Hacking iWin and Why it Wasn’t Worth It

About ten years ago, around 2000, an online gaming company named iWin launched. The premise was simple: when you played their online games you earned iCoins, which you could then exchange for prizes. It was kind of like exchanging tickets at an arcade for prizes, except that you didn’t have to pay iWin to play and their prizes were excellent: MP3 players, VCRs, gift certificates, etc. The only downside was that as you played the games on their website, a large ad banner appeared below the game, which is how they made their money.

At the time I was working on AOL-Files.com, a community of hackers dedicated to finding and exploiting holes in the America Online service. A large part of what we did was pick at and probe the AOL software, hoping to find a vulnerability which would enable us to do things we weren't supposed to do. When iWin launched, it became a popular target for a lot of the community because of the prizes it offered.

Breaking iWin

The first thing we noticed was that iWin rewarded you for referring other people to their site. Whenever you signed up it asked you for the user name of whoever told you about the site and then that person got something like 25 iCoins automatically. iWin didn’t employ a CAPTCHA, so it was incredibly easy to automate the registration process. We created bots that would sit there for hours and create accounts, all using the same referrer, which was our legitimate account. We quickly earned a massive amount of iCoins this way. (Note that this would have been relatively easy to mitigate by adding a CAPTCHA or not rewarding the referral bonus until the new user had played a certain number of games, which couldn’t be automated).

Eventually someone discovered a far easier way to accumulate iCoins. There was a page on the site that required you to type in how much you were spending on an item. So, for example, the page would show a product and say that it cost 2,500 iCoins. You'd type 2,500 into a text box, hit submit, and 2,500 would be deducted from your account balance. If your original balance was 10,000 iCoins, iWin would recalculate your balance like so:

10,000 - 2,500 = 7,500

Well, someone figured out that iWin didn't check to make sure you were using positive numbers, so if you entered a negative number, iWin would still try to subtract it from your balance:

10,000 - -2,500 = 12,500

And just like that, people could add thousands of iCoins by simply entering a negative number into that form.
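The deduction bug described above, as an added example (this is not iWin's code, and the account names, catalog and prices are constructed): the flawed subtraction beside a hardened version that parses the amount strictly, rejects anything non-positive, takes the price from a server-side catalog instead of trusting the form, and refuses to overdraw.

```python
# Added example, not code from iWin. A toy iCoin ledger showing the
# negative-amount bug beside the checks that would have prevented it.
# The catalog, prices and accounts are constructed for illustration.

from dataclasses import dataclass

PRICES = {"mp3-player": 2_500, "vcr": 7_500}  # constructed catalog


@dataclass
class Account:
    name: str
    balance: int = 0


class PurchaseError(ValueError):
    """Raised when a purchase request is rejected."""


def redeem_vulnerable(account: Account, submitted_amount: str) -> int:
    """The flawed logic: trust whatever number the form sends and subtract it.
    A negative submission turns a purchase into a deposit."""
    amount = int(submitted_amount)
    account.balance -= amount  # 10000 - (-2500) == 12500
    return account.balance


def redeem_hardened(account: Account, item: str, submitted_amount: str) -> int:
    """Same operation with the checks the post says were missing:
    - the number is parsed strictly and must be a positive integer,
    - the price comes from the server-side catalog, so the submitted
      value only has to match it and never sets it,
    - the deduction is refused if it would overdraw the account."""
    if item not in PRICES:
        raise PurchaseError(f"unknown item {item!r}")
    try:
        amount = int(submitted_amount.strip())
    except (ValueError, AttributeError):
        raise PurchaseError("amount must be a whole number") from None
    if amount <= 0:
        raise PurchaseError("amount must be positive")
    if amount != PRICES[item]:
        raise PurchaseError("amount does not match the item price")
    if account.balance < amount:
        raise PurchaseError("insufficient balance")
    account.balance -= amount
    return account.balance


def attempt_redeem(account: Account, item: str, submitted_amount: str) -> str:
    """Wrapper that returns "ok" or the rejection reason, which is what you
    would want to log when monitoring for tampered submissions."""
    try:
        redeem_hardened(account, item, submitted_amount)
        return "ok"
    except PurchaseError as exc:
        return str(exc)
```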

Later, someone else figured out a URL that you could go to which would let you specify how many iCoins you wanted to add to your account. With one click, you could go from 250 iCoins to 2,500,000,000 iCoins (though that would have been a bit suspicious).

Their security was so poor that you couldn’t help but feel bad for them. They had a winners page which listed all of the recent winners and what they had won. Some spammers figured out that if you signed up with an account name like:

<h1><a href="http://www.spam.com">Click here!</a></h1>

Then the winners page would display the link, which implies that 1) the user name was not validated at the registration step and 2) it wasn't escaped prior to display on the winners page.
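The two missing controls named above, as an added example that is not iWin's code (the user name allowlist and the winner records are constructed): validate the user name at registration, and escape every value at display time anyway, since data can reach the winners page by paths that bypass registration checks.

```python
# Added example, not code from iWin. Registration-time validation of the
# user name plus display-time escaping on the winners page. The allowlist
# policy and the winner records are constructed for illustration.

import html
import re

# Constructed policy: letters, digits and underscore, 3 to 20 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def valid_username(name: str) -> bool:
    """Registration-time check: reject anything outside the allowlist, so
    markup like <h1><a href=...> never reaches the database in the first place."""
    return USERNAME_RE.fullmatch(name) is not None


def render_winners_vulnerable(winners: list[tuple[str, str]]) -> str:
    """The bug as described in the post: raw values concatenated into the page,
    so a user name containing markup is rendered as markup."""
    rows = [f"<li>{user} won {prize}</li>" for user, prize in winners]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def render_winners(winners: list[tuple[str, str]]) -> str:
    """Display-time check: HTML-escape every value before it enters the page.
    This stays necessary even with validation, because validation rules
    change over time and data may arrive through imports, admin tools or
    accounts created before the rule existed."""
    rows = [
        f"<li>{html.escape(user, quote=True)} won {html.escape(prize, quote=True)}</li>"
        for user, prize in winners
    ]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"
```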

As you can imagine, these exploits didn't last very long. iWin quickly fixed most of the vulnerabilities that we had taken advantage of. They also switched to an auction-only system so that you could not purchase a prize directly with iCoins; instead you could use your iCoins to buy raffle tickets for an item, which made it a lot harder to beat.

At this point you might be wondering how iWin ever expected to make money off of their original business model. I wondered that for a long time too.

Here's what I think: iCoins were very hard to accumulate legitimately. The games didn't reward many iCoins and you'd probably have to play hundreds of hours to earn enough to purchase a decent prize. Most people probably quit long before they ever earned enough to get anything. In the meantime, the users had spent a lot of time playing the games and viewing the ads. Someone probably calculated that something like 95% of the players would never earn enough to win a prize and for those that did, the amount iWin earned in ad revenue would far surpass the amount they had to pay out in prizes.

Final Thoughts

I was 14 at the time. Looking back, I'm proud that we were clever enough to figure out how to break iWin, but I'm ashamed that we actually did it. What we did was equivalent to stealing from Best Buy because the locks were broken.

At the time I probably would have said that it was a victimless crime, that everyone was doing it, that it was their fault for not securing their system, but that’s all bullshit. No rationalization can change the fact that we stole from them. I wish I could go back and talk some sense into myself.

I may have won a little, but in the end it wasn't worth it.

New Plan: Small, Educational Projects

I’ve had this idea in my head the last few weeks that I’m going to just jump into my next major project and learn the skills required to make it along the way. That’s kind of what I did with Domain Pigeon and since it got the job done, I didn’t consider any alternative processes. But, after reading the first few chapters of the Django and Flash books, I think it’s a much better idea to successfully complete a few baby steps before I try the long jump.

So, instead of diving headfirst into a large project I’m going to work on several small ones that will each require me to learn something new. Breaking it up into small, manageable components will let me focus on mastering a few skills at a time. One will be a small Django project, one will be a Flash project, etc. I might even do several of each, depending on how much I’m enjoying the work.

And who knows, maybe one of them will turn into something big and I’ll abandon my current plans.

We’ll see what happens.

Losing Focus

I started Domain Pigeon to help me prepare to found a start-up in a few years. I wanted to learn Rails and web development and to gain valuable experience along the way. I realized today that over the last few weeks I've lost sight of that goal.

For example, I am not very good with git. I know enough to use it in conjunction with Capistrano to deploy my Rails app to Dreamhost, but when it comes to moderately complex tasks like branching and merging I’m completely inept. I have to constantly refer to the cheat sheets and even then, I’m not confident that I’m doing things correctly. I know this and know that I ought to become fluent with git, and yet I spent a good two hours today tweaking the font size of the links on Domain Pigeon’s homepage. 1.3em or 1.4em? Text decoration none or text decoration normal?

I have two Nolo books that I bought to help me learn what I’m talking about: Quick LLC and LLC or Corporation?. I made it through about a third of each of these, fell asleep, and went back to programming. I’m still not sure what’s the best choice for would-be founders.

I have subscriptions to Inc and Fast Company but lately I either let them stack up on my coffee table or, if I do get around to opening them, all I pay attention to are the designs. "That looks really good," I say to my wife. "Maybe I can incorporate that into Domain Pigeon." "Uh, OK, have fun with that honey." Screw understanding what accounts receivable are, I want to know what font that is. And does the padding on that header look like 10px or 15px?

Also, “cap deploy” is awesome, but it would also be nice to know how to administer my own server. It would probably be helpful if load balancing wasn’t just theoretical.

And what the hell is with blocks in Ruby? That shit is crazy.

I want to learn how to write better and want to get better at public speaking. Instead, I’ve been blogging about the morality of claiming that Domain Pigeon has “free” domain names vs “available” domain names.

Here’s the thing:

Knowing how to program is important, but it's not enough if you want to be more than just a developer. Knowing how to run a business is also important, but it's not enough if you want to be more than just a manager. To really make it big, you've got to be able to do both well. That, or get a kick-ass cofounder.

Now, if you’ll excuse me, I’ve got work to do. #222222 seems a bit too dark and I’m highly considering #2a2a2a.

Philly.rb, DP Demo & an Interesting Conversation

What an interesting day.

It started off with a long conversation with my boss about work related issues. The only thing to say about that is that for some reason the more I want to impress someone the stupider I seem to sound. When I talk to my brother, for example, I am clear and deliberate and speak with a kind of verbal alacrity that I seem to totally lose when I'm talking to someone I'm trying hard to impress. I'd much rather it had been the other way around, but, what are you going to do…

I left work a bit early to head out to Philly for this month’s Ruby meetup. The group, formerly known as Philly on Rails and now known as Philly.rb (due to interests in frameworks other than Rails), meets twice a month: a pub night, where people sit around, drink beer, and talk about geeky things, and an instructional meeting, where people get together in a classroom environment and talk about more geeky things. Today was the first instructional meeting I’ve attended.

Getting there was a bit of an adventure. Due to today's nasty weather in the Northeast, traffic was slow as hell. The drive to Philly took about three times as long as it should have normally taken. Stop and go, stop and go, stop and go all the way. Then, when I get there, I have to deal with city driving, which I'm not terribly fond of. Somehow whenever my Garmin says "Turn left in 200 feet" I always either turn too early or too late. After several wrong turns and angry honking horns later, I found my way to my destination… almost. I found a parking spot, walked another 15 minutes to the address I had written down and wouldn't you know it: it wasn't the right address. Great. I walked back to my car, paid my parking ticket and attempted to leave the garage, but putting the ticket stub in my wallet reset it so that when I finally got to the gate and attempted to exit, the ticket reader machine rejected me. I had to politely ask the six people behind me to back up so I could go back and talk to someone. I got that taken care of and made my way to the right address, and finally, after a long adventure, I found it.

I arrived at about 7:40. I had planned on getting there at 6 when it started. There were about 15 guys gathered in a dimly lit basement classroom at the college building where the meeting was being held. I quietly walked in as a guy was finishing a presentation about iPhone development. I didn’t understand most of what he was saying, but got the impression that iPhone development is a complicated beast.

When he finished the organizer — Colin — asked if anyone else was interested in talking. I had previously mentioned to him demoing Domain Pigeon. I thought it was very tactful of him to ask if anyone was interested even though he knew I was there and I had mentioned demoing. He could have called me out, but did the polite thing for me and the other guy who mentioned talking and just asked if anyone else was interested.

I said sure, he said something like “Oh yeah, you wanted to demo your domain site.” I got up, hooked up my Macbook, and started talking. I had a rough idea beforehand of what I wanted to say but mostly winged it.

On a scale of 1 to 5 I’d say I was about a 3. Not bad, but not great either. I noticed myself saying “uh” a bit too much and I hunched over the podium more than I should have. I added unnecessary details to my explanations and omitted important things. There was a general flow of the demo, but I should have practiced a bit more beforehand. After a few minutes of heightened self-awareness I loosened up and things were good, but I feel like I’ve got a ways to go in this area. My philosophy on things like this is that you have to do something and suck at it for a while before you can become proficient and eventually good. Some people may be able to jump directly to good by sheer talent, but for me at least with this, I have to do it for a while, however poorly, before I pick it up. It’s kind of frustrating to know you’re doing something poorly but lack the knowledge or skills to do better, but I’m happy that I at least realize it and know that it’s part of my process. It’s similar with web page design. ALL IN Expert was probably a 2 on the 1 – 5 scale. Domain Pigeon will probably be about a 3.5 or 4. Without taking these steps I won’t be able to get to the 5 one day, whatever that may be.

The feedback was generally positive. They asked some very good insightful questions about how it would work and gave me some helpful feedback on a few usability, coding, and design issues.

The two meetings I've been to have been very humbling. While I consider myself a pretty good programmer, these guys have an amazing amount of technical knowledge. Most of them talk way over my head when it comes to the intricacies of a programming language and how one language compares to another and what not. I recall some of the terminology from my computer science education, but have forgotten a lot of it. It made me realize I care more about what I can do with the language than how it works. There are pros and cons to that but overall I'm happy with my bent towards practical vs theoretical considerations.

Afterwards, I got into a conversation with a guy named Eric. Eric’s a 50 year old serial entrepreneur who now specializes in buying and selling small businesses. He’s got a strong technical background, but doesn’t limit his work solely to that area. I started picking his brain and when it was clear that we enjoyed the conversation we decided to walk over to a nearby Starbucks and continue it over some coffee.

It was quite the discussion. We wound up talking about the significance of leverage and its current role in the economy, using neural networks for speech recognition, the philosophy of science, the long term value of an MBA, mobile phone startup ideas, the ideal size for a tech startup, differences in business structures, personal guarantees, the importance of passion for your job, equity considerations when raising capital, and the risks of getting married in your early 20s, among other things. We talked for over an hour and I walked away feeling that the night was well spent despite all the earlier difficulties.

And now I must sleep, as I have to get up in 4 hours… =)

ALL IN Expert Followup

I received a lot of great feedback regarding the ALL IN Expert post.

Here’s a quick summary of the major themes:

Advertising

I think you should have put a lot more thought into how to get users to find your product. Like, sometimes (often, maybe), people don’t even know they could use something and that something they could use exists. You have to educate them.

Tichy

I think what really went wrong was not the product, niche or anything like that. It was the marketing/sales. You should never underestimate how hard selling even a good product is.

Mikkom

Many people commented that advertising could have helped a lot. I’ve got to admit that when I originally read the line “Advertising is a tax for being unremarkable” I interpreted it as saying advertising is a bad thing and that you shouldn’t have to do it if your product is great. The feedback has given me a different perspective. With an amazing product such as Facebook or YouTube you might be able to get away with primarily word of mouth advertising, but regardless of your product, a strong advertising campaign can help a lot. A great product is worthless if no one knows it exists.

Screenshots

I note that on the website there seems to be no real screenshots of your application in action that give me a good idea of what it does and how it works. In my opinion, this is a huge mistake – I generally won’t download /anything/ unless I’ve seen a screenshot first.

halo

Halo pointed out that the homepage didn’t have screenshots on it. While the grid was put there to lure people in, I think I missed out on a big opportunity by not having an expansive screenshots section on the site.

Online Version

Perhaps you can make an online free version and put some ads?

lazyant

Some people suggested I make an online version. Had the product been successful, this might have been a viable route. In retrospect, I should have attempted this to start with, as it would have differentiated the product and given me experience doing something new so that should I fail, at least I walk away with some technical skills that I didn't start with.

How to approach a risky project…

Fail fast and move on!

Breck

Next…

This was my favorite comment, taken from a comment on the blog:

I don’t know why you’re calling this a failure. How much time did you spend on it? Three months of time to think of, build, and launch something, even if it doesn’t work out, is time well spent. Think about it this way: that’s 4 startups a year… Sooner or later, one of them will end up working out (and in no small part due to the lessons previously learned).

David Rusenko

Macs: Productivity made Easy

Day #3 of the Macbook…

I began working today with the intention of integrating a test Heroku site with Paypal’s Instant Notification System. Didn’t get there quite yet, but I’m getting there. Here’s a few things I worked on this evening:

Modifying the Terminal Prompt

Every line had been displaying "matthew-mazurs-macbook: Matt $" or something long and annoying like that, so I looked into how to change it. Some helpful individual on #rubyonrails told me to look up PS1 and sure enough, changing it is pretty easy. This site teaches you how to change it, though this method only works for the current terminal. When you reload the terminal the name reverts to its previous state. To change it permanently, you have to close down the terminal and edit /etc/bashrc in some text editor. Change the PS1 name to whatever you want and it'll be changed permanently for future terminal windows. There's probably an easier way to do this but hey, it worked.

Using VI

As nerdy readers have probably realized by now, I suck at the command prompt. I regret not taking more opportunities during my college compsci classes to gain more experience with it. Anyway, this tutorial is a pretty good introduction to what you need to know in order to navigate vi.

Ruby Gems

Up until this point in my app’s development I haven’t had to use any gems so I was pretty lost when I read I should install a Paypal gem to interact with Paypal’s Instant Payment Notification system. For the unenlightened, IPN is an alert that Paypal sends to your site when someone has made a purchase. You can use this notification to enable a user’s account, for example. Thankfully, rubygems.org offers an excellent tutorial which quickly brought me up to speed. I worked my way through their progressbar example, which as stupid as it is, was a nice thing to get working.

Fortunately, while developing ALL IN Expert (more to come on that — I promise), I spent a lot of time learning how to do IPN with PHP. Things are slightly different now, but the prior experience is helpful.

Focusing on Productivity

I’ve been spending some time the last few days thinking about ways I can improve my overall productivity. In general, I’m not working at a pace that I’m satisfied with, and while part of that is due to long hours at work, a lot is also due to not fully taking advantage of the free time I do have.

Accordingly, I made two major changes today that should help:

News. A few months back, per Marc Andreessen's advice, I subscribed to the Wall Street Journal. At first I attempted to read it on a daily basis. Now, I'm lucky if I scan it through twice a week. The problem is twofold: 1) I don't understand a lot of it and 2) It takes time. The original purpose was to learn the important things going on in the world and in the tech industry. I think a combination of Hacker News, Inc magazine, and a few of the major blogs take care of the tech half of that goal. Usually, when my time was limited, I would just flip to the Business section and see if there were any internet related articles. For the news half, I'm going to subscribe to Time, which I think is excellent. Since they're a weekly publication they generally avoid a lot of the irrelevant news, and they write less in one issue than the WSJ writes in a day. Starting tomorrow, I'm putting the WSJ on hold. There will hopefully come a time when I have the time and the need of reading it on a daily basis, but that time is not right now.

Computer Usage. I've been using InstantRails on Windows Vista in conjunction with UltraEdit for learning and programming Rails. InstantRails, as far as I can tell, is a hack that lets Windows developers work with Rails. It gets the job done, but it just doesn't feel natural. And so, today, I took the plunge and bought a Macbook, which I'm currently writing on. It is a breath of fresh air; I wish I had made the switch earlier. It's taking a bit of getting used to (I didn't know what the traffic lights at the top of the windows were), but it's incredibly straightforward. Usability was clearly a focus for the Mac developers, which is why it's been such an easy transition. The plan is to do all my web development on this computer from now on.

My goal is to launch Domain Pigeon by the end of the year.

I’m going to try to write more often, as I find that it helps me to write things down.

Thanks for reading.

Hey, a Post!

Not too much to say here.

On most weekdays when I’m not at work, spending time with my wife, or exercising I’m reading or programming. As much as I wish I could eliminate the first part of that equation, it is just a constraint that I have to work with for now.

I've been learning a lot about Rails. There is really no better way to learn than to just try to make something. For all that I read beforehand, I still had to reference the books tons, even for elementary things. I'm becoming more comfortable with it, but still have a ways to go.

One site I’ve been reading a lot lately is Mark Cuban’s blog. I think this guy is my hero.

Narrowing Down a Path

I spent a fair amount of time this weekend working on my new Rails project. While I got a lot of work done, it reminded me how much work I could be doing if I actually had more time to do it. I've come to realize that I probably won't be founding any HUGE startup soon. I simply don't have time to manage anything that requires lots of time and involvement from me. I get home at 6:30 – 7 on average, which leaves little time to accomplish everything I want.

Maybe this project will be really successful, but even if it isn't, it should provide me with a solid foundation for more ambitious projects in the future. If by summer '09 I can be a Ruby/Rails expert, I'll have a lot more opportunities to do the type of things I want to do.

Also, I've been blogging a lot less. Somewhat paradoxically, that's not a sign that I'm doing less work, but a sign that I'm doing more. If there ever comes a time when I give in I'll make sure to write about it, but I don't expect that to happen… ever.

For the few of you who continue to read this, thank you, and I hope you're making progress towards your goals.

Matt

Decision Time, Old Guy at B&N, and Executive Summary

I had the day off today, which gave me some much-needed time to think about what project to work on next. I finished Simply Rails 2, which has given me a foundation for starting a Rails application. There's a lot I don't know, but I feel like I've got a good enough foundation now that I should just go for it and learn along the way. It's time to just do it.

There are four projects I'm considering and I haven't been able to decide which one to pursue. So I headed to Barnes & Noble and spent a few hours there this afternoon writing about the pros and cons of each project. There's something about the atmosphere in book stores that I find very conducive to thinking, writing, and of course, reading.

Making the decision is tough and I don’t want to make it hastily. I didn’t put enough time into thinking about my last project, ALL IN Expert, and realized after I launched that there wasn’t a market for the product I had just spent three months developing (more on that in another post). For this one, I want to spend my time working on something that has potential to be big.

Armed with an asiago pretzel, some tea, and a notebook, I set to work detailing the pros and cons of each endeavour. I spent several hours there, doing this, perusing their selection of Rails books, and talking to a 75 year old small business owner named Dave about politics and business. At the end, I still had no idea which project to go after, but was a little bit closer ;)

Dave was an interesting guy. A little overweight with thick white hair, I saw him reading Michael Moore’s guide to the 2008 elections and started a conversation with him. He told me that McCain had just picked a VP and we discussed the merits of his choice for a while. I don’t know much about politics, but I find other people’s opinions fascinating, especially when they are passionate. When that conversation died down I asked him what he did, and he said he was a business owner.

He was a minister till 40, then got into wholesaling crafts and eventually jewelry. He traveled to Mexico a lot for the crafts, but eventually determined the margins were too small and the inventory too large, so he transitioned into jewelry. He's been to Thailand, which apparently is a big jewelry hub, many times, but he said in recent years because of all the travel regulations he had to stop. I guess it's harder to just carry $15K worth of jewelry into the United States these days. Anyway, I asked him if he had any advice for an entrepreneur and he said above all else, "Be dogged". He said you'll run into a lot of problems along the way and you just have to take the hits and keep going. He said once a guy wouldn't pay him $5K that he owed him from some jewelry sales. So, Dave went to the guy's house and sat in the guy's driveway till he came home. The guy, who had been at a casino, was furious when he got home. He got out of his car, cursing and threatening Dave. Dave explained politely to the guy that he wanted his money and wasn't going to leave until he got some. He said he got some of it that night and eventually got all of it. (This is Jersey – was Dave a mobster?) When he left he wished me luck. Nice guy that Dave.

Anyway… moving on…

Later on while browsing HN, I came across angelsoft.net, a site that helps link entrepreneurs with angel investors. One of the sites led me to an Executive Summary template for companies seeking an angel investment. Here’s my summary of each section on the template:

1. Business Description – quick summary of business including product, vision, and business model

2. Management – why our people are going to kick ass

3. Company Background – what problem are we trying to solve and why

4. Technology/Proprietary Rights – what hurdles do we have to overcome to get our product out

5. Marketing, Sales and Customers – who is our audience and what are the current trends in your market

6. Competition – where do you stand and what will set you apart

Then it asks about some of the more technical aspects of the company including:

* Type of financing sought

* Pre-money valuation

* Professionals (accounting firm, corporate legal, IP, bank)

* How you will use your funds

* What type of entity (S Corp, C Corp, LLC…)

Part of me says not to start working on something that wouldn’t make a legitimate business with a clear source of revenue. The other more persuasive part of me says don’t worry about that, just get traffic and worry about the money later. I think whatever I wind up doing will probably have a freemium business model, which is a great compromise which has worked well for a lot of web 2.0 companies.

I’m going to relax a bit this weekend, which’ll hopefully provide the clarity I need to make a good decision.
