Case Study: A Successful BotNet-Based Attack


By Zack Sanders – Security Expert – APconnections

In early 2012, I took on a client who was a referral from someone I had worked with when I first got out of school. When the CTO of the company initially called me, they were actually in the process of being attacked at that very moment. I got to work right away using my background as both a web application hacker and as a forensic analyst to try and solve the key questions that we briefly touched on in a blog post just last week. Questions such as:

– What was the nature of the attack?

– What kind of data was it after?

– What processes and files on the machine were malicious and/or which legitimate files were now infected?

– How could we maintain business continuity while at the same time ensuring that the threat was truly gone?

– What sort of security controls should we put in place to make sure an attack doesn’t happen again?

– What should the public and internal responses be?

Background

For the sake of this case study, we’ll call the company HappyFeet Movies – an organization that specializes in online dance tutorials. HappyFeet has three basic websites, all of which help sell and promote their movies. Most of the company’s business occurs in the United States and Europe, with few other international transactions. All of the websites reside on one physical server that is maintained by a hosting company. They are a small to medium-sized business with about 50 employees locally.

Initial Questions

I always start these investigations with two questions:

1) What evidence do you see of an attack? Defacement? Increased traffic? Interesting log entries?

2) What actions have you taken thus far to stop the attack?

Here was HappyFeet’s response to these questions:

1) We are seeing content changes and defacement on the home page and other pages. We are also seeing strange entries in the Apache logs.

2) We have been working with our hosting company to restore to previous backups. However, after each backup, within hours, we are getting hacked again. This has been going on for the last couple of months. The hosting company has removed some malicious files, but we aren’t sure which ones.

Looking For Clues

The first thing I like to do in cases like this is poke around the web server to see what is really going on under the hood. Hosting companies often have management portals or FTP interfaces where you can interact with the web server, but having root access and a shell is extremely important to me. With this privileged account, I can go and look at all the relevant files for evidence that aligns with the observed behavior. Keep in mind, at this point I have not done anything as far as removing the web server from the production environment or shutting it down. I am looking for valuable information that really can only be discovered while the attack is in progress. The fact that the hosting company has restored to backup and removed files irks me, but there is still plenty of evidence available for me to analyze.

Here were some of my findings during this initial assessment – all of them based around one of the three sites:

1) The web root for one of the three sites has a TON of files in it – many of which have strange names and recent modification dates. Files such as:

db_config-1.php

index_t.php

c99.php

2) Many of the directories (even the secure ones) are world writable, with permissions:

drwxrwxrwx

3) There are SQL dumps/backups in the web root that are zipped so when visited by a web browser the user is prompted for a download – yikes!

4) The site uses a content management system (CMS) that was last updated in 2006 and the database setup interface is still enabled and visible at the web root.

5) Directory listings are enabled, allowing a user to see the contents of the directories – making discovery of the file names above a trivial task.

6) The Apache logs show incessant SQL injection attempts, which, when run, expose usernames and passwords in plain text.

7) The Apache logs also show many entries accessing a strange file called c99.php. It appeared to be some sort of interface that took shell commands as arguments, as is evident in the logs:

66.249.72.41 - - "GET /c99.php?act=ps_aux&d=%2Fvar%2Faccount%2F&pid=24143&sig=9 HTTP/1.1" 200 286

Nature of the Attack

There were two basic findings that stood out to me most:

1) The c99.php file.

2) The successful SQL injection log entries.

c99.php

I decided to do some research and quickly found out that this is a popular PHP shell file. It was somehow uploaded to the web server and the rest of the mayhem was conducted through this shell script in the browser. But how did it get there?

The oldest log data on the server was December 19, 2011. At the very top of this log file were commands accessing c99.php, so I couldn’t really be sure how it got on there, but I had a couple guesses:

1) The most likely scenario I thought was that the attacker was able to leverage the file upload feature of the dated CMS – either by accessing it without an account, or by brute forcing an administrative account with a weak password.

2) There was no hardware firewall protecting connections to the server, and there were many legacy FTP and SSH accounts festering that hadn’t been properly removed when they were no longer needed. One of these accounts could have been brute forced – more likely an FTP account with limited access; otherwise a shell script wouldn’t really be necessary to interact with the server.

The log entries associated with c99.php were extremely interesting. There would be 50 or so GET requests, which would run commands like:

cd, ps aux, ls -al

Then there would be a POST request, which would either put a new file in the current directory or modify an existing one.

This went on for tens of thousands of lines. The very manual and linear nature of the entries seemed to me very much like an automated process of some type.

SQL Injection

The SQL injection lines of the logs were also very exploratory in nature. There was a long period of information gathering and testing against a few different PHP pages to see how they responded to database code. Once the attacker realized that the site was vulnerable, the onslaught began and eventually they were able to discover the information schema and table names of pertinent databases. From there, it was just a matter of running through the tables one at a time pulling rows of data.

What Was The Attack After?

The motives were pretty clear at this point. The attacker was a) attempting to control the server for use in other attacks or to send spam, and b) gathering whatever sensitive information they could from databases or configuration files before moving on. Exploited user names and passwords could later be used in identity theft, for example. Both of the above motives are very standard for botnet-based attacks. It should be noted that the attacker was not specifically after HappyFeet – in fact they probably knew nothing about them – they just used automated probing to look for red flags and, when the probes returned positive results, assimilated the server into their network.

Let the Cleanup Begin

Now that the scope of the attack was more fully understood, it was time to start cleaning up the server. When I am conducting this phase of the project, I NEVER delete anything, no matter how obviously malicious or how benign. Instead, I quarantine it outside of the web root, where I will later archive and remove it for backup storage.

Find all the shell files

The first thing I did was attempt to locate all of the shell files that might have been uploaded by c99.php. Because my primary theory was that the shell file was uploaded through a file upload feature in the web site, I checked those directories first. Right away I saw a file that didn’t match the naming convention of the other files. First of all, the directory was called “pdfs” and this file had an extension of PHP. It was also called broxn.php, whereas the regular files had longer names with camel-case that made sense to HappyFeet. I visited this file in the web browser and saw a GUI-like shell interface. I checked the logs for usage of this file, but there were none. Perhaps this file was just an intermediary to get c99.php to the web root. I used a basic find command to pull a list of all PHP files from the web root forward. Obviously this was a huge list, but it was pretty easy to run through quickly because of the naming differences in the files. I only had to investigate ten or so files manually.

I found three other shell files in addition to broxn.php. I looked for evidence of these in the logs, found none, and quarantined them.

What files were uploaded or which ones changed?

Because of the insane number of GET requests served by c99.php, I thought it was safe to assume that every file on the server was compromised. It wasn’t worth going through the logs manually on this point. The attacker had access to the server long enough that this assumption is the only safe one. The less frequent occurrences of POST requests were much more manageable. I did a grep through the Apache logs for POST requests submitted by c99.php and came up with a list of about 200 files. My thought was that these files were all either new or modified and could potentially be malicious. I began the somewhat painstaking process of manually reviewing these files. Some had been overwritten back to their original state by the hosting company’s backup, but some were still malicious and in place. I noted these files, quarantined them, and retested website functionality.
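The log review described above (the GET/POST pattern of the c99.php entries and the grep for its POST requests), as an added example that is not the author's tooling. It assumes Apache common log format and that a POST URL carries the same `d` directory parameter as the GET shown earlier; the sample lines and every `act` value other than `ps_aux` are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Shell file names taken from the case study.
SHELL_NAMES = {"c99.php", "broxn.php"}

# Constructed sample lines (documentation IP ranges); only the query string of
# the first request comes from the article.
SAMPLE_LOG = """\
198.51.100.23 - - [19/Dec/2011:03:10:01 +0000] "GET /c99.php?act=ps_aux&d=%2Fvar%2Faccount%2F&pid=24143&sig=9 HTTP/1.1" 200 286
198.51.100.23 - - [19/Dec/2011:03:10:02 +0000] "GET /c99.php?act=ls&d=%2Fvar%2Fwww%2Fsite1%2Fpdfs%2F HTTP/1.1" 200 4310
198.51.100.23 - - [19/Dec/2011:03:10:03 +0000] "GET /c99.php?act=ls&d=%2Fvar%2Fwww%2Fsite1%2F HTTP/1.1" 200 9120
198.51.100.23 - - [19/Dec/2011:03:10:04 +0000] "POST /c99.php?act=upload&d=%2Fvar%2Fwww%2Fsite1%2F HTTP/1.1" 200 512
198.51.100.23 - - [19/Dec/2011:03:10:09 +0000] "POST /c99.php?act=upload&d=%2Fvar%2Fwww%2Fsite1%2Fincludes%2F HTTP/1.1" 403 199
192.0.2.14 - - [19/Dec/2011:03:11:00 +0000] "GET /index.php?page=lessons HTTP/1.1" 200 20480
192.0.2.14 - - [19/Dec/2011:03:11:05 +0000] "POST /login.php HTTP/1.1" 302 0
truncated entry without a request line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def triage(log_text, shell_names=SHELL_NAMES):
    """Summarise requests to known shell files: what was run and where writes landed."""
    actions = Counter()   # (ip, act) -> number of GET requests
    posts = []            # every POST to a shell file, in log order
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1  # a line we cannot parse is a gap in the timeline
            continue
        parts = urlsplit(m["uri"])
        if parts.path.rsplit("/", 1)[-1].lower() not in shell_names:
            continue
        query = parse_qs(parts.query)  # parse_qs also percent-decodes values
        act = query.get("act", ["?"])[0]
        directory = query.get("d", [""])[0]
        if m["method"] == "GET":
            actions[(m["ip"], act)] += 1
        elif m["method"] == "POST":
            posts.append({"time": m["ts"], "ip": m["ip"],
                          "dir": directory, "status": int(m["status"])})
    # Directories where a POST succeeded are where new or modified files
    # should be reviewed first.
    review_dirs = sorted({p["dir"] for p in posts
                          if p["status"] < 400 and p["dir"]})
    return {"actions": actions, "posts": posts,
            "review_dirs": review_dirs, "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (ip, act), count in sorted(result["actions"].items()):
        print(f"GET  {ip} act={act} x{count}")
    for post in result["posts"]:
        print(f"POST {post['time']} {post['ip']} dir={post['dir']} status={post['status']}")
    print("review first:", result["review_dirs"], "| unparsed lines:", result["unparsed"])
```

The request body of a POST is not in the access log, so the output narrows the manual review to directories rather than naming the files that changed.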

Handling the SQL injection vulnerabilities

The dated CMS used by this site was riddled with SQL injection vulnerabilities. So much so, that my primary recommendation for handling it was building a brand new site. That process, however, takes time, and we needed a temporary solution. I used the log data that I had to figure out which pages the botnet was primarily targeting with SQL attacks. I manually modified the PHP code to do basic sanitizing on all inputs in these pages. This immediately thwarted SQL attacks going forward, but the damage had already been done. The big question here was how to handle the fact that all usernames and passwords were compromised.

Improving Security

Now that I felt the server was sufficiently cleaned, it was time to beef up the security controls to prevent future attacks. Here are some of the primary tasks I did to accomplish this:

1) Added a hardware firewall for SSH and FTP connections.

I worked with the hosting company to put this appliance in front of the web server. Now, only specific IPs could connect to the web server via SSH and FTP.

2) Audited and recreated all accounts.

I changed the passwords of all administrative accounts on the server and in the CMS, and regenerated database passwords.

3) Put IP restrictions on the administrative console of the CMS.

Now, only certain IP addresses could access the administrative portal.

4) Removed all files related to install and database setup for the CMS.

These files were no longer necessary and only presented a security vulnerability.

5) Removed all zip files from the web root forward and disabled directory listings.

These files were readily available for download and exposed all sorts of sensitive information. I also disabled directory listings, which is helpful in preventing successful information gathering.

6) Hashed customer passwords for all three sites.

Now, the passwords for user accounts were not stored in plain text in the database.

7) Added file integrity monitoring to the web server.

Whenever a file changes, I am notified via email. This greatly helps reduce the scope of an attack should it breach all of these controls.

8) Wrote a custom script that blocks IP addresses that put malicious content in the URL.

This helps prevent information gathering or further vulnerability probing. The actions this script takes operate like a miniature NetGladiator.

9) Installed anti-virus software on the web server.

10) Removed world-writable permissions from every directory and adjusted ownership accordingly.

No directory should ever be world writable – doing so is usually just a lazy way of avoiding proper ownership. The world writable aspect of this server allowed the attack to be way more broad than it had to be.

11) Developed an incident response plan.

I worked with the hosting company and HappyFeet to develop an internal incident response policy in case something happens in the future.
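The filesystem checks behind the findings and items 5 and 10 above (scripts in upload directories, world-writable directories, archives under the web root), together with the quarantine-instead-of-delete rule from the cleanup, as an added example that is not the author's script. The directory names treated as content-only, the extension sets and the sample tree are assumptions constructed for illustration.

```python
import os
import shutil
import stat
import tempfile

SCRIPT_EXT = {".php", ".phtml", ".cgi", ".pl"}
ARCHIVE_EXT = {".zip", ".gz", ".tar", ".sql", ".bak"}
UPLOAD_DIRS = {"pdfs", "uploads"}  # assumption: directories that should hold content only


def audit_webroot(webroot, upload_dirs=UPLOAD_DIRS):
    """Report world-writable dirs, scripts in upload dirs and archives, relative to webroot."""
    report = {"world_writable_dirs": [], "scripts_in_upload_dirs": [], "archives": []}
    for root, _dirs, files in os.walk(webroot):  # does not follow symlinks
        rel_root = os.path.relpath(root, webroot)
        if os.lstat(root).st_mode & stat.S_IWOTH:
            report["world_writable_dirs"].append(rel_root)
        in_upload = any(part in upload_dirs for part in rel_root.split(os.sep))
        for name in files:
            rel = os.path.normpath(os.path.join(rel_root, name))
            ext = os.path.splitext(name)[1].lower()
            if ext in ARCHIVE_EXT:
                report["archives"].append(rel)
            if in_upload and ext in SCRIPT_EXT:
                report["scripts_in_upload_dirs"].append(rel)
    return {key: sorted(value) for key, value in report.items()}


def quarantine(webroot, rel_path, quarantine_dir):
    """Move a file out of the web root, keeping its relative path; never delete."""
    webroot = os.path.realpath(webroot)
    quarantine_dir = os.path.realpath(quarantine_dir)
    if os.path.commonpath([webroot, quarantine_dir]) == webroot:
        raise ValueError("quarantine directory must be outside the web root")
    src = os.path.realpath(os.path.join(webroot, rel_path))
    if os.path.commonpath([webroot, src]) != webroot:
        raise ValueError("path escapes the web root")
    dest = os.path.join(quarantine_dir, os.path.relpath(src, webroot))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.move(src, dest)   # rename or copy2: modification time is preserved
    os.chmod(dest, 0o400)    # evidence copy: owner read-only
    return dest


def build_sample_tree(base):
    """Constructed layout mirroring the findings; not the client's files."""
    webroot = os.path.join(base, "htdocs")
    for d in ("pdfs", "includes", "backups"):
        os.makedirs(os.path.join(webroot, d))
    for rel in ("index.php", "c99.php", "pdfs/BeginnerSalsaGuide.pdf",
                "pdfs/broxn.php", "includes/db.php", "backups/site_dump.sql.zip"):
        with open(os.path.join(webroot, rel), "w") as fh:
            fh.write("placeholder\n")
    os.chmod(os.path.join(webroot, "pdfs"), 0o777)  # drwxrwxrwx, as in finding 2
    for d in ("includes", "backups", "."):
        os.chmod(os.path.join(webroot, d), 0o755)
    return webroot


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        root = build_sample_tree(base)
        for kind, paths in audit_webroot(root).items():
            print(kind, paths)
        print("moved to", quarantine(root, "pdfs/broxn.php", os.path.join(base, "quarantine")))
```

Location rules do not flag c99.php sitting directly in the web root, where PHP files are expected; that file was identified from its name and the log evidence.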

Public Response

Due to the fact that all usernames and passwords were compromised, I urged HappyFeet to communicate the breach to their customers. They did so, and later received feedback from users who had experienced identity theft. This can be a tough step to take from a business point of view, but transparency is always the best policy.

Ongoing Monitoring

It is not enough to implement the above controls, set it, and forget it. There must be ongoing tweaking and monitoring to ensure a strong security profile. For HappyFeet, I set up a yearly monitoring package that includes:

– Manual and automated log monitoring.

– Server vulnerability scans once a quarter, and web application scans once every six months.

– Manual user history review.

– Manual anti-virus scans and results review.

Web Application Firewalls

I experimented with two types of web application firewalls for HappyFeet. Both took me down the road of broken functionality and over-robustness. One had to be completely uninstalled, and the other is in monitoring mode because protection mode disallowed legitimate requests. It also is alerting to probing attempts about 5,000 times per day – most of which are not real attacks – and the alert volume is unmanageable. Its only value is in generating data for improving my custom script that is blocking IPs based on basic malicious attempts.

This is a great example of how NetGladiator can provide a lot of value to the right environment. They don’t need an intense, enterprise-level intrusion prevention system – they just need to block the basics and not break functionality in their web sites. The custom script, much like NetGladiator, suits their needs to a T and can also be configured to reflect previous attacks and vulnerabilities I found in their site that are too vast to manually patch.
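The URL-based blocking described in item 8 and in this section, as an added example; it is not the author's script and not NetGladiator code. The three signatures, the per-IP threshold, the allowlist and the sample requests are assumptions constructed for illustration, and enforcing the resulting block list is left to the firewall.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Signatures limited to what the case study reports: SQL injection probing that
# enumerated the information schema, and requests for the shell files found.
RULES = {
    "sqli_union": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "sqli_schema": re.compile(r"\binformation_schema\b", re.I),
    "webshell": re.compile(r"/(?:c99|broxn)\.php(?:\?|$)", re.I),
}

# Constructed sample traffic: (client IP, request URI), documentation IP ranges.
REQUESTS = [
    ("203.0.113.50", "/lessons.php?id=12+UNION+SELECT+1,2,3"),
    ("203.0.113.50", "/lessons.php?id=-1%20union%20all%20select%20table_name"
                     "%20from%20information_schema.tables"),
    ("203.0.113.50", "/lessons.php?id=12%2520UNION%2520SELECT%25201"),
    ("203.0.113.50", "/c99.php?act=ps_aux&d=%2Fvar%2Faccount%2F"),
    ("192.0.2.77", "/search.php?q=student+union+select+committee"),  # legitimate search
    ("192.0.2.77", "/lessons.php?id=40"),
    ("198.51.100.9", "/lessons.php?id=1+union+select+null"),  # scheduled scanner
    ("198.51.100.9", "/lessons.php?id=2+union+select+null"),
    ("198.51.100.9", "/c99.php"),
]


def normalise(uri, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded input is matched too."""
    for _ in range(rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def match_rules(uri):
    """Return the sorted names of every rule the decoded URI matches."""
    text = normalise(uri)
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def block_candidates(requests, threshold=3, allow=frozenset()):
    """Map each IP with at least `threshold` flagged requests to its evidence.

    A single hit is not enough to block: the legitimate search above trips
    sqli_union once, which is the kind of false positive that made the WAF's
    protection mode unusable. Allowlisted IPs are never returned.
    """
    flagged = defaultdict(list)
    for ip, uri in requests:
        hits = match_rules(uri)
        if hits and ip not in allow:
            flagged[ip].append((uri, hits))
    return {ip: ev for ip, ev in flagged.items() if len(ev) >= threshold}


if __name__ == "__main__":
    for ip, evidence in block_candidates(REQUESTS, allow={"198.51.100.9"}).items():
        print("block", ip)
        for uri, hits in evidence:
            print("   ", ",".join(hits), "<-", uri)
```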

Lessons Learned

Here are some key take-aways from the above project:

– Being PROACTIVE is so much better than being REACTIVE when it comes to web security. If you are not sure where you stack up, have an expert take a look.

– Always keep software and web servers up to date. New security vulnerabilities arrive on the scene daily, and it’s extremely likely that old software is vulnerable. Often, security holes are even published for an attacker to research. It’s just a matter of finding out which version you have and testing the security flaw.

– Layered security is king. The security controls mentioned above prove just how powerful layering can be. They are working together in harmony to protect an extremely vulnerable application effectively.

If you have any questions on NetGladiator, web security, or the above case study, feel free to contact us any time! We are here to help, and don’t want you to ever experience an attack similar to the one above.

What Does it Cost You Per Mbs for Bandwidth Shaping?


Sometimes by using a cost metric you can distill a relatively complicated thing down to a simple number for comparison. For example, we can compare housing costs by Dollars Per Square Foot or the fuel efficiency of cars by using the Miles Per Gallon (MPG) metric.  There are a number of factors that go into buying a house, or a car, and a compelling cost metric like those above may be one factor.   Nevertheless, if you decide to buy something that is more expensive to operate than a less expensive alternative, you are probably aware of the cost differences and justify those with some good reasons.

Clearly this makes sense for bandwidth shaping now more than ever, because the cost of bandwidth continues to decline and as the cost of bandwidth declines, the cost of shaping the bandwidth should decline as well.  After all, it wouldn’t be logical to spend a lot of money to manage a resource that’s declining in value.

With that in mind, I thought it might be interesting to look at bandwidth shaping on a cost per Mbs basis. Alternatively, I could look at bandwidth shaping on a cost per user basis, but that metric fails to capture the declining cost of a Mbs of bandwidth. So, cost per Mbs it is.

As we’ve pointed out before in previous articles, there are two kinds of costs that are typically associated with bandwidth shapers:

1) Upfront costs (these are for the equipment and setup)

2) Ongoing costs (these are for annual renewals, upgrades, license updates, labor for maintenance, etc…)

Upfront, or equipment costs, are usually pretty easy to get.  You just call the vendor and ask for the price of their product (maybe not so easy in some cases).  In the case of the NetEqualizer, you don’t even have to do that – we publish our prices here.

With the NetEqualizer, setup time is normally less than an hour and is thus negligible, so we’ll just divide the unit price by the throughput level, and here’s the result:

I think this is what you would expect to see.

For ongoing costs you would need to add all the mandatory per year costs and divide by throughput, and the metric would be an ongoing “yearly” per Mbs cost.

Again, if we take the NetEqualizer as an example, the ongoing costs are almost zero.  This is because it’s a turn-key appliance and it requires no time from the customer for bandwidth analysis, nor does it require any policy setup/maintenance to effectively run (it doesn’t use policies). In fact, it’s a true zero maintenance product and that yields zero labor costs. Besides no labor, there’s no updates or licenses required (an optional service contract is available if you want ongoing access to technical support, or software upgrades).

Frankly, it’s not worth the effort of graphing this one. The ongoing cost of a NetEqualizer Support Agreement ranges from $29 (dollars) – $.20 (cents) per Mbs per year. Yet, this isn’t the case for many other products and this number should be evaluated carefully. In fact, in some cases the ongoing costs of some products exceed the upfront cost of a new NetEqualizer!

Again, it may not be the case that the lowest cost per Mbs of bandwidth shaping is the best solution for you – but, if it’s not, you should have some good reasons.

If you shape bandwidth now, what is your cost per Mbs of bandwidth shaping? We’d be interested to know.

If your ongoing costs are higher than the upfront costs of a new NetEqualizer and you’re open to a discussion, you should drop us a note at sales@apconnections.net.

Cloud Computing – Do You Have Enough Bandwidth? And a Few Other Things to Consider


The following is a list of things to consider when using a cloud-computing model.

Bandwidth: Is your link fast enough to support cloud computing?

We get asked this question all the time: What is the best-practice standard for bandwidth allocation?

Well, the answer depends on what you are computing.

– First, there is the application itself.  Is your application dynamically loading up modules every time you click on a new screen? If the application is designed correctly, it will be lightweight and come up quickly in your browser. Flash video screens certainly spruce up the experience, but I hate waiting for them. Make sure when you go to a cloud model that your application is adapted for limited bandwidth.

– Second, what type of transactions are you running? Are you running videos and large graphics or just data? Are you doing photo processing from Kodak? If so, you are not typical, and moving images up and down your link will be your constraining factor.

– Third, are you sharing general Internet access with your cloud link? In other words, is that guy on his lunch break watching a replay of royal wedding bloopers on YouTube interfering with your salesforce.com access?

The good news is (assuming you will be running a transactional cloud computing environment – e.g. accounting, sales database, basic email, attendance, medical records – without video clips or large data files), you most likely will not need additional Internet bandwidth. Obviously, we assume your business has reasonable Internet response times prior to transitioning to a cloud application.

Factoid: Typically, for a business in an urban area, we would expect about 10 megabits of bandwidth for every 100 employees. If you fall below this ratio, 10/100, you can still take advantage of cloud computing but you may need  some form of QoS device to prevent the recreational or non-essential Internet access from interfering with your cloud applications.  See our article on contention ratio for more information.

Security: Can you trust your data in the cloud?

For the most part, chances are your cloud partner will have much better resources to deal with security than your enterprise, as this should be a primary function of their business. They should have an economy of scale – whereas most companies view security as a cost and are always juggling those costs against profits, cloud-computing providers will view security as an asset and invest more heavily.

We addressed security in detail in our article how secure is the cloud, but here are some of the main points to consider:

1) Transit security: moving data to and from your cloud provider. How are you going to make sure this is secure?
2) Storage: handling of your data at your cloud provider, is it secure once it gets there from an outside hacker?
3) Inside job: this is often overlooked, but can be a huge security risk. Who has access to your data within the provider network?

Evaluating security when choosing your provider.

You would assume the cloud company, whether it be Apple or Google (Gmail, Google Calendar), uses some best practices to ensure security. My fear is that ultimately some major cloud provider will fail miserably just like banks and brokerage firms. Over time, one or more of them will become complacent. Here is my check list on what I would want in my trusted cloud computing partner:

1) Do they have redundancy in their facilities and their access?
2) Do they screen their employees for criminal records and drug usage?
3) Are they willing to let you, or a truly independent auditor, into their facility?
4) How often do they back-up data and how do they test recovery?

Big Brother is watching.

This is not so much a traditional security threat, but if you are using a free service you are likely going to agree, somewhere in their fine print, to expose some of your information for marketing purposes. Ever wonder how those targeted ads appear that are relevant to the content of the mail you are reading?

Link reliability.

What happens if your link goes down or your provider link goes down, how dependent are you? Make sure your business or application can handle unexpected downtime.

Editor’s note: unless otherwise stated, these tips assume you are using a third-party provider for resources and applications and are not a large enterprise with a centralized service on your Internet. For example, using QuickBooks over the Internet would be considered a cloud application (and one that I use extensively in our business), however, centralizing Microsoft Excel on a corporate server with thin terminal clients would not be cloud computing.

The Benefits of Requiring Online Registration Forms


By Zack Sanders, NetEqualizer Guest Columnist

The registration form is quickly becoming antiquated in the online world. Once viewed as an easy way to sign up or declare your interest in a company or product, the annoyance level and security concerns associated with filling out your personal data in a web form has led many businesses to utilize other techniques to grab new clientele. For a lot of companies, this is the right approach. There are metrics that show conversion rates for sales and sign-ups are higher when one asks for less information up front. This works particularly well for business-to-consumer sites, social networks that rely on ad revenue and large user bases, and web startups who need to gain a following.

For example, signing up for an online dating site might require you only enter in your sex, age, and email address. Then, once you’ve used the site a little bit, they’ll have you fill out other information in your profile. They’ve already hooked you at this point so obtaining a little more data is a trivial task. If they asked for all your information initially before letting you try the site, they’d be much less likely to gain you as a user.

A lot of companies might be quick to switch to this sort of registration method (after all, it’s the increasingly popular choice), but they should be careful about acting too hastily. It isn’t the best choice for every business. In fact, most business-to-business (B2B) organizations will see more success from a typical registration form. This is true for the following reasons:

  • Business customers usually have more strategic, long-term goals and have already determined there is a business need for your product. They usually aren’t just browsing with little intent to buy.
  • Your sales team will be more efficient because their calls to potential clients will convert better. They won’t be wasting their time as often when they know they are talking to at least semi-serious customers.
  • More sophisticated products might require a discussion between an expert/engineer and the customer. Every organization has slightly different problems they are trying to solve and it’s important to determine quickly whether your product will really help solve their issue. Just like with sales, you want to be efficient with these discussions too.
  • B2B transactions are usually large in volume or cost. Any organization or individual looking to purchase an expensive product won’t mind filling in their information. Because they are serious, the annoyance factor associated with a form goes down.
  • B2B companies have established reputations. Likely, potential customers already know you are legitimate. They won’t be as concerned about providing you with their personal details.

Figuring out what information to ask for is also an important task. You want to walk the fine line of getting complete data without being too invasive. Your form will be best received when you:

  • Make sure that the information you ask for is relevant to your product.
  • Make sure the customer feels confident about your privacy policy. No one wants their information sold to third parties.
  • Don’t hound potential clients with sales calls. Repeat calls from vendors can be extremely annoying and are a huge turnoff.

At NetEqualizer, we’ve tried both the quick/no registration method as well as our current method of requiring a form to be completed. We’ve found that the above benefits of a registration process outweigh the ease of not requiring any information. Our sales team and engineers can make more targeted, efficient phone calls and it gives us the opportunity to explain the benefits of our solution completely to potential customers. In return, the customers get better, more tailored service and support.

About the author:

Zack Sanders is a Web Application Security Specialist with Fiddler on the Root (FOTR). FOTR provides web application security expertise to any business with an online presence. They specialize in ethical hacking and penetration testing as a service to expose potential vulnerabilities in web applications. The primary difference between the services FOTR offers and those of other firms is that they treat your website like an ACTUAL attacker would. They use a combination of hacking tools and savvy know-how to try and exploit your environment. Most security companies  just run automated scans and deliver the results. FOTR is for executives that care about REAL security.

Product Ideas Worth Bringing to Market


By Art Reisman

Updated September 2012

Updated Jan 2013

Art Reisman is currently CTO and co-founder of APconnections, creator of the NetEqualizer. He has worked at several start-up companies over the years and has invented and brought several technology products to market, both on his own and with the backing of larger corporations. This includes tools for the automotive industry.

The following post will serve as a running list of various ideas as I think of them.

The reason I’m sharing them is simply that I hate to let an idea go to waste. Notice that I did not say a good idea. An idea cannot be judged until you make an attempt to develop it further, which I have not done in most cases.

Note: I cannot ensure exclusive rights or ownership for the development of any of these ideas.

1) A Real, Unbiased, Cell Phone Coverage Map

We all know those spots on the interstate and parts of town where our cell phone coverage is worthless. If you could publish an easy-to-use, widely-accepted and maintained guide to these areas, it would become a very popular site.

Research: From my brief search on the subject, a consumer trade rag called CNET has done some work in this area, but I could only find their demos and press releases. I kept getting a map of the Seattle area with no obvious way to get a broader map search.

2) Commodity Land Trading Site

If you have ever flown over the Great Plains you have noticed a gigantic, undeveloped sea of crop and grass land. It is very hard to invest in these tracts for anything less than 1000 acres. Unlike commercial and residential real estate, land prices are fairly easy to quantify, and the simplicity of land allows most of these tracts to be sold at auction. Larger portfolio managers and partnerships snap them up in the same way they would invest in a Mutual Fund. The idea is to place a large portion of farm land into a fund that can easily trade in fractional shares – each representing a real, tangible share of the land.

Research: There is a farm production site with a similar model already.

3) Visit Wineries From all 50 U.S. States at One Location

The idea here is to have one themed retail outlet where you can buy wines from all 50 states with each state given an equal share of floor space. Wines would be set up in themed booths from each state’s wine-producing area, with history and background literature also available. Wines would be from unique, boutique-type wineries and perhaps a few dollars more than the list price. In other words, this store would be more of a themed destination near a major interstate or tourist hub. Every state in the country has wineries, and most have wine growing areas.

Research: Article on wines from all 50 states.

4) Reclaimed Barn Wood

At one time the homesteads on the Great Plains numbered one per approximately 160 acres. Now there is about one family farm per several-thousand acres. As families have consolidated, all that remains are numerous, small, weathered barns and sheds. I would imagine the demand for this reclaimed wood would be on the East Coast and West Coast. There is a company that specializes in reclaimed barn wood, however I suspect the market has room for another player.

5) Site Dedicated to Debunking Dead-end Technologies

Often over the span of an Engineer’s career, they are forced to work on technologies that are politically based, and just down-right impractical or stupid. Once there is money or political pressure behind them, finding opposing views is hard to do. However, for investors or companies betting the house on them, an unbiased opinion from somebody with a brain would have great value, especially if such data could avert billions of dollars of wasted investment and time on technologies destined to fail. A couple of examples of overhyped technologies that drove product decisions are:

VXML
Artificial Intelligence
Voice Recognition

This is not to say there was not some merit in these technologies, but they had some basic flaws that have made them fall far short of their promises. These shortfalls were easily understood by many engineers working on them, but once the promises were sold to investors, the shortcomings were shoved under a rug.

6) Find Me a Human

I searched the other day for a tool like this and so far have come up empty.

The tool would take your phone call to a corporation or government agency and call you back when it had a human on the line. The “how” does not matter to the end user here, but it would involve the reverse engineering of corporate call trees in order to navigate them for you.

7) A Natural Speed Test Tool for Corporations and Users with Higher-end Connections

Most speed tests are initiated by the user at a specific time, usually when they suspect their Internet is slow. But what if you have a busy corporate Internet connection? In this case, you might have hundreds of users on the link at one time, and running a speed test is not likely practical for a couple of reasons:

1) Speed tests usually run short duration files. For example, a 10 megabit file on a 100 megabit link would complete in 0.1 seconds, and perhaps correctly report the link speed to the operator, but this test would be irrelevant when compared to the same link’s performance with 1000 users downloading files all day long.

2) Speed tests might be able to test line speed to your nearest pop, but almost all public speed test sites are designed for consumers sending relatively short files to nearby local servers.

The good news is we have this in beta with our NetEqualizer product.

8) Web Search Engine for Faces or Images

You seed the search engine with an image or picture and it will scour the web looking for similar people. Perhaps something that could be used in crime fighting? I suspect something like this already exists but not at a consumer level.

Research: TinEye is trying to accomplish this feat at a consumer level.

9) A Search Engine that Really Finds What You are Looking For

When I first started using the Web, it seemed that all my searches found relevant content. Looking back, almost all the original content on the Web was academic. Academia and government predated any commercial use of the Web. Today, it seems like you can’t find anything non-commercial, and I suspect the reason is that commercial content simply overwhelms the system. Perhaps this Web search engine would filter all commercial content.

For example, last night I was looking for a free radio station that plays content similar to Sirius Satellite Radio’s “Deep Tracks.” I have this station in my car, but I really did not want to update my subscription to listen to radio on the Internet as there are thousands of free radio stations. My searches kept coming up with the same commercial crap and I had to weed through it, spending almost an hour trying to decipher it. Whenever I did find a station that claimed to play Deep Tracks, they didn’t as a format. They were all local stations with the same exact top 100 classic rock songs over and over. What got me going is that I know there is some freak out there with a Deep-Tracks-like playlist. However, instead of finding that person, I am relegated to researching the old-fashioned way – human-to-human through forums and blogs – as the Web search engines cannot understand my context.

10) Insect Biomass in Pet Food

We had a very bad grasshopper outbreak in our yard this year. The little buggers eventually moved into the garden and chewed up the pumpkin plants and the tassels on the corn plants. Rather than use insecticides and try to destroy them, there must be a commercial use for them. Perhaps if you could attract them in large numbers into a trap and grind them into a high protein dog food there might be a market for them? They are free and abundant in most grassy areas, so the main cost would be in collection, transport, processing and marketing. I like this idea.

11) Buffalo Gourd Oil and By-products

This little gourd is the toughest, most drought-resistant plant I have ever seen. The only problem with it is that the pulp is bitter. It may be the most bitter substance known to mankind. I should know; I tried it. All the data on it claims there is nothing toxic in it, and I am pretty sure the cows that roam our pasture eat them, eating the gourds and leaving the plant.

So where is the commercial value?

If you can figure out a process to efficiently separate the seeds from the pulp, the oil when pressed is delightfully sweet. I spent about 2 hours cleaning seeds and then ran a cupful through my manual seed press; the oil was very tasty.

Why bother with Buffalo Gourd?

Well, unlike other dryland crops grown in the western Great Plains, such as corn and sunflower seeds:

1) The Buffalo Gourd puts down a tap root as a perennial and finds deep water sources.

2) It grows well in the bottom lands and hillsides where it can find deep ground water, places that most farmers have no use for with their cultivated crops.

3) It thrives quite easily when other plants are withering in drought.

4) It also grows back in the same spot without reseeding.

5) The seed oil is delicious.

6) I am guessing the rest of the plant can be used as an insecticide or mosquito repellent; I am going to try it.

The technical issues with this plant are:

1) Harvesting en masse; it may need to be hand picked.

2) Drying and separating the seed from the pulp.

12) A Real Halloween Town, Not Just a Fancy Pumpkin Patch

This idea just won’t go away. The basic premise would be to create a real neighborhood in a real midwestern town where it is always Halloween. I am not sure of the economics. Here is what I have fleshed out so far.

- Small town with older houses within 45 minutes of a population center

- Purchase 4 to 6 older, larger homes on a residential block

- Work with the city to get some sort of exemption or special use business license

- Refurb the exteriors in Halloween colors and trim

- The town should have a liberal arts college with a strong theatre department; hire 20 or so students, give them free rent in the houses and have them rotate through shifts as Halloween characters

- Have characters always on shift; the idea is that it is always a Halloween town, not a park that opens or closes

- No charge for roaming the streets, but there would be a charge for house tours; houses would have various special effects and so would the back yards


Offer Value, Not Fear


Recently, I thought back to an experience I had at a Dollar Rental Car in Maui a few years ago. When I refused their daily insurance coverage, the local desk agent told me that my mainland-based insurance was not good in Hawaii. He then went on to tell me that I would be fully responsible for the replacement cost of the car I was driving should something happen to it. I would have been more apt to buy their insurance had their agent just told me the truth – that most of his compensation was based on selling their daily coverage insurance policies.

Selling fear to your customers is often the easy way out. It reminds me of the old Bugs Bunny cartoon where a character is on the verge of making a moral decision. On one shoulder, a little devil is yelling in his ear, and on the other, a little angel. The devil is offering a clear, short-term pleasure deal to the character. The devil’s path leads to immediate gratification, while the angel preaches delayed gratification in exchange for doing the right thing. The angel argues that doing the right thing now will lead to a lifetime of happiness.

In our business, the angel sits on one shoulder and says, “Sell value. Sell something that helps your customers become more profitable.” While the little devil is sitting on the other shoulder saying, “Scare them. Tell them their servers are going to crash and they are going to be held accountable. They will be flogged, humiliated, disgraced, and shunned by the industry. Unless of course they buy your product. Oh, you don’t have a good fear story? We’ll invent one. We’ll get the Wall Street Journal to write an article about it. You know, they also feed off fear.”

There is an excellent partnership between vendors and the media. Think about all the fear-based run-ups that have been capitalized on over the years: CALEA, IPv6 (we are running out of IP addresses), Radon, mold, plastics, global warming, the ozone hole, Anthrax. Sure, these are all based on fact, but when vendors sense a fear-motivated market, they really can’t help themselves from foaming at the mouth. The devil on my shoulder continues, “These guys will never buy value, they are fear driven. Wasn’t that Y2K thing great? Nobody could quantify the actual threat so they replaced everything, even borrowed money to do it if they had to.”

Humor aside, the problems with selling fear, even warranted fear, are:

1) It is not sustainable without continually upping the ante.
2) You will be selling against other undifferentiated products, and the selling may eventually become unscrupulous, thus forcing you into a corner where you’ll be required to exaggerate.
3) It takes away profit from your customer. Yes, the customer should know better, but investing in security is a cost; too many costs and eventually there is no customer.
4) It is a relationship of mistrust from the start.

On the other hand, if you offer value:

1) Your customer will keep buying from you.
2) A customer that has realized value from your products will give you the benefit of the doubt on your next product.
3) A high-value product may not be the first thing on a customer’s mind, but once in place, with proven value, good customers will purchase upgrades which fund improvements in the product, and thus contribute to a profitable vendor and profitable customer.
4) Value builds an environment of trust from the start.

So while sometimes it is easier to sell fear to a potential client, selling value will ultimately provide longevity to your business and leave you with happy customers.

Nine tips to consider when starting a product company


By Art Reisman

I often get asked to help friends, and friends of friends, with fleshing out their start-up ideas. Usually they are looking for a cheerleader to build confidence. Confidence and support are an essential part of building a company; however, I will not be addressing those aspects here. I am not a good predictor of what might take off, and a marginal motivator at best, but I do know, from many failures as well as successes, the things you will need to give yourself the best chance of success. What follows are just the facts, as I know them.

1) You don’t have much of a chance unless you jump in full time.

If you are not willing to jump into your venture full time, you are stacking the odds against yourself. Going halfway is like running a marathon without training and expecting to win. So be honest with yourself: are you doing this as a hobby, or do you expect a business to pop out? I know the ideal situation is to start as a hobby and then go full time when the business grows a bit; you can also win the lottery, but it’s not likely. Even with a unique idea and no obvious competition, you are still competing for mind share. Treating your business as a hobby is akin to studying for a final when you don’t know what is on the test. To ensure a good grade, you’ll need to know more than everybody else taking the test, which means you need to study hard.

2) If your idea requires a change in culture or behavior you are less likely to succeed.

There are literally trillions of ideas and things you can do that might be successful given a little energy. Too often I see entrepreneurs stuck on something that requires a change of consumer behavior beyond their control. This is not to say their ideas are bad or that a change in human behavior is not in order. The problem is you will have limited time and resources to promote and market your idea. The best inventions probe high-demand, low-resistance niches, meaning they fit into a segment where there will be little adaption resistance.

I worked with a company that invented a shoe that would allow you to track your children. One of the behavioral show stoppers was that you had to put the shoe in a charger every night. Who puts their shoes in a charger? It’s not that it could not be sold with this limitation, but the fact that it required a change in behavior made it a much less attractive idea.

Although one might assume that text messaging on phones just happened, from its roots in the Japanese market of the early 1990s, it took 10 years to become commonplace in the US. The feature was an add-on to a product already in a channel and generating revenue; hence it did not require a house bet from existing service providers to bring to market. You most likely will not have this kind of channel to leverage for your product. In other words, it takes a special set of circumstances to influence human behavior and be successful.

3) Your idea involves consulting or support services

If your goal is to get immediate income and become your own boss, then consulting and services are relatively easy to get going in. Yes, you will need to work hard to win over customers and retain them, but realistically, if you are good at what you do, income will follow. The downside of consulting and support is that it is very hard to clone your value and expand beyond your original partners. For this reason, the tips in this article are geared toward bringing a product to market.

4) Sell it to strangers

Hopefully you don’t have too many enemies, but the point of this statement is to validate your product need. Selling a book to your family and friends through courtesy buys is good for some feedback and worthwhile, but you will never know how your product will fare until you are converting random strangers. If you can sell to somebody that hates you personally, then you’ll know the product has staying power.

5) Test Market with small samples

The late Billy Mays had it down to a science: take almost anything, produce a commercial and sell it to a small market with a late night TV advertisement. Obviously this validation is only good for home consumer products, but the idea is to test market small.

6) Sell the idea without the goods.

You need to be careful with this one. The general rule here is: do not, under any circumstance, take any money unless you have your product in stock. Either that or fully disclose to potential customers that they are pre-ordering a product that does not physically exist. If you break these ground rules you will fail. I learned this trick from a friend of mine who wanted to sell satellite dishes when they first came out. They did not even have a franchise license, but they took out a small advertisement in the local paper for satellite dishes, and the response was overwhelming. They just told inquirers they were out of stock (a true statement) and then proceeded to get a franchise license and follow up with their inquiries.

7) How do you eat an Elephant?

One bite at a time. I define success as selling something, anything, and making one dollar. Once you have made a dollar you can concentrate on your second dollar. Great if you can go faster, but unless you are really big now as a company, there will be plenty of time and space to grow your product into. You don’t need sales offices all over the world; that is just a distraction.

8) Ask successful people to help and advise.

Most entrepreneurs and business people love to help others get started, and if you have a good idea they can help you open doors for opportunities, but you must ask, and you must be sincere. Everybody loves the underdog and is willing to help. Remember, your brother-in-law who is a sales rep for Toshiba is not who I am talking about. You need to get advice from people who have started companies from scratch. Nothing wrong with the brother-in-law at Toshiba, but if you are doing a product, spend your time getting advice from others who have brought products to market.

9) Stop worrying about the competition.

Just do what you do best. You will often be asked to differentiate yourself from the competition. I politely keep the subject on what I know: my product, and how it fits the customer’s needs. Never bad-mouth a competitor, even if you believe them to be scum; an astute customer will figure that out for themselves. Let somebody else bad-mouth them.

10) I am waiting to be in a better financial situation before I start a  company

Time on this earth is way more valuable than any dollar you can make. Letting years go by is not a rational option if you intend on doing a product. Your financial needs are likely an illusion created by others’ expectations. If you have to live in a trailer without heat to make ends meet while developing your product, you can do it. In fact, the sacrifices you make will be far healthier for your children than that new Nintendo game. It just amazes me how many people will borrow 100k and give it to a school for a child’s education while at the same time being afraid of investing in their dream with time and savings.

About the Author:

Art Reisman is currently CTO and Co-Founder of NetEqualizer. He has worked at several start-up companies over the years, and has invented and brought several technology products to market, both on his own and with the backing of larger corporations, including tools for the automotive industry.


Fourteen Tips To Make Your ISP/WISP More Profitable


As the demand for Internet access continues to grow around the world, opportunities for service providers are emerging in markets far and wide. Yet, simply offering Internet service, even in untapped areas, does not guarantee long-term success. Just as quickly as your customer-base grows, the challenges facing ISPs and WISPs begin to emerge.

From competition to unhappy customers, the business venture that once seemed certain to succeed can quickly test the will of even the most battle-hardened and tech savvy business owners. However, there are ways to make the road to profitability a little smoother.

1. Make Sure You Have an Easy Customer Base to Grow into — Perhaps 500 households before you start building out. Yes, you can do it for less, but 500 is sort of a magic number where you can pay yourself and perhaps some hired help so you can be profitable and take a day off. WISPs and ISPs with 100 customers are great, but, at that size, they will remain a hobby that you may not be able to unload a couple of years down the road. Before you build out do some demographic research.

2. Set Boundaries from the Start — When starting up a new service, don’t let your customers run wide open. You may be OK without putting rate caps on users when you have only 10 customers sharing a 10 meg link, but when you get to 100 customers sharing a 10 meg link, you’ll need to put rate caps on them all. The problem with waiting is that your original users will become accustomed to higher speeds and will not be happy with sharing as your business expands – unless you enforce some reasonable restrictions up front.

3. Keep Your Network from Locking Up — Many ISPs believe that if they set maximum rate caps for their users that their network is safe from locking up due to congestion. However, if you are oversold on your contention ratios, you will lock up and simple rate limits are not enough. Don’t make this mistake.

This may sound obvious, but let me spell it out. We often run into operators with 500 customers on a 20-meg link. They then offer two rate plans — 1 meg up and down for consumers and 5 megs up and down for businesses. Next, they put rate caps on each type of customer to ensure they don’t exceed their allotted amount. Somehow, this is supposed to exonerate the operator from being oversold. This is all well and good, but if you do the math, 500 customers on a 20 meg link will overwhelm your link at some point and nobody will be able to get anywhere close to their “promised amount.”

If you are oversold, you will need something more than rate limits to prevent lockups. At some point, you will need to go with a layer-7 shaper such as Packeteer or Allot NetEnforcer. Or, you can use a NetEqualizer. Your only other option is to keep adding bandwidth.

4. Be the Reliable Alternative – If you are in a dense metro area, and have the resources, you can offer Internet connections to hotel and business customers with pay-as-you-go services. Many hotels and businesses have unreliable connections, or none at all. Obviously you’ll need real estate across the street, but once secured, you can point a directional antenna into the building and give your signal a recognizable name so your users will connect. Then, offer them the connection for a daily fee. For many users, paying a small daily fee for reliable service will be worth it – especially if the hotel or business offers subpar Internet service, none at all, or a connection for an exorbitant price.

5. Good Tech Support Is a Must — Don’t put all your faith into the local guru who set up your network. There are many good technical people out there and there are many more that will make a mess of your business. This can create some really tough decisions. I like to use this analogy:

I’m not a concert pianist – not even close – so I can’t tell the guy that hacks away playing Beatles tunes in the piano bar at my local pub from a Julliard trained pianist. Since I can’t play a lick, they all amaze me. Well, the same holds true for non-technical business owners hiring network techs or developers. They all seem amazingly smart when in fact they may run you into the ground. The only way to tell is to find somebody with a really good track record of making things work for people. So, ask around.

The good ones have no vested interest in making a custom dynasty of your business (another thing to watch out for). It’s like the doctor who needs the patient to stay sick. You don’t want that. Poor or misguided tech support may be the single largest cause for failed ISPs or issues with selling your business.

6. Make Payment As Easy As Possible — When a customer is delinquent on paying their bill, make sure you have a way to direct them to a payment site. Don’t just shut off their service and wait for them to call. For small operators, you don’t need to automate the payment cycle, just send them to a static page telling them how to pay their bill. For larger operators (3,000-plus users), the expense of automated bill payment may be worth the extra cost, but with a smaller set of customers, a static redirection to a page with instructions and a phone number will suffice. Your router or bandwidth controller likely already has this capability.

7. Look for a Competitive Credit Card Processor — Your bank will likely provide a service for you, but they are generally a middle man in this transaction. There are credit card processing agencies that sell their services direct and may be more cost-effective. These are no-brainer dollars that add up each month in savings.

8. Don’t Overspend – Remember that on the open market your business is likely only to be valued at three-quarters of your revenue, so don’t delude yourself and overspend on equipment and borrowing thinking that a white knight will come along. If your revenue is $500,000 per year, you will be in good shape if you get $400,000 for your business. And this may just cover your debt. Yes, there are exceptions and you might get a bit more, but don’t expect two-times your revenue. It’s just not going to happen in the current market, so plan your expenses accordingly.

9. Cross Market — What do your customers see when they log in or sign up for service? Do you send them regular e-mails about your service? If you answered yes to either of these questions you have ready-made billboards. Don’t be shy about it. Once you have a captive audience, there are all kinds of cross marketing ideas you can do for extra revenue. Done tastefully, your customers won’t mind. This could be a special with the local car dealer running coupons for them. Or for something like a pizza place. There is unlimited potential here, and if you’re not taking advantage of it, you’re missing out on easy revenue.

10. Optimize Your Bandwidth — A NetEqualizer bandwidth controller will allow you to increase your customer base by between 10 and 30 percent without having to purchase additional resources. This allows you to increase the number of people you can put into your infrastructure without an expensive build out. Yet, a purchase like this can be a difficult decision. It’s best to think in the long term. A NetEqualizer is a one-time cost that will pay for itself in about four months. On the other hand, purchasing additional bandwidth keeps adding up month after month.

11. Look for Creative Ways to Purchase Bandwidth — The local T1 provider is not always the lowest price. There are many Tier 1 providers out there that may have fiber within line of sight of your rural business. For example, Level 3 has fiber rings already hot in many metro areas and will be happy to sell you bandwidth. To get a low-cost high-speed link to your point of presence, numerous companies can set up with wireless backhaul equipment, which is a one time fixed cost for transport.

12. Bundle Data Service with Phone Service — Look into your options for reselling phone service with your data packages.

13. Offer a Discount for Customers that Auto-pay with Electronic Transfer or Credit Card on File — This is usually a win-win for both customer and ISP. The provider won’t have to worry about customers forgetting to pay their bill each month and the client won’t be forced to remember.

14. Offer Troubleshooting Services for Home PCs — You are a reliable tech contact point with your end customers, and likely know as much or more about PC viruses than the people giving out advice and charging for it at the local electronics superstore. You’re also likely in a rural area where good home tech support is hard to find. This would be a great source of additional revenue and you are likely already troubleshooting some home PC problems anyway, so why not make this part of your service and charge for it?

Obviously, these 14 tips won’t apply to every ISP/WISP, but it’s almost a given that at least some of these issues will emerge over time. While there’s no guarantee that any business will succeed, these tips should help steer Internet service providers in the right direction.

Created by APconnections, the NetEqualizer is a plug-and-play bandwidth control and WAN/Internet optimization appliance that is flexible and scalable. When the network is congested, NetEqualizer’s unique “behavior shaping” technology dynamically and automatically gives priority to latency sensitive applications, such as VoIP and email.

Building a Software Company from Scratch


By Art Reisman, CEO, CTO, and co-founder of APconnections, Inc.

Adapted from an article first published in Entrepreneurship.org and updated with new material in April 2010.

At APconnections, our flagship product, NetEqualizer, is a traffic management and WAN optimization tool. Rather than using compression and caching techniques, NetEqualizer analyzes connections and then doles out bandwidth to them based on preset rules. We look at every connection on the network and compare it to the overall trunk size to determine how to eliminate congestion on the links. NetEqualizer also prevents peer-to-peer traffic from slowing down higher-priority application traffic without shutting down those connections.

When we started the company, we had lots of time, very little cash, some software development skills, and a technology idea.  This article covers a couple of bootstrapping pearls of wisdom that we learned to implement by doing.

Don’t be Afraid to Use Open Source

Using open source technology to develop and commercialize new application software can be an invaluable bootstrapping tool for startup entrepreneurs. It has allowed us to validate new technology with a willing set of early adopters who, in turn, provided us with references and debugging. We used this huge number of early adopters, who love to try open source applications, to legitimize our application. Further, this large set of commercial “installs” helped us wring out many of the bugs, with the help of users who have no grounds to demand perfection.

In addition, we jump-started our products without incurring large development expense. We used open source by starting with technology already in place and extending it, rather than building (or licensing) every piece from scratch.  Using open source code makes at least a portion of our technology publicly available. We use bundling, documentation, and proprietary extensions to make it difficult for larger players to steal our thunder. Proprietary extensions account for over half of development work, but can be protected by copyright.  Afraid of copycats?  In many cases, nothing could be better than to have a large player copy you.  Big players value time-to-market.  If one player clones your work, another may acquire your company to catch up in the market.

The transition from open source users to paying customers is a big jump, requiring traditional sales and marketing. Don’t expect your loyal base of open source beta users to start paying for your product.  However, use testimonials from this critical mass of users to market to paying customers, who are reluctant to be early adopters (see below).

Channels? Use Direct Selling and the Web

Our innovation is a bit of a stretch from existing products, and like most innovations, requires some education of the user.  Much of the early advice we received related to picking a sales channel.  Just sign-up reps, resellers, and distributors and revenues will grow. We found the exact opposite to be true.  Priming channels is expensive.  And, after we pointed the sales channel at customers, closing the sale and supporting the customer fell back on us anyway.  Direct selling is not the path to rapid growth.  But as a bootstrapping tool, direct selling has rewarded us with loyal customers, better margins, and many fewer returns.

We use the Internet to generate hot leads, but we don’t worry about our Google ranking.  The key for us is to get every satisfied customer to post something about our product.  It probably hasn’t improved our Google ratings, but customer comments have surely improved our credibility in the marketplace.

Honest postings to blogs and user groups have significant influence on potential customers.  We explain to each customer how important their posting is to our company.  We often provide them with a link to a user group or appropriate blog.  And, as you know, these blogs stay around forever.  Then, when we encounter new potential customers, we suggest that they Google our “brand name” and blog, which always generates a slew of testimonials. (Check out our Web site to see some of the ways we use testimonials.)

Conclusion

Using open source code and direct sales are surely out-of-step with popular ideas for growing technology companies, especially those funded by equity investors.  But, they worked very well for us as we grew our company with limited resources to positive cash flow and beyond.

Here are some notes on what type of product to create. Obviously, you’ll want to do something you are passionate about, otherwise there is no sense in even getting started. If you are passionate about more than one thing, remember this: trying to sell product on value to IT people or engineering types is much harder than selling to other entrepreneurs or sales people. Technical people are generally skeptical about new claims of something working well. Also, unless somebody asks, they often really don’t tell many other people about the product they bought and the value they are receiving from it.

Looking for a peer group to get some advice from? Find a local software group that you can join. If you are in the Denver area, I would recommend trying http://www.denversoftware.org/

Five Key Marketing Tips for Entrepreneur and Tech Start-Up Companies


By Art Reisman, CEO and co-founder of APconnections, makers of the NetEqualizer

Updated April 25th, 2010

Aside from a few freakish start-ups, very few products will take off without some form of promotion. However, since founding APconnections in 2003, we’ve learned that marketing can be a double-edged sword. Over time, we’ve been able to build upon both our successes and our mistakes, coming up with a few dos and don’ts of marketing a tech start-up along the way. Here are a few of the key points:

1) Make sure your marketing company has skin in the game

Most marketing firms are staffed by people who went to college and took soft course work, meaning they were not into the black and white of the scientific method.  Perhaps they had a course or two with this emphasis, but it’s not likely to be as ingrained as perhaps a physics or psychology major whose course work included extensive lab experiments showing cause and effect.

Although some creative skill is necessary to be a good marketing person, the down side is most people in this industry tend to remain artsy and vague with how they can measure results. When negotiating with marketing companies  (or people), we came up with a simple formula to measure results and provide a metric which was easy to quantify — hits to the web site.

In our case it was very simple.  We had a baseline established already and we were only going to change one variable  — marketing.  Hence, it would be easy to tie any increase in web traffic to a marketing effort.  To make sure that  any benefit of doubt went to our marketing firm, we decided  any increase in web traffic, regardless of cause, would be credited to their efforts.

Once we tied marketing fees exclusively to a metric that could be measured, we were able to eliminate several marketing firms, many of which headed for the hills never to be seen from again.

2) Round two — good web traffic versus bad traffic

Having solved the problem of paying for results, we came across another hurdle. We’ll just call it good traffic versus bad traffic. The easiest way to describe this is by example.

Our product, the NetEqualizer, is meant to  be sold to commercial operators and businesses where there is Internet congestion.   An obvious catch-all key phrase to lead with in marketing literature would be, “speed up your Internet connection”.

If you throw this type of tag line into a generic advertisement to a broad audience,  perhaps 99 percent of the people who follow up on it will be home users, kids playing World of Warcraft, looking for some tool they can load up on their Windows machine for $25. In other words, the majority of these follow ups would certainly not be our target market.

What we found was that our consignment-based marketing people were not  screening this traffic out. We believe this disconnect  goes back to their inability to use the scientific method to control variables. So, as you can imagine, we initially had a flood of inquiries outside our target market which turned out to be a big waste of our time. The solution to ending this march of unqualified leads was to put a higher price in any literature or teasers and to emphasize our product was for commercial users etc. So, instead of just promoting the potential to speed up Internet traffic, we made NetEqualizer’s starting price clear from the beginning.

3) Make sure your marketing people understand  how your product is used and take an honest interest in it

We would spend hours explaining our target market and details about our product only to find out that this information would go in one ear and out the other. When we finally found somebody who had the capacity to understand our product we doubled their pay.  It was worth it in time saved.

4) Consignment ads only

Once you have decided on an effective message in an advertisement, follow this rule — never pay a dime up front to bolster your ad’s exposure just to increase your market presence. Yes, market presence is good, but unless you can measure it in terms of some metric, just don’t do it.

Any advertisement you place should only charge you when somebody clicks on it. I am not talking about discount coupons for a local business here. I am talking about selling a product to a broad national or global audience. This edict pretty much rules out print advertising. To be fair, I have heard from other CEOs of tech companies that if you stick with print ads and spend a good deal of cash, they will pay off, but this shouldn’t be your first or only option. Until you have exhausted every conceivable outlet for consignment-based advertising, why risk digging any dry wells?

Our experience with six weeks of continuous quarter- and half-page ads in tech magazines brought zero impact. Nothing. Nada. We measured no increase in web hits. Maybe we did increase awareness, but awareness has no value if you go bankrupt establishing it and don’t see any returns.

Of course, while there are no guarantees for successful marketing, these four tips have been tested and proven effective at APconnections over the past several years.

5) Avoid being strung out

Perhaps this tip should be number one, as it is essential to understand how companies will string you out. As a start-up with an idea, you will likely get conditional inquiries. Can your product do “this”? Can we customize it? Oftentimes, the more questions, the more uncertain the customer is about their own business. You MUST establish the customer’s willingness to pay before getting wrapped up in the promise of future sales. Obviously you cannot demand payment on a first consultation with a prospect, but this is a good time to set some expectations that your time is valuable. I bring this up because at this very moment I am in talks with a large customer interested in our product that has been asking questions for over a month. This morning I basically told them (nicely) I will continue the conversation if and when they purchase their first unit from us. For all I know, I am dealing with an underling that has time on his hands but no ability to influence a purchase decision. Getting them to purchase something is a big first step toward qualification. If you fail to master qualification, you will find yourself borrowing money from relatives to pay your rent, or out of business very quickly.

I’d also suggest you look at our tips for using Google ads.

Another great site for start ups is entrepreneurship.org

Here is a marketing company (Outspoken Media) that I ran across last Friday. I have not talked to them yet, but I really like their bios and attitude from their web site.

Good luck!

Looking for a new tech Job? You’ll need to embrace some fear and step out


By Art Reisman, CTO, http://www.netequalizer.com

As the CEO of a tech company and a former employee of a large, stifling, unimaginative telecom company, here is the advice I recently provided a former colleague on how to land the job at a smaller tech firm.

Contrary to popular media belief, very few employers (if any) care about your age and race when hiring for a tech job; however, if your former company was large and stifling, that will create serious baggage with a more progressive company.

Nobody ever takes the blame for being part of the problem at a sputtering old-line company. The fact is, if you worked there for a long time, then you were part of the problem. Even if you had a million great ideas on how the company should run itself and the bureaucracy held you down, you will be viewed as complicit by association.

Perhaps it was the high salary that kept you there, or the lack of other opportunity in your region. It does not matter; the smaller start-up company will view your past with suspicion.

I meet with several CEOs of other tech companies once a quarter and the consensus is that people with ambition go someplace where they can make an impact.

The perception on the street  is that your old company is still sputtering off its legacy channel left over from what it retained from days past,  and that all the abuse and mind games it uses to stifle employees leaves permanent scars on ingenuity etc.

The kind of people that settled for climbing the ladder in a larger organization are not what new tech companies are  looking for.

You can break that mold by saying, hey, look how confident I am that I can help you; I am a go-getter stuck in an “old company” body type of thing.

So how do you compete and break out?


I’d throw out any expectation of a salary based on your previous compensation. The company you previously worked for likely paid you very well. High pay creates a false sense of market value. You’ll notice that when times got tough, they had to cut massive staff to make ends meet. So evidently, the high-paying jobs were more of a retainer in a good job market than a measure of your productivity. Please don’t misconstrue the point I am making: you do have the potential to make a difference and perhaps make millions; it’s just that your drive and creativity have been misdirected toward internal corporate games and must be revitalized.

For example, if you are comfortable doing technical sales support and really like a  new company then:

Approach the  CEO (hiring manager) of an established small tech company:

Note: the following specific advice was geared toward an individual and company he was approaching.

Offer to work for $10 an hour  with  conditions:

A Large upside commission and a future salary based on some measurable metric.

I would only make this type of offer to somebody with integrity who would follow through. Yes, there are people with integrity out there; the media plays up the slime balls, but most businesses do not function that way at the top.

He (the CEO) has long, complicated sales cycles with large Fortune 1000 clients. A mature person who could explain the technology and demonstrate value could be a huge benefit to his business; but in this market, he would not want the risk of hiring you unless you had skin in the game. On the other hand, he might not be able to do something like that because it would be upsetting to his other sales staff. Who knows? I am sure it would get his wheels turning as to how he could make it a win-win.

This approach also allows you to have some control of where and what you do rather than just take the rescue job that some VP musters  at your current company.

My experience in the real world is that you have to scrap down in the dregs to get anything going and over time work your way up. For example, when we first got started there were quite a few superstar sales people from the likes of XXXX and XXXX that I would run into and put to work on commission. They were completely and totally useless to a small tech start-up. Yes, they were nice people, but without a ready-made channel and a customer base that calls them wanting a bake-off between them and the competition, they were lost. So we developed a model of guerrilla web marketing and slowly built our own direct channel, very slowly, but it cost very little and now has very little overhead.

Where are the safe tech jobs?


By Art Reisman, CTO, http://www.netequalizer.com

Article Type: Opinion

As the CEO of a small (yet growing) tech company in the current recession, I often get calls from former colleagues working at larger corporations. Amidst their companies’ insincere rhetoric, inaction, and falling revenues, good people wait around wondering who will be next to get the ax.

The underlying problem at most of these companies is that they continue to push products into a stagnant or declining market. The only way to have any relative security is to get on board with an industry or niche with solid growth potential.

So if you’re wondering where to turn for potential job security, here are some tips that might help:

Look for a company that is doing something with real value for society and not just jumping on the latest bandwagon.

1) Renewable energy is hot, and certainly a job in renewable energy is better than selling steam engines running off coal. Renewable energy, although here to stay, is being overhyped. Right now the success of renewable energy is dependent on battery technology. Fossil fuels are nothing more than the Sun’s energy stored up and retrieved at will when needed. For renewable (wind, solar) energy to compete easily with traditional fossil fuels, we must come up with a clean, effective battery to store energy. My advice: seek out a company that specializes in battery technology and then help them make a difference.

2) Network and Internet Optimization

Internet infrastructure companies are being forced by their stockholders to turn a profit. The days of free-falling bandwidth contracts are slowing down; hence the new hot market will be companies with products that optimize Internet bandwidth. Bandwidth control, WAN optimization, and compression, although not on the front pages, are areas of value and are holding their own in the recession. Some companies to look at are:

APconnections (NetEqualizer)

Packeteer

Allot

RiverBed

Exinda

3) Medical Technology

From newer and better MRI machines to prosthetics, Americans will spare no expense for anything that will make their lives more comfortable. So when will this party end and the associated demand for jobs in the medical industry flatten out?

Although I do not expect a crash in this field as we might have seen in other boom and bust industries, I do expect a slowdown. Every bubble has its end, and the Medical technology industry is due for a slow down. As consumers push back on medical care pricing, high end technology research will slow down. Still a better prospect than steam engines though.

4) Auto Industry

If you are entering the field of mechanical engineering or electronic controls, now would be a good time to focus on the auto industry. For the next 5 to 10 years I expect that auto makers will be looking for new, innovative ideas in their engineering departments. They will also be looking for new talent. Don’t let the downturn discourage you; this is an opportunity.

Looking for a Good Web Hosting Company, Here Are Some Tips


We get asked all of the time for references for good Web hosting companies. This Ubuntu blog post by Inventa technologies is a great place to start.

Tips to find the right web hosting company

This article outlines the most important considerations one should keep in mind while looking for a website hosting service provider. Let’s take a look at some of them.

There are many things to consider when choosing a web hosting plan which suits your requirements. The 10 most important are listed below.

1. Types of Servers

2. Disk Space/Storage

3. Bandwidth or data transfer

4. Database support

5. FTP Access

6. Easy to use Control Panel

7. E-mail services

8. Cost

9. Customer Support

10. Added Features

To see the full original article click here.

Is running an ISP/WISP a recession-proof business?


February 24th, 2009

Lafayette Colorado

APconnections, makers of the popular NetEqualizer line of bandwidth control and traffic shaping hardware appliances, today announced results of their annual ISP state of the business survey. Below is the summary.

We have been asking our ISP/WISP customers how their business is faring in the recession over the past several months, and the answer is resoundingly upbeat!

Out of the 25 ISPs (Tier 2 providers), only two had seen a decline in subscribers, 18 were holding their own, and 5 were seeing strong growth. Here are some other tidbits.

1) Many households will cancel their cable TV before giving up their broadband.

2) Cancellations for one provider mainly occurred with foreclosures; again, this supports the notion of people holding on to their broadband right up to the end of their finances.

3) Laid-off workers are signing up for broadband, as they see this as needed for job searches and also in looking for ways to start small home businesses.

4) We have seen an increase in inquiries for our services across the US and Canada.

5) We have not heard of anybody forgoing food as of yet, but I would not put it past some of the gamers.

Building a Technology Company from Scratch


Editor’s note: We wrote this article about a year ago before the blog was established. Although this article chronicles the model used to bootstrap the NetEqualizer from open source, the basic formula applies to any aspiring open source developer.

When we started APconnections (APconnections makes the popular bandwidth shaping tool NetEqualizer), we had lots of time, very little cash, some software development skills, and a technology idea. This article covers a couple of bootstrapping pearls that we learned to implement by doing.

Don’t be Afraid to Use Open Source

Using open source technology to develop and commercialize new application software can be an invaluable bootstrapping tool for startup entrepreneurs. It has allowed us to validate new technology with a willing set of early adopters who, in turn, provided us with references and debugging.

We used this huge number of early adopters, who love to try open source applications, to legitimize our application. Further, this large set of commercial “installs” helped us wring out many of the bugs, with help from users who have no grounds to demand perfection.

In addition, we jump-started our products without incurring large development expense. We used open source by starting with technology already in place and extending it, rather than building (or licensing) every piece from scratch.

Using open source code makes at least a portion of our technology publicly available. We use bundling, documentation, and proprietary extensions to make it difficult for larger players to steal our thunder. These will account for over half of development work but can be protected by copyright.

Afraid of copycats? In many cases, nothing could be better than to have a large player copy you. Big players value time to market. If one player clones your work, another may acquire your company to catch up in the market.

The transition from open source users to paying customers is a big jump, requiring traditional sales and marketing. Don’t expect your loyal base of open source beta users to start paying for your product. We use testimonials from this critical mass of users to market to paying customers who are reluctant to be early adopters (see below).

Channels? Use Direct Selling and the Web

Our innovation is a bit of a stretch from existing products and, like most innovations, requires some education of the user. Much of the early advice we received related to picking a sales channel. Just sign up reps, resellers, and distributors and revenues will grow.

We found the exact opposite to be true. Priming channels is expensive. And, after we pointed the sales channel at customers, closing the sale and supporting the customer fell back on us anyway. Direct selling is not the path to rapid growth. But as a bootstrapping tool, direct selling has rewarded us with loyal customers, better margins, and many fewer returns.

We use the Internet to generate hot leads, but we don’t worry about our Google ranking. The key for us is to get every satisfied customer to post something about our product. It probably hasn’t improved our Google ratings but customer comments have surely improved our credibility.

Honest postings to blogs and user groups have significant influence on potential customers. We explain to each customer how important their posting is to our company. We often provide them with a link to a user group or appropriate blog. And, as you know, these blogs stay around forever. Then, when we encounter new potential customers, we suggest that they Google our “brand name” and blog, which always generates a slew of believable testimonials. (Check out our Web site to see some of the ways we use testimonials.)

Using open source code and direct sales are surely out-of-step with popular ideas for growing technology companies, especially those funded by equity investors. But they worked very well for us as we grew our company with limited resources to positive cash flow and beyond.
