Archive for July, 2010

Revenue Sharing

Problem

If you’ve read any of my previous posts, you know that revenue sharing is mostly evil. Everyone who has ever held an iPhone has an idea for an app that will (in their mind) make them millions. The number of people who can execute on those ideas, on the other hand, is an exceptionally, vanishingly small proportion of developers.

Being one of those developers who knows what he’s doing, I get an awful lot of inquiries from flakey “revenue sharing” people. Up until recently, 90% of my inbox (and at least 75% of my work time) was spent dealing with these people. Let me give you a few humorous examples:

[App name] is a twin stick shooter that requires players to play smart. There are no game [sic] like this out there on any platform therefore we believe that it should sell well as the first of its kind. If you can program the enemies and world to have vibrant or eye catching movment [sic] it will add to the overall fun factor of the game. The game itself is very simple if you are willing to add any elements you see fit then feel free.
As for bosses and level of complexity I first need to know how much time you are willing to put into this project. If you are willing to do more then I will add different enemy types and levels to this.

Here’s some actual artwork I got along with that eloquent description. Keep in mind this artwork had absolutely no explanation or diagram as to what anything was actually supposed to be.

Another actual inquiry:

I am a video game consumer and unemployed wannabe-idea-man. I have this great idea about a game that could work for many platforms, in many different layers of complexity, and it involves cats. Iphone, web-flash, full PC sim…whatever. It will do it all.
I am not very experienced at this video game creation thing, but I am willing to learn. And I am sure that if you love cats, and know games, that once you hear my idea you will want to play the game.

So if you can imagine getting dozens of these in a day, you can see how chasing after nonexistent projects can suck up all your time. Not only was I not coding, I wasn’t even talking to people who would pay me to code.

Solution

I tried a lot of things.  The first thing I did was I started replying to all inquiries without even reading them, just to ask what their budget was.  A few failed to respond, and thus were filtered out, but the vast majority simply said something cagey like “We’re not sure”.  Now I have all the sympathy in the world for a real paying client who doesn’t actually know what the right budget for a project should be, but the number of inquiries like that is less than a sampling error.  Substantially more than 95% of those inquiries were from people who were quite sure that they wanted the work done for free.  So this plan of attack was not effective.

The next ‘wave of attack’ was to try to quote all these projects so that I could get them to a price “instantly” without wasting any more time.  Now for “real inquiries” I produce fairly detailed estimates, which explain to nontechnical clients in some detail what each feature is, and how it affects the others.  Anyone in software development knows this is a difficult (some would say impossible!) task, but I think it’s important to explain what parts are hard and what parts are easy to nontechnical folks.

Obviously that approach wasn’t going to scale to dozens of inquiries a day.  As much as I’d like to give everybody accurate estimates, there’s only so much time in the day, and I’d like to spend most of it, you know, actually coding.  So again, without actually reading the app description at all, I simply fired off an e-mail like this:

Hi <name>.  I’ve received your information and a project like this is typically about 6-7k.  Let me know if this is agreeable to you and I’ll draw up an agreement for this project.

Having to do this bothered me on two fronts.  It bothered me, first, because if I was a real client I wouldn’t like being treated this way.  I tend to believe the best in people, and in spite of the data indicating to me that these were all (or nearly all) shady “idea people”, I insisted on believing that a sizeable minority were genuinely confused about their budgets.  And it bothered me again because this sort of “estimate” wasn’t anywhere near my standards.  Maybe the project was just a “hello world” app, and so the price was high?  On the other hand, maybe the project was a triple-A 3D game with multiplayer servers and all, and so it really was a 50k+ project.  But I really didn’t have time even to skim the e-mails, so what else was I supposed to do?

Well, what actually happened once I started sending out these “fake estimates” is that 1-2% responded agreeing to the terms, 70% started pushing for a “revenue sharing” deal, and the rest never got back to me.  I deleted all the e-mails other than those agreeing to the terms, and things started looking up.  I was no longer wasting whole workweeks writing detailed estimates for hundreds of people who had no intention of paying me anything.  And those triple-A 3D games?  I would assume that if they heard 6k for their app they would follow up, but nobody ever has.  So I can pretty safely assume I was worrying about a non-issue.

However, even as my workweek was brightening up, I slowly started realizing how much time I was actually spending copy-pasting my default reply.  As my blog posts started to get picked up on the front page of Google for common search strings like “find an iPhone developer”, the number of “shady” inquiries I got started massively increasing.  At times I was fielding hundreds of replies a day, and every time one came in I was distracted from coding.  I considered moving the inquiry e-mail to another account so it wouldn’t interfere with my “real clients”, but this seemed like a poor solution.  There had to be a simple, elegant solution to this problem.  And there was.

I started by removing all the ways to contact me from my iPhone landing site, drewcrawfordapps.com.  I replaced them with this clever contact form:

Looks like your standard, poorly-styled contact form.  But here’s the brilliant part.  Try selecting a budget range:

If you pick the wrong range, you’ll get an error message and the submit button is greyed out.  No more spending time fielding e-mails from people with flakey budgets!

Analysis

While I was reworking the contact form, I decided it was as good a time as any to get some really advanced analytics code installed so I can figure out exactly what people are up to on my landing page.  I’ve been tracking the data for over a month now, and I’ve come to some really surprising conclusions.

First and foremost, a lot of people hit that message and bounce.  I was hoping that would happen; it’s by design.  But it’s nice to get some data to back it up.

Second, I’ve noticed that everybody picks the $0-4k budget first.  There has never been a person, in hundreds of thousands of hits to that page, who has ever started out picking a higher budget.  Does.  Not.  Happen.

Thirdly, when people hit the “low budget” message, if they don’t bounce, they actually rethink their budget.  By forcing them to actually think, instead of filling out a box, they actually try a few different options just to see how the numbers look “in black and white”, perhaps to visualize them spending the money.  It’s a very solid minority of users, and most of them convert to a real lead.

Fourth, this form has made me a lot of money.  Not only am I saving hours every day not fielding silly inquiries, but people are actually much more receptive to my estimates after being “prepped” by this form.  It’s a very statistically significant effect, and one that I want to explore a bit more.

Aftermath

Crisis averted!  Problem solved!  …Right?

Well… it turns out that revenue sharing people can be remarkably persistent.  Not most of them.  But either there are just so many of them that there are a really persistent few merely by chance, or something about not actually providing much value breeds a certain persistence just to survive.  In either case, I still get a few bad apples through the cracks every so often, although these are cleverer than most.

Sometimes they are really clever.  For instance, the other day I got an inquiry from people who had actual roles in startups that you’ve heard of.  They had an actual idea that might be moderately successful, unlike most.  But they wanted me to work for free.

You see, if I want to invest my sweat in something, I will invest in myself.  I have plenty of apps of my own that I pursue during my free time.  But I would never ask other freelance artists, designers, or other professionals who work on my apps to put their sweat equity at risk for something in which they have no control.

Ideas are never successful the first time.  They only become successful after a lot of failure at product/market fit.  And unless I have the authority or the control to make them become successful, I might as well just be throwing work away.  So unless I’m in a cofounding role, a pure-equity deal makes absolutely no sense.  It would be a better use of my time to stock shelves at the grocery store.

So for this new, enhanced breed of clever revenue-sharing guys, I’ve created a third wave of attack: demand either founder-level equity (giving me the authority I need to make the project successful), or demand nonmonetary compensation (i.e. bartering).  A lot of these people are talented teams with a good designer, and I am always in need of cheap iOS art, so it seems like the perfect deal on my end.  But so far, nobody has taken me up on the offer.  They’re fully confident that they’re going to have all this upside to go around after I put in a month of development work, but not confident enough to lend me their designer for a month in compensation.  Hmm… I think I’ll pass on that deal.

CGContextSetStrokeColor

I discovered the weirdest behavior *ever* today.

	#define DRAW_COLOR [UIColor redColor]
	// Passes only the raw color components; the context decides how to interpret them.
	CGContextSetStrokeColor(context, CGColorGetComponents([DRAW_COLOR CGColor]));

For some bizarre reason, this line of code works fine as long as you are drawing into a “screen” context (e.g. one set up by drawRect).

If you are drawing to a bitmap context (e.g. one set up by UIGraphicsBeginImageContext), it will, for some random reason, set the stroke color to transparent (WTF?).

The correct way (and as far as I can tell, nearly equivalent) to get drawing behavior to work for both types of contexts is this:

	CGContextSetStrokeColorWithColor(context, [DRAW_COLOR CGColor]);

The only conclusion I can come to is that the colorspaces for bitmap contexts and screen contexts are slightly different. The buggy line requires the device to be using an RGBA colorspace, whereas I don’t think the second line depends on the colorspace or color components of the color at all.
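As an added illustration (not code from the original post), here is the same red stroke rendered into a bitmap context both ways, with the components-based call made safe by first telling the context which colorspace the components belong to. The helper names StrokeWithComponents, StrokeWithColor and RenderDiagonal are assumed here; CGContextSetStrokeColorSpace and CGColorGetColorSpace are standard Core Graphics calls.

```objectivec
// Added example, not from the original post. Helper names are hypothetical.
#import <UIKit/UIKit.h>

// Fragile path made safe: CGContextSetStrokeColor interprets 'components'
// in the context's *current stroke colorspace*, so align that colorspace
// with the color's own before handing over the bare numbers.
static void StrokeWithComponents(CGContextRef context, UIColor *color) {
    CGColorRef cg = [color CGColor];
    CGContextSetStrokeColorSpace(context, CGColorGetColorSpace(cg));
    CGContextSetStrokeColor(context, CGColorGetComponents(cg));
}

// Robust path: the CGColorRef carries its colorspace along with its
// components, so no per-context setup is needed.
static void StrokeWithColor(CGContextRef context, UIColor *color) {
    CGContextSetStrokeColorWithColor(context, [color CGColor]);
}

// Draws a diagonal red line into a fresh bitmap context using one of the
// two approaches above and returns the resulting image.
UIImage *RenderDiagonal(CGSize size, BOOL useComponents) {
    UIGraphicsBeginImageContext(size);
    CGContextRef context = UIGraphicsGetCurrentContext();
    if (useComponents) {
        StrokeWithComponents(context, [UIColor redColor]);
    } else {
        StrokeWithColor(context, [UIColor redColor]);
    }
    CGContextSetLineWidth(context, 2.0);
    CGContextMoveToPoint(context, 0, 0);
    CGContextAddLineToPoint(context, size.width, size.height);
    CGContextStrokePath(context);
    UIImage *image = UIGraphicsGetImageFromCurrentImageContext();
    UIGraphicsEndImageContext();
    return image;
}
```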

On the enforceability of laws

There’s much ado today about the pain gun which HN thinks will be turned around and used on civilians. They’re probably right. But in the long run, that doesn’t matter.

You see, pretty much every piece of technology ever invented started out looking pretty evil. Computers were a way to rapidly calculate bomb trajectories. The internet was a secret government network designed to coordinate military attacks. GPS was invented to track ground and air targets.

These things don’t seem quite as evil today, do they? Computers and the internet are probably the most democratically-empowering invention ever, and we’re in the middle of a location-aware GPS renaissance that’s certainly much less hostile than an air strike.

The nature of technology is that it makes things easier to do. The idea in the DoD’s mind is to only make things slightly easier to do, such that only organizations as large as the government can do them. However, progress doesn’t stop because a large government wants it to. Smaller governments develop the technology, and then larger corporations develop technology, until finally, you and I are holding internet-connected computers with GPS in our hands.

This is the reason why the Orwellian nightmare didn’t happen: cameras became cheap enough not only for the government to buy them to spy on us, but for you and I to buy cameras to spy on them. State governments have recently figured this out, but there’s not an awful lot they can do about it.

The first casualty in the widespread availability of technology has been the music and movie industries. Until quite recently, copyright infringement that was good enough to actually pass as the original required complicated equipment–on the order of the cost to make the content in the first place. This complicated equipment was difficult to hide, was easily found when executing a search warrant, and it was expensive. Pirated copies had to be sold (instead of given away) to cover the expense.

Of course, this is no longer the case today. The device you are reading this on is more than powerful enough to copy the very highest-quality audio or video file. How far we have come from military defense networks and rocket trajectory calculators!

Until recently, it was easy to pirate content, but it was difficult to profit from it. Now it is even profitable. In spite of perhaps every country out for its blood, the Pirate Bay sails on, advertisers and all, and seems to be all but unstoppable.

This is the first and the best example, because it is almost fully played out. The pattern is this: technology is birthed to aid the elite. At some point it starts to chip away at the elite’s monopoly. It starts rendering existing laws widely unenforceable. And then it reaches a point where subverting the law is an enormously profitable market.

Let’s look at another example: encryption. Until about the 1970s, if you wanted to send a secret message you needed to employ a small army of mathematicians. If you wanted to keep your message secret from a world power, you were flat out of luck unless you happened to be the US government.

With the rise of formal private key cryptography, it became feasible, technically, to render search warrants unenforceable. Nobody was terribly concerned except the spooks at the NSA, who began feverishly trying to come up with better and cooler ways of cryptanalysis to keep ahead of the curve. They were successful for some time, and still are in a very technical sense. We know today that the NSA actually used some complex math that hadn’t been publicly discovered yet to “fix” DES to be stronger against attacks. However, as strong encryption became easier and easier to implement, it started to work against the NSA’s interests.

More and more politicians began to view strong encryption as a serious problem, and laws were put in place to ban its export outside the US. You actually had to have an export license in order to let your Munich office use your internally-developed DES software. This law remained on the books until 1996, at which point PGP and other open-source encryption software had rendered it totally unenforceable. Even in the PGP era, there were complex legal hoops that had to be jumped through–instead of digital distribution, PGP went through the ridiculous step of printing 6000 pages of source code, exporting them from the US on paper, and scanning and OCRing them, using the “scanned version” for all the international mirrors, where they were downloaded over the internet just like every other piece of software.

Of course, today, you can get military-grade encryption simply by typing an “s” after the “http” in the URL bar, and it would take the NSA a decade and a billion dollars to read your bank password. There is a whole cottage industry dedicated to very complex encryption software, and in an incredibly ironic twist, encryption is still being hailed as the holy grail to fix the failing movie and music industry.

The pattern isn’t quite as clearly marked, particularly because there are a few channels where encryption has not quite taken hold. Many voice communications, for instance, are not regularly encrypted in a secure manner, although new VoIP networks (see Skype) are often fully encrypted. This is why the NSA is so serious about their wiretap program–they know that the window of unencrypted voice communication is rapidly closing.

One potentially serious-sounding loophole is that in many countries (including the US) it is theoretically or actually possible to throw you in jail for refusing to decrypt some kinds of data. In response to this, there are now mathematically rigorous ways of encrypting data in such a way that it is impossible to prove that it is encrypted, and so by extension it is impossible to command you to decrypt it. And there are equally rigorous ways to encrypt several different data blocks in the same cyphertext, meaning you could reveal one of them on command, leaving your adversary no way to prove that there is a second layer. So this has basically rendered the “command decrypt” legislation unenforceable again.

So while this battle is playing out, and with the pattern firmly established, we turn to the future. What will be the next casualty of technology?

It seems to me that the next to go might be controlled money. In almost all civilized countries, money serves as a very tightly regulated commodity, one subject to hundreds of thousands of laws, from the IRS code to business regulation to case law. Now some of you are thinking “But banking regulation keeps us safe–surely you are not arguing against it!” Technology did not care if we were morally in favor of copyright law, and it didn’t care if we were morally in favor of wiretapping laws. It simply gave everyday people a viable means to insulate themselves from both. I think the same thing is about to happen with money.

I can envision a future world where the IRS is simply incapable of determining how much money you made (and unable to tax you for it), where the private investigators are unable to investigate your credit card purchases, and where the governments of the world are unable to print more just to get themselves out of trouble. The flipside of deregulation is that consumer protections will also disappear–you cannot enforce bankruptcy protection if there was never a traceable debt to begin with.

Of course, this will cause every civilized government to fail, because governments depend on tax dollars. Do not fool yourself into thinking that this is a reason that it cannot happen–piracy will probably kill the record labels, but that fact hasn’t stopped it.

The easiest way to convince you that this is going to happen is to say “you can watch it happening already”. How many products do you buy from Amazon sales-tax-free? You are supposed to write the state a check for that. Already the entire sales chain that was used for well over a century to get mass produced goods in people’s homes has been virtually undermined. If it is easier to ship your cleaning sponges from a warehouse in New Jersey than it is to walk down to your local Wal-Mart, how long will it be before a warehouse outside of US jurisdiction is cheaper than both?

You also see anonymous banking as a very popular research topic. Right now there are mostly papers about it, and a few silly-looking implementations. It’s like cryptography in the 70s. If somebody had said back then that the research was going to lead to subverting a dozen industries and severely curtailing the powers of the US government, they would have been laughed at. Today, the cryptography battle is almost won.

But perhaps most convincingly there is a huge need to make money untraceable. Some of this probably comes from the highest levels of the US government as a way to move spies’ funds around without letting on to other governments. China has a huge incentive to prevent the US from trying to print its way out of a depression. But businesses and even normal people also want to reduce their tax liability (and increase their privacy safeguards). So you have the same demand slope for untraceable money as for digital copying and strong cryptography.

And so when I see articles about new government tech like the pain gun, and I see very smart people getting very upset, it strikes me as a bit odd. The prevailing wisdom seems to be that we live in an oppressive legal world that desperately needs a reboot, and Orwell is lurking right around the corner. Perhaps this is true, but it is only true on paper. In practice, technology seems to be giving us back our rights even as the law fails to protect them.

And technology bestows rights in a way which is true and real far beyond the law. The law can be changed, but you cannot undiscover AES. The law gives you rights as a fiction, but technology gives you rights as a fact.

Reverse Engineering

This is, more or less, how I taught myself x86 assembly. By reverse-engineering Skype.

http://www.secdev.org/conf/skype_BHEU06.pdf

It wasn’t quite that difficult back in the 90s. And these guys got way further than I ever did. But a lot of the binary protection (polymorphic checksumming, dynamic calling, a really clever packer, RSA verification, etc) is close or identical to what I was playing with.

Play with that stuff long enough and, well, you’ll get really good at asm. A lot of really clever ideas of mine came out of things I saw in their binary.

I tracked down one of the exe packers I helped write way back when, and turns out that malware protected with it has been detected by McAfee over half a million times now. So that’s kinda cool… even if it’s a little scary.

But sort of the holy grail of reversing right now is Kaspersky. Those guys are hardcore. Their engine can pick apart a lot of packers these days, even stuff it’s never seen before. I’ve heard stories of people who have written decent custom packers that get detected automatically. They’ve got a static analysis tool that can follow not just off-by-one byte alignment tricks or decompress LZW blocks automatically, but it can simulate execution in a sandboxed environment and use the binary’s own decryption routines to decrypt it, even on binaries that only decrypt a few pieces at a time. It’s incredibly hardcore.
