Hack
Auto Added by WPeMatico
Auto Added by WPeMatico
Over the past half a decade, the tidal wave of niche brands delivering new kinds of products to consumers and doing so online has changed the retail and CPG landscapes forever.
This shift has in some way caused a shakeout in traditional retail, with once-popular retailers announcing store closures (JCPenney, Sears) or even liquidation (Payless, Toys R Us) and has sent fashion houses and CPG brands on a soul-searching journey. The changing demographics and desires of shoppers have also fueled the decline of traditional brands and their distribution mechanisms.
This bleak scenario of incumbent consumer brands is in stark contrast to the rapid emergence of a host of digitally-native Direct to Consumer (D2C) brands. A few D2C brands have been successful enough to become unicorns! Retailers like Walmart, Nordstrom, and Target have quickly adapted to the D2C era.
Walmart has made a string of acquisitions beginning with Jet.com and Bonobos. Nordstrom has broadened its assortment to include D2C brands, Target has partnered with Harry’s, Quip, and Flamingo – all of which have rolled out their products in Target’s stores across the country. Target has also invested in Casper, which is the latest D2C brand to become a Unicorn.
Venture capital firms have invested over four billion dollars in D2C brands since 2012, with 2018 alone accounting for over a billion. With investment comes pressure to scale and deliver profits. And this pressure is bringing the focus on some pertinent questions – How are these D2C brands going to evolve and how could they sustain as businesses?
Like always, the pioneering companies find their path and we then derive the playbooks out of them. From PipeCandy’s analysis of several D2C brands, we see the following approaches taken by D2C brands.
We discuss the market size and capital availability factors that influence the paths and the outcomes.
Many of these D2C brands that have experienced early success owe their rise largely to an authentic relationship with consumers that is built on the promise of one product. In many ways, focusing on one product line and a small set of SKUs makes total business sense.
Design, Production, Marketing & Customer Support complexities can stay manageable with such deliberate narrowing down of focus.
In some categories, you could stay focused on one product line for a long time and build a successful company.
Powered by WPeMatico
Artificial intelligence applied to information security can engender images of a benevolent Skynet, sagely analyzing more data than imaginable and making decisions at lightspeed, saving organizations from devastating attacks. In such a world, humans are barely needed to run security programs, their jobs largely automated out of existence, relegating them to a role as the button-pusher on particularly critical changes proposed by the otherwise omnipotent AI.
Such a vision is still in the realm of science fiction. AI in information security is more like an eager, callow puppy attempting to learn new tricks – minus the disappointment written on their faces when they consistently fail. No one’s job is in danger of being replaced by security AI; if anything, a larger staff is required to ensure security AI stays firmly leashed.
Arguably, AI’s highest use case currently is to add futuristic sheen to traditional security tools, rebranding timeworn approaches as trailblazing sorcery that will revolutionize enterprise cybersecurity as we know it. The current hype cycle for AI appears to be the roaring, ferocious crest at the end of a decade that began with bubbly excitement around the promise of “big data” in information security.
But what lies beneath the marketing gloss and quixotic lust for an AI revolution in security? How did AL ascend to supplant the lustrous zest around machine learning (“ML”) that dominated headlines in recent years? Where is there true potential to enrich information security strategy for the better – and where is it simply an entrancing distraction from more useful goals? And, naturally, how will attackers plot to circumvent security AI to continue their nefarious schemes?
The year AI debuted as the “It Girl” in information security was 2017. The year prior, MIT completed their study showing “human-in-the-loop” AI out-performed AI and humans individually in attack detection. Likewise, DARPA conducted the Cyber Grand Challenge, a battle testing AI systems’ offensive and defensive capabilities. Until this point, security AI was imprisoned in the contrived halls of academia and government. Yet, the history of two vendors exhibits how enthusiasm surrounding security AI was driven more by growth marketing than user needs.
Powered by WPeMatico
Three million dollars. That’s the largest amount of money I’ve ever walked away from in terms of a customer contract that I decided we shouldn’t take.
It sucked. It was, at the time, more than half of the total amount of funds we had raised and it also represented just a shade more than the previous year’s revenue. It was a Fortune 500 company and the market leader in their industry. This was pocket money to them — which was part of the problem.
Good entrepreneurs spend a lot of time worrying about customers. We worry about the customers we have, the ones we don’t have, the ones we lost, and the ones we’re in danger of losing. We worry so much about where the next customer is going to come from that we never think twice about whether we should take on, or keep, a customer that’s more trouble than they’re worth.
As entrepreneurs, we need to be unflinchingly customer-first. We are the drivers, but the customers are holding the map. We should spend copious amounts of time listening, usually through data, to figure out our next move. We should know the risks when we go off-road, not only the setbacks that come with making the wrong choice, but the fact that we’ll hear about it from all sides until we right the ship.
Powered by WPeMatico
Houzz, a $4 billion-valued home improvement startup that recently laid off 10 percent of its staff, has admitted a data breach.
A reader contacted TechCrunch on Thursday with a copy of an email sent by the company. It doesn’t say much — such as when the breach happened, or if a hacker is to blame or if it was a data exposure that the company could’ve prevented.
Houzz spokesperson Gabriela Hebert would not comment beyond an FAQ posted on the company’s website, citing an ongoing investigation.
In that FAQ, the company said it “recently learned that a file containing some of our user data was obtained by an unauthorized third party.” It added: “We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts.”
The company said it was notifying all of its users who may have been affected.
An email from a Houzz user (Image: supplied)
Houzz said some publicly visible information from a user’s Houzz profile could be affected, such as name, city, state, country and profile description, along with internal identifiers and fields “that have no discernible meaning to anyone outside of Houzz,” such as the region and location of the user and if they have a profile image, for example, the company said.
The company also said that usernames and scrambled passwords were also taken.
Houzz said that the passwords were scrambled and salted using a one-way hashing algorithm, but did not provide specifics on what kind of hashing algorithm was used. Some algorithms, like MD5, are old and outdated but still in use, while newer hashing algorithms — like bcrypt — are stronger and can be more difficult to crack, depending on the number of rounds the passwords go through.
Regardless, the company recommended users change their passwords.
No financial information was taken, according to the FAQ.
The company last year was among many mocked for sending out emails to users alerting them of mandatory changes to their privacy policies ahead of the 2018-introduced EU General Data Protection Regulation (GDPR) law, saying it “value[s]” its customers privacy. “Their opening lines offer a glimpse of the way legal policy and user experience are colliding under the new regulations,” said Fast Company.
But it’s not clear if the company will face penalties — up to four percent of its global revenue — as a result of the regulation, only that the company “notified EU authorities within the statutory period,” said the spokesperson.
Another day, another breach.
Powered by WPeMatico
With one click, any semi-skilled hacker could have silently taken over a Fortnite account, according to a cybersecurity firm that says the bug is now fixed.
Researchers at Check Point say the three vulnerabilities chained together could have affected any of its 200 million players. The flaws, if exploited, would have stolen the account access token set on the gamer’s device once they entered their password.
Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password.
The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games’ own domain and steal an access token needed to break into an account.
Check Point’s Oded Vanunu explains how the bug works. (Image: supplied)
“It’s important to remember that the URL is coming from an Epic Games domain, so it’s transparent to the user and any security filter will not suspect anything,” said Oded Vanunu, Check Point’s head of products vulnerability research, in an email to TechCrunch.
Here’s how it works: The user clicks on a link, which points to an epicgames.com subdomain, which the hacker embeds a link to malicious code on their own server by exploiting a cross-site weakness in the subdomain. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker.
“If the victim user is not logged into the game, he or she would have to log in first,” said Vanunu. “Once that person is logged in, the account can be stolen.”
Epic Games has since fixed the vulnerability.
“We were made aware of the vulnerabilities and they were soon addressed,” said Nick Chester, a spokesperson for Epic Games. “We thank Check Point for bringing this to our attention.”
“As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” he said.
When asked, Epic Games would not say if user data or accounts were compromised as a result of this vulnerability.
Powered by WPeMatico
The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here:
1. Microsoft Bing not only shows child pornography, it suggests it
A TechCrunch-commissioned report has found damning evidence on Microsoft’s search engine. Our findings show a massive failure on Microsoft’s part to adequately police its Bing search engine and to prevent its suggested searches and images from assisting pedophiles.
2. Unity pulls nuclear option on cloud gaming startup Improbable, terminating game engine license
Unity, the widely popular gaming engine, has pulled the rug out from underneath U.K.-based cloud gaming startup Improbable and revoked its license — effectively shutting them out from a top customer source. The conflict arose after Unity claimed Improbable broke the company’s Terms of Service and distributed Unity software on the cloud.
Just when you thought things were going south for Improbable the company inked a late-night deal with Unity competitor Epic Games to establish a fund geared toward open gaming engines. This begs the question of how Unity and Improbable’s relationship managed to sour so quickly after this public debacle.

WeChat boasts more than 1 billion daily active users, but user growth is starting to hit a plateau. That’s been expected for some time, but it is forcing the Chinese juggernaut to build new features to generate more time spent on the app to maintain growth.
5. Bungie takes back its Destiny and departs from Activision
The creator behind games like Halo and Destiny is splitting from its publisher Activision to go its own way. This is good news for gamers, as Bungie will no longer be under the strict deadlines of a big gaming studio that plagued the launch of Destiny and its sequel.
6. Another server security lapse at NASA exposed staff and project data
The leaking server was — ironically — a bug-reporting server, running the popular Jira bug triaging and tracking software. In NASA’s case, the software wasn’t properly configured, allowing anyone to access the server without a password.
7. Is Samsung getting serious about robotics?
This week Samsung made a surprise announcement during its CES press conference and unveiled three new consumer and retail robots and a wearable exoskeleton. It was a pretty massive reveal, but the company’s look-but-don’t-touch approach raised far more questions than it answered.
Powered by WPeMatico
The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here:
1. Facebook is the new crapware
Well Facebook, you did it again. Fresh off its latest privacy scandal, the troubled social media giant has inked a deal with Android to pre-install its app on an undisclosed number of phones and make the software permanent. This means you won’t be able to delete Facebook from those phones. Thanks, Facebook.
2. The world’s first foldable phone is real
Chinese company Royole has beaten Samsung to the market and has been showing off a foldable phone/tablet this week at CES. While it’s not the most fluid experience, the device definitely works at adapting to your needs.
3. CES revokes award from female-founded sex tech company
Outcries of a double-standard are pouring out of CES after the Consumer Tech Association revoked an award from a company geared toward women’s sexual health.

4. Everything Google announced at CES 2019
Google went all in on the Assistant this year at CES. The company boasted that the voice-enabled AI will make its way onto a billion devices by the end of the month — up from 400 million last year. But what’s most exciting is the expanded capabilities of Google’s Assistant. Soon you’ll be able to check into flights and translate conversations on the fly with a simple “Hey Google.”
5. Rebranding WeWork won’t work
The company formerly known as WeWork has rebranded to the We Company, but its new strategy has the potential to plunge the company further into debt.
6. Despite promises to stop, US cell carriers are still selling your real-time phone location data
Last year a little-known company called LocationSmart came under fire after leaking location data from AT&T, Verizon, T-Mobile and Sprint users to shady customers. LocationSmart quickly buckled under public scrutiny and promised to stop selling user data, but few focused on another big player in the location tracking business: Zumigo.
7. The best and worst of CES 2019
From monster displays to VR in cars, we’re breaking down the good, the bad and the ugly from CES 2019.
Powered by WPeMatico

There’s a lot you can make with a 3D printer: from prosthetics, corneas, and firearms — even an Olympic-standard luge.
You can even 3D print a life-size replica of a human head — and not just for Hollywood. Forbes reporter Thomas Brewster commissioned a 3D printed model of his own head to test the face unlocking systems on a range of phones — four Android models and an iPhone X.
Bad news if you’re an Android user: only the iPhone X defended against the attack.
Gone, it seems, are the days of the trusty passcode, which many still find cumbersome, fiddly, and inconvenient — especially when you unlock your phone dozens of times a day. Phone makers are taking to the more convenient unlock methods. Even if Google’s latest Pixel 3 shunned facial recognition, many Android models — including popular Samsung devices — are relying more on your facial biometrics. In its latest models, Apple effectively killed its fingerprint-reading Touch ID in favor of its newer Face ID.
But that poses a problem for your data if a mere 3D-printed model can trick your phone into giving up your secrets. That makes life much easier for hackers, who have no rulebook to go from. But what about the police or the feds, who do?
It’s no secret that biometrics — your fingerprints and your face — aren’t protected under the Fifth Amendment. That means police can’t compel you to give up your passcode, but they can forcibly depress your fingerprint to unlock your phone, or hold it to your face while you’re looking at it. And the police know it — it happens more often than you might realize.
But there’s also little in the way of stopping police from 3D printing or replicating a set of biometrics to break into a phone.
“Legally, it’s no different from using fingerprints to unlock a device,” said Orin Kerr, professor at USC Gould School of Law, in an email. “The government needs to get the biometric unlocking information somehow,” by either the finger pattern shape or the head shape, he said.
Although a warrant “wouldn’t necessarily be a requirement” to get the biometric data, one would be needed to use the data to unlock a device, he said.
Jake Laperruque, senior counsel at the Project On Government Oversight, said it was doable but isn’t the most practical or cost-effective way for cops to get access to phone data.
“A situation where you couldn’t get the actual person but could use a 3D print model may exist,” he said. “I think the big threat is that a system where anyone — cops or criminals — can get into your phone by holding your face up to it is a system with serious security limits.”
The FBI alone has thousands of devices in its custody — even after admitting the number of encrypted devices is far lower than first reported. With the ubiquitous nature of surveillance, now even more powerful with high-resolution cameras and facial recognition software, it’s easier than ever for police to obtain our biometric data as we go about our everyday lives.
Those cheering on the “death of the password” might want to think again. They’re still the only thing that’s keeping your data safe from the law.
Powered by WPeMatico
A Utah man has pleaded guilty to computer hacking charges, after admitting to knocking several gaming services offline five years ago.
Austin Thompson, 23, launched several denial-of-service attacks against EA’s Origin, Sony PlayStation and Valve’s Steam gaming services during the December holiday season in 2013.
At the time, those denial-of-service attacks made it near-impossible for some gamers to play — many of whom had bought new consoles or games in the run-up to Christmas, including League of Legends and Dota 2, because they required access to the network.
Specifics of Thompson’s plea deal were not publicly available at the time of writing, but prosecutors said Thompson — aged 18 at the time of the attacks — flooded the gaming giants’ networks “with enough internet traffic to take them offline.”
Thompson would take to his Twitter account, @DerpTrolling, to announce his targets ahead of time, and posted screenshots of downed services in the aftermath of his attacks. Thompson’s attacks caused upwards of $95,000 in damages, prosecutors said.
“The attacks took down game servers and related computers around the world, often for hours at a time,” said Adam Braverman, district attorney for Southern California, in a statement.
“Denial-of-service attacks cost businesses millions of dollars annually,” said Braverman. “We are committed to finding and prosecuting those who disrupt businesses, often for nothing more than ego.”
Thompson faces up to 10 years in prison and is scheduled to be sentenced in March.
Powered by WPeMatico
“You can’t hack what isn’t there,” Very Good Security co-founder Mahmoud Abdelkader tells me. His startup assumes the liability of storing sensitive data for other companies, substituting dummy credit card or Social Security numbers for the real ones. Then when the data needs to be moved or operated on, VGS injects the original info without clients having to change their code.
It’s essentially a data bank that allows businesses to stop storing confidential info under their unsecured mattress. Or you could think of it as Amazon Web Services for data instead of servers. Given all the high-profile breaches of late, it’s clear that many companies can’t be trusted to house sensitive data. Andreessen Horowitz is betting that they’d rather leave it to an expert.
That’s why the famous venture firm is leading an $8.5 million Series A for VGS, and its partner Alex Rampell is joining the board. The round also includes NYCA, Vertex Ventures, Slow Ventures and PayPal mafioso Max Levchin. The cash builds on VGS’ $1.4 million seed round, and will pay for its first big marketing initiative and more salespeople.

“Hey! Stop doing this yourself!,” Abdelkader asserts. “Put it on VGS and we’ll let you operate on your data as if you possess it with none of the liability.” While no data is ever 100 percent unhackable, putting it in VGS’ meticulously secured vaults means clients don’t have to become security geniuses themselves and instead can focus on what’s unique to their business.
“Privacy is a part of the UN Declaration of Human Rights. We should be able to build innovative applications without sacrificing our privacy and security,” says Abdelkader. He got his start in the industry by reverse-engineering games like StarCraft to build cheats and trainer software. But after studying discrete mathematics, cryptology and number theory, he craved a headier challenge.
Abdelkader co-founded Y Combinator-backed payment system Balanced in 2010, which also raised cash from Andreessen. But out-muscled by Stripe, Balanced shut down in 2015. While transitioning customers over to fellow YC alumni Stripe, Balanced received interest from other companies wanting it to store their data so they could be PCI-compliant.
Very Good Security co-founder and CEO Mahmoud Abdelkader
Now Abdelkader and his VP from Balanced, Marshall Jones, have returned with VGS to sell that as a service. It’s targeting startups that handle data like payment card information, Social Security numbers and medical info, though eventually it could invade the larger enterprise market. It can quickly help these clients achieve compliance certifications for PCI, SOC2, EI3PA, HIPAA and other standards.
VGS’ innovation comes in replacing this data with “format preserving aliases” that are privacy safe. “Your app code doesn’t know the difference between this and actually sensitive data,” Abdelkader explains. In 30 minutes of integration, apps can be reworked to route traffic through VGS without ever talking to a salesperson. VGS locks up the real strings and sends the aliases to you instead, then intercepts those aliases and swaps them with the originals when necessary.
“We don’t actually see your data that you vault on VGS,” Abdelkader tells me. “It’s basically modeled after prison. The valuables are stored in isolation.” That means a business’ differentiator is their business logic, not the way they store data.
For example, fintech startup LendUp works with VGS to issue virtual credit card numbers that are replaced with fake numbers in LendUp’s databases. That way if it’s hacked, users’ don’t get their cards stolen. But when those card numbers are sent to a processor to actually make a payment, the real card numbers are subbed in last-minute.

VGS charges per data record and operation, with the first 500 records and 100,000 sensitive API calls free; $20 a month gets clients double that, and then they pay 4 cent per record and 2 cents per operation. VGS provides access to insurance too, working with a variety of underwriters. It starts with $1 million policies that can be much larger for Fortune 500s and other big companies, which might want $20 million per incident.
Obviously, VGS has to be obsessive about its own security. A breach of its vaults could kill its brand. “I don’t sleep. I worry I’ll miss something. Are we a giant honey pot?,” Abdelkader wonders. “We’ve invested a significant amount of our money into 24/7 monitoring for intrusions.”
Beyond the threat of hackers, VGS also has to battle with others picking away at part of its stack or trying to compete with the whole, like TokenEx, HP’s Voltage, Thales’ Vormetric, Oracle and more. But it’s do-it-yourself security that’s the status quo and what VGS is really trying to disrupt.
But VGS has a big accruing advantage. Each time it works with a clients’ partners like Experian or TransUnion for a company working with credit checks, it already has a relationship with them the next time another clients has to connect with these partners. Abdelkader hopes that, “Effectively, we become a standard of data security and privacy. All the institutions will just say ‘why don’t you use VGS?’”
That standard only works if it’s constantly evolving to win the cat-and-mouse game versus attackers. While a company is worrying about the particular value it adds to the world, these intelligent human adversaries can find a weak link in their security — costing them a fortune and ruining their relationships. “I’m selling trust,” Abdelkader concludes. That peace of mind is often worth the price.
Powered by WPeMatico