Entrepreneur, executive, and investor; octo-dad; former Googler, now VP Product at

ZDNet recently quoted security expert Eugene Kaspersky commenting on a recent rare piece of OS X malware in the wild:

“I think [Apple] are ten years behind Microsoft in terms of security,” Kaspersky told CBR. “For many years I’ve been saying that from a security point of view there is no big difference between Mac and Windows. It’s always been possible to develop Mac malware, but this one was a bit different. For example it was asking questions about being installed on the system and, using vulnerabilities, it was able to get to the user mode without any alarms.”

It is true that OS X benefits enormously from obscurity relative to Windows’ ubiquity by presenting less opportunity to criminals. But what’s driven me to expend the energy to write this blog posting is Kaspersky’s apparent ignorance of Apple’s protracted efforts to redefine the operating system contract in a dramatic way–with security no doubt as one of the foremost motives (and if not, certainly a material by-product).

This game-changer is (as anyone paying attention knows) the introduction of the Mac App Store in Snow Leopard and the app sandbox in Lion, with identified developers (aka Gatekeeper) coming in Mountain Lion. If you’re in the consumer software business, I’m not sure how you’d miss these developments, but ignorance of them is even less excusable in light of the success of iOS, which has pioneered OS X’s sandbox architecture on the world’s most popular smartphone. The sandbox has done a pretty good job there, given the near-total absence of malware on iOS combined with the world’s largest app ecosystem (by at least one order of magnitude).

It is somewhat valid to point out that Gatekeeper hasn’t shipped yet and the app sandbox on OS X is opt-in and partial, but these are clearly initial, concrete steps towards migrating OS X from Unix openness to a consumer-grade, iOS-ish platform (that will presumably always let the power users opt back out into the wild west).
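Since the argument above rests on the OS X sandbox being opt-in, here is an added example (not code from the original post, and not Apple’s) of how a practitioner can check whether a given app actually opted in. On a Mac, `codesign -d --entitlements :- /Applications/Some.app` dumps an app’s signed entitlements as a property list; the Python below parses such a plist, constructed inline here for illustration, and reports whether `com.apple.security.app-sandbox` is set and which broader entitlements or temporary exceptions the app requested. The capability table and both sample plists are assumptions chosen for the example, not a complete catalogue of Apple’s entitlement keys or a real app’s entitlements.

```python
"""Audit an OS X app's entitlements plist: did it opt into the App Sandbox, and how much did it ask for?"""
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"

# A handful of Apple's App Sandbox entitlement keys and what each one unlocks
# (an illustrative subset chosen for this example, not the full list).
CAPABILITY_KEYS = {
    "com.apple.security.network.client": "outbound network",
    "com.apple.security.network.server": "inbound network",
    "com.apple.security.files.user-selected.read-write": "read/write user-chosen files",
    "com.apple.security.files.downloads.read-write": "read/write ~/Downloads",
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.usb": "USB devices",
}

# Temporary exceptions punch holes in the sandbox and deserve a closer look.
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."


def audit_entitlements(plist_xml: bytes) -> dict:
    """Summarise whether an app opted into the sandbox and which extras it requested."""
    ents = plistlib.loads(plist_xml)
    sandboxed = ents.get(SANDBOX_KEY) is True
    capabilities = [desc for key, desc in CAPABILITY_KEYS.items() if ents.get(key) is True]
    exceptions = sorted(
        key for key, value in ents.items()
        if key.startswith(TEMP_EXCEPTION_PREFIX) and value  # True or a non-empty list
    )
    return {
        "sandboxed": sandboxed,
        "capabilities": capabilities,
        "temporary_exceptions": exceptions,
    }


def verdict(report: dict) -> str:
    """One-line classification a reviewer can scan; exceptions outrank plain capabilities."""
    if not report["sandboxed"]:
        return "not sandboxed"
    if report["temporary_exceptions"]:
        return "sandboxed with temporary exceptions"
    if report["capabilities"]:
        return "sandboxed with %d capabilities" % len(report["capabilities"])
    return "sandboxed (no extra capabilities)"


# Constructed sample entitlements (hypothetical; not taken from any real app).
SANDBOXED_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
    <array>
        <string>/Library/Preferences/</string>
    </array>
</dict>
</plist>
"""

LEGACY_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <false/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, blob in (("sandboxed sample", SANDBOXED_APP), ("legacy sample", LEGACY_APP)):
        report = audit_entitlements(blob)
        print(name, "->", verdict(report), report)
```

The ordering in `verdict` is deliberate: an app that opted into the sandbox but also carries a temporary exception for absolute-path reads is weaker than the "sandboxed" headline suggests, which is exactly the kind of partial adoption the post describes.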

So yeah, Apple may not have set up a robust mechanism to respond to vulnerabilities in third-party code they modify and distribute (i.e., Java) as fast as we would like, and they may not have something as high-profile as Microsoft’s SDL to market security-consciousness to the world, but given how squeaky clean the platform has been traditionally, this seems rather forgivable (and solvable).

But it should be noted that while Microsoft has simply reacted tactically to insecurity for nearly a decade, causing untold misery and chaos for their users, Apple is taking steps to change the game. It seems that’s how they roll.

A decade behind? Hardly. But then, it’s not too hard to see how self-interest may have colored genuine perspective in this case. After all, the expert in question now has the opportunity to create a new market for their wares in a world where Windows’ dominance is finally on the wane.

UPDATE: Friday, April 27, 8:30 am

In the comments, Dan “dfabulich” writes:

I was right with you up until this point: “Microsoft has simply reacted tactically to insecurity for nearly a decade”

Vista was a huge step forward for platform security. ASLR, NX/DEP, Mandatory Integrity Control, and IE Protected Mode were huge at the time.

The problem is that Vista was late, and so buggy that nobody upgraded. Windows 7 security may be better than OSX Lion, but lots of people are still on Windows XP; their only real upgrade path is to buy a new computer.

I agree with Dan; I shouldn’t have written what I did about Microsoft. Whether Microsoft has reacted appropriately to the massive sea change in internet safety and security that occurred at some point in the 90’s / 2000’s is a separate issue and one I would have been wise to avoid.

But since I did step in it, let me expand on what was going on in my head when I wrote that:

While Microsoft is great at creating security patches and has introduced various technologies to make new versions of Windows more secure, they haven’t been at all effective at incentivizing people to upgrade to these versions of Windows nor at incentivizing software providers to require newer versions of Windows. It would seem that this latter point–putting secure software in users’ hands–is at least as important as introducing the new security features to begin with.

“see7” writes:

Regarding the Microsoft Windows XP situation, this is where Apple is now too. OSX 10.5 is already ignored, albeit still used by quite a few people (e.g. some in our company), and I don’t think Gatekeeper or whatever “magic” Apple builds will be backported to even 10.6 or 10.7.

Consider that Windows XP was released in 2001; its Apple peer was OS X 10.0. 10.5 was released in 2007; that makes it contemporary with Windows Vista. Take a look at the relative market share between the two; Apple has done a fantastic job of migrating their users forward by any measure, certainly relative to Microsoft.

Is this because Apple users are fanatics under the thrall of a charismatic salesman? Maybe, but there’s a lot more to the Apple upgrade cycle than that. Consider all that Apple does in this regard:

  • regularly introducing innovative operating system features that give users a reason to upgrade
  • making it hard for developers to support older operating system releases without going out of their way (by regularly updating the developer tools and gradually removing older OS libraries and docs)
  • dropping support for older hardware in new OS releases
  • pricing OS releases aggressively, making them extremely affordable relative to Microsoft’s
  • refreshing the hardware line rapidly, which takes older hardware out of the system and brings an OS upgrade along for the ride

In my view, Microsoft is not as effective or aggressive as Apple on these points. The last one obviously doesn’t apply to Microsoft directly, but given its leverage and influence with OEMs, it cannot be completely exonerated there either.

But is it really fair to hold Microsoft accountable for today’s massive Windows XP install base or claim that they aren’t viewing the problem strategically?

That’s a different point and not one I had intended to explore with this post. I’ll just leave it where I should have and say that I don’t think it’s at all accurate to characterize Apple’s position as ten years behind Microsoft.

Thanks Dan for calling that out.

I admire Steve Jobs. I’ve been aware of him for most of my life, having grown up near “The Valley” and played with computers from my youngest years. However, I wasn’t particularly interested in Jobs until about when most of society became interested in him. In recent years, I harbored a secret desire to work for him at some point in my career. Obviously, that will remain an unfulfilled wish.

So I came to this book with quite a bit of existing knowledge of Jobs. As many have observed, if you’ve already read a few books on Apple or Jobs, you will have heard much of the material in the book. That, coupled with the fact that Isaacson seems to have designed the chapters to stand alone and thus repeated himself a large number of times, led to the general feeling that the book was less about learning about Jobs and more about celebrating his life by reviewing what I and any Jobs fan have heard time and time again.

Still, the new insights (and to be fair, there were many) are worth the price of admission. I also enjoyed the strong editorial voice of Mr. Isaacson, casting Objective-Voice-of-God judgment throughout the book. Maybe it’s because I studied history in college, but I’m comfortable with biographers taking a point of view, especially when they’ve cut their teeth so thoroughly as this one has.

The book ends with an essay by Jobs himself, recounting the lessons of his life. This was a sweet, intimate way to close out the narrative–and I think stands as a testament to the respect Isaacson developed for Jobs.

Ultimately, I think we’re left at the end of the book with ambiguity. Yes, Steve built an amazing company, and certainly if a life is judged by the things one creates and nothing else, Steve’s legacy is tough to beat. But his callous disregard for others–including his own family–is heart-breaking. If this is the cost of building attractive widgets, I would hope most would not pay the price. And so it is left to all of us to work out whether we can achieve career greatness at the level of Jobs whilst also investing in and achieving greatness in the areas of life that matter most.

I think that’s how nearly all of us view Steve Jobs: as a stereotype–a template–of career success that is so comically exaggerated that it is not for any of us to attempt to emulate, but rather, for all of us to study and from which to extrapolate small lessons for our own lives, adapted to the contexts of our own situations. His life seems like a fairy tale of the modern age in classic three-act play format, with achievements of such heights as to defy man to best them with imaginary ones, accompanied by extreme character traits at home alongside the strongest characterizations of great fiction. It’s as if life decided to write the Great American Novel–and succeeded.

For all that, I have enormous affection for Steve as a person. Rest in peace, thanks for the memories, and thanks for the Macs.

(I bought both the audiobook and the hardcover edition of this book. I mostly listened to the book, but I did read some portions. The fact I listened to this may have contributed to my view of the book. I appreciated the introduction from Isaacson, but the narrator–an actor whose name escapes me–would not have been my choice. I also wish they had been able to use Steve’s own recorded voice for the last chapter, but perhaps that was not possible.)

About one month ago, Walmart’s Global Electronic Commerce division acquired our entire Set Direction team–the start-up that Dion and I created in late 2010. We’re now anxiously engaged in a multi-year effort to energize Walmart’s efforts in mobile e-commerce.

If you had told me six months ago this would be Set Direction’s outcome, I wouldn’t have believed you. Dion goes into some of the details surrounding the deal, including how we came to know the folks over at Walmart and the steps that led us here.

Joining was a no-brainer once we grasped the size and scope of the opportunity. In my role as Vice-President of Mobile Engineering and Dion’s as Chief Mobile Architect, we’ll tackle together the challenge of creating the world’s best mobile retail applications for some of the biggest and most exciting markets in the world, such as the US, China, Brazil, and many others.

How are we going to create top-quality products for a variety of mobile platforms across all these markets? How will we be able to evolve the apps fast enough to out-maneuver our formidable competitors when we have a gaggle of platforms and markets to support? Will Node.js scale to our needs? 🙂 These are some of the interesting problems we’ll be solving. Sound fun? We think so too.

While Walmart is the world’s largest company and has an army of people already hard at work on managing its extensive software systems, we’ve been given the opportunity to build our own mobile team with a start-up culture within the Global E-commerce group. Think small teams of incredibly talented people being supported by the resources of the world’s largest company.

Want to join us? Drop me a line.

A Road Leading to the Clouds

Whoa. It seems to me only a few weeks have passed since I previously posted on my blog back during those first few crazy days at Palm when I jumped onto the moving train; somehow, it also feels like ten years ago. Being a part of the Palm story has been a whirlwind adventure. And now, that adventure takes a new form.

Starting Monday, Dion and I are leaving HP / Palm as full-time employees but staying involved with HP webOS in a consulting capacity. Our post on the Palm Developer Blog goes into more detail on this transition and look to Dion’s blog for his own perspective.

As for me, “bittersweet” perfectly describes my feelings at this juncture. Working alongside the talented team at Palm has been a tremendous opportunity, and the chapter being written now with HP is ripe with extraordinary potential. Leaving the company of this crew is certainly a bitter pill to swallow.

At the same time, I couldn’t be more excited to be starting a new venture with my good friend and colleague of many years, Dion Almaer. We’ll post more on the details of our new company soon, but we plan on spending our time creating quality software and helping others to do the same. A particular focus of ours will be to help folks realize high-quality mobile and desktop app and web experiences using HTML5, JavaScript, and related technologies.

What a fascinating time of change for our industry! The Web has been challenged as the dominant platform for mainstream consumer software experiences–though the contest with apps is far from over. The predicted mobile convergence (with the desktop) is happening now. Independent software developers are now re-empowered to earn a living at their craft in a new and interesting way–they join musicians, directors, writers, and other artists whose products command the attention of large swaths of the general public. The opportunity has always been there, but now the complexity of so much infrastructure required to distribute those experiences has been swept away (though the trade-off has not been without cost).

While at present we see a diverse set of incompatible software platforms competing for the right to distribute the produce of these new and revitalized app artisans and businesses, history tells us that consolidation of these platforms cannot be far in the distance. Reducing the number of app platforms in the marketplace–the “content formats” of the app world–is unquestionably a good thing for developers in the short-term. However, I hope that we can evolve to a place where the content format and device manufacturer are not irrevocably coupled. When you think about it, the status quo is comparable to a sort of bizarro world where, say, Sony MiniDiscs achieved unparalleled ubiquity but Sony never licensed the format to other device manufacturers.

Of course, this “bizarro world” I described is how the world played out in the last set of consumer software platform wars, but perhaps this time around a large set of developers will choose portable content formats and ensure that competition and innovation thrive for the next exciting decades to come. And hopefully, Dion and I can play a role in shaping that outcome.

More soon.

(* The analogies above aren’t perfect, of course; cut me some slack. 🙂 I’d love to write another post that goes into detail on the similarities and differences between traditional content media and interactive content, etc.)

There’s no better way to start our careers at Palm than by getting reamed by open-source pioneer and legend Jamie Zawinski, one of the driving forces behind the release of the Mozilla source code and someone we’ve talked about in recent months in another context.

While a blog post isn’t the right avenue to talk about all of the issues that Jamie brought up, we’re following up with him directly and will bring it to a conclusion. We obviously goofed in how we communicated with Jamie, and Dion and I take some of the blame here, as our staff had been waiting for us to come on board to get to some of these items.

We do want to take this opportunity to clarify a few things and share with you a bit about where we at Palm are with our developer program.

Our App Catalog is very much in beta right now, precisely because we want to take time to get it right prior to a full consumer launch. We have been collecting a bunch of feedback from developers and it is helping us prioritize and structure the program. In the brief three months since the launch of the Palm Pre, we have learned a great deal from the community!

We’ve seen some folks assert that Jamie’s case indicates a general pattern at Palm that we don’t really care about developers and aren’t operating in a developer-friendly manner. While we undoubtedly have some work to do here, we hope that people do notice how we treat the “homebrew” community (e.g. PreCentral) and how our current SDK agreement calls out the inspectability and reusability of our own Palm applications. (By the way, several applications from the homebrew community have already made it into our App Catalog.)

While we have yet to finalize and announce our developer program, we hope these points demonstrate our general attitude of embracing developers and empowering them. We’re trying to strike the right balance between locking down our device and making it a free-for-all. Like all great things, this will be an iterative process and we are eager and open to your participation and input to make it better for everyone.

We are sorry that Jamie feels the way he does, but we’ll fix what’s broken and are going to deliver a fantastic opportunity to developers as they in turn help create a fantastic experience for users.

We have a lot more to say on this topic, so watch this space. Dion and I are part of the developer community; we’re listening to what y’all say and we’ll speak up and participate in discussions.

And hey, look for an announcement soon that goes into more details on our developer program.

Do you remember how much the Web used to suck?

Not so long ago, we Web developers would have to constantly educate product managers and other business stakeholders about the limitations of HTML; we would often contrast it with so-called “rich client” technologies.

Over the past few years, we’ve all watched with wonder as these boundaries have disappeared and the Ajax revolution brought us a never-ending supply of rich web applications.

And while Ajax started out as web developers leveraging little-used so-called “latent” browser technologies, browser makers haven’t been sitting idle. Modern browsers are acquiring new abilities at a pace not seen since the early years of the Web–most of which are largely unused by today’s web applications.

Dion and I started a few years back when we like many others felt that a revolution was about to take place, and we’ve been fortunate to be able to chronicle a bit of it as it happened. We feel like the Web is similarly positioned today, ready for another expansion as developers discover and leverage the next generation of browsers.


We’ve been fortunate to do a bit of that expansion ourselves at Mozilla with the Bespin project. What Dion and I started as an experiment to see if we could create a code editor on the Web as responsive as the desktop has turned into a full-fledged project team aiming to revolutionize the way the world writes code.

At the same time the Web has been expanding, we’ve all been blown away as desktop computers have somehow shrunk down to pocket size. Clearly a revolution in hardware is taking place and it doesn’t take a prophet to work out that the future of computing lies along this new trajectory.

However, my enthusiasm for this amazing new world is tempered by some unfortunate decisions made by some of the players in this space. It seems that some view this revolution as a chance to seize power in downright Orwellian ways by constraining what we as developers can say, dictating what kinds of apps we can create, controlling how we distribute our apps, and placing all kinds of limits on what we can do to our computing devices.


And so as my good friend and long-time collaborator Dion so eloquently explains over at his blog, he and I have taken an opportunity to work at Palm–at the very intersection of these two exciting technology arcs–and we have the opportunity to run Palm’s developer program and to do things quite a bit differently than some others in the industry have done.

Dion and I believe in the Web platform–an open platform that no single vendor controls–and we believe in empowering and enabling developers. We have been honored to work with so many who feel the same way at Mozilla, we will continue to advocate those values as members of the Mozilla community, and we can’t wait to put these ideals into practice in our work at Palm.

Chuck Finley

As prognosticated earlier, the next release of Bespin (named “Chuck Finley”) schlepped out the door this week. One half maintenance release and the other half feature release, Chuck Finley adds a “deploy” command and support for SVN commands while fixing various glitches with the once-shiny-now-lusterless “H. E. Pennypacker” release we put out in late August. The deploy command takes Bespin one step closer to the vision of developing entirely in the cloud and we’re absolutely thrilled to move in that direction.

Kevin Dangoor goes into Chuck Finley’s new features over on his blog, including a look at an enhancement to collaboration that shows you the current location of your collaborators’ cursors (a fancier version of this is coming soon).


Next up is 0.4.5 “Bubba Ho-Tep”, a planned maintenance release for next week that may gain a few features as well.