NXP/Virage

Virage is on a roll right now. Originally a standard cell and memory company, it recently acquired a microprocessor line with ARC and now it has acquired another big increase in its size by taking on a lot of the analog IP from NXP and a large development group in Eindhoven. An off-topic aside: if you ever go to Eindhoven (or the Netherlands in general) make sure to have Indonesian food. It’s wonderful and really flavorful, and the local Dutch food sets a low bar to clear. Rijsttafel is the magic word.

Ron Wilson’s take on the acquisition is here.

I have been predicting that once the integrated device manufacturers (IDMs) give up on their fabs, they will turn out to be the wrong groupings of product lines. NXP already sold their wireless business to ST (who then merged it with Ericsson Mobile Platforms to create, wait for it, ST-Ericsson). NXP’s core differentiation, or a major one anyway, has always been its strength in analog. So this doesn’t seem quite as much like rearranging product lines as selling the family silver. On the other hand, perhaps the analog isn’t that differentiating any more. There’s a lot of it around (Synopsys for one has a big portfolio).

NXP was taken private by a consortium of private equity groups in 2006 for about $10B, which is way more than the company is worth today (even taking the sale of the wireless biz into account for $1.5-2B depending on how you count). The company is losing money and nobody is going to be lending them any in the current environment, so they have to reduce their expense run-rate. So, they give this group of 160 people to Virage in exchange for stock worth around $15M today, and then spend $60M over the next 3 or 4 years licensing it back for use in NXP. Not so much selling the family silver as paying the scrap guy to take it away.

But they do reduce their run-rate quite a bit. They pay $60M over 3.5 years, save $30M per year approximately, and get $15M in equity that should become worth more if Virage is successful at pulling these two big acquisitions together. Overall NXP is getting $60M for the technology. Looks like a sweet deal for them. But big acquisitions like this have a poor track record and Virage certainly will have their hands full.

Posted in semiconductor | Comments Off

The Microsoft/T-Mobile fiasco

I talked a couple of weeks ago about how it is necessary to be brutal and cull the managers of internal products in an acquisition, otherwise the management of the joint product roadmap would become completely dysfunctional.

Unless you’ve been living under a rock, you probably are aware that Microsoft had a catastrophic failure of their back-end server systems that support T-Mobile’s Sidekick phones, losing most users’ data completely without any backup. There are various rumors around about how that happened; the most complete one is here. At root, part of the problem is having two internal groups, one acquired, one with a special conduit to senior management, doing roughly the same thing. The one without the conduit to senior management knew what it was doing; the other not so much. They didn’t cull (in fact they did the opposite, they created a new competing group).

Now, a new source has stepped forward to elaborate on why Microsoft’s Danger acquisition failed so dramatically. This source, intimately involved in the core engineering circle of Microsoft’s Pink Project, outlined that Pink wasn’t simply the acquired Danger group, but existed prior to the acquisition. While the Pink group operated within Microsoft independently of both Windows Mobile and Zune, this source claims that “Pink was in fact a Zune-phone,” in that “Pink was a third group tasked with taking Zune software and making it a phone.”
 
The pre-Danger Pink group was characterized as “A huge source of trouble,” with the source explaining that “the Redmond-based Pink designers brooked no feedback and won all appeals to higher management (presumably by leveraging face-time).” Pink was given Carte Blanche to assemble a team and get started, but external constraints prevented Danger from simply growing into the Pink Project within Microsoft.

This is the most extreme example of how catastrophically things can go wrong when the management of acquisitions is not clean. You need your best people working on the most important products as quickly as possible and, like in a game of football, you want to block all the political hurdles so that they run to the end zone as fast as possible.

The whole story will probably come out gradually. Sidekick is much more dependent on the servers than iPhone since it can’t synchronize to your laptop and the designers of Sidekick made the reasonable decision that they wouldn’t try too hard to protect your data on the phone: after a major crash they simply cold-boot and reload the data from the cloud.

There seem to be rumors of sabotage, which become more likely every day that passes without some person from Microsoft explaining how it was due to a lightning strike on the datacenter, or a coincidental failure of 3 things or whatever the fundamental technical error was. The idea that a hardware upgrade went wrong and that a savvy IT group would undertake such a thing without backing everything up doesn’t pass the smell test to me.

Posted in semiconductor | Comments Off

That’s all folks

There was a reason I wrote about biometrics recently. I have a new job as COO (and VP marketing) at Biogy, which is a biometrics company. Already I’ve become a biometrics bore. But that means I don’t really have time any more to be an EDA bore as well, not to mention that since I’ll be spending less time in the EDA milieu I won’t have anything interesting to say about it any more. Okay, I set myself up for comments about not having anything interesting to say anyway, in which case why are you here reading this? Biogy isn’t fully funded so I’m not getting paid yet so I’m still interested in EDA consulting opportunities.

Anyway, time will tell how this all plays out. Maybe the gravitational attraction vortex of EDA will once again prove too much and I’ll be back in a year or two.

In the meantime, I’ll continue to post stuff here, but only once or twice a week, not daily as I have been doing since the start of the year.

My email, as always, is paul%greenfolder.com (with the percent replaced by @ of course).

Posted in security | Comments Off

Biometrics conference

I was at a biometrics conference in Florida the week before last. The state of the art is much more advanced than I realized in many areas.

For example, iris recognition can be done at a distance of a couple of meters. You just look at a screen for a second or two and the system can identify who you are and thus whether you are approved to enter, or whatever. In a self-contained unit, the unit itself can store 100,000 people. With a back-end database there can be millions or even hundreds of millions and identification still takes place in under 2 seconds. This is still what is called cooperative recognition, where the person being identified follows instructions, opens their eyes, takes off their glasses (although it has a pretty good recognition rate even if you don’t, depending on how much other reflection there is off the lenses). There seem to be research projects going on to recognize people simply by scanning them as they walk by.

In Japan, half of all ATMs are equipped so you stick your finger in to validate who you are. Over 80% of them use Hitachi’s recognition system, which works, not by fingerprints, but by the pattern of veins inside the finger which can be seen by shining a bright red light into the end of the finger. Curiously, an ATM card plus your finger isn’t enough. You have to type in a four digit PIN too, but not because the banks want it. Japanese law says that ATMs must have PINs and the law hasn’t caught up with modern technology (that would never happen here, surely, where every senator already knows that the Internet is a series of tubes). Don’t expect to see this any time soon in the US since we don’t really use smart cards and the modern way to do things is to store the biometric data on the card and not in a central database so that it doesn’t have a single point of failure, and because in many countries (although not the US) there are major restrictions on biometric databases which are obviated if you only store them on something that belongs to the user.

In Pakistan, fingerprints are used to control elections, guaranteeing one person one vote. I talked in the bar one night to people who built that system and I asked them about its computational needs. They told me it all ran on “what counts as a server in Pakistan” namely a not-state-of-the-art PC. Apparently part of the cleverness is being able to reject over 90% of people without having to look at their detailed fingerprint data.

Those of you who are citizens may have noticed that all visitors (including permanent residents like me) are fingerprinted and photographed every time we enter the US. That’s over 600 million times a year. I’m sure Homeland Security would fingerprint everyone at the border if it weren’t against the law, just like the NSA decided to examine everyone’s phone traffic (despite being against the law). I’ve no idea what they do with the data; it seems like a boondoggle for the equipment suppliers. After all, the 9/11 hijackers all entered the country legally with visas (although in a couple of cases the visas didn’t get approved until 6 months after 9/11).

It is clear that the federal government isn’t going to rest until we have standardized biometric driver’s licenses. I’m sure they will then require you to use your fingerprint or iris every time you take a plane or enter a federal building. Since most government databases have significant error rates and essentially no procedures for validating and checking the data, this is going to result in some wonderful Kafkaesque stories when people get lost by the system or confused with someone else.

Identity is very important for some things, like nobody except you should transfer money out of your bank account. For others it is completely unclear, such as getting on a plane. Despite the terrorist watch lists (people who are so dangerous that they can’t be allowed on a plane but so undangerous that they can’t be charged with anything at all) airline security seems never to have apprehended a genuine terrorist (as opposed to the occasional petty drug dealer).

A lot of what the government seems to be doing is analogous to the drunk looking for his keys under the streetlight because that’s where he could see. Take lots of biometric information in, because it is possible, even though nobody has a database of biometric information from suspected terrorists to match against.

In the meantime, in tiny drips like this, I think our freedom and privacy gradually ebbs away. Forget the differences in rhetoric, the Bush and Obama administrations both seem equally keen to centralize power and take away liberties in the name of the usual trifecta of terrorists, pedophiles and drug dealers.

Posted in security | Comments Off

Acquisitions: cull the managers

When a company acquires another one, not just in EDA, there is often an internal group already doing something similar. For example, Intuit has just acquired mint.com and they already have a product, Quicken Online, that competes in pretty much the same space. So how to merge the companies and the products?

Be ruthless and cull all the director-level management of the existing product (Quicken Online in this case). Put the managers of the acquired product in charge.

This is one thing that I learned at Cadence (you might have noticed that Cadence has done a fair number of acquisitions over the years, to say the least). The first thing to do is to lay off all the managers responsible for the internal competing product. They will inevitably try and sabotage the acquisition in more or less devious ways, worry too much about users of the existing product and so on. The junior worker-bee programmers or designers can be reassigned; they are much less emotionally invested in the failed internal product and have the knowledge to merge any parts of the old product that make sense.

In the Quicken case they seem to be doing something different, based on what they have said anyway. The correct thing to do, in my opinion, is to put the mint.com guys in charge of everything. Not just their own product but also the Quicken Online product. And the managers of Quicken Online need to go. They probably weren’t in favor of the acquisition and will subtly try and show that it was a mistake and try and ensure as much as possible of their own work survives going forward. But it is the mint.com product where as much as possible must survive going forward, and the best way to ensure that is to put those guys in charge.

Steve Jobs did just this when he returned to Apple along with the operating system from Next (internally Mac code is still littered with classes that start NS for NextStep). He put the Next software managers in charge and pushed out the managers who had been responsible for the failed strategy that Apple had been pursuing. The Next managers could implement their strategy much more easily if they didn’t have another set of managers arguing with them about every decision.

Everybody knows that the big time sink in mergers is where products overlap. But the best way to handle this is to make sure that the managers of the successful, acquired, product are in charge of those decisions and not the managers of the failed product. This doesn’t make the problem go away completely, after all the customers of the existing product cannot typically simply be upgraded painlessly to the new product, but at least it means that the winning product will be the acquired one, which is essentially the decision that senior management had already determined is what they wanted to have happen when they decided to do the acquisition.

Not all mergers are like this, of course. Sometimes the new product line is completely complementary with no overlap. But often, under the hood, there is more overlap than is obvious. When Cadence acquired Ambit, they were already ahead of the curve because their internal synthesis product, Synergy, was doing so badly that they had killed it off six months before they acquired us. But one reason for acquiring Ambit was for its timing engine, which seemed to be the best in existence at that time, but the existing timing team at Cadence still controlled timing strategy. It took months to arrive at the foregone conclusion that the Ambit timing engine should “win” and become the Cadence timing engine, a decision that would have taken 5 minutes if Ambit’s timing team had been put in charge on day 1.

It is very difficult to keep innovation going after an acquisition, especially if it is done at a high price so that many individuals have made significant money and are really hanging around largely to vest the rest of their stock. Keeping a competing team around, and one that already is better connected politically, almost guarantees that innovation will stop and that the acquisition will be much less successful than it could have been.

Posted in management | Comments Off

Biometrics

What are biometrics? It is authenticating people by some aspect of their body, typically fingerprints (or finger vein), iris scan or voice recognition. I think that it will become much more important in the coming years since it offers a painless way to get increased security.

As I talked about earlier, security is hard and people think it isn’t. In the military and internally in big companies, the way that security works can be mandated. Even then there are regular stories of unencrypted disks going missing in the mail, or credit card databases being stolen wholesale. But in the consumer world there is a different issue: if the consumers find it too hard to use then they won’t use it. If a bank makes its customers jump through too many hoops to login and make online payments then either they’ll change banks or think badly of their bank for not really having a usable online payment system.

The solution that the credit card companies came up with is simply to accept a certain amount of fraud and try and manage it down. Some of the behavioral stuff they now use seems to have got really good. Someone got hold of a credit card number of mine recently and they didn’t let a single fraudulent transaction go through and, until they finally put a complete hold on the card, didn’t block a valid one. Further, that was the first time they put a hold on my card; they didn’t have any earlier false alarms. That’s a big improvement from the time I couldn’t pay for my hotel in Japan because "someone appears to be attempting to use your card in Japan". Er, yes, that would be me.

I think biometrics offers the possibility of industrial strength security coupled with consumer ease-of-use. There are some issues since a few people don’t have readable fingerprints and people occasionally cut their fingers and so on. So there does need to be an alternative route for those rare occurrences, although they can be relatively cumbersome. To some extent biometrics has a bad rap since early implementations were poor and had a high failure rate (you put your finger on the pad and you are not recognized) and there are some health issues with shared detectors (do you really want to stick your finger on the same piece of plastic as several hundred other people, some of them with flu, already did?).

Biometrics is divided into what are called one-to-one and one-to-many. One-to-one is where you know who the person is and you are trying to confirm it. The amount of data and processing required is relatively low. One-to-many is where you scan, say, someone’s iris or fingerprints and identify them within a second or two from a database of several million people. That requires much more serious computation, although the amount of data required to be stored per person is only of the order of 1K bytes.

There are lots of subtleties to making biometrics truly secure in the face of virus-ridden PCs, keyloggers, unencrypted wireless networks and the rest. Unlike a password, you can’t change your biometrics so guaranteeing that the data remains secure is even more important.

Posted in security | Comments Off

The flaw of averages

I’ve been reading a very interesting book called “The Flaw of Averages” by Sam Savage. It looks at why using average data only produces the correct answers in very limited circumstances. The flaw of averages is that plans based on average assumptions are, on average, wrong.

For example, assume you are a manager deciding how big a factory (or fab) to build. Your marketing manager tells you he is certain that you’ll sell between 80,000 and 120,000 per year. But you insist on a number and get given the average of 100,000 and you build a factory with a capacity for 100,000. Let’s assume that the marketing manager nailed the numbers precisely (don’t we always?). On average how much money will you make? Well, the number will be somewhere between 80,000 and 120,000. If the number is less than 100,000 you make less money than you expected. If the demand is greater than 100,000 you don’t make more money because your capacity is maxed out. So, on average, you make less money than you expected even though your factory has average capacity.

There are other fascinating things. You may have heard of Simpson’s paradox. One of the most famous examples of this was a 1986 kidney stone study where treatment A was more effective than treatment B. But if you looked at only small kidney stones, then treatment B was better than treatment A. And if you looked at only large kidney stones, then again treatment B was better than treatment A. But when the two were combined, A was better than B. WTF?

Another example: in each of 1995, 1996 and 1997 David Justice had a higher baseball batting average than Derek Jeter. But taking the three years together, Derek Jeter had a higher average than Justice. WTF?

A lot of what you learned in school about statistics (means, variance, correlation etc) is really not very relevant now that we can run large numbers of investigations as to what is really going on in seconds. Means and standard deviations were an attempt to get at something important before this capability existed, what Sam Savage calls “steam era” statistics. Now we can use computation to make sure we don’t fall into traps.

There’s also lots of stuff about options and how pricing them depends on thinking about (or computing) this sort of thing properly. If a stock is $20 today and on average will be $20 in 12 months’ time, how much should you pay for an option to buy it for $21 in a year? If you’d succeeded in answering this a few decades ago you’d have won the Nobel prize. You may have heard about Black-Scholes option pricing, which does the math to work this out. Even though at the average stock price ($20) an option to purchase at $21 is worth nothing (because you’d simply not exercise your option) it clearly is worth something since there is some chance that the stock will end up above $21 and you can make money exercising your option and selling it at the market price.
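The factory and option arguments above are the same effect: the outcome at the average input is not the average outcome. The simulation below is an added illustration, not taken from the book or the original post; it assumes demand is uniform between 80,000 and 120,000 and that the stock price in a year is normally distributed around $20 with a $5 standard deviation (both distributions are assumptions made here, and no discounting is applied).

```python
import random
import statistics


def factory_sales(demand, capacity):
    """Units actually sold: demand above capacity is lost."""
    return min(demand, capacity)


def option_payoff(price, strike):
    """Payoff of an option to buy at `strike`: exercised only when it pays."""
    return max(price - strike, 0.0)


def plan_vs_reality(outcome, samples):
    """Return (outcome at the average input, average outcome over all inputs)."""
    at_average = outcome(statistics.fmean(samples))
    on_average = statistics.fmean(outcome(x) for x in samples)
    return at_average, on_average


def run(seed=1, trials=200_000):
    rng = random.Random(seed)  # seeded so the run is repeatable
    # Assumed distributions (not from the post): uniform demand, normal price.
    demand = [rng.uniform(80_000, 120_000) for _ in range(trials)]
    prices = [rng.gauss(20.0, 5.0) for _ in range(trials)]
    factory = plan_vs_reality(lambda d: factory_sales(d, 100_000), demand)
    option = plan_vs_reality(lambda s: option_payoff(s, 21.0), prices)
    return factory, option


if __name__ == "__main__":
    (plan_units, real_units), (plan_value, real_value) = run()
    print(f"factory: plan {plan_units:,.0f} units, average {real_units:,.0f} units")
    print(f"option:  value at average price ${plan_value:.2f}, "
          f"average payoff ${real_value:.2f}")
```

The capped factory averages fewer units than the plan because the payoff is concave in demand, while the option is worth more than its value at the average price because its payoff is convex.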

I haven’t finished the book yet but I can see already that some of the ideas are important in thinking about business plans and formalize some of the sensitivity analysis that it is always good to do (how much more money do we need to raise if the first orders come 6 months later than expected? if the product costs 30% more to develop?).

Consider a drunk walking down the middle of a highway. His average position is in the center of the road on the yellow line. But on average where is he? Dead.

And don’t forget, almost everyone has more than the average number of legs.

Posted in book review | Comments Off

Designing a chip is like…?

You’ve probably tried to explain to somebody the unbelievable scale of what it takes to design a modern chip with hundreds of millions or billions of transistors. But even we have difficulty with numbers when they get that large, like when we hear that there are 500 billion galaxies in the universe. Large numbers just don’t have that much impact. What’s another trillion dollars on the national debt? One way to make that one clearer is that it is roughly the amount taken in annually in income tax. So $1T of debt means one year of everyone in the country paying double their tax.

I was talking to an architect yesterday evening who was familiar with AutoCAD ($3K/seat!) for 3D design and she was asking how similar that was to IC design.

The usual analogy I use for designing an integrated circuit is that it is like designing the Boeing 787 except doing it in 12 months using a manufacturing technology that has never been used before, on a design system that has never been used in production for that manufacturing technology. And by designing a 787 I mean all the parts, every part of every jet engine, every part of every seat, pump and instrument.

Of course some subassemblies might have been used before, such as the seats or the fuel-gauge (hey, IP-based design). But most things, such as the landing-gear, will need at least some change. Actually in terms of the count of parts this is underestimating things but it’s not quite fair to compare a complex turbine blade with a single transistor and count both as one part.

But here’s the thing I thought of last night that I’ve never articulated before. Having designed the 787 on the computer, you press a button and an amazing automated assembly plant takes a couple of months to manufacture one. And then you put it on the end of the runway, put the throttles up to full and expect it to take off first time, using engines that have never run before and flight surfaces that have never flown before. Which it had better do, since it is already scheduled to come into service in November ready for the holiday market.

Then, unlike Boeing, the plane will be obsolete in 6 or 12 months. Next Christmas the 797 will be required, even bigger and more complex. But it will need to fly first time too.

Posted in marketing | Comments Off

Interview questions

A friend of mine is interviewing for a marketing position at an EDA startup. I’d better leave everything anonymous to protect the innocent. He (or maybe it was she) asked me what good questions to ask would be.

There are two reasons for asking questions in an interview, when you are the candidate. One is that the type of questions you ask reveal that you are already thinking about the important issues affecting the company. And the other is that you genuinely want to know. In most cases, the questions serve both ends. In fact most questions you ask should help you decide if the company is going to be successful and whether you have the right skillset to improve those chances.

When you interview for a position at a startup, it is important to realize that you are interviewing the company as much as they are interviewing you. The point of working for a startup is that the stock they give you will be valuable (otherwise go do something else) and they need to convince you of that. When you interview at a big successful company it is much more of a case of them interviewing you. After all, if you’ve done your homework, you should know what makes them successful. Most of that information is in the public domain.

The most important question I like to ask is why the senior people in the company believe it will be successful. Since they work there, presumably they do but sometimes they have a hard time articulating why. The answer needs to be more than just having good people or good technology. The market that they sell into needs to be large enough and homogeneous enough for their (or any) product strategy to have the possibility of being successful.

Another thing I like to ask is: what is the one reason people buy your product? Of course, just like John Bruggeman was pointing out on Tuesday, if they don’t have a good answer then there is all the more upside from doing a great job at marketing (if you are interviewing for a marketing position). But typically, if most of the company is engineers, they’ll have too many answers to this question rather than too few. Avoid the fine art and bicycles problem. City Slickers marketing is finding out the “one thing” and becoming focused on delivering that. If customers are all buying for different reasons, it is not possible to build a repeatable sales process.

A third question to ask, which is good in non-startups too, is “If I got the job and was starting tomorrow morning at 9am, what would be the most important things to get working on?” They may not be the most important strategic things long-term, but if there hasn’t been any marketing before there is usually a backlog of urgent stuff: the customer presentation is hopeless, the website hasn’t been updated in ages, the company logo sucks, engineering needs a decision about which standard to support, or whatever.

Posted in management | Comments Off

Why is security so hard?

I’m amazed how much bad practice there is around security. People just aren’t very good at it, and sometimes don’t even realize that there is a security issue to worry about. It is not just that people aren’t good at it; they think they are.

Here’s one example. When I was an undergraduate in 1974 it was already standard practice in operating systems to store passwords after processing them through what was then called a one-way cipher and would today be called a hash function. Yet today, if you forget your password, many websites will simply send you an email telling you what it is (as opposed to resetting it and telling you what they reset it to). This is bad for so many reasons. Firstly, it should never be stored unhashed in the database since it risks the entire database being stolen (and thus everyone’s passwords). Since email is not secure, sending a password through email risks it being compromised that way. And you should not have your password on your computer anywhere (such as in an email) since one way of optimizing password search is to try every word on a person’s computer, orders of magnitude quicker than an exhaustive search. So something that was being taught to undergraduates nearly 40 years ago is still not being done.
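What the paragraph above asks for, as an added example that is not code from the original post: store only a salted one-way hash of each password, and handle a forgotten password by emailing a short-lived, single-use reset token instead of the password. `AccountStore`, the 15-minute lifetime and the PBKDF2 iteration count are assumptions chosen for this sketch.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # work factor chosen for this example
RESET_TTL_SECONDS = 15 * 60   # reset tokens expire after 15 minutes (assumption)


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest'; the password is never kept."""
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords, different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _scheme, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AccountStore:
    """Hypothetical in-memory user table standing in for a site's database."""

    def __init__(self) -> None:
        self.records = {}   # user -> encoded password hash
        self._resets = {}   # user -> (SHA-256 of reset token, expiry time)

    def register(self, user: str, password: str) -> None:
        self.records[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self.records.get(user)
        return record is not None and verify_password(password, record)

    def start_reset(self, user: str, now: Optional[float] = None) -> Optional[str]:
        """Create the token to email; only its hash is stored server-side."""
        if user not in self.records:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        self._resets[user] = (token_hash, now + RESET_TTL_SECONDS)
        return token

    def finish_reset(self, user: str, token: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        pending = self._resets.pop(user, None)  # any attempt burns the token
        if pending is None:
            return False
        token_hash, expires_at = pending
        presented = hashlib.sha256(token.encode()).digest()
        if now > expires_at or not hmac.compare_digest(presented, token_hash):
            return False
        self.records[user] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse")
    print(store.records["alice"])  # salt and digest only, nothing to email back
    token = store.start_reset("alice")
    print(store.finish_reset("alice", token, "new passphrase"))
```

Because the site cannot recover the password from the record, the "email me my password" feature becomes impossible by construction, and a stolen copy of the table exposes neither passwords nor usable reset tokens.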

That’s before worrying about the real weak link in security: users. We are all exhorted to have long passwords, not contain words, change them regularly, use different passwords for different purposes and so on. Nobody does that. What almost everyone does is have one weak password for stuff you don’t care about (if you really want to read the New York Times while pretending to be me then be my guest) and a stronger one for things you care a lot about (if you want access to my bank account then definitely don’t be my guest). Often banks insist on strong passwords (must contain an upper case letter, a lower case letter and a digit for example). So lots of people just write it down and stick a post-it on the computer. But then the usual set of backup questions are required for users who forget their passwords. I just don’t think it is that hard for someone to find the last 4 digits of my social security number and my mother’s maiden name (and an amusing aside: one website wouldn’t accept the answer to my mother’s maiden name question since it only has 4 characters and was deemed too short! It wasn’t even Wu or Li). It was a password recovery weak link that led to all the Twitter documents being compromised a few weeks ago.

As Bruce Schneier says, amateurs attack the cryptography; professionals attack the people. It’s even got a name, social engineering. Most readers of this blog are tech savvy and are at least suspicious of things like emails that look like they are from your bank or Paypal requiring you to go and log in. We are aware that the site you end up on might look like Paypal but probably is some password harvesting site. But less tech savvy people haven’t a chance. They’ve never heard the term phishing and don’t have any feel for which emails might be genuine and which are clearly fraud.

When people are phoned up they are even more vulnerable. There’s a lovely story of some high-up general inside the Pentagon saying that his password would be impossible for anyone to get. Susan Headley, a famous social engineer who had been briefing these generals, picked up the phone, pretended to be an admin in the Pentagon, called the general’s admin back wherever he was based and said the general had forgotten his password. She had it in a minute. But think about it. The general’s admin knew he was at the Pentagon, caller-ID may even have confirmed that, and so the whole story somewhat checked out.

A couple of years ago (I can’t find the reference any more) a security company went to a tradeshow, picked up lots of free USB memory sticks, loaded them up with a “phone home” program and then scattered them in the parking lots outside big companies. Well over half the memory sticks were inserted into computers inside the firewalls of those companies. If you found a memory stick beside your car are you sure you’d destroy it or might you see if it is any good (especially a couple of years ago before they became dirt cheap)?

Memory sticks are prohibited inside the DoD and homeland security since they became a vector for malware getting from employees’ home computers inside the firewall. Apparently this causes huge problems for some people since the DoD has many disconnected networks ("airgapped") and USB sticks were the way data got transferred between them. On coastguard ships there is equipment that doesn’t have a CD reader and, without a USB stick, no way to update its tables.

One mail I can’t work out is that almost every day I get an email telling me I’m being sent a billing summary for my records, which is attached. But there is no attachment. I’m sure it is some sort of phishing attack but I guess somewhere along the email chain the attachment got stripped off for being too suspicious.

Posted in security | Comments Off