Adam Wiggins: [01:21:49.13] Because your kids are all grown up and out in the world doesn’t mean you don’t still love them and have emotional reactions to things transpiring in their lives, right? Yeah, for sure, that that one was tough for me to see, because it was part of our original vision, or somewhere in that early vision, that it’s quick to get started. And it’s not about it being free exactly. It’s that you don’t need to make too many decisions to start a new project, and get it on the internet. And that’s something that – actually, I think open source was the thing that really kind of opened my mind to that originally, which is… I remember years ago when you wanted to - or at least my early experience with SQL databases was things like Informix, where you needed to go get a license before you could even use the software. So if you have an idea for a project late at night, you’re not just going to like spin it up out of nowhere. There’s this whole ritual that is involved. Now there’s the money, of course, and then that leads you into “Okay, is this project really important enough to spend the money?” and like needing to frontload that decision. So for sure, being able to like just get something up and running quickly and frictionlessly, and the free is part of that… So yeah, I was quite sad to see that.

I have a lot of sympathy for the business decision, because having been on the inside of that machine, even all those years ago - I’m sure it’s changed a lot since then, but it is a huge amount of… “Work” doesn’t even capture it. “Responsibility”, “stress”, I’m not quite sure. But being responsible, or a steward in some way for all these applications is just this huge job, and there’s really a lot of clutter with the free apps. And I probably, looking back, would have done it a little differently. Actually, we did make some big changes… This was kind of right around the time I left… Actually, I’ll give a shout-out to my colleague, Peter van Hardenberg, who’s now running the Ink & Switch research lab… But he was one of the ones that helped lead the project of setting up these hobby dynos, and something where there was like a little bit more restrictions on the free stuff… So if you’re like “Okay, yes, you get started with a quick side project, but if you really are going to make it be a longer-term thing, and you’re getting value from it, you should pay some amount. It doesn’t have to be a lot; just a little bit.” And that’s a way – it’s less about the money in the sense of like paying for the runtime or whatever, and it’s more about just sorting out what’s really important to people and what’s not. And that sorting is important, because you end up with all these junk apps that were like one-off experiments, or someone just kicking the tires, or whatever, but you can’t tell those apart from the ones that are important to people. And so it makes just the running and the maintenance of the platform a lot harder.

And then, you throw in the whole like spam and abuse side of things, which we always knew in the beginning would be a challenge… But of course, this is long before there was such a thing as cryptocurrency mining. So in today’s internet - I mean, I don’t know what the trust and safety team or whoever it is there that needs to deal with this, but I can only just can’t even begin to fathom how much work it is to kind of filter and manage just this totally free, open-ended runtime.

So I wish there had been a different solution; I’m sure they’ve thought about it and came up with what made the most sense, because I can see something there being a big problem for the business, and that problem impacting other users and customers, right? Badly-behaved apps in some ways sucking up all the time and attention of the team that’s running the thing, and then they have less time to support the people who are really getting value from the platform. So I see why the free apps would be a problem. But at the same time, it was a core part of the vision, which is that it’s completely frictionless to get started, and this takes that away.

Jerod Santo: Right. Well, this isn’t an investment show, it’s definitely a show about software, so I’ll stop down that route. But let me just say that we’ve been watching this, and watched loosely some of the alternative coins or the things that are changes to Bitcoin or inspired by Bitcoin, and like I said before the break, there’s lots of things that come and go… I was even mining some CoreCoin for a few months just for fun; that’s at 0.00 at this point, and perhaps is completely just a footnote in history.

One thing that we look for as we invest our time and our skills and perhaps even our money into communities and software projects, because this is a very large software and open source software projects - there’s over 80 projects that the Ethereum Organization has on GitHub… We look for sustainability and long-lasting things, and one of the constant themes in our shows and in our community of developers is the JavaScript fatigue and the constant churn of new frameworks and new ways of doing things - some people see it as a Renaissance, other people see it as ridiculous… I personally don’t buy into new JavaScript frameworks very often because I’m just waiting for the next one, and it seems like with the cryptocurrencies there’s very much that possibility. Aside from Bitcoin, many other ones have come and gone, and of course, Bitcoin itself hasn’t been around for all that long in the grand history… So that’s one of the questions I have about Ethereum, especially as we look at it as app platform - and we’ll get back to that. Looking forward, you’ve survived what would be considered a PR disaster and really a crisis in your community over the summer… Looking forward, what is it about Ethereum that you believe makes it have lasting power, and that we can have trust, not just in the currency, but in the platform as something that we can invest in?

Jeff Smith: No, I’d be glad to. As you mentioned those three things, it is the perfect storm, especially for topics today… And it was a journey to get here. And I can give you a little bit about my journey and how we ended up with AI and mental health.

I would say in my background - I’m a corporate guy gone good. A classically-trained entrepreneur. I built six companies, three nonprofits… It’s where I find the joy. Identify a problem in the world, create a unique solution, wrap a company around it and build it to scale.

And this one’s called Chrp, named from the story of the canary in the coal mine. When that bird stops chirping, you get the heck out. It can send signals that we cannot. Methane, carbon monoxide… And so it becomes an early indicator for health and wellness. And we’ve created a platform harnessing that, using music.

And so to go even further back on myself and how I even got in this business - for years, I was the go-to guy for most ad agencies in New York to do all their social impact branding, corporate social responsibility… I became an expert on weaving purpose into the brand narrative, and bringing people alive at work, and through the products, and the brands, and these global campaigns… And along the way found a significant disconnect, I would say, between the leadership – the leadership that cares. They care about purpose, they care about their employees, they’re throwing millions at perks, rewards, telehealth, but their employees aren’t feeling it. They’re not feeling seen, they’re not feeling heard. There’s work-life enmeshment. They’re depressed. They’re anxious. They’re looking for jobs. And so a few of us decided “Hey, let’s take that on.”

We created a small company to come up with solutions to address workplace flourishing, and thought “That’d be kind of cool. Let’s bring people alive in the workplace.” And we started there, and said “Hey, what’s this disconnect between leadership and employees? What’s the problem? If there’s intent and there’s resource, but not results, where’s the breakdown?” And we’ve found that it was an information problem. We’ve found it was the corporate survey, the quarterly polls. How are you feeling? Nobody answers it, they lie in their responses, fear of reprisal, and they’re just making blind bets.

The data they’re getting back is at fault, mainly because people hate surveys. They want to fill them out. And so we said, “Let’s start there. Let’s come up with a better diagnostic tool, so people can feel seen and heard and where they’re truly at. And how do we do that?” And we set out to improve the survey; the survey tool, different modalities, different lengths, maybe even the happy faces you see in the bathrooms at airports… You know, just make it super-simple. And none of those are really tracking after a few months, and I was training for a Spartan race. One of those crazy things that we do to keep ourselves alive… And I found my mood changing with my music. I switched to, I think it was Motley Crue, Kickstart Your Heart, and just found my energy level shifting, and started thinking, as I was running, “What’s happening here? Am I being affected by the music? Am I making certain choices in my music selection that’s a reflection of this?” And that was where I had the a-ha moment, to say “Hey, is music the signal that we’ve been looking for? Is that a reflection of how I feel?” And so we dug into that, looked at music science, listening behaviors, research AI, and found a direct link, as music is a mirror for your mood.

In the simplest form, Chris, if you’re driving in the car and you’re listening to the radio, and you change, change, change until you find a song you like, that’s just your mirror neurons lining up your emotion with that song. it’s how you’re feeling or how you want to feel. It’s very hard to listen to music you’re not feeling. It’s that grind… And so we thought, “Okay, if we can bottle this up, we’ve got a rocket ship. If not, we’ll sell the algorithm and move on to the next task.”

[08:07] And so fast-forward, raised a bunch of capital, surrounded myself with brilliant people, technologists, HR leaders, music… So a buddy of mine, Suman Debroy - we’ve built some amazing things together. As a doctor in machine learning, he jumped in to help figure out the models… HR leaders from enterprise companies, managing hundreds of thousands of employees, speaking into “What does that experience need to look like inside of the company?” The music industry, songwriters, musicians, former execs from the big music streaming companies saying “Hey, this is the data that’s available to you, or even the intent from the musicians.” And that was phenomenal, to understand what were they feeling when they wrote a song? What do they want to put out in the world?

And so that was fascinating. And then even the attorneys, legal counsel. We’ve got the former privacy chief of Homeland Security to really look at “What are the privacy blockers? How do we hold integrity in this conversation?” Because music is so personal. And so we brought them together and said “Hey, let’s solve this problem. Music is our answer.” And like any, I guess now a new tech company, you’re testing it across an alpha group, looking at everything: adoption, the science… You end up with a black box on the table, it works beautifully. And so that was like end of last year. Now you’re shifting to product-market fit. Who is this best built for, right? A healthcare company at 2,500, a sports team, automotive company? So that’s where I’d say the rubber hits the road, and where we’re at today.

And just incredible leaders - you mentioned Greg Enos and others - just looking at this, saying “Hey, here’s a direction. Let’s really look at that how we can apply it.”

Paul Copplestone: Well there’s this other piece that this particular product fits into. When I talked about most of those products, you would have noticed that they’re kind of standalone servers. And then the vector product, even though we launched it as a product, is actually an extension, and it ties together, like I talked about how to use [unintelligible 00:29:58.10] functions… You can use it with cron, pg_cron, you can use it with – we’ve got this thing called Database Webhooks, which is just another extension to trigger events out of your database to call the edge functions.

So these are all what I call or think of as the first-order primitives in terms of a platform. And Postgres is the substrate, then you’ve got these first-order primitives, and they’re the key products. But it turns out then if you combine some of these first-order primitives, you’ve got these second-order primitives. This one like vector is one of those second-order primitives. And they’re kind of jobs to be done by an engineer.

Another good example, which is quite popular on Postgres platforms, is queues. We could do queues inside Postgres, but also because we’ve got these background workers, the edge functions, they can be used too for the queues. Another really good one - we’re doing a lot of content around maps at the moment, PostGIS, and you want to store your… There’s a really awesome open source tool called Protomaps, where you can store all your tiles inside S3… And so because we’ve got storage, you can store them in your S3.

So you can see you can keep mixing and matching the primitives that we’ve called to release a suite of other kind of features or tools that developers need if they’re building. So we focus on what I think of as day one products at the start, and now we can kind of get these other maybe day 10, day 20 products.

Gerhard Lazu: Yeah, I really like that model. I really like that model, because then you have the freedom of mixing and matching, however you want them, so you’re providing building blocks for others to build. They are mostly open source, right? Apart from the platform stuff that you need to run… And I’m sure that at some point you can have like the enterprise version to run it yourself, but there’s a bunch of things that you need to be aware of… But having those components for you to build using your applications - then it has your look and feel. It’s Personalized, and you know how you want to combine it. That sounds like the builder’s dream, I would say; just like the Tailwind, right? Tailwind is a little bit like that.

Adam Miller: Yeah. So the CBF patent, and really any patent of this sort kind of gives you a range, and there’s certain things within that range that fall under the patent, and then things would fall outside of the patent. Anyone can go and google patents and look it up if you really want to get into all the techie details… But yeah, it’s really more of a concept of using the center of curvature and this little area that’s about 50 millimeters over the top of a chain ring as your kind of focus point instead of a virtual pivot point, like some other brands, or some other systems would use. So it’s a different way of thinking about how to design the suspension that really takes the chain ring and the center of curvature into effect. And by doing that, you have a range within that center of curvature, and there’s a few different ways to accomplish that range… But yeah, our bikes, even our different models - and now we have four different models of full-suspension bikes - it’s all very tweaked and fine-tuned within that patented range to optimize it. And that’s where the kind of secret sauce and the real magic comes in.

Someone could go out there and lay out a bike that fits into the CBF platform, and it might not ride incredibly well when you start mixing in 29-inch wheels compared to 27.5, and even different tire sizes, and even different chain ring sizes, and then geometries with different reaches and seat tube angles… It’s a whole pie, and the suspension platform is one piece of it, but you have to factor in all these other things of what the bike is going to do to optimize that suspension design, even within that suspension patent. And that’s where Chris Canfield, kind of working with us to say, “Hey, here’s what we want. How do we accomplish it?” I mean, the guy’s a complete magician.

Jerod Santo: Hello friends, I’m Jerod and this is Changelog News for the week of Monday, July 4th, 2022. But we’re shipping out on Tuesday instead of Monday, because [Freedom…! 00:00:16.11]

First up, thanks to everyone for sharing your thoughts on this little experiment of ours. We are listening and adapting, so please continue with the feedback. Here’s what’s different this time around. One, almost everyone said to make it longer. [As you wish… 00:00:37.10] This episode is about twice as long as last week’s.

Two - many of you also read Changelog Weekly, and since we’re covering the most interesting links from Sunday’s edition of the newsletter, it makes the audio version less new or interesting. So we are now mixing in stories that we haven’t previously covered. Hopefully, that keeps it fresh for everybody.

Three, many of you think the music bed is distracting, and asked us to turn it lower, or turn it off altogether. So let’s try it without, and see how that sounds. Nice and quiet.

Okay, let’s get into the news.

On DX tips, Swyx writes about the 4.5 kinds of dev tools platforms. This is his attempt to make sense of the overwhelming world of developer tooling. If you work for or invest in dev tool startups, I think this mental model is a good one. What are the 4.5? One, application platforms that make the user productive. Two, infrastructure platforms make the application run. Three, data platforms make the data useful. Four, developer platforms make developers productive. And the point five, internal services with cross-cutting needs to interface with every platform. Those are his high-level conclusions. Read the whole article for his thinking behind the matter.

Did you know there are things you should know about databases? Lots of things. And did you also know there is an excellent - and I mean, excellent post on architecturenotes.co to teach you some of those things. It’s focused mostly on indexes and transactions, explaining them in great detail with some seriously impressive diagrams to make sure it all clicks. Not much else to say about this one, except that it was the number one clicked link in the newsletter, and there’s a link for you to click in the show notes.

Brandon Rhodes wants you to start all of your commands with a comma. Why is that? If you have your own Bin directory somewhere in your path, which you probably should, and you put all your own little scripts and executable bits in there, like you probably should, eventually you’ll hit a problem or your script names start to conflict with the built-in and bundled commands. But if you start all your commands with a comma, like Brandon does, this problem melts away. [You cursed brat! Look what you’ve done! I’m melting, melting. Ohhhhh, what a world, what a world. 00:02:56.22]

As a bonus, team this technique with tab completion, and it’s super-easy to browse your collection of commands. Just type comma, then tab, and there they are.

Lobsters turns ten. Over the weekend, the website’s creator, Joshua Stein, tweeted “Ten years ago today, I “pooped out” a better version of Hacker News in my spare time.” As Thomas Ptacek eloquently put it. It didn’t really mature into the thing that I hoped it would, and I don’t use it much anymore, but I’m happy some people are still finding it a nice place to be.

Over on the site itself, current administrator Peter Bhat Harkins says “Over that time, our community of 15,013 users have submitted 87,530 stories, written 381,460 comments, and cast 2,536,117 votes.” That’s a lot. I am a fan of the site, which usually features more esoteric and engineering-heavy posts than other tech aggregators. The conversations there can still get toxic from time to time, but were on the internet is that not the case? Seriously, if you know of such a place, holler at me. [I want to go to there 00:04:18.09]

[04:20] James Hawkins and his team at PostHog have interviewed 725 people, and one of his big takeaways is “It’s normal for candidates not to ask harder questions about our company, so they usually miss out on a chance to 1) de-risk our company’s performance, and 2) increase the chances they’ll like working here.” So he shares some really important job interview questions engineers should ask, but don’t. Questions like “Does the company have product-market fit? How much runway does the company have? What’s the culture like?” and a whole bunch more. Definitely worth a bookmark for the next time you’re job shopping.

Go Time listeners already know this, but for the rest of you, our recent episode with Ron Evans a.k.a. @deadprogram is just too good to miss, even if Go isn’t your thing. Here’s the conceit - the year is 2053; the tabs versus spaces wars are long over. Ron Evans is the only Go programmer still alive on earth. All he does is maintain old Go code. It’s terrible. He must find a way to warn his fellow gophers before it’s too late. Good thing he finally got that PDQ transmission system working. What results is a hilarious and somehow still insightful conversation with so many funny moments like this one about the future of social media.

“You know, when you’re building something that’s gonna survive a two year trip to Mars, believe me, your mp3s sound pretty funny by the time the ship gets to its destination… Or so I’ve been told. I don’t know, actually those might be AIs sending back those reports. There might even be no humans that survived the trip. There’s a rumor going around they’re all just AIs.” “How’s it going around? Who’s it going around?” “Social media still exists in 2053.” “Oh, thank goodness. I don’t know what you’d do without it.” “I use Minder. You know, it’s where you’re allowed to dump your actual mind directly.” “That’s cool.” “Is it text? Is it visual?” It’s more like a feeling.” “It’s just Hex.” “Remember the feeling you used to get when there was somebody being wrong on the internet? It’s like that all the time.” “Is it XML though?” “No, you just plug directly into your brain-computer interface, and you’re just really mad right away.” “Oh, I love it.” “Yeah, it’s beautiful.”

Listen to the rest in our Go time feed, or on the web at Gotime.fm/235.

Last up for today. Upptime. Upptime. No, I wasn’t stuttering. [Did I stutter? 00:06:43.00] That’s U-p-p-t-i-m-e. That’s how you say that, right,? A super-cool uptime monitor and status page powered entirely by GitHub. It uses GitHub Actions as the uptime monitor itself, checking your website every five minutes. GitHub issues for incident reports, opening new ones when endpoints are down, and assigning team members appropriately, and GitHub Pages for a status website built with Svelte and Sapper. This project is not affiliated with or endorsed by GitHub, but it is super-cool, super-free, and endorsed by over 1,000 people who have set it up for themselves.

That’s the news for now. Let us know in the comments if you liked this better than last week; or worse, or whatever. Seriously, we do want to hear from you. We have an excellent conversation coming up for you on Friday. Brian Cantrell from Oxide Computer joins the show for a deep-dive on their attempt to build servers as they should be - hardware, with the software baked in for running infrastructure at scale. Adam’s on vacation this week, so I have a special guest/co-host joining us as well. Can you guess who? We’ll talk to you then.

Gerhard Lazu: Okay, that sounds really fascinating. I will have a follow-up question, but I promise to trade. So this is what I’m thinking… Whenever you get a Kubernetes, you think it’s the same, and it mostly is, but not always. There’s differences between IaaSes. In some cases, you would use, for example, a persistent volume claim. But that persistent volume claim will be so different between IaaSes that maybe it is the wrong thing to pick. Initially, in our case, we couldn’t pick SSDs for our persistent volume claims, which made anything that was using them really slow, depending on reads and writes. Networking - that keeps coming up a lot. Networks are so different between IaaSes, and it becomes very obvious when you have the same Kubernetes version, but the behavior is so different. Everything is the same. So while it behaves the same most of the time, there are certain differences which are really difficult to work with in failure scenarios or in bursty scenarios, or stuff like that… So then what are you doing? You’re just feeling good about what you’re using, until stuff just breaks, and you say “Ah, I wish I had chosen something else. What am I doing…?”

But it’s not so black and white. It’s not like you can use it or not use it. There’s good things and there’s bad things in it. So what I’m thinking is, as you mentioned - is it just like the hammer, and we just go with the hammer and nothing else? What if we use Kubernetes as something else? What if, for example, we use a platform? Because if you have a CDN in front of your app - and this is like a monolithic app - could you be deploying to Kubernetes and to a platform? You know, sometimes the platform works, and it’s good enough. But then how do you manage certain things which in a platform are more difficult to configure, like for example - I keep coming back to mixing runtime concerns and configuration concerns for your infrastructure… But there is something to be said about having everything in one place, and being able to see it, and understanding how all the pieces fit together. Cognitively, there’s less overload.

So could you have this world where you mix and match different runtimes, and everything just works, and it’s more homogenous? It doesn’t really matter where it runs, and almost like the first one to serve wins? So if Kubernetes is fast, that’s the first request that wins, and that’s it. If you have another origin in your CDN, which is much faster, then that’s the one that wins. And that’s the end of it. But I think that sounds very complicated to get it working. How do you do application updates? How do you manage upgrades? Now you have 2-3 things to upgrade, maybe, if they’re not managed, and then you still have the database problem. You have to move it somewhere, and then you have to connect to that… So I’m not sure whether that’s better, but I’d be curious to find out what does that look like, and work like.

Brendan Eich: [35:47] Yeah, so that’s the really radical idea, and it’s not fully implemented. Brave, with the right opt-in - we wouldn’t wanna surprise users with this, but Brave should be your personal Google; it should be your personal data set and machine learning, which adds value to the data.

You know how people say “Facebook sells your data”? They don’t, because if they did, it would all get quickly arbitraged to a low price, and it’s seasonal enough, there’s enough repeated behavior among users that it wouldn’t be necessary for them to keep selling it. It would be extracted and in bulk. Facebook doesn’t sell all your data. What they do is they say “Come onto our platform and do ads”, or “Come onto our platform and transact in a very limited way with the data.” That’s what Google does with the web. Google is a really brilliant, once-in-a-generation business. They started with search ads - very clean, because when you’re searching, you have strong intent, you’re looking for something, you’re willing to see a promotion, especially if it’s algorithmically well-placed. It could be better than the organic results that Altavista would have found in ‘98. That’s why Google started rising fast then, and they did search ads even then; they were making enough money they got the famous angel investment from Andreas Bechtolsheim. He asked them, “How do you make money?” and Sergey said “Placed results, search ads.” Andreas said, “I’m using Altavista, but they get tricked by pages that put a little dictionary in the HTML comment, and suddenly that page is authoritative for every word in that dictionary, and they get undue search rank in Altavista. What do you do about that?” Larry Page said, “Oh, we take care of that because we count incoming links to do reputation, pagerank.” Then Andreas said, “How much are you making?” This was like ’98, when Sergey and Larry were still I think on Stanford campus. They said, “A hundred thousand a month and growing”, and Andreas said, “Let me go to my car and get my checkbook”, and he wrote a famous angel investment check which paid off very well.

That search ad business is still strong for Google, but search is kind of flattening out. The smartphone is less of a searchy device, it’s more of a social and bespoke search, or custom app experience. Voice is rising, AI is changing things… Search is flattening. It’s gonna be a challenge for Google to keep satisfying Wall-Street’s needs as a public company.

Google also did something clever - in 2008 they bought DoubleClick, because they saw if you didn’t convert all those search ads on the search engine result page, those quality texty result up top that were clearly identified at ads, but sometimes could be better than the organic results – if you didn’t click on those, you went off into the organic results, and you visited publisher sites and ecommerce sites… You kind of got distracted and surfed a bit for fun, celebrity-stalked somebody a bit… Then you came back to your major purchase, but maybe you did it through an ecommerce site and Google had no piece of that action. So they bought DoubleClick, because DoubleClick had a display ad business. They were all over publisher sites, they were on a lot of ecommerce sites. And they had cookies, they could be audience profiles by tracking people across sites.

[38:59] That gave Google a more complete model of the user, from search, through browsing to various sites that DoubleClick had cookies on or other footprint on, and Google’s been integrating things ever since - YouTube’s gotten big… In some way they’re the web, eating their own ecosystem, but they’re also getting a more complete user model.

I think you may have seen, even Chrome will now be mixing your history into the advertising model if you don’t opt out, I believe. Powerful business, but it’s got some downsides. Increasingly, Google and Facebook own 90 cents of every marginal ad dollar spent. Every extra ad dollar being spent this year above last year, 90 cents out of it goes to Google and Facebook. And that’s not a stable setting, even if you don’t mind those two being the new duopoly on search and ads, or social and ads, because Facebook’s coming after Google, and Google’s search business is flat. So there’s a problem there.

Also, there’s a huge privacy problem. People just don’t like being tracked that way. They get retargeted by bad ads, they get creepy ads, ads that make your eyes bleed, parasite pictures, belly fat reducers, wrinkle reducers… And they get malware now. Malware is actually being placed, and has been for a few years. This is kind of an under-reported story, because a lot of it works by being ransomware - it holds your PC hostage, encrypts the disk and says, “Here’s how buy Bitcoin and send Bitcoin”, and it charges not too much. So grandma paid $600 or $1,200 to get her pictures back of her grandchildren, and she’s too embarrassed to admit it.

There was a hospital in Southern California where all the systems in the hospital were thrown by ransomware. That gets you more on the FBI and Interpol radar, but these are criminal gangs hiding in nation-states that don’t necessarily prosecute them. They’re using very sophisticated exploit kits; that’s the payload that downloads and tries a bunch of vulnerabilities.

The ones we know about from the last year and a half, Angler in particular, used Flash and Silverlight and Java plugin vulnerabilities. Brave turns off plugins by default. The plugins should die, Steve Jobs was right. Thoughts on music - he was right about DRM; thoughts on Flash - he was right about Flash. God bless Steve Jobs. [laughter]

I’m not gonna endorse everything he ever did, but he did two solid things there for the web and for security. These exploit kits now are trying browser vulnerabilities. I’m pretty sure Neutrino is the one that superseded Angler and it’s trying browser vulnerabilities, because every sophisticated endpoint software is endlessly vulnerable, and you have to keep patching it. That’s what Chrome does, that’s what Firefox does, that’s what Microsoft does now… It was one of the lessons of the last 15 years in browsers, that you have to release all the time to keep ahead of the exploits. You have to fuzz-test your codebase with travesty JavaScript-generated JavaScript that finds all the safety bugs.

[42:01] These exploit kits are out there, and they’re coming in through ad exchanges. How do they do it? They actually create fake ad agencies. These are fake businesses, with fake CEOs and CMOs, fake people pictures, bios, and they go and buy ads… They put custom creative ads into ad exchanges. They pay the fees to get into the exchange, and then in real-time bidding processes automated ad exchanges place these ads on publisher pages, sometimes even gateway to other exchanges. They get onto a Chrome ad exchange at a low price, but they can claim to guarantee some conversion or some performance to the publisher who wants to sell the ad space for the ad. And the publishers fall for this every time, because they wanna fill out every space they can with ads, even at the bottom of the page, where the parasite pictures are. And they generally don’t directly sell that to brands or agencies; it’s not good space, so they say “Oh sure, programmatic ad partner. Come on in and own my space and put whatever you want in there.” Programmatic means automated, if it means anything. So he goes and says “Okay, let’s use this ad exchange…” It’s AOL, or OpenEx or Yahoo!…

Pretty soon, you don’t know where those ads are coming from. They’re coming from Russia, but they look like legitimate ads. And here’s the crazy thing - sometimes if you scan their JavaScript, they all come with JavaScript, for tracking pixels to confirm that the ad was viewed, things like that. You don’t see anything overtly bad; you might see some funny little image, a processing loop that maybe is commented innocuously look like it’s doing something to do gamma correction on the image. What it’s actually is taking a graphic decoding of an exploit kit loader from image pixel perturbations. In other words, it’s taken out of the hiding, some kind of signal, a covert message in an image or a picture is being done to hide the guilty code that’s gonna load the Angler exploit kit.

This leads to the New York Times, BBC, AOL and other top sites in late March having ransomware malvertising on their properties. If you think about it, this is actually an outrage, right? Why should world-class online publishers tolerate this? Why should they not control the quality of the ads. Why shouldn’t they have only direct, trusted relationships? Well, as I say, the bottom of the fold, and even the middle of the fold (middle of the page) ad spaces just aren’t as valuable as the top, and even big publishers that have direct sales forces and their own tech teams and do beautiful, custom sponsorship ads…

[44:48] My favorite example, Louis Vuitton handbags on Elle.com. That takes up the bottom half of the frontpage, it looks nice, it’s a trustworthy ad as far as I know - there’s very little third party about it; there’s some tracking… It’s a custom video ad from Questra or somebody, but it’s pretty legit. That’s not the problem. It’s the stuff below that that all the publishers want to fill their space and make a little bit of money. Otherwise, if they leave the space dead, they’re just leaving money on the table. And that leads to malware coming on the pages.

To get back to Brave, we saw this coming. We said ad blocking - even in 2015 when we started - was rising. We started May 2015. We didn’t know that iOS, thanks to Tim Cook, would start making ad blocking easy to use with Safari. They make it an app install model, instead of a browser extension model. They make it content blocking, and it rose quickly to the top of the app store last fall and it became very popular until it saturated short-term demand, and it changed the whole conversation. It made people across the ecosystem - from the marketers who spend on advertising, to the publishers who rely on whatever of that spend is left after all the middle players and the parasites have taken their skim - it made everybody say “Oh no, ad blocking is not going away. It’s not just AdBlock Plus or uBlock Origin. Now it’s iOS. It’s Apple. And Apple had walked away from advertising as a business I think twice. But it wasn’t just because ads are annoying or unaesthetic; that’s a very shallow way to characterize it. Ads are actually dangerous, because they’re over delegated through these ad exchanges, and there’s no contractual relationship.

Doug Crockford knew this. If you remember Doug’s work at Yahoo! with AdSafe, which was a static verifier for JavaScript and was kind of like before Google Caja, which became Secure EcmaScript, AdSafe was Doug’s very picky way of trying to get Yahoo! ads not to contain malware. This has been a longstanding problem, and as I said, it’s under-reported because ransomware - the price the criminals extract is low enough people are embarrassed and they can pay it, get their system back… It’s very hard to track these criminals down. But even ignoring the ransomware threat, just the privacy problem that your data profile is constantly being sucked out of your machine and you’re not benefitting from it, you’re actually suffering from increasingly worse ads, even ignoring the malware; just annoying ads. Retargeting, which is when you get hammered by an ad you’ve already seen… Because it sometimes nags you into buying something you wouldn’t, or in the best case reminds you of something you forgot you do wanna buy. It has a little bit of lift, like a fraction of a percent, and that means that it’s gonna get done; it’s not gonna be left on the table. That money is not gonna be left on the table.

So advertising has become this toxic parasite system, in my opinion. It’s over delegated, there’s too much principal versus agent conflict of interest, there are layers of that, and along with that, there are layers of confirmation bias in the data that’s extracted in the model.

[47:54] They say they have great data, all these ad tech companies; they wanna go public or they wanna get bought by Oracle, and they say they have magnificent data which will increase yield. But if you look year to year, the actual performance of advertising, the so-called yield, doesn’t really go up. Money just goes from one pocket to a different pocket. Publishers are still suffering, and there are long-term negative externalities, like secular trends that are bad for everybody, like the rise of ad blocking and the rise of malvertising.

Brave is trying to address this, but not just - I’m being very negative here - we’re not just gonna cure something that’s bad; we wanna make things actively better. We wanna make this anti-Google, personal Google. We want you to be in charge of your data, and that means not only should you not have bad ads or annoying ads or dangerous ads, you should have a piece of the action. You should get revenue, you should be able to control the terms of the economics. And if you don’t want ads, you can donate, and then you can block guilt-free.