Wednesday 24 December 2008

I Told You So, Alyssa Milano!

According to the Wall Street Journal, now Google Wants Its Own Fast Track to the internet. So much for Eric Schmidt's public call for network neutrality.

While everyone who's anyone was jumping on the bandwagon (sorry, Alyssa Milano), remember the one maverick blog that called it egregious hypocrisy from the start.... WhoHasTimeForThis?





Blogged with Flock


Mardi Bas

Mazal Tov to my niece Valerie, who is celebrating her Bas Mitzva in New Orleans. We arrived last night in time to watch Kobe score 26 points as the Lakers trounced the Hornets.

I'm obviously not a big fan of religious ceremonies, but Val's family has a funny way of celebrating that bucks the trend of over-the-top parties. Instead of congregating all week in synagogue to worship you-know-Who, we're spending the week repairing Katrina-damaged neighborhoods. Today we built and stocked a library for a local public school (I built the shelves in the photo below and my 6-year-old sanded them down). Tomorrow we're installing floors in a condemned home in the lower 9th Ward -- apparently we don't get the day off for either Christmas or Hanukah. Oy.
































Monday 22 December 2008

Tilera: "The Startup To Watch"

This month the Global Semiconductor Alliance recognized Tilera as the Startup To Watch for 2009. Congratulations to founder Vijay Agarwal and his co-founders Devesh Garg (now a partner in Bessemer's Mumbai office) and MIT Professor Anant Agarwal! And kudos to my partner Rob Chandra, who funded and incubated the company in our Massachusetts office.

Tilera has transformed multicore computing by designing a truly distributed chip architecture where each processing core (or "tile") has its own resources such as caches and network nodes. This architecture solves major problems around performance (centralized resources are a bottleneck) and scalability (we're already running 64 tiles on a chip and we'll soon double that). We use industry standard programming tools, running C and C++ code on SMP Linux so it's easy to migrate an existing application to our fully parallel platform. Simply put, Tilera has extended the benefits of distributed computing from PCs down to the chip level.

I'm personally most excited about the impact Tilera will have on security appliances, which increasingly need to process large streams of packets in real time in order to prevent malware, identify predatory behavior, and combat terrorism. Replacing all the FPGAs, DSPs and ASICs in such an appliance, a single Tilera chip is perfect for high volume computational tasks like packet filtering that can be processed in parallel. (Devesh had first recognized this need when he was GM of Broadcom's Security Business Unit.) Tilera fits many other applications as well in processing communications and video (e.g. H.264 codecs) -- in fact, we have nearly 50 customers in various stages of design.

The distributed architecture also leads to a greener power profile. By replicating and distributing the circuits, the electron pathways are much shorter, which consumes less power and generates less heat.



Wednesday 26 November 2008

Ocarina: World's Bestselling Mobile App

Congrats to the Smule team, whose Ocarina has topped the charts for two weeks now (and especially to CTO Ge Wang who is currently profiled on apple.com/pro).

Anyone can quickly learn to play the Ocarina -- hundreds of song sheets for the Ocarina are now available on Smule.com, thanks to users who have composed and uploaded their scores.

Click on the image to hear my son jamming at the Sonic Mule headquarters...





Friday 21 November 2008

Nov 29: A Cappella Holiday Concert

I discovered last winter that the Bay Area is home to one of the world's premier A Cappella choruses. Voices in Harmony sings jazz, pop, contemporary, barbershop, and traditional choral music under the direction of Dr. Greg Lyne, a professor from Arizona State and the St Petersburg Conservatory, and guest conductor for the Mormon Tabernacle Choir. Oddly, the group isn't well known locally, but they've been collecting international accolades and acclaim -- most recently winning the bronze medal at the BHS World Championship in July (BHS has 34,000 members worldwide).



Next Saturday afternoon at 3pm on Nov. 29 Voices in Harmony (joined by the Late Show quartet and Pride of the Pacific women's chorus) will perform a holiday concert at the California Theatre in San Jose. There are still a few tickets available, and my friends at the chorus have offered to invite the first group of 4+ people who buy tickets through my blog to a pre-concert VIP wine and cheese reception. (Just leave a comment with your email and name if you think you qualify.)

I have no affiliate code or any other financial interest in this event or the group (it's actually non-profit). I'm just sharing my love for their music. You have to hear them to understand, but if you go, you'll thank me.


Why I Just Invested in Goodmail

How many letters have you snail mailed lately? I think I send about 10,000 emails for every letter I write. So why do enterprises who communicate with millions of customers continue to cut down trees and pay to print letters and envelopes and have them physically carried around the world with hundreds of times the cost and latency of email?

The reason for this financial, environmental and logistical absurdity is that you'd have to be nuts to open an email from Bank of America, since most emails that are purportedly from Bank of America are not from Bank of America. They're actually from The I-Need-A-New-Mercedes Bank of Leningrad (or Budapest, or Tel Aviv, or Shanghai...). Furthermore, the ISP who delivers consumer email has no idea which hyperlinks and images are safe, and so as a policy the ISP strips all links, media and scripts from the email, rendering the medium rather useless to you and Bank of America.

The textbook solution to this problem is nearly impossible. You'd have to set up auditing procedures to authenticate all legitimate senders, and monitor the senders' behavior to ensure that they never engage in bad practices like spreading malware or spam. You'd have to examine every script and media object they wish to transmit. You'd have to set up and operate cryptographic infrastructure to establish the integrity of the message from the sender's computer all the way to the inbox (i.e. no added viruses or such). You'd have to convince the ISPs who provide web interfaces to change the way they process their email streams based on the cryptographic tokens attached to the messages. The ISPs would then have to explicitly distinguish for users in their web UI which messages are trusted. And then you'd have to convince businesses that they should pay a transaction fee per email to fund all this infrastructure.

Only one startup was crazy enough to try this. With some amusement, I watched Daniel Dreymann's team for three years trying to line up all these ducks. Suddenly, in September, I heard quacking. Mountain View-based Goodmail had actually signed up ISPs representing over 300 million users (including most of the consumer ISP inboxes in the US and Europe), deployed the necessary cryptographic infrastructure, and delivered over three billion CertifiedEmail messages that month on behalf of Time, StubHub and other commercial and non-profit senders.

That's what I call an industry standard solution to a big problem. So last week I invested in Goodmail and joined the board, alongside Scott Kurnit, Don Hutchison, VCs from DCM, Emergence and Softbank, and Goodmail's new CEO Peter Horan (former CEO of About.com).

It was a pretty easy decision for me, having done okay funding email security companies in the past. Worldtalk, Tumbleweed and ON developed email security and each went public before being acquired. Cyota and Postini developed anti-phishing and anti-spam services, and they sold for great prices to RSA and Google, respectively. And in 1995 I started a little company in our offices called Digital Certificate Inc. to build a similarly ambitious cryptographic infrastructure and ecosystem for securing web sessions (we later changed the name to Verisign).

The cost of sending CertifiedEmail is 0.1% that of sending a paper statement, invoice or brochure, not to mention the environmental imperative. Thanks to Goodmail, businesses can now send CertifiedEmails, and we can all safely open them without wearing rubber gloves.


Wednesday 12 November 2008

My Halloween Treat: OpenCandy

Despite rumors to the contrary, venture investors are still funding innovative and disruptive startups. My latest Series A investment, announced today, is OpenCandy, which I co-funded with Tim O'Reilly and Reid Hoffman.

Not every (any?) great software application comes from Redmond. Today more than ever individuals and small teams of programmers in every country of the world develop great applications that wither on the vine for lack of visibility and a business model. OpenCandy's technology promises revenue, cheap distribution and free analytics to programmers who may not have their own big marketing departments.

OpenCandy's first product is a recommendations engine that operates in the install wizard of downloaded software. While working for their prior employer DivX, the OpenCandy team discovered that users are far more likely to consider downloading new software while they're in the middle of downloading something else. This observation led them to embed software offers in DivX downloads that now generate $20 million annually for their former employer.

"OpenCandy is taking a proven Web 2.0 model--the ad network--and applying it to software installation. It's very clever. And it will probably work." -- CNET

OpenCandy's recommendations include a mix of free and paid recommendations, depending upon the preferences of the publisher. They do not interfere with the original download, commencing only after the current installation has completed. Here's an example of OpenCandy at work for Miro (a BitTorrent player for RSS video) and Audacity (by far the best sound recording/mixing tool I've ever used):


Software developers who wish to participate as either a recommender or recommendee should contact co-founder Chester Ng at OpenCandy. He and OpenCandy CEO Darrius Thompson started the company earlier this year. They run a talented but scrappy team in the true tradition of Get Big Cheap. And I'm betting they'll prove that great software is like Halloween candy: you can't eat just one!


Thursday 6 November 2008

It's a Smule World After All

Having realized a 30X gain on my 1997 investment in Tumbleweed, I'm delighted to be incubating Jeff Smith's next venture, Sonic Mule. After taking Tumbleweed public, Jeff retreated to Stanford in pursuit of his doctorate in classical music; he then joined Bessemer as an EIR, where he conceived Sonic Mule (aka Smule). Jeff recruited Ge Wang (Stanford) and Perry Cook (Princeton) -- two of the world's most prominent professors in computer-music integration and the inventors of Chuck, an open source language that processes and renders sound in real time.

When Jeff's team isn't cleaning out Bessemer's kitchen, they're churning out ass-kicking Chuck-on-iPhone (CHiP) apps. Sonic Lighter (now in the Campaign edition), Sonic Vox (read Apple's review), and Sonic Boom all exceeded our sales projections -- check out the Sonic Lighter's adoption curve in the video below (this is the coolest board update I've ever gotten).



Today Sonic Mule is releasing their latest and greatest app yet -- the Ocarina. This is the first fully functional and expressive iPhone musical instrument. A true Ocarina, it responds to breath, fingerings, and position. It is easy to learn but allows for nuance and mastery. And you can navigate the globe to listen in on Ocarina performances around the world. Check out the video and then buy Ocarina for 99 cents.



And this one's for Legend of Zelda fans...


Update: "Smule has done it again," according to This Is How You Build a Great iPhone App at TechCrunch.

Tuesday 4 November 2008

The Prospects for SaaS

On Thursday night Bessemer's SaaS practice team Byron Deeter and Philippe Botteri hosted a CFO dinner at John Bentley's in Redwood City, where we discussed the prospects for SaaS in the context of a global recession. My squash gnocchi was delectable, but the portion size was stingy (a sign of the times). Fifteen CFOs participated, about half of whom work at Bessemer portfolio SaaS companies (Cornerstone On Demand, Intacct, Lifelock, LinkedIn, OneStop, Perimeter and Retail Solutions).

The mood could best be described as cautiously pessimistic. Despite hypergrowth in the SaaS industry, the outlook for 2009 is sobering. Among the 13 public SaaS companies, the multiple of enterprise value over current year sales has dropped from 6.6 one year ago to 2.2 today, shaving 60% off market caps year to date. Obviously the market expects growth rates to fall dramatically. SaaS companies grew on average 48% in 2008 but in 2009 Omniture will lead the pack with only 14% growth, according to Goldman Sachs uber analyst Sasa Zorovic, who joined us for the dinner. (Yes, Goldman's SaaS analyst is really named Sasa.)

With slower growth and expensive capital, SaaS companies need to adjust expenses to optimize for cash efficiency, not growth. It's especially important now to assess the profitability of new business, which is tricky in SaaS companies. For each customer, the inflows are the time-discounted billings including expected upsells to the point of expected churn. The outflows equal the sum of upfront sales costs and the time-discounted cost of service delivery and any sales cost for renewals and upsells.

Although we're planning for the worst, we at Bessemer still believe that the shift to SaaS represents the most important secular shift in enterprise computing since the advent of client-server. The SaaS value proposition of reducing capital expenses as well as total cost of ownership should ring even louder as corporate budgets come under pressure. That's why we predict the downfall of software companies whose addiction to license revenue discourages them from embracing SaaS...

Sunday 12 October 2008

Take Back the Web!

When Tim Berners-Lee conceived the web, he dreamed of inter-connected documents, of surfing along from one person's page to the next, following a fluid path rich with information and discovery.

Instead what we got is a big honkin' billboard, as commercial interests hijacked Tim's vision. Just look at any popular web site today and you'll find only two kinds of hyperlinks -- paid ones and self-referential ones (that keep traffic from leaving the domain). The only relevant links come from portals like Google that monetize search. So instead of deeply browsing the web, we search and click, search and click, search and click... So much for friction-free information and serendipitous discovery.

The web will remain captive to publishers until users exercise control over the hyperlinks that define the web's structure. GreaseMonkey, an open source platform for Firefox scripts, promised some relief to users who want control of their web content and links, but it proved far too esoteric and insecure for mainstream use. The startup Hyperwords also provides some relief to users who wish to right-click on words in web pages to perform an operation like search, blog or email, but Hyperwords requires new user behavior, and does not provide any element of discovery.

So 18 months ago my partner Justin Label and I started cooking up a startup to save the web. We conceived of a platform for creating and distributing mash-ups transparently and securely so that you can pick the news sources, e-commerce vendors, reference materials, social networks, media stores, etc. to which your web pages link. We even hoped to mash your web content with personalized objects (e.g. how closely are you LinkedIn to people you read about?), in-page media (e.g. streaming music) and fewer ads. We called it MashLogic.

Bessemer funded the newco, and we recruited search jock Ranjit Padmanabhan (right) and GreaseMonkey scripter Johan Sundstrom as co-founders. After 15 months in development, we're very excited to release a Beta product today, with 100 invites available here. Beta invites are also available on TechCrunch, where just this morning Arrington reviewed the product quite favorably:

"It's a frickin' swiss army knife for hyperlinks... So far in my testing, they've nailed it... I'm putting this on my must-have list of Firefox add-ons."

Obviously there are still wrinkles to iron out. Today we support both major browsers -- Firefox and Flock :-) -- but of course we'll import the plug-in to IE and Chrome.

To be clear, MashLogic is NOT like Snap, Flyswat, Adaptive Blue, or any of the other startups who try to convince publishers to embed their javascript. We're not in this to help publishers by giving them better pages full of ads and self-referential links. We're here for users. Which means that we never inject ads or sponsored links into our callouts, and we never add or remove hyperlinks to suit a publisher. We even let users prioritize sources of information, so that a Wikipedia link might trump TechCrunch, or vice versa. The publisher's original links are kept on by default, but you can subordinate them to the other mashes or turn them off altogether. We don't expect mercenary publishers to like us much.

So how do we plan to make money? Once we restore benevolent hyperlinking to the web, many of the links people choose to embed will relate to e-commerce that pays us affiliate revenue for enabling those links. For example, if you like the Expedia mash that displays and links you to the best fares from your location to any destination you read about on the web, we'll get affiliate consideration. So we're motivated to offer up mashes that you'll want to activate.

We know it's unconventional for big VCs to start with an idea and money and then find the team, but every once in a while the opportunity is important enough to warrant the work. As a plus, this approach means that we get to pick the best team in the world to execute the concept, rather than the team that happened to think of it. (This worked for me once before, when I started VeriSign the same way.)

I could show you screen shots but you really have to try it to get a sense for how MashLogic changes the web (you can partially preview the experience here but today our web site may be super busy). Please do comment with your feedback on the product, and let us know how else you might like to mash the web. Not only will we add lots of new mashes, but we're going to open the platform so that even non-programmers can create and share their own mashes in 5 minutes.

I hope you enjoy the new web on MashLogic, and if you see Tim Berners-Lee, tell him that we've got his back.

Thursday 9 October 2008

Militant Avampirists Are So Irritating

Tuesday's post Skeptics Sellout to Christians provoked "M" to comment:

As an agnostic I have read your posts on religion with amusement. Has it occurred to you that a strident atheist is no less dogmatic and irritating than a strident Christian or a strident [your religion goes here]? Who has time for this?

Before I could respond, Peter Harrington commented:

M -- I am also an agnostic, but I think you err deeply in comparing an Atheist to a strident religious person. The worst that a "militant Atheist" will ever do is scoff at religion -- they are far too busy enjoying their one and only life.
In contrast, the worst a militant believer will do is kill you and your family, for the crime of having chosen a different myth (or no myth at all, in the case of agnostics/atheists). Furthermore, I know many Atheists who call themselves that as shorthand for "insofar as I can be sure of anything, I am sure that there is no God" -- this conclusion is not dogma (which implies argumentation by authority), but one based in logic and self-skeptical analysis. I myself prefer the term Tooth-Fairy agnostic as short hand for the same position. Be that as it may, give me a world filled with Atheists any day over Religulous people -- true morality can be achieved only by the non-religious.

Thank you, Peter, for saving me the keystrokes. As for you, M, I love your use of my catch phrase at the end of your comment, but c'mon, am I really no less irritating than dogmatic Christians like Sarah Palin? I would never prevent the use of stem cell therapy to cure disease, or fight wars to spread Christian ideals, or deny loving couples the same rights as their heterosexual neighbors, or legally compel rape victims to bear the children of their violent tormenters. These assaults on people's lives don't irritate you even a tad more than my strident blog (which you can always choose not to read)?

It's simply unfair to characterize atheists as arrogant, militant know-it-alls simply because we believe that deities are as mythical as easter bunnies and vampires. M, don't you ever think someone somewhere is wrong about something, or are you agnostic about everything?

I offer up the following words to describe people based on their beliefs. M, I would be most curious which of these labels describe you...

Paschalepist -- one who believes that on the Sunday following the full moon closest in time to the vernal equinox, a fluffy white mountain hare (of the species lepus timidus) hides chocolate eggs.

Apaschalepist -- a person who does not believe that the Easter Bunny is real.

Vampirist -- one who believes that pale, fanged immortals stalk the night, sometimes in the form of bats.

Avampirist -- a person who thinks that un-dead, bloodthirsty demons are mythical.

Pastafarian -- one who believes that the universe has been created and tended by the great Flying Spaghetti Monster, blessed be His name.

Antipasta -- a person who doesn't believe that the Flying Spaghetti Monster exists.

So are you indeed an apaschalepist, avampirist, or antipasta? If so, how can you be so sure of yourself? How can you be so dogmatic? Wouldn't it be more polite to just profess agnosticism about the Easter Bunny?

Now how would you feel if people derided you for being one of those arrogant militant avampirists? You'd probably think, "Huh? I don't think I'm arrogant. I know I'm not militant. And I'm certainly not trying to distinguish myself as an avampirist. I just don't buy supernatural fairy tales, and frankly I'm surprised that avampirist is even a word."

M, welcome to my world.


Tuesday 7 October 2008

Skeptics Sellout to Christians

I spent the weekend at CalTech to attend a Skeptics Society conference. This particular event was titled “Origins: the Big Questions,” addressing whether science renders divine faith obsolete. The speakers who drew me there were quantum physicist Leonard Susskind, entertainer Keith Dalton (creator and star of the hilarious and irreverent online series Mr. Deity), and of course Michael Shermer, who founded the society and edits the great Skeptic Magazine.

The Good Part

The conference began with a real bang – the Big one of course, and a lesson on what preceded that singularity as best understood today by physicists. Susskind condensed his Stanford undergraduate cosmology course into a beautiful one-hour primer on the universal constants (Planck’s, gravitational constant, speed of light…) that support life. It turns out that life can only evolve and survive in a narrow window of values for these constants, a fact that Christians have recently embraced as proof of an intelligent designer. But Susskind explained how quantum mechanics support the existence of a multiverse that regularly spawns new universes with different sets of constants, making it inevitable that our comfy universe should appear. (I asked him whether a future day Dr. Strangelove could create the conditions that spawn a new universe in our own – he said no, but without a compelling explanation.)

The other highlight of the day was Dr. Donald Prothero, who summarized his undergraduate Caltech course on evolution. Prothero first debunked the Christian claims that there are evidentiary gaps in the theories of early evolution on Earth. He walked us through the Fox-Miller-Urey experiments conducted in the 1970’s in which amino acids formed in a simulation of the primordial soup, and identified exactly which elements on earth would have catalyzed the binding of those molecules into proteins and nucleic acids (most likely RNA). He showed us photographs of three billion year old fossils in which these nucleic acids are evident. He then shared Amherst professor Lynn Margulis’ widely accepted theory of how single celled organisms evolved into our cellular organelles like mitochondria, which have their own unique DNA and reproductive processes.

Then he debunked the Christian claim that most modern species appeared “all at once” during the period known as the Cambrian explosion half a billion years ago (hmm, I thought the Lord had dispatched Noah only four thousand years ago). The Cambrian explosion is a dramatic misnomer, referring to a period of above average mutations that actually lasted over 20 million years.

Caltech physicist Sean Carroll delivered a great talk on time’s arrow – how time fits into the universe and how it cannot exist without fluctuations in entropy. He explained how the physical constants give our universe just the right amount of clumpiness so that time can flow, and he presented an alternative theory – consistent with quantum mechanics – on how universes can bear “babies” with differing constants.

We heard from Caltech biologist Christoff Koch on the mystery of consciousness. Although he’s not a Christian, he is arguably a dualist who believes that consciousness may in fact entail a new force not yet discovered by physicists, consistent with the claims of my friend and AI researcher Steven Ericsson-Zenith.

The Bad Part

Had the lunch break in fact marked the end of the event, it would have been perfect. The afternoon sessions were dominated by Christians whose presentations ranged from nefariously clever to stupidly juvenile.

Why did Michael Shermer waste the time of 400 people who traveled to Pasadena on pilgrimage for real science? The only reason I can fathom is that the Skeptics Society could not produce the event without the financial backing of the event’s sponsor, the John Templeton Foundation. This foundation funds programs and prizes that promote the application of science to spirituality. In other words, it’s a Christian I.D. think tank. They obviously insisted on featuring Christian speakers like Paul Davies, to whom they had awarded the Templeton Prize.

For example, Hugh Ross presented the science behind reasons.org, a web site alleging to prove that Jesus is our savior. Hugh’s presentation was colorful and fun, but the logic was about on par with Johnny Cochrane’s “If the glove don’t fit, you must acquit!” Among other “proofs” Ross claimed that Genesis’ 6-day Creation tale jibes with evidence of a 14 billion year old universe, since the Hebrew word for day (“yom”) also means a very long time. Except that it doesn’t. (Good thing I attended yeshiva.)

The lowlight of the day was surely the talk by theologian Dr. Nancey Murphy, and the debate that followed between her and Michael Shermer. Apparently she got her current position because she sat in her “prayer chair” and specifically told her god what kind of position she wanted. It’s very important, she counsels, to be specific with Jesus (after all he’s pretty busy).

During the debate Michael asked her why God hates amputees, since He refuses to answer anyone’s prayer to heal them. Her answer was that she doesn’t know anyone who has prayed on behalf of amputees. Amputation isn’t fatal and doesn’t seem prone to cure, and so limb growth just isn’t something that people pray for. A heckler clarified, “Oh, so it’s Christians who hate amputees!”

In response to a question from the audience, Shermer expressed disappointment that so many scientists fail to think critically. While he said this, Murphy nodded in agreement, completely unaware that Shermer was talking about her.

The conference picked up at the end, when the cast of Mr. Deity -- directed by former Mormon Keith Dalton -- performed live episodes of the brilliant online series that really nails the Big Questions (with no input from the Templeton Foundation). If you haven’t watched it, start with Episode 1…




Update: Gary Rosen from the Templeton Foundation emailed me to correct my impressions of Templeton. He, and the commenters below, did persuade me that Templeton is not an "ID think tank", and Davies is a Deist but not necessarily Christian. Rather, Templeton tries to reconcile faith with science. Clever, but still nonsense. Faith is belief without evidence, and so pushing it into a skeptics agenda leads to absurdity.

Update 2: One of the commenters on this post finds me irritating and strident because I'm a "militant atheist". I responded in this post (one of my better ones): Militant Avampirists Are So Irritating!

Update 3: PZ Myers at Pharyngula evokes a rich discussion on the evils of the Templeton Foundation. (i.e. they funded the Prop 8 anti-gay amendment in California)

Tuesday 16 September 2008

Rocket Man

A jetpack wearing hero on the cover of Amazing Stories, August 1928. The cover illustrates The Skylark of Space. Last weekend I took my boys to Hiller Aviation Museum, which hosted a demonstration of an actual jetpack at work. I had thought this was the stuff of science fiction, but this dude actually lifted off, flew down the runway a bit, hovered, returned, and landed. Cool!

Before taking off, he did have to get clearance for his flight plan. As you can see from the vantage of my photo to the left, we stood right near the liftoff point--I was surprised that there was no smoky plume from the rocket fuel, but the noise at ignition was painfully impressive. The operator has to be quite strong to carry the device on his back, and even so he's limited to 30 seconds of rocket fuel.

They wouldn't let me fly the thing, but the museum did bring in a jetpack simulator for the day. Balancing the side-by-side rockets is trickier than I thought, and so my virtual flights all ended in explosive, head-first crashes.

Nevertheless, as the central theme of her energy plan Sarah Palin is now pushing the jetpack as a replacement for automobiles, which "burn all that smelly gasoline." Fortunately, the jetpack I saw burns hydrogen peroxide, which she seems to have in good supply.

Meanwhile, the trip to Hiller inspired my 6-year-old to become a pilot himself.








Tuesday 2 September 2008

McCain: Creationist Chameleon

Why did McCain select a VP candidate from the state with the fewest electoral votes? Because Sarah Palin is just the religious fanatic he needs to mobilize the Republican vote. Palin, potentially one step away from the Presidency, rejects science at every turn. She would teach creationism in schools, appoint judges who federally outlaw abortion ("even if my own daughter was raped" [sic]), and reject policies that "assume" pollution causes global warming. McCain found the one governor even more Christian than George Bush! Oh, and she won a beauty pageant.

Palin reminds us that despite some hostile court rulings, the intelligent design movement continues to thrive and (ironically) evolve. Louisiana and Texas are currently debating legislation to join the states that teach ID in public schools. If this trend worries you, mark your calendar for Sept 20 from 11am to noon. Cal State science professor Larry Lerner will lecture on "The Creationist Chameleon: Past, Present, and Maybe a Bit of the Future" at the Lucie Stern Community Center, 1305 Middlefield Road in Palo Alto.

I believe there is some kind of supervised children's activity during the lecture, but you can direct questions to Paul Gilbert at 650-906-6704. This event is co-sponsored by the Humanist Community in Silicon Valley and Americans United for the Separation of Church & State.

Friday 29 August 2008

Internet: Threat Level Red

Yesterday a Bessemer company rescued 42% of the internet...

As you probably read about in news coverage of the recent Black Hat conference, Dan Kaminsky brilliantly discovered a catastrophic vulnerability in the internet's Domain Name System (DNS). The vulnerability permits a hacker to "poison the cache" of DNS servers with incorrect IP addresses -- a phisher's dream come true. Even better for hackers, the vulnerability allows them to intercept email traffic so that they can collect our passwords simply by asking the bank's login screen to email forgotten passwords. They can fool Certificate Authorities into issuing them valid SSL certificates so they can spoof your bank with compelling authority. And lots of other nasties, too.

The Domain Name System is a distributed network of directories residing in programs like BIND and Nominum that respond to queries from network clients (browsers, email, VOIP...). By far the most common query is "What is the IP address of the domain name AAA.BBB ?" Thanks to DNS you can remember names (amazon.com) instead of an address (66.98.140.0). If your DNS server doesn't have the answer, it asks another DNS server, and then remembers the answer in its cache for some specified period of time before that record expires.

The "Kaminsky Attack" starts with a request for a DNS lookup and follows up with a message to your ISP's DNS server purporting to come from an authoritative server. The fake message poisons the server's cache with an incorrect IP address, such as that of the hacker's fake Citibank web site. While cache poisoning had been theorized before, it had always been an impractical attack, since the hacker never knew exactly when the DNS server would need to refresh an expired record. Kaminsky observed, however, that if a client asks a DNS server for the address of foobar.citibank.com (a non-existent sub-domain of citibank that the DNS server doesn't have in its cache), the server will ask its authoritative server for the address, and get tricked into using that fake IP address for all variants of citibank.com. To spoof the authoritative server, the hacker's fake DNS message has to have the right transmission ID, but there are only 65,536 possibilities. Each time the hacker tries, she can probably send 200 different guesses before the real server can respond for real, so if you attack once every four seconds as Kaminsky tried doing, it takes an average of ten minutes to steal a domain.

Prior to announcing at Black Hat, Kaminsky worked responsibly, diligently and quietly with several vendors to prepare for the announcement. I'm familiar with the effort because one of my portfolio companies, Nominum, is among the teams who prepared for the announcement. Nominum's chief scientist Paul Mockapetris had in fact invented the Domain Name System, and the NY Times has recently reported that his company's industrial strength DNS software now serves 120 million broadband internet subscribers through nearly 100 ISPs. In his presentation to Black Hat, Kaminsky graciously called out Nominum for moving quickly to protect 42% of all broadband internet subscribers from exposure to the Kaminsky Attack.
The other 58% of the internet is not so fortunate. The vast majority of those DNS servers run the antiquated freeware called BIND. The International Software Consortium moved fast to patch BIND, but the patch is not very effective, mostly undeployed, and reportedly unstable. (On July 28 BIND's lead architect Paul Vixie issued an email bulletin warning of performance issues with the patch.)

The BIND security patch randomizes the port used to ask other servers for help, so the attacker has to guess the port as well as the transmission ID. But hackers do have, you know, computers that can make lots of fast guesses. So the patch simply extends the attack from minutes to hours - still pretty easy for the bad guys. Sure enough, John Markoff reported in the NY Times last week ("Leaks in Patch for Web Security Hole") that Russian physicist Evgeniy Polyakov broke the patched security in 10 hours. (You can run Polyakov's exploit yourself.)

In addition, most DNS servers live behind routers, firewalls and load balancers that run Network Address Translation, which converts the randomized ports into an orderly sequence. You don't have to be a Russian physicist to break that scheme.
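A resolver operator can check whether port randomization survives the NAT path by comparing the source ports queries carry when they leave the server with the ports an outside observer records. The following is an added example, not code from this post or from any vendor; the function name, the thresholds and all port samples are constructed for illustration.

```python
from statistics import pstdev


def assess_source_ports(ports, small_step=16, min_spread=3000):
    """Classify UDP source ports of consecutive resolver queries, in order seen.

    small_step and min_spread are illustrative thresholds (assumptions),
    not values taken from any standard or product.
    """
    if len(ports) < 8:
        raise ValueError("need at least 8 observations to say anything useful")
    # Step from one query's port to the next, wrapping at 16 bits.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    # A step of 0..small_step means the next port is guessable from the last.
    frac_small = sum(1 for d in deltas if d <= small_step) / len(deltas)
    spread = pstdev(ports)
    if len(set(ports)) == 1:
        verdict = "fixed"          # every query leaves from one port
    elif frac_small >= 0.5:
        verdict = "sequential"     # typical of a NAT allocating ports in order
    elif spread < min_spread:
        verdict = "narrow-range"   # random, but drawn from a small pool
    else:
        verdict = "randomized"
    return {"verdict": verdict,
            "frac_small_steps": frac_small,
            "spread": round(spread)}


# Constructed samples: the same twelve queries seen at three vantage points.
AT_RESOLVER = [51234, 10877, 33021, 60112, 2049, 44790,
               18333, 57001, 29514, 7731, 39860, 63205]   # on the server itself
BEYOND_NAT = [20000, 20001, 20002, 20004, 20005, 20006,
              20007, 20009, 20010, 20011, 20012, 20013]   # after address translation
UNPATCHED = [32768] * 12                                  # single fixed source port


def compare_vantage_points():
    return {
        "at_resolver": assess_source_ports(AT_RESOLVER),
        "beyond_nat": assess_source_ports(BEYOND_NAT),
        "unpatched": assess_source_ports(UNPATCHED),
    }


if __name__ == "__main__":
    for place, result in compare_vantage_points().items():
        print(f"{place:12s} {result}")
```

If the verdict at the resolver is "randomized" but the verdict beyond the NAT device is "sequential", the patch is installed and the protection is still lost on the wire.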

Unfortunately, there's about an even chance that you're reading this from an ISP running BIND. Patched or not, you're exposed to pharming, and many carriers and enterprises lack the awareness or motivation to act. Indeed, I heard one CIO of a major brand name financial institution declare immunity from Kaminsky attacks because he has "three layers of firewalls," as if his firewalls block the DNS ports.

The good news is that yesterday Nominum announced a new release of their DNS server that layers on several new defenses on top of port randomization. For example, Nominum's server treats the flood of wrong guesses as an attack, so instead of waiting for the right transmission ID and accepting the spoofer's poisonous payload, Nominum logs the IP address of the sender.
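The idea of treating a flood of wrong guesses as the signal can be sketched as follows. This is an added example, not Nominum's code and not taken from any product: the class, the threshold of 20 misses per second and all traffic are constructed, and refusing every further UDP answer for the targeted name is an assumed response.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    ts: float      # arrival time in seconds
    src_ip: str    # sender address as written in the packet
    dst_port: int  # resolver UDP port the reply arrived on
    txid: int      # 16-bit ID in the reply (the post's "transmission ID")
    qname: str     # name the reply claims to answer


class SpoofFloodGuard:
    """Hypothetical guard that counts replies missing an outstanding query."""

    def __init__(self, max_misses=20, window=1.0):
        self.max_misses = max_misses      # misses tolerated per window (assumed)
        self.window = window              # sliding window, seconds (assumed)
        self.pending = {}                 # qname -> (txid, source port) we sent
        self.misses = defaultdict(deque)  # qname -> timestamps of recent misses
        self.tripped = set()              # names whose UDP answers are refused
        self.attack_log = []              # (ts, qname, src_ip) once tripped

    def sent_query(self, qname, txid, src_port):
        self.pending[qname] = (txid, src_port)

    def on_reply(self, r):
        if r.qname not in self.pending:
            return "drop-unsolicited"
        if r.qname in self.tripped:
            # Even a reply with the right ID is refused: it may be the one
            # lucky guess. A real resolver would re-ask another way (assumption).
            self.attack_log.append((r.ts, r.qname, r.src_ip))
            return "refuse-under-attack"
        if (r.txid, r.dst_port) == self.pending[r.qname]:
            del self.pending[r.qname]
            self.misses.pop(r.qname, None)
            return "accept"
        recent = self.misses[r.qname]
        recent.append(r.ts)
        while recent and r.ts - recent[0] > self.window:
            recent.popleft()              # forget misses older than the window
        if len(recent) >= self.max_misses:
            self.tripped.add(r.qname)
            self.attack_log.append((r.ts, r.qname, r.src_ip))
            return "refuse-under-attack"
        return "drop-mismatch"


def replay_constructed_traffic():
    """Replay constructed traffic: one normal lookup, then a guessing flood."""
    guard = SpoofFloodGuard(max_misses=20, window=1.0)
    verdicts = []
    guard.sent_query("www.example.test", 0x1A2B, 40001)
    verdicts.append(guard.on_reply(
        Reply(0.010, "192.0.2.53", 40001, 0x1A2B, "www.example.test")))
    guard.sent_query("foobar.example.test", 0x7F31, 40002)
    for i in range(25):                   # 25 wrong IDs within 25 ms
        verdicts.append(guard.on_reply(
            Reply(1.0 + i * 0.001, "192.0.2.53", 40002, i, "foobar.example.test")))
    # A forged reply that finally carries the right ID, after the guard tripped.
    verdicts.append(guard.on_reply(
        Reply(1.030, "192.0.2.53", 40002, 0x7F31, "foobar.example.test")))
    return guard, verdicts


if __name__ == "__main__":
    g, v = replay_constructed_traffic()
    print({name: v.count(name) for name in sorted(set(v))})
    print("logged events:", len(g.attack_log))
```

The logged sender address is whatever the packet claims, which in a spoofing flood is the authoritative server being impersonated, so the log is evidence that an attack is under way rather than attribution.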

Here's how Dan Kaminsky reportedly responded to Nominum's announcement:

"Layered defenses in the DNS system are an effective way to address serious attack scenarios that aren't covered by UDP Source Port Randomization alone. As new DNS vulnerabilities are discovered, a layered approach such as Nominum's will help in ensuring ongoing Internet security."





Sunday 24 August 2008

Wet Shaving: Sinfully Joyful


27 כז לֹא תַקִּפוּ, פְּאַת רֹאשְׁכֶם; וְלֹא תַשְׁחִית, אֵת פְּאַת זְקָנֶךָ

Ye shall not round the corners of your heads,
neither shalt thou mar the corners of thy beard.

-- Leviticus

Thus was I commanded as a boy never to touch a razor to my face, lest I provoke The Lord's wrath for so offending His creation. (Reportedly, He's okey-dokey with electric razors.) So please forgive the ignorance of my 2006 blog post "Read This Only If You Shave" hailing the Schick Quattro razor, confidently published as though I knew even the first thing about shaving.

Fortunately, the blogosphere worked, as helpful comments on my post humbled me with links and advice. One reader in particular, Jay Batson, set me on a new, resolute mission that I've traveled every day (except weekends and holidays) to recapture the facial smoothness of my infancy.

I remember Jay Batson from my days as a director of ON Technology (acquired by Symantec), where Jay ran engineering sometime around 1996 when we went public. (ON, at the time, was the leading seller of Novell Netware based apps, which turned out to be unfortunate...) I hadn't kept in touch with Jay, but I'm grateful that he somehow stumbled upon my blog and introduced me to the art of wet shaving:
Anonymous Jay Batson said...

IMHO, the razor is a second-order factor. You'll see an order of magnitude difference if you focus on the prep instead.

Go buy yourself a silver-tip badger hair shaving brush. Buy the most expensive bristles you can find, in a handle that matches your taste. Then, be *sure* to buy a glycerin-based shaving soap. Pop for a nice nickel soap dish, too, David -- you can afford it. Go here: Emsplace isn't the most sophisticated ecommerce site on the net, but ignore the amateur look of the site; they have the goods, and they're great help if you need to call them.

Then, before you shave, run the hottest water you can get into the cup (warming the soap), and wet the brush with it, too. Lightly shake the water out of the brush (leaving just a touch in), dump out the water, and lather up the brush.

Then lather your face. Two things:
1) You'll fall in love with the way the brush feels. It's almost as good as sex. And you can do it before you go to work and not be late for work.
2) You won't get a 1/2" thick lather like you do with shaving foam/gel. Don't sweat it; just make sure you've rubbed the brush bristles into your facial bristles for 15-30 seconds.

Then shave. Pick your razor -- it almost doesn't matter. The shave will be the most comfortable, luxurious shave you've ever had, and your shave will be as close and smooth as anything you've tried - ever.

I'm not kidding.

He's not kidding. I tried out Jay's advice and it was all goodness. I bought a beautiful silver-tipped badger hair brush, a stand, a nickel bowl, and glycerin soap. I get a much closer shave now, and the rate of bloody injury has dropped from once a month to once a year. It feels great (not quite "as good as sex" -- maybe I'm still doing one of them wrong). And once you get the hang of whipping up a lather, it doesn't take any longer than shaving with canned foam.

It now seems laughable to pump foamy cream from a can. The manufacturers tout the thickness of their shaving cream, and thick foam is great if it comes from brushing up a lather, but most of the canned foam never even touches your skin.

Compared to canned foam, the cost of wet shaving is "a wash". There is a capital expenditure for the brush, but the glycerin soap consumables last longer than canned foam. Em's is indeed the place to stock up.
Selecting the Right Razor

Although Jay dismissed the importance of selecting the right razor, straight blades have a very big following, so I recently tried switching from my vibrating 5-blade Gillette Fusion to Merkur's highly acclaimed, platinum-coated, double-edged safety razor (image right). To properly assess the new equipment, I conducted a study comparing straight blades to the mass market disposables.

This iPhone shot (right) portrays the beard I shaved off as part of this investigation--one side with a fresh stainless steel Merkur blade and the other with Gillette's state of the art Fusion. I also collected data on other days with a cleaner face, switching the left and right sides. (Unfortunately I couldn't conduct a double blind study without risking serious blood loss.)

The costs are comparable. The Merkur razor handle is more expensive but the blades are cheaper. Neither razor nicked my skin more frequently or worse than the other. How close a shave did I get? The two razors performed equally well, but the Gillette "shaved off" a few seconds of work each time, perhaps because one needn't be so cautious with it around the corners. In addition, the Merkur blade takes at least an extra minute during the tri-weekly process of installing a new blade. So at the end of the day I'm back to the Fusion. Jay was right again.

Recommended Accessories
As Jay had pointed out, the warmer the water the better. I went so far as to equip my bathrooms with a $14 Proctor and Silex fast-acting water heater for hotter, faster and more energy efficient water.

LEGAL DISCLAIMER: Never apply boiling water to your skin. Submerge the brush, shake it out, swirl it along the soap surface, and test the temperature gently before rubbing it on your cheek. Better yet, forget the water heater and never put anything but ice water on your litigious face.

I also recommend a travel size shaving brush with cover. Soap bowls can get messy so I travel with a TSA-compliant 2 ounce cream pump (lots of choices here) that works only with brushes.

Other ideas that have been suggested to me over the years include:
  • Nick-relief styptic powder, available for $3 (hat tip to Rob Chandra). Sure beats the toilet paper method.
  • My Philips Norelco Ear/Nose Hair trimmer was a gift from Brad. He also gave me a Philips Norelco BodyGroomer. I'm not sure why. The instructions specifically warn against facial use, but when I had my beard I used the thingy as a trimmer with great results.
  • The lip wipe. Woody Allen taught me this move in one of his early films (Bananas, I think). Once your face is lathered up with soap, wet a finger and outline your lips with it to prevent accidental ingestion.
Once you get the hang of wet shaving, both you and your wife will enjoy the change. Just don't tell your rabbi.

Saturday 23 August 2008

My Internet Law

The time and money required to produce (design, develop, secure, test, launch, scale) a typical data-oriented form application on the web drops in half every 2 years.

This seems to have held true since the public emergence of the web in 1994. Do you agree? I don't have much hard data, but McCain proposes new internet laws with far less.
For example, I recall the large systems integration firms charging as much as $20 million to completely outsource development of a web application. (I forget the name but I recall a DFJ-backed pay-me-to-advertise-to-me startup that spent as much in 1996 with someone like Perot Systems and the app still never worked.) Is there any doubt that most apps today can be launched with as much scalability for $300,000? The implied factor of improved efficiency is 0.5 to the sixth power over a 12 year period.

Cheaper hardware (Moore's Law) accounts for only a small fraction of this effect. The real gains seem to come from decoupling and automating specific steps of the process. Major disruptions that come to mind: Microsoft FrontPage, SSL, Exodus hosting, Apache, Java, ActiveX, Javascript, Shockwave, Flash, load balancers, PHP, XML, Ruby on Rails, web service APIs, AJAX, Amazon S3, DIY communities (Ning).



Saturday 16 August 2008

So Proud of My Sister Jill

and her husband David...

Needham Times
CANCER FAILS TO 'CLICK OUT' LOCAL PMC TEAM
by Will Bradford

    Jillian Segal won't be riding in the Pan-Mass Challenge for the first time in four years.
    Segal, 44, beat ovarian cancer in 1982 as an 18-year-old. After keeping the disease at bay for more than 20 years, she was diagnosed again in 2003. When Segal received treatment at the Dana Farber Cancer Institute and the cancer went into remission, she decided she would take part in the Pan-Mass Challenge, the fundraising bike-a-thon that has raised more than $200 million for cancer research since 1980.
    "I've had cancer for a long time, and I've had people I know riding," she said about her initial decision to participate. "Everyone would ask if they could list me as someone they were riding for, so when I finished my chemo in 2004, I told my husband I was going to do it for myself."
    Segal's husband David, 45, also committed to ride and Team "Click Out. CLICK OUT!" was born. Consisting of, among others, the Segals, David's brother, sister and father, and one of Jillian's best friends, the team gets its name from what they yell to one another when braking, reminding each other to detach their shoes from the bike pedals.
    "The first time we rode, everyone was kind of teary every time we thought about it," said Jillian Segal. "I think out of the 5,000 riders there are 150 survivors who ride, so it's always kind of special because at the beginning of the race, they say if you're a survivor, raise your hand, and everyone gets choked up."



    As riders in this year's PMC made their way down Charles River Street in Needham Saturday, however, Jillian Segal was a spectator for the first time in four years. This past spring, her cancer came back, forcing her to withdraw from this year's event. So the team had no choice but to ride on without Jillian, although it was admittedly not the same.
    "I was worried about that," said David Segal. "All the other years she has been my pace car. I have the tendency to go out too quickly. But we didn't do that. I think we were all in tune, making sure we went out at a good pace. We had her in our thoughts the whole way."
    According to Jillian Segal, the team has raised around $100,000 for finding a cure for ovarian cancer in four years.
    "Breakthroughs are being made every day," she said. "As my doctor says, it's not weeks away, but it's not generations away either."
    The Segals currently see no end for their careers as PMC cyclists. Since the doctors found the newest cancer in an early stage, Jillian has already turned her focus on next year's PMC.
    "It's disappointing," she said of not being able to ride this year. "But I've got next year to look forward to. It's a good goal for me."


--
The Pan-Mass Challenge funnels 100% of the funds raised to cancer research. Contributions can be made here in support of team "Click Out. CLICK OUT!"

Taking Down Airborne

More bad news for Airborne in the form of federal penalties. And all this started because of the blog post I wrote.  (Seriously, Scientific American reported and validated my blog post, constituting authoritative scientific evidence that sparked and won the consumer class action lawsuit for deceptive advertising.)

Plus, yesterday I bowled a 231. Hoo-wah!

Tuesday 17 June 2008

Firefox 3 is Almost Here

But early adopters can experience the new Mozilla code base now by trying out Flock 2.0, released in Beta1 today to great reviews. Flock needs a new trophy shelf, having recently added a Webby and the #6 slot on PC World's top 100 Products for 2008. (Also would have won a WhoHas if not disqualified by my vested interest!)

And now Flock runs even faster, with major enhancements to the news reader and media bar. Alana at Mashable wrote, "If people start getting used to using Flock to keep up with their different social networking profiles and to share and discover media easier, I don’t see how they could ever go back to Internet Explorer or regular Firefox."

Sunday 15 June 2008

How Culture Evolves

I had the perfect holiday today, nestled in New England with lots of family, including my father. My 9-year-old kicked our butts at Risk, heeding his uncle's advice to always occupy Australia from the start.

But an unfortunate slip of the tongue may have forever changed our annual celebration. As my 5-year-old brought me breakfast in bed, he blurted out with excitement, "Happy Farter's Day!!"

The third Sunday in June will never be the same.


Tuesday 10 June 2008

More WhoHas Awards!

The WhoHas Award for Best Consumer Electronics

The Panasonic PtAE2000U Projector blasts out 1500 lumens of 1080P magic, with a contrast ratio of 15,000:1. Not only is it 40%+ brighter than any other 1080P projector on the market, but with most new HDMI projectors priced at or above $10,000, the Panasonic's $2,500 price tag is frankly suspicious. (Did these beauties "fall off a truck" on the way from the SONY plant?) Since I replaced my old Runco with this projector, my neighbors have been camping out in my basement.


The WhoHas Award for Best Security Product


I've experimented with just about every home automation gizmo available. Most of the time they languish unused due to complexity, bugs, or low utility. For example, I'm not sure I'll ever really get around to controlling my irrigation system through my browser. (Who has time for this?)

But my latest pet project has worked out just great. I've replaced the key locks on my doors with numeric keypads. Access is now faster, and no longer dependent upon carrying a key around. Keypad codes, unlike physical key locks, can be changed immediately. You can provision multiple key codes, and each with access at different times of day. A log is kept of which keys are used when.

I've got my keypads working off a server that connects to digital locks on the doors, which has the added feature of locking and unlocking doors around the house on demand or on schedule. But the core value can be had without the central server--just retrofit your old fashioned door with a locally controlled mechanism. They range in price from $100-400, depending upon quality and programmability.


The WhoHas Award for Best Pen

Why pay $500 for a shiny Montblanc when the same price will buy you a LiveScribe Pulse? The Pulse's internal memory stores every word you've written, and it even stores an audio recording of the conversation that took place in the room right at the time you wrote those words. It's so simple--you just take notes as usual in their spiral paper notebooks. Later on you click on a word and the pen's internal speaker starts playing the conversation!

The Pulse has an LED display, speaker, headset port, camera, and connector for transferring all its visual and audio contents to a PC or shared web space. It comes with some other very cool but not really practical apps, like the ability to play music (with accompanying repercussion!) on a hand-drawn piano keyboard, and real time language translation of what you're writing (both written and aural).


The WhoHas Award for Best Culinary Product

For our anniversary last year, Nathalie surprised me with a Citrus Press grapefruit juice squeezer from Williams Sonoma. It quickly captures every drop, enabling my juice addiction. This beautiful steel machine evokes the power of a '73 Buick--you'll want to park it on open counter right there between the Sub-Zero and the Thermador.


The WhoHas Award for Best Car

I own three cars: an electric GEM and two Odyssey minivans. Odyssey is the perfect family vehicle. It drives like a car, the third row seats and second row center seat can disappear into the floor, and it has all the bells and whistles you need with kids--like a rear-view cam and dual power sliding doors. It's affordable, fuel efficient, Honda-reliable, and damned sporty-lookin.


The WhoHas Award for Best Fashion Product

Even if you don't have frail Ashkenazi skin like mine, you need to ward off the skin cancer. So when you swim outdoors, consider wearing a sun shirt to partially obviate the sunscreen regimen. (Who has time for this?)

Coolibar has a great line. My favorite is the one on the right that zips off easily when wet and, more importantly, qualifies for Star Fleet as a Star Trek TNG uniform.


The WhoHas Award for Best Pharmaceutical

Sonata (or the generic zaleplon) sleeping pills are shorter acting than Ambien or Lunesta, so you don't wake up tired.

Legal disclaimer: Ignore my advice--I know nothing. I'm a blogger, not a doctor. Medicine has risks. For example, the manufacturer of Sonata advises:

"...discontinuation of Sonata should be strongly considered for patients who report a 'sleep-driving' episode."

Now that's good advice!










Sunday 1 June 2008

Diving in Hawaii

With our streets blocked by the triathlon yesterday, there was only one way off the island...




Son snorkeling





Nathalie's the best swimmer in the family.




I'm feeling at one with the Spaghetti Monster.



Thank you Robert for taking us on this dive!