I've had this sitting around in my Google Docs for some time, and it seemed a good idea to share these Linux security tips to help others secure their boxes. So here it is, peeps.
Linux security – paranoid check-list
For direct access to your box, use only SSH. SSH gives you authentication of both ends (the host proves its identity to you with its host key, and you prove yours to it) and strong end-to-end encryption of everything that passes over the connection.
Make key pairs the only way into your box and do not allow password logins. Most passwords are too short, and they are reused and stored (even if only in hashed form) in many databases: your bank, your favourite retailer and so on. My SSH setup guide further down walks you through this; the relevant setting in sshd_config is:
PasswordAuthentication no
Two traps to check after editing: sshd keeps the first value it sees for a keyword, so a line appended at the bottom loses to an earlier PasswordAuthentication yes (including one pulled in by an Include directive, which recent Ubuntu releases place at the top of the file), and keyboard-interactive authentication (KbdInteractiveAuthentication, formerly ChallengeResponseAuthentication) can still let PAM ask for a password, so set that to no as well.
Run sshd on a high port. Most automated scanners and bots only probe the well-known ports or the low range (ports below 1024 are privileged: only the superuser can bind to them, so that is where the interesting services live), so listening on something like 43256 (there are 2^16, roughly 65k, ports) keeps you out of most of the background noise and thins your logs. It is not a security control in itself: a full-range scan or a banner grab finds the new port in seconds, so combine it with key-only login and the firewall rules below. Remember to open the new port in the firewall before you move sshd, and to pass it with -p when you connect.
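As an added example (not from the original post), the following shell script shows why simply appending PasswordAuthentication no can fail: sshd uses the first value it finds for each keyword, and everything after a Match line belongs to that Match block. sshd_effective resolves a keyword the way sshd does, and audit_sshd checks the items in this checklist against a constructed sample config written to a temporary file. The sample config, the temp file path and the exact set of checks are assumptions for the demo; Include directives are not followed, so check included files separately.

```shell
#!/bin/sh
# Constructed sample sshd_config for this demo (not a real server's file).
# Two traps are built in: the hardening line appended at the bottom loses to
# the earlier "yes" (sshd keeps the FIRST value of each keyword), and every
# line after "Match" belongs to that Match block, not to the global scope.
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
#PubkeyAuthentication yes
PermitRootLogin prohibit-password
Match User backup
    PasswordAuthentication no
PasswordAuthentication no
EOF

# sshd_effective <file> <keyword>
# Print the value sshd will use for <keyword>: keywords are case-insensitive,
# comments and blank lines are ignored, the first occurrence wins, and lines
# inside a Match block are skipped.  Prints nothing if the keyword is never
# set, in which case sshd's compiled-in default applies.  Assumes the
# "Keyword value" form and does not follow Include directives.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        { k = tolower($1) }
        k == "match"     { in_match = 1; next }
        in_match         { next }
        k == key         { print $2; exit }
    ' "$1"
}

# audit_sshd <file>
# Check the file against this checklist.  Prints one line per finding and
# returns 0 only when everything passes.
audit_sshd() {
    rc=0
    pw=$(sshd_effective "$1" PasswordAuthentication)
    [ "${pw:-yes}" = no ] || { echo "FAIL PasswordAuthentication is '${pw:-unset (default yes)}'"; rc=1; }
    # keyboard-interactive lets PAM prompt for a password even when the above
    # is "no"; before OpenSSH 8.7 the keyword was ChallengeResponseAuthentication
    kbd=$(sshd_effective "$1" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_effective "$1" ChallengeResponseAuthentication)
    [ "${kbd:-yes}" = no ] || { echo "FAIL KbdInteractiveAuthentication is '${kbd:-unset (default yes)}'"; rc=1; }
    pk=$(sshd_effective "$1" PubkeyAuthentication)
    [ "${pk:-yes}" = yes ] || { echo "FAIL PubkeyAuthentication is '$pk'"; rc=1; }
    root=$(sshd_effective "$1" PermitRootLogin)
    [ "$root" = no ] || { echo "FAIL PermitRootLogin is '${root:-unset}' (administer via a sudo user)"; rc=1; }
    port=$(sshd_effective "$1" Port)
    [ "${port:-22}" -gt 1024 ] 2>/dev/null || echo "WARN Port ${port:-22} is in the range most scanners sweep"
    return "$rc"
}

# Running the file directly audits the sample, which is expected to fail.
audit_sshd "$SAMPLE_CFG" || echo "sample config does not pass the checklist"
```

Point audit_sshd at /etc/ssh/sshd_config (and at each file named by an Include line) after every edit; a clean run plus a successful key login from a second terminal is the moment it is safe to close your existing session.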
In the firewall rules, limit SSH access to your (and your customers') IP blocks, i.e. instead of 0.0.0.0/0 (the whole internet) allow only, say, 12.167.110.0/24 (a specific block). Before applying such a rule, confirm that the address you are connecting from right now falls inside one of the allowed blocks, otherwise you will lock yourself out.
Control which users are allowed into your server (sshd's AllowUsers directive, plus PermitRootLogin no).
All administrative work is done as a named user (accountability) who uses sudo after authenticating over SSH, never as root directly.
Use a host-based (software) firewall as a second layer in case the one in front of the box is misconfigured or disappears. On Ubuntu, ufw is about the easiest front end to iptables there is, and Gufw is its graphical interface:
sudo apt-get install gufw
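As an added example, not from the post, here is a small POSIX shell helper for the two firewall items above: in_cidr tests whether an IPv4 address lies inside a CIDR block, and ssh_allow_rules prints the iptables commands for an allowlist on the SSH port but refuses to produce them unless the address you are connecting from is covered, which is the lockout check worth doing before applying any such rule. The addresses, the port 43256 and the rule layout are assumptions for the demo; nothing is applied to a live firewall, the commands are only printed for review.

```shell
#!/bin/sh
# ip2int <dotted-quad>
# Print the 32-bit integer value of an IPv4 address; return 1 on bad input.
# Runs in a subshell so the IFS change does not leak into the caller.
ip2int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr <ip> <cidr>
# Return 0 if <ip> is inside <cidr> (a bare address is treated as /32),
# 1 if it is outside, 2 if either argument is malformed.
in_cidr() (
    ip=$(ip2int "$1") || return 2
    case $2 in */*) bits=${2#*/};; *) bits=32;; esac
    net=$(ip2int "${2%/*}") || return 2
    case $bits in ''|*[!0-9]*) return 2;; esac
    [ "$bits" -le 32 ] || return 2
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
)

# ssh_allow_rules <port> <admin-ip> <cidr>...
# Print iptables commands that accept new SSH connections only from the given
# blocks and drop the rest, but refuse (return 1) if <admin-ip>, the address
# you are connected from right now, is not inside any block: applying such a
# rule set would lock you out.  Output is for review; run it as root yourself.
ssh_allow_rules() {
    port=$1; admin=$2; shift 2
    covered=1
    for c; do
        in_cidr "$admin" "$c" && covered=0
    done
    if [ "$covered" -ne 0 ]; then
        echo "refusing: $admin is not inside any allowed block" >&2
        return 1
    fi
    for c; do
        echo "iptables -A INPUT -p tcp --dport $port -s $c -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Demo: the admin address is inside the allowed block, so rules are printed.
ssh_allow_rules 43256 12.167.110.9 12.167.110.0/24
```

The same allowlist in ufw terms is `ufw allow from 12.167.110.0/24 to any port 43256 proto tcp` with ufw's default incoming policy left at deny; run the in_cidr check against your current address (the one shown by `who am i` or the SSH_CLIENT variable in your session) before either variant goes live.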
Run logcheck, a periodic (cron-driven) scan of the system logs that emails you any unusual event. logcheck ships with a very large rule set of what can be safely ignored, so it only emails when something genuinely new and different shows up in the logs.
sudo apt-get install logcheck
sudo nano /etc/logcheck/logcheck.conf
# Add your email to SENDMAILTO
sudo -u logcheck logcheck # run a test
OpenSSH is the most widely used SSH server on Linux. With it you connect to a remote host and get a shell on it securely, because all traffic is encrypted.
A neat feature of OpenSSH is authenticating a user with a public/private key pair. With keys set up you are not prompted for the remote user's password; of course you must hold the private key for this to work. By using key-based authentication and disabling password authentication, we reduce the risk of someone guessing or brute-forcing their way onto our machines.
So if you are not using SSH with a public/private key pair, here is how to get this rolling. If you are on AWS (Amazon Web Services) you have already been made to use this method, which is great. The instructions below teach you a bit about it and show how to set it up on your dev VM or on a server that does not have this level of security turned on yet.
Useful commands to note
Accessing server using key
ssh -i ./Security/PRIVATEKEY USERNAME@SERVER -p PORT
Make sure the server (and the firewall in front of it, if there is one) is set up to listen on port 22345, or a similar high port of your liking, instead of the standard 22. Port 22 is not insecure as such; the high port just keeps you out of the scan noise. Whatever you choose is the value for -p above.
By default ssh-keygen saves the public key in ~/.ssh/id_rsa.pub and the private key in ~/.ssh/id_rsa; the steps below use a custom name, myname_rsa, chosen with ssh-keygen's -f option.
3. Copy the generated myname_rsa.pub file to the remote host. Using SFTP, take it from
/Users/name/.ssh/myname_rsa.pub
and drop it into the remote host path
/root/.ssh/myname_rsa.pub
Note: if that folder doesn't exist, create it, and make it owner-only (mode 700), since sshd refuses to use keys from a .ssh directory that other users can write to:
sudo mkdir /root/.ssh/
The example installs the key for root; the better choice, in line with the checklist above, is to install it for your own user and keep PermitRootLogin no.
4. SSH into the remote host and append the contents of the uploaded public key file to ~/.ssh/authorized_keys (one key per line; create the file if it doesn't exist yet). Do not retype the key by hand: a wrapped or truncated line silently fails to match.
4.1. Check the permissions on the authorized_keys file and on the ~/.ssh directory. Only the owning user should be able to read and write them (600 for the file, 700 for the directory); sshd's StrictModes, which is on by default, refuses keys from a file or directory that others can write to. If the permissions are not correct, change them with:
chmod 600 ~/.ssh/authorized_keys
5. Enable public/private key pair access.
sudo nano /etc/ssh/sshd_config
Make sure you have the following (it is the default, but confirm nothing earlier in the file, or in an included file, turns it off):
PubkeyAuthentication yes
Older guides also add RSAAuthentication yes, but that option only applied to the obsolete SSH protocol 1 and was removed in OpenSSH 7.4, so leave it out. Save when exiting.
6. Check the syntax (sshd -t, run as root, prints nothing when the file is valid) and reload the new configuration; on systemd distributions the equivalent of the commands below is systemctl reload ssh:
/etc/init.d/ssh reload (or)
service ssh reload
7. Protect your private key file. Locally on your machine, assuming you moved the private key to the folder ./Security/, make it readable by you alone (the ssh client refuses to use a key file that others can read):
chmod 0600 ./Security/myname_rsa
8. Test your new setup. Log in to your remote host from your machine with the ssh -i command above, in a new terminal while your existing session stays open, so a mistake cannot lock you out.
You should get in immediately without being asked for a password. Then test the old password method, which should now be refused:
ssh root@1.1.1.1 -p 22345
Should yield: Permission denied (publickey).
The server no longer accepts passwords, so password brute-force attacks are off the table. What protects you now is the private key, so keep it only where it is needed (step 7) and give it a passphrase.
Finally, update your development tools so they can still reach the secured server.
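Steps 3 to 8 above, condensed into a POSIX shell script as an added example (these are not the post's own commands) that you can run locally against a scratch directory: install_authorized_key creates .ssh with the permissions sshd's StrictModes demands and appends a public key only if it is not already there (pasting the same key twice is the usual way to end up with duplicate entries), check_key_perms reports the group- or world-writable paths that make sshd silently ignore the file, and gen_key wraps the key generation step. The public key line is a constructed placeholder, not real key material, and the scratch directory stands in for the remote user's home; the script never touches /etc/ssh or a live account.

```shell
#!/bin/sh
# Constructed placeholder public key (not real key material) in the
# "<type> <base64 blob> [comment]" form sshd expects in authorized_keys.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForThisDemoOnly0000000 myname@laptop'

# gen_key <path-without-extension>
# Generate a key pair under a custom name, like the post's myname_rsa.
# ed25519 is the modern default (use -t rsa -b 4096 if a target insists on
# RSA); -a 100 slows down brute-forcing of the passphrase.  Not run by the
# demo because it prompts for a passphrase.
gen_key() {
    ssh-keygen -t ed25519 -a 100 -f "$1" -C "${USER:-me}@$(uname -n)"
    chmod 600 "$1"            # step 7: private key readable by you alone
}

# install_authorized_key <home-dir> <pubkey-line>
# Create <home-dir>/.ssh (700) and authorized_keys (600) if needed and append
# the key unless its type+blob is already present, so re-running is harmless.
# Runs in a subshell so the umask change does not leak to the caller.
install_authorized_key() (
    umask 077                                   # new files start owner-only
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    touch "$1/.ssh/authorized_keys" && chmod 600 "$1/.ssh/authorized_keys"
    blob=$(printf '%s\n' "$2" | awk '{ print $1 " " $2 }')
    if ! awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' \
            "$1/.ssh/authorized_keys"; then
        printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
    fi
)

# authorized_key_count <home-dir>
# Print the number of key lines (non-comment lines with at least type+blob).
authorized_key_count() {
    f=$1/.ssh/authorized_keys
    [ -f "$f" ] || { echo 0; return; }
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$f"
}

# check_key_perms <home-dir>
# Print every path that sshd's StrictModes (on by default) would reject:
# the home directory, .ssh or authorized_keys being group- or world-writable.
# Returns 0 when all are acceptable.
check_key_perms() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            echo "insecure permissions, sshd will ignore the key: $p"
            bad=1
        fi
    done
    return "$bad"
}

# Demo against a scratch directory standing in for the remote user's home.
DEMO_HOME="${TMPDIR:-/tmp}/sshkey-demo.$$"
mkdir -p "$DEMO_HOME" && chmod 700 "$DEMO_HOME"
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"   # second call adds nothing
echo "keys installed: $(authorized_key_count "$DEMO_HOME")"
check_key_perms "$DEMO_HOME" && echo "permissions OK"
```

On a real server, point install_authorized_key at the actual home directory of the login user (not /root, per the checklist) and run check_key_perms whenever a key login unexpectedly falls back to "Permission denied (publickey)": a group-writable home directory is the classic cause, and sshd logs it only at debug level.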
Tools
Your choice of tools may vary, but the process is very similar. The following are the tools I use most and how to tweak them to allow SSH key entry to my secured server.
FileZilla – SFTP
To enable FileZilla to access the server under the new configuration do this:
FileZilla > Preferences…
Settings window opens. Select “Connection > SFTP” (left hand navigation).
In the right pane, click on “Add keyfile…”. Navigate to your private keyfile and click on it to add.
FileZilla may ask to "Convert keyfile" to a format it supports (PuTTY's .ppk). That is fine; click "Yes" and save the output next to your private key file. Bear in mind that the converted file is a second copy of your private key, so protect it the same way (owner-only permissions, never shared or committed).
Click OK in the Settings window to save the changes.
SublimeText2 – IDE
To enable SublimeText2 to access the server under the new configuration do this.
In your project's sftp-config.json (the Sublime SFTP package's per-project settings file) enable key file access like this:
As I sit here working on my new startup Medlert at RocketSpace on a lovely Sunday afternoon, I look out the window and see the new Department of Transportation SF project under way. They are building out San Francisco's Transbay Transit Center. The duration and amount of work going into this made me reflect back on my career in the startup space. Here are a few of the thoughts that ran around in my mind today.
“Solid products always start with Solid Foundations”
This isn't just a lesson from the work of high-tech companies. It is what I am seeing out the window (pics below): the drilling and piping going in to build a solid foundation for San Francisco's Transbay Transit Center. This has been going on for a few months. To the untrained eye not much progress has occurred: a big hole with pipes. This is the progress rarely acknowledged in the startup space, yet it forms the backbone of what comes next, the stuff that happens behind the scenes. Once the foundation is built, well, the rest follows like lightning.
Looking back at technology, I have seen founders take shortcuts and slap products together without much thought given to the technology foundation driving their core platform. Instead of thinking about software as a service, they couple the front end to the back end. This typically results in major chaos once they start to grow fast, and those shortcuts quickly become technical debt, band-aided for lack of time to go back and fix them for good. For some humour on this point, read my prior post on PHP and the excuses would-be leaders make.
“While it’s desirable to build a rock solid foundation you still must walk the fine line between solid foundation and over engineering before you get to MVP.” ~ Mark McCubbin
Take the time to understand your domain and the tools and technologies that will let you move fast and efficiently from A to B, and build out a kickass foundation before declaring victory.
“The Devil is in the Detail”
Jared would constantly remind me of this, over and over, as we built Couponstar from a two-man shop in Sydney, Australia into an international business with offices in London, Sydney and the Bay Area. The fruits of our labor were acknowledged later when Couponstar was acquired by Coupons.com in Mountain View, CA.
Day in, day out Jared was on my case with the reminder: "The devil is in the detail." Heck, I heard it so often it would make me angry. From an email I sent to a prospect, to design work, to a new product or feature I built: "The devil is in the detail, Ernest. Never forget that," he would say. It got coded, burned in and stamped onto my cortex. I live and breathe it now.
Back when we started working together in 2004 I had zero startup experience. Fresh out of the corporate world, with a few consulting gigs under my belt, I quickly realized my attention to detail sucked. Badly. As time went on I realized how important that feedback from Jared was. I think that without accepting that the devil is in the detail I would never have upped my ante and built a successful business.
Detail is everything today. We see it so often that there is a strong push for cofounders with Design skills and startups building out sexy User Experiences in their products. The detail is in everything from communication to how we present, express & sell ourselves. Products with high attention to detail give users a comfy, warm, fuzzy feel. Because they are designed & built with the customer & perfection in mind. (think Apple) Get sloppy and contact a client with a poorly written email, newsletter, product demo and immediately you will get placed into the loser bucket. There is no excuse for lack of detail apart from laziness.
The idiom “the devil is in the detail” derives from the earlier phrase, “God is in the detail;” expressing the idea that whatever one does should be done thoroughly; i.e. details are important.
“Ideas alone are worthless. It is mostly about the Execution”
If you have been working, living & breathing in the tech space in Silicon Valley/SF you would have heard this being mentioned many times over. Ideas alone are worthless. It is mostly about the Execution. It is also why people are not reluctant in the valley to share ideas because everyone knows good fast execution of a good idea with a killer team is the killer combo. This great idea you have, there are probably 50 other people in the world with the same idea. What separates you from them is who can execute the fastest.
@ernestsemerda Yup and that can be more important than the idea in some cases (not always though).
— Sean Percival (@Percival) January 9, 2013
Also remember that ideas change fast. Once you start executing on the idea, the subsequent pivots will evolve the seed idea until you get famous for something that resembles nothing like what you started with. This is exactly what Jessica Livingston (Y Combinator partner) concluded in her famous book Founders at Work, which surveys tech success stories in Silicon Valley.
It is a rat race in the tech space. Everything moves fast in Silicon Valley and you need to be moving super fast executing on your idea. Get your MVP (minimum viable product) out the door into the marketplace, then go and speak with your users to see whether it is what they want. Iterate. Speak to them again. Don't sit in front of your computer. Get out there and get feedback from your users. There are no answers sitting in front of a computer. Run experiments, design tests and get more data from your users. And make sure you sell, sell, sell.
Eric Ries from The Lean Startup and Steve Blank (Customer Development Process) share the same approach on how to build a startup by getting out and learning from your customers. Of course you alone cannot do all of this but having a kickass founding team where responsibilities are divided and everyone is generating results works wonders!
And when you think you have something which reflects a sustainable business, build a fortress of protection around it. This usually comes in 2 forms – patents and/or distribution. I highly encourage you to watch Paul Willard‘s talk at Atlassian on Growth Hacking and how startups die due to poor distribution. All of this requires Execution. Not sitting on your ass day dreaming. Get a move on. The world isn’t waiting for you.
“No excuses! Ever.”
As an entrepreneur there are no excuses for “I don’t have the skills.”. Bad fuckin luck. If you chose to be an entrepreneur and dragged others into working with you, believing in you and your idea, you need to stand up and fit into those shoes. As an entrepreneur you do everything in the early days. Everything. I was folding coupons and putting them into envelopes on the floor with Jared in the early days at Couponstar. Later we got machinery to do it but hey someone had to do the dirty work to get traction in the early days.
There is no such thing as "I am not good at it so I won't do it". Get better. Life is a lifelong journey of education. It never stops.
There is no such thing as I don’t know. Go and find out. Speak to people. Attend tech events like customer contact week and learn.
There is no such thing as "I will wait for good luck". We make our own luck by getting out and about. The harder I work, the luckier I get.
Look, you can make excuses or you can change the world. Well, maybe not the world, but definitely the industry you are focusing on to make a difference in. You decide.
~ Ernest
Thanks to Mark McCubbin for reading draft of this and providing input.
Outsourcing part of software engineering is not for everyone. Outsourcing requires a lot of micromanagement and software engineering background to make sure that what you ask for is what you get.
What follows is my own experience over the last 10 years in many outsourcing contracts, working with outsourcers, both independents and agencies, across India, China and Eastern Europe.
Are you sure it’s for you?
Never “palm off” the job in the form of outsourcing. Otherwise you will be heading down a spiral. Because the important piece of outsourcing is both micromanaging and understanding what the fuck is getting delivered. This way you can either pull the plug on crappy code or influence the right sort of implementation.
If you outsource too early or the core IP you lose the power to radically change the design of your product. Early design is constantly changing especially if you are building something which has never been done before. You want the flexibility to change fast. You need to be under control and know what is going on with all the moving pieces. Read more on this how bad outsourcing impacted Boeing’s Dreamliners (787’s).
This leads me to some key points on what skills you should have if you are going to outsource. Mind you I said “you” because it cannot be someone else you palm it off to.
1. Have a strong background in software engineering.
Loose coupling, less code, Don't Repeat Yourself (DRY), explicit is better than implicit, test-driven development (TDD), distributed version control systems (DVCS) and the like are all important. Did you understand any of those? If not, you are going to get a piece of crap code. Why is code important? Because it determines the type of engineering culture you build internally, future maintenance (this is where the hard costs nail you) and local hiring; quite frankly, great engineers do not like working in a pile of mess.
If you do not know how to code move on or go and learn to code. Anyone with the right attitude and time today can learn to code. See http://www.codecademy.com/, http://www.udacity.com/, https://developers.google.com/university/, etc… plenty of resources online for free. No excuses.
If the outsourcer delivers crap code, you tell them to fix it. If they continue to deliver crap code, you break the contract and give them constructive feedback.
Detail, detail, detail. "The devil is in the detail." My previous business partner stressed this to the point where it is now embedded in my psyche and in how I work.
If you are outsourcing, make sure that you, or the person working 1:1 with the outsourcer, are very detail oriented. This way errors are caught fast and stopped at the front line and, where appropriate, you move fast and fire the outsourcer.
2. People skills
If you have a background working with people (we all do right) and managing those people (oh here we go) then this part will also get smoother. You need to understand you are working with people who have their own lives, family, goals and ambitions etc… so don’t be an ass because you outsourced a piece of work to a “cheaper” labor country.
Look, you are going to have to micromanage them. Yes micromanagement ain’t ideal for your immediate employees but for contractors it is a must. They are paid to do a certain job and usually move on. You need to receive quality (refer to point 1 on engineering) and also make sure commitments are completed on time and within budget. Hence the micromanagement.
I also like to emphasize to build a good relationship so you can work with them again. Obviously pending the results of your encounter. Results is all that matter at the end of the day. But, never lose sight of maintaining that level of expected quality. If it drops, give them a chance to correct it by providing constructive feedback. If nothing changes again, then cut the tie immediately.
Remember:“Once shame on you, twice shame on me” (in 1st person)
Right so you have the necessary skills to get moving. Here is where the harder stuff begins.
The checklist!
1. Automate.
As much as you can. Outsourcing isn’t just relationship management. There are a number of balls in the air from managing the relationship to code review & feedback to product questions that need to be answered and/or fleshed out.
Use DVCS (ref my previous blog post) with email alerts enabled for code checkins, comments and issue tracking. Have everyone involved with the job on email alerts so you know when code is checked in or issues logged. I like using Bitbucket for all of this.
I also recommend you put them on HipChat for Private group chat and IM, business and team collaboration. This way you will maintain all communication in the one place.
2. The standards list.
Send the contractor your "standards list" of what you expect out of the engagement. Use Google Apps to write one up and share it if you do not have one now. Put a line in the sand, a bar in front, on:
Expected quality – DRY baby!,
Naming conventions,
Daily status updates – email or via HipChat,
Use of standard industry engineering practices like TDD, else you will get code without unit tests!
How everyone can reach each other for questions on product spec or similar ie. Skype, emails, cell #, HipChat etc. Include timezones everyone is working on.
3. Requirements.
Fuck sake man. More detail. Stipulate any API calls, use cases, designs, standards as mentioned above etc.. If you have an engineering background you will appreciate and say “fuck yeah” to what I just said.
No one likes to document things but this small initial investment will weigh in its worth when the final product is delivered to spec. Do not leave anything for misinterpretation.
Have a Balsamiq design illustrating all the screens you expect and how they should look.
Where applicable provide designs for every screen. Do not let the contractor try to work out for themselves what you want. Never ends well and you get billed for that time.
Technical detail around API calls (request and response) with examples, use cases, a high-level flow diagram etc.
4. Understand it before you open your mouth.
If you are developing for a channel you have no experience in, e.g. Android, then spend time learning it to at least a "high level" understanding so you can speak the lingo and know when you are being lied to in the face. If you level up on the lingo, you will get more respect and the contractor will not be able to pull a "shifty" on you.
5. Hiring.
Never straight forward and always requires a ton of work. But this pays off when you have the right contractor on board working with you.
Spend time writing up a detailed job spec, list it on oDesk/eLance and wait for the flood of offers. Immediately decline those that have not met all of the 5-star criteria.
Setup a spreadsheet of all those that applied to keep track of who you short list, their contact details, your last communication with them etc… From the 100 narrow it down to top 20.
Interview the top 20 via Skype video (yes you need to see them) and listen for something that will differentiate one from the rest. For me it was getting asked questions I did not have an immediate answer to. Smart switched on engineers are like that and you know you got a winner there.
Remember that at every point in the interview/communication you need to be prepared with a series of questions so you can use those as a base for quality and comparison.
Tip: when you do engage the outsourcer, make sure you keep working via oDesk or a similar tool. As much as you may be conned into believing that working outside oDesk is worth a 10% discount, it isn't: oDesk provides great tools to track your contractors' time (with videos), and in the end you get to leave feedback on them. Bad business means bad comments means no future business, so it is in everyone's favor to be on best terms and get the job done right.
6. Have fun!
Not a long-term strategy
Outsourcing is great when you first kick off a startup and need to fill in skill or time restraint gaps like kicking off a new channel which will interface with your in-house platform (your IP – which you built and are evolving) or design work. But that is where it stops.
Remember that outsourcing is work for hire. Your own company / startup is a labor of love which only you and those that live and breathe it each day share in the office. So if you have high expectations of the outsourcer to care and be on the ball with something they are building or have built then you most likely skipped the crucial part. The part where I told you to own the whole process and be laser focused on the work getting outsourced. You fucked up. You’re at fault not them.
Never outsource your core business. Only channels, those that are not what I call IP (intellectual property). Your IP always stays in-house, managed by you and your cofounder, and ultimately a kickass in-house team. For example, a business that's attractive to investors typically has some sort of IP that's hard for competitors to clone, that thing that makes it unique. It could be a unique algorithm or even data. You'd never outsource that. Stuff that can be outsourced might be a channel, e.g. a mobile app, as long as the IP (say that algorithm) sits in the API your local team manages.
Final note
You are not looking for a “sweat shop”. Find rock stars! That have a history of delivering quality code on time while communicating effectively. Communication decides if you get an apple or an orange when all you wanted is an apple.
If you have any stories (good or bad) please share with me them below in the comments.
Like last year, I attended it again to learn from fellow developers and industry leaders on the latest in the tech and business scene in Silicon Valley. Silicon Valley Code Camp is a weekend (Saturday and Sunday) community event where developers learn from fellow developers. There are around 200 sessions over those two days on every hot topic in the tech industry, and it pulled in around 2,500 attendees at Foothill College in Los Altos. It is impossible to attend every session, but you get to pick beforehand which lectures interest you the most. Then it is a matter of showing up.
So instead of covering the usual tech stuff in this post, like in my last year’s post, this time round I will focus on the most impactful presentation on The Art of Raising Capital for Technology Startup Leaders by Bruce Schechter from Band of Angels. If you are an active software engineer you are already capable of building products. The next step is how to turn that into a business with some acceleration in the form of capital. Having done it before (built an international business and sold it to a $1B silicon valley company), this presentation by Bruce was a nice reminder with more new knowledge (for me) on what it takes to validate a product and turn it into a business.
The Art of Raising Capital for Technology Startup Leaders
Everyone has ideas but few execute on them
The room was packed. At the start of the session Bruce asked the folks in the room to put their hands up if they were thinking about an idea. Everyone raised their hands. Then to keep their hands raised if they had started working on it: a 30% drop. And then who had an MVP out testing the waters: an 85% drop. Yep, as we have heard before from the likes of Y Combinator, 500 Startups and other investors, ideas are a dime a dozen in the valley. Execution is where it's all at!
“I saw the angel in the marble and carved until I set him free” ~ Michelangelo
Inside an investors mind
When you get a chance to present to investors, the questions running inside their mind which you should aim to answer in your presentation are:
Will I achieve a vast return?
Is she capable of growing a business?
Nail the answers to these and you are one step closer to getting funded.
Fundraising Tools
Make sure you have the following ready in this order. Be prepared.
Elevator Pitch
Email to investor via a trusted source.
GDay from a friend of the investor introducing the company
Who the team is and
Ask whether exec summary can be forwarded
Executive Summary
One pager – just text, no graphs.
“People don’t buy what they don’t understand.”
“Investors don’t fund products, they fund businesses.”
Never tell what is good about your company (features) until you have fundamentally explained what you do = “foundation”.
Preferred executive summary format
Problem/Solution Overview
Clarity of pain: credibility
“must-have” not “like to have” in the eyes of the customers
Tie solution back to pain
Market Opportunity
Total market and available market – reference data source.
Narrative equation: “If we sell X to Y at $Z we’ll achieve $N”
Competition
Be honest and open
Worst possible response: “We don’t really have competition.”
Why are you better than your competitors?
Business Model
How do you make money?
Define unit economics – individual transaction cost.
“Go To Market” Strategy
Customer Acquisition – direct sales, channels, word of mouth
Key marketing tactics, including social media.
Learn from Steve Jobs– watch his presentations on how to present. The stories!
How technology can engage customers in an emotional way.
Detailed Financials & DD (due diligence)
If you are asking for money, make sure you can show where that money will go, e.g. additional engineering, marketing, sales team. Don't forget to also look at crowdfunding options, where you can also raise a lot of money.
Create emotional engagement through stories
“People are story tellers.”
In the old days, before the internet and TV, people would sit around fires telling stories. Those who spoke and gathered a large audience are what we refer to as "leaders". Leaders create emotional engagement. This still applies today. Learn to create emotional engagement around your service and the people you are selling to, including the investors. Find out what you have in common with a VC before you deep-dive into your business pitch.
In Review
Tell ’em how they’ll make a fortune.
Investors fund companies, not products.
They don’t fund what they don’t understand.
Watch & learn from Steve Jobs presentations. He is the master story-teller.
Hidden at the edge of SoMa, at 181 Fremont in San Francisco, is a kickass community of over 100 startups working in a funky environment and changing the world. This place is called Rocket Space. It is situated in SoMa, which is known as the Silicon Valley of San Francisco.
Rocket Space is best described as follows:
“RocketSpace is an accelerator for high-growth, seed-funded tech startups. We provide the fuel that every startup needs to accelerate: access to top talent, tier 1 venture capital, and blue-chip brands representing millions of users. Startup. Blast off.”
What is Rocket Space
So as mentioned above, Rocket Space is an accelerator for high-growth, seed-funded tech startups. Started in 2011, today it hosts around 130 hot startups in two three-level buildings, so there is plenty of room. Rocket Space provides the fuel that every startup needs to accelerate: access to top talent, tier 1 venture capital, and blue-chip brands representing millions of users. More about Rocket Space here. And it is open 24x7 to members.
Unlike HackerDojo which I have blogged about in the past Rocket Space is for the next level in a startup’s life cycle. Still lean but “after” the idea has been developed into a product and a minimum viable product (MVP) launched.
“If you’re offered a seat on a rocket ship, don’t ask what seat. Just get on.” ~ Eric Schmidt, CEO, Google
What I find cool about Rocket Space
The environment is kickass. From the decor to the energy. There is just a great vibe being there. It feels like Facebook inside but everyone is working on their own startups.
Let me touch on energy again. With over 100 startups here there are plenty of smart folks to hang with, learn from and collaborate. Just being around smart people changing the world is inspiring and motivating to get things done. Beats sitting at home listening to the fridge buzzing.
Plenty of meeting rooms scattered around the edges of the large open working space.
Conveniently located between Soma and the Financial District in San Francisco. Around 20 minutes walking distance from San Francisco Caltrain station.
Plenty of fuel (food) around Rocket Space. My favorite is the SF Soup Company since it is light and doesn’t generate any brain drain. They have great Clam Chowder. Yum!
Finally Rocket Space offers access to weekly community events, founder mentoring sessions, access to talent and education program called RocketSpace Academy (RSA).
Rocket Space and GTDfaster (my productivity app) both have a "rocket" in the logo; I think Rocket Space was meant to be! The GTDfaster logo comes from getting stuff done fast, accelerating. Rocket Space is startup and blast off!
Nope. You must be at the right stage in your company’s life cycle to get accepted.
See the table below to see if you are at the right stage to gain the most value out of being a part of Rocket Space community.
Phase              Funding    Team size             Space
Exploring          None       Founders              Home / HackerDojo
Hacking that idea  None       Founders              HackerDojo
MVP out            Seed       Founders              Rocket Space
Scaling            Series A   Founders + 10 to 20   Rocket Space
Finally, if you see me at Rocket Space say GDay! I am disrupting the health industry and saving lives at medlertapp.com via leading edge mobile technology powered by high-tech event-driven python platform. If you want to learn more about Medlert say GDay! See you around.
Having coded in PHP for 7 years I feel I can give balanced feedback on PHP. Today I mainly focus on Python & .NET because these languages have stood the test of time and allow me to attract great talent. I find it amusing that engineering leaders in established companies make backward decisions today to use PHP to power their business/core sites. Not to mention software engineer newbies falling prey to using it as their 1st language to experience software development & put theory into practice. So let’s explore this in more detail.
A quick story
A few years back while attending a Python class a young chap put up his hand, introduced himself as a long time PHP developer and asked the lecturer a question: “What is the difference between Python’s dictionaries & lists and PHP’s arrays?” Bang. This is exactly why I do not want newbies to go down that route. Data structures are fundamental to any software design. PHP will NOT force you to think about data structures when coding; instead it just sticks a boot in your face and says walk.
As a leader
As a smart, fast paced technology leader, you should NOT be suggesting or advising PHP as the company’s “language of choice”. If a company is using optimized wordpress hosting it’s typically for its blog (yes WordPress rocks), due to legacy reasons (we all learn right) or a variant of it. PHP is not even a great presentation language (what it was so famous for years ago), lacking good support for a real templating engine. Going LAMP stack, as in Linux stack, is not about moving to PHP. Matter of fact LAMP stack is an old, beaten, used & abused lingo which means little today with the range of open source stacks that run on the Linux OS.
Let’s first look at what makes a good language. And if you are a leader looking at starting or moving to a new language this post should be enough to tell you what to avoid. Learn from others’ mistakes so you don’t have to make them yourself.
What makes a good language
Predictable
Consistent
Concise
Reliable
Debuggable
Check out the philosophies behind Python in Zen of Python on what a good language encourages.
PHP fails miserably here.
PHP is full of surprises: mysql_real_escape_string, E_ALL
PHP is inconsistent: strpos, str_rot13
PHP requires boilerplate: error-checking around C API calls, ===
PHP is flaky: ==, foreach ($foo as &$bar)
PHP is opaque: no stack traces by default or for fatals, complex error reporting.
PHP is NOT an enterprise language
An enterprise language is one that has good corporate support. Best example is Microsoft and their .NET platform.
Look at the support behind the PHP language. No corporation supports PHP’s growth & maturity the way Sun & Google do for Java, Google (Guido van Rossum) for Python (inc the Django framework), or 37signals for Ruby (inc RoR) etc…
PHP is not supported by Yahoo. They failed to launch a version with Unicode support in the hyped up PHP6. And the father of PHP, Rasmus Lerdorf, is no longer based at Yahoo. Nor is PHP supported by Facebook. Facebook has been trying hard to move away from its aged roots and now compiles PHP into C via HipHop – more on that below.
The mess that is PHP
There are plenty of websites covering the mess that is PHP. Just go and read them if you are still doubtful.
Unsatisfactory and inconsistent documentation at php.net.
PHP is exceptionally slow unless you install a bytecode cache such as APC or eAccelerator, or use FastCGI. Otherwise, it compiles the script on each request. It’s the reason Facebook invented HipHop (PHP compiler) to increase speed by around 80% and offer a just-in-time (JIT) compilation engine.
Unicode: Support for international characters (mbstring and iconv modules) is a hackish add-on and may or may not be installed. An afterthought.
Arrays and hashes treated as the same type. Ref my short story above.
No closures or first-class functions until PHP 5.3. No functional constructs such as collect, find, each, grep, inject. No macros (but complaining about that is like the starving demanding caviar). Iterators are present but inconsistently used. No decorators, generators or list comprehensions.
The fact that == doesn’t always work as you’d expect, so they invented a triple-equals === operator that tests for true equality.
include() can generate circular references and yield many unwanted and hard to debug problems. Not to mention its abuse to execute code that gets included.
Designed to be run in the context of Apache. Any back-end scripts have to be written in a different language. Long-running background processes in PHP have to override the global php.ini settings.
PHP lacks standards and conventions.
There’s no standard for processing background tasks, such as Python’s Celery.
Extensions are hard to write for most PHP developers.
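The == and foreach-by-reference flakiness called out above, shown as an added example (not code from the original post) with the hardened form beside each pitfall. It assumes PHP 5.6 or later, which is when hash_equals() became available.

```php
<?php
// Added example, not from the original post. Requires PHP >= 5.6 (hash_equals).

// 1. Loose comparison (==) juggles types; === compares type and value.
function looseComparisons()
{
    return array(
        '"1e3" == "1000"'  => ("1e3" == "1000"),  // true: numeric strings compared as numbers
        '"1e3" === "1000"' => ("1e3" === "1000"), // false: different strings
        '"0" == false'     => ("0" == false),     // true
        '"0" === false'    => ("0" === false),    // false
        'null == false'    => (null == false),    // true
        'array() == false' => (array() == false), // true
    );
}

// A secret/token check written with == is the weak form: two different
// numeric-looking strings can compare equal, and the comparison short-circuits
// on the first differing byte, so its timing leaks information.
function tokenMatchesLoose($expected, $supplied)
{
    return $expected == $supplied;            // e.g. "1e3" == "1000" is true
}

// Hardened form: hash_equals() is strict (no type juggling) and runs in
// constant time for strings of equal length.
function tokenMatchesStrict($expected, $supplied)
{
    return hash_equals($expected, $supplied); // "1e3" vs "1000" is false
}

// 2. foreach by reference leaves $v bound to the last element; a later
// by-value loop then writes into that element on every iteration.
function foreachReferenceBug()
{
    $a = array(1, 2, 3);
    foreach ($a as &$v) { $v *= 2; } // $a is now [2, 4, 6]; $v still references $a[2]
    foreach ($a as $v) {}            // each iteration assigns into $a[2]
    return $a;                       // [2, 4, 4], not the [2, 4, 6] you expected
}

// Fix: unset the reference variable before reusing it.
function foreachReferenceFixed()
{
    $a = array(1, 2, 3);
    foreach ($a as &$v) { $v *= 2; }
    unset($v);                       // break the reference to $a[2]
    foreach ($a as $v) {}
    return $a;                       // [2, 4, 6]
}
```

The return values in the comments are what PHP 5.6 through PHP 8 produce; PHP 8 changed number-to-non-numeric-string comparison, but every case above still behaves as commented.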
Don’t use Facebook as an excuse to have PHP as your core language.
Excuses for poor decision to use PHP
“But Facebook is all PHP.”
Boo hoo. Is that what your decision was based on? Seriously? It is well documented that Facebook uses PHP due to legacy reasons. It is what Mark Zuckerberg used in his dorm nearly a decade ago and somehow it stuck around. Later a top FB engineer called Haiping Zhao released HipHop literally rewriting the entire PHP language thus avoiding the worst attributes of the language. Since 2007 alone, Haiping named four failed attempts to move to Python (twice), to Java, to C++. The reason this did not work is due to incumbent inertia (it’s what’s there).
So you see it is not the same PHP you are coding in but a far superior subset of it customized for Facebook process & development efforts. PHP at Facebook was a mistake that had been corrected to some degree. Today the preferred strategy at Facebook is to write new components in a de-coupled manner using a better language of choice (C++, python, Erlang, Java, etc); this is easily facilitated by Facebook’s early development of thrift, an efficient multi-language RPC framework.
“But Yahoo is all PHP.”
Seriously? Shall we even go into this? A sinking Titanic that started its life as a manually maintained directory site. Today’s online apps are more advanced, demanding high concurrency and a dynamic nature – something more advanced languages are capable of delivering.
“But Zynga (a large gaming company) uses PHP.”
At the time Zynga started developing for the platform, there was no other official Facebook SDK available except for the PHP one. Naturally Zynga started its life on Facebook. The rest is history.
Technology breeds culture
Bring a bunch of core PHP developers (those that only know this language) on board and you get what you pay for. Someone that can hack a script and not really understand the fundamentals of software design & engineering.
Think about this. Your most valued assets are the staff (the people in your company). And the staff will naturally come from companies and/or backgrounds/experiences that align with the technology decisions you made.
How about rewriting your code base in another language?
There is also a lot of industry precedent (the Netscape case, or Startup Suicide) indicating that rewriting an entire codebase in another language is usually one of the worst things you can do. Either don’t make the mistake of going down the PHP route in today’s era, or start thinking about introducing a new language into the stack for new projects. Having a hybrid setup is OK and actually allows you to iterate fast, gives your engineering crew something new to play with, and should you ever need to switch stacks you are already half way there. Don’t make the same mistakes Facebook did.
The only bits I like in PHP are its “save file, refresh page and there are your changes”. The language is “easy to use”, yes. It’s hard to figure out what the fuck it’s doing, though.
It was very hard to do. I had a comfortable 6 figure job at Coupons.com leading the International Engineering team. My core responsibility was to make sure the International business is supported and everyone is happy there. The company I built (Couponstar Ltd) got acquired by Coupons.com and that is how I ended up in Silicon Valley. I was fortunate enough to experience a lot of change there and rub shoulders with many smart folks from Yahoo, Microsoft, Google, MySpace etc… I also got to run internally Python & Django classes (“Snake Wrangling for Couponians” as I called it) and build out the International products in that stack. It was a fun journey and maybe too comfortable.
And then I quit.
Why I quit
Mainly for 2 reasons:
The Silicon Valley Entrepreneurial bug and
Large company syndrome of being cubed – I will leave this point for another post.
Moving on is about change
… but not the way you may initially imagine it.
Change works best from within and the environment. Just like when I moved from Sydney (Australia) to Silicon Valley (USA). This was a major environmental change. It also changed the network of people around me.
“You’re the average of the five people you spend the most time with” ~ Jim Rohn
So moving on from the comfort of a job changes:
Your environment and
Your professional & personal network.
Change is not comfortable because it goes against the automatic programming known as habit. But it becomes comfortable after a while and then you’re back into auto pilot mode… again habit. To understand this and how to modify habits check out The Power of Habit: Why We Do What We Do in Life and Business.
Change is difficult but you adjust and move to auto pilot. Just like when you first learnt to drive a car. It was tough but now you don’t even bother to pay attention to it. That part of you is in auto pilot mode. It’s a gift we humans all have. Just need to embrace it.
So let’s say you have made a decision to move on from being an employee to an entrepreneur. After a while you will never want to go back to being an employee, not because it may be more financially beneficial but because your mind no longer associates with that environment, network and habit of being a cog inside a machine.
This is why children of entrepreneurs end up being entrepreneurs: they too have grown up in that sort of mindset and moving to being an employee (the norm for most) just doesn’t fit. It doesn’t feel right. However coming from an employee’s mindset, moving to being an entrepreneur feels scary because you have not yet embraced the new way of living. You have a choice to embrace it and wait for the change to become a part of you, or fall back into your old patterns. You choose.
Before, I was just another cog in the comfort machine. Now I will be rubbing shoulders with fellow entrepreneurs and business folks. Have full visibility across the whole business, full technology accountability and be responsible for making major impact and disrupting the medical space. Knowing that the technology we build and scale internationally is saving lives. I think I will enjoy the new journey ahead as the CTO of Medlert Inc.
If you are ever in SF ping me and drop in for the famous Samovar tea brewing & a cuppa! Medlert is located in 4 Embarcadero, San Francisco.
The awesome team I worked with at Coupons.com
Finally thank you to the team I got to work with at Coupons.com. And all those that attended Snake Wrangling for Couponians classes and my tech talks.
The 1-day conference about unsexy tech companies that…Just Make Money was organized by 500Startups and hosted at an unsexy company, Microsoft, on August 9th in Mountain View.
I got an opportunity to attend after helping secure Coupons.com CEO Steven Boal to speak at the conference. Steven and I have a good long 8 year history going back to Australia/UK when he first invested in our company Couponstar Ltd and later acquired us to extend the International arm of Coupons, Inc.
The day kicked off with Jeff Lawson, CEO from Twilio speaking on Self-Service Models for Growth followed by Steven Boal, CEO, from Coupons on Disrupting unSEXY: The Tale of a $1 Billion Company that Changed an Industry. Concluding the morning session with Sexy time with PowerPoint: Hacking growth for SlideShare by Rashmi Sinha, CEO, Slideshare.
The gist of the morning talks was ~ sexy or not there is plenty of opportunity to disrupt an industry and make money. Believe and keep on pushing.
Morning session
Jeff Lawson, CEO of Twilio highlighted important points around doers and how to sell to them. Doers are power users. “Make a hero out of your doers” and they will live and breathe your passion. Empower them via your site by giving them:
a tour – what your product does,
pricing – does it solve their problem at a reasonable price and
how to get started – empower them to start playing around. Self service.
No shenanigans. Internet sheds light so they do not have to put up with shenanigans.
Finally invert the traditional sales model. First success, then transaction.
Steven Boal, CEO of Coupons.com (a 13-year-young company) gave everyone insights into an industry which coupons.com has disrupted. Coupons.com was built without taking any funding. Recently receiving a $200m infusion of capital valuing the company at $1B. Couponing is now becoming more digital than ever before. The old paper industry is fading into the distance and getting replaced by online channels. Coupons is at the forefront of digital couponing with its leading suite of digital channels like GroceryIQ, Coupons.com, Brandcaster (whitelabel solutions) et al. Frugal is the new black.
“If you think it is an overnight success… it is a long night” ~ Steven Boal
Rashmi Sinha, from Slideshare finished off the morning session with an interactive presentation describing their early days to growth to Microsoft acquisition. Rashmi’s message was Build, Solve problem/s THEN get Distribution. The slides from the presentation are located here.
Aaron Levie, CEO, Box.net did an onstage debate on How Box Arrived, Survived & Thrived in a Hype-Driven World with Dave McClure, Founding Partner of 500 Startups.
Wrapping up the morning session was a comical, slightly weird in a good way presentation by the CEO of MailChimp, Ben Chestnut. He bootstrapped the company without any funding whatsoever.
Ben’s 3 lessons to the hungry entrepreneurs in the room were:
Stop obsessing about the competition or you will end up copying them.
Fight really, really weird – creativity is just connecting things. You do well if you make it different but you kill it if you make it funny.
Always. Be. Creating. (things) – encourage everyone to build fun projects on top of your API to show what is possible. No project should take longer than 2 weeks.
Afternoon session
The afternoon session was made up of 2 Tracks in 2 different rooms. Track 1 was all about Product & Customer and Track 2 on Distribution & Marketing with speakers like Jive, Yammer, Zendesk, Uservoice, Kissmetrics, Cloudera, SurveyMonkey etc. I must admit I wanted to hear both tracks but it was hard when they ran in different rooms at the same time.
Zendesk have an Exclusive Offer for qualified startups to get Zendesk for FREE for 12 months! Start a trial now.
Some notable lessons:
“Use distribution hacks like Dropbox’s upgrade, refer, tweet for more space to reduce the cost of acquisition.” – Kissmetrics
“Before you do anything ask ‘Why’ NOT ‘No’.” – Yammer
“Features should announce themselves. Imagine a world without corporate training where no one has read a manual.” – Yammer
“Don’t anger a customer over pennies or they will try to destroy you.” – ZenDesk
“Do the math on how many $20 accounts you need to be a $100m business.” – UserVoice
The day concluded with presentations from the last 500Startups batch of startups like…
Happy Inspector – Fixing the way inspections are done. Led by thunder from down-under Jindou Lee,
Teamly – People management made easy. Led by Scott Allison.
Etc.
I got a chance to talk to many interesting people, learn about great products and services and make new friends. Through this experience I met the Aussie founders of ScriptRock, Happy Inspector and Flightfox, who are all working on exciting products & services. Aussie Aussie Aussie, Oi Oi Oi! Good to see Aussie power in Silicon Valley making a difference.