John Frankel, ff Venture Capital talking to London Web meetup

August 28, 2011

John Frankel is a Brit who is a partner at New York-based ff Venture Capital, and during a visit back home this week he gave a great talk to a mixed audience of developers and entrepreneurs at the regular London Web meetup. John’s fund, which he describes as “a micro VC or super-angel”, helps companies go from “3 to 30 employees”. ff has invested in companies like Voxy, Cornerstone OnDemand, Mogotix, Klout, ShareSquare and many more.

You can watch the entire talk and Q&A below, or just read on:

ff typically invests in 4 – 12 companies in a year, but since December have invested in 15. The reason? John was unequivocal, this is an “interesting time with unbelievable opportunities for both investors and those seeking to change the world”. The reduction in cost of doing business online in the last decade means that mass customisation is now possible and software can create new and immersive experiences.

This disruption has entered every industry; citing Paige Craig, John told us that “every company is a technology company”. The platforms that didn’t exist 10 years ago are now in place: broadband, smartphones, cheap storage, etc.

He told how Jim Cramer of CNBC’s show “Mad Money” spoke at a conference John attended during the previous dot com boom, telling the story of how the media industry has these massive fixed costs through the legacy of newsprint production, by growing trees, waiting till they are mature, chopping them down, transporting them hundreds of miles, turning them into pulp, transporting paper hundreds of miles into cities usually, making newspapers from them, and then finally putting a pile on every street corner; every 24 hours.

Fast forward ten years and we have Amazon’s Kindle, Apple’s iPad, and numerous inexpensive smartphones. John is certain that this time round “this is not a bubble”, although he did indicate they may slow down their investment pace if valuations get too high.

Advice for startups

“Solve big problems, they are more satisfying”.

And he used the example of the Winklevoss twins to tell us that “everyone has ideas, but execution is everything”.


Being in London – with its perennial inferiority complex – of course the question of geography came up. John said that ecosystems are made by people and infrastructure, and despite the ability to use Skype, meeting “in person is important”. Although he’s prepared to invest almost anywhere, it’s harder to justify if that company is off the beaten track. Another crucial geographic factor is big companies being in the vicinity of startups, as is the presence of second-time entrepreneurs.

Talking from his US experience, he compared NYC, which is very individualistic, to San Francisco, which is more team orientated and collaborative, giving the example of one of their portfolio companies relocating there for that reason.

What he looks for in investments

“The team”. And “unreasonable and driven people”. He says “pivoting is normal; the start idea is never the same as the end idea”. Specifically he likes companies with low capex model, and those that start charging for their product early, talking of the benefit of “training” your customer to pay.

He cited an example of one company they backed, the enterprise software company Cornerstone OnDemand, in which they were amongst the first outside investors; since 2002 they invested in all 8 subsequent rounds until it went public in March 2011. Despite that incredibly successful exit, John says he doesn’t “believe in exit strategies”, and puts faith in interesting things happening and valuable things being created if you let smart people do interesting things.

I really enjoyed his talk, and I hope John spends more time in London; we need more of this kind of seed VC in the UK.



The emotional rollercoaster of entrepreneurship

August 26, 2011

This is one of the must-read pieces of advice about being a startup entrepreneur, and something I share frequently with friends and people I’m advising. Being an entrepreneur is hard, you won’t always feel like you can conquer the world, but don’t worry, you’re not alone:

Marc Andreessen wrote:

First and foremost, a start-up puts you on an emotional rollercoaster unlike anything you have ever experienced. You flip rapidly from day-to-day – one where you are euphorically convinced you are going to own the world, to a day in which doom seems only weeks away and you feel completely ruined, and back again. Over and over and over. And I’m talking about what happens to stable entrepreneurs. There is so much uncertainty and so much risk around practically everything you are doing. The level of stress that you’re under generally will magnify things to incredible highs and unbelievable lows at whiplash speed and huge magnitude. Sound like fun?

Here entrepreneur and Teamly advisor, Cameron Herold talks about how you get through it and crucially, what to do, and what not to do at each stage of the rollercoaster. Take the time to watch the videos to hear what he has to say, it will help.

Or, if you’d prefer to read, take a look at this blog by Cameron about entrepreneurial manic-depression and how to ride the curve.



Software is eating the world, but will our kids have the skills for it?

August 23, 2011

Marc Andreessen (who co-wrote the first web browser, and is now a VC having invested in Facebook, Twitter, and others) published a fantastic essay on how software is revolutionising the world in the Wall Street Journal.

I urge you to read it all, and show it to any young people you know. If you know anyone making education choices now, they need to know about this.

Andreessen’s thoughts echo those that Google Chairman, Eric Schmidt talked about recently at a speech in London, where he talked of the incredible power of computer science to change our lives for the better in the coming decades.

Here are a few of the key snippets from Andreessen’s essay:

More and more major businesses and industries are being run on software and delivered as online services—from movies to agriculture to national defense. Many of the winners are Silicon Valley-style entrepreneurial technology companies that are invading and overturning established industry structures. Over the next 10 years, I expect many more industries to be disrupted by software, with new world-beating Silicon Valley companies doing the disruption in more cases than not.

On why America is leading this charge:

It’s not an accident that many of the biggest recent technology companies—including Google, Amazon, eBay and more—are American companies. Our combination of great research universities, a pro-risk business culture, deep pools of innovation-seeking equity capital and reliable business and contract law is unprecedented and unparalleled in the world.

But he has a warning of what it takes for individuals, and countries to take advantage of this increasingly digital world:

Many people in the U.S. and around the world lack the education and skills required to participate in the great new companies coming out of the software revolution. This is a tragedy since every company I work with is absolutely starved for talent. Qualified software engineers, managers, marketers and salespeople in Silicon Valley can rack up dozens of high-paying, high-upside job offers any time they want, while national unemployment and underemployment is sky high. This problem is even worse than it looks because many workers in existing industries will be stranded on the wrong side of software-based disruption and may never be able to work in their fields again. There’s no way through this problem other than education, and we have a long way to go.

I couldn’t agree with that more, and I hope to see more kids studying maths and science, and more enrolling in Computer Science courses at University; that skill more than any other is what’s going to power the digital innovation we expect to see and it’s a skill that commands a premium. Traditionally parents like to see their children go into a professional occupation such as medicine and law, but Computer Science rightly deserves a place in this list.

[Google’s Eric Schmidt, speaking at the Edinburgh Television Festival criticised Britain’s education system for teaching kids how to use software, but no insight into how it’s made and warned that Britain is squandering its rich heritage in computing].

Computer Science was the course that (amusingly) both Bill Gates and Mark Zuckerberg dropped out of, but it’s a course that the founders of most leading web companies all have in common, including Google’s Larry Page and Sergey Brin, as well as Amazon’s Jeff Bezos.

If you know a smart and mathematically inclined student, please point out the existence of Computer Science, and my belief that the ability to write computer code will become an even more important skill in the coming decades as computers, software and the internet become even more prevalent. I’m not saying all kids should go and study this course, but I hope they are all at least aware of it and consider it. (I wasn’t and didn’t).

The interesting thing about the ability to program is that it means you are not only eminently employable by massive corporations but you also have a relatively rare skill which enables you to be self-employed doing contracting, or become an entrepreneur and start your own online business. I really don’t think there’s many skills which are quite so much in demand or quite so flexible!

Read Marc Andreessen’s full essay here:

Why Software is Eating the World

You might care about security online but do you understand it?

August 19, 2011

BankSimple Blog: Six Tips for Safer Online Banking

Do you want people accessing and reading your email account whenever they choose? How about logging in to your bank and transferring all your money? The bad news is that your password for both could quite easily be discovered if you don’t understand how passwords and encryption work online, and I’m quite certain that 99% of people online have no real clue about what security online really means. What’s worse is that many people operating websites don’t have a clue either.

The two things you probably didn’t realise:

There are many many commercial sites that don’t use encryption for logins or registration, so if you’re using such sites over your coffee shop’s wifi connection your passwords can easily be picked up.

There are also many sites that store your password in plain text on their server. This means anyone at those companies can read your password, and since you’re like most people you probably use that password for everything online including your email account and your bank account. How much do you trust the hundreds of sites you’ve given your password to?


I’ve been online since 1994, and from 1996-2006 I ran an ecommerce retail business. During much of that time, when most people made their first online purchase the media would talk a lot about whether it’s safe to shop online using your credit card. This was always frustrating to me as a responsible etailer, because it has always been the case that if your credit card is used for a cardholder-not-present transaction without your knowledge you’re not liable and the retailer has to stand a chargeback. The debate was a distraction because the risk to the individual was always low, the person holding the real risk was the retailer.

Things have moved on and now the media and the public are worried about privacy, and get worked up about whether or not Facebook should show you ads based on your likes, or use your list of mobile numbers to suggest friends to connect with through their site. Yes, we all want our data to be private and we want to understand what companies are doing with it, but the far more important issue of security generally has still not been adequately addressed; people are complacent and clueless about the risks, and have no idea how to reduce that risk.

Encryption is good, right?

(Image: the illusion of security)

The vast majority of our internet browsing is done unencrypted; there is simply no need for it. But for things like internet banking, you should see the padlock symbol in your browser address bar indicating that your session is encrypted, and what this means is that – no matter what internet connection you are using – the data you are looking at on your screen is encrypted all the way back to the bank’s server at the other end. Your data could be travelling over the free and completely insecure wifi connection in your coffee shop, or a corporate network with super-duper firewalls, but it doesn’t matter, there is no risk to you because the encryption is end-to-end.

Encryption of logins and passwords only:

What about other less critical services where you probably don’t care if the entire session is not encrypted? It’s still highly desirable that the login process, including transmission of your password, is encrypted. Let me explain: many sites will use encryption for the login, so your username and password are transmitted securely. Once they have established who you are, the encryption is turned off again, the padlock disappears and you proceed to use the rest of the site as normal. That’s fine because once your data is out on to the internet it’s split up into tiny fragments anyway and sent a hundred different ways to arrive at its destination, so while there is still a risk someone could intercept your data, the likelihood is very low. Sites using this partial encryption, like Amazon and LinkedIn, turn it on again and get you to re-enter your password for any account changes, to verify it’s still you.

But as I said earlier, there are many many commercial sites that don’t use encryption for logins or registration, and many that store your password in plain text on their server.

How do you know a site is storing your password in plain text?

One likely indication is if the site emails you a record of your password after registration, or if you forget it and ask for it to be sent to you. It’s not a definite indicator, but as many as 30% of sites are thought to store passwords in the clear, and those that email you your password (which is bad practice), are more likely to store it badly too.

To test this now take your usual password and do a search in your email for that word…

ok, did you do it?

Unless you are using different randomly generated passwords for each site (clever you!) then you should see a list of many sites that are probably storing your password in plain text when you do that search. Is that the one you also use for your banking? Let’s be clear what this means, anyone who has access to those databases in those companies can read your password.

ok, here’s your chance to go and do that search if you didn’t already!

Now, most companies are honest and wouldn’t do anything with your password, but how about a disgruntled or dishonest employee, or a hacker who steals their entire database? Or someone at that company takes a backup of their database home on a weekly basis, but on one occasion he goes out for a drink on his way home, and overnight his car is broken into and that CD ROM finds its way into the hands of some criminals?
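For site operators, the difference between the two storage choices looks like this. It is an added example, not code from any site mentioned here; the table layout, function names, sample password and the PBKDF2 work factor are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def register_plaintext(table: dict, user: str, password: str) -> None:
    """Risky pattern: the stored value is the password itself."""
    table[user] = password


def register_hashed(table: dict, user: str, password: str) -> None:
    """Store a per-user random salt plus the derived hash, never the password."""
    salt = os.urandom(16)
    table[user] = (salt, _derive(password, salt))


def login_hashed(table: dict, user: str, attempt: str) -> bool:
    """Re-derive from the attempt and compare in constant time."""
    record = table.get(user)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_derive(attempt, salt), stored)


def forgot_password(table: dict, user: str) -> str:
    """What the site is able to email back to the user."""
    record = table[user]
    if isinstance(record, str):
        return "Your password is: " + record  # only possible if it was kept
    return "Reset token: " + secrets.token_urlsafe(16)  # the password is unknown


def readable_in_dump(table: dict, password: str) -> bool:
    """Does a copy of the table (backup, leak, insider) show the password?"""
    needle = password.encode("utf-8")
    for record in table.values():
        blob = record.encode("utf-8") if isinstance(record, str) else b"".join(record)
        if needle in blob:
            return True
    return False


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    weak, strong = {}, {}
    register_plaintext(weak, "alice", pw)
    register_hashed(strong, "alice", pw)
    print("plaintext table exposes it:", readable_in_dump(weak, pw))
    print("hashed table exposes it:", readable_in_dump(strong, pw))
    print("hashed login still works:", login_hashed(strong, "alice", pw))
```

A site built the second way has nothing to put in a "here is your password" email, which is why receiving one is a useful warning sign.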

Perhaps you think that’s far-fetched or unlikely to happen? Possibly, but I bet you’ve used a public wifi network without realising the risks.

The danger of public wifi networks

For example, your local coffee shop or favourite hotel lounge where you like to go for a couple of hours in the day for some meetings and some peace out of the office. These public wifi connections are nearly always unencrypted, and unlike when you are using the internet normally from your own connection – when your data goes straight from your computer out on to the internet, where it’s then jumbled up with everyone else’s data – in a coffee shop, if someone there at the same time is “sniffing” the connection they can see everything you are doing (if it’s not encrypted) before it goes out on to the internet. This applies whether it’s your local cafe sharing a domestic internet connection, or one of the massive international wifi networks operated by a telecoms company.

So here’s what any hacker might be able to see in a typical session:

  • logging in to your email
  • downloading your email
  • replying to email
  • logging in to Facebook
  • commenting on Facebook
  • uploading a photo
  • visiting your bank’s home page
  • selecting the page to login for internet banking
  • logging on
  • viewing your bank balance
  • transferring money
  • paying that overdue bill
  • logging out
  • browsing the bank’s general pages for info on overdraft fees
  • visiting Amazon
  • browsing for a book
  • adding that to your cart
  • checking out and entering credit card details
  • visiting Google, doing a search
  • clicking on the link
  • visiting that new site, which is a private forum for bike lovers
  • registering and typing in your password for the site
  • logging on with that username and password
  • browsing the site
  • etc

Don’t worry, the parts crossed out are encrypted and safe, but – when it really mattered – did you remember to check for the padlock, to confirm they were actually encrypted?

A good example of where being padlock-aware matters is when I was recently sent a link by a company to pay one of their invoices online, but the linking page on their website which points to the payment screen didn’t use https at the start. So while the following page said “welcome to our secure encrypted payment page” it was quite happy to load in the clear with no encryption! I pointed it out to the company and guess what, a month later and they’ve still not fixed this pretty simple error.

How sites compare:

(Image: comparison of encrypted sites)

Often sites that are not using best practices are doing so because the site owners are not clued up themselves on security issues, and sometimes it’s just simply an unintended screwup. But sometimes a deliberate decision has been made by a company that encryption is not required, e.g. Ning, the massive provider of private social networks. This company is well funded by top VCs and is generating revenue and profits as well, but none of registration, login or browsing is encrypted. WordPress uses an encrypted registration page but then gets you to login over a regular connection, which kinda defeats the purpose of the secure connection for the first part.
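A site owner can check their own pages for the mistakes described above with a short script. This is an added example, not a tool from this post or any site named in it; the hosts under example.test and the sample HTML are constructed, and a form is treated as sensitive if it has a password field or a card-number field (`autocomplete="cc-..."`).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects each <form> and whether it asks for a password or card number."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self._open = {"action": attr.get("action") or "", "sensitive": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            kind = (attr.get("type") or "text").lower()
            autocomplete = (attr.get("autocomplete") or "").lower()
            if kind == "password" or autocomplete.startswith("cc-"):
                self._open["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_page(page_url, html):
    """Return (problem, url) findings for every sensitive form on the page."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["sensitive"]:
            continue
        # A page delivered in the clear can be altered in transit, so the form
        # is not trustworthy even when it claims to submit over https.
        if urlsplit(page_url).scheme != "https":
            findings.append(("page-not-https", page_url))
        # An empty action submits back to the page's own URL.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append(("submit-not-https", target))
    return findings


# Constructed sample pages (hypothetical hosts).
PAY_URL = "http://shop.example.test/pay"
PAY_HTML = ('<h1>Welcome to our secure encrypted payment page</h1>'
            '<form method="post"><input name="card" autocomplete="cc-number">'
            '<input type="submit"></form>')
MIXED_URL = "https://blog.example.test/signin"
MIXED_HTML = ('<form action="http://blog.example.test/login" method="post">'
              '<input name="user"><input type="password" name="pass"></form>')
GOOD_URL = "https://bank.example.test/login"
GOOD_HTML = ('<form action="/session" method="post">'
             '<input name="user"><input type="password" name="pass"/></form>')

if __name__ == "__main__":
    for url, html in ((PAY_URL, PAY_HTML), (MIXED_URL, MIXED_HTML), (GOOD_URL, GOOD_HTML)):
        print(url, audit_page(url, html) or "ok")
```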

What you can do to stay safe online:

  • Use a VPN when using a public wifi connection, so your traffic cannot be intercepted by someone sniffing the network. A VPN service is inexpensive, costing as little as $7 a month. Browse a range of VPN providers here. Failing that, just don’t use public wifi, a 3G dongle is safer.
  • Always check for the padlock when registering, logging in, paying for stuff and for anything else that matters to you and which you want to remain private. Don’t assume a site is secure when it might not be, so get in the habit of looking for the padlock.
  • Be smart with your passwords. Use services like my1login or Lastpass to generate and then store unique long passwords for each site you visit. You have no idea which sites securely store your password and which don’t, so the only way round this is to use a different password on every site. Only use password software to store passwords and not word documents, email accounts or anything else, as these offer no protection or encryption.
  • Turn on encryption where possible. Some sites, such as Facebook now give you the option to enable secure browsing for your entire session. (Click on Account Settings and then Security to enable this). This at least reduces the likelihood of casual hijacking of your account if you’re too lazy to use a VPN over wifi networks.
  • Use two-factor authentication when offered: Big companies have used this for years to allow employees secure access to corporate networks, but it’s now more widely available with some banks and even Google offers it to users of its Apps for Business service. It works by you having to enter a randomly generated code along with your usual login credentials. The code is generated by a dongle, or through an app on your mobile phone. Without access to that device neither you nor anyone else can log on, even if they know your login and password.
  • Make sure encryption is enabled on your home/office wifi connection. It’s highly unlikely that you’ve switched this off, as all routers now come preconfigured with this on, but you might want to double check just in case. WPA2 is what should be turned on.

I hope you feel somewhat enlightened after reading this, and are more careful about your own personal data security, and if you do operate a site, better understand how you store and protect users’ data and work out if you need to improve it.

For the dedicated reader, here’s a bonus rant:

What Governments could do:

Governments as a whole don’t understand technology or how to regulate it, and a great example of this is that the European Union has directed all member states to implement a ridiculous new law on Cookies this year. This will severely affect users’ enjoyment of, and owners’ smooth operation of, websites, while protecting no one from any real danger online. [It seems designed to restrict personalised advertising online. Advertising is what makes a lot of websites pay for themselves, and so if we’re going to get advertised at, at least make those ads relevant?]

Instead of wasting their time, our money, the resources of web site operators and pissing off users, they could perhaps have looked at creating some legislation to force website operators to come up to a minimum standard of security for protecting people’s data and passwords. Like PCI DSS but not just for payment data, but for user data and passwords. That would deliver a much greater benefit to the general public by keeping the data that really matters to them safe. It would also reduce the number of embarrassing data breaches (hello, Sony!) and raise the level of awareness both in the industry as well as with consumers.

[If the giant Sony Corporation so royally screwed things up with the hack into their PS3 database, how crap do you think a lot of much smaller companies are at managing data securely?]

I don’t know why Governments haven’t looked at this? Possibly because it’s a lot easier to find sites that are non-compliant on the very stupid cookie directive than it is to work out if sites are storing passwords sensibly or correctly encrypting pages that should be secure, but just because something is hard to police doesn’t mean they shouldn’t take any action.

Would love your comments, reactions or advice below, thanks!