Category Archives: article

Costa Rica Nikon 135

How to make difficult decisions

When you run a business (even a small business like mine) you have to make a lot of decisions. Many of these decisions are complicated and have to be taken with incomplete information. But you can’t take too long over them, or you will never get anything done. Here are 3 techniques I use to help with difficult decisions.

Break it down

This is a very simple method for breaking a difficult decision down into smaller parts using a spreadsheet.

  • Decide the criteria that are important for the decision. Add a row for each.
  • Add a weighting column. Assign each criteria a weighting in the range 1 to 10, depending on its relative importance to you.
  • Add a column for each option you are considering.
  • Set each criterion/option cell a value in the range 0 to 10, depending on the extent to which the choice for that column fulfils the criteria for that row.
  • Calculate the weighted sum for each column.
  • Choose the outcome with the highest weighted sum.

Here is an example for choosing between 3 different types of hosting:

making difficult decisions

It’s not particularly scientific, but it does force you to systematically break down the problem into smaller parts and justify your decision.

Take the long view

It sometimes helps to stand back and look at the bigger picture. I can think of no better way to do that than to ask a hypothetical (hopefully elderly) future me, lying on my deathbed, which option they approve of. For example, given the choice between adding an innovative new feature to my product or improving the conversion funnel by a few percent, I think future me would be happier that I chose to add the innovative new feature. It is also a useful reminder that many decisions probably aren’t all that important in the grand scheme of things.

Flip a coin

Sometimes you need to make a decision, but you don’t have enough information or the time taken to get that information is going to cost you more than making the wrong decision. In that case, don’t agonise over it. Just roll a dice or flip a coin and move on.

Hammer For Mac static website generator

I prefer static websites to a CMS for simple product websites because:

  • Static websites are fast.
  • I have more low-level control over the HTML/CSS.
  • I don’t have to worry about the very-real threat of a CMS being hacked.

Obviously writing every page separately in raw HTML/CSS would go against one of the cardinal rules of development, Don’t Repeat Yourself. But you can avoid this using a static website generator such as Hammer for Mac.

hammer

Hammer uses a simple syntax embedded in HTML comments to ‘compile’ a website from source files. I have now used Hammer to create several static HTML/CSS websites, including my perfecttableplan.com and hyperplan.com websites.

I like the simple syntax of Hammer. For example:

I can put the HTML for a page header in an _header.html file and then each page just needs to start with:

<!-- @include _header.html -->

I can define and use variables:

<!-- $current_year 2016 -->
..
<p>Copyright <!-- $current_year -->.</p>

And I can let Hammer work out relative paths:

<img src="@path image.png" />

If Hammer can’t make sense of a source file (e.g. it can’t find the image file), it generates a compilation error.

Because everything is text based I can easily manage all the source in a version control system. Also, if I have to move away from Hammer, it should be relatively straightforward to change the syntax to another static generator (or even write a replacement for Hammer!).

Overall I like Hammer. But it does have a number of shortcomings:

1. The user interface is very limited. Hammer shows you a list of source files and you can click on a source file to see the compiled version or edit the source. But the source files are listed in the order they were edited and you can’t filter or sort the list. This seems such a simple and basic feature, that I can’t understand why the developers have omitted it.

2. Hammer takes a dumb, brute force approach to compilation. If you change any file in a source folder, it recompiles *everything*, without checking if other source files include that file. This is a pain if you have 100+ source files. Surely it wouldn’t be that hard to work out which files depend on which and only recompile the files that need recompiling?

3. You can’t nest variables. For example you can’t do this:

<!-- $current_year 2016 -->
<!-- $copyright_message Copyright <!-- $current_year --> -->

This might sound minor. But it limits the expressiveness of variables significantly.

4. The vendor doesn’t do email support. If you want to communicate with them you have to use Slack or Twitter. I am old fashioned, I like email.

5. It only runs on Mac OS X (the clue is in the name).

At one point Hammer looked like abandonware, but owner riothq.com sold it to beach.io and active development has resumed.

Currently Hammer is priced at £15.39 (and presumably some round number of US dollars). That seems way too cheap. I wish they would price it a bit higher and fix some of the issues above.

 

nam_2003_8_14 rock carvings

Updating the PerfectTablePlan website

I created the website for PerfectTablePlan back in 2005, using a dreadfully buggy piece of software called NetObjects Fusion (NOF). The sorry story of why I ended up using NOF is told here.

Until recently the front page looked like this.

old-website-design

I had done a fair amount of A/B test tweaking and it converted visitors to downloads and sales relatively well compared to other downloadable product websites. But it had that ‘designed by a programmer’ look and it wasn’t responsive, so it didn’t work on well on mobile devices. My software only runs on Windows and Mac, but I still want to appear in mobile searches. The HTML generated by NOF was also pretty horrible. Frankly, I was a bit embarrassed by it when I looked at websites for other products. I kept on meaning to update it, but there was always something more urgent or (to be honest) more interesting to do. I finally bit the bullet and had it redesigned in 2015. The front page now looks like this:

new-website-design

The process was:

  1. I wrote a specification for the new design.
  2. I ran a 99Designs.com competition to design a new home page based on the spec.
  3. I selected the winning designer and paid them to design 3 additional pages in the same style.
  4. I paid pixelcrayons.com to code up the 4 pages in responsive CSS/HTML.
  5. I poured all the old content into the new design. Being careful to maintain the existing page names, titles, text and images etc, so as not to lose existing organic traffic.

The whole process didn’t cost a great deal (somewhere around $2k), but it took quite a lot of my time, spread over 5 months. Especially the final step. This wasn’t helped by the size (some 128 pages were converted) and general cruftiness of the old website, and my lack of knowledge of CSS and responsive design.

I didn’t want to be locked in to a CMS, so I used Mac static website generator Hammer4Mac to generate the HTML. It goes without saying that I wrote a program to help me pull all the content out of the old website and into Hammer4Mac! While Hammer4Mac isn’t without flaws, I found it a vast improvement over NOF and the new website is now much easier to update and maintain than the old one.

The new website went live on 16-Dec-2015.

So how much difference did the redesign make? Here are the changes based on comparing 25 weeks of data before the change and 25 weeks of data after the change:

bounce rate +1.5%
time on page +16.0%
traffic +6.5%
        desktop traffic -2.2%
        mobile & tablet traffic +40.0%
completed installs +1.4%
sales transactions +11.4%
total sales value +21.8%
visit to sale conversion ratio +4.6%
average order value +9.4%

The increase in mobile traffic as a proportion of total traffic is pretty clear from analytics (the dip in December is seasonal):

traffic

I believe  a 21.8% improvement in sales is a lot more than I would have got by spending the same amount of time and money improving the product itself, which is pretty mature after 11 years of work.

Overall it looks pretty positive. But, as analytics data is fairly dirty (e.g. due to analytics spam) and I didn’t run a split test, I can’t definitely say that the changes above were due to the website changes. I wasn’t able to compare all the above data with the same time period for the previous year due to some missing analytics data. But the sales data for 25 weeks before and after 16-Dec in the previous year was:

sales transactions -9.9%
total sales value -2.7%
average order value +8.1%

Which implies that the sales changes are unlikely to be due to seasonal factors.

Best of all, I never have to use NetObjects Fusion again!

DSC_9541

Things you don’t need for v1.0

Few people launch software products expecting them to fail. But many products do fail. I don’t have any figures, but I think I can fairly confidently state that more commercial software products fail than succeed. You think your product isn’t going to be one of the failures. But so does everyone else. The only way to find out for sure is to launch. The sooner you launch, the sooner you will find out. I have banged the drum for releasing early before, so I won’t labour it here. But it begs the question – how do I launch fast? What do I leave out? Based on my experiences of launching 3 software products, this is what I would leave out.

Polish

As developers we (hopefully) all want to do great work that we can feel proud of. But, as entrepreneurs, we need to be careful not to spend lots of time polishing something that might be a turd. So ship v1.0 before it is polished. Early adopters tend to be fairly forgiving of a few rough edges, if they are interested in the direction you are taking. I spent 6 months (part-time) working on the first version of my AdWords keyword tool. It flopped. So I shipped the first version of my visual planning software within a few weeks of writing the first line of code. It was pretty bare-bones and a bit slow for plans with hundreds of cards, but it was enough to demonstrate the basic concept.

Designer website

You don’t need a beautiful, state-of-the-art website to launch your product. My own table planner software had a pretty ropey website  (designed by me) for the first 10 years and it did fine. Just make sure the website clearly conveys what your product does.

Logo

You don’t need a professional logo for v1.0. The product name in coloured text using a font other than Arial will probably be fine. I did the initial logo for Hyper Plan in Microsoft Word Art in 10 minutes. Here it is in all it’s glory:

old Hyper Plan logo

I only paid a designer to come up with something better once I was sure it was worth my while.

DRM/Payment processing

I shipped the first version of Hyper Plan without even setting up licensing or payment processing. Every time you ran it, it just put up a window saying that it would expire on a certain date and that a new release would be available by that date. After that date it just stopped working.

Hyper Plan expired window

I only added licensing and payment processing once I had proved enough people were interested in the concept to make it worth my while. If you are going to take this approach, make sure you let people know that they will be expected to pay at some point.

Sophisticated pricing model

Ideally you want to segment your customers so you can charge more for the people who are prepared to pay more. But you probably don’t understand your market well enough to do this when you are starting out. So just pick a single price. I introduced segmented pricing for PerfectTablePlan in v4. Hyper Plan still has a single price.

Feature parity with your competitors

Trying to achieve feature parity with established competitors in v1.0 is a fool’s errand. Just pick one pain point that you think is not being well addressed and try to solve that. Make your lack of features a selling point by emphasizing how simple your product is to use.

Multi Platform

If it is going to take significant additional effort to release multi-platform, then just pick one platform to launch v1.0 on.

Extensive documentation

The first version of your product should be simple enough and well enough designed that it doesn’t need extensive documentation. My Hyper Plan software has been out for a year and it still only has a one page quick start guide.

Mailing list

Many people advocate building up a mailing list of interested people before you launch. It obviously helps a lot if you already have an audience in the market you are launching into. But, if you don’t, it takes significant time and effort to build that audience. I would rather put in that effort once I have something to show them.

Trademark

Why bother to spend time and money trademarking something if you don’t even know if anyone wants it?

Patent

I’m not a fan of software patents and I don’t have any patents after nearly 11 years in business. So I certainly wouldn’t waste time and money on a patent for v1.0.

Lawyers

If a bug in your software could kill someone or destroy their business, you should probably talk to a lawyer. Otherwise a boiler-plate end user licence agreement is probably fine for v1.0.

Company

I did create a limited company before I launched my first product to get a bit of extra legal protection. But its not strictly necessary (in the UK at least).

Trade-offs

It’s all a tradeoff. Obviously it is better to have a beautiful website than an ugly one. But is it worth spending lots of time and money on designing a beautiful website for an unproven product?

The best approach depends very much on your market and circumstances. If you are a big player with lots of money and reputation, then much of the above may not apply. If you are selling web design products, you had better have a pretty slick looking website for v1.0. If you are selling aircraft avionics systems then I hope v1.0 of your product is pretty polished.

digital-certificate-sha1

What every software vendor needs to know about SHA1/SHA2 and digital certificates

TL;DR : If you digitally sign your software you need to make sure you have an SHA2 certificate and use it to dual sign your software with both SHA1 and SHA2 digests.

Digital certificates are used to prove who authored a piece of software and that it hasn’t subsequently been tampered with. Starting with Windows XP SP2 you get a warning message if you download software that that isn’t signed with an appropriate digital certificate. So most commercial software vendors digitally sign their software. We grumble about price gouging by the certificate vendors and the hoops we have to jump through to get a certificate. But, apart from that, the system seems to work tolerably well. However Microsoft have thrown a spanner into the works by deprecating digital certificates using the SHA1 algorithm. I only found out about this a few weeks ago from a fellow vendor’s blog. Thanks for nothing Microsoft. If you are using a digital certificate you purchased more than a year ago, it is probably SHA1. This post explains what this means for software vendors, based on my research so far. I am not an expert on this topic and things seem to be changing fast, so please let me know if there are any mistakes or omissions.

I don’t digitally sign Windows software, does this affect me?

No. But perhaps treat Windows unsigned software warning with some skepticism until Windows software vendors sort this mess out. If you only develop for Mac OS X you can feel a bit smug (at least until the next time Apple nukes your development ecosystem from orbit).

What is SHA1?

SHA1 (Secure Hash Algorithm 1) is a cryptographic hash function that was used in digital certificates issued until recently. SHA1 was known to have weaknesses as far back as 2005. Microsoft (and Google) have finally decided that SHA1 is too vulnerable and SHA2 digital certificates should be used instead.

What happens if my certificate is SHA1?

If you signed your software with a timestamp before 01-Jan-2016:

  • It will be treated by Windows XP SP2/XP SP3/Vista as signed.
  • It will be treated by Windows 7/8/10 as signed only until 01-Jan-2017.

If you signed your software with a timestamp on or after 01-Jan-2016:

  • It will be treated by Windows XP SP2/XP SP3/Vista as signed.
  • On Windows 7/8/10 and you will get an ugly “The signature of <file> is corrupt or invalid” or “The signature of this program is corrupt or invalid” error when downloading. If you don’t see this, it might be because you haven’t done a Windows Update recently (shame on you).

Windows seems to treat software that has been downloaded from the web (with ‘mark of the web’) differently. So make sure you test a version of your software you have downloaded from the web. I carried out some tests on 01-Mar-2016 using an SHA1 certificate to sign an executable and then dowload it. It worked ok when downloaded using Firefox or Chrome, but was shown as corrupt when downloaded using IE.

How do I know if my current certificate is SHA1?

  1. Right click on your most recently signed installer and select Properties.
  2. Click on the Digital Signatures tab.
  3. Select the signature and click on the Details button.
  4. Click the View Certificate button.
  5. Click the Details tab.
  6. Look at the Signature hash algorithm.sha1 digital certificate

What should I do if my certificate is SHA1?

If you certificate hasn’t expired you should ask the company you purchased it from to issue you a new SHA2 certificate. They should do this free of charge. In the process they will revoke your SHA1 certificate, so you can no longer use it for signing. You should then use your new SHA2 certificate to double sign new releases (see below).

I have an SHA2 certificate, now what?

If you want a new release to be treated as signed on both Windows XP SP3/Vista and Windows 7/8/10 then you need to double sign the file for SHA1 and SHA2:

signtool.exe sign /f <pfx file> /p <pfx password> /t <sha1 timestamp server> /v <installer>

signtool.exe sign /f <pfx file> /p <pfx password> /tr <sha2 timestamp server> /fd sha256 /td sha256 /as /v <installer>

Note the the order of the above is important (SHA1 first).

The Comodo SHA1 and SHA2 timestamp server is:
http://timestamp.comodoca.com

You can add a /debug flag for verbose output.

If you only want to support Windows 7/8/10, then you can omit the first line (but why would you?).

You can use chktrust.exe to check the signature:

chktrust.exe <installer>

Note that only version 6.3 and later of signtool.exe (which comes with Windows 8.1 SDK and is also available here) supports the /as flag.

I always sign the program, as well as the installer.

Can I double sign .msi files?

I have seen reports that .msi installers don’t support double signing. But I don’t use .msi installers, so I haven’t investigated further.

What happens to software I signed with my SHA1 certificate after the certificate is revoked?

Software you signed previously will not be affected, e.g. it will be treated as signed by Windows 7/8/10 until 01-Jan-2017

How do I sign Windows XP SP1/XP SP2 software?

Windows XP SP1 doesn’t warn you if there is no signature, so you can ignore XP SP1. SHA2 signatures are not supported in Windows XP SP2. So you will need to have both valid SHA1 and SHA2 certificates to support XP SP2 and all the later versions of Windows. Its not clear that certificate vendors will allow this. Also, how many people with Windows XP SP2 (an unsupported OS) are out there buying software? I won’t be bothering to support signing for XP SP2.

Does this affect SSL certificates as well as code signing (Authenticode) certificates?

I believe so. But I don’t have any SSL certificates, so I haven’t investigated further.

How does this affect signing of device drivers?

I understand there are some differences for device drivers. But I don’t create device drivers, so I haven’t investigated further.

What is the difference between SHA2 and SHA256?

SHA2 is a family of two similar hash functions known as SHA256 and SHA512. SHA256 uses 32-bit words where SHA512 uses 64-bit words.

How secure is SHA2?

Er, it was designed by the NSA. Supply your own joke.

I don’t have a digital certificate, where can I get one?

I got my Comodo code signing certificate from reseller codesigning.ksoftware.net. They have a good reputation, and are significantly cheaper than Comodo. I don’t have any business relationship with them beyond being a happy customer.

Anything else I should know?

Microsoft has reserved the right to move the SHA1 deprecation date forward from 01-Jan-2017.

Acknowledgements

Thanks to Nikos Bozinis for first alerting me to this issue and to Mitchell Vincent of ksoftware.net for fact checking this article.

Further reading

http://zabkat.com/blog/code-signing-sha1-armageddon.htm

http://support.ksoftware.net/support/solutions/articles/215805-the-truth-about-sha1-sha256-and-code-signing-certificates-

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

Updates

02-Mar-2016: Added missing link and minor update.

03-Mar-2016: Minor update.

estes-helicat-rocket

Rocket Science

My son, my wife and I have been messing around with model rockets. They seem to be a big thing in the USA, but are a lot less common here in the UK. They are a lot of fun.

I bought the above rocket + launch pad + launch controller kit from a local model shop, with some recovery wadding and 3 class C rocket motors with igniters:

rocket kit amazon.co.uk link

rocket kit amazon.com link

The total cost was £30.

Making the rocket involved a bit of glueing and assembly, but was fairly straightforward. Then we inserted some wadding (to protect the internals from the hot gas of the rocket motor), the recovery parachute and the nose cone with rotors. When it was finished we took it to a big open space, inserted a rocket motor and igniter, put it on the launch pad and used the 9v battery operated remote control to launch it.

We had a few non-launches because the crocodile clips (connecting the launch control to the igniter) touched, causing a short-circuit, or fell off. Not a great design. Once we had sorted that out we successfully launched and the rocket went well over 100 metres in the air. Cool!

In theory the motor should burn for a couple of seconds and then a little explosive charge fires to separate the nose cone from the main body. The main body then floats down on the parachute while the nose cone deploys spring-loaded rotors and auto-rotates down. In theory.  However, in our inexperience, we put in too much wadding and packed it too tightly. Consequently the rocket blew itself apart in mid-air and the parachute and rotors didn’t deploy. We managed to recover all the bits. The parachute was ok, but the rotor blades were too damaged to use again.

A video of our first launch

So we cut off the damaged section and added the nose cone back on to make a new, shorter rocket and did 2 more launches. Being lighter with the same motor it went a lot higher. Possibly over 200 metres!

We made a new rocket from the nose cone and tail of the kit, plus a long cardboard tube and lots of duct tape. We did another 3 launches using C class rocket motors. Even managing to get one successful parachute deployment. However as the new rocket was  heavier it got noticeablely less height, probably less than 100 metres.

A few things we learnt along the way:

  • Don’t force the parachute and nose cone in too hard or use too much wadding.
  • If the parachute doesn’t deploy the rocket can survive hitting the ground at speed surprisingly well. But they make quite a hole in the ground, so you REALLY don’t want to get in the way.
  • Even in light wind the rockets can land a fair distance away. Especially if the parachute deploys successfully. So pick a still day for the launch. You can also cut some extra vents in the parachute to make it fall faster.
  • You need a BIG open space, free from other people, animals and trees. Preferably at least 200 metres across, if you want to stand a good chance of recovering your rocket for another launch.
  • The maximum height of your rocket depends critically on the thrust to weight ratio.

Hopefully it goes without saying that pyrotechnics and objects travelling at high speed are potentially dangerous and require common sense and adult supervision.

Being a software geek with a physics background I couldn’t resist doing a few calculations. Here is a little Python script I wrote to calculate the maximum height and flight time based on the mass of the rocket and the thrust and duration of the motor. It applies a simple time-step approach to F=ma. Just modify the mass, thrust and duration variables.

rocket science codeIt assumes the rocket goes straight up and doesn’t allow for air resistance. But the values it calculates seem fairly plausible based on my observations. You can get the code via this link:

Python rocket calculation code

For example with a thrust of 6N for 1.6s I calculate a maximum height of:

Mass (Kg) Max height (Metres)
0.1 388
0.15 156
0.2 78
0.25 43

So you can see how critically important thrust to weight ratio is to maximum height.

Presumably it is possible to derive an analytic solution as well. I leave that as an exercise for the interested reader. ;0)

I think we will try a D-class motor next time (each step up the alphabet doubles the impulse). This seems to be the biggest that you can get hold of in the UK without a license. Watch out passing aircraft.

To infinity and beyond!

Technical Debt

Software products tend to build up ‘technical debt’ over time. Every bad decision, kludge and shortcut made to ‘just get it working’ makes the product more brittle and harder to change in the long run. Technical debt is very hard to avoid unless you know exactly what direction your product will take in the future (unlikely) and you can guarantee that the platform and libraries you build it on won’t change (even less likely). Like real debt, the longer you leave it, the worse it gets. Every so often you need to repay the debt if you want to keep your product healthy. Otherwise it will gradually degenerate into a Big Ball Of Mud.

My seating plan software has been developed continually for over 10 years now. I have done regular refactoring over that time to keep technical debt to a manageable level. For example, early versions of PerfectTablePlan were a bit lax about how memory was managed in the genetic algorithm. This shortcut wasn’t a big deal when the genetic algorithm was solving seat assignments for a few hundred people. But it became a performance issue when it was solving seat assignments for thousands of people. So I had to do a significant rewrite of the genetic algorithm. For PerfectTablePlan v6 I am going to have to rewrite all the remaining code that uses Qt3 classes, so that I can switch the codebase fully to Qt5. Oh joy! Thank goodness for the strong typing in C++. If I can keep the technical debt in check, perhaps people will still be buying PerfectTablePlan in another 10 years.

Technical debt is an inevitable consequence of the fact that software products are a ‘work in progress’ (including the software you are building on top of). The fact that software is never really ‘done’ can be frustrating, but it has its upsides. I was recently in the French mediaeval city of Laon, looking at their beautiful cathedral. I noticed that there were four and a half windows at one end of the transept. Four and a half? On further inspection it was clear that the builders had changed their mind part way through the build and then tried to cover up their mistake. It is still visible some 700 years later. At least we get the opportunity to correct our mistakes and our customers usually never know…

technical debt