Interview with John McEleney of Onshape

I first met John McEleney in 1999 or 2000 when I was working as a SolidWorks reseller application engineer in Western New York. We had wings at the Anchor Bar in Buffalo. John was a part of the sales team at SW at the time. He also had some personal ties to Western New York. He got his bachelor’s at University of Rochester. All that just to say that I knew him before he was king of the hill. We weren’t great friends, but we were acquainted.

Over the years, and through many different situations, John has shown himself to be capable and fair minded. Looking back, when he left SolidWorks, things started to change in a way that led me in another direction. He was in touch with users in much the same way as Jon Hirschtick. I think this aspect of the leaders of the company being able to relate to end users was crucial to their success.

For this reason, even though my views on the cloud don’t make me a big fan of the Onshape project, I do recognize that there are some other innovations that are fairly interesting going on. Mr. McEleney agreed to an interview to counter some of my concerns about various topics. McEleney’s words are shown in green below.

Question: Will companies be willing to yield control and responsibility of their data to a Vendor?

Answer: Yes. Every day companies are moving more of their operations to the cloud. Take a look at some of the world’s leading software companies: SalesForce (Customer Relationship Management), NetSuite (Finance, ERP), Success Factors (HR), SAP and Oracle… the list goes on. So the question is why not product design? The short answer is because to make a high performing CAD system operating in the cloud is a hard problem to solve. We he have solved this and the industry has taken notice. Today tens of thousand of heavy users and thousands of commercial customers login to Onshape.

When you have a platform shift (e.g. Unix to Windows and now Windows to the cloud), you have the opportunity to redefine the user experience and to re-think how people can access the system. When we started SolidWorks, the industry said “do we really need another modeler? After all, Pro/E supposedly “owned” the market.”  Well, the combination of Windows, powerful pc’s and “affordable” software broadened the usage of 3D modeling. Fast forward twenty years and we’re redefining access and the user experience.

You asked the question “will companies be willing to yield control and responsibility of their data?” You might expect me to argue, and this is why we started the company, that they get better security, control, and accessibility when they are using a cloud solution – they do. These aren’t just idle words, the cloud is far more secure than most peoples desktop pc’s. Why do I say that? Because most people don’t talk about all the fails they have internally, whether it’s lost data because the system or hard drive crashed or because their system has been hacked, but they simply don’t realize it. As mechanical engineers, we tend to think that because we can see the hardware that it “must be” more secure.

Let me ask you a question: who’s going to be better at security? AWS or the IT/CAD manager at a medium-sized firm? This is not a slight at the IT/CAD manager, but rather the fact that AWS or Azure simply have the resources for industrial strength security.

There are literally millions of companies every day that are having their desktops hacked. Just look at the case of the recent Wanna Cry ransomware virus that went around. That happened on corporate and personal desktops, not on the cloud. Nobody in AWS suffered this fate. The only reason we heard about this is the staggering number of people that were affected, yet every day there are 000’s of events on desktops that don’t get reported (simply because people don’t realize that their systems have been penetrated).

Question (ML): Macs used to not get hacked, but that was because the market share was small. As cloud gets bigger and bigger, and the prize/target/pot of gold is bigger and bigger, don’t you think we’ll hear more and more about the cloud getting hacked?

Answer (JM): Oh, I think the cloud gets targeted tremendously today. The question is who’s going to have better protection? The individual firm or the cloud provider?  There are technical arguments, but also economic realities. Imagine there was a new firewall that knows all the right traffic and all the wrong traffic, but it costs $50 million, or $100 million. Most companies could not afford this, but Amazon and Microsoft can as they’ll amortize this over many, many users.

Question/Comment (ML):  I know my blog has been hacked 4-5 times – and by the way, my blog is a cloud system.

Answer (JM): Has your computer been hacked at all?

Response (ML):  No, as far as I know.

Answer (JM): Right, and there you go. If I was a betting man, I would bet that you’ve been hacked and you have no idea that this happened. They might not have stolen anything, but my guess is that you’ve been hacked. Real security experts will tell you the same.

Let’s use a simple analogy:  the White House is a very secure location,  even though it’s a safe bet that every terrorist organization in the world views it as a target. Even with all of that security, you’ve probably heard about the individual that jumped over the fence. You are aware of this because of the White House is very high profile. By contrast, walk down a side street in a major city and you’ll probably see some level of street crime, but you’re unlikely to hear about this on the evening news.

More and more progressive IT managers are starting to realize that they will provide a more secure environment by using the cloud. Let’s talk about a five person mold shop in Tennessee: are they better off trying to do all what’s necessary to insure a secure environment by themselves or leveraging the expertise and assets of Amazon? The answer is obvious.

Question/Comment (ML): The 5 person target may be vulnerable to attack, but they’re not really a target, no one knows they’re there.

Answer (JM): Sorry Matt, but you’re simply wrong. Go to Best Buy, buy a new router, create a new account, and put a modest password ( a little better than the default). In 24 hours, take look at your log files and see how many times it’s been attacked. It’s automatic. Every IP address out there is being hammered every single day. People don’t realize it, but more often than not, the hackers are getting in extremely easily.

Question/Comment (ML):  Chromebook has been around a long time, and it just hasn’t caught on. Do you see a relationship between this acceptance rate and general reliance on the cloud?

Answer (JM): No. I don’t think there’s a parallel between cloud adoption and netbook adoption. I think the growth of the Chromebook is being impeded by the price point convergence of laptops and Chromebooks. The growth of Cloud based apps is accelerating.

Question/Comment (ML):  Autodesk has had backlash from their push to cloud – outcry from the public about losing perpetual licenses and being forced into the cloud.

Answer (JM): I think the big concern from the Autodesk community is that they do not feel like they’re getting the value from the subscription offering. AutoCAD is clearly a mature product and the users feel that they are being forced to pay more for no material improvements.

Contrast that with Onshape. With Onshape, you’re getting upgrades every 3-4 weeks – we’re very transparent about this, take a look at our forums to see the improvements we have made. In addition, everyday their data is being backed up, upgrades are handled for them automatically, they simply log in and they get the new version. People are voting with their wallets and they think that they’re getting great value with Onshape.

Question/Comment (ML):  I have a license of Works 2013 that I have stopped paying maintenance on, but I still have all of those designs I’ve created that I can go back and look at, or work with, or even use the old software for new work. I can’t share data with newer version users, but that license still works for what I bought it for. Onshape won’t allow this way of working. Once you stop paying money, you can’t access the data any more.

 

Answer (JM): Let me ask you a question: if someone sends you a 2016 file, what do you do? You can’t open the file because you have an earlier version. With Onshape you can simply open recent and previous versions. In addition, users get continuous backup, infinite undo, access from anywhere anytime, no overhead work, no hardware upgrades, unlimited storage, online community… in other words people get a lot of value. For those that want to save data out to a neutral format, you can do this in a variety of formats, such as Parasolid, STEP, IGES etc.

 

Question/Comment (ML):  Is there any real reason why your system can’t work on local hardware behind the local firewall?

 

Answer (JM): Yes. There are technology and business reasons, but, suffice it to say that I do not know one business in the world that wants their own instance of SalesForce for their data center – it would eliminate many of the benefits.

 

Question/Comment (ML): What about a company that is sophisticated enough to have their own local cloud?

 

Answer (JM): Part of how we provide the benefits of Onshape, the real-time sharing, automatic backups, world-class security, automatic updating… is that we have a technology and operational model that allows us to operate this at scale. This is not possible if we have a lot of local instances.

 

Question/Comment (ML): What about history-based design. isn’t it old fashioned and unnecessary at this point?

Answer (JM): Absolutely not. Quite the opposite. Every day millions of people design products using the history based paradigm. Simply put: it’s familiar and it works.

Admittedly there are things that can be improved and we have worked on these. For example, from the beginning we made the decision to make Onshape a declarative system. What does that mean? It means that when you open a model, it will always regenerate. We have talked to x000’s of users and many of them like the ability to use external referencing, but a significant majority of them break all of the references,  because they don’t want inadvertent changes made to their model. In the SolidWorks community, the users refer to the feature tree as a “Christmas tree” because it lights up red. With Onshape this does NOT happen, because of how we built the external referencing capability.

Before we started Onshape, the industry was debating Parametric Feature Based Modeling vs Direct Editing, our opinion was that it was not a question of either/or, obviously you need both – so we built it into the core of the system.

Question/Comment (ML): Do you think NURBS is nearing the end of its functional life?

Answer (JM):  No. There’s a whole infrastructure that needs to interact with NURBS models. Having said this, we see a lot interesting technologies, such as sub-division modeling that allow you to easily create new shapes.

========================================================

I’d like to thank John McEleney for taking the time to do this interview and get it ready for print. He realizes that in part this blog represents at least a skeptical audience, but we agree that discussion of the issues is beneficial to everyone, and it is possible to disagree without losing decorum. But we obviously don’t disagree about every thing.

I would like to say that I’m arranging to continue this discussion with an independent IT security pro. We will talk about some of the realities of security from the point of view of the desktop, small organization, large organization, and the cloud. Some of John’s claims seemed a bit like reverse fear mongering. I wanted it to be clear that the only things that I have had hacked have been my (cloud based) blog, administered and protected by a mainstream IT organization that claims it knows security. I’ve never been taken by ransomware. People who get hit by ransomware did something specific that most of us know was the wrong thing to do (opening that questionable email and clicking a link).

Anyway, thanks again to John, and let’s continue the discussion in the comments.

 

 

11 Replies to “Interview with John McEleney of Onshape”

  1. I just wanted to add these references:
    https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
    https://www.theverge.com/2018/10/4/17935868/chinese-spies-microchip-hack-servers-apple-amazon-supermicro
    https://www.cnbc.com/2018/10/04/chinese-spy-chips-are-said-to-be-found-in-hardware-used-by-apple-amazon-apple-denies-the-bloomberg-businessweek-report.html
    https://www.theguardian.com/technology/2018/oct/04/china-planted-chips-on-apple-and-amazon-servers-report-claims

    This may be old news at this point, but the Chinese added spy chips on Amazon (and Apple) server motherboards. So a system like AWS that you claim is so secure has already been hacked before it was powered up. Sorry, I’m just not buying this whole cloud thing. It’s ok for storing pictures of the beach, but no thank you for anything I don’t want other people to see.

  2. This is an old post now, bit I want to inject some more input regarding access to the cloud. I travel to a certain large East Asian country that will go un-named except on the product IDs of most things in K-Mart.

    They have this thing called a national firewall (and many countries do). I had the experience of setting up a home grown VPN from there to someplace where I could access google. It was an interesting experience. I could watch the activity on both ends of the VPN connection real time and I found that though an encrypted tunnel was set up and active, the data going into the tunnel was not exiting on the other end. Instead it was going to someplace in said country. Not only that, but the routing of the tunnel data to the wrong place persisted after returning to the US.

    On researching just how and what they were doing to accomplish that I realized that it is very hard to guarantee where your data is going to end up when it is sent over the internet and what will happen to change it on the way even if sent securely. Said country has also been known to affect the internet outside of their borders by their antics.

    I am curious how a cloud based app can deal with this kind of attack on a national level where routers route to the wrong place, data is inspected even in supposedly secure tunnels, and dns cache poisoning is common.

  3. So Sram is a customer of OnShape? Or is this a user-submitted model? The model doesn’t appear to have the intricate tooth profile features that the actual product has. Would be really interesting to know if they were and what percentage of their engineering work is done using OnShape. While our company has embraced cloud-based PLM solutions, the CAD/PDM options out there just aren’t quite ready for prime-time, at least for the level of complexity and size that our products/designs are.

    1. Bruce, the images I used were given to me by Onshape. I assume they wouldn’t give out stuff without permission. The models could simply be imported, or dumbed down. Lots of possible scenarios.

  4. Pete,
    Thanks for the clarification on that. Yeah, I should have had a second interview that went into some of the more operational details.

    1. Matt,

      You might consider a strike-through on your assertion in the text of your post here, and then a corrective statement in parenthesis. A whole lot easier than another post, and it would be visible to those that don’t read the comments (who doesn’t do that right?).

  5. Matt,
    I wanted to point out that your statement here about Onshape is not true: “Once you stop paying money, you can’t access the data any more.”
    In Onshape the data is always yours to view regardless of whether you are paying or not. You pay to edit your private data. If you lapse off of a Pro account in Onshape, you can still access your private data. A free account can also create public data without practical limits. If you upgrade your free account to a Pro account, you can then edit your private data again. This all occurs without back paying lapsed subscription (don’t get me started), going through a middle man to purchase the upgraded software, performing a monstrously long installation, and updating the files once you do.
    Thanks for the discussion here. I think it’s beneficial. In my experience there is a some amount of knee jerk reaction to “the cloud” without a proper, disciplined, and rational approach to it.

  6. Paul, I was wondering what you were up to. The Git comparison was mentioned in a section that was edited out, but we didn’t really get into it I’m guessing because it would probably be a level of detail that we weren’t digging into this time. The original interview was probably 3x as long, and had to be trimmed down so someone might read it. Anyway, thanks for stopping, by, Paul. Good to hear from you again.

  7. Matt,
    What John is saying about hackers is absolutely true. I am sitting here in my room in Seoul Korea. I have a website that I use for a very specialized purpose. It has no domain name. It’s part of the dark web. I administer it myself and I am constantly having to block things like bot nets that are targeting WordPress. And I’m not running WP. Anytime anyone opens a port in the internet someone is going to try to stick their nose in it.

    I have played with running things on the cloud. If I had some need for a machine that had 16 cpus and tons of memory I could “rent” one on the cloud for a month and then shut it down. I could run any version of Windows or ‘nix I wanted and use a remote desktop app for graphics. So for that huge FEA or CFD job the cloud might be the ticket.

    One of the outstanding things I have noticed about the cloud is that it seems to have some really fast backbone connections overseas. While Onshape is kind of slow in Korea with a generic connection if I use a cloud based solution to route my Onshape traffic to the US it gets really fast.

    So access to the cloud internationally is one of the big drawbacks right now for me because they don’t seem to have a cloud server in every country I may travel to.

    John also didn’t talk about the possibility of injecting something nasty into Onshape from the inside via Featurescript or in an imported model file or an insider sharing a model inappropriately or making it public.

    John didn’t talk about the git side of Onshape much either because you didn’t ask him. But I think that will be a game changer in bigger companies.

    1. Paul,

      1. FeatureScript is a tightly controlled environment that only allows access to your part studio and therefore very secure – no ability to do any malice inserts
      2. WRT performance – actual model operations are done on local cloud locations (8 locations and expanding). Document lists refer back to original cloud (based on your ip address) and can be a bit slower to load when accessed from a new cloud location (in your case Korea), but once document is active all compute is done in closest cloud (Doc list generation performance from new location will improve shortly)

      John

Leave a Reply to matt Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.