Wanted - made. Alexey Drozd (aka @Labyrinth ) spoke with Lev Matveyev, a software engineer in the past, founder and owner of SearchInform in the present. The conversation turned out about how the IT industry was born in the post-Soviet space, how today's programmers differ from "yesterday's" ones, about reasons for pride and lessons from failure.
The text is big, but don't let that scare you. For the shy ones, be guided by the headlines.
Salary for machine time
Alexey: The conversation is timed to coincide with the 25th anniversary of the company. Then obviously everything was different (better or worse - I don't know). But a generation has grown up that thinks that security guards fought with mammoths before. And IT people in 95 were still running with spears. So the question is: what were the values then in '95, was the IT sphere considered elite?
Leo: Yes. To describe how the programmers were "celestials", I will describe how we worked. I first saw the computer in the first year of the institute in the 86th year. It was an EC 1036 with a large green monitor.
Then, to work for him, you were allocated a maximum of an hour or two a week. I was lucky, I made friends with one of the assistants of the department, who led our stream "Computing Technology". And under his login every day from 9 to 11 pm he worked additionally. We then valued "machine time" worth its weight in gold.
When I graduated from high school in 1993, a computer cost about 100 monthly salaries of an average developer. Few people understood why computers and programming were needed, most teachers knew less than some students. There were no reference books, there was no internet. Therefore, those who "dug the earth with their noses" became good programmers.
We talked in the so-called. bibieskah. 64 kilobits was considered a very high speed. Dial-up was terribly expensive.
Alexey: What did you write on then?
A lion:In pascal and assembler, I wrote my own database. He devoted a lot of time to speed, was interested in search, algorithms. I liked programming at the systemic algorithmic level, squeezing everything out of iron. Now, probably, very few people will understand why, for example, counting measures. It was important then. How many clock cycles are loading into the register? How much is the unloading? How much does the add command take? How much is the multiplication command? Sometimes it has been better to do two plus commands instead of one multiplication to improve performance. There was no compiler optimization - everything had to be done manually.
Alexey: Do I understand correctly that there was more emphasis on algorithms than on a beautiful interface?
A lion:Yes. Today, less attention is paid to this, because the iron has become good, cheap. Nevertheless, even today in the company, I ask you to focus on optimization, because the development goes in a spiral, and the performance problem is reincarnated. If earlier there was a question of how to sort an array of one hundred million records on conditional 16 megabytes of RAM, now the same problem arises, but in different orders: how to make sure that not one hundred trillion, but one hundred trillion is sorted on a gigabyte of memory.
Aleksey: That is, we have a hidden leitmotif in our development: “guys, focus on algorithms”, because optimization is an eternal trend. Let it not be popular with the masses.
A lion:Yes! And then, and now - you always need to optimize the work of the software, do not shift everything to hardware. But now it is problematic to find specialists who will do this optimization. They are essentially not there. Programming was an art then, and every second person in the profession was a guru. Now this is handicraft, the entry threshold has dropped significantly and this seriously affects the quality.
Alexey: I don't think it's that simple. As you noticed, the development goes in a spiral. The same gurus have remained, but now they work at a different level, the level of their own databases of Yandex, Facebook or Google ...
Lev:Yes, these people stayed, but the main thing was gone. In 92-93, we had our own social circle, Fido channels, where the pros sat. Since there were few of us, we all knew each other, even if not visually, not personally, but by bibies, by bibies confes.
Aleksey: Do I understand correctly that bibieski are a kind of "boards", notice boards? You download it, add your question, download it back.
Leo: Not really. Bibieska is a computer with one or several modems, it has special software. It is essentially a server that has a directory structure. It transfers everything to your computer, you view it, then download it back.
In fact, this is a prototype of a chat, but the answer was very delayed, because you connected to the bibiesque for 15-20 minutes - it was expensive to use the Internet (especially for a student), it was impossible to occupy the telephone line in the apartment for a long time. You need to get advice on work - you throw a cry: "Guys, ask your acquaintances, maybe someone like me is fighting about the same problem ..." Leave a message and hope that the person you need will answer in a day or two.
There were bibieski that were included on a schedule. For example, from 7 to 9 pm, because the owner could only support them at this time. They were enthusiasts. It was possible to organize the exchange of information between several bibies, and it was some kind of analogue of the Internet. When in my first business we kept a bibiesca on four multichannel lines working around the clock, it was a very cool service for our clients.
There was no "aichi" or "ibe"
Aleksey: It turns out that the realities of the early nineties are as follows: you have an unplowed field in IT - research what you want, develop what you want. Research itching pushes you ...
Leo: There was no such name "IT" at all! It appeared, probably, in the second half of the 90s, even by the end of the 90s - early 2000s. There was no such thing as an IT chief, there was no division into a system administrator and a programmer. It appeared later.
Any programmer, by definition, was a competent system administrator who can configure everything, lay a local network for 10 megabits. Now 80 percent of programmers do not know how to crimp the cable ...
Alexey:This is already a specialization. This is different. But still - here you are organizing your first business, was it a product that digitized regulations, laws, orders?
Leo: Yes. And he provided a search for these documents. It is now a common practice that any system has a phrase search, morphology. Back then, competitive solutions had only word-based searches. That is, neither phrasal search, nor at least some kind of harbinger of "similar search" (this is our technology that searches for documents similar to a request not only technically, but also in meaning).
Competitive programs were then expensive and ineffective. They were used only by large companies that were ready to assign a person to look for documents for several hours. For an ordinary entrepreneur with a staff of 20 people who needs to get an answer to a question in 5-10 minutes, this, of course, was not good.
Therefore, our search engine made an impression on the market. Our main competitor at that time, the Register company, had 150 clients, and the whole market was estimated at 300. My estimate was completely different - 1000-2000 clients. And then, in the very first year of operation, we got 500 customers, taking also half of the customers from the Register.
Alexey:When did the idea of information security first come to mind? I think in the early 90s, people who went online did not really think about security issues.
Leo: In the 90s, there was no information security as such. What then was meant by security? How to fight off bandits and police. The concept of information security was born in 2005. By this time, I had different projects under my belt, we released the so-called "harem pants" (shareware programs). Later they sold search as a product for the tasks of different businesses, such a corporate offline search engine, local "Google".
It was, relatively speaking, a delicious piece of candy without a "decent" package. So infobez has become this packaging for us. While developing DLP, we again did not start doing something similar to what was on the market. If you offer another bike that can reach speeds of not 25, but 30 km / h, then this is cool, of course, but it does not fundamentally solve the problems of a person who needs to travel 100 km a day quickly. He will need a car.
All market players then worked according to the principles of the tsarist secret police - the main thing was to intercept. A huge trash can of alerts was formed. What to do with it? View manually only.
We believed that the main thing for information security is search by information and analytics, and this made life easier for users, because it is not necessary to view the entire interception, but conditionally, only 1%.
Alexey:It turns out that you have solved the problem in a radically new way?
Leo: Yes. What else has always been bet on is optimization in two directions: so that DLP is undemanding to equipment, and that the search speed is high. This is critical, because if you need to launch a search once a day, wait a minute or three - it may not be scary. And if you need to make 50 requests per day, it will add up to 2-3 hours from minutes. Now the engine is 2-3 times faster than at the start.
Alexey: Why did you focus on information security in the context of protection from insider protection? Because it would be stupid to make another antivirus?
A lion:I think I estimated in time that there is a problem of data leaks in information security. It was the early 2000s, computers entered everyday life, information gradually began to move from paper to electronic form.
Alexey: We weren't pioneers, were we?
Lev: When we entered this market in 2005, there was chaos. I know for sure that one of the competitors took 6 thousand dollars for the trial version. Now tell someone: pay for the trial - they will be mistaken for an idiot.
Marketing was built on the fact that DLP is difficult, that implementation takes at least six months, that there should be special linguists to set it up. That is, to put up a security system, you need to involve specialists from the research institute and it costs like a spaceship. Only the richest companies bought this. And we made a boxed product: installed it, launched it, you can work.
Aleksey: I saw one of the first KIB advertising brochures. It contained information only about 4 controllers (then still sniffers). How did you decide which channels to work with in the first place? Their prevalence or ease of interception?
A lion:Build on what the customers wanted, which gives them the biggest headache. You need to understand who worked with us on the part of the customers. These are people from the "organs", people in uniform, who, in fact, formed the sphere of information security in Russia. They initially understood that internal incidents, not hackers, could create the greatest damage. These specialists know how criminals and unscrupulous employees think, they understand the value of information, and they have very strict product requirements. So they threw us tasks that were unsolvable in the opinion of information security specialists, and we gave them tools.
At first, DLP intercepted only "soap", documents sent to print - a critical channel, because then the Internet was not yet highly developed. There were no flash drives yet, so the DeviceController came later. The functionality of the program has evolved, full-text search has acquired the ability to search by regular expressions, find drawings, etc. But we saw what other functions were needed: we need a relationship graph, we need customer cards, we need a prototype of our ProgramController.
By the way, abroad the industry was formed in a completely different way, there IT administrators are more involved in information security. Therefore, domestic DLP is not at all the same as abroad. There it is a program with modest capabilities. We even had to change the positioning in the west so that there was no bias.
Alexey:Since we're talking about foreign countries. In the same booklet, which I already recalled, the American phone number was indicated in the contact section. Was it fashionable then to have an office in America?
Leo: Honestly, I don't remember. There has never been a representative office in the United States, but they probably took some number. We thought we would now go out to the whole world. And thank God they didn't do it. Having entered the information security market, we saw that it is immense in Russia as well. I made a decision not to rush abroad yet. It was the right decision to become No. 1 at home.
We went west only three years ago. The main thing is the first impression, you can't buy it for money, the product is the cornerstone. It was necessary to hone our software, because in the corporate sector you can work on a hundred PCs, but it’s not a fact that you will deploy to 500. Now we have a maximum implementation of 70 thousand stations in one company. But we have reached such a result, as they say, step by step. Many of our competitors do not learn from such stories. For them, when implemented on 100-200 PCs, everything works, but they put it on 5 thousand - and everything falls. Including reputation. But this is not our way.
I think it is precisely because of this approach of ours that now abroad we are causing the wow effect. And if we came out with a product that we had 5-6 years ago, most likely, that such a reaction would not have been, we would have wasted money on promotion.
Where slipped
Aleksey: It is always more pleasant to remember victories, technologies that have fired, and failures are not usually advertised. But I can't believe that everything was perfect during development. Maybe there are examples of something that didn't take off?
Leo: The biggest failure is TimeInformer as a standalone product. We spent about 15 million on development, hired 60 sales, which worked for six months. Developed activity, spent resources of programmers.
The program turned out to be technically strong, it just doesn't have a big market for it. We sell it to interested customers, but at the same time we understand that the transition to DLP is inevitable. If the client comes to the idea of control, he will not limit himself to just monitoring working hours. The data security issue will arise anyway.
Alexey:Were there any failures in terms of not marketing, but technology?
Leo: There were no direct failures and crashes. Technologies are not all equally successfully implemented, but they bring more and more benefits. For example, FTPController is not a downhole product, it is less important for clients than MailController. But this does not mean that it did not need to be developed, they just started working on it later. It's like in oil production - first you extract from the surface, and then you drill a well. Of course, it's nice to remember 2007, when we intercepted the “non-intercepted” Skype, but when the product is mature, each new feature will not cause the same explosive effect.
Alexey:You can also say that everything has its time. If neurons five years ago were only at the level of concept, now we are even looking at them, because they have ceased to eat resources like that.
Lev: If we talk about mistakes, I remember how they started writing in Angular 3 years ago. As a result, we ran into a number of inconveniences: a high threshold of entry, a complex system of modules, from version to version they break the API. Now switched to Vue.
Another story - 4 years ago they began to make a self-written ORM for processing messages from the queue server - as a result, they stopped development, because saw that we only get a slowdown in both development speed and software performance.
We tried to use the Cassandra database instead of MSSQL (without a radical change in architecture). We spent six months, but on tests we found out that there is a terrible degradation of work with an increase in the number of storages (keyspace), which is not in MSSQL.
There were several integrations with third-party products, which later turned out to be inoperative or further maintenance and support turned to hell. We suffered with them for a couple of years and refused to cooperate. At the same time, I note that we are perfectly integrated with some products and have been successfully working for a very long time.
But I treat these mistakes philosophically - this is an experience, an understanding of where to go and where not to.
Where is the money
Alexey: Where did you look for money for your projects then? Attracted from investors?
Lev: I borrowed for my first business, because there was no money at all, and I had to pay market salaries to 5-6 developers. Then it was 20 thousand dollars.
And at SearchInform we were not going to attract money at all, we developed ourselves. Without a steep profit, but overcame childhood illnesses, did not rack their brains over what money to pay the salary from. It so happened that a serious St. Petersburg company from the financial sector came to us, wrote that it would be interesting to invest in us. This was in June 1998. I decided why not go.
We started negotiations, the investment manager was quite competent. He says that we see that you are a promising company, but you are messing around in the sandbox, you need to open offices in different regions. I answered, they say, we plan to raise money in the next six months and open an office in St. Petersburg. They: what to expect? Here's the money and go! The amount and conditions were supposed to be comfortable.
We were salivating that we would open an office here and there, hire a call center, send money to advertising, to a series of Road Show conferences. Everything was planned, I came to St. Petersburg for the final negotiations - it was the same "Black Tuesday" in August 1998. They say: "Sorry, we are all."
It was a blow. But the thought of development has already taken root. And we decided that we need investments to reach a new level. At the ISDEF conference in October, I met Maxim Shekhovtsov, Managing Director of Alliance ROSNO Asset Management, and we started talking about investments. By December, they shook hands.
Aleksey: How different were the conditions that were before Black Tuesday?
A lion:Yes, of course, because after there was no money on the market. At that time Alliance ROSNO had 42 million rubles left, which they could invest in us. These were not the best conditions, but then the infusion was beneficial to the company. After 4 years, the fund manager changed, and we bought out the share - for more money than we expected. But in business, you have to argue and swear on the shore, and then comply with the agreements, even if they are already unprofitable for you. We worked fruitfully and parted as friends.
I am cautious about investments. There are many stories when companies enter a certain market, invest several million and leave. The tactic “we will fill everything with money and take another round of investments to fill in again does not work. An obvious example is the collapse of the dot-com bubbles.
The world is going a little crazy. When unprofitable companies are worth billions or hundreds of millions of dollars, I don't get it.
Alexey: Maybe investors just want to blow up a bubble to get theirs back?
Leo: Probably. But as for me - you can't borrow from Vasya in order to give the interest to Petya. You cannot constantly live in debt with other people's money, this is not a business.
Present, or How not to miss a good crisis
Alexey: Now they say that after the pandemic the world will never be the same. From the point of view of information security, there is a forecast, what will happen? Churchill said: you should never miss a good crisis. Will this crisis be good from an information security point of view?
Leo: Definitely good.
Alexey: How will this manifest itself?
Leo: The people switched to a remote location, some of them will remain there forever. It has both good and bad. We will communicate with Alice more often, and, probably, will forget how to talk to each other. But we will also save time on the road and get better sleep. As an owner and manager, I see more bad things in remote work, but I think that companies will wisely use this format and combine practices.
As a representative of the cybersecurity community, I am glad that companies have begun to understand that at a remote location it is necessary to control the movement of information and discipline is stricter. We saw an increase in the number of trials of the working time control module, there was a wave of requests for security policies for remote control, we even had to create a checklist for customers with recommendations for switching to a remote format - what to check and configure first. We saw great interest in our online learning center. This is significant.
Alexey:The way companies come to understand that information security is important can probably be compared to how a person who has moved to live from village to city changes habits. In the village, it is in the order of things to shut the door on the latch. The lock is used only as a last resort. In the city, leaving to close the doors with a lock is akin to an axiom.
Leo: Somehow people do not doubt that they need to put a lock on the apartment door, although they want to buy a beautiful banquet in the hallway. But if you buy a banquet instead of a castle, there is a chance that there will be neither her nor another half of the apartment. Therefore, it is necessary to invest in the castle, and then in the furniture. Any company over 50 PCs needs information security. But don't exaggerate. Complex information security products are not needed in a company with only 10 employees.
Alexey:Well, in conclusion, I must ask. You have been in business for so many years, some are already leaving management or even selling the company to devote time to other activities. You look like a person who doesn't get tired of business. What is the main thing for you in business?
Leo: In short - two things - people and drive.
If a little longer: people who are interested in doing the same thing as me. Who go to work not because they need to, but because it is interesting to solve complex problems, argue and achieve results.
Business also opened up the opportunity for me to communicate in a circle of very interesting people - entrepreneurs, for the most part, are strong personalities, from whom you learn a lot. In this I find the drive. In general, I could not be engaged, for example, in trade - this is not mine. IT is an area that energizes me.