16 Things (a16z.com)
371 points by dannynemer on Jan 22, 2015 | 125 comments

Their "Security" section is a bit naive. The questions it poses go all the way back to the 1990s. If the Jericho Forum had started a VC fund, this page would be their investment thesis. The 2000s saw a wave of companies try to capitalize on "deperimiterization", some with huge capex requirements (one NAC startup had designed and contract fabbed their own MIPS core). They all flopped.

Maybe it's true that firewalls are less effective in 2015 than they were in 1998. The problem is: customers don't buy on effectiveness, they buy on cost-benefit. Firewall effectiveness can drop by 90% and they will still have a better cost-benefit than the alternatives. There's a reason for that: firewalls are the most straightforward network implementation of Saltzer & Schroeder's principles, and those principles are probably Right. Everywhere. In code. On the network. In identity and access management.

Why is 2015 different? "The cloud"? If "the cloud" is what's changed, that should be the thesis: we need security solutions for the cloud. Unfortunately, that is also a tired thesis.

Similarly: the shift from prevention to recovery seems like a manifestation of the narrative bias. Sure, there are lots of newsworthy cleanups, and one very successful consulting- to- product- to- consulting pivot company in that space. But customers don't derive the same value from recovery as from prevention. The dirty secret of "recovery" work --- forensics, attribution, &c --- is that it's driven largely by legal compliance concerns, and probably doesn't have a great intrinsic ROI.

Maybe there's an opportunity for a "full stack" vertically integrated insurer informed by a compliance and forensics practice.

There are markets that seem to work the way VCs want security to work. For instance, mobile happens, and all of a sudden you can build and 10+x a company that just does for mobile apps what Google Analytics does for web pages. Security just doesn't get valued by customers that way.

Also: "if you fight fire with fire, you're just going to get burned"... what does that even mean? P(burn|fighting-with-fire) ≥ P(burn|fighting-without-fire).

Yep. Information security is a nonalgorithmic problem. Much as people might like to disagree or pretend otherwise, it is fundamentally at odds with a service that can scale to meet the needs of clientele in an automated manner. The most successful companies in that space are consultancies that can deliver personalized results to every client on every engagement, and while they are very successful, they will never be what venture capitalists want.

It feels good to try and form a business model on prevalent security themes like, "Think like an attacker" and "How do we develop preventative measures before we get hacked?" but that doesn't actually stop incidents from happening. There's no perfect security, just good enough security based on what a company can invest and how much risk it wants to manage.

This is something I've found most startup folks are really resistant to, because it means that they can't commercialize security services in the same way you can commercialize web hosting. That's understandably upsetting to them, when you see how trendy security has become in the media, and how successful a company could become by capitalizing on it.

I think the section any VC or investor has on security potential is going to remain naive for a long time. Semantic desires like "I don't want my mail to be read by other people" simply don't map very well to purely mathematical operations encapsulating privacy and security in software. Organizing security vulnerabilities into neat taxonomies makes security folks sleep well at night and gives the appearance of an ordered checklist you can build a product on, but in practice that's never the case.

Personally, I don't think security should be the sole product or service anyone tries to base a startup on. I am really excited about virtual reality and machine learning companies, however. I'd really love to see some hard innovations and improvements in that space. It'd be nice to have more hardware companies in general.

Something I used to think about during my tenure as a graduate student in computer security: has anyone written the definitive book/study/dissertation on why security incidents happen?

As mentioned elsewhere in this thread, it's a very complex problem involving operational, economic, and technical factors, suggesting (as others have mentioned) it's not something that really can be "sold". Watching bugtraq for a while, I saw a lot of pure tech exploits (buffer overflows, SQL injection, other silly things like that) but also quite a lot of misconfiguration -- insecure passwords, lack of an enforced password policy, employees leaving the company without revocation of their credentials, etc.

Maybe a good commercial opportunity would be policy compliance checking tools. Imagine a simple policy like "the corporate network should not be accessible from the outside world". Would it be possible to check all firewalls/routers/NATs/etc. for compliance with this policy?

For your example, this happens to be relatively simple. The design is boolean - "Let the corporate network be accessible to the outside world? Y/N" and this is almost universal to implement because network access works the same way almost everywhere. What you're doing is essentially whitelisting access - you can simplify that to an algorithmic problem and solution space.

Web applications are not the same way. For example, enforcing policy restrictions between users of different permission levels suddenly becomes a custom project depending on what each user can do, what the application does, what functionality is mapped to different permissions, etc...it is not as simple as whitelisting. It is highly contextual.

Unfortunately, web applications are also where most vulnerabilities are found, not the network (at least not anymore).
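The "is the corporate network reachable from outside" policy discussed above is boolean enough to check mechanically. The following is an added example, not code from any commenter or product in this thread: a small first-match rule-base evaluator in Python with two checks, a static scan for permit rules whose source is not confined to corporate space but whose destination overlaps it, and a dynamic probe that replays outside-to-inside flows against sample hosts and ports. The rule base, address ranges, hosts and probe list are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Address space the policy protects (constructed for this example).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR or "any"
    dst: str              # destination CIDR or "any"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port, None = any port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def rule_matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (ipaddress.ip_address(src) in _net(rule.src)
            and ipaddress.ip_address(dst) in _net(rule.dst)
            and rule.proto in ("any", proto)
            and rule.port in (None, port))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int):
    """First matching rule wins; an implicit deny sits at the end of the base."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, src, dst, proto, port):
            return rule.action, index
    return "deny", None


def probe_inbound(rules, external_src, internal_hosts, probes):
    """Dynamic check: replay what an outside host would see against each
    internal host and service; every 'permit' is a policy violation."""
    violations = []
    for host in internal_hosts:
        for proto, port in probes:
            action, index = evaluate(rules, external_src, host, proto, port)
            if action == "permit":
                violations.append((host, proto, port, index))
    return violations


def exposing_rules(rules):
    """Static check: permit rules whose source is not confined to the
    corporate space and whose destination overlaps it. This ignores
    shadowing by earlier deny rules, so it can over-report; probe_inbound
    is the ground truth for a given flow."""
    found = []
    for index, rule in enumerate(rules):
        if rule.action != "permit":
            continue
        src, dst = _net(rule.src), _net(rule.dst)
        src_internal = any(src.subnet_of(n) for n in CORPORATE_NETS)
        dst_corporate = any(dst.overlaps(n) for n in CORPORATE_NETS)
        if not src_internal and dst_corporate:
            found.append(index)
    return found


# Constructed rule base: rule 2 is the kind of forgotten exception the
# policy is meant to catch (RDP to one internal host open to the world).
SAMPLE_RULES = [
    Rule("permit", "10.0.0.0/8", "any", "any", None),        # 0 outbound
    Rule("deny", "any", "10.0.0.0/8", "tcp", 23),            # 1 block telnet in
    Rule("permit", "any", "10.0.5.20/32", "tcp", 3389),      # 2 stale RDP hole
    Rule("permit", "any", "203.0.113.10/32", "tcp", 443),    # 3 DMZ web server
    Rule("deny", "any", "any", "any", None),                 # 4 explicit default
]
EXTERNAL_SRC = "198.51.100.7"
INTERNAL_HOSTS = ["10.0.1.1", "10.0.5.20", "192.168.1.10"]
PROBES = [("tcp", 22), ("tcp", 23), ("tcp", 443), ("tcp", 3389), ("udp", 161)]

if __name__ == "__main__":
    for v in probe_inbound(SAMPLE_RULES, EXTERNAL_SRC, INTERNAL_HOSTS, PROBES):
        print("VIOLATION: %s %s/%d permitted by rule %d" % v)
    print("statically exposing rules:", exposing_rules(SAMPLE_RULES))
```

The two checks complement each other: the static scan is cheap and finds the offending rule regardless of which hosts you happened to probe, while the probe respects rule ordering and so does not flag a permit that an earlier deny already shadows. Real rule bases add NAT, zones and stateful exceptions, which is where the "countless products" mentioned further down earn their keep.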

>Maybe a good commercial opportunity would be policy compliance checking tools. Imagine a simple policy like "the corporate network should not be accessible from the outside world". Would it be possible to check all firewalls/routers/NATs/etc. for compliance with this policy?

This is already a very big part of the security industry. Countless companies and products (claim to) do this.

CISO budgets are exploding at large companies; in '98 most of these companies didn't even have a CISO.

Firewalls have proven to be ineffective and companies are willing to pay for solutions that are more effective. Attackers have also gotten a lot more professional and sophisticated.

There have certainly been plenty of billion dollar security companies built outside of the firewall space in recent years (FireEye, Varonis, Lifelock, Trusteer, Cloudflare, etc) and there are undoubtedly going to be many more.

Security also has played out in mobile the way you suggested can't happen. Companies like Lookout and BYOD management companies are well on the way to building billion dollar businesses in spaces traditionally controlled by entrenched vendors enabled by the shift to mobile.

(incidentally the security section was written by Scott Weiss who founded IronPort and later ran Cisco's Security Technology Group; so not someone unfamiliar with the security space)

FireEye is the firm I alluded to in my comment.

Varonis, Lifelock, Trusteer, and Cloudflare aren't reactions to deperimeterization and the declining effectiveness of firewalls. (Ironically, Cloudflare is if anything a cause of the declining effectiveness of firewalls, not a solution). Also: my argument isn't that it's impossible to build a billion dollar security company! It's that the dynamics of doing so aren't isomorphic to those of other startups.

I think you missed the point of my comparison to mobile, which was not that there wouldn't be viable mobile security products, but rather that shifts in technology produce explosive returns for things like adtech and video, but tend not to do that for security. Lookout is I think the closest you come to an example of a breakout success for security, amidst the most important shift in computing since the personal computer, one that has minted a bigger number of larger successes outside security.

The STG has been beating the drum on post-firewall broad-scale deployment of security technology (= more blue pizza boxes) since Jayshree Ulal started it a decade ago. Have you read a lot of Jericho Forum stuff? If you found Weiss' piece interesting, I think you'd find Jericho especially interesting. Maybe even lucrative. ;)

(Voted you back up)

Varonis and Trusteer essentially deal with the issue of "the bad guys are already inside" and Lifelock the damage control element of post-compromise.

I'd say in the mobile security space Good Technologies, OpenPeak, Ionic, Telesign and Okta all probably have valuations in the mid-hundreds of millions of dollars.

The big winners in mobile have been gaming and advertising, but I'd suspect that in terms of enterprise software security companies are probably out-performing the average.

Which of Trusteer's product lines tapped a market opportunity that wasn't already addressed by RSA or Symantec in 2003? If the answer is "most of their revenue came from products that refined value propositions that RSA and Symantec already had products for", then what does Trusteer have to do with Weiss' investment thesis?

What do you think of software like Bromium, Qubes, etc. which creates enclaves within endpoints?

I've worked implementing both, and Bromium is basically as good of a solution to this problem as you're going to get, in the sense that it requires the least modification of user behavior (the user's Windows machine mostly behaves like a normal one).

Even Bromium was pretty upfront about the use case for their product though (high-value targets like executives who travel to China). They were very honest about it being overkill for an entire enterprise.

I think securing endpoints is basically a lost cause though (I'm happy to consider that a minority opinion however). My company spent many years trying to get TPMs to be the solution to this problem, and I'm pretty sure that ship has now sailed; with the only 2 sectors of the industry that are continuing to grow being completely unsuited to TPMs (virtualization and mobile).

I think we'll eventually realize that much like networks, devices have to be assumed to be untrustworthy, and we have to route accordingly.

> the only 2 sectors of the industry that are continuing to grow being completely unsuited to TPMs (virtualization and mobile)

A counterpoint is that mobile platforms often have some form of secure enclave, but sadly not standardized. Even AMD's low cost x86 CPUs are adding an ARM coprocessor, which could in theory be used for functionality similar to TPM, DRM, or AMT. Some of those are more useful than others. On the Intel side, SGX will add more enclave options, and complexity, but hopefully will be open and well documented.

I take issue with "often", as the vast majority of mobile phones don't have anything (even if there exist specific models which could have them).

There was a brief window in time when you had to go out of your way to buy an Intel laptop "without" a TPM (even Macs had them for a time, even if Apple never made use of them). The Trusted Computing Group failed to capitalize on that timeframe by providing both a "reason" and decent solutions to that problem.

There's a lot of reasons why that was, if I've been drinking I'd happily go into many of them.

On the mobile side, I agree, it's a hodgepodge. Apple has their secure enclave (which doesn't quite act like a TPM, even though it theoretically could), and there exist vendors who could theoretically include a TEE in their phones (right now they're almost entirely limited to special "government-specific" use cases).

And I'm ignoring Samsung's solution (which is basically snake oil).

Intel's SGX would be great, provided that the industry suddenly switches to X86 for mobile (which I don't think is going to happen).

The mobile industry is way too fragmented from a hardware perspective for any type of trusted computing platform to achieve even a modicum of install base. That might change in the future, but I wouldn't bet on it.

Intel is slowly inching their way onto smaller devices (compute stick, 7" fanless tablets with TPM & TXT). While Google's Project Ara may look like a lab experiment, the Panasonic FZ-M1 is shipping with multiple peripheral "modules", so there's at least one proof point for modular devices with a radio.

If modular mobile architectures succeed, there will be a better chance of combining one's preferred hardware TCB with one's preferred sensors. Sometimes, it only takes one counterexample to move entire markets; look at the time interval between the first Galaxy Note and the Apple iPhone 6.

Secure enclaves are very useful tools for OS design, but that's not the kind of security we're talking about here. Enterprises can't easily exploit processor protected VMs and address spaces to, say, prevent PII from leaking. By and large, companies aren't losing data to VMWare jailbreaks; they're losing it to much, much more prosaic attacks.

If every endpoint could support at least two isolated enclaves, it would be feasible for enterprises to isolate some high-value info assets to an internal VPN that is isolated to one of the enclaves, with the other exposed to risky public channels and attacks.

Very cool and very difficult to operationalize. If I was a VC, I would (cruelly) sum them up as "features of Citrix". Also, if you want to sell an enterprise security team a security product, saying that it reduces the need for stuff like Citrix would be a pretty good pitch.

In '96 or so, I went to my first Internet security conference. The attendees were a motley crew - junior programmers like myself, schoolteachers, old-school sysops, etc. Lots of us worked for companies that wanted unfettered access to this new Internet thing, but it had to be absolutely secure - and of course, it can't cost anything! There was hardly such thing as a network security professional then.

Things have changed a lot.

What bothers me are things like this which appear to be marketing messages aimed at CYA types or to simply lather up grandpa and the media:

"The threat of people getting into our systems today is so great that every company in the world has to embrace the notion that not only are they going to get hacked, there’s a good chance hackers are already inside … and they just don’t know it."

...and this:

"This set of companies comprise a very interesting category because everybody’s going to get hacked, so now it’s just a question of how quickly we respond when we see odd stuff going on within the company."

Specifically "everybody" and "every company". [1]

The idea that "everybody" is going to get "hacked" reminds me of the early days of the internet when newspapers were confused by what a "hit" to a website was. Not only would they print whatever you told them but they didn't recognize that serving up a graphic file which created a log entry wasn't significant in the way they thought it was. So we can just change the definition of "company" to suit our purpose and goal.

The fact is not even close to "everybody" is going to get hacked at least in a way that actually matters. Correct me if I am wrong (you would know the answer to this better) but are there even enough bodies to take advantage of all the targets assuming they had the skills and motivation to break into the targets and do something with the information?

[1] Is this the Valley's idea of saying that they can define things in a way that suits their purpose in other words only what they think is a company is a company?

Well, customer data isn't stolen by actual hacking, in my experience it's humans.

So many companies, particularly younger ones, have zero interest in putting up barriers to access as the company grows because in the early days, everybody was trustworthy and "because bureaucracy bad". So all the customer emails, phones, addresses, birth dates (and, I'm guessing, in the US SSNs) routinely fly around in Excel files called something like "Order Metadata Report" and sent to 50 people in 5 departments each of whom has their own use for it (like counting customers). Judging by the Sony hack it's not just SMEs.

If you want to steal data from a company, just pay a student a few hundred bucks to take up an unpaid internship in marketing (particularly anything to do with emails or customer segmentation) and give him a USB key and teach him some VBA and basic SQL (making him useful for reporting). The interns always end up running the reports so have a lot of access, usually complete access - financial information is the only thing that's not shared around. More advanced companies have a shared database access built into the excel files with a single login for everybody which never changes (hello 300 angry users) so with a copy of this file, you have perpetual up to date information long after you're gone.

Then you try to stop them from doing this and the C-level folks will say something like "it's OK just this time" and "please stop slowing us down". Most of them will be gone to the next thing by the time the black swan lawsuit hits - if there even is one. How would customers know? Why would they care?

Cf http://xkcd.com/538/ and http://www.commitstrip.com/en/2014/10/28/security-checklist/

So genuine question: How should one manage their marketing intern so data doesn't leak?

Well, the simple answer is don't have marketing interns. Really, you should not have people in the company manually doing work that could be automated in minutes - I've even seen people manually do joins (yes, two Excel sheets open, look up one product manually on the right, copy the value over on the left, next product, next, next...). It's bewildering that tech companies who should know better and who have people who know better still insist that there be people who day in, day out, 6 hours a day, process files by hand.

Next best thing is to sanitize your data; hash any personal information like emails or phones, take a day or two to build a rudimentary BI database that has sanitized information on it before giving people access, use work emails to manage access to everything and log it (my team built https://github.com/zalora/sproxy for this purpose), silo access, teach people SQL, and so on.

But honestly, to most management teams security is dead last on the list of priorities; it's just another tail risk that probably won't happen, if it happens it doesn't matter that much, doesn't cost that much, and there are a thousand other things on their mind like growing the company which are more important ('compliance is for when we'll be profitable' or 'we're not a bank, it's ok'). You can't do very much when working in such a company.
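The "hash any personal information like emails or phones" step above has a well-known pitfall: a plain SHA-256 of an e-mail address is reversible by hashing a list of likely addresses. The following is an added example, not code from the commenter or from the sproxy project: a Python pseudonymizer for a report extract that uses a keyed hash (HMAC-SHA256, key held outside the BI environment), normalizes values before hashing so "count customers" joins still work, and separates columns so the same digits in different fields do not collide. The CSV, column names and key are constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample of the kind of extract the comment describes.
SAMPLE_CSV = """order_id,email,phone,city,amount
1001,alice@example.com,+1 555 0100,Berlin,42.50
1002,Bob@Example.com,(555) 0101,Paris,19.99
1003,alice@example.com,+1-555-0100,Berlin,7.00
1004,bob@example.com,555-0101,Lyon,12.00
"""
PII_COLUMNS = ("email", "phone")


def normalize(column, value):
    """Canonicalise before hashing so trivially different spellings of the
    same person map to the same pseudonym (keeps 'count customers' working)."""
    if column == "phone":
        return re.sub(r"\D", "", value)
    return value.strip().lower()


def pseudonym(column, value, key):
    """Keyed hash (HMAC-SHA256). A plain hash of an e-mail can be reversed by
    hashing a list of likely addresses; the key, kept out of the BI
    environment, stops that. The column prefix gives domain separation."""
    message = f"{column}:{normalize(column, value)}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:16]


def pseudonymize_csv(csv_text, key, pii_columns=PII_COLUMNS):
    """Rewrite the PII columns of a CSV extract; other columns pass through."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for column in pii_columns:
            if column in row and row[column]:
                row[column] = pseudonym(column, row[column], key)
        writer.writerow(row)
    return out.getvalue()


def distinct_customers(csv_text, column="email"):
    """The analyst's use case: how many distinct customers are in the file?"""
    return len({row[column] for row in csv.DictReader(io.StringIO(csv_text))})


def leaks_original_values(original_csv, output_csv):
    """Release check: no normalized e-mail or phone from the input may survive."""
    haystack = output_csv.lower()
    for row in csv.DictReader(io.StringIO(original_csv)):
        for column in PII_COLUMNS:
            if normalize(column, row[column]) in haystack:
                return True
    return False


if __name__ == "__main__":
    key = b"constructed-secret-key-kept-outside-bi"   # placeholder, not a real key
    out = pseudonymize_csv(SAMPLE_CSV, key)
    print(out)
    print("raw distinct e-mail strings:", distinct_customers(SAMPLE_CSV))
    print("distinct customers after pseudonymization:", distinct_customers(out))
    print("leak check failed:", leaks_original_values(SAMPLE_CSV, out))
```

The raw file counts three distinct e-mail strings because of a capitalised duplicate; the pseudonymized file counts two, so the report is more correct as well as safer. Pseudonyms are still linkable across reports produced with the same key, which is what makes joins work; if that linkability is itself a risk, rotate the key per data consumer.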

The idea is that you shouldn't focus on making yourself "unhackable", because that is not possible. It's not possible to have 100% security. A skilled and determined attacker will likely get inside to some extent, even if it's just malware or access to an old unused server.

The point is to make detection and remediation important parts of risk management as well, not just prevention. Prevention is spell check, it's not always going to catch everything. Because the reality is, anyone (to your point, not necessarily everyone, but certainly anyone) can be hacked. Rather than focusing exclusively on a hard crunchy shell, make sure you can detect someone already inside and lock them down when you do. Corporate security needs to be right 100% of the time. The attacker only needs to be right once.

But yes, it's certainly possible that everyone can be hacked, and for certain definitions, it's completely likely that every company will or has been hacked (if you include malware, and information disclosure). How much malware is on your network that you don't know about?

Couldn't the view simply be one of pragmatism? That one can't ONLY focus on prevention, but look at the full lifecycle of prevention, detection, response / remediation, etc.?

Kind of an electronic view of "it won't happen to me"?

Assuming it's not everybody, are consumers/enterprises equipped with the risk management and actuarial tools to assess and influence their chances of being attacked?

"Assuming it's not everybody, are consumers/enterprises equipped with the risk management and actuarial tools to assess and influence their chances of being attacked?"

I think those are separate questions. Consumers largely are not.

Enterprises are getting wiser on the risk management side and are starting to use things like "Factor analysis of information risk" (FAIR) to create a framework around the effect of various incidents. Assessing chances of being attacked quantitatively is probably much more difficult than influencing their chances of being attacked (which includes the various best practices tptacek alludes to such as firewalls, having a SOC, utilizing proper controls, AV, etc. (the implementations of the S&S 8 principles.))

As to chances of being attacked, I think it could be examined similar to something like a health issue. What are my chances of getting cancer? Well, I can read the literature and follow behaviors which should reduce my chances of getting it (in the risk world that would be things such as using antivirus, not sharing passwords / SSNs / etc in plaintext, over the phone, etc.); however, I should also be preparing for what to do should I contract cancer.
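FAIR's contribution is the decomposition the comment alludes to: annualized loss is threat event frequency times the probability an attempt succeeds (vulnerability) times loss magnitude, so "reducing my chances" and "preparing for when it happens" are two different terms of the same product. The following is an added example, not a commenter's code or any FAIR tool: a Python closed-form estimate beside a seeded Monte Carlo that reports mean, 90th percentile and probability of any loss, then compares a prevention control (lower vulnerability) with a response control (capped loss magnitude). All frequencies, probabilities and loss ranges are constructed; the uniform loss distribution is a simplification of the calibrated ranges FAIR practitioners use.

```python
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    tef_per_year: float    # threat event frequency: expected attempts per year
    vulnerability: float   # P(an attempt becomes a loss event)
    loss_min: float        # loss magnitude per event, lower bound (currency units)
    loss_max: float        # upper bound; uniform in between is a simplification


def expected_annual_loss(s: Scenario) -> float:
    """Closed form FAIR decomposition: LEF = TEF * Vuln, ALE = LEF * mean loss."""
    loss_event_frequency = s.tef_per_year * s.vulnerability
    return loss_event_frequency * (s.loss_min + s.loss_max) / 2


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(s: Scenario, years: int = 20000, seed: int = 7):
    """Monte Carlo: one simulated year per sample, returning total loss each year.
    Attempts arrive as a Poisson process; each succeeds with P = vulnerability."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        total = 0.0
        for _ in range(_poisson(rng, s.tef_per_year)):
            if rng.random() < s.vulnerability:
                total += rng.uniform(s.loss_min, s.loss_max)
        annual.append(total)
    return annual


def summarize(annual):
    """Mean, 90th percentile and probability of suffering any loss in a year."""
    ordered = sorted(annual)
    n = len(ordered)
    return {
        "mean": sum(ordered) / n,
        "p90": ordered[int(0.9 * (n - 1))],
        "p_any_loss": sum(1 for x in ordered if x > 0) / n,
    }


# Constructed baseline plus two candidate controls.
BASELINE = Scenario(tef_per_year=12, vulnerability=0.10, loss_min=10_000, loss_max=100_000)
PREVENTION = replace(BASELINE, vulnerability=0.05)   # e.g. a control halving success rate
RESPONSE = replace(BASELINE, loss_max=40_000)        # e.g. faster detection caps the damage


if __name__ == "__main__":
    for name, s in [("baseline", BASELINE), ("prevention", PREVENTION), ("response", RESPONSE)]:
        print(name, "ALE=%.0f" % expected_annual_loss(s), summarize(simulate(s)))
```

With these constructed numbers the response control actually lowers expected annual loss slightly more than the prevention control, which is the quantitative version of the "prepare for when it happens" point: whether prevention or response wins depends on which term of the product is cheapest to move, not on which feels more like security. The tail (p90) matters as much as the mean when the question is insurance or survival rather than budgeting.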

> Why is 2015 different?

NSA/North Korea/China/Eastern Europe/Anonymous and Sony/Target/Home Depot.

I think far less has changed about what we're trying to secure. Far more has changed about who we're trying to secure it from and, as others have pointed out, the consequences of not securing it. In 1998, hackers didn't represent an existential threat to the company. I'm not sure you can say the same today.

>The dirty secret of "recovery" work --- forensics, attribution, &c --- is that it's driven largely by legal compliance concerns, and probably doesn't have a great intrinsic ROI.

This is true of a lot of security work. Maybe even most of it.

What's changed is the Benefit side of Cost/Benefit.

Now the leading Benefit is "not having embarrassing company documents on the front page of newspapers every day for a month".

That's quite a "new" Benefit.

P(burn|fighting-fire-with-fire) ≥ P(burn|fighting-something-else-with-fire)?

I think putting Big Data & ML in one Bucket is a Big Mistake, pun intended. From where I am (DS at a sv startup), I see a few discrete Big Buckets -

1. Offline Big Data - This is mostly the ETL crowd - Scalding, Cascading, Spark & associated novel startups, who provide technology to run Map Reduce jobs on TBs & PBs of data. This isn't going away anytime soon. Investment Banks & enterprise, financial institutions are the big customers with risk analysis (VaR, CVaR) & large scale monte-carlo scenarios on diverse financial instruments being commonplace.

2. Online Big Data - Storm, Summingbird & friends - continually ingesting high volume realtime data streams to provide realtime insights, which can be substantiated by #1 later, as and when those jobs run. For eg. say you ingest tweets realtime via a Storm pipeline & give me a running time series of how many tweets were from which city. Meanwhile, you squirrel away these tweets in hdfs so the offline MR job runs later & gives you exact counts.

3. Small-data ML - The result of #1 is typically a dataset of modest size ( few MB - few GB ) that can be ingested into your favorite ML solution ( too numerous to mention) for predictive analysis & BI purposes.

4. Soft "AI" - Using #2 + #3 in intelligent ad serving, traffic routing, realtime pricing to match inventory (e.g. there are several hotels in Las Vegas who reprice rooms based on number of passengers from commercial flights arriving into Vegas, local weather (sunny, rainy etc.), industry convention dates & such - all the ML + AI done out of a tiny office in SF), electricity regulation (https://news.ycombinator.com/item?id=8280315) etc.

5. AI without the quotes - tiny startups using rnn's to predict time series, using cnn's for image captioning & other really nifty AI applications not currently commercially exploitable at scale but definitely primed for acqui-hire.

I agree. I don't care so much about grouping different disciplines of big data together, so much as putting it into the same category as machine learning.

The two definitely complement each other, but they are not the same.

Considering how much is happening in the 3D printing space this year, I'm surprised that it isn't on this list. It is an enabler of IoT and Crowdfunding, drones, and even the "Sensorification of the Enterprise".

Cdixon even retweeted this recently: "Holograms are like print preview for 3D printing."

Also where is Drones on this list?

Seems to me they are focused on use cases and problem areas rather than implementations, and 3d printing and drones are means to some end as you've also mentioned. A category for 3dprinting or drones could mislead founders to fetishize technology rather than to have the problem guide the solution.

But at the end of the day, it's still a16z list and subject to their interpretations.

"Also where is Drones on this list?"

I second that, that was the first missing item that popped into my head as I scanned over it.

Which is weird because A16Z invested in AirWare (and they, as all VCs, love to talk to their book!)

It's probably not the section that most of you will be focusing on, but the "Insurance" section seems to be written by someone who doesn't know the industry. Insurers are absolutely already starting to monitor driving habits[1] and offering discounts for home monitoring devices[2]. Large property/casualty insurance companies are sophisticated competitors that don't hesitate to invest in promising new technologies or techniques many years before they pay dividends. The industry is anything but "stodgy".

The idea of a crowdsourced insurance company is not a good one (to put it mildly). The expected returns of an insurer are highly correlated with the returns of the broader market[3], because a typical large insurance company makes little to no money writing policies and generates most or all of its income from investments[4]. But maybe he's thinking about crowdsourcing the insurance risk itself, not the whole insurance company with its massive portfolio of stocks and bonds (although that's not what he said). In that case, you get an investment that yields X% a year until and unless the underlying insurance contract is triggered, in which case you lose your principal. These securities actually exist[5], but as you might imagine they are not typically purchased by individuals.

I do think the insurance industry can be disrupted. It's harder for a startup to gain traction because economies of scale work differently in insurance than they do in other industries, but a Google or an Amazon could do some real damage if they wanted to invest the resources to do so. There are a lot of interesting problems to solve. But this article totally misses the point.

[1] http://www.progressive.com/auto/snapshot/

[2] https://www.statefarm.com/insurance/home-and-property/homeow...

[3] http://pages.stern.nyu.edu/~adamodar/New_Home_Page/datafile/...

[4] https://static1.st8fm.com/en_US/content_pages/1/pdf/us/2013-...

[5] http://en.wikipedia.org/wiki/Catastrophe_bond

I couldn't possibly agree more in general, though of course I'd quibble with many of the specifics...

As to stodginess, I'd say there's a big difference between personal/small commercial lines and the big ticket enterprise-type stuff -- the underwriting process goes from something data-driven to something relationship-driven very quickly indeed. The bigger the commercial line, the more likely it's all about who throws the best yacht parties (reinsurance in particular suffers from this massively).

Crowdsourced insurance is indeed a terrible idea, though you could imagine 'web of trust' insurance that almost made sense -- say my ten thousand best friends and I know that we're all great actuarial risks, perhaps because we have some kind of information on which it's illegal to select (that we're all in the same gym, say). We could then try to write ourselves health insurance for cheap, because our plan would select only us gym members. You can sort of make it work, as long as you're prepared to make the regulators hate you.

Which is the real problem, of course -- most people buy insurance because they have to, not because they want to. Auto insurance that wouldn't pass muster with the police, or home insurance that wouldn't satisfy the bank holding your mortgage, doesn't solve the problem.

Do good problems exist? Sure. A web-based Managing General Agency, for instance, could do very well for itself, but the expressed ideas in this section are pretty terrible.

In the 'Online Video' section he calls out podcasts as an emerging/trending medium. I'd love to hear more about where people in HN community feel it's moving. Of course there's the obvious Serial momentum, and as a passionate consumer of podcasts I'd love to think through with you guys a little more where we think it'll go.

For example a YouTube-like podcast portal seems like a potential option (i.e. moving away from the need for dedicated apps/clients for a more mainstream audience), but I'm sure this isn't a novel idea.

I run https://sysadmincasts.com/, which is a weekly bite sized screencast for sysadmins. Also posted to Show HN a while ago [1]. I can tell you that my inbox is flooded with "Thank You" messages, and requests to put out more content, I am struggling to keep up! As patio11 put it, if you can say: "I'll save you 12 hours of Googling and reading Free Information On The Internet (TM) and it will cost you $50" [2], you can make money. There is just so much text content out there, and not very many high quality videos, so there is a major void in the market. Shane Smith (creator of VICE) talks about how he is creating tons of video content, and text is pretty much toast [3], well worth a watch, just think about how this applies to the tech education space.

I am not doing anything unique or novel though, there are countless sites that I have learned from, railscasts.com, railstutorial.org, egghead.io, laracasts.com, gorails.com, etc. Granted, so far this has all been free, and I have not started to monetize yet, but I do have traction, and see a clear need. So, take that for what it's worth. Very happy to have any feedback, or answer questions, just shoot me an email (see profile). Also, if you have a talent in a particular area, I would highly suggest thinking about how to share that via video with other people.

[1] https://news.ycombinator.com/item?id=8011081

[2] https://news.ycombinator.com/item?id=8508187

[3] https://www.youtube.com/watch?v=3qHjln3yZFs

Just listened to the ZFS on Linux episode. I was sceptical about watching a command-line narrative, but this was incredibly well executed, with episode transcript and mini-reviews of related sites. As the episode started, the speech pattern was so slow I wondered if it was a TTS robot aimed at non-English listeners, but then the voice quickly picked up speed to reach excited-hacker cadence.

How long does it take to write and produce each episode? Would you care to share the toolchain being used for screencasts?

I miss the lost promise of SMIL which would have allowed in-context video links to URLs for related sites, or deep-linking to related video snippets in other episodes. If your project continues, you will quickly grow a library which will benefit from cross-indexing. You will also find that a subset of content will need to be refreshed, as tools and environments change. Metadata for modular snippets will improve discovery, reuse and update.

Rails Tutorial has generated six-figure revenue from screencasts combined with an ebook, so there is precedent for monetizing self-service video training.

Thanks for the kind words ;)

> How long does it take to write and produce each episode?

Rough guide is about ~2-3 hours per minute of video. Research, playing around with ideas, demos, writing, recording video, recording audio, editing, etc. So, ZFS part one was 12 min, that's about 24 hours, and part two is 18 min, so about 36 hours. Those two episodes are about 60+ hours of solid work. ZFS did take a little longer than 60 though, since I ended up doing tons of research, but I would rather err on the side of a better quality video than put out sub-optimal content. These figures are shocking to many people, but I have honestly not found a quicker way. As I learn to use the editing software a little more, I have been able to shave an hour here and there, so that is nice!

> Would you care to share the toolchain being used for screencasts?

Sure, here is a basic dump of the tools I use:

  Ubuntu (desktop)
  Kazam (desktop recording)
  Audacity (audio recording)
  Kdenlive (edit the audio/video together)
  Screenkey (keystrokes on screen)
  Decrypt (intro screen)
  OpenOffice Writer (transcripts)
  Shaky (ascii diagram to png file)
  Asciiflow (diagram tool input for shaky)
  Gimp (graphics)

> Rough guide is about ~2 hours per minute of video.

That makes sense, given the high quality result. A 2003 thread estimated production cost for training videos at $1000-$3000/minute, http://answers.google.com/answers/threadview?id=254620 and that range still seems relevant, https://forums.creativecow.net/thread/17/871420

> here is a basic dump of the tools I use

Great that you were able to achieve this level of quality with FLOSS tools. Have you considered pay-what-you-want pricing, with a suggested anchor? Or creating (for pay) screencasts for commercial software? I've often felt that training material should be included in the marketing budget, as it increases the size of the market. E.g. a portion of donations/fees could go towards the OSS project.

Thanks for the links! At least I am not going crazy ;)

> Have you considered pay-what-you-want pricing, with a suggested anchor?

As of late 2014, I am working on this full-time. Scary, but I think I can pull it off. I am shooting for a $12 monthly subscription fee (auto-renewing), that will give you blanket access to everything for 30 days. My thinking is that, I am targeting sysadmins, devops folks, and developers who want to learn about ops. So, if I can save you even 1 hour per month, then it more than pays for itself. I am hoping to push this out in a few days actually, so I will have more data soon! I don't think it will be an overnight success, but hope to build it over a couple years. At least that is the plan.

> Or creating (for pay) screencasts for commercial software?

I have looked at this. Even brokered a deal, but ended up backing out. It just takes way too much time and I needed to focus on putting out my own content. I just need to get some funds coming in rather quickly, or go get a job again. So, I am putting everything I have into this. Once I have some money coming in, then I might look at this again.

You can have more than one distribution channel, e.g. your own monthly subscription site, plus a bundle of transcripts (reformatted as an ebook) + a package of screencasts, sold via https://www.softcover.io/ which takes 10%. Use 80/20 rule to figure out which topics are in high purchase demand and could benefit from a deeper dive. Lower-cost channels can feed demand for deeper/premium products/channels.

Background: https://news.ycombinator.com/item?id=8224896 & https://news.ycombinator.com/item?id=7350265

Thanks for all the links. I will definitely be checking this out! I had watched Nathan Barry's screencasts with Michael Hartl, but I didn't know he was active on HN, these links look pretty good, so I'll want to read these over! Thanks again.

Hey, what kind of computer do you run with those programs? Apple or PC?

Hey, your site is great, just a suggestion, you might consider submitting your site to PocketCasts (email support@shiftyjelly.com), it's the most popular podcasting app on Android, and you don't seem to be in their directory. I've added your feed to their app, but it would help people discover your show.

I have been working over ideas recently on how to solve the problem of people podcasting in different geographic locations. I think the big problem is latency and audio quality. The audio quality one seems like it is easily solvable with local recordings on both ends adjusted for said latency.

The other thing I think would be cool is if, with something like the Oculus Rift, you could tune in and sit as the third person at the table where it was happening and actually look around. For example, imagine sitting at the table with Charlie Rose interviewing Bill Gates.

Out of curiosity, are you using the term "podcast" to refer to something more like a Shoutcast stream? I may be behind the times but I always thought the term "podcast" essentially referred to mp3s (or other pre-recorded audio files) delivered via an RSS-type feed. Kind of the audio equivalent of setting a TV show to record and only watching them as they show up on your DVR.

I messed with live streaming audio quite a bit back in the 90's and early 00's and bandwidth/latency definitely could cause issues but I haven't seen a whole lot of interest in that format for quite a while. For better or worse, people seem to prefer that DVR/on-demand format where you get something delivered to your computer or device and then watch or listen when convenient.

The Joe Rogan Experience podcast is a reference point for me. It is streamed live on uStream. Video is put on YouTube and Vimeo and audio is pushed to RSS feeds. It might be content a little less suitable to HN, so I'll let you find an episode of it to see the video format, but I think being the third person sitting at the table in VR would be amazing.

> with local recordings on both ends

This is what Jason Snell & co. do with The Incomparable. They also do a significant amount of editing to cut out people talking over each other, and make everything sound nice. The result is great, but it's a lot of manual effort:


I want to automate this.

I still think that people need to be told about the medium and often convinced why they should care. I think we'll probably start seeing more networks of podcasters that can pool their resources to produce better content, kind of like what npr has done and what http://gimletmedia.com is trying to do. I'm not really convinced that podcasts will be able to be entirely supported through ads in the future so I think there will have to be some innovation on that front, maybe an all-you-can-eat service like Spotify will emerge...

I wonder if soundcloud will become a major player in this space since a lot of the podcasts I listen to end up being hosted by them.

It would certainly make sense for Soundcloud to leverage their position beyond the hosting standpoint, yeah. I wonder what their thoughts are on this matter.

I see podcasts moving to a space where a person can consume in more than one way. Video, audio, and text.

Depending on what you're doing at the time, you'd be able to 1) watch the hosts talk along with guests, relevant images and all that, basically a youtube show, 2) Just listen to the audio like "normal", or 3) read a transcription of the audio just as you would a blog post.

Allowing a person to choose how they get the podcast's information depending on what they're doing seems very logical to me.

And I don't think there's anything special about podcasts. You can get the same information through blogs currently. What's different is the passiveness of listening. It allows me to listen to something interesting when I'm working out rather than just music. But sometimes I would want to watch, and other times I would want to read the text. That's why having the content that's currently on podcasts move to multiple formats makes the most sense for the future.

"I see podcasts moving to a space where a person can consume in more than one way. Video, audio, and text."

I feel like a site like Grantland is pretty much there.

Of course, they do a much better job than just providing a transcript. Bill Simmons or Zack Lowe might write a long article about a topic, then discuss it on a podcast, then maybe extract some video clips and add some animation to spice it up.

The key, I think, is the creative people driving the process. Having the right instincts for what deserves a long form piece, a tweet, a blog length take, a podcast, or even a short documentary.

To follow on to your YouTube analogy, does anyone know of a place where someone can make a playlist of podcast (or radio) excerpts? To me a one hour commitment to a podcast seems daunting, especially if it hasn't been well recommended. Is there a place where I can find 3-5 minute "best of" clips for given episodes, maybe arranging those together to form a playlist about a topic? Like "Today we have Bob Smith on the SoandSo show talking about Big Data, John Doe talking about something on the BlahBlah show, followed by..." and I could easily listen to the whole show if the excerpt sounded interesting.

Might be a stupid idea as I'm not a big podcast consumer.

I listened to the most recent episode of 'Welcome to Nightvale', and the hosts said that their listeners actually asked for their podcast to be on youtube which is interesting.


Personally, as a huge consumer of podcasts, the only thing I've been curious about is if they could do custom ads. So say you click play on your favorite player, it would stitch in a relevant ad immediately during that play.

I'm not in the podcasting biz, but I do listen to a lot of them, both from established radio players like NPR, and from people who got started by "casting pod." Radio is terrible, because you can't decide when to listen to what you want. However, radio producers have vast experience making audio content that people like. My guess is that people who know how to make radio will move over to podcasting and make money via "native advertising," the same way they make money via "advertising" today.

The subscription/download orientation of podcasting is so ridiculous. With music and video you just find what you want and consume. I don't want to subscribe and I don't want to download!

Subscriptions make sense with Podcasts. It's kind of like a season pass for a TV show on iTunes. They tend to be something you follow and want each episode of rather than something you listen to once. I think this is mainly because finding something you like is difficult (good content, good hosts, good length, good production values) so you stick with it when you find it.

That's not how Hulu, Netflix and Amazon handle it. The subscribe thing is unnecessary.

I'd like to see it on those services. Besides, you don't have to subscribe with podcasts. You can easily just search and download a specific episode.

You _can_ on some of them but they're still subscribe/download oriented. Which I think is one of the reasons podcasts have remained in the background (also the word "podcast" is tired).

Podcasts can be two people and a mic, or something that a team of talented people make over a year or so, like Serial. You can't put both of these types in the same bucket.

Yeah I agree, it's sort of the 'early adopter' version of where it'll be in a few years hopefully. That said because it's sort of a different medium model, I can see why this is hard to change or move past.

Subscription is available (and popular) on YouTube for video, and the content of Podcasts is generally episodic, lending itself to a subscription model. What about this do you find to be 'so ridiculous'?

Not to mention that most podcatchers I've messed with also allow you to search for content and listen on demand as the file is downloading (which is all a stream really is anyway).

The other ridiculous thing about subscribing is that it way overstates listenership. Podcasters routinely overstate their audiences by 10x or more and get away with it. Good for them, I guess.

> For instance, the cost of an endpoint CPU and memory is a 1000x cheaper than the cost of CPU and memory in the server.[1]

What do they mean? How was that calculated? It sounds completely wrong.

[1] http://a16z.com/2015/01/22/cloud-client-computing/

I think this "thing" is insane.

First of all, battery life. He specifically calls out phones, and "not just phones, they could be wearables and other...", as targets for this. Every bit of computing you do on my device is battery life I lose. You're welcome-in-theory to use some compute on my CPU, but stay the hell away from my battery life, which in practice means stay off my CPU. So there's that.

Second, latency is a big thing in user experience. Go ahead, follow this author's advice, and do your JSON-to-HTML rendering on the client. See how it affects your latency. See how it affects your user experience. See how the latency affects your SEO standings. Try it out.

So once you realize you don't want to use client battery life, and you don't want to use client computing anywhere it would make the user experience perceptibly more latent, what're you left with? Yeah, sure, you could use some background computing power in the style of SETI-at-home and so on... but if you want users' explicit consent, you're competing with those existing for-the-betterment-of-humanity projects, and if you don't get explicit consent, you'd better tread mighty carefully.

"Second, latency is a big thing in user experience. Go ahead, follow this author's advice, and do your JSON-to-HTML rendering on the client. See how it affects your latency. See how it affects your user experience. See how the latency affects your SEO standings. Try it out."

I think this _is_ actually worth trying out (albeit as an experiment). If you can send JSON to the client (and have already cached the templates) rather than full rendered (uncacheable) HTML, you can (hopefully) reduce the amount of data that's being transmitted. This saves you in

* latency - downloading a small JSON file will take less time than downloading a large HTML file (although with 4G and later high-bandwidth mobile data this becomes less relevant) - at what point does the additional download time offset the template-rendering CPU time?

* CPU usage (and hence battery life) - if we assume HTTPS for the download, the TLS decryption isn't free - at what point does it use less CPU to render your JSON client-side than to download a big file?

* radio usage (and hence battery life) - downloading more content means your radio must be on for longer, which is likely to use more power - at what point does the additional radio usage offset the CPU usage?

In each case, I don't know where the balance lies, but I don't think it's clear cut that server-side HTML rendering is always a better thing on mobile devices.

Having said that, I definitely agree with you on the battery life for general computation point - I'm not going to be bitcoin-mining on my cellphone! ;)

For web stuff and just generally using mobile phones as "dumb" computing devices I agree. However there are other examples where computing on the phone makes more sense than computing in the cloud:

A) Whenever data volume is large and it would take forever to shove it up to some server.

B) Whenever offline service availability is crucial (i.e. you don't want to be dependent on network service availability)

C) Whenever you want to be in control over where your data ends up.

For example Computer Vision is an instance where these criteria are usually met.

My guess:

Not in a law-of-physics point of view, but I suppose, it is from the perspective of the entity that pays for the server.

If you can push the computation to the end point, and simply spend fewer resources (let's say, 1000x fewer resources) to coordinate the task, then, behold 1000x cost reduction!

From later in the post: "The key is nobody has to cool these devices, so it’s almost like free computing at the endpoint."

Also, you don't have to buy it! (the user bought their phone/computer and pays for the power)

I agree it's a bit handwavy. I suppose the remaining cost is the cost of transmitting more data?

But regardless, it is a good point: we are absolutely crazy to not be taking advantage of all the free computing and power that our users have purchased for us to use (and are paying the costs of upgrades and maintenance). I've felt this way for a while (especially when OnLive came out), but it seems that servers have so far been cheap enough that it's been cheaper to buy more servers than spend valuable engineering time making your app distributed.

Yes, but it needs to be done very carefully. As soon as your app is draining my battery or running my fans inappropriately, your app is gone. The key word, of course, is inappropriately. This puts caps on how much you can use, but it is still an essentially free resource.

I think that's a major issue. The best way we know how to save battery life on devices now is not all these fancy computing techniques or what have you; it is to finish a computation and shut the device off as quickly as possible. So this strategy seems to run counter to that basic idea of power saving.

Also applies to desktop browsers, e.g. https://crowdprocess.com

If you make people bag their own groceries, it's 1000x cheaper to the grocery store.

More like, if you make your employees buy their own computers, the company saves lots of money!

I doubt that the trend is moving to the endpoints. I think it is moving towards the cloud.

Enterprise software is definitely an area where there is plenty of opportunity. They're aching for good software; they pay exorbitant amounts for software that just isn't very good.

If someone can find a vertical where they can penetrate and provide real business value, they'll do well.

The bad state of enterprise software has been obvious for decades. The fact that it has persisted in being bad despite everyone knowing it should tell you that there are reasons why it remains bad.

Those reasons have also been widely known for many years. They boil down to this: enterprise software companies optimize for their ability to sell to decision makers who never actually use the software. See https://www.mail-archive.com/kragen-tol@canonical.org/msg001... for a detailed description. See http://futureofwork.glider.com/why-enterprise-software-sucks... for verification that this is not simply an isolated disgruntled developer's opinion.

There's a lot of opportunity in enterprise, but it's really hard. I spent 20 years in enterprise myself before founding my own startup in that space. The sales cycle just kills you. I can have a product that would save enterprises hundreds of thousands a year, but it takes weeks, months, years to make a sale!

And modern B2C-oriented startup thinking doesn't get it. The sort of Lean/MVP/failfast thinking doesn't work so well when you're building for a half-dozen meetings spaced out over weeks, to match arcane localization requirements for the target customer. The reason startups rarely penetrate is because it's slow, hard, and painful - the sort of thing where big deep-pockets entrenched companies have a huge advantage.

Worse, young startup founders don't have the enterprise experience to grok why everything is so slow and so hard. It's easy to look from the outside and think those silly enterprise people must be stupid and/or malicious to make such an opaque maze of red tape. Hardly! The enterprise is filled with smart, committed, hardworking people who almost inevitably wind up in the same boat, across the many enterprise verticals.

Enterprise is valuable because it's expensive. It's expensive because it's really, really hard. Don't forget that.

On the other hand, if I can make it work as a founder, it's going to work huge.

One of the problems is the ingrained mentality that "enterprise" is defined by "if you throw enough money at the vendor, they'll add features and make changes for you." That's bollocks, in general, but because a lot of modern "good" software companies don't work that way, it's hard to make inroads.

As an example, according to a software engineer's review on Glassdoor, Concur's web app is about a million lines of classic ASP (and as a user of it, I can vouch for how crappy it is)... yet their mobile app is really slick and user-friendly. Netsuite is another company gaining momentum, with their premise essentially being that companies want an ERP that doesn't require the infrastructure or overhead that Oracle or SAP do. Netsuite, however, doesn't do the same kind of "consulting" as the big guys and you basically get what you get.

Big companies tend to be risk averse, and taking a risk on good software that can't be molded to existing business processes can sometimes mean it's not actually good software for that company ... or so the perception goes.

I wonder if they are including Augmented Reality with their Virtual reality "Thing."

Y Combinator breaks the two out as two parts of the same RFS [1]

[1] https://www.ycombinator.com/rfs/#vrar

> Crash or no crash, we should expect a significant increase in the level of institutional adoption this year. Specifically, a large number of companies will put together groups focused on what Bitcoin means to them — and as early as next year we’ll start to hear people ask “What’s your Bitcoin strategy?” in much the same way people asked “What’s your social media strategy?”…

This could be great news for social media consultants who have seen their wells run dry. Now these consultants can set their sights on convincing companies to add We Accept Bitcoin buttons to their websites.

But I believe a16z is thinking too small. Companies need to look beyond Bitcoin. Personally, I'm tired of the Benjamin Franklin branding on the $100 bill. Bring on the modern brands. I for one am looking forward to the day when I can convert all of my hard-earned money into LouisVuittonCoin and PepsiCoin.

Isn't a bingo sheet supposed to be 5 x 5?

American or Commonwealth? Most Americans play with 5x5, but in principle you could do 3x3, 7x7, or 9x9. Commonwealth is typically 3x9, often sold in lots of six.

'patio11 is our resident expert on bingo sheets.

Notably missing: drones. This is a seriously expanding new industry.

The majority of their portfolio companies are based in the US, where regulation will likely stifle the growth of commercial drones, at least during 2015.

Another field the US will lag behind the rest of the world, then..

I don't know why these 16 things are more important than the other 16000 things start-ups could be working on.

Bitcoin is the interesting one, as I would love to know in 10 years time if we look back at that with a wry smile as a fad, or if it ends up being something everyone uses.

> We don’t invest in themes; we invest in special founders with breakthrough ideas. Which means we don’t make investments based on a pre-existing thesis about a category. That said, here are a few of the things we’ve been observing or thinking about.

The list is nothing more than some of the things they find interesting.

> The list is nothing more than some of the things they find interesting.

If that is true, I don't see the point of the article or that it warrants much discussion.

I don't think that is the intent of the article though.

I took it as they expect these 16 themes to yield a lot of the new ideas they will invest in. If that is the case then these 16 are quite arbitrary and I don't see why these were chosen.

That would be PG point on his RFS https://www.ycombinator.com/rfs

The majority of VC companies have investment theses. In those theses they put the kind of market and companies they would like to invest in and why. It helps to guide the new associates and partners on where and what to look for.

List of investment trends, or Black Mirror bingo card?

I found a typo on the homepage: "You never need to share the car strangers and we can pick you up and drop you off at your front door."

I assume you meant to say: "You never need to share the car WITH strangers..."

I love the idea, though.

Coming from a smaller town it's pretty hard to fathom a helicopter for hire service ever taking off the ground where I live. So it really made me think!

If you can really cut a 2 hour commute to 6 minutes for the cost of $99 USD and make money doing it, I imagine you will do quite well. There are many people in NYC who value their time much higher than $49.50 an hour.

I think you posted on the wrong thread by mistake.

That I did indeed! Thanks for pointing it out.

I have a feeling that "16 big things that VCs will fund" is different from "16 big things companies/people/users will pay for".

VCs don't care about users. They care about the exit, and that usually involves a bigger sucker buying you out.

When you have gotten lucky with a couple of investments, you make a lot of money; when you have a lot of money, a lot of people listen to what you say; they argue with each other about what you say; this keeps them occupied and out of trouble like original thinking and such; so you need to come up with things to say, otherwise what will people do?

Talking about "Online Video", I'd like to explicitly mention https://www.vessel.com, which Jeff Jordan implicitly mentions here: http://a16z.com/2015/01/22/online-video/

I'm not sure what they want to accomplish with this edict(?).

Maybe it's an attempt to influence entrepreneurs to create ideas in those 16 areas.

I mean, only those 16 areas? We are in the middle of some unprecedented cultural shifts, and those are the 16 areas to focus on?

For us, the readers, I think we should look at it more as kind of a brainstorm, something to get us thinking. I think looking for more in it than that is not what is most useful for us. Just my two cents.

Those 16 are likely to be strategically aligned with existing/planned a16z investments.

It would be interesting to see potential tech investment areas related to your list of unprecedented cultural shifts.

I just want to know who the fuck has $6000 worth of food in their freezer?

(See Internet of Things category)

Food suppliers, possibly restaurants.

Yep, good call. I didn't think outside of "consumer" headspace...

Restaurants, perhaps?

No mention of media, which seems odd considering their investments in Buzzfeed and Genius.

Buzzfeed is mentioned in Full-Stack Startup.

Barely mentioned

Can a single VC fund more than one full-stack startup in the same market?

Loved the 'Failure'

Could anybody please explain that to me? It's super hand-wavy.

I think he is saying focus on success rather than failing quickly (i.e. pivoting).

Which at a more abstract level means focus on the goal not the process.

I don't see selfie sticks anywhere in that list.

"Cloud-client computing"

> http://a16z.com/2015/01/22/digital-health/

LOL, I love these stories, especially when featuring games like these:

> [...] Tomorrow? To understand your personal diagnostic data, you might soon depend more upon an iPhone app developed in a garage than on your local MD.

<rant> This garage theme is annoying. The fact that Jobs and Woz had a garage ruined garages... Seriously. They literally changed use in the post-jobs era. If your father owned a garage and you didn't come up with (at least) Dropbox, you're a loser!!!! </rant>

On a more serious note now.. The author seems to prefer applications written in a garage to measure things like blood glucose levels instead of machine-based lancets. If he were diabetic, I wonder, would he use an iPhone application to measure his blood glucose levels, or the MD?

Well, if I were diabetic, I certainly wouldn't go to my doctor every time I needed to check my glucose. That would get really expensive. I would instead rely upon a home glucose checker, which could easily be integrated with an iPhone using Bluetooth or as an attachment à la Square. Even more so, if it integrated with HealthKit, I could have my glucose levels over time and have them shared with my doctor using the integration with Epic's MyChart app.

So, not as silly as you might think.

> If he were diabetic, I wonder, would he use an iPhone application to measure his blood glucose levels, or the MD

Actual diabetics I know do occasional in-office tests, but for routine testing use at-home personal testing kits, which one could easily imagine syncing to devices and online services the way personal fitness trackers do. With severe diabetes, you need monitoring more frequently than is practical with in-office-only testing.
