Archive for July, 2010


My 3 rules about reading

I read a fair amount of books. The time commitment is hard for me as I’m not the fastest reader in the world, but I have an insatiable desire to learn new things and there’s nothing like a good book to exercise your mind and expose you to new ideas. Here are a few of the rules I’ve developed to help me figure out what to read and make the most of my time.

1) I don’t read anything that isn’t recommended to me

Amazon has literally millions of books available. I figured out a long time ago that I needed some filter to decide what to read. For me, that filter is my friends and their recommendations. I’m lucky to have a large group of smart people around me whose opinions I trust. There are one or two authors who I will read everything they write regardless, but other than that, I make few exceptions to this rule and so far it has worked out well for me. I always have a steady backlog of books to read. If you have any recommendations, let me know!

2) It’s okay to leave a book unfinished

If a book doesn’t capture my attention within the first chapter or two, I have no problem dropping it. I view my time as my most valuable asset. I’m not going to keep reading something just to say I finished it. I’ve also found that a lot of authors say everything they have to say in the first half of the book and then spend the second half rehashing all the same points as they strive to hit a certain word count. The minute I recognize this is happening, I set the book down and move on to the next one. I don’t leave books unfinished very often, but having a rule around this helps me not feel guilty about it when it does happen.

3) I give away every book I read

Moving sucks. Moving with massive stacks of books sucks worse. I’ve made it a habit to give away every book that I read once I’m done with it. Not only does it make moving easier, it gives me a fun way to share what I’m learning with my friends. I give away about half my books on twitter and the other half I give to specific people that come to mind as I’m reading through them. That said, I’m starting to read more on my iPad so that might put a dent in my book give-aways.

I’m currently reading Switch: How to Change Things When Change Is Hard by Dan Heath and I’m enjoying it a lot. This one was recommended to me by Rob Lafave and a lot of the ideas in the book have really resonated with me. While the book is about understanding the mechanics of change, I’ve found a lot of the concepts apply to software design as well. For example, Heath talks a lot about decision paralysis and how we tend to freeze up when we’re given too many choices. One of the tactics we can use to overcome this is to make the decision before we have to make the decision by setting up overarching principles that guide our decision making. It’s fascinating stuff. If you’re looking for a good book, check it out.


Boulder will be less without you

Today I learned that two of my favorite people in Boulder are leaving this town.

Matt Galligan is a good friend. We went through TechStars together and have been friends ever since. Matt has decided to double down on SimpleGEO and sadly that means moving to San Francisco so their exec team can all be together in one place. Matt is an incredibly smart guy who has an impeccable talent for sniffing out new opportunities before the rest of us do. It’s been fun watching Matt take the lessons he learned from Socialthing and apply them to SimpleGEO.  He’s a great networker and someone I am continually learning from and look up to.

Andrew Hyde is another guy I respect a lot. Between Startup Weekend, Ignite and his work with TechStars, few people have done so much for the tech community in Boulder as Andrew. He’s given his time freely over and over again and I know there are countless startups in Boulder that are forever indebted to him for his help. When Rob and I shut down EventVue, Andrew was the one guy who took us out to the nicest restaurant in town for a ‘non-acquisition dinner’. I won’t forget that.  But that’s just the kind of guy Andrew is.   Andrew has decided to go travel the world and I couldn’t be happier for him.

Matt and Andrew, I couldn’t be more excited for you but know that Boulder will be less without you. I’m honored to be your friends. I just wanted to take a minute to say publicly that I’m going to miss you guys and remind you that you better get your butts back here soon.


Live dangerously! It’s safer.

I was honored to speak at Ignite Boulder 11. For those unfamiliar with the format, Ignite is a national public speaking event where each speaker gets 5 minutes and 20 slides that auto-advance every 15 seconds. Topics tend to be quite geeky and the audience can get quite harsh to people who fail to entertain, educate and inspire. Ignite Boulder is the largest Ignite in the world and I set a new personal record of speaking to around 1,400 people.

It was a fun event and I’ve got to give huge props to Andrew Hyde and all the organizers for pulling off such an incredible event. Chautauqua is a beautiful venue and the fact that 1,400 people would show up to a predominately-geek event is quite a testament to the community we have here in Boulder.

The title of my talk was Snakes and Staircases and the idea was to point out the disparity between the things that scare us and the things that are actually dangerous. In general we tend to be scared of a lot of the wrong things. My goal was to make us take a step back and reevaluate our fears to see which ones make sense and which ones don’t.

My slides are also available on Slideshare if you want them.

I borrowed a lot of my statistics from various sources. If you’re interested in this topic, you might enjoy checking out some of these books:

One of the most challenging things about a 5 minute talk is figuring out what to cut. Here are a few other statistics that I find quite fascinating that didn’t make the cut:

  • 15 times more people die from disease than from accidents
  • 1% chance of dying in outer space (assuming you go)
  • 1 in 4 odds of dying from attempting to climb k2
  • 1/112,000,000 chances of being killed in a vending machine accident
  • 1/5,913,000 chances of being killed by lightning
  • 1/477,300 falling out of bed

Live dangerously!


Why you should never use a CAPTCHA

I hate CAPTCHAs (you know, those squiggly bits of impossible-to-read text you have to fill out before you can do anything on some websites). I think all of us can relate to the experience of trying to register for a service or comment on a blog only to be stopped cold by an impossible CAPTCHA. Maybe you got it on the second or third try, but chances are you’ve also had occasions when you’ve bailed and decided it just wasn’t worth the effort. Today I want to convince you to never add a CAPTCHA to your site.

Let’s start by looking at why CAPTCHAs were invented. The acronym stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Quite a mouthful, eh? The idea is to have something that a computer can create but only a human can read. Whether or not humans can read CAPTCHAs is debatable, but that’s the idea anyway.  Lots of sites use these things to attempt to stop automated requests. For example, you’ve got to fill out a CAPTCHA to get a Gmail account, send a message with a link on Facebook or even just email directions on Mapquest. CAPTCHAs are most often used to stop abuse around systems where there is a high incentive for automated systems to be used, like spamming everyone on Facebook. There are also a lot of people using CAPTCHAs where an alternative solution would suffice.

My biggest beef with CAPTCHAs is that they are so freaking annoying for users. They add an incredible amount of friction to the process — friction that you probably can’t afford. Sure, some CAPTCHAs are better than others, but none are great. I understand you want to protect your site from spam and abuse, but are you ready to lose potential users over it? The trade-off just isn’t worth it, especially if you are a startup!

One of the things I’ve noticed is that many people use CAPTCHAs when a simple non-intrusive spam-stopper would suffice. For example, say you have a blog and notice you are starting to get a large amount of spam comments. You decide to add a CAPTCHA to fix the problem. The thing is, you’re not big enough to be a victim of a targeted attack, you’re just getting generic spam bots. You don’t need a CAPTCHA.

It’s far easier to stop generic spam bots than a targeted attack. There are a lot of different techniques you can employ, but a simple option is to add an extra field with a tempting name like “email” to your form that is then hidden using CSS. Humans can’t see the field and as a result will never fill it out. Any request that comes in with the field completed can easily be eliminated as spam. The beauty of this is you have a pretty effective spam-stopper without ruining the user experience or adding any friction to the process. A simple technique like this is probably enough to stop the majority of spam bots.

But what if you really are big enough to be at the receiving end of a targeted attack? What if you’re Facebook or Google? They might not be fun, but aren’t CAPTCHAs a necessary evil? I don’t think so. CAPTCHAs still aren’t going to protect you. The bad news is that most CAPTCHA systems have already been cracked using OCR software, making it trivial for your system to be compromised. For the rest, hackers have been known to set up porn sites that require you to enter a CAPTCHA in exchange for access to the adult content. What are you going to do to prevent that? Not to mention, there’s a booming business in India right now for breaking CAPTCHAs. The going rate is $2 per 1,000. Can you compete with that? If someone wants into your site, I’m sorry, but your annoying little CAPTCHA isn’t going to stop them.

Some people have taken more creative approaches to the CAPTCHA problem. Joe Stump tweeted the other day about one solution he discovered. You’ll see a lot of these around the web, often added by people who hate CAPTCHAs but haven’t stopped to think through the details. I remember seeing one approach that Hot or Not used that asked users to pick the 3 most attractive people out of 9 pictures. While these sorts of solutions are more fun for users than a traditional CAPTCHA, they are usually still pretty worthless at providing any real security. For example, with Hot or Not, the odds of a computer correctly guessing the 3 attractive people are 1 in 84. While those aren’t great odds for a human, they’re not bad for a computer — especially if you have a botnet at your disposal! Other approaches like the ones that ask you to do simple math or ask simple questions like “what is known as man’s best friend?” are vulnerable too. In most cases, all you’d need to do to crack the CAPTCHA is throw the question at Google and analyze the responses that come back. These systems are often also vulnerable because they have a limited list of questions to ask, so it doesn’t take long for a hacker to build up a dictionary of correct answers to feed to the bot.

reCAPTCHA from Google is another anti-bot alternative.  They proudly talk about all the good they are doing by using the technology to help digitize books. But even reCAPTCHA can be broken with 23% accuracy and it’s just as frustrating for users as the other alternatives.

So where does that leave us?  CAPTCHAs are annoying, you probably don’t need one and even if you did it could still be broken pretty easily.

A balanced approach would be to add some basic security to stop generic bots but get rid of the CAPTCHA altogether. Instead, watch out for suspicious IPs and monitor for nefarious behavior (like spam links being sent to multiple users, a large number of requests from one IP, etc).
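Putting the CSS-hidden honeypot field described earlier and the per-IP request monitoring from this paragraph together, as an added Python example that is not from the original post; the field name, the 60-second window and the 5-per-window threshold are assumptions:

```python
import time
from collections import defaultdict, deque

# Constructed example: a comment-form filter combining a honeypot field with
# a sliding-window per-IP rate check. Names and thresholds are assumptions.
HONEYPOT_FIELD = "email"   # tempting name; the real address field is "contact"
MAX_PER_WINDOW = 5         # more than 5 submissions per IP per window is suspicious
WINDOW_SECONDS = 60

# The trap is hidden with CSS rather than type="hidden": naive bots fill in
# every text input they find, while a browser never shows this one.
# tabindex/aria-hidden keep keyboard and screen-reader users from reaching it.
FORM_HTML = f"""
<form method="post" action="/comment">
  <input name="author">
  <input name="contact">
  <textarea name="body"></textarea>
  <div style="position:absolute; left:-10000px" aria-hidden="true">
    <label>Leave this field empty
      <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
    </label>
  </div>
</form>
"""


class CommentFilter:
    def __init__(self, now=time.monotonic):
        self.now = now                   # injectable clock for testing
        self.hits = defaultdict(deque)   # ip -> timestamps of recent submissions

    def classify(self, ip, form):
        """Return 'spam' or 'ok' for one submission, recording it for rate limiting."""
        # Rule 1: a human never sees the honeypot, so any value in it marks a bot.
        if form.get(HONEYPOT_FIELD, "").strip():
            return "spam"
        # Rule 2: drop timestamps older than the window, then count this one.
        t = self.now()
        q = self.hits[ip]
        while q and t - q[0] > WINDOW_SECONDS:
            q.popleft()
        q.append(t)
        if len(q) > MAX_PER_WINDOW:
            return "spam"
        return "ok"
```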

There are services like Ellipsis Human Presence that offer non-intrusive human behavior analytical modeling to attempt to identify non-human site traffic. They use other heuristics like how you navigate the site or how you move your mouse to detect whether you act human or not. I’m sure their detection system can be circumvented with enough effort, but they significantly increase the cost for bad actors without pissing off your actual guests.

We live in a world where spammers are a real problem and must be addressed, but CAPTCHAs are not the answer. You simply cannot afford the friction. By using a CAPTCHA you are making the internet a whole lot less fun for all of us.
