You Are Wrong About Your Stupid Account

You’re wrong – hackers are interested in your boring personal account, you are making it easy for them to get access, and it will likely end up being a bigger problem than you imagine.

Those are the stern words I want to use whenever I witness a friend doing the online equivalent of parking and leaving a stack of $100 bills on their car dashboard in a crime-ridden neighborhood. Instead I tend to suggest some easy steps to take to be more secure, which are almost invariably met with “it’s not a big deal”. I decided to write up my thoughts, so I can just point friends to this article and hopefully help others. This is absolutely not for altruistic reasons… I’ve had multiple experiences where somebody else’s bad online security habits resulted in nights and weekends of work for me and entire teams of people. I just want to sleep.

Hackers Want Your Stupid [insert lame service] Account

It seems absurd that your Lint Sculptures Discussion Forums password is of value to anybody… it’s just you and people you’ve met over the last 15 years that love to talk about dryer lint sculpting… security doesn’t matter. However, it was 15 years ago, so you chose a really lame password at the time (like “123456”), and now that an elite hacker has broken that code, they see your basic account details (your email, IP address, real name and the city you live in). Again, who cares… that’s useless. Well, except you used the same password for everything back then, so with your email and password they can run a script to check 100,000 other sites and hey… looks like your genealogy, old photo sharing, and that antique Hotmail account you abandoned had the same password. Unfortunately, that banking thing you signed up for 12 years ago used that Hotmail address, and you forgot to unlink the Hotmail address from a few other accounts, including PayPal and LinkedIn. Now the hacker has the ability to access your LinkedIn account, change account credentials on your banking and possibly access accounts you don’t even remember you had. You can imagine how this gets problematic… the ability to send and receive from your email address typically provides access to all other accounts, if by no other means than requesting a password reset. And this is just the annoying scenario where you have to deal with correcting identity theft on your own… at least you didn’t drag your friends down.

Instead, the hacker could exploit your Lint Sculptures Discussion Forums friends of 15 years. Does everybody need a direct message and 10,000 forum posts offering black market Viagra? No problem. Or how about a few messages to trusted friends to install this Lint Sculpting Simulation program… you know it doesn’t have a virus because your trusted friend of 15 years swears it’s great. Everybody wants to be part of a botnet, right? All of these acts may seem pointless to you, but hackers have a way of generating value (and money) from these pointless acts, and it isn’t much effort (a lot of it is automated), so it happens.

These scenarios may sound ridiculous, but two years ago I was contacted by a long-time friend who was traveling abroad: all of his possessions had been stolen, his family was stranded and he needed me to send money. What was true is that he was traveling with family; the rest was made up by a hacker who had gathered enough information to know I was a friend that would help, to know when the family was traveling, and to know when the story might make sense. Everything the hackers needed to make this happen came from accessing worthless accounts.

Steps to Making Yourself More Secure

Security must be balanced with convenience. When being secure is a hassle, people naturally find (unfortunate) workarounds that make things less secure. If you require a password that is 20 characters long and random, look around the person’s desk for the Post-it (or possibly worse, in their “passwords.txt” file on their desktop). The sweet spot is a mild inconvenience that dramatically improves security. I find there are a few easy practices that fit into this sweet spot…

Two-factor Authentication

Systems that require two components to authenticate are substantially more secure than password-only systems. Accessing an account requires something you know (e.g. the password) and something you have, like a key. The “key” today is typically an application like Google Authenticator, or an SMS message with a code sent to your phone, both of which provide a unique code that is only valid for 1-5 minutes. Many services offer this, including Gmail, Facebook, Twitter, Dropbox, and a few banks (seriously, banks, WTF?).

The beauty of Two-factor Authentication is that even if your password is breached, the password alone doesn’t let the hacker into your account. So when you are at that hotel using the guest computer (with its key-logger) to print your flight itinerary from your Gmail account, it doesn’t matter… the hacker only has 50% of what they need.

The inconvenience of adding Two-factor Authentication is typically an additional 20 seconds and, since many services allow you to say “remember me for 30 days”, it’s less than a minute a month (and… don’t use “remember me” on any shared machine).
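To make the “something you have” half concrete, here is an added example (not from the original post) of the time-based one-time password (TOTP, RFC 6238) that apps like Google Authenticator compute: the phone and the service share a secret once at setup, and every 30 seconds both derive a fresh 6-digit code from that secret and the current time. The secret below is the RFC 6238 test-vector key, so the codes it produces can be checked against the RFC; `verify()` is a hypothetical server-side check that tolerates one step of clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret (ASCII "12345678901234567890"), base32 encoded.
# Used here so the output is checkable; a real service generates a random
# secret per user and shows it once as a QR code.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238 over RFC 4226 HOTP, HMAC-SHA1)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // STEP_SECONDS              # which 30 s step we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Hypothetical server-side check: accept the current step and `window`
    steps either side to allow for phone clock drift. Constant-time compare."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30 s step:", totp(DEMO_SECRET, now))
    print("seconds until it changes:", STEP_SECONDS - now % STEP_SECONDS)
```

The point for the key-logger scenario: a captured code is only good for its own 30-second step (plus the drift window), and without the shared secret nobody can compute the next one. Real services also rate-limit guesses and refuse to accept a code that has already been used.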

Unique Passwords

If I told you I had every lock I use in my life (home, office, safety deposit box, cars, bike lock, vacation house) re-keyed to use the exact same key, you’d probably agree that it would be disproportionately bad if somebody found my bike key. When you apply this to online habits, people seem oddly comfortable with one key for almost everything, and a special key for their bank account (but online, weak keys often provide access to special keys).

Use a different (and strong) password for everything. This, of course, is a hassle… nobody can remember 150 different strong passwords, especially when you have to change them all every 3 weeks when you get the latest exploit notice from Yahoo!

One solution is to have a hard password that is modified in a way that you know for each service. As an example, my password is “nS72!la^mq” and I add the first four letters of the website it uses, in reverse… so for Yahoo! it becomes “nS72!la^mqohaY” and for Google it is “nS72!la^mqgooG”. This has a few flaws, including making it hard to change passwords, but it’s a substantial improvement over “swordfish” for everything.

A better solution is a password manager. Services like LastPass and Passpack provide a secure way for you to store and retrieve complicated passwords. Legitimate services encrypt your data in a way where they don’t actually know or even have access to your password, so a hacker that steals their database ends up with a ton of encrypted files and no keys. While there are ways that could be exploited, these services are certainly better than any other options available at a consumer level (and if you’re really paranoid, some make the source code available for you to keep the encrypted data only on your computer).
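To show what “they don’t actually know or even have access to your password” means in practice, here is an added example (not code from LastPass, Passpack, or the original post) of the client-side design such services use: the master password is stretched into keys on your device, the vault is encrypted there, and the server only ever receives a salt, a login hash and ciphertext. The Python standard library has no AES, so an HMAC-SHA256 counter-mode stream cipher with a separate HMAC tag stands in for AES-GCM; the function names and the sample vault entry are constructed for the example.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 200_000   # slows down offline guessing against a stolen record


def derive_keys(master_password: str, salt: bytes) -> dict:
    """Stretch the master password on the client into independent secrets.
    enc_key and mac_key never leave the device; only login_hash is sent to
    the server, which stores it (re-hashed) in place of the password."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ROUNDS, dklen=32)

    def labelled(purpose: bytes) -> bytes:
        return hmac.new(root, purpose, hashlib.sha256).digest()

    return {
        "enc_key": labelled(b"vault-encryption"),
        "mac_key": labelled(b"vault-integrity"),
        "login_hash": labelled(b"server-login").hex(),
    }


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stands in for AES because the
    standard library has no block cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(keys: dict, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(keys["enc_key"], nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(keys["mac_key"], nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(keys: dict, blob: bytes) -> bytes:
    """Check the tag before decrypting. A wrong master password gives a wrong
    mac_key, so the check fails instead of producing garbage."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(keys["mac_key"], nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(keys["enc_key"], nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def enroll(master_password: str, entries: dict) -> dict:
    """Everything the client uploads. The master password and enc_key are absent,
    which is why a stolen copy of this record is just salt plus ciphertext."""
    salt = os.urandom(16)
    keys = derive_keys(master_password, salt)
    blob = encrypt_vault(keys, json.dumps(entries).encode("utf-8"))
    return {"salt": salt.hex(), "login_hash": keys["login_hash"], "vault": blob.hex()}


def open_vault(master_password: str, record: dict) -> dict:
    """Client-side unlock from a downloaded record."""
    keys = derive_keys(master_password, bytes.fromhex(record["salt"]))
    return json.loads(decrypt_vault(keys, bytes.fromhex(record["vault"])).decode("utf-8"))


def unlock_succeeds(master_password: str, record: dict) -> bool:
    """True only when the master password reproduces the right mac_key."""
    try:
        open_vault(master_password, record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample vault; the site password is made up for the example.
    record = enroll("correct horse battery staple", {"lint-forum": "Q7#vd!m2Lp9x"})
    print("server stores:", record)
    print("unlocked:", open_vault("correct horse battery staple", record))
    print("wrong password opens vault:", unlock_succeeds("swordfish", record))
```

Two design points worth noticing: the login hash is derived with a different label than the encryption key, so even a server that logs what you send at login cannot turn it into the vault key, and the server should hash the login hash again before storing it so a stolen database cannot be replayed as a login.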

Whatever you do, never, ever, ever keep a password file on your computer, even if you think you’re clever by naming it “groceries.doc”.

Don’t Share Accounts

Sharing accounts invariably leads to other poor security practices, like the need to email everybody when a password changes or having a shared password file somewhere. And, when one of the people sharing your account gets hacked, this means the shared account gets hacked (and probably every other account in that shared password file so cleverly named “groceries.doc”).

This isn’t 1997; these days there are very few reasons why each person can’t have their own credentials, especially for email. Only share accounts when separate accounts are not possible (I’m looking at you, Netflix). If you do need to share accounts, use a password manager that offers sharing of specific entries, which means that only the minimum exposure is shared and it is simple to update credentials (Passpack does this nicely).

Don’t Click Links

Okay, so the Interwebs sort of suck if you follow this rule exactly and dead-end on a website. However, for any site you are going to access and provide your credentials, enter the URL directly.

Did you just receive a weird email from PayPal telling you that Ned just paid you $42 for a lint sculpture you don’t remember selling? Instead of clicking on the “collect your money” link in the email, type “paypal.com” in your browser bar directly and see if the transaction is in your account history. Many phishing emails look and smell like the real thing because it is pretty simple to copy the real thing and send you to “paypaI.com” (see what I did there? that was a capital “i”, not an “l” in that URL) to steal your password. Of course, if you’re using Two-factor Authentication, a stolen password is less of a problem.
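As an added example (not part of the original post), here is how a mail client or browser extension could flag the “paypaI.com” trick before you click: pull the host out of the link, fold characters that look alike into one common form, and compare the result with the domains you actually hold accounts at. The trusted list and the confusables table are constructed for the example and far from complete; a production check would use the Unicode confusables data and the Public Suffix List instead of the naive “last two labels” rule below.

```python
from urllib.parse import urlsplit

# Domains the user really has accounts at. Constructed for the example.
TRUSTED = {"paypal.com", "google.com"}

# Glyphs that look alike in many fonts. The capital I standing in for a
# lowercase l (the trick in the post) is one of them. Constructed, not an
# exhaustive confusables table.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "5": "s"})
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def link_host(url: str) -> str:
    """Return the host part of a URL with its original case preserved.
    urlsplit(url).hostname lowercases, which would hide the capital-I trick."""
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1]   # drop any user:pass@ prefix
    host = host.split(":", 1)[0]        # drop a :port suffix
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """'www.paypal.com' -> 'paypal.com'. Naive: assumes a one-label public
    suffix such as .com; real code consults the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def skeleton(domain: str) -> str:
    """Fold look-alike characters so 'paypaI.com' and 'paypal.com' compare equal."""
    folded = domain.translate(CONFUSABLES).lower()
    for seq, repl in MULTI_CHAR:
        folded = folded.replace(seq, repl)
    return folded


def classify(url: str) -> str:
    """'trusted' when the link really goes to a known domain, 'lookalike' when
    it only resembles one after folding, 'unknown' otherwise."""
    domain = registrable_domain(link_host(url))
    if domain.lower() in TRUSTED:
        return "trusted"
    if skeleton(domain) in TRUSTED:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed links of the kind a phishing email might carry.
    for link in ("https://www.paypal.com/activity",
                 "https://paypaI.com/collect-your-money",
                 "https://g00gle.com/signin",
                 "https://lint-sculptures.example/forum"):
        print(f"{classify(link):9}  {link}")
```

The useful behaviour is the middle result: a “lookalike” verdict means the link resembles a site you trust but is not that site, which is exactly the case where typing the address yourself, as the post recommends, is the right move.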

Secure Your Family

I used to get sick a couple of times a year… no big deal, just a sniffle every now and then. When I had kids, my health status flipped and it seemed like a couple of times a year I wasn’t infected with whatever was festering in the cesspool of Cheerios, finger paint, juice boxes and runny noses known as preschool.

My point is, there is almost certainly going to be an overlap of your family’s online account footprint, and when one person gets hacked it will likely be a vector for the rest of your family. Sharing documents in Dropbox, G Suite (Google Docs), or Amazon family all provide opportunities for a hack to spread. Protect your accounts by having those close to you keep their accounts secure (and… that is the real reason I wrote this post – pure selfishness as I protect my own accounts).

Do you have other tips or suggestions to help make the average person more secure? Share them in the comments section!

Interviewed on #ModernAgileShow

I recently had the pleasure of being interviewed by Joshua Kerievsky on the #ModernAgileShow, where we talked about a lot of my experience working at IMVU, ranging from the early days of Continuous Deployment (without all of those fancy automated tests or cluster immune systems) to changes in experiment systems and challenges of building a culture where people feel safe.  I also provide some insights into the sausage making of The Lean Startup.

In the interest of accuracy, my title in the video should be “former CEO of IMVU”.

For more information about Josh’s work to setup agile processes and cultures independent of a specific framework, check out the Modern Agile website.

On a semi-related note, Josh mentioned that the original video of Timothy Fitz presenting on Continuous Deployment at IMVU: Doing the impossible fifty times a day was lost as the result of server corruption…. if anybody happens to have a local copy please let me know – it would be great to restore this historic presentation for the Interwebs!

 

I’m a Free Agent

After more than 11 years at IMVU (the equivalent of three Silicon Valley lifetimes), I’m a free agent.

My experiences at IMVU were hugely rewarding – I had the privilege of working with truly exceptional people, evolving through different roles (from VP to CEO), solving some really challenging problems, learning, growing, and helping create a successful business.

IMVU is Much Deeper Than Most People Realize

I worked on products that made a meaningful difference in the lives of many customers.  In my customer interviews, I talked to people that met their best friends, people that found their life partner, people that could only find acceptance for who they really are because their community was intolerant, people that found families and support groups, and people that just found a little delight in what IMVU provided.

IMVU also has Creators that make and sell content, and for some of these people IMVU provided everything from a little extra spending money to a full time job.  I met a woman that covered her medical bills with the money she made as a Creator.

There are a lot of people in the world that are better off because of their experiences on IMVU.

IMVU Has a Great Future

I am excited and optimistic about the future of the company.  2016 was a record year and the company is transitioning from a PC only product to mobile – in December IMVU for iPhone was 7th best grossing in the Social category and 125th top grossing in all of the app store.

The new products have a great design focus with content and features that are relevant to how people communicate today.  And the team is amazing – I have 100% confidence in their ability to deliver great product experiences.  If anybody is looking for a great company with a lot of opportunities, I highly recommend considering joining the team at IMVU.

Next Steps for Brett

As for what’s next for me, I’m looking forward to the opportunity to catch-up with friends and do some much-needed backpacking.  I need to be sure about what I’m really passionate about before I jump into anything, so I’ll be looking at the cool things people are working on and what interesting problems need to be solved.  If you hear about either, please let me know!

 

3 Things You Can (and Should) Change In Vendor Agreements

Over the last 10+ years I reviewed and negotiated all sorts of vendor agreements for technical operations.  Companies that are starting to build out their production environments occasionally contact me looking for advice.  Being on vacation (and having time to write), I decided to share some of the more common problems I see in vendor agreements.

In almost all cases you can (and should) get better terms on what are presented as these “standard” clauses.

SLA

The Service Level Agreement (SLA) is probably the most critical to the availability of your business.  For vendors providing services like DNS or bandwidth, any vendor failure can result in failure of your business.  In other words, your uptime is no better than their uptime. The SLA is typically expressed as a percentage of availability.  If the SLA is 99.9% uptime, you are accepting 45 minutes of downtime per month.  Failure to meet the SLA usually means reimbursement for the cost of the service, not for the cost of your lost revenue resulting from the failure.   For example, if you pay a DNS service $31 per month and they are down for a full day, your reimbursement would be $1, not the revenue you lost during that full day.  Also, when the failure begins is usually defined as your notification to the vendor, not by the actual beginning of the failure.  In other words, if you didn’t report it, the problem never happened.

The availability percentages for an SLA are usually difficult to alter, but there are a few things that you can change to limit your liability.  Most (all) services have occasional failures, but it’s how they fail that becomes problematic for your business.  An occasional failure might be okay, but if this is a pattern you want the option of moving to a new vendor.  You can usually add a clause that allows termination of the agreement if the vendor fails to provide service more than N times in a 1-month period.  Also, you can usually require that the SLA failure begin at the time of the actual failure (when it is detected by either party) rather than at your notification to the vendor.

Term and Renewal

Automatic renewals are also common in agreements, in which the duration of the agreement is automatically extended by the length of the initial term.  Typically these require you to opt out of the renewal by providing written notice within a narrow window of time.  For example, your initial term is 1 year, after which the contract automatically renews under the same terms for an additional year unless notice is provided in writing 30 – 45 days prior to the automatic renewal.  Vendors generally don’t contact you to remind you that your opt-out window is approaching and that you might want to negotiate a better deal while you can.

In most cases you want to avoid this simply because the prices for the service are almost always cheaper at the end of the initial term.  This is especially true for things like CDN and bandwidth.   If you’re not good at remembering to do things 11 months in the future, you may find yourself stuck in an agreement with the least favorable pricing.

The initial duration of the agreement is usually a requirement, or at least a requirement for favorable pricing.  However, you should be able to change the automatic renewal to transition into a month-to-month agreement instead of the initial term.  This will provide a better negotiation position when the agreement is up for renewal and will allow you flexibility in the timing.

Change of Terms

It is not uncommon to have a clause in the agreement that states something to the effect of, “these terms are subject to change” with a link to the vendor website with the current terms.  In effect, this says “you agree to whatever we decide to publish on our website”.  I find these clauses ridiculous… I would love to respond with a clause stating, “our payment terms are subject to change subject to the amount I decide to write on the check”.

In these cases I find it useful to add a clause that requires notification (in writing) of any changes with a short period allowing an opt-out if the changes are seen as a material change.  If you are unable to get a clause to allow termination of the agreement you should be able to get the option to stick with the original terms.

It’s worth noting that with any change to an agreement, a vendor may not have systems helping them enforce or react to the change.  For example, if you are the only customer requiring written notice of changes, this may require manual work that they forget shortly after signing the contract.  You should consider this and word your changes in a way where a failure on the part of the vendor does not put you at a disadvantage.

Being a Great Engineer != Being a Great Engineering Manager

I just read Google’s Quest to Build a Better Boss, describing “Project Oxygen”, which analyzed Google’s performance and review data to determine which characteristics are most important to being a successful manager at Google.  This was summarized into eight key success behaviors and three common pitfalls.  The big surprise?  Google “…found that technical expertise — the ability, say, to write computer code in your sleep — ranked dead last among Google’s big eight.”

This is not a surprise to me and supports what I have come to believe after years of engineering management – being a great engineer does not necessarily prepare you for being a good manager.  This is not to say that great engineers can’t also be great managers, but the process many companies use of taking their best engineers and “promoting” them to management is flawed.  In many cases, it leads to a company losing a great engineer and gaining an ineffective (or worse, harmful) manager.  Many companies compound this problem by creating career ladders that effectively force engineers to choose between a career ceiling and a management path.

There are many characteristics that I see in successful managers.  First and foremost, good managers have to always be working to ensure the success of the team and their individual reports.  Success goes beyond just getting projects and tasks done – it also means helping their individual reports understand their strengths and opportunities for growth.  It requires taking a real interest in where each person wants to go in their career and creating opportunities for them to reach their goals.  Good managers need a lot of block and tackle type skills to unblock people and ensure they have an environment that helps them remain productive.  Good managers encourage growth for their employees by giving direction when needed but empowering them to try (and sometimes fail) in the interest of helping them learn and improve.  Of course, good managers must also be proactive about confronting tough issues and addressing performance problems to maintain a high-quality team.

Those characteristics are not necessarily the same characteristics necessary to be a great engineer.   It is not uncommon to see great engineers also be really great mentors and solve problems (beyond just engineering) in creative ways, but it is not typically their focus.  Also, the way they work is typically different.  Most managers have a tremendous amount of context switching during their day and need to make themselves available and interruptible to unblock others – this can be highly detrimental to an engineer that typically pays a high cost for context switching and getting back into the flow.

Another critical characteristic of good managers is knowing how to get problems solved.  This is very different than knowing the solution to a problem. The manager adds value by unblocking their report, not by being smarter than their report.  Many times I see very technical employees go to a much less technical manager with a technical problem.  While the manager may not be able to solve the problem directly, they can usually identify the steps (and people) required to get a solution.   This is where I see many organizations make mistakes when looking for managers – they assume that a manager can’t manage engineers if she is less technical than the engineers in the organization.   As an example of how this can manifest itself, at my company we were looking for an additional engineering manager and the bar was set pretty high based on the performance and 360 feedback of our existing manager – engineers thought he was great.  The engineers interviewing the candidate used the exact same very technical questions we use to identify great engineers.  The candidate did not do well.  In the wrap-up meeting I asked if they had ever needed their great manager to answer these types of technical problems and the response was, “no – we have really solid tech leads for that”.  We quickly adjusted the engineering manager candidate questions to stop looking for successful engineer skills and instead identify manager skills that make other engineers successful.

For most of my life I have had the privilege of working with some truly exceptional programmers (far better than myself).  It did not take long for me to realize that the value I could create for each company as an engineer was much less significant than the value I could create by ensuring that other (better) engineers were effective and successful.  However, some companies make management the only option for career progression, which encourages great engineers that are passionate about coding to switch to a role for which they are less passionate and probably less capable (yes this is a generalization and I apologize to the truly amazing individuals that are both deeply technical and exceptional managers).  More companies should have parallel career ladders that allow engineers to remain with their hands on the keyboard and heads in the code while obtaining a career level as high (or higher) than management positions.

On a side note, one of the things I really liked about Project Oxygen is the approach of using data to analyze business processes.  I find that many companies that are data driven and have a deep understanding of their customer metrics many times don’t have the same understanding of how they work and what makes them (in)effective.  We regularly collect data at my company and use it as an input to redefine how we work and constantly benefit from that evaluation.

Here is a summary of Google’s findings from Project Oxygen:

Here are the 8 top behaviors of managers in order of importance:

  1. Be a good coach
  2. Empower your team and don’t micromanage
  3. Express interest in team members’ success and personal well-being
  4. Don’t be a sissy: Be productive and results-oriented
  5. Be a good communicator and listen to your team
  6. Help your employees with career development
  7. Have a clear vision and strategy for the team
  8. Have key technical skills so you can help advise the team

Here are an additional 3 manager pitfalls:

  1. Have trouble making a transition to the team
  2. Lack a consistent approach to performance management and career development
  3. Spend too little time managing and communicating

Simple Chai Tea Gelato Recipe

I recently got rid of my old ice cream maker.  It was electric but it still required filling (and re-filling) with ice and salt, which does not seem like that big of a deal but it proved to be a barrier to wanting to make ice cream, so it came out of its box about once per year.  Instead I got the KitchenAid Ice Cream Maker Attachment for my stand mixer.   It has a bowl you keep in the freezer for about 15 hours and then you just add your ice cream mixture and 20 minutes later you have ice cream.  Setup and cleanup are about 20 minutes total and as a result, I have been making ice cream about every other week.  Good for tasty treats, bad for my recent attempts to lose my girlish figure.

Since it is now easy to make ice cream, I started to experiment.  The first success is my “Simple Chai Tea Gelato Recipe” which would probably be best with Indian food but it isn’t too sweet and has a light enough flavor to be pretty versatile.

2 cups of milk (I used 1%)
2 cups of heavy whipping cream
3/4 cup granulated sugar
4 tea bags of chai tea (I used Tazo brand)

Heat the milk until it is just about to boil, stirring frequently.  Slightly reduce the heat, add the tea bags and continue stirring for 5 minutes.  Turn off the heat and remove the tea bags, squeezing them to extract the remaining milk before discarding.  Stir in the heavy whipping cream and chill in the refrigerator for a few hours until cold.

When freezing the mixture (in an ice cream maker), it will not have as much of an increase in volume as a typical ice cream – this produces a denser consistency more like gelato.  Immediately move the frozen mixture to the freezer for 3-4 hours to harden.

This makes about 8 servings and if you are counting calories, it works out to 206 calories per serving.

Four Great Cocktails You Should Try (Only Three Ingredients Each)

As summer approaches and people look for cool, refreshing beverages to serve, I thought I would do some promotion of a few cocktails that I don’t see getting enough attention.  I’m not going to advocate any particular recipe over another (use your favorite search engine to find hundreds of recipes), but I do recommend you use only fresh ingredients (get out your citrus juicer) and quality alcohol.  If you are doing anything with a plastic bottle you have probably gone down the wrong path.

The best part is you don’t need much to make these cocktails – each requires only three ingredients!

Caipirinha

The caipirinha is a Brazilian drink made with limes, sugar (or simple syrup) and cachaça, a liquor made from sugarcane that is sometimes compared to rum (but they are different, so don’t substitute).  It is important to note that you don’t use only lime juice, you use limes and you muddle them.  The oils released from the skin of the lime add a tremendous amount of flavor to the drink.  I have had recipes made with sugar (typically a coarse, large grain) and with simple syrup and both are tasty, although I have heard what seem like religious arguments from caipirinha aficionados so be careful if you are serving at a Capoeira tournament.

I have tried a few brands of cachaça, and some bottles that were from roadside distillers.  I found the cheap brands were a bit too harsh, so spending a little more is probably worthwhile.  If you are new to cachaça and unsure what to get, try Leblon – it seems to be of decent quality and makes a good drink.  Some of the roadside cachaça I had was actually pretty good, although I was too stressed about possibly going blind or getting poisoned to enjoy it fully.

Basin Street (a Bourbon Sidecar)

Technically this cocktail is a Basin Street, although few bartenders recognize the name, so it is easier to think of as a simple variant of the Sidecar in which the brandy is replaced with bourbon.  The ingredients are bourbon, orange liqueur and lemon juice.   Cointreau or Grand Marnier are both good options for the orange liqueur and a generic Triple Sec will do in a pinch (okay, technically Cointreau and Grand Marnier are name brands of Triple Sec).  As for the lemon juice, I prefer a more tangy lemon over the sweeter varieties like the Meyer lemon.  Use a good bourbon… if you are new to bourbon and need an introduction, try Maker’s Mark – it’s widely available, won’t offend anybody and it has a fancy seal on the bottle.

In my opinion this is a drink that does well when it is vigorously shaken… it’s perfect when you strain it into a glass and see a very thin layer of ice floating across the top.

Daiquiri

This cocktail happens to be my test for whether a bartender knows their stuff.  Go into a bar, order a daiquiri cocktail and see if you get the response “we don’t have a blender” (or worse, you hear a blender start whirring).  I am not talking about the horrible abomination that is a frozen daiquiri, I am talking about the original, pure, simple cocktail enjoyed in excess by Ernest Hemingway.  The daiquiri is simply light rum, lime juice and a sweetener, typically simple syrup.  So you may be saying, “hey, isn’t that the same thing as the caipirinha but with rum, that you just told me not to use”?  Not at all… this is lime juice, not limes, and the flavor is completely different.

Oh, if you need an excuse to try this drink, supposedly July 19 is National Daiquiri Day.

Mint Julep

I don’t spend a lot of time back East so maybe this drink gets the attention it deserves, at Kentucky Derby time if no other.  I find that it is not uncommon for a bartender to mess up this drink because they think it is a mojito with bourbon as a substitute for the rum.  It’s sort of close, but the mint julep does not have lime, so this mistake leads to a pretty nasty tasting drink.  The ingredients of a mint julep are sugar, bourbon, mint and water (okay, that’s four ingredients but I am counting ice and water as the same thing).  When you muddle the mint, make sure you simply crush it to release the essence… you are not trying to grind it into a pulp.  I have also had the mint julep using simple syrup instead of sugar and it makes the flavor more consistent by distributing the sweetness equally, but it is not as fun as drinking the sugar from the bottom of the glass with a straw and adjusting the sweetness in real-time.  Traditionally the mint julep is served in a pewter or silver cup but it tastes just as good in glass.

IMVU’s Startup Lessons Learned Conference Presentation

IMVU presented at the Startup Lessons Learned Conference in San Francisco on April 23rd, 2010. The event highlighted several companies that are being built using the “Lean Startup” framework created by Eric Ries, IMVU’s former CTO, largely based on his experiences at IMVU.

The conference was great and I had the opportunity to meet many smart entrepreneurs trying to build businesses out of great ideas. I heard many stories about the challenges early startups encounter and could remember when IMVU was in that stage. I also talked to some people from companies that are now considered “big and successful” and heard a few comments along the lines of “been there, barely survived that”.

At the conference I had the realization that IMVU as a business is not exactly a “startup” anymore. The goal of an early startup is discovering the right product and achieving a sustainable business model. IMVU has been successful at this and is now all about building a growing, enduring business that is a high value for our customers and employees. Though we still feel like a startup in many ways and hold onto the lean principles that proved to be so valuable, we now have new challenges to address that are typically not considered startup challenges.

A successful startup grows into a bigger business. At IMVU, we heavily invest in our company so we can get more people working on features that delight our customers and build up the business. With more people many of the ways you used to work don’t work anymore. For example, frequent meetings to get feedback from everybody in the company can work when you have fewer than 15 people… when you get to 50+ people this becomes a very expensive meeting. The overhead of making sure everyone in the meeting has background data and context to make an informed decision simply does not scale. Joel Spolsky explained this well and provides good examples in his article, “A Little Less Conversation”.

There are a whole range of challenges in these transitions, from process to culture and all have to be accommodated as a company grows. At the conference I was approached by several people that had gone through the same experience, some successfully, some not. I hope that some of what IMVU shared will help others to learn from our experience and allow more people to fall into the successful category.

Check out IMVU’s video presentation available at http://bit.ly/bBpUcm