Tuesday, May 22, 2012

Enough Facebook, Anyone Remember AOL?

Tl;dr AOL is operating at near FB levels of P/E, on tiny earnings, and this is probably unsustainable.

Tim Armstrong, CEO of AOL, did a talk at Techcrunch Disrupt. In it, Mr. Armstrong said, inter alia, that AOL was “becoming a house of strong brands” as it transitions to be more of a content company:

He admitted that despite having some dissident shareholders that “don’t believe” in the content strategy, most of AOL’s shareholders do believe in it.

I'm not particularly interested in Mr. Armstrong's claims about what AOL is doing. However, I would like to examine the financials of AOL, especially now that we are all in stock-markety-valuation-y moods given FB's bump. Here's AOL's chart, as of close today, 5/22/12:

Just to reiterate, that is a Mkt Cap of 2.54B and PE of 85.38 which translates to earnings of $29.75M. That is very sincerely not a whole lot of money. Again, assuming a 'healthy' PE is somewhere around 13, AOL needs to post earnings of around $195M, or roughly a 650% increase in earnings. This seems... unlikely, to put it mildly.

So, Mr. Armstrong, it may well be that the shareholders do believe in the current strategy... but they may well be delusional. A PE of 85 on earnings of $30M is just unsustainable for a company with 5,660 employees, and I just do not see that AOL is going to be the company to solve the content-monetization crisis. Incredible to believe that AOL Time Warner was once a hundred billion dollar company.

From Techcrunch: How the Media is Wrong About Facebook's IPO -- But I'm Still Bearish

Tl;dr Though the FB IPO may have gone off a lot more smoothly than many critics are saying, FB needs to post consistent, high growth in order to justify its valuation, which looks unlikely.

Techcrunch contributor and VC Dan Scholnick makes three very astute points about the Facebook IPO, worth reiterating:

1. The best IPOs maximize capital raised by the company while minimizing dilution for existing shareholders and employees.
2. The best IPOs minimize the fees paid and value transferred to third parties.
3. The best investments are determined over months and years, not hours and days.

In general, I agree. And by these metrics, FB's IPO was pretty good. Additionally, now that NASDAQ:FB has closed at precisely 31, as of 5/22/12, I think one could argue that the underlying value of FB is actually pretty well within the range predicted by bankers. That is, it seems counterintuitive to me that one would price a stock lower than its value when planning an IPO, especially as, Mr. Scholnick points out, the 'pop' associated with such undervaluations mostly benefits bankers and investors, and not the company. To put it another way, the actual price of FB, purely as a function of what the market will bear, turns out to be pretty close to its IPO price, so that seems pretty good. If it had been way undervalued or way overvalued, this would be a problem, as it would mean the bankers had improperly estimated the value of the company. So, by the above metrics, and judging by the price the market will bear, FB's IPO seems to have gone off relatively smoothly. However, all this aside, I am still bearish on FB, for the following reasons.

FB's PE is now 99.22, with a Mkt Cap of 66.28B, translating to earnings of 668M. Assuming that a 'healthy' PE would be somewhere around 13, this means that investors are expecting FB to be able to post earnings of 5.01B within the not-too-distant future.

On the one hand, given that FB has 900M users, that comes out to a total user-year value of about $5.66 a year. Given that it looks like FB is on track for something like 80 hours per user, per year it doesn't seem unreasonable to think that FB could get five bucks and five bits out of 80 hours of user usage. On the other hand, this would also represent a 750% increase in revenue, which is, as they say, substantially non-trivial.

So we will see. Personally, I think unless FB can start to show some really meaningful headway toward a 5B revenue in the near future, its price will continue to go down. Also, given the negative QoQ revenue growth, FB may be in for a rocky road.

Password Security: When the Problem Exists Between Keyboard and Chair

Tl;dr When a third party asks for information that allows them to reset your passwords for other services, you should be very wary.

Technology Review has an interesting story about a potential security hole in gmail. Basically, it works like this:

1. Hacker site offers a user a discount/teaser/whatever and asks them to enter their gmail address.
2. Hacker site sends a request to gmail to have an account verification code sent to the user's cellphone.
3. Hacker site requests user to enter the verification code sent by gmail into their site.
4. Hacker uses verification code to hijack gmail account.

As the comments in that article point out, this is not actually a technical loophole. It is a prime example of PEBKAC: Problem Exists Between Keyboard And Chair. Specifically, one would hope that your average user would be smart enough not to give a password reset verification code to a third party that they had only just encountered.

Unfortunately, there is no foolproof way to protect gullible users from themselves, and it is far more important that the millions of gmail users who do properly use SMS password reset protocols have access to this functionality than it is to simply disable it for everyone. In other words, this is not really a security flaw, so much as an unfortunate externality of a very useful password reset system. In the same way that a bank safe cannot be secure if the bank manager writes the combination on the front door, no password security protocol can stand up to a user divulging sensitive information.

Moral of the story: anytime a third party requests secure information from another service you use, whether that is login info, password info, security questions, etc., alarm bells should go off. Before you supply any such information, try your hardest to determine the provenance of the requesting party.

Friday, May 18, 2012

Gmail, Why Do You Choose to Spite Me So?

I used to do a lot of front end development, so I find bad user controls to be particularly vexing. I doubt this makes me special, as it probably annoys most other humans, too. However, some things just pop off the page at me. The below is one of them.

Gmail, despite the fact that it is my lifeblood, is a frequent perpetrator of bad UI. This is often exacerbated by the fact that Gmail loves to push interface changes on its users without warning, explanation, and frequently without the ability to undo. I understand the necessity of this, but sometimes they get something infuriatingly wrong. Like this:

This is an image from my Gmail user pane (yes, everything of mine is space themed -- wanna fight about it?) where there used to be a button that allowed me to scroll to the second page of my Inbox. It looked rather like this:

In fact, I can get to those controls by clicking on the words "1-25 of many", which transports me to another Inbox view. However, from my default Inbox view itself, there is simply no way I can get to the second page of emails. I can think of reasons why someone might argue that this interface change is obvious, intuitive or helpful, but those reasons are all bad.

So, why in the name of Great Odin's Beard these controls are no longer in the default view is just flabbergasting to me. This may be a minor point, but it is still really sloppy user experience for a product that I spend hundreds of hours using, per year. If it is confusing to me (and it was), I can only imagine how less savvy internet users will react when this change percolates through to their inboxes.

Wednesday, May 16, 2012

Free Does Not Mean Valueless

Tl;dr People are unwilling to pay for baseline content; make your baseline content free and use it as a loss-leader to sell naturally scarce premium services crafted to engage your target audience.

A coworker forwarded me this article today, entitled "The Emperor has no Content."

It is a short read, and worth reading. Let me say that I am taking this opportunity, as prompted by Mr. Rutledge, to, in fact, comment on my own site.

I disagree pretty emphatically with the conclusion that Rutledge seems to make, which is this:

If the content is valuable people should pay to read it.

This is a very common misconception. First off, it utterly conflates 'value' with 'money.' Many things that have value have non-monetary value. Second, it assumes that if something does not have a price tag, it is worthless. This is also obviously incorrect.

More importantly, however, it misses the point: while I fully agree that advertisers probably do not have the interests of content producers at heart, and that online ads can be really intrusive and weaken online content user experience, I think that simply saying that you should charge for access is the exact wrong attitude. People are unwilling to pay for baseline content, and that is not going to change. What you can charge for is for additional services or goods on top of the free content, as a freemium model. People have no problem paying for things that are genuinely scarce, and online content is not scarce. If you charge me for access to news, I will simply read my news at a free source. There is a stronger argument for charging for access to creative material, as good stories are non-fungible. However, I sincerely cannot remember the last time I actually bought a book from an author who I had not previously read, and liked, and was given that original book by a friend.

It is interesting to note that intellectual property law actually gets this one right: You cannot own news items, nor can you own facts. That is outside the scope of copyright, as it should be. As a result, anyone who is arguing that newspapers should have paywalls is really headed down the wrong avenue: news is fungible. No matter what you are reporting, I can find out about it somewhere else for free. So charging for it just limits your audience.

However, if the NYTimes wanted to charge me for access to message boards that story authors actively contribute to, for the ability to ask questions directly of columnists, for the ability to upvote or downvote proposed story topics -- yes, I would pay for these things. Because they offer me some real value above and beyond merely charging me for something that has literally zero marginal cost to distribute.

Also, please note that Mr. Rutledge's car analogy totally, totally misses the point on this whole debate: Cars are a naturally scarce resource. Each one costs money to manufacture and uses physical material. Online news is not a scarce resource. Once you have written down a news story, it costs no more to send it to five people than to five hundred million. So this is the point that Mr. Rutledge has missed: rather than charging for access to something that is not naturally scarce, Mr. Rutledge should be focusing his energy on providing naturally scarce services or goods to his customers/clients which can then be charged for†. It's that simple. Mike Masnick, of Techdirt, has written literally dozens of articles on this exact topic. I'll link a few choicer ones here. Suffice it to say, I think that despite the fact Mr. Rutledge has very astutely come to some deep, and correct, conclusions about advertising, his underlying point is really misguided.

An Economic Explanation For Why DRM Cannot Open Up New Business Model Opportunities
Saying You Can't Compete With Free Is Saying You Can't Compete Period
In Which I Debate A Media Mogul Who Insists It's Crazy To Give Content Away For Free
Evidence Shows You Can, In Fact, 'Compete' With 'Free'
Economist: Copyright Is An Antiquated Relic That Has No Place In The Digital Age

So, basically, in conclusion, the attitude that things that do not cost money have no value is pretty vexing to me, not only because it is wrongheaded, but because it is so depressingly common amongst content producers, and it is an attitude that leads directly to shooting yourself in the foot. Because instead of figuring freemium services to offer that people would actually be willing to pay for, it is thumping on your pre-existing product and yelling at your consumers for not wanting to pay for it. So instead of being forward thinking and productive, one becomes interested in restricting access to pre-existing work. That, to me, is absurd.

† There are examples of people willing to pay high premiums for infinite goods. HBO is a prime example. So is a subscription to World of Warcraft. However, there is still natural scarcity in both these models: HBO's shows are really, really good and WoW is also really, really good (so I've heard). They are way better than the quality of many of their competitors, and I'm willing to pay for that. However, you will never get a similar disparity in news reporting. This doesn't mean that you cannot charge for premium access to elite content production of one form or another, but, again, it is really, really rare that you can successfully charge for pure content access. Additionally, WoW is not even really an infinite resource, because you are actively leasing server time and directly interacting with other people, who are themselves expending energy in their participation. Finally, ad-supported models can and do work. I'm perfectly willing to sit through Ads on Hulu to get my daily Colbert fix, and as Hulu grows, some of the ads are actually relevant to me.

Tuesday, May 15, 2012

Three Digit PE! / How much bigger can Facebook get?

Apparently, Facebook's IPO will put it in the fabled faery lands of companies with three digit P/E ratios. Specifically, it looks like Facebook may well have a P/E of 100 when it goes public. For reference, Apple's P/E is currently 13.6 and Google's is 18.55. If Apple's P/E was 100, its market cap would roughly be 3.8 TRILLION dollars, and similarly, Google would be valued at 1.07T. Granted, P/Es that high are not unheard of, but, typically, they are very big when a company is still very early in its growth curve, or, on the way down, when earnings are particularly low but there is still fundamental underlying value to the company. For instance, EA currently has a P/E of ~66. This honestly is probably not great for EA, and, in fact, earnings are way, way down for the gaming industry as a whole right now, apparently to the tune of 25% March 2011 v. March 2012, and 32% April 2011 to April 2012.

So, no matter how you look at it, Facebook's valuation is really, really high. Given it currently has 900,000,000 users, and given that 80% of the world's 7B residents live on less than ~$3600 a year, it looks like the total addressable market for Facebook is 1.4B... meaning that, globally, there are only around 500M potential users left. Accordingly Facebook can only realistically grow another 15.5%, if one just assumes linear extrapolation and ignores a whole lot of other details. I think that, in broad strokes, however, this rough estimate is actually quite telling. Facebook is so huge it already probably has the majority of its global addressable market. So unless it can start to figure out how to get a whole lot more money per user, they cannot rely on additional growth to justify their P/E, because they are approaching total market saturation.

Update: Apparently, GM has just stopped buying paid ads on Facebook. According to the WSJ:

General Motors Co. plans to stop advertising on Facebook after the company's marketing executives determined their paid ads had little impact on consumers, people familiar with the matter said, a move that comes as more companies question the effectiveness of advertising on the social networking site.

I'm still betting on a first day bump for Facebook, but, hey, I may be wrong.

Tl;dr Facebook's valuation is 100x its yearly earnings, which is unsustainable given that they don't have much more room to grow, and that multiple is way, way higher than other tech giants.

Edit/update: A friend of mine pointed out that a mere $9 profit a year, per user, for Facebook, would generate 8.1B in yearly earnings. This would put their multiple at 12.34, which is actually pretty solid. So, that raises the following questions about ceilings:

1. If Facebook has 900M users, and is generating ~1B in yearly profits, is it possible to get to 8B in profits? To put it another way, is the way in which Facebook users interact with the site worth $9 per year, above costs, as opposed to the current $1 per year?
2. Of those 900M users, how many are actually active accounts? More specifically, is it possible that Facebook has already reached a maximum of user-hours?

To reiterate, that's two questions: the first is about the value of user hours, the second is about whether Facebook can increase the number of user hours. Only time will tell.

Better Math on Online v. TV / Forgive Me, for I am Mortal

In an earlier post, I did a very rough comparison of the economics of television v. online users. I committed a pretty big mathematical blunder, and, also, found some better data. So let me correct myself.

Apparently, Pinterest users spend about 15 hours a year using the service, which would give a per-hour valuation of ~$1. This would value Mad Men at $42M, using the same math I did in the previous post. However, if you just calculated that Mad Men viewers have the same value as Pinterest users, instead of doing my elaborate (and probably useless) per-user-hour valuation, that number is $57.5M.

It is important to note that these are really from-the-hip estimates. In fact, the mistake I made in the previous post actually demonstrates quite well the problem with doing this sort of comparison: in order to get the value of 37¢ an hour, I just divided user value (16.50) by 50% of the hours spent on Facebook per year (48)†. The fallacy here is assuming that the value is unrelated to the amount of time users spend on the site; in other words, by this logic, if users were to spend more time on the sites, and the user value were held constant, the per hour value would drop. This is almost certainly wrong, as sites that users spend a lot of time on are inherently more valuable than those with a high bounce rate. In other words, the value of a site increases with time spent on it.

So, my point is that this is a really roughshod way of comparing apples to oranges, but it was the easiest way to do a back-of-the-envelope comparison between TV ratings and online users. I think my conclusion stands, however: it is amazing that a show like Mad Men, with 2,640,000-3,500,000 weekly viewers, would be a Network Television failure, in a world where having a few million users for an online service means you have a pretty big success on your hands. Many will say "sure, but internet companies are overvalued," and while I agree that this is probably true, I think the counterpoint is that the dated, legacy ways in which television shows make money undervalues them.

† The mistake I made was using the lower, not the upper, bound of estimated user hours to determine this value. I said I was being disfavorable in this calculation, which means I should have used the upper bound, not the lower one.

Tl;dr If online startups are overvalued, tv shows are probably undervalued, likely as a result of their aging business model.

Orwell's Armchair

A former professor of mine, Derek Bambauer, has recently written a very interesting article on on-line censorship. You can read it here. Abstract reproduced below:

America has begun to censor the Internet. Defying conventional scholarly wisdom that Supreme Court precedent bars Internet censorship, federal and state governments are increasingly using indirect methods to engage in “soft” blocking of on-line material. This Article assesses these methods and makes a controversial claim: hard censorship, such as the PROTECT IP Act, is normatively preferable to indirect restrictions. It introduces a taxonomy of five censorship strategies: direct control, deputizing intermediaries, payment, pretext, and persuasion. It next makes three core claims. First, only one strategy - deputizing intermediaries - is limited significantly by current law. Government retains considerable freedom of action to employ the other methods, and has begun to do so. Second, the Article employs a process-based methodology to argue that indirect censorship strategies are less legitimate than direct regulation. Lastly, it proposes using specialized legislation if the U.S. decides to conduct Internet censorship, and sets out key components that a statute must include to be legitimate, with the goal of aligning censorship with prior restraint doctrine. It concludes by assessing how soft Internet censorship affects current scholarly debates over the state’s role in shaping information on-line, sounding a skeptical note about government’s potential to balance communication.

It will take me some time to fully digest all this and form my own opinion, but suffice it to say, I have tremendous respect for Derek's opinions and really enjoyed being his student (so much so that I had four classes with him while at law school). It wouldn't be too much of an exaggeration to say that he taught me nearly everything I know about internet law (one of the classes I had with him was actually titled "Internet Law"), but I don't want to somehow imply that my opinions are his or that I am in any way his spokesperson. Whereas Derek is a professional academic, I'm a dude whose homepage links to Zombo.com. 'Nuff said.

Cheers, Derek!

Tuesday, May 8, 2012

Last One on Apple Passwords... For Now

In previous posts, I have complained, at length, about Apple's new password policy.

This weekend, the first time I wanted to use my new Apple password, after nine attempts, I discovered I could not remember it. Then I went back to my security questions, and, once again, on my first attempt, I got one wrong.

I sincerely wonder if the Steve would have allowed a password policy that is such an infuriatingly poor user experience to have been pushed to production.

"Cyber" Attacks on America's Pipelines

Disclaimer: I am not a security expert. However, this guy is, and he posted that story just about a week before this one hit the net-waves.

Summary: DHS has issued a statement saying that what they suspect was a single entity made a bunch of so-called 'spear-phishing' attacks at companies that control oil pipelines. It is being played up by all the standard press, including that media outlet, as a reason we should pump more money into 'cybersecurity.' This is false. Here's why.

1. This was not a "cyber" attack: it may have been perpetrated with email, but it is essentially fraud. It relies on weaknesses in the humans at these organizations, in an effort to get their passwords, thus giving the antagonists access to the corporate networks. 'Phishing' -- the type of attack employed -- is explained aptly by Wikipedia. Please note the distinction between trying to get humans to trip up and give you their passwords vs. engineering your way into the system by exploiting vulnerabilities in the underlying software.

2. There is simply no reason (a) for people who are unsophisticated enough to fall for phishing scams to be in technically sensitive positions for major, critical infrastructure projects and (b) for the networks that connect to these infrastructures to be accessible from any machine that is connected to the internet. (a) is a personnel issue. (b) is an engineering issue: though it may be convenient to have our nation's infrastructure hooked up to the www, for this extremely obvious reason, that convenience is astronomically outweighed by the risks associated with it. We want the folks who control the nation's pipelines to have to be a bit inconvenienced by physical and technological security protocols before they start tinkering with those control systems.

3. This situation was resolved perfectly well under current law.

So, in totality, my opinion is that our system is working just fine, that this 'crime' was not so cyber, and that the 'solution' (if there can be one to a problem I believe is largely illusory) is to make sure infrastructure-critical systems are not on the web. To bring it back full-circle, here is Schneier 're-tweeting' a NYTimes Guest Piece about the overblown threat of cybercrime.

Wednesday, May 2, 2012

Value: Television Ratings v. Online Users

I'm a huge fan of the Nerdist Podcast. I only found it a couple months ago, but I've listened to multiple dozens since then. Great interviews, great banter, great stuff. However, a warning: it often runs very, very blue, so, if you go and listen and are offended, don't say I didn't tell you.

Kevin Smith was on in a very recent episode, in fact, his second appearance.

A fair part of the discussion was about TV ratings. I found it interesting because they referred to (albeit without explanation†) the arcane, and, in my eyes, utterly, fantastically, and absurdly outdated measurement system that is called TV Ratings, and their discussion was very telling. In essence, let me just say that I am not the first person, nor shall I be the last, to say that the Nielsen box system is a living incarnation of the inductive fallacy.

Kevin Smith pointed out that a show with a "seven share" is considered a network failure of such astounding proportions that it would be considered a strike-out. To translate, a "seven share" means that 7% of televisions, in America, that are actually turned on in the relevant time-frame are tuned to your show. There are approximately 116 million households in America with televisions. There are approximately 2.6 people per household in America currently. So, let's be generous, round down a bunch, and figure out a lower bound for what "seven share" means.

Let's say that, simultaneously, the Moon has burst into flames and the night sky has turned into an unusually compelling fast food advertisement. This would mean that probably only 25% of American households are watching TV. Then let's say that, in these households, 50% of the people are asleep or trembling under their beds.

Doing the math through, this means that ~2,640,000 people are watching a show that the networks would consider to be a dive-bombing failure.

Following through on the Nerdist discussion, they pointed out that Mad Men, which I am a big fan of, and is culturally an extremely influential show, maxes out at something like 3,500,000 viewers per episode, and this is after years of building a fan base.

Let's compare that to this handy chart, about the value of Internet companies, based on user count. Pinterest, a tiny company with no revenue stream I've ever heard about, has a per user value of ~$16.50.

Obviously, this is not an apples-to-apples comparison, as TV ratings and online user subscriptions are different beasts. However, in this comparison, they are about eyeball-time, and are driven by advertising dollars. If a service that literally offers no products can be worth $16.50 per user, what is the value of eyeballs on television shows? Why is it that a show that demands the attention of 3,500,000 eyeballs for a full hour, on Sunday evening, every week for 12 weeks straight, would be considered a network failure?

Let's use Facebook user-time as a rough gaussian, and estimate that Pinterest users are on Pinterest between 50% and 150% of the average time, per user, on Facebook. This puts their yearly use at a total of 48 to 144 hours, as an over-under, per user, so let's call it a total of 37.5 cents per user hour (Edit/Note: I messed up my math, [particularly unforgivable for someone with my background] and, additionally, I found better numbers; post to come and will be linked here, but, in fact, the numbers are even more favorable to Mad Men). The average Mad Men 'user' spends precisely 12 hours on Mad Men per year, so, doing a completely economically baseless, linear translation, this values Mad Men at $15.75M. Mad Men costs about $2.5M per episode, so a season costs approximately $30M. For ref, the most expensive TV shows max out at $100M per 12 episode season, and are black swans. So, in essence, by these very basic (and tell me if they are wrong) numbers, if you valued Mad Men as a flash in the pan Internet startup, it probably wouldn't be that far off from being able to take out a 100% equity loan to cover an entire season of production costs. If one assumes that TV ads for this incredibly relevant, culturally important drama with an extremely dedicated fan base (one that probably runs into the demographic gold of educated folks with disposable income) are sold and placed by people who actually know what they are doing, it should not be that hard to get more ad revenue in than that. I mean, come on, Sterling is doing ads for Lincoln cars. There has to be some dough in that. Also, note, Mad Men is famous for having incredibly high production values. These guys probably spend like, I dunno, $30,000 per episode? And they are hilarious. The first episode of It's Always Sunny cost $50,000.

To me, the fact that Mad Men would be a network failure is an indication that the cable distribution mechanism is beyond broken. If you cannot make money off of roughly ~42,000,000 eyeball hours, even with the premium budget that Mad Men demands, and deserves, something is utterly broken about your business model. The commentators on the Nerdist Podcast pointed out that only a network like AMC could take the 'risk' of promoting a show with such low ratings, and that AMC could 'work with those numbers' in order to keep the show going. That, to me, is insane. Totally, totally insane.

To be fair, I am going to make the counterpoint to my own argument. It is entirely possible that online companies are way overvalued, and that the true value of advertising supported fare is actually way, way lower than either TV shows or give-away-and-pray based Internet companies demonstrate.

However, I think it is somewhere in between.

I think that, historically, TV and dead-tree-print ads were way, way overvalued, largely because they were kitchen-sink style broadcast ads, targeted at broad demographics determined by systems measured by Nielsen, and because distribution media was rather expensive to produce. Originally, Internet advertising was similarly overvalued. Now, we have the flipside, with generic, kitchen-sink Internet ads pulling in a CPM of something like ~$1.00. However, I think that as web services become better at targeting their customer base, demonstrating that their users are not weirdos (which they probably aren't), and that they are willing to spend money on goods and services (which they probably are), that number will rise, as demonstrated very clearly by the per user value chart linked above. Similarly, if a TV show cannot sustain itself with 3.5M viewers per week, they are getting a pathetically tiny fraction of their advertising-dollar pie, or the people selling their ads are doing a bad job. In any event, I think that it is pretty clear that the TV industry is in a ridiculous mess if a show that demands 42M eyeball hours in a single quarter is considered a risky venture. So, the arbitrage that is occurring is this: TV broadcast ads are way overvalued, and only a small percentage actually goes back to the content producers; un-targeted Internet ads probably represent the true value of un-targeted ads in any medium, and ~90% go to the content producers; precisely targeted advertising to a dedicated fan-base is probably valued somewhere in the middle, if not even higher than TV broadcast ads, and ~90% of that revenue should be going to the content producers, because distribution is no longer a value added service.

So, folks, feel free to disagree. I'm always open to evidence and arguments proving that I'm wrong.

†Nerdists, I am a huge fan. But forgive me for pointing out a technical omission, which, frankly, is the most important kind of omission.

Tuesday, May 1, 2012

Note on LLC Publication Requirements in New York State

Read the standard disclaimer, in the right column.

Recently, I was forwarded this blog post by a colleague.

In summary, these guys are starting a service that lets you order coasters with photos from your Instagram account. Seems like a great idea and I wish them the best of luck and success. However, they have included a pretty serious legal error in their advice.

Fundamentally, they suggest that by forming an LLC in Delaware, you can circumvent the New York State LLC Publication Requirement. This is 100% false. No matter where your LLC is formed, if it is DBINY, you have to publish, as well as file an "Application for Authority."

The New York Secretary of State Guide to forming a New York LLC is here.

Citizen's Media Law Project has a pretty good looking checklist here. Please note, I have not fully checked the veracity of this checklist, but, upon first glance, it looks pretty thorough. As always, read my disclaimer.

Though I've never used their service, so cannot offer an opinion about the quality of their service, these guys seem to have pretty good prices for LLC Publication.

So, in conclusion, beware of relying on advice from the internet on legal matters, this author included. Be especially wary of advice from people who are not lawyers, no matter how well intentioned and otherwise awesome they are.

Apple Doubles Down on Bad Password Policy

A coworker had her iPhone stolen this morning, so I thought it would be an appropriate time to update my "Find my Phone" settings. In the process, I wanted to create a new, more secure password for my Apple account. I don't know if it was the fact it was first thing in the morning, that I had low blood sugar or that this policy is genuinely idiotic, but seeing Apple's new password requirements put me into a near apoplectic rage.

Requirements: 1 capital letter, 1 lowercase letter, 1 number.

Honestly, this is just awful. The chances I will forget this nonsense password are now very, very high, and I will have to rely on the horrid security questions I filled out just last week. Which, for the record, I got wrong today when I was prompted by iCloud. Proving my point rather well, I'd argue.

Also, for the record, I'd like to point out that, in particular, the uppercase/lowercase distinction is extremely poor password policy. First off, it does not substantially add to the complexity of brute forcing a password. Testing a possible character set of 62 (a-z + A-Z + 0-9) against an 8 character password is not much more computationally burdensome than testing a possible character set of 36 (a-z + 0-9) against a 9 character password: (62^8) / (36^9) = 2.14†. This means that, for ALL the added security of requiring one capital letter in an 8 character password, that effect is almost negated by adding a single additional character to a password without capital requirements.

Let's take this math further. If you add two characters to a password that is only alphabetic, without a numeric requirement, a 10 character password is almost exactly as secure as an 8 character password with these absurd requirements: (62^8) / (26^10) = 1.55.

Compound this with the fact that, truly, there is no consistent way to attach meaning to capitals, and you have a truly ridiculous requirement. What capitalization schema are people supposed to use so that they will remember which characters to capitalize? camelCaps? StrictCamelCaps? evEryThiRd? No one will ever remember this, and, additionally, if you are smart, rather than trying to brute force a password, you will run through these common capitalization schemes and reduce the time to guess a password. So, in other words, the only meaningful way to include capitalization in a password, in order to make brute force attacks harder, is for it to follow no pattern whatsoever. Good luck remembering that.

So, in conclusion, a message to Apple: a 10 character, plain English password is almost exactly as secure as an 8 character password that meets your absurd requirements. So, do us a favor: up the minimum password length, rather than make us type L1k3tHIs.

†When rules are added to password requirements, they should introduce something like an order of magnitude more complexity, ideally, two. A single digit factor increase in computational complexity, especially in the neighborhood of 2, is just not worth it. The time frame (hours, days, months) to brute force a password won't be changed by a factor like this. So, if the goal is to make brute forcing not worthwhile, you need something that changes the time frame dramatically, i.e., from hours to weeks or from days to months. A factor of ~2 will simply not accomplish this.
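As an added worked example (not from the original post), here is the keyspace arithmetic behind the 62^8 vs 36^9 vs 26^10 comparison, extended a step further: it also counts only the 8 character passwords that actually satisfy the three-class rule, since a guesser who knows the policy never has to try the rest, so the real compliant space is smaller than 62^8. The 1e9 guesses per second rate is an assumed figure for illustration.

```python
import math

# Added example: keyspace sizes for the password policy comparison.
LOWER, UPPER, DIGIT = 26, 26, 10


def keyspace(charset_size: int, length: int) -> int:
    """Number of strings of `length` symbols drawn from a `charset_size` alphabet."""
    return charset_size ** length


def bits(charset_size: int, length: int) -> float:
    """Same keyspace expressed as bits of entropy (for uniformly random passwords)."""
    return length * math.log2(charset_size)


def ratio(set_a: int, len_a: int, set_b: int, len_b: int) -> float:
    """How many times larger keyspace A is than keyspace B."""
    return keyspace(set_a, len_a) / keyspace(set_b, len_b)


def compliant_count(length: int) -> int:
    """Count passwords over [a-zA-Z0-9] of `length` that contain at least one
    lowercase letter, one uppercase letter and one digit (inclusion-exclusion).
    This, not 62^length, is the space a policy-aware guesser has to cover."""
    total = keyspace(LOWER + UPPER + DIGIT, length)
    no_lower = keyspace(UPPER + DIGIT, length)
    no_upper = keyspace(LOWER + DIGIT, length)
    no_digit = keyspace(LOWER + UPPER, length)
    only_digit = keyspace(DIGIT, length)  # neither lower nor upper
    only_upper = keyspace(UPPER, length)  # neither lower nor digit
    only_lower = keyspace(LOWER, length)  # neither upper nor digit
    return total - no_lower - no_upper - no_digit + only_digit + only_upper + only_lower


def hours_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case hours to try every password at an assumed offline guess rate."""
    return space / guesses_per_second / 3600


if __name__ == "__main__":
    RATE = 1e9  # assumed guess rate, constructed for illustration only
    print(f"62^8 / 36^9  = {ratio(62, 8, 36, 9):.2f}")
    print(f"62^8 / 26^10 = {ratio(62, 8, 26, 10):.2f}")
    c8 = compliant_count(8)
    print(f"policy-compliant 8-char space: {c8:,} "
          f"= {c8 / keyspace(62, 8):.0%} of 62^8, "
          f"{c8 / keyspace(26, 10):.2f}x the 10-char lowercase space")
    for label, cs, n in (("62^8", 62, 8), ("26^10", 26, 10)):
        print(f"{label}: {bits(cs, n):.1f} bits, "
              f"{hours_to_exhaust(keyspace(cs, n), RATE):.1f} h at {RATE:.0e} guesses/s")
```

Both 62^8 and 26^10 land in the same "a couple of days at 1e9 guesses/s" bracket, which is the footnote's point: a factor of about 2 does not move the time frame.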