The magic of making hard things easy

I wrote earlier this week about how life is, generally, hard.  There’s no question about that.

One of my favorite things about the Internet, and probably the most exciting thing about working in venture capital, is being around people who are working to re-architect the world to make hard things easier.  And by easier, I mean: by designing clever social / technical / collaborative hacks that redesign the problem and the solution.

Yesterday, I was out in SF for USV’s semiannual Trust, Safety and Security summit — Brittany runs USV portfolio summits twice a month and one of the ones I don’t miss is this one.  It brings together folks working on Trust and Safety issues (everything from fraud, to bullying, to child safety, to privacy) and Security issues (securing offices & servers; defending against hacker attacks, etc.).  Everyone learns from everyone else about how to get better at all of these important activities.

Trust, Safety and Security teams are the unsung heroes of every web platform.  What they do is largely invisible to end users, and you usually only hear about them when something goes wrong.  They are the ones building the internal systems that make it possible to buy from a stranger online, to get into someone’s car, to let your kid use the internet.  If web platforms were governments, they would be the legislature, law enforcement, national security, and social services.

Often times at these summits, we bring in outside guests who have particular expertise in some area.  At yesterday’s summit, our guest was Alex Rice, formerly head of Product Security at Facebook, and now founder of HackerOne.  Side note: it was fascinating to hear about how Facebook bakes security into every product and engineering team — subject for a later post.  For today: HackerOne is a fascinating platform that takes something really hard — security testing — and architects it to be (relatively) easy, by incentivizing the identification and closing out of security holes in web applications and open source projects.

The magic of HackerOne is solving for incentives and awkwardness, on both sides (tech cos and security researchers).  Security researchers are infamous for finding flaws in web platforms, and then, if the platforms don’t respond and fix it, going public.  This is only a semi-effective system, and it’s very adversarial.  HackerOne solves for this by letting web platforms sign up (either in public or private) and attract hackers/researchers, and mediating the process of identifying, fixing, and publicizing bugs, and paying out “bug bounties” to the hackers.  Platforms get stronger, hackers get paid.  In the year that it’s been operating, HackerOne has solved over 5,000 bugs and paid out over $1.6mm in bug bounties.

Thinking about this, it strikes me that there are a few common traits of platforms that successfully re-architect something from hard –> easy:

Structure and incentives: The secret sauce here is mediating the tasks in a new way, and cleverly building incentives for everyone to participate.  Companies don’t like to admit they might have security holes. They don’t like to engage with abrasive outside researchers.  Email isn’t a very accountable mode of communication for this.  But HackerOne is figuring out how to solve for that — if every company has a HackerOne page, there’s nothing to fear about having one.  Building a workflow around bug finding / solving / publicizing solves a lot of practical problems (like making payments and getting multi-party sign off on going public).  Money that’s small for a big company is big for an individual researcher — one hacker earned $20k in bug bounties in a single month, for a single company, recently.  Essentially, HackerOne is doing to security bugs what StackOverflow has done for technical Q&A: take a messy, hard, unattractive problem with a not-very-effective solution and re-architect it to be easy, attractive and magical.

Vastly broadening the pool of participants:  After the summit, I asked Alex how old the youngest successful bug finder on the platform is.  Any guesses?  11.  Right: an 11 year old found a security hole in a website and got paid for it.  Every successful hard –> easy solution on the internet does this.  Another of my favorite examples is CrowdMed, where a community of solvers makes hard medical diagnoses that other specialists could not — 70% of the solvers are not doctors.  (They typically solve it with an “oh, my friend has those symptoms; maybe it’s ____” approach, which you can only do at web scale).

Deep personal experience: It takes a lot of subject matter expertise to get these nuances right.  It makes sense that Alex was a security specialist, that Joel at Stack Overflow has been building developer tools for nearly two decades, and that Jared at CrowdMed was inspired by his own sister’s experience with a rare, difficult-to-diagnose disease.  I would like to think that it’s also possible to do this without that deep expertise, but it seems clear that it helps a lot.

The fact that it’s not only possible to make hard things easy, but that smart people everywhere are building things that do it right now, is what gets me going every day.
