ParsePort gives you the flexibility to use Parse when first developing an app while providing an option to migrate away from Parse should your needs change, all without shipping a new binary or changing a line of code.
Parse is an incredible platform that removes a lot of headache for building backend services for your apps. As great as Parse is, using it unfortunately locks you into their platform in perpetuity, i.e. as long as you have users in the wild with app binaries using the Parse SDK you’re stuck with Parse.
There are a number of reasons for wanting to avoid vendor lock-in, including:
Parse is great today, but there are no guarantees the same team will be there in the future delivering a service of the same quality.
Parse can change their pricing at anytime making it catastrophically expensive for your app overnight.
Parse or its owner Facebook could begin to abuse their privileged access to all Parse app metrics to act anti-competitively, e.g. by using the information unfairly in M&A. For more on this see http://swaggadocio.com/post/60416244109
I read a quote from Mike Vernal, VP of Platform at Facebook on the Y Combinator blog re Facebook’s motive for acquiring Parse earlier this year:
I think about Facebook’s mission as helping people connect, wiring up the world. For our developer mission, we want to extend the same thing to them. We want them to be able to build apps and reach everyone in the world. On the build side, we know from our own experience how painful it is to have to maintain five or six apps. One of the things we want to do is make it easy to build for all platforms and reach all people on Earth. The biggest challenge today is supporting all the different platforms that exist, and Parse makes that really easy.
Of course this is probably not the reason that drove the acquisition, it was more likely to be about data. Earlier this year Parse crossed the 100,000 app mark. Parse is a PaaS, not a consumer app, so that’s great growth for less than two years out of the trap. Imagine how many users those apps have and extrapolate out to five years from now. That’s a shit ton of apps and even more users using them. All that transactional user data being beamed straight into Facebook. How many times a user opens an app, when, what they do, and for how long. Parse user objects have an email field, so Facebook could trivially reconcile Parse user data with that of its own. My inner Zuckerberg is salivating at the possibilities. Is this cool? I don’t know. Is it allowed? I suspect right now the answer is no, but what is stopping Facebook changing the Parse ToS tomorrow and making it completely free at the same time, or simply rolling Parse into the Facebook platform where this is already de facto expected?
Another use I can see for Parse data is giving Facebook the jump on fast growing apps they can acquire before anyone else even knows what has happened. Facebook will know the metrics of any app using Parse, so when they see they have the next Instagram on their hands they can swoop in early and get it for a knockdown price before breakfast. If Facebook could acquire the next Instagram for half off by being early to the party, the Parse acquisition will have paid for itself many times over. This is genius, diabolical genius but genius nonetheless. Similarly they could use the data to reveal distressed teams to acqui-hire. Developers should expect the data to be used, and not to their advantage.
I’m not making any judgment as to whether the aforementioned is legal or ethical, but I don’t expect that to stop it from happening now or later. Even though those are my thoughts I will probably continue to use Parse, it’s such a great platform. However, I have been working on a way to avoid being locked in to Parse, i.e. still use the Parse SDK (ViewControllers, PFObject, etc) but build in a kill switch to have the Parse SDK suddenly communicate with one’s own servers instead of Parse’s. Then to migrate out of Parse all one would need to do would be to build an API server endpoint that quacks like Parse. This would be a much less daunting task than getting every user to upgrade to a new app binary that didn’t use Parse. I thought of the name Parseport, i.e. leave when you want. A proof of concept is here. I class dumped the Parse SDK private headers and used Objective-C categories and method swizzling to decorate the HTTP client class the Parse SDK uses to talk to foreign hosts without changing the SDK’s public API. I’d like to tidy this up a lot, and provide a simple API to achieve the same result, and then it would be simple to use GroundControl to remotely flip the switch.
If you know a lot about Objective-C, its runtime and would like to help me please find me on the twitters.
Shredding at home 😝😎🔥💃🎼🎸🎵🎶 at Great Marlborough St.
HTTP Basic Auth remains a popular method for API authentication for various reasons, but mainly because it’s dead simple; placing the username and password in the URL, e.g. http://user:email@example.com, is widely supported, allowing new users to familiarise themselves with APIs by pasting URLs into their web browser, especially “REST” APIs.
As well as being tremendously simple, HTTP Basic by itself is also tremendously insecure, i.e. it is implemented by simply Base64 encoding the username and password concatenated with a colon “:” character. It then follows that HTTP Basic should only be used, if at all, over securely encrypted connections. Let’s take a look at Stripe, who has chosen HTTP Basic for their API authentication.
Nice. If we make a request, Stripe returns an error informing us of our mistake. However, there is one fly in the ointment. Note the Authorization header.
Oh look. Our authentication credentials were transmitted over the Internet in clear text one time. Oops. The possibility of an attacker obtaining an unwitting user’s API token in this way is probably extremely low, but just because I can not imagine a way to trick a user into doing this and exploit it does not mean a much smarter, seasoned attacker also could not.
Stripe is not the most egregious case. It’s not that bad, as the error is caught straight away and at most credentials are only likely to be inadvertently leaked once following user error. The following is really bad. Let’s try the same with Twilio’s API.
Oh. Dear. Lord. “X-Shenanigans: none” you say? None, apart from the shenanigans where each request is simply silently redirected to the HTTPS endpoint. This means a user could spray their credentials over the public internet in perpetuity without ever knowing.
What could happen if an attacker somehow obtained Twilio or Stripe API keys in this way? Well, in the case of Stripe how about making fraudulent charges to every vaulted card, cancelling recurring billing, or refunding every charge ever made by that merchant. This exposes Stripe, the merchant, the underwriters, and any consumer having paid for something using Stripe and the compromised merchant to inordinate risk and distress. In Twilio’s case how about DOSing the compromised user by buying 100s of telephone numbers, exhausting their account balance, or maybe start an illegal telemarketing robocall operation in their name and at their expense?!
Aside from abandoning HTTP Basic altogether there is an easy fix: close port 80 on your API host. This stops a connection being made dead in its tracks, preventing any credentials being sent in the clear. Around 3 months ago I reached out to the security teams at Stripe, Twilio, and Plivo to inform each of them of this problem. Stripe was the first to respond, saying they would not fix as they did not want anyone to misinterpret port 80 being closed as Stripe itself being down (a payments company opting for API UX over security, who would have thought?). Twilio responded saying that they were aware of the issue but also would not fix because they did not want to break their users’ apps(!). Here’s a free tip: grep your logs to identify the users that are making calls via plain HTTP and reach out to them, let them know and provide support migrating them to HTTPS. Finally, Plivo actually replied and closed port 80, although inexplicably api.plivo.com:80 is open again and 301 redirecting to api.plivo.com:443. I hope this is an oversight on their part.
Let’s be clear here. All of these companies provide 1st party API helper libraries in a variety of languages. There is absolutely no reason to have port 80 listening for incoming connections. Granted closing port 80 is not ideal, but in my opinion that’s a trade off you have to accept for making a poor design decision when implementing your API.
So if you don’t want to close port 80 for UX reasons, the solution is an authentication scheme that does not involve the transmission of a secret key. My favourite is HMAC-SHA, which is a good blend of security and ease of implementation. Essentially the request is hashed with a shared secret as the key. A nice side effect of this is you can add in the time of the request as a parameter, thereby sending a different signature each time, making it possible to expire keys and prevent replay attacks. As an example, given the request:
auth_version=1.0 to the params then hash the whole thing like so
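The signing scheme described above, carried through as an added example (this is not code from the post or from Stripe, Twilio or Plivo): the client signs the method, path and parameters with HMAC-SHA256 keyed by the shared secret, and the server recomputes the signature, rejects stale timestamps and caches seen signatures to block replays. Only auth_version comes from the post; auth_key, auth_timestamp, auth_signature, the key id, the secret and the request values are assumed or constructed here.

```python
"""HMAC request signing with a timestamp, in the style the post describes.
Added example, not vendor code. Parameter names other than auth_version
(auth_key, auth_timestamp, auth_signature) are assumptions."""
import hashlib
import hmac
import time
from urllib.parse import urlencode

AUTH_VERSION = "1.0"


def canonical_string(method, path, params):
    """Build the exact bytes both sides hash: method, path and the sorted,
    URL-encoded parameters (auth_signature excluded). Sorting removes any
    ambiguity about parameter order between client and server."""
    items = sorted((k, str(v)) for k, v in params.items() if k != "auth_signature")
    return "\n".join([method.upper(), path, urlencode(items)])


def sign_request(method, path, params, key_id, secret, timestamp=None):
    """Client side: add the auth parameters and an HMAC-SHA256 signature.
    The secret never leaves the client; only the signature travels, and
    because the timestamp is signed every request carries a new signature."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    signed = dict(params)
    signed.update({"auth_key": key_id, "auth_timestamp": ts, "auth_version": AUTH_VERSION})
    msg = canonical_string(method, path, signed).encode()
    signed["auth_signature"] = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return signed


class Verifier:
    """Server side: recompute the signature, enforce a freshness window and
    keep a replay cache keyed on the signature."""

    def __init__(self, secrets, max_skew=300):
        self.secrets = secrets      # key_id -> shared secret (assumed lookup table)
        self.max_skew = max_skew    # seconds a signed request stays valid
        self.seen = {}              # signature -> timestamp, for replay detection

    def verify(self, method, path, params, now=None):
        now = int(time.time()) if now is None else int(now)
        if params.get("auth_version") != AUTH_VERSION:
            return False, "unsupported auth_version"
        secret = self.secrets.get(params.get("auth_key"))
        if secret is None:
            return False, "unknown key"
        try:
            ts = int(params.get("auth_timestamp"))
        except (TypeError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        msg = canonical_string(method, path, params).encode()
        expected = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
        provided = str(params.get("auth_signature", ""))
        # constant-time comparison so timing differences do not leak the signature
        if not hmac.compare_digest(expected, provided):
            return False, "bad signature"
        # drop entries older than the window so the cache stays bounded, then check replay
        self.seen = {s: t for s, t in self.seen.items() if now - t <= self.max_skew}
        if provided in self.seen:
            return False, "replay"
        self.seen[provided] = ts
        return True, "ok"


if __name__ == "__main__":
    # constructed demo values, not real credentials
    secrets = {"key_demo": "constructed-shared-secret"}
    req = sign_request("POST", "/v1/charges", {"amount": 1000, "currency": "gbp"},
                       "key_demo", secrets["key_demo"])
    server = Verifier(secrets)
    print(server.verify("POST", "/v1/charges", req))   # (True, 'ok')
    print(server.verify("POST", "/v1/charges", req))   # (False, 'replay')
```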
Companies such as Stripe and Twilio are seen as de facto reference APIs which many companies rush to copy, n.b. similarities between Plivo and Twilio APIs. What we don’t want are more API vendors copying these bad design choices. Stripe doesn’t want to close port 80 on their API host, I guess because they feel not enough people are aware of this problem, so I hope this blog post raises enough awareness so that they can change their mind.
P.S. Don’t use HTTP Basic. Thanks.
"A cup of death"
I sketched this image of Death on a McDonald’s cup as commentary on how quickly and unexpectedly death can appear in our lives. The roughness of the drawing caused by the speed of my illustration symbolises how quickly death often appears. The McDonald’s cup, an irreverent found object was chosen for how arbitrary it seemed in context of the subject matter; I thought this to be morbidly emblematic of the unexpected nature of death.
I just made all that up. I actually sketched it for no reason other than boredom while doing laundry. Last weekend I visited the Tate and was struck by the sometimes absurdity of the curator comments on the small placards that appear adjacent to each work. As I worked my way through, I encountered people sitting on fold up chairs, watching a video installation while nodding sagely as if they were deeply attuned to some profound insight that was simply beyond my grasp. I couldn’t help but feel that there’s a touch of the emperor’s new clothes when it comes to modern art (FWIW I didn’t feel this way about the whole of the Tate Modern. I very much enjoyed the Lichtenstein retrospective, and “A Bigger Splash” by David Hockney).
Still bored and with my Tate Modern visit fresh in my mind, I decided to see if I could backwards rationalise this “work” and contrive the inspiration that could plausibly have been its genesis. It was trivially easy to do and with the pretentious curator commentary and nodding aficionados in mind, I thought to myself that maybe the key to being a successful artist is creating work that allows critics to feel intelligent when interpreting it?
boris - tfl bus stop, boris bike, and tube platform status from ruby or the command line.
coming soon to https://github.com/stevegraham/boris
shout out to mayor of london, boris johnson, tho!
I’m currently 30,000 feet up in the sky, flying home after interviewing unsuccessfully for the W13 batch. I would like to share my experiences with you, illustrating what I did right, i.e. to be one of the select few to be invited to Mountain View as a solo founder; and what I did wrong, i.e. why PG et al passed on me this time around. Hopefully this post-mortem analysis will be of use for those planning to apply for future batches.
YC is extremely competitive. I heard around 3000 companies applied for S12 and it’s reasonable to assume that a similar number applied this time around, especially considering the historic trend of more applicants each batch. With the 40 or so companies admitted for W13, that makes for roughly a 1% acceptance rate. I knew my application would have to be particularly impressive to even get an interview, especially considering the bias against solo applications. I had to get across that I’m smart, determined and will get stuff done no matter what. I wrote about Slanger, a black box reimplementation of Pusher that I largely wrote in a hotel room during RubyConf. I was also the first international employee at Twilio, and effectively launched Twilio into Europe alone. Sure, I had some support from HQ but I did all the heavy lifting for the first year when (to my great relief) my Twilio EU “co-founder” James Parton came along! This subtly demonstrated a track record of execution, and that I can handle a massive task alone and still deliver results, essential if YC was to take a punt on me as a solo founder. Bosh, that went straight on my application too. The person who hired me at Twilio, and who co-signed this, was Danielle Morrill, now CEO of Refer.ly (YC S12). This helped no end, I’m sure.
Earlier this year when I decided to leave Twilio to work on my own thing, I chose my idea (mobile payments) and what I wanted to call it. I chose the name ‘Zap’, because it’s a short, English verb, and the dot com domain name is languishing unused. After some digging I went from staring at a private WHOIS entry to discovering the domain was owned by Harbinger Capital Partners, a hedge fund in NYC. Great, even 10x what that domain is worth is not going to move the needle for a hedge fund with tens of billions USD under management, but I didn’t give up there, it’s a great domain. I couldn’t just shoot off an email speculatively asking to buy the domain, I reasoned I’d have to do something extraordinary in order to get their attention. I asked around my network for an introduction, found one or two people that could connect me but they were reluctant to help me out. It was extremely frustrating, but I did not give up.
Instead, I ponied up for a LinkedIn premium account and tried to identify someone at the fund with enough juice to authorise the disposal of that domain. Unfortunately those folks were too smart for that and had their privacy settings maxed out, however the P.A. to the CEO had her profile semi-public. I sent her an inMail requesting a 10 minute meeting with the CEO, Philip Falcone and outlined what I wanted to do, i.e. something huge enough to pique the interest of someone already sitting plum on the Forbes billionaire list. She didn’t reply, so a couple of days later I jumped on the horn, called the switchboard, and asked for her by name. She didn’t pick up, I left her a voice mail and later on she replied to my inMail. Man, she shut me down hard; pressed Ctrl-Alt-Del on your boy. But still, I did not give up.
I went to a stationer and bought the most beautiful paper, typed out a short proposal for Falcone what I wanted to do with zap.com, and printed it out many times. The slightest smear of toner, or anything less than perfect penmanship when I signed it meant that copy was consigned to the trash. 60 copies later and I had one I was happy with. I was about to FedEx it when I thought to myself “Fuck it, I’m going to hand deliver it”, and with that I booked a ticket on the first thing smoking out of London Heathrow to JFK.
When I landed, I took my laptop ready to pitch at the drop of a dime, and hopped in a cab to the hedge fund’s office. It’s near the UN, so security is tight. I saw blacked out, unmarked SUVs with flashing police lights, the kind you see when you get a 5 star wanted level in Grand Theft Auto, and maximally militarised NYPD carrying disproportionately large guns; it was massively intimidating, I distinctly remember asking myself WTF was I doing. I walked into the lobby of the building and was immediately stopped by security, “Can I help you, sir?” I looked the dude right in the back of his eye and replied “Yes actually, you can. I’m here to see Trish McAndrews of Harbinger Capital Partners. Can you let her know Stevie Graham from London is here to see her please?” Now, just as one does not simply walk into Mordor, one also does not simply walk into a hedge fund and demand to see the CEO. Instead I asked for the gatekeeper, i.e. his P.A. by name. I didn’t have an appointment, but the sound my huge balls made as I sauntered into the building probably threw him off. He checked my ID and called the elevator.
I emerged from the elevator into the opulent reception of Harbinger Capital Partners. “Can I help you, sir?” asked one of the Amazonian receptionists. She could have easily had a career as a runway model, this only added to the intimidation factor. I gave her the same schtick as I did in the lobby, when she spotted the envelope in my hand and made a play for it. I calmly explained that I had flown 3,700 miles specifically to hand deliver this letter, and asked whether it would be OK if I saw Trish in person. She looked at me for a while, but “something surprising or amusing that I have discovered” is unbroken eye contact with strangers is immensely disconcerting for most people. So I didn’t say anything more, I just looked her in the eye, implicitly expecting compliance. After a few uncomfortable seconds (for her), she acquiesced and picked up the phone to call Trish.
Trish came down and we spoke. She informed me that El Jefe was out of town speaking at a conference. I asked where, saying I would fly anywhere he was for a 10 minute meeting. Trish firmly but politely insisted he was busy, but she would make sure he received my letter. I thanked Trish for her time and left. I went straight to the Apple Store on 5th ave to find out about this conference, it was in Aspen and unfortunately I wouldn’t have made it there before it ended.
Back at my hotel I was thinking how to get Falcone’s P.A. on my team, after checking with some female friends that it wasn’t egregiously creepy, I sent a dozen cupcakes from an upscale Manhattan bakery the next day along with a handwritten note thanking her for seeing me the day before and containing my contact details in case Falcone suddenly became available. I thought maybe she might send a thank you note via email at least. Radio silence. Still, I did not give up.
A few thousand quid in the hole, I sat in despair in my hotel room contriving ways to circumvent the gatekeepers, but how? There was no email address on Harbinger’s website that I could take the format from and use to extrapolate what Falcone’s email address might be. I picked up the phone again and called Harbinger, pretending to be a graduate student researching another Harbinger investment that’s been in the news for all the wrong reasons lately, LightSquared. I was hoping to get the email address of someone I could send some questions to, and use that address to work out Falcone’s. It didn’t work, I was simply given a telephone number to call. STILL, I DID NOT GIVE UP. In a last ditch attempt I opened up Mail.app and began typing an email with no one to send it to. I guess it was catharsis, but when I finished I filled the BCC with as many permutations of what his email address could be and then hit send. Instantly I received hard bounces from the Exchange server, but crucially the amount of undelivered recipients was one less than the addresses I sent it to. 3 minutes later Philip Falcone himself replied to my email from his iPhone asking for a business plan. I annotated my presentation deck and sent it to him and over the following weeks it was downloaded 5 times. I followed up with him but didn’t get a reply… I have not given up(!) I’m just not bothering him until I have something more substantive to show him. However, if you’re reading this Mr Falcone, feel free to give me a call!
I didn’t get the domain (yet) but I did get a massively baller story to put on my YC application. The system I hacked was life itself, and in the process demonstrated that I’m an insanely determined hustler that does not embrace failure lightly. All those times I was shut down, Falcone himself vindicated my persistence by being interested enough to reply to my email and download my deck several times.
Before applying to YC I went out to Mountain View for Startup School, mainly because I was invited (n.b. randomly selected) to a reception at YC the day before. I knew this would be a great time to get some face time with and stand out to the partners; that would be worth the airfare alone to me. I was introduced to Harj and managed to tell him the entire story I just told you.
Startup School itself turned out to be awesome too. The talks were informative and inspirational, I remember Jessica’s talk in particular inspiring me. I also met a ton of smart people during the week I was there, and it really drove home to me that the Valley is the place to be.
I understand the average successful application has the recommendation of a few YC alumni. I had at least 6, and I got an interview so I’d say it definitely helps. I strongly suspect all recommendations are not equal either. Expect YC to follow up to see exactly how strongly alumni actually recommend you and it’s not unreasonable to assume that the recommendation (as any other) is weighted according to how respected the recommender is by YC too.
I imagine YC also weighting recommendations according to how accurate the recommender has been at picking successful applicants/companies in the past. I’d put money on YC doing this or something similar. PG loves empirical data.
The bottom line is to work hard to get quality recommendations from quality alumni.
PG has said himself that he loves the idea of funding something that has a tiny chance of success but massive upside if it comes off.
The key to getting into YC is to read PG’s essays. He lays down in black and white what kind of entrepreneurs and companies he wants to fund. The answer to every single question on the YC application form is within PG’s essays. Read them.
Largely disregard YC alumni advice when it comes to the application and the interview. I received so much conflicting advice that it was ultimately harmful to my performance. Not to denigrate the advice given to me by alumni - I’m very grateful for it - it’s my own fault for weighting it too heavily when synthesising my own strategy. I imagined a barrage of questions, constantly being cut off by the partners, having to maintain and track several conversational threads. I expected to vigorously defend being a solo founder. I was told PG does not suffer fools gladly, and shuts them down in record time. That is what I was told to expect, but was nothing like what happened. It was actually like what I imagine office hours to be, albeit heavily abbreviated. Oh, and surprise, surprise! PG actually says this somewhere. Again, read what PG writes!
I sat waiting for my interview at one of the long tables in the main area at YC. I was not nervous, I did not expect to be accepted so there was nothing to fear. Suddenly, Jessica appeared with the most incredibly warm smile and an outstretched hand, I could not help but reciprocate with a similarly beaming smile. As I went into the room Jessica, PG, Trevor, and RTM all introduced themselves with massive smiles on their faces. That really put me at ease within seconds. Wonderful, considering how gruelling the interview process must be for them too. They clearly do YC because they love it.
PG began asking me questions before I had even taken my coat off, I jumped right in, PG and I riffing on ideas. Every YC alum I’ve spoken to testified how smart PG is. I knew he was smart, I’d read his essays, but the feedback was so universally exultant it felt a bit cult like. However, PG knew exactly what I wanted to do, it was the quickest anyone has grokked my idea. I could almost see this divide and conquer algorithm working in his brain as he traversed the idea space, it was spectacular to behold. The back and forth between PG and I continued, I saw Trevor nodding his head in my peripheral vision, Jessica watched us all while taking notes, PG seemed to really dig my idea, the interview overran, man that 10 minutes felt like 30 seconds. It seemed to be going well… then PG hit me with a particular question about acquiring a particular type of user, one I should have been able to answer, one I’d practiced dozens of times over the past few days, one I had several strong answers to. I don’t understand why, but my mind simply went blank. The interview ended a minute or two after.
I went outside and the answer popped into my head instantly. I feverishly banged out an email with the answer to the interviewing partners immediately. I told the alumni milling around outside how it went, including tanking the question. They all still thought I would get in, but I knew deep down I had torpedoed my chances. Later on I got the rejection email, PG didn’t think I had enough of the idea figured out yet. I was so mad at myself because I knew that I did. I can never know why I didn’t make it in. I can only take my evaluation of my own performance and reconcile that with PG’s email.
I wallowed in self loathing for a day and then remembered the Instacart story. Inspired, I hacked out the feature that was the answer to the flunked question and used it on the partners. Not one of them clicked through the email, but by this time I felt extremely motivated anyway, getting back to work on that feature was exactly what I needed to pull me out of the pit of despair.
In hindsight, I spent too much time preparing the demo and not enough time on interview prep. I wanted to rock in and say “Hell yea I have a demo. Can I have your credit card? I’ll use Zap to get my 800 coins for the flight over!” The partners didn’t even ask to see it, that was a shame because it was absolutely beautiful.
Even though I didn’t get in to this batch, it’s not a big deal. I will continue ahead regardless, I might even apply again in the summer. I think I may have even found myself a cofounder too. PG’s advice was also extremely helpful and worth the trip alone. It was an honour just to discuss my idea for 10 minutes with someone I greatly admire.
Some cornball hanging around YC after his interview
Hope this is useful for someone. If you want to stay up to date with what I’m up to, drop me your email address at http://paywithzap.com/
I’m @stevegraham on twitter, and my email address is sjtgraham <-at-> mac D0T com.
EDIT: HN commenters seem to be unfortunately fixated with the cost of my NYC jaunt. Have they not considered that I might have actually tried to raise money from Falcone? When I get him in a room, you can bet that I’ll be trying to get the domain and some capital from him before I’ll try to buy it off of him with my own cash. What do you think is more likely to be successful, a billionaire throwing down a relatively small amount of coin to invest or him hearing out an offer to acquire the domain for 5-6 figures without laughing me out of the room. 2-3 grand for a holiday and a roll of that dice makes that worth a punt in my eyes.
Twilio Developer Evangelist Carter Rabasa uses twilio-js (a node.js module I wrote for Twilio) at Lisbon JS Conf.
These past few years I have focussed on building. Every day I strive to be a better person than I was the day before. It’s gone pretty well so far, I’ve gone from being in debt and going nowhere in life to having a nice gaff in Soho, cash in the bank and an awesome career. A side effect of this is friends of mine often ask me for advice, sometimes what they really want is positive reinforcement. The other day a friend of mine emailed asking if he should move across the country to L.A. to develop his career. In my eyes this man is already a huge success story, but he was apprehensive about the life change. I replied:
a pearl is made when a piece of grit irritates a clam; it smothers the irritation with something beautiful. we should always be forcing ourselves outside of our comfort zone, from discomfort comes beauty.
That was all he needed. I went on to ask him if he saw anything that I should be working on. Something that would make me uncomfortable, yet ultimately cause me to grow as a person.
that’s a tough question. I have to think about that for a minute. you asking me that, is making me think about stuff i should do too. Maybe mend a relationship with someone. When I think about you, I can’t really envision things that are hindering growth because you essentially do whatever you want and succeed.
do you find anything challenging? if so, attempt to reduce the apprehension you’re faced with when you think of it as a challenge and tackle that. whether it’s socially, financially, physical, emotional, musically etc.
do the same with a fear.
It was at this moment I realised something. I had focussed so intently on improving my financial position, I’d neglected the more important things in life.
When I was growing up my relationship with my parents became very strained. We gradually became more distant due to the difficulties of transitioning into manhood and at some point I stopped telling them I loved them. When I moved out things became better, and I started to tell my mum I loved her again, but something stopped me saying it to my dad. There was this unexplainable fear of opening up like that always holding me back, stopping the words from coming out of my mouth. I suddenly realised how stupid this was. One of us will die soon and then it would be too late. I immediately phoned my dad to tell him I love him for the first time in years. My mum cried.
Leave your comfort zone behind.
something i made during midem hack day in cannes. named after the famous mpc2000 drum machine.
love this flick from the hacker news demo last nite. credit: @stanimirroff (Taken with instagram)
me giving a talk to 500 of the smartest hackers in london #hnlondon (Taken with Instagram at Central Foundation Boys’ School)