25 June, 2018

Working at Nextcloud

I've been around in communities like KDE, openSUSE, Mandrake/Mandriva and others... and various open source and closed companies. Seen some do a good job. Seen others be mismanaged. This one: the most fun. Serious.

Working at Nextcloud is special. For one, we're a distributed company. Is it hard? Well, yes and no. Working from home is great with such a motivated team with very little management overhead and good communication. Our company is entirely built on it, that is why it works.

As an example, while our head of sales lives in Hannover, the rest of the sales people is spread over Berlin, Switzerland, Stuttgart... Engineers can be found in Germany, Netherlands, Spain, even Croatia and as far as Cape Verde. I'm sure I forgot some countries. Our biggest office in Stuttgart has less people than we have in Berlin!

But we connect in person: roughly every second month, at a company-wide meeting in a single place, usually Stuttgart, for a full week of coding and having a great time. And once a year we go to Berlin for our conference, happening the last week of August! All those meetings are open, with often lots of community members participating in the whole process of designing and deciding around our software.

And yes, the sales people join there, too. I have NEVER worked in a company where the sales people, the marketing team and the engineers were so good with each other. Respect between these three departments is extremely rare, as I'm sure every one of my readers knows from experience.


Me handing the mic to the guys that started it all back in 2010


What else is crazy about Nextcloud? Here's another one: where lots of companies struggle to find good engineers, that is literally the LEAST of our problems. We drown in amazingly good CV's and have a big pool of enthusiastic, qualified engineers who contribute to Nextcloud and already know the code. I wish we could hire them all but growing more than 50-80% per year isn't really health for a company culture...

Also special: other companies struggle to get sales leads and pay lots of (advertising) money for them. We, we drown in leads... Even without marketing automation. Our biggest challenge, instead, is answering all the requests from companies that want to buy our product - we need more sales people!

Yes, we're a pretty unique company in how we approach open source business and we're successfully taking on much bigger companies. Yes, it works! Just check how we're doing on Google Trends. Love that!

If you want to work for us, especially in sales, or know somebody who should, tell me ;-)

Or first learn about us by meeting us - you're welcome at our conference! Or at one of our meetups, there's a monthly one in Berlin for example.



12 January, 2018

Nasty fall-out from Spectre and Meltdown

I guess it's hard to miss Spectre and Meltdown so you probably read about it. And there's more bad news than what's been widely reported, it seems.

You trust the cloud? HAHAHAHA

What surprised me a little was how few journalists paid attention to the fact that Meltdown in particular breaks the isolation between containers and Virtual Machines - making it quite dangerous to run your code in places like Amazon S3. Meltdown means: anything you have ran on Amazon S3 or competing clouds from Google and Microsoft has been exposed to other code running on the same systems.

And storage isn't per-se safe, as the systems handling the storage just might also be used for running apps from other customers - who then thus could have gotten at that data. I wrote a bit more about this in an opinion post for Nextcloud.

We don't know if any breaches happened, of course. We also don't know that they didn't.

That's one of my main issues with the big public cloud providers: we KNOW they hide breaches from us. All the time. For YEARS. Yahoo did particularly nasty, but was it really such an outlier? Uber hid data stolen from 57 million users for a year, which came out just November last year.

Particularly annoying if you're legally obliged to report security breaches to the users it has affected, or to your government. Which is, by the way, the case in more and more countries. You effectively can't do that if you put any data in a public cloud...

Considering the sales of the maximum allowed amount of stock just last November by the Intel CEO, forgive me if I have little trust in the ethical standards at that company, or any other for that matter. (oh, and if you thought the selling of the stock by the Intel CEO is just typical stuff, nah, it was noticed as interesting BEFORE Meltdown & Spectre became public)

So no, there's no reason to trust these guys (and girls) on their blue, brown, green or black eyes. None whatsoever.

Vendors screwed up a fair bit. More to come?

But there's more. GregKH, the inofficial number two in Linux kernel development, blogged about what-to-do wrt Meltdown/Spectre and he shared an interesting nugget of information:
We had no real information on exactly what the Spectre problem was at all
Wait. What? So the guys who had to fix the infrastructure for EVERY public and private cloud and home computer and everything else out there had... no... idea?

Yeap. Golem.de notes (in German) that the coordination around Meltdown didn't take place over the usual closed kernel security mailing list, but instead distributions created their own patches. The cleanup of the resulting mess is ongoing and might take a few more weeks. Oh, and some issues regarding Meltdown & Spectre might not be fix-able at all.

But I'm mostly curious to find out what went wrong in the communication that resulted in the folks who were supposed to write the code to protect us didn't know what the problem was. Because that just seems a little crazy to me. just a little.