On Donna’s Acquisition

Early last year (2013) I was in one of the most comfortable places I’ve been in my life. I was working at a very great job, for a wonderful company, and was surrounded by some of my favorite people. Even more so, I was working remotely from Bend, Oregon, where I had moved my family a year earlier. There was literally nothing to complain about. I was earning a great living, had a very flexible schedule, and got to work on some of the most interesting problems I had yet tackled.

But something was wrong. I had been with Ancestry for 5 years, and something was stirring in me. I resonated a lot with Tim Van Damme when he described leaving Instagram:

At a certain point after we shipped video for Instagram, it felt a bit as if life was too easy … I didn’t want to slow down yet…

I knew in my gut that it was time to leave. I spent a lot of time wrestling with this decision. It’s tough, deciding these things, weighing the pros and cons. On one hand, I had a great blessing in a job which provided for my family. Would leaving that be selfish? On the other hand, I knew I wasn’t ‘done’ yet, and I wanted to continue being challenged.

When I started looking for a different path, I immediately started latching on to the idea of working for an earlier-stage company. There was something very enticing about being on the ground level. Defining strategy and controlling the experience from the ground up sounded like a dream come true.

Along the way, I met Kevin Cheng. Kevin is to this day one of the most genuine people I’ve ever met. I was immediately struck by 2 things. First, he was kind and humble. I can’t tell you how rare and inspiring it is to meet a founder of a software startup in the Bay Area who exudes humility. I immediately realized Kevin was the kind of leader that I wanted to follow. The second thing that struck me was the vision for Donna.

A big vision

When I was first becoming obsessed with all things design, like most of my peers, Apple had a lot of influence on my thinking. One thing in particular that I really respected the company for was their ability to focus on problems and solve them each individually well. As an example of this, Apple’s product line on Mac OS X included Mail.app, Calendar.app, and Address Book.app. I loved the stark contrast of how each of these apps were designed to solve specific problems vs. the other common approach.

But over time, as our space has evolved, I’ve felt that all these individual products and “Apps” we use every day have become less connected with each other. Where once I saw great design choices in solving problems individually, I was now seeing a world in which things were unnecessarily and frustratingly disjoined from each other. Even Apple has made things far worse over time with both iOS and Mac OS’ sandboxing.

When I first met with Kevin, he explained the vision for Donna. We now have more access to data than we ever have before. We carry around in our pocket something that has access to weather, location, maps, traffic, messaging, calendar, contacts, etc… And yet there’s nothing that’s making sense of all this.

If you’ve ever witnessed executive assistants in action, you’ll recognize that this is precisely their job. They take a variety of inputs about a person’s life and organize it into structured information. There’s a bunch of subtle details about why this is so effective, from their relationship with the person they’re assisting to the timing of delivery.

But not everyone can afford the luxury of a personal assistant. What if we could use technology to solve this for everyone? What if there was something that could make sense of all this data and deliver it in the same way a personal assistant would? Well, that would be magical. And that was Donna’s vision.

It was a big problem. And an even bigger vision. There were a number of risks, including that a much larger company with access to greater resources would be working on solving it in parallel. But in the end, after meeting and connecting with the team, I joined Incredible Labs to help solve this.

A quick exit

After a few short months, I grew painfully aware that Incredible Labs wasn’t the right place for me. I was continually frustrated by the speed at which we could execute and the travel down to SF took a toll on me and my family. I made a tough decision once again to leave and pursue something different. But my time at Incredible Labs taught me some incredibly valuable lessons. Getting to learn from both Scott and Kevin will always be one of my most valuable experiences in my professional career. And even though I was there a short time, I was able to lead a number of design projects including a complete redesign of the App’s interface. It was a very different style than I had ever executed on before and I’ll always be very proud of the work I was able to do there.

The end for Donna

I kept a close eye on the space even after I left. It was interesting to me to see how many players popped up. Beyond the startups that were working on a similar product execution, both Apple and Google had begun to get closer on solutions that were “close enough” to Donna’s first offering. From my very outside perspective, I began to see the writing on the wall for Donna. Could a vision this big really be solved by such a small team and a limited amount of capital? I was sad when I heard that they were cutting staff, the opposite of what I was hoping would happen.

Today, it was announced that Yahoo has acquired Incredible Labs. Yahoo intends to shut down the product and roll the team up into the Yahoo Mail organization. I’m excited for the founders and team and send them all a huge congratulations. I’m also really happy that Donna’s great investors will see a return from the company. But, there remains a part of me that’s sad that we never got to see Donna reach her full potential.

Most of the other competitors in this space that get listed in articles about Donna feel to me as “just a better” X. Whether that’s “just a better calendar” or “just a better mapping app”. Donna’s vision stood out to me as a glimpse into the future where all this data we have available makes our lives easier, more productive and better — not more disconnected. I’m optimistic that Kevin and the team will continue to plant this vision into Yahoo’s products and that we’ll see Donna after all, someday later, just wearing different clothes.

What I took away

When Levi and I decided to commit to Droplr full time, one of the considerations we thought a lot about is that transferring things from A to B still today remains just as difficult and silly as it ever has been. There are so many great companies out there who are trying to make this better, but we couldn’t help feeling the itch that we’re just not there yet. And on the whole, technology and products still feel very disjointed. I fell in love with the Incredible Labs team’s maniacal focus on making people’s lives easier … and I’ll continue to work towards that with my own company. I’ll continue to strive towards an ecosystem in which things work well together. I don’t think Donna was going to save lives or solve world hunger. I don’t think Droplr will either. But these products we work on every day can help the people who do those things do their job better and be more efficient. We’re not there yet. And that’s part of what still gets me up every morning.

How I Almost Lost My $500,000 Twitter Username

If you haven’t yet, start by reading Naoki Hiroshima’s account of how he was blackmailed into giving his Twitter account away.

I read this tonight, and sadly, the story was all too familiar to me. My version also has a few implications that are far worse. I thought I’d share the story in case anyone is interested.

I’m @jb on both Twitter and Instagram. My username is a very heavy target for these types of attacks. It used to be primarily because of the Jonas Brothers but of course now it’s all related to Justin Bieber. As you can imagine, with the marketing power behind his name, there are thousands, if not more, companies/hackers/etc… who’d love to get their grubby hands on it for profit. Like Naoki, I too have been offered inordinate sums of money for my username and receive a regular stream of forgot password emails to my inbox.

Last May, I received a forgot password email from Amazon. Although I see a lot of these from Twitter and Instagram, this was the first I had ever received from Amazon. “Why in the world would someone want that?”

I ignored the first email from Amazon like I normally do with any of these that I didn’t initiate. Imagine my surprise when I received a second email about a half hour later saying that my password had been successfully reset! In the same amount of time, I also received 3 fresh forgot password emails from Apple. It was clear I was being targeted with some kind of attack.

I got lucky. Because I still had access to my email account, I was able to quickly do another forgot password request with Amazon and reset it myself. I had caught it just in time — the limbo between when the attacker had gained access to Amazon but had yet to gain access to my email. After I changed my password through their website, I called Amazon, where I learned they had given access to the attacker over the phone. I promptly asked them to lock my account and make a note not to allow any requests to change it again over the phone.

My next step was to call iCloud support and ask them if they had given out any of my information. Sure enough, I finally was able to talk to a representative who was able to tell me that there had been 4 support calls in the last hour regarding my account. The attacker was clearly calling Apple, pretending to be me by giving them my information, and attempting to gain access. I gave them the same instructions I gave Amazon, that this was not me and to please not allow any requests over the phone.

As I was on the phone with them, I received an email from iCloud support with instructions on how to reset my password. It was clearly an email from a representative and not an automated message. And what stood out to me was that the email was “To” a random gmail address and my iCloud address was only CC’d. That was it, I now had the email address the attacker was using. I quickly sent an email to the attacker, assuming I would never hear a response. But I did get a reply a few minutes later.

The attacker was very open about what he was doing. He was after my Twitter username, @jb. He explained that he first started by doing a little research and learning every piece of information he could find on me through public records. My Twitter profile linked to my website, my website had WHOIS information. I use a very, very old address on all my public WHOIS records, but it happens to be the address of my parents, and since I’ve shipped gifts to my parents through Amazon, they had that address on file.

He then called Amazon with what little information he had gained and complained that he had lost his password and didn’t have access to that email address anymore. The representative eventually caved and reset the password over the phone, giving him full access to my Amazon account. His plan was to then gain as much information as he could with Amazon (last four of credit card numbers, current and previous addresses, etc…) and use that as ammunition to do the same thing with Apple. And it almost worked. He had an email in his gmail inbox with instructions on how to reset my iCloud account.

Luckily I had been online when all this was happening and was able to call Amazon and Apple respectively to lock my accounts and prevent access. Had I been even 5 minutes later, well…

The scary thing was that I only thought of the true implications of this attack days later. As I was contemplating what had happened and how I could prevent it in the future, a very frightening thought occurred to me. This attacker started with Amazon because he knew that an e-commerce site’s customer support would be relatively easy to convince and gain access. However, that same site offers cloud services that many startups (including mine) rely on to host their data. Droplr, the startup that I am a founder of, is completely based on Amazon’s stack, from using EC2 servers where we host all of our technology to S3 which we use for file storage. This attacker had access to all of it. I was extremely lucky that in his rush to gain access to @jb, he didn’t think to check if my account had anything under AWS.

I was obviously infuriated with Amazon. I spoke to someone on the phone and they promised that it was a priority for them to train their representatives better. There were a couple other very public cases of this happening around the same time so they were just at the beginning of a PR fallout from their lack of security.

So what did I learn?

  1. Even though Amazon encourages you to only have one identity, don’t. Use completely separate accounts for your AWS services and your Amazon.com shopping account.

  2. Always use a private WHOIS service with domains that you own.

  3. Naoki’s thesis was that you shouldn’t use personally owned domain-based email addresses for your logins to these services. Unfortunately, this isn’t a guarantee. The problem is, all the big email providers like Gmail and iCloud are so big that they deal with thousands of requests on a daily basis from people who have genuinely forgotten their password, and the only way they have to grant them access again is “verifying” their identity over the phone. If someone can fake being “you” over the phone, they’re even more likely to succeed with these large providers.

  4. Some of the biggest companies in the world have security that is only as good as a minimum-wage phone support worker who has the power to reset your account. And they have valid business reasons for giving them this power.
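The chain described in this post (public WHOIS, then an Amazon.com phone reset, then an iCloud phone reset, then the mailbox, then Twitter, with AWS riding along on the shared Amazon login) is a good candidate for a small threat-modeling exercise: write down which facts each provider’s recovery path demands and which new facts a takeover hands the attacker, then let the chain run and see which of the lessons above actually cut it. The following is an added example, not code from the post; the account names, the facts each reset requires and yields, and the mitigation knobs are assumptions constructed for illustration, not a description of any provider’s real support policy.

```python
"""Account-recovery attack-path analysis (added example, not the post's code).

Models the escalation chain from the post as forward-chaining rules over the
facts an attacker knows. Rule contents are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryRule:
    """One takeover path: if the attacker knows every fact in `requires`,
    they gain `account` and additionally learn every fact in `yields`."""
    account: str
    channel: str        # assumed labels: "phone", "email-reset", "shared-login"
    requires: frozenset
    yields: frozenset


def compromised(start_facts, rules):
    """Forward-chain until no rule can fire; return account names in the
    order they fall. Each account falls at most once."""
    facts = set(start_facts)
    fallen = []
    progress = True
    while progress:
        progress = False
        for rule in rules:
            if rule.account in fallen:
                continue
            if rule.requires <= facts:
                facts |= rule.yields
                facts.add("access:" + rule.account)
                fallen.append(rule.account)
                progress = True
    return fallen


# Constructed approximation of the chain in the post (assumptions).
BASELINE_RULES = [
    RecoveryRule("amazon.com", "phone",
                 frozenset({"name", "email", "address"}),
                 frozenset({"card_last4", "address_history"})),
    RecoveryRule("icloud", "phone",
                 frozenset({"name", "email", "address", "card_last4"}),
                 frozenset({"mailbox"})),
    RecoveryRule("twitter", "email-reset",
                 frozenset({"mailbox"}), frozenset()),
    # One Amazon identity fronts both the store and AWS (assumed).
    RecoveryRule("aws", "shared-login",
                 frozenset({"access:amazon.com"}),
                 frozenset({"ec2", "s3"})),
]

# What a Twitter bio plus an unredacted WHOIS record hands over (constructed).
PUBLIC_FACTS = frozenset({"name", "email", "address"})


def harden(start_facts, rules, private_whois=False, separate_aws=False,
           no_phone_reset=frozenset()):
    """Apply the post's mitigations and return (facts, rules) for re-analysis.
    private_whois:  the mailing address is no longer public.
    separate_aws:   AWS has its own credentials, so the store login is useless.
    no_phone_reset: accounts flagged so support will not reset by phone."""
    facts = set(start_facts)
    if private_whois:
        facts.discard("address")
    kept = [r for r in rules
            if not (separate_aws and r.channel == "shared-login")
            and not (r.channel == "phone" and r.account in no_phone_reset)]
    return facts, kept


if __name__ == "__main__":
    scenarios = {
        "baseline": (PUBLIC_FACTS, BASELINE_RULES),
        "private WHOIS": harden(PUBLIC_FACTS, BASELINE_RULES, private_whois=True),
        "separate AWS account": harden(PUBLIC_FACTS, BASELINE_RULES, separate_aws=True),
        "phone resets blocked at iCloud only":
            harden(PUBLIC_FACTS, BASELINE_RULES, no_phone_reset=frozenset({"icloud"})),
    }
    for label, (facts, rules) in scenarios.items():
        print(f"{label:38s} -> {compromised(facts, rules) or 'nothing'}")
```

Two things the model makes visible that the narrative only implies: blocking phone resets at a single provider late in the chain (iCloud) still leaves Amazon.com and, through the shared login, AWS exposed, so the lock has to go on the first link or every link; and a private WHOIS record only works while the address really is secret, whereas a separate AWS account removes the AWS hop regardless of what the attacker knows. The model is deliberately simple: it ignores other ways the same facts could leak, so treat it as a way to rank mitigations, not as proof that a path is closed.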