JFrog acquires Shippable, adding continuous integration and delivery to its DevOps platform

JFrog, the popular DevOps startup now valued at over $1 billion after raising $165 million last October, is making a move to expand the tools and services it provides to developers on its software operations platform: it has acquired Shippable, a cloud-based continuous integration and delivery platform (CI/CD) that developers use to ship code and deliver app and microservices updates, and plans to integrate it into its Enterprise+ platform.

Terms of the deal — JFrog’s fifth acquisition — are not being disclosed, said Shlomi Ben Haim, JFrog’s co-founder and CEO, in an interview. From what I understand, though, it was in the ballpark of Shippable’s most recent valuation, which was $42.6 million back in 2014 when it raised $8 million, according to PitchBook data. (And that was the last time it had raised money.)

Shippable employees are joining JFrog and plan to release the first integrations with Enterprise+ this coming summer, and a full integration by Q3 of this year.

Shippable, founded in 2013, made its name early on as a provider of a containerized continuous integration and delivery platform based on Docker containers, but as Kubernetes has overtaken Docker in containerized deployments, the startup had also shifted its focus beyond Docker containers.

The acquisition speaks to the consolidation that is afoot in the world of DevOps, where developers and organizations are looking for more end-to-end toolkits not just to help develop, update, and run their apps and microservices, but to provide security and more — or at least, makers of DevOps tools hope they will be, as they themselves look to grow their margins and business.

As more organizations run ever more of their operations as apps and microservices, DevOps has risen in prominence, and toolkits are offered both by standalone businesses and by those whose infrastructure is touched and used by DevOps tools. That means a company like JFrog has an expanding pool of competitors that include not just the likes of Docker, Sonatype and GitLab, but also AWS, Google Cloud Platform and Azure and “the Red Hats of the world,” in the words of Ben Haim.

For Shippable customers, the integration will give them access to security, binary management and other enterprise development tools.

“We’re thrilled to join the JFrog family and further the vision around Liquid Software,” said Avi Cavale, founder and CEO of Shippable, in a statement. “Shippable users and customers have long enjoyed our next-generation technology, but now will have access to leading security, binary management and other high-powered enterprise tools in the end-to-end JFrog Platform. This is truly exciting, as the combined forces of JFrog and Shippable can make full DevOps automation from code to production a reality.”

On the part of JFrog, the company will be using Shippable to provide a native CI/CD tool directly within JFrog.

“Before most of our users would use Jenkins, Circle CI and other CI/CD automation tools,” Ben Haim said. “But what you are starting to see in the wider market is a gradual consolidation of CI tools into code repository.”

He emphasized that this will not mean any changes for developers who are already happy using Jenkins or other integrations; JFrog will simply offer a native solution alongside them (presumably with both easier functionality and competitive pricing).

JFrog today has 5,000 paying customers, up from 4,500 in October, including “most of the Fortune 500,” with marquee customers including the likes of Apple and Adobe, but also banks, healthcare organizations and insurance companies — “conservative businesses,” said Ben Haim, that are also now realizing the importance of using DevOps.

Uber fixes bug that exposed third-party app secrets

Uber has fixed a bug that allowed access to the secret developer tokens of any app that integrated with the ride-sharing service, according to the security researchers who discovered the flaw.

In a blog post, Anand Prakash and Manisha Sangwan explained that a vulnerable developer endpoint on Uber’s back-end systems — since locked down — was mistakenly spitting back client secrets and server tokens for apps authorized by the Uber account owner.

Client secrets and server tokens are considered highly sensitive bits of information for developers as they allow apps to communicate with Uber’s servers. For its part, Uber warns developers to “never share” the keys with anyone.

Prakash, founder of Bangalore-based AppSecure, told TechCrunch that the bug was “very easy” to exploit, and could have allowed an attacker to obtain trip receipts and invoices. But he didn’t test how far the access could have taken him, as he immediately reported the bug to Uber.

Uber took a month to fix the bug, according to the disclosure timeline, and the issue was considered serious enough that Uber emailed developers last week warning of the possible exposure.

“At this time, we have no indication that the issue was exploited, but suggest reviewing your application’s practices out of an abundance of caution,” Uber’s email to developers said. “We have mitigated the issue by restricting the information returned to the name and id of the authorized applications.”
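The article describes the defect only in outline. As an added example (not Uber’s code), here is the bug class in miniature: a handler that lists a user’s authorized applications and serializes whole stored records, beside an allowlisted version matching the fix Uber describes (name and id only), plus a check that flags credential-like keys in any outgoing body. The field names, sample records and key pattern are constructed for the example.

```python
"""
Excessive data exposure in an "authorized applications" endpoint: the stored
record (including per-app credentials) is returned instead of the public
subset. Added example; field names, records and patterns are constructed.
"""
import json
import re
from typing import Any, Dict, Iterable, List

# Constructed sample records standing in for what a backend might store per
# third-party app. Credential values are placeholders, not real tokens.
AUTHORIZED_APPS = [
    {
        "id": "app-1001",
        "name": "Expense Tracker (constructed)",
        "owner_user_id": "user-42",
        "client_secret": "PLACEHOLDER_CLIENT_SECRET_1",
        "server_token": "PLACEHOLDER_SERVER_TOKEN_1",
    },
    {
        "id": "app-1002",
        "name": "Calendar Sync (constructed)",
        "owner_user_id": "user-42",
        "client_secret": "PLACEHOLDER_CLIENT_SECRET_2",
        "server_token": "PLACEHOLDER_SERVER_TOKEN_2",
    },
]

# Allowlist of fields the caller legitimately needs; the article quotes the
# fix as "restricting the information returned to the name and id".
PUBLIC_FIELDS = ("id", "name")

# Key names that should never appear in a response to a third party
# (constructed pattern; extend to match your own naming conventions).
SECRET_KEY_PATTERN = re.compile(r"(secret|token|password|private_key)", re.I)


def vulnerable_list_apps(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """The buggy shape: the stored record is returned as-is, so every
    credential in it is exposed to whoever can call the endpoint."""
    return [dict(r) for r in records]


def hardened_list_apps(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Allowlist serialization: copy only the fields the response is meant
    to carry. Columns added to the record later stay out by default."""
    return [{k: r[k] for k in PUBLIC_FIELDS if k in r} for r in records]


def find_secret_like_fields(payload: Any, path: str = "$") -> List[str]:
    """Walk a JSON-serializable body and return the paths of keys whose
    names look like credentials. Usable as a unit test on serializers or as
    a last-line check before a response leaves the service."""
    hits: List[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if SECRET_KEY_PATTERN.search(str(key)):
                hits.append(child)
            hits.extend(find_secret_like_fields(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_secret_like_fields(item, f"{path}[{i}]"))
    return hits


def render_response(records, serializer) -> str:
    """Produce the JSON body a client would receive, refusing to emit a
    body that still carries credential-like keys."""
    body = serializer(records)
    leaks = find_secret_like_fields(body)
    if leaks:
        raise ValueError(f"refusing to send response; secret-like fields: {leaks}")
    return json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    print("vulnerable serializer leaks:",
          find_secret_like_fields(vulnerable_list_apps(AUTHORIZED_APPS)))
    print("hardened body:", render_response(AUTHORIZED_APPS, hardened_list_apps))
```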

Uber did not respond to a request for comment. If that changes, we’ll update.

Prakash was paid $5,000 in Uber’s bug bounty for reporting the bug, and currently ranks in the top five submitters on Uber’s bug bounty.

The security researcher is no stranger to Uber’s bug bounty. Two years ago, he found and successfully exploited a bug that allowed him to receive free trips in both the U.S. and his native India.

Facebook adds new background location privacy controls to its Android app

Facebook is updating its privacy settings on Android to make it easier for users to control what location data is sent to and stored by the company.

In its announcement, Facebook acknowledged that Android users have expressed concern over the app’s ability to continuously log location data in the background. Due to Android’s all-or-nothing system of location permissions relative to iOS, the Facebook app has historically had the green light for collecting location data whether a user is actively in the app or not.

While the company stopped short of admitting the practice, Facebook for Android users who previously had location services enabled can probably assume that Facebook was extensively tracking their location even when they weren’t actively using the app. Facebook describes the choice to toggle location history on as “[allowing] Facebook to build a history of precise locations received through Location Services on your devices.”

Android users who previously allowed Facebook access to their location data will retain those settings, though they’ll receive an alert about the new location controls. For users who kept the location settings for Facebook disabled, those permissions will remain toggled off. While these changes apply only to Android users, Facebook also noted that it would send out an alert to iOS users to remind them to reevaluate their location history settings.

If your location history isn’t something you’ve thought much about before, it’s worth spending a minute to consider how comfortable you are with that depth of personal data being transmitted continuously to a company with Facebook’s privacy track record. Remember: Once that information is out of your hands, you have little to no control over what happens with it.

HiHello raises $2.5 million to finally fix contact management

HiHello, the latest startup to take aim at business cards with its own digital alternative, has now raised a $2.5 million seed round to continue its efforts in building a better contact management solution designed for the mobile era. The new financing was led by August Capital, K9 Ventures and TenOneTen Ventures, and will see Villi Iltchev from August Capital joining the HiHello board as a result.

The now six-month-old startup was dreamed up by K9 Ventures founder Manu Kumar, along with co-founder and Caltech and Columbia alum Hari Ravi. Notably, Kumar has been trying to solve the problem of contact management for years, having co-founded and sold his startup CardMunch to LinkedIn — a decision he later regretted, saying last year he was “still peeved” at LinkedIn for ruining and eventually killing the product. (LinkedIn later pawned off its ashes to Evernote.)

With HiHello, Kumar is giving contact management and business networking another shot. Version 1 of the app offered a simple solution that lets users exchange contact information by way of scanning a QR code with their phone’s native camera app, or by sharing information using SMS or email. The mobile app lets you create custom profiles in order to share with another person either your work contact information, personal details or any other custom profiles you want.

As HiHello enters its next phase, the company aims to pick up some of the better ideas from past apps in this space — like Plaxo, Bump and even CardMunch — while also overcoming their limitations.

For example, Bump had once required that both people have the app installed in order to work. HiHello today already works if only one person has the app. But it will roll out a more elegant solution for when two HiHello users are present. A “Nearby” screen in the app will allow people to share contact information with one another based on a dual opt-in system.

From Plaxo, HiHello will adopt the idea of automatically updating contact information for everyone who has the user in their address book when information is changed.

The startup is taking a different approach to privacy than Plaxo did, saying it won’t spam or sell user data, nor will it ask permission to access your contacts. Instead, HiHello will act as an address book provider whose database of contacts you can add to your device. This keeps it isolated and separate from other address sources, and ensures it won’t “mess up” your own contacts in the process.

Some of the forthcoming features will be paid features, but the company will continue to offer a free tier as well.

Kumar says he doesn’t want to make the same mistake he did with CardMunch. Instead, he wants the company to be sustainable, “so that we never have to sell HiHello to an acquirer who will then proceed to ruin the service and kill it.”

Yep, that LinkedIn deal still stings, it seems… Hopefully HiHello will meet a better fate.

Instagram’s fundraiser stickers could lure credit card numbers

Mark Zuckerberg recently revealed that commerce is a huge part of the 2019 road map for Facebook’s family of apps. But before people can easily buy things from Instagram etc., Facebook needs their credit card info on file. That’s a potentially lucrative side effect of Instagram’s plan to launch a Fundraiser sticker in 2019. Facebook’s own Donate buttons have raised $1 billion, and bringing them to Instagram’s 1 billion users could do a lot of good while furthering Facebook’s commerce strategy.

New code and imagery dug out of Instagram’s Android app reveals how the Fundraiser stickers will allow you to search for nonprofits and add a Donate button for them to your Instagram Story. After you’ve donated to something once, Instagram could offer instant checkout on stuff you want to buy using the same payment details.

Back in 2013 when Facebook launched its Donate button, I suggested that it could add a “remove credit card after checkout” option to its fundraisers if it wanted to make it clear that the feature was purely altruistic. Facebook never did that. You still need to go into your payment settings or click through the See Receipt option after donating and then edit your account settings to remove your credit card. We’ll see if Instagram is any different. We’ve also asked whether Instagrammers will be able to raise money for personal causes, which would make it more of a competitor to GoFundMe — which has sadly become the social safety net for many facing healthcare crises.

Facebook mentioned at its Communities Summit earlier this month that it’d be building Instagram Fundraiser stickers, but the announcement was largely overshadowed by the company’s reveal of new Groups features. This week, TechCrunch tipster Ishan Agarwal found code in the Instagram Android app detailing how users will be able to search for nonprofits or browse collections of Suggested charities and ones they follow. They can then overlay a Donate button sticker on their Instagram Story that their followers can click through to contribute.

We then asked reverse-engineering specialist Jane Manchun Wong to take a look, and she was able to generate the screenshots seen above that show a green heart icon for the Fundraiser sticker plus the nonprofit search engine. A Facebook spokesperson tells me that “We are in early stages and working hard to bring this experience to our community . . . Instagram is all about bringing you closer to the people and things you love, and a big part of that is showing support for and bringing awareness to meaningful communities and causes. Later this year, people will be able to raise money and help support nonprofits that are important to them through a donation sticker in Instagram Stories. We’re excited to bring this experience to our community and will share more updates in the coming months.”

Zuckerberg said during the Q4 2018 earnings call last month that “In Instagram, one of the areas I’m most excited about this year is commerce and shopping . . . there’s also a very big opportunity in basically enabling the transactions and making it so that the buying experience is good.” Streamlining those transactions through saved payment details means more people will complete their purchase rather than abandoning their cart. Facebook CFO David Wehner noted on the call that “Continuing to build good advertising products for our e-commerce clients on the advertising side will be a more important contributor to revenue in the foreseeable future.” Even though Facebook isn’t charging a fee on transactions, powering higher commerce conversion rates convinces merchants to buy more ads on the platform.

With all the talk of envy spiraling, phone addiction, bullying and political propaganda, enabling donations is at least one way Instagram can prove it’s beneficial to the world. Snapchat lacks formal charity features, and Twitter appears to have ended its experiment allowing nonprofits to tweet donate buttons. Despite all the flak Facebook rightfully takes, the company has shown a strong track record with philanthropy that mirrors Zuckerberg’s own $47 billion commitment through the Chan Zuckerberg Initiative. And if having some relatively benign secondary business benefit speeds companies toward assisting nonprofits, that’s a trade-off we should be willing to embrace.

Google Assistant Actions up 2.5x in 2018 to reach 4,253 in the U.S.

In addition to competing for smart speaker market share, Google and Amazon are also competing for developer mindshare in the voice app ecosystem. On this front, Amazon has soared ahead – the number of available voice skills for Alexa devices has grown to top 80,000, the company recently announced. According to a new third-party analysis from Voicebot, Google is trailing that by a wide margin with its own voice apps, called Google Assistant Actions, which total 4,253 in the U.S. as of January 2019.

For comparison, 56,750 of Amazon Alexa’s total 80,000 skills are offered in the U.S.

The report notes that the number of Google Assistant Actions has grown 2.5 times over the past year – which is slightly faster growth than seen on Amazon Alexa, whose skill count grew 2.2 times during the same period. But the total is a much smaller number, so growth percentages may not be as relevant here.

In January 2018, there were 1,719 total Google Assistant Actions in the U.S., the report said. In 2017, the number was in the low hundreds in the beginning of the year, and reached 724 by October 2017.

Voicebot also examined which categories of voice apps were popular on Google Assistant platforms.

It found that three of the eighteen categories accounted for over one-third of all Google Assistant Actions: Education & Reference; Games & Fun; and Kids & Family.

The Education category topped the list with over 15 percent of all Actions, while Games & Fun was 11.07 percent and Kids & Family was 9.29 percent.

Local and Weather were the least popular.

On Alexa, the top categories differ slightly. Though Games & Fun is popular on Google, its Alexa equivalent – Games & Trivia – is the No. 1 most popular category, accounting for 21 percent of all skills. Education was second most popular at around 14 percent.

It’s interesting that these two top drivers for voice apps are reversed on the two platforms.

That could indicate that Alexa is seen to be the more “fun” platform, or one that’s more oriented towards use by families and gaming. Amazon certainly became aware of the trend towards voice gaming, and fanned the flames by making games the first category it paid developers to work on, by way of direct payments. That likely encouraged more developers to enter the space, and subsequently helped boost the number of games – and types of gaming experiences – available for Alexa.

Voicebot’s report rightly raises the question as to whether or not the raw skill count even matters, though.

After all, many of the Alexa skills offered today are of low quality, or more experimental attempts from developers testing out the platform. Others are just fairly basic – the voice app equivalent of third-party flashlight apps for iPhone before Apple built that feature into iOS. For example, there are now a handful of skills that turn on the light on Echo speakers so you can have a nightlight by way of the speaker’s blue ring.

But even if these early efforts sometimes fall short, it does matter that Alexa is the platform developers are thinking about, as it’s an indication of platform commitment and an investment on developers’ part. Google, on the other hand, is powering a lot of its Assistant’s capabilities itself, leaning heavily on its Knowledge Base to answer users’ questions, while also leveraging its ability to integrate with Google’s larger suite of apps and services, as well as its other platforms, like Android.

In time, Google Assistant may challenge Alexa further by capitalizing on geographic expansions, but for the time being, Alexa is ahead on smart speakers as well as, it now seems, on content.


Stop saying, “We take your privacy and security seriously”

In my years covering cybersecurity, there’s one variation of the same lie that floats above the rest. “We take your privacy and security seriously.”

You might have heard the phrase here and there. It’s a common trope used by companies in the wake of a data breach — either in a “mea culpa” email to their customers or a statement on their website to tell you that they care about your data, even though in the next sentence they all too often admit to misusing or losing it.

The truth is, most companies don’t care about the privacy or security of your data. They care about having to explain to their customers that their data was stolen.

I’ve never understood exactly what it means when a company says it values my privacy. If that were the case, data hungry companies like Google and Facebook, which sell data about you to advertisers, wouldn’t even exist.

I was curious how often this go-to one-liner was used. I scraped every reported notification to the California attorney general, a requirement under state law in the event of a breach or security lapse, stitched them together, and converted it into machine-readable text.

About one-third of all 285 data breach notifications had some variation of the line.

It doesn’t show that companies care about your data. It shows that they don’t know what to do next.

A perfect example of a company not caring: Last week, we reported several OkCupid users had complained their accounts were hacked. More likely than not, the accounts were hit by credential stuffing, where hackers take lists of usernames and passwords and try to brute-force their way into people’s accounts. Other companies have learned from such attacks and took the time to improve account security, like rolling out two-factor authentication.

Instead, OkCupid’s response was to deflect, defend, and deny, a common way for companies to get ahead of a negative story. It looked like this:

  • Deflect: “All websites constantly experience account takeover attempts,” the company said.
  • Defend: “There’s no story here,” the company later told another publication.
  • Deny: “No further comment,” when asked what the company will do about it.

It would’ve been great to hear OkCupid say it cared about the matter and what it was going to do about it.

Every industry has long neglected security. Most of the breaches today are the result of shoddy security over years or sometimes decades, coming back to haunt them. Nowadays, every company has to be a security company, whether it’s a bank, a toymaker, or a single app developer.

Companies can start off small: tell people how to contact them about security flaws, roll out a bug bounty to encourage bug submissions, and grant good-faith researchers safe harbor by promising not to sue. Startup founders can also fill their executive suite with a chief security officer from the very beginning. They’d be better off than 95 percent of the world’s richest companies that haven’t even bothered.

But this isn’t what happens. Instead, companies would rather just pay the fines.

Target paid $18.5 million for a data breach that ensnared 41 million credit cards, compared to full-year revenues of $72 billion. Anthem paid $115 million in fines after a data breach put 79 million insurance holders’ data at risk, on revenues that year of $79 billion. And, remember Equifax? The biggest breach of 2017 led to all talk but no action.

With no incentive to change, companies will continue to parrot their usual hollow remarks. Instead, they should do something about it.

Apple acquires talking Barbie voicetech startup PullString

Apple has just bought up the talent it needs to make talking toys a part of Siri, HomePod, and its voice strategy. Apple has reportedly acquired PullString, also known as ToyTalk, according to Axios’ Dan Primack and Ina Fried. The company makes voice experience design tools, artificial intelligence to power those experiences, and toys like talking Barbie and Thomas The Tank Engine toys in partnership with Mattel. Founded in 2011 by former Pixar executives, PullString went on to raise $44 million.

Apple’s Siri is seen as lagging far behind Amazon Alexa and Google Assistant, not only in voice recognition and utility, but also in terms of developer ecosystem. Google and Amazon have built platforms to distribute Skills from tons of voice app makers, including storytelling, quizzes, and other games for kids. If Apple wants to take a real shot at becoming the center of your connected living room with Siri and HomePod, it will need to play nice with the children who spend their time there. Buying PullString could jumpstart Apple’s in-house catalog of speech-activated toys for kids as well as beef up its tools for voice developers.

PullString did catch some flak for being a “child surveillance device” back in 2015, but countered by detailing the security built into its Hello Barbie product and saying it’d never been hacked to steal children’s voice recordings or other sensitive info. Privacy norms have changed since, with so many people readily buying always-listening Echos and Google Homes.

In 2016 it rebranded as PullString with a focus on developer tools that allow for visually mapping out conversations and publishing finished products to the Google and Amazon platforms. Given SiriKit’s complexity and lack of features, PullString’s Converse platform could pave the way for a lot more developers to jump into building voice products for Apple’s devices.

We’ve reached out to Apple and PullString for more details about whether PullString and ToyTalk’s products will remain available.

The startup raised its cash from investors including Khosla Ventures, CRV, Greylock, First Round, and True Ventures, with a Series D in 2016 as its last raise that PitchBook says valued the startup at $160 million. While the voicetech space has since exploded, it can still be difficult for voice experience developers to earn money without accompanying physical products, and many enterprises still aren’t sure what to build with tools like those offered by PullString. That might have led the startup to see a brighter future with Apple, strengthening one of the most ubiquitous though also most detested voice assistants.

Even years later, Twitter doesn’t delete your direct messages

When does “delete” really mean delete? Not always, or even at all, if you’re Twitter.

Twitter retains direct messages for years, including messages you and others have deleted, but also data sent to and from accounts that have been deactivated and suspended, according to security researcher Karan Saini.

Saini found years-old messages from accounts that were no longer on Twitter in a file from an archive of his data obtained through the website. He also filed a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message was deleted by both the sender and the recipient — though the bug wasn’t able to retrieve messages from suspended accounts.

Saini told TechCrunch that he had “concerns” that the data was retained by Twitter for so long.

Direct messages once let users “unsend” messages from someone else’s inbox, simply by deleting them from their own. Twitter changed this years ago, and now only allows a user to delete messages from their own account. “Others in the conversation will still be able to see direct messages or conversations that you have deleted,” Twitter says in a help page. Twitter also says in its privacy policy that anyone wanting to leave the service can have their account “deactivated and then deleted.” After a 30-day grace period, the account disappears, along with its data.

But, in our tests, we could recover direct messages from years ago — including old messages that had since been lost to suspended or deleted accounts. By downloading your account’s data, it’s possible to download all of the data Twitter stores on you.

A conversation, dated March 2016, with a suspended Twitter account was still retrievable today. (Image: TechCrunch)

Saini says this is a “functional bug” rather than a security flaw, but argued that the bug allows anyone a “clear bypass” of Twitter mechanisms that prevent access to suspended or deactivated accounts.

But it’s also a privacy matter, and a reminder that “delete” doesn’t mean delete — especially with your direct messages. That can open up users, particularly high-risk accounts like journalists and activists, to government data demands that call for data from years earlier.

That’s despite Twitter’s claim that once an account has been deactivated, there is “a very brief period in which we may be able to access account information, including tweets,” to law enforcement.

A Twitter spokesperson said the company was “looking into this further to ensure we have considered the entire scope of the issue.”

Retaining direct messages for years may put the company in a legal grey area amid Europe’s new data protection laws, which allow users to demand that a company delete their data.

Neil Brown, a telecoms, tech and internet lawyer at U.K. law firm Decoded Legal, said there’s “no formality at all” to how a user can ask for their data to be deleted. Any request from a user to delete their data that’s directly communicated to the company “is a valid exercise” of a user’s rights, he said.

Companies can be fined up to four percent of their annual turnover for violating GDPR rules.

“A delete button is perhaps a different matter, as it is not obvious that ‘delete’ means the same as ‘exercise my right of erasure’,” said Brown. Given that there’s no case law yet under the new General Data Protection Regulation regime, it will be up to the courts to decide, he said.

When asked if Twitter thinks that consent to retain direct messages is withdrawn when a message or account is deleted, Twitter’s spokesperson had “nothing further” to add.

Twitter considering a tweet ‘clarifying’ function

Clarification hasn’t always been Twitter’s strong suit. Fittingly, there’s a bit of confusion around the long-standing suggestion that the service could add an “edit” button in order to save users from silly typos and, well, much much worse.

At a Goldman Sachs event this week, Jack Dorsey clarified that, rather than adding a controversial edit function, Twitter might just let people “clarify” earlier statements. The feature, it seems, is less aimed at the typo part of the equation than the whole on-going thing with people living to regret some horrible thing they said to the world years prior.

“The other thing that we’re seeing more broadly within the culture right now in this particular moment is people quote-unquote ‘being cancelled’ because of past things that they’ve said on Twitter or various other places in social media,” the executive said in a quote reported by Recode. “There’s no credible way to kind of go back and clarify or even have a conversation to show the learning and the transition since.”

To clarify the clarification (which, one imagines, would get a slightly punchier name ahead of launch), the feature would essentially add a permanent addition to the original problematic tweet. The idea is to add context that would be lost in all of the retweeted screencaps that went out after the original was deleted.

Users then would only be able to retweet the clarification. Think of it like a quote retweet, albeit one that’s permanently attached. It could be an interesting feature for news outlets, not to mention all of the now famous folk who might have tweeted something questionable back in the day. More so, certainly, than telling the world that you use the wrong “their” there.

As Dorsey notes, however, “Not saying that we are going to launch that but those are the sorts of questions we are going to ask.”

Thanks for the clarification.