Excuses, excuses

Links, On Startups

Claire Lew:

I was on the phone with a CEO the other week. He wanted my advice for how he could cultivate a more open, transparent company culture for his team.

This CEO seemed to be already doing a lot of the right things. He held monthly all-hands meetings to get everyone on the same page. He also regularly asked questions to his employees about what could be better in the company.

However, when I recommended one question that he ask his employees, he was a bit taken aback.

“You want me to ask my team: ‘Are there any benefits we don’t offer that you think we should?’ Hmm, I dunno, Claire,” he told me.

This CEO assured me that he welcomed and valued feedback from employees. But asking about company benefits? And asking about them so publicly? He started to feel nervous about it.

“I don’t want the feedback to be a distraction,” he shared. “There’s so much we already do around benefits — I think this could set the wrong expectations and derail people from getting their work done.”

He continued:

“And, I don’t think we’re ready to act on that feedback. If we ask that question, it implies we need to implement something. But it might not be cost-effective. If we can’t do it, I don’t want to let people down.”

I get it. I’m a CEO myself. No CEO wants her employees to be distracted. No CEO wants to make false promises.

Here’s the reality, though: If you dig deeper, those two statements are actually excuses that are keeping you from building the open, transparent company culture you’re keen on.

We work with everyone to build a better product, but I've seen this happen at other companies I've worked at and with over the years.


Cracking the Code on Startup Product Pricing Strategies

Links, On Startups

If idea validation is about taking your business idea for a test-drive, then pricing your product is where the rubber really hits the road.

This is it. You’re done piloting. You’re done validating. You’re really done living on Ramen in an apartment you share with five roommates. You’re ready to come out and tell the world: “I have a product or service that provides value – and this is how much my product is worth.”

Needless to say, product pricing strategy is an essential piece of the startup puzzle – and it’s a notoriously tricky piece to get right. There are about a dozen moving pieces you have to take into account. Getting them all aligned just right is like unlocking the most complicated combination lock ever.

The crew at Startups.co wrote a great piece on figuring out Product Pricing Strategies; it is worth a read, a bookmark, and a share.


Write like you talk

Links, On Startups

Nathan Kontny:

A handful of years ago I was volunteering for an organization here in Chicago where we helped high school kids prepare for their college applications. These kids were the first in their families, often underprivileged, to be applying to college.

One Saturday I met a student who wanted help editing his application essay. We went over to the computer lab and he pulled up a draft he’d been struggling with.

The essay was fine. It read grammatically well.

But it was terrible. It was dry and uninteresting. Artificial intelligence could have probably auto-generated it from a history of other applications.

I doubt any recruiter would remember him. How were we going to fix this?

Most of us trying to write to gain an audience, inspire people, market ourselves, etc. are all doing it wrong.

We stick with the education and rules we learned in high school and college: “Don’t end sentences with prepositions.” “Don’t start sentences with conjunctions.” “Sentences have subjects and predicates.” We focus on the perfect paragraph and essay structure.

And if I asked most people to write an essay about their day, it’s likely going to come out a lot like my mentee’s. Stiff, formulaic, unoriginal.

But if we had an intimate conversation over coffee, the story about your day would be remarkably different. You wouldn’t worry about the word you used to start a sentence, or which of your sentences made up paragraphs. Instead, your struggles, achievements, and thoughts would hit my ears before you had a chance to think about: “Can I end a sentence with ‘at’?”

And because you weren’t worried about a hundred rules of grammar while you were talking to me, I’m that much closer to your internal voice.

The voice that makes you unique and interesting.

I wanted to share this post, as this is something I try to stick to when writing tutorials; I find it makes things sound better and smoother.


Naming a new product? Start with the job.

Links, start

A name can help people create a mental model for your product, which helps them to remember and associate your product with a particular job.

Other factors come into play, including how a name sounds, and how distinctive, appropriate, likable, extendable, and protectable it is. But most important is that the name is remembered and understood.

So to choose a memorable name for a product, you can start with the jobs you want people to remember it for.

A good lesson on product naming from the Intercom crew as they described naming their new bot service, operator bot.


Scan your projects for crossenv and other malicious npm packages

Links, code

Dominik Kundel, writing for the Twilio Blog:

On August 1st, Oscar Bolmsten tweeted about how he found a malicious npm package called crossenv that scans for environment variables and POSTs them to a server.

This is particularly dangerous considering that you might have secret credentials for different services stored in your environment variables.

Apparently it’s also not limited to just crossenv, but a series of packages — all of them are names of popular modules with small typos such as missing hyphens.

Check your project for malicious packages

These packages have been taken down by npm, but since credential theft happens upon installation, you should check if you have installed one of them. Ivan Akulov was so kind as to compose and publish a list of (at least some of) these malicious packages on his blog. He also wrote a small one-liner that you can execute to check if these packages are installed in your current project:

# Dots are escaped and each name must be followed by "@" (as in "crossenv@6.1.1"), so "smb" cannot match "smbclient" and "d3.js" cannot match "d3-js"
npm ls | grep -E '(^| )(babelcli|crossenv|cross-env\.js|d3\.js|fabric-js|ffmepg|gruntcli|http-proxy\.js|jquery\.js|mariadb|mongose|mssql\.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer\.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv\.js|openssl\.js|proxy\.js|shadowsock|smb|sqlite\.js|sqliter|sqlserver|tkinter)@'

Search for infected projects on Mac/Linux

If, like me, you are a person who regularly develops Node.js applications, you might have a series of projects and not just one project to check. I extended Ivan’s command for that reason, using find and xargs to actually scan all subdirectories of the folder that contains my projects and execute Ivan’s command there. You can run it by simply copy-pasting this command into your command line:

# -maxdepth goes before the other tests (GNU find warns otherwise); nested node_modules inside node_modules are skipped, since "npm ls" in the project root already lists them
find . -maxdepth 4 -type d -name node_modules ! -path '*/node_modules/*' -print0 | xargs -0 -L1 sh -c 'cd "$0/.." && pwd && npm ls 2>/dev/null | grep -E "(^| )(babelcli|crossenv|cross-env\.js|d3\.js|fabric-js|ffmepg|gruntcli|http-proxy\.js|jquery\.js|mariadb|mongose|mssql\.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer\.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv\.js|openssl\.js|proxy\.js|shadowsock|smb|sqlite\.js|sqliter|sqlserver|tkinter)@"'

Search for infected projects on Windows

That command works when you are on Mac or Linux. Corey Weathers wrote a small PowerShell script that will do the same thing on Windows:

# Set $directory to the folder that contains your projects (e.g. $directory = "C:\code"); Push-Location/Pop-Location restore your current directory, nested node_modules are skipped, and each name must be followed by "@" for an exact match
Get-ChildItem $directory -Directory -Recurse -Include "node_modules" -ErrorAction Ignore | Where-Object { $_.FullName -notmatch 'node_modules[\\/].+[\\/]node_modules$' } | ForEach-Object { Push-Location "$($_.FullName)\.."; (Get-Location).Path; npm ls | Select-String -Pattern "(^| )(babelcli|crossenv|cross-env\.js|d3\.js|fabric-js|ffmepg|gruntcli|http-proxy\.js|jquery\.js|mariadb|mongose|mssql\.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer\.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv\.js|openssl\.js|proxy\.js|shadowsock|smb|sqlite\.js|sqliter|sqlserver|tkinter)@"; Pop-Location }

What if a malicious package was detected?

You should immediately rotate all secrets that you have stored in the environment variables. If it’s a project that is shared with other folks don’t forget to alert them to do the same. Don’t forget that Continuous Integration systems and cloud hosts like to use environment variables as well. So if you shipped one of these projects into production or used a system that uses environment variables don’t forget to rotate them there as well.

Read the rest of the original post for more information. I wanted to share this here so you can check your code for any packages that shouldn't be there.

