Less Minimal, More Viable – Creating Better MVPs

I had the exceptional luck to work with Eric Ries at both the company that was his inspiration for The Lean Startup, as well as the company that was his catalyst for the change needed to build companies differently (and I hope someday I can convince Eric to release his insightful yet unpublished manuscript “The Bloated Startup” – maybe your tweets can help #EricPleasePublishTheBloatedStartup).

One of the fundamental ideas from The Lean Startup embraced by startups is the Minimum Viable Product (MVP), a product strategy that minimizes investment while maximizing learning and market validation. And while MVP is a great and seemingly simple concept, many startups fail to execute it successfully.

There was a time not too long ago when startups regularly burned many millions of dollars in years of stealth mode, building massive projects anticipating the use cases for all of their future customers, and the concept of releasing anything that wasn’t robust was heresy. A combination of those companies spectacularly imploding, investor expectations that companies achieve validation faster, and the embrace of accepting failure while chanting the mantra “fail fast”, made the pendulum swing the other way.

The most common criticism of MVP is that too often it is actually Mvp, where minimal is emphasized and viable is highly subjective, but leans towards not viable. It’s not that MVP is a bad concept, it’s simply difficult in practice. As a result, others have looked to redefine MVP – Jason Cohen proposed the SLC (Simple, Lovable and Complete), and Laurence McCahill proposed the MLP (Minimum Loveable Product), both emphasizing that delighting customers is part of being “viable”, and reducing the opportunity to simply ship a broken experience to customers using “learning” as an excuse.

Rather than create another TLA, I’m offering guidance to make the implementation of MVPs more effective:

  1. The MVP Delivers Your Value Proposition
  2. The MVP is a Functional Product
  3. The MVP Provides Validation or Valuable, Intentional Learning

Let’s dig into each of these a little more.

The MVP Delivers Your Value Proposition

The MVP must deliver the customer value proposition for a subset of customers that will be early adopters. Delivering on your value proposition may seem obvious, but in the interest of trying to achieve the minimum investment, it can be overlooked.

Core to IMVU’s value proposition was connecting people through expressive avatars, which was initially delivered via a 3D client on the PC. IMVU had an early mobile product that connected customers by enabling messaging from their phone, and while we called it a mobile MVP, it wasn’t. Specifically, the messaging was text-based, so it didn’t deliver on avatars or expressive communication. Since it didn’t include avatars, it also didn’t test the business model, which involved selling items to stylize an avatar. Many existing customers liked the functionality provided, enabling them to perform some basic functions while not at a PC, but nobody would become a new customer on this product – it was simply a helpful add-on.

Later IMVU built a real mobile MVP, starting with the very basic set of functionality that enabled expression via your avatar, and the ability to purchase items for customization (also important to expression). Knowing the PC offering, the mobile MVP felt pretty bare bones, didn’t include 3D (something we knew customers wanted), but the customized avatar was present, enabling self expression. We gained new customers that only knew of IMVU as a mobile experience, and we validated that the business model worked. Eventually full 3D was added with a lot of other features that did an even better job at reinforcing the value proposition, but it was a pretty humble beginning.

The MVP is a Functional Product

The need to be minimal yet completely functional is where great product design comes in, recognizing that the best products are fully functional without being complex – simplicity delights customers.

The test I’m proposing is, without adding additional functionality, does your MVP continue to deliver value to your early adopters? Asking another way, can you imagine walking away from the MVP and seeing your early adopters still using it in 24 months?

When it comes to applying MVP to new product functionality for an established product, this simple but complete requirement is even more critical. I witnessed many MVP projects that shipped in half-done limbo: some customers sort of liked it, but it was broken, and not valuable enough to finish… the result is many rough edges and missed opportunities to delight customers.

The MVP Provides Validation or Valuable, Intentional Learning

One of the most disappointing results to hear from a failed MVP is, “we learned it didn’t work”. Aside from the obvious desire for projects to be successful and delight customers, this result represents a failure to intentionally learn. A great indicator this is happening is a product manager presenting data harvested after the fact, hand-picking metrics that were not identified before the product was built, creating learning theater.

The MVP should reduce uncertainty, either by validating previous decisions or providing information necessary to make specific future decisions.

When building the MVP, there should be a clear hypothesis, identification of the metrics that will be used to gauge progress, the ability to capture those metrics, and an understanding of the critical decisions that will be influenced by the results. In addition to creating a discipline around honest assessment of progress, these requirements guide the team’s product development decisions.


Have you learned something valuable from building an MVP? I’d love to hear your story! Please leave a reply in the comment section.

Congratulations Successful Entrepreneur: You’re Fired

Most startup entrepreneurs understand that the odds of success are not in their favor… only about 1 in 10 startups will survive. Of course, most startup entrepreneurs don’t believe they fall into the 9 out of 10… a healthy amount of self delusion is required to go down the startup path in the first place. But there is that 1 in 10 that does make it… and, if you are lucky enough to be the CEO that delivers that success story, the odds are you’ll be fired.

Before explaining why being fired is the most likely outcome for a startup CEO, it’s necessary to explain the startup journey…

Your Mission as a Startup

Investment-backed startups are created to discover scalable businesses, usually by inventing a new product or service that can become a large business, or by creating substantial efficiencies that take customers away from an existing large business. There is no clear, obvious path to doing either of these, otherwise success would be the expectation, not the exception. So success requires reasonable self delusion that you will succeed, as well as experimentation / rapid iteration necessary to adjust to the challenges of discovering the successful business. In practice, this can often manifest itself as the CEO coming in with the crazy idea of the day saying, “let’s try this… can we ship it by tonight?” If you like the excitement that comes from working through challenges with great uncertainty, this process can be a rewarding experience.

Through this process of discovery, a few things can happen. If the company runs out of money before a scalable business is discovered, most likely everybody loses their job, although it is possible that the board still believes in the company but sees execution or leadership as the problem, fires the CEO, and then puts in new money to support a new leader. From the CEO perspective all of these paths lead to the same place… you’re effectively fired.

But wait, Brett… those are failure scenarios… I’m that 1 in 10! I discovered product market fit! I delivered on my mission! I found the scalable business!

You’re probably fired anyway.

It’s Not Us, It’s You

You’ve done something truly amazing… you’ve led people down a crazy path, likely engaged in some mixture of know-how, magic, luck, skill, and insanity, and come out the other side with a scalable business. It takes a particular type of person to do that successfully.

Unfortunately, that particular type of person is usually the exact opposite of the particular type of person you want growing a scalable business. Growing a scalable business is more about efficiencies and optimization, much less about discovery. That same crazy-idea-of-the-day behavior that miraculously led to discovering the scalable business is exactly what derails the consistency a company’s organizations need, and what customers will expect. As the organization grows, process and management become necessary to handle the challenges that come with simply trying to get hundreds of people to work towards the same goal. The needs of operating a scalable business probably contributed to the CEO quitting their previous job and creating the startup in the first place.

The board has a responsibility to drive shareholder value (including their own investment) and, seeing how maximizing the value of the business now requires a different expertise, likely determines that it’s time to get somebody best for that job. It’s possible that the startup CEO has the rare set of skills to transition, or it’s possible that the board will bring in supporting executives to help. In these cases the same end result is usually just delayed.

Of course, getting fired doesn’t happen every time… you can look at examples like Mark Zuckerberg, Drew Houston, Jeff Bezos, and Steve Jobs and, using that healthy amount of self delusion, say “I’ll be like them” (forgetting, of course, the first run of Steve Jobs at Apple). But if you look at all of the companies in the valley that scaled successfully, you’ll find most had the founding CEO “step aside”.

Yikes! How Do I Prevent This?

Your gut response as a startup entrepreneur is likely something like, “I’m going to make sure that doesn’t happen to me.” However, I encourage looking at it a different way… this happens, you’re probably going to be replaced, and that’s probably okay. It’s better to prepare for the possibility rather than assume it can’t happen. You may find being replaced is actually the desired outcome if you prefer building new things rather than optimizing existing ones.

The most reliable way to avoid being replaced is by not giving the board (or anybody else) the power to replace you. In practice this is usually only possible if you don’t take outside investment… venture capital investors will usually take board seats and almost always retain the ability to replace the CEO. The tradeoff you make for getting extra cash to accelerate your progress comes with the price of forfeiting some control.

Assuming you’re taking investment, the best path is likely making accommodations for a transition as part of that investment. Address things like an ongoing role post-handoff (operational and board), vesting of stock, participation in success rewards, and your treatment for liquidity events (acquisition, IPO, secondary offerings). Also account for variations to the plan… while you may want to maintain a significant operating role after a transition, it may be determined that the new CEO can’t be successful while employees still look to their founding CEO hero for direction.

Finally, if you do get to the point where you are being fired after successfully delivering on your mission, make sure you recognize your truly amazing accomplishments… you knowingly engaged in a difficult challenge, with all odds against you, and you were a success. Many people, employees and customers, will be better off because of what you built.

Congratulations.


This posting was greatly inspired by over 20 years of stories from many friends that have been founding CEOs, and by Steve Blank’s great presentation, Why Accountants Don’t Run Startups.


Have you been a startup CEO and been through this journey? I’d love to hear your story! Please leave a comment.

Joining Social Starts as a Venture Partner

My short-lived backpacking career is in jeopardy… I’m a Venture Partner at Social Starts.

Why a Venture Partner Role

Most recently I spent several years growing a company from startup to millions of customers. In each role of the company, from technical executive to CEO, I needed to spend time deeply understanding the technology and markets related to the business (social, expressive communication, VR, avatars, communities, virtual goods, scalability, digital currency, and virtual economies). While being able to get a deep understanding of subject matters was great, it left little time to explore the breadth of ideas powering innovation, and I missed that.

So, one of the ways I’ve spent my down time over the last few months is getting exposure to a wide range of companies doing things I’ve never done before. In addition to some advisory work for startups, I went to a few sources of amazing entrepreneurs with great ideas. Steve Blank generously invited me to sit in on his Lean Launchpad class at UC Berkeley’s Haas School of Business, where entrepreneurs formed and iterated businesses around IoT, energy management, and medical devices. I also spent some time at Obvious Ventures getting exposure to some really impressive companies in areas ranging from consumer packaged goods to gene therapy and wellness.

I found I really enjoyed the exposure to new companies, especially those outside of my fields of expertise… seeing how people are applying new technology towards opportunities drove my natural curiosity to research topics that were new to me.

I also found satisfaction in my advisory work, helping startups by sharing what I’ve learned, both from my successes, and my failures. Surprisingly, many companies deal with the same patterns of challenges – it’s great to help people get past those so they can move on to newer, more exciting challenges unique to their situation (I wish I could write “eliminating challenges”, but businesses just move from challenge to challenge… you’re fortunate when you’re working on the challenges with possible outcomes ranging from “good” to “great”).

When the opportunity came up to research and help fund all sorts of great startups while providing me with the flexibility to work more deeply with a few companies, I knew this role was right for me.

Why Social Starts

There are many reasons I joined Social Starts, and two factors that most greatly influenced my decision are the team and the deal flow.

In regards to deal flow, Social Starts focuses on very early stage funding, from moment of inception to Series A. The closer you are to the top of the funding funnel, the larger the pool of companies to consider. And, Social Starts considers a lot of companies… it’s been named the top fund under $100M since 2013, the 5th most active early stage fund worldwide of any size in 2015, and the 6th most active early stage fund in US tech in 2016.

For any organization I would join, it’s a requirement that I respect and appreciate the team. In my discussions with partners, I experienced many characteristics I value, including candor, humility, thoughtfulness, and pragmatism. As a bonus, the COO is a friend who is on my short list of “people I would work with at any company, any time”.

Let’s Work Together!

If you’re working at an early stage company in fields like VR / AR, health care technology, AI, work platforms, internet of things software, mobile commerce, blockchain, security, content, wellness, analytics, or human-brain interface, I’d love to hear more about your company.

I also have some availability for advisory / consulting roles for companies that need somebody with executive-level experience successfully scaling startups, helping execute through the challenges that come with growth.

Leadership Requires Taking a Stand

For reasons I’ll cover in the future, I took a break from blogging. I did not intend to resume this week, and I did not expect that this would be my returning topic, but recent events have been a catalyst for me, and silence wasn’t really an option.

“We must take sides. Neutrality helps the oppressor, never the victim. Silence encourages the tormentor, never the tormented” – Elie Wiesel

I had no intention of covering politics on this blog. In speaking to the importance of leaders taking a stand, the public and obvious failure of Donald Trump was an example that could not be avoided. Further, it would be hypocritical for me to cover this topic without taking a stand myself.

A Leadership Softball

History’s losing flags on display in Charlottesville

Last weekend Nazis rallied in Charlottesville, spouting words of hatred and eventually murdering Heather Heyer. As much as the “Unite the Right” mob wants to claim that they are non-hateful and simply defending white heritage, chants like “Jews will not replace us”, “Fuck you, faggots”, and “Blood and soil” (which comes from Nazi roots), combined with marching under the flags and other imagery of Nazi Germany, clearly reveals the true intent. Describing these people as Nazis is not hyperbole – they are literally marching under the flag that many of our grandfathers gave their lives to defeat.

Denouncing the actions of Nazis is a leadership softball. In my home town of Berkeley, which is frequently (and sometimes fairly) considered socialist and crazy, Top Dog, an establishment that is staunchly libertarian and pro-free-market, fired an employee participating in the Nazi rally. The owner of Top Dog is not a delicate snowflake with hurt feelings, he took a stand against what was morally wrong and backed it up with actions.

In contrast, Donald Trump failed to even take a swing at this leadership softball. His initial comments appeared sympathetic or even supportive of the Nazis, receiving praise from former KKK leader David Duke. In an uncharacteristic two-day delay to ensure, “what I said was correct, not make a quick statement”, Trump denounced the Nazi groups, in what appeared to be a forced reading of a prepared statement, days after most leaders (and bipartisan elected officials) took a firm stance against the Nazis. After what would have simply been considered a disastrous display of failed leadership, yesterday Donald Trump destroyed what little credibility he may have garnered, when he effectively backtracked on his condemnation of Nazis, and seemed to equate our founding fathers to people that committed acts of treason waging war against the United States.

The Nazis in Charlottesville were largely Trump supporters, so Donald Trump making a clear and decisive statement against these hate groups may have come at a cost of losing some of their support. If you assume Donald Trump was simply attempting to remain neutral, the lack of a commitment against something so obviously anti-American (Nazis) was largely interpreted as support for the hate groups – this interpretation was echoed by politicians from both sides of the aisle and from the hate groups themselves. After Trump’s impromptu shit show on Tuesday in which he doubled down on his “many sides” to blame, it left little doubt where he really stands, although he still hasn’t displayed the leadership to clearly define his position.

Taking a Clear Stand

It’s necessary for leaders to take a clear stand on issues that impact their organizations, both to act as a beacon for what is expected for the organization, and to enable people to leave the organization if it is inconsistent with their own values.

A good way to test whether a company is committed to its cultural values is looking at how the company acts when holding to those values comes at a real cost. Similarly, leaders should be judged by their actions as they face adversity… are they willing to make personal sacrifices to maintain their integrity and live by their values?

In 2015, as CEO of IMVU, I made the decision to not allow the confederate flag in IMVU’s products. Some customers reacted unfavorably, some directed hostile remarks at me, and customer service received complaints. There was also some impact resulting from customers that had purchased or sold the products. I had expected all of that. And as much as I value freedom of speech, ultimately the value of IMVU being an inclusive community for millions of customers outweighed the impact of eliminating the emblem representing a war waged on the United States to defend the right to own humans. My actions were not big and bold, they were simply doing what I thought was the right thing given the values of the company and its community.

Regarding Donald Trump’s failed leadership, six business leaders have stepped down from presidential advisory councils, citing their own values as the primary motivation for distancing themselves from Trump. These leaders have clearly taken actions consistent with their personal values, and did so at a cost, as Trump quickly attacked and belittled these leaders the moment they stepped down. Those remaining on the presidential advisory councils may not explicitly support Trump’s defense of hate groups, but their continued support of him as a leader acts as an enabler, and casts doubts on their values or the ability to act consistently with their values. Trump’s top economic adviser Gary Cohn is reportedly ‘disgusted’ and ‘appalled’ by Trump’s responses this week, yet plans to remain in the administration, implicitly supporting Trump’s behavior. Gary Cohn, who was born into an Eastern European Jewish family, continues to support a man that can’t denounce Nazis – as a citizen (a member of the US organization) I draw the conclusion that Cohn values tax reform and deregulation above what I would consider a non-starter, supporting somebody that can’t condemn hate groups.

Live Your Values

An organization’s culture and values are just pleasant little phrases in the employee handbook unless the organization reinforces the values in all actions, especially in tough times.

As a leader, if you are unwilling to state a position consistent with your values or sacrifice to take actions supporting those values, you don’t actually hold those values, or you are not a leader.


Firing People Respectably

Firing people is perhaps the most unpleasant responsibility that comes with being a manager.  I’ve read many articles on “the right way” to handle firing, but my experience has taught me every case is different, and even following the best advice can result in a challenging interaction.

I’ve created guidelines for myself that feel fair (this is how I want to be fired), and I accepted that firing is unpleasant for everybody involved, so it’s ultimately about making the best out of a shitty situation.

My guidelines come from the perspective of a culture I want to see in a company, not the legal perspective (which tends to err on the side of corporate protection over recognizing the human components).

Guidelines for a Firing Manager

My guiding principle, be respectful, helping the employee retain their dignity, drives these guidelines:

  1. Always remember you’re firing a person, not a resource.  In almost every case being fired is an emotionally painful situation, so be mindful that you are firing a person, with feelings, fears, and personal responsibilities that will be compromised as a result of job loss.  People react unpredictably in emotion-filled situations.  As the firing manager it is important to be respectful through the whole process and be balanced in responses to the other person’s (re)actions.
  2. Don’t get into a detailed discussion.  A common pattern is the person being fired will want to get into the details about the decision to fire.  The firing discussion should be efficient (there is nuance in balancing not being insensitively fast vs. dragging out the pain).  The manager should absolutely provide a high-level explanation, and the next steps (ideally the company has a standard document that explains the issues that will be important to the employee), but the person being fired is very unlikely to actually hear a detailed discussion – they are too emotional to process it.  If a person being fired wants to get into details, I suggest scheduling coffee the following week, giving them enough time to figure out what questions are really important and getting past the initial shock so they can be receptive to the answers.
  3. Never discuss individual details with others.  When a person is fired, other employees frequently want to understand more details.  It can be tempting to want to bring others into the loop or calm an underlying “am I next?” fear they may have by sharing the details, but it is disrespectful to the person being fired (it’s also probably a liability for the company). Instead, have a culture that is transparent about the process (why and how) people are fired, while never discussing an individual’s specific situation.

Reasons for Firing

The reasons for firing an employee generally fall into three categories: performance, role eliminated, and violating the company relationship. Each impacts the person being fired, other employees, and possible outcomes differently.

Performance Problems

When an employee is under-performing it is their manager’s responsibility to make that employee successful and, if that fails, fire the employee. An employee’s performance should be a regular discussion with their manager, and missing expectations should be made explicitly clear, along with clarity around the exact expectations and a plan to improve.  If the improvement doesn’t happen, the firing discussion should be more of a final conclusion to the mutual recognition of the problem, with both parties aligned on the shared data.  My rule is, “if the employee was surprised they were fired for performance reasons, this is a failure of their manager”.

Role Change

The role change scenario is one where the company’s requirements or constraints have changed and an employee is no longer appropriate for the role.  I’m including layoffs / downsizing in this category (not being able to pay people is a constraint).  A commonality in these firings is that they include qualified, successful employees.  This is the one firing scenario where additional insights into the decision can be shared with other employees, as the decision is not about an individual (but be sure that the role change is the real reason for the firing, otherwise it will eventually result in distrust from employees).

A role change specific to an individual feels the most personal for the person being fired and can be hardest for other employees to understand. The message of “great for previous role, wrong skills for what the company needs going forward” is easy to say, harder for employees to process, often because a good employee will be leaving, and many employees won’t have the insights into the need for the change (or may simply disagree).  The best analogy I’ve been able to come up with is sports teams, where a great player may be traded to make room for a player that has different skills that make the team better as a whole (as in Moneyball, where trading stars for players that just got on base resulted in a better team).

When a role change is impacting many people (typically driven by financial situations or discontinuing a product / service), explaining to the people impacted can be more comforting than when it is a single role, since the reasons don’t feel as personal (make no mistake, for the people being fired the impact will feel very personal, it just won’t feel like they were individually targeted).

Violating the Company Relationship

Every company has its own unique culture, principles, rules, and expectations in the relationship with each employee, and between employees.  I’ll use “don’t steal” as an example, since this is probably a common deal-breaker even in the most toxic environments.

When there is a violation of the relationship, the employee needs to be fired, otherwise the company is signaling that it isn’t an actual expectation of the relationship, or perhaps worse, that enforcement is selectively applied. In this firing the employee should not be surprised, however an employee willing to violate the relationship in one dimension is likely willing to double down and deny their responsibility in the situation. Unfortunately, this is one of those nobody-wins outcomes that, as a manager, you simply need to get through, look for the learning opportunity, and move on.

A particular challenge in this type of situation is the inability to offer an explanation to other employees, especially if the violation was concealed. Using the stealing example, the company could have liability in disclosing the violation to others, so employees just see somebody fired for no apparent reason.  As recommended in my guidelines above, if your company has a (trusted) transparent culture around how and why people get fired, many may infer that it was either a performance problem or a violation, which is a better outcome than the firing feeling random.

Management Failures

Employment is a relationship, and the manager and company have to acknowledge their responsibility in the failed relationship, both in why it failed and the importance of properly handling the failure.

Passing the Buck

If there are other existing opportunities where the employee could be successful at the company, that can provide a solution that is both a win for the employee and the company.  However, since firing is so unpleasant, managers should be challenged to understand whether they are diverting the problem to somebody else or really feel the employee is best for the opportunity.  Ask the question, “if the employee didn’t work here but was applying for the new opportunity, would you hire them?”  If the answer isn’t a confident, “yes”, the manager is likely passing the problem to somebody else. Another red flag is the creation of a new role for an employee that would otherwise be fired… in almost every case I’ve experienced, this is a manager avoiding a tough (and necessary) decision.

Performance Improvement Plans

Performance Improvement Plans (known as “PIPs” in HR speak) are formal documentation explaining the employee’s performance problem, the expectations, a process to improve and a success evaluation date. On the surface this is all great – issues that should have been discussed in 1:1 meetings. When used as a tool with the intention of making the employee successful, PIPs can be really helpful in providing clear expectations.

The dark side of PIPs is when they are used as an HR cover-your-ass maneuver, in which the employee’s fate has already been decided but, because of risk or liability, there is a desire for the company to have ample documentation around the termination. Don’t do this.  When a firing outcome has been determined, fire the employee.  Dragging out a process or giving false hope is disrespectful, and arguably cruel.

Learning from Failure

A firing may not reflect a failure, it might actually be the best decision for the company and perhaps even for the person being fired.  However, all firings can be an opportunity for the company to learn and improve its processes. If it was a new employee, try to understand how the interview / hiring process could have identified the issue.  With longer-term employees, look for training opportunities (for the employee or management) that could have resulted in a more successful outcome.  Understand when the firing should have happened and what should be done next time. Since firing has such a big impact on both the employee and the company, there is value in continually improving the process to reduce or avoid any firings that could have been avoided.

Have you been on either end of the firing process and have suggestions for improving how it gets handled?  Please leave a comment!

Fairness in Employee Intellectual Property Rights

Silicon Valley is still in the Jurassic age when it comes to employee intellectual property rights.  It’s not that Silicon Valley has lagged behind others in this regard, but there has been no innovative leadership while there is ample opportunity to set an example for fair employee policies.

Before I was the CEO of IMVU, I was SVP Engineering, and in 2011 I drove an initiative to change the company’s policy regarding the ownership of employee side projects. At the time my basic argument was we were actively looking to hire employees that are builders, creators, tinkerers and then had a policy (like every other company) that oppresses the same qualities we actively sought.  The new policy created a path for employees to have guaranteed ownership of their side projects and be protected against any future claims from the company.  I detailed the outcome in my article IMVU’s Employee-Friendly Policy on Side Projects.  My hope was other companies would embrace and improve on this first step.

6 Years of Progress!

In the 6 years that followed,  there has been a massive wave of companies acknowledging that some of the best employees they can recruit are passionate builders that actively contribute to open source and hack on pet projects to feed their creativity and passion for learning new skills.  These same companies have changed their culture and employment agreements to support these employees by recognizing that traditional intellectual property assignment agreements are over-reaching.  Actually, none of that happened.

For the most part, the state of employment agreements and employee intellectual property rights hasn’t changed.  Many companies still have policies with far-reaching claims on anything the employee creates, at any time, even if not directly related to the business and whether or not company resources were utilized.  It doesn’t matter that some of these claims are not enforceable (in particular, California has much more employee-friendly laws), many employees would simply give up rather than incur the legal costs to defend their rights.

The result of the continued inconsistency between company policies and employee behavior is an awkward cultural and legal situation, where employees have side projects and sometimes kind of keep them secret and the company sort of doesn’t acknowledge the side work when it knows about it… a wink wink, nudge nudge arrangement until it isn’t, and the company decides it owns the employee’s thoughts.

I’ll take a moment to call out (and praise) a recent exception… GitHub recently introduced a policy to let employees keep their intellectual property.  GitHub’s policy is called Balanced Employee IP Agreement (BEIPA) and recognizes that the employee has rights to projects that are not related to the company business, and also that “free time” and “company time” is fuzzy (the policy doesn’t explicitly state that employees can use company resources, but it also doesn’t claim rights either).

The Challenge of Change

As I went through the process of changing an industry-standard policy, I gained a much better understanding of the challenges. Ultimately the challenge of innovation in these policies comes down to no perceived upside for the company, combined with fear of embarrassing failures from the innovation.

Standard Employee Agreements (which include assignment of intellectual property) are heavily weighted in favor of the employer and, since they are pretty much the same at every company, there is no competitive market and little reason to change. The company’s fear of losing out on an amazing invention can also come into play, with concerns that the company will forfeit rights to what could have been a game-changing development (who wants to be the idiot that let go of the billion dollar idea?). And finally, lawyers… corporate counsel provides tried-and-true boilerplate Employee Agreements, and the same corporate counsel that reviews the policy change is typically risk-averse, seeing rights-releasing changes as mostly downside with unknown benefits.

I found that most of the challenges in changing this policy were key stakeholders taking a “why we can’t” approach instead of a “how can we” attitude.  Now having 6 years of experience with the policy, I can unequivocally state that it resulted in no downside for the company and only goodwill for the employees.

Getting to Fair Employee IP Rights

I believe the first critical step in getting to fair employee intellectual property rights is bringing awareness that change is desired and possible.  Without a push from employees, it’s too easy for employers to just keep doing things the way they’ve always been done.

If you are an employee that would value a more equitable arrangement around intellectual property rights, let your employer know!  As a starting point for what is possible, point them to the improvements made at IMVU or GitHub.  Make an offer to your employer to promote the company’s leadership in this area and use it as a recruiting tool for creative talent.  If you are interviewing with a company, ask about employee IP rights – if this becomes a common topic from candidates, HR (recruiting) will see the value in making a fair policy a benefit.

We’re seeing progress in other areas that have similar challenges around change… I am excited that some Silicon Valley companies are establishing or updating their policies to consider employee fairness around stock option plans that actually help employees keep the rewards from their contributions.  As these companies intentionally make the choice to not just do the same thing every company has done before, I encourage them to use that same open-minded process to examine their employment agreements and create policies that are fair to the employees they strive to attract.

This guy wrote your boilerplate IP Agreement

As a leader in a company, consider whether the policy you have today was intentional, reflecting the culture and values of what you are trying to build, or if the policy is just a generic hand-me-down from the corporate dinosaurs of the past. If you experience too many challenges around making sweeping changes, at least make incremental changes and try to use them as a differentiator for your company (really, go on Quora or Hacker News – potential employees looking for companies with fair IP policies are left with almost no good examples… your company could stand out).

As more companies show that employee fairness is a differentiator that attracts and retains great talent, it will push others to improve their policies to be competitive.


Know of other companies that have great Employee IP rights?  Think Brett is crazy and giving away all of a company’s value?  Leave a comment!

How to Stop Me From Spying on Your Internet Usage

Yesterday Congress voted to erase privacy protections for consumers by passing a law making it illegal for the FCC to have rules to protect consumer privacy online. Specifically, this vote allows your ISP (Internet Service Provider, the company you pay for your Internet access) to collect and sell your Internet usage information without your permission. To be fair, you didn’t yet have these protections… they were just about to go into effect, and now they won’t.

Most people appreciate the right to keep private what they do in their own home and are unhappy with a violation of this privacy, but many don’t understand the potential impact on their lives, or how to protect themselves from these privacy violations.

What You Reveal Using the Internet

In your day-to-day usage of the Internet you expose to your ISP an enormous amount of data that enables them to target and classify you in ways that are valuable to advertisers, employers, insurance companies, and financial institutions.  Your ISP has the ability to sell to companies data to classify you based on health issues, financial status, sexual interests, religion, hobbies, and political views.

Every web search you make and every web page you visit is an opportunity for your ISP to understand you a little better. Searching information about depression?  Looking at the most recent coupon you got from BevMo?  Congratulations, you’re now part of the “risk of alcoholism” demographic that might be of interest to future employers or insurance companies.  Reading a medical site to figure out if that mole on your arm looks funny?  You are flagged as a cancer risk.  Searching for an anniversary present and looking at a dating site in the same week?  Divorce attorneys and real estate agents might pay handsomely to know who you are (or, more accurately, who your spouse is).

But wait, Brett – I use “Incognito” or “Privacy” mode on my browser… doesn’t that protect me?  Actually, no… these options prevent websites from permanently storing information on your browser that can later be used by that website to re-identify and track you, but they don’t do anything to secure the traffic that goes between your computer and the website, which always passes through your ISP.

But Brett, I know the little “https:” in the web address bar means secure, so I’m safe on those sites, right?  You’re better off, but you’re still leaking a ton of information… Secure websites do a great job of ensuring that the traffic sent between the website and your computer is encrypted and secure – so the contents of the interaction should be private.  However, your ISP can still watch the Internet addresses you visit, so if you look at the Suicide Prevention Hotline, your ISP can’t see the specific data but they know you are interested in content about suicide. This site-identifying information is also revealed through your DNS queries (how your computer turns the domain name in a URL into an IP address), and most consumers have their DNS handled by their ISP.
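To make the two leaks above concrete, here is an added example (not from the original post) that builds a constructed DNS query and a constructed TLS ClientHello for a placeholder hostname and then reads the hostname back out of each the way a passive observer on the ISP’s side would. The TLS record is deliberately minimal (zeroed random, one cipher suite); the hostname and packet bytes are constructed for the example, not captured traffic.

```python
"""Added example: which hostname fields cross the ISP in cleartext even when
the page content itself is HTTPS-encrypted (DNS query name and TLS SNI)."""
import struct
from typing import Optional


def encode_dns_name(name: str) -> bytes:
    """Encode 'www.example.org' as DNS labels: 3www7example3org0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a plain UDP DNS query for an A record (constructed sample)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_dns_name(name) + struct.pack("!HH", 1, 1)  # A, IN


def dns_query_name(packet: bytes) -> str:
    """What the ISP's resolver (or a tap) reads from the query: the full
    name being looked up, in cleartext."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers not expected in a query")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record carrying an SNI
    extension. Constructed sample: random bytes are zeroed."""
    sni_name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name   # host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list        # type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x00" * 32         # random (zeroed for the example)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: one suite
        + b"\x01\x00"          # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_hello_sni(record: bytes) -> Optional[str]:
    """Walk the cleartext ClientHello and return the SNI host_name, or None
    if the extension is absent. This is the field an ISP can log for an
    HTTPS connection without breaking the encryption."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello")
    pos = 9 + 2 + 32                                  # record+handshake hdrs, version, random
    pos += 1 + record[pos]                            # session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                                 # cipher_suites
    pos += 1 + record[pos]                            # compression_methods
    if pos >= len(record):
        return None
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                        # server_name extension
            entry = record[pos + 2:pos + ext_len]     # skip list length
            if entry[0] == 0:                         # name_type host_name
                name_len = struct.unpack("!H", entry[1:3])[0]
                return entry[3:3 + name_len].decode("ascii")
        pos += ext_len
    return None


if __name__ == "__main__":
    site = "hotline.example"  # placeholder hostname, not a real site
    print("DNS query reveals:     ", dns_query_name(build_dns_query(site)))
    print("TLS ClientHello reveals:", client_hello_sni(build_client_hello(site)))
```

Both functions recover the hostname from bytes that are never encrypted, which is why a VPN or a privacy-respecting resolver, not just HTTPS, is needed to keep the ISP from learning which sites you visit.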

Okay, Brett… fine, ISPs can do this shifty stuff, but this sounds like tinfoil hat territory.  Well, maybe, but these large ISPs have a history of doing some really shady things with your data, ranging from hijacking (and replacing) your search results, inserting ads into your web pages, and secretly sending your web history back to the ISP.  The big name ISPs (Cox, Comcast, Time Warner, AT&T, and Verizon) spent money lobbying and buying votes because they are most capable of turning your private information into their profits (and they probably want a return on that investment).

You are the Product

Of course, collecting and selling information about users is the way many Internet companies (Google, Facebook) become powerful cash machines.  As a general rule, if you use a free service that doesn’t sell its products, you are actually the product being sold to other companies.  The primary difference is these privacy-selling services are optional (you don’t have to use Facebook), and you are not paying for them.

An ISP is closer to the phone company as a utility – while you may have some choice in which ISP you use, frequently these choices are very limited and, if selling private customer information is a standard practice, your only alternate choice is not having Internet access.  If you found out that the phone company listened in on your conversations and sold transcripts to other companies, you’d likely be outraged.

Which brings up the question: what protection will you have against being highly targeted?  If you filled out a request for health insurance online, can that insurance company acquire data to make coverage liability decisions about you by requesting data for your IP address, if not for your name specifically?  Can I go to my local ISP and buy data because I want to understand what news my neighbors read, what dating sites they use, and what movies they watch?

Keeping Your Internet Usage Private

For the more technically inclined, there are several options available (e.g. a centralized VPN at the router, or Tor), but these are not really accessible for the average consumer, so I’m going to cover what I think are the two best options accessible to most people that don’t have a system administrator living in their household.

VPN

A VPN (virtual private network) establishes an encrypted connection between your computer and another server, and that server accesses the Internet and relays the data back to your computer.  A VPN prevents your ISP from seeing anything you access – they only see a single connection to the VPN server.  While the VPN does conceal your data from your ISP, you need to find a trusted VPN provider as they now have access to your data.  As an additional challenge, if you are interested in making all Internet access from your home private, a VPN is unlikely to work with all of your devices (e.g. Tablets, Roku, Apple TV, Alexa / Echo, and Amazon Fire TV).  Finally, some Internet sites (like Netflix) specifically block VPNs, adding additional frustration to this solution.

Choose an ISP That Values Your Privacy

All ISPs have the ability to take advantage of Congress voting away your online privacy rights.  The big names (Cox, Comcast, Time Warner, AT&T, and Verizon) have the most capability of leveraging your private data, but this doesn’t mean that smaller ISPs won’t also use your private data – it is quite likely that bigger companies will offer an easy revenue-generating solution that allows smaller ISPs to provide access to your data, bringing in some extra cash (tempting for small ISPs that are typically at a significant disadvantage over the big names).

However, smaller ISPs can be more committed to respecting customer desires, and may be more receptive to customer requests to maintain privacy.  For example, since the early 1990s I’ve worked with LMi.net, who has always been a great partner for my business and personal Internet needs.  I called the owner and he told me several customers called after Congress voted and he responded, “It’s easy. We never have sold user data, and we never will.”  While big ISPs send me weekly junk mail trying to lure me in on some great Internet package (usually including TV), I understand the value of my ISP consistently making decisions that consider the best interest of the customer.


Do you have other suggestions for keeping your Internet usage private? Think I’m a paranoid crackpot?  Please leave a comment!

More Things You Don’t Know About Stock Options

I’ve generally found that every time I have dealt with stock options I’ve learned something new, and usually in somewhat painful ways.  It’s one of the few areas where I actually hope I’ll someday understand every aspect and stop learning, but changes to how options are handled and complicated (and changing) tax laws promise to make stock options a topic that will never be mastered.

In my most recent experiences, I learned a few things that don’t seem to be common knowledge, even among many people that have been in the stock option rodeo for a long time.

Companies Can Outlive Their Stock Plans

The stock options granted to employees, directors, advisors, or other parties are done so pursuant to a stock plan that is typically created around the time of incorporation.  When one receives an option grant, the grant will reference the stock plan and a copy of the plan should be made available to the recipient of the grant.  These stock plans have a lifetime, with 10 years being pretty common, and the ability to exercise options typically expires with the stock plan.

And for what I’m guessing is more than 99% of Silicon Valley companies, the 10 year life of the stock plan is irrelevant because, within 10 years the company most likely fails or has a major restructuring of the cap table (making the options worthless), gets acquired, or goes public (resulting in some conversion or liquidity of the options).  In almost every case the stock options either get flushed down the toilet or become liquid within 10 years.  But, there is a less common scenario… a company substantially increases in value and remains private and independent, celebrating 10 years and outliving the initial stock plan.

In this situation, most people granted options under the original stock plan need to exercise or forfeit their stock (there is typically a way to handle current employees as a new plan is adopted).  And, that’s the big gotcha.  When granted stock options, a lot of people will choose not to exercise their options until there is a liquidity event, so they don’t risk any up-front expense and only purchase when they can immediately sell the stock for the gains (this strategy eliminates up-front risk, trading for a less favorable tax liability later, assuming the company doesn’t fail).

So let’s put some numbers behind this… Ned joins the advisory board of a startup company during the seed round and gets 100,000 options valued at $0.01 (one cent) each, so Ned can purchase these 100,000 shares for a total of $1,000, but doesn’t do so at the time of the grant.  Against all odds, the startup does well, survives 10 years without a liquidity event and the shares are now worth $1.25 each – a 125x return!  Ned gets a call and is told that the stock plan is about to expire and he must exercise his options or lose the grant.  The good news is, $1,000 to get $125,000 in stock is a pretty good deal.  However, that purchase is going to be a taxable short-term gain of $124,000 (10% – 39.6%, depending on Ned’s total taxable income, so up to $49,104 to be paid in taxes).  But, the company is still private so there is not necessarily a market where Ned can get liquidity, so in rough numbers Ned just spent $50,000 in cash to buy $125,000 in stock that can’t be sold – that doesn’t sound all that bad, but there are a lot of factors that prevent it from being an easy decision.  Another big rub for many is that, instead of the company getting the money from the stock purchase, it goes to the government.

While there are plenty of stock option scenarios that present a similar dilemma,  the stock plan end-of-life scenario is unique in the lack of flexibility – even if the company and grant holder want to find a solution, there isn’t a clean way to update paperwork or give extensions for exercising at the end of the stock plan’s life.

There is a very easy way to avoid this early on… if Ned exercised when he received the grant, he would have paid $1,000, the fair market value for the stock, with no tax consequence, and 10 years later he would already own that stock, now worth $125,000 (but still not liquid).

My best advice (worth everything you just paid for it, so consult a lawyer or tax expert before following it) is to exercise as early as possible, especially in a startup where the stock barely has value.  Your time is the most valuable thing you have, so if you’re willing to bet on the startup by investing your time, you should be willing to bet some cash, too.

Most Job Seekers Don’t do the Math

At this point in my life I’ve overseen more than a thousand job offers, and one aspect that surprises me is how frequently prospective employees don’t ask for the information necessary to understand the value of the stock options offered as part of their compensation package (sometimes as a very material component of that package).  I’ve had conversations where job seekers told me another company offered them twice as many options as I was offering (seeking more from my offer), but they didn’t know the total options in either company or recent valuations, so they didn’t understand the percentage of ownership (if you’re offered 1 share of Berkshire Hathaway or 1000 shares of Apple, you’ll make $117,000 more taking the Berkshire Hathaway).  Seeing so many people not doing this math has led me to joke that my next company will start with one trillion shares of stock so that I can offer more stock than every other company.

Employees not understanding this component of their compensation creates an interesting challenge for an employer… I believe companies should help employees understand the value of stock options and the various nuances of how options work.  However, I also believe that it wastes a limited resource to provide stock options when an employee doesn’t value them.  I like everybody to have a stake in the outcome of the company, but options should be weighted so they are the most valuable to the recipient, and other forms of compensation should be used when options are not valued.

If you’re interested in the details about understanding stock option compensation and what questions to ask when comparing offers, there are some detailed guides I reference below.

Small Business Stock Capital Gains Exclusion

Another (very pleasant) surprise I learned about was Section 1202,  which excludes from gross income at least 50% of the gain recognized on the sale or exchange of qualified small business stock (QSBS) that is held more than five years.  The latest amendment to Section 1202 provides for 100% of any capital gain (up to $10 million) to be excluded if the small business stock was acquired after September 27, 2010.

Section 1202 is surprisingly not well known – four Bay Area tax advisors I contacted were unaware of it when I referenced it.  Fortunately it was mentioned in Piaw Na’s book, An Engineer’s Guide to Silicon Valley Startups, where the talented and helpful Chad Austin discovered it and shared the knowledge.

I won’t go into details, but if you sell startup stock that you held for 5 years, this can be a material tax savings for you.  This is yet another reason to exercise early, since you need to hold the stock, not the options.

Great Resources for Learning About Stock Options

If you’re looking for a comprehensive overview of stock options – I suggest the very excellent Introduction to Stock & Options by David Weekly, or the also very excellent The Open Guide to Equity Compensation by Joshua Levy and Joe Wallin.


Did I get it wrong?  Is there another stock option gotcha that I missed?  Please leave a comment!

In Defense of Not Doing a Startup

Recently (and quite accidentally) I talked an entrepreneur into abandoning his year-old startup.  That wasn’t my intention – we had planned an hour-long meeting where I was acting in an advisory role on the product and pitch deck, but the meeting ended up taking over three hours and getting to a very hard question, “why do you want to do this?”

The pivotal moment in our discussion was when it became clear to me that the CEO saw the company as a way of obtaining some short-term financial success, and that the startup demands were unlikely to be compatible with what he expressed as being important to him for his personal success.  After walking through the various likely outcomes and startup life expectations, he recognized there were better ways to achieve the personal success he wanted.  The discussion was tough – it’s hard to confront letting go of a dream, especially after sacrificing a year of sweat equity, but as we concluded our discussion he shared that he felt a great sense of relief.

All Hail the Startup

In most of the news and feeds I follow the startup is celebrated, almost so much that it can feel like the act of creating or being a startup is disproportionately more important than the significance of achieving a successful business.  More importantly, the glorification of startup life can lead people to feel discontent with a career path that may actually be far better for delivering personal satisfaction.

Startup Cheerleaders

For the most part we recognize and celebrate successful startups, and with the exception of the startups that have a prominent rise and fall, the majority of startups that exist, struggle and fail are below the radar.  It’s pretty easy to read industry news and think everybody with a startup is on the fast track to a win.

There are also several blogs and speakers working as cheerleaders for those that would take the risks to change the world.  Most respected in this group are serial entrepreneurs that have had the good fortune to have a successful exit from a previous startup, which becomes a shining example that success is possible, and the reason they continue the startup path.  These thought leaders are great for inspiration, but it is also good to have the context that the risk taken by a previously-successful entrepreneur is substantially different from that of a new entrepreneur, both in terms of their chance of success on their next startup, and the likelihood that they are risking only a small fraction of their wealth.  If you are new to starting a company, you are likely “all in”.

A Startup is Not a Reliable Path to Wealth

It is easy to look around at the stories of the startup millionaires (or even better, billionaires) and think that starting a company is a good way to ensure a retirement in your twenties.  If the ability to retire is your goal, you’re probably better off working at established companies.  If your goal is to retire with a billion dollars then yes, a startup (or lottery ticket) provides that opportunity, with very slim odds.  Looking at my contact list, almost all of the people that are financially well-off got that way by joining companies well past the startup phase.  However, my very few contacts with obscene amounts of f-you money did obtain it from being very early at companies with large liquidity events.

As an example, one friend easily ranks in the top 5 engineers I’ve encountered in my career and any company would want him as the technical founder.  After four years of doing the startup grind of 60-hour weeks, he ended up with a lot of great experience and a bunch of stock that was worth pennies.  He made the decision to join a very large, better-established company and forgo the dream of vast riches for continued technical growth and reasonable work-life balance.  What he didn’t understand at the time, but told me later, was how much a big company would pay for good technical talent.  For people of his caliber the total compensation is well over a million dollars a year and as a result he has a reliable path to retirement in his early forties.  His story isn’t the glamorized Silicon Valley success… you won’t see him featured in a PR-driven TechCrunch article, but you might see him enjoying life on a beach with his family.

In contrast, another friend lived the entrepreneurial startup life for 15 years, is well-known and highly regarded in the startup community (yes, you know his name), and most people assume he’s achieved financial success as a result.  Two years ago he had a company that came very close to being favorably acquired, but the acquisition fell through.  The company was later dissolved and over a dinner one evening he expressed the frustration of being in his mid-thirties, driving a 15-year old car and not being able to afford a house.  He has since joined a large Internet company, owns a house and is even able to comfortably support two children and some relatively expensive hobbies.

But wait, Brett… so you have a few friends that did better taking a traditional career path, but I see all of these Silicon Valley 20-something millionaires all over the Interwebs… what makes you think that won’t be me?

It might be you, and I am sincerely happy for anybody that is able to achieve financial success by building a company.  Let’s look at the (extremely general and simplified) math to see expected outcomes…

Some Quick Startup Lottery Math

To make things simple, we’ll assume your startup is just you and a single co-founder, so you each have 50% of a company.  And using this Quora response as reference for founder equity, after completing your Series B, you and your co-founder share 40%, making your ownership 20%.  The average price of successful liquidity is hard to assess (many sources suffer from survivorship bias, excluding many failed startups) but $30M at Series B would probably be considered generous (there are many examples way higher, far more examples way lower).  A $6M piece of that pie is pretty appealing.  Now we adjust for the risk… again, a 90% startup failure rate is generous, especially considering that Y Combinator companies, representing the hand-picked cream of the crop, fail at 93%.  Risk adjusted, you’re now looking at $600K as your upside, so assuming you’re able to go from zero to liquidity in three years, it’s $200K per year (of course this is on top of your well-below-market startup salary).  That doesn’t sound too bad except when you remember, you have a 90% chance of ending up with only your well-below-market startup salary and your chair.  Again, these are generous assumptions and there are plenty of examples of successful acquisitions in the hundreds of millions where founders received substantially smaller percentages of the purchase price.

Google Director Salaries

And let’s compare that to the alternative, joining a large Silicon Valley company…  It’s fuzzy math, but I’m going to assume that the person that is capable of leading a startup with the generous odds in their favor also has the experience to get a good leadership role at one of the big companies.  According to Glassdoor, the average Director at Google has a base salary of $247K and total compensation of $399K (on a side note, most colleagues I talked to believe the Glassdoor compensation is extremely inaccurate based on first-hand observations, and Directors are frequently making 2-4x what is presented).  Using the same 3-year time frame we assumed would get to liquidity at the startup, the expected outcome is closer to $1.2M.  There are a ton of arguments to adjust these assumptions, but none are going to change the lottery-ticket nature of achieving big liquidity from a startup.

So yeah, the odds of financial success may be working against me, but what about getting to experience the glamorous life of a startup founder out to change the world?

Startups Overshadow your Personal Life

For everybody that asks me what it is like to run a startup, I tell them to read The Struggle, by Ben Horowitz.  I first read The Struggle as part of Ben’s book, The Hard Thing About Hard Things, and I immediately handed the chapter to my wife and said, “you always ask what it’s like to run a company… it’s this!”

A day in the life of a startup founder

A startup is a significant commitment and your business is typically dealing with an environment of extreme uncertainty; startups are either creating something new or believe they can do something better than an established business.  In this environment, and typically with limited resources, working longer and harder provides more opportunities to eliminate the uncertainty.  Assume working nights and weekends is sort of a regular necessity.

And as a leader in a startup, you will always have another challenge or problem driving head-on towards you.  The world owes you nothing, plenty of other companies are fighting hard to take the market that you need to succeed, and the odds of survival are very much not in your favor.  This means business will almost always be imposing on your mind share that you would normally dedicate to things like dinner, sleep, exercising, vacation, relationships, family time, and bathing (assuming you are able to work any of these into your startup life).  Your startup will permeate all aspects of your life.

Finally, there is the emotional toll of a startup.  The successes feel amazing, but they are typically few and far between the challenges and setbacks.  Failure is the expected outcome, and each failure wears you down a little bit, creating uncertainty and making you second-guess your capabilities and fitness as a startup leader.  You feel the weight not just for yourself, but for the people that follow you, also making the sacrifices.  And, if you’re unlucky enough to be the CEO, you’re in the lonely position where there is almost nobody you can share your struggles with… you can’t push things down into the company and frequently the board above you is a bad choice as a counselor for issues of personal uncertainty.

After writing all of this out, I am beginning to understand how I accidentally talked somebody out of their startup.

But… There are Many Great Reasons

I don’t hate startups.  All of my career I have either created startups or joined them at or near founding, and I expect to do it again.  I would hate to feel responsible for taking passionate entrepreneurs and shuffling them into beige and gray office spaces in corporate America.  If you understand the likely financial outcome, and you are in a place where your personal life can sustain the needs of a startup, and you are emotionally prepared for the struggle, there are great reasons to do a startup.

If you are early in your career, the economics and life impact may make more sense.  Getting a job at one of the big-name companies may be more difficult, and if you do you’re probably looking at the lower end of the salary spectrum.  The difference between that and your startup pay may not be that significant in your day-to-day life (especially if you are fine eating rats and ramen).

Startups are also a great way to learn before you earn.  Large companies have established processes and roles that have been optimized for business performance, so you are less likely to get a breadth of experience or see an emphasis on innovation.  Startups frequently require everybody to have multiple roles and find innovative solutions to problems.  Learning how to deliver results with limited resources in environments with great uncertainty is a skill that will be valuable for a lifetime.

Working at a startup (even a failed one) can also often allow faster career progression than just joining a big company out of college and following the typical path of advancement.  As an example, a Software Engineer (SWE) hired right out of school at Google would be an L3.  Assuming about 3 years for each promotion, it’s 15 years until Director, L8.  If you’ve proven yourself and established solid startup experience, five years later you might be L6 material (your mileage might vary).

The Best Reason

I believe the best reason for doing a startup is the burning need to build something you are passionate about, when an organization like an established company or non-profit isn’t the best way to create it.  Maybe your passion is a product or maybe it’s a culture, but it keeps you up at night and every time you return to the idea you become more passionate about making it real.  It’s an idea you think would be so meaningful that you would find the journey of pursuing it hugely rewarding.  You’re not thinking about the exit, you’re thinking about the satisfaction that comes from building the thing that drives your passion.

Do it.  Build it.  Make it happen.

 

Feedback, complaints or suggestions?  Please leave a comment!

You Are Wrong About Your Stupid Account

You’re wrong – hackers are interested in your boring personal account, you are making it easy for them to get access, and it will likely end up being a bigger problem than you imagine.

Those are the stern words I want to use whenever I witness a friend doing the online equivalent of parking and leaving a stack of $100 bills on their car dashboard in a crime-ridden neighborhood.  Instead I tend to suggest some easy steps to take to be more secure, which are almost invariably met with “it’s not a big deal”.  I decided to write up my thoughts, so I can just point friends to this article and hopefully help others.  This is absolutely not for altruistic reasons… I’ve had multiple experiences where somebody else’s bad online security habits resulted in nights and weekends of work for me and entire teams of people.  I just want to sleep.

Hackers Want Your Stupid [insert lame service] Account

It seems absurd that your Lint Sculptures Discussion Forums password is of value to anybody… it’s just you and people you’ve met over the last 15 years that love to talk about dryer lint sculpting… security doesn’t matter.  However, it was 15 years ago, so you chose a really lame password at the time (like “123456”), and now that an elite hacker has broken that code, they see your basic account details (your email, IP address, real name and city you live in).  Again, who cares… that’s useless.  Well, except you used the same password for everything back then, so with your email and password they can run a script to check 100,000 other sites and hey… looks like your genealogy, old photo sharing, and that antique Hotmail account you abandoned had the same password.  Unfortunately, that banking thing you signed up for 12 years ago used that Hotmail address, and you forgot to unlink the Hotmail address from a few other accounts, including Paypal and LinkedIn.  Now the hacker has the ability to access your LinkedIn account, change account credentials on your banking and possibly access accounts you don’t even remember you had.  You can imagine how this gets problematic… the ability to send and receive from your email address typically provides the ability to get access to all other accounts, if by no other means than requesting a password reset.  And this is just the annoying scenario where you have to deal with correcting identity theft on your own… at least you didn’t drag your friends down.

Instead, the hacker could exploit your Lint Sculptures Discussion Forums friends of 15 years.  Does everybody need a direct message and 10,000 forum posts offering black market Viagra?  No problem.  Or how about a few messages to trusted friends to install this Lint Sculpting Simulation program… you know it doesn’t have a virus because your trusted friend of 15 years swears it’s great.  Everybody wants to be part of a botnet, right?  All of these acts may seem pointless to you, but hackers have a way of generating value (and money) from these pointless acts, and it isn’t much effort (a lot of it is automated), so it happens.

These scenarios may sound ridiculous, but two years ago I was contacted by a long-time friend that was traveling abroad and all of his possessions had been stolen, his family was stranded and he needed me to send money.  What was true is he was traveling with family, the rest was made up by a hacker that got enough information to know I was a friend that would help, knew when the family was traveling, and when the story might make sense.  Everything hackers needed to make this happen came from accessing worthless accounts.

Steps to Making Yourself More Secure

Security must be balanced with convenience.  When being secure is a hassle, people naturally find (unfortunate) workarounds that make things less secure.  If you require a password that is 20 characters long and random, look around the person’s desk for the PostIt (or possibly worse, in their “passwords.txt” file on their desktop).  The sweet spot is a mild inconvenience that dramatically improves security.  I find there are a few easy practices that fit into this sweet spot…

Two-factor Authentication

Systems that require two components to authenticate are substantially more secure than password-only systems.  To access an account, it requires something you know (e.g. the password), and something you have, like a key.  The “key” today is typically an application like Google Authenticator, or an SMS message with a code sent to your phone, both of which provide a unique code that is only valid for 1-5 minutes.  Many services offer this, including Gmail, Facebook, Twitter, Dropbox, and a few banks (seriously banks, WTF?)

The beauty of Two-factor Authentication is, even if your password is breached, it doesn’t allow the hacker to access your account.  So when you are at that hotel and using the guest computer with a key-logger to print your flight itinerary from your Gmail account, it doesn’t matter… the hacker only has 50% of what they need.

The inconvenience of adding Two-factor Authentication is typically an additional 20 seconds and, since many services allow you to say “remember me for 30 days”, it’s less than a minute a month (and… don’t use “remember me” on any shared machine).

Unique Passwords

If I told you I had every lock I use in my life (home, office, safety deposit box, cars, bike lock, vacation house) re-keyed to use the exact same key, you’d probably agree that it would be disproportionately bad if somebody found my bike key.  When you apply this to online habits, people seem oddly comfortable with one key for almost everything, and a special key for their bank account (but online, weak keys often provide access to special keys).

Use a different (and strong) password for everything.  This, of course, is a hassle… nobody can remember 150 different strong passwords, especially when you have to change them all every 3 weeks when you get the latest exploit notice from Yahoo!

One solution is to have a hard password that is modified in a way that you know for each service.  As an example, my password is “nS72!la^mq” and I add the first four letters of the website it uses, in reverse… so for Yahoo! it becomes “nS72!la^mqohaY” and for Google it is “nS72!la^mqgooG”.  This has a few flaws, including making it hard to change passwords, but it’s a substantial improvement over “swordfish” for everything.

A better solution is a password manager.   Services like LastPass and Passpack provide a secure way for you to store and retrieve complicated passwords.  Legitimate services encrypt your data in a way where they don’t actually know or even have access to your password, so a hacker that steals their database ends up with a ton of encrypted files and no keys.  While there are ways that could be exploited, these services are certainly better than any other options available at a consumer level (and if you’re really paranoid, some make the source code available for you to keep the encrypted data only on your computer).

Whatever you do, never, ever, ever keep a password file on your computer, even if you think you’re clever by naming it “groceries.doc”.

Don’t Share Accounts

Sharing accounts invariably leads to other poor security practices, like the need to email everybody when a password changes or having a shared password file somewhere.  And, when one of the people sharing your account gets hacked, this means the shared account gets hacked (and probably every other account in that shared password file so cleverly named “groceries.doc”).

This isn’t 1997.  These days there are very few reasons why each person can’t have their own credentials, especially for email.  Only share accounts when separate accounts are not possible (I’m looking at you, Netflix).  If you do need to share accounts, use a password manager that offers sharing of specific entries, which means that only the minimum exposure is shared and it is simple to update credentials (Passpack does this nicely).

Don’t Click Links

Okay, so the Interwebs sort of suck if you follow this rule exactly and dead-end on a website.  However, for any site you are going to access and provide your credentials, enter the URL directly.

Did you just receive a weird email from PayPal telling you that Ned just paid you $42 for a lint sculpture you don’t remember selling?  Instead of clicking on the “collect your money” link in the email, type “paypal.com” in your browser bar directly and see if the transaction is in your account history.  Many phishing emails look and smell like the real thing because it is pretty simple to copy the real thing and send you to “paypaI.com” (see what I did there?  that was a capital “i”, not an “l” in that URL) to steal your password.  Of course, if you’re using Two-factor Authentication, a stolen password is less of a problem.
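The “paypaI.com” trick above is detectable by machine as well as by eye. The following checker is an added example for this post (not code from PayPal or any mail client): it pulls the registrable domain out of a link while preserving case, and reports whether it is a known service, a lookalike that only matches after confusable characters are normalised, or something unrelated. The confusables table, the trusted-domain set and the two-label domain rule are simplifications assumed for the example.

```python
from urllib.parse import urlsplit

# Characters that render almost identically to a letter in many fonts.
# Constructed for this example; deliberately small rather than exhaustive.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "5": "s", "3": "e"})

# Services this check treats as legitimate (assumption for the example).
TRUSTED = {"paypal.com"}


def registrable_domain(url: str) -> str:
    """Return the last two labels of the link's host, preserving case.
    urlsplit().hostname would lowercase 'paypaI' to 'paypai' and hide the
    trick, so the host is taken from netloc instead. The two-label rule is a
    simplification; a production check would consult the public suffix list."""
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1]           # drop a user@ prefix used to disguise the host
    host = host.split(":", 1)[0].rstrip(".")   # drop port and trailing dot
    return ".".join(host.split(".")[-2:])


def link_verdict(url: str, trusted: set[str] = TRUSTED) -> str:
    """'trusted' if the registrable domain is a known service, 'lookalike' if
    it matches only after confusable characters are normalised, else 'unknown'.
    Either of the last two means: type the real address yourself instead."""
    domain = registrable_domain(url)
    if domain.lower() in trusted:
        return "trusted"
    if domain.translate(CONFUSABLES).lower() in trusted:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kinds a phishing email might carry.
    for link in ("https://www.paypal.com/activity",
                 "https://paypaI.com/collect",
                 "https://paypal.com.evil.example/login",
                 "http://paypal.com@evil.example/"):
        print(f"{link:45} -> {link_verdict(link)}")
```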

Secure Your Family

I used to get sick a couple of times a year… no big deal, just a sniffle every now and then.  When I had kids, my health status flipped and it seemed like a couple of times a year I wasn’t infected with whatever was festering in the cesspool of Cheerios, finger paint, juice boxes and runny noses known as preschool.

My point is, there is almost certainly going to be an overlap of your family’s online account footprint, and when one person gets hacked it will likely be a vector for the rest of your family.  Sharing documents in Dropbox, G Suite (Google Docs), or Amazon family all provide opportunities for a hack to spread.  Protect your accounts by having those close to you keep their accounts secure (and… that is the real reason I wrote this post – pure selfishness as I protect my own accounts).

Do you have other tips or suggestions to help make the average person more secure?  Share them in the comments section!