Why Aren’t there More Paul Grahams?

Paul Graham has an interesting essay “Why There Aren’t More Googles.” In it, he talks about how VC are shying away from doing lots of little deals, and how the bold ideas are the ones that are hardest to fund:

And yet it’s the bold ideas that generate the biggest returns. Any really good new idea will seem bad to most people; otherwise someone would already be doing it. And yet most VCs are driven by consensus, not just within their firms, but within the VC community. The biggest factor determining how a VC will feel about your startup is how other VCs feel about it. I doubt they realize it, but this algorithm guarantees they’ll miss all the very best ideas. The more people who have to like a new idea, the more outliers you lose.

Paul is absolutely right. The more people who have to like a new idea, the more outliers you miss. However, any really good new idea is likely a combination of one really good insight, and several bad ones. It’s hard to dis-entangle them until you engage with the market. There’s a real question of how expensive that will be. There’s also the question of will a really bold new inventor listen enough to make the idea successful?

When I was at Zero-Knowledge, we spent a lot of time exploring ideas which have now come to fruition. Zero-Knowledge, under the name RadialPoint, is thriving. Selling security and privacy to consumers makes sense as part of an ISP package. Making it work, and figuring out what people were ready for, took a while. Some of the bits that they weren’t ready for, and perhaps weren’t ready for the market include the IP level privacy, a problem that the Tor Project is hard at work on. We also worked hard on ‘private credentials, which Credentica launched as U-Prove, and has since been acquired by Microsoft.

We had lots of new ideas at Zero-Knowledge, and a set of happy outcomes (as shareholders know).

But Zero-Knowledge, while bold, wasn’t even absolutely new. It was built on the ideas of the cypherpunks, and we even had a Chief Cypherpunk. Similarly, Google wasn’t the first of the search engines. It was innovative in how it worked, but it was several years after Yahoo!, AltaVista, and Ask. The bold ideas took a while to become profitable ideas.


So I think that it’s absolutely wonderful that we have a creative, chaotic froth of very little companies, and that Paul helps make that happen. I wish there were more. I love seeing what emerges from that chaotic experimentation. But that experimentation can be tremendously expensive, with people chasing many variations of the ideas.

Paul is chasing a variation on how funding happens. He believes passionately in that vision, and is putting his money where his mouth is. Will it work? Who knows? I’m glad there’s chaotic experimentation, and if Paul succeeds, I’m sure he’ll have many imitators.

SmartHippo Launches

Have you ever wondered how banks make so much money in the mortgage business? If you stop to think about it, mortgages are the ultimate commodity product these days. The bank collects information from you, gives you a loan, outsources the customer service to a loan servicing company, and securitizes your loan.

So how do banks make money? It’s ‘easy.’ They sell you a loan at a higher rate than they’d be willing to settle for. A mortgage is a big, unpleasant, complex process that includes some stranger pawing through your financial life. Making a bad choice is worrisome. Most people apparently get very few quotes, and are told that their rate depends on their credit score.

There’s a strong imbalance in the information that each side has, and my friends at SmartHippo have just launched a site to help correct that imbalance.

If you’re getting a mortgage, or just want to compare, check these folks out. I really like what they’re doing and where they’re going.

What would it be like if buying lemonade was as complicated as shopping for mortgage rates? See what happens when little Jenna opens a lemonade stand and tries to maximize profit at the expense of her customers.

“Whatever happened to Zero-Knowledge Systems?”

zeroknowledgeprivacyad.JPGZero-Knowledge Systems was one of the hottest startups of the internet bubble. Unlike internet companies selling pet food or delivering snacks to stoners, Zero-Knowledge was focused on bringing privacy to all internet users. We had some fantastic technology which was years ahead of its time. And people often ask me “whatever happened to them?”

The company has re-focused its business model, changed its name to Radialpoint, become profitable, and become the fastest growing company in Quebec (based on 5 year revenue growth). As Austin Hill writes in “Radialpoint gets some Prophetic Love:”

I want to congratulate my brother Hamnett, father Hammie and the entire team at Radialpoint who were just honored by Profit Magazine as the fastest growing company in Quebec (measured in 5 year revenue growth) and the 32 fastest in Canada.

I’ll join Austin in sending the entire Radialpoint team congratulations.

It’s a great team, and they’ve done a fantastic job transitioning from promise to a reality for their partners and customers.

Carole King said it best

“It’s too late, baby”
Yeah, I’m dating myself, but Tapestry was huge, and she and Goffin had some serious songwriting chops.
Anyway, the “it” about which it’s too late is, yes, a relationship. An important relationship. A relationship which, while admittedly not exclusive, is “open” in a hopefully honest, fulfilling, respectful way. That relationship is the one you have with your personal information.
Well, bad news. That info is all over town, for anybody who can pay the bills, and you don’t know the half of it. That, at least, is the opinion of David Cowan, a VC at Bessemer Venture Partners, blogging about Lifelock:

It would be quite a stretch for you to imagine that somehow your data remain safely stored among all the vendors, doctors, banks, web sites, and government agenices[sic] whom you’ve engaged in your lifetime. More likely, your personal credentials are all for sale in black market exchanges like this one.
In other words, the horses are out of the barn. There’s little point trying to re-tool or regulate the world’s IT infrastructure to contain consumer data. Even if your concern is future generations whose identities are still safe from thieves, there are so many ways for data to leak that it’s futile to expect brittle secrets like our social security numbers to be both useful and sustainably confidential.

Here, Cowan echoes the response I got over a beer when I asked a knowledgeable observer of the financial industry how he’d estimate the number of compromised identities (I figured he’d know about fraud detection and so on). I knew I was in for some fun when his response began with “You’re not going to like the answer…”. It seems that in his opinion all our PII belongs to them. It’s merely a question of monetizing it. (Listen closely — that sound you hear is Lindstrom saying “Yessss!!!”)
I am not qualified to assess whether Lifelock or Debix, or any other player in this space is a sensible investment. I will say that, as I understand it, their value proposition could be obliterated with a stroke of the pen, which leads me to a conclusion, and to a question.
That smart people are willing to attach their names and wallets to these enterprises shows me that US consumers won’t have true control over access to their personal information for the foreseeable future because legislation providing it is seemingly not forthcoming.
To those who argue that the data are already all out there, my question is “Is that a falsifiable hypothesis?”

How to Treat Customers

My friend Austin Hill has a new blog, Billions With Zero Knowledge. He’s got a really good post up “Crowdsourcing or Community Production – An Interview with Hugh McGuire from Librivox.”

What’s most interesting to me is how new companies are trying to tap into customer enthusiasm to build not only value for their customers, but a community. The companies that really succeed at building a community will find it a double edged sword–their communities will be their biggest asset, and the hardest thing to change. At the same time, it’s done great things for companies like Flickr, and it’s a welcome change to be treated as a person, rather than as a monetizable eyeball.

Congratulations to Counterpane and Bruce Schneier

Even though Chris got the news before me, I wanted to add my congratulations. I was involved in Counterpane very early, and made the choice to go to Zero-Knowledge Systems. I stayed involved on the technical advisory board, and was consistently impressed by the quality of the many Counterpane employees and executives who I met. I had to leave the TAB when I joined Microsoft, but, regardless, I’m really happy for everyone involved.

Long Term Impact of Youthful Decisions

risk-evolution.jpgThere’s a fascinating article in the New York Times last week, “Expunged Criminal Records Live to Tell Tales” about how companies like Choicepoint which collect and sell public records don’t pick up orders to expunge those records.

I didn’t have much to add, and figured the Times doesn’t need me to pimp their articles (they get a few more readers each day than we do), so I let it alone.

Then I saw Gunnar Peterson discuss “Brian Chess on Evolving Risk Models:”

When a company starts its life it wants to take on as much risk as it possibly can, do something hard and prove it in the marketplace. If it is not too risky then a big company may take you out or there may be no market. Over time a successful company’s market risk should go down as it gains market share.

Where this becomes interesting from a security standpoint is that early in the company’s lifecycle, the business has high market risk, but little security risk, there is not much in the way of assets to target. But over time as the business gains market share its security risks grow. This puts security in a very interesting position where there have to make up for a lot of lost time even if the decisions to delay security made sense at the time, the risk profile have readjusted to the point where more mature businesses who are established in the market and have relatively little residual market risk, at the same time the business takes on more and more security risk. In general this means the code, the config, data and identity architectures all must play catch up to deal with the risk profile over time.

These design and implementation choices also live to tell tales. I expect over the next few years, a rise of highly effective testing tools will act as a force multiplier for elite researchers, making it less and less possible to expunge evidence or records of security choices made. We’re going to have to start asking questions about security activity during the procurement process. Think of it as background checks for your software.

Debix Launches

debix-logo.jpgI’m also really excited to share the news that my friends at Debix have launched their service, and it’s now available to the public. It is, in my opinion, the best identity theft preventative measure available today, and you should seriously consider signing up.

The way it works is that they put a lock on your credit file, so that creditors opening new accounts need to contact you, through Debix, in order to open a new account. This is better than a standard fraud alert because Debix maintains records. So if someone opens an account and you weren’t contacted, it’s not a matter of he said/she said. There’s a neutral party who can vouch for what didn’t happen. This is better than credit monitoring because you prevent problems, rather than try to clean them up.

As Bo Holland, the CEO, says, there’s nothing like putting the person who knows–you–at the center of your credit transactions.

Disclosure: I have a financial relationship with Debix.

10-second MBA, por favor?

I have read repeatedly, most recently at Bejtlich’s blog, that with the IBM-ISS and now Secureworks/LURHQ deals, Counterpane “must” be looking to get bought out. Why? As with management consultancies, could there not be room for a boutique that does one thing really well? Help me out, here.

Fu-Sec, Dunbar Numbers, and Success Catastrophes

gummi-zombies.jpg
In “I Smell a Movement,” Chris talks about the City-sec movement, of security people getting together for beer, and about groups like ISSA.

So the question I’d like to ask is why do these groups keep emerging so chaotically? Why can’t the extant groups, usually formed for the same reasons, succeed?

I think there are two main reasons, the first involving group dynamics, and the second involving group dynamics success catastrophes.

As a group grows, there are lots of dynamics. One of those is that functional groups can get more done than individuals. There are also communication and alignment costs, which is why adding more programmers to a late project makes it later. Christopher Allen has written extensively about this in his posts on Dunbar numbers, such as “The Dunbar Number as a Limit to Group Sizes.”

As a professional networking group hits some critical mass of interested early adopters, those early adopters put in work and get lots of value. Since a goal of the group is networking, they excitedly invite more people, telling them how great it is. The group grows. Newcomers may not invest the same level of energy (after all, things are working great, let’s drink more!) As that happens, the selection functions that controlled early membership: Did you find out about it because you read the right blogs? Did you make time to attend?


As the group grows, the activities and energy that made it work may no longer suit what the group has become. This is why lots of startup founders leave: They’re great in the early stages, but as they build the company, the very skills that made the early days work become dysfunctional. Startups often do this, at great cost, because there’s a board of directors who are focused on a financial outcome. Professional societies, who take their boards from the enthusiastic membership, may not have that same focus. These groups want more of what made them valuable early on.

Thus, the habits and skills that make a group successful can end up holding it back. It’s the catastrophe that follows success, and its why we have a growing list of professional organizations that don’t do quite what some people want. When the groups don’t serve the purpose, some enthusiastic people will set out to fill that gap, either in a market or in a social setting.

So what can you do about it? Me, I plan to drink lots of beer at the next SeaSec.

Photo: Zombarmy06 by Father.Jack.

Palestinian TV and Regulatory Capture

There’s an article about the chaos of Palestinian TV on Wired News, “Live From the West Bank,” which starts:

Helga Tawil Souri reclines on the couch at a friend’s house in the Palestinian West Bank, getting sucked into an Egyptian movie about a woman in an insane asylum. Right before the climactic face-off, though, the screen goes black, and a different movie pops on. A visitor to the area, Souri is startled and a bit peeved. Her host, a dentist named Abu Mohammed, grins knowingly. He picks up his cell phone and dials the manager of the local television station. After gossiping and speculating about the weather for a few minutes, Mohammed gets to the point: “Look, if it’s not too much trouble, can you put the movie back on?” Five minutes later, televisions across the area flicker, the image on the screen shifts, and the original film’s conclusion airs.

The article discusses how a lack of regulation creates a confused, amateurish, open space for people to experiment with TV, and then concludes:

Fellow journalist Walid Batrawi shares Kuttab’s goals and has helped draft reforms for the Palestinian Authority calling for minimum levels of investment, education, and staffing for each station. The restrictions were supposed to go into effect in 2000 and would have put many small operations out of business.

Indeed, putting small, nimble, responsive organizations out of business is often either an explicit goal or unavoidable side effect of regulation. I’ve been watching the acquisitions of both Sourcefire and NCipher fall victim to regulatory inquiries which move too slowly for the acquirer to wait around. As a startup guy, this worries the heck out of me. You can never have too many opportunities for exit (right, Siteadvisor?). Sarbanes-Oxley has already cut back on the ability of startups to go public, raising that bar. National and international regulators are now exercising another bar. Every opportunity for exit is a chance to value the business, reassess the market, and weigh anticipated growth versus a chance to make value gains liquid. But I digress.

I’m not a big believer in using violence, or the threat of violence, to control a market. I think people should be allowed free speech, even in the case of the Palestinian Authority, which has long funneled US and EU aid into the creation and broadcast of anti-Semetic propaganda on official TV stations. Let a thousand flowers bloom, even if some of them are ugly.

Just don’t use regulation to prevent them from growing.

The Pursuit of Wow and the Virtue of Shipping

wow.jpgI’ve just finished reading “The Pursuit of Wow!” by Tom Peters. The essential message is that if you’re not enthused by what you’re doing, change things until you’re enthused. It’s a great reminder of the importance of passion for delivering great products and services.

Unfortunately, as a startup veteran, there’s a conflict that I run up against often. We need to get a product out the door to get customers to either bring us to profitability, or the next phase of the plan. That getting product out the door — what Microsoft folks mean when they say “shipping is a feature” — people can’t use what you’ve built until you give it to them. Building great stuff requires not only great dedication, but often fast iterative cycles so you can see the responses to what you’re doing.

Often times, those iterative versions aren’t what you want them to be. Sometimes, they fall short of the vision you’ve set out. Learning to balance the virtue of shipping and the pursuit of wow has been one of the hardest lessons in building startups.

Software That Works

dictate.jpgEthan Zuckerman did a great job of blogging from TED. The most interesting post for me was his summary of David Pogue’s talk:

But he’s a big fan of the iPod and the “cult of simplicity”. Despite violating every rule of product design – going up against Microsoft, having fewer features, having a proprietary, closed format – it succeeded because people love simplicity. Simplicity sells – just look at Google.

He shows us Dragon, which he uses to answer email, using voice macros. Responding to hate mail, he says “piss off” and gets a polite paragraph responding to an angry mail. He points out that the most recent version of the software had NO new features – it just worked better, and he thanks Dragon for making it work, not adding more cruft.

That’s courage in a product manager. No new features. Wow.

(Billy photo from Discoveret.)

Patents and Comments

airplane.jpgThe comments on “Patents and Innovation” and “New Products, Emerging from Chaos” have been really good. I want to draw your attention to them, because I’m impressed at how much has been added.

I’m really enjoying the feedback, and the ability to continue a thread that’s emerged from a comment. I’m also curious what I can do to encourage more comments and interaction?

[Update: Speaking of patents, Rob Sama sent me a link to a Wall St Journal editorial that was published this morning, entitled “Patently Absurd:”

The bitter legal fight over BlackBerry patents may soon inconvenience millions of users of that handheld email device. But that’s nothing compared to the damage that a broken U.S. patent system is doing to the larger American economy.]

(Wright Bros patent #831, 393 from First to Fly.)