Thursday, August 30, 2018

Amazon is quietly doubling down on cryptographic security

The growth of cloud services — with on-demand access to IT services over the Internet — has become one of the biggest evolutions in enterprise technology, but with it, so has the threat of security breaches and other cybercriminal activity. Now it appears that one of the leading companies in cloud services is looking for more ways to double down and fight the latter. Amazon’s AWS has been working on a range of new cryptographic and AI-based tools to help manage the security around cloud-based enterprise services, and it currently has over 130 vacancies for engineers with cryptography skills to help build and run it all.

One significant part of the work has been within a division of AWS called the Automated Reasoning Group, which focuses on identifying security issues and developing new tools to fix them for AWS and its customers. Its work is based on automated reasoning, a branch of artificial intelligence that covers both computer science and mathematical logic and is aimed at helping computers reason completely, or nearly completely, automatically.

In recent times, Amazon has registered two new trademarks, Quivela and SideTrail, both of which have connections to ARG.

Classified in its patent application as “computer software for cryptographic protocol specification and verification,” Quivela also has a GitHub repository within AWS Labs’ profile that describes it as a “prototype tool for proving the security of cryptographic protocols,” developed by the AWS Automated Reasoning Group. (The ARG also has as part of its mission to share code and ideas with the community.)

SideTrail is not on GitHub, but Byron Cook, an academic who is the founder and director of the AWS Automated Reasoning Group, has co-authored a research paper called “SideTrail: Verifying the Time Balancing of Cryptosystems.” However, the link to the paper, describing what this is about, is no longer working.

The trademark application for SideTrail includes a long list of potential applications (as trademark applications often do). The general idea is cryptography-based security services. Among them: “Computer software, namely, software for monitoring, identifying, tracking, logging, analyzing, verifying, and profiling the health and security of cryptosystems; network encryption software; computer network security software,” “Providing access to hosted operating systems and computer applications through the Internet,” and a smattering of consulting potential: “Consultation in the field of cloud computing; research and development in the field of security and encryption for cryptosystems; research and development in the field of software; research and development in the field of information technology; computer systems analysis.”

Added to this, in July, a customer of AWS started testing out two other new cryptographic tools developed by the ARG, also for improving an organization’s cybersecurity. Tiros and Zelkova, as the two tools are called, are math-based techniques that variously evaluate access control schemes, security configurations and feedback based on different setups to help troubleshoot and prove the effectiveness of security systems across storage (S3) buckets.

Amazon has not trademarked Tiros and Zelkova. A Zelkova trademark, for financial services, appears to be registered as an LLC called “Zelkova Acquisition” in Las Vegas, while there is no active trademark listed for Tiros.

Amazon declined to respond to our questions about the trademarks. A selection of people we contacted associated with the projects did not respond to requests for comment.

More generally, cryptography is a central part of how IT services are secured: Amazon’s Automated Reasoning Group has been around since 2014 working in this area. But Amazon appears to be doing more now both to ramp up the tools it produces and consider how they can be applied across the wider business. A quick look at open vacancies at the company shows that there are currently 132 openings at Amazon for people with cryptography skills.

“Cloud is the new computer, the Earth is the motherboard and data centers are the cards,” Cook said in a lecture he delivered recently describing AWS and the work that the ARG is doing to help AWS grow. “The challenge is that as [AWS] scales it needs to be ever more secure… How does AWS continue to scale quickly and securely?

“AWS has made a big bet on our community,” he continued, as one answer to that question. That’s led to an expansion of the group’s activities in areas like formal verification and beyond, as a way of working with customers and encouraging them to move more data to the cloud.

Amazon is also making some key acquisitions to build up its cloud security footprint, such as Sqrrl and Harvest.ai, two AI-based security startups whose founding teams both happen to have worked at the NSA.

Amazon’s AWS division pulled in over $6 billion in revenues last quarter with $1.6 billion in operating income, a healthy margin that underscores the shift that businesses and other organizations are making to cloud-based services.

Security is an essential component of how that business will continue to grow for Amazon and the wider industry: more trust in the infrastructure, and more proofs that cloud architectures can work better than using and scaling the legacy systems that businesses use today, will bolster the business. And it’s also essential, given the rise of breaches and ever more sophisticated cyber crimes. Gartner estimates that cloud-based security services will be a $6.9 billion market this year, rising to nearly $9 billion by 2020.

Automated tools that help human security specialists do their jobs better is an area that others like Microsoft are also eyeing up. Last year, it acquired Israeli security firm Hexadite, which offers remediation services to complement and bolster the work done by enterprise security specialists.

OpenStack’s latest release focuses on bare metal clouds and easier upgrades

The OpenStack Foundation today released the 18th version of its namesake open-source cloud infrastructure software. The project has had its ups and downs, but it remains the de facto standard for running and managing large private clouds.

What’s been interesting to watch over the years is how the project’s releases have mirrored what’s been happening in the wider world of enterprise software. The core features of the platform (compute, storage, networking) are very much in place at this point, allowing the project to look forward and to add new features that enterprises are now requesting.

The new release, dubbed Rocky, puts an emphasis on bare metal clouds, for example. While the majority of enterprises still run their workloads in virtual machines, a lot of them are now looking at containers as an alternative with less overhead and the promise of faster development cycles. Many of these enterprises want to run those containers on bare metal clouds and the project is reacting to this with its “Ironic” project that offers all of the management and automation features necessary to run these kinds of deployments.

“There’s a couple of big features that landed in Ironic in the Rocky release cycle that we think really set it up well for OpenStack bare clouds to be the foundation for both running VMs and containers,” OpenStack Foundation VP of marketing and community Lauren Sell told me. 

Ironic itself isn’t new, but in today’s update, Ironic gets user-managed BIOS settings (to configure power management, for example) and RAM disk support for high-performance computing workloads. Magnum, OpenStack’s service for using container engines like Docker Swarm, Apache Mesos and Kubernetes, is now also a Kubernetes certified installer, meaning that users can be confident that OpenStack and Kubernetes work together just like a user would expect.

Another trend that’s becoming quite apparent is that many enterprises that build their own private clouds do so because they have very specific hardware needs. Often, that includes GPUs and FPGAs, for example, for machine learning workloads. To make it easier for these businesses to use OpenStack, the project now includes a lifecycle management service for these kinds of accelerators.

“Specialized hardware is getting a lot of traction right now,” OpenStack CTO Mark Collier noted. “And what’s interesting is that FPGAs have been around for a long time but people are finding out that they are really useful for certain types of AI, because they’re really good at doing the relatively simple math that you need to repeat over and over again millions of times. It’s kind of interesting to see this kind of resurgence of certain types of hardware that maybe was seen as going to be disrupted by cloud and now it’s making a roaring comeback.”

With this update, the OpenStack project is also enabling easier upgrades, something that was long a daunting process for enterprises. Because it was so hard, many chose to simply not update to the latest releases and often stayed a few releases behind. Now, the so-called Fast Forward Upgrade feature allows these users to get on new releases faster, even if they are well behind the project’s own cycle. Oath, which owns TechCrunch, runs a massive OpenStack cloud, for example, and the team recently upgraded a 20,000-core deployment from Juno (the 10th OpenStack release) to Ocata (the 15th release).

The fact that Vexxhost, a Canadian cloud provider, is already offering support for the Rocky release in its new Silicon Valley cloud today is yet another sign that updates are getting a bit easier (and the whole public cloud side of OpenStack, too, often gets overlooked, but continues to grow).

InVision deepens integrations with Atlassian

InVision today announced a newly expanded integration and strategic partnership with Atlassian that will let users of Confluence, Trello and Jira see and share InVision prototypes from within those programs.

Atlassian’s product suite is built around making product teams faster and more efficient. These tools streamline and organize communication so developers and designers can focus on getting the job done. Meanwhile, InVision’s collaboration platform has caught on to the idea that design is now a team sport, letting designers, engineers, executives and other shareholders be involved in the design process right from the get-go.

Specifically, the expanded integration allows designers to share InVision Studio designs and prototypes right within Jira, Trello and Confluence. InVision Studio was unveiled late last year, offering designers an alternative to Sketch and Adobe.

Given the way design and development teams use both product suites, it only makes sense to let these product suites communicate with one another.

As part of the partnership, Atlassian has also made a strategic financial investment in InVision, though the companies declined to share the amount.

Here’s what InVision CEO Clark Valberg had to say about it in a prepared statement:

In today’s digital world creating delightful, highly effective customer experiences has become a central business imperative for every company in the world. InVision and Atlassian represent the essential platforms for organizations looking to unleash the potential of their design and development teams. We’re looking forward to all the opportunities to deepen our relationship on both a product and strategic basis, and build toward a more cohesive digital product operating system that enables every organization to build better products, faster.

InVision has been working to position itself as the Salesforce of the design world. Alongside InVision and InVision Studio, the company has also built out an asset and app store, as well as launched a small fund to invest in design startups. In short, InVision wants the design ecosystem to revolve around it.

Considering that InVision has raised more than $200 million, and serves 4 million users, including 80 percent of the Fortune 500, it would seem that the strategy is paying off.

Wednesday, August 29, 2018

Google steps back from running the Kubernetes infrastructure

Google today announced that it is providing the Cloud Native Computing Foundation (CNCF) with $9 million in Google Cloud credits to help further its work on the Kubernetes container orchestrator and that it is handing over operational control of the project to the community. These credits will be split over three years and are meant to cover the infrastructure costs of building, testing and distributing the Kubernetes software.

Why does this matter? Until now, Google hosted virtually all the cloud resources that supported the project like its CI/CD testing infrastructure, container downloads and DNS services on its cloud. But Google is now taking a step back. With the Kubernetes community reaching a state of maturity, Google is transferring all of this to the community.

Between the testing infrastructure and hosting container downloads, the Kubernetes project regularly runs over 150,000 containers on 5,000 virtual machines, so the cost of running these systems quickly adds up. The Kubernetes container registry served almost 130 million downloads since the launch of the project.

It’s also worth noting that the CNCF now includes a wide range of members that typically compete with each other. We’re talking Alibaba Cloud, AWS, Microsoft Azure, Google Cloud, IBM Cloud, Oracle, SAP and VMware, for example. All of these profit from the work of the CNCF and the Kubernetes community. Google doesn’t say so outright, but it’s fair to assume that it wanted others to shoulder some of the burdens of running the Kubernetes infrastructure, too. Similarly, some of the members of the community surely didn’t want to be so closely tied to Google’s infrastructure either.

“By sharing the operational responsibilities for Kubernetes with contributors to the project, we look forward to seeing the new ideas and efficiencies that all Kubernetes contributors bring to the project operations,” Google Kubernetes Engine product manager William Denniss writes in today’s announcement. He also notes that a number of Googlers will still be involved in running the Kubernetes infrastructure.

“Google’s significant financial donation to the Kubernetes community will help ensure that the project’s constant pace of innovation and broad adoption continue unabated,” said Dan Kohn, the executive director of the CNCF. “We’re thrilled to see Google Cloud transfer management of the Kubernetes testing and infrastructure projects into contributors’ hands – making the project not just open source, but openly managed, by an open community.”

It’s unclear whether the project plans to take some of the Google-hosted infrastructure and move it to another cloud, but it could definitely do so — and other cloud providers could step up and offer similar credits, too.

Box builds a digital hub to help fight content fragmentation

The interconnectedness of the cloud has allowed us to share content widely with people inside and outside the organization and across different applications, but that ability has created a problem of its own, a kind of digital fragmentation. How do you track how that piece of content is being used across a range of cloud services? It’s a problem Box wants to solve with its latest features, Activity Stream and Recommended Apps.

The company made the announcements at BoxWorks, its annual customer conference being held this week in San Francisco.

Activity Stream provides a way to track your content in real time as it moves through the organization, including who touches it and what applications it’s used in, acting as a kind of digital audit trail. One of the big problems with content in the cloud age is understanding what happened to it after you created it. Did it get used in Salesforce or ServiceNow or Slack? You can now follow the path of your content and see how people have shared it, and this could help remove some of the disconnect people feel in the digital world.

As Jeetu Patel, Box’s Chief Product and Chief Strategy Officer points out, an average large company could have more than a thousand apps and there is no good way to connect the dots when it comes to tracking unstructured content and getting a unified view of the digital trail.

“We integrate with over 1400 applications, and as we integrate with those applications, we thought if we could surface those events, it would be insanely useful to our users,” he said. Patel sees this as the beginning of an important construct, the notion of a content hub where you can see the entire transaction record associated with a piece of content.

Activity Stream sidebar inside Box. Photo: Box

But Box didn’t want to stop with just a laundry list of the connections. It also created deep links into the applications being used, so a user can click a link, open the application and view the content in the context of that other application. “It seems like Box was a logical place to get a bird’s eye view of how content is being used,” Patel said, explaining Box’s thinking in creating this feature.

A related feature is a list of Recommended Apps. Based on the Box Graph, and what Box knows about the user, the content they use, and how it’s interconnected with other cloud apps, it also displays a list of recommended apps right in the Box interface. This lets users access those applications in the context of their work, so for instance, they could share the content in Slack right from the document.

Recommended Apps bar inside Box. Photo: Box

For starters, Recommended Apps integrations include G Suite apps, Slack, Salesforce, DocuSign and Netsuite, but Patel says anyone who is integrated with the web app via the API will start showing up in Activity Stream.

While the products were announced today, Box is still working out the kinks in terms of how this will work. They expect these features to be available early next year. If they can pull this off, it will go a long way toward solving the digital fragmentation problem and making Box the content center for organizations.

Storage provider Cloudian raises $94M

Cloudian, a company that specializes in helping businesses store petabytes of data, today announced that it has raised a $94 million Series E funding round. Investors in this round, which is one of the largest we have seen for a storage vendor, include Digital Alpha, Fidelity Eight Roads, Goldman Sachs, INCJ, JPIC (Japan Post Investment Corporation), NTT DOCOMO Ventures and WS Investments. This round includes a $25 million investment from Digital Alpha, which was first announced earlier this year.

With this, the seven-year-old company has now raised a total of $174 million.

As the company told me, it now has about 160 employees and 240 enterprise customers. Cloudian has found its sweet spot in managing the large video archives of entertainment companies, but its customers also include healthcare companies, automobile manufacturers and Formula One teams.

What’s important to stress here is that Cloudian’s focus is on on-premise storage, not cloud storage, though it does offer support for multi-cloud data management, as well. “Data tends to be most effectively used close to where it is created and close to where it’s being used,” Cloudian VP of worldwide sales Jon Ash told me. “That’s because of latency, because of network traffic. You can almost always get better performance, better control over your data if it is being stored close to where it’s being used.” He also noted that it’s often costly and complex to move that data elsewhere, especially when you’re talking about the large amounts of information that Cloudian’s customers need to manage.

Unsurprisingly, companies that have this much data now want to use it for machine learning, too, so Cloudian is starting to get into this space, as well. As Cloudian CEO and co-founder Michael Tso also told me, companies are now aware that the data they pull in, no matter whether that’s from IoT sensors, cameras or medical imaging devices, will only become more valuable over time as they try to train their models. If they decide to throw the data away, they run the risk of having nothing with which to train their models.

Cloudian plans to use the new funding to expand its global sales and marketing efforts and increase its engineering team. “We have to invest in engineering and our core technology, as well,” Tso noted. “We have to innovate in new areas like AI.”

As Ash also stressed, Cloudian’s business is really data management — not just storage. “Data is coming from everywhere and it’s going everywhere,” he said. “The old-school storage platforms that were siloed just don’t work anywhere.”

Tuesday, August 28, 2018

Microsoft will soon automatically transcribe video files in OneDrive for Office 365 subscribers

Microsoft today announced a couple of AI-centric updates for OneDrive and SharePoint users with an Office 365 subscription that bring more of the company’s machine learning smarts to its file storage services.

All of these features will launch at some point later this year. With the company’s Ignite conference in Orlando coming up next month, it’s probably a fair guess that we’ll see some of these updates make a reappearance there.

The highlight of these announcements is that starting later this year, both services will get automated transcription services for video and audio files. While video is great, it’s virtually impossible to find any information in these files without spending a lot of time. And once you’ve found it, you still have to transcribe it. Microsoft says this new service will handle the transcription automatically and then display the transcript as you’re watching the video. The service can handle over 320 file types, so chances are it’ll work with your files, too.

Other updates the company today announced include a new file view for OneDrive and Office.com that will recommend files to you by looking at what you’ve been working on lately across Microsoft 365 and making an educated guess as to what you’ll likely want to work on now. Microsoft will also soon use a similar set of algorithms to prompt you to share files with your colleagues after you’ve just presented them in a meeting with PowerPoint, for example.

Power users will also soon see access statistics for any file in OneDrive and SharePoint.

Very Good Security makes data ‘unhackable’ with $8.5M from Andreessen

“You can’t hack what isn’t there,” Very Good Security co-founder Mahmoud Abdelkader tells me. His startup assumes the liability of storing sensitive data for other companies, substituting dummy credit card or Social Security numbers for the real ones. Then when the data needs to be moved or operated on, VGS injects the original info without clients having to change their code.

It’s essentially a data bank that allows businesses to stop storing confidential info under their unsecured mattress. Or you could think of it as Amazon Web Services for data instead of servers. Given all the high-profile breaches of late, it’s clear that many companies can’t be trusted to house sensitive data. Andreessen Horowitz is betting that they’d rather leave it to an expert.

That’s why the famous venture firm is leading an $8.5 million Series A for VGS, and its partner Alex Rampell is joining the board. The round also includes NYCA, Vertex Ventures, Slow Ventures and PayPal mafioso Max Levchin. The cash builds on VGS’ $1.4 million seed round, and will pay for its first big marketing initiative and more salespeople.

“Hey! Stop doing this yourself!,” Abdelkader asserts. “Put it on VGS and we’ll let you operate on your data as if you possess it with none of the liability.” While no data is ever 100 percent unhackable, putting it in VGS’ meticulously secured vaults means clients don’t have to become security geniuses themselves and instead can focus on what’s unique to their business.

“Privacy is a part of the UN Declaration of Human Rights. We should be able to build innovative applications without sacrificing our privacy and security,” says Abdelkader. He got his start in the industry by reverse-engineering games like StarCraft to build cheats and trainer software. But after studying discrete mathematics, cryptology and number theory, he craved a headier challenge.

Abdelkader co-founded Y Combinator-backed payment system Balanced in 2010, which also raised cash from Andreessen. But out-muscled by Stripe, Balanced shut down in 2015. While transitioning customers over to fellow YC alumni Stripe, Balanced received interest from other companies wanting it to store their data so they could be PCI-compliant.

Very Good Security co-founder and CEO Mahmoud Abdelkader

Now Abdelkader and his VP from Balanced, Marshall Jones, have returned with VGS to sell that as a service. It’s targeting startups that handle data like payment card information, Social Security numbers and medical info, though eventually it could invade the larger enterprise market. It can quickly help these clients achieve compliance certifications for PCI, SOC2, EI3PA, HIPAA and other standards.

VGS’ innovation comes in replacing this data with “format preserving aliases” that are privacy safe. “Your app code doesn’t know the difference between this and actually sensitive data,” Abdelkader explains. In 30 minutes of integration, apps can be reworked to route traffic through VGS without ever talking to a salesperson. VGS locks up the real strings and sends the aliases to you instead, then intercepts those aliases and swaps them with the originals when necessary.

“We don’t actually see your data that you vault on VGS,” Abdelkader tells me. “It’s basically modeled after prison. The valuables are stored in isolation.” That means a business’ differentiator is their business logic, not the way they store data.

For example, fintech startup LendUp works with VGS to issue virtual credit card numbers that are replaced with fake numbers in LendUp’s databases. That way if it’s hacked, users don’t get their cards stolen. But when those card numbers are sent to a processor to actually make a payment, the real card numbers are subbed in last-minute.
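The alias flow described above (real values locked away, format-preserving aliases stored by the client, originals swapped back in only on the way to a processor), as an added Python example. It is not VGS code: the `AliasVault` class, the destination allow-list, the choice to make aliases fail the Luhn check and the `.example` hostnames are assumptions made for illustration.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class AliasVault:
    """In-memory stand-in for an isolated vault (hypothetical, for illustration)."""

    def __init__(self):
        self._real_by_alias = {}
        self._alias_by_real = {}

    def tokenize(self, value: str) -> str:
        """Return a format-preserving alias: same length, same separators,
        random digits. The same real value always maps to the same alias."""
        if value in self._alias_by_real:
            return self._alias_by_real[value]
        if not any(c.isdigit() for c in value):
            raise ValueError("nothing to alias: value has no digits")
        while True:
            alias = "".join(
                str(secrets.randbelow(10)) if c.isdigit() else c for c in value
            )
            digits = "".join(c for c in alias if c.isdigit())
            # Assumption: aliases must fail Luhn so they can never be
            # mistaken for (or collide with) a live card number.
            if (alias != value
                    and alias not in self._real_by_alias
                    and not luhn_valid(digits)):
                break
        self._real_by_alias[alias] = value
        self._alias_by_real[value] = alias
        return alias

    def reveal(self, alias: str):
        """Return the original value for a known alias, else None."""
        return self._real_by_alias.get(alias)


def redact_inbound(vault, payload: dict, sensitive_fields: set) -> dict:
    """Inbound side: swap sensitive fields for aliases before the
    application (and its database) ever sees the payload."""
    return {
        key: vault.tokenize(val) if key in sensitive_fields else val
        for key, val in payload.items()
    }


def reveal_outbound(vault, payload: dict, destination: str, allowed: set) -> dict:
    """Outbound side: restore originals only when the request is going to
    an approved destination; everywhere else the alias passes through."""
    if destination not in allowed:
        return dict(payload)
    out = {}
    for key, val in payload.items():
        real = vault.reveal(val) if isinstance(val, str) else None
        out[key] = real if real is not None else val
    return out


if __name__ == "__main__":
    vault = AliasVault()
    # Constructed sample input: a well-known test card number and a dummy SSN.
    signup = {"name": "A. Example", "card": "4111 1111 1111 1111",
              "ssn": "078-05-1120"}
    stored = redact_inbound(vault, signup, {"card", "ssn"})
    print("application stores:", stored)
    approved = {"processor.example"}
    print("to processor:", reveal_outbound(vault, stored, "processor.example", approved))
    print("to analytics:", reveal_outbound(vault, stored, "analytics.example", approved))
```

A dump of the application's database yields only aliases; the real values exist in the vault and on the wire to the approved destination.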

VGS charges per data record and operation, with the first 500 records and 100,000 sensitive API calls free; $20 a month gets clients double that, and then they pay 4 cents per record and 2 cents per operation. VGS provides access to insurance too, working with a variety of underwriters. It starts with $1 million policies that can be much larger for Fortune 500s and other big companies, which might want $20 million per incident.

Obviously, VGS has to be obsessive about its own security. A breach of its vaults could kill its brand. “I don’t sleep. I worry I’ll miss something. Are we a giant honey pot?,” Abdelkader wonders. “We’ve invested a significant amount of our money into 24/7 monitoring for intrusions.”

Beyond the threat of hackers, VGS also has to battle with others picking away at part of its stack or trying to compete with the whole, like TokenEx, HP’s Voltage, Thales’ Vormetric, Oracle and more. But it’s do-it-yourself security that’s the status quo and what VGS is really trying to disrupt.

But VGS has a big accruing advantage. Each time it works with a client’s partners like Experian or TransUnion for a company working with credit checks, it already has a relationship with them the next time another client has to connect with these partners. Abdelkader hopes that, “Effectively, we become a standard of data security and privacy. All the institutions will just say ‘why don’t you use VGS?'”

That standard only works if it’s constantly evolving to win the cat-and-mouse game versus attackers. While a company is worrying about the particular value it adds to the world, these intelligent human adversaries can find a weak link in their security — costing them a fortune and ruining their relationships. “I’m selling trust,” Abdelkader concludes. That peace of mind is often worth the price.

Monday, August 27, 2018

VMware acquires CloudHealth Technologies for multi-cloud management

VMware is hosting its VMworld customer conference in Las Vegas this week, and to get things going it announced that it’s acquiring Boston-based CloudHealth Technologies. They did not disclose the terms of the deal, but Reuters is reporting the price is $500 million.

CloudHealth provides VMware with a crucial multi-cloud management platform that works across AWS, Microsoft Azure and Google Cloud Platform, giving customers a way to manage cloud cost, usage, security and performance from a single interface.

Although AWS leads the cloud market by a large margin, it is a vast and growing market and most companies are not putting their eggs in a single vendor basket. Instead, they are looking at best of breed options for different cloud services.

This multi-cloud approach is great for customers in that they are not tied down to any single provider, but it does create a management headache as a consequence. CloudHealth gives multi-cloud users a way to manage their environment from a single tool.

CloudHealth multi-cloud management. Photo: CloudHealth Technologies

VMware’s chief operating officer for products and cloud services, Raghu Raghuram, says CloudHealth solves the multi-cloud operational dilemma. “With the addition of CloudHealth Technologies we are delivering a consistent and actionable view into cost and resource management, security and performance for applications across multiple clouds,” Raghuram said in a statement.

CloudHealth began offering support for Google Cloud Platform just last month. CTO Joe Kinsella told TechCrunch why they had decided to expand their platform to include GCP support: “I think a lot of the initiatives that have been driven since Diane Greene joined Google [at the end of 2015] and began really driving towards the enterprise are bearing fruit. And as a result, we’re starting to see a really substantial uptick in interest.”

It also gave them a complete solution for managing across three of the biggest cloud vendors. That last piece very likely made them an even more attractive target for a company like VMware, which apparently was looking for a solution to buy that would help customers manage across a hybrid and multi-cloud environment.

The company had been planning future expansion to manage not just the public cloud, but also private clouds and data centers from one place, a strategy that should fit well with what VMware has been trying to do in recent years to help companies manage a hybrid environment, regardless of where their virtual machines live.

With CloudHealth, VMware not only gets the multi-cloud management solution, it gains its 3000 customers which include Yelp, Dow Jones, Zendesk and Pinterest.

CloudHealth was founded in 2012 and has raised over $87 million. Its most recent round was a $46 million Series D in June 2017 led by Kleiner Perkins. Other lead investors across earlier rounds have included Sapphire Ventures, Scale Venture Partners and .406 Ventures.

Sunday, August 26, 2018

Rebuilding employee philanthropy from the bottom up

In tech circles, it would be easy to assume that the world of high-impact charitable giving is a rich man’s game where deals are inked at exclusive black tie galas over fancy hors d’oeuvre. Both Mark Zuckerberg and Marc Benioff have donated to SF hospitals that now bear their names. Gordon Moore has given away $5B – including $600M to Caltech – which was the largest donation to a university at the time. And of course, Bill Gates has already donated $27B to every cause imaginable (and co-founded The Giving Pledge, a consortium of billionaires pledging to donate most of their net worth to charity by the end of their lifetime.)

For Bill, that means he has about $90B left to give.

For the average working American, this world of concierge giving is out of reach, both in check size, and the army of consultants, lawyers and PR strategists that come with it. It seems that in order to do good, you must first do well. Very well.

Bright Funds is looking to change that. Founded in 2012, this SF-based startup is looking to democratize concierge giving to every individual so they “can give with the same effectiveness as Bill and Melinda Gates.” They are doing to philanthropy what Vanguard and Wealthfront have done for asset management for retail investors.

In particular, they are looking to unlock dollars from the underutilized corporate benefit of matching funds for donations, which according to Bright Funds is offered by over 60% of medium to large enterprises, but only used by 13% of employees at these companies. The need for such a service is clear — these programs are cumbersome, transactional, and often offline. Make a donation, submit a receipt, and wait for it to churn through the bureaucratic machine of accounting and finance before matching funds show up weeks later.

Bright Funds is looking to make your company’s matching funds benefit as accessible and important to you as your free lunches or massages. Plus, Bright Funds charges companies per seat, along with a transaction fee to cover the cost of payment processing, sparing employees any expense.

It’s a model that is working. According to Bright Funds’ CEO Ty Walrod, Bright Funds customers see on average a 40% year-over-year increase in funds donated through the platform. More importantly, Bright Funds not only transforms an employee’s relationship to personal philanthropy, but also to the company they work for.

Grassroots Giving

This model of bottoms-up giving is a welcome change from the big foundation model which has recently been rocked by scandal. The Silicon Valley Community Foundation was the go-to foundation for The Who’s Who of Silicon Valley elite. It rode the latest tech boom to become the largest community foundation in eleven short years with generous stock donations from donors like Mark Zuckerberg ($1.8 billion), GoPro’s Nicholas Woodman ($500 million), and WhatsApp co-founder Jan Koum ($566 million). Today, at $13.5 billion, it surpasses the 80+ year old Ford Foundation in endowment size.

However, earlier this year, their star fundraiser Mari Ellen Loijens (credited with raising $8.3B of the $13.5B) was accused of repeatedly bullying and sexually harassing coworkers, allegations that the Foundation had “known about for years” but failed to act upon. In 2017, a similar case occurred when USC’s star fundraiser David Carrera stepped down on charges of sexual harassment after leading the university’s historic $6 billion fundraising campaign.

While large foundations and endowments do important work, their structure relies too much on whale hunting for big checks, giving an inordinate amount of power to the hands of a small group of talented fundraisers.

This stands in contrast to Bright Funds’ ethos — to lead a grassroots movement in empowering individual employees to make their dollar of giving count.

Rebuilding charitable giving for the platform age

Bright Funds is the latest iteration of a lineup of workplace giving platforms. MicroEdge and Cybergrants paved the way in the 80s and 90s by digitizing the giving experience, but were mainly on-premise, and lacked a focus on user experience. Benevity and YourCause arrived in 2007 to bring workplace giving to the cloud, but they were still not turnkey solutions that could be easily implemented.

Bright Funds started as a consumer platform, and has retained that heritage in its approach to product design, aiming to reduce friction for both employee and company adoption. This is why many of their first customers were midsized tech startups with limited resources and looking for a turnkey solution, including Eventbrite, Box, GitHub, and Contently. They are now finding their way upmarket into larger, more established enterprises like Cisco, VMware, Campbell’s Soup Company, and Sunpower.

Bright Funds’ approach to product has brought a number of innovations to this space.

The first is the concept of a cause-focused “fund.” Similar to a mutual fund or ETF, these funds are portfolios of nonprofits curated by subject-matter experts tailored to a specific cause area (e.g. conservation, education, poverty, etc.). This solves one of the chief concerns of any donor — is my dollar being put to good use towards the causes I care about? Passionate about conservation? Invest with Jim Leape from the Stanford Woods Institute for the Environment, who brings over three decades of conservation experience in choosing the six nonprofits in Bright Funds’ conservation portfolio. This same expertise is available across a number of cause areas.

Additionally, funds can also be created by companies or employees. This has proven to be an important rallying point for emergency relief during natural disasters, where employees at companies can collectively assemble a list of nonprofits to donate to. In 2017, Cisco employees donated $1.8 million (including company matching) through Bright Funds to Hurricanes Harvey, Maria, and Irma as well as the central Mexico earthquakes, the current flooding in India and many more.

The second key feature of their product is the impact timeline, a central news feed to understand where your dollars are going across all your cause areas. This transforms giving from a black box transaction to an ongoing dialogue between you and your charities.

Lastly, Bright Funds wants to take away all the administrative burden that might come with giving and volunteering — everything from tracking your volunteer opportunities and hours, to one-click tax reporting across all your charitable donations. In short, no more shoeboxes of receipts to process through in April.

Doing good & doing well

Although Bright Funds is focused on transforming the individual giving experience, its paying customer at the end of the day is the enterprise.

And although it is philanthropic in nature, Bright Funds is not exempt from the procurement gauntlet that every enterprise software startup faces — what’s in it for the customer? What impact does workplace giving and volunteering have on culture and the bottom line?

To this end, there is evidence to show that corporate social responsibility has an impact on recruiting the next generation of workers. A study by Horizon Media found that 81% of millennials expect their companies to be good corporate citizens. A separate 2015 study found that 62% of millennials said they’d take a pay cut to work for a company that’s socially responsible.

Box, one of Bright Funds’ early customers, has seen this impact on recruiting firsthand (disclosure: Box is one of my former employers). Like most tech companies competing for talent in the Valley, Box used to give out lucrative bonuses for candidate referrals. They recently switched to giving out $500 in Bright Funds gift credit. Instead of seeing employee referrals dip, Box saw referrals “skyrocket,” according to Box.org Executive Director Bryan Breckenridge. This program has now become “one of the most cherished cultural traditions at Box,” he said.

Additionally, like any corporate benefit, there should be metrics tied to employee retention. Benevity released a study of 2 million employees across 118 companies on their platform that showed a 57% reduction in turnover for employees engaged in corporate giving or volunteering efforts. VMware, one of Bright Funds’ customers, has seen an astonishing 82% of their 22,000 employees participate in their Citizen Philanthropy program of giving and volunteering, according to VMware Foundation Director Jessa Chin. Their full-time voluntary turnover rate (8%) is well below the software industry average of 13.2%.

Towards a Brighter Future

Bright Funds still has a lot of work to do. CEO Walrod says that one of his top priorities is to expand the platform beyond US charities, finding ways to evaluate and incorporate international nonprofits.

They have also not given up their dream of becoming a truly consumer platform, perhaps one day competing in the world of donor-advised funds, which today is largely dominated by big names like Fidelity and Schwab who house over $85B of assets. In the short term, Walrod wants to make every Bright Funds account similar to a 401K account. It goes wherever you work, and is a lasting record of the causes you care about, and the time and resources you’ve invested in them.

Whether the impetus is altruism around giving or something more utilitarian like retention, companies are increasingly realizing that their employees represent a charitable force that can be harnessed for the greater good. Bright Funds has more work to do like any startup, but it is empowering the next set of donors who can give with the same effectiveness as Gates, and one day, at the same scale as him as well.

Saturday, August 25, 2018

Amazon isn’t the only tech company getting tax breaks

Amazon has a big target on its back these days, and because of its size, scope and impact on local business, critics are right to look closely at tax breaks and other subsidies they receive. There is nothing wrong with digging into these breaks to see if they reach the goals governments set in terms of net new jobs. But Amazon isn’t alone here by any means. Many states have a big tech subsidy story to tell, and it isn’t always a tale that ends well for the subsidizing government.

In fact, a recent study by the watchdog group, Good Jobs First, found states are willing to throw millions at high tech companies to lure them into building in their communities. They cited three examples in the report including Tesla’s $1.25 billion 20-year deal to build a battery factory in Nevada, Foxconn’s $3 billion break to build a display factory in Wisconsin and the Apple data center deal in Iowa, which resulted in a $214 million tax break.

Good Jobs First executive director Greg LeRoy doesn’t think these subsidies are justifiable and they take away business development dollars from smaller businesses that tend to build more sustainable jobs in a community.

“The “lots of eggs in one basket” strategy is especially ill-suited. But many public leaders haven’t switched gears yet, often putting taxpayers at great risk, especially because some tech companies have become very aggressive about demanding big tax breaks. Companies with famous names are even more irresistible to politicians who want to look active on jobs,” LeRoy and his colleague Maryann Feldman wrote in a Guardian commentary last month.

It doesn’t always work the way you hope

While these deals are designed to attract the company to an area and generate jobs, that doesn’t always happen. The Apple-Iowa deal, for example, involved 550 construction jobs to build the $1.3 billion state-of-the-art facility, but will ultimately generate only 50 full-time jobs. It’s worth noting that in this case, Apple further sweetened the pot by contributing “up to $100 million” to a local public improvement fund, according to information supplied by the company.

One thing many lay people don’t realize, however, is that in spite of the size, cost and amount of real estate of these mega data centers, they are highly automated and don’t require a whole lot of people to run. While Apple is giving back to the community around the data center, in the end, if the goal of the subsidy is permanent high-paying jobs, there aren’t very many involved in running a data center.

It’s not hard to find projects that didn’t work out. A $2 million tax subsidy deal between Massachusetts and Nortel Networks in 2008 to keep 2200 jobs in place and add 800 more failed miserably. By 2010 there were just 145 jobs left at the facility and the tax incentive lasted another 4 years, according to a Boston.com report.

More recent deals come at a much higher price. The $3 billion Foxconn deal in Wisconsin was expected to generate 3000 direct jobs (and another 22,000 related ones). That comes out to an estimated cost of between $15,000 and $19,000 per job annually, much higher than the typical cost of $2457 per job, according to data in the New York Times.

Be careful what you wish for

Meanwhile states are falling all over themselves with billions in subsidies to give Amazon whatever its little heart desires to build HQ2, which could generate up to 50,000 jobs over a decade if all goes according to plan. The question, as with the Foxconn deal, is whether the states can truly justify the cost per job and the impact on infrastructure and housing to make it worth it?

What’s more, how do you ensure that you get at least a modest return on that investment? In the case of the Nortel example in Massachusetts, shouldn’t the Commonwealth have protected itself against a catastrophic failure instead of continuing to give the tax break for years after it was clear Nortel wasn’t able to live up to its side of the agreement?

Not every deal needs to be a home run, but you want to at least ensure you get a decent number of net new jobs out of it, and that there is some fairness in the end, regardless of the outcome. States also need to figure out the impact of any subsidy on other economic development plans, and not simply fall for name recognition over common sense.

These are questions every state needs to be considering as they pour money into these companies. It’s understandable in post-industrial America, where many factory jobs have been automated away, that states want to lure high-paying high tech jobs to their communities, but it’s still incumbent upon officials to make sure they are doing due diligence on the total impact of the deal to be certain the cost is justified in the end.

Thursday, August 23, 2018

Mixmax launches IFTTT-like rules to help you manage your inbox

Mixmax, a service that aims to make email and other outbound communications more usable and effective, today announced the official launch of its new IFTTT-like rules for automating many of the most repetitive aspects of your daily email workflow.

On the one hand, this new feature is a bit like your standard email filter on steroids (and with connections to third-party tools like Slack, Salesforce, DocuSign, Greenhouse and Pipedrive). Thanks to this, you can now receive an SMS when a customer who spends more than $5,000 a month emails you, for example.

But rules can also be triggered by any of the third-party services the company currently supports. Maybe you want to send out a meeting reminder based on your calendar entries, for example. You can then set up a rule that always emails a reminder a day before the meeting, together with all the standard info you’d want to send in that email.

“One way we think about Mixmax is that we want to do for externally facing teams and people who talk to a lot of customers what GitHub did for engineering and what Slack did for internal team communication,” Mixmax co-founder and CEO Olof Mathé told me. “That’s what we do for external communication.”

While the service started out as a basic Chrome extension for Gmail, it’s now a full-blown email automation system that offers everything from easy calendar sharing to tracking when recipients open an email and, now, building rules around that. Mathé likened it to an executive assistant, but he stressed that he doesn’t think Mixmax is taking anybody’s jobs away. “We’re not here to replace other people,” he said. “We amplify what you are able to do as an individual and give you superpowers so you can become your own personal chief of staff so you get more time.”

The new rules feature takes this to the next level and Mathé and his team plan to build this out more over time. He teased a new feature called ‘beast mode’ that’s coming in the near future and that will see Mixmax propose actions you can take across different applications, for example.

Many of the new rules and connectors will be available to all paying users, though some features, like access to your Salesforce account, will only be available to those on higher-tier plans.

Armory lands $10M Series A to bring continuous delivery to enterprise masses

Armory, a startup that has built a CI/CD platform on top of the open source Spinnaker project, announced a $10 million Series A today led by Crosslink Capital. Other investors included Bain Capital Ventures, Javelin Venture Partners, YCombinator and Robin Vasan.

Software development certainly has changed over the last several years, going from long cycles between updates to a continuous delivery model. The concept is actually called CI/CD or continuous integration/continuous delivery. Armory’s product is designed to eliminate some of the complexity associated with deploying this kind of solution.

When they started the company, the founders made a decision to hitch their wagon to Spinnaker, a project that had the backing of industry heavyweights like Google and Netflix. “Spinnaker would become an emerging standard for enabling truly multi-cloud deployments at scale. Instead of re-creating the wheel and building another in-house continuous delivery platform, we made a big bet on having Spinnaker at the core of Armory’s Platform,” company CEO and co-founder Daniel R. Odio wrote in a blog post announcing the funding.

The bet apparently paid off and the company’s version of Spinnaker is a widely deployed enterprise solution (at least according to them). The startup’s ultimate goal is to help Fortune 2000 companies deploy software much faster — and accessing and understanding CI/CD is a big part of that.

As every company out there becomes a software company, they find themselves outside their comfort zones. While Google and Netflix and other hyper-scale organizations have learned to deploy software at startling speed using state of the art methodologies, it’s not so easy for most companies with much smaller engineering teams to pull off.

That’s where a company like Armory could come into play. It takes this open source project and it packages it in such a way that it simplifies (to an extent) the complex world that these larger companies operate in on a regular basis, putting Spinnaker and CI/CD concepts in reach of organizations whose core competency might not involve sophisticated software deployment.

All of this relates to multi-cloud and cloud-native approaches to software development, which let you manage your applications and infrastructure wherever they live across any cloud vendor or even on-prem in a consistent way. Being able to manage continuous deployment is part of that.

Armory launched in 2016 and is based in the Bay area. It has raised a total of $14 million with a $4 million seed round coming last year. They were also a member of the Y Combinator Winter 2017 class and count Y Combinator as an investor in this round.

ServiceNow-Box integration brings together two enterprise cloud stalwarts

It used to be a one-vendor, stack-driven world in the enterprise. Today, the cloud has changed that and best of breed and interoperability are the watchwords of the day. Two enterprise cloud stalwarts have announced a new integration that brings Box content directly into ServiceNow.

For ServiceNow customers, it means that they can access Box content without leaving a ServiceNow application and changing focus. Company CTO Allan Leinwand says the two share a lot of common customers, and it made sense to bring them together.

“When you’re inside of a ServiceNow record, for example, you’re looking at an incident or problem or a knowledge base article, you are going to link to directly with a Box document or save files directly to Box from ServiceNow. There’s a lot of very practical things that help people get their work done faster,” he explained.

Jeetu Patel, Box’s Chief Strategy and Chief Product officer, says the two companies are working to drive innovation inside organizations and that means working with multiple products to solve organizational issues.

“Our goal has been to be a neutral central content layer for every business process. Part of that ambition is to be able to plug into best of breed applications like ServiceNow. Companies already use these tools, and use Box, and they want to be sure they work seamlessly with each other,” Patel said.

On a practical level, customers can grab the Box plug-in from the ServiceNow Store. It comes with some prebuilt workflows for typical ServiceNow product usage scenarios, but the integration is flexible and allows customization. As an example, in an HR scenario, the ServiceNow administrator might build a workflow for onboarding a new employee in ServiceNow’s HR application. Using the company’s Flow Designer workflow-building tool, they can pull in all the documents a new employee needs to sign with other tasks into a single workflow.

Contract workflow with Box content in ServiceNow Flow Designer. Screenshot: ServiceNow

It comes down to helping customers work more efficiently. “We’re both cloud companies, and we’re both driving digital transformation for our customers. And we’ve really seen a lot of synergy between the way people work in Box, and how people are working in ServiceNow. We think we can integrate together and make work get done better,” Leinwand said.

Wickr teams up with Psiphon to ensure your packets arrive safely no matter where you are

Encrypted collaboration app Wickr has added a feather to its cap with a partnership with Psiphon, provider of smart VPN tools. Wickr will use Psiphon’s tech to guarantee your packets get where they need to go regardless of whether you’re at home, at a cafe with bad wi-fi, or at a cafe with bad wi-fi in China.

The idea is that the user shouldn’t have to be auditing their own connection to be sure their apps will work properly. That can be a matter of safety, such as a poorly secured access point; connectivity, such as one where certain ports or apps are inoperable; or censorship, like requesting data from a service banned in the country you’re visiting.

Wickr already encrypts all your traffic, so there are no worries on that account, but if the connection you’re using were to block video calls or certain traffic patterns, there’s not much the company can do about that.

Psiphon, however, is in the business of circumventing deliberate or accidental blockages with a suite of tools that analyze the network and attempt to find a way to patch you through. Whether that’s anonymizing your traffic, bouncing it off non-blocked servers, doing automatic port forwarding, or some other method, the idea is the packets get through one way or another.

There’s a cost in latency and throughput, of course, but while that may matter for online gaming or video streaming, it’s far less important for something like uploading an image, chatting with colleagues, and the other functions that Wickr provides. At all events you can turn the feature on or off at will.

There will be a monetary cost too, of course, in the form of premiums added to paid plans. Enterprise customers will be the first to receive the Psiphon-powered traffic handling, today in fact, and the feature will then trickle its way down to other paid users and free users over the next few weeks.

Wednesday, August 22, 2018

Slack must use cash hoard to find new ways to keep competition at bay

It was quite a week for Slack, wasn’t it? The enterprise communications platform confirmed this publication’s earlier report that it had scored another $427 million investment on an over-the-moon valuation of over $7 billion. Slack took a market that had once been in the doldrums and turned it into something significant by making itself more than a communications tool.

It changed the game by making itself a work hub. Through APIs and UI updates, it has made it simple for countless third parties (like Evernote) to integrate with Slack and provide the long-sought workplace hub for the enterprise. Instead of task switching, you can work mostly in one place and keep your focus on your work.

It’s quite a value proposition and it has enabled Slack to raise $1.2 billion (with a b) across 11 funding rounds, according to data on Crunchbase. They have grown to 8 million daily active users. They boast 70,000 teams paying to use it. Whatever they are doing, it’s working.

Competing with corporate behemoths

That said, Slack’s success has always been a bit surprising because it’s facing off against giants like Microsoft, Facebook, Google, Cisco, Salesforce and many others, all gunning for this upstart’s market. In fact, Microsoft is giving Teams away for free to Office 365 customers. You could say it’s hard to compete with free, yet Slack continues to hold its own (and also offers a free version, for the record).

Perhaps that’s because it doesn’t require customers to use any particular toolset. Microsoft Teams is great for Microsoft users. Google Hangouts is great for G Suite users. You’re already signed in and it’s all included in the package, and there is a huge convenience factor there, but Slack works on anything and with anything and companies have shown there is great value in that.

The question is can Slack continue to play David to these corporate behemoths or will patience, bushels of cash on hand and a long view allow these traditional tech companies to eventually catch up and pass the plucky newbie. Nobody can see into the future, but obviously investors recognize it takes a lot of capital to keep up with what the competition is bringing to the table.

Expanding their reach

They also clearly have some confidence in the company’s ability to keep growing and keep the titans at bay or they wouldn’t have thrown all of that moolah at them. Up until now, they seem to have always found a way, but they need to step up if they are going to keep it going.

Alan Lepofsky, an analyst with Constellation Research, who keeps a careful eye on the enterprise collaboration market, says in a recent video commentary that it’s great they got all this money, but now that someone has shown them all of this dough, they have to prove they know what to do with it.

“For Slack to continue to be successful, they need to expand beyond what they are currently doing and really, truly redefine the way people communicate, collaborate, coordinate around their work. They need to branch out to project management, task management, content creation — all sorts of things more than just collaboration.”

What comes next?

Lepofsky says this could happen via a build or buy scenario, or even partnering, but they need to use their money strategically to differentiate the product from the hefty competition and stay ahead in this market.

The other elephant in the room is the idea that one of the competing mega corporations could make a run at them and try to acquire them. It would take a boat load of money to make that happen, but if someone had the cojones to do it, they would be getting the state of the art, the market share, the engineering, the whole package.

For now, that’s pure speculation. For now, Slack is sitting comfortably on a huge cash pile, and perhaps they should go shopping and expand their product set with their newly found wealth, as Lepofsky suggests. If they can do that, maybe they can keep the technology wolves from the door and make their way down the path to their seemingly inevitable IPO.

Evernote refines integrations with Slack and Salesforce

When you’re working in a key business tool like Slack or Salesforce, you don’t want to switch focus by opening up another application to pull additional information. Evernote Business has let you access Evernote content from these applications for some time, and today it announced some refinements to enhance those integrations.

The Slack integration had worked with the old slash commands to display Evernote content directly within Slack, but Slack has changed that to allow you to access applications like Evernote in a more visual way, says Eric Wrobel, chief product officer at Evernote.

“Earlier this year, Slack announced something called Slack Actions. It allows you to surface an application in a more visual way, so discoverability and ease of use is better to reduce friction,” he said.

Evernote embedded inside Slack. Screenshot: Evernote

Evernote has taken advantage of this new capability in this release to get away from the command interface style that Slack had previously used and make it easier for their core knowledge workers to access Evernote content inside of Slack.

Users can take an Evernote note in Slack, which will then show up in Evernote automatically in a “Notes from Slack” folder. From there, users can edit the notes and move them to other folders (or tag them) to further organize them in any way they see fit. Similarly you can save a conversation you’re having in Slack to Evernote as a note and move it or edit from Evernote later on.

The Salesforce Connection

While Salesforce deals with structured systems of record, Evernote works with unstructured content and bringing the two together can be useful and powerful for users. Typically, a team member interacting with the customer on the phone or in the field, will take notes in Evernote, and they want to share that information with other members of the team in the Salesforce record, Wrobel explained.

The user who took the note can link one or more notes inside Salesforce, so they essentially become part of the customer record. The newer version improves the technical connections between the two cloud applications including the ability to “pin” a note to a record. What’s more, once a note is linked there is two-way sync, which means regardless of whether you change that note in Salesforce or Evernote, it will update in both places (because the integration is a live version of Evernote).

Evernote notes embedded in Salesforce record. Screenshot: Evernote

Evernote also surfaces related content automatically at the bottom of the customer record to help users find other Evernote subject matter connected to the record. While you can’t link a note to Salesforce directly from Evernote yet, that is a requested feature and Wrobel said they are working on it for a future release.

These updates are available today for Slack and Salesforce customers using Evernote Business.

Tuesday, August 21, 2018

Talla builds a smarter customer knowledge base

Talla is taking aim at the customer service industry with its latest release, an AI-infused knowledge base. Today, the company released version 2.0 of the Talla Intelligent Knowledge Base.

The company also announced that Paula Long, most recently CEO at Data Gravity, has joined the company as SVP of engineering.

This tool combines customer content with automation, chatbots and machine learning. It’s designed to help teams who work directly with customers get at the information they need faster and the machine learning element should allow it to improve over time.

You can deploy the product as a widget on your website to give customers direct access to the information, but Rob May, company founder and CEO, says the most common use case involves helping sales, customer service and customer success teams get access to the most relevant and current information, whether that’s maintenance or pricing.

The information can get into the knowledge base in several ways. First of all, you can enter elements like product pages and FAQs directly in the Talla product as with any knowledge base. Secondly, if an employee asks a question and there isn’t an adequate answer, it exposes the gaps in information.

Talla Knowledge Base gap list. Screenshot: Talla

“It really shows you the unknown unknowns in your business. What are the questions people are asking that you didn’t realize you don’t have content for or you don’t have answers for. And so that allows you to write new content and better content,” May explained.

Finally, the company can import information into the knowledge base from Salesforce, ServiceNow, Jira or wherever it happens to live, and that can be added to a new page or incorporated into an existing page as appropriate.

Employees interact with the system by asking a bot questions and it supplies the answer if one exists. It works with Slack, Microsoft Teams or Talla Chat.

Talla bot in action in Talla Chat. Screenshot: Talla

Customer service remains a major pain point for many companies. It is the direct link to customers when they are having issues. A single bad experience can taint a person’s view of a brand, and chances are when a customer is unhappy they let their friends know on social media, making an isolated incident much bigger. Having quicker access to more accurate information could help limit negative experiences.

Today’s announcement builds on an earlier version of the product that took aim at IT help desks. Talla found customers kept asking for a solution that provided similar functionality with customer-facing information and they have tuned it for that.

May launched Talla in 2015 after selling his former startup Backupify to Datto in 2014. The company, which is based near Boston, has raised $12.3 million.

Foundries.io promises standardized open source IoT device security

IoT devices currently lack a standard way of applying security. That leaves consumers, whether businesses or individuals, to wonder if their devices are secure and up-to-date. Foundries.io, a company that launched today, wants to change that by offering a standard way to secure devices and deliver updates over the air.

“Our mission is solving the problem of IoT and embedded space where there is no standardized core platform like Android for phones,” Foundries.io CEO George Grey explained.

What Foundries has created is an open and secure solution that saves everyone from creating their own and reinventing the wheel every time. Grey says Foundries’ approach is not only secure, it provides a long-term solution to the device update problem by providing a way to deliver updates over the air in an automated manner on any device from tiny sensors to smart thermostats to autonomous cars.

He says this approach will allow manufacturers to apply security patches in a similar way that Apple applies regular updates to iOS. “Manufacturers can continuously make sure their devices can be updated with the latest software to fix security flaws or Zero Day flaws,” he said.

The company offers two solutions, depending on the size and complexity of your device. The Zephyr RTOS microPlatform is designed for smaller, less complex devices. For those that are more complex, Foundries offers a version of Linux called the Linux OE microPlatform.

Grey claims that these platforms free manufacturers to build secure devices without having to hire a team of security experts. But he says the real beauty of the product is that the more people who use it, the more secure it will get, as more and more test it against their products in a virtuous cycle.

You may be wondering how they can make money in this model, but they do it by charging a flat fee of $10,000 per year for Zephyr RTOS and $25,000 per year for Linux OE. These are one-time prices and apply by the product, regardless of how many units get sold and there is no lock-in, according to Grey. Companies are free to back out any time. “If you want to stop subscribing you take over maintenance and you still have access to everything up to the point. You just have to arrange maintenance yourself,” he said.

There is also a hobbyist and education package for $10 a month.

The company spun off from research at Linaro, an organization that promotes development on top of ARM chips.

To be successful, Foundries.io needs to build a broad community of manufacturers. Today’s launch is the first step in that journey. If it eventually takes off, it has the potential to provide a consistent way of securing and updating IoT devices, a move which would certainly be welcome.

Semmle, startup that makes code searchable, hauls in $21M Series B

Semmle, a startup that originally spun out of research at Oxford, announced a $21 million Series B investment today led by Accel Partners. It marked the second time Accel has led an investment in the company.

Other investors include Work-Bench, Capital One, Credit Suisse, Google, Microsoft, NASA and Nasdaq Trust. Today’s investment brings the total to $31 million.

Semmle has warranted this kind of interest by taking a unique approach to finding vulnerabilities in code. “The key idea behind our technology is to treat code as data and treat analysis problems as simple queries against a database. What this allows you to do is very easily encode domain expertise, security expertise or any other kinds of specialist knowledge in such a way it can be easily and automatically applied to large amounts of code,” Pavel Avgustinov, Semmle co-founder and VP of platform engineering, told TechCrunch.

Once you create the right query, you can continuously run it against your code to prevent the same mistakes from entering the code base on subsequent builds. The key here is building the queries and the company has a couple of ways to deal with that.

They can work with customers to help them create queries, although in the long run that is not a sustainable way of working. Instead, they share queries, and encourage customers to share them with the community.

“What we find is that the great tech companies we work with have the best security teams in the world, and they are giving back what they created on the Semmle platform with other users in an open source fashion. There is a GitHub repository where we publish queries, but Microsoft and Google are doing the same thing,” Oege de Moor, company CEO and co-founder, explained.

In fact, the Semmle solution is freely available to open source programmers to use with their applications, and the company currently analyzes every commit of almost 80,000 open source projects. Open source developers can run shared queries against their code or create their own.

They also have a paid version with customers like Microsoft, Google, Credit Suisse, NASA and Nasdaq. They have relied mostly on these strategic partners up until now, all of which are also investors. With today’s investment they plan to build out their sales and marketing departments to expand their customer base into a wider enterprise market.

The company spun out of research at Oxford University in 2006. They are now based in San Francisco with 60 employees, a number that should go up with this investment. They received an $8 million Series A in 2014 and a $2 million seed round in 2011.

Saturday, August 18, 2018

Distributed teams are rewriting the rules of office(less) politics

When we think about designing our dream home, we don’t think of having a thousand roommates in the same room with no doors or walls. Yet in today’s workplace where we spend most of our day, the purveyors of corporate office design insist that tearing down walls and bringing more people closer together in the same physical space will help foster better collaboration while dissolving the friction of traditional hierarchy and office politics.

But what happens when there is no office at all?

This is the reality for Jason Fried, Founder and CEO of Basecamp, and Matt Mullenweg, Founder and CEO of Automattic (makers of WordPress), who both run teams that are 100% distributed across six continents and many time zones. Fried and Mullenweg are the founding fathers of a movement that has inspired at least a dozen other companies to follow suit, including Zapier, GitHub, and Buffer. Both have either written a book, or have had a book written about them on the topic.

For all of the discussions about how to hire, fire, coordinate, motivate, and retain remote teams though, what is strangely missing is a discussion about how office politics changes when there is no office at all. To that end, I wanted to seek out the experience of these companies and ask: does remote work propagate, mitigate, or change the experience of office politics? What tactics are startups using to combat office politics, and are any of them effective?

“Can we take a step back here?”

Office politics is best described by a simple example. There is a project, with its goals, metrics, and timeline, and then there’s who gets to decide how it’s run, who gets to work on it, and who gets credit for it. The process for deciding this is a messy human one. While we all want to believe that these decisions are merit-based, data-driven, and objective, we all know the reality is very different. As a flood of research shows, they come with the baggage of human bias in perceptions, heuristics, and privilege.

Office politics is the internal maneuvering and positioning to shape these biases and perceptions to achieve a goal or influence a decision. When incentives are aligned, these goals point in the same direction as the company. When they don’t, dysfunction ensues.

Perhaps this sounds too Darwinian, but it is a natural and inevitable outcome of being part of any organization where humans make the decisions. There is your work, and then there’s the management of your coworkers’ and boss’s perception of your work.

There is no section in your employee handbook that will tell you how to navigate office politics. These are the tacit, unofficial rules that aren’t documented. This could include reworking your wardrobe to match your boss’s style (if you don’t believe me, ask how many people at Facebook own a pair of Nike Frees). Or making time to go to weekly happy hour not because you want to, but because it’s what you were told you needed to do to get ahead.

One of my favorite memes about workplace culture is Sarah Cooper’s “10 Tricks to Appear Smart in Meetings,” which includes…

  • Encouraging everyone to “take a step back” and ask “what problem are we really trying to solve”
  • Nodding continuously while appearing to take notes
  • Stepping out to take an “important phone call”
  • Jumping out of your seat to draw a Venn diagram on the whiteboard

Sarah Cooper, The Cooper Review

These cues and signals used in physical workplaces to shape and influence perceptions do not map onto the remote workplace, which gives us a unique opportunity to study how office politics can be different through the lens of the officeless.

Friends without benefits

For employees, the analogy that coworkers are like family is true in one sense — they are the roommates that we never got to choose. Learning to work together is difficult enough, but the physical office layers on the additional challenge of learning to live together. Contrast this with remote workplaces, which Mullenweg of Automattic believes help alleviate the “cohabitation annoyances” that come with sharing the same space, allowing employees to focus on how to best work with each other, versus how their neighbor “talks too loud on the phone, listens to bad music, or eats smelly food.”

Additionally, remote workplaces free us of the tyranny of the tacit expectations and norms that might not have anything to do with work itself. At an investment bank, everyone knows that analysts come in before the managing director does, and leave after they do. This signals that you’re working hard.

Basecamp’s Fried calls this the “presence prison,” the need to be constantly aware of where your coworkers are and what they are doing at all times, both physically and virtually. And he’s waging a crusade against it, even to the point of removing the green dot on Basecamp’s product. “As a general rule, nobody at Basecamp really knows where anyone else is at any given moment. Are they working? Dunno. Are they taking a break? Dunno. Are they at lunch? Dunno. Are they picking up their kid from school? Dunno. Don’t care.”

There is a credible basis for this practice. A study of factory workers by Harvard Business School showed that workers were 10% to 15% more productive when managers weren’t watching. This increase was attributed to giving workers the space and freedom to experiment with different approaches before explaining to managers, versus the control group which tended to follow prescribed instructions under the leery watch of their managers.

Remote workplaces experience a similar phenomenon, but by coincidence. “Working hard” can’t be observed physically so it has to be explained, documented, measured, and shared across the company. Cultural norms are not left to chance, or steered by fear or pressure, which should give individuals the autonomy to focus on the work itself, versus how their work is perceived.

Lastly, while physical workplaces can be the source of meaningful friendships and community, recent research by the Wharton School of Business is just beginning to unravel the complexities behind workplace friendships, which can be fraught with tensions from obligations, reciprocity and allegiances. When conflicts arise, you need to choose between what’s best for the company, and what’s best for your relationship with that person or group. You’re not going to help Bob because your best friend Sally used to date him and he was a dick. Or you’re willing to do anything for Jim because he coaches your kid’s soccer team, and vouched for you to get that promotion.

In remote workplaces, you don’t share the same neighborhood, your kids don’t go to the same school, and you don’t have to worry about which coworkers to invite to dinner parties. Your physical/personal and work communities don’t overlap, which means you (and your company) unintentionally avoid many of the hazards of toxic workplace relationships.

On the other hand, these same relationships can be important to overall employee engagement and well-being. This is evidenced by one of the findings in Buffer’s 2018 State of Remote Work Report, which surveyed over 1900 remote workers around the world. It found that next to collaborating and communicating, loneliness was the biggest struggle for remote workers.

Graph by Buffer (State of Remote Work 2018)

So while you may be able to feel like your own boss and avoid playing office politics in your home office, ultimately being alone may be more challenging than putting on a pair of pants and going to work.

Feature, not a bug?

Physical offices can have workers butting heads with each other. Image by UpperCut Images via Getty Images.

For organizations, the single biggest difference between remote and physical teams is the greater dependence on writing to establish the permanence and portability of organizational culture, norms and habits. Writing is different than speaking because it forces concision, deliberation, and structure, and this impacts how politics plays out in remote teams.

Writing changes the politics of meetings. Every Friday, Zapier employees send out a bulletin with: (1) things I said I’d do this week and their results, (2) other issues that came up, (3) things I’m doing next week. Everyone spends the first 10 minutes of the meeting in silence reading everyone’s updates.

Remote teams practice this context setting out of necessity, but it also provides positive auxiliary benefits of “hearing” from everyone around the table, and not letting meetings default to the loudest or most senior in the room. This practice can be adopted by companies with physical workplaces as well (in fact, Zapier CEO Wade Foster borrowed this from Amazon), but it takes discipline and leadership to change behavior, particularly when it is much easier for everyone to just show up like they’re used to.

Writing changes the politics of information sharing and transparency. At Basecamp, there are no all-hands or town hall meetings. All updates, decisions, and subsequent discussions are posted publicly to the entire company. For companies, this is pretty bold. It’s like having a Facebook wall with all your friends chiming in on your questionable decisions of the distant past that you can’t erase. But the beauty is that there is now a body of written decisions and discussions that serves as a rich and permanent artifact of institutional knowledge, accessible to anyone in the company. Documenting major decisions in writing depoliticizes access to information.

Remote workplaces are not without their challenges. Even though communication can be asynchronous through writing, leadership is not. Maintaining an apolitical culture (or any culture) requires a real-time feedback loop of not only what is said, but what is done, and how it’s done. Leaders lead by example in how they speak, act, and make decisions. This is much harder in a remote setting.

A designer from WordPress notes the interpersonal challenges of leading a remote team. “I can’t always see my teammates’ faces when I deliver instructions, feedback, or design criticism. I can’t always tell how they feel. It’s difficult to know if someone is having a bad day or a bad week.”

Zapier’s Foster is also well aware of these challenges in interpersonal dynamics. In fact, he has written a 200-page manifesto on how to run remote teams, where he has an entire section devoted to coaching teammates on how to meet each other for the first time. “Because we’re wired to look for threats in any new situation… try to limit phone or video calls to 15 minutes.” Or “listen without interrupting or sharing your own stories.” And to “ask short, open ended questions.” For anyone looking for a grade school refresher on how to make new friends, Wade Foster is the Dale Carnegie of the remote workforce.

To office, or not to office

What we learn from companies like Basecamp, Automattic, and Zapier is that closer proximity is not the antidote for office politics, and certainly not the quick fix for a healthy, productive culture.

Maintaining a healthy culture takes work, with deliberate processes and planning. Remote teams have to work harder to design and maintain these processes because they don’t have the luxury of assuming shared context through a physical workspace.

The result is a wealth of new ideas for a healthier, less political culture — being thoughtful about when to bring people together, and when to give people their time apart (ending the presence prison), or when to speak, and when to read and write (to democratize meetings). It seems that remote teams have largely succeeded in turning a bug into a feature. For any company still considering tearing down those office walls and doors, it’s time to pay attention to the lessons of the officeless.