Longtime RSA conference speaker cancels in light of NSA revelations



Google Fiber To Get 10X Faster: What That Means to Small Businesses

Your business has finally bought into cloud technology. You’ve even set up operations to run off of mostly cloud services.

This is all great until you realize that your Internet connection just isn’t allowing you to take full advantage of these services. You and your team can’t get access to critical business systems. Or worse yet, you’re prevented from accessing these services altogether.

That’s one of the problems a super-fast Internet connection was supposed to remedy. And it was one of the reasons why Google introduced Google Fiber last year. The special high speed Internet connection brings 1 gigabit-per-second of broadband to homes and businesses at a low cost.

At the time, Google announced Fiber would be coming to three tech hubs in the U.S.: Kansas City, Mo.; Austin, Texas; and Provo, Utah. So far, it’s only available in Kansas City.

But, before Google could even make good on that promise, the company announced it was already working on a faster version of Fiber. A USA Today report suggests that Google is already developing connections capable of 10 gigabits per second. The high speed should dramatically increase business confidence in software as a service (SaaS) and cloud applications.

This is because the higher speed assures access to even the most data intensive applications, the newspaper reports. It’s a speed already much faster than most connections available to businesses.

At a Goldman Sachs Technology and Internet conference, Google CFO Patrick Pichette explained:

“That’s where the world is going. It’s going to happen. Why wouldn’t we make it available in three years? That’s what we’re working on. There’s no need to wait.”

We’ve noted in the past how faster Internet connection speeds can improve your business.

Here’s another perspective on the importance of Google Fiber to business from David Bresemann, Senior Vice President and Chief Product Officer at Silicon Laboratories Inc., a locally based semiconductor company, in Statesman:

“Access to more bandwidth is like rain in Texas - it’s good for everyone. Austin’s tech-savvy residents and businesses have an insatiable appetite for higher bandwidth.”

News of NSA contract rouses speaker dropouts at RSA conference

Less than two months before the industry's annual RSA Conference, respected researchers and experts are canceling their appearances at the major event in light of allegations that the National Security Agency (NSA) arranged a shady deal with security firm RSA.

The fallout started after a disquieting article was published by Reuters last month.

In the story, which sourced classified documents obtained by whistleblower Edward Snowden, the outlet detailed a $10 million contract which set an NSA-influenced formula as the default method for number generation in RSA's BSAFE software.

Robert Graham, CEO of Errata Security, posted a running list online this weekend of the speakers that have pulled out of the conference in San Francisco, which will take place Feb. 24 through 28.

Easily the largest annual gathering of security pros in the U.S., the RSA Conference will now be missing several voices that planned to lead talks or speak in panels.

Among the confirmed cancellations are F-Secure Chief Research Officer Mikko Hypponen, Taia Global CEO Jeffrey Carr, Atredis Partners “Breaker in Chief” Josh Thomas and well-known privacy buffs Chris Soghoian (with the American Civil Liberties Union) and Marcia Hofmann (a special counsel at the Electronic Frontier Foundation who recently started her own practice focusing on tech and privacy issues).

In addition, Google software engineers Adam Langley and Chris Palmer, along with Alex Fowler, Mozilla's global privacy and public policy leader, have decided not to speak next month.

Josh Thomas, a partner at security firm Atredis, told SCMagazine.com on Wednesday that although RSA, the company, and RSA, the conference, “are two different entities,” they still “share the same name,” and he didn't want to lend his name or credibility to the event.

“If I speak at the conference, I feel that I lend my name to their credibility and actions as a company,” Thomas said. “I had no interest in press [in canceling]. I just did not want to lend my name to something I do not believe in.”

He continued, saying that he doesn't believe that the group of cancellations will have a “big impact at the end of the day” on the company, “but on my principled stance, I just don't want to be a part of it.”

On Tuesday, a number of speakers, including Fowler, Soghoian and Hofmann, sounded off on Twitter about backing out of their RSA Conference engagements.

Soghoian specifically referenced RSA's quick (and meticulously worded) denial of the NSA allegations.

On Wednesday, Hypponen took to F-Secure's website to confirm that, in addition to his own cancellation of an appearance in an FTC panel at the event, the company would not be “speaking, sponsoring or exhibiting at RSA Conference USA 2014.”

“While I am glad to see that many other speakers have decided to cancel their appearances at RSA 2014 in protest, I don't want to portray myself as a leader of a boycott,” Hypponen wrote. “I did what I felt I had to do. Others are making their own decisions.”

The board for the Open Web Application Security Project (OWASP), a nonprofit group aimed at improving software security, is currently deciding whether the group should move forward with plans to train developers at the conference. OWASP has asked members to weigh in via a poll.

This story originally ran on SCMagazine.com



Steady rise in complex web attacks in 2013

The actions of just a few gangs can signal a big shift in the industry as a whole - and strangely - the Target breach may have reduced activity by some players.

Cloud infrastructure firm FireHost says it blocked more than 100 million malicious hacking attempts in 2013 - many of them featuring complex SQL injection attacks and originating from cloud service provider resources. 

The firm has just published the 2013 year in review ‘Superfecta’ attack report and it cites cross-site scripting (CSS) and SQL injection as the most popular types of attack. It also suggests that major security incidents actually are reducing the volume of attacks on corporate web applications in the short term.

While the CSS attack vector was the most common form of attack in 2013, the report says that SQL injection attacks increased substantially in the first three quarters of the year.

Chris Drake, FireHost's CEO and founder, says that the cloud has become a popular launch-pad for attacks, as cyber-criminals can easily deploy and administer powerful botnets that run on cloud infrastructure.

"Unfortunately, many cloud providers don't adequately validate new customer sign-ups so opening accounts with fake information is quite easy," he said.

FireHost says that it has seen a positive ‘blackholing’ side effect, whereby its filters have over time helped to hide its customers' IP addresses from would-be hackers, by making them resemble darknet/honeypot space. No attacker, adds the firm, wants to be detected by connecting to darknets and will take extra care to avoid them.

Interestingly, Tom Byrnes, CEO of ThreatSTOP - the technology that the FireHost platform is built on - believes that a decreased number of attacks blocked by FireHost during Q4 of 2013 could be due to the widely publicised Target data breach.

“The Target data breach was monumental and it's no surprise that it had an impact on FireHost's attack data. There are only a few hundred criminal gangs worldwide running this kind of cybercrime operation so the actions of just a few can signal a big shift in the industry as a whole,” he said.

“We certainly saw this in the build-up to the Christmas period and the Target attack. During this time, smart hackers may have ignored FireHost's servers completely and focussed all their efforts on obtaining consumer data during the busy online retail season. Others would simply have been too busy running up charges on Target customers' credit cards to bother with doing anything else,” he added.

Commenting on FireHost's latest report, Rob Bamforth, a security analyst with Quocirca, said that the SQL injection vector increase seems to have happened whilst other vectors of attack have decreased.

"To me, this indicates that cyber-criminals are becoming more professional," he said, adding that it is clear that corporates must patch against CSS and SQL injection attacks, even though many IT departments view such activities as quite lowly when compared to the glitz of protecting against APT and other more popular attack vectors. 

"The problem with this most mundane type of patching is that it needs to be completed correctly," he noted. 

Sarb Sembhi, analyst and director of client services with Incoming Thought, another business and research analysis house, said the increase in attack volumes begs the question as to whether there are more people involved with cyber-crime, or whether existing cyber-criminals have - as Bamforth suggests - become more sophisticated.

"The question I would ask is whether it is the tools or the cyber-criminals that are getting better. My observations suggest that the bar for cyber-crime is clearly going down, as the technologies involved become a lot simpler," he said.

"What we - as an industry - have not learned, however, is to meet the need to make the security defences to protect against these attacks just as simple to use," he added.



TrustyCon established in protest of RSA Conference, reaches capacity

This year's RSA Conference will be coinciding with another security event - TrustyCon - that reached capacity about six days after it was announced.

The convention was established by those boycotting the RSA Conference after reports began surfacing in late-2013, based on leaked documents, that RSA entered into a $10 million secret agreement with the NSA to use a flawed algorithm as an NSA backdoor.

Some of the industry's biggest names will be speaking at TrustyCon - which will be held at the AMC Theatre at the Metreon in San Francisco on Feb. 27 - including Mikko Hypponen, chief research officer for F-Secure, Christopher Soghoian, a security and privacy researcher, and Bruce Schneier, a cryptographer and security specialist.

“Confirmed attendees and sponsors have voiced their desire to be a part of the event and collaborate on ways that we - as individuals, small businesses, companies, and as a national industry - can solve security issues in tech,” Alex Stamos, TrustyCon creator, said in a release. “TrustyCon provides them a platform for their voice.”

TrustyCon is a collaboration of iSEC Partners, DEF CON and the Electronic Frontier Foundation (EFF) and is sponsored by organizations including CloudFlare and DigiCert. Microsoft previously announced that it would sponsor the event, but as a sponsor of the RSA Conference, the computer company was required to back out, according to a Wall Street Journal blog post.

In December 2013, RSA quickly denied entering into a $10 million secret agreement with the NSA after Reuters published a report based on leaked documents.

It was previously revealed in September 2013 that all versions of RSA's BSAFE Toolkits were impacted by a community-developed encryption algorithm that was believed to contain an NSA backdoor.

The algorithm in question was Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), which both RSA and the National Institute of Standards and Technology (NIST) recommended the industry not use at the time.

This story originally ran on SCMagazine.com

Redefining identity management in the digital world

Prior to the internet and the migration of much of our lives online, our public identity, while potentially a complex amalgamation of different roles, was essentially integrated and unified. Today, we are able to distill and separate those different roles into distinct online identities based on the groups with which we choose to interact - from the consumer one that Amazon and Netflix know, to the medical one that our healthcare providers know, to the professional identities that our employers and colleagues know, to the social one that our Facebook friends know. Each of us has a different approach to how much overlap we allow between our identities. For example, we may connect our social and consumer identities but we may not feel comfortable connecting our social and professional identities.

For those of us tasked with managing the security of the digital world for the enterprise, there are serious ramifications to this evolution of identity. Specifically, how we manage identity must evolve as well if we are to maintain the security of our organizations.

The need for this evolution has been exacerbated by the growth of the consumerization of IT, as represented by the growth of bring-your-own-device (BYOD). Managing identity on single-purpose, work-provided mobile devices that were connecting to on-premise applications over third party networks was challenging enough. That challenge has expanded exponentially thanks to the fact that work identities now co-exist with personal identities on a multi-purpose, user-provided device that connects to on-premise apps and apps in the cloud.

We need to redefine identity management to meet these new challenges by shifting our perspective on identity management and updating its technological underpinnings.

We must first shed our IT-centric approach to identity management, focusing less on being a gatekeeper of IT assets and more on facilitating the goals of the business. The only way to do this is by allowing business owners to own and drive identity management controls, as they are the ones best positioned to understand the identities and corresponding roles supporting their business.

Secondly, we must update how we approach identity management from a technological perspective. We need to get beyond usernames and passwords. We need to enhance our methods of authentication from one- and two-factor to multi-factor and from a single point in time to continuous authentication. We need to move to a Big Data approach to identity management that is able to analyze and correlate our numerous identities and roles to efficiently and effectively enforce the right level of authentication and authorization for a wide variety of access patterns. And finally, identity management must be universal, enabling access from any device to any application.

Our identities are evolving online. Identity management can't afford to stand still. We have the ability to adapt to the new realities of the digital world. Now, as Nike would say, we need to just do it.

Researcher to demo hack for logging Android, iOS touchscreen movements

At next month's RSA Conference, a security researcher will demo a hack that could allow an attacker to capture all the touchscreen movements a user makes on their Android or iOS device.

According to Neal Hindocha, a senior security consultant at Trustwave, the “touchlogging” attack method “seems like the logical continuation of keylogging” - when saboteurs plant malware on victims' computers to track their keyboard movements and steal sensitive inputted data.

Hindocha developed the proof-of-concept which works on jailbroken iOS devices, in addition to rooted and stock Android devices.

Once installed, the malware tracks where a user touches their screen, giving an attacker insight on logged passwords, usernames, banking information - and the list goes on.

The touchlogging attack also allows a saboteur to take screenshots of the victims' movements, which can create an even better picture of users' mobile activities.

In a Thursday email to SCMagazine.com, Hindocha said that “by taking screenshots and overlaying the X and Y coordinates on the screenshot, it is possible to see what the user is seeing, and [get] the information the user is inputting.”

He later spoke to some of the less obvious nuggets of information obtained by the malware, which became apparent to him throughout his research.

“One interesting aspect of this research is that initially, I thought the screenshot was a requirement to get something useful,” Hindocha wrote. “However, the more data I collect from my own phone, the more I realize that it is quite easy to determine certain patterns.”

One “pattern” was that a PIN or passcode was often the first thing to be inputted, after a phone had been locked due to being idle, he said.

Hindocha made note of other mobile habits that could be of use to attackers.

“Swipe motions up and down tend to indicate someone reading email, and touch events mainly in the area where the keyboard is, is often an indication of text input. In fact, differentiating between entering passcodes, moving around the home screen, writing emails and playing games is often not difficult, when only looking at the touch events (X / Y coordinates),” he explained.

The touchlogger malware can be installed on a target device using the usual attack vectors: through third-party app stores, by connecting a mobile device to an infected computer or through network-based attacks (like through open Wi-Fi networks), Hindocha revealed.

The researcher plans to show at least two demos on the attack method, as well as reveal more details on the hack, at the RSA Conference in San Francisco on Feb. 26.

“The research began by looking at the Windows platform, [and] seeing how powerful certain malware could be when it included keylogging functionality,” Hindocha wrote. “I wanted to bring this over to mobile, to see if similar techniques could be used to bypass security implementations when touchscreens were used.”

This story originally ran on SCMagazine.com

OpenTable Introduces Mobile Payment for Restaurant Checks

OpenTable has introduced a new feature to let you pay your restaurant check via the company’s mobile app. The change reflects a growing trend in which retailers give their customers as many options to pay as possible.

This new feature is an expansion of the app’s original intent. OpenTable allows diners to reserve a table at a favorite restaurant. But the app also provides basic information on local restaurants, including the average price of a meal and the cuisine offered. Diners can provide a review of participating restaurants. But currently, the app is only available to iPhone users.

The new payment feature also picks up on a growing mobile trend. On the official OpenTable Blog, Kashyap Deorah, General Manager of Payments, explains:

“First, OpenTable made it simple to book a restaurant reservation at any time of day or night with just a few clicks. Now, we’re pleased to announce that it will soon be just as easy to pay for your meal. Rather than waiting for a check or, worse yet, being late for the theater, with the new OpenTable payments feature, you will be able to tap to pay - and be on your way.”

Deorah says the check payment option is only available to a group of users in San Francisco at the moment during an initial testing phase. But in the coming weeks, Deorah says more and more current users will be provided access and that OpenTable also intends to offer an option allowing interested users to request access.

In a comment on the blog post, Caroline Potter, OpenTable’s Chief Dining Officer, says the company is also planning an Android version of the OpenTable app after the pilot program for the new payment feature is completed.

In a recent post on Venture Beat, consultant and investor Rakesh Agrawal, who says he owns stock in several potential competitors of OpenTable, insists the app has a considerable advantage. Agrawal writes:

“OpenTable also has several big business advantages: it already has relationships with more than 28,000 restaurants. According to its fourth quarter 2013 financials, OT has seated a cumulative total of 110 million diners via mobile; mobile accounted for 40 percent of seated diners in Q4 2013.”

Last year, a Forrester Research study suggested mobile payments will equal $90 billion by 2017. Some major food and beverage retailers have enjoyed early success by allowing their customers to make mobile payments. McDonald’s and Starbucks are among food and beverage retailers offering mobile payment options to customers in select markets as of last year.





6.8 million Target card credentials traded, losses approach $1 billion

With 6.8 million compromised records costing an average loss of $136 (£82) per record, potential costs of the Target breach are some US$925 million...and may exceed a billion US dollars.

The fallout from the Target Corporation data breach of late last year - in which more than 40 million card credentials and user details were stolen from the US retail chain - is rolling onwards. New reports detail a further 2.8 million sets of stolen credentials being traded on ‘carder forums’, while US banks are now saying that the fiasco has cost them at least £120 million (US$200 million) so far.

The banks say that around 21.8 million of the 40 million cards have been replaced, whilst both Target and Neiman Marcus - a second US retailer hit by card credential losses - failed to show for a Tuesday briefing in Washington with the US government, which is investigating the breaches. As an aside, the US government was reportedly displeased at the absence of both retailers, especially as they had sent out multiple invitations to the hearings.

According to security researcher Brian Krebs, the volume of valid card credentials stolen in the Target data breach is shrinking, forcing cyber-criminals to offload the stolen card details onto the black market at knockdown rates.

Indeed, prices on the latest batch of 2.8 million cards sold are said to have fallen by at least 70 percent. In the middle of December, card credential sets - which include a variety of data on the cardholder - were trading at between US$ 26.60 and US$ 44.80 (£15.97 to £26.89), says Krebs, adding that the price has now fallen to as low as US$ 8.00 (£4.80).

He says that this trend is being driven by the potential success rate on fraudulent purchases falling to 60 percent on the latest batch of 2.8 million - down from 100 per cent on the initial 4.0 million stolen Target card credential sets.  

Two US organisations - the Consumer Bankers Association and the Credit Union National Association - now report bank losses from the Target breach as having topped £120 million (US$ 200 million). This figure does not, however, include the cost of any fraudulent activity and stems from the costs associated with replacing 21.8 million of the affected cards. 

Breach costs will be higher still

Commenting on the Target cost revelations, Steve Smith, managing director of security consultancy Pentura, predicted that the total bill for these breaches will be higher still. He cites a 2013 study by Symantec and the Ponemon Institute as placing the average cost of a data breach at £82 (US$ 136) per compromised record.

With a potential cost going beyond the billion-dollar mark, Smith says that "prevention really is far cheaper than a cure." 

Barmak Meftah, president and CEO of AlienVault, the open source security software firm, added that, when a major breach occurs, it is vital that other major retailers step up their security to high alert and take lessons from what has happened because in all likelihood - they will be next. 

“This was recently witnessed with Neiman Marcus and other major retailers in the US being hit using the same techniques used in the Target breach,” he explained.

Lamar Bailey, director of security R&D with Tripwire, said that a chain is only as strong as its weakest link - and Target learned that lesson the hard way last year.

"It has been a common occurrence for organisations to be hacked via weak security at their partners or supply chains. What happened to Target and Neiman Marcus is nothing new but they were affected on a much bigger scale," he said. 

“For many years the US card issuers have neglected to move to more secure credit card technology because of the cost required to upgrade the cards and infrastructure, with the large expense being replacing stolen cards and money for consumers,” he added.

"I hope this will change the card issuers' minds. Since Target and Neiman Marcus representatives decided not to appear on Capitol Hill, I expect we will see some discussions about new privacy and credit laws coming from the US Congress in the coming months."




How to Create DIY Professional Quality Writing for Your Small Business

I’m fortunate in that I’m both a small business owner and a writer. But I know a lot of you may not be writers. You might have dreaded your Comp class in college, or you might now grind your teeth at the thought of writing even just a paragraph.

The problem is: If you don’t have a big budget for marketing or writing, you’ll have to bite the bullet and do it yourself.

Fortunately, you don’t have to jeopardize your business’ reputation with poor writing. There are a few ways to ramp up your skills, whatever they are, and look like a burgeoning business who’s hired a professional writer to do the job.

Step 1: Start Reading

It might seem a strange place to start, but the more copy you read, including Web copy, blog posts, emails, books, articles, whatever, the better idea you’ll have for the style you can use in your own writing. Here are a few places you can start:

  • Marketo Blog: There are a variety of contributors, so you can get a sense of different blog post styles.
  • Mashable: Again, many writers. Great example of headlines that capture attention.
  • Small Business Trends: You’re already here, so take a look at topics that attract readers.
  • Dropbox: It’s been lauded for its simple, to-the-point Web copy.

Step 2: Start Learning

There’s nothing complex about writing a webpage title or a blog post. But there are some style and formatting points you’ll want to pick up. The more you write, the easier it becomes. My two favorite resources for writing tips are:

  • CopyHackers: With a slogan like “where startups learn to convert like mofos,” you know it’s going to be fun!
  • Copyblogger: Create a free account to get access to tons of useful eBooks.

Step 3: Start Writing

Don’t be apprehensive at this step. No one has to see what you write.  You just want to get into the practice of writing. Model your article, Web copy or email after one you’ve found that you really like. Implement the rules and guidelines you learned in step 2. Then walk away from it for at least a few hours.

Now that you’ve had your espresso and read the newspaper, come back and reread your copy. Tweak whatever needs a little work. There’s no shame in editing multiple times. Just don’t keep it in a perpetual state of edits. This is probably more about your lack of confidence than your writing really needing tons of work.

Step 4: Have Others Read It

  • Does it get your point across?
  • Is it clear, or too wordy?
  • Is it appealing?
  • Would you click to read more?

Use this feedback to make additional edits to your work if necessary.

Step 5: Put it Out There

I know, this is the scary step. Other people will read it! But remember: Nothing’s permanent in the world of digital copy. Post it to your site for a few weeks, and pay attention to your traffic, clicks, and conversion. If it goes down after you post it, try again with the copy. If it goes up,  you’re on the right track.

Your goal is to draw more people to your site, get more clicks, and bring in more customers and your copy is the key to that.

If you’re sending an email, you can try an A/B test to see which copy is most appealing to your subscribers.

When you’re a tiny small business, you have to wear many hats. But that’s no excuse for your writing hat to have holes in it. With just a little practice, your writing can be on par with a professional (and costly) writer’s and you can be well on your way to creating professional quality writing.


Maryland university data breach compromises 300,000 records

The University of Maryland in the US says that a "sophisticated" cyber-attack exposed sensitive personal data on more than 300,000 faculty, staff and students who attended the school since 1998.

University president Wallace Loh apologised for Tuesday's cyber-attack on the school's website on Thursday, and noted that the data breach affected 309,079 individuals affiliated with the school's College Park and Shady Grove campuses since 1998.

Loh said that the names, social security numbers and birth dates of persons who had their own university ID card had been compromised, but stressed that the data breach hadn't resulted in a loss of financial, academic or contact information.

“I am truly sorry. Computer and data security are a very high priority of our University,” wrote Loh.

“A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised -- no financial, academic, health, or contact (phone, address) information.”

State and federal law enforcement authorities are now investigating the attack, while computer forensic investigators are looking at how the school's “multi-layered” IT defences were breached. The university is, by way of compensation, offering one year of free credit monitoring to all affected persons.



KPN to offer encrypted Silent Circle services, experts question security and value

Dutch telecommunications company KPN announced on Wednesday that it has entered into a partnership with encrypted communications firm Silent Circle and will be offering customers encrypted phone call and messaging services.

Customers will be able to make and send end-to-end encrypted phone calls and text messages on their iOS and Android mobile phones by June, according to a KPN release translated by Google, which explains that the services will be part of a Silent Circle package available for download over the KPN Cloud Store.

A spokesperson with Silent Circle and KPN did not respond to a request for comment, but John van Vianen, director of business market with KPN, was quoted in the release as saying that KPN feels a responsibility to contribute to privacy and security for its customers.

In a Wednesday email correspondence, Seth Schoen, senior staff technologist with Electronic Frontier Foundation (EFF), told SCMagazine.com that this is a good step.

“I'm glad to see people recognizing the importance of encrypted phone calls,” Schoen said. “This is the first time I've ever seen that from a carrier. Without it, the cell phone infrastructure is really extremely fragile and not able to protect calls against eavesdropping.”

Schoen said that KPN and Silent Circle still have their work cut out for them, particularly in reassuring customers that copies of the app distributed to actual end-users contain no backdoors.

Terence Spies, CTO with Voltage Security, told SCMagazine.com in a Wednesday email correspondence that this move will be convenient for customers, but may represent a security issue since users will have to rely on and trust the network that is moving their traffic.

“For some customers that are concerned about privacy, they may have concerns about buying a solution that is bundled by the telecom, as opposed to something they install and administer themselves,” Spies said. “In the U.S., I suspect that telecom privacy solutions will be a fairly niche product and the consumers of that kind of product are likely to view a bundled solution as somewhat suspect.”

Some carriers have hinted that they do not provide these types of services because of government pressure to give up backdoors into encrypted communications, Schoen said, citing incidents in the United Arab Emirates and India as recent examples.

“Only countries like Saudi Arabia and Singapore are likely to block these types of communications,” Tanuj Gulati, CTO of Securonix, told SCMagazine.com in a Wednesday email correspondence. He added that he expects to see these types of partnerships developing in the U.S.

Philip Lieberman, CEO of Lieberman Software, told SCMagazine.com in a Wednesday email correspondence that he does not see the value in these services being offered to ordinary users.

“The reality of today's voice communication is that no intelligence agency can afford to record all voice calls, and those that need encrypted communication already have it,” Lieberman said. “So, I am not sure of the value-add here, other than someone trying to create a business model around paranoia.”

This article first appeared on the SC Magazine US website on 19th February.



iPhone apps are 'more risky than Android'

Surprising new research reveals that iPhone apps are 'more risky than Android' and also details that 90 percent of all top apps are under threat too.

Two new reports suggest there has been a sharp rise in malicious attacks on mobile devices, and surprisingly highlight that Apple's iOS operating system - which drives the iPhone, iPad and iPod Touch - is at least as dangerous for users as Google's Android platform.

The first report comes from Webroot which says that 15 percent of Android apps are malicious, with another 14 percent labelled as suspicious.

The second report from US-based apps risk management specialist Appthority reveals that Apple's iOS platform is worse, with more than 90 percent of the top 200 apps - 100 paid and 100 free - in Apple's App store exhibiting “risky” behaviour.

Both studies have been released to coincide with the opening of the Mobile World Congress in Barcelona on Monday. The show is arguably the largest mobile technology exhibition in Europe, with vendors showing off new hardware and software products, as well as security solutions.

Webroot's Mobile Threat Report 2014 analysed more than 5.9 million mobile apps, hundreds of thousands of infections, almost 125,000 lost device protection activations, and infection rates from millions of customers between 2011 and the end of 2013.

Grayson Milbourne, Webroot's security intelligence director, discussed the report's findings with SCMagazineUK.com and explained that it found that almost 39 percent of malware-generated text messages, and 8.9 percent of malware had started using obfuscation.

The mobile industry, he said, has reached something of a tipping point worldwide over the last few months, with the number of smartphones in active usage now exceeding the number of old-style 'voice and text' mobiles.

"Our mobile research labs have been running for four years now, and we categorise apps into six classes: benign, malicious, moderate, suspicious, trustworthy and unwanted," he said, adding that just 14 percent of apps on the Android platform - which accounts for 80 percent of smartphones - were classed as trustworthy. 

Many users looking for pay apps - for free

Whilst Apple's App store and Google's Android Play app store are relatively safe, around 30-40 percent of users are actively looking to other sources on the Internet for free applications. 

The task of cyber-criminal analysis of apps has been made a lot easier by the arrival of tools that reverse engineer the app to produce the underlying code for the program. 

The solution, says Webroot's report, is that mobile users must take additional precautionary steps to protect their data in order to keep up with the evolving - and opportunistic - presence of hostile programs and hackers.

Milbourne says business users should also use corporate VPNs to defend their smartphone's connection to the Internet, although he concedes that not all data flows need to be encrypted, such as routine web browsing.

Appthority's report says that the apps you download onto your smartphone, especially on the iPhone, are sharing more personal data than most users realise.

Some 90 percent of the top 200 iPhone apps are claimed to exhibit “risky” behaviour, which is defined as location tracking, accessing contacts and/or calendar details, and sharing your data with third-parties such as advertising networks. 

Overall, the report says that iOS shares more data than Android and that free apps share more information than paid apps.

Appthority Mobile App Risk Management Service analysed the most recent top 400 apps provided by Apple and Google, and compared the findings to data from its Summer 2013 study. 

“Mobile apps bring both enormous opportunity and enormous risk to enterprises and their employees,” said Domingo Guerra, co-founder of Appthority.

“Companies know they must empower their workforce to leverage mobility while also protecting sensitive and valuable corporate data. Since BYOD quickly turned into ‘Bring Your Own Apps’, it is essential for IT and security administrators to have full visibility and control over mobile apps that present potential security and privacy risks,” he explained.



Small Businesses Thrive When Owners Tap Into Passion and Persistence

The success rates for small businesses aren’t as high as entrepreneurs would like them to be. Depending on whom you ask, in which industry and when, you might hear that half of small businesses close their doors within the first few years. That fact might be daunting to most people, but business founders aren’t most people. They are more likely to have the passion, the motivation and the persistence to fight against statistics in order to realize their business dreams. To do that and avoid the pitfalls that plague other businesses, business owners need to tap into that passion and persistence. These best practices might help.

1. Pursue a business idea that matters to you, and surround yourself with people who share your vision.

There are lots of elements that can go into a successful company launch. For some, that mix includes funding. Market research is extremely important. Pulling together the right advisors can make all the difference. But across the board, owner enthusiasm is the most critical component of business success. Take my company, for example. I bootstrapped Insightly for the first nine months of its existence. I worked out of my basement, and I put all of my time, energy and personal resources into getting the company off the ground. When it came time to bring others onto the team, I looked for smart people who shared my ideals and could help me grow the business. Passion is powerful in small business, and it can fuel owners through lean times.

2. Don’t be afraid to think big.

Running a small business should not necessitate small thinking. If the same motivation that prompted you to start a company later compels you to grow beyond your initial vision, don’t second guess that instinct. Perhaps your original goal was merely viability, and once you reached it, you started thinking about secondary markets, franchising or some other form of expansion. Harness the passion that got you started in the first place and pursue your ever-evolving goals. For example, my first goal was to create a product that would solve a market need no one had addressed before. As that became a reality and customers started to respond, I began thinking about the next level. This prompted me to move across the world from Perth, Australia to San Francisco, where the company had more opportunities to grow and help a broader customer base. Consistently setting, reaching and resetting goals is important to long-term business health. Don’t stop yourself from thinking beyond where you are today.

3.  When the going gets tough, small business owners have little choice but to keep going.

Those dreary small business statistics are for the other guy. If you have the passion and the motivation to start and grow a company, it follows that you should have the drive to persist through tough times - and there will certainly be tough times. Those are the moments that test entrepreneurs. How you handle them has everything to do with the long-term success of your current and future ventures. When you face a dip in sales or some other setback, maintain focus on your goal and consider every option for jumping the hurdles blocking your path. If you do fail, take the education that comes with that painful lesson and apply it to your next business.

It would be easy to look at the success rates of small business owners and assume that building a strong company requires a good bit of luck, but founders make their own luck. Yes, it helps to stumble into the right place at the right time, but those that go out and pursue their ideas with passion and persistence tend to be far more “lucky” than those who do not.



60 Percent in U.S. See Current Economic News as Neither Good Nor Bad


It’s easy for small business owners to get bogged down with the idea that a perceived “bad economy” is hurting their sales.

Would it surprise you to learn that the majority of Americans don’t see the economy that way at all?

If the public gets its perception of a good or bad economy from the news, then most Americans have mixed feelings, based on new data from Pew Research.

Pew’s survey asked more than a thousand adults recently whether they hear, see or read mostly positive, negative, or mixed economic news in the media. The study found that 61 percent of the public see news on the U.S. economy as mixed. But they do remain cautious.

Pew researchers write:

“Over the past year, the unemployment rate has fallen, but so too has the share of Americans in the labor force. The stock market rose during much of 2013, before falling at the start of this year.

Through it all, the public’s perceptions of economic news have changed very little.”

If there are economic areas where consumers are hearing mostly bad news, it’s regarding prices on gasoline, food and other consumer products. Still the only change is that the number of consumers hearing mostly bad news about the economy has actually dropped since this time last year.

The amount of the public hearing all negative news on the economy has dropped considerably from five years ago, though. In December 2009, about 80 percent of people surveyed by Pew said they heard mostly negative economic news. Since then, however, that rate has steadied to around its current level.

Today, only about one-third of the public, 33 percent, say they hear mostly negative reports about the economy through the news media. At the same time, just 5 percent hear all glowing reviews of economic conditions, Pew’s latest indicators suggest.

So don’t assume negative attitudes about the economy will hurt your business. They may not be as negative as you believe.




13 Things to Consider Before Relocating Your Company

Moving to a new city can be exciting, but scary. Moving and relocating your company to a new city? That can take some adjustment. While a big move can really ramp up business, it can never hurt to be over-prepared.

To make sure everything on your list gets checked off (twice), we asked a panel of 13 startup founders from the Young Entrepreneur Council (YEC) the following question.

Here’s what YEC community members had to say:

1. Ecosystem Support

“If you’re going to try to break into a new market, it helps to have support. Who from your ecosystem has connections or extensions in the new market? What intros can they make? How can you parlay existing relationships into new ones? If you see a great opportunity for your offering in a new market but don’t have the insider track on getting the word out, it will be hard to get traction.” ~ David Ehrenberg, Early Growth Financial Services

2. Cost of Living

“Manhattan sounds like a great place to do business, but if you’re moving from Conway, AR, you might be in for a surprise. Don’t let this prevent you from making the switch, but make sure the potential income gains outweigh the increase in expenses you’ll face.” ~ Nicolas Gremion, Free-eBooks.net

3. Minimum Viable Move

“Expanding to a new city tends to get us dreaming about new office space, additional hires and other expensive changes to our companies. But an expansion can be as simple as driving to that city once a month and getting a day pass for a coworking space. Consider what the minimum presence you can get away with is, along with how you can test that you’re moving to the right city.” ~ Thursday Bram, Hyper Modern Consulting

4. Regional Habits

“Research the area, have knowledge of your target population specific to that region, and understand the area’s consumer habits before moving.” ~ Zach Cutler, Cutler Group

5. Market Research

“Many people look to expand their companies to other cities because they want to be a national brand, and as a result, they don’t do thorough market research. Understanding the demographics is essential, and evaluating the actual need versus the desire to expand is often the biggest factor in a successful expansion. Visit the city, and get a real feel for it before you even consider the expansion.” ~ Aron Schoenfeld, Do It In Person LLC

6. Craigslist

“It sounds weird, and it might even be dated, but Craigslist is a great way to gather live data and tie into local communities before setting up shop. You can quickly test assumptions on office lease location and costs as well as gauge the local talent pool by posting a job.” ~ Andrew Fayad, eLearning Mind

7. Folkways

“Look at the city’s folkways. In Portland, you can go to meetings wearing jeans and a Polo shirt. But in our new market in Carlsbad, CA, you would be laughed out of the door if you didn’t show up in a suit and tie. Just be mindful of the local market’s customs.” ~ Mychol Robirds, Securus Payments

8. Remote Possibilities

“If you’re moving for talent or moving your existing team, ask yourself, ‘Can I do this remotely?’ We have employees in nine different countries and have offices in the U.S., Canada, Australia and the Philippines. It allows us to scale faster and more efficiently than any local company because when we need more talent, we just hire it regardless of where it is.” ~ Liam Martin, Staff.com

9. Current Market Standings

“Before venturing into a new market, you should look at your current market and see if you are No. 1 in that market. Make sure you have built a dominating business in your current market before you expand to another. If you can dominate your current market, then why go to another?” ~ Matt Ames, MN Pro Paintball

10. Sales Time

“Before moving your company to a new city, consider the sales cycle for your product or brand. Think about how long it took you to establish yourself as an expert in your field in the current region you are operating out of, and add in the same amount of time to brand yourself as an expert in the new field. People often overlook how long it will take to get clients in a new city.” ~ Kris Ruby, Ruby Media Group

11. Core Leader Candidates

“You have to send a core member of your company to run a new unit. If you’re hiring a new person to run a new unit in a new geography, it puts a lot of doubt into the company. You can have a new office that doesn’t fit with the company culture. During all this confusion, nothing is done right. Move a core person in the beginning, and then once it’s settled, you can hire a new head.” ~ Rohit Singal, Sourcebits

12. Travel Expenses

“Even in the connected world with FaceTime, Skype and other conference solutions, nothing replaces face-to-face meetings for crucial milestones. Consider travel costs, including flights and accommodations. Are you opening an office abroad? Consider the currency exchange, cost of flying out once per month and accommodations. You will need to visit no matter how “smoothly” your business runs.” ~ Gideon Kimbrell, InList Inc

13. Employee Expectations

“In moving from the Midwest to Boston then San Francisco, I’ve seen a wide spectrum of things that new employees expect in startups. Employees in San Francisco expect to have lunches catered daily and fridges stocked with beer in the office. In Boston, they expect you to work late nights, whereas San Francisco pushes work-life balance. Just know what you’re getting into before uprooting your team.” ~ Heidi Allstop, Spill




Upstart: Backers Invest in You, And Your Future Earnings Repay Them


It is the curse of a college education. You leave with an impressive qualification which can set up your career and set you on the road to success. But with it comes the crippling baggage of student loans - some of which can extend into the hundreds of thousands of dollars.

So how can these former students get out from under this debt and be able to strike out into the world, and even start a business? One option is to turn to Upstart.

Upstart is a new type of funding site, created by ex-Googler Dave Girouard. Think of Kickstarter but instead of individual projects, it’s all about people. Applicants put themselves forward on the site for funding - in effect offering themselves as a long-term investment.  The site says:

“Venture capitalists say they invest in people, but our backers do it for real. While most new businesses fail, talented people tend to succeed over time. And by supporting upstarts with advice and introductions, backers can help them - and their investments - go further.”

In other words, Upstart backers are not investing in a company, and they are not investing in a new product à la Kickstarter. They are investing in a promising person.

In return for backing a person, the Upstart backers are given a cut of that person’s earnings for a fixed term - but only once those are over $20,000 a year.

An applicant has to upload transcripts, GMAT and SAT scores, a resume, and more. Then an algorithm written by Paul Gu, a co-founder of Upstart, determines how good a bet the person is, by calculating future earnings. Several factors are taken into account, in order to decide. This can include things like what qualifications the person has and any previous earnings. Backers can then choose whether or not to invest in you, and even mentor you.

There are some safeguards. What if a successful applicant ends up creating a hugely successful company with millions or even billions in profit? Is it a sudden huge payday for the backers? Not so fast. According to Fast Company, Upstart caps repayments at three to five times the amount of the initial investment.

Upstart has backing from Google Ventures and high profile investors.  For instance, the photographs of Google executive chairman Eric Schmidt and Dallas Mavericks owner Mark Cuban also appear on their page listing investors.

The site is still in its infancy, though. According to the Upstart website, they have invested nearly $3 million, but show just 329 backers and 242 “Upstarts” as of this writing.

Some have criticized Upstart as indentured servitude or slavery. Will Herman, a Boston angel investor, told CNN that he was one of those critics.

“I can’t escape this feeling that there is this indentured servitude thing here,” he says. “You’re really buying into somebody’s salary stream, and I don’t want my hooks into a person like that.”

Yet, if it gives the person the start he or she needs, and backers are limited in the amount they get in return, calling it indentured servitude seems like harsh criticism.