StrictlyVC: March 2, 2018

Hope you have a fantastic weekend, everyone.:)

YouTube last year stopped hiring white and Asian males for technical positions because they didn’t help the world’s largest video site achieve its goals for improving diversity, according to a civil lawsuit filed by a former recruiter for the company. The suit could embolden other critics of Google’s efforts to promote workforce diversity. The WSJ has more here.

What do Even, EARN, EarnUp, EverSafe, and Everlance have in common? ALL are alumni of the Financial Solutions Lab virtual accelerator (and ostensibly, all like the letter E), which is now accepting application for its next class. Selected companies get $250,000 plus access to resources that can help them find their way through fintech regs and consumer pain points, helping them to scale and thrive. Check out FinLab’s Impact Report, and apply now.

In November, Uber disclosed that a year earlier, in 2016,  hackers had stolen 57 million driver and rider accounts and that it paid them a $100,000 ransom to delete the information. The breach was reportedly part of Uber’s bug bounty program, wherein it pays hackers to test its software for vulnerabilities. But the amount was exorbitant by typical standards, and the episode has fueled criticism over the bug bounty practice, which is seen by some as funding criminal activity.

At our StrictlyVC event in San Francisco this week, Marten Mickos, the CEO of HackerOne — which runs Uber’s bug bounty program — answered questions about Uber’s hacking, which is now the subject of at least four lawsuits. His interviewer, cybersecurity reporter Kate Conger, also pressed him on the definition of a good versus bad hacker — and whether there’s much of a difference.

Excerpts from their sit-down follow, edited for length.

KC: For those who don’t know, what does HackerOne do?

MM: The simple truth today is that every single system will get hacked. And the only question is, who do you want to get hacked by? People you trust or criminals? If you choose the former, you swallow that pill, you come to us. We have 160,000 ethical hackers in our network who will hack you within 24 hours. They’ll tell you how they broke in and you’ll pay them a lot of money, but it’s much, much less than if you swallow the other pill.

KC: You were in the news recently and maybe not for the most positive reasons: You administered Uber’s bug bounty program and it got wrist-slapped for [losing the data] of 57 million people and paying out $100,000 to the hacker to keep him quiet. Do you think that behavior muddies the water between ethical hackers and bug bounty programs and bribery?

MM: I’m not here to comment on any particular case. I can note, however, that it hasn’t been shown than 57 million records have been lost forever. They might have been lost for a short time only, but we’ll leave that to others to figure out. But it’s clear that in the world of hacking, if there is intrusion and data exfiltration or extortion, it has nothing to do with ethical hacking or bug bounty programs.

The line there is very clear. We’re very fortunate to run Uber’s bug bounty program and many other really large programs [including for the U.S.] Air Force, Army, and Pentagon. So sure, with technology always, it’s the same technology used for good and bad purposes, and technology itself doesn’t have an opinion about what it’s being used for.

KC: So is that the ethical line between a good and bad hacker — data exfiltration? You can break in as long as you don’t take anything?

MM: The difference between the hacker and the criminal is intent. If you’re an ethical hacker and you’re looking for vulnerabilities in order to report them, you must break in. If you have a neighborhood watch and you ask your neighbors to see if they can break into your house, they have to break in to show you that they can do it. Once inside the house, they shouldn’t take anything, though.

The same idea applies [with bounty programs]. [Hackers] have to show that it’s possible to break in. That’s where you get to the question of authorized versus unauthorized conduct, and then again, it’s the owner of the house who decides which is which. When you break into the house, how much do you need to do? Do you need to bring something outside to show it was possible or not? And that’s an individual decision for every customer of ours, who determines what they need as proof. The more proof you need, the deeper the hackers need to go to find it.

KC: In the security industry in particular, a lot of things that are considered best practices seem from the outside sketchy, for lack of a better word.

More here.

Ascent Technologies, a three-year-old, Chicago-based regulatory technology company, has raised $6 million in Series A funding led by Alsop Louie Partners, with participation from individual investors, including Randall Kroszner, who previously served as a governor of the Federal Reserve. More here.

C2FO, an eight-year-old, Kansas City, Ks.-based online marketplace where buyers – including Amazon, Costco, and Nordstrom — can negotiate with suppliers, has raised a whopping $100 million in fresh capital. Munich-based Allianz X and Abu Dhabi-based Mubadala Investment Company co-led the round, with participation from earlier backers Temasek, Union Square Ventures and Mithril Capital. Regional outlets believe it’s the largest venture-backed funding round the region has seen.More here.

Chehaoduo, a Bejing, China-based online car-trading platform, has closed on nearly $820 million(!) in its latest round of fundraising from a consortium led by internet giant Tencent Holdings. Other investors in the Series C round include Sequoia Capital, Yunfeng Capital, ICBC International and IDG Capital. China Money Network has more here.

EnsoData, a three-year-old, Madison, Wi.-based artificial intelligence company that caters to the sleep medicine community, has raised $1.5 million in seed funding led by Colle Capital, with participation from HealthX Ventures, Sternhill Associates, Wisconsin Investment Partners, and M25 Group. More here.

FreshAddress, a 19-year-old, Newton, Ma.-based email marketing database services company, has raised an undisclosed amount of funding from TZP Growth Partners. More here.

Finch Therapeutics, a four-year-old, Somerville, Ma.-based microbiome therapeutics company that uses machine learning algorithms to reverse engineer successful fecal transplantations and other clinical datasets, has raised $36 million in Series B financing. Investors included Shumway Capital, Willett Advisors,Morgan Noble and Avenir Growth Capital. More here.

Magazino, a four-year-old, Munich, Germany-based maker of mobile warehouse robots, has raised $24.8 million in funding. Körber Group led the round, with participation from other investors, including Cellcom, Zalando and Fiege Logistics. More here.

NestAway, a nearly four-year-old, Bengaluru, India-based home rental startup, has raised $51 million in Series D funding from Goldman Sachs and UC-RNT Fund. Earlier investors IDG India and Tiger Global Management also participated in the round. The Hindu has more here.

Saturas, a nearly five-year-old, Israel-based agricultural startup whose sensing system collects real-time data and transmits it to farmers’ automated irrigation control systems, has raised $4 million in funding. Investors include Hubei Forbon Technology Co., Gefen Capital and the Israeli collective farm Ramat Magshimim. AgFunder News has more here.

Scalefast, a four-year-old, Manhattan Beach, Ca.-based direct-to-consumer digital commerce platform that helps lifestyle brands with everything from design to customer service to back-office accounting, has raised $8 million in Series A funding. BGV led the round; other participants included Adara Ventures, B&Y, French Partners and CIC Capital. More here.

Tagnos, an eight-year-old, Irvine, Ca.-based company whose SaaS platform analyzes data from clinical systems to facilitate patient flow through the hospital, has raised $5 million in funding, including from Benhamou Global Ventures, Morpheus Ventures and Zebra Ventures. More here.

TickX, a three-year-old, Manchester, U.K.-based startup behind a search engine and discovery platform for events and other “attractions” tickets, has raised £3 million ($4.1 million) in Series A funding. BGF Ventures led the round, with participation from earlier backers Ministry of Sound and 24Haymarket. TechCrunch has more here.

Trizic, a 5.5-year-old, San Francisco-based cloud based platform that enables its wealth management clients to interact with financial firms, has raised $10 million in Series A funding. Sorenson Ventures led the round, and was joined by investorsFIS, Freestyle Capital, Broadhaven Capital Partners, PEAK6 and Commerce Ventures. More here.

ABC News and The Atlantic are among several finalists interested in purchasing Nate Silver’s statistics and data analysis blog FiveThirtyEight from ESPN, says the WSJ.

An investor group led by former Obama official Maria Contreras-Sweet and billionaire Ron Burkle has agreed to an eleventh-hour $500 million takeover of The Weinstein Co. More here.

Publicly traded storage company Box fell 23 percent yesterday, after giving weak revenue guidance for the coming year. Its decline could dampen the prospects for competitor Dropbox, which is right now planning its IPO, says Seeking Alpha.

Garrett Camp, best known for being a co-founder of Uber and founder of the accelerator and venture fund Expa, is launching his own cryptocurrency.

Industry Ventures has promoted Lindsay Sharma and Ira Simkhovitch to principals on its secondaries investment team. Sharma joined the firm three-and-a-half years ago after working in corporate development at Intuit. Simkhovitch joined around the same time after working as an associate with the Carlyle Group.

Uber cofounder and former CEO Travis Kalanick is joining the board of his friend’s medical office software company, Kareo.

Brian Koo’s offshoot of Formation 8 is done investing out of its debut fund and doesn’t plan new fundraising.

China is using a recent tweet from Elon Musk as a propaganda tool to promote its infrastructure development.

Terminator-style artificial intelligence scenarios are just “one to two decades away,” former Alphabet chairman Eric Schmidt told a terrified audience at a security conference in Munich this week.

Zenreach, a WiFi marketing startup that has raised $80 million from high-profile investors, including Joe Lonsdale, Peter Thiel and Marc Andreessen, just laid off 20 percent of its employees. Its CEO has also been replaced.

Touchdown Ventures, the nearly four-year-old outfit that partners with corporations and helps them manage their own venture capital platforms, is hiring a venture capital analyst in Philadelphia and an associate in San Francisco. It’s also looking for an MBA intern to help it out this spring and summer. (That role is in San Francisco, too.)

Instagram might add video and voice calling.

Ride-hailing giants Uber and Lyft are delivering pitiful levels of take-home pay to the hundreds of thousands of U.S. independent contractors, according to an MIT CEEPR study.

Last week, three-year-old social network Vero had fewer than 150,000 downloads. Now it has nearly 3 million. But as the app has grown in popularity, the company and its founder have come under scrutiny.

Seth Meyer takes a closer look at Jared Kushner.

EcoCamp.