It's About the Developers, Stupid!

Last week’s continued equity market shakeups were made even more volatile by a few headscratchers:  Google purchasing Motorola Mobility for USD$12.5 billion (nearly $735 thousand per issued patent held by the company), and HP musing about spinning off its PC manufacturing business and potentially buying Autonomy to become a software and consulting house, an apparent IBM redux.  Endless articles and commentaries are focusing on Google’s purchase of MMI, but the more interesting story to me is HP, and how their shift in business model is less about focusing on higher margin lines of business, but rather admitting failure in their purchase of Palm, and more generally, in building sustainable developer ecosystems.

When big companies spend big money on massive acquisitions, they take on huge amounts of explicit, intrinsic, and opportunity risk that only a carefully designed strategy will vindicate.  When the stakeholders discuss only the balance sheet terms of deals they agree to, without really understanding the cultures of the external environments they depend upon, there’s a lot of unmitigated risk, and ultimately, a lot of avoidable waste.  Arguably, Palm faltered and became an acquisition target for HP not because they had a inferior product or platform, but because they failed to nurture a strong developer ecosystem after Jeff Hawkins and Donna Dubinsky left to form Handspring.  When iterations of the Palm OS failed to deliver critical platform feature requests to keep the offering competitive, Palm addressed the problem by releasing webOS, years later, and with a cavalier attitude that they could build a new developer community around the offering without needing to mend their fences with their long-time supporters.

We know what happened there - Palm stumbled, and HP picked up a compelling technology offering in webOS.  But HP made the same competitive mistake as Palm - it failed to foster a developer community to propel WebOS forward as the mobile operating system oligarchy was taking shape.  It, like Nokia with Symbian, did not appreciate the role of a thriving developer ecosystem in building a mobile brand, nor did they continue to continuously invest into it. Great technologies attract bright developers, who in turn make direct contributions to the ecosystem in the forms of apps, frameworks, and cloud services, and indirect contributions by recommending technologies to ‘the suits’ who invest resources in leveraging them for their own ends.  This generates a current of innovation that can become self-sustaining, and this fills out direct to consumer ‘app stores’ with features that intrigue consumers who make the ultimate platform selection through their purchases.  Let’s face it, when you walk into a brick and mortar mobile phone store, you’re not confronted by displays that put “smart phones” on one wall, “camera phones” on another, with old-style candy bar phones somewhere in the back - that was so four years ago!  Consumers today are targeted with marketing to compel them to choose an ecosystem – Android vs. iOS vs. Windows Mobile 7.  The hardware is become less relevant as a purchasing decision, because there’s few physical differentiators other than form factor (which Apple continues to win, hands-down).

Microsoft has understood this concept extremely well for decades, and they embrace their strategy by focusing on delivering excellent tool chains for developing applications that function on platforms (operating systems) they sell.  Despite Steve Ballmer’s fanatical espoused enthusiasm on the matter, the company actually does make good on their word on investing in developers who invest in their technology.  They virtually give away expensive integrated development environments to secondary and post-secondary schools and create extensive supportive curriculum, documentation, and living communities that attract bright people and encourage other young minds seeking to connect with the brightest of their peers working on their technology.

Microsoft’s not alone in this strategy, but they’re notable for how well they execute it.  Apple is one of the only notable exceptions to this process: attracting developers by rapidly building amazing market share.  Apple is a force to be reckoned with, for sure, but at the end of the day, “suits” decide to support iOS because of it’s market share, not because their technologists and in-house developers extol the “amazing development experience” of iOS.  Nokia tried this and failed.  RIM is failing despite having a great market share position, at one time, for a mixture of technology capability and community support reasons.

The lesson here, though, isn’t restricted to the multinational, large-cap platform developers – even small, agile start-ups must quickly understand the importance and formulate strategies for building synergies to succeed.  Whether they’re implemented through open source software, direct-to-the-community adoption initiatives, or strategic partnerships between peer companies, small businesses depend upon the rich technological feedback for continous improvement they cannot generate internally due to constrained early-stage resources.

HP, though, doesn’t understand or doesn’t appreciate the “how” of building a real, working platform ecosystem is critical not only for innovative start-ups, but also for large-cap software firms.  And though HP may be throwing in the towel for mobile devices, this is a lesson critically important for any software company no matter what their distribution channel is: mobile, tablet, desktop, or enterprise servers.  The fact HP doesn’t get it or is too encumbered to act on it, is the biggest threat to HP spinning off their low-margin, but reliable revenue generating manufacturing segment and plugging ahead.

Ballmer should do his good deed for 2011 and ring them up with a tip: It’s all about the developers, stupid!

P2P DNS: Not solving the real problem of centralized control

The more tech-savvy probably noted with passing interest the news blip this last week by Peter Sunde, co-founder of The Pirate Bay, a notorious website for finding BitTorrent .torrent files for everything from public domain books to copyrighted music, video, and warez of a new peer-to-peer Domain Name System in response to recent US authoritarian action in seizing domain names.  The specific instance that is causing so much cyberangst is the Department of Homeland Security and Immigration and Customs Enforcement bowing to the pressures of media giants have shut down RapGodfathers.com.  By “shut down”, these enforcement agencies didn’t just confiscate server equipment, they actually seized DNS hostnames assigned by their registrar, through ICANN.  Long has the rest of the world complained that IANA and ICANN, bodies that assign all sorts of global numbering and addressing schemes, are puppets of the U.S. Government, and even a number of the American tech crowd that the actions of these bodies over time are counter to the perceived free and open nature of the Internet.

While DNS isn’t that important from a purely technological networking perspective, that is, it is simply a redirection service, almost no denizens of the web could find Google, Facebook, or Bing without it.  DNS is a protocol that allows a simple name, such as example.com to be translated into an IP address, serving the role of a phone book of sorts.  I’ll have to admit, just as I’d probably lose all my friends if I lost my EVO, since I depend on my address books over memorized phone numbers these days – I only know some of Google’s servers, my work, and my home IP address by heart, but for everything else, I’m dependent on DNS to tell me (and my browser) where to find things.  In response to ICE’s attack on the perception that domain names should not be commandeered by governments, Sunde has started a project to offer up an alternative DNS service over peer-to-peer networks, to remove the ability for corporations or governments to seize domains.  Unlike failed ‘alternate root’ schemes in the past, this shift in technology would, as the thought goes, allow the domain name resolution service to be operated by consensus.  In such a world, ICE couldn’t have seized RapGodfathers.com domain, nor could any corporation with a similar name as a private individual file a copyright claim to take a domain name away from them.  Do we have a fundamental right to allow the public to sign off on who gets to hold what URL properties?

The rhetoric on the issue has been amusing at best and eye-rolling at worst, when people like Keir Thomas make outlandish claims that an alternate DNS scheme will be ‘heartily embraced by terrorists and pedophiles’.  Sadly, such claims showcase the true lack of technical understanding about how the networking protocols of the Internet actually work.  Coming back to my phone book analogy, a P2P DNS scheme would be akin to GOOG-411 providing phone numbers instead of my local phonebook (which sits unused, now 5 years old, mind you):  Anyone can one a phone number or IP address, but the way you resolve a name to a number doesn’t really, on a true technical level, change anything about who controls access and availability to resources.  If I could configure my computer to point cocacola.com to illegal content, that doesn’t change the fact the content was out there to point to in the first place, nor does it make it any easier to find for those not seeking how to access it.

The real threat is when governments start mandating control over a protocol that hasn’t yet become a household name – BGP.  Around in some form since 1982, BGP doesn’t translate human-recognizable names into network numbers, it actually describes where to route those numbers.  When the Great (Fire)wall of China censors where its citizens can go, it does so by dictating that the numbers it doesn’t want you to dial call non-existent places, or more realistically in the network world, that the paths to route your request to are wrong or dead-end.  Back to the analogy, controlling BGP is the end-game on the Internet– instead of taking over the phone book’s printing presses, you take over the phone company’s switching stations themselves.  For those wishing to make the Internet more autonomous and decentralized, the future to securing the existing global communications network from superpowers' total control lies in alternatives to BGP, not DNS.

However, P2P BGP isn’t going to happen, because as DNS instructs your computers where to go to find information, an attribute you can control yourself, BGP instructs your ISP’s routers where to get their information, and you won’t ever control their hardware.  And really, the fundamental issue is there’s no clear way to keep the current networking stack of protocols we collectively call the Internet free and open, as we like to believe it should be.  Instead, for those wanting to leverage the crowd to free the Internet from tyrannous regimes or powerful special interests, your best bet for the future is Freenet or Tor, layers that sit on top of the Internet’s infrastructure and provide their own.  They route requests and traffic through a “tunnel-atop-the-tunnels” approach that cannot be easily discerned nor controlled.  If the history of Internet governance has taught us anything, it’s that if something can be controlled, the wrong entities end up controlling it.  The approach that Freenet and similar onion routing networks take is to remove control and technologically favor independent voices.  Instead of writing new technologies like P2P DNS to address yesterday’s problems, I heartily recommend those with the interest and aptitude look into key-routing networks like Freenet, which by their very design prevent eavesdropping and circumvent traditional control mechanisms.  Just in their awkward teenage years, these will be the technology tools of digital patriots in the future, not P2P DNS on a network protocol stack that is increasingly being pulled out of the grasps of its grandfathers and architects.

I will have to commend Sunde’s efforts though, on the principal that if you do some Google keyword searching, ICE’s seizure of RapGodfathers.com was only a spec on the web’s map until Sunde’s project was announced.  Raising awareness of who holds the keys to the words we write, read, and share is paramount in a world where most of the people who write, read, and share their thoughts over the Internet are generally otherwise without a clue to how their ideas are allowed or blocked by the powers above.

The Long Overdue Case for Signed Emails

A technology more than a decade-old is routinely ignored by online banking vendors despite a sustained push to find technology that counteract fraud and phishing: S/MIME.  For the unaware, S/MIME is a set of standards that define a way to sign and encrypt e-mail messages using a public key infrastructure (PKI) to either provide a way to prove the identity of the message sender (signing), to encrypt the contents of the message so that only the recipient can view the message (encryption), or both (signing and encrypting).  The use of a PKI scheme to create secure communications is generally implemented with asymmetric sets of public and private keys, where in a signing scenario, the sender of messages makes their public key available to the world which can be used to validate that only the corresponding private key was used to craft a message.

This secure messaging scheme offers a way for financial institutions to digitally prove any communication dressed up to look like it came from the institution in fact was crafted by them.  This technology can both thwart the falsification of the ‘from address’ from which a message appears to be sent as well as ensures the content of the message, it’s integrity, is not compromised by any changing of facts or figures or the introduction of other language, links, or malware by any of the various third-parties that are involved with transferring an e-mail from the origin to the recipient.  The application for financial institutions is obvious in a world where over 95% of all e-mail sent worldwide is spam or a phishing scam.  Such gross abuse of the system threatens to undermine the long-term credibly medium, which, in a “green” or paperless world, is the only cost-effective way many financial institutions have to maintain contact with their customers.

So, if the technology is readily available and the potential benefits are so readily apparent, why hasn’t digital e-mail signatures caught on in the financial services industry?  I believe there are several culprits here:

  1. Education. End-users are generally unaware of the concept of “secure e-mail”, since implementing digital signatures from a sender’s perspective requires quite a bit of elbow grease, today colleagues don’t send secure messages between each other.  Moreover, most financial institution employees are equally untrained in the concept of secure e-mail, how it works, and much less, how to explain it to their customers to make it understandable as well as a competitive advantage.  Financial institutions have an opportunity to take a leadership role with digital e-mail signatures, since as one of the most trusted vendors any retail customer will ever have, creating a norm of secure e-mail communications across the industry can drive both education and technology adoption.  Even elderly users and young children understand the importance of the “lock icon” in web broswers before typing in sensitive information such as a social security number, a credit card number, or a password – with proper education, users can learn to demand the same protection afforded by secure e-mail.

  2. Lack of Client Support.  Unfortunately, as more users shift from desktop e-mail clients to web-based e-mail clients like Gmail and Yahoo Mail, they lose a number of features in these stripped down, advertising-laden SaaS apps, one of which is often the ability to parse a secure e-mail.  The reasons of this are partially technological (it does take a while to re-invent the same wheel desktop client applications like Outlook and Thunderbird have mastered long ago), partially a lack of demand due to the aforementioend ‘education’ reason, and partially unscrupulous motives of SaaS e-mail providers.  The last point I want to call special attention to because of the significance of the problem:  Providers of SaaS applications “for free” are targeted advertising systems, which have increasingly used not just the profile and behavior of end-users to develop a targeted promotional experience, but the content of their e-mails themselves to understand a user’s preferences.  Supporting S/MIME encryption is counter to the aim of scanning the body of e-mails to determine context, when in a secure e-mail platform, Hotmail for instance, would be unable to peek into messages.  Unfortunately, this deliberate ommission of encryption support in online e-mail clients has meant that digital signatures, the second part of the S/MIME technology, is often also omitted.  In early 2009, Google experimented with adding digital signature functionality to Gmail; however, it was quickly removed after it was implemented.,   If users came to demand secure e-mail communications from their financial institutions, these providers would need to play along.

  3. Lack of Provider Support.  It’s no secret most online banking providers have a software offering nearly a decade old, which is increasingly a mishmash of legacy technologies, stitched together with antiquated components and outdated user interfaces to create a fragile, minimally working fabric for an online experience.  Most have never gone back to add functionality to core components, like e-mail dispatch systems to incorporate technologies like S/MIME.  Unfortunately, because their customers who are technologically savvy enough to request such functionality represents a small percentage of their customer base, even over ten years later, other online banking offerings still neglect to incorporate emerging security technologies.  While a bolt-on internet banking system has moved from a “nicety” to a “must have” for large financial services software providers, the continued lack of innovation and continuous improvement in their offers is highly incongruent with the needs of financial institutions in an increasingly connected world where security is paramount.

S/MIME digital e-mail signatures is long over-due in the fight against financial account phishing; however, as a larger theme, financial institutions either need to become better drivers of innovation in stalwart online banking companies to ensure their needs are met in a quickly changing world, or they need to identify the next generation of online banking software providers, who embrace today’s technology climate and incorporate it into their offerings as part of a continual improvement process.