You can now buy AWS’ $99 DeepComposer keyboard

AWS today announced that its DeepComposer keyboard is now available for purchase. And no, DeepComposer isn’t a mechanical keyboard for hackers but a small MIDI keyboard for working with the AWS DeepComposer service that uses AI to create songs based on your input.

First announced at AWS re:Invent 2019, the keyboard created a bit of confusion, in part because Amazon’s announcement almost made it seem like a consumer product. DeepComposer, which also works without the actual hardware keyboard, is more of a learning tool, though, and belongs to the same family of AWS hardware as DeepLens and DeepRacer. It’s meant to teach developers about generative adversarial networks, just like DeepLens and DeepRacer also focus on specific machine learning technologies.

Users play a short melody, either using the hardware keyboard or an on-screen one, and the service then automatically generates a backing track based on your choice of musical style. The results I heard at re:Invent last year were a bit uneven (or worse), but that may have improved by now. But this isn’t a tool for creating the next Top 40 song. It’s simply a learning tool. I’m not sure you need the keyboard to get that learning experience out of it, but if you do, you can now head over to Amazon and buy it.

Google Cloud launches a managed Memcached service

Google today announced the beta of Memorystore for Memcached, a new service that provides a fully managed in-memory datastore that is compatible with the open-source Memcached protocol. It will join Redis in the Memorystore family, which first launched in 2018.

As Gopal Ashok, Google’s product manager for Memorystore, notes in today’s announcement, Redis remains a popular choice for use cases like session stores, gaming leaderboards, stream analytics, threat detection and API rate limiting, while Memcached is typically used as a caching layer for databases. Developers also regularly use Memcached as a session store and with this new service, developers can scale their clusters up to 5TB of memory per instance.

Since the service is fully compatible with Memcached, developers should be able to take any of their applications that use the protocol and migrate them over to Google Cloud and its Memorystore platform. As a fully managed service, Google will handle all of the routine tasks like monitoring and patching. Figuring out the right size of a cache remains a bit of an art, but Google Cloud argues that its detailed metrics will allow developers to easily scale their instances up and down as needed to optimize the service for their specific use cases. Those metrics, the company notes, are exposed in Cloud Monitoring, Google Cloud’s centralized monitoring dashboard, and the Cloud Console.

Currently, Memorystore for Memcached can be used for applications that run on Compute Engine, Google Kubernetes Engine (GKE), App Engine Flex, App Engine Standard and Cloud Functions.

It’s worth noting that Amazon, with ElastiCache for Memcached, and specialized startups like MemCachier offer similar services. And Redis Labs, too, is offering a fully managed Memcached service that can run on AWS, Azure and Google Cloud.

A bug bounty alone won’t save your startup — here’s why

In this world, there is no such thing as perfect security.

Every app or service you use — even the websites you visit — has security bugs. Companies go through repeated rounds of testing, code reviews and audits — sometimes even bringing in third parties. Bugs get missed — that’s life, and it happens — but when they are uncovered, companies can get hacked.

That’s where a bug bounty comes into play. A bug bounty is an open-door policy to anyone who finds a bug or a security flaw; they are critical for channeling those vulnerabilities back to your development team so they can be fixed before bad actors can exploit them.

Bug bounties are an extension of your internal testing process and incentivize hackers to report bugs and issues and get paid for their work rather than dropping details of a vulnerability out of the blue (aka a “zero-day”) for anyone else to take advantage of.

Bug bounties are a win-win, but paying hackers for bugs is only one part of the process. As is usually the case where security meets startup culture, getting the right system in place early is best.

Why you need a vulnerability disclosure program

A bug bounty is just a small part of the overall bug-hunting and remediating process.

Microsoft Edge is getting smart copy and paste, a password monitor and vertical tabs

Microsoft announced a ton of new features for its productivity apps today, but it also used today’s release to highlight a few new features that are coming to its Chromium-based Edge browser in the near future.

Most of these are pretty straightforward and expected, like its Collections bookmarking feature coming to mobile later this year, but some are quite a surprise. Edge is getting vertical tabs, for example. A lot of browsers have experimented with this in the past but it has often been seen as a niche feature for advanced users. Microsoft clearly doesn’t think of it that way. But you’ll have to wait a bit to try this out, as it’s currently scheduled to roll out to the preview channels in the next few months (or to get a taste of it today, you could try an alternative browser like Vivaldi, which has a number of other advanced tab management features, too).

Also coming to an Edge browser near you in the next few months is Smart Copy. If you’ve ever tried to copy and paste a table from a website in the past, you know that the result is always messy. With Smart Copy, Edge can preserve the formatting when you paste the table into a document. It’ll launch in the Edge Insider channels in the next month.

Also coming in the next few months is a new Password Monitor in Edge, which Microsoft built from the ground up. Like similar features in other browsers and extensions like Google’s Password Checkup, Password Monitor constantly scans the web to make sure your credentials haven’t been stolen. One nifty feature here is that you don’t just get a notification but that this notification will also take you right to the respective service’s site for changing your password.

It’s no secret that Microsoft is very excited about collections in Edge. You can think of them as a tool for bookmarking related sites, images and even text snippets. That’s a useful feature for when you are planning a trip, organizing a dinner or researching anything online. It’s a bit more ephemeral than bookmarks yet more durable than simply keeping a bunch of tabs open. As Microsoft today announced, Collections are coming to the mobile version of Edge, too, and users will be able to sync their Collections between devices.

Security lapse exposed Republican voter firm’s internal app code

A voter contact and canvassing company, used exclusively by Republican political campaigns, mistakenly left an unprotected copy of its app’s code on its website for anyone to find.

The company, Campaign Sidekick, helps Republican campaigns canvass their districts using its iOS and Android apps, which pull in names and addresses from voter registration rolls. Campaign Sidekick says it has helped campaigns in Arizona, Montana, and Ohio — and contributed to the Brian Kemp campaign, which saw him narrowly win against Democratic rival Stacey Abrams in the Georgia gubernatorial campaign in 2018.

For the past two decades, political campaigns have ramped up their use of data to identify swing voters. This growing political data business has opened up a whole economy of startups and tech companies using data to help campaigns better understand their electorate. But that has led to voter records spilling out of unprotected servers and other privacy-related controversies — like the case of Cambridge Analytica obtaining private data from social media sites.

Chris Vickery, director of cyber risk research at security firm UpGuard, said he found the cache of Campaign Sidekick’s code by chance.

In his review of the code, Vickery found several instances of credentials and other app-related secrets, he said in a blog post on Monday, which he shared exclusively with TechCrunch. These secrets, such as keys and tokens, can typically be used to gain access to systems or data without a username or password. But Vickery did not test the password as doing so would be unlawful. Vickery also found a sampling of personally identifiable information, he said, amounting to dozens of spreadsheets packed with voter names and addresses.

Fearing the exposed credentials could be abused if accessed by a malicious actor, Vickery informed the company of the issue in mid-February. Campaign Sidekick quickly pulled the exposed cache of code offline.

One of the Campaign Sidekick mockups, using dummy data, collates a voter’s data in one place. (Image: supplied)

One of the screenshots provided by Vickery showed a mockup of a voter profile compiled by the app, containing basic information about the voter and their past voting and donor history, which can be obtained from public and voter records. The mockup also lists the voter’s “friends.”

Vickery told TechCrunch he found “clear evidence” that the app’s code was designed to pull in data from its now-defunct Facebook app, which allowed users to sign in and pull their list of friends — a feature that was supported by Facebook at the time until limits were put on third-party developers’ access to friends’ data.

“There is clear evidence that Campaign Sidekick and related entities had and have used access to Facebook user data and APIs to query that data,” Vickery said.

Drew Ryun, founder of Campaign Sidekick, told TechCrunch that its Facebook project was from eight years prior, that Facebook had since deprecated access to developers, and that the screenshot was a “digital artifact of a mockup.” (TechCrunch confirmed that the data in the mockup did not match public records.)

Ryun said after he learned of the exposed data the company “immediately changed sensitive credentials for our current systems,” but that the credentials in the exposed code could have been used to access its databases storing user and voter data.

Social Bluebook was hacked, exposing 217,000 influencers’ accounts

A social media platform used to match advertisers with thousands of influencers has been hacked.

Social Bluebook, a Los Angeles-based company, allows advertisers to pay social media “influencers” for posts that promote their products and services. The company claims it has some 300,000 influencers on its books.

But in October 2019, the company’s entire backend database was stolen in a data breach.

TechCrunch obtained the database, which contains some 217,000 user accounts — including influencer names, email addresses, and hashed passwords, which had been scrambled using the strong SHA-2 hashing algorithm.

It’s not known how the database was exfiltrated from the company’s systems or who was behind the breach.

We contacted several users who, when presented with their information, confirmed it as accurate. We also provided a portion of the data to Social Bluebook co-founder Sam Michie for verification.

“We have just now become aware of this data breach that occurred in October 2019,” he told TechCrunch in an email Thursday.

He said affected users will be informed of the breach by email. The company also informed the California attorney general’s office of the breach, per state law.

Social media influencers are a constant target for hackers, who often try to hijack accounts with popular handles or high follower counts. Some influencers have relied on white-hat hackers to get their hijacked accounts back.

Last year, an Indian social media firm left a database of Instagram influencers online, which included phone numbers and email addresses scraped from their profiles.


Microsoft acquires 5G specialist Affirmed Networks

Microsoft today announced that it has acquired Affirmed Networks, a company that specializes in fully virtualized, cloud-native networking solutions for telecom operators.

With its focus on 5G and edge computing, Affirmed looks like the ideal acquisition target for a large cloud provider looking to get deeper into the telco business. According to Crunchbase, Affirmed had raised a total of $155 million before this acquisition and the company’s over 100 enterprise customers include the likes of AT&T, Orange, Vodafone, Telus, Turkcell and STC.

“As we’ve seen with other technology transformations, we believe that software can play an important role in helping advance 5G and deliver new network solutions that offer step-change advancements in speed, cost and security,” writes Yousef Khalidi, Microsoft’s corporate vice president for Azure Networking. “There is a significant opportunity for both incumbents and new players across the industry to innovate, collaborate and create new markets, serving the networking and edge computing needs of our mutual customers.”

With its customer base, Affirmed gives Microsoft another entry point into the telecom industry. Previously, the telcos would often build their own data centers and stuff them with costly proprietary hardware (and the software to manage it). But thanks to today’s virtualization technologies, the large cloud platforms are now able to offer the same capabilities and reliability without any of the cost. And unsurprisingly, a new technology like 5G with its promise of new and expanded markets makes for a good moment to push forward with these new technologies.

Google recently made some moves in this direction with its Anthos for Telecom and Global Mobile Edge Cloud, too. Chances are, we will see all of the large cloud providers continue to go after this market in the coming months.

In a somewhat odd move, only yesterday Affirmed announced a new CEO and President, Anand Krishnamurthy. It’s not often that we see these kinds of executive moves hours before a company announces its acquisition.

The announcement doesn’t feature a single hint at today’s news and includes all of the usual cliches we’ve come to expect from a press release that announces a new CEO. “We are thankful to Hassan for his vision and commitment in guiding the company through this extraordinary journey and positioning us for tremendous success in the future,” Krishnamurthy wrote at the time. “It is my honor to lead Affirmed as we continue to drive this incredible transformation in our industry.”

We asked Affirmed for some more background about this and will update this post once we hear more.

IBM and The Weather Channel launch detailed local COVID-19 maps and data tracking

There are already a number of resources available for mapping the spread of confirmed COVID-19 cases both in the U.S. and globally, but IBM and its subsidiary The Weather Company have launched new tools that bring COVID-19 mapping and analysis to more people via their Weather Channel mobile app and weather.com.

Existing tools are useful, but come from fairly specialized sources including the World Health Organization (WHO) and Johns Hopkins University. This new initiative combines data from these same sources, including global confirmed reported COVID-19 cases, as well as reported data from sources at both the state and county level. This is collected on a so-called “incident map” that displays color-coded reported case data for states and counties, as well as on state-wide trend graphs and through reporting of stats including relative percentage increase of cases week-over-week.

On top of these sections built into the core, consumer-facing Weather.com products, IBM has also launched Watson and Cognos Analytics tools, which are intended for use by both researchers and public officials – but they’re also meant for general public consumption. IBM is also providing resources including fact-checking resources and practical guidance for both COVID-19 patients and the general public, to help not only inform people about the spread of the virus, but also the steps they can take to protect themselves and others.

One of the key elements of COVID-19 mitigation is making sure that the average American has access to reliable and accurate information, including the most up-to-date guidelines about social distancing and isolation from trusted experts including the WHO and the Centers for Disease Control and Prevention (CDC). That makes this a key resource in the ongoing efforts to curb the spread of the coronavirus, since it resides in an app that is among the most popular pieces of software available for smartphones. There are around 45 million or so monthly active users of the Weather Channel app, which means that this information will now be readily accessible by a large percentage of the U.S. population.

Microsoft says hackers are attacking Windows users with a new unpatched bug

Microsoft says attackers are exploiting a previously undisclosed security vulnerability found in all supported versions of Windows, including Windows 10.

But the software giant said there is currently no patch for the vulnerability.

The security flaw, which Microsoft deems “critical” — its highest severity rating — is found in how Windows handles and renders fonts, according to the advisory posted Monday. The bug can be exploited by tricking a victim into opening a malicious document. Once the document is opened — or viewed in Windows Preview — an attacker can remotely run malware, such as ransomware, on a vulnerable device.

The advisory said that Microsoft was aware of hackers launching “limited, targeted attacks,” but did not say who was launching the attacks or at what scale.

Microsoft said it was working on a fix but that the advisory should serve as a warning until a patch is released. In the meantime, the advisory offered a temporary workaround for affected Windows users to mitigate the flaw until a fix is available.

The software giant typically releases its security fixes on the second Tuesday of each month, but occasionally issues out-of-band patches in severe cases.

A spokesperson for Microsoft did not immediately comment on the timing of a patch.

Google Cloud launches Game Servers, a managed cloud backend for games

Google Cloud today announced the beta launch of Game Servers, a managed service that provides game developers with the usual backend services for running their games, including multi-player games, in the company’s cloud. It’s worth stressing that these are not game streaming servers but solely meant to make it easier for game developers to build, scale and manage the backend services for their games.

The service sits on top of the Agones open-source game server, a project Google and Ubisoft first announced in 2018, and the Kubernetes container orchestration platform. As Google Cloud product manager Scott Van Woudenberg told me, the team is also reusing some parts of Anthos, Google’s service for managing multi-cloud Kubernetes clusters. And while Game Servers can currently only run on the Google Kubernetes Engine, the plan is to allow for hybrid and multi-cloud support later this year.

Quite a few gaming companies have already built their own on-premises server fleets, so just like in the enterprise, having hybrid-cloud capabilities is a must-have for a tool like this. Google will also make it easy for developers who already use Agones outside of Game Servers today to bring those servers into the same managed Game Servers ecosystem by registering them with the Game Servers API.

As Van Woudenberg noted, virtually every game now needs some kind of cloud backend, be that for multi-player features, match-making or keeping persistent game stats, for example. That’s true for indie developers and major game studios. Game Servers, ideally, will make it easier for these companies to scale their clusters up and down as needed. Game Servers also provides for A/B testing and canary tests, and in future updates, it will include integrations with the Open Match matchmaking framework.

To get started, developers still have to containerize their game servers. For those companies that already use Agones, that’s a pretty straightforward exercise, Van Woudenberg said. Others, though, need a bit more help with that and Google is working with partners to walk them through this.