A few thoughts on entrepreneurship

Written on 23 September 2018, 02:55pm


Some thoughts about succeeding with your start-up:

  • It’s the idea that matters, not the money. Money is relatively easy to get; what’s more difficult to have is a brilliant idea for your startup.
  • But to get money you need a business case. This forces you to analyse and validate your idea. Of course, more than 99% of the ideas will be either not feasible or simply rubbish. Nobody will give you money for free, and going through the analysis required by a business case increases the chances that the money is well spent.
  • Risk management is essential. After your idea takes shape and you have the necessary funding, it’s all about managing the risks. Start with identifying your assets, then look at their vulnerabilities and the possible threats. Then perform a proper risk assessment (likelihood and impact) and manage the risks (mitigate, transfer, avoid, accept). Keep looking at the risks and the implemented controls periodically; it’s likely that you will play in an always evolving environment where the risk landscape constantly changes.
  • Always be better. Just because you have something out there (a product or a service) doesn’t mean that it will necessarily bring profit. Keep asking yourself what needs it fills, and how these needs will evolve. Keep asking yourself if your product or service still brings value. You need to adapt to survive.

A discussion from my first year of university (2000) stuck with me until now. I was chatting to one of the older students who was already leading his own business and was doing university more out of curiosity. I understood the value of an idea when he told me that he was ready to go with me to the bank and get money, as long as I came up with a business idea that could be implemented. Needless to say, after a few tries we both concluded that there was no need to bother the bank, and for the following years I kept thinking about good business ideas that never came.

Fast forward to 2012, and I was involved with a couple of friends in my first and only startup so far. We had an idea and we had the energy to build it ourselves. And we did it, and then we launched it. And boy, it was working! But soon, everything fell apart. As soon as the software product was built, we needed sales people to move things forward. We were engineers trying to solve a sales problem, not realizing that all we needed was to go to the bank and ask for money.

So in the end, doing the 4 things above offers no guarantee that you will succeed. Doing the right things at the right time takes practice. And that only comes after repeated failures.

TLS Training London – day 2

Written on 8 September 2018, 02:07pm


Again, some notes about the second day of the excellent TLS Training delivered by Scott Helme. 

  • Symmetric encryption is fast. AES is fast enough for transferring large amounts of encrypted data (e.g. streaming).
  • Asymmetric encryption is slow, therefore it’s only used for the authentication, at the beginning of the secured session.
  • The RSA algorithm was actually invented 4 years before its public description: the acronym RSA is made of the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in 1978. Clifford Cocks, an English mathematician working for the British intelligence agency Government Communications Headquarters (GCHQ), had developed an equivalent system in 1973, but this was not declassified until 1997.
  • Hashing: SHA256 (a member of the SHA-2 family) is considered strong enough. Alternatives for the future are SHA384 and SHA512 (longer digests), but if SHA-2 is fundamentally broken, then the SHA-3 family (Keccak) comes to the rescue. It’s like a never-ending cat vs mouse game between cryptographers and cryptanalysts.
  • The CAs store their private keys in HSMs and rarely rotate them (a lifetime of a few decades is not uncommon)
  • There is a good analogy between digital certificates and passports
  • X.509 is the standard describing the structure of digital certificates. Currently at version 3, it introduced extensions (arbitrary metadata as key + value pairs). Example of an extension: the SAN (Subject Alternative Name), where a number of domains can be given on top of the common name (CN). In fact, Google Chrome only looks at the SAN when parsing a certificate.
  • The certificate chain is typically composed of the Root CA certificate, then the Intermediate CA certificate(s) and finally, the end-entity certificate (the leaf). The last intermediate certificate has the ‘path length’ parameter set to 0 (its children can only be leaves).
  • The Root CA certificates are provided by the client (stored in the browser or OS), while the intermediate CA and end-entity certificates are provided by the server (the intermediate CA cert, for performance reasons).
  • It takes on average 5-6 years to become a Root CA. And if you want this, you must work with the following 5 relying parties carrying a set of root keys in their trust store: Apple, Google, Java, Mozilla, Microsoft. Let’s Encrypt started in 2016 and it’s not yet a Root CA; they are currently using another root CA to cross-sign their certificates (IdenTrust). 
  • The Web PKI is governed by the CAB Forum, an entity where the Certificate Authorities and the major browsers are represented.
To be continued…

The tools that I’m using #4

Written on 8 September 2018, 01:10pm


It’s time for a new post about the tools that I’m using. See previous editions:

As usual, most of the applications are still there, but there are some changes. More importantly, I merged Productivity and Work into a single section since I no longer see a good reason to separate them.

Productivity and work

  1. Chrome
  2. Dropbox
  3. f.lux
  4. Logitech SetPoint
  5. Sublime Text
  6. Total Commander
  7. + LastPass
  8. + Workflowy
  9. + Pocket
  10. + BitVise
  11. + WizzMouse
  12. + Ditto
  13. + Freedome VPN

Gone are the anti-virus/anti-malware apps (Avast, MalwareBytes), along with KeyTweak (I got a new notebook and I no longer need to tweak the keys). Also gone are Beyond Compare (even though I’m still using it from time to time) and OneNote, replaced by Workflowy (Google Keep currently under evaluation). f.lux is at the borderline – still there, but I don’t know for how long. New entries: WizzMouse, because it makes your mouse wheel work on the window currently under the mouse pointer, instead of the currently focused window. Workflowy because of its brilliant simplicity, and LastPass + Pocket because I forgot to add them 3 years ago. BitVise – because it’s much better than Putty + WinSCP combined. And finally, Ditto, a clipboard manager. Clear privacy issues, since it stores your clipboard forever, but it saved me a few times. Speaking of privacy – Freedome VPN is now in the list, since you can no longer not have a VPN nowadays…

  1. Netflix
  2. FastStone Editor
  3. WebShots
  4. + Photolemur

VLC and FastPictureViewer are gone, Photolemur is a new entry. And WebShots is still awesome!