What Programming Language Should I Use to Build a Startup?

Often entrepreneurs ask me 'What technology should I build my startup on?' There is no right or wrong answer to this question. It's a decision every company makes for itself, depending on what it's trying to build and the skills of its cofounders. Nonetheless, there are a few rules that one should adhere to. We discuss them in this blog post.

Incident Response Policy

What happens in your company when a production incident occurs? Usually in a typical startup, you will see engineers running around frantically trying to resolve the problem. However, as soon as the incident is resolved, they forget about it and go back to their usual business. A good incident response policy can help bring order into chaos. We provide a sample template in this blog post.

Why Software Deadlines Never Make Sense

We discuss why software deadlines usually don't make sense.

Analyzing Front-End Performance With Just a Browser

We discuss a number of freely available online tools which can be used to analyze bottlenecks in your website.

Why Smaller Businesses Can't Ignore Security and How They Can Achieve It On a Budget

In this article, we show that security is both important and achievable for smaller companies without breaking a bank.

Tuesday, August 30, 2011

A Fake * Certificate Allows Snooping on Gmail. What To Do?

A counterfeit SSL certificate for all Google subdomains (* has been issued, which allows an attacker to snoop on your Gmail. It was issued by DigiNotar, a Netherlands-based certification authority, and was probably generated through stolen cryptographic keys.

This means a regular user can become a victim of a Man-in-the-Middle attack.
In this attack, a hacker sits in the middle of your queries to Gmail server.
It diligently forwards all of them back and forth from your computer to Gmail, but remembers their content.
SSL certificates were designed to prevent this, by displaying a broken lock icon in the browser when the endpoint your computer talks can't be validated.

Because the attacker now possesses a stolen Google cert, that means you will not see a broken lock icon, even when you are talking to attacker's server and not to Gmail. So what can you do?

It's recommended to disable DigiNotar CA root cert from your browser. You may get a broken lock icon if you visit other legitimate sites, validated by DigiNotar, but it's better to err on the side of caution.

To remove certificates from the browsers, do the following:
Internet Explorer:
Chrome: no need to do anything as it has built in protection
Safari: Go to Applications - Utilities and select KeyChain Access utility program.
Select under Keychains (System Roots) and scroll down to DigiNotar Root CA. Then right click on it and remove it.

NOTE: Alternatively on a MAC you can type
sudo security delete-certificate -c "DigiNotar Root CA" "/System/Library/Keychains/SystemRootCertificates.keychain"

Monday, August 29, 2011

Enterprise software

TechCrunch published an excellent article by Box CEO Aaron Levie Building an enterprise company that doesn't suck

The main point that resonated with me is that there's a big disconnect between people who buy the software (typically IT managers) and the software's end users (typically not the buyers). A better model is to let the end users first try the software out and drive the adoption up to the CIO.

You can take the same analogy to developers. Usually, they blindly implement whatever the Project Manager tells them to do. In reality, in best tech companies (e.g. Google, Gilt, etc.), developers must question the requirements which they get.
Only when a developer wears different hats, ranging from
an end user, exploring the product; hacker, trying to break into the system; system administrator, trying to set the product up; will we have software that's simple to use, secure, and easy to maintain.