<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>InfoTales</title>
	<atom:link href="http://www.infotales.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infotales.com</link>
	<description>Web application performance, Web Server Performance, Data Mining, SEO, MySQL, Magento Performance and much more</description>
	<lastBuildDate>Sat, 21 Jan 2012 14:51:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.3</generator>
		<item>
		<title>Installing Sphinx on Windows, simply</title>
		<link>http://www.infotales.com/installing-sphinx-searc-on-windows/</link>
		<comments>http://www.infotales.com/installing-sphinx-searc-on-windows/#comments</comments>
		<pubDate>Sat, 21 Jan 2012 14:51:57 +0000</pubDate>
		<dc:creator>shahpar</dc:creator>
				<category><![CDATA[SPHINX]]></category>

		<guid isPermaLink="false">http://www.infotales.com/?p=1440</guid>
		<description><![CDATA[In this article I will try to explain how to install Sphinx on Windows in a very simple manner. So let&#8217;s get started. Go to the latest release download page and download the &#8220;Win32 binaries w/MySQL support&#8221; release. I am using Sphinx version 2.0.3 on Vista. The downloaded file will have a name like sphinx-2.0.3-release-win32.zip. Unzip the file. [...]]]></description>
			<content:encoded><![CDATA[<p>In this article I will try to explain how to install Sphinx on Windows in a very simple manner. So let&#8217;s get started. <span id="more-1440"></span></p>
<ol>
<li>Go to the <a rel="external" href="http://sphinxsearch.com/downloads/release/">latest release download</a> page and download the &#8220;Win32 binaries w/MySQL support&#8221; release. I am using Sphinx version 2.0.3 on Vista. The downloaded file will have a name like sphinx-2.0.3-release-win32.zip.</li>
<li>Unzip the file. The unzipped content will look like c:/sphinx-2.0.3-win32/sphinx-2.0.3-win32/api etc.</li>
<li>Copy or cut the folders and files inside c:/sphinx-2.0.3-win32/sphinx-2.0.3-win32/.</li>
<li>Create a new folder C:/sphinx/ (for the sake of simplicity I have selected this path; you can change it).</li>
<li>Paste the copied files and folders into this folder, c:/sphinx/.</li>
<li>Create the c:/sphinx/data/ and c:/sphinx/log/ folders.</li>
<li>Create the new text files c:/sphinx/log/query.log and c:/sphinx/log/searchd.log. Note that the files must have the extension .log, NOT .log.txt or something similar.</li>
<li>We will be using the simpler, easy-to-configure config file for Sphinx. This file is c:/sphinx/sphinx-min.conf.in.</li>
<li>Open c:/sphinx/sphinx-min.conf.in in a text editor and replace @CONFDIR@/ with c:/sphinx/ . There should be 5 lines where you need to replace this.</li>
<li>Now provide your MySQL login info by updating the sql_user, sql_pass and sql_db values. This will allow us to test index creation and searching later. Also make the appropriate changes to the sample index &#8220;source src1&#8221;, which means changing the query and attributes.</li>
<li>Open a DOS window by typing CMD in the Run dialog and hitting Enter.</li>
<li>In the DOS window, type C: and press Enter.</li>
<li>Now type cd c:/sphinx/ . The command line should now look like c:\sphinx&gt;</li>
<li>Now type this command and hit Enter: C:\sphinx\bin\searchd --install --config C:\sphinx\sphinx-min.conf.in --servicename SphinxSearch</li>
<li>This will install SphinxSearch as a service.</li>
<li>I am assuming here that you have made the changes to the config file correctly.</li>
<li>Now build the test index for the first time: c:/sphinx/bin/indexer.exe --config C:\sphinx\sphinx-min.conf.in test1</li>
<li>Now, to start the service, use this command in the DOS window: C:\sphinx\bin\searchd.exe --ntservice --config C:\sphinx\sphinx-min.conf.in --servicename SphinxSearch</li>
<li>If everything is OK, this command should show some results without errors: C:\sphinx\bin\search.exe --config C:\sphinx\sphinx-min.conf.in -i test1 term</li>
<li>The above command will tell you whether &#8220;term&#8221; is found in the &#8220;test1&#8221; index.</li>
</ol>
<p>Now we are done and you can start using Sphinx via PHP or any other API. You may need to start the service next time before using it.</p>
<p>My local Sphinx config file looks like this; you can use it by changing your MySQL login info.</p>
<pre>#
# Minimal Sphinx configuration sample (clean, simple, functional)
#

source src1
{
	type			= mysql

	sql_host		= localhost
	sql_user		= root
	sql_pass		= password
	sql_db			= test
	sql_port		= 3306	# optional, default is 3306

	sql_query		= \
		SELECT id, name, state_id \
		FROM cities

	sql_attr_uint		= state_id
}

index test1
{
	source			= src1
	path			= c:/sphinx/data/test1
	docinfo			= extern
	charset_type		= sbcs
}

indexer
{
	mem_limit		= 32M
}

searchd
{
	listen			= 9312
	#listen			= 9306:mysql41
	log			= c:/sphinx/log/searchd.log
	query_log		= c:/sphinx/log/query.log
	read_timeout		= 5
	max_children		= 30
	pid_file		= c:/sphinx/log/searchd.pid
	max_matches		= 1000
	seamless_rotate		= 1
	preopen_indexes		= 1
	unlink_old		= 1
	workers			= threads # for RT to work
}</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.infotales.com/installing-sphinx-searc-on-windows/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Web Application Performance Tips</title>
		<link>http://www.infotales.com/web-application-performance-tips/</link>
		<comments>http://www.infotales.com/web-application-performance-tips/#comments</comments>
		<pubDate>Wed, 21 Sep 2011 18:55:48 +0000</pubDate>
		<dc:creator>boogieman</dc:creator>
				<category><![CDATA[Web Application Performance]]></category>

		<guid isPermaLink="false">http://www.infotales.com/?p=1434</guid>
		<description><![CDATA[Web application performance has long been a big question for programmers and system administrators, and technology is now changing very fast. Data sizes increase day by day: sites like Facebook and Google have traffic in the billions with petabytes of data, which they serve in milliseconds. So is it difficult to do? No, there are [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Web application performance has long been a big question for programmers and system administrators, and technology is now changing very fast. Data sizes increase day by day: sites like Facebook and Google have traffic in the billions with petabytes of data, which they serve in milliseconds. So is it difficult to do? No, there are smarter ways to do it. So what are the core components of the web architecture?</p>
<p style="text-align: justify;"><span id="more-1434"></span></p>
<ol style="text-align: justify;">
<li>Web Servers</li>
<li>Database Servers</li>
<li>Cache Servers</li>
</ol>
<p style="text-align: justify;">Lots of other things are also required. All these things help reduce page render time when we have a smaller amount of data. What if you have terabytes of data and you need to serve it in real time? That is really difficult work to do. I will share my experience of how I am doing this.</p>
<p style="text-align: justify;">My thoughts are that web servers are the processors, cache is the RAM and databases are the storage. We know well that storage I/O is very slow, so we cannot serve too much traffic from normal databases like MySQL, Oracle, MSSQL etc. We therefore need things that can reduce our dependency on the storage databases.</p>
<p style="text-align: justify;">So what can we use to increase the performance of our web applications at very low cost? I will address the issues and then their solutions for you.</p>
<p style="text-align: justify;">
<ol style="text-align: justify;">
<li>Full text search: On a huge amount of data in a relational database, full text search is almost impossible, so we can use the Sphinx search system. Sphinx&#8217;s performance in serving full text search is outstanding.</li>
<li>SQL JOIN: Store the data in denormalized form, so that SQL queries run very fast with fewer joins. It&#8217;s easy to store that data in NoSQL systems like Cassandra, Hadoop, etc. These NoSQL systems help in sorting trillions of rows in a few seconds.</li>
<li>Caches: We need to use cache systems very effectively, with complete key management, such as Memcache, MCACHE, eAccelerator, etc. These caches can help serve the most accessed pages and static content faster from memory.</li>
<li style="text-align: justify;">Web Servers: Optimization of web servers is very important. We mostly use the Apache web server, which is the most famous and whose performance is outstanding under both the prefork and worker MPMs, its process and thread control mechanisms, so we need to configure these process models very smartly.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.infotales.com/web-application-performance-tips/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Open Web Application Security Project (OWASP)</title>
		<link>http://www.infotales.com/open-web-application-security-project-owasp/</link>
		<comments>http://www.infotales.com/open-web-application-security-project-owasp/#comments</comments>
		<pubDate>Sun, 18 Sep 2011 16:42:43 +0000</pubDate>
		<dc:creator>boogieman</dc:creator>
				<category><![CDATA[Java]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web Application Performance]]></category>

		<guid isPermaLink="false">http://www.infotales.com/?p=1426</guid>
		<description><![CDATA[The open source OWASP (Open Web Application Security Project) is a worldwide not-for-profit charitable organization concentrating on the improvement of web application security. Its mission is to highlight application security in every way possible, so that people and organizations can be informed about actual application security risks and their solutions. [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">The open source OWASP (Open Web Application Security Project) is a worldwide not-for-profit charitable organization concentrating on the improvement of web application security. Its mission is to highlight application security in every way possible, so that people and organizations can be informed about actual application security risks and their solutions. OWASP is free for everyone worldwide to join, to take advantage of, or to contribute to and help with OWASP&#8217;s security projects.</p>
<p style="text-align: justify;"><span id="more-1426"></span></p>
<p style="text-align: justify;">All of the information about security risks and their solutions is available under one free web portal. It can be found on OWASP&#8217;s official website, and the latest information is available on OWASP&#8217;s blog. Visitors are invited to feel comfortable making changes and improvements to any of its security projects. In fact, there are hundreds of people around the world who review the changes to the site to help ensure quality and performance. There is a &#8216;Getting Started&#8217; page for new users, which makes it very easy for a new person to get involved with the information provided. The OWASP team highly appreciates every visitor who becomes a member of its security portal.</p>
<p>Some of the projects done by OWASP are as follows:
</p>
<ol style="text-align: justify;">
<li>OWASP AntiSamy Java Project:  An API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks.</li>
<li>OWASP AntiSamy .NET Project:  An API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks.</li>
<li>OWASP Enterprise Security API (ESAPI) Project:  A free and open collection of all the security techniques that a developer needs to develop a secure web application.</li>
<li>OWASP ModSecurity Core Rule Set Project:  A project to document and develop the ModSecurity Core Rule Set.</li>
</ol>
<p style="text-align: justify;">
<p><strong>OWASP AntiSamy Java Project<br />
</strong></p>
<p style="text-align: justify;">The OWASP AntiSamy project consists of a handful of things. Technically, it is an API for ensuring that HTML/CSS provided by a user complies with an application&#8217;s rules. Another way of stating that could be: it&#8217;s an API that helps you make sure that your clients don&#8217;t supply malicious code in the HTML they supply for their profile, comments, images etc. that gets persisted on the server. The term &#8220;malicious code&#8221; with regard to web applications usually means &#8220;JavaScript&#8221;. Cascading Style Sheets (CSS) are only considered malicious when they invoke the JavaScript engine. Moreover, there are many situations where completely normal HTML and CSS can be used in many different harmful ways, and the AntiSamy project takes care of that too.</p>
<p style="text-align: justify;">
Philosophically, AntiSamy is a departure from present-day security mechanisms. Generally speaking, the communication between a security mechanism and the user is virtually one way, for very good reasons. Letting a potential attacker know the details of the validation is considered unwise, as it allows the attacker to learn about the mechanism and recon it for weaknesses. These kinds of information leaks can also become harmful in ways that you do not expect. A login mechanism that tells the user &#8220;Username invalid&#8221; leaks the fact that a user by that name does not exist. There are more things like the username example that we tend not to consider significant. An attacker can use a dictionary and a phone book to remotely work out a list of valid usernames. Using this information, an attacker could launch a brute-force attack (a very popular attack these days) or a massive account lock denial-of-service. We get that. Unfortunately, that&#8217;s just not very usable in this situation. Typical Internet users are largely pretty bad when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.</p>
<p><strong>The OWASP Enterprise Security API</strong></p>
<p>ESAPI (the OWASP Enterprise Security API) is a web application security control library that makes it easier for developers to write lower-risk applications. The ESAPI libraries are designed to make it easy for programmers to retrofit security into their existing applications. They also serve as a solid security foundation for new development. Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:</p>
<p>There is a set of security control interfaces. They define, for example, the types of parameters that are passed to types of security controls. There is a reference implementation for each security control. Its logic is neither organization-specific nor application-specific; string-based input validation is a good example. There can optionally be your own custom implementations for each security control. These classes may contain application logic developed by or for your organization according to its requirements. Enterprise authentication is a good example.<br />
The project source code is licensed under the BSD license, which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the Creative Commons license. You can use or modify ESAPI however you want, and even include it in commercial products.</p>
<p style="text-align: justify;">
<strong>OWASP ModSecurity Core Rule Set Project</strong><br />
ModSecurity™ is a web application firewall engine that does not offer a lot of protection on its own. To become beneficial, ModSecurity™ must be configured with rules. SpiderLabs from Trustwave provides a free certified rule set so that users of ModSecurity™ 2.x can get the maximum advantage from it. Unlike intrusion detection and prevention systems, the Core Rules do not rely on signatures specific to known vulnerabilities.<br />
The Core Rules provide generic protection against known and unknown vulnerabilities found in web applications (which are mostly custom coded, so their vulnerabilities are unknown). The Core Rules can be used as a step-by-step deployment guide for ModSecurity™.</p>
<p>The Core Rules Content</p>
<p>To provide generic protection for web applications, the Core Rules use the following methods:</p>
<p>1.     HTTP Protection &#8211; detects violations of the HTTP protocol and of a locally defined usage policy.<br />
2.     Real-time Blacklist Lookups &#8211; utilizes 3rd-party IP reputation.<br />
3.     Web-based Malware Detection &#8211; identifies malicious web content by checking against the Google Safe Browsing API.<br />
4.     HTTP Denial of Service Protections &#8211; defends against HTTP flooding and slow HTTP DoS attacks.<br />
5.     Common Web Attacks Protection &#8211; detects common web application security attacks.<br />
6.     Automation Detection &#8211; detects bots, crawlers, scanners and other surface malicious activity.<br />
7.     Integration with AV Scanning for File Uploads &#8211; detects harmful files uploaded through the web application.<br />
8.     Tracking Sensitive Data &#8211; monitors credit card usage and blocks leakages.<br />
9.     Trojan Protection &#8211; detects access to Trojan horses.<br />
10.  Identification of Application Defects &#8211; alerts on application misconfigurations.<br />
11.  Error Detection and Hiding &#8211; disguises error messages sent by the server.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infotales.com/open-web-application-security-project-owasp/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Difference Between 2G and 3G Technology</title>
		<link>http://www.infotales.com/difference-between-2g-and-3g-technology/</link>
		<comments>http://www.infotales.com/difference-between-2g-and-3g-technology/#comments</comments>
		<pubDate>Mon, 12 Sep 2011 18:13:48 +0000</pubDate>
		<dc:creator>boogieman</dc:creator>
				<category><![CDATA[Mobile]]></category>
		<category><![CDATA[2G]]></category>
		<category><![CDATA[3G]]></category>
		<category><![CDATA[CDMA]]></category>
		<category><![CDATA[FDMA]]></category>
		<category><![CDATA[GSM]]></category>
		<category><![CDATA[TDMA]]></category>
		<category><![CDATA[TDMA2000]]></category>
		<category><![CDATA[Wireless]]></category>

		<guid isPermaLink="false">http://www.infotales.com/?p=1414</guid>
		<description><![CDATA[In wireless communication, 2G denotes the second-generation technology and 3G denotes the third. As we all know, the demand for fast communication has increased to its maximum level, resulting in several standards for mobile communication. Among all the mobile technologies, 2G and 3G are the most dominant standards, which have revolutionized the industry of [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">In wireless communication, 2G denotes the second-generation technology and 3G denotes the third. As we all know, the demand for fast communication has increased to its maximum level, resulting in several standards for mobile communication. Among all the mobile technologies, 2G and 3G are the most dominant standards, which have revolutionized the industry of mobile communication in past years. Both standards focus on many targets and have resulted in many new technologies.</p>
<p style="text-align: justify;"><span id="more-1414"></span></p>
<p style="text-align: justify;"><strong>2G (GSM) Technology</strong></p>
<p style="text-align: justify;">2G is also known as the Global System for Mobile communication (GSM), which was the first step towards digital wireless communication over the prevailing analog mobile communication. The 2G technology standards were introduced in 1991, and a huge number of consumers has grown from that. This technology is the father of the SIM (Subscriber Identity Mobile), and it introduced a secure and clear communication mode in the mobile industry. GSM technology has been widely adopted all over the globe, and in today&#8217;s world most of the area of the globe is covered by GSM technology. GSM introduced a number of techniques, of which TDMA (Time Division Multiple Access) and FDMA (Frequency Division Multiple Access) are the most valuable. TDMA and FDMA help subscribers make calls within a given time frame. GSM also introduced the cell concept: each cell is responsible for covering a small area. There are also some standards for allocating bandwidth per user.</p>
<p style="text-align: justify;"><strong>3G Technology</strong></p>
<p style="text-align: justify;">3G technology is the mobile standard specification that is compatible with the IMT (International Mobile Telecommunications-2000) specs to support multimedia. Because the data rates of GSM&#8217;s air interface aren&#8217;t good enough to give high-quality performance to multimedia applications on mobile phones, the 3G specifications were released, giving various advanced technology options to provide multimedia application performance. 3G technology supports applications like location-based services, video streaming, high-speed internet and video calls. Japan launched the very first commercial 3G network in 2001.</p>
<p style="text-align: justify;">Some basic differences between 2G and 3G technologies are:</p>
<ol>
<li style="text-align: justify;">2G is the GSM specification intended for providing mobile communication for voice, and 3G is the specification for mobile communication with enhanced capabilities for mobile users beyond voice.</li>
<li style="text-align: justify;">The GSM air interface data rate is 270Kbps, while 3G allows a minimum of 2Mbps downlink when the mobile is stationary and 384Kbps while moving.</li>
<li style="text-align: justify;">GSM uses TDMA and FDMA as its multiple access technologies, and 3G utilizes variations of CDMA technology like WCDMA, CDMA2000 and CDMA2000 1X EV-DO.</li>
<li style="text-align: justify;">The A5 ciphering algorithm is used in 2G, and the more secure KASUMI encryption is used in 3G mobile communication.</li>
</ol>
<p style="text-align: justify;">
]]></content:encoded>
			<wfw:commentRss>http://www.infotales.com/difference-between-2g-and-3g-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is Brute Force Attack</title>
		<link>http://www.infotales.com/what-is-brute-force-attack/</link>
		<comments>http://www.infotales.com/what-is-brute-force-attack/#comments</comments>
		<pubDate>Mon, 12 Sep 2011 17:40:26 +0000</pubDate>
		<dc:creator>boogieman</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Brute force attack]]></category>
		<category><![CDATA[cracking]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[password cracking]]></category>

		<guid isPermaLink="false">http://www.infotales.com/?p=1409</guid>
		<description><![CDATA[During a brute force attack, the attacker tries to bypass the security mechanisms while having minimal information about them. Using one or more access methods, a dictionary attack (with or without mutations) or a brute-force attack (with given classes of characters, e.g. numeric, alphanumerical, special, case (in)sensitive), the attacker tries to achieve his goal. Using this attack method, [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">During a brute force attack, the attacker tries to bypass the security mechanisms while having minimal information about them. Using one or more access methods, a dictionary attack (with or without mutations) or a brute-force attack (with given classes of characters, e.g. numeric, alphanumerical, special, case (in)sensitive), the attacker tries to achieve his goal. Given the attack method, the number of attempts, the efficiency of the system that conducts the attack and the estimated efficiency of the system under attack, the attacker is able to estimate how long the attack will take. Attacks other than brute force usually fail, which is the reason why the brute force attack is very common among skilled hackers and attackers; even large companies test their portals with this attack to judge the resistance of their security mechanisms.</p>
<p style="text-align: justify;"><span id="more-1409"></span></p>
<p style="text-align: justify;">Example:</p>
<p style="text-align: justify;">The brute-force attack is commonly used for obtaining passcodes and bypassing access control. However, there are many tools, tips and tricks that use this attack to examine the catalogue structure of a web service and find information that is interesting from the attacker&#8217;s point of view. Most of these attacks target data in GET/POST form and, of course, user session IDs.</p>
<p style="text-align: justify;">Example:</p>
<p style="text-align: justify;">The first scenario is recovering passwords in decrypted form through a brute-force attack. In such cases, John the Ripper is a very helpful tool. The top 10 password cracking tools using different methods (including brute force) can be found at http://sectools.org/crackers.html .</p>
<p style="text-align: justify;">To test web services there are some tools like</p>
<ul style="text-align: justify;">
<li><a href="http://sourceforge.net/projects/dirb/">dirb </a></li>
<li><a href="http://www.cirt.dk/tools/webroot/WebRoot.txt">WebRoot </a></li>
</ul>
<p style="text-align: justify;">Dirb is one of the more advanced tools. Dirb can help us to:</p>
<ul style="text-align: justify;">
<li>set cookies</li>
<li>add HTTP headers</li>
<li>use a proxy</li>
<li>mutate objects that were found</li>
<li>test connections for http(s)</li>
<li>seek catalogues and/or files using defined dictionaries and templates</li>
<li style="text-align: justify;">and much more</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.infotales.com/what-is-brute-force-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Security Breach due to DigiNotar Certificates</title>
		<link>http://www.infotales.com/google-security-breach-due-to-diginotar-certificates/</link>
		<comments>http://www.infotales.com/google-security-breach-due-to-diginotar-certificates/#comments</comments>
		<pubDate>Sun, 11 Sep 2011 21:26:27 +0000</pubDate>
		<dc:creator>boogieman</dc:creator>
				<category><![CDATA[Google]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[diginotar]]></category>
		<category><![CDATA[diginotar certificates]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[gmail hacked]]></category>
		<category><![CDATA[hack]]></category>

		<guid isPermaLink="false">http://www.infotales.com/?p=1401</guid>
		<description><![CDATA[From Amsterdam: Experts say that the Government of Iran may have supported a hacking attack that allowed it to grab the Gmail of dissidents who thought they were using secure connections. Chicago-based internet security firm Vasco said on Wednesday that its subsidiary DigiNotar detected the hack attack on July 19, which compromised its [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">From Amsterdam:</p>
<p style="text-align: justify;">Experts say that the Government of Iran may have supported a hacking attack that allowed it to grab the Gmail of dissidents who thought they were using secure connections.</p>
<p style="text-align: justify;"><span id="more-1401"></span></p>
<p style="text-align: justify;">Chicago-based internet security firm Vasco said on Wednesday that its subsidiary DigiNotar detected the hack attack on July 19, which compromised its security guarantees for a number of domains including Google.com.</p>
<p style="text-align: justify;">The company then secretly tried to fix the damage from the attack, but it was alerted by the Dutch government on Monday that it had missed Google and some others.</p>
<p style="text-align: justify;">The people affected were primarily located in Iran, Google said on its online security blog. Google also said that Google Chrome users were not affected by this attack because Chrome was able to detect the fake certificates.</p>
<p style="text-align: justify;">To further protect the safety and privacy of users, Google planned to disable all DigiNotar certificates in Chrome until the investigation is completed, and Chrome users were given warning messages if they attempted to visit any website that has DigiNotar certificates. Similarly, it said that after consultation with Microsoft and Mozilla, users of the Microsoft Explorer and Firefox browsers would also receive warning messages if they attempted to visit any website that uses DigiNotar certificates.</p>
<p style="text-align: justify;">DigiNotar is a firm in the market for security certificates for the &#8220;SSL&#8221; cryptographic protocol; in effect, it acts as a digital notary, guaranteeing the privacy of communications between a user&#8217;s browser and a website. The company also said that hackers were somehow able to enter its infrastructure and issue fake certificates.</p>
<p style="text-align: justify;">F-Secure said that such certificates could have been used by a government or a corrupt internet service provider to reroute user traffic intended for Google without being detected.</p>
<p style="text-align: justify;">&#8220;We saw a similar attack in May,&#8221; the company said in a post about the incident on its website. &#8220;It&#8217;s likely the Government of Iran is using these techniques to monitor local dissidents.&#8221;</p>
<p style="text-align: justify;">DigiNotar did not respond quickly to requests for information about what other fake certificates were issued, or how many users may have been affected, and where.</p>
<p style="text-align: justify;">Vasco, the parent company of DigiNotar, said that DigiNotar accounts for only a tiny fraction of its business, and that the majority of DigiNotar&#8217;s offerings, including its security certificates for communication with the Dutch tax authority, were not affected.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infotales.com/google-security-breach-due-to-diginotar-certificates/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Mobile Google Analytics SDK for iOS new Version 1.3</title>
		<link>http://www.infotales.com/mobile-google-analytics-sdk-for-ios-new-version-1-3/</link>
		<comments>http://www.infotales.com/mobile-google-analytics-sdk-for-ios-new-version-1-3/#comments</comments>
		<pubDate>Fri, 09 Sep 2011 18:17:59 +0000</pubDate>
		<dc:creator>boogieman</dc:creator>
				<category><![CDATA[Google]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Analytics]]></category>
		<category><![CDATA[Google Analytic]]></category>
		<category><![CDATA[Mobile]]></category>

		<guid isPermaLink="false">http://www.infotales.com/?p=1395</guid>
		<description><![CDATA[Implementing Google Analytics in an iOS-based application has become easy with the new Google Analytics for Mobile Applications (SDK for iOS). The following document describes how the SDK can be integrated with applications. SDK&#8217;s Basic Overview Event Tracking Pageview Tracking Tracking Ecommerce Custom variables Overview Google Analytics for Mobile Apps SDKs has provided a [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Implementing Google Analytics in an iOS-based application has become easy with the new Google Analytics for Mobile Applications (SDK for iOS). The following document describes how the SDK can be integrated with applications.</p>
<p style="text-align: justify;"><span id="more-1395"></span></p>
<p style="text-align: justify;"><strong>SDK&#8217;s Basic Overview</strong></p>
<p style="text-align: justify;">Event Tracking</p>
<p style="text-align: justify;">Pageview Tracking</p>
<p style="text-align: justify;">Tracking Ecommerce</p>
<p style="text-align: justify;">Custom variables</p>
<p style="text-align: justify;">
<p style="text-align: justify;"><strong>Overview</strong></p>
<p style="text-align: justify;">
The Google Analytics for Mobile Apps SDKs provide a system for tracking activity within mobile applications and reporting that activity back to Google Analytics.</p>
<p style="text-align: justify;">The SDK can be used to calculate visits, session length, bounce rate, unique IPs, etc. Tracking a mobile application differs in structure from tracking a website. You should be familiar with the Analytics tracking system in order to understand how the SDK works. The SDK&#8217;s tracking model was developed to track visitors&#8217; activities on traditional websites and how they interact with widgets. That is why the terms used below reflect the website tracking model and are mapped onto tracking mobile applications. Use the mobile tracking SDK to track your phone applications with the following Analytics interaction types:</p>
<p style="text-align: justify;">
<p style="text-align: justify;"><strong>Event Tracking</strong></p>
<p style="text-align: justify;">Events are designed to track and record user interaction with web page elements separately from linkview/pageview requests. The event tracking feature of Google Analytics makes extra calls that are reported in the Event Tracking section of the Analytics report interface. Events are grouped into categories and may also use per-event labels, which gives flexibility in reporting. A good example is a multimedia application that could have pause/stop/play actions for its music category and assign a tag for each track name. Google Analytics reports would then aggregate all the events tagged with the Music category.</p>
<p style="text-align: justify;">
<p style="text-align: justify;"><strong>Pageview Tracking</strong></p>
<p style="text-align: justify;">&#8216;Pageview tracking&#8217; is the traditional name for measuring traffic volume on a website. Because mobile applications do not involve HTML pages, you must decide when and how often to trigger a pageview request. Pageview requests were designed to be reported on directory structures, so give the requests descriptive names to take advantage of page path naming in the Content reports in Google Analytics. The names will be recorded in your Analytics reports, so you can use this to your advantage by structuring paths to provide additional grouping for your calls.</p>
<p style="text-align: justify;">
<strong>Tracking Ecommerce</strong></p>
<p style="text-align: justify;">All shopping cart transactions and application purchases can be tracked by the Ecommerce tracking feature in your Analytics. To track all the transactions, call the addTransaction method to create an overall transaction, and the addItem method for every product in the shopping basket. Once the data has been collected, it can be viewed in the Ecommerce reporting section of the Google Analytics interface.</p>
<p style="text-align: justify;">
<strong>Custom Variables</strong></p>
<p style="text-align: justify;">To refine Google Analytics tracking, you can insert Custom variables (name-value pairs) as tags. Custom variables let you define additional segments to apply to your visitors, beyond the ones Google Analytics already provides. You will get the most out of Custom Variables once you understand the basic visitor interaction model used in Google Analytics. The visitor interacts with your content over time. This model records all of the visitor&#8217;s engagement and breaks it down into a hierarchy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infotales.com/mobile-google-analytics-sdk-for-ios-new-version-1-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Web Security Measures</title>
		<link>http://www.infotales.com/web-security-measures/</link>
		<comments>http://www.infotales.com/web-security-measures/#comments</comments>
		<pubDate>Thu, 08 Sep 2011 21:03:24 +0000</pubDate>
		<dc:creator>boogieman</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Web security]]></category>

		<guid isPermaLink="false">http://www.infotales.com/?p=1390</guid>
		<description><![CDATA[There has already been a lot of debate on the security measures which should be implemented on every website. There is a typical checklist approach of best practices. Usually a checklist is the first step toward securing a resource, and the checklist could be changed a bit according to the security required different type of [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">There has already been a lot of debate on the security measures which should be implemented on every website. There is a typical checklist approach of best practices. Usually a checklist is the first step toward securing a resource, and the checklist can be adjusted a little according to the security that different types of resources require.</p>
<p style="text-align: justify;"><span id="more-1390"></span></p>
<p style="text-align: justify;">This checklist is publicly available and very helpful for web server administrators, web developers and webmasters. If you haven&#8217;t considered all of these security factors when developing security for your web resource, I recommend that you view this checklist at least once and weigh it against your website&#8217;s security requirements.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">Encrypt the Login pages.</p>
<p style="text-align: justify;">Data validation must be done on the server side.</p>
<p style="text-align: justify;">Website should be managed via encrypted connections.</p>
<p style="text-align: justify;">Cross-platform compatible encryption should be strong.</p>
<p style="text-align: justify;">Never share login credentials.</p>
<p style="text-align: justify;">Key-based authentication should be preferred over password authentication.</p>
<p style="text-align: justify;">Always make sure that you have implemented very strong security measures that are applicable over all systems, not just those specific to web security.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">
<p style="text-align: justify;">Conclusion: Always make a complete checklist of security measures suited to your web resource, implement it carefully, and always do a final security test before launching your web resource.</p>
<p style="text-align: justify;">
]]></content:encoded>
			<wfw:commentRss>http://www.infotales.com/web-security-measures/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Bing and Twitter Integration</title>
		<link>http://www.infotales.com/bing-and-twitter-integration/</link>
		<comments>http://www.infotales.com/bing-and-twitter-integration/#comments</comments>
		<pubDate>Thu, 08 Sep 2011 20:40:43 +0000</pubDate>
		<dc:creator>boogieman</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Bing]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[search]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.infotales.com/?p=1385</guid>
		<description><![CDATA[Two years back, Bing contracted with Twitter to include tweets in internet searches. Now Microsoft has upgraded its search engine with Twitter and localized it in a new and improved way. The details of the renewed deal were not disclosed to the public. But it has been disclosed that Bing and [...]]]></description>
			<content:encoded><![CDATA[<p>Two years back, Bing contracted with Twitter to include tweets in internet searches. Now Microsoft has upgraded its search engine with Twitter and localized it in a new and improved way. The details of the renewed deal were not disclosed to the public. But it has been disclosed that Bing and Twitter are still in business together.</p>
<p><span id="more-1385"></span></p>
<p>Twitter and Google had almost the same business deal, but after the successful launch of Google&#8217;s social network Google+, the company decided not to renew its contract with Twitter, and is planning to launch a new and greater real-time search engine in the near future.</p>
<p>Bing &amp; Twitter vs. Google &amp; Google+</p>
<p>Now that we know that Twitter will be in business with Bing, we may see a very strategic business war between Google and Bing and Twitter, as both groups are strategically very strong. But, in today&#8217;s world, Google is the father and mother of all internet businesses. Let&#8217;s wait and see what strategies they will use.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infotales.com/bing-and-twitter-integration/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Freemium Business Models</title>
		<link>http://www.infotales.com/freemium-business-models/</link>
		<comments>http://www.infotales.com/freemium-business-models/#comments</comments>
		<pubDate>Thu, 08 Sep 2011 20:29:28 +0000</pubDate>
		<dc:creator>boogieman</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Business Models]]></category>
		<category><![CDATA[Cost free]]></category>
		<category><![CDATA[Experience]]></category>
		<category><![CDATA[free business]]></category>
		<category><![CDATA[freemium]]></category>
		<category><![CDATA[Marginal Cost]]></category>

		<guid isPermaLink="false">http://www.infotales.com/?p=1381</guid>
		<description><![CDATA[Freemium business models are techniques for offering your product to the public. Freemium teaches us two very different pricing strategies. In today&#8217;s world, good pricing strategies are very important for a product&#8217;s reputation. Unfortunately, many entrepreneurs do not adopt good pricing strategies; they often copy the price of a similar product. [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Freemium business models are techniques for offering your product to the public. Freemium teaches us two very different pricing strategies. In today&#8217;s world, good pricing strategies are very important for a product&#8217;s reputation. Unfortunately, many entrepreneurs do not adopt good pricing strategies; they often copy the price of a similar product.</p>
<p style="text-align: justify;"><span id="more-1381"></span></p>
<p style="text-align: justify;">
<p style="text-align: justify;">Offering your product for free is a very tricky strategy: consumers cannot see how, or what, the company is earning from them. In today&#8217;s world, a free product is very attractive to users, and they don&#8217;t care how the company is earning from them.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">Below are some key concepts which are followed by the world&#8217;s leading companies today.</p>
<p style="text-align: justify;">
<p style="text-align: justify;"><strong>Marginal Cost</strong>:</p>
<p style="text-align: justify;">
<p style="text-align: justify;">When competing for customers, pricing is most important. There is an economic law: &#8216;in a perfectly competitive market, the long-term product price (market clearing price) will be the marginal cost of production&#8217;. Because the costs of bandwidth and hosting keep falling, the marginal cost is minimal for most internet products.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">
<p style="text-align: justify;"><strong>Experience Good</strong>:</p>
<p style="text-align: justify;">
<p style="text-align: justify;">“Free” models are products or services offered to the customer at no charge. Most online products and services fall under the definition of an Experience Good: a product whose value is unknown to the customer until it has been used for a period of time.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">A good example is the Code Igniter framework. Programmers didn&#8217;t know what a framework could do; it is helping every programmer work 100 times faster than doing all the work without a framework.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">There has been a lot of research, and people have put a lot of effort and thought into Experience Goods. Carl Shapiro&#8217;s conclusion was &#8216;since customers tend to underestimate the value of a product, the optimal pricing for an experience good is a low introductory price which is then increased when the customer realizes the value of the product&#8217;.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">In some cases, customers may overestimate the product&#8217;s value. In such cases, the pricing strategy is to charge a high price at the start or to sign long-term contracts with customers.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">This is why customers want to try the product for free before paying or signing any contract with the company.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">Hence the conclusion: the introductory price is very important and effective for the product. If a company is confident that its product will become highly valued by customers, it introduces the product at a low price.</p>
<p style="text-align: justify;">
<p style="text-align: justify;"><strong>Psychology of Cost free products</strong>:</p>
<p style="text-align: justify;">
<p style="text-align: justify;">A lot has been written on this topic. Two books on the subject are &#8220;Free&#8221; by Chris Anderson and “Predictably Irrational” by Dan Ariely. Put simply, when people see a free product, their mind tells them that they have nothing to lose, but many people neglect to invest their time in a free product.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">With this approach, free is a big push to adoption. The other side of this approach is that it is almost impossible to attract people to purchase a product which is already on the market for free.</p>
<p style="text-align: justify;">
<p style="text-align: justify;"><strong>Decision Factors</strong>:</p>
<p style="text-align: justify;">
<p style="text-align: justify;">In today&#8217;s world, Freemium has the biggest market share. But the decision is not an easy one to make; we need a very strong business strategy before putting a product on the market for free. After all, every action is taken to gain something.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">If we do not need the company to have a big market share and want it to earn $8000 to $10000 a month, setting an appropriate price would be a good decision; but when the aim is a dominant company with a good market share, Freemium is the way to push adoption.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">Free users have great value for all successful freemium companies, and there are many ways of making or saving money from them: making money from ads or data, or saving on marketing costs. The most important strategy when serving free users is to spend as little money and time as possible, or you will lose a lot. The cost of serving a single free user must be 50% lower than what we are earning from him.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">How huge is the market? It has been said that the easiest way to get 1 million people paying is to get another 10 million people using. Advertising is another big contributor to internet business. When a person visits your web portal, he may come empty-handed, but he must not leave without making revenue for you. This is one of the best ways to generate revenue from a visitor who doesn&#8217;t pay you anything, and if you have a good market reputation, people will surely visit and generate handsome revenue for your business.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">
<p style="text-align: justify;"><strong>The Types of “Free”</strong></p>
<p style="text-align: justify;">
<p style="text-align: justify;">The key factor in making Freemium work is the structure of what you are offering. What is it that you are offering for free? There are several different kinds of free strategy. Let&#8217;s discuss some popular ones:</p>
<p style="text-align: justify;">
<p style="text-align: justify;">Freemium &#8220;True&#8221;: Offer a version of the product for free and charge for the other versions or updates. There are two techniques.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">Value based – When we give our product away for free, we can still keep the add-ons for sale. Using this strategy we can gather a good number of free users for our basic product, and because our free users will of course face some limitations, we can convert 80% of them into paying customers. Dropbox is a beautiful example of this strategy.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">Characteristic based – For example, we offer a free product for a single user only, with a limitation on use by multiple users or an organisation. This strategy won&#8217;t convert 80% of free users into revenue-generating customers, but it is also a good strategy to follow. The more users know your product, the more customers you can get.</p>
<p style="text-align: justify;">Free Product for a Cross Subsidy &#8211; Giving one product for free and charging for complementary products.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">Time Based Free Trial – This strategy is followed by a lot of companies. Give the product away for free for some days to build the user&#8217;s interest. We can also earn from the user who is never going to pay for the product: we can add some ads to our free trial so that we get revenue anyway.</p>
<p style="text-align: justify;">
<p style="text-align: justify;">There are many factors which can help generate high revenue from your products, but if the product is not good for anything, nothing in the world can help it generate revenue. So when you start making your product, please research the market&#8217;s needs thoroughly, or you will waste your time and money.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infotales.com/freemium-business-models/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

