Department of Defense Cyber Crime Conference 2011
Posted by Zuly Gonzalez. Categories: Computer Security, Events, Security

The DoD Cyber Crime Conference focuses on all aspects of computer crime and incident response including intrusion investigations, cyber crime law, digital forensics, information assurance, cyber crime investigations, as well as the research, development, testing, and evaluation of digital forensic tools.

The goal is to prepare attendees for the new crimes of today and the near future. Speakers will discuss new approaches and new perspectives. The conference is sponsored by the DoD Cyber Crime Center.

The 2011 DoD Cyber Crime Conference will be held January 21-28, 2011 at the Hyatt Regency Hotel in Atlanta, GA.


Cyber Crime Conference Schedule

The schedule for the 2011 Department of Defense Cyber Crime Conference is as follows:

Pre-Conference Training: January 21-24, 2011
Conference: January 25-28, 2011
Exposition: January 25-27, 2011

Who Can Attend the Cyber Crime Conference

In order to attend the conference you must meet the below criteria:

  • DoD personnel
  • DoD-sponsored contractors
  • Defense Industrial Base (DIB) Partners (CIPAC)
  • Federal, state and local law enforcement
  • U.S.-sponsored government representatives working in the following fields:
    • Counterintelligence Special Agents
    • Criminal Investigators
    • Computer Forensics Examiners
    • Prosecutors – federal, state, local, military
    • DoD Information Assurance/Systems Administrators
    • Computer Forensics Research and Development Personnel
    • Federal, State and Local Law Enforcement
    • Educators in federally funded information assurance programs, such as CyberCops or the National Centers of Excellence for Information Assurance
  • U.S.-sponsored government representatives from Australia, Canada, the United Kingdom and New Zealand

Registration Fees

Registration is open for the 2011 Cyber Crime Conference, and closes on January 14, 2011. The registration fee schedule is as follows:

  • Early Registration (ends December 31, 2010)
    • Government Attendee: $400
    • Industry Attendee: $575
    • Fee includes: Tuesday night reception and all activities from Tuesday morning through Friday. This does not include the pre-conference training.
  • Late Registration (after December 31, 2010)
    • Government Attendee: $500
    • Industry Attendee: $675
  • Speaker Registration
    • Fee: $150
    • Fee applies only for those attending conference sessions (the conference sessions begin Tuesday morning and end Friday).
    • Fee includes: The reception and all activities.
  • Classified Training (Cyber Counterintelligence)
    • Fee: $80
    • Clearances must be submitted no later than 4 January 2011.
  • Exhibitor Registration
    • Fee: $135
  • Press Registration
    • Fee: $0
    • Press can attend the general session on January 25, 2011

Training Sessions for Cyber Crime Conference 2011

The 16 training sessions that will be available at the 2011 DoD Cyber Crime Conference are as follows:

Follow the Script Please!
This workshop will introduce students to the concepts of writing and editing scripts to automate incident response activities. Students will learn how to author and edit incident response scripts for Windows and Linux environments. This session is intended for beginners and those who simply need a refresher.

Advanced Network Intrusion Traffic Analysis
Attendees will learn how to identify intrusion traffic, understand the techniques used by the attacker, and reconstruct the intrusion traffic. Attendees will also learn how to identify the attack vector, mitigate loss, and secure the vulnerability using Wireshark, Netwitness and Snort.

Analyzing Malicious Carrier Files
This class will cover the fundamentals of analyzing malicious carrier files, such as PDFs, Microsoft Office documents and CHM files, used in spear phishing attacks. It will cover the structure of common carrier file types and methods for recognizing, extracting, deobfuscating and analyzing embedded scripts and shellcode, then leverage that embedded logic to accurately extract any additional payloads found within the carrier file. The course combines file-level forensic examination with malicious code analysis.
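The workflow the class describes (recognize the carrier structure, pull out the embedded script, undo the encoding layers, recover the payload bytes) is concrete enough to show end to end for the PDF case. The following is an added example, not course material or code from the conference: it builds a small constructed PDF in memory whose /OpenAction runs a FlateDecode'd JavaScript stream with a hex-escaped dictionary name (/J#61vaScript), then scans it the way a triage script would. The object regexes, the suspicious-key list and the sample script are all assumptions made for illustration; a real file needs a proper PDF parser for cross-reference streams, object streams and chained filters.

```python
import re
import zlib

# Constructed sample (not from any real attack): script of the kind found in PDF carrier
# files, with %u-encoded shellcode-style bytes and a heap-spray loop.
SAMPLE_JS = (
    'var sc = unescape("%u9090%u9090%uc033%u5050");\n'
    'var nop = unescape("%u0c0c%u0c0c");\n'
    'while (nop.length < 0x10000) nop += nop;\n'
    'eval("app.alert(1)");\n'
)

def build_sample_pdf(js: str) -> bytes:
    """Build a minimal PDF whose /OpenAction runs a FlateDecode'd JavaScript stream.
    /JavaScript is spelled /J#61vaScript, a name-escaping trick that defeats naive
    string matching on the raw file."""
    body = zlib.compress(js.encode())
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj",
        b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9A-Fa-f]{4})+)"\s*\)')
# Keys worth a second look; order determines the order of reasons reported.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

def unescape_names(dict_part: bytes) -> bytes:
    """Resolve #xx escapes in PDF names (/J#61vaScript -> /JavaScript)."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), dict_part)

def iter_objects(pdf: bytes):
    """Yield (object number, normalised dictionary bytes, decoded stream bytes) per object."""
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        # Only the dictionary gets name-unescaped; touching stream bytes would corrupt them.
        dict_part = unescape_names(body.split(b"stream", 1)[0])
        sm = STREAM_RE.search(body)
        data = sm.group(1) if sm else b""
        if data and b"/FlateDecode" in dict_part:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # truncated or multi-filter stream: keep the raw bytes for manual review
        yield num, dict_part, data

def find_suspicious_objects(pdf: bytes):
    """Return [(obj number, [reasons], decoded stream)] for objects that carry actions or script."""
    hits = []
    for num, d, data in iter_objects(pdf):
        reasons = [k.decode() for k in SUSPICIOUS_KEYS if k in d]
        if data and re.search(rb"\b(eval|unescape|String\.fromCharCode)\s*\(", data):
            reasons.append("script-like stream")
        if reasons:
            hits.append((num, reasons, data))
    return hits

def decode_unescape_literals(js: str):
    """Turn unescape("%u9090...") literals into raw little-endian bytes for a disassembler."""
    blobs = []
    for m in UNESCAPE_RE.finditer(js):
        words = re.findall(r"%u([0-9A-Fa-f]{4})", m.group(1))
        blobs.append(b"".join(int(w, 16).to_bytes(2, "little") for w in words))
    return blobs

def scan(pdf: bytes):
    """Suspicious objects plus any shellcode-looking blobs recovered from their scripts."""
    hits = find_suspicious_objects(pdf)
    blobs = []
    for _, _, data in hits:
        blobs.extend(decode_unescape_literals(data.decode("latin-1")))
    return hits, blobs

if __name__ == "__main__":
    hits, blobs = scan(build_sample_pdf(SAMPLE_JS))
    for num, reasons, _ in hits:
        print(f"obj {num}: {', '.join(reasons)}")
    for blob in blobs:
        print("blob:", blob.hex())
```

The first recovered blob decodes to 90 90 90 90 33 c0 50 50, which is what you would hand to a disassembler; the second is the 0x0c0c0c0c spray pattern, a clue to the heap address the exploit expects to land on.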

Introduction to Botnets

Botnets are a significant part of the Advanced Persistent Threat (APT) facing corporate and government networks today. This course introduces botnets and gives the students an opportunity to get hands-on experience setting up and running a self-contained botnet.  In addition, students will look at the evidence left behind from a botnet compromise in network traffic and Windows system artifacts.

Introduction to Cyber Analysis: Teaching an Old Dogma New Tricks

Cyber analysis is a growing field that combines traditional analysis with the highly technical concepts of network intrusions to determine how various incidents are connected. This course provides an overview of cyber analysis as it applies to the network intrusion problem, and covers a basic overview of network intrusions and electronic artifacts, an introduction to basic Analyst Notebook use, and an introduction to analyzing the data.

Introduction to EnCase for Prosecutors and Case Agents
A quality computer forensic examination is worthless if the communicated results are not understood by the consumer. This course will cover some of the basic terminology, functions, capabilities and limitations of a common primary forensic tool used during forensic examinations.

Intro to Malware Analysis Techniques
This course teaches fundamentals and concepts involved in malware analysis at a basic level. Malicious code is often found on computer systems during network intrusion investigations. The main goals of analysis are to assess an executable to discover its functionality, and to identify the artifacts of its presence and usage.

Mac Forensics – 2011
This training addresses forensic examinations of Mac systems (OS X). Instructors will approach the Mac platform with traditional forensic methods, using EnCase to find and analyze OS X artifacts. They will also use OS X itself to examine exported OS X-specific data that is best viewed in its native environment.

Network Exploitation Analysis Techniques
This training session combines the disciplines of Pen Testing, Information Assurance, and Forensics into a unique opportunity to learn the components of a network attack, the traffic the attack generates, and the artifacts left behind. Presenters will use Metasploit to launch attacks while monitoring network traffic for analysis. After examining the captured traffic, forensic artifacts of the attack will be identified and discussed.


This course will teach students how to use the TUX4N6 digital triage tool to safely preview the active files on a suspect computer in a forensically sound manner.  The TUX4N6 tool is based on the Linux operating system and has the advantage of being able to “read” other computer system’s files without writing to or altering the data on those systems. Students will be taught how to conduct a manual search of a computer, use automated features to search the computer for keywords and specific file types, and how to save evidence to external storage media.

Online Anonymity
In this course, tools and methodologies will be demonstrated and provided that will enable an examiner or investigator to conduct information gathering efforts while obfuscating their source location.

Pen Testing 101
This training session will introduce open source pen testing tools and methods to students. You’ll learn the importance of Rules of Engagement for both tester and target.  Then you’ll dive into a white box test to prepare for the black box test at the end of the session.

Snort for Network Analysis
This training session is intended for incident responders and anyone with a desire to learn how to use Snort to analyze network traffic. Attendees will use Snort to quickly gain insight into the analysis of previously captured network traffic to locate particular files, or types of files, and for “anomalies” that are indicators of an intrusion.

Windows Incident Response
This course focuses on response in a Windows environment. Topics addressed include search and seizure, and incident response on Windows Server 2003.

Wireless Technology Workshop
This session makes use of practical, hands-on exercises to present and reinforce wireless technologies and techniques.  Attendees will learn how to use various wireless technologies and walk away knowing both the strengths and weaknesses of commercial wireless solutions.  Attendees will utilize Bluetooth and WiFi technologies, and learn open-source as well as proprietary attacks to exploit their inherent weaknesses.  Attendees will also capture and analyze open and encrypted data traffic with Wireshark and other open source tools.  Further, the presenters will cover methodologies to secure wireless networks, and techniques to scan for hidden access points and other wireless devices.  Other topics that will be presented include cracking tools, accidental association, direction finding, creating wireless heat maps, and denial of service.


Windows 7 Forensics
Among the topics that will be discussed are: Libraries, Jump Lists, Pinning, Gadgets, Thumbnail Caching, Sticky Notes, exFAT, System Protection and Backup (Windows Backup, System Image, Previous Versions, Volume Shadow Copies), Virtualization, XP Mode, Registry, SuperFetch, Windows Search, Indexing, BitLocker and BitLocker to Go.

SANS Metasploit Kung Fu Training Session

Metasploit was designed to help testers confirm vulnerabilities using an open source framework. This course will help students get the most out of this free tool. The class will provide students with an in-depth understanding of the Metasploit Framework, and show them how to apply the capabilities of the framework in a comprehensive penetration testing and vulnerability assessment regimen. The class will cover exploitation, post-exploitation reconnaissance, token manipulation, spear-phishing attacks, and the rich feature set of Meterpreter, a customized shell environment created specifically for exploiting and analyzing security flaws. The course will also cover many of the pitfalls a tester may encounter when using the Metasploit Framework and how to avoid or work around them, making tests more efficient and safe.

Classified Training Session

The classified session will focus on cyber counterintelligence topics in the following areas:

  • Cyber CI Policy both at the National and DoD levels
  • Cyber CI training both at the National and DoD levels
  • What the DoD services are seeing from State and Non-State actors in terms of Cyber CI
  • What the DoD services are doing in regards to Cyber CI
  • National level program with a Cyber CI focus

The briefings will center on tactics, techniques, and procedures, along with updates on current policies, investigations and operations from the services and national-level agencies. Due to the sensitive nature of the Tactics, Techniques and Procedures (TTPs), policies, investigations and operations, the session will be classified Secret//NOFORN.

More on the 2011 DoD Cyber Crime Conference

If you have any questions on the conference, email

Follow the DoD Cyber Crime Conference on Twitter.

Do you plan on attending this conference or any other security conference in 2011?

Free Black Hat Webcast: Attacking With HTML5
Posted by Zuly Gonzalez. Categories: Computer Security, Events, Resources, Security, Web Security

The founders of the Black Hat conference, the best computer security conference in the world, will be hosting a free webcast. The webcast, Attacking with HTML5, will be held on December 16, 2010 at 2:00 PM EST. You can register for the Black Hat webcast here.

Black Hat has been hosting security webcasts since July 2008. The Black Hat webcasts are a regular series of live web events focusing on what’s hot in Information Security. Each month, they bring together Black Hat speakers, independent researchers and leading experts to discuss relevant topics in security, and give you a chance to ask questions live. You can see a list of all the previously recorded Black Hat webcasts here.

Attacking With HTML5 Description

HTML5 is a set of powerful features aimed at moving web applications closer to existing desktop applications in terms of user experience and functionality. HTML5 is not the technology of the future, as many believe; it is available right now in almost all modern browsers. Though widespread use of HTML5 by websites is still a few years away, abuse of these features is already possible.

Web developers and users assume that, because their site does not implement any HTML5 features, they are unaffected. A large section of the internet community believes that HTML5 is only about stunning graphics and video streaming. This talk will show how these assumptions are completely contrary to reality.

This presentation will show how existing 'HTML4' sites can be attacked using HTML5 features in a number of interesting ways. The speakers then look at how the browser can be used to perform attacks that were once thought to require code execution outside the sandbox. Finally, they will look at an attack where the attacker is not interested in the victim's data or a shell on the machine, but is instead after something that might perhaps even be legal to steal.

Special Offer for Black Hat DC 2011

If you register for the free webcast, you will receive $250 off of a new registration to the Black Hat DC 2011 Briefings (Training classes are excluded). When you register for the webcast you will receive a discount code in your confirmation email to use when registering for the Black Hat DC 2011 Briefings.

Do you know of any other security webcasts? Share with us in the comments.

Black Hat DC 2011 Conference
Posted by Zuly Gonzalez. Categories: Events, Security, Web Security

The Black Hat conference is the biggest and most important security conference in the world. Black Hat has become a premier venue for elite security researchers, and serves the information security community by delivering timely and actionable security information. The Black Hat conference series is now held four times a year:

  • Black Hat DC: January 16-19, 2011 in Arlington, VA
  • Black Hat Europe: March 15-18, 2011 in Barcelona, Spain
  • Black Hat USA: July 30 – August 4, 2011 in Las Vegas, NV
  • Black Hat Abu Dhabi: November 2011 in the United Arab Emirates

Each event is separated into a training portion and a briefings portion.


The Black Hat Briefings are a series of highly technical information security presentations that bring together leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and knowledge.

Black Hat also provides hands-on, high-intensity, multi-day Trainings. The training sessions are provided by some of the most respected experts in the world and many also provide formal certifications to qualifying attendees.

The 2011 Black Hat DC conference will be held January 16 – 19 at the Hyatt Regency in Arlington, VA. The training portion of the conference will be from January 16 to 17, and the briefings portion will be from January 18 to 19.

Black Hat DC 2011 Registration Fees

Registration is now open for the 2011 Black Hat DC conference, and the registration fee schedule is as follows:

  • Briefings
    • Regular: $1395 (ends Dec 15)
    • Late: $1595 (ends Jan 15)
    • Onsite: $1895 (Jan 16 – Jan 19)
    • Academic: $600 (ends Dec 15)
    • Group: 10% – 15% discount (ends Dec 15)
    • Press: $0
  • Training
    • $1800 – $3800 per course

Group Registration: There is a 10% discount for groups of 6 or more. Groups of 12 or more receive a 15% discount. This discount rate applies to the Briefings portion only. If there are 4 or more people from your group attending the same training class and session, you can also qualify for a discount on the Training portion. The discount will be based on the rate at the time that you submit your group registration agreement form. Group registrations must be paid by Dec 15.

Academic Registration: The Academic registration is available to those who are either full-time students or full-time professors at an accredited university. The academic registration rate is $600, but gives you access to the Briefings portion only. Registration for the Academic pass ends on December 15, 2010.

Press Registration: Any media member that works for a publication that covers computer security on a regular basis can apply for a free press pass. Be prepared to show copies of your articles, a business card, and your assignment editor’s contact information. The press pass is normally only granted for the Briefings portion, but in very rare cases may be granted for the Training portion as well. During the conference a press room with internet access will be provided, and a separate room for filming interviews may also be available.

Briefings for Black Hat DC 2011

The 14 briefings that will be presented at the 2011 Black Hat DC are as follows:

A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications
Speaker: David Perez

In this presentation they will show a practical attack against GPRS, EDGE, UMTS and HSPA (2G/3G) mobile data communications. They will demonstrate that an attacker with a budget of less than $10,000 can set up a rogue BTS, make the victim devices connect to such BTS, and gain full control over the victim’s data communications. Two vulnerabilities make the attack possible: first, the absence of mutual authentication in GPRS and EDGE (2G), which makes GPRS and EDGE devices completely vulnerable to this attack, and second, the mechanism implemented on most UMTS and HSPA (3G) devices that makes them fall back to GPRS and EDGE when UMTS or HSPA are not available, which makes it possible to extend the attack to these 3G devices.

Counterattack: Turning the tables on exploitation attempts from tools like Metasploit
Speaker: Matthew Weeks

In hostile networks, most people hope their con kung-fu is good enough to avoid getting owned. But for everyone who has ever wanted to reverse the attack, not getting owned is not enough. We will see how it is often possible for the intended victim to not only confuse and frustrate the attacker, but actually trade places and own the attacker. This talk will detail vulnerabilities in security tools, how these vulnerabilities were discovered, factors increasing the number of vulnerable systems, how the exploits work, creating cross-platform payloads, and how to defend yourself whether attacking or counterattacking. The audience will be invited to participate as complete exploit code will be released and demonstrated against the Metasploit Framework itself.

Checkmate with Denial of Service
Speaker: Tom Brennan

Denial of Service is an attempt to make a computer resource unavailable to its intended users. A new and very effective form of Layer 7 attack, which uses slow HTTP POST connections, was recently discovered. The attacker sends properly formed HTTP POST headers containing a legitimate Content-Length field, which tells the web server how much body data to expect. Once the headers are fully sent, the POST body is sent at a very slow rate to prolong completion of the request and tie up precious server resources.

They will demonstrate how an "agentless" DDoS botnet can be created via malicious online games, and how a victim website can be brought down in a matter of minutes using the HTTP POST DDoS attack.
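The mechanism above is detectable from the server's own view of a connection: headers are complete, a large Content-Length is outstanding, and the body is arriving far too slowly to ever finish. The following is an added example, not the speaker's tooling or code from the talk: it runs that check over a constructed snapshot of in-flight POST connections (the key=value line format, the addresses and the numbers are all made up for illustration) and then groups the hits by source, since the distributed "agentless" variant shows up as many sources each holding a few slow connections rather than one source holding many.

```python
import re
from collections import Counter

# Constructed snapshot of in-flight POST connections, all taken at the same instant
# (now=300 s). hdr_done is when the request headers were fully received, clen is the
# declared Content-Length, rcvd is how much of the body has arrived so far.
SAMPLE_SNAPSHOT = """\
now=300 src=10.0.0.5 conn=1 hdr_done=2 clen=1000000 rcvd=500
now=300 src=10.0.0.5 conn=2 hdr_done=4 clen=1000000 rcvd=480
now=300 src=198.51.100.7 conn=3 hdr_done=10 clen=1000000 rcvd=300
now=300 src=203.0.113.9 conn=4 hdr_done=295 clen=4096 rcvd=4096
now=300 src=203.0.113.9 conn=5 hdr_done=298 clen=50000 rcvd=12000
now=300 src=192.0.2.2 conn=6 hdr_done=290 clen=200000 rcvd=40000
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
INT_FIELDS = ("now", "conn", "hdr_done", "clen", "rcvd")

def parse_snapshot(text: str):
    """Parse the hypothetical key=value snapshot format into one dict per connection."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(KV_RE.findall(line))
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        conns.append(rec)
    return conns

def slow_post_candidates(conns, grace_s=5, min_rate_bps=100):
    """Flag connections whose declared body is still outstanding, that have been sending
    for longer than the grace period, and whose average body rate is below min_rate_bps.
    A genuine slow uploader on a bad link trips this too, so the thresholds are a policy
    choice, and a per-source cap on concurrent request bodies is the usual companion."""
    flagged = []
    for c in conns:
        elapsed = c["now"] - c["hdr_done"]
        outstanding = c["clen"] - c["rcvd"]
        if outstanding <= 0 or elapsed <= grace_s:
            continue  # body complete, or too early to judge
        rate = c["rcvd"] / elapsed
        if rate < min_rate_bps:
            eta = outstanding / rate if rate > 0 else float("inf")
            flagged.append({**c, "rate_bps": round(rate, 2), "eta_s": eta})
    return flagged

def sources_by_count(flagged):
    """Distinct sources ranked by how many slow bodies each is holding open."""
    return Counter(c["src"] for c in flagged).most_common()

if __name__ == "__main__":
    hits = slow_post_candidates(parse_snapshot(SAMPLE_SNAPSHOT))
    for c in hits:
        print(f"conn {c['conn']} from {c['src']}: {c['rate_bps']} B/s, "
              f"{c['clen'] - c['rcvd']} bytes outstanding, ETA {c['eta_s']:.0f} s")
    print("by source:", sources_by_count(hits))
```

On the sample, connections 1 to 3 are flagged (each under 2 bytes per second with roughly a megabyte outstanding), connection 4 is complete, 5 is still inside the grace period and 6 is a healthy upload. In production this policy belongs in the server itself: Apache httpd's mod_reqtimeout enforces the same idea with a minimum body rate via RequestReadTimeout, so a snapshot check like this is mostly useful on a reverse proxy or against exported connection logs.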

The Getaway: Methods and Defenses for Data Exfiltration
Speaker: Sean Coyne

There are several stages to a successful cyber attack. The most crucial of which is also the least discussed: data theft. Whether it be financial information, intellectual property, or personally identifiable information; the most valuable thing on your network is the data. Intruders may get in, but until they get out with what they came for, the game’s not over. During this presentation they will take a look at some of the advanced methods of stealing data they have recently encountered in the field, including: preparing and cleaning staging areas, avoiding DLP/traffic scanning products, and how attackers use a victim’s own infrastructure and architecture against them.

De-Anonymizing Live CDs through Physical Memory Analysis
Speaker: Andrew Case

Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a large problem for this forensics model though as they run solely in RAM and do not interact with the local disk. This removes the ability to perform an orderly examination since the filesystem is no longer readily available and putting random pages of data into context can be very difficult for in-depth investigations. In order to solve this problem, they present a number of techniques that allow for complete recovery of a live CD’s in-memory filesystem and partial recovery of its previously deleted contents. They also present memory analysis of the popular Tor application as it is used by a number of live CDs in an attempt to keep network communications encrypted and anonymous.

Beyond AutoRun: Exploiting software vulnerabilities with removable storage
Speaker: Jon Larimer

Malware has been using the AutoRun functionality in Windows for years to spread through removable storage devices. That feature is easy to disable, but the Stuxnet worm was able to spread through USB drives by exploiting a vulnerability in Windows. In this talk, they will examine different ways that attackers can abuse operating system functionality to execute malicious payloads from USB mass storage devices without relying on AutoRun. There's a lot of code that runs between the USB drivers themselves and the desktop software that renders icons and thumbnails for documents, providing security researchers and hackers with a rich set of targets to exploit. Since the normal exploit payloads of remote shells aren't very useful when performing an attack locally from a USB drive, they will look at alternative payloads that can give attackers immediate access to the system. To show that these vulnerabilities aren't limited to Windows systems, they will provide a demonstration showing how they can unlock a locked Linux desktop system just by inserting a USB thumb drive into the PC.

Malware Distribution via Widgetization of the Web
Speaker: Neil Daswani

The Web 2.0 transformation has in part involved many sites using third-party widgets. They present the “widgetized web graph” showing the structure of high traffic web sites from the standpoint of widgets, show how web-based malware and scareware is propagated via such widgets, and provide data on how a mass web-based malware attack can take place against the Quantcast 1000 web sites via widgets.

Attacking Oracle Web Applications With Metasploit
Speaker: Chris Gates

In 2009, Metasploit released a suite of auxiliary modules targeting Oracle databases and attacking them via the TNS listener. This year, let's security test Oracle but do it over HTTP/HTTPS. Rather than relying on developers to write bad code, let's see what can be done with default content and the various unpatched Oracle middleware servers that you'll commonly run into on penetration tests. They will also re-implement the TNS attack against the isqlplus web portal with Metasploit auxiliary modules.

Inglourious Hackerds: Targeting Web Clients
Speaker: Laurent Oudot

This talk will look at technical security issues related to multiple internet web clients. While such tools are used to crawl the internet and retrieve information, there exist many scenarios where attackers can abuse them. By studying the protocols and doing some fuzzing, they will show how TEHTRI-Security was able to find multiple security issues on many handheld devices and workstations.

Hacking the Fast Lane: security issues with 802.11p, DSRC, and WAVE
Speaker: Rob Havelt

The new 802.11p standard aims to provide reliable wireless communication for vehicular environments. The P802.11p specification defines functions and services required by Wireless Access in Vehicular Environments (WAVE) conformant stations to operate in varying environments and exchange messages, either without having to join a BSS or within a BSS, and defines the WAVE signaling technique and interface functions that are controlled by the 802.11 MAC.

Wireless telecommunications and information exchange between roadside and vehicle systems present some interesting security implications. This talk will present an analysis of the 802.11p 5.9 GHz band Wireless Access in Vehicular Environments (WAVE) / Dedicated Short Range Communications (DSRC), Medium Access Control (MAC), and Physical Layer (PHY) Specifications of this protocol. They will present methods of analyzing network communications (GNU Radio/USRP, firmware modifications, etc.), and potential security issues in the implementation of the protocol in practical environments such as in toll road implementations, telematics systems, and other implementations.

Your crown jewels online: Attacks to SAP Web Applications
Speaker: Mariano Nunez Di Croce

“SAP platforms are only accessible internally”. You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization’s SAP platform in order to perform espionage, sabotage and fraud attacks.

Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting “hardened” SAP Enterprise Portal implementations will be detailed.

Kernel Pool Exploitation on Windows 7
Speaker: Tarjei Mandt

In Windows 7, Microsoft introduced safe unlinking to the kernel pool to address the growing number of vulnerabilities affecting the Windows kernel. Prior to removing an entry from a doubly-linked list, safe unlinking aims to detect memory corruption by validating the pointers to the adjacent list entries. Hence, an attacker cannot easily leverage generic "write 4" techniques in exploiting pool overflows or other pool corruption vulnerabilities. In this talk, they show that in spite of the efforts made to remove generic exploit vectors, Windows 7 is still susceptible to generic kernel pool attacks. In particular, they show that the pool allocator may, under certain conditions, fail to safely unlink free list entries, thus allowing an attacker to corrupt arbitrary memory. In conclusion, they propose ways to further harden and enhance the security of the kernel pool.
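What safe unlinking actually checks, and what the generic "write 4" it blocks looks like, is easier to see in a few lines than in prose. The following is an added model, not Microsoft's code and not the talk's material: it keeps a doubly-linked free list in a flat bytearray with 32-bit pointers (an assumption chosen so that list operations are real pointer writes rather than Python object references, with LIST_ENTRY laid out as Flink at +0 and Blink at +4, pool headers ignored), then overflows one free chunk's LIST_ENTRY and has the allocator pop it. The unchecked unlink turns the corrupted Flink/Blink pair into a write-what-where (plus the mirrored write at what+4 that the attacker must be able to absorb); the checked unlink refuses because neither neighbour points back at the entry. The bypass the talk describes, conditions under which the allocator skips the check, is not modelled here.

```python
import struct

PTR = 4  # hypothetical 32-bit model; LIST_ENTRY is two pointers: Flink at +0, Blink at +4

class BugCheck(Exception):
    """Stands in for the kernel bug check raised when safe unlinking detects corruption."""

class FlatMemory:
    """A small flat address space so list operations are real pointer reads and writes."""
    def __init__(self, size=0x1000):
        self.mem = bytearray(size)
    def rd(self, addr):
        return struct.unpack_from("<I", self.mem, addr)[0]
    def wr(self, addr, value):
        struct.pack_into("<I", self.mem, addr, value)
    def flink(self, e):
        return self.rd(e)
    def blink(self, e):
        return self.rd(e + PTR)
    def set_entry(self, e, flink, blink):
        self.wr(e, flink)
        self.wr(e + PTR, blink)

def init_list_head(mem, head):
    mem.set_entry(head, head, head)  # empty list points at itself

def insert_tail(mem, head, e):
    last = mem.blink(head)
    mem.set_entry(e, head, last)
    mem.wr(last, e)          # last->Flink = e
    mem.wr(head + PTR, e)    # head->Blink = e

def walk(mem, head):
    out, cur = [], mem.flink(head)
    while cur != head:
        out.append(cur)
        cur = mem.flink(cur)
    return out

def unlink_unsafe(mem, e):
    """Classic RemoveEntryList: trusts both pointers in the entry being removed."""
    f, b = mem.flink(e), mem.blink(e)
    mem.wr(b, f)          # b->Flink = f    -> with a corrupted e: *(Blink) = Flink, the "write 4"
    mem.wr(f + PTR, b)    # f->Blink = b    -> mirrored write: *(Flink + 4) = Blink

def unlink_safe(mem, e):
    """Safe unlinking: both neighbours must point back at e before anything is written."""
    f, b = mem.flink(e), mem.blink(e)
    if mem.blink(f) != e or mem.flink(b) != e:
        raise BugCheck(f"corrupt LIST_ENTRY at {e:#x}")
    mem.wr(b, f)
    mem.wr(f + PTR, b)

def clean_unlink_demo():
    """Sanity check: removing an intact entry works and keeps the list consistent."""
    mem = FlatMemory()
    HEAD, A, B = 0x100, 0x200, 0x300
    init_list_head(mem, HEAD)
    insert_tail(mem, HEAD, A)
    insert_tail(mem, HEAD, B)
    before = walk(mem, HEAD)
    unlink_safe(mem, A)
    return before, walk(mem, HEAD)

def pool_overflow_demo(safe: bool):
    """Simulate an overflow from chunk A into the free-list LIST_ENTRY of chunk B, then have
    the allocator pop B. Returns (outcome, value now stored at TARGET)."""
    mem = FlatMemory()
    HEAD, A, B, TARGET, WHAT = 0x100, 0x200, 0x300, 0x800, 0x900
    init_list_head(mem, HEAD)
    insert_tail(mem, HEAD, A)
    insert_tail(mem, HEAD, B)
    mem.wr(TARGET, 0xDEADBEEF)         # stands in for a function pointer worth hijacking
    mem.set_entry(B, WHAT, TARGET)     # attacker-controlled: Flink = what, Blink = where
    try:
        (unlink_safe if safe else unlink_unsafe)(mem, B)
    except BugCheck:
        return "bugcheck", mem.rd(TARGET)
    return "unlinked", mem.rd(TARGET)

if __name__ == "__main__":
    print("intact list before/after:", clean_unlink_demo())
    print("unsafe unlink:", pool_overflow_demo(safe=False))   # TARGET now holds WHAT
    print("safe unlink:  ", pool_overflow_demo(safe=True))    # bug check, TARGET untouched
```

The mirrored write is what makes the unsafe case a "write 4" with a constraint rather than a free arbitrary write: the attacker's chosen value must itself be a writable address, since Blink is stored back into what+4. The safe variant reads both neighbours before writing anything, which is why pool corruption exploits on Windows 7 have to find a path where that read is skipped or where the neighbours can be made to agree.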

Identifying the true IP/Network identity of I2P service hosts
Speaker: Adrian Crenshaw

They will present research into services hosted internally on the I2P anonymity network, especially I2P hosted websites known as eepSites, and how the true identity of the internet host providing the service may be identified via information leaks on the application layer. By knowing the identity of the internet host providing the service, the anonymity set of the person that administrates the service can be greatly reduced. The core of this presentation will be to test the anonymity provided by I2P for hosting eepSites, focusing primarily on the application layer and mistakes administrators may make that could expose a service provider’s identity or reduce the anonymity set they are part of. They will show attacks based on the intersection of I2P users hosting eepSites on public IPs with virtual hosting, the use of common web application vulnerabilities to reveal the IP of an eepSite, as well as general information that can be collected concerning the nodes participating in the I2P anonymity network.

Responsibility for the Harm and Risk of Software Security Flaws
Speaker: Cassio Goldschmidt

Who is responsible for the harm and risk of security flaws? The advent of worldwide networks, such as the internet, made software security an international problem. There are no mathematical risk models available today to assess networked systems with interdependent failures. Experience suggests that no party is solely responsible for the harm and risk of software security flaws, but a model of partial responsibility can only emerge once the duties and motivations of all parties are examined and understood.

This presentation describes the role of each player involved in the software lifecycle and the incentives (and disincentives) they have to perform the task, the network effects of their actions, and the results on the state of software security.


Training Courses for Black Hat DC 2011

There will be 11 courses offered at the 2011 Black Hat DC conference, ranging in price from $1800 to $3800 per course. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered for each class. The 11 courses are as follows:

Cyber Network Defense Bootcamp
Trainer: Adam Meyers

A two day workshop focusing on the progression from incident identification, investigation and malware analysis to explaining to management why it matters. In other words, how to go from geek to sleek.

Real World Security: Attack, Defend, Repel
Trainer: Peak Security

An intensive two day course for security professionals who want to up the ante on their current offensive and defensive security skill sets. Learn new tactics and receive guidance from expert instructors while you test yourself in a team vs. team environment.

Designing Secure Protocols and Intercepting Secure Communication
Trainer: Moxie Marlinspike

This training covers both designing and attacking secure protocols. Attendees will learn the fundamentals of how to design a secure protocol, and be armed with the knowledge of how to evaluate the security of and discover weaknesses in existing protocols.

CISSP Boot Camp (Four Day Course – Jan 16-19)
Trainer: Shon Harris

This Logical Security course trains students in all areas of the security Common Body of Knowledge (CBK). Using this course, students prepare for the exam, while at the same time obtaining essential security knowledge that can be immediately used to improve organizational security.

Information Assurance Officer (IAO) Course (CNSS-4014E) Certified
Trainer: Information Assurance Associates (IA2)

Very intense, highly concentrated, non-technical professional training necessary to achieve the fundamental knowledge needed to define, design, integrate and manage information system security policies, processes, practices, and procedures within federal interest information systems and networks.

Tactical Exploitation
Trainer: Val Smith

Using a combination of new tools and lesser-known techniques, attendees will learn how hackers compromise systems without depending on standard exploits.

Virtualization for Incident Responders
Trainer: Eric Fiterman, Methodvue

Principles and techniques for recovering evidence from virtualized systems and cloud environments – this course is intended for information security personnel who are responsible for handling incidents involving virtual infrastructure, cloud service providers, or desktop virtualization platforms.

Digital Intelligence Gathering Using Maltego
Trainer: Paterva

Unlock the true potential and raw power of Maltego. Learn how to navigate and map the internet’s darkest rivers.

TCP/IP Weapons School 3.0
Trainer: Richard Bejtlich, TaoSecurity

Use the network to your advantage while building incident detection and response skills to counter advanced and targeted threats.

Database Breach Investigations: Oracle Edition
Trainer: David Litchfield

This training course will teach students the tricks and techniques hackers use to break into Oracle database servers, and then how to perform a database security breach investigation covering evidence collection, collation and analysis using V3RITY for Oracle, the world’s first database-specific forensics and breach investigation tool.

Windows Physical Memory Acquisition and Analysis
Trainer: Matthieu Suiche

Learn all about memory dumps, including how they work and deep analysis using Windbg.

Black Hat DC 2011 Conference

More on Black Hat

You can follow Black Hat on Twitter, Facebook, and LinkedIn.

Twitter: Black Hat has two accounts on Twitter. For security research and updates on Black Hat events, follow @blackhatevents. For behind the scenes information from Black Hat HQ staff members, follow @blackhathq.

Facebook: Black Hat maintains an active Facebook page to communicate with members of the security community and provide information updates.

LinkedIn: Black Hat also maintains a LinkedIn group to reach out to professional security experts and provide information updates.

Will you be attending Black Hat DC 2011? Have you attended past Black Hat events? If so, what did you like the best?

Increasing Website Sales: Rob Walling’s 2010 Business of Software Presentation
Posted by Zuly Gonzalez | Categories: Business of Software, Events, Startups | 3 Comments

This post is part of a series of posts from the 2010 Business of Software conference (BoS2010). For a summary of the conference, and an index to the other presentations, click here.

Rob’s 2010 Business of Software presentation: “The Primary Goal of Your Website” – What’s the primary goal of your website? Not to sell software. With most visitors returning multiple times before making a purchase, your primary goal should be to draw visitors back to your site.

Rob Walling at the 2010 Business of Software conference (BoS2010)
Image credit: Betsy Weber

Rob Walling’s 2010 Business of Software presentation was another BoS2010 talk I really enjoyed, and got a lot of value out of. Rob discussed how we can use permission-based email marketing to increase sales and profits. His presentation was eye-opening for me, because I had always thought of email marketing as ineffective, and a nuisance to the receiving party.

I spoke to Rob very briefly, and he seemed like a genuinely nice guy. I even got to see his adorable baby boy, and I’ll tell you what, he is definitely one of the cutest babies I’ve ever seen!

Effectively Using Your Website

Most of us think that the number one goal of our website is to sell our products. And in a way it is. However, to best achieve that you must motivate a visitor to return to your website.

Rob has researched this topic, and determined that returning visitors are much more likely to purchase your product than first time visitors (and he shared some statistics to back it up). In essence, the ineffective marketer asks you to buy too soon.

The main reasons why people don’t buy from your website are:

  • There’s not enough information on your website to make the decision.
  • They don’t trust you.
  • They don’t have the money.
  • They don’t have a need for your product.
  • They are never going to buy your product.

Rob examines each of these reasons, and suggests how to overcome all of these issues (except for the last one, because there’s nothing you can do about that).

A note on that first bullet item about insufficient information on your website: When Rob mentioned this, the first thing that came to mind was Bob Walsh’s StartupToDo website. I’ve heard good things about StartupToDo, and have thought about joining on several occasions. However, the fact that there’s no evidence on the website of the quality of the service has kept me from joining – even with the free 30 day trial. I’d just like to see a sample Guide, or two, before giving away my information. So I can totally relate to that first bullet item. Rob’s own Micropreneur Academy, which is similar to StartupToDo, is guilty of this.

Statistics on Returning Website Visitors

Rob shared with us statistics from four websites showing the importance of repeat visitors. These are all his websites, except for CrazyEgg.

  • DotNetInvoice: Using three years’ worth of data, Rob determined that returning visitors accounted for 450% more sales than first time visitors. The per visit value earned from first time visitors was $0.55, and $2.41 for returning visitors – a 440% increase.
  • JustBeachTowels: Looking at a one year period shows that returning visitors accounted for 770% more sales than first time visitors. The per visit value earned from first time visitors was $0.17, and $1.53 for returning visitors. That’s a 900% increase!
  • Another WordPress Classifieds Plugin: Here Rob saw a 583% increase in returning visitor sales over first time visitor sales. He looked at 8 days’ worth of data.
  • CrazyEgg: A 60 day period showed returning visitors accounted for 1585% more sales than new visitors.

To clarify the term returning visitor, Rob defines a returning visitor as someone who has returned to the website more than two times. However, someone can visit the website from more than one computer, and each computer counts as a separate visitor. So with that in mind, the real percentages of sales to returning visitors are even higher than the statistics indicate.

So now that you’re convinced on the value of returning visitors, the question is, how do you get visitors to return to your website?

Getting Returning Visitors to Your Website

Email is your answer. Email has the highest click through rates, and is one of the most effective ways to get people to return to your website. Email is a form of personalized broadcasting – the ability to communicate with a large number of people, while making it seem like an individual/personal communication. And as a bonus, email is an excellent way to A/B test pricing and special offers.

Blogging is much harder to pull off than email – it is also a lot more time consuming. Blogging is a good way to get someone to initially visit your website. But, after that initial visit, it’s much harder to motivate someone to return to your website with blogging. Social media can be effective, however, it’s very time intensive as well.

By following the simple 3 step process outlined below, you will increase the number of returning visitors to your website. This process takes advantage of the benefits of email, and should increase your revenue by 10%. Best of all, it will only take about 2 days to implement.

Step 1: Create a killer landing page. Don’t skimp on design. Ensure your landing pages are truly optimized to get your visitors to give you their email address (and permission to contact them). For example, provide a free downloadable user’s manual to your product, or a free demo. Also, don’t make your form too long, or you’ll turn away potential customers. In general, the more value your freebie is perceived to have, the more information your visitor will be willing to give up. Take a look at the below landing pages for inspiration.

Good landing page example - credit card processing

Good landing page example - DotNetInvoice

Good landing page example - Stripe-A-Zone

Step 2: Give something away for free. For example, consider putting together an eBook on a topic of interest to your target market, and give it away in exchange for an email address. It really helps to be unique here. The more unique (and valuable) the free item, the more email addresses you’ll get in return. Smart Bear Software gives away a free book (yup, book, as in an actual physical book) on peer code review. The makers of freckle time tracking give away an eBook on credit card processing.

Smart Bear Software Free Book Offer

Free eBook example from freckle time tracking

Step 3: Set up the follow-up. Follow up with your prospective customers via email. Rob recommends using MailChimp, which offers free service for lists with up to 1,000 subscribers.

Now, let’s go back to the reasons why people don’t buy from your website, and how you can counter each of these concerns. These strategies will become the foundation of your follow-up emails to prospective customers.

  • Problem: There’s not enough information on your website to make the decision.
    • Solution: Provide information.
  • Problem: They don’t trust you.
    • Solution: Build trust.
  • Problem: They don’t have the money.
    • Solution: Provide discounts and wait.
  • Problem: They don’t have a need for your product right now.
    • Solution: Stay fresh in their minds and wait.
  • Problem: They are never going to buy your product.
    • Solution: There is no solution. Forget this segment, and focus your energy on something else.

Let’s look at an example that shows how this follow-up technique can work for you. Test group A was allowed to download a free trial with no email required. Those in test group B needed to provide a valid email address to download the free trial, and were exposed to the below follow-up sequence.

  • On day 0 they received a welcome email with a $5 discount coupon, a link to the free trial, a link to the Getting Started Guide, and customer testimonials.
  • On day 2 they received an email with a buying guide (that highlighted other products), information on the standard and pro plans, information on their iPhone app, and customer testimonials.
  • On day 6 they received an email with an invitation to subscribe to their newsletter, benefits to some of the available features, and customer testimonials.
  • On day 30 they received an outright invitation to buy, and more customer testimonials.

The number of downloads by test group B was down by 33.6% when compared to test group A. That’s not a big surprise since those in group B had to overcome the fear of providing personal information. However, test group B showed a 3.4% increase in sales, an increase in profits by 15.4%, and an increase in first-time purchases by an average of 13.5%.

Avoiding Spam Filters

An extremely costly mistake you can make is letting your emails get stuck in spam filters. Not only is this going to destroy your email marketing, it can also hurt your brand (and reputation), if customers are not receiving your support emails.

Some common, and not so common, spam filter triggers are:

  • Sending the email message only in HTML format instead of text format.
  • Using all capital letters in the subject line.
  • Having a low text to image ratio.
  • Using poorly coded HTML.
  • Using the following terms in your subject line:
    • Dear
    • Extra inches
    • Stop further distribution (instead of using unsubscribe)
    • You registered with a partner
    • Oprah

Side note: This was something we struggled with in the beginning, and still do to some extent. At first, all of our Light Point Security emails were getting flagged as spam. We’ve since made a few changes that helped our emails get through spam filters. By far what helped us the most was using email verification tools, like those provided by All About Spam and Port25 Solutions. These free services print out a report detailing what they found when you send them a sample email message – I highly recommend it.

Increasing Email Open Rates

Now that you’ve made it past a prospective customer’s spam filter, you have to encourage the person to actually open your email message. An important factor in someone’s decision on whether or not to open your email is the content of the subject line. Emails with the lowest open rates contain the following terms in their subject lines:

  • Reminder
  • Specials: Because it indicates you are trying to sell them something.
  • X% off: Because it indicates you are trying to sell them something.
  • Help: Because it indicates you want something from them.

Something else that has a big influence on email open rates is the From name. The From name is usually the second thing a user sees, and the more personal it is, the better. Remember, people buy from people, not companies.

The best choice is to use the sender’s name in the From field. For example, if you receive an email from me, it will say Zuly Gonzalez. The next best option is to use the sender’s name along with the company name. For example, Zuly Gonzalez | Light Point Security. The third best option is to use the person or department’s role. For example, Light Point Security Support. The worst option is to just use the company name. For example, Light Point Security.

Rob Walling presenting at the 2010 Business of Software conference (BoS2010)
Image credit: Mark Littlewood

More Email Marketing Recommendations

One problem you may encounter is people giving you a fake email address. To discourage this behavior, try implementing a double opt-in process. For example, you may require the user to click on a link sent to the email address they provided, in order to validate the email.

A good technique to try is requiring the user’s email address at install time, instead of before downloading the free trial. Once they have downloaded the trial, they are much more committed, and will be more likely to give you their email address. You can request the email address after your product has been downloaded in order to send the user a key required to install the product. There was one data point from an audience member who used this technique, and he said it increased his email capture by 10%.

If you haven’t contacted someone within the last 6 months, throw away their email address. After 6 months, odds are they have forgotten about you, and will see your email message as spam.

In your initial welcome email, thank them for buying your product, and ask them what they want to do with your product. Learning how your customers use your product, and why they want to use your product, will help you improve it.

When emailing your users, also ask them if they have any feature requests. Again, this is great feedback you can use to improve your product.

One of the nice things about SaaS products is that you can tell if people are actually using your product, or not. You can use this information to email your inactive customers, and hopefully get some feedback as to why they are not using your product. This can also help you A/B test your email marketing campaigns to learn which emails worked, and which ones flopped.

Key Takeaway From Rob’s BoS2010 Presentation

Returning visitors buy more than first time visitors. Therefore, the primary goal of your website is to encourage visitors to come back. Because the most effective way to get returning visitors is via permission based email marketing, the main goal of your website is to obtain a visitor’s email address. After obtaining email addresses, implement an email follow-up strategy.

Rob posted a brief summary of his 2010 Business of Software presentation on his blog, along with a copy of the slides.

Memorable Quote

The most memorable quote from Rob’s BoS2010 presentation was:

  • “The ineffective marketer asks you to buy too soon.”

More on Rob Walling

Rob Walling is a serial entrepreneur and author of Start Small, Stay Small: A Developer’s Guide to Launching a Startup. He blogs about building self-funded startups and runs the Micropreneur Academy, an online learning community of like-minded founders designed to get a startup from zero to launch in six months. Walling runs 11 one-man technology businesses and has been building web applications professionally for 11 years.

Follow Rob on Twitter here.

You can find Rob’s blog here.

If you found this information to be useful, take a look at Rob’s new book, Start Small, Stay Small: A Developer’s Guide to Launching a Startup – you can even download the first chapter for free. You can also read the chapter on virtual assistants on Jason Cohen’s Smart Bear blog.

What are your thoughts on Rob’s presentation? If you attended BoS2010, did I miss an important point? What was your favorite part of Rob’s presentation? What was your key takeaway from his talk?

Inspirational Business Quotes From the Business of Software Conference
Posted by Zuly Gonzalez | Categories: Business of Software, Events, Fun Friday, Startups | 2 Comments

In my second Fun Friday post, I’m going to share with you the top 11 business quotes from the 2010 Business of Software conference (BoS2010).

I attended the Business of Software conference this year, and highly recommend it. The conference was jam-packed full of insights for software startups, and was truly an inspirational event.

Top 11 Business Quotes From BoS2010

“Be so good they can’t ignore you.” ~ Peldi Guilizzoni

Peldi of Balsamiq BoS2010 Quote: Be so good they can’t ignore you
Image credit: Betsy Weber

“Fall in love with the problem, not with your solution.” ~ Peldi Guilizzoni

Peldi of Balsamiq BoS2010 Quote: Fall in love with the problem, not with your solution
Image credit: Betsy Weber

“Brand is what people say about you after you’ve left the room.” ~ Dharmesh Shah

Dharmesh Shah BoS2010 Quote: Brand is what people say about you after you’ve left the room
Image credit: Betsy Weber

“Don’t make customers happy. Make happy customers.” ~ Dharmesh Shah

Dharmesh Shah BoS2010 Quote: Don’t make customers happy. Make happy customers
Image credit: Betsy Weber

“Improve the product experience, and everybody wins.” ~ Dharmesh Shah

Dharmesh Shah BoS2010 Quote: Improve the experience, and everybody wins
Image credit: Betsy Weber

“Don’t make ___(marketing)___ software. Make ___(marketing)___ superstars.” ~ Dharmesh Shah

Dharmesh Shah BoS2010 Quote: Don’t make __software. Make __ superstars
Image credit: Betsy Weber

“Services are low margin. Except when they’re not.” ~ Dharmesh Shah

Dharmesh Shah BoS2010 Quote: Services are low margin. Except when they’re not
Image credit: Betsy Weber

“Give more than you take.” ~ Patrick Foley

Patrick Foley BoS2010 Quote: Give more than you take
Image credit: Betsy Weber

“The hard part of feature design…what to leave out.” ~ Dan Bricklin

Dan Bricklin BoS2010 Quote: The hard part of feature design…what to leave out
Image credit: Betsy Weber

“If you want to be different, you must be willing to embrace your negatives.” ~ Youngme Moon

Youngme Moon BoS2010 Quote: If you want to be different, you must be willing to embrace your negatives
Image credit: Betsy Weber

“Competence is no longer a scarce commodity.” ~ Seth Godin

Seth Godin BoS2010 Quote: Competence is no longer a scarce commodity
Image credit: Mark Littlewood

What Is Fun Friday?

I created the Fun Friday category to be a collection of very short, and easy to read, posts. The intention is to provide useful information in a compact form factor. These posts will showcase short videos, graphs, top 10 lists, and anything else that can be digested quickly.

Now it’s your turn. What other meaningful business quotes have inspired you?

What Startups Should Worry About: Peldi Guilizzoni’s 2010 Business of Software Conference Presentation
Posted by Zuly Gonzalez | Categories: Business of Software, Events, Startups | 2 Comments

This post is part of a series of posts from the 2010 Business of Software conference (BoS2010). For a summary of the conference, and an index to the other presentations, click here.

Peldi’s 2010 Business of Software presentation: “Do Worry… Be Happy!” – One thing they don’t tell you about quitting your job to become a startup CEO is how much you’re going to worry about things.

Peldi Guilizzoni & Zuly Gonzalez at BoS2010

Peldi was my favorite BoS2010 presenter. He started off with a really cool Bobby McFerrin video, and kept the energy going all the way to the end. His presentation was candid, and very inspiring. I hope they post Peldi’s presentation online, because there is no way I can do it justice here.

After his presentation, I had the opportunity to talk to Peldi. He’s such a nice guy! He’s very humble, and someone you can easily relate to. He’s the type of guy you want to succeed.

What Startup Owners Worry About

What do startup owners worry about? Everything! What should startup owners worry about? Well, not everything.

It’s actually really hard to choose to ignore certain threats, but it’s crucial for your business’s success. Deciding what’s worth worrying about is not an easy task, and can seem daunting at times – but it’s a necessary skill to learn. And even more important than learning to decide which concerns are worth worrying about is learning to cope with, and live with, the uncomfortable emotions that result from trying to ignore the less important issues.

In his 2010 Business of Software presentation, Peldi shares some of the issues that concern him, and discusses which ones are worth worrying about, and which ones are not. Peldi also shares some tips to overcome, and deal with, those fears.

Why You Should Listen to Peldi

Why should you listen to Peldi? Well just take a look at his revenue chart below. $2M in just 27 months! I’d say he knows a thing or two about running a successful software business.

Peldi Guilizzoni's Balsamiq Revenue Chart at BoS2010
Image credit: Mark Littlewood

What Startup Owners Should Not Worry About

Peldi started off by discussing three common fears startup owners worry about, but shouldn’t.

Asking customers to pay for your product. We have been paying for products since the beginning of time – I want something you have, so I’ll trade you for something you want (usually cash). But, for some reason we have this weird aversion towards paying for software. (Side note: I’m not totally sure why that is, but I suspect it has something to do with the internet being “free”, and the wide abundance of free software you can find online these days. My guess is that pre-internet it wasn’t so hard to imagine someone paying cash for a piece of software.)

So, don’t worry about asking customers to pay for your product – it’s a basic concept. And in general, if you have a decent product, people will pay for it. HubSpot co-founder Dharmesh Shah and other startup experts suggest you start charging for your product as soon as possible, because you get far better feedback from paying customers.

Not having enough time. There will never be enough hours in the day to accomplish everything you need to. We all have this problem, and it’s one that will never go away, but worrying about it will only make things worse – and take your time away from working on real issues. Prioritize your tasks, and complete the most important ones first. The rest can wait until tomorrow.

Pirates. Software pirates, that is…not the ones off the coast of Somalia. You’ll never have a 100% guarantee that no one will steal your software. You can take steps to prevent most people from doing so, but you’ll be hard pressed to stop a really determined individual. Plus, this is becoming more of a non-issue these days with the movement towards SaaS. The little bit of money you will lose to software pirates is not worth the time spent trying to stop them. Don’t worry about it, take it as a compliment, and move on.

Peldi Guilizzoni Discussing Software Pirates at BoS2010
Image credit: ©John M. P. Knox

Common Startup Fears

When to quit your full-time job. After working on his wireframing tool part-time for several months, Peldi decided to take a leap of faith, and quit his job at Adobe. This was before his company was profitable. Making this decision is not an easy one, and will vary from person to person. There are a lot of things you need to consider, such as:

  • How much savings you have
  • Who else this decision will impact (do you have kids, a wife/husband, or other dependents)
  • Your risk tolerance
  • How far away your startup is from profitability
  • The likelihood of success

Having competition. You should embrace your competition. Competition is a validation of your market, and your idea. If there is no competition, maybe that means there is also no market to be had. In fact, you want to create something so good that people will want to copy it. You can also learn from your competition’s mistakes to make your product even better.

Building the wrong product. What if no one wants to buy your product? That’s a reasonable fear to have. It’s important to be flexible, and realize that your final product may not look anything like your initial vision. The key is to fall in love with the problem, not the solution. Listen to your customers, and modify your product if necessary. In the beginning, customer feedback is far more important than money, because it allows you to shape your product into something that the masses will want, and pay for.

Work/Life balance. You can’t spend every waking moment working on your business, and ignore your family in the process. You need a good balance that works for you, and your family. After all, they’re probably the reason why you’re doing this. Peldi’s strategy is to work while his family is sleeping, so they won’t know that he’s ignoring them.

Not being noticed. These days everyone wants to get on TechCrunch, or on the front page of Digg. The trick is to be so remarkable you can’t be ignored. Getting noticed is great – it’s what you want. But be careful what you wish for, it can also be a bad thing if you’re not prepared.

Picking a niche that is too small. A small market can be a good thing for a startup, because it is much easier to lead. Peldi gave the example of Bingo Card Creator – a very small market. Seriously, when was the last time you had to create your own Bingo cards?…When was the last time you played Bingo? Although it’s a tiny niche, Patrick McKenzie (a BoS2010 Lightning Talk speaker) is making it work. And so can you.

Peldi Guilizzoni discusses small niches at BoS2010
Image credit: Betsy Weber

Finding advisors/mentors. Peldi has no formal method for finding advisors. The most important thing is to be yourself. The best advisor is one who you feel comfortable with, and can trust. It does you no good to have the top expert in your field (better known as Frank to those of us who attended BoS2010) as an advisor, if you can’t feel comfortable enough with him to discuss all of your business problems in excruciating detail. So look for someone you click with – someone who would be your friend even without the expertise.

Learning. Peldi suggests you read as much as you can, especially before you start your venture, because you’ll be too busy to read after you’ve started. Peldi highly recommends you read You Need To Be a Little Crazy: The Truth About Starting and Growing Your Business. The book details all the horrible things that can go wrong while running a business. Peldi says it’ll scare you more than anything. However, if you still decide to pursue your venture after reading it, not only are you truly committed to the idea, but you will also be ready for the troubles that lie ahead.

Dealing with the business side. Most software startup owners are technical people. We are good at what we do technically, but we have no previous business experience. Developing a great product isn’t enough to succeed; you also need business brilliance. Most of us have never worked with accountants or lawyers in the past, dealt with payroll or EULAs, or heard of terms such as accrual versus cash or NAICS codes. Peldi says you need to fake it. Pretend you have expensive lawyers and accountants behind you. Pretend you are the CEO of more than a one-man startup. Always say ‘we’ instead of ‘I’, even if it is just you.

Feeling like a fraud. Peldi has been extremely successful with Balsamiq, yet he doesn’t feel he is at the same level as the other BoS2010 speakers. Feeling like a fraud is not all that uncommon among successful startup owners. In fact, research shows that 40% of successful people consider themselves frauds, and 70% of all people feel like fakes at one time or another. It’s fine to have these thoughts. The trick is to use these thoughts to improve your product. Don’t let them take over you, and destroy your business. Talk to an advisor, or other people you trust, about your fear – they will help you.

Raising capital. This isn’t always necessary, especially for software startups, which require very little capital to get started. One option is to retain your full-time job, and work on your venture part-time until it takes off. Another option is to use your savings to fund your startup. Unless you are looking to be the next Facebook, don’t worry about raising capital; make do with what you can easily get.

When to start hiring. It’s important you don’t hire employees too early. You could end up in a situation where you don’t have enough work for them, but are still paying them just the same. Peldi waited a long time before hiring his first employee. His suggestion is to “wait until you are about to die” before hiring someone.

Forgetting something important. A great way to remember things is to write them down. Peldi chooses to blog. Blogging is a way to record what you’ve done and what you want to do, and to ask for feedback from your customers/readers. A side benefit of blogging is its marketing effect. Blogging shows your human side, and hopefully your personality will shine through. People would rather buy from people than from companies.

Creating a business plan. Writing a business plan is a good way to organize your thoughts, and really think about the viability of your business idea. However, it’s not something you should obsess over. The truth is that nobody reads business plans anyway. It’s a must have if you are looking for investors, but don’t fool yourself into believing that they will actually read the whole thing. And when an investor does look at it, he is just looking for all the reasons why he shouldn’t do business with you. Investors also know that the financial projections in your business plan are completely unrealistic. So write a trimmed down version for yourself, and move on.

Key Takeaway From Peldi’s BoS2010 Presentation

As you run your business, you will worry about almost everything, however, not everything is worth worrying about. Only worry about the important things – the rest will eventually work itself out.

Fun Facts About Peldi

I learned a couple of things about Peldi during his talk:

Memorable Quotes

Some memorable quotes from Peldi’s BoS2010 presentation:

  • “Be so good they can’t ignore you.”
  • “Fall in love with the problem, not the solution.”
  • “Create something so good people will want to copy it.”
  • “If you work while they [your family] sleep, they won’t know you’re ignoring them.”

More on Peldi Guilizzoni

Peldi Guilizzoni of Balsamiq at the 2010 Business of Software conference
Image credit: ©John M. P. Knox

Giacomo ‘Peldi’ Guilizzoni is the founder and CEO of Balsamiq, makers of Balsamiq Mockups, a wireframing tool for programmers, UX experts, and even business types. Balsamiq has been a bit of a poster child for a new wave of tiny but ambitious bootstrapped tech startups, netting over $1.6M in sales in the first 18 months of operation and gathering rave reviews. Peldi is a champion of the “radical transparency” trend that’s sweeping the Internet, through his posts on the Balsamiq blog.

You can find Peldi’s personal blog here, and his Balsamiq product blog here.

Follow Peldi on Twitter here.

What are your thoughts on Peldi’s presentation? If you attended BoS2010, did I miss an important point? What was your favorite part of Peldi’s presentation? What was your key takeaway from his talk?


Measuring Customer Happiness: Dharmesh Shah’s 2010 Business of Software Conference Presentation
Posted by Zuly Gonzalez. Categories: Business of Software, Events, Startups.

This post is part of a series of posts from the 2010 Business of Software conference (BoS2010). For a summary of the conference, and an index to the other presentations, click here.

Dharmesh’s 2010 Business of Software presentation: “Building A Great Software Business: Notes From The Field”

Zuly Gonzalez & Dharmesh Shah at BoS2010

I’m a big fan of Dharmesh. I’ve been following him for some time now, so I was really looking forward to his presentation.

Before heading out to Boston, I watched Dharmesh’s 2009 and 2008 BoS presentations (to see the videos go to the end of this post). It was nice to see some recurring topics in his presentations, because that indicated to me that these were important enough ideas for him to repeat.

Dharmesh’s 2010 talk was packed full of insights – customer acquisition, customer retention, customer data, transparency, and venture capital. Dharmesh provided us with lots of useful equations and data throughout his presentation.

How to Measure Customer Happiness

To have a successful software business, you need happy customers. It’s simply not enough to just acquire lots of customers – you need to retain them. And to retain your customers, you need to make them happy.

Let’s look at customer acquisition first, and then customer retention.

Customer Acquisition

The total Cost Of Customer Acquisition (COCA) is determined by dividing the number of dollars spent on Smarketing by the total number of customers. Smarketing, as defined by Dharmesh, is the total cost of sales and marketing.

Definition of Smarketing by Dharmesh Shah at BoS2010
Image credit: Mark Littlewood

The Lifetime Value (LTV) of a customer is the value, in terms of dollars, that you get from a customer for the expected length of time he’s your customer. For example, if you have a customer that pays $10/month, and you expect him to be a paying customer for 4 years, then the Lifetime Value of that customer is $480.

LTV = annual revenue from customer * expected length as customer

A customer’s LTV should be greater than your COCA. If it’s not, that means it’s costing you more money to acquire a customer than you’re making from that customer. That’s a bad business model…and sure to fail! If the LTV is much greater than the COCA, then it’s time to start pumping more money into the business to start acquiring more customers.

These may seem like obvious points, but the problem is that very few of us actually take the time to do these calculations. Keeping an eye on these numbers will help you make better business decisions.

Customer Retention

It takes a fair amount of capital to obtain a customer. Therefore, once you acquire a customer, it’s important to retain him as a customer for as long as possible. Customer churn, or customer turnover, is the rate at which your leaving customers are replaced by incoming customers.

Customer churn can be measured in several ways. The simplest way is to look at what percentage of customers are actually staying onboard versus leaving. Another way to measure customer churn is to look at what percentage of leaving customers are high paying customers versus customers on your lower priced plans.

When looking at customer churn, the higher the number of customers staying on compared to the number of customers leaving, the better. However, the above methods of looking at customer churn can lead to deceiving numbers. A better way to measure customer churn is to measure the discretionary churn.

Discretionary churn measures how many users actually have the option of canceling your service. For example, a customer tied into a 6 month subscription plan may not be happy with your service; however, he won’t have the option to cancel for another 6 months. So, discretionary churn is a much better way of measuring customer churn than the above methods.

Customer churn can be a good measure of a customer’s happiness with your product or service. However, it is imperfect, because the absence of churn doesn’t necessarily indicate customer happiness. And this takes us to HubSpot’s Customer Happiness Index (CHI).

Customer Happiness Index (CHI) by Dharmesh Shah at BoS2010
Image credit: Betsy Weber

What Is the Customer Happiness Index

The guys at HubSpot created the Customer Happiness Index (CHI). CHI is a number from 0 to 100 that measures the probability any given customer will cancel, given the option to cancel. CHI is determined by three factors:

  • Frequency of product use: By looking at the frequency of use, you can assume that the more a customer uses your product, the happier they are with it, and the less likely they are to cancel.
  • Breadth of product use: By looking at the breadth of use, you can assume that the customers who use more features are happier with your product, and again are less likely to cancel.
  • Sticky product features: This one is important, and probably not so obvious. Sticky features are features that provide a lot of value to your customers, especially when compared to your competition. Those customers that use sticky features are likely to be happier, and thus less likely to cancel. HubSpot has found that this factor is more important than frequency of use and breadth of use – irregular users that use sticky features tend to stick around longer than those that use frequently and use lots of features.

By religiously following the CHI scores of customers, HubSpot can identify early on which customers are unhappy. They can then take a proactive step towards fixing the problem by calling up the customer before they cancel. This action has helped HubSpot keep about 33% of their previously unhappy customers.

Dharmesh did warn against taking their success rate too much to heart. Although they may have prevented a customer from canceling this month, if the customer’s happiness level isn’t brought up significantly, odds are that customer may still cancel the following month.

The cool thing about CHI is that it can be used to measure other aspects of your business, not just which customers are likely to cancel. You can also use CHI to:

  • Measure the quality of the leads generated by your marketing efforts
  • Make decisions on which product features to keep, remove, add, enhance, etc.
  • Make decisions on how much to compensate your sales folks.

How to Improve the Customer Happiness Index

“Invest in the experience, not the product, and everyone wins.”

Dharmesh used a quote from Kathy Sierra’s 2009 BoS presentation to set the mood:

Don’t make ___(fill in the blank)____ software. Make ___(fill in the blank)____ superstars. For example, don’t make marketing software. Make marketing superstars.

The key is to think about your customers. Think about what they want out of your software, what they want to accomplish. Make them awesome at what they do. Case in point, meet Molly:

HubSpot's Molly the teddy bear presented by Dharmesh Shah at BoS2010
Image credit: Mark Littlewood

The stuffed teddy bear in the picture is Molly. Molly is the customer’s stand-in, and is required for quorum at all of HubSpot’s management meetings. Most meetings don’t happen without someone saying, “What would Molly say?” It’s a good way to remember that your software is really about your customers, and making them great at what they do.

However, Dharmesh did point out that although customers are very good at finding problems, they are not so good at finding solutions for those problems. So remember that it is your job to find solutions to their problems. (Side note: This reminds me of the old project management cartoon about project requirements 🙂 )

Increasing Customer Happiness Through Services

Another way to increase a customer’s CHI score is by providing consulting services. HubSpot decided to not only offer consulting services to their customers, but to also charge for those services. Why charge? If a customer pays several hundred dollars for a few hours of consulting they will:

  • See more value in it, than if it were a free service. Something that costs $500 is definitely better than something that costs $0, right?
  • Get more out of their consulting session. If the customer is paying $500 for consulting you better believe that they are going to get their money’s worth out of the session. The customer will ask questions, and make sure they understand everything, just because they paid for the service.

A customer that knows how to get the most out of your product will be a happy customer (assuming you have a good product), which will increase their use of your product, as well as their LTV. Therefore, you should work towards making that happen – whether you charge for it or not.

HubSpot’s profit margins on consulting are actually very low. However, they continue to offer these services because it increases their customers’ CHI scores, which in the long run means greater overall profits for the business.

How to Gain (and Keep) Customers With Branding

Your brand is an important part of your business – and of acquiring and retaining customers. The most important thing your business can do (aside from creating a brilliant product) is to not screw with your customers. Dharmesh strongly advises against the Salesforce philosophy – don’t trick people into buying your product. To put it in Dharmesh’s words, “Brand is what people say about you after you have left the room.”

HubSpot Tidbits

Dharmesh shared some HubSpot philosophies, including how much company information they share, and why they decided to accept venture capital.

Transparency Trumps Secrecy

Except for salary information, all of HubSpot’s data is available to all employees. All data! This includes financial information. (Side note: This seems to work for HubSpot. I recently saw the below tweets from HubSpot employees.)

Although HubSpot makes all of their data available to its employees, the data is off limits to the public. The reason is that they don’t see any real benefit to doing so.

The Evilness of Venture Capital

HubSpot is not Dharmesh’s first startup, but it is his first venture-backed startup. Most of us think of pure evil when we think of Venture Capitalists, but VCs can play an important role in some businesses. Most software startups don’t need venture capital, and are actually doing themselves a disservice by pursuing it. But there are a few select startups that can benefit from venture capital.

If you are aiming for quick, high growth (like Facebook), or are starting a business that requires a lot of upfront capital (like a hardware business), then it might make sense to obtain venture capital. At HubSpot, they made a decision early on that they:

  1. Wanted to become the dominant player in the industry.
  2. Were looking for rapid growth.

Because you need a lot of money to accomplish both of these goals, they chose to look for venture capital. A key part of HubSpot’s strategy was to acquire these funds before they actually needed the money. The reason being that:

  1. It is easier to obtain venture capital before you need it, than it is if you are already in need of it.
  2. You get better terms early on because you aren’t desperate for the money and can always back out.

Do note that once you take VC funds, you move from solving your customers’ problems to solving your investors’ problems. And the two rarely align with each other.

Key Takeaways From Dharmesh’s BoS2010 Presentation

These are the main points I got out of Dharmesh’s BoS2010 talk:

  • Log as much data as you have, even if you can’t use it now. You may be able to use it in the future.
  • Measure your customers’ happiness. Come up with your own metrics if you have to, but look at those numbers closely. Determine what makes happy customers, and what doesn’t, and adjust your business model accordingly.
  • Dream big, and execute small. If someone offers to buy your company, seriously consider it, even if it’s not what you dreamed of. Selling gives you cash, which allows you to move on to your next dream 🙂

Memorable Quotes

Some memorable quotes from Dharmesh’s BoS2010 presentation:

  • “Don’t make customers happy. Make happy customers.”
  • “Brand is what people say about you after you’ve left the room.”
  • “Venture capital is neither necessary nor evil.”
  • “Services are low margin…except when they’re not.”
  • “Invest in the experience, not the product, and everyone wins.”
  • “Customers are very good at finding problems, not at finding solutions for those problems.”
  • “Transparency trumps secrecy.”
  • “Dream Big. Execute Small.”

Dream Big, Execute Small presented by Dharmesh at BoS2010
Image credit: Betsy Weber

More on Dharmesh Shah

Dharmesh Shah is the founder and CTO of HubSpot, a venture-backed software company offering a hosted software service for inbound marketing. Prior to HubSpot, Dharmesh was the founder and CEO of Pyramid Digital Solutions. Pyramid was a three-time recipient of the Inc. 500 award and was acquired by SunGard Data Systems in 2005. Dharmesh is also the author of, a top-ranking startup blog with over 20,000 subscribers and 100,000 members in its online community. Dharmesh is the co-author of Inbound Marketing: Get Found Using Google, Social Media and Blogs.

You can find Dharmesh’s startup blog here.

Follow Dharmesh on Twitter here.

Dharmesh’s summary of his 2009 BoS presentation can be found here, on his blog. And his summary of his 2008 Business of Software presentation can also be found on his blog.

What are your thoughts on Dharmesh’s presentation? If you attended BoS2010, did I miss an important point? What was your favorite part of Dharmesh’s presentation? What was your key takeaway from his talk?

Leading a Tribe: Seth Godin’s 2010 Business of Software Conference Presentation
Posted by Zuly Gonzalez. Categories: Business of Software, Events, Startups.

This post is part of a series of posts from the 2010 Business of Software conference (BoS2010). For a summary of the conference, and an index to the other presentations, click here.

Seth’s 2010 Business of Software presentation: “Are you afraid to truly make an impact? The opportunity for linchpin organizations and the people who run them.”

Being a great programmer is no longer sufficient to succeed. Creating a piece of software that works is no longer an indicator of success. Times have changed. And in a world where we are bombarded with brands and products, we must create a unique experience to succeed.

Seth Godin at Business of Software (BoS2010)
Image credit: Mark Littlewood

Today, everyone and their mother can whip up a working software program. Competence is no longer a scarce commodity.

Because the cost of producing and marketing a software product is closely approaching $0, it is becoming an increasingly crowded market, full of competition. It is now harder than ever to stand out from the crowd. As a result, success in the software industry is now dependent on your ability to create a tribe – a movement, a place of belonging, a community – and lead it.

Creating a Tribe and Leading It

People want to belong to a tribe – it’s human nature. People are also waiting to be led, and it’s your job to lead them. But how, you ask? You must be creative, but most importantly, you must tap into their emotions. Make them feel something – joy, compassion, anger, outrage, importance, etc. Make them feel like they are part of something bigger, something lasting, something good.

Seth gave several examples during his talk, but there was one example I felt a deeper connection to. Seth explained how one man from the SPCA was able to lead a movement to make the city of San Francisco a no-kill city. He later went on to accomplish the same thing in other U.S. cities, with no money and no recognition. How did he accomplish such a feat? Because this was about more than just one man, and because it touched the hearts of people like you and me. This was about improving the lives of many.

Your mission, should you choose to accept it, is to create a movement, and lead it! But software that’s boring will never turn to a movement. When considering a product’s viability, Seth says there are four things you should ask yourself:

  • Who do I need to reach? And how can I reach them?
  • Will they talk about my product to others?
  • Do I have permission to continue talking to them after I’ve reached them?
  • Will they pay for my product?


Seth Godin at the 2010 Business of Software conference (BoS2010)
Image credit: ©John M. P. Knox

The Network Effect

In the old days, using software was a lonely experience. Today, software is used by millions to connect with each other. Question number 2 above is central to making the network effect work for you. If you create value and provide a unique experience for your users, they will market your product for you.

When considering a software’s network effect, ask yourself:

  • Is my product creating a demonstrable value?
  • Is it easy and obvious for someone to recruit someone else?
  • Is my product open enough to be easy to use, but closed enough to avoid becoming a commodity?

Key Takeaway From Seth Godin’s Presentation

The best way to sum up Seth’s Business of Software presentation is to use his own words: “Software won’t succeed because it was written by a brilliant programmer. It will succeed because of the business brilliance behind it.”

Memorable Quotes

Some memorable quotes from Seth’s BoS2010 presentation:

  • “The reason to fit in is to be ignored.”
  • “Software that’s boring will never turn to a movement.”
  • “People are waiting to be led.”

Seth summarized his BoS2010 presentation on his blog. You can find it here.

More on Seth Godin

Seth Godin is a renowned speaker and bestselling author of 10 books that have been translated into 20 languages, and have transformed the way people think about marketing, change and work. He is responsible for many words in the marketer’s vocabulary including permission marketing, ideaviruses, purple cow, the dip and sneezers. His latest book, Tribes, is about leadership and how anyone can become a leader, creating movements that matter.

You can find Seth’s marketing blog here.

Follow Seth on Twitter here.

View Seth’s 2008 Business of Software presentation: “Too important to be left to the marketing department”

What are your thoughts on Seth’s presentation? If you attended BoS2010, did I miss an important point? What was your favorite part of Seth’s presentation? What was your key takeaway from his talk?

The 2010 Hacker Challenge
Posted by Zuly Gonzalez. Categories: Events, Security.

October is National Cyber Security Awareness Month, and what better way to promote it than with the 2010 Hacker Challenge.

The 2010 Hacker Challenge Logo

The Hacker Challenge is a competition in which Department of Defense Sailors, Soldiers, Marines, Airmen and civilian government employees try their hands at solving computer and network security problems. It’s a free and open competition designed for beginner to intermediate level security professionals and enthusiasts, and is designed to engage military and civilian members in a fun and educational way.

It started three years ago as a way to address training deficiencies in some of the military’s mandatory computer security training courses.

Hacker Challenge 2010 Details

The 2010 Hacker Challenge begins on October 27, 2010, and ends November 10, 2010. During this two-week period, participants will work at their own pace to solve the challenges. If you’re interested in participating in the 2010 Hacker Challenge, you must sign up before October 25, 2010.

Teams of up to 6 members are allowed, including one person teams.

The Hacker Challenge consists of two parts – a written portion and a hands-on portion. The written portion involves a series of questions that will test a participant’s knowledge of technology and security topics. The hands-on portion will test the participant’s security knowledge through the use of tools during practical exercises. Some challenges will be easier than others. For a few examples see the sample Hacker Challenge questions below.

This is a friendly competition, and does not involve the use of any malicious software. There are also strict rules on cheating, and what is considered cheating. Any team caught cheating will be disqualified, and it will be publicized on the Hacker Challenge blog.

Sample Hacker Challenge Questions

Below are a few of the questions you might find in the Hacker Challenge competition. These questions were taken from the 2009 Hacker Challenge. Remember this contest is for beginner to intermediate level security enthusiasts.

1) Download and crack the passwords found at this link.

2) You perform a banner grab against a customer’s web server and get the following response. What does it mean?

GET / JUNK/1.0
HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:17:47 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
ETag: "32417-c4-3e5d8a83"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html

3) Download the packet capture in the below link and look at the device with the MAC address of 00:12:0E:6F:B4:4B. What is this device, and what do you think it’s doing during the time period traffic was captured?

4) Watch Hak5 episodes 1 and 3 from season 4 and pay attention to the sections dealing with the “WiFi Pineapple.” Discuss how the WiFi Pineapple is able to masquerade as a “trusted” AP and suggest at least one way that a user can tell this type of attack is occurring.

5) Dig through the below captured packet and state the following things: (a) What browser is being employed? (b) What application on the browser will be used? (c) What OS is being used? (d) What device did this packet come from?

0000  00 04 5a f2 25 d8 00 12 0e 6f b4 4b 08 00 45 00
0010  00 de a2 ab 40 00 40 06 b5 3d ac 14 14 05 4a dc
0020  d7 3b 05 f9 00 50 c5 5f 13 be 38 8e eb 66 50 18
0030  0b 68 c9 47 00 00 47 45 54 20 2f 63 68 75 6d 62
0040  79 5f 76 69 64 65 6f 73 2f 62 61 6c 6c 73 2e 66
0050  6c 76 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73
0060  74 3a 20 72 62 65 6c 6f 74 74 65 2e 6e 65 74 0d
0070  0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 55 73
0080  65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c
0090  61 2f 35 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c
00a0  65 3b 20 55 3b 20 43 68 75 6d 62 79 3b 20 4c 69
00b0  6e 75 78 29 20 46 6c 61 73 68 20 4c 69 74 65 20
00c0  33 2e 30 2e 34 0d 0a 50 72 61 67 6d 61 3a 20 43
00d0  68 75 6d 62 79 0d 0a 43 6f 6e 6e 65 63 74 69 6f
00e0  6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a

For more information on Hacker Challenge 2010, visit the official website.

Coming Soon: The Advanced Hacker Challenge

If you are a security professional in the advanced category, don’t lose hope. In late 2011 an advanced Hacker Challenge will be introduced, and it will be completely different from the basic/intermediate version. The new advanced version will be almost completely hands-on. The advanced version write-ups will require a deeper understanding of security concepts, and the targets will be a bit of a challenge. And FYI, some of the advanced challenges will require participants to sign a “release of liability” form.