New Trend? Desktop App is Free, Mobile App Isn’t.

I’ve noticed a new trend (at least, it seems that way to me) that seems to be gaining popularity with Micro-ISVs, and that is to give away your desktop application while charging for the mobile app.  I’ve seen it with Plex, Magento, and I’m suspecting this is the strategy behind last week’s (and my new favorite) GTD piece of software Wunderlist from 6 Wunderkinder.  Their new application is simple, beautiful, and runs on Windows and the Mac, while supporting syncing via the web, which fixes my top two annoyances with my current GTD favorite, Things.  They just announced via Twitter today that they’ve open sourced the entire application, but their mobile application is “coming soon”, and my guess is they’ll charge 10 bucks for it, which I’ll happily pay.If this is a new trend with Micro-ISVs, I think it makes quite a bit of sense.  Get users hooked on your mainline offering, even open source it, become the defacto standard, and then charge for the extra bit of mobile functionality.  It solves the “edge case” problem of increasing costs involved when targeting the Big Three mobile platforms (Blackberry, Android, and iOS) and gets people to fork over money where they’re most comfortable – big shiny app stores that make it easy to buy.I think there are some challenges to overcome, but overall it should be a smart strategy.  We’ll see how it plays out, or even if it’s a trend at all.

An Open Letter to Mint.com: Stop storing my bank credentials!

A lot has changed over the last few years.  It seems like forever ago, and yet, it was only in 2005 that AJAX sprang forth and ushered in the buzzword of Web 2.0.  And it’s great – rich applications that are delivered quickly and efficiently allow me to do things online that I never thought possible. And yet, there’s a dark side to the Web 2.0 craze for APIs and tools and importing and exporting data, and that is that we’ve taught our users to embrace man-in-the-middle attacks.  Every time I see a website asking me for my Facebook password I cringe, but nothing pales in comparison to the nightmare that is Mint.com.

I love Mint.com.  They have spectacular visual design, a great product, an entertaining and informative blog, and a great iPhone app.  I know tons of people who love Mint.com, and yet, when surveying my digital life with a critical eye, I know of no greater security risk than Mint.com.  It’s still astounding to me that Mint could grow from a small startup to being acquired by Intuit in the space of a few years and essentially retain unlimited liability by storing user’s logins and passwords to their entire financial lives.  Yikes. 

If I were turned to the dark side, I would immediately attempt to hit Mint for their millions of users credentials which provide me completely unfettered access to their accounts, most of which are not FDIC insured.  This means that when someone hacks Mint, they’ll be able to pull out all of my money, transfer it, etc., and I’ll be responsible because from the financial institution’s perspective they aren’t liable for me entrusting my credentials to a third party. Sure, Mint encrypts their password database, but somewhere that password is known or stored.  It has to be because they have to use my unencrypted credentials to login.  Sure, there are a bunch of ways they could monitor this access and mitigate risk, but at the end of the day there are usernames and passwords floating away.

There is simply no technical reason the financials institutions out there can’t work with Mint and every other API providers/consumers out there can’t implement an OAuth authentication solution.  For the nontechnical of us who are reading this, an OAuth solution is essentially a token based method of authentication.  A key based authentication mechanism doesn’t necessitate handing over your username and password to a third party, instead, you grant a key (and depending on the API, limited access) to Mint which can then login and grab the information you need.  If Mint gets compromised, your financial details might be stolen, but at least they can’t access the upstream account with the same type of access.  In fact, this is what I was really hoping would come out from the Intuit acquisition: for Quicken you used to have your financial institution give you a separate login or key for Quicken specifically. To be clear: this is originally the financial institution’s problem.  They should be providing OAuth based services for Mint and  others to consume.  However, this has now become Mint’s problem to address.  Also, hindsight is 20-20.  What may have started out as a great application for a developer to track his personal finances with an acceptable risk quotient has ballooned into one of the largest and best avenues for tracking finances in the world.

The simple fact is that today, when you change your financial institution credentials, Mint breaks, which means they’re scraping the content from financial institutions.  Financial institutions are in on it too – it should be easy to see that a large percentage of their traffic is coming from one domain.  Even those sites that use a two-factor “security questions” approach are accessed via Mint by saving all possible security questions!  Financial institutions could easily block Mint by adding CAPTCHAs to their login protocols, but since I personally know several users who have changed banks to use Mint, my guess is there’s sufficient pressure to maintain Mint’s access. Some might say that I’m being overly paranoid because we’re used to saving usernames and passwords on our local machines and while it is true that from a direct comparison perspective Mint probably has the security edge over my Macbook Pro, from a risk management perspective it’s quite a different story.  All of a sudden it pays to hire a team of evil programmers for a million bucks to gain access to Mint’s millions of users.  Consider too the fact that most people re-use a single username or password as much as possible – this means cracking a lower security database (a web forum, etc.) can leapfrog access into those same user’s Mint accounts.  The less we’re using usernames and passwords for services, the better. What’s the solution?  I think a three pronged approach should be considered by any modern technical service that holds data of value:

  • Institutions should provide rich APIs in the first place and aggressively prevent screen scraping.
  • APIs should clearly segregate between “read only” and “read and write” access levels.  Mint.com can “read” my financial data but can’t “write” and pull money out of my account for example.  API access could further be segmented to only allow access to pieces of data (e.g. financial sums only and not transactions, or both, etc.)
  • APIs should use account credentials for access, but instead should be key or token based.

This might sound complicated, but in practice it’s very straightforward.  I simply login to authorize a request made by an application (anyone authorized a Netflix device recently?) and that’s it. In an increasingly networked world, application service providers bear increased responsibility to provide safe computing to users.  The old standards of storing usernames and passwords within applications need to change to reflect a different risk model.  This means both providers (financial institutions) and consumers (Mint.com) of data.  I want to use Mint and recommend it to others so I’m hoping that they can bring their clout to bear and work things out with financial institutions to solve this problem.

The Non-Technical Tech Talk

Two weeks ago (was it three?) I spoke at an ACM sponsored Tech Talk at Purdue University.  My mission was to give perspective on what it takes to run a large and quickly growing software team.  Many startups (including some I’ve been affiliated with in the past) will grow from very small teams to departments of over a hundred in a short time.  That kind of growth is explosive so as I thought about what to say during the presentation, I was struck that very rarely do I hear much about the human element of running a software organization.  I never heard about it in school. Focus on the people side of software construction has been one of my major recurring management themes because, as I told the group of students at Purdue, software development is one of the most human-intensive, human-dependent disciplines/arts/crafts/industries that exist.

To many, this might exemplify a supreme irony, but this has always been a core belief of mine: you can’t build great software without great people.  You can’t build great software without great teams.  Hardware and tools are easy to come by now, and the end result is that in today’s software industry, people are the only variable that means anything.  That’s why software companies should be psychotic about keeping turnover low.  Everywhere I’ve been I try to minimize bureaucracy.   I encourage telecommuting and spend money on great tools.  I like to setup team building, fun activities that appeal to technology workers like playing video games together once a week.  These are all downstream things that I focus on to maintain my upstream asset: people.

What does working on a great team with great people look like?  For students still in school, this is hard to visualize.  Group projects are almost universally hated.  Internships generally involve working as someone’s grunt on some meaningless or semi-solo system or task.  But I got all heads nodding when I asked if while they were doing their horrible group projects with their horrible group members if they remembered that one group who got up in front to present that was clearly happy to be working together, who had enthusiasm for their work product, and had spent an inordinate amount of time on their project.  Did they seem tired or annoyed?  No.  Was their project the best in the class?  Yes.  That is what a well-gelled software team feels like, looks like, and that’s the kind of product it produces. I talked a little more about great teams and how to recruit them and run them as we all munched on pizza.   Afterwards the organizer walked up and stated that I had given the most non-technical tech talk ever, but that he felt it was important and something that often gets missed.  

I definitely agree about the missing piece, and we got invited back for more pizza and another tech talk so we’re grateful for another opportunity.  I’d say that was mission accomplished.

Some Quick Thoughts on Rome

Yesterday and today I’m attending the HIMSS European Health IT Leadership Forum in Rome, Italy.  We flew out from Miami Wednesday afternoon, despite Tropical Storm Nicole’s best efforts to delay things, and arrived in Rome Thursday morning just in time to kick off the conference.  Tight scheduling at its best.  This is my second time to Italy, first to Rome, and here are some thoughts, in no particular order:

  • Our Alitalia (Delta codeshare) flight from Miami to Rome was direct, but the plane was old (a 767) with no movies, and only one working bathroom for all of Economy class.  They also kept the barrage of cartoons and other horrible TV going the entire flight, and the sound was turned on in the cabin just faint enough so it would wake you up at times.  All in all, one of my worst international flying experiences in quite some time.
  • Immigration into Italy was bizarre.  We walked up to the officer who glanced at Sara’s passport, and wave her on, and he didn’t even look at my passport (he could see I was a US citizen from the cover, maybe).  I asked him if Sara could have a stamp in hers, but he said no and waived us on impatiently.
  • I can see how the driving unnerves Americans, but compared to Asia it was pretty tame.  Lots of tailgating and gesticulating, just like the stereotypes would lead you to believe.
  • The coffee is truly amazing.  I’m really surprised you can’t get something like it in the US.
  • The food is similarly amazing, but it’s all carbs, so those of you who have a problem with it are out of luck.
  • This feels true to most Americans about most of Europe, but in Rome you really can be walking around in the city and just find yourself next to a ruin that’s thousands of years old.  This is a much more prevalent experience in Rome it seems than anywhere else I’ve been.

That’s all for now, we’ll post some pictures later.

Book Review: When China Rules the World

Media_httpwwwpeebsorg_egosg

Reading is one of my favorite things to do, and it’s become harder and harder to make time for books over the last few years.  However, over Christmas I was given Martin Jacques’ book  “When China Rules the World” and I read most of it on the six flights we took over the holidays.This is an extremely important book, in that I feel Martin accurately distills and describes a few integral pieces of China and the Chinese mindset that are almost universally missed by Western commentators.  These pieces, when placed in the proper context can often combine to explain the more (to Western eyes) puzzling questions about China, events that happen within China, and China’s reactions to external pressures.One of the reasons why I enjoyed this book is that the author is a master at providing historical context and to illustrate and reinforce his ideas.  With a history as long as China’s this isn’t a small task, but he accurately makes the point that few nations are as cognizant of their history and traditions as China.  Ignoring thousands of years of constant cultural development leads to gross misunderstanding, and is something that is all too easy to do from a Western perspective that’s driven by the acceptance of a Western order that is really only three centuries old.Jacques begins his book with the relevant facts of how China will most likely overtake the US as the largest economy in the world by 2027, and focuses on the central question of the book: What will a modern world dominated by China look like?  The prevailing thought of most attention paid to China is that capitalism, free markets, and Western style economies inevitably echo Western values of freedom, human rights, democracy, and culture.  In other words, free trade begets free societies.  Not necessarily so in China.This misguided belief that a swing towards Western style freedom and government is inevitable is a key miscalculation that negatively affects US foreign policy and undermines true understanding of China and the rest of East Asia.Reasons for China not following the Western model of modernism coalesce around different set of values.  In China, unity and stability is a key value that is reinforced by the strong, hierarchical family unit, the universal acceptance of Confucian thought, and the reality that China is a civilization-state, not a nation state.  The Chinese desire of unity explains the tolerance of the “one state, two systems” approach to Hong Kong, Macau, and Taiwan, and even within the numerous special economic zones found within the country.  This type of duality is almost inconceivable to the West.  Stability is valued highly due to China’s  experiences with turmoil during its history (estimations of 25 million dead during Manchu invasion, 50 million dead during Taiping rebellion, and as many as another 50 million dead during World War II and the ensuing Great Leap Forward and Cultural Revolution), and it’s long experience with a strong central government and its emphasis on a Confucian trained and tested government bureaucracy.  Stability, therefore, is enough of a priority that the Chinese are content with a system that values the group over the individual.History teaches us that the Chinese civilization has never wavered in it’s attitude of superiority towards outsiders.  Indeed, even when conquered by external invaders, which happened often throughout history, the invading groups (Mongols, Manchus) forsook their own identities and adopted Chinese customs, dress, and language while moving their capitals and governments to China.  Today there is an overwhelming sense among the Chinese that China is finally regaining it’s rightful place in the world as the Middle Kingdom.  Most forget that in the 1800s, the Chinese standard of living was slightly higher per capita than that of Europe.  England had a strong navy and easy access to coal close to its urban centers, China did not.  A crippled and weak end of the Qing dynasty, the Japanese invasion, World War II and the disastrous effects of Communism contributed to a net decrease in China’s GDP between 1820 and 1950.The idea that modernism must revolve around the Western model is rejected by the examination of how little modernity has affected Chinese politics.  China has always had a strong central government that was paternalistic in nature and was bound to the collective well being of society.  This is unlike Western governments, which have evolved to the point where they exist as a utilitarian entity in exchange for popular support.Jacques also spends significant time exploring the reasons behind the current Chinese policies towards trade, it’s own citizen’s freedom, and it’s long term goals.  In the light of the many historical and political contributing factors, it’s much easier to understand China’s currency peg (which hurts China more than it hurts the US), it’s continuing support for US debt, and it’s aggressive stance towards opening its own markets.  According to Deng Xiaoping, two things must remain for China to lift its population from poverty: domestic stability and international peace.  Seventy-five percent of China’s economy is accounted for by international trade of some sort, and while this may decrease as China continues to diversify, this is an unprecedented level for a country that is so large.  This precarious balance between its economy and the implicit social bargain (like all Confucian states have) to its citizenry for future standard of living improvement are the key drivers to China’s behavior.This book isn’t without its faults.  Jacques, like the good Marxist he is, glosses over the disastrous effects of Communism for China’s people and its economy.  Like many intelligentsia (Thomas Friedman and almost any other environmentalist) , he finds himself almost in awe of the incredible power that the Chinese Communist Party has to command policies that he wishes or wants to see implemented.  His exploration of China’s tributary system and it’s possible resurgence in the future is incomplete as it doesn’t resonate well with the Western reader.  Some of the book’s information is outdated or at least could have been updated, and some of the statistics feel as though they’ve been cherry picked.  There also doesn’t seem to be enough credit given to the remarkable lever of capitalism: lifting hundreds of millions of people out of poverty in just thirty years is nothing short of a miracle.While the overall message of the book is that China will not become the US or a prototypical Western nation-state, this doesn’t mean that the China of today will exactly mirror the China of tomorrow.  It does mean that we shouldn’t prescribe the Western template to China, and should remain mindful of the powerful historical currents that remain in full force for China.

What do Banks have to offer Healthcare?

Most of the discussion during the Medical Banking Leadership Forum seemed to center around the idea of providing PHRs or processing transactions.  The idea goes that banks should somehow get involved in the Personal Health Record (PHR) space by providing platforms for customers to view their health records since so many of their customers are used to logging in through banks.  The other view is that banks are really good at processing transactions, and bank networks are secure, safe, and fast, and so healthcare transaction processing (many of these transactions being financial after all) should logically be handled by financial institutions.

I take a slightly different view.  First, while I think that banks should get involved in the PHR space, I think it should be in a different capacity than simply providing a spot to store or view health data.  Instead, I think that banks should instead focus on being in the identity management business, an “identity broker” if you will, and provide authentication services to any PHR vendor or hospital that might be interested.  If you think about it from the PHR vendor’s perspective, their service increases in value the more confidence they can have in the validity of the identities they serve.  Correctly identified accounts means you can combine them with other data sources (at the account’s request of course) so that the PHR can serve as the hub of a person’s medical data.  Incorrect data is almost impossible to manage or transfer between systems, and serves to defeat the original stated purpose of a PHR. The financial services industry (read: banks) are one of the few industries that take identity management SERIOUSLY.  Multiple forms of identification are required, addresses are consistently maintained, and people really care about making sure their passwords to their accounts are remembered and treated securely.  Nobody types their username and password to their checking account on their monitor at work, or sends it in an email to their friend who needs it, etc.

If I were a bank, I’d use that asset (the one-time and continuous identity management) and sell it to PHR vendors (again, with the account holder’s consent).  Instead of creating a new account with Google Health, let me authenticate with my Chase username and password, and everyone can feel comfortable.  The PHR can now rest assured it’s got clean data, the account holder trusts Chase and has an interest in maintaining their information. As for the second prevailing view: banks are the best at financial transactions, my response is, “So what?”  Maybe as some claim, everything in healthcare is a financial transaction (or should be a financial transaction) but that’s like saying lets let Visa and Mastercard determine the price of the car I’m buying.  Banks already process all the financial transactions, and without in depth knowledge of the services being rendered, they’re not going to be able to price, process, or provide transparency to healthcare claims. 

A lot of discussion seemed to revolve around the vein of “but we can get paid to move the data” and again, who cares?  If banks really wanted to get involved in the healthcare claims adjudication process, they should invest in technology tools that provide a platform for insurance plans to define and transaction rules related to services and payments.  Not a single bank in the Medical Banking Project (save for one that I talked with) has any desire to do this.  The solution for banks in this area is to get closer to the details, not farther away.  That’s where all the cost savings and the benefit of transparency exists anyway – at the long tail of the bell curve.  Banks should know better anyway, they’ve been preaching this for years.

Distributed Software Teams

At Sentry Data Systems, we have a very distributed technology organization.  The majority of our technical staff does not work from our Deerfield Beach headquarters.  Instead, we have our developers, implementation staff, tech support, and infrastructure personnel spread out across the country, and even a satellite office located in the midwest.  Everyone is an employee, and we don’t do any offshoring, but we are most certainly not geographically close to each other.If you’d asked me five years ago if I thought this would be a good approach to take, I would have rather emphatically told you no.  In fact, I resisted it pretty strenuously for quite a while.  You had to be a senior developer, having spent significant time on site (at least a year), and working remote was a reserved privilege.  While we had a few guys working remotely, it wasn’t the majority you see, so Bad Things couldn’t happen, but we still had folks dialing in right from the beginning.  And yet, in hindsight, it may be one of the factors that helps us squeeze more productivity out of our staff, helps them produce higher quality code, and allows us to get the leg up on competition.For starters, it forced us extremely early on to invest in systems, processes, and a way of working that brought everything we did online.  Project management, change control, bug tracking, issue tracking, source control, testing, collaboration, documentation, document management, communication, all of these things needed to be ubiquitous and consistently used by the entire staff.  If things weren’t accessible online, that meant Bob in Utah wasn’t going to be able to contribute, learn, participate, or even know about it.The second major factor that a distributed team gives us is a national recruiting footprint.  We’re not just going up against Acme Software in our back yard down here in Fort Lauderdale (South Florida has its own disadvantages for hiring technology workers), we’re getting to compete for the top talent across the US in every job market.  Our pool of potential applicants increases by an order of magnitude or more, which really amps up the talent level and allows us to be super picky.Third, I recently came across this article recently which was discussing some research from Microsoft, exploring traditional myths about Software Development, and they touched on the fact that distributed teams in their experience don’t have a negative impact on team performance.  They rightly point out that this flies in the face of a “one of the most cherished beliefs of software development” but they also illustrate how any worker would much rather talk to someone knowledgeable on their team 4,000 miles away than a less knowledgeable guy next door.  Makes sense, and it jives with our experience as well, but I can’t say I expected this outcome at first.Are there drawbacks?  Sure.  It’s nice to have everyone over for a barbeque on a long weekend, and that can’t happen.  It’s fun to walk by and joke with everyone while making the rounds in the morning, and that’s harder to do, but we still manage to interact a good deal as a team.  The flip side is it’s nice for the remote guys to be able to live where they want,  stay in touch with family and friends, and yet still have a great job at a fun company.  This really contributes to retention – we’ve had several guys move several times in the last few years, which I count as a “save” on losing an employee each time.If you’re considering running your organization’s software teams in a distributed fashion, here’s some things you’ll want to make sure you’ve got covered:

  • Excellent communication methods: cell phones, VoIP phones for extension dialing off the corporate network, private instant messaging network, email, and more.
  • Organizational Discipline: People in the organization need to understand that they will often be interacting with remote individuals, and that they can’t cherry pick projects to those who are in the office.  Yes, a phone call is not as nice as face-to-face, but often it’s more productive.
  • Team-Based Activities are Still Key: This is an easy one for us.  We play video games every Friday afternoon/evening.  Combination of shooters (Team Fortress 2) and other games (DoTA and HoN) and the games are part of the employee start up paperwork.
  • Everything Must be Online: Bug tracking, brainstorming, documentation, everything.  A major advantage this gives you is it’s a head start on preparing for audits or other certifications (SAS70, etc.) you might need to complete as an organization as everything will be easily accessible.
  • You Still Need to Be Involved: If you like to walk around and say hi to everyone each day like I do in the office, you still need to do it “online” via instant messenger or phone call.
  • Figure out if a Satellite Office Makes Sense: We found that we had roughly 5 people clustered in one city, so we sprung for a satellite office.  It’s a cheap thing to do and helps our recruiting in that area.
  • One Timezone: We work on US Eastern time.  You can live where you want, but you’re going to work that timezone.  This is critical, in my opinion and while it does mean the guys in California are up at 5AM, it’s not the end of the world and really helps keep things simple from a scheduling and planning perspective, and maintains the ability for quick communication.

It probably isn’t for every organization, but it’s really worked out for us, and it’s definitely something we’ve grown organically and will continue to improve.

    Thoughts on Medical Banking

    This past week, I was in Nashville attending the Medical Banking Project’s Leadership Forum, which was hosted by the Vanderbilt University Center for Better Health.  The Medical Banking Project is a think-tank whose goal is to raise awareness of how banks and healthcare can intersect and drive increased efficiency, visibility, etc.  The goal of the forum was to choose a few projects where the members could work together to pilot some use-case concepts that would demonstrate how these two very different industries could work together.When people hear the term “medical banking” they’re often confused, and that confusion doesn’t improve much even among the medical banking project members.  With such a broad scope and so many different vendors and other organizations involved, everyone’s definition seemed to be different.To pare things down, here’s a few points that most members would agree with:

    • Banks specialize in well defined discrete transaction processing coupled with high visibility.
    • Healthcare organizations specialize in complex decision making that often requires the distillation of large amount of data into generalized care protocols that are often adjusted based on specific peculiarities.
    • Financial organizations are not very well equipped to deal with “creative” or “non-standard” processes or products.  When your only tool for evaluation is a balance sheet, context gets lost very quickly.
    • Healthcare organizations face a really large challenge distilling down their very fluid, complex, customizable environment into financial transactions, and as a result, are really bad at providing visibility to anyone involved in the healthcare spectrum (patients, providers, payors, regulators, etc.).
    • Trends suggest that patients will become more responsible for costs out of pocket, and combined with rising expectations of online access and visibility, will begin demanding more from healthcare providers.

    When you discuss these items with banks, they feel as though they can provide back office support to healthcare institutions and get paid for the transactions that would flow through their already-established networks.  Healthcare providers are generally just desperate to get out of the billing and payment nightmare that has been created for them so they can focus on providing care.The question is, how?This questions is particularly challenging when you have the CIO of Vanderbilt University Medical Center, Dr. Bill Stead, one of the Leadership Forum’s keynote speakers say with certainty that “we have no systems or technology available today that can provide what we need.”  Healthcare providers want more information that’s more accurate more quickly comprised of huge volumes of more data.  Banks and consumers want less information that can be presented as a line item on a statement, priced accordingly, and compared to other options quickly.The key, we all agreed while at the Forum, was a national network for transacting healthcare and financial data.  Where the group didn’t always agree, was whether querying the data in aggregate would be useful.  The bankers in the group pretty much didn’t understand how valuable such analytics could be and how much cost could be wrung from the system by examining the whys behind the transactions.  That’s typical.  Most who haven’t been in healthcare can’t imagine how small variances can introduce magnificent variations in the costs to provide a service or procure a product.  The healthcare entities in the group kept stressing that they wanted to provide the data, but had nowhere to send it and major challenges paying for the applications and training that would facilitate collection of the data.We’ve got a lot going on right now in the industry, what with the healthcare stimulus (ARRA), an increasing drive by Medicare and Medicaid to introduce pay-for-performance measures and more accurate reporting requirements (example: the Deficit Reduction Act of 2005), and a general push by everyone for better technology and better visibility.  Most of what we covered is too long for a single post, so I’ll continue to post thoughts on the Medical Banking Project over the next few days.

    A Cloud is Only as Good as Its Backup Strategy

    Saw this morning where T-Mobile and Microsoft (their subsidiary “Danger”, really) have lost all data stored by users of the Sidekick phone, due to some type of failure with their cloud storage.  We’re starting to see stories like this pop up more and more where so-called clouds fail due to some really simple reasons like not backing up (this instance), not having a redundant data center (the recent Authorize.net issue), or a botched software upgrade (Gmail and Google’s recent issues).Trust is the new currency that really matters in an increasingly distributed and technically delivered world.  Regardless of whether you’re using a “cloud computing” resource or a more traditionally provided computing resource, you’re relying on that provider to fulfill their commitments and think about preventing disasters.Implementing good security, good backup strategies, disaster recover planning…these things are all very difficult.  They are even more difficult when you’re talking about the volumes of data (multiple terrabytes, possibly even petabytes) and users (millions) that clouds are designed for.  The good news is that these are all solvable problems.Here’s what I’d look for in a cloud that I’m using:

    • published disaster recovery policy
    • independent review of some type of outside auditor (SAS70 or an equivalent)
    • published backup strategy
    • multi-homed setup (different geographic regions)
    • a publicly accessible status page that details system health and open issues.

    It looks like in this particular instance a botched SAN upgrade might be to blame.  Not having any backups or a mirrored SAN is really troubling, and even more troubling is the fact that this was the case when the design of the phone is such that it requires the cloud to be up for the phone to retrieve and use any of its contacts, pictures, etc.  Cloud computing isn’t the problem here, but it does make for a grabby headline.Read about it here.

    Update 10/12/2009:

    Apparently there were major issues with employees, morale, and the product that Danger was providing was already two years late.  Read some more anonymous details here.

    Here We Go Again

    Back in the dark old days of the internet, I started an “e-commerce” business.  I was fresh out of high school, the dot com boom was storming its way toward oblivion, and technology talk was everywhere.  I grew up in China, so I thought, why not become the Amazon.com of Chinese stuff?  China has tons of beautiful traditional artforms that are almost all handcrafted and I thought it would sell well.I was right, mostly.The problem was, I was in school, strapped for cash, there was almost no technology that was any good out there, and getting a real site up was expensive.  As in, 300+ bucks a month for a dedicated server, 100+ bucks a month for credit card processing, 50+ bucks a month for a cell phone, etc. etc.And I had to build the software.  So that’s what I did, and I spent 99% of my time building software just so I could have flexibility and be able to run a “real” ecommerce site.  We built up a customer base, sold some stuff, but I never had the time to devote to it that was required in order to build the kind of business with the kind of product line that I wanted.Fast forward a few years, and now I’m married.  With a wife who’s got impeccable tastes and enjoys fashion, someone who likes learning new things and wants to get things done, and is blessed with one or two (psychology and spanish) of those useless degrees.  So we take a trip to China to see the Olympics, and she comes back and announces that she wants to start up the business again.So here it comes: Unique Traditional Chinese and Asian Gifts and Handcrafted Items – Orient Products (.com)This ought to be fun.