The recent SolarWinds incident has managed to grab headlines outside of our security ecosystem. The many (many) headlines and columns inches dedicated to the event are testament to the security worries that continue to reverberate around the globe.  But we think that most of these articles have buried the lede. 

Most discussions take the position that our enterprises are horribly exposed because of supply chain issues and that any network running SolarWinds should consider themselves compromised. 

We think it’s actually more dire than that (and suspect it’s going to get worse). Let us lay out the case for why SolarWinds should concern you even if their tools are nowhere near your networks.

It’s easy to whip up a think-piece in the wake of a public security incident, especially as a vendor. The multitude of vendor mails riding the SolarWinds incident are overflowing our inboxes. But even a stopped clock is right twice a day, and this is one of those times.

An abstracted, low resolution summary for those (very few) who haven’t paid attention to the incident:

• SolarWinds make a network management product called Orion, which is deployed on tens of thousands of organisations worldwide;
• Attackers broke into SolarWinds and made their way to the SolarWinds build environment;
• They compromised the build pipelines, to inject malicious code into the SolarWinds update process;
• Organisations  all over the world updated themselves with this poisoned update;
• (Now) Compromised SolarWinds servers worldwide attacked internal networks of selected organizations;
• Almost nobody discovered any of this for months till a security company discovered their own compromise.

Because we can

One of our great pleasures and privileges at Thinkst is that every year we set aside a full week for pure hacking/building. The goals for our “Hackweek” are straightforward: build stuff while learning new things. Last week was the 2020 Hackweek work-from-home edition, and this post is a report on how it went.

Now in its the fourth year, our Hackweek has come to serve as a kind of a capstone to our year, and folks start thinking about their projects months in advance. The previous editions produced some truly awesome projects, and topping would be was a serious challenge. Without question this has been our finest so far.

We run Hackweek for multiple reasons. We’re a company of tinkerers and builders, and dedicating time towards scratching that itch just feels right to us. Of course, there’s sometimes downstream benefits to the Thinkst, either in terms of the projects folks worked on, or skills they’ve picked up. (Replacing our Redmine with Phabricator was a project in Hackweek ’17 that brought us much value and is still in use.) But that’s a pleasant side-effect, and not the objective. A key underpinning to Hackweek is that the projects don’t need to be related to Canary or other work projects. When we say “build something”, it can literally be anything and some folks steered far from tech (as we’ll see shortly). We want folks to continually learn, and this sets the tone. While we provide training through the year for topics in our day-to-day work, Hackweek gives the team a chance to stretch themselves in directions they hadn’t previously considered.

Hackweek format

The structure of the Hackweek is that on Monday we kick-off, and on Friday afternoon everyone demos their project. Following that, we vote on projects in three separate categories:

• Most Joyful
• Most Useful
• Most Hacky

The progression of Hackweek over the years tracks well with the team growth we’ve seen at Thinkst. In first few editions, an afternoon was more than sufficient for all the demos, but we had 20 projects this year and that’s tricky to squeeze in. It’s apparent that a rethink is needed for the next edition. Nice problems to have!

The three winning projects

The prizes are secondary to the aim of the week, and mostly provide a fun incentive for folks to aim in different directions. Here’s a run through of the winning projects, plus a report on the others below.

Most Hacky

Jay and Max decided that their years of gaming experience weren’t enough of an edge when playing Counter-Strike: Global Offensive. To make up the gap, they created a series of game hacks for CS:GO. Their hacks run as a separate program which accesses the CS:GO game’s memory, and changes values on the fly. Hit a key shortcut, and other players become visible through the walls. Hit another shortcut and the crosshairs snap onto the nearest enemy’s head to get a guaranteed headshot every time, even taking into account recoil patterns. Yet another shortcut, and enemies show up on your game radar, so you know wherever they are. No fair!

See-through walls? Sure, why not.

Most Joyful

Louise taught herself how to crochet this week, starting from scratch. Crocheting has a bunch of technical details in how the knots are tied, the different patterns, and putting them together to produce articles. But she didn’t just limit herself to 2D articles, she went all out and produced three separate 3D birds, plus a crocheted Canary device. To top it off, she took them on a hike near Stonehenge for this final shot:

Early morning birds

Expect to see more from the “Inyarnis” in our weekly mails.

Most Useful

Sherif decided to hit a problem near and dear to his heart. We use Salesforce as a CRM, and for the Customer Support and Success teams, switching to Salesforce to lookup details is a common daily task. But there’s friction in performing this, and he wanted to file down that edge. Slack is our internal comms tool of choice, and Sherif built a Slackbot which interfaces to Salesforce to assist with querying customer details from directly within Slack. The Support and Success teams are thrilled!

Slack command to quickly get an overview of a customer

Great projects

Here’s a rundown of the other projects.

Anna created CN-D, a machine to forge signatures (or draw anything in pen). She built a CNC machine, replaced the drill with a pen holder, and figured a workflow to take SVGs to CNC files. With an SVG of someone’s signature or a scan of a written page, she could sign documents as them 🤦‍♀️. She also had it draw our logo in pen. It’s an amazing project to hit in one week.

Haroon writes “remotely”

Nick mostly stepped away from tech, and built a wooden arcade cabinet called Birdbox to house a monitor, joysticks, and a RetroPie. However he had one tech addition: a Flappy Bird clone with a Canary theme and Haroon’s voice!

The logo rounds it off beautifully

Bradley revisited a topic we’ve looked at previously: how to automatically grab a fingerprint of a production server and produce a Canary configuration which mimics that server. Mimic Rebooted sets up a Canary to imitate a server already live in your environment, to save having to manually configure each detail.

Generating a Canary configuration by scanning a production machine

Shereen repaired and repurposed a toy crane to add a remote control function to the previous wired design. Using MicroPython running on two Microbits, she had one drive the crane motors, and the other serve as the remote control, with wireless comms between the two.

Parts and the finished crane

Lissa put together a Raspberry-Pi gaming console, her first foray into a Hackweek project and one guaranteed to bring hours of fun.

Retro-gaming is best gaming

Matt also took a crack at a carpentry project by building an infinity table. He added a distinctly tech twist by using a bunch of individually addressable LED’s (as opposed to a single LED strip), then wrote a Python-based webserver to set the LED colours!

This demo had the viewers clamouring for Shopify links

Todor re-implemented the fundamental Canary functionality by imagining what a “home-use” Canary might look like, where the hardware platform is super lightweight (ESP32), and the bird talks directly to Firebase. He then wrote a mobile apps for receiving the Canary alerts, to build a PoC for a new kind of Canary.

Alerts direct from bird to phone

Mike designed a 3-in-1 projector from phones and tablets. It literally had three separate projection lenses, which is some kind of record for projectors. He could wirelessly stream content to the three separate lenses.

I see your one projector lens, and raise you three! In different directions!

Benjamin solved a problem which had previously vexed him (and me): some models of Suburus don’t have a temperature gauge but only display a warning light when the oil temperature is too high. So he built a device to plug in to his car’s OBD-II port, grab the temperature measurement, and stream the data via Bluetooth to an app on his phone.

Homemade temperature monitor

Az leveraged the T2 chip on his Mac to develop a custom tool for cryptographically signing things with a single tap on the TouchID pad. He targeted two separate actions: the firmware images we produce, and the code we commit.

Code signing and verification in commit logs

Deena also attacked Salesforce, and setup a flow so that when new Customer are created in Salesforce, we’re alerted in Slack. This solves a particular problem we see, which is that as new customers are signed up, parts of our org are simply unaware of the flow of new customers. This gives everyone a chance to see who the new logos in our customer stable are.

New customers in Salesforce show up in Slack

Yusuf learned the lesson from last year, and set his sights on a manageable problem this time around. However he finished sooner than expected so kept going on other projects 🙂 He built a custom Canary link shortener usable from Slack (expect to see this in Customer mails soon), a voice note app for Slack, and an in-browser video-to-GIF conversion tool leveraging ffmpeg and Wasm.

CanaryLinker: create short URLs in Slack

CanaryCaster: send voice notes in Slack

CanaryGifyfier: Convert videos to GIFs directly in-browser

Caleb added a new platform to the six we already support for Canary, by producing a Canary that runs on Open Stack. This is still early days, but if the interest is there we can consider adding Open Stack as a supported platform.

Virtual Canary running on Open Stack

Keagan built and published a Chrome extension called Re-chord to assist folks in their music practise. It tracks links for music pieces, and will recall them when you want to practise at a later date.

Tracking your music practise links with Re-chord

Riaan made a device for discreetly defacing public displays. A Pi-Zero is plugged into the HDMI port of any compatible display. It then polls a public DNS record, and when the trigger value is returned in the DNS response, the Pi-Zero switches the HDMI input to the Pi and plays a video, before switching back to the original display input. He tested on his family, and suitably freaked everyone!

Surprise Rick!

Haroon built love.pl (a golang tool without go in its name) and turned his constrained attention to needlework, and produced pillows with the Canary logo on them as a pleasing backdrop for his Zoom calls. Keep an eye out for them next time you vidchat with him!

So tasteful

Lastly, I delved into Terraform, Packer, and Saltstack to automated a particular environment we’ve pondered for a little while.

Wrapping up

Hackweek was a great success, and as a yardstick for our growth it demonstrated some of the logistics we need to improve on. But that’s a key part of why we do it: growth in Thinkst is dependent on growth in Thinksters, and a learning org is what we are. Onwards to next year!

One of the big disconnects in infosec lies between people who build infosec products and people who end up using them on the ground.

On the one hand, this manifests as misplaced effort: features that are used once in a product-lifetime get tons of developer-effort, while tiny pieces of friction that will chaff the user daily are ignored as insignificant. On the other, this leaves a swath of problems that are considered “solved” that really aren’t.

Customers don’t buy security products because we generate alerts. They buy security products because they want us to stop badness (or catch bad actors). If we are generating ten thousand alerts, and customers can’t separate Alice from Carol, then to butcher analogies, they wanted a quarter-inch hole and we sold them 500 drill-bits and a power cord. (Some assembly required).

Solving “alerting” isn’t easy. There’s a ton of academic work done on Alert-Fatigue and humans have spent a long time trying to figure out how to protect our flocks without crying wolf. Consider this example from our own Canary product:

1. We see an attacker brute-forcing a service (let’s say an internal admin interface).
2. We alert our customer with: “Attacker at IP:10.11.2.45 tried admin:secret to login to the NewYork-Wan”

Simple!

There are a bunch of simple options, but in this case, most are pretty sub-optimal. 10k alerts are a pain, but throwing away the information is also silly (It makes a huge difference to me if the attacker is throwing random usernames and passwords at the site or if she is using real usernames and passwords from my Active Directory).

On our Canary Console, we would generate a single event: “Admin thing being Brute Forced” and we would update the event continually. So you’d have one alert, and when you looked at it, you’d have the extra context you need.

But how to best handle the SMS alerts? We cant update the SMS with new information the way we can on other channels. We could hold back the alert for a bit, to gain more context and send one summary alert but that’s a dangerous trade-off. Do we delay screaming “fire” so we can be more accurate about the spread of the blaze?

We could send n-sms’es and then throttle them, but thats pretty arbitrary too. There’s tons of little niggly details to be solved here. (The same is true for sending alerts via Syslog or webhooks).

A few years ago, Slack posted their flowchart for deciding when and where you get a notification if you’re tagged in a message.

It’s clear that lots of thought has gone into this relatively straightforward feature. It’s also obvious that all messaging apps will claim to handle “Notifications”.

You can see here where Pareto thinking back-fires. Generating an alert when you see an event is easy. You can totally ship the feature at that point. It demos well and if your sales team is making sales based on a list of features, they probably want you to move onto a new feature anyway. But this is how we end up here:

This month we’re ready to release our first major Canary Console overhaul. We’ve obviously pushed updates to Canary and the Console weekly for almost 5 years but this is the first time we’ve dramatically reworked the Console.

Contrary to a bunch of other products, we don’t want to be your single  pane of glass, and work really hard to make sure that most customers never have to spend time in their Console at all. But our beefed up Console offers you a bunch of  fresh possibilities, and we figured we’d introduce some of them here.

What’s different?

The first thing that a new user should notice, is that it doesn’t feel that different to the old Console. It has a new coat of paint, and some things look slicker, but it feels like just a slight visual upgrade on the original Console.

This is completely by design, and belies a bunch of changes beneath the surface. It’s practically a trope that just as users become familiar with a product, the vendor drastically alters the user interface forcing users to re-learn flows which were previously easy. We hate this. Tools are supposed to make our lives easier, not periodically give us pop-quizzes.

 

We know that there’s a fine-line between keeping the product familiar, and introducing new features (or refreshing the look). Throughout this process we’ve tried to keep a clear view of this line. We’re really excited to show a few of the enhancements that are deployed to customers as of today.

From the screenshot above, you can see a few of these right off the bat. 

Search

The new search-box at the top means that you never have to hunt for things again. When we first built Canary, customer Consoles had 5–10 birds in them (and no Canarytokens). Today, we have Consoles with hundreds of birds and tens of thousands of active Canarytokens. The search-box allows us to find things, even if we aren’t really sure what we are looking for. The search feature will let you find Bird, Incidents, Canarytokens and more without having to hunt, and you can search on pretty much any data tied to them.

A better graph-view

We’ve made a heap of improvements to our graph-view, which displays your alerts graphically rather than in table form. This is especially useful if you get a bunch of alerts; a quick click on the graph-view button will immediately clarify if it’s an attack sourced from a single or multiple locations in your network, and show you the birds involved. 

Birds of a Feather

The biggest improvement with the new Console is the ability to group birds into flocks. We spent heaps of time making this simple and intuitive so using it should feel pretty natural.

Once you’ve created a flock, any birds or tokens you previously had enrolled will be sitting in your “Default Flock”. These can be moved over to new flocks if you choose.

Of course the point (and joy) of having different flocks, is that you can treat them differently, so all of your flocks can have different settings, different users, and even different alerting rules.

User Management

Although we’ve supported the ability to add and remove users from your Console for a while, you now have much finer grained control of your users and their permissions. You can add users, restrict them to just a single flock, allow them to only deal with alerts, and delegate managing the actual birds to further users. The permissions model is simple: you can watch flocks, or manage them.

Canarytokens

Canarytokens also gets a refresh in the new Console but it brings a bunch of utility that is deserving of its own post (next week). It’s especially useful to be able to place them in different groups. Shortly we’ll be releasing updates to the Console API alongside helper utilities to make it easier to deploy them by the dozen (or dozen dozen) inside your networks.

Audit Trail

If you’re an admin user, you now have access to the Audit Trail, which gives you detailed information on all activities performed on the Console. (You can also download a JSON dump of all activity if needed). The audit trail backend code has been in place for a while, so your audit trail is already populated with a bunch of your activity.

Support and our Knowledge Base

We try hard to make sure that Canary is easy to use, and where options need explanations, we usually build this into the app. However it’s still possible for users to lose their way. The Console now includes a constantly visible link to “help” that’s backed by a heavily populated Knowledge Base and a pretty decent search. You can still use the interface to send us a support request, and our helper elves will be super-quick to respond, but the KB should make things easier.

Email Changes

The new look also means that things like your weekly newsletter get a much-awaited visual upgrade but some changes are also functional.

Emails now include single-use buttons, to Acknowledge or Delete alerts (or to add them to your ignore list) which don’t require you to login. (This allows you to react quickly from your phone/mailbox. We really mean it when we say we don’t want to be your single pane of glass.)

Easy copy & paste

We’ve added a bunch of convenience functions to make sure that getting data out of the Console is quick and simple. Most data fields have a neatly hidden Copy button you can hit to grab data into your clipboard.

Authentication

We already support SSO and you’ve always been able to make use of Duo / Google Authenticator / Authy for MFA. The new Console adds the awesomeness that is WebAuthn to our authentication defense lineup.

More to come

There’s  a bunch of other features that we can’t wait to share with you, and in the coming days will release more blogposts. For now, take it for a spin. It should be all Canary: Simple, and easy to use. Drop us a note with your thoughts!

INTRODUCTION

A decade ago, Steve Jobs sat down at the D8 conference for an interview with Kara Swisher and Walt Mossberg. What followed was a masterclass in both company and product management. The whole interview is worth watching, but I thought there were a few segments that stood out.

Caveat:

Any time someone talks about a tech-titan, there’s reflexive blowback from parts of the tech community: “He wasn’t really an engineer”, “He wasn’t really…” – This post will ignore all of that. Even if you strongly dislike him, there are lessons to be learnt here.

Let’s begin…

What matters most:

The interview starts with Kara and Walt congratulating Jobs, because Apple had just bypassed Microsoft in Market Capitalization. Right out of the gate, Jobs makes it clear:

It’s surreal to anyone who knows the history, but:

Jobs: It doesn’t matter very much… it’s not what’s important.. it’s not why any of our customers buy our products.. It’s good for us to keep that in mind, remember what we’re doing and why we doing it.

Even if he is just saying it for the crowds (and I don’t believe he is), he’s making it clear what they are about. He’s making it clear what will be celebrated in the company. It’s not about their market-cap, it’s about making things that their customers love.

On the importance of focus:

Literally the first question (after discussing market-cap) was asking Jobs about their decision to drop Flash, and their “war with Adobe”. His response on Flash alone makes this whole interview worth it. He starts with something subtle:

Jobs: Apple is a company that doesn’t have the most resources of everybody in the world, and the way we’ve succeeded is by choosing what horses to ride really carefully

This is an amazing answer, especially when it follows immediately from the discussion of their market-cap. They were not yet the Trillion Dollar Apple, but they were no slouches. The combination in 2010 of an ascendant Steve Jobs, their market-cap, and the halo around Macs and iPhones was a virtually irresistible magnet for just about any technical staff they wanted. They could have doubled their workforce in an instant and aimed to do everything, but you see a deep, deep understanding from Jobs that just adding people doesn’t mean you can do more great things.

Great products need great people and great focus. Every product manager in the world will voice approval for the Dieter Rams aesthetic and will talk about the importance of saying “no”. Very few people commit to it (and fewer still stand by their guns when people start calling them crazy for it).

It would have been trivial for Apple at that point to hire a team or two to shoehorn a so-so version of Flash onto their devices. (This seemed like an even bigger mistake on the iPad which had just launched). But he is clear and adamant. They are going to make calls they believe are best to shape great products.

On “Courage” (and choosing):

Mossberg pushes with a question many of us had at the time:

Mossberg: What if ppl say the iPad is crippled in this respect?

Jobs: Things are packages of emphasis…

Some things are emphasized in a product, some things are not done as well in a product, somethings are chosen not to be done at all in a product, and so different people make different choices and if the market tells us we making the wrong choices we listen to the market, we’re just people running this company, we trying to make great products for people, and we have at least the courage of our convictions to say we don’t think this is part of what makes a great product, we going to leave it out

…

We’re going to take the heat, because we want to make the best product in the world for customers.

It’s become something of a running joke when Apple-today talks about “courage”, but it really does take courage to swim against the tide this way. It takes courage to make a choice instead of simply adding a toggle and making the customer choose. It takes courage to look at a feature that lots of people “want” and make the call to exclude it. (This seems obvious and easy to sell, but suffers from the same perverse-incentive problem we see in infosec: excluding something gets you immediate, loud feedback but you seldom, if ever, get feedback that you did this right. It’s why people default to throwing in everything, and it’s why we end up with generic, unremarkable software.)

On putting in the hours:

There was an interesting discussion on the relatively new phenomena of Jobs mailing people. They were discussing a specific event (Steve Jobs to Valleywag at 2:20 AM: “Why are you so bitter?” | VentureBeat), but I think again, it was revealing and insightful.

There’s been a huge push in recent times for balance, wellness and rest. People are quick to point out how burning the midnight oil translates to diminished capacity and actually increases your rate of errors, but I’ve never seen consistently great work from people unless they too, were working deep into the night on projects they believe in. 

It’s super telling that this 55 year old billionaire would be “working on a presentation he was giving” at 02h00 in the morning. It is probably possible to do great things without burning the midnight oil, I’ve just never seen it personally, or been able to do it that way myself.

Why would a CEO need to work that hard anyway?

Dug Song often laments the lack of CEO’s who can demo their own products. Any random 10 minutes of the interview should convince you that Jobs is smart, but it’s worth paying attention to the depth of his understanding on almost every topic raised.

When the topic of Foxconn comes up you see him rattle off details on the foreign factory that you wouldn’t expect him to have at his fingertips:Suicide rates per capita, details of their investigations. He then effortlessly swaps to phone market share splits and technical details on Adobe products. Swap again into mobile-ads and he’s talking about Flurry-Analytics by name and describing his hatred of mobile ads and what’s wrong with them. Swap again and he’s talking browser share and how Open-Sourcing WebKit might make inroads against IE (WebKit powering Chrome went on to overtake IE in (2012)).

I’ve no doubt he had teams of smart people driving teams of smart people, but it’s also clear that he was deeply involved with every aspect that ends up touching a customer. It demands obsession, and it demands time, and I’d hypothesise that one of the main reasons we are able to talk about his depth of involvement, is because we’ve already discussed him “putting in the hours”.

On taking yourself too seriously.

It’s clear that Jobs is focused (and a little tightly wound). Stories abound of terrifying elevator rides with him, but at the quarter-mark of the interview, he gives us a tasty morsel.  Mossberg begins by saying that Jobs spent a good chunk of his career fighting a platform war with Microsoft. Jobs actually doesn’t concede this.

In a moment of self-deprecation/levity he quips “We never saw ourselves as in a platform war with Microsoft and maybe that’s why we lost”. It’s a quick flash of him taking himself less-seriously and it’s disarming.

Of course he immediately gets back onto his core message:

Jobs:We always thought about how can we build a much more better product than them, and I think that’s still how we think about it

Nobody can listen to this and have doubts as to what’s their North Star.

On the Consumer market vs The Enterprise market:

In 2008 (two years earlier), Google launched its Android phone and started competing with Apple on mobile. Swisher asked if Apple planned to remove Google apps from the iPhone? 

The Jobs answer is almost predictably monotonous:

Jobs: No… we want to build a better product than they do, and we do…

That’s what we are about

He goes further though, and opens up an interesting topic: the difference between making/selling products in the consumer and enterprise spaces:

Jobs: We are about making better products, and what I love about the consumer market that I always hated about the enterprise market, is that: we come up with a product, we try to tell everybody about it and every person votes for themselves. They go yes or no, and if enough of them say yes, we get to come to work tomorrow. You know that’s how it works. It’s really simple.

Whereas with the enterprise market, it’s not so simple, the people that use the products don’t decide for themselves, the people that make those decisions sometimes are confused.

We love just trying to make the best products in the world for ppl and having them tell us by how they vote with their wallets whether we’re on track or not.

This was always a horrible trend and it’s why organizations have suffered for so long with horrible enterprise software.

Ten years later, we know this is changing, and it’s devices like the iPhone and iPad proliferating into the enterprise that spurred this change. At Thinkst Canary, we are huge beneficiaries of it. We build a cyber security product that’s used by some of the biggest names on the internet, but our look and feel is as “consumer” as it gets.

When a16z’s Martin Casado spoke about the latest trends in good guys favour in Cyber Security last year, he touched on our Canaries, and pointed out that while we are used by some of the best names in the valley, we are simple enough for him to install us at home.

Casado: Every sophisticated logo that you know use these. They have over 700 customers and yet they are simple enough for you and I to buy over the web and install. So it just goes to show you to what level sophisticated security is being consumerized (and you should know about it)

We think Jobs called it absolutely right in 2010, and are pretty convinced that those ugly enterprise-walls are crumbling… 

On putting things back on the shelf:

One of the highlights of the interview (for me) was Jobs’ discussion on what came first: the iPhone or the iPad?. Until this point, it was always assumed that Apple built the iPhone, saw success, and then said: “let’s make another one, but bigger”.

The truth holds more lessons for us:

Mossberg: Did you consider doing a tablet when you did the iPhone?

Jobs: I’ll actually tell you kind of a secret, I actually started on the tablet first.

I had this idea of getting rid of the keyboard and  type on a multitouch glass display…and I asked our folks could we come up with a multitouch display that we could type on that I could rest my hands on and about 6 months later they called me in and showed me this prototype display and it was amazing and.. I gave it to one of our brilliant UI folks and he called me back a few weeks later and he had inertial scrolling working and a few other things. Now we were thinking of building a phone at that time and when I saw that rubber band inertial scrolling and a few of the other things, I said “my god.. we can build a phone out of this”. I put the tablet project on the shelf because the phone was more important and we took the next several years and did the iPhone.and when we got our wind back, and thought we could take on something next, we took the tablet off the shelf, took everything we learned from the phone, and went back to work on the tablet.

So.much.goodness.

The first thing worth noting is that they didn’t rush out a tablet as soon as they could. They knew there was a need, but they were doing the work to figure out if they could fill that need. 

Microsoft fans will often point out how they had a Windows tablet before an iPad, and a Windows smartphone before an iPhone, but both will have to admit that those devices took the PC, and attempted to shrink it down to smaller form factors. So you could totally run MS Excel on your Windows phone, if you could use a stylus to give you the pin-point accuracy of your mouse pointer…

This is not an argument against launching early and iterating, but it does remind us that like all aphorisms, it misses some nuance. Apple wants a tablet, they see its promise, but they believe there’s a few problems that need solving before their MVP is V enough.

We also see Apple sticking to their guns. It’s easy to say “we say ‘no’ to things” when you are striking off a bunch of mediocre ideas. Saying  no to the tablet you really want to build (to focus on the Phone you think you can build now), is where you see this choice play out for real. (That I’m writing this on an iPad while many of you are reading it on an iPhone is the next order effect of making those choices).

On gratitude:

We have a pretty great record as a young software company. Our NPS scores are consistently north of 70 and we have a page on our website dedicated to unsolicited feedback from customers who talk about loving Canary. A fair bit of that feedback notes that people have loved interacting with other parts of our business: Support; Admin; even billing! 

We used to find it odd, that people found it odd! 

To us, it seems like the most natural way for this to be. We know that there’s a zillion products in the marketplace, but someone chose us. We know that on an Internet filled with people saying stuff, our customers have listened to our voice. Every single person in the company is aware of this, and is deeply grateful to our customers for it.

The customer has choices, and the customer chose us. Seen through this lens, gratitude seems like the obvious response but it disappears when customers are seen as just a prop to help you “make the quarter”.

Jobs makes it clear, that this doesn’t have to dull as your market-cap grows:

Jobs: I have one of the best jobs in the world I’m incredibly lucky I thank all of our customers and employees for letting me do what I do, I get to come in and work every morning and I get to hang around some of the most wonderful, brightest committed people I’ve ever met in my life and together we get to play in the best sandbox I’ve ever seen and try to build great products for people.

Market-share, and profit totally matter because they let us go on doing what we love. They are a tangible feedback of customers liking what we are building and can be a proxy for customer happiness, but it’s super important for us to make sure we don’t fall foul of Goodhart’s law, making the measure our actual target instead.

On Humility and Hubris:

Jobs was often pilloried for telling people they were wrong. Just months earlier Apple went through Antenna-Gate where it was discovered that their new iPhone dropped calls when gripped a certain way. He famously quipped that people didn’t know what they wanted till you showed it to them. But several times during the interview he makes it clear that this doesn’t translate to ignoring your users forever: You do your homework, you make your choices, and then you pay attention to see how your users respond.

For a person with so many phenomenal products under his belt, he also doesn’t assume they are infallible. A few times during the talk he makes it clear, “we are just humans trying our best to do what we think people will love”. Someone uses the Q&A session to remind him that sharing content between devices was still painful. He’s quick to point out:

Jobs: we need to work harder on that. We need to do better. We’re working on it.

Product design (and running a company) bring Jim Collins’ “the Genius of the AND” to the fore as much as anything. You need the courage to make choices, AND you need to be able to listen to customers and use their feedback. It’s just the nature of the beast.

On pragmatism and “seeing the whole product”:

In one of his great twitter threads on the difference between Good Product Managers and Great Product managers, @Shreyas Doshi says:

9/
Good PMs are detail-obsessed, making sure that the product meets the desired quality bar for launch. Great PMs pay this degree of attention to the entire customer experience: they know that the docs, the API, blog post, website, support emails, etc. are also “the product”.— Shreyas Doshi (@shreyas) April 11, 2020

A clear Apple/Jobs fan implores him to save TV. “You did it with the iPhone, now save TV”. Jobs gives an answer that encapsulates so many of the thoughts discussed earlier.

Jobs: The problem with the television market, the problem with innovation in the television industry is the go-to-market strategy. The TV industry fundamentally has a subsidized business model that gives everybody a set top box for free, or for $10 a month and that pretty much squashes any opportunity for innovation because nobody’s willing to buy a set top box. Ask Tivo, ReplayTV, Roku, ask Vudu, ask Google in a few months.

Sony’s tried as well, Panasonic’s tried, lots of people have tried, they all failed.

So all you can do, … is go back to square 1, redesign the set top box, with a consistent UI, across all these different functions, and get that to the consumer in a way that they are willing to pay for it.

And right now there’s no way to do that. So that’s the problem with the TV market. 

We decided what product do we want the most, better TV or a better phone? Well the phone won out, but there was no chance to do a better TV because there was no way to get it to market.

What do we want more, a tablet or a better TV? Well probably a tablet, but it doesn’t matter because if we wanted a better TV, there’s no way to get it to market.

The TV is going to lose until there’s a better, until there is a viable go-to-market strategy. Otherwise you just making another TiVo. That’s the fundamental problem. It’s not a problem of technology, it’s not a problem of vision, it’s a fundamental go-to-market problem.

Question: In the phone area u were able to recreate that go-to-market strategy by working with the carrier, so does it make sense to partner with the cable operator.

Jobs: Well then you run into another problem, there isn’t a cable operator that’s national. There’s a bunch of cable operators and then there’s not a GSM standard where you build a phone in the US and it works in all these other countries, no, every single country has different standards and different government approvals . It’s very […] Balkanized, but when we say AppleTV is a hobby, that’s why we use that phrase.

The market place is filled with products that were built because they technically could be. Notice that he isn’t just talking about building a good product, he’s considering how they will stock it, how they will distribute it. They know it’s an area that has some promise (which is why they maintain their Apple-TV hobby) but he has no delusions that because they are Apple they can make a channel where one does not yet exist. (You see this in sharp relief when he shares a stage with Bill Gates and is asked questions on the future of computing. While Gates happily talks of 3d VR interfaces, Jobs is more grounded, considering what people are used to and how they will operate it).

In “The Innovation Stack”, Square’s co-founder Jim McKelvey talks about how he struggled to find mentors till he realised that he didn’t need to confine himself to people he could call on the phone.

Jobs produced a string of hits across a raft of products and managed to generate such maniacal love that his top customers almost define the term “fan-boys”. If we want to build great products, it would be smart to take a closer look at how he did it.

Ben Horowitz often starts his posts with a choice phrase from a contemporary hip-hop song. I’m going to go the other way, ending with with a line from Kenny Roger’s “The Gambler”.

“And somewhere in the darkness

The gambler he broke even

But in his final words

I found an ace that I could keep”