Thursday, October 12, 2017


ExoLife Finder
I've been a fairly enthusiastic crowdfunder for the past 5 years; I started with the Raspberry Pi. Most recently I backed the ExoLife Finder, a huge telescope using innovative technology intended to directly image the surfaces of nearby exoplanets. Below the fold, some of my history with crowdfunding to establish my credentials before I review some recent research on the subject.

The Lowline
My Kickstarter account shows I've backed 32 funded and 5 unfunded projects. The funded ones include:
Scanadu Scout
I've also backed 8 projects on Indiegogo, such as:
  • Scanadu Scout, a pocket-size gadget that measured blood pressure, pulse, temperature and blood oxygenation. Alas, it didn't get through the FDA into production, and my now-irreplaceable unit has just expired after about four years of daily use.
  • CODE: Debugging the Gender Gap, a wonderful movie about gender issues in technology.
Chibitronics Circuit Stickers
And 5 on Crowd Supply, such as:
In most cases, my reaction to the completed projects has ranged from OK to Wow! My ORWL showed up yesterday, a little later than promised. I haven't yet had time to explore its features, but it looks like a Wow! I'd guess that about 1/6 of my projects were disappointing, about half OK, and about 1/3 Wow! Which, for a venture capitalist, would be a great track record.

Ethan Mollick's 2013 paper The dynamics of crowdfunding: An exploratory study showed that:
the vast majority of founders seem to fulfill their obligations to funders, but that over 75% deliver products later than expected, with the degree of delay predicted by the level and amount of funding a project receives.
Mollick found that:
The majority of products were delayed, some substantially, and may, ultimately, never be delivered. Of the 247 projects that delivered goods, the mean delay was 1.28 months (sd = 1.56). Of the 126 projects that were delayed, the mean delay to date was 2.4 months (sd = 1.97). Only 24.9% of projects delivered on time, and 33% had yet to deliver.
I find strong evidence that project size and the increased expectations around highly popular projects are related to delays. ... even controlling for project size, the degree to which projects are overfunded also predicts delays. Projects that are funded at 10× their goal are half as likely to deliver at a given time, compared to projects funded at their goal. ... project delays were attributed to a range of problems associated with unexpected success: manufacturing problems, the complexity of shipping, changes in scale, changes in scope, and unanticipated certification issues were all listed as primary causes of delays.
ORWL was funded four times its relatively modest $25K goal, so some delay is normal. In my opinion, overfunding delays are related to Bill Joy's Law of Startups: "success is inversely proportional to the amount of money". What Bill meant was that tight funding forces teams to take decisions quickly and stick with them, ensuring that if they are going to fail they fail fast. Lavish funding enables analysis paralysis, and pursuit of multiple options simultaneously, both of which detract from focus.

The recently published research is Does the Crowd Support Innovation? Innovation Claims and Success on Kickstarter by Anirban Mukherjee et al., with an overview here:
we arrive at the startling conclusion that novelty and usefulness are not viewed as synergistic by the crowd. While crowdfunding pledges are boosted when the project is said to be useful (or alternatively, novel), claiming that it is both reduces the total amount of pledges by 26 percent.

Our data show that claims of novelty or usefulness, taken separately, do increase the total pledge amount. As a matter of fact, they have a very large initial effect, meaning that even one claim for usefulness (or novelty) greatly boosted the total pledged sum (as compared with projects devoid of either claim). However, it is also important to pick one or the other, not combine them.
This conclusion is based on analyzing the text, video and images of over 50K Kickstarter projects in product-oriented categories such as Hardware and Technology using machine-learning tools:
The resulting number of occurrences of the word “novel” and its synonyms served as proxy for novelty claims. Conversely, the sum of occurrences of the word “useful” and its synonyms became the measure for claimed usefulness.
The authors ask:
our findings are consistent with the literature on idea screening but not that on consumer evaluation of innovation, as modest innovations are more likely to get funded than more extreme innovations, i.e., innovations that are high on both novelty and usefulness. What is a possible reason for this inconsistency, given that backers in a crowdfunding context typically receive the product in exchange for their support, thus making their decision more like a product choice decision than a typical idea screening decision?
The authors speculate that:
this may be due to the high degree of uncertainty associated with the choice in a crowdfunding context, compared to a consumer purchase context. In the prototypical purchase context, consumer protection laws guarantee receipt of the purchased product. In the crowdfunding context, however, there is much greater uncertainty regarding (a) receiving the product and (b) features of the product, than in purchasing, for the following reasons. First, a project may not successfully reach its funding goal. In this case, backers are refunded but do not receive the product. Second, a successfully funded project may be delayed or may fail (the creator may be unable to follow-through). For example, a recent study ... found that more than three-quarters of successfully funded projects (on Kickstarter) are either delayed or failed. In this case, backers are neither guaranteed refunds – they may lose the entire amount pledged – nor guaranteed receipt of the product. Third, projects on Kickstarter are proposed blueprints, rather than descriptions, of the final product. ... we speculate that the higher level of uncertainty in the crowdfunding context drives backers to choose modest innovations and shy away from more extreme innovations, i.e., innovations that are high on both novelty and usefulness.
I agree that for product-oriented projects the extra uncertainty over a purchase tends to make backers conservative. But I may be an outlier. Overall, my experience for product-oriented projects is much better than Mollick's numbers; 1 failure to deliver and 2 long delays in 21 projects. Maybe I'm better than average at assessing projects. I have sometimes favored novelty over usefulness. For example, who really needs an open-source Arduino-compatible flashlight? But HexBright turned out to be a really good flashlight even ignoring the Arduino inside, which I have never found time to program.

USB Condom
On the other hand, I've sometimes favored usefulness over innovation. There's not a great deal of innovation in a USB Condom, which is simply two USB connectors on a circuit board lacking the data connections. You can check this by looking at the traces. But it is very useful even for people less paranoid than I.

It is important to note that, as far as I can see, almost all the research on crowdfunding is restricted to product-oriented projects. Products are only about 2/3 of my backings.

Rosie's Fine Food
But I, like many backers, also fund scientific and engineering research, arts projects, even restaurants in return for T-shirts, meal coupons and other tchotchkes. In these others we are not buying an expensive T-shirt, we are supporting research, art, urban recovery and countless other worthy endeavors. With a less easily measured result, research is more difficult, and there seems to be little of it.


Anonymous said...

Another excellent post, to which I want to add a general principle: if you want something to happen or to continue to exist, fund it, by purchasing or donating. People want to continue eating, so they fund it by buying food, for example.
But that applies also to "free" stuff.
I donate every year a fair bit to the FSF, the Internet Archive, Wikipedia, OpenStreetMap, Xiph, and other projects because I use them and want them to continue to exist, but also because I think they are generally important (especially the Internet Archive I think). I also donate every year to some web comics because I want them to continue to exist so I can read them, and to some blogs because they discuss topics that matter to me and promote points of view I like.
For most IT professionals a donation budget of say $1,000 a year for a set of projects they use everyday is usually very affordable, and allows them to keep some wonderfully useful sites and tools going, contributing to a great ecosystem.
Some people might think that such money should be better targeted at charity towards the poor, and that is indeed very important, but I feel that we don't live just to exist, else nobody would write or buy books or movies or paintings.

Anonymous said...

As to the merits of some of your crowdfunded projects I have mixed feelings about things like ORWL, or USB crypto-key sticks or also secure mail servers or backups servers and the like, because any sensible "black hat" organization should be trolling for people with something to hide by creating crowdfunded or VC-funded projects for such things and build them with very subtle flaws, easily defensible as "mistakes".
Some "black hat" organizations have been doing something like that for a long time, two recent examples of very different situations with a common technique:
"The FBI infiltrated Liberation News Service (LNS), a New Left version of the Associated Press, using disinformation to make LNS seem an FBI front, and set up a phony newspaper to hire young radicals in order to spy on them."
"Australian police secretly operated one of the dark web’s largest child abuse sites for almost a year, posing as its founder in an undercover operation that has triggered arrests and rescues across the globe."

It is also public information that many "black hat" organizations have networks of "front" companies and businesses and even venture capital arms, and recruit "helpers" straight from universities before they go into jobs into many startups or many big IT companies. And I am not talking about the usual suspects that the newspapers talk about, the NSA or CIA or KGB or GCHQ/MI6, I suspect that the Indian and Israeli and Chinese governments (and others), and many large private-sector gangs, do the same on a large scale too. They would be stupid to miss the opportunity; I would even guess that the usual suspects are not as big and sophisticated as some others in this space.

Anonymous said...

«many "black hat" organizations have networks of "front" companies and businesses»

To add to this, I was discussing "security" with a friend who asked me whether her hosting provider's request to have their public SSH key enabled for 'root' access to her systems was reasonable. When I pointed out that she was renting VMs from them and thus it made no difference it took her a bit to realize that a VM host is a giant and pretty much undetectable backdoor into all the VMs it runs. I added that it is better, but not that much better, to rent physical hosts or to colocate one's own physical hosts in somebody else's data center.

When I told her that I would expect many "cloud" providers to be set up and funded by "black hat" organizations, they would be really stupid to miss that opportunity, she told me that she had visited some related businesses in Germany, dealing with personal data, like Equifax does, and she wondered at the time why they served customer traffic only from on premises data centers with their own hardware and expensive fat connections to the Internet instead of using more convenient "cloud" providers.

David. said...

blissex, every computer you can use has known vulnerabilities, such as SMM on Intel CPUs, and currently unknown vulnerabilities, like KRACK was until 2 days ago. I don't think you're suggesting not using computers, or not trying to be secure (for example not using Tor) because doing so might attract attention.

Logically, the ORWL is just like any other Intel Skylake machine with a self-encrypting SSD, so it has vulnerabilities. Mine runs Qubes, so a little bit harder to attack at the logical level than most. And ORWL, unlike the machines we all use every day, is protected against interception as it passes through the supply chain.

Physically, the ORWL is a lot better protected than most. I don't believe it's invulnerable, but a good deal of thought has gone into hardening it.

And the ORWL team are fairly transparent, as you see here:

- They are going for FIPS140-2 level 4.
- They have engaged an independent pen-testing company.
- They are almost completely open source.

I think ORWL is a worthy effort. Sure, it might be a front for "black hats" but all the "black hats" could get into the other machines I use anyway. So at least ORWL reduces the number of "black hats" who can get in physically.

Anonymous said...

«I think ORWL is a worthy effort. Sure, it might be a front for "black hats" but all the "black hats" could get into the other machines I use anyway.»

Ease of hacking is not the point I am making: put another way, my point is that people who buy "secure" products (hardware, software, services) are in practice a small self-selecting group of particularly valuable targets.

By buying an ORWL or installing Qubes OS etc. you are putting a bull's eye on your data, at least by comparison with the vast majority of people. Then "black hats" may or may not have put some clever "bug" in it, but if they were to put clever "bugs" in something they would love to put it in stuff with a much higher probability than average of holding valuable data.

The ORWL or Qubes OS or similar things *could* be honeypots, just like the radical newspaper the FBI created as in "a phony newspaper to hire young radicals in order to spy on them", and any "black hat" organization able to, but not creating such honeypots, would be really stupid.

David. said...

blissex, that is a very selfish and ultimately self-defeating argument. It reduces to "no-one should use encryption because it reveals that you have something to hide". No. Everyone should use encryption because then the people who really need it disappear into the herd. That is why I use Tor and Tails, support the development of GnuPG, and crowdfunded both ORWL and Invizbox Go. And why you should too.

Anonymous said...

«It reduces to "no-one should use encryption because it reveals that you have something to hide". No.»

That's a ridiculous distortion of what I have argued, and I am sorry for not explaining it properly, I'll try again:

* How is it possible to verify that none of the people involved in developing services and products targeted at self-selecting, high value, opportunities for hacking are not "black hats"? In general the answer is "not possible". Without contrary proof, there is always the possibility that "secure email" services or "secure computer" products are honeytraps with backdoors, created or infiltrated by "black hats" specifically for high value targets.

* How is it possible to avoid attracting the attention of "black hats", given that some have large budgets and resources for "targeted operations", including blackmail and physical threats? One way is to avoid buying special services and products that hint at possession of valuable data. More generally according to E Snowden's documents "I hunt sysadmins" is something that NSA people do, and obviously it is not just the NSA, but any "black hat" organization, and not just sysadmins, but any developer or engineer that has access to critical IT code or infrastructure.

«Everyone should use encryption because then the people who really need it disappear into the herd.»

But that's not happening. The people who today use GPG or buy ORWL really stand out from the herd. It is a critical-mass problem that is not going to be solved soon. According to Snowden's documents even people who just use Linux stand out from the herd. Never mind GPG or ORWL; the list of contributors to the Linux kernel, the list of people registered on GitHub, the list of people with certain keywords in their LinkedIn profiles, are all "high value targets".

It is of course a matter of degree: not everybody who buys an ORWL or uses GPG is hiding the passwords for the Goldman Sachs treasury accounts, and not everybody who is a sysadm at Microsoft has access to Satya Nadella's confidential future product plans; but "black hats" work on probabilities, and the probability of getting hacked or made an offer you can't refuse rises...

Anonymous said...

«the list of people with certain keywords in their LinkedIn profiles, are all "high value targets"»

First case I see reported:
The first detailed information about China's use of fake social media accounts to recruit informants and extract sensitive information has just been published by the Bundesamt für Verfassungsschutz (BfV), Germany's domestic intelligence service. As Reuters reports:

"Nine months of research had found that more than 10,000 German citizens had been contacted on the LinkedIn professional networking site by fake profiles disguised as headhunters, consultants, think-tankers or scholars, the BfV said."