Does Asana’s planned direct listing reveal the company’s true value?

Hello and welcome back to our regular morning look at private companies, public markets and the gray space in between.

Asana, a well-known workplace productivity company, announced yesterday it has filed privately to go public. The San Francisco-based company is well-funded, having raised more than $200 million; well-known, due in part to its tech-famous founding duo; and valuable, having last raised at a $1.5 billion valuation.

Each of those factors — plus the fact that Asana is going public — makes the company worth exploring, but its plans to offer a direct listing instead of a traditional initial public offering make it irresistible.

Today, we’ll rewind through Asana’s fundraising and valuation history. Then, we’ll mix in what we know about its financial performance, growth rates and capital efficiency to see how much we can tell about the company as we count down to its public S-1 filing. The Asana flotation is going to be big news, so let’s get all our facts and figures straightened out.

Valuations and revenue

macOS Security Updates Part 3 | Apple’s Whitelists, Blacklists and Yara Rules

In the previous two posts, we looked at how to keep yourself informed when Apple make silent updates to macOS’s built-in security tools and how to run diffs on the MRT.app to get an understanding of what’s new. In this final post on macOS security updates, we’ll take a look at how Apple use whitelisting, blacklisting and Yara rules in XProtect and Gatekeeper and how to see what’s new.

Blacklists in XProtect

The XProtect bundle is located at

/Library/Apple/System/Library/CoreServices/XProtect.bundle

on 10.15 and above. For earlier versions, it’s the same path but without the /Library/Apple at the beginning.

Within the bundle, the items we are interested in are in the Resources folder. Be sure to use a local copy either by downloading from Apple’s sucatalog as described in Part 1, or copying the XProtect bundle inside CoreServices to a working directory in your home folder.

image of files in xprotect

Let’s begin with the XProtect.meta.plist. This file appears to have two functions. The first is to block legitimate plug-ins such as Flash Player that fall below a specified minimum version. These older versions have generally been found to contain known security flaws that could potentially undermine the security of the OS. Whether an update is available or not is also recorded for each entry.

image of plug-in blacklist

The second function of XProtect.meta.plist is to blacklist known malicious extensions. This is done by specifying both the extension’s bundle identifier and the developer ID.

image of extensions blacklist

As the images above show, this file is not obfuscated in any way, and a simple diff will show us the difference from one version to another. This file has burgeoned from a mere 6.5K a year ago to 23K today, with 129 developer IDs added to the blacklist since Dec 2018. However, in general, changes are infrequent, and since Safari extensions are now bundled as part of an Application, we suspect that the function of this file may entirely or partially have been superseded by the gk.db file that began to appear in the Resources folder with macOS 10.15 Catalina. Let’s take a look at that next.

If we dump this database, we can see that it consists of a bunch of entries for blocking certain Apple developer “Team IDs”.

image of gk.db dump

Currently, there are 133 entries.

$ sqlite3 gk.db .dump | grep blocked_teams | wc -l

This is actually shorter by about nine entries than earlier versions, but note that some of the bundle identifiers match those found in the earlier XProtect.meta.plist.

First, let’s extract all the Developer Ids from the meta.plist and dump to a text file:

$ grep -A1 'Developer Identifier' XProtect.meta.plist | grep string | sed 's/<[^>]*>//g; s/^[[:space:]]*//' | sort -u > metaIDs

Now let’s do the same thing with the gk database:

$ sqlite3 gk.db .dump | grep -i values | cut -d "'" -f2 | sort -u > gkIds

Inspection of these files shows that many of the same Team IDs exist in both, but there are also additional entries and omissions in each, too, making it difficult to determine exactly how these two files interrelate. One theory is that the entries in gk.db represent Developer IDs that have failed malware scans after attempting Notarization, but at the moment that remains unconfirmed. The gk.db is a much blunter tool than the meta.plist as it appears to blacklist all products signed by Team ID alone, whereas the meta.plist appears to be specifically focused on products that match both the Team ID and bundle identifier for each entry.
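To compare the two lists without juggling grep, sed and cut, here is an added Python example (not the post's own script) that reads the plist with plistlib and the database with sqlite3 and reports which Team IDs are shared, which only appear in the meta.plist and which only in gk.db. The sample plist and the blocked_teams rows are constructed; the table name comes from the post's grep, but its single-column layout is an assumption, as is the ExtensionBlacklist nesting in the sample.

```python
"""Compare Team IDs blacklisted in XProtect.meta.plist with those in gk.db.

Added example, not code from the original post: it builds a constructed
plist and an in-memory SQLite stand-in for gk.db so it runs offline.
"""
import plistlib
import sqlite3

# Constructed sample of XProtect.meta.plist. The ExtensionBlacklist ->
# Extensions nesting is assumed; the extractor below does not rely on it.
SAMPLE_META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ExtensionBlacklist</key>
  <dict>
    <key>Extensions</key>
    <array>
      <dict>
        <key>CFBundleIdentifier</key><string>com.example.ext.one</string>
        <key>Developer Identifier</key><string>AAAAAAAAA1</string>
      </dict>
      <dict>
        <key>CFBundleIdentifier</key><string>com.example.ext.two</string>
        <key>Developer Identifier</key><string>BBBBBBBBB2</string>
      </dict>
      <dict>
        <key>CFBundleIdentifier</key><string>com.example.ext.three</string>
        <key>Developer Identifier</key><string>AAAAAAAAA1</string>
      </dict>
    </array>
  </dict>
</dict>
</plist>
"""

# Constructed rows for gk.db's blocked_teams table (table name from the post's
# grep; one text column per row is an assumption).
SAMPLE_BLOCKED_TEAMS = ["AAAAAAAAA1", "CCCCCCCCC3"]


def developer_ids_from_plist(data):
    """Set of values under any 'Developer Identifier' key, at any depth."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "Developer Identifier" and isinstance(value, str):
                    found.add(value.strip())
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(plistlib.loads(data))
    return found


def team_ids_from_gkdb(conn):
    """Set of Team IDs in blocked_teams (ID assumed to be the first column)."""
    return {str(row[0]).strip()
            for row in conn.execute("SELECT * FROM blocked_teams")}


def compare_ids(meta_ids, gk_ids):
    """Split the two sets into shared, meta-only and gk-only Team IDs."""
    return {
        "both": sorted(meta_ids & gk_ids),
        "meta_only": sorted(meta_ids - gk_ids),
        "gk_only": sorted(gk_ids - meta_ids),
    }


def build_sample_gkdb():
    """In-memory stand-in for gk.db holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blocked_teams (team_id TEXT)")
    conn.executemany("INSERT INTO blocked_teams VALUES (?)",
                     [(t,) for t in SAMPLE_BLOCKED_TEAMS])
    return conn


def run_sample():
    """Compare the constructed plist and database."""
    meta_ids = developer_ids_from_plist(SAMPLE_META_PLIST)
    gk_ids = team_ids_from_gkdb(build_sample_gkdb())
    return compare_ids(meta_ids, gk_ids)


if __name__ == "__main__":
    for bucket, ids in run_sample().items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Against the real files, swap the constructed data for `plistlib.load(open("XProtect.meta.plist", "rb"))` and `sqlite3.connect("gk.db")` from your working copy of the Resources folder; the recursive walk means the extractor keeps working if Apple moves the entries to a different key.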

Discerning Changes to XProtect’s YARA Rules

The other two files in the XProtect.bundle function as detection rules or signatures for the built-in macOS “AV” engine. Both are lightly obfuscated but easily reversed. Of the two, the most important is the XProtect.yara file, which is an ASCII document containing a list of Yara rules. If you scroll through this document, you’ll see a bunch of signature definitions like this:

example xprotect yara rules

If you’re not familiar with how YARA rules work, start here, but the basic idea is easy to understand. Each rule specifies some data that may exist in the file to be scanned, usually strings, and some conditions about how the data should be matched. The strings themselves are hex-encoded ASCII or data bytes from a sample of the malware that the rule is intended to match.

Reversing individual strings is simple enough: just echo the string on the command line and pipe it through xxd or rax2:

$ echo '6C61756E636863746C206C6F6164207E2F4C6962726172792F4C61756E63684167656E7473' | xxd -r -p

I use a short AppleScript in BBEdit’s Scripts folder to convert individual strings of interest:

tell application "BBEdit"
	-- read the hex string currently selected in the front window
	set t to contents of (selection of its front window)
	-- decode it with xxd and replace the selection with the result
	set x to (do shell script "echo " & t & " | xxd -r -p") as text
	set selection to x
end tell


You could adapt that to convert the entire file instead of a selection; a Python script or a BBEdit text filter is another option. For the most part, we only want to see the changes since the previous version, so to do that we’ll first run a diff on the old and new versions and pipe the added lines into a new document.

$ diff old_XProtect.yara new_XProtect.yara | grep '^>' > changedXProtect.yara

If we grep that file for the string “rule ”, we get a nice count of how many new rules have been added. We can then check out what strings each rule detects by using our script or text filter to reverse the hex back into ASCII.
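Rather than grepping the diff for “rule ” and decoding strings one at a time, the following added Python example (not from the post, and not Apple’s code) parses two copies of XProtect.yara, lists the rules that exist only in the newer one, and decodes their hex strings back to ASCII in one pass. It goes a little beyond the diff approach by comparing rule names, so a rule that was merely edited is not miscounted as new. The two YARA files and their rule names are constructed for the example; the only hex bytes taken from the post are the launchctl string.

```python
"""List rules new to a copy of XProtect.yara and decode their hex strings.

Added example, not the post's own script. Two constructed rule files stand
in for an old and a new copy of XProtect.yara; rule names are invented.
"""
import re

# Constructed 'old' copy of XProtect.yara.
OLD_YARA = """
rule Example_Rule_A
{
    meta:
        description = "Example_Rule_A"
    strings:
        $a = { 6C 61 75 6E 63 68 63 74 6C 20 6C 6F 61 64 }
    condition:
        $a
}
"""

# Constructed 'new' copy: Example_Rule_A unchanged, Example_Rule_B added.
NEW_YARA = OLD_YARA + """
rule Example_Rule_B
{
    meta:
        description = "Example_Rule_B"
    strings:
        $a = { 7E 2F 4C 69 62 72 61 72 79 2F 4C 61 75 6E 63 68 41 67 65 6E 74 73 }
        $b = "plain text string"
    condition:
        all of them
}
"""

RULE_RE = re.compile(r"^\s*(?:private\s+)?rule\s+([A-Za-z0-9_]+)", re.M)
HEX_STRING_RE = re.compile(r"^\s*(\$\w*)\s*=\s*\{([^}]*)\}", re.M)


def rule_names(yara_text):
    """Names of all rules in a YARA file, in order of appearance."""
    return RULE_RE.findall(yara_text)


def rule_bodies(yara_text):
    """Map each rule name to its block text.

    Assumes, as XProtect.yara is laid out, that each rule's closing brace
    sits alone at the start of a line.
    """
    bodies = {}
    for match in RULE_RE.finditer(yara_text):
        start = match.end()
        end = yara_text.find("\n}", start)
        bodies[match.group(1)] = yara_text[start:end if end != -1 else None]
    return bodies


def decode_hex_string(hex_body):
    """Render a YARA hex string body as text.

    Wildcards ('??'), jumps ('[n-m]') and alternation tokens become '.',
    so the readable bytes around them still show through.
    """
    cleaned = re.sub(r"\[[^\]]*\]", "??", hex_body)  # a jump counts as one wildcard
    out = []
    for token in cleaned.split():
        if not re.fullmatch(r"[0-9A-Fa-f]{2}", token):
            out.append(".")
            continue
        value = int(token, 16)
        out.append(chr(value) if 0x20 <= value < 0x7F else ".")
    return "".join(out)


def decoded_strings(rule_body):
    """All hex-encoded strings in one rule, decoded: {'$a': 'launchctl load'}."""
    return {name: decode_hex_string(body)
            for name, body in HEX_STRING_RE.findall(rule_body)}


def new_rules(old_text, new_text):
    """Rules present in new_text but not old_text, with their decoded strings."""
    old = set(rule_names(old_text))
    bodies = rule_bodies(new_text)
    return {name: decoded_strings(bodies[name])
            for name in rule_names(new_text) if name not in old}


if __name__ == "__main__":
    added = new_rules(OLD_YARA, NEW_YARA)
    print(f"{len(added)} new rule(s)")
    for name, strings in added.items():
        print(name)
        for var, text in strings.items():
            print(f"  {var} = {text!r}")
```

To run it against real files, read the old and new XProtect.yara from your working copies with `open(path).read()` and pass the two strings to `new_rules`; the decoder leaves a `.` wherever a wildcard or jump sits, which is usually enough to recognise the path or command the rule is keyed on.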

image of new rules added

The remaining file is the XProtect.plist file, which appears to contain much of the same information as the .yara file, but in a different format. This file also does simple hash matching on files as well as string pattern matching.

image of xprotect plist

Although it’s worth keeping an eye on, I haven’t seen any changes to this file in more than 12 months, and I strongly suspect that it’s been abandoned by Apple in favor of the YARA file. This file remains unchanged from at least Dec 2018 (XProtect version 2101 is the oldest one I still have on file) to Feb 2020 (XProtect version 2112). A BBEdit text filter for decoding the patterns is available here.

Whitelisting through Gatekeeper

That pretty much covers inspecting changes in XProtect, but the gk.db we looked at above, despite the initials, is not the same as the whitelisting functions provided by Gatekeeper, which live at the following path:

/private/var/db/

Herein there are two relevant bundles, gke.bundle and gkopaque.bundle.

image of gatekeeper files

The gkopaque.bundle has been around in some form or another since 10.9 Mavericks. Inside its resources folder we’ll find the gkopaque.db. Let’s look at the schema first:

image of gkopaque

We can examine the .tables to see what kind of data it holds.

image of database tables

There are three tables, but conditions only holds two entries related to Google Chrome and the merged table is empty. In contrast, if we “SELECT” everything from the whitelist table, we’ll find there are over 70,000 entries. Each entry is two SHA1 hash blobs, which the table says represent “current” and “opaque”. Other researchers have found that this is either partially or entirely a list of legacy apps that Apple have deemed to be “OK”, but which, due to changes in code signing format, would not pass Gatekeeper on more modern versions of the operating system. If that’s correct, then the whitelisting in gkopaque is probably of little more than historical interest.

The new-to-Catalina gke.bundle contains two files, gke.auth and gk.db, and its function is not entirely clear. Yes, that’s the same name as the file we earlier investigated inside the XProtect bundle, but despite the name, the two are not identical, and it’s more likely that this bundle is involved in whitelisting rather than blacklisting. The gk.db here holds only two tables:

image of gke.bundle

The timestamp_exceptions table is a data file, while the settings table is fairly sparse, with a single entry:

image of settings

The gke.auth file turns out to be an XML file and is straightforward to read.

image of gke.auth file
image of gke auth plist

Each entry includes a SHA1 cdhash that likely matches the same hash used in code signing. The file currently contains over 30,000 lines with some 2,623 individual entries. A cursory attempt to match any of the cdhashes from signed software in the Applications folder on my own machine did not find any matches, but given what we know of the overall structure of the security tools used in macOS, it seems fair to say that this file is used to allow applications that match the rule to pass Gatekeeper without further hindrance. Precisely why these two thousand or so exceptions need to be hardcoded is a mystery we will save for another day. The end of the file contains a UUID and a version number, which makes it easy to diff and check for updates.

image of gke.auth version

Wrapping Up

As we have seen, macOS uses a combination of whitelisting, blacklisting and simple Yara rules to fight malware through XProtect and Gatekeeper. Earlier in this series we looked at the MRT.app, which Apple uses for post-infection clean-up. Keeping an eye on changes to these technologies is useful for security researchers to ensure that any threat actors that Apple have detected are known to the rest of the security community. This is vital, for while Apple make a brave attempt to block and detect malicious threats, the nature of their tools means that they can be and regularly are bypassed.

We hope this series has given you some tools and examples to help you investigate those changes for yourself if you’re interested in doing so. And if you enjoyed this series of posts, sign up to any of our social media feeds (below the line) or the weekly blog newsletter (to the left) to find out when we post our next macOS content.


Microsoft Teams has been down this morning

Microsoft Teams, the collaboration platform that competes with Slack, has been down since about 8:30 am ET. Microsoft reports the outage was due to an expired certificate.

Microsoft first posted that an outage was in progress on its Office 365 Status Twitter feed about 9:00 am ET, stating the company was looking into the problem.

At approximately 10:00 am ET, the company posted the reason for the problem, an expired certificate, which frankly, has to be pretty embarrassing for the group responsible for keeping the Teams service running.

About an hour ago, the company updated the status again, indicating it had begun deploying the updated certificate.

Some customers have begun reporting on Twitter that service has been restored.

Microsoft has kept the status updates pretty business like, but has not apologized to its 20 million users as of publication. The company is in the midst of a battle for hearts and minds in the enterprise collaboration space with Slack, and a preventable outage has to be awkward for them.

The company will no doubt do a post-mortem to figure out how this mistake happened and how to prevent this kind of issue from taking down the site again. While every service is going to experience an outage from time-to-time, it’s up to the organization to understand why it happened and put systems in place to keep a preventable incident like this one from happening again in the future.

Ginni Rometty leaves complex legacy as she steps away as IBM CEO

When Ginni Rometty steps down as CEO at IBM in April and her replacement Arvind Krishna takes the helm, more than eight years will have passed since she took the reins at Big Blue. The executive helped lead a massive transformation, but IBM has had a bumpy financial ride throughout her tenure — at one time recording an astonishing 22 straight quarters of declining revenue.

To be fair, Rometty took over at a tumultuous time when technology was shifting from on-prem software stacks to the cloud. She saw what was coming and used the company’s considerable cash position to buy what she needed to make that switch while taking advantage of IBM’s extensive R&D to build other pieces in-house. But the transition took time, which resulted in some financial missteps.

She deserves credit for trying to move the battleship in a new direction — culminating with the $34 billion purchase of Red Hat — even if the results were ultimately mixed.

Leading the way

Rometty was the first woman to lead IBM in an industry where female CEOs are scarce. When she came on board in 2012, there were just 21 women running Fortune 500 companies; last year, that number had risen to 33, still a paltry 6.6%. Along with Safra Catz at Oracle and Lisa Su of Advanced Micro Devices, Rometty has been part of a small group of female CEOs at large technology companies.

What Nutanix got right (and wrong) in its IPO roadshow

Back in 2016, Nutanix decided to take the big step of going public. Part of that process was creating a pitch deck and presenting it during its roadshow, a coming-out party when a company goes on tour prior to its IPO and pitches itself to investors of all stripes.

It’s a huge moment in the life of any company, and after talking to CEO Dheeraj Pandey and CFO Duston Williams, one we better understood. They spoke about how every detail helped define their company and demonstrate its long-term investment value to investors who might not have been entirely familiar with the startup or its technology.

Pandey and Williams reported going through more than 100 versions of the deck before they finished the one they took on the road. Pandey said they had a data room checking every fact, every number — which they then checked yet again.

In a separate Extra Crunch post, we looked at the process of building that deck. Today, we’re looking more closely at the content of the deck itself, especially the numbers Nutanix presented to the world. We want to see what investors did more than three years ago and what’s happened since — did the company live up to its promises?

Plan of attack

Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security

On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused (featured below).

The courthouse in Dallas County, Iowa. Image: Wikipedia.

Gary DeMercurio, 43 of Seattle, and Justin Wynn, 29 of Naples, Fla., are both professional penetration testers employed by Coalfire Labs, a security firm based in Westminster, Colo. Iowa’s State Court Administration had hired the company to test the security of its judicial buildings.

Under the terms of their contract (PDF), DeMercurio and Wynn were permitted to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, “tailgate” employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force-open doors, or access areas that require protective equipment.

When the duo’s early-morning Sept. 11 test of the security at the courthouse in Dallas County, Iowa set off an audible security alarm, they followed procedure and waited on-site for the police. DeMercurio and Wynn said when the county’s sheriff deputies arrived on the scene just a few minutes later, they told the officers who they were and why they were there, and that they’d obtained entry to the premises via an unlocked door.

“They said they found a courthouse door unlocked, so they closed it from the outside and let it lock,” Dan Goodin of Ars Technica wrote of the ordeal in November. “Then they slipped a plastic cutting board through a crack in the door and manipulated its locking mechanism. (Pentesters frequently use makeshift or self-created tools in their craft to flip latches, trigger motion-detected mechanisms, and test other security systems.) The deputies seemed impressed.”

To assuage concerns they might be burglars, DeMercurio and Wynn produced an authorization letter detailing the job they’d been hired to do and listing the names and mobile phone numbers of Iowa state employees who could verify their story.

After contacting some of the court officials listed in the letter, the deputies seemed satisfied that the men weren’t thieves. That is, until Dallas County Sheriff Chad Leonard showed up.

“The pentesters had already said they used a tool to open the front door,” Goodin recounted. “Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm—something Coalfire officials vehemently deny. In Leonard’s mind that was a second violation. Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn’t answer the deputies’ calls, while another said he didn’t believe the men had permission to conduct physical intrusions.”

DeMercurio and Wynn were arrested, jailed, and held for nearly 24 hours before being released on a $100,000 bail. Initially they were charged with felony third-degree burglary and possessing burglary tools, although those charges were later downgraded to misdemeanor trespass.

What initially seemed to Coalfire as a momentary lapse of judgment by Iowa authorities quickly morphed into the surreal when state lawmakers held hearings questioning why and how someone in the state’s employ could have so recklessly endangered the safety and security of its citizens.

DeMercurio and Wynn, minus the orange jumpsuits.

Judicial Branch officials in Dallas County said in response to this grilling that they didn’t expect Coalfire’s physical penetration testing to be conducted outside of business hours. State Sen. Amy Sinclair was quoted as telling her colleagues that “the hiring of an outside company to break into the courthouses in September created ‘significant danger, not only to the contractors, but to local law enforcement, and members of the public.’”

“Essentially a branch of government has contracted with a company to commit crimes, and that’s very troubling,” lamented Iowa state Sen. Zach Whiting. “I want to find out who needs to be held accountable for this and how we can do that.”

Those strong words clashed with a joint statement released Thursday by Coalfire and Dallas County Attorney Charles Sinnard:

“Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges,” the statement reads. “Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the judicial branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing.

Matthew Linholm, an attorney representing DeMercurio and Wynn in the case, said the justice system ceases to serve its crucial function and loses credibility when criminal accusations are used to advance personal or political agendas.

“Such a practice endangers the effective administration of justice and our confidence in the criminal justice system,” Linholm told The Des Moines Register, which broke the news of the dropped charges.

While the case against Coalfire’s employees has rallied many in the cybersecurity community around the accused, not everyone sees this dispute in black-and-white. Chris Nickerson, a digital intrusion specialist and founder of LARES Consulting, said in a Twitter post Thursday that “when a company puts us in harm’s way due to their poor planning, failed sales education, inadequate project management and deplorable contract management…We shouldn’t celebrate them. We should hold them accountable.”

Asked to elaborate, Nickerson referred to a recent podcast which touched on the arrests.

“The things that concern me about this situation are more of the pieces of safety that exist across how the industry instruments doing these types of engagements,” Nickerson said. “They seem very, very reasonable and obvious once they become obvious but until then they’re completely foreign to people.”

“It’s really on the owners of the organization to educate the customer of those potential pitfalls,” Nickerson continued. “Because there isn’t a good standard. We haven’t all gotten together and institutionalized the knowledge that we have in our heads and dump it down to paper so that someone who is new to the field being tasked with this can go through and say, ‘Hey, did you ask them if the city versus the state versus the building owner and the real estate people…are all of these people in lock step?’”

Coalfire CEO Tom McAndrew seemed to address this point in our interview Thursday, saying there were two unique aspects of this particular engagement. First, although the client in this case said they did not want Coalfire to make local law enforcement aware of the ongoing engagement prior to testing the physical security of the site, it was clear after the fact that state officials never did that on their own.

More importantly, McAndrew said, there was ambiguity around who actually owned the buildings that they were hired to test.

“If you’re doing a test for the state and you walk into the building and it’s the courthouse and you’re doing a test for the court system, you’d think that they would have jurisdiction or own it, and that turned out not to be the case in this scenario because there’s some things the state owns and some things the county owns, and that was something we weren’t aware of as we did some of this work,” he said. “We didn’t understand the nuances.”

Asked what Coalfire has learned from this ordeal, McAndrew said his company is likely to insist that local, state and even federal law enforcement be informed in advance of any penetration tests, at least as far as those engagements relate to public entities.

“When we look at the contracts and we look at who’s authorized to do what…typically, if a [chief security officer] says test these IP addresses, we would say okay that’s enough,” he said. “But we’re questioning from a legal perspective at what point does that need to have legal counsel review.”

McAndrew said it’s probably time for experts from various corners of the pen testing community to collaborate in documenting best practices that might help others avoid a repeat of the scenario in Dallas County.

“There’s no standard in the industry,” he said. “When it comes to these sorts of issues in red teaming — the legal challenges and the contracts — there’s really nothing out there. There are some things that can’t be undone. There’s the mugshots that are out there forever, but even as we get the charges dropped, these are permanently going to be in the federal database. This is a permanent thing that will reside with them and there’s no legal way we’re aware of to get these charges removed from the federal database.”

McAndrew said while he remains frustrated that it took so long to resolve this dispute, he doesn’t believe anyone involved acted with malicious intent.

“I don’t think there were any bad people,” he said. “Everyone was trying to do the right things — from law enforcement to the sheriff to the judges to the county — they all had the right intentions. But they didn’t necessarily all have the right information, and possibly people made decisions at levels they weren’t really authorized to do. Normally that’s not really our call, but I think people need to be thinking about that.”

The Good, the Bad and the Ugly in Cybersecurity – Week 5

Image of The Good, The Bad & The Ugly in CyberSecurity

The Good

This past week, the Indonesian National Police held a joint press conference with Interpol to announce the outcome of Operation Night Fury. This effort ultimately led to the arrest of three suspects responsible for a wave of Magecart attacks. It is alleged that these actors were behind several hundred (and possibly more) attacks on e-commerce sites, spanning the globe. The suspects were arrested in December and could face up to 10 years in prison. According to intelligence gathered, the criminals ran a multi-stage operation. At first they would compromise the e-commerce site to syphon off credit card data and personal details. They would then turn around and use the ill-gotten funds to purchase various goods before cashing-out by reselling the goods on local (Indonesian) sites.  

image of magecart press statement

Magecart attacks have been traced back to at least 2016 and have hit a number of high-traffic e-commerce sites, including Ticketmaster, NewEgg, British Airways and MyPillow.com, so seeing these actors brought down is a great win in the ongoing battle for e-commerce security.

The Bad

Emotet has not slowed down this year. As usual, we are finding that their social-engineering tactics and lures are as timely as ever. Some of the latest campaigns to come to light are taking advantage of the fears and uncertainties surrounding the latest coronavirus outbreak. Phishing and malspam campaigns which masquerade as official notifications from public sources about the health scare are being used to entice targets into downloading Emotet trojans. We have observed several versions of this campaign, all tailored to different locations, languages or dialects. They all basically entice the user into opening malicious attachments which appear to be official notices or information from health officials. During this time of uncertainty surrounding the outbreak of coronavirus, these lures are proving to be particularly successful.

The actors behind these campaigns show no restraint or tact when it comes to preying on the fear of the public. Be careful when opening email attachments (or don’t) and ensure that you are protected by an Active EDR solution that is able to protect against this and all other Emotet campaigns.

image of mask

The Ugly

By now we are all (hopefully) aware of the reason that popular social media platforms and apps are “free”. These services don’t ask for payment because they monetize your personal details and behavior patterns in return. That data is then worth large amounts of money to interested buyers. That being said, the last entity you would expect to meddle in this practice would be your security or AV vendor. Enter AVAST…

This week it was unveiled that the free anti-virus product AVAST was using its browser extension component to harvest user data. Their “Jumpshot” division would then sell this data to interested buyers. When news broke of this practice, AVAST stated that the information had been fully “de-identified” and therefore should not be of concern. To quote them directly:

“The data is fully de-identified and aggregated and cannot be used to personally identify or target you,”

However, a joint investigation by PCMag and Vice/Motherboard found that large collections of data can in fact be matched to individuals. According to VICE, some big-name companies are listed as buyers of the data scraped by “Jumpshot”, including Microsoft, Pepsi, Google and Home Depot. Even more troubling is that reportedly, most of AVAST’s user base had no idea that this practice was occurring.

image of avast jumpshot icon

The revelations about AVAST and Jumpshot’s practices have been long coming. In December of 2019, Senator Ron Wyden publicly investigated the company and specifically went after them on their troubling practices. Also, in December 2019, Mozilla removed AVAST products from their extension portal due to invasive practices. Others have followed suit.

Note: AVAST issued a press release on January 30, stating that they will be “winding down” the Jumpshot subsidiary.   

At the end of the day, you get what you pay for. But at the same time, the folks giving you free stuff usually want something in return. We all need to take time to become painfully aware of and familiar with how our data is being “ingested” during our day-to-day travels on the information superhighway. We don’t all like to take the time to understand that, but it is critical, and for the sake of privacy, an unfortunate necessity.


Arvind Krishna will replace Ginni Rometty as IBM CEO in April

IBM announced today that the board of directors has elected IBM senior vice president for Cloud and Cognitive Software Arvind Krishna to replace current CEO Ginni Rometty. He will take over on April 6th after a couple of months of transition. Rometty will remain with the company as chairman of the board.

Krishna reportedly drove the massive $34 billion acquisition of Red Hat at the end of 2018, and there was some speculation at the time that Red Hat CEO Jim Whitehurst was the heir apparent, but the board went with a more seasoned IBM insider for the job, while naming Whitehurst as president.

In a statement Rometty called Krishna the right man for the job, as she steps back after more than eight years on the job. “Through his multiple experiences running businesses in IBM, Arvind has built an outstanding track record of bold transformations and proven business results, and is an authentic, values-driven leader. He is well-positioned to lead IBM and its clients into the cloud and cognitive era,” she said in a statement.

She added that in choosing Krishna and Whitehurst, the board chose a technically and business savvy team to lead the company moving forward. It’s clear that the board went with two men who have a deep understanding of cloud and cognitive computing technologies, two areas that are obviously going to be front and center of technology for the foreseeable future, and areas where IBM needs to thrive.

Ray Wang, founder and principal analyst at Constellation Research, sees the CEO-president model as a sound approach. “It’s an inside-outside model. To truly understand IBM, you have to come from the inside [like Krishna], but to truly innovate you need someone on the outside [like Whitehurst] and that CEO-president model is helping,” he said.

Patrick Moorhead, founder and principal analyst at Moor Insights & Strategies, says that he was surprised by the timing of the announcement, which seemed to come out of nowhere. “I am a bit surprised at the speed of this announcement as I don’t believe there was a formal succession plan with a named successor. IBM has always had these and it was always apparent who the next CEO would be,” he said. That was not the case this time.

But like Wang, Moorhead likes the approach of having an “outsider” and long-time IBMer working in tandem. “Krishna spearheaded many of the next-generation IBM initiatives like the Red Hat acquisition, blockchain and quantum. I am also very pleased to see Whitehurst appointed president as now there’s an outsider and a long-time IBMer running the company in the number one and two spots,” he said.

Wang believes the new leaders have to honestly assess the company’s strengths and weaknesses and find ways to compete with today’s cloud companies for the hearts and minds of the enterprise customers.

“Today IBM is in an interesting position where the world has changed, and people go to Amazon or Salesforce or they go to Google or Workday or Microsoft. Companies still have a lot of IBM, they still trust IBM, but the new leadership team needs to figure out where the technology gaps are, which ones they need to build, which ones they need to partner, and in some cases say, this is not our market,” he said.

Daily Crunch: IBM names new CEO

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

1. Arvind Krishna will replace Ginni Rometty as IBM CEO in April

Krishna, IBM’s senior vice president for cloud and cognitive software, will take over on April 6 after a couple months of transition. Rometty will remain with the company as chairman of the board.

Krishna reportedly drove the massive $34 billion acquisition of Red Hat at the end of 2018, and there was some speculation at the time that Red Hat CEO Jim Whitehurst was the heir apparent. Instead, the board went with a more seasoned IBM insider for the job, while naming Whitehurst as president.

2. Apple’s redesigned Maps app is available across the US, adds real-time transit for Miami

The redesigned app will include more accurate information overall as well as comprehensive views of roads, buildings, parks, airports, malls and other public places. It will also bring Look Around to more cities and real-time transit to Miami.

3. Social media boosting service exposed thousands of Instagram passwords

The company, Social Captain, says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. But TechCrunch learned this week Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext.

4. Elon Musk just dropped an EDM track on SoundCloud

That is a real headline and I probably don’t need to say much else. Listen to the track, or don’t.

5. Being a child actress prepared me for a career in venture capital

Crystal McKellar played Becky Slater on “The Wonder Years,” and she writes about how that experience prepared her to be a managing partner at Anathem Ventures. (Extra Crunch membership required.)

6. Moda Operandi, an online marketplace for high-end fashion, raises $100M led by NEA and Apax

High-end fashion might not be the first thing that comes to mind when you think about online shopping, but it has actually been a ripe market for the e-commerce industry.

7. Why Sony’s PlayStation Vue failed

Vue launched in March 2015, offering live and on-demand content from more than 85 channels, including many local broadcast stations. But it failed to catch on with a broader audience, despite — or perhaps, because of — its integration with Sony’s PS3 and PS4 devices, and it shut down this week. (Extra Crunch membership required.)

Even as Microsoft Azure revenue grows, AWS’s market share lead stays strong

When analyzing the cloud market, there are many ways to look at the numbers: revenue, year-over-year or quarter-over-quarter growth — or lack of it — or market share. Each of these numbers tells a story, but in the cloud market, where aggregate growth remains high and Azure’s healthy expansion continues, Microsoft is still struggling to gain meaningful ground on AWS’s lead.

This has to be frustrating to Microsoft CEO Satya Nadella, who has managed to take his company from cloud wannabe to a strong second place in the IaaS/PaaS market, yet still finds his company miles behind the cloud leader. He’s done everything right to get his company to this point, but sometimes the math just isn’t in your favor.

Numbers don’t lie

John Dinsdale, chief analyst at Synergy Research, says Microsoft’s growth rate is higher overall than Amazon’s, but AWS still has a big lead in market share. “In absolute dollar terms, it usually has larger increments in revenue numbers and that makes Amazon hard to catch,” he says, adding “what I can say is that this is a very tough gap to close and mathematically it could not happen any time soon, whatever the quarterly performance of Microsoft and AWS.”

The thing to remember with the cloud market is that it’s not even close to being a fixed pie. In fact, it’s growing rapidly and there’s still plenty of market share left to win. As of today, before Amazon has reported, it has a substantial lead, no matter how you choose to measure it.