2013: Year in Review

Wow, that was an incredible year! Easily in the top five years of my life, which is saying something seeing as how 2012 was also a great year.

It’s worth saying that if you’re reading this and 2013 was not a great year for you, don’t be discouraged! I have a clear memory of standing in Zurich on December 31st, 2010 as it drew near midnight, turning to The Wife and saying, “Well, that was about the worst year ever!”  We read so many vapid accounts of great years online, and if you’re in the camp that I was a few years ago, know that it can and will get better.  Find a few things.  Focus on them.  Make some changes.  You can do it.

Travel in 2013

  • Paris, France (twice – once to visit family and see the French Open, and once to take The Wife to Euro Disney for her birthday)
  • Inverness, Scotland (twice)
  • Zurich, Switzerland (speaking)
  • Dallas, USA
  • Dubai, UAE
  • New York City, USA
  • Auckenlich, Scotland
  • Pitlochry, Scotland
  • Sutherland County, Scotland

Best Books I Read
Ultimately, I didn’t read quite as many books as I wanted to (goal of 24 last year), but I did manage to read a few. Here are some of the best. Non-cyclists won’t care about the cycling books.

  • The Dark Tower (Books 1-3)
  • Endurance: Shackleton’s Incredible Voyage
  • Strange Stones: Dispatches from East to West (best book of the year)
  • Seven Years in Tibet
  • Christians and Politics: Uneasy Partners
  • The Great Train Robbery (re-read)

Cycling Books

  • The Story of the Tour de France Volume 1
  • Lanced: The Shaming of Lance Armstrong
  • The Rider
  • The Secret Race: Inside the Hidden World of the Tour de France

Books I Hated

  • The Museum of Innocence
  • Cloud Atlas (loved the movie though)

Highlights of the Year

  • Attending the Edinburgh Fringe Festival (again)
  • Spending Thanksgiving in an 18th century Scottish estate (again)
  • Three cycling events: Tour of the Borders, Caledonian Etape, and Lafuga trip to Tuscany
  • Attending the French Open
  • Our success at work – Administrate doubled its revenue in 2013

Cycling

This became my main hobby in 2013, despite the concern I’d not stick with it. I bought my first road bike in January, not really knowing what to expect, with a goal of riding the Caledonian Etape (81 miles), and trying to stick with it, mainly for health reasons.

I ended up riding and finishing the Tour of the Borders, which was one of the worst (best) events I could imagine, in the worst possible weather conditions I’ll probably ever ride in again. I finished.

Went on to ride a 50 mile sportive in Aviemore, attempted a 110 mile sportive from Glasgow to Edinburgh (DNF – destroyed tire), attempted a 100 mile Glasgow sportive (couldn’t make it due to rental car issues), and booked a three day cycling trip in Tuscany.

Overall for the year, I rode more than 1,800 miles and climbed more than 104,000 feet of elevation. Pretty happy about that.

Speaking

One of the big goals I had last year was to speak more. It’s something I really enjoy, it helps us recruit top notch developers, and I love hearing from other speakers at conferences, so for me, it’s a win-win-win. Two things I love to discuss are teamwork and great products, and I developed two talks around these topics which I gave several times around Europe. I also began to speak more and more (mostly locally) on why I believe Scotland is an incredible place to run a startup.

I spoke in Edinburgh four times (Lean Agile Scotland, Scotch on the Rocks, Turing Festival, and University of Edinburgh), London once (Digital Shoreditch), Zurich (FrontEndConf), and I was invited to speak in Poland, but just couldn’t make it due to some unfortunate scheduling issues. I’m hoping I can make that conference this coming year instead. I was really happy with the opportunities I received, and hope to continue the trend in 2014.

Work
In some ways we had a very challenging year at work, but almost every challenge ultimately paved the way for a really rewarding and successful year of growth. We wrote more about the success our team had on our company blog, and I was really proud of everyone pulling together to achieve our second year in a row of doubling in size.

Family

We added a “real” niece this year, and a “fake” niece to our collection of “fake nephews” in our third family.  And for Christmas this year, my family came over to Edinburgh to spend a few days which meant we all got to be together, explore the city and surrounding towns, and The Wife and I didn’t have to fly home for a manic tour of the States.  That was a huge relief.  Speaking of The Wife, she and I celebrated our seventh wedding anniversary and spent most of the month of December celebrating her birthday which was a lot of fun.

Summary

2014 should be interesting, like every year. I’ve got some goals, but they’re mostly progressions of what I’m already focused on: work, cycling, speaking, and travel. I’m incredibly lucky, and blessed, and hope you have a great start to your year.  Stay tuned!

HSBC Anti-Fraud Measures Vulnerable to Phishing Attacks

I’ve been an HSBC customer for roughly two years and have complained about these practices probably more than a dozen times without any real acknowledgement or change.

HSBC, like most banks in the UK, provides every customer a 2 factor security token to make sure that logging in requires something you know (your password) and something you have (your token’s time-limited code). So far so good. They even have a signing procedure for sending money (personal accounts only, strangely) that requires you to hash the transaction amount with your token, and put in the corresponding code as part of the transaction. A nice touch.

A Horrible Anti-Fraud Algorithm

Where HSBC has a glaring security hole is their fraud detection and prevention. As near as I can tell, the HSBC fraud algorithm is essentially “IF online transaction AND/OR foreign origination AND/OR amount is greater than [some nominal amount] THEN fraud”.

There’s no history taken into account, and they routinely ignore travel advisories called in ahead of time. So for example, if you sign up for a monthly recurring charge for a software service outside of the UK (many of them), it doesn’t matter that the charge has occurred every month for a year; they’ll still pop an alert. This is particularly problematic for subscriptions billed annually, as it seems that their fraud team can perform a manual override on most things, but not on infrequent subscriptions.

An Outsourced Anti-Fraud Team

Foreign can often mean “somewhat far away” too. There’s no concept of treating a card-present, PIN-verified transaction as maybe worth the benefit of the doubt either, so I’ve had my card declined for sandwich shop purchases in towns less than fifty miles away from my home address.
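To make the false-positive problem concrete, here is an added example (not code from HSBC or from the original post) that replays a few constructed transactions through the rule as guessed above and through a variant that consults billing history and PIN verification. The thresholds, merchant names and the `fraud` label are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date

# All thresholds and sample transactions below are constructed for illustration.
HOME_COUNTRY = "GB"
NOMINAL_LIMIT = 100.00  # stand-in for "[some nominal amount]"
FAR_MILES = 30          # distance at which "somewhat far away" counts as foreign
CYCLES = (30, 365)      # monthly and annual billing cycles, in days
CYCLE_SLACK = 5         # tolerated drift around a billing cycle, in days


@dataclass(frozen=True)
class Txn:
    day: date
    merchant: str
    amount: float
    country: str
    online: bool
    miles_from_home: int = 0
    chip_and_pin: bool = False
    fraud: bool = False  # ground-truth label, known only in this sample


def naive_rule(txn):
    """The rule as the post guesses it: any single signal raises an alert."""
    foreign = txn.country != HOME_COUNTRY or txn.miles_from_home > FAR_MILES
    return txn.online or foreign or txn.amount > NOMINAL_LIMIT


def is_known_recurring(txn, history):
    """True if the same merchant billed a similar amount one cycle earlier."""
    for past in history:
        if (past.merchant, past.country) != (txn.merchant, txn.country):
            continue
        similar = abs(past.amount - txn.amount) <= 0.10 * past.amount
        gap = (txn.day - past.day).days
        if similar and any(abs(gap - c) <= CYCLE_SLACK for c in CYCLES):
            return True
    return False


def history_aware_rule(txn, history):
    """Same signals, cleared by a PIN-verified purchase at home or by history."""
    small_pin_at_home = (txn.chip_and_pin and txn.country == HOME_COUNTRY
                         and txn.amount <= NOMINAL_LIMIT)
    if small_pin_at_home or is_known_recurring(txn, history):
        return False
    return naive_rule(txn)


def replay(txns):
    """Run both rules in date order; count false positives and fraud caught."""
    stats = {"naive": {"false_positives": 0, "fraud_caught": 0},
             "history_aware": {"false_positives": 0, "fraud_caught": 0}}
    history = []
    for txn in sorted(txns, key=lambda t: t.day):
        alerts = {"naive": naive_rule(txn),
                  "history_aware": history_aware_rule(txn, history)}
        for rule, alerted in alerts.items():
            if alerted:
                key = "fraud_caught" if txn.fraud else "false_positives"
                stats[rule][key] += 1
        if not txn.fraud:
            history.append(txn)  # assumption: the customer confirmed this charge
    return stats


SAMPLE = (
    [Txn(date(2013, m, 5), "ExampleSaaS", 12.00, "US", online=True)
     for m in (1, 2, 3, 4)]
    + [Txn(date(y, 4, 10), "ExampleHosting", 90.00, "US", online=True)
       for y in (2012, 2013)]
    + [Txn(date(2013, 3, 20), "Sandwich shop", 6.50, "GB", online=False,
           miles_from_home=45, chip_and_pin=True),
       Txn(date(2013, 3, 22), "UnknownShop", 640.00, "ZZ", online=True,
           fraud=True)]
)

if __name__ == "__main__":
    for rule, result in replay(SAMPLE).items():
        print(rule, result)
```

Both rules catch the one constructed fraudulent charge; the difference is in how many legitimate charges trigger a verification call along the way.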

A Dangerous Fraud Verification Process

But all of this could maybe be lived with, if not for the horrific fraud verification procedures employed by one of the largest banks in the world.

Here’s how it works:

  1. Their horrible fraud algorithm pops an alert. This can occur on a subscription charge, a PIN-verified card-present charge, or a Verified by Visa online charge.
  2. You will receive a phone call from an unknown number (blocked).
  3. An Indian call centre rep will tell you they’re calling from HSBC and they’ll need to verify some important information before they speak to you. So far, this has been my birth date or post code (enough to get your full address in the UK). If you refuse to speak to them, your card is blocked. If you call them back, it will take roughly 25 minutes on hold being transferred around to clear the block.
  4. If you don’t answer the phone, they will leave a voicemail. Again, an Indian call centre rep will preface the voicemail with an urgent request for contact, then they will play a recorded message. Often there will be a problem here, and they’ll have to call back to get the recording playing right.

It’s important to note that the phone connection quality is invariably terrible. This means you can’t understand the person, and the recording is garbled as well.  I also don’t care if the representative is a native English speaker or not.  I do care that the cut-rate policies of HSBC mean they have chosen an outsourcing provider who can’t seem to get decent phone service, thus making the entire thing more vulnerable to phishing (it’s easy and cheap to sound just like HSBC or even worse, do a better job by having a nice fluent British accent via a clear connection).

An Active Phishing Threat?

For the past two years I’ve been uncomfortable with this process. It leaves you open to phishing attacks, particularly spear phishing. It relies on data that could be publicly obtained fairly easily (birthdate and post code) and even if you can’t get this data, you can easily phish it by impersonating a representative then using that information to escalate privilege elsewhere.

A better solution would be to mimic the procedures in place at other banks. Chase, for example, has an app that will securely message you the details of a questionable transaction which you can approve or deny in a few seconds. They’ll also SMS you the details of the charge, which you can respond to. Lastly, if you don’t have a smart phone or can’t receive text messages, they’ll call you and use a challenge response procedure to verify yourself, or leave you a voicemail instructing you to call the number on the back of the card. The entire process is safe, easy, and quick no matter what mechanism you use (I use all three depending on the situation).
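The difference between verifying with birth date or post code and verifying with a challenge response procedure can be shown in a few lines. This is an added sketch, not any bank's actual scheme: the HMAC-based token, the six-digit response, the 120-second lifetime and all sample values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # seconds a challenge stays valid (assumed value)


def random_challenge():
    """Eight random digits the representative reads out to the customer."""
    return f"{secrets.randbelow(10**8):08d}"


def token_response(secret, challenge):
    """Six digits the customer's token derives from the challenge (hypothetical scheme)."""
    digest = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


class StaticVerifier:
    """Verification by birth date or post code, as in the procedure above."""

    def __init__(self, birth_date, post_code):
        self._answers = {self._norm(birth_date), self._norm(post_code)}

    @staticmethod
    def _norm(value):
        return value.replace(" ", "").upper()

    def verify(self, answer):
        # The accepted answers never change, so anyone who learns one can reuse it.
        return self._norm(answer) in self._answers


class ChallengeVerifier:
    """Verification by a one-time response bound to a fresh challenge."""

    def __init__(self, secret, new_challenge=random_challenge, clock=time.time):
        self._secret = secret
        self._new_challenge = new_challenge
        self._clock = clock
        self._open = {}  # challenge -> expiry timestamp

    def issue(self):
        challenge = self._new_challenge()
        self._open[challenge] = self._clock() + CHALLENGE_TTL
        return challenge

    def verify(self, challenge, response):
        expiry = self._open.pop(challenge, None)  # each challenge is single-use
        if expiry is None or self._clock() > expiry:
            return False
        expected = token_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)


def overheard_answer_still_works(static_verifier, overheard):
    """A static answer captured on one call verifies on every later call."""
    return static_verifier.verify(overheard) and static_verifier.verify(overheard)


def overheard_response_still_works(challenge_verifier, secret):
    """A response captured on one call is replayed against the next challenge."""
    first = challenge_verifier.issue()
    captured = token_response(secret, first)
    if not challenge_verifier.verify(first, captured):
        raise RuntimeError("the genuine call should have verified")
    second = challenge_verifier.issue()
    return challenge_verifier.verify(second, captured)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"                # constructed sample value
    static = StaticVerifier("01/02/1980", "ZZ99 9ZZ")  # constructed sample values
    print("static answer reusable:", overheard_answer_still_works(static, "ZZ99 9ZZ"))
    print("one-time response reusable:",
          overheard_response_still_works(ChallengeVerifier(secret), secret))
```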

It appears that these weaknesses in HSBC’s procedures have now caught the attention of others. A couple of days ago I was called by someone who mumbled around that they were from HSBC, and asked me for information. I declined, like normal. I called the bank back like normal. Except this time, nobody from HSBC had called and no suspicious charges were flagged. Apparently someone had attempted to phish me! I wonder how long it will take HSBC to address this now that their customers are being actively targeted?

Let’s review how we got here:

  1. A poor anti-fraud algorithm means false positives are common.
  2. A lot of alerts means you need a large customer service staff.
  3. You outsource this, you don’t automate it, and put in place procedures that are fraught with security problems.
  4. Your frustrated and desensitised customers lose respect for the process.
  5. Phishers take note, and begin to capitalise.

HSBC Customers, Be Careful!

Be careful out there! Never give any personal information to anyone calling you, no matter who they claim to be and no matter how annoying the procedure is.

We Need Viable Search Engine Competition, Now

It’s become clear to me that we desperately need a viable competitor (or two) in the search engine space. A somewhat related thought I’ve been having is the (probably inaccurate) sensation that bringing out a viable competitor to Google may not be nearly as hard as it has appeared for the last decade.

We need competitors now. Most websites see more than 80% of their search engine traffic arriving from just Google, and this is not a good long term recipe for a vibrant internet.

Inherent Conflict of Interest
Google’s revenue model of placing paid ads next to organic search results operates under the (publicly accepted) belief that there’s a secure “Chinese wall” between the paid and organic functions. It was even more secure, some argued, because ultimately the short-term conflict between receiving revenue for rankings (paid) vs. displaying the best rankings (organic) was not a long-term conflict. Better organic results were always in Google’s interest, because these competitive results maintained their dominance and users’ trust. And so we believed. To be fair, I feel that Google does a somewhat decent job in this area, but I continue to feel that the user experience of Adwords exhibits various dark patterns (more about this here) and Google’s corporate inertia seems to be focused on a walled garden approach with G+ and Android. Let’s just say that I’m no longer going to blindly trust Google in the face of a worrying conflict of interest that’s central to their most valuable product. Declining empires under siege are the ones you have to be careful of, after all.

Vulnerable to Manipulation
Is there anything worse than “SEO”? The very idea of this industry, filled with people whose sole job is to attempt to manipulate Google is bad enough, but the fact that “black hat” SEO can produce material gains is genuinely worrying. Having had to clean up a mess created by a black hat (who insisted he wasn’t) and now in the middle of another mess of toxic back links that may or may not be generated by a competitor, the whole thing is just annoying, wasteful, and embarrassing for Google. I get that they’re trying to clean this up with Penguin and Panda and the various versions therein.

Arbitrary and Corrupt
When RapGenius violated Google’s SEO guidelines, they were only caught due to a public revelation on Hacker News, then immediately penalised by a human (to compensate for where their algorithm failed), then they were permitted to communicate directly with Google to discuss ways out of this mess. Now it appears they’ve been fast-tracked back into the listings, albeit at somewhat of a disadvantage.

All aspects of this rub me the wrong way –

  1. Google is making arbitrary rules on how sites should behave, because they have a monopoly. If they didn’t have a monopoly, they might not be able to make these arbitrary rules, and others might not follow them.
  2. Google needs these rules, because Google’s rankings are apparently trivial to game. Build a ton of links and make sure you don’t over-optimise your link text. That’ll do it for most key phrases, apparently, as long as you’re not completely obvious. There’s a clear incentive for “Bad Guys” to win using “Bad Ways”, that penalises good sites just trying to get on with business. Does anyone actually believe that the ridiculously obvious, poorly written link farms that Google catches periodically are the only examples out there? Smarter people doing a better job are gaming Google all the time, and it appears to be getting worse.
  3. Google feels it has the right, at any time and with zero due process, transparency, or appeal, to manually penalise sites that successfully ignore their rules yet exhibit a high ranking. This is not transparent, fair, or reliable. It is scary for legitimate businesses, and this kind of instability should not be the norm, but it is.
  4. The only organisations or individuals who can actually engage with Google over a penalisation or problem in any meaningful way are Silicon Valley favourites or companies backed by influential VCs, or [insert some other not-available-to-the-public recourse here]. This is the definition of corruption.

We Need A Competitive Alternative
Competition could provide a healthy response to many of these items. I don’t think regulation is the answer, but it may become one if these trends continue and intensify. A different revenue model could remove the conflict of interest, a better or different algorithm could be less prone to manipulation, and a search engine that prided itself on a transparent and efficient arbitration process for disputes with regard to rankings could win users’ trust. Of course, Google could also work on these problems themselves, but it seems like they’re more or less happy with the current state of affairs.

Is PageRank really the indomitable tech of our generation? Nobody can do better algorithmically, or integrate some kind of crowd sourced feedback, or measure browsing time and habits, or simply hand tune some of the most competitive key phrases? I’m sure I’m oversimplifying, but I wonder if we haven’t all been hypnotised by the complexity, much of which is marketing hype, and have missed the enormous opportunity that exists right in front of our noses. Does the next search engine have to be as big, involved in as many things, employ as many people, and fight on the same footing to accomplish the goal of providing a counterpoint to Google?

Time will tell.

Turn Your Digital Photos Into Tintypes

About a year ago, I remember watching a video on Vimeo about a guy who was out photographing landscapes using a large format camera to take wet plate photographs, also known as melainotype photographs, also known as “tintypes”. My brother-in-law is a talented photographer, and when I saw him a few weeks later in Atlanta we got to talking about it, and I found out he’d been interested in this process as well. Instead of just watching a video, he’d actually started building a camera and researching the required materials. First efforts led to many more and as his skills improved he began to take tintype photographs at fairs, events, his studio, and even instruct fellow photographers on the methods.

If you’ve seen photographs taken from between 1865 and the early 1920s you’ve probably seen a tintype. You could say they were the original Instagram images. They have an otherworldly, high contrast monochromatic look to them, and because the photograph is also the film (a sheet of metal) they’re extremely durable. You know those photos in the intro of Boardwalk Empire? Tintypes. You know those photos from the civil war with unsmiling men sporting huge moustaches, beards, and/or sideburns? Tintypes.

Visiting Josiah’s studio is essentially participating in an anti-digital act of defiance. You have one shot. You get what you get. Don’t move. Don’t blink.

Have you ever heard of anything more hipster than this?

There was only one problem – unless you were in the Greater Atlanta area, you were essentially out of luck. Living in Scotland meant we could offer encouragement but not much else. And so we joined quite a few friends, family members, and would-be clients clamouring for an option to send in our photographs to be retaken as tintypes. Now, after a few months of testing and retesting the process, he’s ready.

Forget Instagram. Create a TinType.

This, therefore, is the ultimate hipster achievement. You can go online right now, upload your digital photos, wait a few weeks, and receive back a genuine tintype, which will last a lifetime. Like most non-artists, I have this deep desire to be artistic, so I was excited to be graciously involved in some of the early testing and feedback phases of their website. I think the site turned out really well, particularly for a first effort, and the ordering process couldn’t be more simple. Choose a size, upload a photo, pay, and then wait for the package in the mail.

Who knows? Maybe you just found the perfect gift (or gift certificate) for that special someone in your life who thinks your taste and preferences are lame!

I’ve Never Wished I Was Less Technical

I got an early-ish start with computers when I was about 6 or 7 years old.  My dad created an MS-DOS boot disk that got me to a DOS prompt on one of the hard-diskless IBM clones in his office.  Once I had booted to the command line, I’d put another floppy disk (these were 5.25 inch floppies, the ones that really flopped) in the B drive, type in the commands which I quickly memorised, and my six year old self would be ready for some hardcore word processing.  Using Multimate at first, but then moving on to PC Write, I penned a few short stories and would love to visit the office and use the computers.  My Dad’s staff even gave me access to the holy of holies – the one real IBM PC (not a clone) which had a 5 megabyte hard disk, and was protected by a password.  I was solemnly lectured to never disclose the password, not to anyone, and I never have, even to this day.

And so it was against this backdrop that I became interested in computers.  When I was nine my family bought our first computer from a back alley vendor in the Philippines.  It was an IBM compatible XT Turbo, which was technically an 8088, with a twenty megabyte hard disk and a monochrome CGA monitor.  It was outdated when we bought it, as the 386 had just been released, but I loved it.  I spent hours learning different software packages like Norton Commander, PC-Tools, and playing games like the Commander Keen trilogy.  We kept it until I was twelve, and then gave it to a Chinese friend when we replaced it with a 486 DX-33 we picked up in Hong Kong.  Built like a tank, it is probably still in operation somewhere.

Despite this early introduction to computers, I didn’t get started programming until I was sixteen.  It was harder then – we had just got the internet but the tutorials and blogs and wealth of easy information we have now didn’t exist.  It was also difficult to get the necessary software you needed – thanks to living in China I could buy a pirated copy of Borland C++ or Microsoft Visual C++ for about a dollar, but they were a bit overwhelming to set up.  I finally found someone who knew how to program and begged him into giving me a few sessions.  He had a book, helped me set up my compiler, and agreed to meet with me once a week to teach me.  I even managed to get these sessions accepted as school credit during my junior and senior year.  I still keep in touch with Erik now, and he was one of the groomsmen in my wedding.  Together we even managed to cobble together two “junk systems” from spare parts and after a few weeks of constant trial and error, we got Slackware running in 1998, still one of my proudest technical achievements.

Every American college bound student knows that their junior year of high school is crucial for getting accepted into their university of choice, and I began targeting computer science as my major.  I was heavily advised that I should focus on a business degree instead.  At the forefront of that group were several of my math teachers, who knew that I didn’t do well in that subject, but there were also many others who thought that I shouldn’t “waste” my people skills in a technical role.

But I was really enjoying programming!  My first real project was a string indexing program which could accept a block of text (much like this blog) and then create an alphabetical index of all the strings (words) and the number of times they appeared.  Written in C, I had to learn about memory management, debugging, data structures, file handling, functions, and a whole lot more.  It was way more mentally taxing than anything I’d ever done in school, and it required a ton of concentration.  I wasn’t bored like I often was in classes.  It was hard.  Erik would constantly challenge, berate, laugh at me, and most importantly, accurately assess me using an instructional style that I’d never been exposed to before – he only cared about the results, not the trying.

Although I was dead set on computer science, I really liked making money too.  My parents noticed this and for one semester during that crucial junior year they offered me financial rewards for grades achieved.  After I’d hosed my dad for over a hundred bucks due to my abnormally high grades that semester, he announced that “grades should be my own reward” and immediately discontinued the program.  There were plenty of people telling me that a degree in business would better suit these talents of mine, and if I was honest, at the time I knew they were probably right.  I was great in my non-science subjects, I could mail it in on papers and still get an A, and I knew that diligence, attention to detail, and math were weaknesses.  Getting a business degree would be stupidly easy.  Getting a computer science degree would be pretty hard, at least for me.

I was close to changing my mind when Erik mentioned, “You know, I’ve never wished I was less technical.”

This is advice that I really took to heart.  It rang true when I was seventeen.  It’s even more true today.

For me, the advantage that I gained by getting a computer science degree meant that I could start my own consulting company and be one of the technical contributors while also being responsible for the business stuff.  It helped me obtain positions of leadership because I didn’t need technical middle men to explain things to me.  If things were going poorly, I could help manage the crisis effectively, and when things were going well I could explain why and point out the technical decisions that had carried us to success.

Guess what?  I got to do all the business stuff too!  Having a technical background has never limited my business acumen or hampered me in any way.  I haven’t coded for money since 2007, but I use my knowledge and experience every day, and I stay up to date with technology as much as possible.  I love it when our technical lead shows me the code behind the latest feature.  If anything, having an appreciation for complexity, code, and systems design has only helped me design and implement better budgets, business models, and pricing schemes.  I’ve never met any “business person” who is better than me at Excel, the language of business, and much of that stems from just knowing how to program.  This has made me the go-to guy in almost every planning or budget meeting I’ve ever been in.

Unfortunately, it doesn’t work the other way.  People who aren’t technical will always struggle in any technically related environment.  I’ve met so many people who have struggled and struggled to make their great idea a reality chiefly because they weren’t technical, couldn’t contribute, couldn’t cut through the bullshit, and therefore couldn’t effectively manage their way to success.  Sometimes, they’ll try to fake it and just lose the respect of the programmers.  As many times as I’ve thought to myself how glad I am that I have a technical background, I’ve had others voice to me the frustration that they just wish they knew more about technology.

If you’re reading this, and you’re trying to figure out which way to go in life, make sure you get technical first.  If you didn’t choose that path, there’s still plenty of time – get out there and learn to code.  There are so many resources.

This is what the “everyone should learn to code” movement is really saying – not that everyone should be a coder, but that everyone could benefit from understanding the environment, pressures, and disciplines that drive a huge part of our economy.  It’s not just business either – artists can benefit from more creative displays and better performing websites, not-for-profits could benefit from volunteers who know how to help out in technical areas, and it’s just nice sometimes to be the guy who can get the projector working in a foreign country!

So get technical.  You’ll never regret it.  And if you’re a programmer and you ever see a kid who wants to learn, help them out, you may just find a friend for life.

Awesome Cycling Nutrition from Suki Bakes, Now Available in Edinburgh

Nutrition while out cycling is important.  Really important.  Ignoring nutrition is probably one of the most common mistakes to make when you’re first tackling longer rides, and I don’t fondly remember the few times I didn’t eat enough and ran out of energy.  Cyclists call this “bonking”, and to combat it we take food along with us.  Gels, bananas, granola bars, and energy drinks (not to be confused with electrolyte drinks) are all ways that cyclists use to keep energised on longer rides.

And that works pretty well, except that the most common format (gels) gets really old really fast.  By your third or fourth gel, you tend to start craving “real” food.  I’ve used Clif bars and other granola bars, but even they can taste a bit stale, and bizarrely, most of the energy bar companies seem to make their wrappers indestructible and difficult to open while riding.  This means that even if you’re being conscious of keeping your trash (you are keeping your trash while riding, right?) sometimes you can lose little corners of plastic packaging while you’re tearing things open on the bike.

So, I was really excited when Suki Bakes got an order to supply some flapjacks (what we call granola bars here) from our awesome local bike shop Ronde, who also serve one of the best coffees in Edinburgh.  I’m a very slow member of the Ronde cycling club that rides every Saturday morning, and while I’m biased in favour of anything Suki Bakes makes, these flapjacks are great for cycling for a couple of reasons:

  • They’re real food that’s really fresh and they taste great.  There aren’t any preservatives in them, and they’ll have been made just a few days before you get them, most likely.  They also don’t have that kind of soggy-yet-dry feel that Clif bars have.
  • They’re made in a mostly vertical shape which easily fits into your jersey pocket.
  • They’re packaged in a fully biodegradable, extremely easy to open paper wrapper that won’t destroy the environment.  Make sure you still keep your trash though!

If you’re curious, take a quick trip down to Ronde, grab a coffee and a flapjack, and if you’re like me you’ll probably end up perusing and buying something else at the shop along the way.  Enjoy!

Focus on Systems, Not Goals

I had the pleasure of reading a recent article by Scott Adams (creator of Dilbert) on the secret to success.  One of the points he made really resonated with me as it’s something we’ve been stressing (with increasing success) for the last few months at Administrate:  Don’t focus on goals, focus on systems.

In short, rather than focus everyone on your Key Performance Indicators (although these are important to know and track), focus instead on systems and processes that breed success.  For example, like most organisations with a customer services team, we have a lot of data about tickets, resolution times, how long issues sit in different status states, and a whole lot more.  It’s really easy to get caught up on “how many tickets we have open!” when zero bugs or zero open issues isn’t really the point.  Instead, we’ve been focused on perfecting the systems and processes we use to tackle these metrics.  Instead of feeling successful when we reach an arbitrary (and impossible) goal of zero outstanding issues or problems, we’re focusing on improving the systems we have in place to tackle these issues.  Now we feel successful when we can know that issues will be triaged, attacked, and solved in a correct and repeatable manner.  See the difference?

Get the system right, and your KPIs and other indicators will fall in line.  Get the system wrong, and you’ll be chasing an increasingly dismal looking set of metrics that never seem to improve.

As we continue to grow and scale, focusing on systems and our values becomes more and more important.  I’m really proud of how far we’ve come as a team, and am very excited at what’s still to come!