Symantec Endpoint Detection & Response, prior to 4.5, may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data.
Apple is making a big shift in App Store fees, Duolingo raises more funding and Pfizer releases updated vaccine results. This is your Daily Crunch for November 18, 2020.
The big story: Apple cuts App Store fees
Apple is cutting the 30% fee it normally charges for App Store transactions to 15% for some developers — specifically, those who, after Apple’s commission, earn less than $1 million per year.
The company estimates that this will impact the “vast majority” of apps, with more details about eligibility coming in December, before the change takes effect on January 1. Apple has faced increasingly vocal criticism over these fees from companies like Epic Games (whose founder Tim Sweeney compared Epic’s legal battle to “civil rights fights”), and the issue has also come up during antitrust hearings.
“The App Store has been an engine of economic growth like none other, creating millions of new jobs and a pathway to entrepreneurship accessible to anyone with a great idea,” Apple CEO Tim Cook said in a statement. “Our new program carries that progress forward — helping developers fund their small businesses, take risks on new ideas, expand their teams, and continue to make apps that enrich people’s lives.”
The tech giants
Trump will lose protected Twitter status after his presidency — Twitter has at various times acknowledged that Donald Trump isn’t bound by the same rules that govern the rest of us, but CEO Jack Dorsey said that won’t be the case after he vacates the White House.
Google Pay gets a major redesign with a new emphasis on personal finance — With today’s update and redesign, Google is keeping all the core features intact but also taking the service in a new direction.
Facebook launches E.gg, an experimental collage-making app — The company has described the app as a “digital zine creator” and “GIF collage bonanza.”
Startups, funding and venture capital
Marissa Mayer’s startup launches its first official product, Sunshine Contacts — It’s designed to improve the process of organizing, updating and sharing contact information with others.
Language-learning app Duolingo confirms it has raised $35M on a $2.4B valuation — This is a sizable jump from Duolingo’s $1.65 billion valuation earlier this year, when General Atlantic quietly put $10 million into the company.
Quid raises $320M to loan money to startup employees using their equity as collateral — Quid has already provided loans to employees at 24 companies, including Unity, Palantir, Crowdstrike, Uber and Lyft.
Advice and analysis from Extra Crunch
What China’s fintech market can teach the world — In China, digital payments through mobile phones are ubiquitous, and there is incredible innovation around lending, investments and digital currencies.
With a 2021 IPO in the cards, what do we know about Robinhood’s Q3 performance? — Robinhood’s payment for order flow rose only modestly during Q3, according to a TechCrunch analysis of the company’s disclosures.
Dear Sophie: Can an H-1B co-founder own a Delaware C Corp? — The latest edition of attorney Sophie Alcorn’s advice column answering immigration-related questions about working at tech companies.
Pfizer says its COVID-19 vaccine is 95% effective in final clinical trial results analysis — This is an even better efficacy rate than Pfizer reported previously.
Trump fires top US cybersecurity official Chris Krebs for debunking false election claims — Last week, Krebs’ agency released a statement noting that there was “no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories.
General Motors is launching an insurance service, returning to a business that it abandoned more than a decade ago, but this time more in step with the connected-car era.
The service, called OnStar Insurance, will offer bundled auto, home and renters’ insurance, starting this year with GM employees in Arizona. GM’s new insurance agency, OnStar Insurance Services, will be the exclusive agent for OnStar Insurance. Homesite Insurance Group, an affiliate of American Family Insurance, will underwrite the program.
The services will be available to the public nationwide by the end of 2022, including people who drive vehicles outside of GM’s portfolio of Buick, Cadillac, Chevrolet and GMC branded cars, trucks and SUVs. The aim, however, is to leverage the vast amounts of data captured through its OnStar connected car service, which today has more than 16 million members in the United States.
GM’s pitch is that this data can be an asset to drivers and help them cash in on lower insurance rates based on safe driving habits.
“Our goal is really to create greater transparency and greater control for our customers in influencing what they pay for insurance and their total cost of ownership on the vehicles,” Russell Page, GM’s head of business intelligence, said in a recent interview.
The data play is substantial. The company has logged more than 121 million GB of data usage across the Buick, Cadillac, Chevrolet, and GMC brands since the launch of 4G LTE in 2014.
The increase in internet-connected vehicles has, in turn, produced loads of data. GM has been one of the data collection leaders, thanks to its long-established OnStar platform that launched in 1996. But GM is not the first, nor certainly the last, automaker to seek out ways to use that data to provide services such as insurance. Tesla, for instance, launched an insurance service in 2019 that promised to deliver rates 20% and even as high as 30% lower than other insurance providers. Earlier this year, TechCrunch reported that Rivian was hiring an insurance agency data manager, a job posting that suggested the all-electric automaker is planning to offer its own insurance to customers.
GM faces competition from the bevy of smartphone apps and dongle devices that plug into a vehicle’s OBD-II port that track a vehicle’s performance as well as driver data and are tied to discounts on insurance.
GM does have experience in the industry dating back to 1925. The automaker spun off its insurance business in 2008. GM contends that its telematics data coupled with its knowledge of the vehicle and its features will allow it to offer deep discounts to drivers.
“And we’re going to then leverage that as we learn and move forward in order to bring novel products to bear, over the next few years,” Page said. “Think of it as an iterative development process.”
A new Mac-optimized fork of machine learning environment TensorFlow posts some major performance increases. Although a big part of that is that until now the GPU wasn’t used for training tasks (!), M1-based devices see even further gains, suggesting a spate of popular workflow optimizations like this one are incoming.
Announced on both TensorFlow and Apple’s blogs, the improved Mac version shows in the best case more than a 10x improvement in speed for common training tasks.
That’s worth celebrating on its own for anyone who works in ML and finds themselves constantly waiting for their models to bake. But the fact that previous versions of TF only utilized the CPU on Macs and not the powerful parallel processors in the GPU probably limited the pool of people who inflict that problem on themselves in the first place. (Most large-scale ML training is done using cloud computing.)
The change from CPU-only to CPU+GPU could account for a great deal of the improvement, as the benchmarks on an Intel-based Mac Pro show huge gains on the same hardware. Training times once in the 6-8 second range are now measured in fractions of a second.
That’s not to say the M1 isn’t capable, but the new M1 Macs also have new GPUs, meaning the jump from nearly 10 seconds for a task on a 2019 MacBook Pro to less than 2 on a new M1 machine can only be partly attributed to Apple’s fancy first-party silicon.
I’ve asked Apple for a bit more information on how to break down these performance improvements, and will update if I hear back.
Perhaps more important for developers will be the improved battery life and heat management of the M1 devices. Performance bumps are all well and good, but if it made your machine into a hot plate, blasted your fan and made you run for the outlet in under an hour — not so good. Fortunately the M1 seems to be demonstrating remarkable efficiency under load, neither draining its reserves nor heating up too much.
You can probably expect a lot of these “now works better on M1” stories now that the new Macs are out and all the major companies can ship the updates they’ve been sitting on for the last few months.
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.
A cross-site scripting (XSS) vulnerability in Beijing Liangjing Zhicheng Technology Co., Ltd ljcmsshop version 1.14 allows remote attackers to inject arbitrary web script or HTML via user.php by registering an account directly in the user center, and then adding the payload to the delivery address.
SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.
Western Digital iNAND devices through 2020-06-03 allow Authentication Bypass via a capture-replay attack.
SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.
Jupyter Notebook before version 6.1.5 has an open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected; however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet. The issue is patched in version 6.1.5.