New Relic expands its AIOps services

In recent years, the publicly traded observability service New Relic started adding more machine learning-based tools to its platform for AI-assisted incident response when things don’t quite go as planned. Today, it is expanding this feature set with the launch of a number of new capabilities for what it calls its “New Relic Applied Intelligence Service.”

This expansion includes an anomaly detection service that is available even to free users, the ability to group alerts from multiple tools when the models judge that a single issue is triggering all of them, and new ML-based root cause analysis to help eliminate some of the guesswork when problems occur. Also new (and in public beta) is New Relic’s ability to detect patterns and outliers in log data stored in the company’s data platform.

The main idea here, New Relic’s director of product marketing Michael Olson told me, is to make it easier for companies of all sizes to reap the benefits of AI-enhanced ops.

“It’s been about a year since we introduced our first set of AIops capabilities with New Relic Applied Intelligence to the market,” he said. “During that time, we’ve seen significant growth in adoption of AIops capabilities through New Relic. But one of the things that we’ve heard from organizations that have yet to foray into adopting AIops capabilities as part of their incident response practice is that they often find that things like steep learning curves and long implementation and training times — and sometimes lack of confidence, or knowledge of AI and machine learning — often stand in the way.”

The new platform should be able to detect emerging problems in real time — without the team having to pre-configure alerts. And when it does so, it’ll smartly group all of the alerts from New Relic and other tools together to cut down on the alert noise and let engineers focus on the incident.

“Instead of an alert storm when a problem occurs across multiple tools, engineers get one actionable issue with alerts automatically grouped based on things like time and frequency, based on the context that they can read in the alert messages. And then now with this launch, we’re also able to look at relationship data across your systems to intelligently group and correlate alerts,” Olson explained.

Maybe the highlight for the ops teams that will use these new features, though, is New Relic’s ability to pinpoint the probable root cause of a problem. As Guy Fighel, the general manager of applied intelligence and vice president of product engineering at New Relic, told me, the idea here is not to replace humans but to augment teams.

“We provide a non-black-box experience for teams to craft the decisions and correlation and logic based on their own knowledge and infuse the system with their own knowledge,” Fighel noted. “So you can get very specific based on your environment and needs. And so because of that and because we see a lot of data coming from different tools — all going into New Relic One as the data platform — our probable root cause is very accurate. Having said that, it is still a probable root cause. So although we are opinionated about it, we will never tell you, ‘hey, go fix that, because we’re 100% sure that’s the case.’ You’re the human, you’re in control.”

The AI system also asks users for feedback, so that the model gets refined with every new incident, too.

Fighel tells me that New Relic’s tools rely on a variety of statistical analysis methods and machine learning models. Some of those are unique to individual users while others are used across the company’s user base. He also stressed that all of the engineers who worked on this project have a background in site reliability engineering — so they are intimately familiar with the problems in this space.

With today’s launch, New Relic is also adding a new integration with PagerDuty and other incident management tools so that the state of a given issue can be synchronized bi-directionally between them.

“We want to meet our customers where they are and really be data source agnostic and enable customers to pull in data from any source, where we can then enrich that data, reduce noise and ultimately help our customers solve problems faster,” said Olson.


Early Stage is the premier “how-to” event for startup entrepreneurs and investors. You’ll hear firsthand how some of the most successful founders and VCs build their businesses, raise money and manage their portfolios. We’ll cover every aspect of company building: Fundraising, recruiting, sales, product-market fit, PR, marketing and brand building. Each session also has audience participation built-in — there’s ample time included for audience questions and discussion. Use code “TCARTICLE” at checkout to get 20% off tickets right here.

OctoML raises $28M Series B for its machine learning acceleration platform

OctoML, a Seattle-based startup that offers a machine learning acceleration platform built on top of the open-source Apache TVM compiler framework project, today announced that it has raised a $28 million Series B funding round led by Addition. Previous investors Madrona Venture Group and Amplify Partners also participated in this round, which brings the company’s total funding to $47 million. The company last raised in April 2020, when it announced its $15 million Series A round led by Amplify.

The promise of OctoML, which was founded by the team that also created TVM, is that developers can bring their models to its platform and the service will automatically optimize that model’s performance for any given cloud or edge device.

As Brazil-born OctoML co-founder and CEO Luis Ceze told me, since raising its Series A round, the company started onboarding some early adopters to its “Octomizer” SaaS platform.

“It’s still in early access, but we have close to 1,000 early access sign-ups on the waitlist,” Ceze said. “That was a pretty strong signal for us to end up taking this [funding]. The Series B was pre-emptive. We were planning on starting to raise money right about now. We had barely started spending our Series A money — we still had a lot of that left. But since we saw this growth and we had more paying customers than we anticipated, there were a lot of signals like, ‘hey, now we can accelerate the go-to-market machinery, build a customer success team and continue expanding the engineering team to build new features.’ ”

Ceze tells me that the team also saw strong growth signals in the overall community around the TVM project (with about 1,000 people attending its virtual conference last year). As for its customer base (and companies on its waitlist), Ceze says it represents a wide range of verticals that range from defense contractors to financial services and life science companies, automotive firms and startups in a variety of fields.

Recently, OctoML also launched support for the Apple M1 chip — and saw very good performance from that.

The company has also formed partnerships with industry heavyweights like Microsoft (which is also a customer), Qualcomm and AMD to build out the open-source components and optimize its service for an even wider range of models (and larger ones, too).

On the engineering side, Ceze tells me that the team is looking at not just optimizing and tuning models but also the training process. Training ML models can quickly become costly and any service that can speed up that process leads to direct savings for its users — which in turn makes OctoML an easier sell. The plan here, Ceze tells me, is to offer an end-to-end solution where people can optimize their ML training and the resulting models and then push their models out to their preferred platform. Right now, its users still have to take the artifact that the Octomizer creates and deploy that themselves, but deployment support is on OctoML’s roadmap.

“When we first met Luis and the OctoML team, we knew they were poised to transform the way ML teams deploy their machine learning models,” said Lee Fixel, founder of Addition. “They have the vision, the talent and the technology to drive ML transformation across every major enterprise. They launched Octomizer six months ago and it’s already becoming the go-to solution developers and data scientists use to maximize ML model performance. We look forward to supporting the company’s continued growth.”

Amazon will expand its Amazon Care on-demand healthcare offering US-wide this summer

Amazon is apparently pleased with how its Amazon Care pilot in Seattle has gone, since it announced this morning that it will be expanding the offering across the U.S. this summer, and opening it up to companies of all sizes, in addition to its own employees. The Amazon Care model combines on-demand and in-person care, and is meant as a solution from the e-commerce giant to address shortfalls in current offerings for employer-sponsored healthcare.

In a blog post announcing the expansion, Amazon touted the speed of access to care made possible for its employees and their families via the remote, chat and video-based features of Amazon Care. These are facilitated via a dedicated Amazon Care app, which provides direct, live chats via a nurse or doctor. Issues that then require in-person care are then handled via a house call, so a medical professional is actually sent to your home to take care of things like administering blood tests or doing a chest exam, and prescriptions are delivered to your door as well.

The expansion is being handled differently across the in-person and remote variants of care; remote services will be available starting this summer to Amazon’s own employees, as well as to other companies that sign on as customers. The in-person side will be rolling out more slowly, starting with availability in Washington, D.C., Baltimore, and “other cities in the coming months,” according to the company.

As of today, Amazon Care is expanding in its home state of Washington to begin serving other companies. The idea is that others will sign on to make Amazon Care part of an overall benefits package for employees. Amazon is touting as a major strength of the service the speed advantages of testing services, including results delivery, for things including COVID-19.

The Amazon Care model has a surprisingly Amazon twist, too — when using the in-person care option, the app will provide an updated ETA for when to expect your physician or medical technician, which is eerily similar to how its primary app treats package delivery.

While the Amazon Care pilot in Washington only launched a year-and-a-half ago, the company has had its collective mind set on upending the corporate healthcare industry for some time now. It announced a partnership with Berkshire Hathaway and JPMorgan back at the beginning of 2018 to form a joint venture specifically to address the gaps they saw in the private corporate healthcare provider market.

That deep pocketed all-star team ended up officially disbanding at the outset of this year, after having done a whole lot of not very much in the three years in between. One of the stated reasons that Amazon and its partners gave for unpartnering was that each had made a lot of progress on its own in addressing the problems it had faced anyway. While Berkshire Hathaway and JPMorgan’s work in that regard might be less obvious, Amazon was clearly referring to Amazon Care.

It’s not unusual for large tech companies with lots of cash on the balance sheet and a need to attract and retain top-flight talent to spin up their own healthcare benefits for their workforces. Apple and Google both have their own on-campus wellness centers staffed by medical professionals, for instance. But Amazon’s ambitions have clearly exceeded those of its peers, and it looks intent on making a business line out of the work it did to improve its own employee care services — a strategy that isn’t too dissimilar from what happened with AWS, by the way.

Saleor scores $2.5M seed round for its ‘headless’ e-commerce platform

Saleor, a Poland and U.S.-based startup that offers a “headless” e-commerce platform to make it easier for developers to build better online shopping experiences, has raised $2.5 million in seed funding.

The round is led by Berlin’s Cherry Ventures, with participation from various angels. They include Guillermo Rauch (Vercel CEO and inventor of Next.js), Chris Schagen (former CMO of Contentful) and Kevin Mahaffey (co-founder of Lookout).

Saleor says the injection of capital will be invested in further developing Saleor‘s headless e-commerce platform, including a soon-to-launch cloud product and GraphQL API for front-end engineers.

Founded in 2020 but with a history going back to 2013, years before founders Mirek Mencel and Patryk Zawadzki spun out the product separate from their agency, Saleor is described as an “API-first” e-commerce platform that takes a “headless” approach. The idea is that the platform does the back-end heavy lifting so that developers can focus on the front end where most of the value is created for users.

“Saleor was born of necessity when our agency work at Mirumee Software required more modular, flexible and scalable e-commerce software,” Saleor co-founder Mirek Mencel recalls. “Most solutions for bigger brands came with proprietary baggage like vendor lock-in, slow adoption of new technologies and commercial certification programs. On the open-source side, we didn’t enjoy Magento’s developer experience and felt alternatives weren’t viable at scale.”

And so Saleor was conceived as an open-source platform focused on “technical excellence and quality” that could deliver greater scalability and extensibility than existing proprietary software. By 2016, the product had grown from something Mencel and Zawadzki’s agency used internally into a platform used by developers around the world.

“We could have stopped there, but saw brands pressing for more revolutionary front-end experiences,” Mencel says. “Decoupling Saleor’s core from its presentation layer was the obvious path to revolutionary front-ends. As difficult as it was, we tore down what was a rather good open-source e-commerce platform and rebuilt it API-first.”

Beyond their early headless conviction, the pair also came to the realisation that GraphQL delivered “more power, precision and developer happiness” than REST. Reasoning that most developers prefer “a few things done superbly to many things done well,” they committed exclusively to Saleor’s GraphQL API. “We have never looked back,” says Mencel.

In 2018, the original six-person team shipped Saleor 2.0. Now with a headcount of 20, Mencel says Saleor has a simple vision of developer-first commerce: open-source, GraphQL and “fair-priced” cloud — a vision that Cherry Ventures has clearly bought into.

“We are currently witnessing a paradigm shift with developers switching to headless commerce solutions, allowing more flexible, differentiated shopping experiences,” says Filip Dames, founding partner of Cherry. “Mirek, Patryk, and their team are at the forefront of this development and will enable innovative merchants to build state-of-the-art shopping experiences that scale across all consumer touch points and devices.”

“We decided to pursue venture backing as a way to increase the Saleor core team size and accelerate buildout of Saleor Cloud, which we’ll launch this year,” adds Mencel.

SecurityScorecard snags $180M Series E to measure a company’s security risk

SecurityScorecard has been helping companies understand the security risk of their vendors since 2014 by providing each one with a letter grade based on a number of dimensions. Today, the company announced a $180 million Series E.

The round includes new investors Silver Lake Waterman, T. Rowe Price, Kayne Anderson Rudnick, and Fitch Venture along with existing investors Evolution Equity Partners, Accomplice, Riverwood Capital, Intel Capital, NGP Capital, AXA Venture Partners, GV (Google Ventures) and Boldstart Ventures. The company reports it has now raised $290 million.

Co-founder and CEO Aleksandr Yampolskiy says the company’s mission has not changed since it launched. “The idea that we started the company was a realization that when I was CISO and CTO I had no metrics at my disposal. I invested in all kinds of solutions where I was completely in the dark about how I’m doing compared to the industry and how my vendors and suppliers were doing compared to me,” Yampolskiy told me.

He and his co-founder COO Sam Kassoumeh likened this to a banker looking at a mortgage application and having no credit score to check. The company changed that by starting a system of scoring the security posture of different companies and giving them a letter grade of A-F just like at school.

Today, it has ratings on more than 2 million companies worldwide, giving companies a way to understand how secure their vendors are. Yampolskiy says that his company’s solution can rate a new company not in the data set in just five minutes. Every company can see its own scorecard for free along with advice on how to improve that score.

He notes that in fact, the disastrous SolarWinds hack was entirely predictable based on SecurityScorecard’s rating system. “SolarWinds’ score has been lagging below the industry average for quite a long time, so we weren’t really particularly surprised about them,” he said.

The industry average is around 85 or a solid B in the letter grade system, whereas SolarWinds was sitting at 70 or a C for quite some time, indicating its security posture was suspect, he reports.

While Yampolskiy didn’t want to discuss valuation or revenue or even growth numbers, he did say the company has 17,000 customers worldwide including 7 of the 10 top pharmaceutical companies in the world.

The company has reached a point where this could be the last private fundraise it does before going public, but Yampolskiy kept his cards close on timing, saying it could happen some time in the next couple of years.

Fintech Giant Fiserv Used Unclaimed Domain

If you sell Web-based software for a living and ship code that references an unregistered domain name, you are asking for trouble. But when the same mistake is made by a Fortune 500 company, the results can range from costly to disastrous. Here’s the story of one such goof committed by Fiserv [NASDAQ:FISV], a $15 billion firm that provides online banking software and other technology solutions to thousands of financial institutions.

In November 2020, KrebsOnSecurity heard from security researcher Abraham Vegh, who noticed something odd while inspecting an email from his financial institution.

Vegh could see the message from his bank referenced a curious domain: defaultinstitution.com. A quick search of WHOIS registration records showed the domain was unregistered. Wondering whether he might receive email communications to that address if he registered the domain, Vegh snapped it up for a few dollars, set up a catch-all email account for it, and waited.

“It appears that the domain is provided as a default, and customer bank IT departments are either assuming they don’t need to change it, or are not aware that they could/should,” Vegh said, noting that a malicious person who stumbled on his discovery earlier could have had a powerful, trusted domain from which to launch email phishing attacks.

At first, only a few wayward emails arrived. Ironically enough, one was from a “quality assurance” manager at Fiserv. The automatic reply message stated that the employee was out of the office “on R&R” and would be back to work on Dec. 14.

Many other emails poured in, including numerous “bounced” messages delivered in reply to missives from Cashedge.com, a money transfer service that Fiserv acquired in 2011.

Emails get bounced — or returned to the sender — when they are sent to an address that doesn’t exist or that is no longer active. The messages had been sent to an email address for a former client solutions director at Fiserv; the “reply-to:” address in those missives was “donotreply@defaultinstitution.com”.

The messages were informing customers of CashEdge’s main service Popmoney — which lets users send, request and receive money directly from bank accounts — that Popmoney was being replaced with Zelle, a more modern bank-to-bank transfer service.

Each CashEdge missive included information about recurring transfers that were being canceled, such as the plan ID, send date, amount to be transferred, the name and last four digits of the account number the money was coming from, and the email address of the recipient account.

Incredibly, at the bottom of every message to CashEdge/Popmoney customers was a boilerplate text: “This email was sent to [recipient name here]. If you have received this email in error, please send an e-mail to customersupport@defaultinstitution.com.”

Other services that directed customers to reply to the researcher’s domain included Fiserv customer Netspend.com, a leading provider of prepaid debit cards that require no minimum balance or credit check. The messages from Netspend all were to confirm the email address tied to a new account, and concerned “me-to-me transfers” set up through its service.

Each message included a one-time code that recipients were prompted to enter at the company’s website. But from reading the many replies to these missives, it seems Netspend didn’t make it terribly obvious where users were supposed to input this code. Here’s one of the more profane examples of a customer response:

Many others emailed by Netspend expressed mystification as to why they were receiving such messages, stating they’d never signed up for the service. From the gist of those messages, the respondents were victims of identity fraud.

“My accounts were hacked and if any funding is gone your [sic] sued from me and federal trade commission,” one wrote. “I didn’t create the account. Please stop this account and let me know what’s going on,” replied another. “I never signed up for this service. Someone else is using my information,” wrote a third.

Other emails came from Detroit-based TCF National Bank. Those messages also concerned me-to-me transfers.

New York-based Union Bank also sent customer information to the researcher’s domain. Both of those messages were intended to confirm that the recipient had tied their accounts to those at another bank. And in both cases, the recipients replied that they had not authorized the linkage.

In response to questions from KrebsOnSecurity, Fiserv acknowledged that it had inadvertently included references to defaultinstitution.com as a placeholder in software solutions used by some partners.

“We have identified 5 clients for which auto-generated emails to their customers included the domain name ‘defaultinstitution.com’ in the ‘reply-to’ address,” Fiserv said in a written statement. “This placeholder URL was inadvertently left unchanged during implementation of these solutions. Upon being made aware of the situation we immediately conducted an analysis to locate and replace instances of the placeholder domain name. We have also notified the clients whose customers received these emails.”

Indeed, the last email Vegh’s inbox received was on Feb. 26.
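The failure mode in this story is generic: a vendor ships a placeholder domain in a sender, reply-to or support address, and the integrator never replaces it, so the address points at whoever registers the domain first. The same applies to domain literals left in device or agent configuration, as in the AirWatch case Vegh describes later. The Python below is an added example, not Fiserv’s, Netspend’s or Vegh’s code, of the check an institution or a vendor could run in CI over mail templates and configuration, or over a sample of outbound messages at the mail gateway: every domain in a sender-side header or in the message text is compared against an allowlist of domains the organisation actually controls, and anything else is reported, with a separate verdict for domains that look like unfilled template values. The allowlist (`acmecu.test`), the placeholder heuristics and the sample message and config fragment are constructed for the example; `defaultinstitution.com` is the domain from the article.

```python
"""Find placeholder or unowned domains in outbound mail headers, message
bodies and configuration text.  Added example, not code from the article."""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed allowlist: the domains this hypothetical institution actually
# registers and controls.  Any other domain that appears as a sender,
# reply-to or support address is a finding.
OWNED_DOMAINS = {"acmecu.test", "mail.acmecu.test"}

# Substrings that usually mean a template value was never replaced.
# Assumed heuristics for this example, not a list taken from the article.
PLACEHOLDER_HINTS = ("default", "placeholder", "example", "changeme",
                     "yourbank", "institution", "tenant", "client")

# Headers a recipient (or an attacker who registers the domain) can reply
# to, or that mail clients present as the sender.
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path", "Errors-To")

# Dotted labels ending in an alphabetic TLD of at least two characters.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def classify(domain, owned=OWNED_DOMAINS):
    """'owned' if the domain or one of its parents is on the allowlist,
    'placeholder' if it looks like an unfilled template, else 'unowned'."""
    d = domain.lower().rstrip(".")
    if d in owned or any(d.endswith("." + o) for o in owned):
        return "owned"
    if any(hint in d for hint in PLACEHOLDER_HINTS):
        return "placeholder"
    return "unowned"


def audit_text(text, owned=OWNED_DOMAINS):
    """Scan free text (a template, a config file, a message body) and return
    (domain, verdict) for each distinct domain the organisation does not own."""
    findings, seen = [], set()
    for match in DOMAIN_RE.finditer(text):
        domain = match.group(0).lower()
        verdict = classify(domain, owned)
        if verdict != "owned" and domain not in seen:
            seen.add(domain)
            findings.append((domain, verdict))
    return findings


def audit_message(raw, owned=OWNED_DOMAINS):
    """Parse an RFC 5322 message and return (header, address, verdict) for
    every sender-side address whose domain is not owned, followed by
    ('body', domain, verdict) for unowned domains mentioned in the text."""
    msg = message_from_string(raw)
    findings = []
    for header in SENDER_HEADERS:
        for _display, addr in getaddresses(msg.get_all(header, [])):
            if "@" not in addr:
                continue
            verdict = classify(addr.rsplit("@", 1)[1], owned)
            if verdict != "owned":
                findings.append((header, addr, verdict))
    # Single-part messages only; a real gateway check would walk all parts.
    body = "" if msg.is_multipart() else msg.get_payload()
    for domain, verdict in audit_text(body, owned):
        findings.append(("body", domain, verdict))
    return findings


# Constructed sample modelled on the CashEdge messages described above.
SAMPLE_EMAIL = """\
From: Acme Credit Union <alerts@mail.acmecu.test>
Reply-To: donotreply@defaultinstitution.com
To: member@example.org
Subject: Recurring transfer cancelled

Your recurring transfer (plan 1234) will not be sent.
If you have received this email in error, please send an e-mail to
customersupport@defaultinstitution.com.
"""

# Constructed config fragment of the kind an integrator forgets to edit.
SAMPLE_CONFIG = """\
[notifications]
from_domain = mail.acmecu.test
reply_to_domain = defaultinstitution.com
support_url = https://support.acmecu.test/help
"""

if __name__ == "__main__":
    for finding in audit_message(SAMPLE_EMAIL) + audit_text(SAMPLE_CONFIG):
        print(finding)
```

The allowlist is the important part: a placeholder heuristic catches `defaultinstitution.com`, but a vendor’s own stale domain or a typo’d one would pass it, whereas neither passes an allowlist of domains the institution knows it registers. For the domains the check does flag, the follow-up is a WHOIS or RDAP lookup, exactly what Vegh did, to learn whether anyone else already holds them.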

This is not the first time an oversight by Fiserv has jeopardized the security and privacy of its customers. In 2018, KrebsOnSecurity revealed how a programming weakness in a software platform sold to hundreds of banks exposed personal and financial data of countless customers. Fiserv was later sued over the matter by a credit union customer; that lawsuit is still proceeding.

Vegh said he found a similar domain goof while working as a contractor at the Federal Reserve Bank of Philadelphia back in 2015. In that instance, he discovered an unregistered domain invoked by AirWatch, a mobile device management product since acquired by VMware.

“After registering that domain I started getting traffic from all around the world from Fortune 500 company devices pinging the domain,” Vegh said.

Vegh said he plans to give Fiserv control over defaultinstitution.com, and hand over the messages intercepted by his inbox. He’s not asking for much in return.

“I had been promised a t-shirt and a case of beer for my efforts then, but alas, never received one,” he said of his interaction with AirWatch. “This time, I am hoping to actually receive a t-shirt!”

Update, 12:44 p.m. ET: The lead paragraph has been updated to reflect Fiserv’s 2020 revenues, which were nearly $15 billion.

Docker nabs $23M Series B as new developer focus takes shape

It was easy to wonder what would become of Docker after it sold its enterprise business in 2019, but it regrouped last year as a cloud native container company focused on developers, and the new approach appears to be bearing fruit. Today, the company announced a $23 million Series B investment.

Tribe Capital led the round with participation from existing investors Benchmark and Insight Partners. Docker has now raised a total of $58 million including the $35 million investment it landed the same day it announced the deal with Mirantis.

To be sure, the company had a tempestuous 2019, when it changed CEOs twice, sold the enterprise division and looked to reestablish itself with a new strategy. While the pandemic made 2020 a trying time for everyone, Docker CEO Scott Johnston says that in spite of that, the strategy has begun to take shape.

“The results we think speak volumes. Not only was the strategy strong, but the execution of that strategy was strong as well,” Johnston told me. He indicated that the company added 1.7 million new developer registrations for the free version of the product for a total of more than 7.3 million registered users on the community edition.

As with any open-source project, the goal is to popularize the community project and turn a small percentage of those users into paying customers, but Docker’s problem prior to 2019 had been finding ways to do that. While he didn’t share specific numbers, Johnston indicated that annual recurring revenue (ARR) grew 170% last year, suggesting that they are beginning to convert more successfully.

Johnston says that’s because they have found a way to convert a certain class of developer in spite of a free version being available. “Yes, there’s a lot of upstream open-source technologies, and there are users that want to hammer together their own solutions. But we are also seeing these eight to 10 person ‘two-pizza teams’ who want to focus on building applications, and so they’re willing to pay for a service,” he said.

That open-source model tends to get the attention of investors because it comes with that built-in action at the top of the sales funnel. Tribe’s Arjun Sethi, whose firm led the investment, says his company actually was a Docker customer before investing in the company and sees a lot more growth potential.

“Tribe focuses on identifying N-of-1 companies — top-decile private tech firms that are exhibiting inflection points in their growth, with the potential to scale toward outsized outcomes with long-term venture capital. Docker fits squarely into this investment thesis [ … ],” Sethi said in a statement.

Johnston says as they look ahead post-pandemic, he’s learned a lot since his team moved out of the office last year. After surveying employees, they were surprised to learn that most have been happier working at home, having more time to spend with family, while taking away a grueling commute. As a result, he sees going virtual first, even after it’s safe to reopen offices.

That said, he is planning to offer a way to get teams together for in-person gatherings and a full company get-together once a year.

“We’ll be virtual first, but then with the savings of the real estate that we’re no longer paying for, we’re going to bring people together and make sure we have that social glue,” he said.

Rising Team, with $3 million seed, is a platform that combines management tools with training

Jennifer Dulski has held her fair share of leadership positions, from being president and COO of Change.org to serving as head of product for Google’s shopping and product ads to leading the team responsible for Facebook Groups.

But she’s identified a problem that most people managers will all too clearly understand: training and tools for becoming a great manager are in short supply.

That’s why she founded Rising Team, which is today announcing the raise of a $3 million seed round led by Female Founders Fund, with participation from Peterson Ventures, Burst Capital, Xoogler Ventures, 500 Startups, Roble Ventures, Supernode Ventures and several angels.

Dulski explained that there are some tools for managers, like surveys from Gallup and Glint, and there are training options, like executive coaches. But there aren’t many options out there that combine the two.

“I was lucky enough to have the benefit of getting executive coaches or being sent to training, and those felt like being taught how to fish,” said Dulski. “But then it was like being dropped off at the lake with no fishing pole or bait, because I had learned all these things about how to be a good leader but I had no tools to implement what I had learned.”

Rising Team is a platform that combines tools and training to help managers motivate, organize and ultimately effectively lead their team.

The first layer of the platform is the tools suite, which includes proprietary assessments and 1:1 templates. Most employee surveys focus heavily on the actual job, with questions about where employees can do their best work. With Rising Team, the assessments are geared toward who team members are personally, with a look at how they want to be appreciated or what they believe their talents and skills are.

This helps managers understand how to pair team members together, what tasks they should be assigned to and truly grasp what motivates each individual that works for them. Alongside these assessment tools, Rising Team also offers training in the form of videos, articles and audio resources. In the future, the company plans to add AI-based custom training tips that are powered by data from the assessments.

Rising Team is also building out a community that lets managers communicate with one another.

Interestingly, the startup is taking a bottom-up approach when it comes to revenue, pricing the product in a way that will allow individual managers to personally purchase the software, hopefully spreading the word to the rest of their team. But the door is open for organizations to get their full employee base on the product as well.

For now, Rising Team is in a free beta, so pricing has not yet been announced.

The team is currently made up of eight people, 60% of whom are female and 50% of whom are BIPOC.

“It’s really, really important to me and to our team as a whole that we build a diverse team from the start,” said Dulski. “I believe in that so firmly and all the data is really clear that more diverse teams are more successful.”

A crypto company’s journey to Data 3.0

Data is a gold mine for a company.

If managed well, it provides the clarity and insights that lead to better decision-making at scale, in addition to an important tool to hold everyone accountable.

However, most companies are stuck in Data 1.0, which means they are leveraging data as a manual and reactive service. Some have started moving to Data 2.0, which employs simple automation to improve team productivity. The complexity of crypto data has opened up new opportunities in data, namely to move to the new frontier of Data 3.0, where you can scale value creation through systematic intelligence and automation. This is our journey to Data 3.0.

Coinbase is neither a finance company nor a tech company — it’s a crypto company. This distinction has big implications for how we work with data. As a crypto company, we work with three major types of data (instead of the usual one or two types of data), each of which is complex and varied:

  1. Blockchain: decentralized and publicly available.
  2. Product: large and real-time.
  3. Financial: high-precision and subject to many financial/legal/compliance regulations.

Our focus has been on how we can scale value creation by making this varied data work together, eliminating data silos, solving issues before they start and creating opportunities for Coinbase that wouldn’t exist otherwise.

Having worked at tech companies like LinkedIn and eBay, and also those in the finance sector, including Capital One, I’ve observed firsthand the evolution from Data 1.0 to Data 3.0. In Data 1.0, data is seen as a reactive function providing ad-hoc manual services or firefighting in urgent situations.

Can We Stop Pretending SMS Is Secure Now?

SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of employees at mobile stores who can be tricked or bribed into swapping control over a mobile phone number to someone else. Now we’re learning about an entire ecosystem of companies that anyone could use to silently intercept text messages intended for other mobile users.

Security researcher “Lucky225” worked with Vice.com’s Joseph Cox to intercept Cox’s incoming text messages with his permission. Lucky225 showed how anyone could do the same after creating an account at a service called Sakari, a company that helps celebrities and businesses do SMS marketing and mass messaging.

The “how they did it” was sickeningly simple. It cost just $16, and there was precious little to prevent someone from stealing your text messages without your knowledge. Cox writes:

Sakari offers a free trial to anyone wishing to see what the company’s dashboard looks like. The cheapest plan, which allows customers to add a phone number they want to send and receive texts as, is where the $16 goes. Lucky225 provided Motherboard with screenshots of Sakari’s interface, which show a red “+” symbol where users can add a number.

While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari’s LOA says that the user should not conduct any unlawful, harassing, or inappropriate behavior with the text messaging service and phone number.

But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead.

Lucky225 told KrebsOnSecurity that Sakari has since taken steps to block its service from being used with mobile telephone numbers. But he said Sakari is just one part of a much larger, unregulated industry that can be used to hijack SMS messages for many phone numbers.

“It’s not a Sakari thing,” Lucky225 replied when first approached for more details. “It’s an industry-wide thing. There are many of these ‘SMS enablement’ providers.”

The most common way thieves hijack SMS messages these days involves “SIM swapping,” a crime that involves bribing or tricking employees at wireless phone companies into modifying customer account information.

In a SIM swap, the attackers redirect the target’s phone number to a device they control, and can then intercept the target’s incoming SMS messages and phone calls. From there, the attacker can reset the password of any account that uses that phone number for password reset links or one-time codes.

But the attacks Lucky225 has been demonstrating merely require customers of any number of firms to sign a sworn “letter of authorization” or LOA stating that they indeed do have the authority to act on behalf of the owner of the targeted number.

Allison Nixon is chief research officer at Unit221B, a New York City-based cyber investigations firm. An expert on SIM-swapping attacks who’s been quoted quite a bit on this blog, Nixon said she also had Lucky225 test his interception tricks on her mobile phone, only to watch her incoming SMS messages show up on his burner phone.

“This basically means the only thing standing between anyone and the equivalent of a SIM swap is a forged LOA,” Nixon said. “And the ‘fix’ put in seems to be temporary in nature.”

The interception method that Lucky225 described is made possible by a number of systemic weaknesses in the global SMS network that remain dangerously exposed, he said.

Most large and legacy telecommunications providers validate transfer requests related to their customers by consulting NPAC, or the Number Portability Administration Center. When customers want to move their phone numbers — mobile or otherwise — that request is routed through NPAC to the customer’s carrier.

That change request carries what’s known as an ALT-SPID, which is a four-digit number that enables NPAC to identify the telecommunications company currently providing service to the customer. More importantly, as part of this process no changes can happen unless the customer’s carrier has verified the changes with the existing customer.

But Lucky225 said the class of SMS interception he’s been testing targets a series of authentication weaknesses tied to a system developed by NetNumber, a private company in Lowell, Mass. NetNumber developed its own proprietary system for mapping telecommunications providers that is used by Sakari and an entire industry of similar firms.

NetNumber developed its six-digit ALT SPIDs (NetNumber IDs, or NNIDs) to better organize and track communications service providers that were all using other numbering systems (and differing numbers of digits). But NetNumber also works directly with dozens of voice-over-IP or Internet-based phone companies which do not play by the same regulatory rules that apply to legacy telecommunications providers.

“There are many VoIP providers that offer ‘off net’ ‘text enablement’,” Lucky225 explained. “Companies such as ZipWhip that promise to let you ‘Text enable your existing business phone number’ so that customers can text your main business line whether it be VoIP, toll-free or a landline number.”

As Lucky225 wrote in his comprehensive Medium article, there is a plethora of wholesale VoIP providers that let you become a reseller with little to no verification, and many of them allow blanket Letters of Authorization (LOAs), where you as the reseller promise that you have an LOA on file for any number you want to text enable for your own resellers or end-users.

“In essence, once you have a reseller account with these VoIP wholesalers you can change the Net Number ID of any phone number to your wholesale provider’s NNID and begin receiving SMS text messages with virtually no authentication whatsoever. No SIM Swap, SS7 attacks, or port outs needed — just type the target’s phone number in a text box and hit submit and within minutes you can start receiving SMS text messages for them. They won’t even be alerted that anything has happened as their voice & data services will continue to work as usual. Surprisingly, despite the fact that I publicly disclosed this in 2018, nothing has been done to stop this relatively unsophisticated attack.”

NetNumber declined to comment on the record, but instead referred to a statement from the CTIA, a trade association representing the wireless industry, which reads:

“After being made aware of this potential threat, we worked immediately to investigate it, and took precautionary measures. Since that time, no carrier has been able to replicate it. We have no indication of any malicious activity involving the potential threat or that any customers were impacted. Consumer privacy and safety is our top priority, and we will continue to investigate this matter.”

Lucky225 told KrebsOnSecurity many of the major mobile companies have moved to ensure none of their customers can be affected by changes requested through NetNumber or its partners. But he suspects some of the smaller wired and wireless telecommunications firms may still be vulnerable.

“I’m pretty sure it’s only the big carriers that they’re protecting now,” he said. “But there’s just so much we don’t know about what they patched because everyone is being so tight lipped about this right now.”

Nixon said it’s time for federal regulators to step up and protect consumers.

“It’s clear this is a lot of foundational infrastructure mucky muck and some fundamental changes are going to need to happen here,” she said. “Regulators really need to get involved.”

WHAT CAN YOU DO?

Given the potentially broad impact of fraudsters abusing this and other weaknesses in the vast mobile ecosystem to completely subvert the security of SMS based communications and multi-factor authentication, it’s probably a good idea to rethink your relationship to your phone number. It’s now plainer than ever how foolish it is to trust SMS for anything.

My advice has long been to remove phone numbers from your online accounts wherever you can, and avoid selecting SMS or phone calls for second factor or one-time codes. Phone numbers were never designed to be identity documents, but that’s effectively what they’ve become. It’s time we stopped letting everyone treat them that way.

Any online accounts that you value should be secured with a unique and strong password, as well as the most robust form of multi-factor authentication available. Usually, this is a mobile app like Authy or Google Authenticator that generates a one-time code locally from a shared secret and the current time, so nothing sensitive crosses the carrier network. Some sites like Twitter and Facebook now support even more robust options, such as physical security keys.

Removing your phone number may be even more important for any email accounts you may have. Sign up with any service online, and it will almost certainly require you to supply an email address. In nearly all cases, the person who is in control of that address can reset the password of any associated services or accounts, merely by requesting a password reset email.

Unfortunately, many email providers still let users reset their account passwords by having a link sent via text to the phone number on file for the account. So remove the phone number as a backup for your email account, and ensure a more robust second factor is selected for all available account recovery options.

Here’s the thing: Most online services require users to supply a mobile phone number when setting up the account, but do not require the number to remain associated with the account after it is established. I advise readers to remove their phone numbers from accounts wherever possible, and to take advantage of a mobile app to generate any one-time codes for multifactor authentication.