What Startups Should Worry About: Peldi Guilizzoni’s 2010 Business of Software Conference Presentation
Posted by Zuly Gonzalez. Categories: Business of Software, Events, Startups. 2 comments.

This post is part of a series of posts from the 2010 Business of Software conference (BoS2010). For a summary of the conference, and an index to the other presentations, click here.

Peldi’s 2010 Business of Software presentation: “Do Worry… Be Happy!” – One thing they don’t tell you about quitting your job to become a startup CEO is how much you’re going to worry about things.

Peldi Guilizzoni & Zuly Gonzalez at BoS2010

Peldi was my favorite BoS2010 presenter. He started off with a really cool Bobby McFerrin video, and kept the energy going all the way to the end. His presentation was candid, and very inspiring. I hope they post Peldi’s presentation online, because there is no way I can do it justice here.

After his presentation, I had the opportunity to talk to Peldi. He’s such a nice guy! He’s very humble, and someone you can easily relate to. He’s the type of guy you want to succeed.

What Startup Owners Worry About

What do startup owners worry about? Everything! What should startup owners worry about? Well, not everything.

It’s actually really hard to choose to ignore certain threats, but it’s crucial for your business’s success. Deciding what’s worth worrying about is not an easy task, and can seem daunting at times – but it’s a necessary skill to learn. Even more important than learning to decide which concerns are worth worrying about is learning to cope with, and live with, the uncomfortable emotions that result from ignoring the less important issues.

In his 2010 Business of Software presentation, Peldi shares some of the issues that concern him, and discusses which ones are worth worrying about, and which ones are not. Peldi also shares some tips to overcome, and deal with, those fears.

Why You Should Listen to Peldi

Why should you listen to Peldi? Well, just take a look at his revenue chart below. $2M in just 27 months! I’d say he knows a thing or two about running a successful software business.

Peldi Guilizzoni's Balsamiq Revenue Chart at BoS2010
Image credit: Mark Littlewood

What Startup Owners Should Not Worry About

Peldi started off by discussing three common fears startup owners worry about, but shouldn’t.

Asking customers to pay for your product. We have been paying for products since the beginning of time – I want something you have, so I’ll trade you for something you want (usually cash). But, for some reason we have this weird aversion towards paying for software. (Side note: I’m not totally sure why that is, but I suspect it has something to do with the internet being “free”, and the wide abundance of free software you can find online these days. My guess is that pre-internet it wasn’t so hard to imagine someone paying cash for a piece of software.)

So, don’t worry about asking customers to pay for your product – it’s a basic concept. And in general, if you have a decent product, people will pay for it. HubSpot co-founder Dharmesh Shah and other startup experts suggest you start charging for your product as soon as possible, because you get far better feedback from paying customers.

Not having enough time. There will never be enough hours in the day to accomplish everything you need to. We all have this problem, and it’s one that will never go away, but worrying about it will only make things worse – and take your time away from working on real issues. Prioritize your tasks, and complete the most important ones first. The rest can wait until tomorrow.

Pirates. Software pirates, that is…not the ones off the coast of Somalia. You’ll never have a 100% guarantee that no one will steal your software. You can take steps to prevent most people from doing so, but you’ll be hard pressed to stop a really determined individual. Plus, this is becoming more of a non-issue these days with the movement towards SaaS. The little bit of money you will lose to software pirates is not worth the time spent trying to stop them. Don’t worry about it, take it as a compliment, and move on.

Peldi Guilizzoni Discussing Software Pirates at BoS2010
Image credit: ©John M. P. Knox

Common Startup Fears

When to quit your full-time job. After working on his wireframing tool part-time for several months, Peldi decided to take a leap of faith, and quit his job at Adobe. This was before his company was profitable. Making this decision is not an easy one, and will vary from person to person. There are a lot of things you need to consider, such as:

  • How much savings you have
  • Who else this decision will impact (do you have kids, a wife/husband, or other dependents)
  • Your risk tolerance
  • How far away your startup is from profitability
  • The likelihood of success

Having competition. You should embrace your competition. Competition is a validation of your market, and your idea. If there is no competition maybe that means there is also no market to be had. In fact, you want to create something so good that people will want to copy it. You can also learn from your competition’s mistakes to make your product even better.

Building the wrong product. What if no one wants to buy your product? That’s a reasonable fear to have. It’s important to be flexible, and realize that your final product may not look anything like your initial vision. The key is to fall in love with the problem, not the solution. Listen to your customers, and modify your product if necessary. In the beginning, customer feedback is far more important than money, because it allows you to shape your product into something that the masses will want, and pay for.

Work/Life balance. You can’t spend every waking moment working on your business, and ignore your family in the process. You need a good balance that works for you, and your family. After all, they’re probably the reason why you’re doing this. Peldi’s strategy is to work while his family is sleeping, so they won’t know that he’s ignoring them.

Not being noticed. These days everyone wants to get on TechCrunch, or on the front page of Digg. The trick is to be so remarkable you can’t be ignored. Getting noticed is great – it’s what you want. But be careful what you wish for, it can also be a bad thing if you’re not prepared.

Picking a niche that is too small. A small market can be a good thing for a startup, because it is much easier to lead. Peldi gave the example of Bingo Card Creator – a very small market. Seriously, when was the last time you had to create your own Bingo cards? When was the last time you played Bingo? Although it’s a tiny niche, Patrick McKenzie (a BoS2010 Lightning Talk speaker) is making it work. And so can you.

Peldi Guilizzoni discusses small niches at BoS2010
Image credit: Betsy Weber

Finding advisors/mentors. Peldi has no formal method for finding advisors. The most important thing is to be yourself. The best advisor is one who you feel comfortable with, and can trust. It does you no good to have the top expert in your field (better known as Frank to those of us who attended BoS2010) as an advisor, if you can’t feel comfortable enough with him to discuss all of your business problems in excruciating detail. So look for someone you click with – someone who would be your friend even without the expertise.

Learning. Peldi suggests you read as much as you can. Especially before you start your venture, because you’ll be too busy to read after you’ve started. Peldi highly recommends you read You Need To Be a Little Crazy: The Truth About Starting and Growing Your Business. The book details all the horrible things that can go wrong while running a business. Peldi says it’ll scare you more than anything. However, if you still decide to pursue your venture after reading it, not only are you truly committed to the idea, but you will also be ready for the troubles that lie ahead.

Dealing with the business side. Most software startup owners are technical people. We are good at what we do technically, but we have no previous business experience. Developing a great product isn’t enough to succeed, you also need business brilliance. Most of us have never worked with accountants or lawyers in the past, dealt with payroll or EULAs, or heard of terms such as accrual versus cash or NAICS codes. Peldi says you need to fake it. Pretend you have expensive lawyers and accountants behind you. Pretend you are the CEO of more than a one-man startup. Always say ‘we’ instead of ‘I’, even if it is just you.

Feeling like a fraud. Peldi has been extremely successful with Balsamiq, yet he doesn’t feel he is at the same level as the other BoS2010 speakers. Feeling like a fraud is not all that uncommon among successful startup owners. In fact, research shows that 40% of successful people consider themselves frauds, and 70% of all people feel like fakes at one time or another. It’s fine to have these thoughts. The trick is to use these thoughts to improve your product. Don’t let them take over you, and destroy your business. Talk to an advisor, or other people you trust, about your fear – they will help you.

Raising capital. This isn’t always necessary, especially for software startups, which require very little capital to get started. One option is to retain your full-time job, and work on your venture part-time until it takes off. Another option is to use your savings to fund your startup. Unless you are looking to be the next Facebook, don’t worry about raising capital; make do with what you can easily get.

When to start hiring. It’s important you don’t hire employees too early. You could end up in a situation where you don’t have enough work for them, but are still paying them just the same. Peldi waited a long time before hiring his first employee. His suggestion is to “wait until you are about to die” before hiring someone.

Forgetting something important. A great way to remember things is to write them down. Peldi chooses to blog. Blogging is a way to record what you’ve done, what you want to do, and ask for feedback from your customers/readers. A side benefit of blogging is its marketing effect. Blogging shows your human side, and hopefully your personality will shine through. People would rather buy from people than from companies.

Creating a business plan. Writing a business plan is a good way to organize your thoughts, and really think about the viability of your business idea. However, it’s not something you should obsess over. The truth is that nobody reads business plans anyway. It’s a must have if you are looking for investors, but don’t fool yourself into believing that they will actually read the whole thing. And when an investor does look at it, he is just looking for all the reasons why he shouldn’t do business with you. Investors also know that the financial projections in your business plan are completely unrealistic. So write a trimmed down version for yourself, and move on.

Key Takeaway From Peldi’s BoS2010 Presentation

As you run your business, you will worry about almost everything, however, not everything is worth worrying about. Only worry about the important things – the rest will eventually work itself out.

Fun Facts About Peldi

I learned a couple of things about Peldi during his talk:

Memorable Quotes

Some memorable quotes from Peldi’s BoS2010 presentation:

  • “Be so good they can’t ignore you.”
  • “Fall in love with the problem, not the solution.”
  • “Create something so good people will want to copy it.”
  • “If you work while they [your family] sleep, they won’t know you’re ignoring them.”

More on Peldi Guilizzoni

Peldi Guilizzoni of Balsamiq at the 2010 Business of Software conference
Image credit: ©John M. P. Knox

Giacomo ‘Peldi’ Guilizzoni is the founder and CEO of Balsamiq, makers of Balsamiq Mockups, a wireframing tool for programmers, UX experts, and even business types. Balsamiq has been a bit of a poster child for a new wave of tiny but ambitious bootstrapped tech startups, netting over $1.6M in sales in the first 18 months of operation and gathering rave reviews. Peldi is a champion of the “radical transparency” trend that’s sweeping the Internet, through his posts on the Balsamiq blog.

You can find Peldi’s personal blog here, and his Balsamiq product blog here.

Follow Peldi on Twitter here.

What are your thoughts on Peldi’s presentation? If you attended BoS2010, did I miss an important point? What was your favorite part of Peldi’s presentation? What was your key takeaway from his talk?

Measuring Customer Happiness: Dharmesh Shah’s 2010 Business of Software Conference Presentation
Posted by Zuly Gonzalez. Categories: Business of Software, Events, Startups. 5 comments.

This post is part of a series of posts from the 2010 Business of Software conference (BoS2010). For a summary of the conference, and an index to the other presentations, click here.

Dharmesh’s 2010 Business of Software presentation: “Building A Great Software Business: Notes From The Field”

Zuly Gonzalez & Dharmesh Shah at BoS2010

I’m a big fan of Dharmesh. I’ve been following him for some time now, so I was really looking forward to his presentation.

Before heading out to Boston, I watched Dharmesh’s 2009 and 2008 BoS presentations (to see the videos go to the end of this post). It was nice to see some recurring topics in his presentations, because that indicated to me that these were important enough ideas for him to repeat.

Dharmesh’s 2010 talk was packed full of insights – customer acquisition, customer retention, customer data, transparency, and venture capital. Dharmesh provided us with lots of useful equations and data throughout his presentation.

How to Measure Customer Happiness

To have a successful software business, you need happy customers. It’s simply not enough to just acquire lots of customers – you need to retain them. And to retain your customers, you need to make them happy.

Let’s look at customer acquisition first, and then customer retention.

Customer Acquisition

The total Cost Of Customer Acquisition (COCA) is determined by dividing the number of dollars spent on Smarketing by the total number of customers. Smarketing, as defined by Dharmesh, is the total cost of sales and marketing.

Definition of Smarketing by Dharmesh Shah at BoS2010
Image credit: Mark Littlewood

The Lifetime Value (LTV) of a customer is the value, in terms of dollars, that you get from a customer for the expected length of time he’s your customer. For example, if you have a customer that pays $10/month, and you expect him to be a paying customer for 4 years, then the Lifetime Value of that customer is $480.

LTV = annual revenue from customer * expected length as customer

A customer’s LTV should be greater than your COCA. If it’s not, that means it’s costing you more money to acquire a customer than you’re making from that customer. That’s a bad business model…and sure to fail! If the LTV is much greater than the COCA, then it’s time to start pumping more money into the business to start acquiring more customers.

These may seem like obvious points, but the problem is that very few of us actually take the time to do these calculations. Keeping an eye on these numbers will help you make better business decisions.

Customer Retention

It takes a fair amount of capital to obtain a customer. Therefore, once you acquire a customer, it’s important to retain him as a customer for as long as possible. Customer churn, or customer turnover, is the rate at which your leaving customers are replaced by incoming customers.

Customer churn can be measured in several ways. The simplest way is to look at what percentage of customers are actually staying onboard versus leaving. Another way to measure customer churn is to look at what percentage of leaving customers are high paying customers versus customers on your lower priced plans.

When looking at customer churn, the higher the number of customers staying on compared to the number of customers leaving, the better. However, the above methods of looking at customer churn can lead to deceiving numbers. A better way to measure customer churn is to measure the discretionary churn.

Discretionary churn measures how many users actually have the option of canceling your service. For example, a customer tied into a 6-month subscription plan may not be happy with your service; however, he won’t have the option to cancel for another 6 months. So, discretionary churn is a much better way of measuring customer churn than the above methods.
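The acquisition numbers (LTV, COCA) and the two churn measures above, worked through on constructed data. This is an added illustration, not HubSpot’s or Dharmesh’s code; the $12,000 Smarketing spend, the 40 acquired customers, the 3x “much greater” threshold and the sample customer list are all assumptions.

```python
from dataclasses import dataclass
from datetime import date


def lifetime_value(monthly_fee, expected_years):
    """LTV = annual revenue from customer * expected length (years) as customer."""
    return monthly_fee * 12 * expected_years


def cost_of_customer_acquisition(smarketing_spend, customers_acquired):
    """COCA = total sales + marketing ("Smarketing") spend / customers acquired."""
    if customers_acquired <= 0:
        raise ValueError("COCA is undefined without acquired customers")
    return smarketing_spend / customers_acquired


def acquisition_verdict(ltv, coca, grow_threshold=3.0):
    """The post's rule of thumb: LTV must exceed COCA, and if it is much larger
    it is time to spend more on acquisition. The 3x threshold is an assumption."""
    if ltv <= coca:
        return "losing money on each customer"
    if ltv / coca >= grow_threshold:
        return "invest more in acquisition"
    return "viable"


@dataclass
class Customer:
    monthly_fee: float
    cancel_allowed_from: date   # earliest date the contract lets them cancel
    cancelled: bool


def naive_churn(customers):
    """Share of all customers who left, whether or not they were free to."""
    return sum(c.cancelled for c in customers) / len(customers)


def discretionary_churn(customers, as_of):
    """Share of customers who were free to cancel by `as_of` and actually did.
    Customers still locked into a contract are excluded from the denominator."""
    free = [c for c in customers if c.cancel_allowed_from <= as_of]
    if not free:
        return 0.0
    return sum(c.cancelled for c in free) / len(free)


SAMPLE_AS_OF = date(2010, 10, 1)


def sample_customers():
    """Constructed data: six month-to-month customers (two of whom left) and
    four locked into a 6-month plan until April 2011, who cannot leave yet."""
    month_to_month = [Customer(10.0, date(2010, 1, 1), cancelled=i < 2) for i in range(6)]
    locked_in = [Customer(10.0, date(2011, 4, 1), cancelled=False) for _ in range(4)]
    return month_to_month + locked_in


if __name__ == "__main__":
    ltv = lifetime_value(10, 4)                       # the post's $10/month for 4 years
    coca = cost_of_customer_acquisition(12_000, 40)   # assumed spend and customer count
    print(f"LTV ${ltv:.0f}, COCA ${coca:.0f}: {acquisition_verdict(ltv, coca)}")
    customers = sample_customers()
    # Naive churn looks better (20%) only because locked-in customers are counted
    # as "staying"; discretionary churn (33%) shows how many who could leave, did.
    print(f"naive churn {naive_churn(customers):.0%}, "
          f"discretionary churn {discretionary_churn(customers, SAMPLE_AS_OF):.0%}")
```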

Customer churn can be a good measure of a customer’s happiness with your product or service. However, it is imperfect, because the absence of churn doesn’t necessarily indicate customer happiness. And this takes us to HubSpot’s Customer Happiness Index (CHI).

Customer Happiness Index (CHI) by Dharmesh Shah at BoS2010
Image credit: Betsy Weber

What Is the Customer Happiness Index

The guys at HubSpot created the Customer Happiness Index (CHI). CHI is a number from 0 to 100 that measures the probability any given customer will cancel, given the option to cancel. CHI is determined by three factors:

  • Frequency of product use: By looking at the frequency of use, you can assume that the more a customer uses your product, the happier they are with it, and the less likely they are to cancel.
  • Breadth of product use: By looking at the breadth of use, you can assume that the customers who use more features, are happier with your product, and again are less likely to cancel.
  • Sticky product features: This one is important, and probably not so obvious. Sticky features are features that provide a lot of value to your customers, especially when compared to your competition. Those customers that use sticky features are likely to be happier, and thus less likely to cancel. HubSpot has found that this factor is more important than frequency of use and breadth of use – irregular users that use sticky features tend to stick around longer than those that use frequently and use lots of features.

By religiously following the CHI scores of customers, HubSpot can identify early on which customers are unhappy. They can then take a proactive step towards fixing the problem by calling up the customer before they cancel. This action has helped HubSpot keep about 33% of their previously unhappy customers.

Dharmesh did warn against taking their success rate too much to heart. Although they may have prevented a customer from canceling this month, if the customer’s happiness level isn’t brought up significantly, odds are that customer may still cancel the following month.

The cool thing about CHI is that it can be used to measure other aspects of your business, not just which customers are likely to cancel. You can also use CHI to:

  • Measure the quality of the leads generated by your marketing efforts
  • Make decisions on which product features to keep, remove, add, enhance, etc.
  • Make decisions on how much to compensate your sales folks.

How to Improve the Customer Happiness Index

“Invest in the experience, not the product, and everyone wins.”

Dharmesh used a quote from Kathy Sierra’s 2009 BoS presentation to set the mood:

Don’t make ___(fill in the blank)____ software. Make ___(fill in the blank)____ superstars. For example, don’t make marketing software. Make marketing superstars.

The key is to think about your customers. Think about what they want out of your software, what they want to accomplish. Make them awesome at what they do. Case in point, meet Molly:

HubSpot's Molly the teddy bear presented by Dharmesh Shah at BoS2010
Image credit: Mark Littlewood

The stuffed teddy bear in the picture is Molly. Molly is the customer’s stand in, and is required for quorum at all of HubSpot’s management meetings. Most meetings don’t happen without someone saying, “What would Molly say?”. It’s a good way to remember that your software is really about your customers, and making them great at what they do.

However, Dharmesh did point out that although customers are very good at finding problems, they are not so good at finding solutions for those problems. So remember that it is your job to find solutions to their problems. (Side note: This reminds me of the old project management cartoon about project requirements 🙂 )

Increasing Customer Happiness Through Services

Another way to increase a customer’s CHI score is by providing consulting services. HubSpot decided to not only offer consulting services to their customers, but to also charge for those services. Why charge? If a customer pays several hundred dollars for a few hours of consulting they will:

  • See more value in it than if it were a free service. Something that costs $500 is definitely better than something that costs $0, right?
  • Get more out of their consulting session. If the customer is paying $500 for consulting you better believe that they are going to get their money’s worth out of the session. The customer will ask questions, and make sure they understand everything, just because they paid for the service.

A customer that knows how to get the most out of your product will be a happy customer (assuming you have a good product), which will increase their use of your product, as well as their LTV. Therefore, you should work towards making that happen – whether you charge for it or not.

HubSpot’s profit margins on consulting are actually very low. However, they continue to offer these services because it increases their customers’ CHI scores, which in the long run means greater overall profits for the business.

How to Gain (and Keep) Customers With Branding

Your brand is an important part of your business – and of acquiring and retaining customers. The most important thing your business can do (aside from creating a brilliant product) is to not screw with your customers. Dharmesh strongly advises against the Salesforce philosophy – don’t trick people into buying your product. To put it in Dharmesh’s words, “Brand is what people say about you after you have left the room.”

HubSpot Tidbits

Dharmesh shared some HubSpot philosophies, including how much company information they share, and why they decided to accept venture capital.

Transparency Trumps Secrecy

Except for salary information, all of HubSpot’s data is available to all employees. All data! This includes financial information. (Side note: This seems to work for HubSpot. I recently saw the below tweets from HubSpot employees.)

Although HubSpot makes all of their data available to its employees, the data is off limits to the public. The reason is that they don’t see any real benefit to doing so.

The Evilness of Venture Capital

HubSpot is not Dharmesh’s first startup, but it is his first venture backed startup. Most of us think of pure evil when we think of Venture Capitalists, but VCs can play an important role in some businesses. Most software startups don’t need venture capital, and are actually doing themselves a disservice by pursuing it. But there are a few select startups that can benefit from venture capital.

If you are aiming for quick, high growth (like Facebook), or are starting a business that requires a lot of upfront capital (like a hardware business), then it might make sense to obtain venture capital. At HubSpot, they made a decision early on that they:

  1. Wanted to become the dominant player in the industry.
  2. Were looking for rapid growth.

Because you need a lot of money to accomplish both of these goals, they chose to look for venture capital. A key part of HubSpot’s strategy was to acquire these funds before they actually needed the money. The reason being that:

  1. It is easier to obtain venture capital before you need it, than it is if you are already in need of it.
  2. You get better terms early on because, since you aren’t desperate for the money, you can always back out.

Do note that once you take VC funds, you move from solving your customers’ problems to solving your investors’ problems. And the two rarely align with each other.

Key Takeaways From Dharmesh’s BoS2010 Presentation

These are the main points I got out of Dharmesh’s BoS2010 talk:

  • Log as much data as you have, even if you can’t use it now. You may be able to use it in the future.
  • Measure your customers’ happiness. Come up with your own metrics if you have to, but look at those numbers closely. Determine what makes happy customers, and what doesn’t, and adjust your business model accordingly.
  • Dream big, and execute small. If someone offers to buy your company, seriously consider it, even if it’s not what you dreamed of. Selling gives you cash, which allows you to move on to your next dream 🙂

Memorable Quotes

Some memorable quotes from Dharmesh’s BoS2010 presentation:

  • “Don’t make customers happy. Make happy customers.”
  • “Brand is what people say about you after you’ve left the room.”
  • “Venture capital is neither necessary nor evil.”
  • “Services are low margin…except when they’re not.”
  • “Invest in the experience, not the product, and everyone wins.”
  • “Customers are very good at finding problems, not at finding solutions for those problems.”
  • “Transparency trumps secrecy.”
  • “Dream Big. Execute Small.”

Dream Big, Execute Small presented by Dharmesh at BoS2010
Image credit: Betsy Weber

More on Dharmesh Shah

Dharmesh Shah is the founder and CTO of HubSpot, a venture-backed software company offering a hosted software service for inbound marketing. Prior to HubSpot, Dharmesh was the founder and CEO of Pyramid Digital Solutions. Pyramid was a three time recipient of the Inc. 500 award and was acquired by SunGard Data Systems in 2005. Dharmesh is also the author of OnStartups.com, a top-ranking startup blog with over 20,000 subscribers and 100,000 members in its online community. Dharmesh is the co-author of Inbound Marketing: Get Found Using Google, Social Media and Blogs.

You can find Dharmesh’s startup blog here.

Follow Dharmesh on Twitter here.

Dharmesh’s summary of his 2009 BoS presentation can be found here, on his blog. And his summary of his 2008 Business of Software presentation can also be found on his blog.

What are your thoughts on Dharmesh’s presentation? If you attended BoS2010, did I miss an important point? What was your favorite part of Dharmesh’s presentation? What was your key takeaway from his talk?

Leading a Tribe: Seth Godin’s 2010 Business of Software Conference Presentation
Posted by Zuly Gonzalez. Categories: Business of Software, Events, Startups.

This post is part of a series of posts from the 2010 Business of Software conference (BoS2010). For a summary of the conference, and an index to the other presentations, click here.

Seth’s 2010 Business of Software presentation: “Are you afraid to truly make an impact? The opportunity for linchpin organizations and the people who run them.”

Being a great programmer is no longer sufficient to succeed. Creating a piece of software that works is no longer an indicator of success. Times have changed. And in a world where we are bombarded with brands and products, we must create a unique experience to succeed.

Seth Godin at Business of Software (BoS2010)
Image credit: Mark Littlewood

Today, everyone and their mother can whip up a working software program. Competence is no longer a scarce commodity.

Because the cost of producing and marketing a software product is closely approaching $0, it is becoming an increasingly crowded market, full of competition. It is now harder than ever to stand out from the crowd. As a result, success in the software industry is now dependent on your ability to create a tribe – a movement, a place of belonging, a community – and lead it.

Creating a Tribe and Leading It

People want to belong to a tribe – it’s human nature. People are also waiting to be led, and it’s your job to lead them. But how, you ask? You must be creative, but most importantly, you must tap into their emotions. Make them feel something – joy, compassion, anger, outrage, importance, etc. Make them feel like they are part of something bigger, something lasting, something good.

Seth gave several examples during his talk, but there was one example I felt a deeper connection to. Seth explained how one man from the SPCA was able to lead a movement to make the city of San Francisco a no-kill city. He later went on to accomplish the same thing in other U.S. cities, with no money and no recognition. How did he accomplish such a feat? Because this was about more than just one man, and because it touched the hearts of people like you and me. This was about improving the lives of many.

Your mission, should you choose to accept it, is to create a movement, and lead it! But software that’s boring will never turn to a movement. When considering a product’s viability, Seth says there are four things you should ask yourself:

  • Who do I need to reach? And how can I reach them?
  • Will they talk about my product to others?
  • Do I have permission to continue talking to them after I’ve reached them?
  • Will they pay for my product?

Seth Godin at the 2010 Business of Software conference (BoS2010)
Image credit: ©John M. P. Knox

The Network Effect

In the old days, using software was a lonely experience. Today, software is used by millions to connect with each other. Question number 2 above is central to making the network effect work for you. If you create value and provide a unique experience for your users, they will market your product for you.

When considering a software’s network effect, ask yourself:

  • Is my product creating a demonstrable value?
  • Is it easy and obvious for someone to recruit someone else?
  • Is my product open enough to be easy to use, but closed enough to avoid becoming a commodity?

Key Takeaway From Seth Godin’s Presentation

The best way to sum up Seth’s Business of Software presentation is to use his own words: “Software won’t succeed because it was written by a brilliant programmer. It will succeed because of the business brilliance behind it.”

Memorable Quotes

Some memorable quotes from Seth’s BoS2010 presentation:

  • “The reason to fit in is to be ignored.”
  • “Software that’s boring will never turn to a movement.”
  • “People are waiting to be led.”

Seth summarized his BoS2010 presentation on his blog. You can find it here.

More on Seth Godin

Seth Godin is a renowned speaker and bestselling author of 10 books that have been translated into 20 languages, and have transformed the way people think about marketing, change and work. He is responsible for many words in the marketer’s vocabulary including permission marketing, ideaviruses, purple cow, the dip and sneezers. His latest book, Tribes, is about leadership and how anyone can become a leader, creating movements that matter.

You can find Seth’s marketing blog here.

Follow Seth on Twitter here.

View Seth’s 2008 Business of Software presentation: “Too important to be left to the marketing department”

What are your thoughts on Seth’s presentation? If you attended BoS2010, did I miss an important point? What was your favorite part of Seth’s presentation? What was your key takeaway from his talk?

The 2010 Hacker Challenge
Posted by Zuly Gonzalez. Categories: Events, Security. 1 comment.

October is National Cyber Security Awareness Month, and what better way to promote it than with the 2010 Hacker Challenge.

The 2010 Hacker Challenge Logo

The Hacker Challenge is a competition in which Department of Defense Sailors, Soldiers, Marines, Airmen and civilian government employees try their hands at solving computer and network security problems. It’s a free and open competition designed for beginner to intermediate level security professionals and enthusiasts, and is designed to engage military and civilian members in a fun and educational way.

It started three years ago as a way to address training deficiencies in some of the military’s mandatory computer security training courses.

Hacker Challenge 2010 Details

The 2010 Hacker Challenge begins on October 27, 2010, and ends November 10, 2010. During this two week period, participants will work at their own pace to solve the challenges. If you’re interested in participating in the 2010 Hacker Challenge, you must sign up before October 25, 2010.

Teams of up to 6 members are allowed, including one-person teams.

The Hacker Challenge is comprised of two parts – a written portion and a hands-on portion. The written portion involves a series of questions that will test a participant’s knowledge of technology and security topics. The hands-on portion will test the participant’s security knowledge through the use of tools during practical exercises. Some challenges will be easier than others. For a few examples see the sample Hacker Challenge questions below.

This is a friendly competition, and does not involve the use of any malicious software. There are also strict rules on cheating, and what is considered cheating. Any team caught cheating will be disqualified, and it will be publicized on the Hacker Challenge blog.

Sample Hacker Challenge Questions

Below are a few of the questions you might find in the Hacker Challenge competition. These questions were taken from the 2009 Hacker Challenge. Remember this contest is for beginner to intermediate level security enthusiasts.

1) Download and crack the passwords found at this link.

2) You perform a banner grab against a customer’s web server and get the following response. What does it mean?

GET / JUNK/1.0
HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:17:47 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
ETag: "32417-c4-3e5d8a83"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html

3) Download the packet capture in the below link and look at the device with the MAC address of 00:12:0E:6F:B4:4B. What is this device, and what do you think it’s doing during the time period traffic was captured?

4) Watch Hak5 episodes 1 and 3 from season 4 and pay attention to the sections dealing with the “WiFi Pineapple.” Discuss how the WiFi Pineapple is able to masquerade as a “trusted” AP and suggest at least one way that a user can tell this type of attack is occurring.

5) Dig through the below captured packet and state the following things: (a) What browser is being employed? (b) What application on the browser will be used? (c) What OS is being used? (d) What device did this packet come from?

0000    00 04  5a f2  25 d8  00 12  0e  6f b4  4b  08  00   45  00
0010    00 de  a2 ab  40 00  40 06  b5  3d ac  14  14  05   4a  dc
0020    d7 3b  05 f9  00 50  c5 5f  13  be 38  8e  eb  66   50  18
0030    0b 68  c9 47  00 00  47 45  54  20 2f  63  68  75   6d  62
0040    79 5f  76 69  64 65  6f 73  2f  62 61  6c  6c  73   2e  66
0050    6c 76  20 48  54 54  50 2f  31  2e 31  0d  0a  48   6f  73
0060    74 3a  20 72  62 65  6c 6f  74  74 65  2e  6e  65   74  0d
0070    0a 41  63 63  65 70  74 3a  20  2a 2f  2a  0d  0a   55  73
0080    65 72  2d 41  67 65  6e 74  3a  20 4d  6f  7a  69   6c  6c
0090    61 2f  35 2e  30 20  28 63  6f  6d 70  61  74  69   62  6c
00a0    65 3b  20 55  3b 20  43 68  75  6d 62  79  3b  20   4c  69
00b0    6e 75  78 29  20 46  6c 61  73  68 20  4c  69  74   65  20
00c0    33 2e  30 2e  34 0d  0a 50  72  61 67  6d  61  3a   20  43
00d0    68 75  6d 62  79 0d  0a 43  6f  6e 6e  65  63  74   69  6f
00e0    6e 3a  20 63  6c 6f  73 65  0d  0a 0d  0a

For more information on Hacker Challenge 2010, visit the official website.

Coming Soon: The Advanced Hacker Challenge

If you are a security professional in the advanced category, don’t lose hope. In late 2011 an advanced Hacker Challenge will be introduced, and it will be completely different from the basic/intermediate version. The new advanced version will be almost completely hands-on. The advanced version write-ups will require a deeper understanding of security concepts, and the targets will be a bit of a challenge. And FYI, some of the advanced challenges will require participants to sign a “release of liability” form.

State of the Startup
Posted by Beau Adkins. Categories: Light Point Security Update, Startups.

A long staircase

I decided it would be a good idea to occasionally post a status update of our startup on our blog. I plan on listing which of the many steps involved in launching a startup we have completed, and some tips on the ones that warrant it.

My reasons are two-fold. The first reason is that I hope once our product launches and it is a huge success and I am super rich and spend my days racing yachts, someone who wants to launch their own startup can use these as a step-by-step roadmap on what to do. The second reason is that I think it will be good for me to take the time to think about all the things we’ve accomplished since the last update. This may be a morale booster if I see that we have done a lot, or help me realize we are slacking if we have not.

What Have We Done?

  • Idea. The first thing was an idea about how I can provide web security better than everyone else. This idea has not been released publicly, so there isn’t much more I can say about that right now.
  • Research. The next thing I did was research on how I could implement it, and to decide if it was feasible that I could turn it into a profitable business.
  • Development Setup. I needed a development environment before I could create anything. I bought a computer and installed a subversion server for version control and TRAC for issue management. If you are developing any serious software, you NEED version control and issue management software. It is well worth the time.
  • Prototype. The next thing I did was to start building a working prototype, or a proof of concept. This took quite a while, in which time I was also working other items in this list.
  • Business Planning. First I knew that I would not have time to build the product, and run the business. I enlisted Zuly, my then girlfriend – now fiancee, to fill this role. Neither of us had run a business before, but we knew we could figure it out. We came up with a name for the business, snatched up the URL, made a business plan, etc. As I worked on the product, Zuly learned how to do the business side stuff (accounting, legal, etc).
  • Evaluation. At this point I had a working prototype, but when I finally looked at the stats, I realized the product would not be able to scale. This prototype had taken most of a year to get where it was, and then I found out it wouldn’t work. I thought it was all over at this point. But I refused to give up. I did more research to find a more efficient technology, and found one. I decided to swap out the old inefficient technology for the new hotness.
  • Persist. This new technology was another open source library that did the same thing as the old version, but it did so, much more efficiently. However, the way this library was written was nowhere near how I needed it to work. I spent months tinkering and reading through hundreds of files of source code to try and fix it. Every time I fixed an issue, I discovered 2 more that had to be fixed. After an entire year of this, I had my proof of concept functioning as it did before the technology swap, but now it was an order of magnitude more efficient.
  • Improvement. I added more and more features, eventually turning it into more of a product than a proof-of-concept.
  • More Research. As I implemented features, I tried to keep thinking a few moves ahead. I had a plan on what I would do next, and what after that. So in my down time, I would do some reading to make sure my plans on how to do those next steps would actually work, or if there was a better way.
  • Business Setup. At this point, we decided it was a good bet that we can make this work. We each took some of our own money, officially registered the business, and set up a bank account.
  • Website. We transferred ownership of the business domain name to the business, and bought hosting to set up this web page. We got something decent set up, and gradually improved it over time. We are still doing this.
  • Networking. We started blogging, using Facebook, Twitter, and others to start making a name for ourselves online. This is a never ending step.

What’s Next?

  • Branding. We have a name for the product, but we need to grab its domain name before we make it public.
  • Deployment and Beta-testing. We are now to the point where we need to start buying server capacity so other people can play with the product and give us feedback. We will use this feedback to make improvements until we feel the product is refined enough to begin charging for it.

Have I forgotten anything? If you see something missing that I should have done by now, please let me know. Or if you have any questions/suggestions, don’t hesitate to comment.

The Facebook Will Start Charging Scam
Posted by Zuly Gonzalez. Categories: Web Security.

With over 400 million users, Facebook is a constant target of online criminals and scam artists. The “Facebook will start charging” scam has been around since last year, yet people are still falling for it. Even worse, there’s been an increase in these types of scams over the last couple of months.

How the Facebook Will Start Charging Scam Works

Online criminals create Facebook pages claiming that Facebook will begin charging some monthly fee. For example, the page “I won’t pay $3.99 to use Facebook starting in July” is a scam. And the page “I will not pay to use Facebook as of Sept 7th 2010” is also a scam.

In fact, Facebook spokesman Larry Yu stated, “We have absolutely no plans to charge for the basic service of using Facebook.”

Facebook Will Start Charging Scam Page

There are many variations on this theme, and they’re all scams. I searched on Facebook for “Facebook pay” and got 287 page results (see below). And every single one of these pages is a scam! The top result had 7661 fans.

Just out of curiosity, I searched for “Facebook pay” again the following day and noticed that the pages are growing. The top result went from 7661 fans to 7844 fans and the second result went from 6877 fans to 6899 fans. So it looks like things are going in the wrong direction.

Facebook Will Start Charging Scam Search Results

Online scammers create Facebook pages (and groups) in an attempt to trick people into divulging their personal information, downloading malicious content, or inviting their friends to join the page. In the case of the “Facebook will start charging” scam, it seems the most common method is to get people to invite their friends to the page in an attempt to amass a large number of fans they can then sell to unsuspecting businesses.

Just take a look at the information on the “I will not pay to use Facebook as of Sept 7th 2010” page:

I Will Not Pay for Facebook Scam Page Description

And if you look at the information on some of the other Facebook Pay pages, you will notice that they don’t ask you for any personal information, or ask you to download something, or ask you to go to another website. The main thing these pages are asking people to do is to invite all of their friends. But that doesn’t mean there aren’t malicious links showing up on these pages, so be careful, and don’t click on any links in these pages.

So now that you know the truth, don’t join any Facebook pages claiming that Facebook will start charging.

How to Protect Yourself on Facebook

For the most part, these Facebook Pay pages weren’t set up to steal your personal information – although I didn’t look at every single page. And even if they were set up for that purpose, you usually have to take some action for this to occur.

But joining not only encourages criminals to keep coming up with these scams, it also puts your friends at risk. How? Well, as soon as you join, it’s displayed on your friends’ news feeds. A friend could see it and then join the group.

So, other than the obvious don’t join advice, here are a few other tips to help keep you and your friends secure while on Facebook:

  • If you see your friends joining these Facebook Pay pages, warn them about the scam and tell them to remove themselves from the page.
  • Spread the word. Scammers take advantage of the fact that people aren’t aware of these scams to do their dirty work. If people are informed of the risks, then it becomes a lot harder to get away with it. So tell your Facebook friends, and send them a link to this post, or any other post on the topic.
  • Be suspicious of any Facebook page that makes it easy for you to invite your friends, asks you to download something, or asks for your personal information in return for something else.
  • Always check the page’s wall before joining. There are legitimate reasons why you may be asked to download and install something from Facebook pages. However, there are also plenty of malicious programs out there. The legitimate stuff will, for the most part, work as advertised. On the other hand, the malicious stuff usually won’t work at all. So if you go to the page’s wall and see a lot of people complaining about the fact that it doesn’t work, stay away! Odds are it’s malware. And I’m not talking about a couple of bad reviews, because even the legitimate programs will get bad reviews every now and then. But if you see mostly complaints, then it’s likely to be malware. And even if it’s not, why waste your time, it obviously doesn’t work!
  • Join the Facebook Security page to get the latest security updates from Facebook, or visit Facebook’s Safety Center.
  • Read and follow the 5 most important steps for internet security to protect your computer from online criminals.

Have you come across this scam? Have you come across any other Facebook scams lately? What other ways of staying safe on Facebook do you recommend?


As Strong As Your Weakest Link
Posted by Beau Adkins. Categories: Web Security.

The weakest link

When trying to evaluate your own security, remember the old adage: “A chain is only as strong as its weakest link.” Here is a story of some recent experiences I had which reinforced this for me.

About a month ago, I started seeing all kinds of articles online related to a massive amount of websites being hacked. Most of these hacks were WordPress sites hosted with a large hosting company such as GoDaddy. This site is WordPress hosted by GoDaddy, so when I saw this, I was very interested.

I read the articles to find out how to know if your site had fallen victim to this. The main goal of this attack was to place a bit of php code into every WordPress file on your server. When WordPress would serve up a page, this code would be executed. The result would be a redirect placed in each page that a user of your site would see. This would redirect the user to a malicious website which would attempt to exploit your site’s visitors.

I immediately checked the content of my site and was relieved to find that my site appeared unhacked. But I was not out of the woods yet. No one yet had figured out how the hack was able to infiltrate all these systems. Many people were blaming it on a flaw in WordPress. Others were blaming it on a flaw with GoDaddy’s hosting. Until I figured out where the flaw was, I was still at risk.

This hack was showing up on web platforms other than WordPress. This makes it seem like it couldn’t be a problem with WordPress that was allowing this to happen. But, it was also happening on hosting providers other than GoDaddy. On top of that, if it were a flaw in WordPress or GoDaddy, this hack would be capable of showing up on many more high-traffic pages. You would think that a hacker armed with an unknown exploit with such power would hit the biggest targets available, instead of just a few tiny blogs.

GoDaddy was blaming it on people using out of date WordPress installations. However, I read many articles reporting about people who got hacked, rebuilt their sites with the newest version of everything, and then immediately being hacked again.

The root cause of this hack still hasn’t been figured out as far as I know. I have read that a large number of the affected sites had some weak passwords. At this point, I believe this to be it, but there is no way for me to know for sure. I use very strong passwords. Maybe this is what saved me. Or maybe the hackers just hadn’t found this site.

The moral of the story is to remember you are only as secure as your weakest link. You can build a house out of solid steel with a vault door and barred windows, but if you leave a spare key under your doormat, how much more secure are you? WordPress and GoDaddy can be completely secure, but a guessable password makes it irrelevant.

Latest Twitter Email Phishing Scam
Posted by Zuly Gonzalez. Categories: Web Security.

The latest phishing scam targeting Twitter users is in the form of an email message claiming to be from Twitter Support. The subject line of the fake email message starts off with the word Twit and is followed by a set of numbers. These numbers will vary from email to email. The email message claims that you have some number of “unreaded” or delayed messages from Twitter, and provides a link to supposedly check your “unreaded” messages. How nice of them! But instead the link takes you to a malicious phishing website.

There are actually two links in the fake email message, both linking back to malicious phishing websites. Don’t click on either of them! Here’s what the email looks like:

Twitter unreaded email phishing scam

According to Twitter Safety, Twitter Support doesn’t send emails about unread messages.

Twitter safety email phishing scam alert

What Can You Do?

Here are 7 things you can do to protect yourself, and avoid becoming a victim of email phishing scams.

  • If you receive an email message claiming to be from Twitter or Twitter Support with the subject line Twit [set of two numbers here], do not open it and delete it right away.
  • If you receive an email with bad English or misspellings, most likely it’s a scam. For example, using the word unreaded instead of unread. Don’t click on any links in the email or download any attachments.
  • Don’t click on links in email messages. Always go to the site directly and log in to your account to check it out.
  • If you must click on a link in an email, for example it’s not a check your account status type of email, hover over the link and look at what the status bar tells you. If the URL shown in the status bar isn’t for the website you’re expecting to go to, don’t click on the link. In the case of this recent Twitter scam, the URL in the status bar doesn’t link to twitter.com. Instead it links to dev.somedomainname.com.

Twitter email phishing scam domain name on status bar

  • Note that the only domain name used by Twitter is twitter.com. Any URL that doesn’t start with http://twitter.com/ is not an official Twitter page. That’s not to say it’s a malicious site, it’s just not an official Twitter page, so use caution when going to these sites.
  • If you have a Twitter account, follow Twitter Safety or Twitter Spam to get the latest news about known Twitter scams.
  • Read and follow the 5 most important steps for internet security to protect your computer from these cyber crimes.
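The hover-and-check advice above boils down to one question: which host will the browser actually connect to, and is it twitter.com? As an added example (not from the original post), here is a Python helper that answers that by parsing the link target instead of eyeballing it. The sample link targets are constructed for illustration and reuse the dev.somedomainname.com name from the post; they are not real phishing URLs.

```python
from urllib.parse import urlsplit

# The post says twitter.com is the only domain Twitter uses.
OFFICIAL_DOMAIN = "twitter.com"


def link_host(url):
    """Return the host a browser would actually connect to for this URL."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname drops any user:pass@ prefix and the port, and lowercases,
    # so "twitter.com@other.example" and "TWITTER.COM:80" are handled.
    host = parts.hostname
    return host.rstrip(".") if host else None


def is_official_twitter_link(url):
    """True only when the host is twitter.com itself or one of its subdomains."""
    host = link_host(url)
    if host is None:
        return False
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def triage_links(urls):
    """Map each link target to the verdict a careful hover check should give."""
    return {u: ("official" if is_official_twitter_link(u) else "suspicious")
            for u in urls}


# Constructed sample targets: the domain seen in the post's status bar plus a
# few shapes that look like twitter.com at a glance but do not resolve to it.
SAMPLE_LINKS = [
    "http://twitter.com/messages",
    "https://twitter.com/account/settings",
    "http://dev.somedomainname.com/twitter/messages",
    "http://twitter.com.somedomainname.com/messages",
    "http://twitter.com@somedomainname.com/messages",
    "http://TWITTER.COM./messages",
]

if __name__ == "__main__":
    for url, verdict in triage_links(SAMPLE_LINKS).items():
        print("%-50s %s" % (url, verdict))
```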

Image credits: Fake Twitter email, Twitter Safety tweets

Why You Are Not “Good Enough” to Avoid Malware
Posted by Beau Adkins. Categories: Web Security.

Compiling Code

In my line of work, most of my colleagues are very technically savvy. Sometimes I will ask them about their views on different computer security products. More often than I would expect, I receive this response: “Oh, I think that is really important, but I don’t need it because I know what I’m doing.” When I press more on what it is they are doing that makes them immune, here are some of the possible responses, and my thoughts on each.

I’m careful where I click

Hmm, that’s good. How are they careful? Maybe they don’t go to any site they haven’t heard of? So googling something, and clicking that perfect result is out of bounds for this person? Never clicking any link that has been run through a URL shortener, as is so common on Twitter? Staying away from sites that show ads? Never going to a site which doesn’t have perfect server security? If they did all these things then they really aren’t browsing at all. ANY site can be bad. There are just too many ways that even the most trustworthy site can be turned malicious – I will save that for another post.

I don’t use Windows

First off, I love Windows. It is my OS of choice, but it saddens me to say that this tactic does help. But why? Because Windows sucks? Not really, it is just a matter of targeting. When a hacker writes an exploit, he wants it to work on as many people as possible. Since most of the world uses Windows, he writes his exploit for Windows. It doesn’t mean he couldn’t have written it for any other OS, and there are times when hackers do write the exploits for the other OSes. So while using a different OS will get you by most of the malware on the web, you are still counting on luck.

I’ve never gotten a virus before…

This one is classic on so many levels. So you’ve never been infected with malware before, therefore you must be immune… Hmmm, ok, let’s assume that to be true, even though a child could tell you that it’s NOT. If you never use anti-malware products, and you have never been infected by anything, that tells me that you have never been infected by a poorly-written, or relatively harmless piece of malware. Those are the ones that you would be aware of if you were infected. A relatively harmless piece of malware would have a juvenile purpose: changing your desktop wallpaper, or showing you popups for porn sites. Not so bad. If the malware is more sinister, its authors want to make sure you don’t know it is there. They want to steal things from you without your knowledge. But if it is poorly written, it can crash your computer or other applications. If it’s a well-written sinister piece of malware, that’s bad. You will not know it is there just by using your computer normally. Software specifically designed to find this stuff is the only way to know if it is there. You know, like anti-virus products.

Don’t fall into the trap in thinking you are just too smart to get infected online. It is a dangerous place out there, and it’s actually getting worse. In the old days, hackers wrote malware just to mess with people. Now they make money off of it. They are smart, and persistent. Do everything that you can to protect yourself. Here is a good starting point.

Spammers Create Fake Facebook Profiles
Posted by Zuly Gonzalez. Categories: Web Security.

Have you received a friend request on Facebook from a hot girl you don’t recognize? You say what the heck, I don’t know her, but she’s hot, so yeah I’ll be your friend. Bad move! Take a look at the profile below, see anything strange?

Fake Facebook User Profile

Maybe you received a friend request from someone you don’t recognize with a lot of mutual friends. So you accept the request thinking, well I probably met this person at some point. Wrong again.

Facebook spammers are now creating fake user profiles to amass a large number of “friends” they can then sell to unsuspecting businesses. These businesses may have seen an ad similar to this one:

Spammer Advertising

Soon after you accept requests from these fake users, you start getting invitations to join Facebook fan pages. This is how spammers create artificial word of mouth marketing.

Worse yet, now these spammers have access to personal information you’ve marked as viewable by friends only. This includes two very important pieces of information, your birthdate and location. This can possibly lead to identity theft!

What Can You Do?

  • Avoid friending anyone you don’t recognize. Hot girls aren’t the only threat, it could be a hot guy, or a normal looking person.
  • Ask a real friend. If you get a friend request from someone with mutual friends, send your real friends a message and ask them about this person you don’t recognize. If several of your real friends tell you they don’t actually know this person, stay away!
  • Look through your current friend list. Remove anyone you don’t recognize, especially if they’re constantly inviting you to join Facebook pages.
  • Spread the word. Spammers get away with this because most people aren’t aware of these threats. So tell your friends.

Have you seen any other suspicious Facebook activity? Let us know.
