm removed Jacobs from his role as executive chairman and installed an independent director, and then delayed the shareholder meeting that would give Broadcom an opportunity to pick up the votes to take over control of part of Qualcomm’s board of directors. The administration then handed down its judgment, and Qualcomm pushed up its shareholder meeting as a result to ten days following the decision.

“There are real opportunities to accelerate Qualcomm’s innovation success and strengthen its position in the global marketplace,” Jacobs said in the statement. “These opportunities are challenging as a standalone public company, and there are clear merits to exploring a path to take the company private in order to maximize the company’s long-term performance, deliver superior value to all stockholders, and bolster a critical contributor to American technology.”

It’s not clear if Jacobs would be able to piece together the partnerships necessary to complete a buyout of this scale. But it’s easy to read between the lines of Qualcomm’s statement — which, as always, has to say it will fulfill its fiduciary duty to its shareholders. The former CEO and executive chairman has quietly been a curious figure to this whole process, and it looks like the BroadQualm saga is nowhere near done.

New Android OS To Improve Lower End Phones

Google has another new product out.  A slimmed down, streamlined version of the Android OS called “Go.”  Unfortunately, it’s release didn’t gather as much press as you’d expect when a new OS is released.  The reason for that is simple.  The new, slimmer, sleeker Android Go was designed for low-end phones with limited storage capacity, which don’t typically get much press either.

Despite the relative lack of fanfare, Android Go is an interesting app that deserves some attention, even if you don’t own a low-end phone.  At first glance, it’s got a lot going for it, although it remains to be seen if users will embrace it and make full use of its capabilities.

The first major noteworthy difference between Go and the standard Android OS is the fact that it doesn’t take up nearly as much space.  Counting the OS itself and the Android default apps, the entire package requires just over 3GB, which is a significant space savings. This makes a real difference on low-end phones, which typically have no more than 8GB of storage to begin with.

Second, it comes with an app called “File Go” that offers users suggestions on files that can be moved to the cloud or safely removed altogether.  Another app known as “Datally” makes tools available to manage how much data other apps on the phone are using, especially helpful for people who have limited data plans.

Third, there’s a special “YouTube Go” version of the standard YouTube app that gives users three different video streaming options: basic, standard, and high quality. This comes with information about how much data each of the three options will eat up.

In addition to those changes, Google has added a special section to its Play Store, highlighting apps that don’t require a lot of space.

Android Go is aimed specifically at users in developing nations, as this is where the highest concentration of low-end smartphones can be found.  As to how successful the new OS will be, only time will tell, but early indications are encouraging.

Used with permission from Article Aggregator