Roy Firestein

Security Feeds

Archive for 'My Recent Reads'

tcpdump and IPv6, (Sun, Oct 23rd)

October 24th, 2011. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
I have been experimenting with IPv6 and tcpdump libpcap over the past several weeks and here are some of the filters that I have found working for me to look for certain types of IPv6 traffic. tcpdump and IPv6 still have some limitations but it is still able to zoom in on some of the data you might be looking for. Here is the list of libpcap filters:
IPv6 and TCP

tcpdump -nr ipv6_traffic.pcap ip6 proto 6

tcpdump -nr ipv6_traffic.pcap ip6 protochain 6
IPv6 and UDP

tcpdump -nr ipv6_traffic.pcap ip6 proto 17

tcpdump -nr ipv6_traffic.pcap ip6 and udp
IPv6 and host fec0:0:0:bebe::2

tcpdump -nr ipv6_traffic.pcap ip6 host fec0:0:0:bebe::2
IPv6, host fec0:0:0:bebe::2 and TCP port 22

tcpdump -nr ipv6_traffic.pcap ip6 host fec0:0:0:bebe::2 and tcp port 22
IPv6, host fec0:0:0:bebe::2 and everything except TCP port 22

tcpdump -nr ipv6_traffic.pcap ip6 host fec0:0:0:bebe::2 and not tcp port 22

tcpdump -nr ipv6_traffic.pcap ip6 host fec0:0:0:bebe::2 and protochain 6 and not tcp port 22
IPv6, host fec0:0:0:bebe::2, and all traffic to destination port TCP 22

tcpdump -nr ipv6_traffic.pcap ip6 host fec0:0:0:bebe::2 and tcp dst port 22
IPv6, host fec0:0:0:bebe::2, and all traffic from source port TCP 22

tcpdump -nr ipv6_traffic.pcap ip6 host fec0:0:0:bebe::2 and tcp src port 22
If you have tested other libpcap filters not listed here and would like to share them, post them in the comment form or email them via our contact form.
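The difference between the proto and protochain filters above, and the reason the port filters can miss IPv6 traffic that carries extension headers, is easiest to see with a parser that walks the header chain. This is an added example, not code from the ISC post: it builds a few constructed IPv6 packets and matches them with small models of the filter semantics; treating libpcap's port test as reading the ports at a fixed offset right after the 40-byte IPv6 header is a simplification, and tcpdump -d 'ip6 host fec0:0:0:bebe::2 and tcp port 22' prints the BPF your own tcpdump version actually compiles.

```python
import ipaddress
import struct

# IPv6 extension headers that can sit between the fixed header and the transport header
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
TCP, UDP = 6, 17

HOST = "fec0:0:0:bebe::2"  # the host used in the filters above


def build_ipv6(src, dst, chain, transport, sport, dport):
    """Constructed test input: a minimal IPv6 packet with the extension headers
    listed in 'chain', followed by an 8-byte stub TCP/UDP header carrying the ports."""
    nexts = chain + [transport]
    body = b""
    for i, ext in enumerate(chain):
        nh = nexts[i + 1]
        if ext == FRAGMENT:
            body += struct.pack("!BBHI", nh, 0, 0, 0)  # fragment header is a fixed 8 bytes
        else:
            # NextHdr, HdrExtLen=0 (8 bytes total), then a PadN option filling the rest
            body += struct.pack("!BB", nh, 0) + b"\x01\x04" + b"\x00" * 4
    body += struct.pack("!HHI", sport, dport, 0)
    hdr = struct.pack("!IHBB", 6 << 28, len(body), nexts[0], 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


def parse_ipv6(pkt):
    """Walk the extension-header chain and report both the fixed header's Next
    Header value and the real upper-layer protocol plus its offset."""
    ver_tc_fl, _plen, nh, _hlim = struct.unpack_from("!IHBB", pkt, 0)
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
        "next_header": nh,
        "ext_chain": [],
    }
    off = 40
    while nh in EXT_HEADERS:
        info["ext_chain"].append(nh)
        nxt = pkt[off]
        # Fragment header is 8 bytes; the others are (HdrExtLen + 1) * 8 bytes
        off += 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        nh = nxt
    info["proto"], info["l4_offset"] = nh, off
    return info


def match_proto(pkt, proto):
    """Model of 'ip6 proto N': only the fixed header's Next Header field is tested."""
    return parse_ipv6(pkt)["next_header"] == proto


def match_protochain(pkt, proto):
    """Model of 'ip6 protochain N': the chain is walked down to the real transport."""
    return parse_ipv6(pkt)["proto"] == proto


def match_host_port(pkt, host, proto, dport=None, sport=None, follow_chain=False):
    """Model of 'ip6 host H and tcp dst port P'. With follow_chain=False the ports are
    read at the fixed offset right after the 40-byte IPv6 header (assumed libpcap
    behaviour), which is why a port filter misses packets carrying extension headers."""
    info = parse_ipv6(pkt)
    if ipaddress.IPv6Address(host) not in (info["src"], info["dst"]):
        return False
    if follow_chain:
        if info["proto"] != proto:
            return False
        off = info["l4_offset"]
    else:
        if info["next_header"] != proto:
            return False
        off = 40
    sp, dp = struct.unpack_from("!HH", pkt, off)
    return (dport is None or dp == dport) and (sport is None or sp == sport)


# Constructed samples: plain SSH, SSH behind Destination Options + Fragment headers,
# and DNS behind a Hop-by-Hop header
PLAIN_SSH = build_ipv6("fec0:0:0:bebe::1", HOST, [], TCP, 40000, 22)
EXT_SSH = build_ipv6("fec0:0:0:bebe::1", HOST, [DEST_OPTS, FRAGMENT], TCP, 40001, 22)
DNS = build_ipv6(HOST, "fec0:0:0:bebe::53", [HOP_BY_HOP], UDP, 5353, 53)

if __name__ == "__main__":
    for name, p in (("plain ssh", PLAIN_SSH), ("ssh+exthdr", EXT_SSH), ("dns+hbh", DNS)):
        print(f"{name:11s} proto6={match_proto(p, TCP)!s:5} "
              f"protochain6={match_protochain(p, TCP)!s:5} "
              f"dstport22={match_host_port(p, HOST, TCP, dport=22)}")
```

The second sample is the case to remember when hunting for SSH on a capture: it only shows up under protochain 6, and the tcp dst port 22 filter stays silent until the ports are looked up after the chain.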
———–
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Hacking .NET Resources

October 16th, 2011. Published under My Recent Reads. No Comments.


I saw a new .NET decompiler this week. This a big deal because the two existing ones that I often use are no longer free, have trackback ad functions (which makes me feel like big brother is watching my hacking activities… or my customers rather), and are less updated than I would like. The new [...]

Hacking .NET Resources belongs to Security Aegis

Node.js is Cancer

October 2nd, 2011. Published under My Recent Reads. No Comments.



If there’s one thing web developers love, it’s knowing better than conventional wisdom, but conventional wisdom is conventional for a reason: that shit works. Something’s been bothering me for a while about this node.js nonsense, but I never took the time to figure it out until I read this butthurt post from Ryan Dahl, Node’s creator. I was going to shrug it off as just another jackass who whines because Unix is hard. But, like a police officer who senses that something isn’t quite right about the family in a minivan he just pulled over and discovers fifty kilos of black horse heroin in the back, I thought that something wasn’t quite right about this guy’s aw-shucks sob story, and that maybe, just maybe, he has no idea what he is doing, and has been writing code unchecked for years.

Since you’re reading about it here, you probably know how my hunch turned out.

Node.js is a tumor on the programming community, in that not only is it completely braindead, but the people who use it go on to infect other people who can’t think for themselves, until eventually, every asshole I run into wants to tell me the gospel of event loops. Have you accepted epoll into your heart?

A Scalability Disaster Waiting to Happen

Let’s start with the most horrifying lie: that node.js is scalable because it “never blocks” (Radiation is good for you! We’ll put it in your toothpaste!). On the Node home page, they say this:

Almost no function in Node directly performs I/O, so the process never blocks. Because nothing blocks, less-than-expert programmers are able to develop fast systems.

This statement is enticing, encouraging, and completely fucking wrong.

Let’s start with a definition, because you Reddit know-it-alls keep your specifics in the pedantry. A function call is said to block when the current thread of execution’s flow waits until that function is finished before continuing. Typically, we think of I/O as “blocking”, for example, if you are calling socket.read(), the program will wait for that call to finish before continuing, as you need to do something with the return value.

Here’s a fun fact: every function call that does CPU work also blocks. This function, which calculates the n’th Fibonacci number, will block the current thread of execution because it’s using the CPU.

function fibonacci(n) {
  if (n < 2)
    return 1;
  else
    return fibonacci(n-2) + fibonacci(n-1);
}

(Yes, I know there’s a closed form solution. Shouldn’t you be in front of a mirror somewhere, figuring out how to introduce yourself to her?.)

Let’s see what happens to a node.js program that has this little gem as its request handler:

var http = require('http');

http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/plain'});
  // the CPU-bound call runs on the event loop thread, so every other request waits
  res.end(String(fibonacci(40)));
}).listen(1337, "127.0.0.1");

On my older laptop, this is the result:

ted@lorenz:~$ time curl http://localhost:1337/
165580141
real	0m5.676s
user	0m0.010s
sys	0m0.000s

5 second response time. Cool. So we all know JavaScript isn’t a terribly fast language, but why is this such an indictment? It’s because Node’s evented model and brain damaged fanboys make you think everything is OK. In really abusive pseudocode, this is how an event loop works:

while(1) {
  ready_file_descriptor = event_library->poll();
  handle_request(ready_file_descriptor);
}

That’s all well and good if you know what you’re doing, but when you apply this to a server problem, you’ve pluralized that shit. If this loop is running in the same thread that handle_request is in, any programmer with a pulse will notice that the request handler can hold up the event loop, no matter how asynchronous your library is.

So, given that, let’s see how my little node server behaves under the most modest load, 10 requests, 5 concurrent:

ted@lorenz:~$ ab -n 10 -c 5 http://localhost:1337/
...
Requests per second:    0.17 [#/sec] (mean)
...

0.17 queries per second. Diesel. Sure, Node allows you to fork child processes, but at that point your threading/event model is so tightly coupled that you’ve got bigger problems than scalability.

Considering Node’s original selling point, I’m God Damned terrified of any “fast systems” that “less-than-expert programmers” bring into this world.

Node Punishes Developers Because it Disobeys the Unix Way

A long time ago, the original neckbeards decided that it was a good idea to chain together small programs that each performed a specific task, and that the universal interface between them should be text.

If you develop on a Unix platform and you abide by this principle, the operating system will reward you with simplicity and prosperity. As an example, when web applications first began, the web application was just a program that printed text to standard output. The web server was responsible for taking incoming requests, executing this program, and returning the result to the requester. We called this CGI, and it was a good way to do business until the micro-optimizers sank their grubby meathooks into it.

Conceptually, this is how any web application architecture that’s not cancer still works today: you have a web server program whose job is to accept incoming requests, parse them, and figure out the appropriate action to take. That can be either serving a static file, running a CGI script, proxying the connection somewhere else, whatever. The point is that the HTTP server isn’t the same entity doing the application work. Developers who have been around the block call this separation of responsibility, and it exists for a reason: loosely coupled architectures are very easy to maintain.

And yet, Node seems oblivious to this. Node has (and don’t laugh, I am not making this shit up) its own HTTP server, and that’s what you’re supposed to use to serve production traffic. Yeah, that example above when I called http.createServer(), that’s the preferred setup.

If you search around for “node.js deployment”, you find a bunch of people putting Nginx in front of Node, and some people use a thing called Fugue, which is another JavaScript HTTP server that forks a bunch of processes to handle incoming requests, as if somebody maybe thought that this “nonblocking” snake oil might have an issue with CPU-bound performance.

If you’re using Node, there’s a 99% probability that you are both the developer and the system administrator, because any system administrator would have talked you out of using Node in the first place. So you, the developer, must face the punishment of setting up this HTTP proxying orgy if you want to put a real web server in front of Node for things like serving statics, query rewriting, rate limiting, load balancing, SSL, or any of the other futuristic things that modern HTTP servers can do. That, and it’s another layer of health checks that your system will need.

Although, let’s be honest with ourselves here, if you’re a Node developer, you are probably serving the application directly from Node, running in a screen session under your account.

It’s Fucking JavaScript

This is probably the worst thing any server-side framework can do: be written in JavaScript.

if (typeof my_var !== "undefined" && my_var !== null) {
  // you idiots put Rasmus Lerdorf to shame
}

What is this I don’t even…

tl;dr

Node.js is an unpleasant software library and I will not use it.

Security By Obscurity — a New Theory

October 2nd, 2011. Published under My Recent Reads. No Comments.

mikejuk writes "Kerckhoffs' Principle suggests that there is no security by obscurity — but perhaps there is. A recent paper by Dusko Pavlovic suggests that security is a game of incomplete information and the more you can do to keep your opponent in the dark, the better. In addition to considering the attacker's computing power limits, he also thinks it's worth considering limits on their logic or programming capabilities (PDF). He recommends obscurity plus a little reactive security in response to an attacker probing the system. In this case, instead of having to protect against every possible attack vector, you can just defend against the attack that has been or is about to be launched."

Read more of this story at Slashdot.


Minimum Viable Personality

September 29th, 2011. Published under My Recent Reads. No Comments.


Today we have a special guest post. There have been a few guest posts here at AVC. Maybe a half dozen in total. One of my favorites was this one by JLM during the financial crisis of 2008/2009. But this one today may top that gem.

It’s from our favorite Giant Robot Dinosaur and it’s about Minimal Viable Personality, something I have referred to as “voice” in prior posts. The Grimster is so right that this is critical to building a successful product.

One final note. If you want to tweet out one or more of the many awesome quotes in here, please add the hashtag #grimlockquotes. I’d like to watch them come in. Because you know they will.

————

MINIMUM VIABLE PERSONALITY 

MOST IMPORTANT STEP FOR BUILD PRODUCT IS BUILD PRODUCT. 

SECOND MOST IMPORTANT IS BUILD PERSONALITY FOR PRODUCT. 

NO HAVE PERSONALITY? PRODUCT BORING, NO ONE WANT. 


PERSONALITY BETTER THAN MARKETING 

WHEN CHOOSE PRODUCT, HUMANS ONLY CARE ABOUT DOES WORK, AND IS INTERESTING. 

WORLD ALREADY FULL OF THINGS DO WORK. MOST BORING. 

PERSONALITY = INTERESTING. INTERESTING = CARE. CARE = TALK.  

EVERYONE CARE AND TALK ABOUT PRODUCT? YOU WIN. 


SELL TO FRIENDS, NOT STRANGERS 

PERSONALITY MAKE PRODUCT FRIEND. YOU HELP FRIEND. YOU FORGIVE WHEN FRIEND NOT PERFECT. YOU WANT FRIEND WIN. 

BORING STRANGER?… YOU NOT. 

PERSONALITY IS API FOR LOYALTY. NO ONE CARE WHICH BORING STRANGER IS NEXT. BUT ALWAYS WANT FRIEND NEXT. 


PERSONALITY MAKE MEANING 

CAN PET ROCK. PET DOG BETTER. PET DOG HAVE MEANING. 

BORING PRODUCT IS ROCK. NO HAVE MEANING. INTERACT WITH PERSONALITY DIFFERENT. HAVE MEANING. 

INTERESTING PRODUCT THAT GIVE FRIENDS MEANING = MOST WIN OF ALL. 


HOW NOT BE BORING 

HAVE PERSONALITY EASY. ANSWER THREE QUESTIONS: 

1. HOW YOU CHANGE CUSTOMER’S LIFE?  

2. WHAT YOU STAND FOR? 

3. WHO OR WHAT YOU HATE? 

NOW HAVE MISSION, VALUES, ENEMY. THAT ENOUGH FOR MINIMUM VIABLE PERSONALITY. 

KEEP IN BRAIN WHEN WRITE, TALK, BLOG, TWEET. ITERATE. IMPROVE WHAT WORK. DELETE WHAT NOT. PERSONALITY GROW. 

NO BE CHICKEN 

CHICKEN LIVE IN CAGE. NO CAN HAVE PERSONALITY INSIDE CAGE.  

LAST STEP IS SMASH CAGE, LIGHT BARN ON FIRE. 

DO THAT, YOU WIN.


Can Neutrinos Move Faster Than Light?

September 23rd, 2011. Published under My Recent Reads. No Comments.

If it’s true, it will mark the biggest discovery in physics in the past half-century: Elusive, nearly massless subatomic particles called neutrinos appear to travel just faster than light, a team of physicists in Europe reports. If so, the observation would wreck Einstein’s theory of special relativity, which demands that nothing can travel faster than light.

Scientists attempt to give spark of life to all-synthetic metal cells

September 19th, 2011. Published under My Recent Reads. No Comments.


Just because it hasn’t happened yet, doesn’t mean it can’t; at least that’s what a Scottish research group is hoping as it attempts to create reproductive synthetic cells made completely from metal. At this stage, the idea of sentient metallic life remains a distant sci-fi dream, but researchers at the University of Glasgow have already birthed iChells — inorganic chemical cells. These bubbles, formed from the likes of tungsten, oxygen and phosphorus, can already self-assemble, possess an internal structure, and are capable of the molecular in-and-outs expected of their biological counterparts. Researchers are still tackling how to give these little wonders the ability to self-replicate, and possibly evolve — further cementing our doom post-Robot Apocalypse. Check out our future synthetic overlord’s first steps in a video after the break.


Scientists attempt to give spark of life to all-synthetic metal cells originally appeared on Engadget on Mon, 19 Sep 2011 07:59:00 EDT. Please see our terms for use of feeds.


6 secrets of fundraising success

August 23rd, 2011. Published under My Recent Reads. No Comments.


(Editor’s note: Jon Olafsson is chairman and co-founder of Icelandic Water Holdings. He submitted this story to VentureBeat.)

With fear running amok on Wall Street and the future economic picture so uncertain, it can be hard to raise venture capital these days. Over the last 12 months, though, we’ve managed to secure $23 million from both institutions and friends and family.

Part of the trick, we found, was having a well-researched and clearly articulated business proposition that clearly demonstrated a very substantial upside for investors.  We cast our net wide, using our own personal networks as well as those of professional fundraisers.  And while we were prepared to be flexible on terms, we refused to entertain low-ball offers.

Ultimately, though, our fundraising success came down to a few factors. Here are our secrets:

Keep it simple – The market for bottled water is well established. We had the advantage of an existing product, but that was hardly a guarantee.

We condensed the investment proposition to four essential “pillars” – the market, the source, the product and the distribution – and demonstrated how we had competitive advantages in each area.

Go with what works – A core strength of our product is the spring we draw from, located in Ölfus. Investors, we quickly learned, liked the idea of owning a part of this highly valued resource.

Emphasize the positive – Communicating success signals the potential value in your company. We were fortunate to boast a strong sales performance during the fundraising period – something we regularly communicated to potential investors. Along the way, we also highlighted our growing U.S. sales and international distribution.

Eliminate the negatives – It’s easy for VCs to say no. And it’s incumbent upon you, as the business owner, to remove the reasons for them to give that answer.

During the process, we addressed three concerns that, admittedly, were specific to our industry, but showcase what any prospective fund seeker should think of in advance:

  • No track record – We ensured we had a company history, proving to investors that the product had legs.
  • No distribution – We obtained distribution in the US, Canada and China, showing we weren’t a product that would be landlocked in Iceland.
  • No control of source – We bought the land that houses our spring, giving us the rights to the source in perpetuity.

Follow up on all leads – We used all of our personal networks as well as those of two international investment banks to look for potential investors. We were prepared to incentivise people to find investors, offering placing commissions of up to 4 percent. We followed up assiduously on all leads, giving further information, access to the data room, samples of the product and offering site visits to Iceland. A successful first meeting was always a result of a personal engagement with the project on the part of the potential investor.

In the end, roughly half of the funding has come from investors who are my personal friends, with the rest coming from South African institutional investor Bidvest.

Believe in the business – There are always dark days in a business and fundraising can be especially frustrating in the current environment. We continually reminded one another about the quality of the product and the latent demand for it in international markets.

Some potential investors offered us terms that were much poorer than the ones we finally achieved.  It was our confidence in our business that gave us the strength to say no. Our existing shareholders helped support the business and the pricing by continuing to invest in the business during the process.

About the author: Icelandic Water Holdings, ehf, Chairman & Founder, Jon Olafsson has spent the last 30 years building successful companies from the ground up and transforming them into industry leaders. Best known as the chair of Northern Lights Communications — Iceland’s premier integrated media, communications and entertainment company — Olafsson has served as a critical player on the executive boards of more than 15 companies across multiple sectors including investment banking, entertainment, media, construction and land development.

Filed under: Entrepreneur Corner

CyanogenMod founder joins Samsung Mobile, promises to make Android ‘more awesome’

August 16th, 2011. Published under My Recent Reads. No Comments.


We already knew Samsung loved the guys at CyanogenMod, but we didn’t think they’d start absorbing parts of its development team. According to Steve Kondik’s Facebook page, the Android facade’s head sculptor is setting up shop at Samsung Mobile. Sammy’s new software engineer told his fans that although his ‘side project,’ CyanogenMod, is not affiliated with his employer in any way, he will be “working on making Android more awesome.” Makes sense, we heard Samsung’s phones were looking for a fresh coat of awesome.

[Thanks to everyone who sent this in]

CyanogenMod founder joins Samsung Mobile, promises to make Android ‘more awesome’ originally appeared on Engadget on Tue, 16 Aug 2011 00:38:00 EDT. Please see our terms for use of feeds.


The diamond’s quantum memory

August 10th, 2011. Published under My Recent Reads. No Comments.

For years, quantum computers have been the holy grail of quantum technology. When a normal computer has to solve a number of problems, it can only execute them one after the other. In contrast, a quantum computer could occupy several different states at the same time – and that way it could try out different possible solutions of a problem at once, finding the correct answer much faster than a normal computer ever could. Diamonds could now bring physicists one important step closer to the quantum computer. At Vienna University of Technology, microwaves have now been coupled to the quantum states of a diamond. The results of this research project were now published in the scientific journal Physical Review Letters.

Anti-Matter Belt Discovered Around Earth

August 7th, 2011. Published under My Recent Reads. No Comments.

hydrofix writes "A thin band of antiprotons enveloping the Earth has been spotted for the first time. The find, described in Astrophysical Journal Letters [arXiv] (Note: abstract free, full text paywalled), confirms theoretical work that predicted the Earth's magnetic field could trap antimatter. The antiprotons were spotted by the Pamela satellite launched in 2006 to study the nature of high-energy particles from the Sun and cosmic rays. Aside from confirming theoretical work that had long predicted the existence of these antimatter bands, the particles could also prove to be a novel fuel source for future spacecraft — an idea explored in a report for NASA's Institute for Advanced Concepts."

Read more of this story at Slashdot.


Fish Photographed Using Tools to Eat

July 11th, 2011. Published under My Recent Reads. No Comments.

A professional diver has captured what are believed to be the first images of a wild fish using a tool.

Useful Business Web Sites

July 7th, 2011. Published under My Recent Reads. No Comments.

It bugs me that there are tools on the Internet that I would find handy if only I knew they existed. I did a bit of searching and pulled together a list of useful, single-purpose, free, business utility sites that you probably didn't know exist.

boxoh.com – Track any shipment

whichdateworks.com – Find a date that works for everyone

everytimezone.com – A clear graphic of world time zones

followupthen.com – Quick way to set up a reminder email to yourself

www.dafont.com – Thousands of free fonts for PC and Mac

www.anonymouse.org – Surf the web without revealing your identity

encrypted.google.com – Keeps your search queries private from nosey bosses

www.hipmunk.com – Best interface for finding a flight to book

seatguru.com – Best way to find the right seat on a flight

flightstats.com – Track flights

Do you know of other sites that meet the criteria of being a useful, single-purpose, free, business utility that most people would find useful but probably don't know exist? I'll update the list from your input. (No entertainment sites, please.)

Richard Branson on Thinking Big

July 6th, 2011. Published under My Recent Reads. No Comments.

The celebrated entrepreneur shares advice on shaping company culture as you expand your business.

How Much Money To Raise

July 6th, 2011. Published under My Recent Reads. No Comments.


I spent some time yesterday talking to an entrepreneur about this topic and I thought I’d share what I told him with everyone.

When your company is growing really fast, doubling employees year over year, adding users and customers at a very rapid rate, you don’t want to raise too much money. If you raise three or four years of cash, there is a very good chance that by your second year, you will be sitting on cash that you raised when your company was worth considerably less. That’s not a good thing. It’s too dilutive to you and your co-founders and angels.

I’ve got two basic rules of thumb. First, try to dilute in the 10-20% band whenever you raise money. If you can keep it to 10%, that is great. You might have to do more, but try hard to keep your dilution below 20% each round. If you do two or three rounds at north of 20% each round, you’ll end up with too little of the company.

Second, raise 12-18 months of cash each time you raise money. Less than a year is too little. You’ll be raising money again before you know it. Longer than 18 months means you may well be sitting on cash that you raised when your company was worth a lot less.

These rules are most applicable in the early stages. When your company gets above 100 employees and valued at north of $50mm, things change. You may need to have more cash on your balance sheet for working capital reasons and you may not be increasing value at quite the same rate as you were when you were smaller. You might want to raise 24 months of cash or more at that stage.

But for the seed, Series A, and Series B rounds, I think 10-20% dilution and 12-18 months of cash are ideal. It’s what I advise our portfolio companies to do and it is what I advise other entrepreneurs to do.

Why Groupon Is Poised For Collapse

June 13th, 2011. Published under My Recent Reads. No Comments.

Editor’s note: This guest post is part of an in-depth series looking at the daily deal industry written by Rocky Agrawal, an entrepreneur who has worked on local products since 1995. Read Part I, Part II, and Part III also. He blogs at reDesign and Tweets @rakeshlobster.

Imagine you’re a small business owner. You have to choose between two propositions:

  1. You can pay $62,500 for marketing. You’ll get a whole lot of customers coming through your door. No guarantees if they will ever come back, but they’ll come once.
  2. I’ll pay you $21,000. You get $7,000 in about 5 days, another $7,000 in 30 days and the remainder in 60 days. In exchange, you’ll give my customers cheap products for the next year.

I’ve been working on local for a long time and I know it’s hard to get small businesses to spend money on advertising. Really hard. Even getting $200 a month ($2,400 a year) is a high hurdle to meet.

There’s no way a business will sign up for #1. Most merchants would laugh you out of the store if you asked for $60,000.

Except they are. In droves.

Although they sound completely different, #1 and #2 are really the same—it’s the Groupon business model.

Businesses are being sold incredibly expensive advertising campaigns that are disguised as “no risk” ways to acquire new customers. In reality, there’s a lot of risk. With a newspaper ad, the maximum you can lose is the amount you paid for the ad. With Groupon, your potential losses can increase with every Groupon customer who walks through the door and put the existence of your business at risk.

Groupon is not an Internet marketing business so much as it is the equivalent of a loan sharking business. The $21,000 that the business in this example gets for running a Groupon is essentially a very, very expensive loan.  They get the cash up front, but pay for it with deep discounts over time.  (This post applies to Groupon operations in the United States and Canada; it’s different in other parts of the world.)

In many cases, running a Groupon can be a terrible financial decision for merchants. Groupon’s financials also raise questions about its ongoing viability. Buying Groupon stock could be as bad a deal for investors as running a Groupon offer is for merchants.  This is my opinion, but I have some facts to back it up.

Traffic is not necessarily profitable traffic

Groupon can clearly deliver customers. But in order to know if it makes financial sense as a customer acquisition tool, merchants need to know two key numbers:

  1. The proportion of Groupon customers who are already their customers
  2. How often new customers come back.

The higher the first number, the worse their deal will perform. The higher the second number, the better their deal does.

But for most businesses, these critical numbers are impossible to know. Groupons haven’t been out long enough to generate this data.  And Groupon’s tracking methods aren’t collecting this data. (My intuition is that Groupon doesn’t want to know.)

Groupon touts a win-win proposition. But the reality is that Groupon usually wins and merchants usually lose. The merchant agreement is one of the most lopsided I’ve seen.

It’s rare that Groupon loses . . . until merchants figure out how to cheat.

The hidden auction

Underlying Groupon’s success is an auction. It’s not explicit, like Google’s AdWords bidding platform, but the economic effects are similar. The fact that Groupon runs daily deals creates artificial scarcity and drives up pricing to absurd levels. Even with four deals a day in a given market, you’re talking about fewer than 1,500 deals a year.

The “bid” in this auction is the total revenue that goes to Groupon. That’s a function of the value of the voucher, the negotiated revenue share and the number of deals that will be sold. The number of deals that will be sold is a function of, among other factors, how deep a discount and how commonly needed the product is. The larger the discount, the greater the volume.

All of this creates an incentive to drive up Groupon’s revenues. It also provides an incentive for salespeople to sell bigger and bigger deals, some of which might not be suitable for a small business. Because of all the hype around Groupon, salespeople are able to use the “Who’s Who” model—sell what an honor it is to be specially selected to be featured on Groupon.

Groupon’s process for selecting which deals it runs has little transparency. It’s not always the highest bids that win; sometimes, lower value bids win just to keep subscribers opening their emails. (In this case, think of merchants bidding with discounts, so the deeper the discount, the higher the bid).  I’ve also heard from merchants who say Groupon has changed their deals at the last minute to make them more profitable for Groupon.

Cash is king

Many small businesses are struggling for cash and the Groupon sales pitch resonates. Marketing with no upfront payment. You get cash within days. A steady stream of customers. This is not a new idea. Rewards Network has been offering restaurants cash upfront in exchange for discounted meals over time. (But on more generous terms than Groupon.)

Groupon’s S-1 calls tough economic times a risk; but the recession was really their opportunity. As other forms of credit dried up, struggling businesses jumped at the chance to get cash now in exchange for discounting their product later. The real risk for Groupon is that the economy improves to the point that businesses don’t have to resort to deep discounting.

Repeat Groupon businesses

Some of the analysis of Groupon’s long term prospects has pointed to repeat Groupon offers from merchants as evidence of a viable long-term model.

How can a repeat customer be bad, right? For a Groupon merchant, a repeat customer is a great thing. But for Groupon itself, a repeat customer can be a sign of trouble ahead.

I had been struggling to understand why some businesses ran repeat Groupons or cycled among the various daily deal vendors, given that the economics clearly suck if you can’t drive repeat traffic. Some let the same customer buy 3 or more of the same deal. That’s a clear no-no for a loss-leader designed to acquire new customers.

A conversation with Forkfly (a Groupon Now competitor) CEO Paul Wagner was enlightening. He suggested that they were doing what struggling families do when they max out a credit card—they get another one.

That makes perfect sense. Revenue from subsequent daily deals help pay for the obligations created by the first one.

Receipts look like the one at right. Lots of product going out, staff to pay and little cash coming in. Taking out another Groupon loan is a quick fix. (If I were a sales rep, I’d have that date marked on my calendar for follow up. “I know we did 50/50 last time, but I’m thinking Groupon gets 70% this time.”)

Hacking Groupon

How would you exploit an overpriced loan? Don’t pay it back.

Assume that you’re a business that is unscrupulous and you’re looking to make a quick buck. You could create a wildly generous deal that would sell like crazy. In about 30 days, you’ll have 2/3 of your share of the deal. Then you shut down operations.

It also works for businesses that are just having a tough time. As critical as I am of Groupon, the slam dunk case is to sign up with Groupon if you’re going bankrupt. I strongly encourage every business that is about to go under to call Groupon. (Don’t tell them Rocky sent you.) It makes total financial sense—as a Hail Mary play. If you’re lucky, the upfront cash will be enough to help you stay afloat. If not, well, you were already going out of business. It may be your best option. In the short term, you’re actually helping Groupon because they’re being valued on revenue and no one is taking into account risk.

Groupon is essentially holding a portfolio of loans backed by the receivables of small businesses. If a business goes under, consumers will come back to Groupon for their money back. Unless Groupon is actually doing credit assessments on businesses that it chooses to feature, this is a big risk for Groupon.

The onerous terms for participating in Groupon also create an adverse selection problem. The most successful businesses don’t need Groupon for customer acquisition or financing.

The assumption is that nothing will go wrong and all of these “loans” will be paid back. (At least the subprime mortgage lenders were able to sell that risk off to Wall Street and AIG.)

Like the mortgage lenders, Groupon doesn’t know exactly how much risk it has piled up. Because some merchants track redemptions on paper, Groupon has no way of knowing how many unredeemed Groupons are outstanding. If a business goes under and the records are unavailable, every buyer of that Groupon could try to make a claim against it. (The risk is mitigated by the fact that a lot of redemption occurs within the first 60 days, but we don’t know how much.)

Google, with more than $36 billion in cash on hand, is uncomfortable enough with that risk that it dumps it onto Google Offers buyers. Groupon could mitigate this risk by changing its terms and conditions so that the consumer is responsible in case a merchant goes bankrupt.

Relying on float

Where does Groupon get all the money to give to these merchants? Credit cards—yours. Groupon gets paid within a couple of days by its banks. It then takes that money and gives it to the merchant in three chunks. From Groupon’s S-1:

Our merchant payment terms and revenue growth have provided us with operating cash flow to fund our working capital needs. Our merchant arrangements are generally structured such that we collect cash up front when our customers purchase Groupons and make payments to our merchants at a subsequent date. In North America, we typically pay our merchants in installments within sixty days after the Groupon is sold.

We use the operating cash flow provided by our merchant payment terms and revenue growth to fund our working capital needs. If we offer our merchants more favorable or accelerated payment terms or our revenue does not continue to grow in the future, our operating cash flow and results of operations could be adversely impacted and we may have to seek alternative financing to fund our working capital needs.

Translation: They’re using money from new deals to pay for previous deals. They need to keep growing revenue. As of March 31, they owed merchants $290.7 million.

In the agreement I’ve seen, the first installment is 33% in 5 days. If they have to pay merchants faster, that could lead to problems.

And Google might force that to happen. According to Google Offers’ payment terms, merchants receive 80% of their share in 4 days—more than twice as much, 1 day earlier.

There’s no way that was an accident.

If Groupon matches these payment terms, they’ll need cash faster and need to grow faster. (Google Offers accelerates the rate at which Groupon’s scheme has to draw in new suckers.)  If Groupon doesn’t match, it gives Google a key differentiator to win deals. If those businesses  go with Google’s more generous terms, that too will starve Groupon of the cash it needs to pay earlier merchants.

Now here’s the crazy part.  Not only is Groupon effectively giving loans to merchants, but it also works the other way around.  The merchant is on the hook for the entire value of those deals until Groupon pays the merchant back its portion.  Unlike other loan providers, the merchant is making a short-term loan to Groupon. (Not technically, but effectively.) They buy inventory in advance of the Groupon run. They also serve the initial rush of customers. The business is in a hole before they get their 30- and 60-day Groupon payouts.

While the chances might be small, Groupon merchants should know that they’re taking on the risk of Groupon’s collapse. If Groupon collapses, a lot of small merchants could be left holding the bag.

If you know of a business that closed after running a Groupon or other daily deal, please send an email with the name of the business to dailydeals@agrawals.org. And remember, correlation is not causation.

Photo credits: Rachel Lovinger and Rocky Agrawal.


Scalability panel (djangocon.eu)

June 9th, 2011. Published under My Recent Reads. No Comments.


Participants: Andrew Godwin, Andy McKay, Jesper Noehr, Eric Florenzano.

What are the common mistakes you see? Things that take a long time
(“sending an email”) and lock up a process. Using the filesystem for
caching. Testing locally, pushing it live and seeing it fall over.

Using an external API can also take a long time. Work with timeouts to work
around it.

Scaling wise, what should you think about before scaling becomes an actual
issue? And what should you definitely leave until the moment comes you need to
scale?
First things first: use a queue like celery, even on small sites. Get
used to such a queue and have it in place, that’ll help a lot with performance
later.

Make sure your database schema is mostly OK. It doesn’t have to be
perfect right away, but at least mostly OK.

Expect something to change and assume you’ll have to swap something out later
to improve the performance.

One important aspect of scaling is measurement and profiling. What are the
best practices and good tools for doing that in production?
Bitbucket has a middleware that is switched on with a special query string; it
starts the Python C profiler and gives them data on the request.

The debug toolbar is a great help in development. For real-time stats, graphite
and statsd are an option. Or munin or Cacti for real-time generic server
information graphs.

Logging. Always set up logging. Look at the logfiles and figure out what
happened.

Opennms, pingdom, munin, nagios, django-kong were mentioned as monitoring
tools.

Puppet vs Chef vs Whatever for provisioning servers in a Django
stack. Fight!
Puppet is good. Chef is good. Puppet is alright. (So: not much
of a fight :-) )

Django ORM: how much of an issue is this going to be when I want to scale?
It is much less an issue than it used to be.

You’ll only get to know the hotpoints for YOUR application when you run into
them. When you optimize beforehand, the points will be different than those
you’ll really hit. And then there are ways to solve it. Caching, asynchronous,
less joins, splitting things, etc. You can denormalize, too.

Simple: check your indexes. Do you have the right ones? Are you missing ones?

Also changing your actual database server configuration default values can
make a lot of difference. Spend two days figuring out all the options. And
check postgres for ridiculously low default memory values.

Incremental roll-outs help with detecting problems. When all your 15 new
instances suddenly die, you know you need to change something.

Considering that using a caching proxy, like for instance Varnish, is
commonly used for improving performance/scalability, are there any options out
there for Django which handle cache invalidation in a good manner that you
know of?
Use etags.

Most caching is dependent fully on your individual app. So something generic
is virtually impossible.

Varnish gives you lots of control. You can invalidate pages from your python
code. So set up a couple of proper database triggers.
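The “use etags” answer above moves the problem from invalidation to cheap revalidation: the proxy keeps the cached copy and asks the origin whether it is still current, and the origin answers 304 Not Modified if the tag still matches. The following is an added example, not code from the panel or from any of the participants’ projects, showing what the origin side of that exchange looks like. It assumes a plain dict of request headers and a handler signature of my own choosing; only `hashlib` from the standard library is used. It also handles the two edge cases that trip up hand-rolled implementations: a list of several tags in `If-None-Match`, and weak tags (`W/"..."`), which RFC 7232 says must be compared weakly for `If-None-Match`.

```python
import hashlib


def make_etag(body: bytes) -> str:
    """Strong validator derived from the representation bytes.

    Any change to the body changes the tag; the value is quoted because
    RFC 7232 requires entity-tags to be quoted strings.
    """
    return '"%s"' % hashlib.sha256(body).hexdigest()[:32]


def parse_if_none_match(header):
    """Split `If-None-Match: "a", W/"b"` into a list of entity-tags.

    Returns ["*"] for the wildcard form.  (Entity-tags containing a literal
    comma are not handled; they are legal but practically unheard of.)
    """
    if header is None:
        return []
    header = header.strip()
    if header == "*":
        return ["*"]
    return [tag.strip() for tag in header.split(",") if tag.strip()]


def etag_matches(candidate, tags):
    """Weak comparison (RFC 7232 section 2.3.2): W/ prefixes are ignored."""
    def strip_weak(tag):
        return tag[2:] if tag.startswith("W/") else tag

    if "*" in tags:
        return True
    return any(strip_weak(tag) == strip_weak(candidate) for tag in tags)


def respond(body: bytes, request_headers: dict):
    """Hypothetical view/handler: returns (status, headers, body).

    `request_headers` is assumed to be a plain dict keyed by header name.
    """
    etag = make_etag(body)
    tags = parse_if_none_match(request_headers.get("If-None-Match"))
    # must-revalidate tells the cache to come back and ask every time; the
    # answer is a tiny 304 when nothing changed, so the origin does no
    # rendering work for unchanged pages.
    headers = {"ETag": etag, "Cache-Control": "max-age=0, must-revalidate"}
    if etag_matches(etag, tags):
        return 304, headers, b""
    headers["Content-Type"] = "text/html"
    return 200, headers, body


if __name__ == "__main__":
    page = b"<p>hello</p>"          # constructed sample representation
    status, hdrs, _ = respond(page, {})
    print(status, hdrs["ETag"])
    print(respond(page, {"If-None-Match": hdrs["ETag"]})[0])  # 304
```

The tag here is derived from the rendered bytes, so the origin still has to produce the body to know whether it changed; a cheaper variant derives the tag from a version counter or an updated-at timestamp on the underlying rows, which is where the database triggers mentioned above come in.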

Is Django fast enough? Should more attention be on speed and benchmark
tests?
Yes and yes. It is fast enough, but we should watch it.

Django is fast enough. If you want to scale, scale over multiple boxes instead
of building out one single box.

But: watch out that django doesn’t get any slower!

Code deployment to web workers: there are lots of different ways, can we get
the groups thoughts on the best practices?

  • By hand.
  • Pip. But it is a bit slow. Now they use github (with a local git mirror for
    their sites).
  • Fabric.
  • Simple bash script that ssh-s to the server and that updates everything.
  • HAProxy helps in getting a server offline and getting it transparently back
    up after the update.

If you were starting a new project today, which Python VMs would you
consider?
Probably cpython as an ops person would probably not allow us to
run pypy. But I’m watching pypy and it looks good.

What’s the worst scalability failure story you’ve ever heard?

  • Running postgres with 32MB of memory (a default setting…).
  • A sysadmin that, to prove his valid point, pulled the electricity plug out
    of the live machine. He won.
  • Returning a string instead of an iterator in a wsgi script that was getting
    lots of hits. One character at a time…
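The last failure story is worth seeing in code, because it is easy to write by accident. A WSGI server iterates over whatever the application returns and writes each item to the socket. Wrap the body in a list and that is one write; return the string itself and, in Python 2 where these notes were taken, every character becomes its own write. The following is an added example, not code from the panel; the `FakeServer` is a stand-in I wrote that only counts iterations (a real Python 3 server such as wsgiref would instead reject the str chunks with an error, but the per-character iteration is the same).

```python
BODY = b"<html><body>Hello, DjangoCon!</body></html>"  # constructed sample body


def wrong_app(environ, start_response):
    # Deliberate bug, reproduced for illustration: the body is returned as a
    # string.  Iterating a string yields one character per step, so the
    # server issues one write per character.
    start_response("200 OK", [("Content-Type", "text/html")])
    return BODY.decode("ascii")


def right_app(environ, start_response):
    # Correct: the body is wrapped in a list, so the server sees one chunk.
    # Any iterable of byte chunks (a list, a generator) works the same way.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [BODY]


class FakeServer:
    """Minimal stand-in for a WSGI server loop that counts socket writes."""

    def __init__(self):
        self.writes = 0
        self.status = None

    def _start_response(self, status, headers, exc_info=None):
        self.status = status

    def serve(self, app):
        environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
        result = app(environ, self._start_response)
        try:
            for _chunk in result:   # each iteration is one write() to the socket
                self.writes += 1
        finally:
            # PEP 3333: the server must call close() on the result if present
            if hasattr(result, "close"):
                result.close()
        return self.writes


def count_writes(app):
    """Number of socket writes the fake server performs for one request."""
    return FakeServer().serve(app)


if __name__ == "__main__":
    print("wrong_app writes:", count_writes(wrong_app))   # one per character
    print("right_app writes:", count_writes(right_app))   # 1
```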

What do you use to find slow sql queries? Django debug toolbar. Another
trick is to evaluate querysets early to better see what’s going on (as
querysets are lazily evaluated).

Use mysql/postgres’s configuration option to log slow queries.

How do you mimic a large load and can you simulate it? Use apachebench,
but keep in mind that that won’t be a “perfect” worst-case load.

The other answers were mostly “we can’t do that”. Incremental roll-outs
help. Key question: can you respond quickly? Can you deploy quickly.

How to handle database rollbacks when you rollback a release? Most either
don’t use south or they don’t do rollbacks. A migration can only ADD columns
or tables. They’re never removed. Never. Addition-only. This way the old code
can talk just fine to the new database structure.
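The addition-only rule is what makes a code rollback safe without a database rollback: the previous release never learns that a new column exists, so it must be able to keep reading and writing the table as it always did. The following is an added example, not from the panel or from south; it uses an in-memory sqlite database and a hypothetical `profile` table to contrast an additive migration with the destructive table-rebuild that some sqlite migration tools emit for a column rename, and shows that the old release survives the first and breaks on the second.

```python
import sqlite3

OLD_SCHEMA = "CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT NOT NULL)"

# Additive migration: a new nullable column with a default.  Nothing is
# dropped or renamed, so code that never heard of avatar_url keeps working.
ADDITIVE_MIGRATION = [
    "ALTER TABLE profile ADD COLUMN avatar_url TEXT DEFAULT ''",
]

# What the panel says never to do: rename a column (here via the rebuild-
# the-table dance that sqlite tooling uses).  The old release still refers
# to `name` and will fail on its next write.
DESTRUCTIVE_MIGRATION = [
    "CREATE TABLE profile_new (id INTEGER PRIMARY KEY, display_name TEXT NOT NULL)",
    "INSERT INTO profile_new (id, display_name) SELECT id, name FROM profile",
    "DROP TABLE profile",
    "ALTER TABLE profile_new RENAME TO profile",
]


def old_release_read(conn):
    # The previous release names its columns explicitly (never SELECT *), so
    # extra columns added later are simply invisible to it.
    return list(conn.execute("SELECT id, name FROM profile"))


def old_release_write(conn, name):
    # The previous release knows nothing about avatar_url; the column default
    # fills it in.
    conn.execute("INSERT INTO profile (name) VALUES (?)", (name,))


def new_release_read(conn):
    # The new release reads the column the additive migration introduced.
    return list(conn.execute("SELECT id, name, avatar_url FROM profile"))


def simulate(migration):
    """Run the old release before and after `migration`; report what it sees.

    Returns the rows the old release can still read, or the sqlite error
    message if the old code no longer works against the new schema (which is
    exactly the situation a release rollback would put you in).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(OLD_SCHEMA)
    old_release_write(conn, "alice")          # data written before the deploy
    for statement in migration:
        conn.execute(statement)
    try:
        old_release_write(conn, "bob")        # old code still running after deploy
        return old_release_read(conn)
    except sqlite3.OperationalError as exc:
        return str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    print(simulate(ADDITIVE_MIGRATION))       # [(1, 'alice'), (2, 'bob')]
    print(simulate(DESTRUCTIVE_MIGRATION))    # table profile has no column named name
```

Note that `SELECT *` would undermine even the additive case: old code that positionally unpacks rows breaks as soon as a column is appended, which is why the example names every column it reads.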

Suggested reading: always ship trunk.

Which wsgi runner do you use? Mod_wsgi is not out of date or slow in any
way, it works just fine.

Gunicorn is awesome. Especially the built-in asynchronous mode and eventlet
can help a lot if you use it.

What’s your best experience regarding scalability?

  • A php site. 0.5MB traffic to 100 MB of traffic within a month. It taught
    him a lot.
  • A plone site 8 years ago. Plone was two request-a-second at that time. They
    had squid in front. It was the oxfam site that was used for post-tsunami
    donations. He was Real Happy with squid that day.
  • Some multimedia website. From 0 to 8 million users in one year. Learning on
    the job!

How to deal with backfilling data? After adding tables, you sometimes have
to fill them with default data. How to do it without killing your server?

Use celery and use a management command to slowly push small batches onto your
task queue.


21 Books Every Entrepreneur Should Read

May 31st, 2011. Published under My Recent Reads. No Comments.



Summer is here, and even dire workaholics should take a few hours to relax. Read one of the following books and you’ll become a better entrepreneur while you’re at it.

We asked small business leaders and VCs to name books that anyone starting a business or even thinking about it should read.

Over the past two years, these were some of the best recommendations we heard.


What books have influenced your career? Add them in the comments below.

“The Fountainhead” by Ayn Rand

Charlie O’Donnell: “I don’t know any book that sums up the entrepreneurial passion and spirit better than The Fountainhead by Ayn Rand:  'The question isn't who is going to let me; it's who is going to stop me.'"

Charlie is a principal at First Round Capital.

“Out of the Crisis” by W. Edwards Deming

Roger Ehrenberg: “Big or small, this book focuses the entrepreneur/manager on respecting employees, focusing on process, and insisting on the collection and analysis of data. The development of metrics to manage the business is critical for the start-up founder.”

Roger is Managing Partner of IA Capital Partners, LLC.

“Extreme Programming Explained” by Kent Beck

Babak Nivi: “Revelatory. Develop your product like this book tells you to, unless you know better (e.g. you have experience building operating systems, space shuttles, Googles.) Buy the first edition.”

Nivi is a founder of Venture Hacks.

See the rest of the story at Business Insider



My Job As A Pre-Launch Startup CEO Was To Buy Sandwiches

May 31st, 2011. Published under My Recent Reads. No Comments.


Seth Sternberg is the CEO and Co-founder of Meebo. He previously worked in M&A at IBM.

I love talking to aspiring entrepreneurs—I do it once a week at minimum.

I often get asked “what’s the role of a startup CEO?” Sometimes people are curious about the pre-launch “CEO” and ask if a startup really needs one. If that CEO isn’t an engineer, what do they do anyhow? Other times people wonder what I do today as CEO of a 180 person company. In this post I’ll cover the pre-launch role, and in a follow-up, I’ll get into the role post-launch.

So what does the CEO, who at the beginning is really the general business person, do at a pre-launch startup?

Let’s go back to the beginning of Meebo, circa April, 2005.

Co-founders Sandy Jen, Elaine Wherry and I met every Wednesday night and all day every Sunday in an effort to get Meebo off the ground. We’d never meet in my apartment—it was always either at Sandy’s or Elaine’s. Why? Because they had the better computers and the faster internet connections. Frankly, that’s pretty emblematic of one’s role as the “business person” pre-launch. I’ve touched upon this topic before in a Founder Stories interview with Chris Dixon (embedded below), but it is worth elaborating on.

For most consumer internet products, there’s not a whole lot the business person can really do pre-launch. All of the company’s value will come when the team builds and launches a product, so that should be the primary focus. There aren’t any partnerships to be struck yet, as the product has yet to build any credibility in the market. There aren’t any folks to interview, as you can’t afford to hire a full team, and you’re wasting your time looking for pre-launch financing—a controversial statement these days, I know, but that’s a topic for another post. So what can you do if the most important thing is simply to minimize all distractions in the pursuit of getting the product launched?

Buy sandwiches.

Well, really, the business person’s job, until the last 2-3 weeks before launch, is to be supportive.

When we got together on Sundays, I really couldn’t contribute very much real work. I could make the sandwich runs to the Andronico’s down the street (I still have the “buy 10, get the 11th free card” in my wallet). I could also take care of the mundane tasks like buying the domain name and paying the server bills. Heck, I could even suggest “that button might look better over there.” But that was about it. I was the support.

I began to wonder, “Should I even be here?” Frankly, it didn’t feel very good to sit there and watch Elaine and Sandy working away while I did comparatively little. I could just as well have been playing Frisbee.

When I wondered that aloud, the feedback from Elaine and Sandy was pretty clear: if you’re going to be part of this team, then we want you here.

We were all equals with our own skills that we each brought to the table. My presence, at some level, was moral support. At another level, it contributed to the team bonding that you need pre-launch. Post-launch, things will tend to get crazy, fast, so pre-built trust is critical. At the end of the day, it’s the team that really makes the startup. Strong teams—as Sandy is quick to point out—survive multiple ideas.

Let’s fast-forward to the 2-3 weeks pre-launch, however, where the business person begins to get a job.

First, go and line up the right law firm to get incorporated.

The standard deal, at least at the time, was $20K in legal fees deferred until you raise your series A. I don’t think much has changed. Make sure you get advice on which firm and partner to work with—the way your company gets incorporated can save you a lot of pain down the road. (Watch a relevant chat between Chris Dixon and Erick Schonfeld here). Do not work with a firm inexperienced in setting up startups. Rather, work with Fenwick, Wilson Sonsini, OMM, Gundersen, Orrick, and the like. And even in those firms, ensure you’re working with the folks who have startup creation experience—all partners are not created equal.

Second, figure out your launch strategy.

Do you want to line up a bunch of friends to test your product before launch? Do it. Then corral all of their feedback and help prioritize it for your co-founders. Do you need to find a couple of folks who can introduce you to a blogger or two to write about your launch? Find them and go pre-brief those bloggers. Make sure you also line up your friends to give you some social media mojo—get them to Facebook and Tweet your launch.

Third, find a good mentor or two.

It’s important to find someone who is passionate about what you’re up to and who genuinely wants to work with you and your team to help you create an awesome product. Someone who is perhaps 2-4 years ahead of the process from where you sit, who has seen good and bad, and who can guide you toward good choices and help you avoid potentially painful early mistakes. Ironic, but when you have the least experience is also when you make a bunch of choices on how you set up your company—choices which will potentially burn you or save you years down the road.

In a future post, I’ll get into the business person’s role post-launch. But before we end, one more thing: do you even need a business person pre-launch since they do seemingly so little?

The answer is yes, for three basic reasons.

First, post-launch, the business person’s job becomes very important. You want them there for their actual work product (beyond their amazing ability to remember your sandwich order) post-launch. You don’t want to go through the pain of finding this person post-launch when things get nutty. Rather, you want them lined up and ready to go from the start.

Second, just like it’s unbelievably hard to find great engineers, it’s also unbelievably hard to find great business people. Just like a bad engineering co-founder can help ruin a company and a good one can help make a company, the same goes for business folks. Once you find a great engineering co-founder, hold onto them as tight as you can. And once you find a great business co-founder, do the same.

Third, team bonding is really important. The more time you have to do this, the better. I’ve argued that there’s nothing more important in getting a company off the ground than finding and putting together the ultimate founding team. This bonding is super critical in the early days because you will likely spend years together. It’s hard to explain just how important it is that you understand and trust each other, implicitly. The sooner you get together as a unit, the better off you all will be.

Photo credit: Flickr/FotoosVanRobin


There’s a Secret Patriot Act, Senator Says

May 26th, 2011. Published under My Recent Reads. No Comments.

There’s a huge “gap between what the public thinks the Patriot Act says and what the American government secretly thinks the law says,” according to Sen. Ron Wyden (D-Oregon). The gap is so big, in fact, that it amounts to entirely different, and secret, law.

Multiverse = Many Worlds, Say Physicists

May 26th, 2011. Published under My Recent Reads. No Comments.

Via The Physics arXiv Blog (MIT Technology Review) -

The many worlds interpretation of quantum mechanics is the idea that all possible alternate histories of the universe actually exist. At every point in time, the universe splits into a multitude of existences in which every possible outcome of each quantum process actually happens.

So in this universe you are sitting in front of your computer reading this story, in another you are reading a different story, in yet another you are about to be run over by a truck. In many, you don’t exist at all.

This implies that there are an infinite number of universes, or at least a very large number of them.

That’s weird but it is a small price to pay, say quantum physicists, for the sanity the many worlds interpretation brings to the otherwise crazy notion of quantum mechanics. The reason many physicists love the many worlds idea is that it explains away all the strange paradoxes of quantum mechanics.

[...]

Let’s put the many world interpretation aside for a moment and look at another strange idea in modern physics. This is the idea that our universe was born along with a large, possibly infinite, number of other universes. So our cosmos is just one tiny corner of a much larger multiverse.

Today, Leonard Susskind at Stanford University in Palo Alto and Raphael Bousso at the University of California, Berkeley, put forward the idea that the multiverse and the many worlds interpretation of quantum mechanics are formally equivalent.

But there is a caveat. The equivalence only holds if both quantum mechanics and the multiverse take special forms.

[...]

At one time, such an idea would have been heresy. But in theory, it could be done if an observer could perform an infinite number of experiments and observe the outcome of them all.

But that’s impossible, right? Nobody can do an infinite number of experiments. Relativity places an important practical limit on this because some experiments would fall outside the causal horizon of others. And that would mean that they couldn’t all be observed.

But Susskind and Bousso say there is a special formulation of the universe in which this is possible. This is known as the supersymmetric multiverse with vanishing cosmological constant.

If the universe takes this form, then it is possible to carry out an infinite number of experiments within the causal horizon of each other.

Now here’s the key point: this is exactly what happens in the many worlds interpretation. At each instant in time, an infinite (or very large) number of experiments take place within the causal horizon of each other. As observers, we are capable of seeing the outcome of any of these experiments but we actually follow only one.

Bousso and Susskind argue that since the many worlds interpretation is possible only in their supersymmetric multiverse, they must be equivalent. “We argue that the global multiverse is a representation of the many-worlds in a single geometry,” they say.

They call this new idea the multiverse interpretation of quantum mechanics.

[...]

But what this idea lacks is a testable prediction that would help physicists distinguish it experimentally from other theories of the universe. And without this crucial element, the multiverse interpretation of quantum mechanics is little more than philosophy.

That may not worry too many physicists, since few of the other interpretations of quantum mechanics have testable predictions either (that’s why they’re called interpretations).

Still, what this new approach does have is a satisfying simplicity: it’s neat and elegant that the many worlds and the multiverse are equivalent. William of Ockham would certainly be pleased and no doubt, many modern physicists will be too.

Financing Options For Startups

May 24th, 2011. Published under My Recent Reads. No Comments.


I got a bunch of great suggestions in my kickoff post on this topic last week. Based on that feedback, the series is going to look like this:

1) Friends and Family

2) Contests/Prizes/Accelerator Programs

3) Government Grants

4) Customer Financing

5) Vendor Financing

6) Convertible Debt

7) Preferred Stock

8) Venture Debt

9) Capital Equipment Loans & Leases

10) Bridge Loans

11) Working Capital Financing

This list is roughly in chronological order of how a small company might avail itself of the various financing options, but there are always exceptions. Starting a company is more art than science.

I want to do each financing option as its own dedicated post so I’m not going to start today. I will start next week with friends and family.

If you are looking for some meaty MBA Monday reading this week, I point you to Brad Feld and Jason Mendelson’s awesome venture capital term sheet series, which is required reading for anyone seeking to raise venture capital.

Following the White Rabbit: Software Attacks Against Intel VT-d

May 15th, 2011. Published under My Recent Reads. No Comments.

Today we publish a new paper which is a result of our several month long in-depth evaluation of Intel VT-d technology. To quote the abstract:

We discuss three software attacks that might allow for escaping from a VT-d-protected driver domain in a virtualization system. We then focus on one of those attacks, and demonstrate practical and reliable code execution exploit against a Xen system. Finally, we discuss how new hardware from Intel offers a potential for protection against our attacks in the form of Interrupt Remapping (for client systems available only on the very latest Sandy Bridge processors). But we also discuss how this protection could be circumvented on a Xen system under certain circumstances…

I think the attack is likely the most complex and surprising out of all the things we have presented so far. Parts of it are even funny (if you share our weird sense of humor), such as the use of ICMP ping to generate MSIs. The paper also covers the vendors’ response. You can download the paper here.

This Is The Best Blog Post We’ve Ever Read By An Entrepreneur

May 14th, 2011. Published under My Recent Reads. No Comments.



Ben Pieratt is the founder and CEO of Svpply, a social shopping startup in New York City, and he wrote the best blog post we think we’ve ever read from a startup CEO.

The title gives the tone of the post: “I have no idea what I’m doing.”

Pieratt writes about the fact that he’s a graphic designer by training, and that all of the business-y aspects of running a startup, recruiting, etc. are hard and scary. That things don’t happen how or as fast as they should. That even when it’s not his fault that things go wrong, it’s still his fault because the buck stops with him.

The world of startup entrepreneurship can be pretty macho, with plenty of onanistic self-congratulation about how awesome it is to be an entrepreneur. Your writer has started several companies, and the fact of the matter is that it’s lonely, terrifying and not glamorous at all. Most of the time, you really have no idea what you’re doing. Being public and upfront about it shows amazing humility and strength of character, two qualities that almost always go together.

Congratulations, Ben Pieratt.

Here’s how it starts:

I am the CEO of Svpply, Inc., a social shopping S-Corp operating out of New York City. My company has been the recipient of over half-a-million in investor dollars, for the stated purpose of building an unknown, 3,000-member web service into a cultural phenomenon, and I truly have very little understanding of what I am doing.


For the latest tech news, visit SAI: Silicon Alley Insider. Follow us on Twitter and Facebook.



Beating Up on Android: Practical Android Attacks

May 12th, 2011. Published under My Recent Reads. No Comments.

http://www.immunityinc.com/infiltrate/presentations/Android_Attacks.odt.pdf

Abstract

In this talk Massimiliano Oldani and Bas Alberts exploit the Android attack surface. This talk will demonstrate the various ways Android devices may be compromised both remotely and locally. Furthermore, it will explore many of the interesting things a remote attacker can do once they have established access to your Android device.

————————————————————

This presentation was given at Immunity Inc.’s Infiltrate 2011 conference by two senior researchers from Immunity, Inc.

Google lobbies Nevada to be first state for self-driving cars

May 12th, 2011. Published under My Recent Reads. No Comments.


Google hasn’t given up on its sci-fi ambitions to make self-driving cars a reality. The company is now lobbying Nevada to be the first state to legally allow self-driving cars on public roads, the New York Times reports.

We’re still far from seeing the self-driving cars widely deployed across the country, but landing Nevada’s approval could get the cars up and running in Las Vegas within a few years. Eventually, the cars could perform automated deliveries and serve as self-driving taxis in Vegas, policy analysts say.

The news comes about eight months after Google first announced the technology, which at the time seemed to have come straight out of an Isaac Asimov novel. And in addition to announcing it had developed self-driving cars that actually worked, Google also dropped a bombshell saying the cars had covered 140,000 miles of driving in California with occasional human control. Seven cars drove over 1,000 miles without any human intervention at all.

Google hired Las Vegas-based lobbyist David Goldwater to promote two bills that would legalize self-driving cars. One bill is an amendment to a current electric-vehicle bill that would allow licensing and testing of autonomous vehicles, while the other would allow texting while riding behind the driver’s seat of a self-driving car.

Thus far, Google has been testing the cars with a person in the driver seat (to take over in case the system fails) and passenger seat (to monitor the system). If the legislation is passed and Google’s technology reaches a point where it can be reliably deployed, the cars would be able to drive completely on their own.

Sebastian Thrun, the director of the Stanford Artificial Intelligence Laboratory and co-inventor of Google’s Street View service, previously said that the company’s goal is to prevent traffic accidents, give people more free time, and reduce carbon emissions by changing the way people use their cars.


Half In / Half Out

May 6th, 2011. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)



Recently I met a great entrepreneur working in a hot space. Like many entrepreneurs he’s bootstrapping his company by running a services business on the side. Today, I passed on that opportunity. Why?

- Does not yet have a clear vision and direction

- Not working on it full time

These points are completely related BTW. If his team was full time on this they might be much closer to having clarity around the problem, value proposition and ultimate vision. But they’re not there yet. And while investors can contribute to that vision and I certainly have some ideas, the vision has to come from the company.

Speed is so important to building value. Repeat founder Mike Cassidy who has built and very successfully sold multiple companies says speed is the ultimate strategy. Everything else being equal if I’m looking at two companies going after the same space at the same stage, I’ll back the one that’s moving fastest. Hard to do that when you’re part time.

I am very sympathetic to the need to put food on the table. I get it. But, if you’re going after a big opportunity, one that needs outside investment capital and is capable of delivering the returns that capital needs, then you can’t be half in / half out. You just can’t. If the opportunity is a good one then it’s guaranteed that other teams are working on it full time. And as an investor if I really want to be in that space, I’ll go and find those other companies.

The worst is people who come and pitch an idea they will start after they quit their jobs (after they get funded). Those conversations are very short.

If you want to raise outside $ and even if you don’t but you want to build a leader in your market you need to be all in. Technology and markets move too fast. The barriers to launching companies are almost non-existent. Speed really is the ultimate strategy. So, if you’re going to launch a company find a way to do it full time.

A Syrian Man-In-The-Middle Attack against Facebook

May 5th, 2011. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

UPDATE: If you are in Syria and your browser shows you this certificate warning on Facebook, it is not safe to login to Facebook. You may wish to use Tor to connect to Facebook, or use proxies outside of Syria.

Yesterday we learned of reports that the Syrian Telecom Ministry had launched a man-in-the-middle attack against the HTTPS version of the Facebook site. The attack is ongoing and has been seen by users of multiple Syrian ISPs. We cannot confirm the identity of the perpetrators.

The attack is not extremely sophisticated: the certificate is invalid in users’ browsers, and raises a security warning. Unfortunately, because users see these warnings for many operational reasons that are not actual man-in-the-middle attacks, they have often learned to click through them reflexively. In this instance, doing so would allow the attackers access to and control of their Facebook account. The security warning is users’ only line of defense.

EFF is very interested in collecting TLS/SSL certificates. Our SSL Observatory project has collected millions of them by scanning the public Internet. Thanks to the assistance of a Syrian citizen named Mohammad, we can also provide a copy of the fake Syrian Facebook certificate. Interested readers can find a copy in human-readable and PEM-encoded form [1].

This is very much an amateur attempt at attacking Facebook’s HTTPS site. The certificate was not signed by a Certificate Authority that was trusted by users’ web browsers. Unfortunately, Certificate Authorities are under the direct or indirect control of numerous governments, and many governments therefore have the capability to perform versions of this attack that do not raise any errors or warnings.

[1] Mohammad’s machine resolved the s.static.ak.facebook.com domain to 195.59.150.24, and the www.facebook.com domain to 66.220.153.11. These addresses appear legitimate to us, so the attack was probably implemented with routers or proxies rather than DNS tampering.

Robots Evolve Altruism, Just as Biology Predicts

May 5th, 2011. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Robots in a Swiss laboratory have evolved to help each other, just as predicted by a classic analysis of how self-sacrifice might emerge in the biological world.

10 Best Practices For Raising A VC Round

May 5th, 2011. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Having raised a number of VC rounds personally and observed many more as an investor or friend, I’ve come to think there are a set of dominant best practices that entrepreneurs should follow.

1. Valuation: Come up with what minimum valuation you’d be happy with but never share that number with any investor.  If the number is too low, you’ve set a low ceiling. If your number is too high, you scare people off. Just like on eBay, you only get to your desired price by starting lower and getting a competitive process going. When people ask about price, simply tell them your last round post-money valuation and talk about the progress you’ve made since then.

2. Never tell VCs the names of other VCs that are interested. Reasons: 1) if you are overplaying your hand that could send a negative signal.  Most VCs know each other and talk all the time. 2) it is possible they’ll get together and offer a two-handed deal in which case you have less competition.

3. I think the optimal number of VCs to talk to seriously is about 5.  That is usually enough to get a sense of market but not so much that you get overwhelmed.  You should pick these VCs carefully – this is where trusted, experienced advisors are critical.

4. If there is a VC you really like, have a “buy it now price” and if they hit that valuation (and other terms are clean) do the deal.  Otherwise, say you’d like to “run a process” and include them in it.

5. Try to set timelines that are definite enough that investors feel some pressure to move but not so definite that you look dumb if you don’t have a term sheet by then.  (Investors have an incentive to wait – “to flip another card over” as they say – whereas entrepreneurs want to get the financing over with asap). Depending on where you are in the process, say things like “we’d like to wrap this up in the next few weeks.”

6. Once you start pitching, the clock starts ticking on your deal looking “tired.”  I’d say from your first VC meeting you have about a month before this risk kicks in.  You could have a great company but if investors get a sense that other investors have passed, they assume something is wrong with your company and/or they can wait around and invest later at their leisure.

7. The earlier stage your company is the more you should weight quality of investors vs valuation. For a Series A, you are truly partnering with the VCs.  You should consider taking a lower valuation from a top tier firm over a non top tier firm (but probably any discount over 20% is too much). If you are doing a post-profitable “momentum round” I’d just optimize for valuation and deal terms.

8. Term sheets:  talk about terms in detail over the phone.  Only accept a term sheet once you have decided that if it matches what was described you are prepared to sign it.  After sending a term sheet VCs get worried you’ll shop it and usually want it signed in 24 hours.

9. Get to know the VCs. Talk to their other portfolio companies, read their blogs, call references, etc.  You will be in business with this person for (hopefully) a long time.

10. Timing. While it’s ideal to raise money once you hit the milestones you set out initially, you also need to be opportunistic. Right now, for example, seems to be a really good time to raise a VC round. You could make a ton of progress over the next 6 months, but the market could tank and you could end up in a worse place than you would be today.


Read more posts on cdixon.org »
