Chrome's WebUSB Feature Leaves Some Yubikeys Vulnerable to Attack

There’s no better way to protect yourself from the universal scourge of phishing attacks than with a hardware token like a Yubikey, which stymies attackers even if you accidentally hand them your username and password. But while Yubikey manufacturer Yubico describes its product as “unphishable,” a pair of researchers has proven the company wrong, with a technique that allows clever phishers to sidestep even Yubico’s last bastion of login protection.

Two weeks ago, in a little-noticed presentation at the Offensive Con security conference in Berlin, security researchers Markus Vervier and Michele Orrù detailed a method that exploits a new and obscure feature of Google’s Chrome browser to potentially bypass the account protections of any victim using the Yubikey Neo, one of the most popular of the so-called Universal Two-Factor, or U2F, tokens that security experts recommend as the strongest form of protection against phishing attacks.

With a sufficiently convincing phishing site and a feature in Chrome known as WebUSB, a hacker could both trick a victim into typing in their username and password—as with all phishing schemes—and then also send a query directly from their malicious website to the victim’s Yubikey, using the response it provides to unlock that person’s account. (A disclaimer: WIRED partners with Yubico to give free Yubikeys to subscribers. According to Vervier and Orrù, the model WIRED offers is not susceptible to their attack.)

Vervier and Orrù, who work for the security consultancy X41, are careful to note that their technique doesn’t demonstrate a flaw in Yubico’s products so much as a very unintended byproduct of Chrome’s WebUSB feature, which the browser added just last year. “U2F is technically not broken, but it’s still phishable, which many people thought was impossible,” says Vervier. “It’s a great example of how new interfaces allow ways to attack technology that were believed to be unbreakable.”

When WIRED reached out to Google, security product manager Christian Brand responded that the company became aware of the researchers’ attack after their Offensive Con presentation. While Google considers the attack an edge case, the company is working with U2F standards body the FIDO Alliance to fix the problem. “We are always appreciative of researchers’ work to help protect our users,” Brand wrote in a statement. “We will have a short term mitigation in place in the upcoming version of Chrome, and we’re working closely with the FIDO Alliance to develop a longer-term solution as well. We aren’t aware of any evidence that the vulnerability has been exploited.”

Beware WebUSB

Let’s be clear: Vervier and Orrù’s findings don’t change the fact that adding two-factor authentication remains one of the most basic and crucial steps to protecting your sensitive accounts, and a U2F token like a Yubikey is the most secure form of that protection you can use. Even two-factor authentication methods like text messages or Google Authenticator still rely on temporary codes that the user enters when they log in; a convincing phishing site can simply trick you into handing over those codes along with your username and password. A U2F token like the Yubikey instead performs an authentication handshake with a website that not only proves to a website that it’s your unique key, but requires that the website prove its identity too, preventing lookalike sites from stealing credentials.

But a crack in those safeguards may have appeared last year when Chrome added WebUSB, a feature that allows websites to directly connect to USB devices, from VR headsets to 3-D printers. Vervier and Orrù found that they could code a website to connect to the Yubikey Neo with that WebUSB feature, instead of with the usual Chrome API for U2F that it’s designed to use. In doing so, they could circumvent the checks that the browser performs before querying the Yubikey—the checks that confirm that websites are the ones they claimed to be.

That could enable, the researchers warn, a “man-in-the-middle” attack. If a victim logs into a fake Google site, the phishing site passes on their username and password to the real Google login page. Then the spoofed site passes back Google’s request for the user’s U2F token and collects the Yubikey’s unique answer, all via WebUSB. When that answer is then presented to the real Google site, the attackers gain access to the victim’s account.

“The browser developers put a proper API in place that makes careful use of whatever U2F token is in the computer,” says Joern Schneeweisz, a security researcher for Recurity Labs who reviewed Vervier and Orrù’s findings. “And then they put in another feature that subverts all the security they’d put in place.”

A Sophisticated Phish

The attack Vervier and Orrù imagine isn’t exactly easy to pull off, and would likely only be used by sophisticated hackers targeting high-value accounts. Aside from first requiring that a phishing site trick a victim into typing in their username and password as usual, the phishing site would also have to ask the user’s permission to enable WebUSB access to their Yubikey, and then tap the physical button on the key. But all of that could be achieved by phishers who trick users with a prompt requiring them to “update” their U2F token, or some other scam. After all, the only change from the usual login process would be that one added permissions prompt. “You could come up with a pretty plausible pretext,” says Orrù. “The user only has to click once.”

Vervier and Orrù note that their technique would only work with U2F keys that offer protocols for connecting to a browser other than the usual way U2F tokens communicate with a computer, known as the Human Interface Device or HID, which isn’t vulnerable to the attack. The Yubikey Neo, for instance, can also connect via the CCID interface used by smartcard readers, offering another avenue of exploitation, but the Yubikey Nano, 4 Series, and the original, cheaper Yubikey aren’t vulnerable, they say—nor, based on their testing, were the Feitian keys recommended by Google for its locked-down Advanced Protection setting.

“This sounds like an assumption was made by Chrome that all U2F is HID, which doesn’t hold for the Neo, whereas Yubico made an assumption that USB will never be accessible by web pages directly,” explains Jonathan Rudenberg, an independent security researcher who has focused on U2F implementations in the past. The combination of those two assumptions adds up to a significant security vulnerability.

A Larger Problem

A long-term fix could take the form of tweaks to Chrome to block WebUSB connections to certain devices like the Yubikey Neo. But the problem could go much further than Yubikeys alone, potentially exposing a whole new class of devices to unexpected interactions with websites. Vervier and Orrù say they believe smartcard authentication systems could also be vulnerable, for instance, though they haven’t yet tested them.

“Google should have never shipped WebUSB in its current form,” says Rudenberg. “Users cannot be expected to understand the security implications of exposing their USB devices to potentially malicious code…I don’t think this is the last time that we’ll see WebUSB used to break things.” Rudenberg went so far as to quickly code a Chrome extension that disables WebUSB, which he recommends everyone install and use until they have a reason to enable the feature. Rudenberg says there’s no other easy way to disable the feature.

When WIRED reached out to Yubico for comment, spokesperson Ronnie Manning essentially placed the blame on Google’s browser. “Per the U2F protocol, the security key is not responsible for doing that verification” of the origin of authentication requests, Manning said in a statement. “In fact, they cannot do so effectively as they would have to rely on data passed by the browser, and if the browser is not trustworthy, neither is the data.”

Manning also noted that Chrome could give users the option to turn off WebUSB, or blacklist vulnerable devices like the Yubikey Neo. But he adds that “unless such a blacklist is complete and perfect, issues like this are possible with the current WebUSB implementation.”

As for Vervier and Orrù themselves, they say concerned Yubikey users should disable WebUSB, and that IT administrators should even consider setting a policy blocking it for all their employees. And they suggest a simpler solution, too: That users remain wary online, and think twice about where they enter their passwords. Despite Yubico’s “unphishable” marketing, it’s no substitute for some healthy skepticism.

Phishing License

Why Etsy’s Stock Jumped 24% Amid Some Complaints From Sellers and Buyers

Artisan craft marketplace Etsy has had its ups and downs since going public almost three years ago, but new CEO Josh Silverman appears to have convinced investors that sales are on track for solid growth in 2018.

Etsy’s stock price jumped as much as 24% in midday trading on Wednesday, and has now more than doubled from a year ago, thanks to Silverman’s turnaround strategy that got the company out of Amazon’s long shadow. Silverman, a veteran of eBay’s (ebay) Shopping.com site, has emphasized simple improvements like adding “best seller” badges and site-wide sales for Labor Day and Cyber Monday last year, as well as deeper changes that improved customer searches using artificial intelligence and machine learning with a program Etsy calls “Context Specific Search ranking.”

The results pleased Wall Street. Etsy reported solid fourth quarter results on Tuesday evening, including sales on the site increasing 15% to $1 billion—the company’s first billion dollar quarter ever—while Etsy’s own revenue, which includes its cut of the sales plus other services it sells, increased 21% to $136 million. Earnings per share of 36 cents reversed a loss of 19 cents per share last year and beat Wall Street’s expectations of just 13 cents (though the latest quarter included a one-time benefit from the new tax law).

Analysts also cheered Etsy’s forecast for 2018, including overall sales on the site increasing 14% to 16% to as much as $3.8 billion and its own revenue growing 21% to 23% to as much as $543 million. Analysts had forecast Etsy’s 2018 revenue would hit only $519 million.

Get Data Sheet, Fortune’s technology newsletter.

Silverman explained the improvements that led to last year’s growing sales, while also offering more ideas that will boost growth this year. “There’s still much work to do to improve the shipping experience on Etsy and this will be an area of strong focus in 2018,” he told analysts on a call on Tuesday.

Still, there were complaints from some sellers and buyers last year that Etsy was losing its identity as a craft marketplace focused on individual artisans amid all the changes. Silverman said the latest results were proof that, on the whole, his strategy was working for most.

“You know as a platform our job is to make the experience better for all of our buyers and sellers,” he said. “On any given day, there will be individual winners and losers because that’s the nature of the marketplace–you know, is the product that a particular seller is selling, is it in fashion or not, how is it resonating with the marketplace, that’s up to each of our sellers.”

Under prior CEO Chad Dickerson, Etsy stumbled in the face of growing pressure from Amazon (amzn), which introduced its own handmade craft-oriented platform just a few months after Etsy went public. Dickerson was pushed out last May after a disastrous first quarter that led to layoffs

Further improvements at Etsy this year will come from giving sellers better data analytics tools, making it easier for buyers to have items shipped quickly, and further optimizing search results, among other initiatives, Silverman said. The company will also look at hosting more site-wide events with discounting, though Etsy (etsy) doesn’t want to become known as a discount site, he said.

In many cases, “these are things that are perhaps best practices already used in other parts of the web that we haven’t yet adopted,” Silverman said. “We also want to make sure that we’re stretching ourselves and we’re thinking about bolder bigger events.”

Pinterest hires former Google executive as its first COO

(Reuters) – Photo pin-up website Pinterest on Tuesday appointed Francoise Brougher, a former executive at Alphabet Inc, as its first chief operating officer.

Brougher, most recently the business lead at Square Inc, will be responsible for supervising Pinterest’s operations around the world and will lead its sales.

Brougher, whose appointment is effective March 12, will be based out of Pinterest’s headquarters in San Francisco and report to Chief Executive Officer Ben Silbermann.

The first COO announcement is part of the maturation of a company as it nears an initial public offering.

Pinterest has more than 200 million monthly active users worldwide collecting and pinning photos related to cooking, designing, travel and other interests on its website.

The company, backed by Andreessen Horowitz, Fidelity Investments and Goldman Sachs among others, has a market valuation of more than $12 billion.

Reporting by Heather Somerville in San Francisco and Laharee Chatterjee in Bengaluru; Editing by Maju Samuel

Supreme Court wrestles with Microsoft data privacy fight

WASHINGTON (Reuters) – Supreme Court justices on Tuesday wrestled with Microsoft Corp’s dispute with the U.S. Justice Department over whether prosecutors can force technology companies to hand over data stored overseas, with some signaling support for the government and others urging Congress to pass a law to resolve the issue.

Chief Justice John Roberts and Justice Samuel Alito, both conservatives, hinted during an hour-long argument in the case at support for the Justice Department’s stance that because Microsoft is based in the United States it was obligated to turn over data sought by prosecutors in a U.S. warrant.

As the nine justices grappled with the technological complexities of email data storage, liberals Ruth Bader Ginsburg and Sonia Sotomayor questioned whether the court needed to act in the data privacy case in light of Congress now considering bipartisan legislation that would resolve the legal issue.

A ruling is due by the end of June.

“Wouldn’t it be wiser to say let’s leave things as they are. If Congress wants to regulate this ‘Brave New World,’ let them do it,” Ginsburg said.

Alito agreed that Congress should act but added that “in the interim, something’s got to be done.”

Roberts appeared concerned that companies like Microsoft could enable customers to evade the reach of U.S. prosecutors by deliberately storing data overseas.

The case pits the interests of tech companies and privacy advocates in protecting customer data against the demands of law enforcement in gaining information vital to criminal and counterterrorism investigations.

It started with a 2013 warrant obtained by U.S. prosecutors for emails of a suspect in a drug trafficking investigation that were stored in Microsoft computer servers in Dublin. Microsoft challenged whether a domestic warrant covered data stored abroad. The Justice Department said prosecutors were entitled to the data because Microsoft is headquartered in the United States.

Microsoft President and Chief Legal Officer Brad Smith (R) and his lawyer Josh Rosenkranz make their way to the news media to make a statement outside of the U.S. Supreme Court in Washington, U.S., February 27, 2018. REUTERS/Leah Millis

The New York-based 2nd U.S. Circuit Court of Appeals in 2016 sided with Microsoft, handing a victory to tech firms that increasingly offer cloud computing services in which data is stored remotely. President Donald Trump’s administration appealed that ruling to the Supreme Court.

The appeals court said the emails were beyond the reach of domestic search warrants obtained under a 1986 U.S. law called the Stored Communications Act.

Bipartisan legislation has been introduced in Congress to update the 1986 statute, a move backed by both Microsoft and the administration. The measure would let U.S. judges issue warrants while giving companies an avenue to object if the request conflicts with foreign law. If Congress were to pass the bill before the Supreme Court rules, the case would likely become moot.

FILE PHOTO: A Microsoft logo is seen a day after Microsoft Corp’s $26.2 billion purchase of LinkedIn Corp, in Los Angeles, California, U.S., on June 14, 2016. REUTERS/Lucy Nicholson/File Photo

Senator Orrin Hatch, a Republican who has led the efforts to rework the law, was in the courtroom to hear Tuesday’s argument, and afterward noted that various justices had referred to the importance of Congress acting.

“Our bill, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, would resolve the question currently before the Court in a way that balances consumer, law enforcement, and privacy interests. This commonsense legislation has the full-throated support of both law enforcement and the tech community and deserves swift enactment,” Hatch said in a statement afterward.

Globally dominant American tech companies have expressed concern that customers will go elsewhere if they think the U.S. government’s reach extends to data centers all around the world without changes being made to the law.

Microsoft, which has 100 data centers in 40 countries, was the first American company to challenge a domestic search warrant seeking data held outside the United States.

The Microsoft customer whose emails were sought told the company he was based in Ireland when he signed up for his account.

Other companies including IBM Corp, Amazon.com Inc, Apple Inc, Verizon Communications Inc and Alphabet Inc’s Google filed court papers backing Microsoft.

The administration has the support of 35 states led by Vermont.

Reporting by Lawrence Hurley and Dustin Volz; Editing by Will Dunham

Famed ‘Pivot’ Strategy of Startups May Not Work For GE

This article first appeared in Data Sheet, Fortune’s daily newsletter on the top tech news. Sign up here.

While I was out last week Fortune published my feature on Eric Ries, author of the wildly popular book for entrepreneurs , The Lean Startup. Ries is a whirling dervish of the startup and innovation world. He’s an author, speaker, coach, consultant, and even CEO of an ambitious if quixotic startup of his own, the Long-Term Stock Exchange, which aims to combat short-termism on Wall Street.

Ries is a prophet in Silicon Valley, and his first book is its Bible. The thrust of my feature is the 39-year-old’s pivot to helping big companies find their inner startup and the book he has published as their field manual, The Startup Way. Ries and his teachings have been valuable to numerous companies—P&G and ING have had promising successes—and his work is an inspiration to a veritable cottage industry of innovation consultants.

That said, it might not be clear for some time if concepts like “pivoting” and “minimum viable product” can ever move the needle for big companies. (Buzzwordery meets cliché in a Ries-inspired firm that’s actually called Moves The Needle, which boasts: “We are innovation architects.”) Ries’s primary example in his new book is GE, where he was deeply embedded and coached at the highest levels.

Ries says he is “cautiously optimistic” about GE. He might be the only one. When I read The Wall Street Journal’s impressive reporting on GE’s yes-man culture, I couldn’t help but wonder if the tens of thousands of workers trained in lean-startup methods and hundreds of projects that followed its techniques were part of the “success theater” the paper describes.

Incidentally, The Startup Way is making less of a dent in the world than its predecessor. According to Nielsen Bookscan, which measures only U.S. physical book sales, seven-year-old The Lean Startup sold three times as many books last week than The Startup Way, which came out in October. The Lean Startup is ranked No. 1,832 of all books on Amazon, a phenomenal ranking for such an old book; its heavily promoted successor is at No. 10,028.

***

My vacation reading: Anyone who writes should read this lovely and erudite essay by Amy Chozick of The New York TimesThe Economist competently sums up a thesis we at Fortune have been hammering for a year, that Chinese tech companies no longer are copycats—and that Silicon Valley has been arrogantly slow to figure this out … Onetime Time writer Joshua Cooper Ramo, supposedly an expert on Asian affairs, ought to pick up the haunting novel Pachinko, by Min Jin Lee. It’d be impossible to read it and not understand how Koreans feel about Japan … This stunning narrative in New York magazine about a young ex-Air Force linguist accused of disclosing top-secret information is all the more powerful for not having pointed out the central irony of the crime for which its subject will soon stand trial.

EU plans new tax for tech giants up to 5 percent of gross revenues

BRUSSELS (Reuters) – The European Commission wants to tax large digital companies’ revenues based on where their users are located rather than where they are headquartered at a common rate between 1 and 5 percent, a draft Commission document showed.

The proposal, seen by Reuters, aims at increasing the tax bill of firms like Amazon [AMZN.O], Google [GOOGL.O] and Facebook [FB.O] that are accused by large EU states of paying too little by re-routing their EU profits to low-tax countries such as Luxembourg and Ireland.

The plan resembles a French proposal on an equalization tax that was supported by several big EU states. However, it is likely to face opposition from small countries that fear becoming less attractive to multinational firms.

The document says the tax should be applied to companies with revenues above 750 million euros ($922 million) worldwide and with EU digital revenues of at least 10 million euros a year.

The proposal is subject to changes before its publication which is expected in the second half of March. Some of the key figures on rates and thresholds are in brackets, showing that work is still ongoing to define the final numbers.

Firms selling user-targeted online ads, such as Google, or providing advertisement space on the internet, such as Facebook, Twitter or Instagram, would be subject to the tax, the document said, citing these companies.

Digital marketplaces such as Amazon and gig economy giants such as Airbnb and Uber also fall under the scope of the draft proposal, the Commission said.

Online media, streaming services like Netflix, online gaming, cloud computing or IT services would instead be exempt from the tax.

The levy would be raised in the EU countries where users are located, rather than where companies are headquartered, reducing the appeal of smaller low-tax states.

“This would entail additional reporting requirements so that the tax authorities of member states can calculate how much tax is due in their jurisdiction,” the document said.

In the case of online advertisers, the tax should be levied “where the advertisement is displayed” and “where the users having supplied the data which is being sold are located.”

For online shopping, the tax would be collected in countries “where the user paying for being able to access the platform (or to conclude a transaction within the platform) is located,” the document said.

The levy would be calculated on the “aggregated gross revenues” of a business and should have a single EU rate “in the region of 1-5 percent.” It would be possible to deduct this tax as a cost from national corporate taxes.

The tax would be a temporary measure that would be applied only until a more comprehensive solution to fair digital taxation is approved, the Commission said.

The long-term solution would entail the adoption of new rules on a “digital permanent establishment”.

The proposal, once finalised, would need the approval of all EU states.

Editing by Matthew Mpoke Bigg

Week 9 Breakout Forecast: Short-Term Picks To Give You An Edge

Breakout Forecast Selections for Week 9:

Market conditions continue to show signs of recovery. Readers are cautioned that negative conditions are still strong, but have been significantly reduced. My momentum gauge is based on the size of the list of screened momentum stocks. The negative momentum indicator list is showing above average numbers at 35, but down from the prior week with 40. The positive momentum indicator has moved up significantly from all time lows. All time low for positive momentum selections is 10 (during week 6) and all time high is 120 (last August). The current positive momentum measure is still quite low at 35, but up from 30 in the prior week.

Additional selections from last week’s separate technical articles also showed double-digit returns in a short trading week: AGEN +16.32% and DRNA +19.98%

This week I have selected 8 breakout stocks from the following sectors: 5 healthcare, 2 basic materials, and 1 services. I continue to see strong signals of breakouts across the biotech sector as I described in my last sector report.

The two new selections of positive momentum stocks for this week include:

  1. Oasis Petroleum, Inc. (OAS) – Basic Materials / Independent Oil & Gas
  2. Senseonics Holdings, Inc. (SENS) – Healthcare / Medical Appliances

These stocks are not necessarily recommended for long term buy/hold unless you are comfortable with very large price swings. As I continue to observe, strong momentum events usually last from one to three weeks and may encounter some substantial decline before returning again to positive gains.

These are the most volatile selections I offer from among all the different Value & Momentum portfolios. Proposed entry points for each of the selected stocks are as close to the highlighted prices in yellow on the charts at market open. All stocks are selected for high short-term breakout results over one to three weeks.

Breakout Stock Charts for Week 9


Pick #1: Oasis Petroleum, Inc. (OAS)
– Basic Materials / Independent Oil & Gas

Significant institutional ownership increases in latest 13F filings:

Target price: $11.00

Pick #2: Senseonics Holdings, Inc. (SENS) – Healthcare / Medical Appliances

Significant institutional ownership increases in latest 13F filings:

Target price: $3.40


Breakout Forecast Performance Results:

Total Return Chart: +52.77%


Total Breakout portfolio returns by week for the past 5 weeks are listed below through the end of last week to illustrate the rolling returns of prior top performers and total portfolio returns:

Breakout Forecast Portfolio gains past 5 weeks / Top 3 Performing Stocks
Week 8 +3.79% / (FATE) +34.71%, (DRNA) +19.98%, (RUN) +0.51%
Week 7 +8.19% / (EGAN) +36.60%, (FLDM) +11.09%, (EROS) +10%
Week 6 +1.47% / (SRNE) +18.95%, (HAIR) +18.64%, (PIRS) +6.44%
Week 5 -2.79% / (QNST) +37.72%, (STAA) -5.47%, (CNAT) -5.50%
Week 4 -1.39% / (AGEN) +27.46%, (INVA) +8.56%, (WK) +0.45%

For those who are new to this short-term selection method I would highly recommend that you review the end of year performance summary and the links to methodology articles about how these high volatility, typical low cap, breakout selections work. Basically, I am trying to maximize the frequency of substantial positive returns using the parameters that resulted from my published doctoral research by focusing on the most volatile sector of stocks.

2018 YTD Chart: +11.58%
Cumulative return with 1-Week holding period.


The next charts shows the cumulative return for a longer fixed 2-week holding period instead of the 1 week holding period charted above. Because 2-week holding periods overlap with weekly selections, I have separated it into two charts, Odd and Even weeks:

  1. Using 2-week holding periods, the ODD Weekly Breakout portfolios have returned 12.77% compared to 5.39% for the S&P 500 YTD over the same holding periods.
  2. The EVEN Weekly Breakout portfolios have returned 1.12% compared to -0.86% of the S&P 500 in the equivalent 2-week holding period.

Chart 1. Chart 2.

Additional Value & Momentum Portfolio Returns:

Full portfolio composition reports are exclusive to members, however additional articles on the different categories of portfolios and samples of research provided to subscribers are listed in my public research profile.

If you are interested in subscribing to any of the Value & Momentum Breakout portfolios offered you can visit my subscription page here. Otherwise please click the “Follow” button at the top of the page and enjoy free updates on the progress of each of the different portfolios I offer that are outperforming the S&P 500 in each of their respective time periods.

As always, I wish you the very best in all your investments!

JD Henning, PhD, MBA, CFE, CAMS

Disclosure: I am/we are long DRNA, EROS, FATE, EGAN, FLDM, PIRS.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.

Vote Against The Rite Aid/Albertsons Merger

Grocer Albertsons signed an agreement to buy all Rite Aid (RAD) stores not bought by Walgreens (WBA). The deal is unusual, to say the least. Rite-Aid shareholders will effectively get $2.50 a share, which is a far below amount Walgreens paid for the 1,932 stores it bought. Shareholders should demand more than the low-ball offer.

RAD

Walgreens bought 1,932 stores for $4.4 billion, which values the stores at $2.28 million a store. Conversely, Albertsons will get the approximately 2,670 Rite Aid stores for $1.83 of cash plus a share of Albertson’s, for every 10 shares of Albertson’s. The exact terms of the deals are as follows:

Under the terms of the agreement, in exchange for every 10 shares of Rite Aid common stock, Rite Aid shareholders will have the right to elect to receive either (I) one share of Albertsons Companies common stock plus approximately $1.83 in cash or (ii) 1.079 shares of Albertsons Companies stock. Depending upon the results of cash elections, upon closing of the merger, shareholders of Rite Aid will own a 28.0 percent to 29.6 percent stake in the combined company, and current Albertsons Companies shareholders will own a 70.4 percent to 72.0 percent stake in the combined company on a fully diluted basis.

Source: Rite Aid

The approximately $2.50 per RAD stock values the buyout at $2.6 billion, or just $970,000 for each store. Paying less than half what Walgreens paid is wholly inadequate for shareholders. If an activist investor like Elliot steps in, as contributor Seven Corners Capital Management suggests, it would have a strong case in forcing Cerberus to raise its offer.

RAD Stock:

Chart
RAD data by YCharts

Take Cash and New Share or No Cash and More Shares

If no activist investor gets involved to get more for each RAD stock, then shareholders may either take the $1.83 in cash plus 1/10 Albertsons shares or take a bit more Albertsons shares only. As you will notice, the deal is structured to give very little money to shareholders. Investors need to consider how weak the combined company will be when it merges. Finding $375 million in synergies is hardly assured. As author Vince Martin calculated, assigning a 5x multiple to EBITDA and the combined Rite Aid/Albertsons would have a market cap of $7 billion. That would imply a share value of just $2 a share.

Speculating on Rite Aid

Author Daniel Jones believes the merger is good for shareholders. The bullishness is based on the combined firm achieving the cost synergies, $400 million in free cash flow from Rite Aid, and a P/FCF of just 4.2 times. The problem with this view is that Albertson’s stores are all dated and are in need of a major refresh. Prior to the merger, Rite Aid had walked through a more innovative business model that would embrace technology in its business. It would have focused more on delivering a better customer experience. This merger sets Rite Aid’s turnaround back.

Reader Sean Livingstone figures Amazon.com (AMZN) could swoop in to buy some of Rite Aid’s stores. The online retailer is working with Berkshire Hathaway and JPMorgan Chase to partner on health care. Yet the new company will focus only on the technology solutions. It will need a physical storefront to deliver easily accessible drugs.

Merger Sets Too Low a Value for Rite Aid Stock

Chart
CVS data by YCharts

The merger values RAD stock at just 0.2x EV/Fwd Revenue. CVS Caremark (CVS) is worth 0.5x while Walgreens (WBA) is valued at 0.6 times.

Source: finbox.io

Rite Aid is worth north of $3.50 a share at a 0.3x EV/Fwd. Revenue and that excludes assuming management succeeds in fixing the business and generating higher revenue in the future:

Source: finbox.io

Final Word

Rite Aid shareholders should vote against the merger and, should the deal go through, sell the stock before the Albertsons shares are issued. Cerberus failed to take Albertsons public through an IPO for over three years. This backdoor entry into the stock market is a troubling deal that hurts the RAD shareholder. Rite Aid had a fundamentally better chance of turning around its business as a pure-play pharmacy chain. The merged firm has two bifurcating goals of growing in the supermarket business and in pharmacy. The synergies between the two businesses are limited. Post-merger, the firm will suffer from low p rofitability and extra costs needed to put the two operations together.

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.

Australian Dollar Is A Sell, But A Risky One

There are serious downside risks to the Australian dollar. Generally, I believe that you should sell AUDUSD (or trade the bearish thesis through related ETFs: FXA, CROC, DAUD, UAUD), but I want you to be aware of the risks.

First, let’s discuss why you should sell the Aussie. Then, I will explain why you should be cautious.

Technicals

Consider the weekly chart.

Source: Trading View

Since 2016, the AUDUSD has been moving in a strict Fibonacci channel, with remarkable discipline. Every single level that was previously a resistance later became a support and vice versa. The general trend was up, but it was not until 2018 that the currency finally managed to break above 200-SMA and hold above it. Now, however, it is at risk of sliding below that critical level and possibly setting a new monthly low. Indeed, this week’s candle (see the chart below) nearly engulfs the previous candle, which is a sign of a strong bearish pressure. Indeed, last week, AUDUSD failed to hold above 0.382 Fibo trend-channel line and history shows that over the past two years, every time the currency failed to hold above that level, it then retreated towards 0.236 level and sometimes fell below it.

On a daily chart, the exchange rate has dropped below its weekly pivot level (0.7890) as well as below all key short-term moving averages (5, 10 and 21). Furthermore, relative strength index is weakening.

Fundamentals

I believe two themes will be weighing on the Aussie on the fundamental side of things: divergent monetary policy between the Fed and the RBA and structural weaknesses in the domestic economy.

The Fed minutes from the meeting, held Jan. 30-31, were released on Wednesday. They indicated the Fed sees increased economic growth and an uptick in inflation as justification to continue to raise interest rates. Some analysts actually believe that the Fed is even more hawkish today than it was three weeks ago, when it held that meeting. David Kelly of JPMorgan predicts “unless there is some shock” there will be four rate hikes this year.

By contrast, the Reserve Bank of Australia (the RBA) is likely to follow a more gradual rate rise path, due to low wage growth and high household debt. Thus, divergent monetary policy will ensure that any rallies in AUDUSD will be hard to sustain. Indeed, the average monthly spread between two-year bond yields dropped below zero in February. In other words, the spread is now negative because the yield on U.S. Treasuries is higher compared to Australian bonds. This has not happened since July 2000. Yes, you read it correctly. The monthly average two-year yield spread between the U.S. and Australia has not dropped below zero for almost 18 years. But now it is below zero, which makes long positions on AUDUSD even costlier.

Source: Federal Reserve, Reserve Bank of Australia, personal calculations

Now to Australia’s domestic issues.

As already said, the combination of low wage growth and high debt means the RBA will stand pat on rates for a while yet. The problem, however, is that the debt is not only high, but that it is also getting higher. RBA data shows that the average household mortgage debt-to-income has risen to around 140% at the end of 2017 from nearly 120% in 2012.

Simultaneously, employment situation is just not getting better fast enough. Wage growth remains stubbornly low (too close to inflation level), while unemployment rate remains persistently high (it has been above 5.0% since 2012).

Source: Australian Bureau of Statistics

On balance, divergent monetary policy between the Fed and the RBA and structural weaknesses in the Australian economy (notably, debt-income situation) compels me to look for opportunities to short AUDUSD. However, there is one issue that dents my confidence – commodities.

Commodities

Australia is a resource-rich country, which is exporting a lot of commodities – specifically, iron ore, coal, wheat and liquefied natural gas. The price of commodities has been going up lately as global demand improved. As a result, Australia’s trade balance went into surplus (see the chart below). Although that surplus already started to shrink in November last year, it was probably only a temporary adjustment. Indeed, oil price is up 4% year-to-date, and because energy is a major component of Australia’s exports mix, I expect to see further improvements in its trade balance in January and February.

Source: Australian Bureau of Statistics

Stronger exports will improve current-account balance and will drive the demand for the Australian dollar. This factor is making me a bit more cautious in my trading strategy.

Overall, I will be looking for opportunities to short AUDUSD – especially if I see any rallies, but my targets will be relatively modest. I doubt we will see 0.7000 in the nearest future, but 0.7500 is possible.

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.

?Red Hat introduces updated decision management platform

Troubleshoot a network? No problem. Write a 3,000 word article on Kubernetes cloud container management? When do you want it. Talk to a few hundred people about Linux’s history? Been there, done that. Manage a business’s delivery routing and shift scheduling? I’ll break out in a cold sweat.

If you too find the nuts and bolts of business processing management a nightmare, you’ll want to check out Red Hat‘s latest program: Red Hat Decision Manager 7.

This program is the next generation of JBoss business rules management system (BRMS). This is a salable, open-source business rules management system. It includes both business resource planning and complex event processing (CEP) technology.

By helping your organization or business capture your business logic, it enables you to automate business decisions across heterogeneous physical, virtual, mobile, and cloud environments using a modern microservices architecture. The Decision Manager 7 is fully compatible with Red Hat’s Middleware portfolio and Red Hat OpenShift Container Platform so you can deploy it in hybrid cloud environments.

Tools such as this often require a lot of customizing coding before they’re useful. This is a low-code development tool, which enables business users to work smoothly with the application development team. If you think of it as a DevOps tool for management and developers, you won’t be far wrong.

There’s a real need for such programs. According to industry analyst firm IDC, non-traditional developers are expected to build 20 percent of business applications and 30 percent of new application features by 2021. If we want to avoid creating useless business process programs — and boy haven’t we all seen some of those! — Decision Manager could be quite useful.

According to Mike Piech, Red Hat’s VP and general manager of Middleware, “The notion of low-code development is less about eliminating code or cutting traditional programmers out of the application development process, and more about helping business and IT users to do what they need to do quickly and efficiently, and in a complementary manner. Ultimately, what low-code tools should offer — and what we have built with Red Hat Decision Manager — is not a platform geared toward one or the other, but rather a rich and tightly integrated feature set designed to provide a better user experience regardless of whether you are a business analyst or hardcore developer.”

Red Hat built this platform for both traditional and cloud-native applications. It can create rules-based decision and planning microservices that can be deployed on-premises within a customer’s datacenter, or as containerized services on Red Hat OpenShift Container Platform.

OpenShift, an OpenStack and Docker cloud-based technology — what does that have to do with business processes, you ask. Remember what I said about DevOps? It enables your business to enhance your processes with such DevOps tricks in trade as automated testing and continuous integration and delivery (CI/CD).

Companies want business process management (BPM). A Red Hat survey found over half of Red Hat customers, 57 percent, want BPM software to automate internal processes. Others, 46 percent, want it to help support new applications, while 41 percent want it to automate external processes, e.g., processes that touch customers, partners, or suppliers. Finally, a substantial minority, 29 percent, want it to support self-service applications.

Want to give Red Hat Decision Manager a try? Red Hat Decision Manager is available for download by members of the Red Hat Developers community. Customers can get the latest updates from the Red Hat Customer Portal. Just don’t ask me to work out your business processes before you try to automate them. I have enough trouble organizing my small business workflow.

Related Stories: