Working with Enterprise

– By @BorisDinkevich (296 words)

We need you to help us deliver a package, just there, across the hill.

That was my introduction to a freelance gig, given to me by a senior manager at a large Enterprise company.

“No problem, I'll just take it there and be back in a few hours”.

That got me one of those “are you crazy?” looks. “I don’t think you understand,” he said, “we need your expertise here. We have a team of five ready to go and we already procured most of the equipment they will require”.

Now I was really getting confused, “Five people?”.

A proud smile split his face, “Yes! Last time we tried with nine people – as there is a lot of equipment to carry: camping, food, cooking, etc. But, our architects noticed that the team can share things like cooking utensils. So five is enough”.

“Cooking utensils?”

“Of course, it's going to take three days, they need food and shelter.”

“I thought you said the package needs to be delivered just over the hill, why three days?”

“Oh, that's because of all the equipment they need to carry. It should take three days to get there, but we packed for five, just in case.”

“Wait.. so without the equipment, couldn’t one guy just walk it in one day and be done with it?”

I could see he felt a bit embarrassed about the next bit: “Well, that might be possible, but I only now got into this project and my predecessor already had the team hired and equipment bought..”

“I see, so why am I here then?”

He was happy to be back on familiar grounds, “That’s where your unique skills are needed, such a big team is legally required to have a medic with them”

I left.



Discuss on HackerNews

Making Gmail a little more secure


I love Gmail, but some security concerns have been haunting me ever since I started carrying a smartphone, with my Gmail accessible behind nothing more than a simple swipe gesture or a 4-digit PIN.

My entire life is in Gmail and anyone getting access to my phone will be able to get a lot of sensitive information and, even worse, utilize the nefarious “forgot password” feature that almost any service offers to gain access to more and more data.

Funny thing is, most of those sensitive emails and password-recovery notifications are rarely accessed. My security could be greatly increased if Gmail just asked me to re-enter my password when I try to access them.

Anything from a simple “Please enter your password” prompt on emails matching a “password reset” rule, up to the ability to add filters that set a “Password required” flag, would do.

It would be possible to partially implement this without Google's help by routing important (or all) emails via a third-party service. That service could encrypt the bodies of messages matching a defined pattern, and a Chrome extension (or a similar client-side component) would then decrypt the messages for viewing.
But a true implementation from the search giant would surely put people's minds at rest.

Google, can I please please have this?

What if I lost my laptop

So, I work for a web development agency.

And today I thought I lost my Laptop.

Oh no..

Bought three years ago at ~$1,499 (let's say ~$500 now).

Add a day to re-install and re-configure a new one: +$1K.

Wait.. did I use an encrypted FS ?

A nice surprise awaits the smarter thief: The source code to quite a few active and profitable web properties.

How embarrassing, your private code all over the internet. And those pesky wannabe hackers around. Not a good day to be our client.

I hope I put pass-phrases on my ssh keys

Because he now has access to the production servers and databases of all my clients.

Probably take a bit of effort, but someone might be glad to put their hands on some first class leads and marketing data..

Good thing I keep all my passwords in Chrome’s history

Yeah, including those pesky AWS, Linode, Heroku, etc passwords.

So, remove all backups, play a bit with the databases and watch the poor bastards scramble as their sites go down for a few hours, losing days of business.

No money for the prankster, but oh the look on my client’s faces, priceless.

Yep, I found it

Didn’t lose it. So it's all good.

But that sure did escalate quickly..

Editor's note: This post is intended to raise awareness among developers of the high risk hidden right under their fingers.
We always make sure our laptops cover all of the above points for maximum security. Do you?

EDIT: Comments on Hacker News
EDIT: To clarify, I use Ubuntu (12.10)
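The three points the post raises (disk or home-directory encryption, passphrases on SSH private keys, saved browser passwords) can be checked in a minute. The script below is an added example, not code from the original post: it classifies every private key under ~/.ssh as passphrase-protected or not by reading the file itself (no ssh-keygen prompts), looks for eCryptfs and dm-crypt evidence on the system, and lists Chrome/Chromium login databases. Paths assume Ubuntu defaults; the key samples at the bottom are constructed for illustration and are not real keys.

```python
"""Added example (not from the original post): audit the three laptop risks
the post lists. Paths assume Ubuntu defaults; samples below are constructed."""
import base64
import os
import re
import subprocess

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(blob, pos):
    """Read one uint32-length-prefixed string from an OpenSSH key blob."""
    n = int.from_bytes(blob[pos:pos + 4], "big")
    return blob[pos + 4:pos + 4 + n].decode("ascii", "replace"), pos + 4 + n


def classify_key(data):
    """Return 'encrypted', 'plaintext' or 'not-a-key' for a key file's bytes.

    Covers the formats ssh-keygen has written over the years: PKCS#8
    (BEGIN ENCRYPTED PRIVATE KEY), traditional PEM (a "Proc-Type: 4,ENCRYPTED"
    header only when passphrase-protected) and the OpenSSH format, whose
    binary body names its cipher and KDF; both are "none" without a passphrase.
    """
    text = data.decode("utf-8", "replace")
    if "PRIVATE KEY-----" not in text:
        return "not-a-key"
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return "encrypted"
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        body = re.sub(r"-----[^-]+-----|\s", "", text)  # strip armour + whitespace
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return "not-a-key"
        if not blob.startswith(OPENSSH_MAGIC):
            return "not-a-key"
        cipher, pos = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, pos)
        return "plaintext" if cipher == "none" and kdf == "none" else "encrypted"
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "plaintext"


def audit_ssh_keys(ssh_dir=None):
    """Map every private key file under ~/.ssh to its classification."""
    ssh_dir = ssh_dir or os.path.expanduser("~/.ssh")
    results = {}
    if not os.path.isdir(ssh_dir):
        return results
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if name.endswith(".pub") or not os.path.isfile(path) or os.path.getsize(path) > 65536:
            continue
        with open(path, "rb") as f:
            verdict = classify_key(f.read())
        if verdict != "not-a-key":
            results[path] = verdict
    return results


def hints_from_mounts(mounts_text):
    """eCryptfs mounts (Ubuntu's 'encrypt my home folder') in /proc/mounts text."""
    hints = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "ecryptfs":
            hints.append(f"ecryptfs mounted at {parts[1]}")
    return hints


def hints_from_lsblk(lsblk_text):
    """dm-crypt/LUKS mappings in `lsblk -rno NAME,TYPE` output."""
    return [f"dm-crypt mapping {name}"
            for name, _, kind in (l.partition(" ") for l in lsblk_text.splitlines())
            if kind.strip() == "crypt"]


def disk_encryption_hints():
    """Collect whatever evidence of disk/home encryption this machine offers."""
    hints = []
    try:
        with open("/proc/mounts") as f:
            hints += hints_from_mounts(f.read())
    except OSError:
        pass
    try:
        out = subprocess.run(["lsblk", "-rno", "NAME,TYPE"], capture_output=True, text=True, check=False)
        hints += hints_from_lsblk(out.stdout)
    except OSError:  # lsblk not installed
        pass
    return hints


def browser_password_stores(home=None):
    """Chrome/Chromium login databases present; their protection depends on
    the OS keyring, so count them as part of what a thief gets."""
    home = home or os.path.expanduser("~")
    rel = [".config/google-chrome/Default/Login Data", ".config/chromium/Default/Login Data"]
    return [os.path.join(home, r) for r in rel if os.path.exists(os.path.join(home, r))]


# Constructed samples (not real keys) for demonstrating classify_key.
SAMPLE_PLAIN_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENC_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                  b"b2JmdXNjYXRlZA==\n-----END RSA PRIVATE KEY-----\n")


def fake_openssh_key(cipher, kdf):
    """Only the header of an OpenSSH-format key, which is all classify_key reads."""
    blob = OPENSSH_MAGIC
    for s in (cipher, kdf):
        blob += len(s).to_bytes(4, "big") + s.encode()
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n".encode()


if __name__ == "__main__":
    print("disk encryption:", disk_encryption_hints() or ["NO evidence found"])
    for path, verdict in audit_ssh_keys().items():
        print(f"{verdict:10} {path}")
    print("browser password stores:", browser_password_stores())
```

Run it as the user whose laptop you are worried about; any key reported as plaintext can be fixed in place with `ssh-keygen -p -f <key>`, and an empty disk-encryption list on a machine you believed was encrypted is worth a second look before you trust that belief.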

The Bitcoin and the Taxi driver

I am worried again.

What's this about the taxi driver ?

Back in 2007 I was “investing” in the stock market. The global prices of potash were on the rise and a local stock was climbing like there was no tomorrow. I was in, I was in deep. And then it happened: my taxi ride to the airport.

We had a conversation with the driver on the way; he told me how he went to the bank to deposit around $3,000 in cash and was dumbstruck when the bank asked him for a commission. “I am giving them money and they want me to pay for it ?” (it does sound kind of crazy..).

So he said he was going to invest in the same stock.
Why ? Because it had been going up.

Needless to say it crashed badly a short time after; I hope he didn't make the buy.

Fast forward to today

Just finished helping a friend launch his Bitcoin business; he lets people in Israel buy Bitcoins for shekels. During one of our backend improvement sessions, he told me of an issue with a particular order. Made by a taxi driver.

Because Bitcoins allow sending transfers without fees ?
Because Bitcoins allow anonymity ?
Because Bitcoins are decentralized ?

Because Bitcoins are going up.

Run, Forrest, run.

Have you paid the global tax ?

Bought a can of Coca-Cola lately ?

How about “Old Navy” ? Maybe even a BMW ?

You probably never gave it any thought but that money didn’t go to the “Coke producing Cows”. Part of it went to manufacturing, part to supply chains, retailers, wages, profit.. and part… to marketing.

Let's do an experiment

Look at the Coke in your hand.
Now look at a video on YouTube.

That 15 second commercial you were forced to watch ?
You just paid for it.

Can’t escape

No matter where you are in the world and no matter who you are:

Every day you pay a bit extra for almost everything you buy(*), just to have that money used to show annoying Ads wherever you are online (and offline).

The sad truth

So the next time you see Ads take up 90% of the space in the article you are trying to read.. don’t get mad. Try to enjoy them.. hell.. you paid for them.

* Or a lot extra if it's a “brand”, as the marketing budget is responsible for a considerable part of the product's price.

Seriously ? Ads ?

Some Facts

  • Facebook now has close to one billion users (that is 1,000,000,000).
  • It is one of the most recognized brands online.
  • One year after launching, ‘Facebook Connect’ was everywhere.
  • It can easily spend a billion dollars (case in point: Instagram).

So what can you do with that power ?

Option 1

Ads, continue trying to push irrelevant pictures and text anywhere you can, hoping I will click it (mostly by mistake).

Option 53

Take the $1B, give it to a team of 1,000 engineers and 1,000 lawyers and let them do something real instead of the crappy ‘Facebook Credits’ sham.

Offer a ‘facebook pay’ button in 200 countries and take 1%.

You know what my Mom understands ?
– Facebook.

You know how my Mom is gonna be shopping ?
– “I just clicked that facebook pay button”.

There is a trillion dollars (that's $1,000,000,000,000) roaming around yearly out there (credit card companies processed $1.9T in 2011 in the US alone).

Why Facebook ?

Problem 1

To fight the money game you need extremely deep pockets. Something the newly IPOed facebook has more than enough of.

Problem 2

Fraud. PayPal and others use complex algorithms, special teams and God knows what. But Facebook has a unique and unparalleled database of a user's history, friends, activities and what not.

People will think twice about losing their ‘Facebook Credit Score’ over a few $ for an online presence they spent (literally) years building and cultivating.

Bottom Line

Now that is where Facebook’s $10B profit is hiding.

But hey.. what's cooler: making $1B/year from advertising or making $10B/year from money processing ?

Or spend that money on iPhone apps that get people sending customized farts to each other; no revenue today, but surely enough to justify their $300M price tag one day.


 UPDATE (14:05 GMT): 

Share your thoughts on HackerNews comments



Outside the AB testing box

How we got rid of 80% of our support calls

The year is 2010 and yours truly is deciding to open a Groupon-like coupon site back in his country. A bit of coding + a bit of selling and we were up in the air.

Beyond being the VP-RnD, CFO and Janitor, I had the dubious role of being the Head (and sole employee) of our “Customer Support”.

A wise man once said, “To know your customers, you must know your customers”. So instead of spamming my visitors with various pop-up/slide-on/drop-left/pop-off tools for suggestions/questions/injestions, I just went ahead and put my personal mobile phone number right there on the buy page, in HUGE capital letters.

Number of people who emailed our support address during the next week: 2.
Number of people who called me up (thankfully during reasonable hours): ~100

The next bit might surprise you: it appears that even in the year 2010, the average 30-year-old mom (that is our main demographic – I asked) is utterly terrified of using her credit card on the web.

“Is it possible to buy by phone ?” she would ask.
“Well yes, ma'am, did you have problems buying on the site ?”
“Noo.. it's just that I am worried about putting my card online”.

In the beginning I was naive enough to try the
“No need, we have SSL on the page and our servers are PCI compliant” line…
“Yeeaa… but.. can I buy over the phone ?” is what I got every time.

So we proceeded with me opening the website on my PC and filling in her details, as she dictated them to me.

Not a week had passed and the executive team started getting multiple complaints from the support staff (me). And the VP-RnD decided that something must be done.

Something being done

Option A: Do some bad-ass A/B testing, e.g. move a button 17 pixels to the left, change the first letter of some words to capitals and maybe even try switching the radio buttons from round to square.

Option B: Try to address the issue at hand.

Since my users weren't very tech-savvy and couldn't/wouldn't understand that the page was secured with SSL, it became apparent that they needed to be told. Proposed solution: put a big red dotted border around the form and write in large, red and reassuring letters: “SECURE ZONE”.

The form before:

How our buy form looked before

The form after:

Our form after being "secured"

For the Hebrew challenged, the writing in red is “This area is secured by SSL”.


The test

Next step: Ask (sample user: mom) to buy a coupon and provide feedback.

(In the initial test version, I also had her enter her name and email in fields that were outside the “safe zone”).

Feedback: “I felt a bit uncomfortable filling in the name and email, since they were not secure.. but I filled them in anyway because it's your site” (GREAT SUCCESS !!)

3 minutes later we went live, one week later I took my phone off the site.

Results: Even with increased activity, phone calls went from ~100/week to ~20.


You can A/B test the crap out of your site, but you might try asking your users if something is wrong first.

“Most people will assume a safe is safe if it looks like a safe safe”


First employee of startup ? You are probably getting screwed !

Same story again

A friend of mine just told me about his exciting new opportunity:
He met two guys who are opening a new startup. They are known in the community and already had a small exit before. For the past half year they have been working on the startup, have some code, and are now just finishing a $500K seed raise.

And, they are looking for their first employee with significant equity !

After some interviews and f2f meet ups, they decided to offer him a job. Of course, they can’t afford to pay market salary just yet but they are willing to give significant equity, a chance to influence the company’s direction and become a core member of their team !

And he was just about to sign up.

Me: “So tell me more, what kind of numbers are we talking about.”
Him: “Good ! Half my normal salary and 1% of the company”

Now this might sound very reasonable and exciting, but perhaps it's time for…

A bit of… math !

Taking the optimistic route
– In one year the company does a series A and can pay full salary
– They raised $500K at a high $2M (pre-money) valuation, giving away 20%
– His normal $100K/year is cut to $50K/year.

From the looks of it, he is pretty much saving the company / putting in $50K.

What does an investor get for putting in $50K:
– 2% of company shares
– Priority on exit
– Invest small part of his capital

What does the employee get for putting in $50K:
– 1% of company shares (options)
– 4 year vesting plan
– Exercise price
– No priority
– No control or rights of information
– Invest large part of own capital

Strange numbers, and yet people agree to them every day.
Because their 1% will turn into a million.
And as for working for half their salary (or less).. hey.. it's just for a while.

How low did you compromise ?

EDIT – 14:00:00 UTC
Interesting discussion on HackerNews

We are the McDonald's of Shoe stores


“I am opening a new shoe store”

That is what a good friend of mine, happily announced to me.
“Not just a shoe store, we are going to be the McDonald's of shoe stores !”
Shoe store ? Frankly I wasn't too surprised, having heard that quite a few times already.
And he proceeded to happily tell me of his grand plans.

The shoe store he was planning was going to open in the huge mall in the capital.
Having thousands of patrons a day made it an ideal target for him.
And regarding all the other hundreds of shoe stores there ? He didn't seem too worried, on the contrary:
“Its great ! All those stores just means that there is a market for shoes !”.

But he knew that just opening another shoe store was not enough, so his would be special. Every person visiting would get (wait for it….) a free high-quality coffee !
And who doesn’t want coffee ? Everyone will come for a drink and buy their shoes on the way.

“Wouldn’t you like free coffee ?” he asked me. And I had to agree I would. Sure it would put them at a loss in the beginning, but he had made quite a few calculations in Excel and in a year or two the shoe sales would be high enough to cover the coffee and begin to become profitable. (Especially since they planned to move to their own coffee machines and bulk deals with coffee importers by then)

We chatted about coffee types for a while and then I told him of another friend of mine, who just days ago had told me of his shoe store (which was already finishing its renovation). Their idea was “massage chairs”: you get a massage while measuring shoes, people stay longer, more shoes get bought.

He dismissed them with a wave of his hand. “Bah ! We will get those too in time, and lots of other stuff others have”. In the end it's all about execution. He had a great team and a professional designer who had just left IKEA.
“With a bit of hard work, we will become the biggest shoe shop in the mall and then spread to other cities via franchise and be like Starbucks or McDonald's”

I like it, I said, but there are hundreds of shoe stores in that mall, why not try something different ?
Or better yet, why not start in the smaller cities and villages where there are almost no stores, and the existing ones are small and bad ?
“That's not how you do it if you plan big !” He and his partner had just joined the state's leading coaching firm's entrepreneurs plan. With the help of the firm, they would get the money and connections needed to reach the mall's weekly newsletter and maybe even be featured on the large billboard at the entrance.

Sure competition was hard, sure there was lots of it. But their idea had a unique twist and with the proper execution ? The sky was the limit.

All that was three months ago; he has already quit his job and started working full time with his partner on designing the interior and the shoe selection.
They got some money from friends and a group of investors, moved to the big city near the huge mall and started looking for a good location for their shoe store.

And me ? Well, since all the shoe stores are in the big mall in the capital and none are in the hundred little cities around it (one of which I live in), I'll be driving 60 miles tomorrow.. to buy shoes.

True web security from JavaScript injections ?

With the coming of Firefox 4, a new (and widely unnoticed) feature was added to the browser:
CSP – Content Security Policy.

The idea behind CSP is to mitigate many of the attacks and abuses we have been seeing on the web in recent years: clickjacking, unexpected cross-site scripting, script injection by corporate, national or ISP middleboxes, and many more.

How does it work ?

When serving a web page, the server can now tell the browser exactly where data may come from and where it may go. The policy states which JavaScript files may run (and from which domains), where XHR requests may be made, and even where static resources (like images) may be loaded from.

To be exact, the web server adds a new HTTP header:

X-Content-Security-Policy: policy

(The X- prefix was Firefox's experimental name. The standardized header that all major browsers implement today is Content-Security-Policy, with the same directive syntax; the prefixed form is no longer honoured.)

The browser (at the time, only Firefox 4) parses the rules and prevents the page from doing anything the policy does not authorize.

For example:

X-Content-Security-Policy: allow 'self'; img-src *; media-src; script-src

Here allow (today's default-src) restricts every kind of load to the page's own origin, and the more specific img-src * overrides that for images only.

(More examples here)

A small test

One useful feature of CSP is its ability to report violations: add a report-uri directive and the browser POSTs a JSON description of every blocked load to that URL. With the help of RoR and Redis, here is a little site where you can check whether any unexpected scripts are being injected into your plain HTTP pages. (Keep in mind that an intermediary able to inject scripts into plain HTTP can just as easily strip the header, so the test catches injectors that are not CSP-aware; over HTTPS the header cannot be tampered with.)

Test your connection for JS injections
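The two mechanisms above, the per-directive allow/deny decision the browser makes for every load and the report it sends when a load is blocked, can be modelled in a few dozen lines. The code below is an added example, not code from the original post, from Firefox or from the author's test site: it parses a policy in the header syntax shown above (treating the legacy allow directive as an alias of default-src, which is what it became), decides whether a given resource URL may be loaded under a given directive, and extracts the useful fields from a report-uri POST. Host sources are matched by exact host or a leading "*." wildcard; the sample policy, page URL and violation report are constructed for this example.

```python
"""Added example (not from the post, Firefox or the author's site): a model of
CSP source matching plus a parser for report-uri violation reports.
Assumes standard directive names; `allow` is mapped to default-src."""
import json
from urllib.parse import urlsplit

LEGACY_ALIASES = {"allow": "default-src"}  # X-Content-Security-Policy spelling


def parse_policy(header):
    """'allow 'self'; img-src *' -> {'default-src': ["'self'"], 'img-src': ['*']}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name = parts[0].lower()
        policy[LEGACY_ALIASES.get(name, name)] = parts[1:]
    return policy


def _origin(url):
    # (scheme, host, port); an implicit port is left as None, so http://a and
    # http://a:80 are treated as different origins in this simplified model.
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)


def _host_matches(pattern, host):
    # "*.example.test" matches any subdomain but not example.test itself.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(source, resource_url, page_url):
    """One source expression from a directive against one resource URL."""
    s = source.lower()
    scheme, host, port = _origin(resource_url)
    if s == "'none'":
        return False
    if s == "*":
        return True
    if s == "'self'":
        return _origin(resource_url) == _origin(page_url)
    if s.endswith(":"):                       # scheme source, e.g. https:
        return scheme == s[:-1]
    if "://" in s:                            # scheme://host[:port]
        want = urlsplit(s)
        return (want.scheme == scheme
                and _host_matches(want.hostname or "", host)
                and (want.port is None or want.port == port))
    host_pat, _, port_pat = s.partition(":")  # bare host[:port]
    return _host_matches(host_pat, host) and (not port_pat or port_pat == str(port))


def is_allowed(policy, directive, resource_url, page_url):
    """Whether a load governed by `directive` (script-src, img-src, ...) may
    proceed. An absent directive falls back to default-src; with neither
    present the load is allowed, which is why a policy of only `img-src *`
    still lets scripts from anywhere run."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(_source_matches(src, resource_url, page_url) for src in sources)


def parse_violation_report(body):
    """Pull the fields worth storing out of a report-uri POST body."""
    r = json.loads(body)["csp-report"]
    return {"document": r.get("document-uri"),
            "directive": r.get("violated-directive"),
            "blocked": r.get("blocked-uri")}


PAGE = "http://example.test/index.html"
POLICY = parse_policy("allow 'self'; img-src *; script-src 'self' https://cdn.example.test; "
                      "report-uri /csp-report")
# Constructed report in the shape a browser sends when the policy above blocks
# a script that an intermediary injected into the plain HTTP page.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": PAGE,
    "violated-directive": "script-src 'self' https://cdn.example.test",
    "blocked-uri": "http://injector.example/isp.js",
}})

if __name__ == "__main__":
    for directive, url in [("script-src", "http://example.test/app.js"),
                           ("script-src", "https://cdn.example.test/lib.js"),
                           ("script-src", "http://injector.example/isp.js"),
                           ("img-src", "http://anywhere.example/pixel.png"),
                           ("connect-src", "http://tracker.example/beacon")]:
        verdict = "allow" if is_allowed(POLICY, directive, url, PAGE) else "BLOCK"
        print(f"{directive:12} {url:40} {verdict}")
    print(parse_violation_report(SAMPLE_REPORT))
```

The connect-src case is the one worth noticing: the policy never mentions it, so the XHR beacon falls back to allow 'self' and is blocked, while a policy that consisted of nothing but img-src * would let it through. A real report endpoint should also throttle and authenticate nothing about the sender, since anyone can POST to it; the author's RoR/Redis site presumably just counts distinct blocked-uri values per reporting client.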

Read more about CSP