US cuts trade ties to Myanmar, leaving internet access uncertain

The U.S. government has cut trade ties to Myanmar, two months after the country’s military staged a coup that overthrew the country’s president and its de facto leader, Aung San Suu Kyi, and killed at least 200 protesters in the offensive that followed.

In a statement, U.S. Trade Representative Katherine Tai said the trade suspension would be “effective immediately” and will remain in place “until the return of a democratically elected government.”

“The United States supports the people of Burma in their efforts to restore a democratically elected government, which has been the foundation of Burma’s economic growth and reform,” said Tai. “The United States strongly condemns the Burmese security forces’ brutal violence against civilians. The killing of peaceful protestors, students, workers, labor leaders, medics, and children has shocked the conscience of the international community. These actions are a direct assault on the country’s transition to democracy and the efforts of the Burmese people to achieve a peaceful and prosperous future,” the statement read.

Myanmar (also known as Burma) and the U.S. began trading in 2013 following the easing of U.S. sanctions a year earlier after elections saw Suu Kyi’s party win by a landslide.

The trade suspension is designed to target the ruling military junta, but leaves millions of internet users across Myanmar in uncertainty as U.S. cloud and internet companies wrangle with the U.S. government order, at a time when protesters are struggling to stay online amid government-ordered internet shutdowns across the country.

Myanmar already blocked Facebook, Twitter and Instagram “until further notice.”

Sanctions are designed to prevent the shipping of goods, money and certain services to other countries. Companies operating in the U.S. have to follow U.S. sanctions or face heavy financial penalties. ZTE pleaded guilty in 2017 to violating U.S. sanctions against Iran by knowingly shipping products to the country, and agreed to pay a near-$1 billion fine.

But cloud companies fall into a gray area and have different interpretations of the rules. Quartz reported in 2016 that internet users across Syria, Cuba, and Iran — all subject to U.S. trade sanctions — couldn’t access sites hosted by IBM because the U.S. cloud host blocked visitors from those countries from accessing its services. Rackspace and Linode, two other large cloud providers, do not block internet traffic to users in embargoed countries but instead prevented users from those countries from signing up for their service.

Myanmar has about 17 million internet users, some 30% of the wider population.


Amazon’s GameOn app, a platform for sharing mobile gaming clips, launches on iOS

Mobile gaming hasn’t seen the same demand for streaming content in the past as desktop has, but Amazon sees a market there to extend Twitch’s dominance. After launching on Android back in November, the company’s mobile streaming centric app has just launched on Apple’s App Store.

The app lets users record short clips (anywhere from 30 seconds to 5 minutes of content) of gameplay from a variety of titles that support screen recording capture. Users can screen record these clips directly into the GameOn library at which point they can add commentary or additional edits before publishing to the GameOn platform or sharing links to the platform on other sites.

The GameOn platform is interestingly fully disconnected from Twitch with separate branding and different channels. Amazon has been partnering with streamers to wholly focus on mobile gaming while promoting challenges unique to the app. The company says the service is compatible with over 1,000 mobile games.

Developers have been increasingly vigilant about bringing more full-featured ports of desktop titles to mobile, though the lack of sophisticated controls has made this a challenge. As gaming platforms aim to bring cloud streaming networks to iOS there could end up being more demand for shot-on-mobile content and titles that users control with a gamepad, but this will depend on whether the App Store grows more amenable to these platforms over time.

 

Notion’s hours-long outage was caused by phishing complaints

Last week’s hours-long outage at online workspace startup Notion was caused by phishing complaints, according to the startup’s domain registrar.

Notion was offline for most of the morning on Friday, plunging its more than four million users into organization darkness because of what the company called a “very unusual DNS issue that occurred at the registry operator level.” With the company’s domain offline, users were unable to access their files, calendars, and documents.

Notion registered its domain name notion.so through Name.com, but all .so domains are managed by Hexonet, a company that helps connect Sonic, the .so top-level domain registry, with domain name registrars like Name.com.

That complex web of interdependence is in large part what led to the communications failure that resulted in Notion falling offline for hours.

In an email to TechCrunch, Name.com spokesperson Jared Ewy said: “Hexonet received complaints about user-generated Notion pages connected to phishing. They informed Name.com about these reports, but we were unable to independently confirm them. Per its policies, Hexonet placed a temporary hold on Notion’s domain.”

“Noting the impact of this action, all teams worked together to restore service to Notion and its users. All three teams are now partnering on new protocols to ensure this type of incident does not happen again. The Notion team and their avid followers were responsive and a pleasure to work with throughout. We thank everyone for their patience and understanding,” said Ewy.

There are several threads on Reddit discussing concerns about Notion being used to host phishing sites, and security researchers have shown examples of Notion used in active phishing campaigns. A Notion employee said almost a year ago that Notion would “soon” move its domain to notion.com, which the company owns.

Notion’s outage is almost identical to what happened with Zoho in 2018, which like Notion, resorted to tweeting at its domain registrar after it blocked zoho.com following complaints about phishing emails sent from Zoho-hosted email accounts.

It sounds like there’s no immediate danger of a repeat outage, but Notion did not return TechCrunch’s email over the weekend asking what it plans to do to prevent phishing on its platform in the future.


Cloudflare introduces free digital waiting rooms for any organizations distributing COVID-19 vaccines

Web infrastructure company Cloudflare is releasing a new tool today that aims to provide a way for health agencies and organizations globally tasked with rolling out COVID-19 vaccines to maintain a fair, equitable and transparent digital queue – completely free of charge. The company’s ‘Project Fair Shot’ initiative will make its new Cloudflare Waiting Room offering free to any organization that qualifies, essentially providing a way for future vaccine recipients to register and gain access to a clear and constantly-updated view of where they are in line to receive the preventative treatment.

“The wife of one of Cloudflare’s executives in our Austin was trying to register her parents for the COVID-19 vaccine program there,” explained Cloudflare CEO Matthew Prince via email. “The registration site kept crashing. She said to her husband: why doesn’t Cloudflare build a queuing feature to help vaccine sites? As it happened, we had exactly such a feature under development and scheduled to be launched in early February.”

After realizing the urgency of the need for something like this tool to help alleviate the many infrastructure challenges that come up when you’re trying to vaccinate a global population against a viral threat as quickly as possible, Cloudflare changed their release timetable and devoted additional resources to the project.

“We talked to the team about moving up the scheduled launch of our Waiting Room feature,” Prince added. “They worked around the clock because they recognized how important helping with vaccine delivery was. These are the sorts of projects that really drive our team: when we can use our technical expertise and infrastructure to solve problems with broad, positive impact.”

On the technical side, Cloudflare Waiting Room is simple to implement, according to the company, and can be added to any registration website built on the company’s existing content delivery network without any engineering or coding knowledge required. Visitors to the site can register and will receive a confirmation that they’re in line, and then will receive a follow-up directing them to a sign-up page for the organization administering their vaccine when it’s their turn. Further configuration options allow Waiting Room operators to offer wait time estimates to registrants, as well as provide additional alerts when their turn is nearing (though that functionality is coming in a future update).

As Prince mentioned, Waiting Room was already on Cloudflare’s project roadmap, and was actually intended for other high-demand, limited supply allocation items: Think must-have concert tickets, or the latest hot sneaker release. But the Fair Shot program will provide it totally free to those organizations that need it, whereas that would’ve been a commercial product. Interested parties can sign up at Cloudflare’s registration page to get on the waitlist for availability.

“With Project Fair Shot we stand ready to help ensure everyone who is eligible can get equitable access to the COVID-19 vaccines and we, along with the rest of humanity, look forward to putting this disease behind us,” Prince explained.

Google’s parent firm is shutting down Loon internet company

Google’s parent firm, Alphabet, is done exploring the idea of using giant balloons to beam high-speed internet in remote parts of the world.

The firm said on Thursday evening that it was winding down Loon, a nine-year-old project and a two-and-a-half-year-old spin off firm, after failing to find a sustainable business model and partners.

The demise of Loon comes a year after the Android-maker ended Google Station, its other major connectivity effort to bring internet to the next billion users. Through Station, Google provided internet connectivity at over 400 railway stations in India and sought to replicate the model in other public places in more nations.

That said, Alphabet’s move today is still surprising. Just last year, Loon had secured approval from the government of Kenya to launch its first balloons to provide commercial connectivity services — something it did successfully achieve months later, giving an impression that things were moving in the right direction.

On its website, Loon has long stated its mission as: “Loon is focused on bringing connectivity to unserved and underserved communities around the world. We are in discussions with telecommunications companies and governments worldwide to provide a solution to help extend internet connectivity to these underserved areas.”

Perhaps the growing interest of SpaceX and Amazon in this space influenced Alphabet’s decision — if not, the two firms are going to have to answer some difficult feasibility questions of their own in the future.

“We talk a lot about connecting the next billion users, but the reality is Loon has been chasing the hardest problem of all in connectivity — the last billion users,” said Alastair Westgarth, chief executive of Loon, in a blog post.

“The communities in areas too difficult or remote to reach, or the areas where delivering service with existing technologies is just too expensive for everyday people. While we’ve found a number of willing partners along the way, we haven’t found a way to get the costs low enough to build a long-term, sustainable business. Developing radical new technology is inherently risky, but that doesn’t make breaking this news any easier.”

The blog post characterised Loon’s connectivity effort as a success. “The Loon team is proud to have catalyzed an ecosystem of organizations working on providing connectivity from the stratosphere. The world needs a layered approach to connectivity — terrestrial, stratospheric, and space-based — because each layer is suited to different parts of the problem. In this area, Loon has made a number of important technical contributions,” wrote Westgarth.

What happens next

In a separate blog post, the firm said it had pledged a fund of $10 million to support nonprofits and businesses focussed on connectivity, internet, entrepreneurship and education in Kenya.

Alphabet also plans to “take some of Loon’s technology” forward and share what it learned from this moonshot idea with others.

Additionally, “some of Loon’s technology — like the high bandwidth (20Gbps+) optical communication links that were first used to beam a connection between balloons bopping in the stratosphere — already lives on in Project Taara. This team is currently working with partners in Sub-Saharan Africa to bring affordable, high-speed internet to unconnected and under-connected communities starting in Kenya,” the firm said.

Scores of firms including Google and Facebook have visibly scaled down several of their connectivity efforts in recent years after many developing nations such as India that they targeted solved their internet problems on their own.

It has also become clear that subsidizing internet access to hundreds of millions of potential users is perhaps not the most sustainable way to acquire customers.

A security researcher commandeered a country’s expired top-level domain to save it from hackers

In mid-October, a little-known but critically important domain name for one country’s internet space began to expire.

The domain — scpt-network.com — was one of two nameservers for the .cd country code top-level domain, assigned to the Democratic Republic of Congo. If it fell into the wrong hands, an attacker could redirect millions of unknowing internet users to rogue websites of their choosing.

Clearly, a domain of such importance wasn’t supposed to expire; someone in the Congolese government probably forgot to pay for its renewal. Luckily, expired domains don’t disappear immediately. Instead, the clock started on a grace period for its government owners to buy back the domain before it was sold to someone else.

By chance, Fredrik Almroth, a security researcher and co-founder of cybersecurity startup Detectify, was already looking at nameservers of country code top-level domains (or ccTLDs), the two-letter suffixes at the end of regional web addresses, like .fr for France or .uk for the United Kingdom. When he found this critical domain name was about to expire, Almroth began to monitor it, assuming someone in the Congolese government would pay to reclaim the domain.

But nobody ever did.

By the end of December, the clock was almost up and the domain was about to fall off the internet. Within minutes of the domain becoming available, Almroth quickly snapped it up to prevent anyone else from taking it over — because, as he told TechCrunch, “the implications are kind of huge.”

It’s rare but not unheard of for a top-level domain to expire.

In 2017, security researcher Matthew Bryant took over the nameservers of the .io top-level domain, assigned to the British Indian Ocean Territory. But malicious hackers have also shown interest in targeting top-level domains to hack into companies and governments that use the same country-based domain suffix.


Taking over a nameserver is not supposed to be an easy task because they are a vital part of how the internet works.

Every time you visit a website your device relies on a nameserver to convert a web address in your browser to the machine-readable address that tells your device where on the internet to find the site you’re looking for. Some liken nameservers to the phone directory of the internet. Sometimes your browser looks no further than its own cache for the answer, and sometimes it has to ask the nearest nameserver for the answer. But the nameservers that control top-level domains are considered authoritative and know where to look without having to ask another nameserver.

With control of an authoritative nameserver, malicious hackers could run man-in-the-middle attacks to silently intercept and redirect internet users going to legitimate sites to malicious webpages.

These kinds of attacks have been used in sophisticated espionage campaigns aimed at cloning websites to trick victims into handing over their passwords, which hackers use to get access to company networks to steal information.

Worse, Almroth said that with control of the nameserver it was possible to obtain valid SSL (HTTPS) certificates, allowing an attacker to intercept encrypted web traffic or any email mailbox for any .cd domain. To the untrained eye, a successful attacker could redirect victims to a spoofed website and they would be none the wiser.

“If you can abuse the validation schemes used to issue certificates, you can undermine the SSL of any domain under .cd as well,” Almroth said. “The capabilities of being in such a privileged position is scary.”

Almroth ended up sitting on the domain for about a week as he tried to figure out a way to hand it back. By this point the domain had been inactive for two months already and nothing had catastrophically broken. At most, websites with a .cd domain might have taken slightly longer to load.

Since the remaining nameserver was running normally, Almroth kept the domain offline so that whenever an internet user tried to access a domain that relied on the nameserver under his control, it would automatically time out and pass the request to the remaining nameserver.

In the end, the Congolese government didn’t bother asking for the domain back. It spun up an entirely new but similarly named domain — scpt-network.net — to replace the one now in Almroth’s possession.

We reached out to the Congolese authorities for comment but did not hear back.

ICANN, the international non-profit organization responsible for internet address allocation, said country code top-level domains are operated by their respective countries and its role is “very limited,” a spokesperson said.

For its part, ICANN encouraged countries to follow best practices and to use DNSSEC, a cryptographically more secure technology that makes it nearly impossible to serve up spoofed websites. One network security engineer who asked not to be named as they were not authorized to speak to the media questioned whether DNSSEC would be effective at all against a top-level domain hijack.

At least in this case, it’s nothing a calendar reminder can’t solve.
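The calendar reminder can be automated. The sketch below is an added example, not code from Detectify or TechCrunch: it audits delegations for nameservers that live under a separately registered domain and flags any whose registration has lapsed or is about to. All zone names, hostnames and dates are constructed, the expiry table stands in for a WHOIS/RDAP lookup, and the two-label `registrable_domain` rule is a simplifying assumption (real code needs the Public Suffix List).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample data, not real registry records.
# The "zz." zone mirrors the situation in the article: two nameservers,
# one of them under a separately registered domain.
DELEGATIONS: Dict[str, List[str]] = {
    "zz.": ["ns1.nic.zz.", "ns-a.ops-network.example."],
    "shop.test.": ["ns1.dnshost.example.", "ns2.dnshost.example."],
    "blog.test.": ["ns1.blog.test.", "ns1.stable-dns.example."],
    "mail.test.": ["ns1.unlisted.example."],
}
# Registration expiry per nameserver domain (stand-in for a WHOIS/RDAP lookup).
EXPIRY: Dict[str, date] = {
    "ops-network.example": date(2024, 2, 10),
    "dnshost.example": date(2024, 3, 31),
    "stable-dns.example": date(2025, 6, 1),
}
TODAY = date(2024, 3, 1)


@dataclass
class Finding:
    ns_domain: str             # domain whose registration the zones depend on
    status: str                # "expired", "expiring" or "unknown"
    days_left: Optional[int]   # negative once expired, None if no record
    zones: List[str]           # zones delegating to this domain
    sole_provider_for: List[str]  # zones with no nameserver anywhere else


def registrable_domain(host: str) -> str:
    # Assumption: last two labels. Real code must consult the Public Suffix List.
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def in_bailiwick(ns_host: str, zone: str) -> bool:
    # A nameserver inside the zone it serves adds no outside registration to track.
    z, h = zone.rstrip(".").lower(), ns_host.rstrip(".").lower()
    return h == z or h.endswith("." + z)


def audit(delegations, expiry, today, warn_days=60) -> List[Finding]:
    deps: Dict[str, set] = {}
    for zone, ns_hosts in delegations.items():
        for ns in ns_hosts:
            if not in_bailiwick(ns, zone):
                deps.setdefault(registrable_domain(ns), set()).add(zone)

    findings = []
    for dom, zones in sorted(deps.items()):
        exp = expiry.get(dom)
        if exp is None:
            status, days = "unknown", None
        else:
            days = (exp - today).days
            if days < 0:
                status = "expired"
            elif days <= warn_days:
                status = "expiring"
            else:
                continue  # healthy registration, nothing to report
        # Zones with every nameserver under this one domain have no fallback.
        sole = sorted(
            z for z in zones
            if all(not in_bailiwick(ns, z) and registrable_domain(ns) == dom
                   for ns in delegations[z])
        )
        findings.append(Finding(dom, status, days, sorted(zones), sole))
    return findings


if __name__ == "__main__":
    for f in audit(DELEGATIONS, EXPIRY, TODAY):
        print(f)
```

A finding with an empty `sole_provider_for` list matches the .cd case, where a second nameserver kept resolution working; a non-empty list means the zone stops resolving, or resolves wherever a new registrant points it, once the domain lapses.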

Madrona promotes Anu Sharma and Daniel Li as Partners

Fresh off the announcement of more than $500 million in new capital across two new funds, Seattle-based Madrona Venture Group has announced that they’re adding Anu Sharma and Daniel Li to the team’s list of Partners.

The firm, which in recent years has paid particularly close attention to enterprise software bets, invests heavily in the early-stage Pacific Northwest startup scene.

Both Li and Sharma are stepping into the Partner role after some time at the firm. Li has been with Madrona for five years while Sharma joined the team in 2020. Prior to joining Madrona, Sharma led product management teams at Amazon Web Services, worked as a software developer at Oracle and had a stint in VC as an associate at SoftBank China & India. Li previously worked at the Boston Consulting Group.

I got the chance to catch up with Li who notes that the promotion won’t necessarily mean a big shift in his day-to-day responsibilities — “At Madrona, you’re not promoted until you’re working in the next role anyway,” he says — but that he appreciates “how much trust the firm places in junior investors.”

Asked about leveling up his venture career during a time when public and private markets seem particularly flush with cash, Li acknowledges some looming challenges.

“On one hand, it’s just been an amazing five years to join venture capital because things have just been up and to the right with lots of things that work; it’s just a super exciting time,” Li says. “On the other hand, from a macro perspective, you know that there’s more capital flowing into VC as an asset class than ever before. And just from that pure macro perspective, you know that that means returns are going to be lower in the next 10 years as valuations are higher.”

Nevertheless, Li is plenty bullish on internet companies claiming larger swaths of the global GDP and hopes to invest specifically in “low code platforms, next-gen productivity, and online communities,” Madrona notes in their announcement, while Sharma plans to continue looking at “distributed systems, data infrastructure, machine learning, and security.”

TechCrunch recently talked to Li and his Madrona colleague Hope Cochran about some of the top trends in social gaming and how investors were approaching new opportunities across the gaming industry.

Germany’s Isar Aerospace raises $91M to get its satellite launch vehicle off the ground

The aerospace industry has seen an explosion of activity from the world of startups, where bright engineers are foregoing jobs at large corporations and opting instead to raise funding from increasingly ambitious venture capitalists to build their own startups to turn moonshots into business realities. In the latest development, a startup out of Munich has raised the largest round to date in European space tech.

Isar Aerospace, which is building a micro-satellite launcher significantly smaller and thus lower in price than bigger launchers on the market today, has picked up €75 million ($91 million) in funding. It plans to use the money to continue its research, development and production en route to its first commercial launches, planned for early 2022.

The launcher is not just significant for its design innovation, but if it proves successful, it would make Isar the first European space company to build a successful satellite launcher to compete in the global satellite market.

The round, a Series B, is being led by Lakestar, with previous backers Earlybird and Vsquared Ventures also contributing significantly, the company said. Earlybird and strategic backer Airbus Ventures led Isar’s previous round of $17 million in December 2019.

The startup is a spinout of TUM — the famous Munich Technical University — where co-founders Daniel Metzler, Josef Fleischmann and Markus Brandl all studied engineering. Fleischmann had a small claim to fame before Isar: he was part of the team from TUM that built the winning vehicle for the famous Hyperloop competition in the U.S. It was an achievement that landed him a very interesting job offer with a high-profile venture in the U.S. that will go unnamed; he opted to come back to Germany to build his own company, which became Isar.

As Metzler described it in an interview, there is a lot of pent-up demand among companies that need or would like to use satellite technology to augment or replace other data sources. This comes from not just the usual suspects of government or communications entities, but also navigation, GPS and mapping specialists, agribusiness interest, media and internet companies, and any organizations that need the kind of high-speed, far-reaching data access that can only be achieved from space.

The issue is that today’s technology makes launching satellites into orbit a costly and time-sucking operation.

Launchers are large and go up infrequently, so reserving space on them takes a lot of lead time and investment, and even then a launch can hit a snag over a technical or weather issue.

That issue has somewhat been addressed by the growth of private companies like SpaceX, which are building more rockets to address demand; and a proliferation of more launch centers in a larger range of locations to increase the number of launch events.

Isar, on the other hand, is taking a very different approach, building not just a new kind of launchpad but a new kind of rocket that will be smaller and less expensive. The idea being that by doing so, it will make it cheaper, easier and more flexible for more organizations to book satellite launches. The aim will be to carry a payload of more than 1,000 kilograms.

As Metzler describes it, the innovations that Isar has built into its system include propulsion systems with a design that relies on a different, lighter fuel than what is typically used today in launchers. It’s also taking a different, simplified approach to the design to further reduce the cost of production.

Metzler said that typically the price for a satellite launch today can be in the range of between $30,000 and $40,000 per kilogram. “We aim to go more in the direction of $10,000 per kilogram,” he said.

The proposition is interesting enough that Isar says it has already racked up $500 million in “customer inquiries” — essentially a loose commitment for sales as and when it gets its launchers ready to run.

The company sees satellite launches as an obvious bottleneck that needs addressing.

“Going to space once a week is very different from planning launches three years in advance,” he said of how Isar envisions the future to look, versus how it looks now. And just to note, he said that Isar is building with sustainability in mind: If a piece does not return to earth to be re-used, it’s designed to be broken up and burned in the atmosphere, leaving no trace of the launcher.

Longer term, Isar might also consider space exploration and other areas of development, an ambitious road map (or sky map, as the case may be) that investors seem willing to support.

“We are proud to accompany Isar Aerospace as the largest institutional investor on its way to commercially develop space for Europe. Micro-satellites in the low Earth orbit will become a key platform technology with enormous innovation and business potential in the coming decades. That is why we need a competitive space industry in Europe if we do not want to witness the next technological leaps as a spectator,” said Hendrik Brandis, co-founding partner of Earlybird. “I am particularly pleased that we are able to back a financing round of this magnitude entirely with German money. This is a clear sign of how successfully the startup and VC industry has developed in this country in recent years.”

Cloudflare and Apple design a new privacy-friendly internet protocol

Engineers at Cloudflare and Apple say they’ve developed a new internet protocol that will shore up one of the biggest holes in internet privacy that many don’t know even exists. Dubbed Oblivious DNS-over-HTTPS, or ODoH for short, the new protocol makes it far more difficult for internet providers to know which websites you visit.

But first, a little bit about how the internet works.

Every time you go to visit a website, your browser uses a DNS resolver to convert web addresses to machine-readable IP addresses to locate where a web page is located on the internet. But this process is not encrypted, meaning that every time you load a website the DNS query is sent in the clear. That means the DNS resolver — which might be your internet provider unless you’ve changed it — knows which websites you visit. That’s not great for your privacy, especially since your internet provider can also sell your browsing history to advertisers.

Recent developments like DNS-over-HTTPS (or DoH) have added encryption to DNS queries, making it harder for attackers to hijack DNS queries and point victims to malicious websites instead of the real website you wanted to visit. But that still doesn’t stop the DNS resolvers from seeing which website you’re trying to visit.

Enter ODoH, which decouples DNS queries from the internet user, preventing the DNS resolver from knowing which sites you visit.

Here’s how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can’t see what’s inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.

“What ODoH is meant to do is separate the information about who is making the query and what the query is,” said Nick Sullivan, Cloudflare’s head of research.

In other words, ODoH ensures that only the proxy knows the identity of the internet user and that the DNS resolver only knows the website being requested. Sullivan said that page loading times on ODoH are “practically indistinguishable” from DoH and shouldn’t cause any significant changes to browsing speed.

A key component of ODoH working properly is ensuring that the proxy and the DNS resolver never “collude,” in that the two are never controlled by the same entity, otherwise the “separation of knowledge is broken,” Sullivan said. That means having to rely on companies offering to run proxies.

Sullivan said a few partner organizations are already running proxies, allowing for early adopters to begin using the technology through Cloudflare’s existing 1.1.1.1 DNS resolver. But most will have to wait until ODoH is baked into browsers and operating systems before it can be used. That could take months or years, depending on how long it takes for ODoH to be certified as a standard by the Internet Engineering Task Force.
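The separation of knowledge Sullivan describes can be seen by simulating the three parties and recording what each one is able to log. This is an added example, not Cloudflare's or Apple's code: ODoH itself encrypts queries with HPKE, and the toy Diffie-Hellman and hash-based cipher here are an insecure stand-in chosen so the sketch runs on the Python standard library alone. The addresses, the record table and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group. Stand-in for HPKE; illustrative only, not secure.
P = 2**255 - 19
G = 2


def derive(shared: int, label: bytes) -> bytes:
    return hashlib.sha256(label + shared.to_bytes(32, "big")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    ct = keystream_xor(hashlib.sha256(b"enc" + key).digest(), plaintext)
    tag = hmac.new(hashlib.sha256(b"mac" + key).digest(), ct, hashlib.sha256)
    return ct + tag.digest()


def open_(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    want = hmac.new(hashlib.sha256(b"mac" + key).digest(), ct, hashlib.sha256)
    if not hmac.compare_digest(tag, want.digest()):
        raise ValueError("authentication failed")
    return keystream_xor(hashlib.sha256(b"enc" + key).digest(), ct)


class Target:
    """The DNS resolver: learns the query, but only ever talks to the proxy."""

    def __init__(self, records):
        self._sk = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self._sk, P)
        self.records = records
        self.seen = []  # everything this party is in a position to log

    def handle(self, peer_addr, eph_pub, blob):
        shared = pow(eph_pub, self._sk, P)
        qname = open_(derive(shared, b"query"), blob).decode()
        self.seen.append({"peer": peer_addr, "qname": qname})
        answer = self.records.get(qname, "NXDOMAIN")
        # The answer is sealed for the client, so the proxy cannot read it either.
        return seal(derive(shared, b"response"), answer.encode())


class Proxy:
    """The go-between: learns who is asking, but relays only ciphertext."""

    def __init__(self, addr, target):
        self.addr, self.target, self.seen = addr, target, []

    def forward(self, client_addr, eph_pub, blob):
        self.seen.append({"peer": client_addr, "payload": blob})
        return self.target.handle(self.addr, eph_pub, blob)


def oblivious_query(client_addr, qname, proxy, target_public):
    eph = secrets.randbelow(P - 2) + 1          # fresh key for every query
    shared = pow(target_public, eph, P)
    blob = seal(derive(shared, b"query"), qname.encode())
    reply = proxy.forward(client_addr, pow(G, eph, P), blob)
    return open_(derive(shared, b"response"), reply).decode()


def collude(proxy, target):
    # If one entity holds both logs, request order re-links who asked with what.
    return [(p["peer"], t["qname"]) for p, t in zip(proxy.seen, target.seen)]


def demo():
    # Constructed addresses (documentation ranges) and a constructed record.
    target = Target({"example.org": "192.0.2.44"})
    proxy = Proxy("203.0.113.10", target)
    answer = oblivious_query("198.51.100.7", "example.org", proxy, target.public)
    return answer, proxy, target


if __name__ == "__main__":
    answer, proxy, target = demo()
    print("client got:", answer)
    print("proxy saw :", proxy.seen[0]["peer"], "+ opaque bytes")
    print("target saw:", target.seen[0])
    print("colluding :", collude(proxy, target))
```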

DOJ says it seized over $1 billion in bitcoin from the Silk Road drugs marketplace

Two days ago, about $1 billion worth of bitcoin that had sat dormant since the seizure of the Silk Road marketplace in 2013, one of the biggest underground drug websites on the dark web, suddenly changed hands.

Who took it? Mystery over. It was the U.S. government.

In a statement Thursday, the Justice Department confirmed it had seized the 70,000 bitcoins generated in revenue from drug sales on the Silk Road marketplace. At the time of the seizure, the bitcoin was worth more than $1 billion.

“Silk Road was the most notorious online criminal marketplace of its day. The successful prosecution of Silk Road’s founder in 2015 left open a billion-dollar question. Where did the money go? Today’s forfeiture complaint answers this open question at least in part,” said U.S. Attorney David Anderson in remarks.

“$1 billion of these criminal proceeds are now in the United States’ possession,” he said.

The Justice Department said Thursday that the seized bitcoin would be subject to forfeiture proceedings.

Silk Road was for a time the “most sophisticated and extensive criminal marketplace on the Internet,” per the Justice Department statement. In 2013, its founder and administrator Ross Ulbricht was arrested and the site seized. Ulbricht was convicted in 2015 and sentenced to two life terms and an additional 40 years, for his role in the operation. Prosecutors said the site had close to 13,000 listings for drugs and other illegal services, and generated millions of bitcoin.
