Temporal raises $18.75M for its microservices orchestration platform

Temporal, a Seattle-based startup that is building an open-source, stateful microservices orchestration platform, today announced that it has raised an $18.75 million Series A round led by Sequoia Capital. Existing investors Addition Ventures and Amplify Partners also joined, together with new investor Madrona Venture Group. With this, the company has now raised a total of $25.5 million.

Founded by Maxim Fateev (CEO) and Samar Abbas (CTO), who created the open-source Cadence orchestration engine during their time at Uber, Temporal aims to make it easier for developers and operators to run microservices in production. Current users include the likes of Box and Snap.

“Before microservices, coding applications was much simpler,” Temporal’s Fateev told me. “Resources were always located in the same place — the monolith server with a single DB — which meant developers didn’t have to codify a bunch of guessing about where things were. Microservices, on the other hand, are highly distributed, which means developers need to coordinate changes across a number of servers in different physical locations.”

Those servers could go down at any time, so engineers often spend a lot of time building custom reliability code to make calls to these services. As Fateev argues, that’s table stakes and doesn’t help these developers create something that builds real business value. Temporal gives these developers access to a set of what the team calls “reliability primitives” that handle these use cases. “This means developers spend far more time writing differentiated code for their business and end up with a more reliable application than they could have built themselves,” said Fateev.

Temporal’s target user is virtually any developer who works with microservices — and wants them to be reliable. Because of this, the tool’s read-only, web-based user interface for administering and monitoring the system isn’t the main focus. The company also doesn’t have any plans to create a no-code/low-code workflow builder, Fateev tells me. However, since it is open-source, quite a few Temporal users build their own solutions on top of it.

The company itself plans to offer a cloud-based Temporal-as-a-Service offering soon. Interestingly, Fateev tells me that the team isn’t looking at offering enterprise support or licensing in the near future. “After spending a lot of time thinking it over, we decided a hosted offering was best for the open-source community and long-term growth of the business,” he said.

Unsurprisingly, the company plans to use the new funding to improve its existing tool and build out this cloud service, with plans to launch it into general availability next year. At the same time, the team plans to stay true to its open-source roots, hosting events and providing more resources to its community.

“Temporal enables Snapchat to focus on building the business logic of a robust asynchronous API system without requiring a complex state management infrastructure,” said Steven Sun, Snap Tech Lead, Staff Software Engineer. “This has improved the efficiency of launching our services for the Snapchat community.”

Application security platform NeuraLegion raises $4.7 million seed led by DNX Ventures

A video call group photo of NeuraLegion's team working remotely around the world

Application security platform NeuraLegion announced today it has raised a $4.7 million seed round led by DNX Ventures, an enterprise-focused investment firm. The funding included participation from Fusion Fund, J-Ventures and Incubate Fund. The startup also announced the launch of a new self-serve, community version that allows developers to sign up on their own for the platform and start performing scans within a few minutes.

Based in Tel Aviv, Israel, NeuraLegion also has offices in San Francisco, London and Mostar, Bosnia. It currently offers NexDAST for dynamic application security testing, and NexPLOIT to integrate application security into SDLC (software development life cycle). It was launched last year by a founding team that includes chief executive Shoham Cohen, chief technology officer Bar Hofesh, chief scientist Art Linkov and president and chief commercial officer Gadi Bashvitz.

When asked who NeuraLegion views as its closest competitors, Bashvitz said Invicti Security and WhiteHat Security. Both are known primarily for their static application security testing (SAST) solutions, which Bashvitz said complements DAST products like NeuraLegion’s.

“These are complementary solutions and in fact we have some information partnerships with some of these companies,” he said.

Where NeuraLegion differentiates from other application security solutions, however, is that it was created specifically for developers, quality assurance and DevOps workers, so even though it can also be used by security professionals, it allows scans to be run much earlier in the development process than usual while lowering costs.

Bashvitz added that NeuraLegion is now used by thousands of developers through their organizations, but it is releasing its self-serve, community product to make its solutions more accessible to developers, who can sign up on their own, run their first scans and get results within 15 minutes.

In a statement about the funding, DNX Ventures managing partner Hiro Rio Maeda said, “The DAST market has been long stalled without any innovative approaches. NeuraLegion’s next-generation platform introduces a new way of conducting robust testing in today’s modern CI/CD environment.”

Breach at Dickey’s BBQ Smokes 3M Cards

One of the digital underground’s most popular stores for peddling stolen credit card information began selling a batch of more than three million new card records this week. KrebsOnSecurity has learned the data was stolen in a lengthy data breach at more than 100 Dickey’s Barbeque Restaurant locations around the country.

An ad on the popular carding site Joker’s Stash for “BlazingSun,” which fraud experts have traced back to a card breach at Dickey’s BBQ.

On Monday, the carding bazaar Joker’s Stash debuted “BlazingSun,” a new batch of more than three million stolen card records, advertising “valid rates” of between 90 and 100 percent. This is typically an indicator that the breached merchant is either unaware of the compromise or has only just begun responding to it.

Multiple companies that track the sale of stolen payment card data say they have confirmed with card-issuing financial institutions that the accounts for sale in the BlazingSun batch have one common theme: All were used at various Dickey’s BBQ locations over the past 13-15 months.

KrebsOnSecurity first contacted Dallas-based Dickey’s on Oct. 13. Today, the company shared a statement saying it was aware of a possible payment card security incident at some of its eateries:

“We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved. We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”

The confirmations came from Miami-based Q6 Cyber and Gemini Advisory in New York City.

Q6Cyber CEO Eli Dominitz said the breach appears to extend from May 2019 through September 2020.

“The financial institutions we’ve been working with have already seen a significant amount of fraud related to these cards,” Dominitz said.

Gemini says its data indicated some 156 Dickey’s locations across 30 states likely had payment systems compromised by card-stealing malware, with the highest exposure in California and Arizona. Gemini puts the exposure window between July 2019 and August 2020.

“Low-and-slow” aptly describes the card breach at Dickey’s, which persisted for at least 13 months.

With the threat from ransomware attacks grabbing all the headlines, it may be tempting to assume plain old credit card thieves have moved on to more lucrative endeavors. Alas, cybercrime bazaars like Joker’s Stash have continued plying their trade, undeterred by a push from the credit card associations to encourage more merchants to install credit card readers that require more secure chip-based payment cards.

That’s because there are countless restaurant locations — usually franchise locations of an established eatery chain — that are left to decide for themselves whether and how quickly they should make the upgrades necessary to dip the chip versus swipe the stripe.

“Dickey’s operates on a franchise model, which often allows each location to dictate the type of point-of-sale (POS) device and processors that they utilize,” Gemini wrote in a blog post about the incident. “However, given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations.”

While there have been sporadic reports about criminals compromising chip-based payment systems used by merchants in the U.S., the vast majority of the payment card data for sale in the cybercrime underground is stolen from merchants who are still swiping chip-based cards.

This isn’t conjecture; relatively recent data from the stolen card shops themselves bear this out. In July, KrebsOnSecurity wrote about an analysis by researchers at New York University, which looked at patterns surrounding more than 19 million stolen payment cards that were exposed after the hacking of BriansClub, a top competitor to the Joker’s Stash carding shop.

The NYU researchers found BriansClub earned close to $104 million in gross revenue from 2015 to early 2019, and listed over 19 million unique card numbers for sale. Around 97% of the inventory was stolen magnetic stripe data, commonly used to produce counterfeit cards for in-person payments.

Visa and MasterCard instituted new rules in October 2015 that put retailers on the hook for all of the losses associated with counterfeit card fraud tied to breaches if they haven’t implemented chip-based card readers and enforced the dipping of the chip when a customer presents a chip-based card.

Dominitz said he never imagined back in 2015 when he founded Q6Cyber that we would still be seeing so many merchants dealing with magstripe-based data breaches.

“Five years ago I did not expect we would be in this position today with card fraud,” he said. “You’d think the industry in general would have made a bigger dent in this underground economy a while ago.”

Tired of having your credit card re-issued and updating your payment records at countless e-commerce sites every time some restaurant you frequent has a breach? Here’s a radical idea: Next time you visit an eatery (okay, if that ever happens again post-COVID, etc), ask them if they use chip-based card readers. If not, consider taking your business elsewhere.

Hiding in Plain Sight | The IoT Security Headache and How to Fix It

Within five years, some suggest there will be 41.6 million IoT devices connected to businesses, according to IDC, and these “things” will generate 79.4 zettabytes of data. The explosion of connected devices in the home, enterprise and industrial environments increases the attack surface of these entities many times over. Moreover, many of these devices are insecure by nature, and others, although possessing reasonable security mechanisms, are left exposed due to poor cyber hygiene and a lack of IoT security know-how. In this post, we look at some of the dangers posed by IoT devices and how they can be addressed.

Enhanced DDoS Attacks with CallStranger

The quest to make connected devices cheap and easy to install and operate has resulted in the creation of less-than-adequate security mechanisms – such is the case with the IP cameras made by China-based HiChip, for example, which has sold around 100,000 wireless cameras in the UK, all of which are vulnerable to hacking. But even if a device is made according to desired security standards, the protocols it relies on are sometimes seriously flawed.

Earlier this year, Turkish researcher Yunus Çadırcı identified a new vulnerability in UPnP (Universal Plug and Play), a set of networking protocols that permits devices to seamlessly discover each other’s presence on a network and establish functional services for data sharing. The vulnerability – CVE-2020-12695, aka “CallStranger” – allows attackers to subscribe to devices and get them to send traffic to any IP address. This enables attackers to launch large-scale amplified TCP DDoS reflection attacks by sending a request to a third-party server, using a spoofed IP address. The response is much larger in size and is returned to the spoofed IP address of the unwitting victim, creating powerful DDoS attacks.

In addition, CallStranger allows attackers to bypass DLP and network security devices to exfiltrate data, and even to scan internal network ports that are not otherwise exposed to the internet.
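The root of CallStranger is that a UPnP eventing subscription (a GENA SUBSCRIBE request) names, in its CALLBACK header, the URL to which the device will later push NOTIFY traffic, and vulnerable devices accept any URL. The standard mitigation on the device or gateway side is to refuse callbacks that do not point back into the local network. The Python below is an added example, not code from this post or from the CallStranger researcher: it parses a SUBSCRIBE request the way a device or an inline filter would see it and applies that check. The local subnet 192.168.1.0/24, the sample requests and the subscriber addresses are constructed; the additional rule that the callback host must equal the subscribing address is an assumed policy that is stricter than the base specification.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed local network of the device answering SUBSCRIBE requests (constructed).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# GENA places each callback URL in angle brackets: <http://host:port/path><http://...>
CALLBACK_RE = re.compile(r"<([^>]*)>")


def parse_subscribe(raw: bytes):
    """Split an HTTP/1.1 request into (method, path, headers); header names are lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def check_callback(url: str, subscriber_ip: str, local_net=LOCAL_NET):
    """Decide whether one callback URL may receive NOTIFY traffic. Returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return False, "callback must be an http URL with a host"
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # A DNS name would let the subscriber choose the destination at notify time.
        return False, "callback host must be an IP literal"
    if addr.is_multicast or addr.is_loopback or addr.is_unspecified:
        return False, f"{addr} is a reserved address"
    if addr not in local_net:
        # The CallStranger case: a callback pointing at a third party.
        return False, f"{addr} is outside {local_net}"
    if addr != ipaddress.ip_address(subscriber_ip):
        # Assumed stricter policy: notifications go only back to whoever subscribed.
        return False, f"{addr} differs from subscriber {subscriber_ip}"
    return True, "ok"


def evaluate_subscribe(raw: bytes, subscriber_ip: str):
    """Return (accept, reason) for a raw SUBSCRIBE request arriving from subscriber_ip."""
    method, _path, headers = parse_subscribe(raw)
    if method != "SUBSCRIBE":
        return False, f"unexpected method {method}"
    if "sid" in headers:
        # A renewal names an existing subscription and carries no CALLBACK header.
        return True, "renewal"
    urls = CALLBACK_RE.findall(headers.get("callback", ""))
    if not urls:
        return False, "no CALLBACK URL"
    for url in urls:
        ok, reason = check_callback(url, subscriber_ip)
        if not ok:
            return False, f"{url}: {reason}"
    return True, "ok"


def _request(callback: str) -> bytes:
    """Build a constructed SUBSCRIBE request carrying the given CALLBACK header value."""
    return (
        b"SUBSCRIBE /upnp/event/Layer3Forwarding HTTP/1.1\r\n"
        b"HOST: 192.168.1.1:49152\r\n"
        b"CALLBACK: " + callback.encode() + b"\r\n"
        b"NT: upnp:event\r\n"
        b"TIMEOUT: Second-1800\r\n\r\n"
    )


# Constructed requests: a normal control point, and three a filter should refuse.
LEGIT = _request("<http://192.168.1.20:5000/notify>")
EXTERNAL = _request("<http://203.0.113.5:80/>")
BY_NAME = _request("<http://collector.example/notify>")
MIXED = _request("<http://192.168.1.20:5000/notify><http://203.0.113.5:80/>")

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("external", EXTERNAL), ("by-name", BY_NAME), ("mixed", MIXED)]:
        print(name, evaluate_subscribe(req, "192.168.1.20"))
```

The MIXED case matters in practice: a request is rejected if any one of its callback URLs fails, since the device would otherwise still send traffic to the external address. The IP-literal rule closes the variant where a hostname resolves locally at subscription time and elsewhere later.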

This vulnerability affects billions of UPnP devices on local networks and millions of UPnP devices on the Internet, almost all of which need to be updated. The following devices have been identified as among those that are known to be vulnerable to the CallStranger bug, although other devices could also be at risk:

  • Windows 10 (Probably all Windows versions including servers) – upnphost.dll 10.0.18362.719
  • Xbox One – OS Version 10.0.19041.2494
  • ADB TNR-5720SX Box (TNR-5720SX/v16.4-rc-371-gf5e2289 UPnP/1.0 BH-upnpdev/2.0)
  • Asus ASUS Media Streamer
  • Asus RT-N66U Firmware: 3.0.0.4.382_51640-g679a7e3
  • Asus Rt-N11
  • Belkin WeMo
  • Bose SoundTouch 10 (http://x.x.x.x:8091/QPlay/Event)
  • Broadcom ADSL Modems
  • Canon Canon SELPHY CP1200 Printer
  • Cisco X1000 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
  • Cisco X3500 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
  • D-Link DVG-N5412SP WPS Router (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Denon X3500H (LINUX UPnP/1.0 Denon-Heos/155415)
  • EPSON EP, EW, XP Series (EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0)
  • HP Deskjet, Photosmart, Officejet ENVY Series (POSIX, UPnP/1.0, Intel MicroStack/1.0.1347)
  • Huawei HG255s Router – Firmware HG255sC163B03 (ATP UPnP Core)
  • Huawei MyBox (Linux/3.4.67_s40 UPnP/1.0 HUAWEI_iCOS/iCOS V1R1C00)
  • JRiver DLNA Server 19.0.163 (Windows, UPnP/1.1 DLNADOC/1.50, JRiver/19)
  • LG webOS TV OLED55C9PLA (Linux/i686 UPnP/1,0 DLNADOC/1.50 LGE WebOS TV/Version 0.9)
  • Linksys router (http://x.x.x.x:49152/upnp/event/Layer3Forwarding)
  • NEC AccessTechnica WR8165N Router ( OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Philips 2k14MTK TV – Firmware TPL161E_012.003.039.001
  • Samsung UE55MU7000 TV – Firmware T-KTMDEUC-1280.5, BT – S
  • Samsung MU8000 TV
  • Synology NAS (Linux/3.10.105, UPnP/1.0, Portable SDK for UPnP devices/1.6.21)
  • TP-Link TL-WA801ND (Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.19)
  • TP-Link Archer VR200 (Linux/2.6.32.42, UPnP/1.0, Portable SDK for UPnP devices/1.6.19)
  • Trendnet TV-IP551W (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Zyxel VMG8324-B10A (LINUX/2.6 UPnP/1.0 BRCM400-UPnP/1.0)

The Ripple20 Supply Chain Vulnerability

A problem that affects IoT devices in particular is the use of third-party code and libraries which may never be updated by the vendor after the device has shipped. In some cases, the vendor may not even have the means of updating such code without a device recall, which is often impossible as devices tend to remain in use for far longer than the minimal vendor support that is typically offered with cheap IoT devices.

Researchers from JSOF research lab discovered a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. The library, believed to have been first released in 1997, implements a lightweight TCP/IP stack. Companies have been using this library for decades to allow their devices or software to connect to the internet via TCP/IP connections. JSOF named the 19 vulnerabilities “Ripple20” (after the year 2020, not the number of vulnerabilities).

Because these flaws reside within the supply chain of hundreds of millions of IoT devices worldwide, with an unknown number either unpatchable or no longer supported by their manufacturers, Ripple20 is going to be with us for a long time to come. Attackers who discover a Ripple20-vulnerable device on a network can abuse it to achieve remote code execution, allowing for data theft, malicious takeovers and more.

Botnets | Making The Most Out Of Insecure Devices

It’s not just specific vulnerabilities, however, that make IoT devices such a security concern. It’s also the fact that they tend to have no security configuration, or a poorly configured one, and often sit on a network with known default credentials. This was famously exploited by the Mirai botnet back in 2016, which spread through hundreds of thousands of IoT devices using nothing more sophisticated than a hard-coded list of known default credentials for particular devices.

In the time since the first Mirai attack, many other botnets have risen, but, even today, Mirai and its variants are still predominant. The Mirai variant Echobot has 71 unique exploits, 13 of them previously unexploited. It surfaced a year ago and was seen in the wild multiple times between October and December. Other botnets, such as IoTroop, which shares an extensive code base with the leaked Mirai source, are also fairly active; IoTroop in particular accounts for 87% of all botnet detections in Japan. Another botnet, Dark Nexus, has also been active in the past year.

More recently, researchers at 360Netlab discovered a new IoT P2P botnet they dubbed “HEH”. Written in Go and supporting multiple architectures, the HEH botnet is designed for destruction. While the researchers say it is still very much in the early stages of development, one feature already built in is the ability to wipe all data on the infected device. HEH spreads via brute-force attacks against Telnet on ports 23 and 2323.
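One defensive signal for the Telnet brute forcing that Mirai-style botnets and HEH rely on is a burst of inbound connection attempts to ports 23 and 2323 from a single source against many hosts. The Python below is an added example, not code from this post or from 360Netlab: it runs that check over a few constructed iptables-style kernel log lines (the addresses, timestamps, and the five-attempts-per-minute threshold are all made up) using a sliding window, so a source that spreads its attempts over many minutes stays under the threshold while a fast one is flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed iptables-style kernel log lines (not taken from any real device).
SAMPLE_LOG = """\
Oct 14 10:00:01 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.30 PROTO=TCP DPT=23 SYN
Oct 14 10:00:05 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.31 PROTO=TCP DPT=2323 SYN
Oct 14 10:00:09 gw kernel: IN=eth1 SRC=192.168.1.50 DST=192.168.1.30 PROTO=TCP DPT=23 SYN
Oct 14 10:00:12 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.32 PROTO=TCP DPT=23 SYN
Oct 14 10:00:20 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.168.1.30 PROTO=TCP DPT=80 SYN
Oct 14 10:00:25 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.33 PROTO=TCP DPT=23 SYN
Oct 14 10:00:33 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.34 PROTO=TCP DPT=2323 SYN
Oct 14 10:00:41 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.35 PROTO=TCP DPT=23 SYN
Oct 14 10:01:00 gw kernel: IN=eth0 SRC=203.0.113.4 DST=192.168.1.30 PROTO=TCP DPT=23 SYN
Oct 14 10:04:00 gw kernel: IN=eth0 SRC=203.0.113.4 DST=192.168.1.31 PROTO=TCP DPT=23 SYN
Oct 14 10:05:00 gw kernel: IN=eth1 SRC=192.168.1.50 DST=192.168.1.31 PROTO=TCP DPT=23 SYN
Oct 14 10:07:00 gw kernel: IN=eth0 SRC=203.0.113.4 DST=192.168.1.32 PROTO=TCP DPT=23 SYN
Oct 14 10:10:00 gw kernel: IN=eth0 SRC=203.0.113.4 DST=192.168.1.33 PROTO=TCP DPT=23 SYN
Oct 14 10:13:00 gw kernel: IN=eth0 SRC=203.0.113.4 DST=192.168.1.34 PROTO=TCP DPT=23 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)"
)
TELNET_PORTS = {23, 2323}


def parse_events(log: str, year: int = 2020):
    """Yield (timestamp, src, dst, dport) per TCP log line; syslog omits the year, so one is supplied."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["dst"], int(m["dpt"])


def find_telnet_bruteforce(log: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Return {src: summary} for sources with >= threshold Telnet attempts inside one sliding window."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) still inside the window
    hits = {}
    for ts, src, dst, dport in parse_events(log):
        if dport not in TELNET_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # discard attempts that have aged out of the window
            q.popleft()
        if len(q) >= threshold and src not in hits:
            hits[src] = {
                "first": q[0][0],
                "last": ts,
                "count": len(q),
                "targets": sorted({d for _, d in q}),
            }
    return hits


if __name__ == "__main__":
    for src, info in find_telnet_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} Telnet attempts against {len(info['targets'])} hosts "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

With the defaults only 198.51.100.7 is reported; the slow source 203.0.113.4 never has five attempts inside any 60-second window, and the internal host 192.168.1.50 makes only two. Widening the window (say, 10 minutes with a threshold of 3) surfaces the slow scanner as well, which is the trade-off an analyst tunes against the noise of legitimate Telnet use on the segment.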

That attackers are increasingly targeting IoT devices to recruit into botnets is evident. A recent study found a 46% increase in cyber attacks on smart homes and IoT devices in enterprise and industrial environments. Another study found that more than 50% of IoT devices are “protected” by the default password “12345”. Other research found many sellers on the darknet offering “ready to go” botnets for sale.

A Ponemon Institute study conducted in 2020 suggests that known data breaches caused by insecure devices have doubled since 2017. According to the study, an overwhelming number of security professionals – as many as 90% – expect their company to experience a cyber attack or data breach caused by insecure IoT devices or applications in the next two years. More than three-quarters of respondents in the Ponemon research said that IoT risks pose a serious threat to high-value data assets. Nearly 50% of respondents reported that it was not possible to maintain an inventory of IoT devices in the workplace given their current security and auditing tools. Of the devices that could be identified, fewer than 50% had adequate security.

Solving the IoT Security Headache

In some cases, there are known remediations for specific vulnerabilities. For example, there is specific advice for the CallStranger vulnerability discussed above. You can also run this script to check against the CallStranger (CVE-2020-12695) vulnerability.

In other cases, there’s not much you can do other than take a vulnerable device off the network, assuming you can find it to start with, and of course, no amount of vulnerability patching is going to protect your devices from a botnet if the device configuration uses weak or default security controls.

Due to the complexity of the IoT problem and the amount of human effort required by admins to keep up with the ever-increasing load of new IoT devices joining the network, it’s essential to get some automated help from your security solution.

A solution like SentinelOne’s Ranger, for example, adds global network visibility to your armoury. It allows you to detect and alert on new IoT devices in your network, isolate device-based threats and even hunt for suspicious network devices across the entire network. Just as importantly, it can do this without needing any additional specialty hardware or software, as Ranger is already built into the SentinelOne agent and uses protected endpoints themselves as distributed network sensors.

Conclusion

The proliferation of IoT ‘smart’ devices is only set to continue, and with a continuing lack of industry standards or government regulations for IoT device security, the risk presented by such devices on enterprise networks is similarly bound to increase. Gaining visibility into your network and having the means to control all devices on it is fundamental to your security posture. If you would like to learn more about how the SentinelOne platform and SentinelOne Ranger can help, contact us for more information or request a free demo.


Dataloop raises $11M Series A round for its AI data management platform

Dataloop, a Tel Aviv-based startup that specializes in helping businesses manage the entire data life cycle for their AI projects, including helping them annotate their data sets, today announced that it has now raised a total of $16 million. This includes a $5 million seed round that was previously unreported, as well as an $11 million Series A round that recently closed.

The Series A round was led by Amiti Ventures, with participation from F2 Venture Capital, crowdfunding platform OurCrowd, NextLeap Ventures and SeedIL Ventures.

“Many organizations continue to struggle with moving their AI and ML projects into production as a result of data labeling limitations and a lack of real-time validation that can only be achieved with human input into the system,” said Dataloop CEO Eran Shlomo. “With this investment, we are committed, along with our partners, to overcoming these roadblocks and providing next generation data management tools that will transform the AI industry and meet the rising demand for innovation in global markets.”

Image Credits: Dataloop

For the most part, Dataloop specializes in helping businesses manage and annotate their visual data. It’s agnostic to the vertical its customers are in, but we’re talking about anything from robotics and drones to retail and autonomous driving.

The platform itself centers around the “humans in the loop” model that complements the automated systems, with the ability for humans to train and correct the model as needed. It combines the hosted annotation platform with a Python SDK and REST API for developers, as well as a serverless Functions-as-a-Service environment that runs on top of a Kubernetes cluster for automating dataflows.

Image Credits: Dataloop

The company was founded in 2017. It’ll use the new funding to grow its presence in the U.S. and European markets, something that’s pretty standard for Israeli startups, and build out its engineering team as well.

With a new focus on marketing software, NewsCred relaunches as Welcome

The company formerly known as NewsCred has a new name and a new product: Welcome.

Co-founder and CEO Shafqat Islam explained that this follows a broader shift in the company’s strategy. While previously known as a content marketing business, Islam said NewsCred has been increasingly focused on building a broader software platform for marketers (a platform that it uses itself).

Eventually, this led the company to sell its content services business to business journalism company Industry Dive and its owner Falfurrias Capital Partners over the summer. Now Welcome is officially unveiling its new brand, which it’s also using for its new marketing orchestration software.

“It’s not often that startups like ours get to close one chapter and open another chapter,” Islam said. “We kind of went back to being a Series A, Series B startup, iterating and working very closely with our customers.”

While today is the official launch of the Welcome platform, Islam said the company has been moving the software in this direction for the past year, and that this side of the business has already seen significant growth, with daily average users up 300% year-over-year.

Islam also suggested that while this was the right time to come up with a new company name, it’s something that’s been discussed repeatedly in the past.

Welcome Gantt Calendar

Image Credits: Welcome

“Every time we raised money in the last 10 years, the new investor would say, ‘What about the name? Can we change it?’ ” he recalled. “We could never do it, because we had this content heritage built up and enough brand equity. Finally, with this deal, and with the launch of the new software … we came up with the name Welcome.”

While there’s no shortage of marketing software out there already, Islam said marketers need an orchestration system to manage their projects and workflows — most of them, he said, are stuck using “horizontal” project management tools that aren’t really built for their needs, such as Asana or Jira.

“Marketers have very specific needs,” Islam said. “It could be a simple thing like … marketers work with campaigns, so what are your specific campaigns, marketing briefs or marketing-specific workflows? Our approach was: How do we create something that’s really specific to marketers versus all horizontal solutions out there?”

He also noted that “close to half the engineering team works on the interoperability problem,” so that Welcome can integrate all the other tools that marketers are using, like HubSpot and Marketo. The goal, Islam said, is to become “something marketers standardize on,” the way that salespeople log into their Salesforce accounts every day.

Islam also argued Welcome will take advantage of the way that the pandemic has accelerated changes in the enterprise sales process.

“I personally believe the way people buy software is changing,” he said. “The days of wining and dining and selling to the CMO, that still exists, but that’s not how everyone wants to buy anymore.”

To adapt to this new world, Islam said the startup is adopting a more “bottoms up” sales approach, with a free version of the platform due for release next month.

Atlassian Smarts adds machine learning layer across the company’s platform of services

Atlassian has for some time been offering collaboration tools, often favored by developers and IT, with such stalwarts as Jira for help desk tickets, Confluence to organize your work and Bitbucket to organize your development deliverables, but what it lacked was a machine learning layer across the platform to help users work smarter within and across the applications in the Atlassian family.

That changed today, when Atlassian announced it has been building that machine learning layer, called Atlassian Smarts, and is releasing several tools that take advantage of it. It’s worth noting that unlike Salesforce, which calls its intelligence layer Einstein, or Adobe, which calls its Sensei, Atlassian chose to forgo the cutesy marketing terms and just let the technology stand on its own.

Shihab Hamid, the founder of the Smarts and Machine Learning Team at Atlassian, who has been with the company 14 years, says they avoided a marketing name by design. “I think one of the things that we’re trying to focus on is actually the user experience and so rather than packaging or branding the technology, we’re really about optimizing teamwork,” Hamid told TechCrunch.

Hamid says that the goal of the machine learning layer is to remove the complexity involved with organizing people and information across the platform.

“Simple tasks like finding the right person or the right document becomes a challenge, or at least they slow down productivity and take time away from the creative high-value work that everyone wants to be doing, and teamwork itself is super messy and collaboration is complicated. These are human challenges that don’t really have one right solution,” he said.

He says that Atlassian has decided to solve these problems using machine learning with the goal of speeding up repetitive, time-intensive tasks. Much like Adobe or Salesforce, Atlassian has built this underlying layer of machine smarts, for lack of a better term, that can be distributed across their platform to deliver this kind of machine learning-based functionality wherever it makes sense for the particular product or service.

“We’ve invested in building this functionality directly into the Atlassian platform to bring together IT and development teams to unify work, so the Atlassian flagship products like JIRA and Confluence sit on top of this common platform and benefit from that common functionality across products. And so the idea is if we can build that common predictive capability at the platform layer we can actually proliferate smarts and benefit from the data that we gather across our products,” Hamid said.

The first pieces fit into this vision. For starters, Atlassian is offering a smart search tool that helps users find content across Atlassian tools faster by understanding who you are and how you work. “So by knowing where users work and what they work on, we’re able to proactively provide access to the right documents and accelerate work,” he said.

The second piece is more about collaboration and building teams with the best personnel for a given task. A new tool called predictive user mentions helps Jira and Confluence users find the right people for the job.

“What we’ve done with the Atlassian platform is actually baked in that intelligence, because we know what you work on and who you collaborate with, so we can predict who should be involved and brought into the conversation,” Hamid explained.

Finally, the company announced a tool specifically for Jira users that bundles together similar help requests, which should lead to faster resolution than handling them manually one at a time.

“We’re soon launching a feature in JIRA Service Desk that allows users to cluster similar tickets together, and operate on them to accelerate IT workflows, and this is done in the background using ML techniques to calculate the similarity of tickets, based on the summary and description, and so on.”

All of this was made possible by the company’s previous shift from mostly on-premises to the cloud and the flexibility that gave them to build new tooling that crosses the entire platform.

Today’s announcements are just the start of what Atlassian hopes will be a slew of new machine learning-fueled features being added to the platform in the coming months and years.

Daily Crunch: Zoom launches its events marketplace

Zoom has a new marketplace and new integrations, Spotify gets a new format and we review Microsoft’s Surface Laptop Go. This is your Daily Crunch for October 14, 2020.

The big story: Zoom launches its events marketplace

Zoom’s new OnZoom marketplace allows anyone to host and sell tickets for virtual events. It’s also integrating the ability for nonprofits to accept donations.

The company made a couple of other announcements at its Zoomtopia user conference. For one thing, it’s also integrating with a starting lineup of 35 third-party “Zapps,” allowing products like Asana and Dropbox to integrate directly into the Zoom experience.

In addition, Zoom said it will begin rolling out end-to-end encryption (a feature it’s been promising since acquiring Keybase in May) to users next week.

The tech giants

Spotify introduces a new music-and-spoken word format, open to all creators — The new format is designed to reproduce the radio-like experience of listening to a DJ talk about the music, and it also enables the creation of music-filled podcasts.

Microsoft reverse engineers a budget computer with the Surface Laptop Go — Brian Heater writes that the Laptop Go is a strange and sometimes successful mix of Surface design and budget decisions.

Google launches a suite of tech-powered tools for reporters, Journalist Studio — The suite includes a host of existing tools as well as two new products aimed at helping reporters search across large documents and visualizing data.

Startups, funding and venture capital

Getaround raises a $140M Series E amid rebound in short-distance travel — The rebound is real: I took my first Getaround this weekend.

Augury taps $55M for tech that predicts machine faults from vibration, sound and temperature — The startup works with large enterprises like Colgate and Heineken to maintain machines in their production and distribution lines.

Plenty has raised over $500M to grow fruits and veggies indoors — The funding was led by existing investor SoftBank Vision Fund and included the berry farming giant Driscoll’s.

Advice and analysis from Extra Crunch

What the iPhone 12 tells us about the state of the smartphone industry in 2020 — While the iPhone 12 was no doubt in development long before the current pandemic, the pandemic’s global shutdown has only exacerbated many existing problems for smartphone makers.

Databricks crossed $350M run rate in Q3, up from $200M one year ago — The data analytics company scaled rapidly to put itself on an obvious IPO path.

Dear Sophie: I came on a B-1 visa, then COVID-19 happened. How can I stay? — The latest advice from immigration lawyer Sophie Alcorn.

(Reminder: Extra Crunch is our subscription membership program, which aims to democratize information about startups. And we’re having a fall sale!)

Everything else

NASA loads 14 companies with $370M for ‘tipping point’ technologies — NASA has announced more than a third of a billion dollars’ worth of “Tipping Point” contracts awarded to over a dozen companies pursuing potentially transformative space technologies.

Harley-Davidson should keep making e-motorcycles — That’s Jake Bright’s takeaway after three weeks with the LiveWire e-motorcycle.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.

Zoom to start first phase of E2E encryption rollout next week

Zoom will begin rolling out end-to-end encryption to users of its videoconferencing platform from next week, it said today.

The platform, whose fortunes have been supercharged by the pandemic-driven boom in remote working and socializing this year, has been working on rebooting its battered reputation in the areas of security and privacy since April — after it was called out on misleading marketing claims of having E2E encryption (when it did not). E2E is now finally on its way though.

“We’re excited to announce that starting next week, Zoom’s end-to-end encryption (E2EE) offering will be available as a technical preview, which means we’re proactively soliciting feedback from users for the first 30 days,” it writes in a blog post. “Zoom users — free and paid — around the world can host up to 200 participants in an E2EE meeting on Zoom, providing increased privacy and security for your Zoom sessions.”

Zoom acquired Keybase in May, saying then that it was aiming to develop “the most broadly used enterprise end-to-end encryption offering”.

However, initially, CEO Eric Yuan said this level of encryption would be reserved for fee-paying users only. But after facing a storm of criticism the company enacted a swift U-turn — saying in June that all users would be provided with the highest level of security, regardless of whether they are paying to use its service or not.

Zoom confirmed today that Free/Basic users who want to get access to E2EE will need to participate in a one-time verification process — in which it will ask them to provide additional pieces of information, such as verifying a phone number via text message — saying it’s implementing this to try to reduce “mass creation of abusive accounts”.

“We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our work with human rights and children’s safety organizations and our users’ ability to lock down a meeting, report abuse, and a myriad of other features made available as part of our security icon — we can continue to enhance the safety of our users,” it writes.

Next week’s rollout of a technical preview is phase 1 of a four-stage process to bring E2E encryption to the platform.

This means there are some limitations — including on the features that are available in E2EE Zoom meetings (you won’t have access to join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions); and on the clients that can be used to join meetings (for phase 1 all E2EE meeting participants must join from the Zoom desktop client, mobile app, or Zoom Rooms).

The next phase of the E2EE rollout — which will include “better identity management and E2EE SSO integration”, per Zoom’s blog — is “tentatively” slated for 2021.

From next week, customers wanting to check out the technical preview must enable E2EE meetings at the account level and opt in to E2EE on a per-meeting basis.

All meeting participants must have the E2EE setting enabled in order to join an E2EE meeting. Hosts can enable the E2EE setting at the account, group, and user level, and the setting can be locked at the account or group level, Zoom notes in an FAQ.

The AES 256-bit GCM encryption that’s being used is the same as Zoom currently uses but here combined with public key cryptography — which means the keys are generated locally, by the meeting host, before being distributed to participants, rather than Zoom’s cloud performing the key generating role.

“Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents,” it explains of the E2EE implementation.

If you’re wondering how you can be sure you’ve joined an E2EE Zoom meeting, a dark padlock will be displayed atop the green shield icon in the upper left corner of the meeting screen. (Zoom’s standard GCM encryption shows a checkmark here.)

Meeting participants will also see the meeting leader’s security code — which they can use to verify the connection is secure. “The host can read this code out loud, and all participants can check that their clients display the same code,” Zoom notes.
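The three properties the article describes for Zoom’s E2EE design (the meeting key is generated locally by the host and distributed to participants with public key cryptography, the servers act as oblivious relays, and every client displays a security code that the host reads aloud) can be seen working together in a small simulation. The code below is an added example written for this page, not Zoom’s client code or a description of its actual protocol: it assumes X25519 for the key exchange, a SHA-256 of the ECDH shared secret as the pairwise key-encryption key, and a SHA-256 over the public keys each client received as the security code. The only detail taken from the article is AES-256-GCM as the media cipher.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

func must[T any](v T, err error) T { // key generation or ECDH failing is fatal in this demo
	if err != nil {
		panic(err)
	}
	return v
}

// Client is one meeting endpoint. Every client generates its own X25519 key pair locally;
// the article says only "public key cryptography", so the curve is this example's assumption.
type Client struct {
	priv       *ecdh.PrivateKey
	MeetingKey []byte // AES-256 meeting key; set on the host, which generates it locally
}

func NewClient() *Client { return &Client{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }
func (c *Client) PublicKey() []byte { return c.priv.PublicKey().Bytes() }

// kek derives the pairwise key-encryption key from the ECDH shared secret with peerPub.
func (c *Client) kek(peerPub []byte) []byte {
	shared := must(c.priv.ECDH(must(ecdh.X25519().NewPublicKey(peerPub))))
	k := sha256.Sum256(shared)
	return k[:]
}

// Seal encrypts with AES-256-GCM and prepends the random 12-byte nonce.
func Seal(key, plaintext []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; any modification of the ciphertext fails the GCM tag check.
func Open(key, sealed []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// SecurityCode is the short code each client displays for the host to read aloud. Hashing
// the public keys a client received (host first) is this example's assumption, not Zoom's scheme.
func SecurityCode(pubs [][]byte) string {
	h := sha256.New()
	for _, p := range pubs {
		h.Write(p)
	}
	return hex.EncodeToString(h.Sum(nil)[:8])
}

// Relay stands in for Zoom's server: it forwards opaque bytes and logs everything it carried.
type Relay struct{ Log [][]byte }

func (r *Relay) Forward(msg []byte) []byte { r.Log = append(r.Log, msg); return msg }
func (r *Relay) Saw(needle []byte) bool   { return bytes.Contains(bytes.Join(r.Log, nil), needle) }

// RunMeeting: the host generates the meeting key locally, wraps it for each participant under
// the pairwise KEK, and sends media through the relay. Returns the media each participant
// recovered, the security code each client displays (host first), and the relay for inspection.
func RunMeeting(host *Client, participants []*Client, media []byte) ([][]byte, []string, *Relay, error) {
	relay := &Relay{}
	host.MeetingKey = make([]byte, 32)
	must(rand.Read(host.MeetingKey))
	pubs := [][]byte{relay.Forward(host.PublicKey())}
	for _, p := range participants {
		pubs = append(pubs, relay.Forward(p.PublicKey()))
	}
	sealedMedia := relay.Forward(Seal(host.MeetingKey, media))
	codes := []string{SecurityCode(pubs)}
	var recovered [][]byte
	for i, p := range participants {
		// Host wraps the meeting key for p; p derives the same KEK from the host's key and unwraps.
		wrapped := relay.Forward(Seal(host.kek(pubs[i+1]), host.MeetingKey))
		mk, err := Open(p.kek(pubs[0]), wrapped)
		if err != nil {
			return nil, nil, nil, err
		}
		plain, err := Open(mk, sealedMedia)
		if err != nil {
			return nil, nil, nil, err
		}
		recovered = append(recovered, plain)
		codes = append(codes, SecurityCode(pubs)) // each client hashes the keys it received
	}
	return recovered, codes, relay, nil
}
```

Running a meeting with two participants and inspecting `relay.Log` shows only public keys, wrapped keys and GCM ciphertext; neither the meeting key nor the media plaintext appears, which is what “oblivious relay” means in practice. The security-code check is the piece that defends against a relay substituting public keys: a client that received a different key list than the host computes a different code, so the read-aloud comparison fails. Note that in this simplified model the code is derived from the keys alone; any real deployment also has to bind participant identity to those keys, which is what the article’s “better identity management” phase refers to.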

Armory nabs $40M Series C as commercial biz on top of open-source Spinnaker project takes off

As companies continue to shift more quickly to the cloud, pushed by the pandemic, startups like Armory that work in the cloud-native space are seeing an uptick in interest. Armory is a company built to be a commercial layer on top of the open-source continuous delivery project Spinnaker. Today, it announced a $40 million Series C.

B Capital led the round, with help from new investors Lead Edge Capital and Marc Benioff along with previous investors Insight Partners, Crosslink Capital, Bain Capital Ventures, Mango Capital, Y Combinator and Javelin Venture Partners. Today’s investment brings the total raised to more than $82 million.

“Spinnaker is an open-source project that came out of Netflix and Google, and it is a very sophisticated multi-cloud and software delivery platform,” company co-founder and CEO Daniel R. Odio told TechCrunch.

Odio points out that this project has the backing of industry leaders, including the three leading public cloud infrastructure vendors Amazon, Microsoft and Google, as well as other cloud players like CloudFoundry and HashiCorp. “The fact that there is a lot of open-source community support for this project means that it is becoming the new standard for cloud-native software delivery,” he said.

In the days before the notion of continuous delivery, companies moved forward slowly, releasing large updates over months or years. As software moved to the cloud, this approach no longer made sense and companies began delivering updates more incrementally, adding features when they were ready. Adding a continuous delivery layer helped facilitate this move.

As Odio describes it, Armory extends the Spinnaker project to help implement complex use cases at large organizations, including around compliance and governance and security. It is also in the early stages of implementing a SaaS version of the solution, which should be available next year.

While he didn’t want to discuss customer numbers, he mentioned JPMorgan Chase and Autodesk as customers, along with less specific allusions to “a Fortune Five technology company, a Fortune 20 Bank, a Fortune 50 retailer and a Fortune 100 technology company.”

The company currently has 75 employees, but Odio says business has been booming and he plans to double the team in the next year. As he does, he says that he is deeply committed to diversity and inclusion.

“There’s actually a really big difference between diversity and inclusion, and there’s a great Vernā Myers quote that diversity is being asked to the party and inclusion is being asked to dance, and so it’s actually important for us not only to focus on diversity, but also focus on inclusion because that’s how we win. By having a heterogeneous company, we will outperform a homogeneous company,” he said.

While the company has moved to remote work during COVID, Odio says they intend to remain that way, even after the current crisis is over. “Now obviously COVID has been a real challenge for the world, including us. We’ve gone to a fully remote-first model, and we are going to stay remote-first even after COVID. And it’s really important for us to be taking care of our people, so there’s a lot of human empathy here,” he said.

But at the same time, he sees COVID opening up businesses to move to the cloud and that represents an opportunity for his business, one that he will focus on with new capital at his disposal. “In terms of the business opportunity, we exist to help power the transformation that these enterprises are undergoing right now, and there’s a lot of urgency for us to execute on our vision and mission because there is a lot of demand for this right now,” he said.