Nearly a decade ago, there was a website called thehunt.com that basically ran out of money and some employees were acqui-hired by pinterest.
All of the assets were left to rot and at the time the company was a good match for another startup of mine. So I reached out to the investors I found on crunchbase and asked if I could acquire everything. We worked out a deal and I did. The issue was the complete lack of people from the old company willing to assist and the complete lack of data for alot of things. There was 1 or 2 people who we could ping from the old company to ping who were super helpful, but the big thing was many things were just lost to time- passwords, history, code repos, etc..
Simply creating a new google apps account allowed us to get full access back to everything - We could even read old slack messages (even DMs!) by resetting each accounts password. The whole thing was shocking to say the least, but with that access we got back into literally every service they used and managed to get it up and running again within a week, which was a good thing because nearly every service it was using was threatening to shut it down every day for lack of payment.
I think the solution here is actually way simpler than most make it out to be and could easily be a startup for someone:
Create a startup that lets customers simply enter in domains. If the domain EVER goes into the "pendingDelete" status, inform the customer. The customer would be random SAAS's that want to protect against this type of attack and could simply choose to disallow access to any account that has had their domain go into that status.
Huh - it's almost like the mere existence of a pendingDelete in the history of a domain should make every email existing on that domain at that time eligible for https://haveibeenpwned.com/ .
Far more likely is Google was not willing to complete the deal and was pulling the plug after looking at internal data. Wiz, fearing the bad press of Google backing out rushes to tell journalists that THEY are walking away because they are worth more.
Wiz's valuation is insane. Most people havent even heard of them. I think it was a > 60x ARR multiple on this deal. Id actually be kinda pissed if I was a google shareholder and they went through with it.
Something very strange is going on with Wiz. My gut tells me if they ever IPO to go big on puts.
AD is incredibly more popular than Kerberos despite part of it using the protocole. Microsoft is everywhere in the corporate world and most people know of AD but have never heard of neither LDAP nor Kerberos.
And to be honest, it's fairly understandable. AD manages to be somewhat turnkey while doing the same thing on Linux systems is a major pain.
OpenLDAP and SSSD via PAM. It’s - well - let’s leave it at not very nice to put in place. It does the job once there however.
I am fairly convinced that Redhat, Novel and Oracle probably have a nice interface on top of it all to make it manageable and therefore have a vested interested in keeping it as awful as possible for the rest of the world.
Using ‘ldap+kerberos’ is like saying your api is ‘rest+tls’. It is a protocol/format. The value in AD is how the format is used and its impact on systems and users.
So yes, Samba sounds more sensible.
When I played with it I stayed away from self-managing something like it for linux-only systems and for mixed/cloud/online systems I use Entra Id
I don't know what Active Directory, LDAP, Kerberos, or AD DC are. I've at least heard of Active Directory though! The programming industry is vast. I've never touched webdev so I don't know countless things that most programmers know.
It can be when you're supporting AD authentication on an intranet site. I did a bunch of these for government type web apps. Not the most fun to be sure.
Yup the world is big and even though we think we have heard stuff, there are more things beyond that. For example, I know a dev who makes mobile apps and clears 500_000 / month in profit and yet their app isn't really "popular". It is crazy.
What sector is the app in, what are some other interesting (non-identifying) aspects of the app that stand in contrast to revenue? Is that in ads, or does the app have in-app purchases et al?
The only way to make that much of money is with dating apps, IMHO. There’s a million out there and some of them make really good money in certain niches.
I hadn't heard of either Wiz or Crowdstrike before... while reading the article I was thinking "$23B? Probably AI! And called Wiz? Yeah, must be AI...". Turns out I was wrong after all...
This is exactly how I felt as a shareholder. There is no real reason to pay this much and it seems like Google is the one that walked away from the deal.
While I don't have any comment on this instance, in general I think it's easier to hype the public markets who have limited information than it is to type a bunch of people doing due diligence on an acquisition, even if ultimately the latter is still a case of public market valuation through the acquiring public company. This is particularly true in the current age of extremely hype driven retail investing.
> a bunch of people doing due diligence on an acquisition
Granted, it was nowhere near this scale, but I've gone through this process as the head of Engineering for the company being acquired. At that point, the business had already decided to acquire, so the process felt more about finding any red flags and/or identifying reasons to adjust the price.
For the process itself, the company looked at nearly everything over the course of a few months. Every detail of finances, sales, tech, operations, etc. was scrutinized, culminating with 16 hours (4 for business and 12 for tech/ops) over two days of standing in front of a room with 30 people.
At the SVP level, sure, but at the IC level, I doubt any accountant gets promoted for saying "looks fine", whereas highlighting details that superiors can use to make a decision like this might be something that gets you promoted.
This is a misunderstanding I think many non-googlers have, thinking people only get promoted for launches (or in this case acquisitions). It's more nuanced than that: people get promoted for impact and while launches are one obvious form, you can sell pretty much anything useful as impact if you can show how it's useful. In the case of M&A, avoiding a bad acquisition, if you can justify it, would be impact.
If only that were the case. I can think of many instances where someone pushing for a bad deal/acquisition/product were rewarded for the visible outcome. Killing a bad idea is incredibly valuable, but I am struggling to think of an instance where that was used to justify kudos. Especially if you are the one who torpedoes a big wigs initiative.
I think the argument is that it's much easier to show impact when you go with the flow and launch a product or complete an acquisition no matter how shitty. It's a lot harder to get promoted for saying that you need to delay launch by 6 months because of some metrics or details even if that would eventually prove to be the right decision.
Having done compartmentalized (I wasn't on the team acquiring) technical due diligence two times, my job had nothing to do with if the acquisition was a good idea or not. My job was to vet if they had what they were saying they had or if it was all smoke and mirrors. As others have said, the decision was already made to buy them, I was just vetting that we were buying what we thought we were buying. I also would look for the smouldering tech debt and cost out moving to our tech platforms (AWS). And I'd answer risk but not IP questions for the acquiring manager.
The only way I'd tank a deal was by identifying that it was in fact smoke and mirrors.
On the one hand, even with the post-crash dip, CRWD has a $60.9 billion market cap, there's certainly marketshare to be taken from them. On the other hand, Wiz doesn't have an endpoint protection product (which is what failed for CRWD). They'd have to build one from scratch, which requires dedicated talent (engineers with kernel experience) that they might not have.
If anyone is going after CRWD it'll be one of their other competitors.
These numbers sound like a complete out of world fantasy to me. CRWD has a product that the user is not going to notice, best case. Now you said Wiz doesn't even have that one (what does it have then?)
And their valuation is on par with the whole annually Western support of Ukraine. A country at war and with 30M people in it. That for some completely invisible product.
It is also 17 millions of these most expensive brand new 155m artillery shells.
I think this is just a representation of where the money is in the world. Two things:
- stocks are called stocks for a reason, they're not flows. $60bn is effectively an estimate of all future profits of the company over its lifetime
- Crowdstrike generates a return by charging enterprises huge amounts of money to feel secure and tick security boxes (Actual security is questionable). Big enterprises have a lot of money to waste, but they feel they're getting a return on it
- hardly anyone outside Ukraine gets a specific return from backing Ukraine. The same goes for all sorts of other worthy projects of the "end world hunger" kind - there's huge benefits, but not to the people actually spending the money.
Pretending that being geopolitical superpower has no direct economic benefits is just silly. If USD lost the status of world's reserve currency it would have pretty catastrophic consequences for US economy.
How do I, as an individual investor, capture the return of sending a shell to Ukraine?
> If USD lost the status of world's reserve currency it would have pretty catastrophic consequences for US economy
.. but for everyone at once. Collective action problem. You've argued why it's in the interest of the US government to tax people and send shells to Ukraine, but this is not an argument for Blackrock to divert VC funding to individual armored brigades.
It's hard to make a leap from war to company valuation. Also Ukraine support is highly inflated number. If say Ukraine gets supplied with an old design MLRS rockets from US that was slated to be replaced in a few years and had very limited shelf life remaining the number counted is not the market cost of that old rocket (which would be a few 100K) but the 3 mil new top of the line replacement thing that US is producing for itself and Ukraine will never see.
At the very least I would expect to see a 5 billion market cap, and if their growth rate is good (4 year old company, seems to be) it should be higher than that
It is an entirely different problem with almost nothing in common with their existing product, and there are a ton of incumbents, some of whom are even quite good (Carbon Black, SentinelOne, etc)
You’re trying to prove a point with no point. Yes, anyone can build anything. There is always room for more contenders when there are existing incumbents. The sky is still blue, and the grass is still green.
But it would make no sense for Wiz to do that, as they don’t have any “secret sauce” as it comes to endpoint security. They haven’t solved the problems that took Crowdstrike down.
It is not in their wheelhouse. It would be a waste of money and time.
Could they? Sure. Should they? Definitely not. It’s a commoditized space at this point, unless they have some new ideas which, if they did, they’d have already begun discussing.
Carbon Black did well because it turned endpoint security on its head. Not because it was a “better AV”
I work for a smaller player and we have solved the problem that took crowdstrike down from the get go agent will rollback to previous content version if it crashes on the content related steps. That had 0 value for marketing till now. Crowdstrike has never being at the top of the pile on efficacy of detection either so your idea that market position is even remotely related to some secret sauce is a fantasy.
Hang on, please don’t misread what I wrote as implying that Crowdstrike had some “secret sauce.” They suck, so much. I have been beating that drum for the better part of a decade. (My former boss founded Carbon Black, and my background is in vuln RE and exploit dev/weaponization)
I agree - them being at the top of the market implies exactly nothing about whether their product is any good or has any special moat or differentiator.
All I am saying is to beat them, you’d need something new. “The same as Crowdstrike but we use 2-stage recoverable updates” is fine, but not enough of a compelling pitch to swap vendors en masse. Not even now.
And given that it’s a pretty commoditized space (to which I think you’d agree, at least for “classic” tools), it may not be worth beating if you don’t have anything new.
They’d be competing with Crowdstrike, SentinelOne, Microsoft Defender, and Trend Micro not to mention existing CNAPP/CSPM offerings that have an agent for cloud runtime security as well as other cloud runtime security focused startups.
Adding a runtime security and EDR offering is not going to get them to a $23B valuation.
Honestly you just need to have good marketing and a passable product. The "secret" none talks much about all top tier APT groups run labs and test their exploit families agains all top tier Endpoint solutions. So none of them can stop a determined well resourced adversary but that not in any of the marketing booklets.
Oh, of course. I was that well-resourced adversary (through the USG) for some time. :)
I just mean that if you want to own the market, you will not be able to do that unless you provide something fresh, and it will be a race to the bottom otherwise, in the long run. The same as dynamic web app scanning is today.
At Wiz's valuation, if they were to enter that space, they couldn't be 'just another player.' They'd have to own the space. And I don't think they can do that purely through marketing, as others are already much more entrenched.
They’ve had some really nice writeups but I always thought they were your generic security firm doing some bug hunting. Recently I happened upon their domain submissions to HN and saw they raised $1b+ and was like wtf? What do they actually do? I mean what are their products that people pay for?
Maybe there are obvious answers to these questions, but if a company is worth $23bn I’d expect that as somebody in the industry, I could answer them without doing in depth research.
This is exactly the kind of gut feeling of “something’s off” that I’ve learned to pay attention to.
> Wiz combines a graph search for asset management with agentless vuln and malware scanning that clones EBS volumes and scans them on their infrastructure. That's a great combo for vuln management, but has some downsides like delays between scans and cloud costs. They have a sensor with solid detection rules, and are okay at a bunch of other stuff like cloud log threat detection and sensitive data detection. They've basically pushed what you can do without an agent to the limit.
From the explanation here it sounds completely opposite concept, they download the server and check it rather than doing the checks on production environment
This sounds uselessly crippled, as it's not going to catch malware that doesn't drop anything to disk, or that adequately cleans up after itself if it does.
I would assume they could also dump memory, i.e. `/dev/mem`. Agreed they would need to also do frequent memory snapshots, but lots of malware will also run in the background waiting indefinitely, and often as the same name as common Linux processes but different hashes.
Even if it’s sitting in the background under a spoofed process name, it can be caught with memory dumps.
Memory dumps are obnoxiously useful for detecting stealthy malware, especially if you do the memory dumps from the hypervisor instead of from the VM itself.
> For Wiz, a $23 billion sale price was irresistible. Google would value the startup at 46 times the $500 million in annual recurring revenue it currently generates, a person familiar with the matter said.
> Far more likely is Google was not willing to complete the deal and was pulling the plug after looking at internal data
Wouldn't it be more likely that they would have lowered their offer after seeing the internal data - perhaps so much that Wiz would certainly walk away.
The destruction of synapse is because of one thing: They were way, way too reliant on mercury, who was there far and away largest client. Mercury woke up one day, chose violence and left synapse to work directly with evolve.
My understanding from folks familiar was the Evolve decided to cut Synapse out, not Mercury (prioritizing direct relationships with non bank entities vs via middleman). Is that not accurate? Evolve recently sunset many fintech relationships over the last 18 months, so it being their decision would not be surprising.
All the existing databroker remover tools are flawed because they make use of manual labor to remove you from sites, primarily done by people in third world countries.
We @ https://redact.dev are working on a pure software mechanism for doing these optouts directly from your own device. We already have full mass deletions for over 40 social media and utilitys.
I really dislike the trend of making everything a subscription service. I can imagine a niche market that wants to continuously delete content older than an arbitrary window but isn't this the sort of service that most users would need only need sporadically?
The pricing seems to implicitly acknowledge this: $35/m billed monthly vs $8/m billed annually! Would you really expect anyone to intentionally renew monthly? I can't argue that people forgetting to unsubscribe pays the bills, but as a business model it leaves a bad taste.
Not really. There's a fairly small and stable number of companies that actually collect and resell information about you. There is also about a zillion ephemeral web front ends that republish this data, however. I suspect this is done for a reason, but a bit of sleuthing quickly reveals who the big players are.
These "data removal" services spend a lot of effort going after the frontends, which is pretty self-serving: they can show the customer that there's something new to remove every single month or quarter, so you have to keep paying forever.
What else could they do? They're working within a system that the government designed, and the government always designs things to keep people running on the hamster wheel.
OK so if Optery reports 330 removals, how many removals did they actually have to do on their end? A hundred? Thirty? Ten? Why should we care? If you pay a man to remove the snow from your driveway, would you be upset if he used a plow rather than a shovel?
Wouldn't you be upset if you paid him hourly so he used a spoon and went slowly enough that snow accumulates faster than he'll ever clear your driveway ?
Parent's argument is that current approach leads to an endless cat and mouse game the user ends up paying, when there would be ways to end it faster and cheaper.
Yes but how is that the fault of removal services? They can't do anything to stop the usual suspects from filing for a fresh corporation from Delaware each week.
Does that mean the user keeps paying just to have someone somewhere do "something" ?
And that, even if fundamentally it can't solve the sutiation, can't prove it's even improving in any specific ways (telling you it removes hundreds of instances doesn't tell you how many have been added in the meantime), and they also have no incentives to be too zealous as the numbers in the reports would be going down and the motivation to subscribe also diminish.
Ps: perhaps the way out of this is to make it a non profit that provides jobs to people in need, and have the subscription a recurring donation ?
there are a handful of large data brokers like lexisnexis, they’ll sell their scraped public data to anyone
random companies will buy the data, do a little collation and merge datasets from multiple sources, start their own frontend, and resell it to consumers doing google searches for phone numbers, names, etc
because they’re not directly affiliated with the primary brokers, there are hundreds of these independent frontends… and unless you contact each one, they can all resell their data (even to each other)
so if you miss one removal, it’s possible your data gets picked up by a new frontend from that frontend… your data can kind of proliferate through this gross ether forever
This explains some trends where posts are being edited on Reddit with nonsense then deleted. Personally, I think this kind of behavior makes the web poorer as a knowledge base. Yes you have a right to do it with your own content, but doing it at scale makes the internet a less useful tool and it makes me a bit sad since the scrapers will already have the data anyway.
Those are mostly in response to reddit's API changes. By editing the comments before deletion, the archives also get wiped and it takes a bit more effort for reddit to restore deleted comments behind users' backs.
Yes, it makes the web poorer as a knowledge base, but it's in response to companies like reddit ruining the internet by baiting in users, changing the agreement and then trying to keep the content that was written under the previous agreements.
Hopefully it just makes sites remove the ability to edit or delete things once they've been published. Especially forums where things have been referenced by other things.
As much as I routinely fine-tune and fix up a comment after initially writing, I will happily go back to the old days before such ability became common, in trade for the sanity of references that don't disappear or change meaning after the fact. The typos don't hurt as much as the swiss cheese and schitzo conversations.
> Privacy: Archivists recognize that privacy is an inherent fundamental right and sanctioned by law. They establish procedures and policies to protect the interests of the donors, individuals, groups, and organizations whose public and private lives and activities are documented in archival holdings. As appropriate and mandated by law, archivists place access restrictions on collections to ensure that privacy and confidentiality are maintained, particularly for individuals and groups who have had no voice or role in collections’ creation, retention, or public use. Archivists should maintain transparency when placing these restrictions, documenting why and for how long they will be enacted. Archivists promote the respectful use of culturally sensitive materials in their care by encouraging researchers to consult with those represented by records, recognizing that privacy has both legal and cultural dimensions. Archivists respect all users’ rights to privacy by maintaining the confidentiality of their research and protecting any personal information collected about the users in accordance with their institutions’ policies.
The problem with the wholesale deletion of comments is that it also affects other people. For example if we have a back-and-forth constructive conversation here and one of us deletes all comments, then the value of the other person's comments are diminished, and sometimes even incomprehensible.
It's pretty clear you're putting something in the public when you're commenting on HN; this isn't a surprise and nothing is done surreptitiously. If you contribute to a debate in some TV discussion programme then you can't have that deleted later either.
And there are options without wholesale deletion: specific comments can be deleted or edited for specific reasons, and your account can be "soft-deleted" by changing your username to something random.
If you want to have more ephemeral temporary conversations then that's fair! But HN is not the right platform for that, IMHO.
a real flaw is that companies in this niche are actually centralizing data to re-sell while adding a new line in the dataset that says "wanted to remove their data footprints"
easyoptouts.com, which I work on, doesn't use manual labor - everything is automated! It's definitely important to avoid giving more people access to the data.
edit: and as a result of automation, our prices are also way lower than most similar services
Many databrokers make it very difficult to remove your info, on purpose, of course. That is why the legit removal providers have to rely on manual labor for some. I'd love to see it fully automated, but I'll believe it when I see it. Last I checked, Optery was removing 325+. Best of luck-- you have a long way to go.
Edit: this looks like a totally different service. Mass deletion of old posts is one thing, removing PII from data brokers is another.
We are working on a fully local version of this @ https://redact.dev - Beta should be out within a month or so. Huge (obvious) advantages for doing it locally
You can trust them only as much as you think they have self interest in not being sued for doing something nefarious.
That said, they could very easily have a data breach and every customers full info would then be out in the wild.
Were not talking about ordinary payment details either, just full on dox - every address you have lived at, your license scan, all emails, phone numbers, its crazy. Id be willing to bet all these services are targeted quite alot as well because the people who would be willing to pay for this stuff are likely the ones with the most to lose.
I made a post lower in this thread but in general this entire model is flawed. Deletions should happen directly between your device and the service in question.
Also, its just as important to wipe the data YOU create as the data other people create about you. Just like databrokers, you can either do it manually or automated.
Check out https://redact.dev if you want to automate that part at least (I'm on the team)
> they could very easily have a data breach and every customers full info would then be out in the wild
Based on the many notifications I've received from hospitals and insurance providers telling me they've allowed my private information to get repeatedly pilfered, at this point I operate under the assumption that if any organization collects information about me, it's going to leak within the next 5-ish years.
The first and most effective line of defense is to not let the data brokers collect your information in the first place.
All of the assets were left to rot and at the time the company was a good match for another startup of mine. So I reached out to the investors I found on crunchbase and asked if I could acquire everything. We worked out a deal and I did. The issue was the complete lack of people from the old company willing to assist and the complete lack of data for alot of things. There was 1 or 2 people who we could ping from the old company to ping who were super helpful, but the big thing was many things were just lost to time- passwords, history, code repos, etc..
Simply creating a new google apps account allowed us to get full access back to everything - We could even read old slack messages (even DMs!) by resetting each accounts password. The whole thing was shocking to say the least, but with that access we got back into literally every service they used and managed to get it up and running again within a week, which was a good thing because nearly every service it was using was threatening to shut it down every day for lack of payment.
I think the solution here is actually way simpler than most make it out to be and could easily be a startup for someone:
Create a startup that lets customers simply enter in domains. If the domain EVER goes into the "pendingDelete" status, inform the customer. The customer would be random SAAS's that want to protect against this type of attack and could simply choose to disallow access to any account that has had their domain go into that status.