Things you don’t need for v1.0

Few people launch software products expecting them to fail. But many products do fail. I don’t have any figures, but I think I can fairly confidently state that more commercial software products fail than succeed. You think your product isn’t going to be one of the failures. But so does everyone else. The only way to find out for sure is to launch. The sooner you launch, the sooner you will find out. I have banged the drum for releasing early before, so I won’t labour it here. But it begs the question – how do I launch fast? What do I leave out? Based on my experiences of launching 3 software products, this is what I would leave out.

Polish

As developers we (hopefully) all want to do great work that we can feel proud of. But, as entrepreneurs, we need to be careful not to spend lots of time polishing something that might be a turd. So ship v1.0 before it is polished. Early adopters tend to be fairly forgiving of a few rough edges, if they are interested in the direction you are taking. I spent 6 months (part-time) working on the first version of my AdWords keyword tool. It flopped. So I shipped the first version of my visual planning software within a few weeks of writing the first line of code. It was pretty bare-bones and a bit slow for plans with hundreds of cards, but it was enough to demonstrate the basic concept.

Designer website

You don’t need a beautiful, state-of-the-art website to launch your product. My own table planner software had a pretty ropey website (designed by me) for the first 10 years and it did fine. Just make sure the website clearly conveys what your product does.

Logo

You don’t need a professional logo for v1.0. The product name in coloured text using a font other than Arial will probably be fine. I did the initial logo for Hyper Plan in Microsoft Word Art in 10 minutes. Here it is in all its glory:

old Hyper Plan logo

I only paid a designer to come up with something better once I was sure it was worth my while.

DRM/Payment processing

I shipped the first version of Hyper Plan without even setting up licensing or payment processing. Every time you ran it, it just put up a window saying that it would expire on a certain date and that a new release would be available by that date. After that date it just stopped working.

Hyper Plan expired window

I only added licensing and payment processing once I had proved enough people were interested in the concept to make it worth my while. If you are going to take this approach, make sure you let people know that they will be expected to pay at some point.

Sophisticated pricing model

Ideally you want to segment your customers so you can charge more for the people who are prepared to pay more. But you probably don’t understand your market well enough to do this when you are starting out. So just pick a single price. I introduced segmented pricing for PerfectTablePlan in v4. Hyper Plan still has a single price.

Feature parity with your competitors

Trying to achieve feature parity with established competitors in v1.0 is a fool’s errand. Just pick one pain point that you think is not being well addressed and try to solve that. Make your lack of features a selling point by emphasizing how simple your product is to use.

Multi Platform

If it is going to take significant additional effort to release multi-platform, then just pick one platform to launch v1.0 on.

Extensive documentation

The first version of your product should be simple enough and well enough designed that it doesn’t need extensive documentation. My Hyper Plan software has been out for a year and it still only has a one page quick start guide.

Mailing list

Many people advocate building up a mailing list of interested people before you launch. It obviously helps a lot if you already have an audience in the market you are launching into. But, if you don’t, it takes significant time and effort to build that audience. I would rather put in that effort once I have something to show them.

Trademark

Why bother to spend time and money trademarking something if you don’t even know if anyone wants it?

Patent

I’m not a fan of software patents and I don’t have any patents after nearly 11 years in business. So I certainly wouldn’t waste time and money on a patent for v1.0.

Lawyers

If a bug in your software could kill someone or destroy their business, you should probably talk to a lawyer. Otherwise a boiler-plate end user licence agreement is probably fine for v1.0.

Company

I did create a limited company before I launched my first product to get a bit of extra legal protection. But it’s not strictly necessary (in the UK at least).

Trade-offs

It’s all a tradeoff. Obviously it is better to have a beautiful website than an ugly one. But is it worth spending lots of time and money on designing a beautiful website for an unproven product?

The best approach depends very much on your market and circumstances. If you are a big player with lots of money and reputation, then much of the above may not apply. If you are selling web design products, you had better have a pretty slick looking website for v1.0. If you are selling aircraft avionics systems then I hope v1.0 of your product is pretty polished.

What every software vendor needs to know about SHA1/SHA2 and digital certificates

TL;DR : If you digitally sign your software you need to make sure you have an SHA2 certificate and use it to dual sign your software with both SHA1 and SHA2 digests.

Digital certificates are used to prove who authored a piece of software and that it hasn’t subsequently been tampered with. Starting with Windows XP SP2 you get a warning message if you download software that isn’t signed with an appropriate digital certificate. So most commercial software vendors digitally sign their software. We grumble about price gouging by the certificate vendors and the hoops we have to jump through to get a certificate. But, apart from that, the system seems to work tolerably well. However Microsoft have thrown a spanner into the works by deprecating digital certificates using the SHA1 algorithm. I only found out about this a few weeks ago from a fellow vendor’s blog. Thanks for nothing Microsoft. If you are using a digital certificate you purchased more than a year ago, it is probably SHA1. This post explains what this means for software vendors, based on my research so far. I am not an expert on this topic and things seem to be changing fast, so please let me know if there are any mistakes or omissions.

I don’t digitally sign Windows software, does this affect me?

No. But perhaps treat Windows unsigned software warnings with some skepticism until Windows software vendors sort this mess out. If you only develop for Mac OS X you can feel a bit smug (at least until the next time Apple nukes your development ecosystem from orbit).

What is SHA1?

SHA1 (Secure Hash Algorithm 1) is a cryptographic hash function that was used in digital certificates issued until recently. SHA1 was known to have weaknesses as far back as 2005. Microsoft (and Google) have finally decided that SHA1 is too vulnerable and SHA2 digital certificates should be used instead.

What happens if my certificate is SHA1?

If you signed your software with a timestamp before 01-Jan-2016:

  • It will be treated by Windows XP SP2/XP SP3/Vista as signed.
  • It will be treated by Windows 7/8/10 as signed only until 01-Jan-2017.

If you signed your software with a timestamp on or after 01-Jan-2016:

  • It will be treated by Windows XP SP2/XP SP3/Vista as signed.
  • On Windows 7/8/10 you will get an ugly “The signature of <file> is corrupt or invalid” or “The signature of this program is corrupt or invalid” error when downloading. If you don’t see this, it might be because you haven’t done a Windows Update recently (shame on you).

Windows seems to treat software that has been downloaded from the web (with ‘mark of the web’) differently. So make sure you test a version of your software you have downloaded from the web. I carried out some tests on 01-Mar-2016 using an SHA1 certificate to sign an executable and then download it. It worked ok when downloaded using Firefox or Chrome, but was shown as corrupt when downloaded using IE.

How do I know if my current certificate is SHA1?

  1. Right click on your most recently signed installer and select Properties.
  2. Click on the Digital Signatures tab.
  3. Select the signature and click on the Details button.
  4. Click the View Certificate button.
  5. Click the Details tab.
  6. Look at the Signature hash algorithm.

What should I do if my certificate is SHA1?

If your certificate hasn’t expired you should ask the company you purchased it from to issue you a new SHA2 certificate. They should do this free of charge. In the process they will revoke your SHA1 certificate, so you can no longer use it for signing. You should then use your new SHA2 certificate to double sign new releases (see below).

I have an SHA2 certificate, now what?

If you want a new release to be treated as signed on both Windows XP SP3/Vista and Windows 7/8/10 then you need to double sign the file for SHA1 and SHA2:

signtool.exe sign /f <pfx file> /p <pfx password> /t <sha1 timestamp server> /v <installer>

signtool.exe sign /f <pfx file> /p <pfx password> /tr <sha2 timestamp server> /fd sha256 /td sha256 /as /v <installer>

Note that the order of the above is important (SHA1 first).

The Comodo SHA1 and SHA2 timestamp server is:
http://timestamp.comodoca.com

You can add a /debug flag for verbose output.

If you only want to support Windows 7/8/10, then you can omit the first line (but why would you?).

You can use chktrust.exe to check the signature:

chktrust.exe <installer>

Note that only version 6.3 and later of signtool.exe (which comes with Windows 8.1 SDK and is also available here) supports the /as flag.

I always sign the program, as well as the installer.
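
The certificate check and the double-signing steps above, combined into one PowerShell script. This is an added example, not the author's own script: it assumes signtool.exe 6.3 or later is on the PATH, the parameter names are hypothetical, and it verifies with signtool verify rather than chktrust.exe.

```powershell
# Added example, not the author's script. Assumes signtool.exe 6.3+ is on PATH.
# Parameter names are hypothetical; the timestamp URL is the one from the article.
param(
    [Parameter(Mandatory)] [string]   $PfxFile,
    [Parameter(Mandatory)] [string[]] $Files,   # e.g. the program, then the installer
    [string] $TimestampUrl = 'http://timestamp.comodoca.com'
)
$ErrorActionPreference = 'Stop'

# Prompt for the PFX password instead of storing it in the script or build log.
$secure   = Read-Host -Prompt 'PFX password' -AsSecureString
$password = [System.Net.NetworkCredential]::new('', $secure).Password

# Step 1: confirm the certificate itself is SHA2 before signing anything.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxFile, $password)
$algo = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
if ($algo -match 'sha1') {
    throw "Certificate '$($cert.Subject)' uses $algo; ask the issuer for an SHA2 reissue first."
}

function Invoke-SignTool {
    param([string[]] $Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

foreach ($file in $Files) {
    # Step 2: SHA1 digest first, using the /t timestamp option.
    Invoke-SignTool -Arguments @('sign', '/f', $PfxFile, '/p', $password,
                                 '/t', $TimestampUrl, '/v', $file)

    # Step 3: append (/as) a second signature with an SHA256 file digest (/fd)
    # and an SHA256 timestamp digest (/td) via the /tr timestamp option.
    Invoke-SignTool -Arguments @('sign', '/f', $PfxFile, '/p', $password,
                                 '/tr', $TimestampUrl, '/fd', 'sha256',
                                 '/td', 'sha256', '/as', '/v', $file)

    # Step 4: verify every signature on the file, not only the first one.
    Invoke-SignTool -Arguments @('verify', '/pa', '/all', '/v', $file)
}
```

Because the script stops on the first non-zero signtool exit code, a failed timestamp request cannot leave a release with only the SHA1 signature attached unnoticed.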

Can I double sign .msi files?

I have seen reports that .msi installers don’t support double signing. But I don’t use .msi installers, so I haven’t investigated further.

What happens to software I signed with my SHA1 certificate after the certificate is revoked?

Software you signed previously will not be affected, e.g. it will be treated as signed by Windows 7/8/10 until 01-Jan-2017.

How do I sign Windows XP SP1/XP SP2 software?

Windows XP SP1 doesn’t warn you if there is no signature, so you can ignore XP SP1. SHA2 signatures are not supported in Windows XP SP2. So you will need to have both valid SHA1 and SHA2 certificates to support XP SP2 and all the later versions of Windows. It’s not clear that certificate vendors will allow this. Also, how many people with Windows XP SP2 (an unsupported OS) are out there buying software? I won’t be bothering to support signing for XP SP2.

Does this affect SSL certificates as well as code signing (Authenticode) certificates?

I believe so. But I don’t have any SSL certificates, so I haven’t investigated further.

How does this affect signing of device drivers?

I understand there are some differences for device drivers. But I don’t create device drivers, so I haven’t investigated further.

What is the difference between SHA2 and SHA256?

SHA2 is a family of two similar hash functions known as SHA256 and SHA512. SHA256 uses 32-bit words where SHA512 uses 64-bit words.

How secure is SHA2?

Er, it was designed by the NSA. Supply your own joke.

I don’t have a digital certificate, where can I get one?

I got my Comodo code signing certificate from reseller codesigning.ksoftware.net. They have a good reputation, and are significantly cheaper than Comodo. I don’t have any business relationship with them beyond being a happy customer.

Anything else I should know?

Microsoft has reserved the right to move the SHA1 deprecation date forward from 01-Jan-2017.

Acknowledgements

Thanks to Nikos Bozinis for first alerting me to this issue and to Mitchell Vincent of ksoftware.net for fact checking this article.

Further reading

http://zabkat.com/blog/code-signing-sha1-armageddon.htm

http://support.ksoftware.net/support/solutions/articles/215805-the-truth-about-sha1-sha256-and-code-signing-certificates-

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

Updates

02-Mar-2016: Added missing link and minor update.

03-Mar-2016: Minor update.

Software products are *not* passive income

Some people dream of creating a ‘passive’ income that generates money on auto-pilot while they go and learn tango in Argentina, or whatever their chosen path to the top of Maslow’s hierarchy is. In my experience, a software product is a long way from being a passive income. I know lots of people who own software product businesses. I don’t think any of them regard it as a passive income either.

While on holiday I’ve run my own business from a laptop in less than an hour per day. But the business would start to suffer if I did this for more than a few months. Even if you are not adding new features, software products require significant effort to maintain. Sales queries need answering, customers need support and bugs need fixing. New operating systems will often break things in otherwise stable products (particularly on Mac OS X). And there is always admin stuff to do: tax, accounts and a hundred other things. Marketing also requires ongoing effort, whether it be in the form of A/B testing, newsletters, SEO, PPC or blogging. If you aren’t continually improving your product and marketing, then harder working competitors are soon going to start eating your lunch. You can hire people to do the work for you. But then you have to train and manage those people. And the most capable people have a habit of going off to start their own companies.

There may be some products that can generate passive incomes. Perhaps ebooks, training videos and mobile apps. But I expect they still need significant amounts of ongoing marketing effort if they are going to earn more than pocket money. Remember – if it sounds too good to be true, it probably is…

How to build a gym in your garden

Human physiology has evolved for a challenging existence on the African savannah. It doesn’t cope well with sitting in front of a computer all day, with high energy foods constantly within easy reach. But going to the gym is a hassle: get your gear together, drive to the gym, get changed, do your workout, have a shower, get changed back, drive home. Even just going for a run means 2 changes of clothes and a shower. I wanted something high intensity that I could do in a few minutes every day. I work from home, so I built a gym in my garden, right outside my office. I posted some pictures of it on social media and a few people asked for details of how I made it. So I thought I would write it up here, in case anyone else was interested.

Construction materials:

  • 3.0m x 0.1m x 0.1m fence posts (2 of)
  • 1.8m x 0.1m x 0.1m fence posts (3 of)
  • 1.2m outdoor pull-up bars with fixings (coach bolts and washers) (3 of)
  • 20kg bags of Postcrete (19 of)
  • 20kg bags of gravel (2 of)

The total cost of all the above was about £240, including delivery of the fence posts and pull-up bars.

You should be able to get the fence posts from any fencing supplier. Make sure they are pressure treated, so they don’t rot away in a few years. Anything narrower than 0.1m x 0.1m might not be strong enough. Anything bigger is going to be pretty unwieldy to work with.

You can buy outdoor pull-up bars from various sources. I got mine here. Make sure the bars and their fixings are either galvanized or powder coated, so they don’t rust. I chose bars long enough that I have the option to do wide-grip pull-ups.

Postcrete is a special form of concrete for fence posts (I think it might be called Quickcrete in some countries). You just add water and it sets solid in minutes. Leave it to ‘cure’ for 24 hours before putting any weight on it. I used 5 bags of Postcrete for each of the 3.0m pull-up posts and 3 bags of Postcrete for each of the 1.8m dips posts. You could probably get away with less, but I preferred to ‘over-engineer’ it. I also threw some old bricks and hardcore into the holes for extra bulk. You can use standard cement, which is cheaper, but not as convenient.

You need to dig your post holes according to the height and spacing you want for the bars, which will depend on your height. The pull-up bar should be roughly the same height as your knuckles with your arms fully outstretched above your head. The dips bars should be slightly more than shoulder width apart and level with your lower ribs. If you are very tall, you might need longer posts than I did. The holes should be approximately 3 times the width of the fence posts. Put approximately 0.1m of gravel in the bottom of each hole for drainage. The gravel also helps with getting the posts at the same level.

Digging a 1.0m deep by 0.1m x 0.1m across hole is difficult using a spade. I recommend you use a post hole digging tool. I bought one from building supplier Wickes for £25. The bolts were a bit loose, but once I had tightened them up it was fine. You can also rent them, but 3 days rental was as expensive as buying one new.

Digging the holes is hard work! I did 30 minutes of digging every now and then. Usually when I got fed up with whatever I was working on. Tip: Cover the loose dirt from the hole with something waterproof as it is much harder to move later if it gets wet.

Attaching the bars before you set the posts isn’t practical. Setting all the posts before attaching any bars is asking for trouble. So we alternated setting the posts and attaching the bars.

Setting the posts and attaching the bars is definitely not a one-person job, so I conscripted the family to help. We used rubber bands to hold 2 spirit levels onto 2 adjacent sides of a post, to make sure it was completely vertical (you can also buy specialist post levellers). One person then held the post while the other one added the Postcrete and water. To attach the bars just drill 4 pilot holes into a post and then use a socket and ratchet to tighten the coach bolts onto the washers.

I also bought a heavy duty rubber mat and post caps to finish things off.

Normally I only create digital things (software, websites, documentation, blog posts etc) so it was really nice to make something physical for a change. Given my modest DIY skills, I am very pleased with how it turned out. It feels very solid and everything is pretty straight and level. Not bad for a software engineer!

Pull-ups, dips and leg raises cover a lot of the major muscle groups between them. Currently I am trying to do pull-ups and dips on alternate days. I usually do 3 sets of as many as I can, with at least a few minutes rest in between. I also do some negative reps. A negative pull-up is where you jump up and then lower yourself as slooooooowly as you can. This sort of eccentric training is very good for building strength (and also useful if you aren’t yet strong enough to do a pull-up). Just hanging from the bar is good for stretching your back muscles.

Because my gym is right outside my office and only takes a minute or so per set, there is no excuse. I also have a reminder set up in the Balanced app on my iPhone. In a few weeks I have gone from 3 pull-ups to 8 pull-ups (with good form). Once I have improved my strength further and reached a plateau on those exercises, I may try some more exotic exercises. I hope eventually to be able to do a ‘muscle up’!

Muscle-up

Confessions of a bad software entrepreneur

If you read blogs and forums and go to conferences you will soon pick up that there are a number of recommended ‘best practices’ for being a successful software entrepreneur. I don’t conform to many of them:

SaaS product

No. Both my products are desktop based.

B2B market

Not really. Most of my customers are consumers.

Funded

No. I bootstrapped the business from my own savings.

Subscription model

No. My licences are a one-time fee.

Beautifully designed responsive website

No! www.perfecttableplan.com converts well, but it is certainly not beautiful or responsive (a new website is on the way though).

Co-founder

No. Just me.

Delegation

No. I have delegated bookkeeping to my lovely and talented wife (who also proof reads this blog) but I don’t have any employees or virtual assistant and do the vast majority of things myself, including all the marketing, sales, programming, documentation and customer support.

Drip email campaign

No. One day perhaps.

Focus

Not really. I like variety. I have 2 products under active development and also do some consulting and training.

Social media campaign

No. I have long since given up on Twitter and Facebook as marketing channels.

Mastermind group

No. I do talk with my peers in forums, at meetups and conferences, but not in any structured way.

Started young

No. I was pushing 40 when I started my entrepreneurial career.

Endless growth

No. I can’t really grow the business much more without taking on staff or becoming a workaholic. But I am happy just to maintain the current level of sales. [1]

Exit plan

No. I haven’t given it any real thought. I am quite happy doing what I’m doing.

But…

My one-man software business has made me a nice living doing a job I enjoy for more than 10 years. So I guess I must be doing something right. There is no ‘one true way’ to be an entrepreneur. If you have a good product with good support and good marketing, most other things are optional.

[1] Added after suggestion by Tom Reader.

estes-helicat-rocket

Rocket Science

My son, my wife and I have been messing around with model rockets. They seem to be a big thing in the USA, but are a lot less common here in the UK. They are a lot of fun.

I bought the above rocket + launch pad + launch controller kit from a local model shop, with some recovery wadding and 3 class C rocket motors with igniters:

rocket kit amazon.co.uk link

rocket kit amazon.com link

The total cost was £30.

Making the rocket involved a bit of glueing and assembly, but was fairly straightforward. Then we inserted some wadding (to protect the internals from the hot gas of the rocket motor), the recovery parachute and the nose cone with rotors. When it was finished we took it to a big open space, inserted a rocket motor and igniter, put it on the launch pad and used the 9v battery operated remote control to launch it.

We had a few non-launches because the crocodile clips (connecting the launch control to the igniter) touched, causing a short-circuit, or fell off. Not a great design. Once we had sorted that out we successfully launched and the rocket went well over 100 metres in the air. Cool!

In theory the motor should burn for a couple of seconds and then a little explosive charge fires to separate the nose cone from the main body. The main body then floats down on the parachute while the nose cone deploys spring-loaded rotors and auto-rotates down. In theory. However, in our inexperience, we put in too much wadding and packed it too tightly. Consequently the rocket blew itself apart in mid-air and the parachute and rotors didn’t deploy. We managed to recover all the bits. The parachute was ok, but the rotor blades were too damaged to use again.

A video of our first launch

So we cut off the damaged section and added the nose cone back on to make a new, shorter rocket and did 2 more launches. Being lighter with the same motor it went a lot higher. Possibly over 200 metres!

We made a new rocket from the nose cone and tail of the kit, plus a long cardboard tube and lots of duct tape. We did another 3 launches using C class rocket motors. Even managing to get one successful parachute deployment. However as the new rocket was heavier it got noticeably less height, probably less than 100 metres.

A few things we learnt along the way:

  • Don’t force the parachute and nose cone in too hard or use too much wadding.
  • If the parachute doesn’t deploy the rocket can survive hitting the ground at speed surprisingly well. But they make quite a hole in the ground, so you REALLY don’t want to get in the way.
  • Even in light wind the rockets can land a fair distance away. Especially if the parachute deploys successfully. So pick a still day for the launch. You can also cut some extra vents in the parachute to make it fall faster.
  • You need a BIG open space, free from other people, animals and trees. Preferably at least 200 metres across, if you want to stand a good chance of recovering your rocket for another launch.
  • The maximum height of your rocket depends critically on the thrust to weight ratio.

Hopefully it goes without saying that pyrotechnics and objects travelling at high speed are potentially dangerous and require common sense and adult supervision.

Being a software geek with a physics background I couldn’t resist doing a few calculations. Here is a little Python script I wrote to calculate the maximum height and flight time based on the mass of the rocket and the thrust and duration of the motor. It applies a simple time-step approach to F=ma. Just modify the mass, thrust and duration variables.

It assumes the rocket goes straight up and doesn’t allow for air resistance. But the values it calculates seem fairly plausible based on my observations. You can get the code via this link:

Python rocket calculation code

For example with a thrust of 6N for 1.6s I calculate a maximum height of:

Mass (Kg) Max height (Metres)
0.1 388
0.15 156
0.2 78
0.25 43

So you can see how critically important thrust to weight ratio is to maximum height.

Presumably it is possible to derive an analytic solution as well. I leave that as an exercise for the interested reader. ;0)
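
One analytic solution under the same assumptions as the script (an added derivation, not the author's). It further assumes a constant thrust $T$ over the burn time $t_b$, a constant mass $m$, and $g = 9.81\ \mathrm{m/s^2}$; these symbols are not from the original post.

During the burn the net acceleration is constant, so the velocity and height at burnout are:

$$a = \frac{T}{m} - g, \qquad v_b = a\,t_b, \qquad h_b = \tfrac{1}{2}\,a\,t_b^2$$

After burnout the rocket coasts upward under gravity alone and gains a further $v_b^2 / (2g)$, so the maximum height is:

$$H = h_b + \frac{v_b^2}{2g} = \frac{a\,t_b^2}{2}\left(1 + \frac{a}{g}\right) = \frac{T\,t_b^2}{2\,m\,g}\left(\frac{T}{m} - g\right)$$

For $T = 6\ \mathrm{N}$, $t_b = 1.6\ \mathrm{s}$ and $m = 0.1\ \mathrm{kg}$ this gives $H \approx 393\ \mathrm{m}$, close to the 388 metres in the table above.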

I think we will try a D-class motor next time (each step up the alphabet doubles the impulse). This seems to be the biggest that you can get hold of in the UK without a license. Watch out passing aircraft.

To infinity and beyond!