Why aren’t we using SSH for everything?


(Previous title: SSH, how does it even?)

A few weeks ago, I wrote ssh-chat.

The idea is simple: You open your terminal and type,

$ ssh chat.shazow.net

Unlike many others, you might stop yourself before typing “ls” and notice — that’s no shell, it’s a chat room!

While the little details sink in, it dawns on you that there is something extra-special going on in here.

SSH knows your username

When you ssh into a server, your client shares several environment variables with the server; among them is the $USER variable. You can override this, of course, by specifying the user you’re connecting as, like so:

$ ssh [email protected]

Well look at that, you’re the one. So special. What else can we mess with? By default, the server gets your $TERM variable too.

$ TERM=inator ssh chat.shazow.net

If ssh-chat was smart, it would recognize that your custom terminal might not support colours and skip sending those extra formatting characters.

You can even push your own environment variables with a SendEnv option flag, but we won’t get into that.

SSH validates against your key pair

There are several supported authentication methods in SSH: none, password, keyboard-interactive, and publickey. They each have interesting properties, but the last one is especially handy.

When your SSH client connects to a server, it negotiates an acceptable authentication method that both support (typically the reverse order of the above). If you’ve specified the identity flag or have some keys lying around in your ~/.ssh/ directory, your client will offer up some public keys to authenticate against. If the server recognizes one of those keys, such as if they’re listed in authorized_keys, then a secure handshake will begin verifying that you hold the private key to that public key but without revealing what the private key is. In the process, the client and server securely agree on a temporary symmetric session key to encrypt the communication with.

What does this mean? It means that SSH has authentication built into the protocol. When you join ssh-chat, not only do I know who you claim to be, but I can also permanently and securely attach an identity to your connection without any user intervention on your part. No signup forms, no clicking on links in your email, no fancy mobile apps.
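The proof-of-possession step described above, as an added example (not code from ssh-chat or OpenSSH): the client signs the session identifier plus the authentication request, and the server checks that signature against a key it already lists. The `authorized` map, the user name and the random session identifiers are assumptions of this sketch, and the raw signature is passed without the wire-format wrapper real SSH puts around it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// putString appends an SSH "string": a big-endian uint32 length, then the bytes.
func putString(buf *bytes.Buffer, s []byte) {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(s)))
	buf.Write(n[:])
	buf.Write(s)
}

// keyBlob encodes an Ed25519 public key the way SSH sends it on the wire.
func keyBlob(pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	putString(&b, []byte("ssh-ed25519"))
	putString(&b, pub)
	return b.Bytes()
}

// signedData lays out the bytes the publickey signature covers (RFC 4252,
// section 7). The session identifier comes first, so a signature is only
// valid for the one key exchange it was made in.
func signedData(sessionID []byte, user string, blob []byte) []byte {
	var b bytes.Buffer
	putString(&b, sessionID)
	b.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	putString(&b, []byte(user))
	putString(&b, []byte("ssh-connection"))
	putString(&b, []byte("publickey"))
	b.WriteByte(1) // TRUE: this request carries a signature
	putString(&b, []byte("ssh-ed25519"))
	putString(&b, blob)
	return b.Bytes()
}

// clientSign is the client's half: offer the public key blob and a signature.
func clientSign(priv ed25519.PrivateKey, sessionID []byte, user string) (blob, sig []byte) {
	blob = keyBlob(priv.Public().(ed25519.PublicKey))
	return blob, ed25519.Sign(priv, signedData(sessionID, user, blob))
}

// serverVerify is the server's half. authorized maps key blobs to identities
// (a hypothetical stand-in for authorized_keys); the private key is never seen.
func serverVerify(authorized map[string]string, sessionID []byte, user string, blob, sig []byte) (string, bool) {
	identity, known := authorized[string(blob)]
	if !known || len(blob) < ed25519.PublicKeySize {
		return "", false
	}
	pub := ed25519.PublicKey(blob[len(blob)-ed25519.PublicKeySize:])
	if !ed25519.Verify(pub, signedData(sessionID, user, blob), sig) {
		return "", false
	}
	return identity, true
}

// runDemo uses freshly generated (constructed) keys and session identifiers.
func runDemo() (fresh, replayed, stranger bool) {
	alicePub, alice, _ := ed25519.GenerateKey(rand.Reader)
	_, mallory, _ := ed25519.GenerateKey(rand.Reader)
	authorized := map[string]string{string(keyBlob(alicePub)): "alice's key"}

	session1, session2 := make([]byte, 32), make([]byte, 32)
	rand.Read(session1)
	rand.Read(session2)

	blob, sig := clientSign(alice, session1, "alice")
	_, fresh = serverVerify(authorized, session1, "alice", blob, sig)
	_, replayed = serverVerify(authorized, session2, "alice", blob, sig) // other session
	blob, sig = clientSign(mallory, session1, "alice")
	_, stranger = serverVerify(authorized, session1, "alice", blob, sig) // unlisted key
	return fresh, replayed, stranger
}

func main() {
	fresh, replayed, stranger := runDemo()
	fmt.Println("signature made for this session accepted:", fresh)
	fmt.Println("same signature replayed in another session accepted:", replayed)
	fmt.Println("signature from a key that is not listed accepted:", stranger)
}
```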

A future version of ssh-chat will allow you to create a permanent account which is validated against your key pair, and these permanent accounts might have all kinds of special features like username ownership, always-online presence, and push notifications over Pushover or email.

SSH connections are encrypted

The server uses the same kind of key pair as a client would. When you connect to a new SSH host, you get a message that presents a “key fingerprint” for you to validate. The fingerprint is the hex of a hash of the server’s public key.

What does it mean if you try to connect to chat.shazow.net and you see a different fingerprint hash? You’re being man-in-the-middle’d.

Your local neighbourhood clandestine security agency could make an SSH server that just acts as a proxy in front of another SSH server you frequent (using something like sshmitm) and log everything that is going on while passing it through. Fortunately, as long as the proxy doesn’t have the original server’s private key, then the key fingerprint will be different.

Once you accept a fingerprint, it will be added to your ~/.ssh/known_hosts where it will be pinned to that host. This means if the key for the host ever changes, you’ll be greeted with this appropriately-scary message:

A host you’ve connected to previously is advertising a different public key than it did before. If you can’t account for this change (maybe you launched a new VPS on the same IP address as before and it generated a fresh SSH key pair?) then it’s worth being worried. Try connecting to this host from another network, see if the problem persists — if not, then someone is hijacking your local connection rather than the server’s connection.
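Added example (not code from the original post or from OpenSSH) of the two checks described in this section: computing a key fingerprint, and comparing a presented host key with the pins in a known_hosts file. The key blobs, salt and the address 203.0.113.7 are constructed sample data; wildcard host patterns and `@cert-authority`/`@revoked` lines are skipped in this sketch.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

var b64 = base64.StdEncoding

// fingerprints returns both forms OpenSSH prints for a public key blob: SHA256
// as unpadded base64, and the older MD5 as colon-separated hex.
func fingerprints(blob []byte) (sha, legacy string) {
	s, m := sha256.Sum256(blob), md5.Sum(blob)
	sha = "SHA256:" + base64.RawStdEncoding.EncodeToString(s[:])
	return sha, "MD5:" + strings.ReplaceAll(fmt.Sprintf("% x", m[:]), " ", ":")
}

// keyTypeOf reads the algorithm name that starts every SSH public key blob
// (uint32 length, then the name); it returns "" for a malformed blob.
func keyTypeOf(blob []byte) string {
	if len(blob) < 4 || uint64(binary.BigEndian.Uint32(blob)) > uint64(len(blob)-4) {
		return ""
	}
	return string(blob[4 : 4+binary.BigEndian.Uint32(blob)])
}

// hashHost builds the HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host)).
func hashHost(salt []byte, host string) string {
	mac := hmac.New(sha1.New, salt)
	mac.Write([]byte(host))
	return "|1|" + b64.EncodeToString(salt) + "|" + b64.EncodeToString(mac.Sum(nil))
}

// hostMatches reports whether a known_hosts host field covers host, for hashed
// entries and for comma-separated plain names.
func hostMatches(field, host string) bool {
	if parts := strings.Split(field, "|"); len(parts) == 4 && parts[1] == "1" {
		salt, err := b64.DecodeString(parts[2])
		return err == nil && strings.HasSuffix(hashHost(salt, host), "|"+parts[3])
	}
	for _, name := range strings.Split(field, ",") {
		if name == host {
			return true
		}
	}
	return false
}

// checkHost compares the key a server presents with the pins for host. It
// returns "match", "changed" (pinned to a different key) or "unknown".
func checkHost(knownHosts, host string, presented []byte) string {
	result := "unknown"
	for _, line := range strings.Split(knownHosts, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || strings.HasPrefix(f[0], "#") || strings.HasPrefix(f[0], "@") {
			continue // blank line, comment, or marker line
		}
		pinned, err := b64.DecodeString(f[2])
		if err != nil || keyTypeOf(pinned) != f[1] || f[1] != keyTypeOf(presented) || !hostMatches(f[0], host) {
			continue // malformed entry, other key algorithm, or other host
		}
		if bytes.Equal(pinned, presented) {
			return "match"
		}
		result = "changed"
	}
	return result
}

// sampleBlob builds a constructed (not real) ssh-ed25519 public key blob.
func sampleBlob(fill byte) []byte {
	blob := append([]byte{0, 0, 0, 11}, "ssh-ed25519"...)
	blob = append(blob, 0, 0, 0, 32)
	return append(blob, bytes.Repeat([]byte{fill}, 32)...)
}

// sampleKnownHosts is constructed data: one plain entry and one hashed entry.
func sampleKnownHosts() string {
	key := b64.EncodeToString(sampleBlob(0x11))
	return "# constructed known_hosts\n" +
		"chat.shazow.net,203.0.113.7 ssh-ed25519 " + key + "\n" +
		hashHost([]byte("constructed salt"), "mud.shazow.net") + " ssh-ed25519 " + key + "\n"
}

func main() {
	kh := sampleKnownHosts()
	for _, fill := range []byte{0x11, 0x22} { // 0x11 is pinned, 0x22 stands in for a proxy
		sha, _ := fingerprints(sampleBlob(fill))
		fmt.Println(checkHost(kh, "chat.shazow.net", sampleBlob(fill)), sha)
	}
}
```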

SSH supports multiplexing

When your client connects to a server, it opens a channel where it requests a specific feature. There are many fun things your client can request like pty-req (a pseudo-terminal), exec (run command), or even tcpip-forward (port forwarding). There are many others, and there is nothing stopping you from inventing your own type for a custom client/server implementation. Maybe we’ll see a chat channel someday?

The best part is that you can do all of these things concurrently: Start port forwarding while opening a shell while having some command run in the background.

Once your pipeline is opened, you can send more commands within it. When your client opens a pty-req, it sends event updates such as window-change whenever your terminal size changes.
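Added example (not ssh-chat's or OpenSSH's code): a bounds-checked decoder for the channel requests named in this section, following the SSH_MSG_CHANNEL_REQUEST layout in RFC 4254. It also shows where the client-supplied $TERM mentioned earlier arrives (inside pty-req); the sample packets are constructed and the helper names are this example's own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const msgChannelRequest = 98 // SSH_MSG_CHANNEL_REQUEST (RFC 4254)

// Request is one decoded channel request; only the fields for its Type are set.
type Request struct {
	Channel    uint32 // which multiplexed channel the request is for
	Type       string
	WantReply  bool
	Term       string // pty-req: the client's $TERM
	Cols, Rows uint32 // pty-req and window-change
	Command    string // exec
}

// reader walks a payload and records the first out-of-bounds read.
type reader struct {
	b   []byte
	bad bool
}

func (r *reader) take(n uint32) []byte {
	if r.bad || uint64(n) > uint64(len(r.b)) {
		r.bad = true
		return nil
	}
	out := r.b[:n]
	r.b = r.b[n:]
	return out
}

func (r *reader) u32() uint32 {
	if v := r.take(4); v != nil {
		return binary.BigEndian.Uint32(v)
	}
	return 0
}

func (r *reader) str() string { return string(r.take(r.u32())) }

// parseChannelRequest decodes one request; unknown types keep only header fields.
func parseChannelRequest(p []byte) (Request, error) {
	if len(p) == 0 || p[0] != msgChannelRequest {
		return Request{}, errors.New("not a channel request")
	}
	r := &reader{b: p[1:]}
	req := Request{Channel: r.u32(), Type: r.str()}
	want := r.take(1)
	req.WantReply = len(want) == 1 && want[0] != 0
	switch req.Type {
	case "pty-req":
		req.Term, req.Cols, req.Rows = r.str(), r.u32(), r.u32()
		r.take(8) // width and height in pixels
		r.str()   // encoded terminal modes
	case "window-change":
		req.Cols, req.Rows = r.u32(), r.u32()
		r.take(8) // width and height in pixels
	case "exec":
		req.Command = r.str()
	}
	if r.bad {
		return Request{}, errors.New("truncated or oversized field")
	}
	return req, nil
}

// Encoders used only to build the constructed sample packets.
func encU32(v uint32) []byte { return []byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)} }
func encStr(s string) []byte { return append(encU32(uint32(len(s))), s...) }

func packet(channel uint32, kind string, wantReply byte, body ...[]byte) []byte {
	head := [][]byte{{msgChannelRequest}, encU32(channel), encStr(kind), {wantReply}}
	return bytes.Join(append(head, body...), nil)
}

// samplePackets: a shell's pty-req and resize on channel 0, an exec on channel 1.
func samplePackets() [][]byte {
	zero := encU32(0)
	return [][]byte{
		packet(0, "pty-req", 1, encStr("inator"), encU32(80), encU32(24), zero, zero, encStr("")),
		packet(0, "window-change", 0, encU32(120), encU32(40), zero, zero),
		packet(1, "exec", 1, encStr("multiply a=4 b=5")),
	}
}

func main() {
	for _, p := range samplePackets() {
		req, err := parseChannelRequest(p)
		fmt.Printf("%+v %v\n", req, err)
	}
}
```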

SSH is ubiquitous

“Is it mobile-friendly?” you may joke, but it is! For every platform you can imagine, there is an SSH client available, including iOS, Android, even Windows! OSX and every Linux distro ship with a client. There are even browser extension SSH clients.

SSH is one of the most accessible secure protocols ever, second only to HTTPS of course.

SSH sounds awesome, and familiar…

Let’s see what we have so far: Binary protocol, mandatory encryption, key pinning, multiplexing, compression (yes, it does that too).

Aren’t these the key features for why we invented HTTP/2?

Admittedly, SSH is missing some pieces. It’s lacking a notion of virtual hosts, or being able to serve different endpoints on different hostnames from a single IP address.

On the other hand, SSH does have several cool features over HTTP/2, like built-in client authentication, which removes the need for registration and remembering extra passwords.

More factlets to fill your stockings

  • SSH server and client specification is fairly symmetric. Per the protocol, most of what the client can ask of a server, a server could ask of the client. This includes things like running commands, but mainstream clients don’t implement this (the specification recommends against it).
  • Every keystroke is sent over the TCP connection. This is why you might notice lag in your typing.
  • To see what your OpenSSH client is doing, use -v to enable verbose debugging output. Use another -v to see per-keystroke debugging, and another -v to further increase the silliness.
  • There is a protocol called MOSH which uses SSH to bootstrap but uses client-side predictive rendering and a UDP state synchronization protocol to remove the effects of latency. I wish there were more third-party implementations of it.
  • Since SSH supports port forwarding and a SOCKS proxy interface, you can build a VPN on top of it by using something like sshuttle.
  • SSH can authenticate using a certificate authority scheme, similar to x.509 certificates used in TLS. Also, many clients can verify server fingerprints against an SSHFP DNS entry.

Some provocative SSH ideas

Chat over SSH was fun, but that’s just the tip of what we can come up with.

Multi User Dungeon (MUD)

Someday, you’ll be able to ssh into mud.shazow.net and you’ll get a little ASCII RPG world to explore. Not yet, but it just might happen.

Distributed Hash Table (DHT)

This gets technical but the possibilities are striking… https://twitter.com/shazow/status/549348566972370944

Programmatic Data Streams

Or better yet, ZeroMQ-style sockets with proper security and encryption? Check out Jeff Lindsay’s Duplex. Still a proof of concept, but lots of really cool demos.

RPC API

SSH’s built-in authentication and encryption makes it really convenient for things like APIs. No complicated OAuth2 handshakes or HMACs and signatures.

ssh api.example.com multiply a=4 b=5

Someday we’ll have good libraries which make connecting over SSH just as easy as HTTP. At that point, your code will look exactly like today’s run-of-the-mill REST API, but use SSH underneath.

Either way, the days of curl examples in API docs would be behind us.

File Server

If we have an RPC API, why not serve static files while we’re at it?

ssh static.example.com get /images/header.png

Remember, SSH supports persistent connections just as well, so your browser could sit there connected to an SSH channel named get for the host and send concurrent get requests for assets. We could even implement ETAGs, and whatever else.

And finally, HTTP

At this point, there’s no reason we couldn’t build a version of HTTP/1 or HTTP/2 on top of SSH. Let’s add a header channel to specify things like Host for virtual host support, throw in some Cookie headers too. Want to add some method verbs? Why not, let’s make a bunch of channels like post or maybe http-post if we want to be polite.

Why aren’t we using SSH for everything?

Great question.


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/hqk6JeZm8H4/ssh-how-does-it-even-9e43586e4ffc


iOS e-reader app review: Marvin and Gerty

For my first major iOS app review in years, I’ve been looking into a pair of e-book apps by developer Appstafarian. First of all, I’ve heard good things about the Marvin EPUB reader. Juli Monroe reviewed it for the iPad, discussed how it works with Calibre, and looked at the iPhone version over the last few years.

However, I never had the chance to take a look at it—it came out after iOS 6 launched, so it was never compatible with my first-generation iPad. Since I now have an iPad Mini 2, I decided to remedy that.

But did you know that Marvin also has a sister? (Or cousin, or wife, or something. It’s not a perfect metaphor.) Appstafarian makes another EPUB app called Gerty, which is very similar to Marvin except for a couple of interesting differences. But I’ll look at Marvin first.

Marvin

With a name like Marvin, I have to admit that my first thought was to wonder if the developer only made it for iOS because he was paranoid about Android. But all joking aside, just a few minutes of use convinced me that I’d found a suitable replacement for the long-departed Stanza e-reader that used to be my go-to iOS e-book app. Some of the features that most impressed me about Stanza, Marvin takes and goes one better.

The Interface

For starters, Marvin offers a nice, clean, simple reading interface. A wide variety of fonts are available, both serif and sans serif, including the Open Dyslexic font that Amazon only recently added to the Kindle. There are formatting options for adjusting font size, margin width, line spacing, depth of paragraph indent, paragraph spacing, full or left justification, and even enabling or disabling hyphenation. There’s also a “Switch to publisher’s formatting” option that reverts the book back to how it was originally formatted.

There are three color themes available—normal, night, and “other”—and these themes can be customized by setting the foreground color and the background color or pattern of your choice. If you want burgundy foreground text on an electric blue background, you just have to scroll the text color and background color/texture listing up until you find what you want and tap on it.

My one complaint about the color selection screen is that the basic simple options, such as “black” and “white,” are a screen and a half of scrolling down, below all the different shades of grey. I’d rather have black and white right at the top, but that’s just me.

The reading process is simple. Just as with the Kindle, you tap on the right side of the screen to page forward, or on the left to page back. (Though you can change that under the “Gestures” controls if you want.) Tapping in the middle brings up the top and bottom status bars. By default, you only get one column of text in either portrait or landscape, but there’s a configuration option to change it to two columns in landscape, or even two columns in portrait and landscape. (You have to rotate the screen before the changes take effect.)

Page turns are swift and responsive, the text is clear and easy to read, and the myriad of font and formatting options means you can make the book look pretty much however you want it to. It also retained the blank lines separating sections, which I noted Moon+ on Android didn’t when I tried it. You don’t get the skeuomorphic page-turn effect of iBooks, but then you don’t get that with the Kindle or most other e-reading applications either—and some people don’t like it from iBooks.

Even if that were as far as it went, Marvin would still be a useful EPUB e-book app—plain, straightforward, and self-contained, not requiring you to upload books into the cloud and re-download them to read them the way Google Books does, and not full of fancy features you may not want or need like iBooks. But there were a couple of other features that did impress me.

Deep Reading

First of all, there’s Marvin’s “Deep Reading” mode. Activated by tapping on a pair of eyeglasses in the top status bar, Deep Reading is a sort of automatic concordance program—it quickly catalogs all the character names and other important words that appear in a book, and lists them by order of appearance, importance, or alphabetically. It takes about a minute or so to process a given novel.

Deep Reading could be very useful when reading a book with so many character names that it’s hard to keep them all straight in your head. If you’re wondering, “Wait, who was that person?” you can pull up Deep Reading and get a list of every place his or her name has been mentioned so far. I’ve read a number of books where I’ve had that problem, especially with regard to foreign or alien-sounding names, and I’m already looking forward to seeing how Marvin could make reading such books easier.

There are also Deep Reading tabs where you can look up and import Wikipedia and other articles about the book or its author, and where you can build a summary on selected names—Marvin excerpts just the paragraphs in which that name is mentioned and incorporates them into a separate e-book file. This could make a handy reference for obscure characters. For that matter, it could be an excellent way of making study guides for subjects in non-fiction books.

Overall, it may not be quite as useful as a manually-compiled Cliff’s Notes on a given book, but it’s a lot more nuanced and flexible than just doing a text search. It’s basically an index of text searches for every major character or concept, accessible with just a tap or two.

Dropbox Integration

The other feature is, if anything, even more impressive. I keep my Calibre library in Dropbox, and every so often use Calibre2OPDS to update an OPDS catalog file for remote access. I originally used that format with Stanza, though Stanza is no longer around anymore.

Marvin also offers the ability to read an OPDS catalog, though I haven’t been able to get it to work as yet—apparently it uses a different OPDS format than the XML files Calibre2OPDS makes. But that’s all right, because it offers alternatives. You can download books from Project Gutenberg or Mobileread, or link up directly to Calibre and pull books down that way, or even pull them from your iCloud account.

But the most useful option for me is that it can link to the Dropbox app on your device, then list all the EPUBs you’re keeping in Dropbox for you to download. It does it pretty quickly, too—it found the 1,375 e-books I have in my Dropbox over the course of about a minute or so. Then I could sort or search them however I wanted. It was simple enough to do that I might not even need to keep using OPDS to download my books anymore.

Conclusion

And all of these features are available in the free version of Marvin, as far as I can tell. The only difference between the free and paid versions is that the free version only lets you keep a library of one downloaded e-book at a time, while the one that costs $3.99 will let you load as many as you want.

This seems like a reasonable price to me, and a reasonable division of features—if you’re the sort of person who only reads one e-book at a time, the free version might be just fine for you, and it won’t bombard you with advertisements like some free e-readers. But $3.99 isn’t bad at all for such a good application. (You can also add on an app theme pack for $4.99, but this seems less necessary to me.)

Gerty

We apparently haven’t ever covered the other Appstafarian e-reader yet, which is a little surprising. Gerty resembles a simplified version of Marvin, with a number of similar features—in fact, I suspect it uses a lot of the same code base. But there are some important key differences that might make it a more useful reader for people with different needs than Marvin users.

The Interface

Unlike Marvin, Gerty works on a scrolling principle. Instead of tapping left or right to turn a page, you slide the screen up or down by swiping your finger—just like scrolling on a web page. Tapping anywhere on the screen brings up the top and bottom status bars. Since you’re scrolling, you don’t have the ability to split the screen into separate columns either. I personally prefer the pagination method, but I can still appreciate that Gerty’s scrolling is smooth and simple. And there are people who would rather have a scrolling e-reader app.

Gerty doesn’t have as many customization options as Marvin. You can select the font, make the font bigger or smaller, switch between narrow or wide margins and vertical line spacing, and change the orientation lock settings (lock to portrait, lock to landscape, don’t lock) and that’s pretty much it. You also don’t get as many fonts to choose from as Marvin, and Open Dyslexic isn’t among them. (Though, weirdly enough, the info page on Appstafarian’s web site claims it is.) There are only six preset color themes, which you can’t customize beyond choosing the one you want.

The text still looks just as crisp and clear as in Marvin. In fact, it looks basically exactly the same as Marvin when you’re reading it, which is why I’m not bothering to throw in another screenshot here.

One of the features that you have to pay to add is auto-scrolling. Once you’ve added it, you can set the scroll rate and then the text will slide up the page at a steady rate of speed, teleprompter-style, without you doing anything. This could be useful for reading while your hands are busy with other things, like exercising or eating messy food.

Book Journaling and Other Features

Gerty doesn’t feature the “Deep Reading” mode of its sibling Marvin, but it has its own features that Marvin doesn’t. In particular, it has a private blog or journal feature built in, where you can note down thoughts on the book as you’re reading it, even including the ability to snap photos with the device camera to attach to it, and to attach a map showing exactly where you are at the time. You can export your entries into an EPUB, or share entries via iOS’s share-to-other-apps menu.

But Gerty isn’t just for reading e-books. It also allows you to keep track of your paper books, and write journal entries to associate with them. It’ll even scan the book’s barcode via your device’s camera and look up the author and title for you, if it can. It’s a clever idea for people who like to read a lot and share their feelings on what they read, and it might also be useful for taking notes on e-textbooks for class. I don’t think I’d be inclined to get much use out of it myself, though. It will also keep track of statistics on how much and how often you read.

Like Marvin, Gerty can read your Dropbox account so you can download e-books from it, and does so just as quickly as Marvin. It also has the option to read from your Google Drive account. However, it doesn’t seem to read directly from Calibre, OPDS, or iCloud.

Conclusion

Like Marvin, Gerty costs only $3.99 to unlock all its premium features. That’s not a bad price to pay for a full-featured e-book app, even one I don’t expect to use all that often. I found it a little odd that Marvin’s paid version is a separate app, whereas Gerty’s premium features are unlocked via an in-app purchase. But I suppose the way the premium features are set up makes in-app purchase work better for Gerty.

I’m sure I’ve barely scratched the surface of the features that are available in both Marvin and Gerty, but I can say this for sure—they’re both going to be permanent fixtures on my iPad, and very possibly Marvin is going to supplant iBooks as the way I read all the DRM-free EPUBs in my Calibre library, at least when I’m reading from my iPad rather than one of my Android devices.

I can’t see getting into book journaling a la Gerty, but I could see how frequent journal-writers and note-takers could get a lot of use out of it. Whichever one better suits your style of reading, they’re both great little e-reader apps, and both are well worth the $3.99 price.

The post iOS e-reader app review: Marvin and Gerty appeared first on TeleRead News: E-books, publishing, tech and beyond.


Original URL: http://www.teleread.com/ios-e-book-app-review-marvin-and-gerty/


Micro – a command line text editor in Go


Micro is very much a work in progress

Micro is a command line text editor that aims to be easy to use and intuitive, while also taking advantage of the full capabilities
of modern terminals.

Here is a picture of micro editing its source code.

Screenshot

  • Easy to use
  • Common keybindings (ctrl-s, ctrl-c, ctrl-v, ctrl-z…)
  • Extremely good mouse support
  • Cross platform
  • Syntax highlighting (in over 75 languages!)
  • Colorscheme support
  • True color support (set the MICRO_TRUECOLOR env variable to 1 to enable it)
  • Search and replace
  • Undo and redo
  • Unicode support
  • Small and simple
  • Configurable

If you’d like to see what has been implemented, and what I plan on implementing soon-ish, see the todo list

Prebuilt binaries

Once you have downloaded the file, you can install the runtime files by running ./install.sh
in the directory you downloaded. This will place all the runtime files in ~/.micro.

To run the micro binary just run ./bin/micro (you may want to place the binary on your path for ease of use).

Building from source

Micro is made in Go so you must have Go installed on your system to build it, and make sure your GOPATH is set.

$ git clone https://github.com/zyedidia/micro
$ cd micro
$ make

This will build micro and put the binary in the current directory. It will also install syntax highlighting files to ~/.micro/syntax.

Alternatively you can use make install instead of make if you want the binary to be added to your GOBIN (make sure that it is set).

Once you have built the editor, simply start it by running micro path/to/file.txt or simply micro to open an empty buffer.

Micro also supports creating buffers from stdin:

$ ifconfig | micro

You can move the cursor around with the arrow keys and mouse.

Keybindings

  • Ctrl-q: Quit
  • Ctrl-s: Save
  • Ctrl-o: Open file
  • Ctrl-z: Undo
  • Ctrl-y: Redo
  • Ctrl-f: Find
  • Ctrl-n: Find next
  • Ctrl-p: Find previous
  • Ctrl-a: Select all
  • Ctrl-c: Copy
  • Ctrl-x: Cut
  • Ctrl-v: Paste
  • Ctrl-h: Open help
  • Ctrl-u: Half page up
  • Ctrl-d: Half page down
  • PageUp: Page up
  • PageDown: Page down
  • Ctrl-e: Execute a command

You can also use the mouse to manipulate the text. Simply clicking and dragging will select text. You can also double click
to enable word selection, and triple click to enable line selection.

At this point, there isn’t much you can configure.
Micro has a few options which you can set:

  • colorscheme
  • tabsize
  • syntax

To set an option run Ctrl-e to execute a command, and type set option value, so to set the tabsize to 8 it would be set tabsize 8.

Any option you set in the editor will be saved to the file ~/.micro/settings.json so, in effect, your configuration file will be created
for you. If you’d like to take your configuration with you to another machine, simply copy the settings.json to the other machine.

If you find any bugs, please report them! I am also happy to accept pull requests from anyone.


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/E3CUq17kVoU/micro


Org as a Word Processor

I like some of the ideas in the EMagicians Starter Kit, particularly
how the headers are larger, instead of different colors. My code in
this case is particularly nasty and needs a major simplification, but
here is the gist for you:

(let* ((variable-tuple (cond ((x-list-fonts "Source Sans Pro") '(:font "Source Sans Pro"))
                             ((x-list-fonts "Lucida Grande")   '(:font "Lucida Grande"))
                             ((x-list-fonts "Verdana")         '(:font "Verdana"))
                             ((x-family-fonts "Sans Serif")    '(:family "Sans Serif"))
                             ;; Fallback clause: a nil test never fires, so use t; return nil so no font is spliced in.
                             (t (warn "Cannot find a Sans Serif Font.  Install Source Sans Pro.") nil)))
       (base-font-color     (face-foreground 'default nil 'default))
       (headline           `(:inherit default :weight bold :foreground ,base-font-color)))

  (custom-theme-set-faces 'user
                          `(org-level-8 ((t (,@headline ,@variable-tuple))))
                          `(org-level-7 ((t (,@headline ,@variable-tuple))))
                          `(org-level-6 ((t (,@headline ,@variable-tuple))))
                          `(org-level-5 ((t (,@headline ,@variable-tuple))))
                          `(org-level-4 ((t (,@headline ,@variable-tuple :height 1.1))))
                          `(org-level-3 ((t (,@headline ,@variable-tuple :height 1.25))))
                          `(org-level-2 ((t (,@headline ,@variable-tuple :height 1.5))))
                          `(org-level-1 ((t (,@headline ,@variable-tuple :height 1.75))))
                          `(org-document-title ((t (,@headline ,@variable-tuple :height 1.5 :underline nil))))))

The first step in the above code decides on a font. You should probably
trim this down to your favorite variable space font.


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/KDbnBE7yP38/orgmode-wordprocessor.html


JavaScript API for 1999.io

I haven’t yet talked about the API for 1999.io. It’s inspired by Facebook’s JavaScript API, which is excellent, with an important additional feature, storage. Without that you can’t build real apps. 

This API does what the XML-RPC interface did for Manila, WordPress and Blogger in the 1999 version of the blogosphere. This time around it’s JSON over HTTP. The browser-based editor for 1999.io is implemented on top of this API, which is open to any other developer to use. 

I’ll be demoing this first on the 1999-server list hopefully in the next few days.


Original URL: http://scripting.com/2016/04/17/1191.html


The next version of OS X could be called ‘MacOS’

It’s a small branding change, but it would make a lot of sense. Many different signs point to Apple abandoning the name “OS X” in favor of “MacOS”, or maybe “macOS” without a capital letter.
Apple SVP of Worldwide Marketing Phil Schiller first hinted at this change last year at WWDC in an interview with John Gruber. Then a configuration file…


Original URL: http://feedproxy.google.com/~r/Techcrunch/~3/IeeVtoZI4g4/


Show HN: XMoto.js


DEMO

This project is a HTML5 Port of XMoto using CoffeeScript, 2D Canvas and Box2DWeb.


This is the first part of a two-part project:

  1. XMoto.js (this project!): JavaScript port of the game that needs to be compatible with a lot of pre-existing levels (XML files) from the original game.
  2. XMoto.io: social XMoto game with a backend for scores, replays, etc.

XMoto.io will be built on top of XMoto.js, using Ruby on Rails, and both the projects will co-evolve and interact in some parts.

More about the project development on http://xmoto.io

Demo

Master branch is frequently deployed here: http://js.xmoto.io

Click on the “debug mode” button and have fun with the simulation parameters. You can copy-paste the generated URL to keep the custom physics.

Examples: Tractor, Rodeo, Ugly Mode, Big Head, Moon, Furious

Usage

  • Upload “data”, “lib” and “bin” folders on a static web server (put ‘data’ folder on the root directory)
  • Include all the JavaScript files of /lib/ and /bin/xmoto.js on your web page.
  • Call $.xmoto('l1.lvl') or $.xmoto('l1.lvl', options) where “l1.lvl” is the name of the level and the options are:
{
  canvas:  '#xmoto'   # canvas selector
  loading: '#loading' # loading selector
  chrono:  '#chrono'  # chrono selector
}

Development

Installation

  • brew install nodejs: install NodeJS (on MacOS)
  • sudo npm install -g coffee-script: install CoffeeScript
  • npm install express: install Express

Working environment

  • coffee -j bin/xmoto.js -wc src/*.coffee src/*/*.coffee to compile to JavaScript in real-time.
  • node server.js to launch HTTP Server (http://localhost:3000).

Don’t forget to restart the coffee command if you create new COFFEE files.

TODO

Improve XML levels compatibility!

and other stuffs


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/_SzzKadxZZM/xmoto.js


Startup Investors Hit the Brakes

Updated April 14, 2016 8:12 p.m. ET

Venture-capital investors hit the brakes on investing in the first quarter, following a funding bonanza the past two years that pushed valuations of once-hot technology startups to soaring heights.

Funding for U.S. startups fell 25% from the fourth quarter to $13.9 billion, the largest quarterly decline on record since the dot-com bust, according to data from Dow Jones VentureSource. The numbers of deals also hit a four-year low of 884.

The drop threatens to hasten a slump rippling through Silicon Valley that is pushing startups to slash marketing budgets, lay off staff and dial back lofty ambitions. Investors such as mutual funds and big banks that pumped money into startups on the promise of big returns have since retrenched, as a punishing market for initial public offerings has spoiled the runaway optimism.

The sky-high valuations of last year have retreated as a result. In the first quarter, the median value of U.S. startups plummeted to $18.5 million after hitting a peak of $61.5 million in last year’s third quarter.

“I think investors are nervous, sitting on the sidelines waiting to see what happens,” said Brian Mulvey, co-founder and managing partner at PeakSpan Capital, which recently raised a venture fund of $150 million.

Investors caution the first-quarter data spans a relatively small period and that capital tends to fluctuate widely throughout the year. VentureSource counts funding rounds for U.S.-based companies with at least one venture-capital firm as an investor. It doesn’t include startups only backed by individuals or majority-owned by corporations or private-equity firms. Several other data providers with varying methodologies show less of a decline.


Still, many startups are struggling to raise capital at higher valuations, especially companies in competitive areas that require large budgets to outduel rivals.

On-demand food-delivery service DoorDash Inc. had been seeking a large valuation uptick in its latest financing round, but was instead forced to sell its shares in February at a 16% discount to its price last March. Location-sharing mobile-app maker Foursquare Inc. had its valuation shaved 69% in a financing round in January, corporate documents show.

Other startups, such as meal-delivery service SpoonRocket Inc., weren’t as lucky and went belly up. The company called it quits in March after raising $13.5 million in funding.

“Good idea, but food is hard,” said David Fialkow, a managing director at SpoonRocket investor General Catalyst Partners, adding that the business was liked by customers but it was hard to make money.

Another startup, Shuddle Inc., a ride-hailing service for children, said Thursday it is shutting down operations after failing to raise more venture capital.

Investors were swooning over the success of ride-hailing service Uber Technologies Inc., funding just about any business that turned a smartphone into a remote control mechanism to order goods and services. Optimism waned after few such firms demonstrated they could operate profitably. Funding to consumer services companies, which include the myriad of on-demand apps, spiraled 63% from the fourth quarter, according to VentureSource.

“A year or year-and-a-half ago, on-demand [service] was going crazy,” said Rafael Corrales, a general partner at Charles River Ventures. “Now no one wants to touch them.”

The growing pains aren’t limited to services for consumers. Database developer Couchbase Inc., for instance, took in $30 million in financing in the quarter that pinched its valuation 40.7%. Couchbase declined to comment.

A frozen IPO market for new tech issues in the first quarter has posed problems. Not a single venture-backed tech company went public in the first quarter, the first time that has happened in the past seven years. The darkening mood in the public markets, through which venture capitalists cash in their investments via IPOs, is forcing them to acknowledge that private market valuations got out of hand.

“There’s a general sentiment among VCs that there are fewer opportunities for exits with the IPO market pulling back and larger companies doing significantly less acquisitions,” said Wesley Chan, managing director at Felicis Ventures.

Public-stock trading also continued to dog investor prospects for companies in some sectors whose valuation multiples track public peers. The Nasdaq Stock Market was clawing back in the quarter from steep declines over concerns about global economic uncertainty and China in particular. Salesforce Inc.’s stock took a dive in January, casting a pall across cloud-services startups, and its shares are only now regaining ground.

The cooling funding period arrives after investors stepped up the pace in 2015, investing about $75 billion in startups, the most on record since 2000 when about $94 billion was raised.

To be sure, funding for information technology—companies that develop computer hardware, networking and software—fared better than other sectors, rising 3% from the fourth quarter. Another bright point was biopharmaceutical startups, which gained 7% more funding in the quarter. Biotech investors’ prospects were buoyed by the fact that the sector managed six venture-backed U.S. IPOs in the first quarter in an otherwise unreceptive market.

—Deborah Gage and Rolfe Winkler contributed to this article.

Write to Scott Martin at Scott.Martin@wsj.com


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/ncc6Wj3mzpg/startup-investors-hit-the-brakes-1460676478
