Hacker News: jenandre's comments

This article has already been proven wrong... e.g. what about Elastic


Elastic isn't a good example of a good open-source company, like RH was. They have their main product open sourced (ElasticSearch)[1], but other products aren't [2].

From RH I always expected that they would open their successful products at some point (e.g. Tower); from Elastic, I'm expecting the opposite.

[1] By "open source" I mean an OSI-approved license, not some cryptic text which can get you into court

[2] https://news.ycombinator.com/item?id=16487440


Good example, because their strategy is to move away from consultancy/training/support as their primary business model towards shipping add-on services, cloud products, etc.

I was at Elastic.on at the beginning of the year where they talked a bit about their thinking. They referred to 'other' OSS companies having contradictory goals where, in order to sell support/training, they make the base OSS product harder to use and more complicated so that people actually need the support and training. E.g. having great documentation directly conflicts with selling training and consultancy. They did not want to differentiate between a hard-to-use OSS version and a nicer commercial package. Instead they want users to pay for added value in the form of bundled stuff that is not OSS (but now mostly available for free), or cloud-based SAAS products that they run for you. The core product is the same for everyone.

So, their strategy is already exactly as suggested in the article: great OSS that they actively help build complemented by SAAS business and other services where they are making a lot of money.

Looking at their acquisitions, they have been buying companies that do SAAS business on top of their core technology or support that business in some way. Elastic cloud is based on one of their early acquisitions (a company called found.no). Another more recent one is Swiftype which provides easy to integrate search as a service for small websites. Then there's Prelert which provides incident management and analytics tooling. In addition they've been investing in building out geospatial data for the purpose of supporting analytics use cases using their Kibana tool (another of their acquisitions) and now included as part of Elastic cloud. They've bought packetbeat and opsworks that both focus on infrastructure OSS that supports getting data to Elasticsearch and Kibana.

Of course they also still do support, consultancy, training, etc. as well. But that is a tougher business to scale because it involves lots of handholding. That's actually a key problem with this business: you need lots of sales to close deals and then you need lots of consultants to actually keep the customers happy. Looking at IBM and Oracle, you can clearly see that they are struggling there. IBM is looking to buy credibility for their cloud solutions through Red Hat. They've been struggling for years with consultancy as their core business and have been laying off people aggressively as revenues have been disappointing. They have at this point very little in house tech to draw in new customers.

AWS is all about selling their cloud stuff. If it's OSS and widely used, you can bet there's an AWS service from them that you can use (e.g. Elasticsearch, Hadoop, ActiveMQ, Mysql, Postgresql, Redis, etc.).


> they make the base OSS product harder to use and more complicated so that people actually need the support and training. E.g. having great documentation directly conflicts with selling training and consultancy.

Interestingly enough, I've heard the same criticism about OpenLDAP, that it's deliberately hard to set up and poorly-documented because the main developer owns a consulting company and wants people to hire him to set up their OpenLDAP installations. What's ironic is that this is one of the reasons Red Hat is deprecating OpenLDAP in favor of the 389 Directory Server.


having great documentation directly conflicts with selling training and consultancy

I've often felt that way as a user. It's why I run Arch Linux now. There's nothing in the Linux world as comprehensive as the Arch Wiki.


Elastic is almost the exact execution of this article. The majority of their revenue comes from paid add-ons and hosted services.


The idea is to use private repos on Github, not public ones, which just tell you that yes, someone can read a public repo and misuse a key. Not that your private repos have potentially been compromised.


Komand (ONSITE Boston, US)

What: We are building a cybersecurity automation platform (IFTTT for security). We have an awesome, technically savvy team that has built multiple products and companies in the infosec space. Work with Go, Docker, and React to build a modern platform for security teams. PS: we're also fun. We routinely make breakfast together in the office, we're a diverse team across a wide age range + genders.

Culture: Team players, world class talent, no brilliant assholes. We have a culture of ownership + responsibility. We are all experienced devs and have great tooling/process even for a company so young.

Jobs: https://angel.co/komand/jobs. We're hiring primarily software engineers. Security background not required, but an interest helps.

Interview Process: We have a very collaborative interview process. We are looking to measure skills, not whiteboard ability. First, after an initial phone call, do a coding exercise offline and then come meet the team and pair with us.

Want to learn more? http://www.komand.com, jobs@komand.com


Sure, contact me. There are some issues / feature requests you can start working on and others I need to flesh out more.


"Imagine doing lots of small allocations - you can cause a lot of fragmentation resulting in needlessly having to resize your heap which in dire scenarios can result in thrashing."

The article repeatedly talks about how managing memory manually increases the risk of fragmentation. And that this risk somehow goes away with gc managed heaps.

...so garbage collectors don't also have to manage their own internal heaps and have fragmentation issues? Hm, not sure I buy this.


Compacting garbage collectors don't have fragmentation issues, but of course Go doesn't have one. A GC isn't even strictly a prerequisite for compaction. Manually combining memory allocations to reduce allocator overhead and fragmentation is a lot of work, but not unheard of.


The Classic Mac OS API (the "toolbox") had a compacting manual memory management scheme. Instead of raw pointers like what malloc might return, you worked with double-pointers called Handles (different from Win32 Handles), which indirected through a global Handle table. System calls may compact or rearrange the blocks of memory referenced by Handles. If you wanted to dereference the Handle across a system call, you had to HLock it to keep it from being moved, similar to object pinning in C#.

In modern OSes, virtual memory plays an analogous role. We still have a double indirection, but it goes through the TLB and page table.
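As an added illustration of the scheme the comment above describes (not the Classic Mac OS toolbox API, and none of the names below, such as h_alloc, h_lock or h_compact, are real toolbox calls), here is a toy compacting allocator: each Handle is a pointer into a master block table, the arena is bump-allocated so that freed blocks leave holes, h_compact() slides unlocked blocks down to close those holes, and a locked (pinned) block stays put and keeps the hole in front of it. It also shows the hazard the comment hints at: a raw pointer taken from a Handle before a compacting call is stale afterwards, which is exactly the use-after-move bug pinning exists to prevent.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE  256
#define MAX_HANDLES 8

/* Master block table entry. A Handle is a pointer to one of these, so the
   table entry (not the data) is what the program holds on to; the data block
   may be moved by h_compact() as long as the entry is not locked. */
typedef struct { size_t off; size_t len; int locked; int used; } Block;
typedef Block *Handle;

static unsigned char arena[ARENA_SIZE];   /* the relocatable heap */
static Block table[MAX_HANDLES];          /* the master Handle table */
static size_t arena_top = 0;              /* bump pointer */

void h_reset(void) { memset(table, 0, sizeof table); arena_top = 0; }
size_t h_top(void) { return arena_top; }

/* Bump allocation: holes left by h_free() are never reused until h_compact()
   runs, which makes fragmentation visible as a growing arena_top. */
Handle h_alloc(size_t len) {
    if (arena_top + len > ARENA_SIZE) return NULL;
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (!table[i].used) {
            table[i] = (Block){ arena_top, len, 0, 1 };
            arena_top += len;
            return &table[i];
        }
    }
    return NULL;
}

void h_free(Handle h)   { h->used = 0; }     /* leaves a hole in the arena */
void h_lock(Handle h)   { h->locked = 1; }   /* pin: block must not move */
void h_unlock(Handle h) { h->locked = 0; }

/* Dereference: valid only until the next compacting call, unless locked. */
unsigned char *h_deref(Handle h) { return arena + h->off; }

/* Slide every unlocked live block toward the arena base, in address order.
   Locked blocks stay where they are, so any hole in front of a locked block
   survives compaction. Returns the number of bytes reclaimed. */
size_t h_compact(void) {
    int order[MAX_HANDLES], n = 0;
    for (int i = 0; i < MAX_HANDLES; i++)
        if (table[i].used) order[n++] = i;
    for (int i = 1; i < n; i++) {                 /* insertion sort by offset */
        int k = order[i], j = i - 1;
        while (j >= 0 && table[order[j]].off > table[k].off) { order[j + 1] = order[j]; j--; }
        order[j + 1] = k;
    }
    size_t dst = 0;
    for (int i = 0; i < n; i++) {
        Block *b = &table[order[i]];
        if (b->locked) { dst = b->off + b->len; continue; }   /* pinned */
        if (b->off != dst) {                                  /* move down */
            memmove(arena + dst, arena + b->off, b->len);
            b->off = dst;
        }
        dst += b->len;
    }
    size_t reclaimed = arena_top - dst;
    arena_top = dst;
    return reclaimed;
}

int main(void) {
    h_reset();
    Handle a = h_alloc(32), b = h_alloc(32), c = h_alloc(32);
    memset(h_deref(c), 0xAB, 32);
    unsigned char *stale = h_deref(c);        /* raw pointer across a "system call" */
    h_free(b);                                /* hole at offset 32 */
    printf("reclaimed %zu bytes, c now at %zu\n", h_compact(), c->off);
    printf("old raw pointer %s\n", stale == h_deref(c) ? "still valid" : "is stale");
    (void)a;
    return 0;
}
```

Usage note: in the un-pinned case c moves from offset 64 to 32 and the old raw pointer is stale; if c had been locked first, h_compact() would have left it at 64 and reclaimed nothing, which is the "pinning costs you compaction" trade-off the comment describes.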


>Compacting garbage collectors don't have fragmentation issues

At the expensive cost of moving memory blocks around in the managed heap, there is no silver bullet.


GCs can compact memory. Go does this for stacks, but not (yet) for heaps.


I sympathize with you, having also experienced subtle sexism in both the tech and investment world (I'm a technical co-founder, and I've fundraised successfully). Here's a couple of points I hope are helpful.

- You should look to connect with partners at firms that have female founders (ideally purely female-founding teams) among their portfolio. There are also a few female partners out there as well -- get access to them, with your YC network it should not be hard. Listen hard and press them to get honest, specific feedback when given "no"s.

- While the sexism is unfortunate and it's hard not to get frustrated, you may want to look long and hard at your pitch and company. If you've really talked to 40 investors and sent out ~500 emails, and this is a hot space for disruption, it's very unlikely that all of them are dismissing you due to gender; something isn't connecting. It's very easy to dismiss all feedback ("their feedback means nothing; they are rejecting me because I am a woman") just because you are soured by your bad sexist experiences.

Ask yourself these questions honestly: Are investors giving the same criticisms and feedback for saying no? Are there questions you struggle with in the pitch about your business? Is the value prop clear? Is the product demo well orchestrated? Try to examine all of the feedback you've gotten objectively, and see how you can improve the pitch. Find someone who is ideally involved in the venture community (e.g. as a partner, associate, EIR) that you can trust, that can give you brutally honest feedback on your pitch and business.

- Fundraising is hard for everyone. It's going to be harder for you. It sucks, but that's the truth of life. You are one of those pioneering women who are paving the path for others so hopefully in 20-30 years, it's not even an issue. It would be great if you didn't have to deal with this, but that's not the reality of the world. What doesn't kill your company will make you AND your company stronger.


> You should look to connect with partners at firms that have invested in female founding teams (ideally purely female teams).

Are there seriously investors that only back purely female teams? That seems ridiculously sexist and financially stupid to eliminate so many good startups that aren't all female.

> You are one of those pioneering women who are paving the path for others so hopefully in 20-30 years, it's not even an issue.

I see articles like this as a small step backwards. I don't know what the answer is to discrimination (of any kind), but I think complaining about it in articles like this is not helping to reach equality.


> Are there seriously investors that only back purely female teams? That seems ridiculously sexist and financially stupid to eliminate so many good startups that aren't all female.

That would neither be sexist nor would it necessarily be financially stupid.

As for the sexist part, reverse sexism is not a thing -- if the playing field is so imbalanced, then explicitly favoring the discriminated-against group is a fair measure to level the playing field. It's the same reason we have women's colleges and organizations devoted to advancement of women, and why similar institutions for men would be (generally speaking) incomprehensible.

As for the financial wisdom of investing purely in companies run by female co-founders, the whole point of investing is to find opportunities for investment that have been undervalued by the rest of the market. There are certainly some investors that have discovered that businesses run by women are undervalued in the market; maybe they have even calculated a rough figure for how undervalued they are, perhaps 15%. They may decide not to even look at male-led companies, as they would need to find 15% extra hidden value in order to match the hidden value -- unseen by the rest of the market -- they already know the female companies must (on average) have.


> As for the sexist part, reverse sexism is not a thing -- if the playing field is so imbalanced, then explicitly favoring the discriminated-against group is a fair measure to level the playing field.

You're conflating anti-discriminatory with reverse sexism.

Anti-discriminatory is passing a law that requires any company that gets tax breaks to meet some requirements of diversity.

reverse sexism is coming across a female owner who only hires women (I know of 1 such company).


There is no such thing as "reverse sexism." There is only sexism. Making decisions based on gender is always sexist.


the whole point of investing is to make money, not find "opportunities for investment that have been undervalued by the rest of the market."

you are confusing the means to an end as the end in itself.


> Are there seriously investors that only back purely female teams? That seems ridiculously sexist and financially stupid to eliminate so many good startups that aren't all female.

I meant this to mean they have invested in all-female founding teams, not JUST all female teams. I have edited it to hopefully reflect that better.

Regarding your second point: I don't think the author's goal was purely to stop sexism in VC. She was describing her own experience. It's not a waste of time to educate people about the poor behaviors you see, regardless of whether or not she has a solution for it.


Not quite the same thing, but I know of a company in my local town that hires only women. They'll contract out to men when they absolutely must (me, for example), but I shit you not, the owner was female, all of the engineers were female, every single person on the assembly line was female. There were literally 2 males involved in that entire company. Me, as a contract software developer, and another guy as a contract IT person.

That was it. Top to bottom that entire company was female, if I had to guess they had 20-30 employees, but of course I never saw all of them so it's just a guess.


for all the down votes you're getting, just wanted to let you know that I agree with you.

don't let the thought police get you down, and don't let all the other commenters shame you into thinking you are wrong or stupid just because they think your comments aren't politically correct.

you are right: it is sexist to discriminate against males, and these articles are a step back.

cheers, mate. keep on keeping on.


Thanks. I'm honestly starting to feel like a crazy person for thinking that men and women should be equal. The fact that I have to get behind a VPN and make a throwaway account to express that I think equality is good and positive-discrimination is bad is upsetting.


hahhaha (sadness)


IMO as long as the research in these tools are being funded by corporate entities (e.g., Microsoft) then there's little hope of any open research.

Fortunately, there's money to be had for open source and research projects that are willing to organize and look elsewhere for some cash. Look at projects like Bro and Suricata -- commercial security tools which are government and educator funded.


The problem with open source security tools (e.g., bro, suricata, brakeman) is that they require security expertise to operate, continually. In my experience many small/medium organizations who actually care about security don't have such expertise in-house and can't find good security people to hire. This limits them to buying commercial solutions which (also in my experience) tend to blow.

We need more security engineers, but the problem is I don't even know what that job title requires. The author pokes fun at CISSP, but how else can I figure out if someone is 'good' at security? They are already so rare and mostly employed by google (joke).


Your CISSP point has an is/ought flaw. It would indeed be nice if there was a sticker you could look for on a candidate to know if they were qualified to do security work. But that sticker does not exist. The competence of candidates with the CISSP sticker varies wildly, all the way down to barely-computer-literate. Over time, the top end of that range is trending downwards, as well, so to the extent it's a signal, it's a negative signal. (It's such a weak signal that I wouldn't make any kind of decision about it. There are very smart people that have CISSPs.)


I saw a good job post for a modern security engineer the other day from slack https://jobs.lever.co/slack/dfd75111-97a6-4edb-a21a-b8388a46...


>> The author pokes fun at CISSP, but how else can I figure out if someone is 'good' at security?

I'm the author.

If you are hiring a security consultant for your firm and you know how to judge infosec skill, use a work sample and check references.

If you're hiring a security consultant to perform a penetration test or audit for your (non-infosec) company, hire people who have a healthy mix of the following:

1. Public, verifiable work (e.g. bug bounties).

2. Solid references and past experience with clients who themselves understand what to look for in a security consultant. You obviously check these references. Alternatively, a solid reference that the candidate worked at NCC Group, Accuvant, Leviathan, etc.

3. Research in the field, such as discovering a new class of vulnerability, publishing vulnerabilities in ubiquitous software, etc.

Prioritize #2, because not all adept security folks like to conduct research or participate in publicly verifiable work.

Of the certifications you can have, the Offensive Security[1] certs are pretty rigorous. For example, the OSCP is a good indicator that a candidate knows what they're doing to offensively test a client's network. That's about it. Almost all other certifications are run by people who have, at best, textbook knowledge of information security. People who get the CISSP can probably accurately describe a cross-site scripting attack to you in an interview, but there is no guarantee they can practically find it or defend against it.

The other issue is that while some certifications are good, a lot of folks in infosec just don't care for them. They can find high paying jobs in prestigious companies without a degree or a certification of any kind, so they simply don't bother, even though they could pass it. This means that you can't reliably throw out candidates with no certifications...which circles back to my original recommendation. Work samples, references and public work are the best ways to judge a candidate's talent. I'm directly aware that this system is used at Matasano and Accuvant, and it's likely the norm at the other "quality" security consultancies.

'tptacek would have a lot of great advice to contribute on this matter as well.

[1]: https://www.offensive-security.com/information-security-cert...


+1 for anything from OffSec. I failed their OSCP once and after some reassessing I will not be taking it for another year or so. However, there are many companies that list if not require a CISSP, and other CISSP-holding individuals are hesitant to degrade the efficacy of the cert.


Generally: a requirement that candidates hold CISSP is a strong negative signal about the job. This observation would have qualified as "insightful" 10 years ago, but in 2015 it's verging on conventional wisdom.


I think a lot of corporate entities have seen value in having security improve for everyone -- including their downstream users or customers (who might be at risk of phishing) and their upstream suppliers or vendors, whose software they use directly or transitively trust. So I don't think they will all see reason to keep their research secret or to avoid funding things that are open.


you may want to look into finding someone who teaches the Alexander Technique: http://www.alexandertechnique.com/

It helps lots of musicians and others with repetitive injuries.


I was going to suggest this as well. I found it was too difficult for me to apply it totally successfully to my playing, but studying it has been great for just everyday life and computer stuff where I tend to have a lot of unnecessary tension.


It seems to still be available from popcorntime.io in a local Stash repo: https://git.popcorntime.io/stash/projects


The .io project is a different fork from the original project than the one referred to by this post.

