16 October, 2024
US bans sale of Kaspersky software citing security risk from Russia
The U.S. government announced on Thursday that it is banning the sale of Kaspersky antivirus software in the country, and is asking Americans who use the software to switch to a different provider.
The Commerce Department’s Bureau of Industry and Security said it imposed the “first of its kind” ban, arguing that Kaspersky threatens U.S. national security and users’ privacy because the company is based in Russia.
“Russia has shown it has the capacity, and even more than that, the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans. And that’s why we are compelled to take the action that we’re taking today,” U.S. Commerce Secretary Gina Raimondo said in a call with reporters.
News of the ban was first reported by Reuters ahead of the announcement.
Kaspersky will be banned from selling its software to American consumers and businesses starting on July 20, but the company will be able to provide software and security updates to existing customers until September 29. After that, Kaspersky will no longer be permitted to push software updates to U.S. customers, according to Raimondo.
“That means your software and services will degrade. That’s why I strongly recommend that you immediately find an alternative to Kaspersky,” Raimondo said.
Raimondo said that U.S. consumers who already use Kaspersky’s antivirus are not violating the law.
In a statement shared with TechCrunch, Kaspersky spokesperson Sawyer VanHorn said the company plans to challenge the U.S. government’s decision.
“Kaspersky does not engage in activities which threaten U.S. national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies,” the company said in a statement. “The company intends to pursue all legally available options to preserve its current operations and relationships.”
“U.S. individuals and businesses that continue to use or have existing Kaspersky products and services are not in violation of the law, you have done nothing wrong and you are not subject to any criminal or civil penalties,” said Raimondo. “However, I would encourage you in the strongest possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”
To inform consumers, Raimondo said the Department of Homeland Security and the Justice Department will work to notify U.S. consumers, and the U.S. government will set up a website, “so people who are impacted can find the information they need to understand why we’re doing what we’re doing, and help them take next steps.”
A senior U.S. Commerce Department official said during the press call that federal cybersecurity agency CISA will do outreach to critical infrastructure organizations that use Kaspersky software in their operations to help them find alternatives. The official also said that they don’t plan on naming any specific action by Kaspersky that led to today’s decision. (The Commerce Department asked reporters not to name the official.)
The ban announced Thursday is the latest escalation in a long series of U.S. government actions against the Moscow-headquartered Kaspersky.
In September 2017, the Trump administration banned U.S. federal agencies from using Kaspersky software over fears that the company could be compelled to help Russian intelligence agencies. Earlier in the year, it was reported that Russian government hackers had stolen U.S. classified documents stored on an intelligence contractor’s home computer because it was running Kaspersky’s antivirus, marking the first known incident of espionage resulting from use of the company’s software.
The decision to ban Kaspersky has been in the works since last year, according to a report by The Wall Street Journal in April 2023.
According to Kaspersky, the company has more than 400 million individual customers, and over 240,000 corporate customers worldwide. The senior official declined to say how many U.S. customers Kaspersky has, but said there is a significant number, including critical infrastructure organizations, and state and local government entities.
UPDATE, Friday June 21, 10:45 a.m. ET: This story has been updated to include Kaspersky’s comment.
U.S. government sanctions Kaspersky executives
TigerBeetle is building database software optimized for financial transactions
After doing some consulting for Microsoft to develop protections against zero-day exploits, software engineer Joran Dirk Greef worked with Coil, a web monetization startup in San Francisco, to help build its payments infrastructure. At the time, Coil was using a traditional database to store and process transactions. But Greef had the insight that a specialized database could prove to be much more nimble — and powerful.
The idea morphed into a skunkworks project at Coil, and Greef became a staff engineer working full-time on a new database design called TigerBeetle. Two years into the project, after customers started requesting enterprise support for the database, Greef spun out TigerBeetle as a startup.
TigerBeetle’s open source database is engineered for financial online transaction processing, Greef says, capable of handling more than 8,000 debit and credit card transactions in a single query. One query for 8,000 transactions might not sound like a lot. But most general-purpose databases would require 1 to 10 queries per transaction. And more queries translates to more latency — especially if the database is hosted on a remote server somewhere.
“TigerBeetle is a financial transactions database that provides debit/credit primitives out of the box and enforces financial consistency in the database without requiring a developer to cobble together a system of record from scratch,” Greef said.
“TigerBeetle is ideal for use cases where you need to count anything of value — not necessarily money, but including money — moving from one person or place to another,” Greef said. A common application is an internal ledger for a company like Transferwise, he added, which has to keep track of lots of money moving between accounts.
Spinning out TigerBeetle was a wise decision in hindsight. TigerBeetle recently closed a $24 million Series A round led by Spark Capital’s Natalie Vais with participation from Amplify Partners and Coil, bringing its total raised to more than $30 million. A source familiar with the matter tells TechCrunch that TigerBeetle is valued at around $100 million post-money.
“We had planned to raise later in the year,” Greef said. “However, after a surge in community growth at the beginning of 2024, and growing commercial interest, we decided to bring the raise forward to invest in engineering, go-to-market and TigerBeetle’s cloud platform, which is under development.”
TigerBeetle, which only has eight employees at present and plans to double the size of its team by 2025, provides its database technology in the form of a managed service. Greef claims that TigerBeetle has had paying customers “since day one” and that the TigerBeetle community — folks using or contributing to the open source release — has grown over 200% year-over-year.
Vais told TechCrunch that TigerBeetle is one of the more exciting database projects that she’s seen recently.
“TigerBeetle rethinks every component from the ground up to handle modern transactional workloads,” she said. “In a world where everything is becoming more online and more transactional, there’s a huge opportunity for TigerBeetle to become a foundational piece of infrastructure for modern systems of record.”
TigerBeetle’s managed service is currently available by invitation only, and the database reached its first production release just in March. But Greef says that growth — in particular acquiring new customers — will be the focus for the foreseeable future.
“TigerBeetle’s use cases extend beyond fintech,” he continued. “Think usage-based billing with real-time spend caps, gaming live ops and energy smart meters, as well as instant payments, core banking, brokering, inventory, shopping carts, trucking and shipping, warehousing, crowdfunding, voting and reservation systems.”
How to prevent your software update from being the next CrowdStrike
CrowdStrike released a relatively minor patch on Friday, and somehow it wreaked havoc on large swaths of the IT world running Microsoft Windows, bringing down airports, healthcare facilities and 911 call centers. While we know a faulty update caused the problem, we don’t know how it got released in the first place. A company like CrowdStrike very likely has a sophisticated DevOps pipeline with release policies in place, but even with that, the buggy code somehow slipped through.
In this case it was perhaps the mother of all buggy code. The company has suffered a steep hit to its reputation, and the stock price plunged from $345.10 on Thursday evening to $263.10 by Monday afternoon. It has since recovered slightly.
In a statement on Friday, the company acknowledged the consequences of the faulty update: “All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority.”
Further, it explained the root cause of the outage, although not how it happened. That’s a post mortem process that will likely go on inside the company for some time as it looks to prevent such a thing from happening again.
Dan Rogers, CEO at LaunchDarkly, a firm that uses a concept called feature flags to deploy software in a highly controlled way, couldn’t speak directly to the CrowdStrike deployment problem, but he could speak to software deployment issues more broadly.
“Software bugs happen, but most of the software experience issues that someone would experience are actually not because of infrastructure issues,” he told TechCrunch. “They’re because someone rolled out a piece of software that doesn’t work, and those in general are very controllable.” With feature flags, you can control the speed of deployment of new features, and turn a feature off, if things go wrong to prevent the problem from spreading widely.
It is important to note however, that in this case, the problem was at the operating system kernel level, and once that has run amok, it’s harder to fix than say a web application. Still, a slower deployment could have alerted the company to the problem a lot sooner.
What happened at CrowdStrike could potentially happen to any software company, even one with good software release practices in place, said Jyoti Bansal, founder and CEO at Harness, a maker of DevOps pipeline developer tools. While he also couldn’t say precisely what happened at CrowdStrike, he talked generally about how buggy code can slip through the cracks.
Typically, there is a process in place where code gets tested thoroughly before it gets deployed, but sometimes an engineering team, especially in a large engineering group, may cut corners. “It’s possible for something like this to happen when you skip the DevOps testing pipeline, which is pretty common with minor updates,” Bansal told TechCrunch.
He says this often happens at larger organizations where there isn’t a single approach to software releases. “Let’s say you have 5,000 engineers, which probably will be divided into 100 teams of 50 or so different developers. These teams adopt different practices,” he said. And without standardization, it’s easier for bad code to slip through the cracks.
How to prevent bugs from slipping through
Both CEOs acknowledge that bugs get through sometimes, but there are ways to minimize the risk, including perhaps the most obvious one: practicing standard software release hygiene. That involves testing before deploying and then deploying in a controlled way.
Rogers points to his company’s software and notes that progressive rollouts are the place to start. Instead of delivering the change to every user all at once, you instead release it to a small subset and see what happens before expanding the rollout. Along the same lines, if you have controlled rollouts and something goes wrong, you can roll back. “This idea of feature management or feature control lets you roll back features that aren’t working and get people back to the prior version if things are not working.”
Bansal, whose company just bought feature flag startup Split.io in May, also recommends what he calls “canary deployments,” which are small controlled test deployments. They are called this because they hark back to canaries being sent into coal mines to test for carbon monoxide leakage. Once you prove the test roll out looks good, then you can move to the progressive roll out that Rogers alluded to.
As Bansal says, it can look fine in testing, but a lab test doesn’t always catch everything, and that’s why you have to combine good DevOps testing with controlled deployment to catch things that lab tests miss.
Rogers suggests when doing an analysis of your software testing regimen, you look at three key areas — platform, people and processes — and they all work together in his view. “It’s not sufficient to just have a great software platform. It’s not sufficient to have highly enabled developers. It’s also not sufficient to just have predefined workflows and governance. All three of those have to come together,” he said.
One way to prevent individual engineers or teams from circumventing the pipeline is to require the same approach for everyone, but in a way that doesn’t slow the teams down. “If you build a pipeline that slows down developers, they will at some point find ways to get their job done outside of it because they will think that the process is going to add another two weeks or a month before we can ship the code that we wrote,” Bansal said.
Rogers agrees that it’s important not to put rigid systems in place in response to one bad incident. “What you don’t want to have happen now is that you’re so worried about making software changes that you have a very long and protracted testing cycle and you end up stifling software innovation,” he said.
Bansal says a thoughtful automated approach can actually be helpful, especially with larger engineering groups. But there is always going to be some tension between security and governance and the need for release velocity, and it’s hard to find the right balance.
We might not know what happened at CrowdStrike for some time, but we do know that certain approaches help minimize the risks around software deployment. Bad code is going to slip through from time to time, but if you follow best practices, it probably won’t be as catastrophic as what happened last week.
Checkly tests software by mimicking the way people use it
It’s not uncommon for developers working at companies of a certain size to have trouble keeping track of all the software dev-related tasks and bugs that need to be addressed. According to a 2024 survey by Dynatrace, 88% of tech leaders say that the complexity of their tech stacks increased in the past year and that this increased complexity has made it difficult to deliver a satisfactory customer experience.
There’s no shortage of observability vendors out there offering up their products as a fix. But Hannes Lenke, the CEO and co-founder of observability and monitoring company Checkly, makes the case that many are too expensive to use at scale and charge unreasonable additional fees for specific capabilities, support and maintenance.
“Very few engineers have access to full observability and monitoring tools, and many of these tools still run in silos,” Lenke, who launched Checkly with Tim Nolet and Timo Euteneuer in 2018, told TechCrunch. “Moreover, legacy monitoring tools cost companies a fortune, and cutting costs is one of the primary drivers for tool migration.”
Nolet created Checkly as a side project to help devs get signals about an app’s performance and downtime, offering a set of subscription-based synthetic monitoring tools. Synthetic monitoring, also known as active monitoring or proactive monitoring, tests software by simulating how a person uses that software, mimicking how a user might behave and then using this data to evaluate performance metrics such as response times and error rates.
Checkly’s platform, which can monitor APIs in addition to software, runs scheduled or continuous automated test scripts to detect potential problems. Users can define the monitoring as code in an existing codebase and keep it version-controlled, and leverage a “traces” feature to connect back-end failures to alerts.
“Our aim is to help developers find issues and fix them 10x faster,” Lenke said. “A synthetic monitoring setup means that you’re the first to know when an issue has occurred, enabling you to resolve it before it reaches your customer.”
Lenke sees not only observability incumbents like Datadog, Splunk and New Relic as rivals but also Pingdom, Runscope and Catchpoint. But he says that Checkly’s business is quite robust: The company has more than 1,000 paying customers, including 1Password, Vercel and Yext, and it’s performing 32.5 million checks on APIs and software every day.
That’s gotten investors’ attention.
This week, Checkly announced that it raised $20 million in a Series B funding round led by Balderton Capital with participation from Accel and CRV. Bringing Checkly’s total raised to $32.25 million, the new cash will be put toward product development, expanding Berlin-based Checkly’s 35-person team and opening a satellite office in New York.
“We are seeing an accelerated customer demand for Checkly,” Lenke said. “In response to that, we want to grow our go-to-market teams to onboard even more customers to Checkly.”
Reddit back online after a software update took it down
Reddit’s mobile and web applications went down on Wednesday afternoon, with more than 150,000 users reporting outages on Downdetector as of 1:30 p.m. in San Francisco. When trying to access Reddit’s homepage, users were met with the message, “Server error. Try again later.”
The company itself reported a “degraded status” for Reddit.com as of 1:16 p.m. PT on its status page, but now says its systems are operational roughly an hour later. After investigating the issue, the company says a software update pushed out to the platform was to blame.
“Earlier today we shipped an update that unintentionally impacted platform stability,” said Reddit spokesperson Tim Rathschmidt in an email to TechCrunch. “We deployed a fix and are back up and running.”
As of 2:16 p.m., Reddit’s status page was updated to show that the issue had been resolved after a fix was implemented.
In the past 90 days, Reddit has had very few major outages like this, according to its status page. Some users may still be having difficult accessing the platform, but services should trickle back online shortly, according to the company.
GM cuts 1,000 software jobs as it prioritizes quality and AI
General Motors is cutting around 1,000 software workers around the world in a bid to focus on more “high-priority” initiatives like improving its Super Cruise driver assistance system, the quality of its infotainment platform and exploring the use of AI.
The job cuts are not about cost cutting or individual performance, GM spokesperson Stuart Fowle told TechCrunch. Rather, they are meant to help the company move more quickly as it tries to compete in the world of “software-defined vehicles.”
For example, Fowle said, that could mean moving away from developing many different infotainment features and instead focusing on ones that matter most to consumers.
The shuffle comes after GM has struggled with recent software problems. The automaker temporarily halted sales of its new Blazer EV in late 2023 after early vehicles encountered glitches. In June, GM promoted two former Apple executives to run its software and services division. The promotions were meant to fill the gap left by Mike Abbott, another Apple veteran who had joined GM as its executive vice president of software and services. Abbott left GM in March for health reasons.
The cuts are being made around the world, though the majority will be in Michigan, according to CNBC and Bloomberg, which first reported the news.
“As we build GM’s future, we must simplify for speed and excellence, make bold choices, and prioritize the investments that will have the greatest impact. As a result, we’re reducing certain teams within the Software and Services organization,” the company said in a statement. “We are grateful to those who helped establish a strong foundation that positions GM to lead moving forward.”
Checkly tests software by mimicking the way people use it
It’s not uncommon for developers working at companies of a certain size to have trouble keeping track of all the software dev-related tasks and bugs that need to be addressed. According to a 2024 survey by Dynatrace, 88% of tech leaders say that the complexity of their tech stacks increased in the past year, and that this increased complexity has made it difficult to deliver a satisfactory customer experience.
There’s no shortage of observability vendors out there offering up their products as a fix. But Tim Nolet, the CEO and co-founder of observability and monitoring company Checkly, makes the case that many are too expensive to use at scale and charge unreasonable additional fees for specific capabilities, support and maintenance.
“Very few engineers have access to full observability and monitoring tools, and many of these tools still run in silos,” Nolet, who launched Checkly with Hannes Lenke and Timo Euteneuer in 2018, told TechCrunch. “Moreover, legacy monitoring tools cost companies a fortune, and cutting costs is one of the primary drivers for tool migration.”
Nolet created Checkly a side project to help devs get signals about an app’s performance and downtime, offering a set of subscription-based synthetic monitoring tools. Synthetic monitoring, also known as active monitoring or proactive monitoring, tests software by simulating how a person uses that software, mimicking how a user might behave and then using this data to evaluate performance metrics such as response times and error rates.
Checkly’s platform, which can monitor APIs in addition to software, runs scheduled or continuous automated test scripts to detect potential problems. Users can define the monitoring as code in an existing codebase and keep it version-controlled, and leverage a “traces” feature to connect backend failures to alerts.
“Our aim is to help developers find issues and fix them 10x faster,” Nolet said. “A synthetic monitoring setup means that you’re the first to know when an issue has occurred, enabling you to resolve it before it reaches your customer.”
Nolet sees not only observability incumbents like DataDog, Splunk and New Relic as rivals but also Pingdom, Runscope and Catchpoint. But he says that Checkly’s business is quite robust: The company has more than 1,000 paying customers including 1Password, Vercel and Yext, and it’s performing 32.5 million checks on APIs and software every day.
That’s gotten investors’ attention.
This week, Checkly announced that it raised $20 million in a Series B funding round led by Balderton Capital with participation from Accel and CRV. Bringing Checkly’s total raised to $32.25 million, the new cash will be put toward product development, expanding Berlin-based Checkley’s 35-person team and opening a satellite office in New York.
“We are seeing an accelerated customer demand for Checkly,” Nolet said. “In response to that, we want to grow our go-to-market teams to onboard even more customers to Checkly.”
US bans sale of Kaspersky software citing security risk from Russia
The U.S. government announced on Thursday that it is banning the sale of Kaspersky antivirus software in the country, and is asking Americans who use the software to switch to a different provider.
The Commerce Department’s Bureau of Industry and Security said it imposed the “first of its kind” ban, arguing that Kaspersky threatens U.S. national security and users’ privacy because the company is based in Russia.
“Russia has shown it has the capacity, and even more than that, the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans. And that’s why we are compelled to take the action that we’re taking today,” U.S. Commerce Secretary Gina Raimondo said in a call with reporters.
News of the ban was first reported by Reuters ahead of the announcement.
Kaspersky will be banned from selling its software to American consumers and businesses starting on July 20, but the company will be able to provide software and security updates to existing customers until September 29. After that, Kaspersky will no longer be permitted to push software updates to U.S. customers, according to Raimondo.
“That means your software and services will degrade. That’s why I strongly recommend that you immediately find an alternative to Kaspersky,” Raimondo said.
Raimondo said that U.S. consumers who already use Kaspersky’s antivirus are not violating the law.
In a statement shared with TechCrunch, Kaspersky spokesperson Sawyer VanHorn said the company plans to challenge the U.S. government’s decision.
“Kaspersky does not engage in activities which threaten U.S. national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies,” the company said in a statement. “The company intends to pursue all legally available options to preserve its current operations and relationships.”
“U.S. individuals and businesses that continue to use or have existing Kaspersky products and services are not in violation of the law, you have done nothing wrong and you are not subject to any criminal or civil penalties,” said Raimondo. “However, I would encourage you in the strongest possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”
To inform consumers, Raimondo said the Department of Homeland Security and the Justice Department will work to notify U.S. consumers, and the U.S. government will set up a website, “so people who are impacted can find the information they need to understand why we’re doing what we’re doing, and help them take next steps.”
A senior U.S. Commerce Department official said during the press call that federal cybersecurity agency CISA will do outreach to critical infrastructure organizations that use Kaspersky software in their operations to help them find alternatives. The official also said that they don’t plan on naming any specific action by Kaspersky that led to today’s decision. (The Commerce Department asked reporters not to name the official.)
The ban announced Thursday is the latest escalation in a long series of U.S. government actions against the Moscow-headquartered Kaspersky.
In September 2017, the Trump administration banned U.S. federal agencies from using Kaspersky software over fears that the company could be compelled to help Russian intelligence agencies. Earlier in the year, it was reported that Russian government hackers had stolen U.S. classified documents stored on an intelligence contractor’s home computer because it was running Kaspersky’s antivirus, marking the first known incident of espionage resulting from use of the company’s software.
The decision to ban Kaspersky has been in the works since last year, according to a report by The Wall Street Journal in April 2023.
According to Kaspersky, the company has more than 400 million individual customers, and over 240,000 corporate customers worldwide. The senior official declined to say how many U.S. customers Kaspersky has, but said there is a significant number, including critical infrastructure organizations, and state and local government entities.
UPDATE, Friday June 21, 10:45 a.m. ET: This story has been updated to include Kaspersky’s comment.
U.S. government sanctions Kaspersky executives
TigerBeetle is building database software optimized for financial transactions
After doing some consulting for Microsoft to develop protections against zero-day exploits, software engineer Joran Dirk Greef worked with Coil, a web monetization startup in San Francisco, to help build its payments infrastructure. At the time, Coil was using a traditional database to store and process transactions. But Greef had the insight that a specialized database could prove to be much more nimble — and powerful.
The idea morphed into a skunkworks project at Coil, and Greef became a staff engineer working full-time on a new database design called TigerBeetle. Two years into the project, after customers started requesting enterprise support for the database, Greef spun out TigerBeetle as a startup.
TigerBeetle’s open source database is engineered for financial online transaction processing, Greef says, capable of handling more than 8,000 debit and credit card transactions in a single query. One query for 8,000 transactions might not sound like a lot. But most general-purpose databases would require 1 to 10 queries per transaction. And more queries translates to more latency — especially if the database is hosted on a remote server somewhere.
“TigerBeetle is a financial transactions database that provides debit/credit primitives out of the box and enforces financial consistency in the database without requiring a developer to cobble together a system of record from scratch,” Greef said.
“TigerBeetle is ideal for use cases where you need to count anything of value — not necessarily money, but including money — moving from one person or place to another,” Greef said. A common application is an internal ledger for a company like Transferwise, he added, which has to keep track of lots of money moving between accounts.
Spinning out TigerBeetle was a wise decision in hindsight. TigerBeetle recently closed a $24 million Series A round led by Spark Capital’s Natalie Vais with participation from Amplify Partners and Coil, bringing its total raised to more than $30 million. A source familiar with the matter tells TechCrunch that TigerBeetle is valued at around $100 million post-money.
“We had planned to raise later in the year,” Greef said. “However, after a surge in community growth at the beginning of 2024, and growing commercial interest, we decided to bring the raise forward to invest in engineering, go-to-market and TigerBeetle’s cloud platform, which is under development.”
TigerBeetle, which only has eight employees at present and plans to double the size of its team by 2025, provides its database technology in the form of a managed service. Greef claims that TigerBeetle has had paying customers “since day one” and that the TigerBeetle community — folks using or contributing to the open source release — has grown over 200% year-over-year.
Vais told TechCrunch that TigerBeetle is one of the more exciting database projects that she’s seen recently.
“TigerBeetle rethinks every component from the ground up to handle modern transactional workloads,” she said. “In a world where everything is becoming more online and more transactional, there’s a huge opportunity for TigerBeetle to become a foundational piece of infrastructure for modern systems of record.”
TigerBeetle’s managed service is currently available by invitation only, and the database reached its first production release just in March. But Greef says that growth — in particular acquiring new customers — will be the focus for the foreseeable future.
“TigerBeetle’s use cases extend beyond fintech,” he continued. “Think usage-based billing with real-time spend caps, gaming live ops and energy smart meters, as well as instant payments, core banking, brokering, inventory, shopping carts, trucking and shipping, warehousing, crowdfunding, voting and reservation systems.”