“Fall in love with the problem, not with your solution.” ~ Peldi Guilizzoni
“Brand is what people say about you after you’ve left the room.” ~ Dharmesh Shah
“Don’t make customers happy. Make happy customers.” ~ Dharmesh Shah
“Improve the product experience, and everybody wins.” ~ Dharmesh Shah
“Don’t make ___(marketing)___ software. Make ___(marketing)___ superstars.” ~ Dharmesh Shah
“Services are low margin. Except when they’re not.” ~ Dharmesh Shah
“Give more than you take.” ~ Patrick Foley
“The hard part of feature design…what to leave out.” ~ Dan Bricklin
“If you want to be different, you must be willing to embrace your negatives.” ~ Youngme Moon
“Competence is no longer a scarce commodity.” ~ Seth Godin
What Is Fun Friday?
I created the Fun Friday category to be a collection of very short, and easy to read, posts. The intention is to provide useful information in a compact form factor. These posts will showcase short videos, graphs, top 10 lists, and anything else that can be digested quickly.
Now it’s your turn. What other meaningful business quotes have inspired you?
The subject of the Citibank email scam is “Message ID: 72195”. As soon as I saw that subject line, I knew it was a scam, because it’s too generic. I wanted to get more information about this phishing scam, so I opened the email using Light Point Web to avoid downloading any malware.
The email says it is from “Citibank – Service” and the email address associated with that account is firstname.lastname@example.org. The body of the email message says, “You have received an urgent system message from the Citibank Department. To read your message, please, go to your account immediately.” You’d think that for such an urgent message they would have taken the time to provide a more descriptive subject line.
The link in the scam email points to online.citibankcom.US.JPS.portal.Index.do.jTgFfNULSY.digikad.ro. Only the rightmost labels, digikad.ro (a Romanian .ro domain), identify who owns that host; everything to the left, including the citibankcom part, is a subdomain the scammer chose to make the address look like Citi's.
The Norton site rating for digikad.ro identified 4 identity threats on the phishing site. Norton defines identity threats as items such as spyware or keyloggers that attempt to steal personal information from your computer.
How to Protect Yourself From Phishing Scams
Here are 4 things you can do to protect your identity, and personal information, from malicious phishing email scams.
If you receive an email message claiming to be from Citi, or Citibank, with the subject line Message ID: [a string of digits], do not open it, and delete it right away.
If you receive an email message from Citi, or Citibank, and are not sure if it’s a legitimate message, call Citi to confirm the email. Your account has a log of the email messages Citi has sent you. The Citi representative can tell you if they’ve sent you any recent emails. Citi’s 24 hour customer service number is 1-866-670-6462.
If you mistakenly open the email message, and it states that you need to check your Citi messages, or inbox, open up a new browser window and log in directly to your Citi account by typing the address yourself. Never click on a link in these email messages. If, after logging in to your online account, you don't have any recent messages from Citi, you can be sure the email you received is a phishing scam. Delete it immediately.
If there is a link in an email message you are unsure about, hover over the link and look at what the status bar tells you. The visible link text can say anything; the status bar shows where the link actually goes. If the URL shown in the status bar isn't for the website you're expecting, it's likely a phishing scam. In this Citibank scam email the link points to the digikad.ro website, not a legitimate Citi website. Note that the scammers tried to make it look like a legitimate Citi website by including citibankcom as part of the URL, in the subdomain, where it says nothing about who owns the site. Also notice the strange http-like characters at the beginning of the URL.
Citi will never ask you for your password, or to update personal information via email. If you receive a suspicious email claiming to be from Citi, or Citibank, forward it to email@example.com.
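The hover-and-check step above can be written down as a small script, which makes the point about subdomains concrete. The following is an added example, not code from the original post or from Citi: it takes the URL a status bar would show, finds the registrable domain (roughly, the last two DNS labels) and reports whether the link lands on an allow-listed Citi domain, is a lookalike that merely carries the brand name somewhere in its host part, or is unrelated. The allow-list, the brand keywords and all sample links other than the scam URL quoted above are constructed assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example (not from the original post): the
# registrable domains a genuine Citi login link is assumed to use.
EXPECTED_DOMAINS = {"citi.com", "citibank.com"}
# Brand strings whose presence anywhere in the host part marks a lookalike.
BRAND_KEYWORDS = ("citi", "citibank")


def registrable_domain(host: str) -> str:
    """Rough eTLD+1: the last two DNS labels of the host.

    Good enough for .com and .ro; a production filter should consult the
    Public Suffix List, because e.g. 'example.co.uk' needs three labels.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """Classify a link as 'expected', 'lookalike' or 'unrelated'.

    expected   - the registrable domain is on the allow-list
    lookalike  - a brand keyword appears in the subdomain labels or in a
                 user@host prefix, but the registrable domain is someone else's
    unrelated  - neither
    """
    # A status bar may show the href without a scheme; urlsplit needs one.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""  # lowercased, userinfo and port stripped
    if registrable_domain(host) in EXPECTED_DOMAINS:
        return "expected"
    # Check the whole netloc so 'citibank.com@evil.example' is caught:
    # browsers treat everything before '@' as a username, not the host.
    if any(kw in parts.netloc.lower() for kw in BRAND_KEYWORDS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # The link from the scam email above, plus constructed comparison links.
    samples = [
        "online.citibankcom.US.JPS.portal.Index.do.jTgFfNULSY.digikad.ro",
        "https://online.citi.com/US/login.do",
        "http://citibank.com@digikad.ro/login",
        "https://example.org/",
    ]
    for s in samples:
        print(f"{classify_link(s):10} {s}")
```

The scam link classifies as a lookalike because its registrable domain is digikad.ro while "citibank" sits only in the subdomain; the user@host variant is flagged for the same reason, since the browser would connect to digikad.ro and treat citibank.com as a username.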
Have you received similar phishing emails claiming to be from Citi? Let us know.
This post is part of a series of posts from the 2010 Business of Software conference (BoS2010). For a summary of the conference, and an index to the other presentations, click here.
Peldi’s 2010 Business of Software presentation: “Do Worry… Be Happy!” – One thing they don’t tell you about quitting your job to become a startup CEO is how much you’re going to worry about things.
Peldi was my favorite BoS2010 presenter. He started off with a really cool Bobby McFerrin video, and kept the energy going all the way to the end. His presentation was candid, and very inspiring. I hope they post Peldi’s presentation online, because there is no way I can do it justice here.
After his presentation, I had the opportunity to talk to Peldi. He’s such a nice guy! He’s very humble, and someone you can easily relate to. He’s the type of guy you want to succeed.
What Startup Owners Worry About
What do startup owners worry about? Everything! What should startup owners worry about? Well, not everything.
It’s actually really hard to choose to ignore certain threats, but it’s crucial for your business’s success. Deciding what’s worth worrying about is not an easy task, and can seem daunting at times – but it’s a necessary skill to learn. And even more important than learning to decide which concerns are worth worrying about, is learning to cope, and live with, the uncomfortable emotions that result from trying to ignore these lesser important issues.
In his 2010 Business of Software presentation, Peldi shares some of the issues that concern him, and discusses which ones are worth worrying about, and which ones are not. Peldi also shares some tips to overcome, and deal with, those fears.
Why You Should Listen to Peldi
Why should you listen to Peldi? Well just take a look at his revenue chart below. $2M in just 27 months! I’d say he knows a thing or two about running a successful software business.
What Startup Owners Should Not Worry About
Peldi started off by discussing three common fears startup owners worry about, but shouldn’t.
Asking customers to pay for your product. We have been paying for products since the beginning of time – I want something you have, so I’ll trade you for something you want (usually cash). But, for some reason we have this weird aversion towards paying for software. (Side note: I’m not totally sure why that is, but I suspect it has something to do with the internet being “free”, and the wide abundance of free software you can find online these days. My guess is that pre-internet it wasn’t so hard to imagine someone paying cash for a piece of software.)
So, don’t worry about asking customers to pay for your product – it’s a basic concept. And in general, if you have a decent product, people will pay for it. HubSpot co-founder, Dharmesh Shah, and other startup experts, suggest you start charging for your product as soon as possible, because you get way better feedback from paying customers.
Not having enough time. There will never be enough hours in the day to accomplish everything you need to. We all have this problem, and it’s one that will never go away, but worrying about it will only make things worse – and take your time away from working on real issues. Prioritize your tasks, and complete the most important ones first. The rest can wait until tomorrow.
Pirates. Software pirates that is…not the ones off the coast of Somalia. You’ll never have 100% guarantee that no one will steal your software. You can take steps to prevent most people from doing so, but you’ll be hard pressed to stop a really determined individual. Plus this is becoming more of a non-issue these days with the movement towards SaaS. The little bit of money you will lose from software pirates is not worth the time spent trying to stop them. Don’t worry about it, take it as a compliment, and move on.
Common Startup Fears
When to quit your full-time job. After working on his wireframing tool part-time for several months, Peldi decided to take a leap of faith, and quit his job at Adobe. This was before his company was profitable. Making this decision is not an easy one, and will vary from person to person. There are a lot of things you need to consider, such as:
How much savings you have
Who else this decision will impact (do you have kids, a wife/husband, or other dependents)
Your risk tolerance
How far away your startup is from profitability
The likelihood of success
Having competition. You should embrace your competition. Competition is a validation of your market, and your idea. If there is no competition maybe that means there is also no market to be had. In fact, you want to create something so good that people will want to copy it. You can also learn from your competition’s mistakes to make your product even better.
Building the wrong product. What if no one wants to buy your product? That’s a reasonable fear to have. It’s important to be flexible, and realize that your final product may not look anything like your initial vision. The key is to fall in love with the problem, not the solution. Listen to your customers, and modify your product if necessary. In the beginning, customer feedback is far more important than money, because it allows you to shape your product into something that the masses will want, and pay for.
Work/Life balance. You can’t spend every waking moment working on your business, and ignore your family in the process. You need a good balance that works for you, and your family. After all, they’re probably the reason why you’re doing this. Peldi’s strategy is to work while his family is sleeping, so they won’t know that he’s ignoring them.
Not being noticed. These days everyone wants to get on TechCrunch, or on the front page of Digg. The trick is to be so remarkable you can’t be ignored. Getting noticed is great – it’s what you want. But be careful what you wish for, it can also be a bad thing if you’re not prepared.
Picking a niche that is too small. A small market can be a good thing for a startup, because it is much easier to lead. Peldi gave the example of Bingo Card Creator – a very small market. Seriously, when was the last time you had to create your own Bingo cards?…When was the last time you played Bingo? Although it’s a tiny niche, Patrick McKenzie (a BoS2010 Lightning Talk speaker) is making it work. And so can you.
Finding advisors/mentors. Peldi has no formal method for finding advisors. The most important thing is to be yourself. The best advisor is one who you feel comfortable with, and can trust. It does you no good to have the top expert in your field (better known as Frank to those of us who attended BoS2010) as an advisor, if you can’t feel comfortable enough with him to discuss all of your business problems in excruciating detail. So look for someone you click with – someone who would be your friend even without the expertise.
Learning. Peldi suggests you read as much as you can. Especially before you start your venture, because you’ll be too busy to read after you’ve started. Peldi highly recommends you read You Need To Be a Little Crazy: The Truth About Starting and Growing Your Business. The book details all the horrible things that can go wrong while running a business. Peldi says it’ll scare you more than anything. However, if you still decide to pursue your venture after reading it, not only are you truly committed to the idea, but you will also be ready for the troubles that lay ahead.
Dealing with the business side. Most software startup owners are technical people. We are good at what we do technically, but we have no previous business experience. Developing a great product isn’t enough to succeed, you also need business brilliance. Most of us have never worked with accountants or lawyers in the past, dealt with payroll or EULAs, or heard of terms such as accrual versus cash or NAICS codes. Peldi says you need to fake it. Pretend you have expensive lawyers and accountants behind you. Pretend you are the CEO of more than a one-man startup. Always say ‘we’ instead of ‘I’, even if it is just you.
Feeling like a fraud. Peldi has been extremely successful with Balsamiq, yet he doesn’t feel he is at the same level as the other BoS2010 speakers. Feeling like a fraud is not all that uncommon among successful startup owners. In fact, research shows that 40% of successful people consider themselves frauds, and 70% of all people feel like fakes at one time or another. It’s fine to have these thoughts. The trick is to use these thoughts to improve your product. Don’t let them take over you, and destroy your business. Talk to an advisor, or other people you trust, about your fear – they will help you.
Raising capital. This isn’t always necessary, especially for software startups, which require very little capital to get started. One option is to retain your full-time job, and work on your venture part-time until it takes off. Another option is to use your savings to fund your startup. Unless you are looking to be the next Facebook, don’t worry about raising capital; make do with what you can easily get.
When should you start hiring. It’s important you don’t hire employees too early. You could end up in a situation where you don’t have enough work for them, but are still paying them just the same. Peldi waited a long time before hiring his first employee. His suggestion is to “wait until you are about to die” before hiring someone.
Forgetting something important. A great way to remember things is to write them down. Peldi chooses to blog. Blogging is a way to record what you’ve done, what you want to do, and ask for feedback from your customers/readers. A side benefit of blogging is its marketing effect. Blogging shows your human side, and hopefully your personality will shine through. People would rather buy from people than from companies.
Creating a business plan. Writing a business plan is a good way to organize your thoughts, and really think about the viability of your business idea. However, it’s not something you should obsess over. The truth is that nobody reads business plans anyway. It’s a must have if you are looking for investors, but don’t fool yourself into believing that they will actually read the whole thing. And when an investor does look at it, he is just looking for all the reasons why he shouldn’t do business with you. Investors also know that the financial projections in your business plan are completely unrealistic. So write a trimmed down version for yourself, and move on.
Key Takeaway From Peldi’s BoS2010 Presentation
As you run your business, you will worry about almost everything, however, not everything is worth worrying about. Only worry about the important things – the rest will eventually work itself out.
Fun Facts About Peldi
I learned a couple of things about Peldi during his talk:
Some memorable quotes from Peldi’s BoS2010 presentation:
“Be so good they can’t ignore you.”
“Fall in love with the problem, not the solution.”
“Create something so good people will want to copy it.”
“If you work while they [your family] sleep, they won’t know you’re ignoring them.”
More on Peldi Guilizzoni
Giacomo ‘Peldi’ Guilizzoni is the founder and CEO of Balsamiq, makers of Balsamiq Mockups, a wireframing tool for programmers, UX experts, and even business types. Balsamiq has been a bit of a poster child for a new wave of tiny but ambitious bootstrapped tech startups, netting over $1.6M in sales in the first 18 months of operation and gathering rave reviews. Peldi is a champion of the “radical transparency” trend that’s sweeping the Internet, through his posts on the Balsamiq blog.
You can find Peldi’s personal blog here, and his Balsamiq product blog here.
Dharmesh’s 2010 Business of Software presentation: “Building A Great Software Business: Notes From The Field”
I’m a big fan of Dharmesh. I’ve been following him for some time now, so I was really looking forward to his presentation.
Before heading out to Boston, I watched Dharmesh’s 2009 and 2008 BoS presentations (to see the videos go to the end of this post). It was nice to see some recurring topics in his presentations, because that indicated to me that these were important enough ideas for him to repeat.
Dharmesh’s 2010 talk was packed full of insights – customer acquisition, customer retention, customer data, transparency, and venture capital. Dharmesh provided us with lots of useful equations and data throughout his presentation.
How to Measure Customer Happiness
To have a successful software business, you need happy customers. It’s simply not enough to just acquire lots of customers – you need to retain them. And to retain your customers, you need to make them happy.
Let’s look at customer acquisition first, and then customer retention.
The Cost Of Customer Acquisition (COCA) is the total number of dollars spent on Smarketing over a period, divided by the number of new customers acquired in that period. Smarketing, as defined by Dharmesh, is the combined cost of sales and marketing.
The Lifetime Value (LTV) of a customer is the value, in terms of dollars, that you get from a customer for the expected length of time he’s your customer. For example, if you have a customer that pays $10/month, and you expect him to be a paying customer for 4 years, then the Lifetime Value of that customer is $480.
LTV = annual revenue from customer * expected length as customer
A customer’s LTV should be greater than your COCA. If it’s not, that means it’s costing you more money to acquire a customer than you’re making from that customer. That’s a bad business model…and sure to fail! If the LTV is much greater than the COCA, then it’s time to start pumping more money into the business to start acquiring more customers.
These may seem like obvious points, the problem is that very few of us actually take the time to do these calculations. Keeping an eye on these numbers will help you make better business decisions.
It takes a fair amount of capital to obtain a customer. Therefore, once you acquire a customer, it’s important to retain him as a customer for as long as possible. Customer churn, or customer turnover, is the rate at which existing customers leave you over a given period; every customer who leaves has to be replaced by a new one just to stand still.
Customer churn can be measured in several ways. The simplest way is to look at what percentage of customers are actually staying onboard versus leaving. Another way to measure customer churn is to look at what percentage of leaving customers are high paying customers versus customers on your lower priced plans.
When looking at customer churn, the higher the number of customers staying on compared to the number of customers leaving, the better. However, the above methods of looking at customer churn can lead to deceiving numbers. A better way to measure customer churn is to measure the discretionary churn.
Discretionary churn counts only the customers who actually had the option of canceling your service. For example, a customer tied into a 6 month subscription plan may not be happy with your service, but he won’t have the option to cancel for another 6 months, so counting him as retained says nothing about his happiness. Discretionary churn is therefore a much better way of measuring customer churn than the above methods.
Customer churn can be a good measure of a customer’s happiness with your product or service. However, it is imperfect, because the absence of churn doesn’t necessarily indicate customer happiness. And this takes us to HubSpot’s Customer Happiness Index (CHI).
What Is the Customer Happiness Index
The guys at HubSpot created the Customer Happiness Index (CHI). CHI is a number from 0 to 100 that measures the probability any given customer will cancel, given the option to cancel. CHI is determined by three factors:
Frequency of product use: By looking at the frequency of use, you can assume that the more a customer uses your product, the happier they are with it, and the less likely they are to cancel.
Breadth of product use: By looking at the breadth of use, you can assume that the customers who use more features, are happier with your product, and again are less likely to cancel.
Sticky product features: This one is important, and probably not so obvious. Sticky features are features that provide a lot of value to your customers, especially when compared to your competition. Those customers that use sticky features are likely to be happier, and thus less likely to cancel. HubSpot has found that this factor is more important than frequency of use and breadth of use – irregular users that use sticky features tend to stick around longer than those that use frequently and use lots of features.
By religiously following the CHI scores of customers, HubSpot can identify early on which customers are unhappy. They can then take a proactive step towards fixing the problem by calling up the customer before they cancel. This action has helped HubSpot keep about 33% of their previously unhappy customers.
Dharmesh did warn against taking their success rate too much to heart. Although they may have prevented a customer from canceling this month, if the customer’s happiness level isn’t brought up significantly, odds are that customer may still cancel the following month.
The cool thing about CHI is that it can be used to measure other aspects of your business, not just which customers are likely to cancel. You can also use CHI to:
Measure the quality of the leads generated by your marketing efforts
Make decisions on which product features to keep, remove, add, enhance, etc
Make decisions on how much to compensate your sales folks.
How to Improve the Customer Happiness Index
“Invest in the experience, not the product, and everyone wins.”
Don’t make ___(fill in the blank)____ software. Make ___(fill in the blank)____ superstars. For example, don’t make marketing software. Make marketing superstars.
The key is to think about your customers. Think about what they want out of your software, what they want to accomplish. Make them awesome at what they do. Case in point, meet Molly:
The stuffed teddy bear in the picture is Molly. Molly is the customer’s stand in, and is required for quorum at all of HubSpot’s management meetings. Most meetings don’t happen without someone saying, “What would Molly say?”. It’s a good way to remember that your software is really about your customers, and making them great at what they do.
However, Dharmesh did point out that although customers are very good at finding problems, they are not so good at finding solutions for those problems. So remember that it is your job to find solutions to their problems. (Side note: This reminds me of the old project management cartoon about project requirements 🙂 )
Increasing Customer Happiness Through Services
Another way to increase a customer’s CHI score is by providing consulting services. HubSpot decided to not only offer consulting services to their customers, but to also charge for those services. Why charge? If a customer pays several hundred dollars for a few hours of consulting they will:
See more value in it, than if it were a free service. Something that costs $500 is definitely better than something that costs $0, right?
Get more out of their consulting session. If the customer is paying $500 for consulting you better believe that they are going to get their money’s worth out of the session. The customer will ask questions, and make sure they understand everything, just because they paid for the service.
A customer that knows how to get the most out of your product will be a happy customer (assuming you have a good product), which will increase their use of your product, as well as their LTV. Therefore, you should work towards making that happen – whether you charge for it or not.
HubSpot’s profit margins on consulting are actually very low. However, they continue to offer these services because it increases their customers’ CHI scores, which in the long run means greater overall profits for the business.
How to Gain (and Keep) Customers With Branding
Your brand is an important part of your business – and of acquiring and retaining customers. The most important thing your business can do (aside from creating a brilliant product) is to not screw with your customers. Dharmesh strongly advises against the Salesforce philosophy – don’t trick people into buying your product. To put it in Dharmesh’s words, “Brand is what people say about you after you have left the room.”
Dharmesh shared some HubSpot philosophies, including how much company information they share, and why they decided to accept venture capital.
Transparency Trumps Secrecy
Except for salary information, all of HubSpot’s data is available to all employees. All data! This includes financial information. (Side note: This seems to work for HubSpot. I recently saw the below tweets from HubSpot employees.)
Although HubSpot makes all of their data available to its employees, the data is off limits to the public. The reason is that they don’t see any real benefit to doing so.
The Evilness of Venture Capital
HubSpot is not Dharmesh’s first startup, but it is his first venture backed startup. Most of us think of pure evil when we think of Venture Capitalists, but VCs can play an important role in some businesses. Most software startups don’t need venture capital, and are actually doing themselves a disservice by pursuing it. But there are a few select startups that can benefit from venture capital.
If you are aiming for quick, high growth (like Facebook), or are starting a business that requires a lot of upfront capital (like a hardware business), then it might make sense to obtain venture capital. At HubSpot, they made a decision early on that they:
Wanted to become the dominant player in the industry.
Were looking for rapid growth.
Because you need a lot of money to accomplish both of these goals, they chose to look for venture capital. A key part of HubSpot’s strategy was to acquire these funds before they actually needed the money. The reason being that:
It is easier to obtain venture capital before you need it, than it is if you are already in need of it.
You get better terms early on because since you aren’t desperate for the money you can always back out.
Do note that once you take VC funds, you move from solving your customers’ problems to solving your investors’ problems. And the two rarely align with each other.
Key Takeaways From Dharmesh’s BoS2010 Presentation
These are the main points I got out of Dharmesh’s BoS2010 talk:
Log as much data as you can, even if you can’t use it now. You may be able to use it in the future.
Measure your customers’ happiness. Come up with your own metrics if you have to, but look at those numbers closely. Determine what makes happy customers, and what doesn’t, and adjust your business model accordingly.
Dream big, and execute small. If someone offers to buy your company, seriously consider it, even if it’s not what you dreamed of. Selling gives you cash, which allows you to move on to your next dream 🙂
Some memorable quotes from Dharmesh’s BoS2010 presentation:
“Don’t make customers happy. Make happy customers.”
“Brand is what people say about you after you’ve left the room.”
“Venture capital is neither necessary nor evil.”
“Services are low margin…except when they’re not.”
“Invest in the experience, not the product, and everyone wins.”
“Customers are very good at finding problems, not at finding solutions for those problems.”
“Transparency trumps secrecy.”
“Dream Big. Execute Small.”
More on Dharmesh Shah
Dharmesh Shah is the founder and CTO of HubSpot, a venture-backed software company offering a hosted software service for inbound marketing. Prior to HubSpot, Dharmesh was the founder and CEO of Pyramid Digital Solutions. Pyramid was a three time recipient of the Inc. 500 award and was acquired by SunGard Data Systems in 2005. Dharmesh is also the author of OnStartups.com, a top-ranking startup blog with over 20,000 subscribers and 100,000 members in its online community. Dharmesh is the co-author of Inbound Marketing: Get Found Using Google, Social Media and Blogs.
Dharmesh’s summary of his 2009 BoS presentation can be found here, on his blog. And his summary of his 2008 Business of Software presentation can also be found on his blog.
What are your thoughts on Dharmesh’s presentation? If you attended BoS2010, did I miss an important point? What was your favorite part of Dharmesh’s presentation? What was your key takeaway from his talk?
Seth’s 2010 Business of Software presentation: “Are you afraid to truly make an impact? The opportunity for linchpin organizations and the people who run them.”
Being a great programmer is no longer sufficient to succeed. Creating a piece of software that works is no longer an indicator of success. Times have changed. And in a world where we are bombarded with brands and products, we must create a unique experience to succeed.
Today, everyone and their mother can whip up a working software program. Competence is no longer a scarce commodity.
Because the cost of producing and marketing a software product is closely approaching $0, it is becoming an increasingly crowded market, full of competition. It is now harder than ever to stand out from the crowd. As a result, success in the software industry is now dependent on your ability to create a tribe – a movement, a place of belonging, a community – and lead it.
Creating a Tribe and Leading It
People want to belong to a tribe – it’s human nature. People are also waiting to be led, and it’s your job to lead them. But how, you ask? You must be creative, but most importantly, you must tap into their emotions. Make them feel something – joy, compassion, anger, outrage, importance, etc. Make them feel like they are part of something bigger, something lasting, something good.
Seth gave several examples during his talk, but there was one example I felt a deeper connection to. Seth explained how one man from the SPCA was able to lead a movement to make the city of San Francisco a no-kill city. He later went on to accomplish the same thing in other U.S. cities, with no money and no recognition. How did he accomplish such a feat? Because this was about more than just one man, and because it touched the hearts of people like you and me. This was about improving the lives of many.
Your mission, should you choose to accept it, is to create a movement, and lead it! But software that’s boring will never turn to a movement. When considering a product’s viability, Seth says there are four things you should ask yourself:
Who do I need to reach? And how can I reach them?
Will they talk about my product to others?
Do I have permission to continue talking to them after I’ve reached them?
Will they pay for my product?
The Network Effect
In the old days, using software was a lonely experience. Today, software is used by millions to connect with each other. Question number 2 above, is central to making the network effect work for you. If you create value and provide a unique experience for your users, they will market your product for you.
When considering a software’s network effect, ask yourself:
Is my product creating a demonstrable value?
Is it easy and obvious for someone to recruit someone else?
Is my product open enough to be easy to use, but closed enough to avoid becoming a commodity?
Key Takeaway From Seth Godin’s Presentation
The best way to sum up Seth’s Business of Software presentation is to use his own words: “Software won’t succeed because it was written by a brilliant programmer. It will succeed because of the business brilliance behind it.”
Some memorable quotes from Seth’s BoS2010 presentation:
“The reason to fit in is to be ignored.”
“Software that’s boring will never turn to a movement.”
“People are waiting to be led.”
Seth summarized his BoS2010 presentation on his blog. You can find it here.
More on Seth Godin
Seth Godin is a renowned speaker and bestselling author of 10 books that have been translated into 20 languages, and have transformed the way people think about marketing, change and work. He is responsible for many words in the marketer’s vocabulary including permission marketing, ideaviruses, purple cow, the dip and sneezers. His latest book, Tribes, is about leadership and how anyone can become a leader, creating movements that matter.
October is National Cyber Security Awareness Month, and what better way to promote it than with the 2010 Hacker Challenge.
The Hacker Challenge is a competition in which Department of Defense Sailors, Soldiers, Marines, Airmen and civilian government employees try their hands at solving computer and network security problems. It’s a free and open competition designed for beginner to intermediate level security professionals and enthusiasts, and is designed to engage military and civilian members in a fun and educational way.
It started three years ago as a way to address training deficiencies in some of the military’s mandatory computer security training courses.
Hacker Challenge 2010 Details
The 2010 Hacker Challenge begins on October 27, 2010, and ends November 10, 2010. During this two week period, participants will work at their own pace to solve the challenges. If you’re interested in participating in the 2010 Hacker Challenge, you must sign up before October 25, 2010.
Teams of up to 6 members are allowed, including one-person teams.
The Hacker Challenge consists of two parts – a written portion and a hands-on portion. The written portion involves a series of questions that will test a participant’s knowledge of technology and security topics. The hands-on portion will test the participant’s security knowledge through the use of tools during practical exercises. Some challenges will be easier than others. For a few examples see the sample Hacker Challenge questions below.
This is a friendly competition, and does not involve the use of any malicious software. There are also strict rules on cheating, and what is considered cheating. Any team caught cheating will be disqualified, and it will be publicized on the Hacker Challenge blog.
Sample Hacker Challenge Questions
Below are a few of the questions you might find in the Hacker Challenge competition. These questions were taken from the 2009 Hacker Challenge. Remember this contest is for beginner to intermediate level security enthusiasts.
1) Download and crack the passwords found at this link.
2) You perform a banner grab against a customer’s web server and get the following response. What does it mean?
GET / JUNK/1.0
HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:17:47 GMT
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
3) Download the packet capture in the below link and look at the device with the MAC address of 00:12:0E:6F:B4:4B. What is this device, and what do you think it’s doing during the time period traffic was captured?
4) Watch Hak5 episodes 1 and 3 from season 4 and pay attention to the sections dealing with the “WiFi Pineapple.” Discuss how the WiFi Pineapple is able to masquerade as a “trusted” AP and suggest at least one way that a user can tell this type of attack is occurring.
5) Dig through the below captured packet and state the following things: (a) What browser is being employed? (b) What application on the browser will be used? (c) What OS is being used? (d) What device did this packet come from?
If you are a security professional in the advanced category, don’t lose hope. In late 2011 an advanced Hacker Challenge will be introduced, and it will be completely different from the basic/intermediate version. The new advanced version will be almost completely hands-on. The advanced version write-ups will require a deeper understanding of security concepts, and the targets will be a bit of a challenge. And FYI, some of the advanced challenges will require participants to sign a “release of liability” form.
I decided it would be a good idea to occasionally post a status update of our startup on our blog. I plan on listing which of the many steps involved in launching a startup we have completed, and some tips on the ones that warrant it.
My reasons are two-fold. The first reason is that I hope once our product launches and it is a huge success and I am super rich and spend my days racing yachts, someone who wants to launch their own startup can use these as a step-by-step roadmap on what to do. The second reason is that I think it will be good for me to take the time to think about all the things we’ve accomplished since the last update. This may be a morale booster if I see that we have done a lot, or help me realize we are slacking if we have not.
What Have We Done?
Idea. The first thing was an idea about how I can provide web security better than everyone else. This idea has not been released publicly, so there isn’t much more I can say about that right now.
Research. The next thing I did was research on how I could implement it, and to decide if it was feasible that I could turn it into a profitable business.
Development Setup. I needed a development environment before I could create anything. I bought a computer and installed a Subversion server for version control and Trac for issue management. If you are developing any serious software, you NEED version control and issue management software. It is well worth the time.
Prototype. The next thing I did was to start building a working prototype, or a proof of concept. This took quite a while, in which time I was also working other items in this list.
Business Planning. First I knew that I would not have time to build the product, and run the business. I enlisted Zuly, my then girlfriend – now fiancee, to fill this role. Neither of us had run a business before, but we knew we could figure it out. We came up with a name for the business, snatched up the URL, made a business plan, etc. As I worked on the product, Zuly learned how to do the business side stuff (accounting, legal, etc).
Evaluation. At this point I had a working prototype, but when I finally looked at the stats, I realized the product would not be able to scale. This prototype had taken most of a year to get where it was, and then I found out it wouldn’t work. I thought it was all over at this point. But I refused to give up. I did more research to find a more efficient technology, and found one. I decided to swap out the old inefficient technology for the new hotness.
Persist. This new technology was another open source library that did the same thing as the old version, but it did so much more efficiently. However, the way this library was written was nowhere near how I needed it to work. I spent months tinkering and reading through hundreds of files of source code to try and fix it. Every time I fixed an issue, I discovered 2 more that had to be fixed. After an entire year of this, I had my proof of concept functioning as it did before the technology swap, but now it was an order of magnitude more efficient.
Improvement. I added more and more features, eventually turning it into more of a product than a proof-of-concept.
More Research. As I implemented features, I tried to keep thinking a few moves ahead. I had a plan on what I would do next, and what after that. So in my down time, I would do some reading to make sure my plans on how to do those next steps would actually work, or if there was a better way.
Business Setup. At this point, we decided it was a good bet that we can make this work. We each took some of our own money, officially registered the business, and set up a bank account.
Website. We transferred ownership of the business domain name to the business, and bought hosting to set up this web page. We got something decent set up, and gradually improved it over time. We are still doing this.
Networking. We started blogging, using Facebook, Twitter, and others to start making a name for ourselves online. This is a never ending step.
Branding. We have a name for the product, but we need to grab its domain name before we make it public.
Deployment and Beta-testing. We are now to the point where we need to start buying server capacity so other people can play with the product and give us feedback. We will use this feedback to make improvements until we feel the product is refined enough to begin charging for it.
Have I forgotten anything? If you see something missing that I should have done by now, please let me know. Or if you have any questions/suggestions, don’t hesitate to comment.
With over 400 million users, Facebook is a constant target of online criminals and scam artists. The “Facebook will start charging” scam has been around since last year, yet people are still falling for it. Even worse, there’s been an increase in these types of scams over the last couple of months.
How the Facebook Will Start Charging Scam Works
Online criminals create Facebook pages claiming that Facebook will begin charging some monthly fee. For example, the page “I won’t pay $3.99 to use Facebook starting in July” is a scam. And the page “I will not pay to use Facebook as of Sept 7th 2010” is also a scam.
There are many variations on this theme, and they’re all scams. I searched on Facebook for “Facebook pay” and got 287 page results (see below). And every single one of these pages is a scam! The top result had 7661 fans.
Just out of curiosity, I searched for “Facebook pay” again the following day and noticed that the pages are growing. The top result went from 7661 fans to 7844 fans and the second result went from 6877 fans to 6899 fans. So it looks like things are going in the wrong direction.
Online scammers create Facebook pages (and groups) in an attempt to trick people into divulging their personal information, downloading malicious content, or inviting their friends to join the page. In the case of the “Facebook will start charging” scam, it seems the most common method is to get people to invite their friends to the page in an attempt to amass a large number of fans they can then sell to unsuspecting businesses.
Just take a look at the information on the “I will not pay to use Facebook as of Sept 7th 2010” page:
And if you look at the information on some of the other Facebook Pay pages, you will notice that they don’t ask you for any personal information, or ask you to download something, or ask you to go to another website. The main thing these pages are asking people to do is to invite all of their friends. But that doesn’t mean there aren’t malicious links showing up on these pages, so be careful, and don’t click on any links in these pages.
So now that you know the truth, don’t join any Facebook pages claiming that Facebook will start charging.
How to Protect Yourself on Facebook
For the most part, these Facebook Pay pages weren’t set up to steal your personal information – although I didn’t look at every single page. And even if they were set up for that purpose, you usually have to take some action for this to occur.
But joining not only encourages criminals to keep coming up with these scams, it also puts your friends at risk. How? Well, as soon as you join, it’s displayed on your friends’ news feeds. A friend could see it and then join the group.
So, other than the obvious don’t join advice, here are a few other tips to help keep you and your friends secure while on Facebook:
If you see your friends joining these Facebook Pay pages, warn them about the scam and tell them to remove themselves from the page.
Spread the word. Scammers take advantage of the fact that people aren’t aware of these scams to do their dirty work. If people are informed of the risks, then it becomes a lot harder to get away with it. So tell your Facebook friends, and send them a link to this post, or any other post on the topic.
Be suspicious of any Facebook page that makes it easy for you to invite your friends, asks you to download something, or asks for your personal information in return for something else.
Always check the page’s wall before joining. There are legitimate reasons why you may be asked to download and install something from Facebook pages. However, there are also plenty of malicious programs out there. The legitimate stuff will, for the most part, work as advertised. On the other hand, the malicious stuff usually won’t work at all. So if you go to the page’s wall and see a lot of people complaining about the fact that it doesn’t work, stay away! Odds are it’s malware. And I’m not talking about a couple of bad reviews, because even the legitimate programs will get bad reviews every now and then. But if you see mostly complaints, then it’s likely to be malware. And even if it’s not, why waste your time, it obviously doesn’t work!
When trying to evaluate your own security, remember the old adage: “A chain is only as strong as its weakest link.” Here is the story of some recent experiences I had which reinforced this for me.
About a month ago, I started seeing all kinds of articles online related to a massive amount of websites being hacked. Most of these hacks were WordPress sites hosted with a large hosting company such as GoDaddy. This site is WordPress hosted by GoDaddy, so when I saw this, I was very interested.
I read the articles to find out how to know if your site had fallen victim to this. The main goal of this attack was to place a bit of PHP code into every WordPress file on your server. When WordPress would serve up a page, this code would be executed. The result would be a redirect placed in each page that a user of your site would see. This would redirect the user to a malicious website which would attempt to exploit your site’s visitors.
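One way to check for the mass file modification that paragraph describes, as an added example of mine (not code from the original post, WordPress or any hosting provider): record a SHA-256 baseline of the site’s PHP files while it is known clean, then compare later and report the trailing block that all changed files share, which is where an appended injection shows up. The WordPress root and baseline file locations are assumed command-line arguments.

```python
"""Detect the mass modification described above: the same PHP code injected
into every WordPress file. Added example, not from the original post.

Records a SHA-256 baseline of every .php file under a WordPress root while the
site is known clean, later reports files that changed, appeared or vanished,
and shows the trailing block the changed files have in common (an appended
injection shows up there). Demo paths and contents are constructed.
"""
import hashlib
import json
from pathlib import Path


def take_baseline(root):
    """Map relative path -> sha256 hex digest for every .php file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*.php")):
        if p.is_file():
            baseline[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline


def save_baseline(baseline, baseline_file):
    # Keep the baseline outside the web root and ideally off the server: an
    # attacker who can rewrite every PHP file could rewrite it too.
    Path(baseline_file).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def compare(root, baseline):
    """Return (changed, added, removed) lists of relative paths."""
    current = take_baseline(root)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return changed, added, removed


def common_tail(root, rel_paths, max_bytes=4096):
    """Longest common trailing bytes of the given files (b'' if fewer than two)."""
    tails = [Path(root, p).read_bytes()[-max_bytes:] for p in rel_paths]
    if len(tails) < 2:
        return b""
    n = 0
    while all(len(t) > n and t[-1 - n] == tails[0][-1 - n] for t in tails):
        n += 1
    return tails[0][len(tails[0]) - n:] if n else b""


if __name__ == "__main__":
    import sys
    root, baseline_file = sys.argv[1], sys.argv[2]
    if not Path(baseline_file).exists():       # first run: record the clean state
        save_baseline(take_baseline(root), baseline_file)
        print("baseline written")
    else:                                      # later runs: look for tampering
        changed, added, removed = compare(root, json.loads(Path(baseline_file).read_text()))
        print("changed:", changed, "added:", added, "removed:", removed)
        if len(changed) > 1:
            print("block shared by all changed files:", common_tail(root, changed))
```

Run it once right after a clean install or upgrade to write the baseline, then from cron; a report in which every file changed at once is the signature of the attack described above.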
I immediately checked the content of my site and was relieved to find that my site appeared unhacked. But I was not out of the woods yet. No one yet had figured out how the hack was able to infiltrate all these systems. Many people were blaming it on a flaw in WordPress. Others were blaming it on a flaw with GoDaddy’s hosting. Until I figured out where the flaw was, I was still at risk.
This hack was showing up on web platforms other than WordPress. This makes it seem like it couldn’t be a problem with WordPress that was allowing this to happen. But, it was also happening on hosting providers other than GoDaddy. On top of that, if it were a flaw in WordPress or GoDaddy, this hack would be capable of showing up on many more high-traffic pages. You would think that a hacker armed with an unknown exploit with such power would hit the biggest targets available, instead of just a few tiny blogs.
GoDaddy was blaming it on people using out of date WordPress installations. However, I read many articles reporting about people who got hacked, rebuilt their sites with the newest version of everything, and then were immediately hacked again.
The root cause of this hack still hasn’t been figured out as far as I know. I have read that a large number of the affected sites had some weak passwords. At this point, I believe this to be it, but there is no way for me to know for sure. I use very strong passwords. Maybe this is what saved me. Or maybe the hackers just hadn’t found this site.
The moral of the story is to remember you are only as secure as your weakest link. You can build a house out of solid steel with a vault door and barred windows, but if you leave a spare key under your doormat, how much more secure are you? WordPress and GoDaddy can be completely secure, but a guessable password makes it irrelevant.
The latest phishing scam targeting Twitter users is in the form of an email message claiming to be from Twitter Support. The subject line of the fake email message starts off with the word Twit and is followed by a set of numbers. These numbers will vary from email to email. The email message claims that you have some number of “unreaded” or delayed messages from Twitter, and provides a link to supposedly check your “unreaded” messages. How nice of them! But instead the link takes you to a malicious phishing website.
There are actually two links in the fake email message, both linking back to malicious phishing websites. Don’t click on either of them! Here’s what the email looks like:
According to Twitter Safety, Twitter Support doesn’t send emails about unread messages.
What Can You Do?
Here are 7 things you can do to protect yourself, and avoid becoming a victim of email phishing scams.
If you receive an email message claiming to be from Twitter or Twitter Support with the subject line Twit [set of two numbers here], do not open it and delete it right away.
If you receive an email with bad English or misspellings, most likely it’s a scam. For example, using the word unreaded instead of unread. Don’t click on any links in the email or download any attachments.
Don’t click on links in email messages. Always go to the site directly and log in to your account to check it out.
If you must click on a link in an email, for example when it’s not a “check your account status” type of email, hover over the link and look at what the status bar tells you. If the URL shown in the status bar isn’t for the website you’re expecting to go to, don’t click on the link. In the case of this recent Twitter scam, the URL in the status bar doesn’t link to twitter.com. Instead it links to dev.somedomainname.com.
Note that the only domain name used by Twitter is twitter.com. Any URL that doesn’t start with http://twitter.com/ is not an official Twitter page. That’s not to say it’s a malicious site, it’s just not an official Twitter page, so use caution when going to these sites.
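To make the hover-and-check advice above concrete, here is an added example (mine, not code from the original post) that extracts the real hostname of a link and accepts it only if that host is twitter.com; I also accept subdomains of twitter.com, which is my assumption beyond the post’s wording. The sample links are constructed after the scam described, with dev.somedomainname.com standing in for the phishing host.

```python
"""Check whether a link in an e-mail really points at the site it claims to.

Added example (not from the original post). It encodes the advice above:
read the real URL behind the link and only trust it if the host is exactly
twitter.com (or, by my assumption, a subdomain of it), never a look-alike
such as dev.somedomainname.com. All sample URLs below are constructed.
"""
from urllib.parse import urlsplit

OFFICIAL_HOSTS = {"twitter.com"}


def link_host(url: str) -> str:
    """Return the lowercased hostname of url, or '' if it is not a web URL."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ""
    if parts.scheme not in ("http", "https"):
        return ""  # mailto: and similar schemes are not web pages
    return (parts.hostname or "").lower().rstrip(".")


def is_official(url: str, official_hosts=OFFICIAL_HOSTS) -> bool:
    """True only if the host is one of official_hosts or a subdomain of one.

    Using the parsed hostname (not naive string matching) handles look-alikes:
    in 'http://twitter.com@dev.somedomainname.com/' the text before '@' is
    userinfo, not the host, and 'twitter.com.somedomainname.com' is a
    different domain that merely starts with the expected name.
    """
    host = link_host(url)
    if not host:
        return False
    return any(host == h or host.endswith("." + h) for h in official_hosts)


def check_links(links):
    """Classify each (visible_text, href) pair; returns (text, host, verdict)."""
    report = []
    for text, href in links:
        verdict = "ok" if is_official(href) else "SUSPICIOUS"
        report.append((text, link_host(href) or "(not a web URL)", verdict))
    return report


# Constructed sample resembling the two links in the scam e-mail described
# above: the visible text mentions Twitter, the real target does not.
SAMPLE_LINKS = [
    ("Check your unreaded messages", "http://dev.somedomainname.com/twitter/login"),
    ("twitter.com", "http://twitter.com.somedomainname.com/"),
    ("Twitter Support", "http://twitter.com@dev.somedomainname.com/"),
    ("Twitter home", "https://twitter.com/"),
]

if __name__ == "__main__":
    for text, host, verdict in check_links(SAMPLE_LINKS):
        print(f"{verdict:10} {text!r} -> {host}")
```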
Light Point Security was founded by former National Security Agency (NSA) employees with 30 years of combined experience in both offensive and defensive security.
It is an award-winning and internationally recognized company with customers ranging from multi-national financial institutions and federal government agencies all the way to SMBs and individual home users.
Its flagship product, Light Point Web, is an isolated web browsing solution designed to thwart even the most sophisticated attacks.
5523 Research Park Dr.
Baltimore, MD 21228