<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7027123</id><updated>2012-01-24T21:13:00.325+01:00</updated><category term='apache'/><category term='listview in a listview'/><category term='technology'/><category term='language processing'/><category term='vendor risk'/><category term='quantification'/><category term='IDS'/><category term='daemonlogger'/><category term='Risk Management'/><category term='p2p'/><category term='class cast exception'/><category term='ajax'/><category term='listview'/><category term='IPS'/><category term='risk quantification'/><category term='ajaxfallbacklink'/><category term='open source'/><category term='risk'/><category term='SLA'/><category term='AMD ATI 4850 linux ubuntu'/><category term='train'/><category term='silo'/><category term='db4o'/><category term='nuclear'/><category term='repaint'/><category term='predictions 2009'/><category term='peer-to-peer'/><category term='implementation risk'/><category term='Operational Risk'/><category term='wicket'/><category term='maven db4o war-plugin dependency jar war netbeans'/><category term='tap'/><category term='openvpn'/><category term='open services'/><category term='automation'/><category term='monte carlo'/><category term='scheduling'/><title type='text'>Skeptical Inquirer</title><subtitle type='html'>Pursuing the ironic debunking of commercial myths and accidentally creating some others.

Copyright reserved by the Authors.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>27</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7027123.post-2024251870052956507</id><published>2012-01-18T14:06:00.004+01:00</published><updated>2012-01-18T14:09:10.626+01:00</updated><title type='text'>When customers hurt</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;I recently went cycling with my wife in Sri Lanka and booked a flight with KLM. We paid loads extra for the seats because there were no direct flights to Colombo and we wanted to take bikes with us. We called KLM and even visited Schiphol airport to ensure that there would be no problems with taking bikes. Ok, so the tickets cost twice the price of the alternatives, but at least one company is handling our bikes and transfers?&lt;br /&gt;&lt;div&gt;&lt;br /&gt;Sadly, I missed the small print on the booking page that indicated (or so it's claimed) that the flight to Sri Lanka was subcontracted to Delta Airlines (Amsterdam to Mumbai) and Jet Airways (Mumbai to Colombo). 
In itself not really a big problem, except:&lt;/div&gt;&lt;div&gt;&lt;ol style="text-align: left;"&gt;&lt;li&gt;The terms and conditions for each carrier are different (so on arrival at the airport, we had to pay EU300 per leg extra to take our bikes along). This is exactly the reason why I booked with KLM: to avoid having to deal with multiple companies.&lt;/li&gt;&lt;li&gt;If for whatever reason you have concerns about flying with an American carrier over Iran and Iraq, then you had best know this before you get on the plane.&lt;/li&gt;&lt;li&gt;Lastly, the booking systems are not integrated, so if you try to fly with a family, be prepared to negotiate with other passengers to change seats so that your 7-year-old daughter doesn't fly alone.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;div&gt;The whole situation was unpleasant and I wrote KLM a letter, after which they called me, apologised and refunded the costs of the bikes. KLM monitors Twitter and normally responds quickly to complaints.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;But&lt;/b&gt;, what I find missing is the failure of the company to grasp that their solution, &lt;i&gt;that customers should read the fine print when booking flights&lt;/i&gt;, completely fails to solve the problem of pushing the pain of dealing with their fragmented supply chain onto the customers.&lt;br /&gt;&lt;br /&gt;Why would I book with KLM if I can book for 50% of the cost via Expedia and face the same pain of dealing with different carriers on a single journey? 
This broken interface to customers is basically making it impossible to support KLM, and unless they define and measure their customer experience, they cannot ask for loyalty.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-2024251870052956507?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/2024251870052956507/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=2024251870052956507' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/2024251870052956507'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/2024251870052956507'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2012/01/when-customers-hurt.html' title='When customers hurt'/><author><name>Pieter Claassen</name><uri>https://profiles.google.com/104142033930897890517</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh4.googleusercontent.com/-JnO-paQZChY/AAAAAAAAAAI/AAAAAAAAAGM/sWKlfie3xoA/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-8165782658831105320</id><published>2011-06-24T08:28:00.000+02:00</published><updated>2012-01-18T13:58:18.773+01:00</updated><title type='text'>Why balance suck</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Peter Thiel wrote an exceptional analysis &lt;a href="http://www.hoover.org/publications/policy-review/article/5646"&gt;here&lt;/a&gt; on the impact of survivor bias on stock evaluations.&lt;br /&gt;&lt;br /&gt;His analysis was driven 
by "fears of antediluvian apocalypse". He was basically trying to determine what stock to invest in in the long run, and concluded very wisely that a collapse of the market skews our evaluation of stock, since we exclude the catastrophic scenarios from our evaluations.&lt;br /&gt;&lt;br /&gt;I believe he meta-identifies the following theories:&lt;br /&gt;&lt;br /&gt;&lt;ol style="text-align: left;"&gt;&lt;li&gt;Apocalypse cannot be avoided, but it is a question of when.&lt;/li&gt;&lt;li&gt;Our investment hastens or delays apocalypse.&lt;/li&gt;&lt;li&gt;Balance is an optimal strategy to maximise gains. Unconstrained globalization suggests efficient markets, but they are not.&lt;/li&gt;&lt;/ol&gt;So, here is what I think/feel:&lt;br /&gt;&lt;br /&gt;Balance (like in "the force") will possibly encourage globalisation that is good for us (more efficient markets?) while curbing globalization in a healthy way will keep us responsible in terms of a sustainable future.&lt;br /&gt;&lt;ol style="text-align: left;"&gt;&lt;li&gt;The information virus in us desires to survive as long as possible.&lt;/li&gt;&lt;li&gt;All the money in the world can just buy other money and not survival.&lt;/li&gt;&lt;li&gt;So, to survive, we should resist globalization, unless...&lt;/li&gt;&lt;li&gt;We get trapped in a local maximum (like the fire departments in New York at the turn of the previous century) that could have been avoided by a more efficient market.&lt;/li&gt;&lt;li&gt;So survival is about resisting growth while revolution is about supporting globalization.&lt;/li&gt;&lt;/ol&gt;We always seem to favor gambling/genetic algorithms/revolution over evolution/optimization/risk management. 
Well, at least the men in our society do that.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-8165782658831105320?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/8165782658831105320/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=8165782658831105320' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/8165782658831105320'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/8165782658831105320'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2011/06/why-balance-suck.html' title='Why balance suck'/><author><name>pieter claassen</name><uri>https://profiles.google.com/114695374260710975986</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-6SkMLZhxp7A/AAAAAAAAAAI/AAAAAAAAAAA/VvEqy4GvqNk/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-2045121740872454838</id><published>2010-07-03T12:37:00.003+02:00</published><updated>2012-01-18T14:11:43.678+01:00</updated><title type='text'>Supply and demand principles in product pricing</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;span style="font-size: large;"&gt;Cheap now, pay later&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Imagine the following situation: You buy a new laptop, but are offered a number of options. 
The same hardware/software configuration can be bought cheaply if you are prepared to have certain functionality switched off, or expensively with all functionality enabled.&lt;br /&gt;&lt;br /&gt;There are many real-world examples of this phenomenon:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Microsoft's family of operating systems, all built from the same source but with functionality enabled/disabled based on the end-user pricing, so the home version is cheap but has no corporate authentication, etc.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Mobile phones, where the phone is "jailed" and functionality enabled/disabled based on the pricing options/desires of the network providers.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;This basic principle is of course closely aligned with supply and demand pricing principles. In supply pricing, you charge a fixed margin on your product (your profit) irrespective of the utility or ultimate value of the product to the end consumer. If you then find out that the product is very useful to the end user and they are prepared to pay more than what you were charging them, and, very importantly, there is some commercial reason why you can charge them more (mostly no competitor to undercut you), then you switch to demand pricing and increase your profit to the maximum that the client will pay.&lt;br /&gt;&lt;br /&gt;Both supply and demand pricing are around in many forms today and they both have their supporters.&lt;br /&gt;&lt;br /&gt;Here is my take on supply and demand pricing:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Unprotected and efficient markets are in general inclined to stick to supply pricing, because competitors undercut each other when pricing is increased, thereby keeping the price as low as possible for customers. 
Standards and consumer protection are an issue, since fierce competition drives unscrupulous suppliers to cut corners.&lt;/li&gt;&lt;li&gt;In the IT world, where technology choices result in lock-in, the formation of a protected market (which can easily be argued to be inefficient) results in pricing quickly moving to demand pricing. Examples of this are software licensing models, such as the example of Microsoft's operating systems mentioned above, and sometimes even hardware leasing models (a machine is supplied with 2 processors, but only one is switched on unless you pay more).&lt;/li&gt;&lt;li&gt;The mobile phone industry is basically a huge cartel because the market is in effect protected. So the mobile operators supply a data connection to their consumers, but pricing is variable based on which application generates the data (voice is metered by the minute and based on geographical origin or source, while data is a flat monthly rate). Suddenly, the service providers are spending energy trying to stop you from doing things that are technologically completely feasible (for instance, putting voice over a data connection).&lt;/li&gt;&lt;li&gt;Security abhors demand pricing. The bulk of security challenges today originates where suppliers force clients into a certain mode of operation: if the client can circumvent the controls that the supplier imposed on him/her, then they can increase the value of their product. 
Examples include digital content provision, mobile phones, many online services, etc.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;I suspect that the Nexus 1 (Google's phone) will provide its owners with root access to the phone, and this will remove the bulk of the headaches, from a security perspective, for the service providers, as they cannot control the technology on the phone to enforce user behavior.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Complexity as an indication of a raw deal &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;When a client sees demand pricing, it should be clear that they are not getting the best possible deal (take note, European Commissioner for Competition: this is a great way to determine the impact of legislation that results in protection of markets). Increased complexity of deals and an overabundance of rules is an indication that the consumer is getting a raw deal.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;The role of government in competition &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Lastly, how should the mobile phone networks have been built in order to circumvent the demand pricing in place today?&lt;br /&gt;&lt;br /&gt;One option would have been for governments to provide the call distribution infrastructure (cell towers and back-haul) and allow companies to compete with each other on it; the competition would probably have encouraged innovation and better pricing strategies. 
However, this huge new government department might itself quickly become the problem, and probably should itself be given to the private sector and fragmented over a number of suppliers.&lt;br /&gt;&lt;br /&gt;By separating the companies that supply the communication infrastructure from those that sell the services on it, you keep free enterprise alive by providing choice to all parties, unlike the current situation where a company like Vodafone controls not only the distribution infrastructure but everything up to the instruments and what software runs on them.&lt;br /&gt;&lt;br /&gt;The idea of governments selling a limited number of licenses to successful bidders to own all aspects of the mobile services, in order to raise short-term revenue, was a short-sighted view that now has us in a stranglehold of demand pricing.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-2045121740872454838?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/2045121740872454838/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=2045121740872454838' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/2045121740872454838'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/2045121740872454838'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2010/07/supply-and-demand-principles-in.html' title='Supply and demand principles in product pricing'/><author><name>pieter claassen</name><uri>https://profiles.google.com/114695374260710975986</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' 
height='32' src='//lh6.googleusercontent.com/-6SkMLZhxp7A/AAAAAAAAAAI/AAAAAAAAAAA/VvEqy4GvqNk/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-2666792364631579545</id><published>2010-07-03T10:33:00.020+02:00</published><updated>2010-07-03T11:21:48.948+02:00</updated><title type='text'>Passing objects to Page constructors in wicket</title><content type='html'>When you pass data through models into Page constructors in Wicket, you have to be careful about how you treat that data.&lt;br /&gt;&lt;br /&gt;Do not store the underlying object returned by getObject() on the Wicket page. If you do, you can end up with duplicates in your database, memory problems because domain objects are kept in your Wicket session, Hibernate errors, and so on.&lt;br /&gt;&lt;br /&gt;&lt;pre class="java" name="code"&gt;import org.apache.wicket.markup.html.WebPage;&lt;br /&gt;import org.apache.wicket.markup.html.list.ListView;&lt;br /&gt;import org.apache.wicket.model.IModel;&lt;br /&gt;import org.apache.wicket.model.LoadableDetachableModel;&lt;br /&gt;&lt;br /&gt;// Anti-pattern: the object is copied out of the model and kept in a field,&lt;br /&gt;// so it is serialised with the page and outlives its Hibernate session.&lt;br /&gt;public class Test extends WebPage {&lt;br /&gt;&lt;br /&gt;    private Object object;&lt;br /&gt;&lt;br /&gt;    public Test(IModel model) {&lt;br /&gt;        object = model.getObject(); // do not do this&lt;br /&gt;    }&lt;br /&gt;&lt;br /&gt;    public void doStuff() {&lt;br /&gt;        IModel model = new LoadableDetachableModel() {&lt;br /&gt;            protected Object load() {&lt;br /&gt;                return object; // "reloads" the stale field instead of the database&lt;br /&gt;            }&lt;br /&gt;        };&lt;br /&gt;        ListView view = new ListView("list", model) {&lt;br /&gt;            ......&lt;br /&gt;        };&lt;br /&gt;        add(view);&lt;br /&gt;    }&lt;br /&gt;}&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;If you need to pass data into the page constructor, then store them as models and remember to manually detach them in onDetach().&lt;br /&gt;&lt;br /&gt;&lt;pre class="java" name="code"&gt;import org.apache.wicket.markup.html.WebPage;&lt;br /&gt;import org.apache.wicket.markup.html.list.ListView;&lt;br /&gt;import org.apache.wicket.model.IModel;&lt;br /&gt;&lt;br /&gt;// Keep the model, not the object it wraps, and detach it at the end of the request.&lt;br /&gt;public class Test extends WebPage {&lt;br /&gt;    private IModel objectModel;&lt;br /&gt;&lt;br /&gt;    public Test(IModel model) {&lt;br /&gt;        objectModel = model; // only the (detachable) model is held on the page&lt;br /&gt;    }&lt;br /&gt;&lt;br /&gt;    @Override&lt;br /&gt;    protected void onDetach() {&lt;br /&gt;        super.onDetach();&lt;br /&gt;        objectModel.detach(); // release the domain object so it is not serialised with the page&lt;br /&gt;    }&lt;br /&gt;&lt;br /&gt;    public void doStuff() {&lt;br /&gt;        ListView view = new ListView("list", objectModel) {&lt;br /&gt;            ......&lt;br /&gt;        };&lt;br /&gt;        add(view);&lt;br /&gt;    }&lt;br /&gt;}&lt;br /&gt;&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-2666792364631579545?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/2666792364631579545/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=2666792364631579545' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/2666792364631579545'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/2666792364631579545'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2010/07/another-look-at-wicket-models.html' title='Passing objects to Page constructors in wicket'/><author><name>pieter claassen</name><uri>https://profiles.google.com/114695374260710975986</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-6SkMLZhxp7A/AAAAAAAAAAI/AAAAAAAAAAA/VvEqy4GvqNk/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-5762632956714445583</id><published>2009-12-18T07:47:00.000+01:00</published><updated>2009-12-18T07:47:08.293+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='silo'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='nuclear'/><title type='text'>How to build a trigger</title><content type='html'>I enjoyed this article about a visit to a nuclear 
silo.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.crypto.com/blog/titans"&gt;http://www.crypto.com/blog/titans&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-5762632956714445583?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/5762632956714445583/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=5762632956714445583' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/5762632956714445583'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/5762632956714445583'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2009/12/how-to-build-trigger.html' title='How to build a trigger'/><author><name>pieter claassen</name><uri>https://profiles.google.com/114695374260710975986</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-6SkMLZhxp7A/AAAAAAAAAAI/AAAAAAAAAAA/VvEqy4GvqNk/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-3038559847769831268</id><published>2009-11-17T21:46:00.011+01:00</published><updated>2009-11-18T10:22:07.823+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='repaint'/><category scheme='http://www.blogger.com/atom/ns#' term='ajaxfallbacklink'/><category scheme='http://www.blogger.com/atom/ns#' term='wicket'/><category scheme='http://www.blogger.com/atom/ns#' term='listview'/><category scheme='http://www.blogger.com/atom/ns#' term='ajax'/><category scheme='http://www.blogger.com/atom/ns#' term='listview in a listview'/><title 
type='text'>Updating ListView in a ListView with an Ajax behaviour</title><content type='html'>I have a list of questions that I format in a template in a two-dimensional array. Why? Because this stuff is going to be printed out and therefore needs to fit neatly on a page before being iTexted into a pdf/rtf or excel spreadsheet.&lt;br /&gt;&lt;br /&gt;The objective is to use Ajax links to update data in a ListView without forcing the whole page to be reloaded from the server (why? Firstly, because the page would be reloaded at the top and you would lose your position on it, and secondly, because Ajax gives a faster user experience since less data is sent back and forth).&lt;br /&gt;&lt;br /&gt;But in order to do this, we face two major challenges:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;We need to find a target for our AjaxRequestTarget to repaint, so that our ListViews can be refreshed to reflect any changes to the list, e.g. if we changed the question order.&lt;/li&gt;&lt;li&gt;We need to find a way to update the underlying data for the ListView while also updating our domain objects to persist the data in the database.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;But in the spirit of OO development, we have been embedding panels in panels, and suddenly we need to get a handle on our rendering container for re-painting while also getting hold of the ListView data (by calling listview.getList()) for updating.&lt;br /&gt;&lt;br /&gt;So the strategy is:&lt;br /&gt;&lt;span style="font-size: large;"&gt;Step 1&lt;/span&gt;&lt;br /&gt;Firstly, add all our ListViews to a WebMarkupContainer in order to target it for re-rendering (Listings 1 and 2). Note that we are passing the container into the subpanels because we need to keep track of it for re-rendering. 
It is also possible to retrieve this container by ID (see Listing 4).&lt;br /&gt;&lt;br /&gt;&lt;pre class="java" name="code"&gt;import java.util.List;&lt;br /&gt;import org.apache.wicket.markup.html.WebMarkupContainer;&lt;br /&gt;import org.apache.wicket.markup.html.list.ListItem;&lt;br /&gt;import org.apache.wicket.markup.html.list.ListView;&lt;br /&gt;import org.apache.wicket.model.CompoundPropertyModel;&lt;br /&gt;&lt;br /&gt;public class QuestionEditPanel extends QuestionRenderPanel {&lt;br /&gt;&lt;br /&gt;    public QuestionEditPanel(String id, final TemplateWebModel templatewebmodel) {&lt;br /&gt;        super(id);&lt;br /&gt;        List&amp;lt;QuestionBase&amp;gt; initial = templatewebmodel.getEntity().getQuestions();&lt;br /&gt;        final WebMarkupContainer container = new WebMarkupContainer("container"); //container that will hold our listviews for repainting&lt;br /&gt;        container.setOutputMarkupId(true); //needed so the Ajax response can find the element to replace&lt;br /&gt;        ListView rowslistview = new ListView("rows", QuestionProcessor.getListToMatrixWithLF(initial)) {&lt;br /&gt;&lt;br /&gt;            @Override&lt;br /&gt;            protected void populateItem(ListItem item) {&lt;br /&gt;                List&amp;lt;QuestionBase&amp;gt; row = (List&amp;lt;QuestionBase&amp;gt;) item.getModelObject();&lt;br /&gt;                ListView rowlistview = new ListView("row", row) {&lt;br /&gt;&lt;br /&gt;                    @Override&lt;br /&gt;                    protected void populateItem(ListItem item) {&lt;br /&gt;                        final QuestionBase question = (QuestionBase) item.getModelObject();&lt;br /&gt;                        item.setModel(new CompoundPropertyModel(question));&lt;br /&gt;                        QuestionBaseWebModel questionmodel = new QuestionBaseWebModel(question);&lt;br /&gt;                        item.add(new EditableQuestionPanel("question", questionmodel, templatewebmodel, container)); //note that the container is what we will repaint&lt;br /&gt;                    }&lt;br /&gt;                };&lt;br /&gt;                item.add(rowlistview);&lt;br /&gt;            }&lt;br /&gt;        };&lt;br /&gt;        add(container);&lt;br /&gt;        container.add(rowslistview);&lt;br /&gt;    }&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;&lt;/pre&gt;&lt;b&gt;Listing 1 QuestionEditPanel.java&lt;br 
/&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;pre class="xml" name="code"&gt;&amp;lt;?xml version="1.0" encoding="UTF-8"?&amp;gt;&lt;br /&gt;&amp;lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&amp;gt;&lt;br /&gt;&amp;lt;html xmlns:wicket&amp;gt;&lt;br /&gt;    &amp;lt;head&amp;gt;&lt;br /&gt;        &amp;lt;meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/&amp;gt;&lt;br /&gt;        &amp;lt;title&amp;gt;QuestionRenderPanel&amp;lt;/title&amp;gt;&lt;br /&gt;    &amp;lt;/head&amp;gt;&lt;br /&gt;    &amp;lt;body&amp;gt;&lt;br /&gt;        &amp;lt;wicket:extend&amp;gt;&lt;br /&gt;            &amp;lt;div id="document"&amp;gt;&lt;br /&gt;                &amp;lt;span wicket:id="container"&amp;gt;&lt;br /&gt;                    &amp;lt;div wicket:id="rows"&amp;gt;&lt;br /&gt;                        &amp;lt;span wicket:id="row"&amp;gt;&lt;br /&gt;                            &amp;lt;span wicket:id="question" /&amp;gt;&lt;br /&gt;                        &amp;lt;/span&amp;gt;&lt;br /&gt;                    &amp;lt;/div&amp;gt;&lt;br /&gt;                &amp;lt;/span&amp;gt;&lt;br /&gt;            &amp;lt;/div&amp;gt;&lt;br /&gt;        &amp;lt;/wicket:extend&amp;gt;&lt;br /&gt;    &amp;lt;/body&amp;gt;&lt;br /&gt;&amp;lt;/html&amp;gt;&lt;br /&gt;&lt;br /&gt;&lt;/pre&gt;&lt;b&gt;Listing 2 QuestionEditPanel.html&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Step 2&lt;/span&gt;&lt;br /&gt;Update both the domain model and the underlying data model for the ListView (Listing 3). Note the replication as you need to do the same thing twice (or you can update the domain model and retrieve the updated values to set the ListView model appropriately). 
So, to be clear, the ListView does not know when its data changes, and therefore even if you update the domain model, you still have to manually change the data and set the value on the ListView (Listing 4).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;pre class="java" name="code"&gt;AjaxFallbackLink up = new AjaxFallbackLink("up") {&lt;br /&gt;&lt;br /&gt;    @Override&lt;br /&gt;    public void onClick(AjaxRequestTarget target) {&lt;br /&gt;        AbstractDataSet dataset = datasetmodel.getEntity(); //domain object where we store questions&lt;br /&gt;        dataset.moveQuestionUp(question); //move the question up on the domain object&lt;br /&gt;        List list = QuestionProcessor.getMatrixToList(getRowListData()); //turn our matrix into a list&lt;br /&gt;        QuestionProcessor.moveQuestionUp(list, question); //move the question up in the list&lt;br /&gt;        setRowListData(getListToMatrix(list)); //set the list as the underlying data for the listview&lt;br /&gt;        adsf.store(dataset); //store our domain model to not lose changes&lt;br /&gt;        if (target != null) { //target is null when the link falls back to a normal request (no JavaScript)&lt;br /&gt;            target.addComponent(outercontainer); //add our container for re-rendering&lt;br /&gt;        }&lt;br /&gt;    }&lt;br /&gt;};&lt;br /&gt;&lt;/pre&gt;&lt;b&gt;Listing 3 QuestionNavigationPanel.java (part 1)&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;pre class="java" name="code"&gt;private ListView findRowsListView() {&lt;br /&gt;    MarkupContainer container = getParent();&lt;br /&gt;    while (container != null) { //We traverse all the parents until we find the one called "rows"&lt;br /&gt;        if ("rows".equals(container.getId())) {&lt;br /&gt;            break;&lt;br /&gt;        }&lt;br /&gt;        container = container.getParent();&lt;br /&gt;    }&lt;br /&gt;    if (!(container instanceof ListView)) {&lt;br /&gt;        throw new IllegalStateException("no enclosing ListView with id \"rows\"");&lt;br /&gt;    }&lt;br /&gt;    return (ListView) container;&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;private List getRowListData() {&lt;br /&gt;    return findRowsListView().getList();&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;private void setRowListData(List data) {&lt;br /&gt;    findRowsListView().setList(data);&lt;br /&gt;}&lt;br /&gt;&lt;/pre&gt;&lt;b&gt;Listing 4 &lt;/b&gt;&lt;b&gt;QuestionNavigationPanel.java (part 2)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;In summary&lt;/span&gt;&lt;br /&gt;Once this is done, your AjaxFallbackLink will move a question up or down, or delete it from a row, update the domain model so that the changes persist in the database, and then modify the model for the ListView. The ListView must be added to a container that is then re-drawn by the Ajax behaviour.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-3038559847769831268?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/3038559847769831268/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=3038559847769831268' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/3038559847769831268'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/3038559847769831268'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2009/11/updating-listview-in-listview-with-ajax.html' title='Updating ListView in a ListView with an Ajax behaviour'/><author><name>pieter 
claassen</name><uri>https://profiles.google.com/114695374260710975986</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-6SkMLZhxp7A/AAAAAAAAAAI/AAAAAAAAAAA/VvEqy4GvqNk/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-8050432384931968254</id><published>2009-11-16T08:37:00.007+01:00</published><updated>2009-11-16T11:14:50.278+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SLA'/><category scheme='http://www.blogger.com/atom/ns#' term='open source'/><category scheme='http://www.blogger.com/atom/ns#' term='open services'/><title type='text'>Open Service Definition</title><content type='html'>Now that the Open Source revolution is old hat, we look towards the bright future of cloud computing. Technically, OSS (Open Source Software) provided us with the right to modify code, run it ourselves, distribute it and still protect the rights of the producer to have the benefit of our improvements (and protection against unfair competition from us).&lt;br /&gt;&lt;br /&gt;From a business point of view, OSS has had 3 major consequences:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;It provided an escape clause from vendor lock-in. If the client and vendor had a falling-out over price/functionality etc., the client could move/fork/hire an alternative while still using the same code base.&lt;/li&gt;&lt;li&gt;OSS provided clients with ownership over their data. This is a subtle but very significant change. If the source of the program is open, then the data is by definition open as well (even if you only use the source to dump the data in a different format).&lt;/li&gt;&lt;li&gt;In a nutshell, OSS brought balance to the force by redistributing solution ownership/risk to the clients who were interested in and capable of taking it.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;That was great for libertarian ideas. 
But the world has moved on.&lt;br /&gt;&lt;br /&gt;Cloud computing suddenly made OSS obsolete (well, from the average client's point of view). Compare Google Apps with Microsoft's online Office. They both provide the same functionality and we don't know which portions of each product are really OSS, because we don't come directly into contact with the code. We see only the service.&lt;br /&gt;&lt;br /&gt;Which brings me to my discussion in this article. In a nutshell, what must Online Services offer the client to provide the equivalent benefits that OSS brought clients in the local execution model?&lt;br /&gt;&lt;br /&gt;Firstly, why does this matter? Why should you be concerned about this?&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Imagine you build your business on Google Apps and at some point, you are not happy with their security/costs/whatever and want to move on. If you cannot get your data out of the system in a reasonable way, then you are locked into them.&lt;/li&gt;&lt;li&gt;Imagine you suddenly find your sensitive company details in Google's search engine. 
Somewhere in the EULA you agreed to have your data accessed and now you don't like it anymore (but it is too late).&lt;/li&gt;&lt;li&gt;Imagine Google kills off all the competitors with their "free" service, and then suddenly after all the competition is dead, they start charging exorbitant fees.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-size:180%;"&gt;Open Service Agreement&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I believe online vendors should subscribe to the Open Service Agreement and it should contain the following provisions.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Privacy&lt;/span&gt;&lt;br /&gt;All services come in one of three formats (Service providers to indicate their position here):&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Encrypted storage&lt;/span&gt; means your data is encrypted with a key that only you have and therefore it is truly secure, irrespective of the domain where the data is located. The Provider must state the encryption algorithms and which implementation of the algorithms they use (so that you know if/when your data is vulnerable to an exploit).&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Confidential storage&lt;/span&gt; is a best-endeavour effort by the service provider. So data is not encrypted but, all things being equal, will be kept safely, securely and isolated from other customers' data on the Provider's online storage.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Confidential storage with service analysis &lt;/span&gt;where the provider informs you he/she will access your data for value-added provisions, after all &lt;span style="font-weight: bold;"&gt;personal bias&lt;/span&gt; has been removed. That means the provider can access trends in your data for their own purposes, but under no circumstances can they allow the data to be connected to you. 
This is a provision that is very specific to the data being stored because, for instance, if the service provider publishes a trend that indicates that the only person who owns a &lt;strong&gt;Xoloitzcuintli&lt;/strong&gt; dog in Amsterdam also has AIDS, then it is relatively easy for your neighbours to conclude that it might be you if you are the owner of such a dog (based on the rarity of the breed).&lt;/li&gt;&lt;li&gt;The &lt;span style="font-style: italic;"&gt;deletion is final clause&lt;/span&gt; states that a provider must provide assurances that data is completely deleted when you delete it. Delete means it is gone and cannot be retrieved for whatever reason at all.&lt;/li&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Protection from invasion&lt;/span&gt; requires the provider to state their legal position on enforcing the privacy of your data. That means that they have to state in which legal domain/country the data is stored, what the local laws are regarding the state and other people accessing your data and the provider's position on protecting your privacy.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Continuity&lt;/span&gt;&lt;br /&gt;Continuity addresses concerns regarding your business continuity when you want to move away from the provider or if the provider stops offering the service.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;The provider shall provide &lt;span style="font-style: italic;"&gt;Export formats&lt;/span&gt; in which you can download all your data in some open format. Open format in this case means a clearly defined and open-source-supported format such as XML, for which tools exist to manipulate the data.&lt;/li&gt;&lt;li&gt;The provider shall provide an &lt;span style="font-style: italic;"&gt;efficient export solution. 
&lt;/span&gt;Efficiency means that you can download your data in a reasonable time and with reasonable effort.&lt;/li&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;"Living will" code escrow&lt;/span&gt; is a provision in which the provider keeps the source code to the product closed, but assures you that, in the case of their demise, the source code will be available from an escrow scheme under an appropriate license for you to transition your business to another product. Providers should state whether or not they provide this.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-size:130%;"&gt;Service Level Agreement&lt;/span&gt;&lt;br /&gt;SLAs have been around for a long time in the big IT industry, but the relevance of SLAs is even more profound in the cloud computing services model.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Minimum downtime&lt;/span&gt; is a clause to provide assurances as to the minimum downtime guaranteed for the service.&lt;/li&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Service history publication&lt;/span&gt; is a statement from the Service Provider where they agree to publish their performance history so that clients can decide for themselves whether the Provider is compliant with their own SLA claims.&lt;/li&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Transaction performance guarantee&lt;/span&gt; is a statement as to what the distribution of maximum round trip times will be for the application. 
This is an indication of how long a client can expect transactions to take on average, with an indication of the worst case scenario.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Free (as in beer)&lt;/span&gt;&lt;br /&gt;What does it mean when a service is free and what are the responsibilities of the client and provider to each other in this case?&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Lifetime utility&lt;/span&gt; means the product stays free for the lifetime of the client's need unless stated otherwise. This might be a very long time and if the provider wants to bug out of this responsibility, they need to comply with the termination requirements.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;The bug fix clause&lt;/span&gt; requires a clear statement whether bugs will or will not be fixed during this period of time.&lt;/li&gt;&lt;li&gt;The provider may "fork" (&lt;span style="font-style: italic;"&gt;forking clause&lt;/span&gt;) the services using the same OSS or COTS product code base and provide a commercial alternative to the free service, as long as they stick to their provisions stated in the two points above.&lt;/li&gt;&lt;li&gt;The "&lt;span style="font-style: italic;"&gt;What you see is what you get&lt;/span&gt;" provision means that the provider is not compelled to include any new functionality in the free product.&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-size:130%;"&gt;Termination&lt;/span&gt;&lt;br /&gt;With regard to termination of a service, the provider must clearly state up front the following conditions:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;On &lt;span style="font-style: italic;"&gt;data access and continuity.&lt;/span&gt; For how long and in what format will the data be made available for clients to transition.&lt;/li&gt;&lt;li&gt;On &lt;span style="font-style: italic;"&gt;service access and continuity&lt;/span&gt;. 
For how long will the service be made available for clients to transition from before termination.&lt;/li&gt;&lt;li&gt;The &lt;span style="font-style: italic;"&gt;performance clause&lt;/span&gt; is a guarantee that the service will comply with some reasonable performance during termination (it is difficult to believe that during wind-up a provider will invest in performance requirements, but if a provider states this up front, then it means that they at least thought about this).&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-size:180%;"&gt;Conclusion&lt;/span&gt;&lt;br /&gt;The &lt;span style="font-style: italic;"&gt;Open Services Agreement&lt;/span&gt; is a suggestion to level the playing field by formalising service risk in a comparable manner and allowing clients to compare services to each other so that they can select the most appropriate service for their needs.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-8050432384931968254?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/8050432384931968254/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=8050432384931968254' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/8050432384931968254'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/8050432384931968254'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2009/11/open-service-definition.html' title='Open Service Definition'/><author><name>pieter claassen</name><uri>https://profiles.google.com/114695374260710975986</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' 
height='32' src='//lh6.googleusercontent.com/-6SkMLZhxp7A/AAAAAAAAAAI/AAAAAAAAAAA/VvEqy4GvqNk/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-7829090827576332414</id><published>2009-11-03T08:14:00.011+01:00</published><updated>2009-11-17T22:07:32.758+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='vendor risk'/><category scheme='http://www.blogger.com/atom/ns#' term='implementation risk'/><category scheme='http://www.blogger.com/atom/ns#' term='risk quantification'/><title type='text'>Managing vendor risk</title><content type='html'>I recently came across this post on dirty tricks that vendors use to sell enterprise software (&lt;a href="http://www.infoworld.com/d/applications/dirty-vendor-tricks-909?page=0,0" target="new"&gt;Article&lt;/a&gt;). Having worked for American vendors before, I had a chuckle at the obviousness of these tricks, but yes, they happen all the time (I have been lucky and in general worked with very good sales people who didn't do these kinds of things).&lt;br /&gt;&lt;br /&gt;What the article lacked was how to manage these risks, and so here is my take on managing vendor risk.&lt;br /&gt;&lt;br /&gt;Before I say anything about how I think these risks should be managed, just a few things about why I think they are risks.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Humans are bad at estimating risk intuitively. We are not capable of dealing with very small or large numbers in a repeatable, succinct or comparable way.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Humans are all human and sales guys... well, they are sales guys. 
Successful sales people are very adept at controlling the sales process to their advantage and often that does not include managing the client's implementation risk.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Not all companies recognise the purchasing of enterprise software as a long and challenging process (not at all like buying a book from Amazon, which is done in 30 seconds).&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;So, how do you reduce the risk of an enterprise implementation?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Firstly, recognise that there is risk. That means literally that you are about to purchase a product at an estimated cost, with a perceived functionality and to be delivered on an agreed-upon date. These magical 3 objectives are very hard to disconnect. As a matter of fact, it is nearly always required that one of the three requirements must be decoupled in order to achieve the other two. However, with software product selection, your job is to manage this process in order to optimise that objective (get as much required functionality, as bug free, and as on-time as possible, without cost overruns).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;How to manage vendor risk&lt;/span&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Get a &lt;u&gt;project plan&lt;/u&gt;. You need to read up on project management (not a whole lot) but a side effect of a project plan is that it projects agreements into the future (normally it is seen as a tool to record the past and manage the present). This is a first step to getting the vendor to formally agree how the future is going to look for you during this purchasing process. It is amazing how so many of those really good-looking candidates don't look so good anymore after asking them to commit to the basic project plan.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;u&gt;Write everything down&lt;/u&gt;. 
Normally, as part of the project plan, all agreements and critical statements by the vendor must be recorded in writing and signed off by both parties (well, an email to each other stating the obvious is mostly enough). This is the easiest way to prevent misunderstandings and prevent accidental scope creep.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Do a &lt;u&gt;sensitivity analysis&lt;/u&gt;. What happens if the products are delivered a bit late or if the functionality promised slips from version 1.x to 1.y? In complex implementations you have conditional dependencies (think of flying people to remote locations to install equipment that has to be delivered independently). A sensitivity analysis not only points out potential huge losses but can also save you money by helping you make optimal decisions up front, because it basically gives you a &lt;u&gt;confidence rating&lt;/u&gt; in your future plans and you can now do contingency planning.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;u&gt;Quantify your risks&lt;/u&gt; if possible. Quantification is hard to do well because you need a lot of input data (which is difficult and specialised to obtain), but when you are dealing with a complex project, lack of quantification means you are trying to compare high risks with high risks, and which one is higher? Quantification is typically a &lt;a href="http://en.wikipedia.org/wiki/Cardinal_number"&gt;cardinal&lt;/a&gt; indication of risk that can be compared to alternatives.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;u&gt;Control the sales process&lt;/u&gt;. This is something that vendors specialise in taking over from you and you have to take this back. Remember, they spend all their time developing strategies on how to control the sales process while you only buy this product once every X years (or so you hope). 
If you want to evaluate the product, work with the vendors to arrive at acceptable evaluation criteria and never accept the vendors' claims of compliance. Testing the product does have downsides (often it is like driving a sports car without any training) and many vendors today prefer you to consult with reference accounts. That is fine, but make sure that you do your homework on the reference you visit or speak to. Who are they and how comparable is their situation to yours? Also, be careful that it is not just a vendor trick to provide a false reference.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Put the &lt;u&gt;responsibility for the success of the project on the vendor&lt;/u&gt;. By splitting the sale into a "fixed price" product component and a "time and materials" implementation component, the vendor effectively makes you take some implementation risk on yourself. Hey, the vendor implements this solution daily (it is their job/product) so they should be in a position to fix the implementation costs of the product and include it as a fixed price component in the deal. That way, they only get paid if the product does what it is supposed to do and they will only get paid what was agreed up front.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Agree on a &lt;u&gt;change control policy&lt;/u&gt;. "Scope creep" is a typical phenomenon that vendors/implementers use to ratchet up the cost of projects. Turn this agreement to your advantage. If they can charge you for adding features to the sale, you can deduct costs for features that don't work as agreed.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;What about vendor lock-in? This is a difficult challenge to solve in a generic way because the real objective here is to minimise your long term risk or total cost of ownership of the functionality. This can be achieved by buying open or closed source systems (both have their advantages and disadvantages) but here are my 2 cents on how to navigate this minefield. 
&lt;u&gt;Guard your gates by making a "living will"&lt;/u&gt;. Normally, it is the data that is important in systems and not the system itself, so if you can get your data easily in and out of the system (and think of transforming the data in between transfers in order to fit the new system) you already protect yourself from vendor lock-in. So a "living will" is a way for you to plan the recovery from possible systemic failure into the procurement of the product in the first place.&lt;/li&gt;&lt;li&gt;Lastly, &lt;u&gt;get your whole team on board&lt;/u&gt;. Large companies are fraught with internal politics and failure to notify and get agreement from all relevant stakeholders means that you could be fighting your own company during the implementation. Internal resistance can easily let the vendor off the hook on critical issues because they can claim obstruction and therefore insist on change control.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-7829090827576332414?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/7829090827576332414/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=7829090827576332414' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/7829090827576332414'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/7829090827576332414'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2009/11/managing-vendor-risk.html' title='Managing vendor risk'/><author><name>pieter 
claassen</name><uri>https://profiles.google.com/114695374260710975986</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-6SkMLZhxp7A/AAAAAAAAAAI/AAAAAAAAAAA/VvEqy4GvqNk/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-3890957950049209368</id><published>2009-07-22T11:09:00.000+02:00</published><updated>2009-07-22T11:11:38.128+02:00</updated><title type='text'>Wicket renaming your submit button</title><content type='html'>&lt;blockquote&gt;&lt;br /&gt;add(new Button("submit", new ResourceModel("submit")));&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-3890957950049209368?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/3890957950049209368/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=3890957950049209368' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/3890957950049209368'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/3890957950049209368'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2009/07/wicket-renaming-your-submit-button.html' title='Wicket renaming your submit button'/><author><name>pieter claassen</name><uri>https://profiles.google.com/114695374260710975986</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-6SkMLZhxp7A/AAAAAAAAAAI/AAAAAAAAAAA/VvEqy4GvqNk/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-3944114509800506170</id><published>2009-07-04T20:24:00.008+02:00</published><updated>2009-11-03T10:00:11.196+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='AMD ATI 4850 linux ubuntu'/><title type='text'>ATI HD 4850 Linux issues</title><content type='html'>I recently bought a Dell XPS with an ATI HD4850 graphics card in it. After struggling with this card for weeks, this is where I am now (the reason why I wrote this is to warn other Linux users about this card).&lt;br /&gt;&lt;br /&gt;Config: Ubuntu Karmic with dual head display (HP digital screen and Philips analogue screen)&lt;br /&gt;Driver: best performance so far is the AMD Catalyst 9.6 driver.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Issues:&lt;br /&gt;1. I can now enable xinerama or big desktop from within the driver's amdcccle interface.&lt;br /&gt;2. However, with big desktop, the card cannot put the screen into power saving mode (sleep) and on trying, the big desktop settings are lost and you have to restart X.&lt;br /&gt;3. With xinerama, all looks ok, the screens can sleep, but on waking up, something crashes in the card and none of the 3D functions work (including screensavers etc.). You cannot even run glxinfo (it just silently hangs). This again means it is only a question of time before you have to restart X.&lt;br /&gt;4. 
The open source drivers just crash when X starts.&lt;br /&gt;&lt;br /&gt;UPDATE: The latest open source drivers in Ubuntu 9.1 work well, with the only issue being that the top resolution you can get is a bit lower than what is possible with the closed source drivers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-3944114509800506170?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/3944114509800506170/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=3944114509800506170' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/3944114509800506170'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/3944114509800506170'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2009/07/ati-hd-4850-linux-issues.html' title='ATI HD 4850 Linux issues'/><author><name>pieter claassen</name><uri>https://profiles.google.com/114695374260710975986</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-6SkMLZhxp7A/AAAAAAAAAAI/AAAAAAAAAAA/VvEqy4GvqNk/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-2766183278284288947</id><published>2009-06-07T16:37:00.006+02:00</published><updated>2009-06-07T17:15:28.842+02:00</updated><title type='text'>Wicket stuff I always forget</title><content type='html'>This is the stuff that I always need, but don't use enough to remember.&lt;br /&gt;&lt;br /&gt;How to retrieve localized text programmatically in a Wicket application?&lt;br /&gt;&lt;blockquote&gt;  
item.add(new Label("status",new Localizer().getString(session.getStatus().toString(), new AuthHomePage())));&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;or&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;public class MyChoiceRenderer extends ChoiceRenderer {&lt;br /&gt;&lt;br /&gt;@Override&lt;br /&gt;public Object getDisplayValue(Object object) {&lt;br /&gt; return new Localizer().getString(object.toString(), new AuthHomePage());&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;@Override&lt;br /&gt;public String getIdValue(Object object, int index) {&lt;br /&gt; return object.toString();&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;How to use a checkbox to set a specific value (not boolean) in a wicket form:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;        private class InvoiceableCheckBoxModel extends Model{&lt;br /&gt;            private IModel wrappedmodel;&lt;br /&gt;  &lt;br /&gt;&lt;br /&gt;            public InvoiceableCheckBoxModel(IModel model){&lt;br /&gt;                this.wrappedmodel=model;&lt;br /&gt;   &lt;br /&gt;            }&lt;br /&gt;&lt;br /&gt;            @Override&lt;br /&gt;            public Object getObject(){&lt;br /&gt;                return Boolean.FALSE;&lt;br /&gt;            }&lt;br /&gt;&lt;br /&gt;            @Override&lt;br /&gt;            public void setObject(Object object){&lt;br /&gt;                if (object.equals(Boolean.TRUE)){&lt;br /&gt;                    wrappedmodel.setObject(SessionStatus.invoice);&lt;br /&gt;                }&lt;br /&gt;            }&lt;br /&gt;        }&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;How to turn an array into a List?&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Arrays.asList(SessionStatus.values())&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-2766183278284288947?l=skeptical-inquirer.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/2766183278284288947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=2766183278284288947' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/2766183278284288947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/2766183278284288947'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2009/06/wicket-stuff-i-always-forget.html' title='Wicket stuff I always forget'/><author><name>pieter claassen</name><uri>https://profiles.google.com/114695374260710975986</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-6SkMLZhxp7A/AAAAAAAAAAI/AAAAAAAAAAA/VvEqy4GvqNk/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-7712184911543582637</id><published>2009-04-20T22:31:00.002+02:00</published><updated>2009-04-20T23:10:54.684+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='maven db4o war-plugin dependency jar war netbeans'/><title type='text'>eclipse vs. netbeans with maven, wicket and db4o</title><content type='html'>Ok, I am not going to go into great detail why, but the bottom line is that I reached a point where I decided to move over from Eclipse to Netbeans.&lt;br /&gt;&lt;br /&gt;This turned out to be slightly challenging because:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;I used mvn jetty:run as a webserver, which is simple/embedded and just works. However, Netbeans doesn't automatically build projects when your source changes; you need to tell it to track changes to your sources. 
Here is the config for the webapp pom to track any changes to your source.&lt;/li&gt;&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;      &amp;lt;plugin&gt;&lt;br /&gt;         &amp;lt;groupId&gt;org.mortbay.jetty&amp;lt;/groupId&gt;&lt;br /&gt;         &amp;lt;artifactId&gt;maven-jetty-plugin&amp;lt;/artifactId&gt;&lt;br /&gt;         &amp;lt;configuration&gt;&lt;br /&gt;             &amp;lt;scanIntervalSeconds&gt;5&amp;lt;/scanIntervalSeconds&gt;&lt;br /&gt;             &amp;lt;contextPath&gt;/practice&amp;lt;/contextPath&gt;&lt;br /&gt;             &amp;lt;scanTargetPatterns&gt;&lt;br /&gt;                 &amp;lt;scanTargetPattern&gt;&lt;br /&gt;                     &amp;lt;directory&gt;src/main/java&amp;lt;/directory&gt;&lt;br /&gt;                     &amp;lt;includes&gt;&lt;br /&gt;                         &amp;lt;include&gt;**/*&amp;lt;/include&gt;&lt;br /&gt;                     &amp;lt;/includes&gt;&lt;br /&gt;                 &amp;lt;/scanTargetPattern&gt;&lt;br /&gt;             &amp;lt;/scanTargetPatterns&gt;&lt;br /&gt;         &amp;lt;/configuration&gt;&lt;br /&gt;     &amp;lt;/plugin&gt;&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;li&gt;A second problem was how to reference the sources of my war and use them in a second (jar) project. Netbeans gives dependency management completely over to maven, so you cannot point one project at another at all. You have to do this in maven. What this means is that your project must successfully build in maven before you even think of making it work in Netbeans. The strategy to achieve this requires you to:&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Create a high level project (parent.pom) and include your interdependent projects as modules. Maven will work out which ones need to be built first. 
You then need to set the correct dependency in the dependent project so that it looks for the compiled classes of the webapp in a special jar in your local maven repository (wait for it, the trick will come in a second).&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;    &amp;lt;dependency&gt;&lt;br /&gt;       &amp;lt;groupId&gt;com.musmato&amp;lt;/groupId&gt;&lt;br /&gt;       &amp;lt;artifactId&gt;webapp.war&amp;lt;/artifactId&gt;&lt;br /&gt;       &amp;lt;type&gt;jar&amp;lt;/type&gt;&lt;br /&gt;       &amp;lt;classifier&gt;classes&amp;lt;/classifier&gt;&lt;br /&gt;       &amp;lt;scope&gt;provided&amp;lt;/scope&gt;&lt;br /&gt;       &amp;lt;version&gt;1.0&amp;lt;/version&gt;&lt;br /&gt;   &amp;lt;/dependency&gt;&lt;br /&gt;&lt;/pre&gt;Note a few things. Scope is provided (the jar is in your local maven repo). We use a classifier, which is slightly unusual (see &lt;a href="http://maven.apache.org/plugins/maven-war-plugin/faq.html#attached"&gt;link&lt;/a&gt; as to why).&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;You now need to somehow get maven to build and package your war sources in a jar. Here is an extract from my pom. That is it. 
&lt;a href="http://maven.apache.org/plugins/maven-war-plugin/faq.html#attached"&gt;Here is info on the maven war plugin&lt;/a&gt;&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;           &amp;lt;plugin&gt;&lt;br /&gt;               &amp;lt;artifactId&gt;maven-war-plugin&amp;lt;/artifactId&gt;&lt;br /&gt;               &amp;lt;version&gt;2.1-beta-1&amp;lt;/version&gt;&lt;br /&gt;               &amp;lt;configuration&gt;&lt;br /&gt;                   &amp;lt;attachClasses&gt;true&amp;lt;/attachClasses&gt;&lt;br /&gt;               &amp;lt;/configuration&gt;&lt;br /&gt;           &amp;lt;/plugin&gt;&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;This bit of magic will package your classes in a separate war and ensure that it is stuck in your local maven repo.&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;&lt;li&gt;Once you have this all in place, running &lt;blockquote&gt;mvn clean install &lt;/blockquote&gt; on the parent project will build your dependencies and install them for each other to use&lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;So, in a nutshell, you cannot reference a war file without using the maven war plugin and storing the classes seperately.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-7712184911543582637?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/7712184911543582637/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=7712184911543582637' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/7712184911543582637'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/7712184911543582637'/><link rel='alternate' type='text/html' 
href='http://skeptical-inquirer.blogspot.com/2009/04/eclipse-vs-netbeans-with-maven-wicket.html' title='eclipse vs. netbeans with maven, wicket and db4o'/><author><name>pieter claassen</name><uri>https://profiles.google.com/114695374260710975986</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh6.googleusercontent.com/-6SkMLZhxp7A/AAAAAAAAAAI/AAAAAAAAAAA/VvEqy4GvqNk/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-2197372358026666519</id><published>2008-11-10T08:31:00.000+01:00</published><updated>2008-11-10T08:37:47.913+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='daemonlogger'/><category scheme='http://www.blogger.com/atom/ns#' term='peer-to-peer'/><category scheme='http://www.blogger.com/atom/ns#' term='IPS'/><category scheme='http://www.blogger.com/atom/ns#' term='IDS'/><category scheme='http://www.blogger.com/atom/ns#' term='p2p'/><category scheme='http://www.blogger.com/atom/ns#' term='openvpn'/><category scheme='http://www.blogger.com/atom/ns#' term='tap'/><title type='text'>Daemonlogger over OpenVPN for taking data to your IDS</title><content type='html'>OpenVPN can set up a VPN using either a TUN (layer 3) device or a TAP (layer 2) device. 
It is also supported on both Windows and *nix systems, so it is a nice way to plumb things together.&lt;br /&gt;&lt;br /&gt;Jimbo challenged me to try and get data from my Virtual Machine hosted in London to a remote IDS with RNA in order to detect and analyse brute force attacks on the machine.&lt;br /&gt;&lt;br /&gt;The design was to use daemonlogger on the remote machine to sniff eth0 and pump the data over tap0, a virtual Ethernet adapter that is plumbed into a remote IDS.&lt;br /&gt;&lt;br /&gt;Setting up OpenVPN required some fiddling because it is normally used as a layer 3 solution (using a TUN device), and when used as a layer 2 device it operates an internal bridge (which won't allow you to re-transmit raw Ethernet over it, because it thinks all the MACs of interest are on the server side of the bridge).&lt;br /&gt;&lt;br /&gt;&lt;a href="http://openvpn.net/index.php/documentation/howto.html" target="_blank"&gt;http://openvpn.net/index.php/documentation/howto.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To make OpenVPN really work in P2P mode, you have to remove all config options that might force it into bridge mode (these include the 'server-bridge' option on the server and the 'client' option on the client side).&lt;br /&gt;&lt;br /&gt;So, firstly I had to generate a symmetric key for the openvpn solution (it didn't work with certificates right away in P2P mode and I couldn't be bothered with making it work).&lt;br /&gt;&lt;br /&gt;I ran openvpn from ubuntu 8.04 on both sides.&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;# apt-get install openvpn&lt;br /&gt;&lt;br /&gt;on the client (install the config below)&lt;br /&gt;# vi /etc/openvpn/client.conf&lt;br /&gt;&lt;br /&gt;on the server (install the config below)&lt;br /&gt;# vi /etc/openvpn/server.conf&lt;br /&gt;&lt;br /&gt;# /etc/init.d/openvpn start&lt;br /&gt;&lt;br /&gt;Also, I had to assign IPs manually as for some reason, tap0 didn't come up by itself&lt;br /&gt;on the server&lt;br /&gt;&lt;br /&gt;# 
ifconfig tap0 10.8.0.1 up&lt;br /&gt;&lt;br /&gt;on the client&lt;br /&gt;# ifconfig tap0 10.8.0.2 up&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;You don't need IPs (or should not), but it is a good way to verify that the link is really up (ping from one side to the other).&lt;br /&gt;&lt;br /&gt;Here are the config files for openvpn&lt;br /&gt;&lt;br /&gt;/etc/openvpn/server.conf&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;port 1100&lt;br /&gt;proto udp&lt;br /&gt;dev tap&lt;br /&gt;secret /etc/openvpn/simple.key&lt;br /&gt;keepalive 10 120&lt;br /&gt;comp-lzo&lt;br /&gt;user nobody&lt;br /&gt;group nogroup&lt;br /&gt;persist-key&lt;br /&gt;persist-tun&lt;br /&gt;status /var/log/openvpn-ids-status.log&lt;br /&gt;log-append  /var/log/openvpn-ids.log&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;/etc/openvpn/client.conf&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;dev tap&lt;br /&gt;proto udp&lt;br /&gt;remote REALIP 1100&lt;br /&gt;secret /etc/openvpn/simple.key&lt;br /&gt;persist-key&lt;br /&gt;persist-tun&lt;br /&gt;comp-lzo&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;Once this is done, you can apt-get install daemonlogger (yes, it is now included in the ubuntu repositories).&lt;br /&gt;&lt;br /&gt;Then just run on the server&lt;br /&gt;# daemonlogger -i eth0 -o tap0&lt;br /&gt;&lt;br /&gt;On the IDS side, I used daemonlogger to move data into my virtualized IDS/RNA solution so I ran:&lt;br /&gt;# daemonlogger -i tap0 -o vmnet1&lt;br /&gt;&lt;br /&gt;This pumped all data from tap0 onto vmnet1.&lt;br /&gt;&lt;br /&gt;The solution seems to work fine so far. 
It opens some nice doors:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Some form of host-based IDS, by intercepting traffic after SSL decryption and sending it off for remote analysis.&lt;/li&gt;&lt;li&gt;VMware-based IDS/RNA, by tapping virtual environments and piping data to remote or other virtual environments.&lt;/li&gt;&lt;li&gt;Remote IDS/RNA in locations that don't warrant a sensor, by piping data off to a central analysis location. This trades capital costs (sensor costs) for operational costs (bandwidth).&lt;/li&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-2197372358026666519?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/2197372358026666519/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=2197372358026666519' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/2197372358026666519'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/2197372358026666519'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2008/11/daemonlogger-over-openvpn-for-taking.html' title='Daemonlogger over OpenVPN for taking data to your IDS'/><author><name>pieter claassen</name><uri>https://profiles.google.com/114695374260710975986</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh6.googleusercontent.com/-6SkMLZhxp7A/AAAAAAAAAAI/AAAAAAAAAAA/VvEqy4GvqNk/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-663289097032338922</id><published>2008-11-08T10:10:00.002+01:00</published><updated>2008-11-08T11:47:00.202+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='db4o'/><category scheme='http://www.blogger.com/atom/ns#' term='wicket'/><category scheme='http://www.blogger.com/atom/ns#' term='listview'/><category scheme='http://www.blogger.com/atom/ns#' term='apache'/><category scheme='http://www.blogger.com/atom/ns#' term='class cast exception'/><title type='text'>Wicket, Apache, db4o</title><content type='html'>Wicket Note of the day&lt;br /&gt;&lt;br /&gt;When you setModel() and it works for one iteration of a ListView (or equivalent iterative) loop, but breaks on the second, you probably set the model on the top level class (for instance a Form) rather than on the iterative loop.&lt;br /&gt;&lt;br /&gt;Let me give an example.&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;ListView listview = new ListView("listview", list) {&lt;br /&gt;&lt;br /&gt;    protected void populateItem(ListItem item) {&lt;br /&gt;&lt;br /&gt;        Document document = (Document) item.getModelObject(); // this is because I want to use the object&lt;br /&gt;        setModel(new CompoundPropertyModel(document)); // WRONG. This sets the model for the whole form&lt;br /&gt;        item.setModel(new CompoundPropertyModel(document)); // CORRECT: the model belongs to this list item&lt;br /&gt;&lt;br /&gt;    }&lt;br /&gt;};&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Unfortunately this problem is difficult to diagnose because the error is obscure. 
When you see ClassCastException deep in the wicket code....&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-663289097032338922?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/663289097032338922/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=663289097032338922' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/663289097032338922'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/663289097032338922'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2008/11/wicket-software-development.html' title='Wicket, Apache, db4o'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-3544313110397955684</id><published>2007-12-29T10:14:00.002+01:00</published><updated>2008-11-08T10:07:18.321+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='technology'/><category scheme='http://www.blogger.com/atom/ns#' term='language processing'/><category scheme='http://www.blogger.com/atom/ns#' term='automation'/><category scheme='http://www.blogger.com/atom/ns#' term='predictions 2009'/><title type='text'>2009 Predictions</title><content type='html'>&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:180%;"&gt;2009 Technology Predictions&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Predictions being what they are (once 
they are predicted, we tend to pay attention to them), I thought I would let rip about my major technological gripes to see whether somebody could pay attention to them and make the problems go away:&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:130%;"  &gt;Closed source crippled products&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;Failure to do what the box says it should will drive consumers to become more discerning. Take Universal Plug and Play. In principle a nice idea. However, have you tried to plug a proprietary hardware UPnP device [enter Kodak EX 811 picture frame] into your network and then view your photos/movies/songs from [enter some open source media player such as mediatomb, uShare, mythtv etc.]? It doesn't work. Why not? Because between what Kodak expects the media player to implement and what the media player produces, there seems to be a misunderstanding. So, the standards suck? Maybe, but the reality is that short of opening the Kodak device and re-implementing its operating system, there is no practical way to debug this problem. This problem cuts to the core of the OSS (Open Source Software) philosophy and COTS/H (Commercial Off the Shelf Software/Hardware). Kodak is doing a terrible job of making their frame talk to many backends and there is nothing the consumer can do about it (short of *not* buying Kodak products). Sadly Kodak is a big company and, like so many large companies, has idiotically big pockets. They will survive, even though they should not. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt; Network Attached Storage is another cool idea. Just plug a drive into your network and it is available for storage. 
Well, that is until you try to back a Unix file system up to it and realize that the vendor only implemented some ancient backward Windows file system on the NAS device that cannot store UNIX file attribute bits [read FAT32 etc.]. You can always format the device but then you lose the network ability of it. Again, the box is sealed and we cannot get to the OS, which means we cannot add support for our favorite [ext3] file system. It is like buying a half dead horse.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt; I imagine that we will see more websites rating stuff and people paying attention to those ratings (even though the megalithic companies that make these products probably won't pay any attention to these sites).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:130%;"  &gt; Automation&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt; There is more and more evidence that improved performance is tied to improved understanding. I imagine that the future of automation lies in machines understanding better what we are trying to say. This basically means improving the way we program computers. How to do this? Not sure, considering that many people have been trying for years to improve programming languages and we are still far away from understanding natural language. The trick is maybe to compromise on Natural Language and move towards a more precise language that is easier for computers to understand (thinking Esperanto). Considering how bad humans are at learning new languages, clearly something else will have to happen before this move can be made. So, how about improving the way we learn languages? I am not thinking Muzzy here, but a complete structural U-turn on the focus of learning languages. This will require not only the theoretical work to be completed first but also the political system to be convinced of this to implement it. 
Maybe OLPC could implement Esperanto as a hidden language?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:130%;"  &gt;Open Source DRM (Digital Rights Management)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Yes, Jon also said this sounds like a paradox. However, the problem is not with the concept of protecting the rights of the copyright holder, but rather the implementation of technology to achieve that. Combine the current implementations with ignorance of the technocrats/legal system, and you have something open to abuse.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;So, what would good principles of Digital Rights Management be?&lt;/span&gt;&lt;br /&gt;&lt;ol style="font-family: verdana;"&gt;&lt;li&gt;It should allow for backups in any format to any appropriate medium.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The data that you obtained the rights to should in no way be "locked", and you should be able to view it on any platform of your choice (including an insecure platform where you take the legal risk of compromise of the data).&lt;/li&gt;&lt;li&gt;You should agree to some legal restrictions and be held accountable to your agreement through the legal process, or if you want to use a technological system, it should conform to only the legal requirements and nothing more.&lt;/li&gt;&lt;li&gt;You should be able to read your copy of the data unhindered at any time in the future.&lt;/li&gt;&lt;li&gt;Your data should be anonymously assigned to you (so nobody should be able, without the appropriate legal warrant, to extract your identity from your data).&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-family:arial;"&gt;So here is a concept design that might be interesting from an Open Source point of view.&lt;/span&gt;&lt;br /&gt;&lt;ol style="font-family: verdana;"&gt;&lt;li&gt;Hide an anonymous signature spread across a document (in pictures and/or 
text).&lt;/li&gt;&lt;li&gt;The user agrees to not circulate the document other than for personal use (very much like the books we buy in shops today). However, we do not stop the user from making a copy of the book or backing it up.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The user agrees to be liable for any damages from his actions (I am not sure how you prove that a book was downloaded X number of times).&lt;/li&gt;&lt;li&gt;Make the scheme resistant to statistical attack. If a number of users get together and compare books in order to identify the signature, ensure that it is resistant to attack (this is a standard Steganography problem).&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-family:arial;"&gt;The benefits of this scheme are:&lt;/span&gt;&lt;br /&gt;&lt;ol style="font-family: verdana;"&gt;&lt;li&gt;It does not assume the user to be a criminal ;-)&lt;/li&gt;&lt;li&gt;It allows the user to read/access the document/media using any viewer of his choosing on any platform (including Open Source).&lt;/li&gt;&lt;li&gt;It reduces the incentive of the user to share content because he can now be held liable (and agreed to that effect).&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-3544313110397955684?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/3544313110397955684/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=3544313110397955684' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/3544313110397955684'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/3544313110397955684'/><link rel='alternate' type='text/html' 
href='http://skeptical-inquirer.blogspot.com/2007/12/2009-predictions.html' title='2009 Predictions'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-116098495654076196</id><published>2006-10-16T09:49:00.003+02:00</published><updated>2009-07-22T10:51:24.419+02:00</updated><title type='text'>Selling the future of our children</title><content type='html'>How do economies grow and can all economies always grow? What is growth? &lt;p style="margin-bottom: 0in;"&gt;Let's assume that the size of an economy is reflected by the total wealth, which is in turn reflected by the value of its currency (like a snapshot of currency exchange rates at a specific moment in time). So we are looking at the amount of dollars you can get for all the local currency as a reflection of the size of the economy. We know that local currencies change value on a daily basis, but we are looking at a snapshot at a specific moment in time for that specific moment in time.&lt;/p&gt; &lt;p style="margin-bottom: 0in;"&gt;The total value of an economy as measured in abstract but constant energy units (so we don't get into the dollars vs. pound debates) can increase in value through at least five mechanisms:&lt;/p&gt; &lt;ol&gt;&lt;li&gt;&lt;p style="margin-bottom: 0in;"&gt;The relative change in the value of currency between economies (you can get more dollars for your local currency and therefore own more capital). 
So somebody thinks your currency is worth more and they are prepared to offer you more for it.&lt;br /&gt;&lt;/p&gt; &lt;/li&gt;&lt;li&gt;&lt;p style="margin-bottom: 0in;"&gt;The net value of stuff dug out of the ground (dig some gold to sell on the international market).&lt;/p&gt; &lt;/li&gt;&lt;li&gt;&lt;p style="margin-bottom: 0in;"&gt;The amount of money that the lenders of currency are prepared to lend to the people and the people are prepared to borrow against their own future (borrow some money from those who are not born yet).*&lt;br /&gt;&lt;/p&gt; &lt;/li&gt;&lt;li&gt;&lt;p style="margin-bottom: 0in;"&gt;The amount of trade that happens globally (sell some stuff on the international market and the profit grows your value).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;Through improved efficiency.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt; &lt;p style="margin-bottom: 0in;"&gt;For all economies to always grow, the net total of the first four factors has to always be positive for all countries.&lt;br /&gt;&lt;/p&gt;&lt;p style="margin-bottom: 0in;"&gt;If we discount the relative change in currency value and the effect of international trading, which both have a net zero effect since an increase in one economy must be accompanied by a decrease in another economy, then there are only three factors that can make an economy grow unconditionally:&lt;/p&gt;&lt;p style="margin-bottom: 0in;"&gt;a.) An increase in the production of raw materials.&lt;/p&gt;&lt;p style="margin-bottom: 0in;"&gt;b.) Lending people more money to spend on goods (which by the way has a negative effect on the two factors we discounted, currency change and global trade).&lt;/p&gt;&lt;p style="margin-bottom: 0in;"&gt;c.) 
Improved efficiency.&lt;br /&gt;&lt;/p&gt;  &lt;p style="margin-bottom: 0in;"&gt;So, in order for finance ministers to ensure positive growth in an economy, they can either take from other economies through currency value and global trading mechanisms.&lt;br /&gt;&lt;/p&gt;&lt;p style="margin-bottom: 0in;"&gt;Or, if they feel morally (ir)responsible, they can dig out more raw materials or lend more money to the people (for instance by issuing government bonds).&lt;/p&gt;&lt;br /&gt;Of course, at some point there will be nothing more to dig out of the ground but more importantly, by borrowing against the future, we incur an unknown and more importantly, potentially unsustainable load. When society refuses to honor this debt, this might lead to the breakdown of civilization as we know it.&lt;br /&gt;&lt;p style="margin-bottom: 0in;"&gt;&lt;/p&gt;&lt;p style="margin-bottom: 0in;"&gt;One can increase market efficiency to enlarge an economy.&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-116098495654076196?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/116098495654076196/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=116098495654076196' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/116098495654076196'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/116098495654076196'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2006/10/economic-theory.html' title='Selling the future of our 
children'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-114704785847073560</id><published>2006-05-08T02:07:00.000+02:00</published><updated>2006-10-28T23:08:51.973+02:00</updated><title type='text'>Package management for embedded systems</title><content type='html'>We take it for granted that when we install software, there will be a magic "uninstall" button. Before &lt;span style="font-style: italic;"&gt;apt&lt;/span&gt; and &lt;span style="font-style: italic;"&gt;install-shield&lt;/span&gt; were around, the magic button wasn't that hot and we found that our operating systems grew with orphaned files that never did get removed.&lt;br /&gt;However, the industry's inability to provide properly packaged binary updates for embedded systems (think wireless router, TV set-top box etc.) is hurting more than you think. 
Here are some things to consider when you try to flash the firmware on your wireless router (and pretend that you like a USRobotics doorstop):&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;Having a package management framework supports modularity, since you can now split functionality across multiple packages and you don't have to do monolithic code updates to install everything, including things you probably don't want anyhow (think hot new encryption modes on your router that are not that well supported and you don't want).&lt;/li&gt;   &lt;li&gt;Well, if you had package management, then you can control dependencies and won't have problems with binary compatibility.&lt;/li&gt;   &lt;li&gt;This I guess is also close to version control, which allows you to reverse out of a bad install (unless you turned your router into a doorstop by turning off the power halfway through a firmware upgrade).&lt;/li&gt;   &lt;li&gt;You can control upgrade paths for the first time. By setting dependencies properly, you can force users to upgrade via a known and supported path and there is no risk that somebody tries to do an unsupported upgrade.&lt;/li&gt;   &lt;li&gt;You can do proper testing (regression, upgrade and compatibility) since you now only support finite upgrade paths.&lt;/li&gt;   &lt;li&gt;Configuration management is now an option, since all components are clearly marked and the install state of all packages is easy to ascertain.&lt;/li&gt;   &lt;li&gt;Most importantly, by spending the effort to stick your code in a management framework, you will soon find that all that time you wasted trying to find impossible bugs (resulting from, for instance, binary compatibility problems) and supporting users with problematic upgrades can now be spent on adding cool new features (or getting rid of a few P1 bugs) before the next code release.&lt;br /&gt; &lt;/li&gt; &lt;/ol&gt; Debian is probably leading the way in the Linux world with their apt package management system. 
( &lt;a href="http://www.us.debian.org/doc/manuals/maint-guide/index.en.html"&gt;here&lt;/a&gt; at the debian package maintainers guide for those interested)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-114704785847073560?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/114704785847073560/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=114704785847073560' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/114704785847073560'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/114704785847073560'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2006/05/package-management-for-embedded.html' title='Package management for embedded systems'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-110255031333363988</id><published>2004-12-09T00:54:00.002+01:00</published><updated>2008-11-08T10:46:45.888+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='monte carlo'/><category scheme='http://www.blogger.com/atom/ns#' term='train'/><category scheme='http://www.blogger.com/atom/ns#' term='scheduling'/><title type='text'>Improve our railways. 
Do some Monte Carlo modelling.</title><content type='html'>If you think you can design a better railway schedule, then read &lt;a href="http://claassen.co.uk/papers/monte_carlo_train_sim_051114.pdf"&gt;this&lt;/a&gt; paper on using Monte Carlo methods to create a journey assessment model that can model the effect of delays as well as potential improvements such as longer overlap times in stations.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-110255031333363988?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/110255031333363988/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=110255031333363988' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/110255031333363988'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/110255031333363988'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2004/12/improve-our-railways-do-some-monte.html' title='Improve our railways. 
Do some Monte Carlo modelling.'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-110255004392795055</id><published>2004-12-09T00:44:00.001+01:00</published><updated>2008-11-08T10:51:21.325+01:00</updated><title type='text'>Operational Risk Management</title><content type='html'>What do Nick Leeson, the Titanic, Nimda and The Shuttle Columbia all have in common?&lt;br /&gt;&lt;br /&gt;They are all examples of spectacular Operational Risk Management failures.&lt;br /&gt;&lt;br /&gt;I recently wrote a paper on ORM that can be obtained &lt;a href="http://claassen.co.uk/papers/ORM-overview_PC20041026.pdf"&gt;here&lt;/a&gt; that had the following conclusions:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;ORM presents a new way to manage operational risk explicitly, outside of the traditional operational process of a business.&lt;/li&gt;   &lt;li&gt;ORM provides a clear strategy to view and report on hard-to-define risks in a consistent manner.&lt;/li&gt;   &lt;li&gt;Even though ORM cannot necessarily increase the company's turnover, it can improve the profitability of the company in the long run.&lt;/li&gt;   &lt;li&gt;ORM can identify catastrophic risks which must be dealt with either for corporate governance reasons or for fiduciary purposes.&lt;/li&gt;   &lt;li&gt;ORM provides a mechanism for risk quantification for the purposes of risk transfer (e.g. 
insurance or contractual terms)&lt;/li&gt;   &lt;li&gt;The Critical Success Factors for an ORM framework are:&lt;/li&gt; &lt;/ol&gt;        &lt;ul&gt;   &lt;li&gt;Clear definition of objectives.&lt;/li&gt;   &lt;li&gt;The correlation and analysis of outcomes of  different models to improve confidence in the operational model.&lt;/li&gt;   &lt;li&gt;ORM should identify and capture loss data at  the highest possible resolution.&lt;/li&gt;   &lt;li&gt;Implementation of organisational change to  facilitate the ORM framework that includes board level visibility of  OR.&lt;/li&gt;   &lt;li&gt;ORM implementation costs should be well  defined and juxtaposed against potential cost/risk improvements.&lt;/li&gt; &lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-110255004392795055?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/110255004392795055/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=110255004392795055' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/110255004392795055'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/110255004392795055'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2004/12/operational-risk-management.html' title='Operational Risk Management'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-109810749455055460</id><published>2004-10-18T15:43:00.001+02:00</published><updated>2008-11-08T10:57:56.983+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Operational Risk'/><category scheme='http://www.blogger.com/atom/ns#' term='Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='quantification'/><title type='text'>Operational Risk Management Failures</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:180%;"&gt;Introduction&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Operational Risk Management (ORM) is not a well known concept outside of the Financial Services industry, but in reality, it is the next step forward in terms of breaking out the business logic of anomalous conditions (systems, processes or people failure, or risk from external events) from the domain of industry knowledge into the more generic realm of mathematics.&lt;br /&gt;&lt;br /&gt;Many companies feel that ORM is not relevant to them because they believe it belongs in the domain of the business owners and should be dealt with on a daily basis with business logic. 
This paper deals with 3 case studies that demonstrate how ORM can benefit large organisations in most business sectors.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;Company 1 – Inefficient Spending on Security Risk Management&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Many companies earmark funds for security improvement projects after the board becomes aware of the impact of a specific virus on the organisation.&lt;br /&gt;&lt;br /&gt;A London-based FMCG manufacturer did exactly that and brought in a specialist security consultancy to help define and implement a security improvement programme.&lt;br /&gt;&lt;br /&gt;The programme had the following problems:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;From a tactical point of view, the funds were only made available for this programme months if not years after the virus damaged the company IT infrastructure and therefore, from a practical point of view, the company was still not dealing with the risk of virus infections on a strategic level while it was planning its programme.&lt;/li&gt;   &lt;li&gt;The programme was managed by the IT department and Internal Audit was not actively involved in the programme to any significant degree. It meant that the results from the programme didn't have a “home” within the organisation's business plans because it wasn't necessarily in the best interest of the IT department to do risk management. The IT department had no performance incentives for risk management and the programme directly impacted the performance of the IT department. As a matter of fact, there was internal resistance to the implementation of certain recommendations because they conflicted with the operational strategy of the IT department.&lt;/li&gt;   &lt;li&gt;When the corporation started implementing the recommendations, the decision was made to implement “quick wins” to obtain maximum organisational benefit from the programme. 
“Quick wins”, however, were never defined by the IT department in terms of risk reduction and eventually boiled down to the “things that were easy to do”, which of course weren't necessarily of great benefit to the organisation.&lt;/li&gt;   &lt;li&gt;Board level reporting, a fundamental requirement of all ORM, was always done by the programme management who, having an IT and not an RM background, could not demonstrate the benefit of this programme to the board. The end result was that the programme was cancelled prematurely and no performance evaluation was done. These people are also not with the company any more.&lt;/li&gt;   &lt;li&gt;After having spent a large amount of money on a Security Improvement Programme, the company had a blueprint of what was supposed to be done and some aspects of the programme were mid-implementation, but they still cancelled the programme for the following reasons:&lt;/li&gt;   &lt;ol&gt;     &lt;li&gt;The board felt that the cost for the programme was too high after it was already agreed to implement the programme. 
If this decision had been taken before the programme was developed, the programme design could have been adapted to fit the budget and not only focus on the highest risk gains, but could also have reported on the residual risk that the company was inheriting.&lt;/li&gt;     &lt;li&gt;The programme made no provision for either a qualitative or quantitative risk measurement before and after the programme, which meant that there was no way to report the benefits of the programme to the board.&lt;/li&gt;     &lt;li&gt;The board felt that there were no significant security compromises in the year or two after the major incident and natural human instinct helped them reallocate the security budget for production purposes.&lt;br /&gt;&lt;/li&gt;   &lt;/ol&gt; &lt;/ol&gt;&lt;br /&gt;How would ORM have benefited this organisation?&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;Strategic management of OR is in general much more cost effective than tactical response, as putting out fires without any planned foresight means in general that you not only lose production time when systems are down, but that all good business practice goes out of the window while recovery is in progress.&lt;/li&gt;   &lt;li&gt;By having a strategic ongoing ORM programme, the company would have had a clear understanding of how much money they want to spend and what they want to achieve with that budget. 
There would have been a smaller risk of catastrophic failure.&lt;/li&gt;   &lt;li&gt;The responsibility for the completion of the project would have been removed from the Operational Organisation to a dedicated team who were specifically incentivised to achieve the RM objectives.&lt;/li&gt;   &lt;li&gt;Consultants would have been much more effectively applied to achieve well defined objectives.&lt;/li&gt; &lt;/ol&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;London high street Bank sales strategy&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;A large UK based high street bank recently started calling its customers and asking them to submit their authentication credentials over the phone. The bank was calling its clients to sell them additional value added services; the reason why it asked them to identify themselves was probably Data Protection compliance.&lt;br /&gt;&lt;br /&gt;The problem with this approach is that there is no way for the client to verify that he is actually talking to his bank, as the bank contacted him first. Even if the user doesn't provide a complete set of his credentials (normally only a subset is required), he not only makes a brute force attack on his account easier, but also opens himself up to a man in the middle attack (the fraudster is connected to the bank on another line and only asks for the credentials that are asked of him) or, over more than one call, will provide his complete user credentials to the fraudster.&lt;br /&gt;&lt;br /&gt;The real problem however is not the call that the client has to handle, but the fact that the bank is basically training its clients in a certain behaviour which will be exploited by fraudsters once they become aware of it, and it therefore increases the Operational Risk that the Bank faces.&lt;br /&gt;&lt;br /&gt;It is clear that the manager who made the decision to follow this authentication strategy was not aware of the potential increase in fraud that he was stimulating, and Risk 
Management clearly didn't have visibility of this project and therefore could not detect its impact on their own organisation.&lt;br /&gt;&lt;br /&gt;This is a very good example of an OR failure in terms of fraud and legal risk, incurred by the bank through the complex interaction of its day to day operations, which should have been detected.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;NHS IT Project costs spiral out of control&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;The Economist (16 October 2004, p 36) reports that once again, a large government IT Project is spiralling out of control. This is not the first time that this has happened. One estimate (&lt;a href="http://www.out-law.com/php/page.php?page_id=billionswastedoni1082713371&amp;amp;area=news"&gt;Out-law&lt;/a&gt;) states that less than 16% of IT projects can be considered successful.&lt;br /&gt;&lt;br /&gt;At the end of the day, this specific charge has been rebuffed by criticism of the accounting rules, but what is apparent is that the critical success indicators for large IT projects are not limited to accepting the lowest bid during procurement or even due diligence on the suppliers, but extend to other aspects, many of which can be classified as operational risk management.&lt;br /&gt;&lt;br /&gt;These aspects include:&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;Management oversight for risk items for which management will have to accept responsibility during the project development life cycle. 
It is very important to know of the risk of failure while a project is in development rather than once it is completed.&lt;/li&gt;   &lt;li&gt;Board level reporting on OR outside of the implementation organisation because of the general conflict of interest between risk management and operations.&lt;/li&gt;   &lt;li&gt;Management of OR that involves consideration of people, systems and process failure.&lt;/li&gt;   &lt;li&gt;Consideration of the changing external environments.&lt;/li&gt;   &lt;li&gt;Review of legal risk.&lt;/li&gt; &lt;/ol&gt; In the UK there are currently processes in place such as the Successful Delivery Toolkit (http://www.ogc.gov.uk) which deals with many aspects of risk during Government project delivery. Operational Risk Management is currently a growing subset of this Risk Management process.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-109810749455055460?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/109810749455055460/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=109810749455055460' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/109810749455055460'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/109810749455055460'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2004/10/operational-risk-management-failures.html' title='Operational Risk Management Failures'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-109810696782605075</id><published>2004-10-18T15:31:00.000+02:00</published><updated>2004-10-18T15:42:47.826+02:00</updated><title type='text'>Operational Risk Management and the procurement process outside the Financial Services industry</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:180%;"&gt;Introduction&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt; Operational Risk Management (ORM) has always been implicitly embedded in the normal day to day running of a company and it is only fairly recently that the financial services sector, with the Basel accord, has started breaking it out as a separate business function that should be managed in a dedicated framework.&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;ORM must be managed outside the operational business framework because of the inherent conflict of interest between the investment required in Risk Management (RM) and the incentives for financial performance, which include the minimisation of operational costs.&lt;br /&gt;Basel2 defines Operational Risk (OR) as “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, that includes legal risk, but excludes reputational, systemic or strategic risk.”&lt;br /&gt;&lt;br /&gt;The definition of operational risk is not at all agreed upon and therefore there are no standard assessment models. Currently most organisations forge their own OR assessment and management strategies.
&lt;br /&gt;&lt;br /&gt;There are a number of reasons why OR is being broken out of the traditional day-to-day management of business:&lt;br /&gt;&lt;br /&gt;&lt;/div&gt; &lt;ol style="text-align: justify;"&gt;   &lt;li&gt;Board level visibility of potentially catastrophic events for governance reasons.&lt;/li&gt;   &lt;li&gt;Oversight and audit of business operations which are often incorrectly incentivised to accept unacceptable operational risk.&lt;/li&gt;   &lt;li&gt;Public disclosure required by regulation.&lt;/li&gt;   &lt;li&gt;Improved spending efficiency through strategic planning. e.g. quantitative scenario planning.&lt;/li&gt; &lt;/ol&gt; &lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;Procurement&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Companies primarily spend money on two items:&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;Investments that are directly required in their line of work (Core business). These costs include Salaries/wages, rent, amortisation, depreciation, advertising, employee benefits, direct cost of sales, taxes&lt;/li&gt;   &lt;li&gt;Risk mitigation. Corporations in the US that are capitalized to over $ 50 m with an annual turnover of above $ 100m spend on average 6.7% of their operational budgets on repairs, bad debts and miscellaneous expenses that include risk management. http://www.bizstats.com/genl.netcorps.htm&lt;/li&gt; &lt;/ol&gt; The reality of risk mitigation is that not only does it cost money to asses your risk, but when the company is under financial pressure, it will accept more risk at the preservation of investment in its core business. Ultimately, it might even forgo risk assessment all together to keep its core business going.&lt;br /&gt;&lt;br /&gt;Vendors are either pandering to a market that cannot exist without them (e.g. 
delivery trucks for the FMCG market), in which case the challenge is to be selected as the vendor of choice when the client buys the product, or they are selling a product/service (e.g. Intrusion Detection Systems) that can be classified as a risk management service whose viability is affected by the financial status of the company, in which case the challenge is to get the company to buy in the first place and then secondly to buy from the vendor of choice.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;How to manage OR?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Risk is the likelihood of an incident happening combined with the impact of it happening to a specific business process.&lt;br /&gt;&lt;br /&gt;Traditionally, financial services organisations have been better than the bulk of industry at collecting historical loss data specifically for risk management purposes. However, Basel2 found that even many financial services companies didn't break their operational risk out sufficiently and correctly from their operational costs.&lt;br /&gt;&lt;br /&gt;Risk events that are of interest to us are:&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;High exposure events that are relatively rare and difficult to predict.&lt;/li&gt;   &lt;li&gt;Low exposure events that happen all the time. These events are relatively easy to incorporate into statistical models because they produce relatively large amounts of data.&lt;/li&gt; &lt;/ol&gt; &lt;span style="font-size:180%;"&gt;How to calculate exposure?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Exposure can be assessed either through the evaluation of historical loss data or by calculating the impact on specific business processes when OR materialises. Most operational losses are a function of time, in that the longer the anomalous condition exists, the higher the cost to the business. Any predictive model should be consistent with historical data.
&lt;br /&gt;&lt;br /&gt;A number of Balanced Scorecard and Scenario Based approaches are being developed and they have the following benefits:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;The assessment of the impact of controls can be done inside the model so you can evaluate the impact of different controls on your final OR strategy.&lt;/li&gt;   &lt;li&gt;It relates the qualitative assessments of business posture to quantitative risk predictions.&lt;/li&gt;   &lt;li&gt;It can use simulation methods (Monte-Carlo) to quantify the “elasticity” of variables i.e. the impact of statistical insignificant variance in the input parameters on the final calculations.&lt;/li&gt; &lt;/ol&gt; Irrespective of the method being used for OR, the outcomes should have the following properties:&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;The model must be validated by measuring its consistency with historical data.&lt;/li&gt;   &lt;li&gt;OR scenarios must be easily reproducible.&lt;/li&gt;   &lt;li&gt;Scenarios should be consistent with previous predictions.&lt;/li&gt;   &lt;li&gt;The model should allow for scenario planning i.e. where individual aspects of the risk management model can be tweaked (controls replaced by cheaper ones etc.) and the effect of these changes be measured.&lt;/li&gt;   &lt;li&gt;The control assessment framework must be placed within a financial management framework that can assess total cost of ownership.&lt;br /&gt;  &lt;/li&gt; &lt;/ol&gt; &lt;span style="font-size:180%;"&gt;Impact of OR on procurement&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Companies that manage their OR explicitly behaves differently from those that handle it implicitly and therefore the procurement process for these organisations is different.&lt;br /&gt;&lt;br /&gt;All companies satisfy 100% of their operational costs but not necessarily 100% of their OR costs. Therefore, depending on which budget you sell into, there is a likelihood that your project might not go ahead as planned.
&lt;br /&gt;&lt;br /&gt;In companies with no explicit OR management, your ability to sell Risk Management products or services boils down to the luck of the draw, being at the right place at the right time, because you cannot measure or predict the change in business posture within the corporation as that information is part of the industry specific knowledge of those who run the company.&lt;br /&gt;&lt;br /&gt;Companies without ORM exhibit inconsistent RM procurement strategies because of the fluctuation's of their implicit OR implementation.&lt;br /&gt;&lt;br /&gt;Very seldom do companies who do not implement explicit ORM measure the performance of their projects in terms of risk accepted or mitigated vs. cost of benefit derived.&lt;br /&gt;&lt;br /&gt;In general, “eagle” salesman who bamboozle the client do well in these companies.&lt;br /&gt;&lt;br /&gt;On the other hand, the benefits of explicit OR is:&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;A clear medium to long term corporate strategy in terms of Human Resources and Operational Business Risk management.&lt;/li&gt;   &lt;li&gt;Ongoing performance measurement of all OR activities and curtailment of unsuccessful projects.&lt;/li&gt;   &lt;li&gt;An optimal relationship with vendors which is of benefit both to the organisation and the vendor.&lt;/li&gt;   &lt;li&gt;ORM provides control of the vendor relationship to the procuring party.&lt;/li&gt;   &lt;li&gt;ORM provides the facility for clear internal and external communication plans.&lt;/li&gt; &lt;/ol&gt; &lt;span style="font-size:180%;"&gt;Conclusion&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;By explicitly managing their OR, large corporations develop a consistent approach to procurement that is of benefit to both themselves as well as their vendors.&lt;/li&gt;   &lt;li&gt;Vendors have more predictable sales cycle if they deal with corporations who manage their OR explicitly.&lt;/li&gt;   &lt;li&gt;The ORM function is the market making 
channel in an organisation as it defines the strategic prerogatives of the organisation.&lt;/li&gt;   &lt;li&gt;ORM allows for the strategic management of vendor relationships, which is of benefit to both the client and the vendors.&lt;/li&gt; &lt;/ol&gt; &lt;/div&gt; &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-109810696782605075?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/109810696782605075/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=109810696782605075' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/109810696782605075'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/109810696782605075'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2004/10/operational-risk-management-and.html' title='Operational Risk Management and the procurement process outside the Financial Services industry'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-109645221816489718</id><published>2004-09-29T11:52:00.000+02:00</published><updated>2004-10-05T17:24:49.136+02:00</updated><title type='text'>IDS/IPS Market Position</title><content type='html'>&lt;span style="font-size:180%;"&gt;Executive summary&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;The IDS market is mature and financial services organisations already 
have IDS&lt;/li&gt;   &lt;li&gt;IPS is only relevant to organisations that have mature security management&lt;/li&gt;   &lt;li&gt;The IDS/IPS market is currently NOT price sensitive other than competitive pricing&lt;/li&gt;   &lt;li&gt;Because of Open Source Software, the IDS market is over-crowded and has low barriers to entry for new competitors&lt;/li&gt;   &lt;li&gt;Markets being developed by the Manufacturer should be sold directly into by the Manufacturer&lt;/li&gt;   &lt;li&gt;Pricing policy should be a mix of discounts and fixed sales price based on reseller status&lt;/li&gt;   &lt;li&gt;RRP should be a private agreement between Distributor and Resellers and not made public&lt;/li&gt;   &lt;li&gt;Promotion is a mix of PR and Personal selling for IDS and IPS&lt;/li&gt;   &lt;li&gt;IDS and IPS are high involvement sales that require evaluation before purchase and are brand sensitive&lt;/li&gt;   &lt;li&gt;Joint Venture Companies that leverage off an existing respectable brand have a significant marketing benefit.&lt;/li&gt; &lt;/ul&gt; &lt;span style="font-size:180%;"&gt;Introduction&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;This paper explores what the best marketing proposition is for IDS and whether IPS is a marketable proposition or just a “makeable” one.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;&lt;br /&gt;&lt;br /&gt;Consumer analysis&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Who needs IDS and who needs IPS&lt;br /&gt;&lt;br /&gt;&lt;/span&gt; &lt;ul&gt;   &lt;li&gt;IDS is a basic necessity to gain visibility of malicious network traffic.&lt;/li&gt;   &lt;li&gt;For anybody who wants to do security management, it is a table stakes element (i.e. a must have)&lt;/li&gt;   &lt;li&gt;The problem is that not all users understand/believe that they need this visibility. 
The reason for this is that they don't care what is happening beyond their computer perimeter and feel the same way about what happens inside it.&lt;/li&gt;   &lt;li&gt;IPS is a response technology that is relevant to those administrators that want to enforce policy.&lt;/li&gt;   &lt;li&gt;IDS is needed by people who want to take control of their security posture&lt;/li&gt;   &lt;li&gt;IPS is needed by people who want to reduce their already large security management cost.&lt;/li&gt; &lt;/ul&gt; &lt;span style="font-weight: bold;"&gt;Who is buying the product and who is using the product&lt;/span&gt;&lt;br /&gt;The financial function often has the final control over purchasing decisions.&lt;br /&gt;The security function advises the decision maker.&lt;br /&gt;Products are used by the security function, or their operation is outsourced.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;What is the buying process?&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;Awareness&lt;/span&gt;&lt;br /&gt;Very few clients regard visibility and incident response as a problem that can naturally be solved with IDS/IPS. Therefore the barrier to selling the product is quite high.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Information search&lt;/span&gt;&lt;br /&gt;All users use the internet to do a general search and then they contact vendors for product information.&lt;br /&gt;Implementation references are very important in gaining the trust of users.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Evaluate the alternatives&lt;br /&gt;&lt;/span&gt;Most products go into a bake-off situation, with the result that vendors can influence the deal by making concessions and throwing items into the deal. Personal relationships between the sales people and the client are very important in influencing the deal during the evaluation process.
&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The purchase decision&lt;/span&gt;&lt;br /&gt;The purchase decision is normally only reached after product evaluation.&lt;br /&gt;The product is a high involvement product (expensive and one off purchase) which means buyers are very concerned that they make the right decision.&lt;br /&gt;Brand loyalty is important to them and they would rather consider successful brands than new ones.&lt;br /&gt;Price is not a primary factor in the decision making process. To compete on price is unproductive (See section on Channel sales)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Evaluate (post purchase behaviour)&lt;/span&gt;&lt;br /&gt;IDS/IPS is a high value purchase that will only happen every 2 to 5 years. Post purchase evaluation affects references and maintenance revenue.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;How to turn a low involvement product into a high involvement one&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;By turning a low involvement product into a high involvement product, income is maximised.&lt;/li&gt;   &lt;/ul&gt;In the case of IDS/IPS, the following can be done. &lt;ul&gt;    &lt;li&gt;Piggyback on consultancy results that require something important to be done about security visibility or security risk. Reaffirm the users' expectations that security is a difficult and complicated process best dealt with by this product. These projects are relatively rare and the consultancy firm that did the work in the first place as they are often the starting point for the tender process for equipment.&lt;/li&gt;   &lt;li&gt;Ensure that customers are aware of the importance of security visibility&lt;/li&gt;   &lt;li&gt;Features can be an important differentiator.&lt;br /&gt;&lt;/li&gt;   &lt;li&gt;Appropriate advertising strategy. 
Direct marketing.&lt;/li&gt;   &lt;li&gt;Bind to an existing well established security brand.&lt;/li&gt;  &lt;/ul&gt;  &lt;span style="font-size:180%;"&gt;Market segmentation&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Vertical markets&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Enterprise&lt;/span&gt;&lt;br /&gt;Financial services – already have IDS and replace products periodically to maintain performance.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;FMCG / Manufacturing etc.&lt;/span&gt;&lt;br /&gt;Tactical companies that spend money on tactical issues. Low probability of IDS/IPS security spend unless they already have a history of problems. Many therefore have IDS.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;SME&lt;/span&gt;&lt;br /&gt;Risk aware buyers will be interested.&lt;br /&gt;Those who are aware of a problem.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Geographic markets&lt;/span&gt;&lt;br /&gt;Sophisticated markets with a security budget and risk assessment projects&lt;br /&gt;(no detail provided)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Demographics&lt;/span&gt;&lt;br /&gt;Must have a Security function&lt;br /&gt;Must have a budgeting process&lt;br /&gt;Must have bought firewalls before&lt;br /&gt;For IPS, must have had IDS before&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Psychographic&lt;/span&gt;&lt;br /&gt;Must be risk takers&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Behavioural&lt;/span&gt;&lt;br /&gt;Must be responsive to marketing campaign&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;Market analysis&lt;/span&gt;&lt;br /&gt;The Product Life Cycle for IDS determines what the market requires from the product.
&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Introduction phase (1996 – 2005)&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;Evaluation required&lt;/li&gt;   &lt;li&gt;Benefit sell to justify visibility&lt;/li&gt;   &lt;li&gt;Urgent need buyers&lt;/li&gt;   &lt;li&gt;Basic functionality required&lt;/li&gt;   &lt;li&gt;Price high&lt;/li&gt;   &lt;li&gt;An information request is the beginning of a relationship&lt;/li&gt; &lt;/ul&gt; &lt;span style="font-size:130%;"&gt;Growth phase (2005 – 2007)&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;Product bake-offs take place&lt;/li&gt;   &lt;li&gt;Benefit sell moves to risk management level&lt;/li&gt;   &lt;li&gt;An information request is done to all suppliers&lt;/li&gt;   &lt;li&gt;Still not price sensitive&lt;/li&gt; &lt;/ul&gt; &lt;span style="font-size:130%;"&gt;Maturity phase (2007 +)&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;Features are important&lt;/li&gt;   &lt;li&gt;Price sensitive&lt;/li&gt;   &lt;li&gt;Advertisement budget needs to increase&lt;/li&gt;   &lt;li&gt;Value added features important&lt;/li&gt;   &lt;li&gt;Brand loyalty is important&lt;/li&gt; &lt;/ul&gt; &lt;span style="font-size:130%;"&gt;Decline&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;Client lock in through data exchange formats&lt;/li&gt;   &lt;li&gt;Leverage capital investment to sell Value Added Services&lt;/li&gt;   &lt;li&gt;Message is you can't go wrong by buying the product&lt;/li&gt; &lt;/ul&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Key competitive factors in the IDS/IPS market&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;R&amp;D – Features&lt;/li&gt;   &lt;li&gt;Service – Mission Critical up-times&lt;/li&gt;   &lt;li&gt;Quality – Par for the course&lt;/li&gt;   &lt;li&gt;Advertisement – Can you reach your Target Market&lt;/li&gt;   &lt;li&gt;Price – Sensitivity is low until maturity is reached&lt;/li&gt; &lt;/ul&gt; &lt;span style="font-size:180%;"&gt;Competitive analysis&lt;br /&gt;&lt;br 
/&gt;&lt;/span&gt;Define your core competencies&lt;br /&gt;SWOT analysis&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Barriers to entry&lt;br /&gt;&lt;br /&gt;&lt;/span&gt; &lt;ul&gt;   &lt;li&gt;Traditionally the barrier to entry is very high in this market. However, Open Source Software has lowered that barrier to entry by making a basic but good detection engine available to anybody who wants to build a management framework around it (Snort).&lt;/li&gt;   &lt;li&gt;This will lead to a crowded playing field with an over-supply of IDS/IPS devices.&lt;/li&gt;   &lt;li&gt;Financial Services Companies already have IDS&lt;/li&gt;   &lt;li&gt;IDS is an established market&lt;/li&gt;   &lt;li&gt;Market leverage is a good way to bring the message to clients.&lt;/li&gt;   &lt;li&gt;Joint Venture companies are a way to consolidate the market and to obtain market leverage.&lt;/li&gt; &lt;/ul&gt; &lt;span style="font-size:130%;"&gt;Perceptual mapping of the product&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;Determine where your product stands in the market&lt;br /&gt;price vs. quality – IDS and IPS should be high price and high quality&lt;br /&gt;performance vs. ease of use – Good products will be easy to use and perform well.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;Distribution channels&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;The options are Direct or Channel sales&lt;br /&gt;Factors that affect the choice are&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;profitability&lt;/li&gt;   &lt;li&gt;Reach&lt;/li&gt;   &lt;li&gt;Sales effort&lt;/li&gt;   &lt;li&gt;Rate of market share growth&lt;/li&gt; &lt;/ul&gt; Because of the complicated market and product, the manufacturer must implement a sales team.&lt;br /&gt;The channel is worthwhile pursuing under the following conditions&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;Direct sales is pursued if no reseller is in place (i.e. 
never give business to the resellers, but make them want to earn it)&lt;/li&gt;   &lt;li&gt;The margin that the channel receives is directly in proportion to the amount of market that they are making. If they bring the market to the manufacturer then they receive maximum margins else the margin decreases proportional to the amount of work the manufacturer/distributor has to do.&lt;/li&gt;   &lt;li&gt;Channel commitment must be obtained in terms of targets and effort committed to the product.&lt;/li&gt;   &lt;li&gt;Channel commitment must be obtained in a process of accreditation with stock investment, training and marketing commitment. This is not reasonable during the Introduction phase of the Product Life Cycle.&lt;/li&gt;   &lt;li&gt;Always trade with the channel and never give anything away.&lt;/li&gt; &lt;/ul&gt; &lt;span style="font-size:130%;"&gt;Pricing policy&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;Fixed RRP vs. fixed selling price (discount vs. markup)&lt;br /&gt;Fixed RRP has the following benefits:&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;All resellers go to market at the same price.&lt;/li&gt;   &lt;li&gt;The Manufacturer can sell directly against the resellers without upsetting the market.&lt;/li&gt;   &lt;li&gt;Product market position can be determined globally.&lt;/li&gt; &lt;/ul&gt; Disadvantages are:&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;Limits channel revenue and low free-market incentives.&lt;/li&gt;   &lt;li&gt;RRP is protectionist of the reseller relationships at the cost of incentives for resellers that can charge more (leverage relationship with client).&lt;/li&gt; &lt;/ul&gt; Fixed selling price is good for those who want to sell at demand prices (what the market is prepared to pay) rather than supply prices but has the disadvantage of potential undercutting by other resellers.&lt;br /&gt;Fixed selling price also benefits those who can leverage the relationships with their clients to maximise their profit.
&lt;br /&gt;Fixed selling price works where the resellers are in command of the pricing rather than the manufacturer.&lt;br /&gt;The solution is a mixed pricing policy:&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;A private RRP which all resellers agree not to drop below.&lt;/li&gt;   &lt;li&gt;A fixed price sale to the resellers (based on their reseller status) and no public RRP.&lt;/li&gt;   &lt;li&gt;A commitment from the manufacturer and distributors only to sell into accounts where they make the market.&lt;/li&gt;   &lt;li&gt;No maximum limit on the product price.&lt;/li&gt; &lt;/ul&gt; &lt;span style="font-size:130%;"&gt;Stock&lt;/span&gt;&lt;br /&gt;During the introduction phase, it is unreasonable to ask the channel to carry stock. However, this is an important bargaining chip for reduced supplier pricing.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;Marketing mix&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;Product/Place/Promotion and Price&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Product&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;Differentiation&lt;/span&gt;&lt;br /&gt;Features&lt;br /&gt;Capability – what can the product do?&lt;br /&gt;Future proof investment.&lt;br /&gt;Performance is important in IDS/IPS.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Fit&lt;/span&gt;&lt;br /&gt;How are the user's needs considered in the product build?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Styling&lt;/span&gt;&lt;br /&gt;Attention to detail&lt;br /&gt;Custom or general hardware&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Reliability&lt;/span&gt;&lt;br /&gt;Service contracts and terms&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Packaging&lt;/span&gt;&lt;br /&gt;How are the units boxed and what do they look like when they arrive on-site.
&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Sizes&lt;/span&gt;&lt;br /&gt;Consider pricing policy and market need.&lt;br /&gt;Size might be related to performance.&lt;br /&gt;Be careful of artificial sizing to maximise profitability as sizes should be a natural fit with client needs.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Service&lt;/span&gt;&lt;br /&gt;Support contract is critical in this industry.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Brand Naming&lt;/span&gt;&lt;br /&gt;Company name and product name on documentation and devices.&lt;br /&gt;What brand do you want to build?&lt;br /&gt;Joint ventures can allow you to piggyback on strong brands.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;how does product life cycle affect the plans?&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Introduction phase&lt;/span&gt;&lt;br /&gt;Price is high&lt;br /&gt;Features not that important&lt;br /&gt;Market penetration is critical&lt;br /&gt;Channel low responsibility and low margins&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Mature phase&lt;/span&gt;&lt;br /&gt;Price competitive&lt;br /&gt;Promotions&lt;br /&gt;New technologies integration and growth&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Place&lt;br /&gt;&lt;br /&gt;&lt;/span&gt; &lt;ul&gt;   &lt;li&gt;No physical markets.&lt;/li&gt;   &lt;li&gt;Trade shows (but measure return on investment).&lt;/li&gt;   &lt;li&gt;Exclusivity is a low risk option if guarantees are obtained from the resellers.&lt;/li&gt;   &lt;li&gt;In this market condition, resellers go bust so make sure they owe you nothing.&lt;/li&gt;   &lt;li&gt;During introduction, market penetration is important so width of circulation is important.&lt;/li&gt;   &lt;li&gt;Develop a communication plan and single person responsible to communicate with the 
channel.&lt;/li&gt; &lt;/ul&gt; &lt;span style="font-size:130%;"&gt;Promotion&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;Depends on the Product Life Cycle&lt;br /&gt;Options are:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Advertising&lt;/span&gt;&lt;br /&gt;Because of the small size of the market, the most relevant promotional mechanism is magazine publications focused on Security Managers and Financial Managers.&lt;br /&gt;The advertising campaign should achieve the following:&lt;br /&gt;1. Financial Management: Security decisions cannot be made without visibility.&lt;br /&gt;2. Financial Management: You can reduce your security bill with IPS.&lt;br /&gt;3. Security Management: Our product is the product of choice to solve these problems.&lt;br /&gt;4. Financial Management: You can trust us to help you identify and solve your problems.&lt;br /&gt;Advertising should result in the decision makers (financial management) trusting the brand and the company. Integrity is critical.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Personal Selling&lt;/span&gt;&lt;br /&gt;Personal selling is the most important sales channel.&lt;br /&gt;It is expensive and labour intensive, but the target market is small and difficult to reach.&lt;br /&gt;Personal selling is best done by consultative selling – try to identify and solve client problems and report on them through benefit analysis.&lt;br /&gt;A certain amount of pre-sales effort is required to identify the complicated issues.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Sales Promotion&lt;/span&gt;&lt;br /&gt;Not very relevant to the current IDS/IPS market&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;PR&lt;/span&gt;&lt;br /&gt;A very important way to reach the market.
&lt;br /&gt;Examples of PR that are worth pursuing are:&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;Security commentary relevant to your specialist field.&lt;/li&gt;   &lt;li&gt;Product evaluations.&lt;/li&gt;   &lt;li&gt;Employment announcements.&lt;/li&gt;   &lt;li&gt;Security announcements.&lt;/li&gt; &lt;/ul&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Direct Selling&lt;/span&gt;&lt;br /&gt;Not relevant to this market yet.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Pricing&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;IDS and IPS are traditionally highly specialised, small-volume products, which means that the relatively small turnover requires a large mark-up to cover the cost of sales.&lt;br /&gt;The sales cycle is also between 3 and 6 months.&lt;br /&gt;Demand pricing means that pricing is influenced by the following factors:&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;Competitive pricing (how much do your competitors sell their products for).&lt;/li&gt;   &lt;li&gt;Discount requirements (deal making).&lt;/li&gt;   &lt;li&gt;Budgeting process within the buying organisation.&lt;/li&gt; &lt;/ol&gt;Perceived value to the customer should be related to risk benefit. Security visibility is a table-stakes item and not an option. Be careful about charging a premium for a table-stakes item.&lt;br /&gt;Buying market share is not productive during the introduction phase of the Product Life Cycle. 
Buyers are effectively one time buyers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-109645221816489718?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/109645221816489718/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=109645221816489718' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/109645221816489718'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/109645221816489718'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2004/09/idsips-market-position.html' title='IDS/IPS Market Position'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-109446296323780331</id><published>2004-09-06T11:26:00.000+02:00</published><updated>2004-09-06T13:26:17.686+02:00</updated><title type='text'>How to sell security to CFO's</title><content type='html'>&lt;span style="font-style: italic;"&gt;Security Engineering is a process of dealing with that what is not a fact and therefore is something that is seldom easily quantifiable in terms of benefit for money spent. Additionally, Security Vendors find that they are selling to Security Managers who often don't have the authority to spend funds but who are critical in terms of advising the Financial Management in an organisation how to allocate funds. 
From a vendor point of view, selling becomes more deterministic if the Financial Controllers in an organisation are prepared to put the right questions to their security organisation; the answers to these questions should then drive their Security Engineering strategy. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Who is actually controlling the budget?&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;CFO's know that security costs money, but it is difficult for them to determine how much to spend on what and how much it will save them.&lt;br /&gt;&lt;br /&gt;With the exception of Financial Service Organisations and other risk aware organisations for whom security is a necessary part of life, specialist functions like Risk Management and Security Officers/Managers are used to make the case for security spending, but final spending decisions nearly always lie with a company's operational and financial management.&lt;br /&gt;&lt;br /&gt;Most security vendors/consultancies still identify the Security or Risk Manager as their primary sales target, even though they know that unless the Security Managers have already identified and sold the concept to management (which they hopefully understood and identified correctly), they will have to spend a long time working with the client to help generate the budgets for their products or services. The reality is therefore that vendors effectively depend on Security Management in organisations to sell their products or concepts on behalf of the vendor, to the real decision maker, the CFO.&lt;br /&gt;&lt;br /&gt;The exception to this argument is of course when something really bad like a security break-in happens to a company; then Security Managers have large budgets to fix the problem. That is of course as long as they do it quickly, because the longer they take and the more distant the incident becomes in the mind of those affected, the more they will find their security budgets re-allocated.
&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;How to sell to CFO's&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;So, to sell security, it must be understood that you have to sell financial benefit to the company's financial controllers. They however, mostly don't understand security and that is after all why they employ Security Managers.&lt;br /&gt;&lt;br /&gt;The challenge is therefore whether the security problem can be transformed into something that financial controllers can understand and that can help them evaluate their own security strategy. By marketing this strategy to them and by encouraging them to ask the right questions, you will get them to make the right decisions.&lt;br /&gt;&lt;br /&gt;All CFO's should be able to answer the following questions regarding their security strategy:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;What visibility do you have regarding the company's security posture?&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;How often do users/hackers try to execute/transport unauthorised code in your environment and how serious are the attempts? This includes viruses, hacking, worms and any unauthorised traffic such as peer to peer traffic which not only brings viruses into your environment but also creates legal problems. Where do the attacks come from?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;What is your exposure if something bad happens?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;What will happen to your business processes if certain security incidents take place? Most companies today are heavily dependent on email and if it is compromised, business can be hurt badly. If your web services are broken into, the resulting damage to the company's image can be devastating.
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;What will the impact of a worst case scenario be?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Exposure analysis should indicate what the impact of the worst possible scenario could be. This should be the Risk Managers starting point in terms of understanding what risk should be dealt with.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic; font-weight: bold;"&gt;How likely are these scenarios to materialise? Can you justify these estimates with security measurements and controls?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;It is no good to say that your organisation is not vulnerable to virus events if you don't have a way to measure virus traffic on your network or if you don't employ software to limit the spread of viruses.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;How much does security cost you now and is there a way to reduce that cost without increasing our primary risk profile (the profile that you accept when implementing a security management strategy).&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;The reality is any new system will introduce new risks, but all things being relatively equal:&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;Outsourcing certain security functions might decrease your total costs and improve your security posture.&lt;/li&gt;   &lt;li&gt;Introduce new technologies that requires a capital purchase but reduces the load on your security management. 
Technologies like Intrusion Prevention Systems, or supporting technologies like ticketing systems, can make your people more effective, thereby reducing your headcount, and increase your security posture by improving incident response.&lt;/li&gt;   &lt;li&gt;Often you can bring security consultants in to re-engineer your security processes to make them more efficient.&lt;/li&gt;   &lt;li&gt;Few businesses consider re-engineering their business processes as a potential way to increase their security posture or lower their security cost. The problem with re-engineering business processes is that both security and business functions need to be involved to shape the new processes for maximal security and business efficiency.&lt;/li&gt; &lt;/ol&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;What does your security input into your Management Information Systems look like?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Keep in mind that security incidents are few and far between (hopefully), and because of the infrequency it is easy to stop measuring your security status on a regular basis. Considering the fact that the impact of a security incident is significantly reduced by reducing its duration, knowing about things as soon as possible and having a good incident response plan is critical to limiting the damage of an incident.
&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;CFO Security Radar&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;So, CFO's should be in a position where they can demand a strategic action plan from Security Management that outlines the following:&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;How and with what will incidents and risks on the network be identified?&lt;/li&gt;   &lt;li&gt;How is exposure calculated and specifically how does the business provide input to the security function so that realistic costs can be obtained if security events bring business systems down?&lt;/li&gt;   &lt;li&gt;What controls (product and procedures) are and can be employed to identify, manage and report on security incidents with the view on reducing the likelihood of the potential incidents happening and the impact of them on business processes when they happen?&lt;/li&gt;   &lt;li&gt;The only way to realistically assess the potential benefit of a technology or change of business strategy is to develop two comparative business plans outlining how much the new technology will cost the company and how much it will save the company in exposure, likelihood of event taking place as well as impact of an event on the business by doing a business process assessment. 
Only by comparing the two comparative baselines can you make an informed Security Engineering decision.&lt;/li&gt;   &lt;li&gt;What security information systems will report on the above mentioned items on a regular basis to Security Management?&lt;/li&gt; &lt;/ol&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-109446296323780331?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/109446296323780331/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=109446296323780331' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/109446296323780331'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/109446296323780331'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2004/09/how-to-sell-security-to-cfos.html' title='How to sell security to CFO&apos;s'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-108932717304924273</id><published>2004-07-09T00:50:00.000+02:00</published><updated>2004-09-05T17:55:45.873+02:00</updated><title type='text'>Event correlation reducing the cost of IT security</title><content type='html'>&lt;strong&gt;How to make Intrusion Detection Systems work better&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Every year in every large company the golden question is asked: “How much are we going to lose this 
year because of security failures?”&lt;br /&gt;The CITSO responds with: “Well, we need to find out what the likelihood is of things happening to us and we then need to check how much it will cost when those things happen to us. Once we have those figures, we can decide how much we have to spend and how much that spending will reduce the cost of these bad things happening to us.”&lt;br /&gt;&lt;br /&gt;So the first question is, how do we find out what the likelihood is of bad things happening to us? The most effective way to do this seems to be by measuring the daily activity on the network and seeing not only how many bad things happen on the networks, but also what their impact is on the organisation. This behaviour is then extrapolated and, by correlating it with extraordinary global events (such as terrorist bombings), the “acidity” of the network can be predicted quite accurately.&lt;br /&gt;&lt;br /&gt;Herein lies the problem: how to identify bad things. Intrusion Detection Systems have specifically been designed to detect bad traffic. In some cases, this means detecting traffic that contains data which is clearly identified as malicious, but in other cases, it also means detecting network behaviour that is out of the ordinary. But IDSs suffer from two problems: false positives, when benign behaviour is misdiagnosed as malicious, and false negatives, when real attacks are missed. An example of a false positive is when signatures trigger on themselves and the IDS alerts on its own signature downloads; an example of a false negative is when an attacker substitutes the NOP sled (the run of no-operation instructions placed in front of the shellcode in a buffer overflow so that an imprecisely overwritten return address still lands on executable code) with other instructions that the IDS does not recognise, so that the attack penetrates the environment undetected.
&lt;br /&gt;&lt;br /&gt;The real problem with IDS is actually that it is normally focused on assuming that the volume of alerts is important and that a large number of a certain alerts is more dangerous than a small number of another alerts. This design feature, combined with the fact that IDS events are context free in the bigger scheme of things (they stand by themselves and are not correlated with other events either inside or outside of the IDS system) result in false positives and irrelevant positives (a dangerous payload that went to machine not sensitive to it).&lt;br /&gt;&lt;br /&gt;So, a whole new generation of Security Information Systems (SIMS) have been developed to collect data from all over your network and then correlate that data with your IDS data, thereby reducing false positives.&lt;br /&gt;&lt;br /&gt;The broad idea is great, but it seems that most of these products will eventually be superseded by the capabilities of the IDS/IPS systems themselves for the following reasons.&lt;br /&gt;&lt;br /&gt;1. All investigations start with the identification of anomalies and uses the rest of the information to qualify that anomaly, which means the IDS is key to the whole design.&lt;br /&gt;2. IDS's  are designed to deal with events and router logs, application logs and network banner grabbing produces events of a different kind that are still just events.&lt;br /&gt;3. Large gains can be made by doing correlation of IDS events with themselves. Examples of this would be classes of alerts such as “attempted recon” that are then followed by “application exploit” are much more indicative of nefarious activity and raises the priority on clustered alerts that indicate a constructive effort to compromise a system.
&lt;br /&gt;&lt;br /&gt;What is also interesting is that by collecting application logs and system logs in your IDS for correlation, you now have the ability to alert on error conditions which might have been brought about by a security event or not, but is still something that has to be dealt with since it is costing you money and security systems are there after all to save you money!&lt;br /&gt;&lt;br /&gt;False negatives are difficult to detect since they were missed by the IDS in the first place, but one can assume that application logs will provide more detail in the case of attempted or successful exploits, thereby exposing false negatives.&lt;br /&gt;&lt;br /&gt;The bottom line is that visibility of network status is key to understanding risk and by correlating IDS alerts with application logs and other network information systems, false positives can be reduced thereby providing better information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-108932717304924273?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/108932717304924273/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=108932717304924273' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/108932717304924273'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/108932717304924273'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2004/07/event-correlation-reducing-cost-of-it.html' title='Event correlation reducing the cost of IT 
security'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-108607320570424487</id><published>2004-06-01T08:54:00.000+02:00</published><updated>2005-11-14T23:08:44.500+01:00</updated><title type='text'>The logic of security</title><content type='html'>&lt;strong&gt;FBI arrest&lt;/strong&gt;&lt;br /&gt;The FBI recently had to apologize to Brandon Mayfield of Oregon for detaining him for 14 days in connection with the Madrid bombings. The problem was the misidentification of a fingerprint on a bag of detonators, and even though Mr. Mayfield insisted that he had not left the USA for a decade, he was still detained as a suspect linked through his fingerprints to the terrorist bombing.&lt;br /&gt;This story illustrates how security systems in general need to become more complex and context sensitive in order to weed out false positives. In the case of Mr. Mayfield, maybe the FBI should have considered that a watertight alibi placing him firmly in Oregon for the 10 years leading up to the attack might indicate that fingerprinting was not such a good indicator of guilt as was thought initially?&lt;br /&gt;&lt;strong&gt;&lt;br /&gt;Security objectives&lt;/strong&gt;&lt;br /&gt;Security systems in general are there to reduce risk and ultimately save money. However, if they raise false positives, then they cost money.&lt;br /&gt;When I left my office and tripped the burglar alarm a security firm had to visit the premises to verify that the building was not broken into. 
In this specific case, you should wonder if the absence of any movement in the lobby might indicate a potential false alarm on the front door and save everybody the cost of the call-out. Would the cost of frequent false alarms justify a more complex reporting system?&lt;br /&gt;However, the question is not only whether you can identify false positives, but also whether you can identify the truly dangerous events amongst the many positives. An example of this would be that if more than two sensors of the burglar alarm are triggered, then you can probably deduce that a real burglary is in progress and step your level of response up appropriately.&lt;br /&gt;What is clear is that in today's world, you have to be able to measure the context around incidents and then analyse that context to find supporting evidence that points to the event you have identified. Let's take an example of logical analysis. By specifying a range of logical conditions that must be satisfied (this effectively is a way to formalise context) and then ultimately producing the event that all these incidents support, you can gain greater confidence in the likelihood of the event being a true positive.&lt;br /&gt;But this article is not about better burglar alarms.&lt;br /&gt;&lt;strong&gt;&lt;br /&gt;The broken record player&lt;/strong&gt;&lt;br /&gt;What about circumventing these systems? Once the logical definition of context is known, then it is as easy as designing a procedure that will “outsmart” the system in question. Hofstadter referred to this procedure as “the record that broke the record player” in his writing.&lt;br /&gt;This question is related to Gödel's incompleteness theorem: it will always be possible to design a logical procedure that circumvents a logical design.&lt;br /&gt;Maybe one can introduce a bit of randomness. Let us take the front door and lobby sensors in the burglar alarm as an example. 
Let's say the problem is that you don't want your pets to activate your motion detectors and you don't want a malfunction on the front door sensor to trigger your alarm.&lt;br /&gt;In our newly defined system the front door alarm activation must be accompanied by motion in the lobby within a certain period of time (where this period of time is random, because if it were fixed, the robbers could just wait for the specified period of time and then enter the lobby). So, once the front door is opened, the alarm will only be triggered if there is movement in the lobby within an unknown period of time. If the maximum waiting period is 48 hours (the longest possible time between normal accesses, which takes place over a weekend), then the mean waiting time for the robbers would be 24 hours, with the shortest possible waiting time being as low as 1 minute (which is of course highly unlikely).&lt;br /&gt;The problem has now fundamentally changed in that you now require burglars to gamble (which they probably do anyway!) on getting into the building, and by introducing random waiting periods into the context definition, you can ensure that the system does not behave deterministically and therefore reduce both false positives and false negatives.&lt;br /&gt;&lt;strong&gt;&lt;br /&gt;Network security&lt;/strong&gt;&lt;br /&gt;In computer network security, the problem is even more extreme. Intrusion Detection and Prevention systems look at individual data packets and then look their payloads up in a database of known bad signatures. If there is a match, then an alert is raised, but in reality, identifying a signature of known bad behaviour is very difficult without understanding the context of the packet that was detected. An example would be an FTP alert that a user is trying to upload or download material from the site which he is not authorised to access. The problem is that unless this packet is seen within the context of an FTP session, it is a false positive. 
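&lt;br /&gt;&lt;br /&gt;As an added example that is not part of the original post, the following Python script shows the stateful correlation argued for here and in the event-correlation post above: a “bad transfer” signature is only treated as a confirmed alert when the same session earlier carried an FTP login request (and, stronger still, the server's 230 login-success reply). The sample traffic, the session key format and the restricted-path list are constructed for the example and are not captured data.&lt;br /&gt;&lt;br /&gt;

```python
import re
from collections import defaultdict

# Constructed sample traffic (not captured data): (session, direction, payload).
# The session key is "client:port-server:port"; direction c2s is client to server.
SAMPLE_PACKETS = [
    ("10.0.0.5:51000-192.0.2.10:21", "c2s", "USER alice"),
    ("10.0.0.5:51000-192.0.2.10:21", "s2c", "331 Password required for alice"),
    ("10.0.0.5:51000-192.0.2.10:21", "c2s", "PASS hunter2"),
    ("10.0.0.5:51000-192.0.2.10:21", "s2c", "230 Login successful"),
    ("10.0.0.5:51000-192.0.2.10:21", "c2s", "RETR /etc/passwd"),
    # A stray packet on port 21 carrying the same payload, but with no login exchange.
    ("10.0.0.9:40000-192.0.2.10:21", "c2s", "RETR /etc/passwd"),
]

# The "known bad" signature: a transfer command naming a restricted path.
# The restricted-path list is an assumption made for this example.
BAD_TRANSFER = re.compile(r"^(RETR|STOR)\s+(/etc/|\.\./)")
# Context signatures: the login exchange that must precede a bad transfer.
LOGIN_REQUEST = re.compile(r"^USER\s+(\S+)")
LOGIN_OK = re.compile(r"^230\b")


def stateless_alerts(packets):
    """Naive IDS behaviour: match each packet's payload on its own."""
    return [(sess, payload) for sess, _, payload in packets
            if BAD_TRANSFER.match(payload)]


def correlated_alerts(packets):
    """Stateful correlation: a bad transfer is only a confirmed alert when the
    same session earlier carried an FTP login request; the server's 230 reply
    upgrades the verdict from 'login-attempted' to 'confirmed'."""
    sessions = defaultdict(lambda: {"user": None, "logged_in": False})
    alerts = []
    for sess, direction, payload in packets:
        state = sessions[sess]
        if direction == "c2s":
            m = LOGIN_REQUEST.match(payload)
            if m:
                state["user"] = m.group(1)
            elif BAD_TRANSFER.match(payload):
                if state["user"] is None:
                    verdict = "no-ftp-context"    # no login seen: likely false positive
                elif not state["logged_in"]:
                    verdict = "login-attempted"   # login requested, success unconfirmed
                else:
                    verdict = "confirmed"         # true positive
                alerts.append({"session": sess, "user": state["user"],
                               "payload": payload, "verdict": verdict})
        elif LOGIN_OK.match(payload):
            state["logged_in"] = True
    return alerts


if __name__ == "__main__":
    print("stateless:", len(stateless_alerts(SAMPLE_PACKETS)), "alerts")
    for alert in correlated_alerts(SAMPLE_PACKETS):
        print(alert["verdict"], alert["session"], alert["user"], alert["payload"])
```

&lt;br /&gt;Run stand-alone, the naive matcher raises two alerts for the same payload, while the correlated version confirms only the one inside a logged-in session and labels the stray packet as lacking FTP context, which is exactly the false positive described above.&lt;br /&gt;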
However, the information that establishes whether this is an FTP session, the login and password exchange, happened long before this packet is seen, so the context of this packet is effectively lost.&lt;br /&gt;So enter regular expressions, with which it is possible to specify that the request for unauthorised information must be preceded by an FTP login request before it is identified as a true positive. That only works if the matcher keeps per-session state, so that the login seen in one packet can be remembered when the request arrives in a later one; a pattern applied to each packet in isolation cannot do it.&lt;br /&gt;Regular expressions should have a significant impact on the improvement of network security alerts.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-108607320570424487?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/108607320570424487/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=108607320570424487' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/108607320570424487'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/108607320570424487'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2004/06/logic-of-security.html' title='The logic of security'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-108512468304086487</id><published>2004-05-21T09:26:00.000+02:00</published><updated>2005-11-14T23:44:39.990+01:00</updated><title type='text'>Gaining access to efficient 
payment processing</title><content type='html'>Mobile phone companies hold the key to future payment processing, but so far none of them seems to have gotten it right. After the dotcom crash they seem to have retreated from their earlier enthusiasm for flexing their billing infrastructures, set for total financial services domination, to focusing on their core business, which is selling airtime, keeping the white elephant m-commerce payment gateways only as a reminder of how much it can cost to play the e-commerce game and lose. This, however, need not be the future of m/e-commerce.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Introduction&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The problems with paying for things are that it is generally slow, you need the right amount of cash, or, if you want to pay by credit card, the merchant must be able to process the transaction in real time to be sure of the legitimacy of your funds. Not only do you need relatively expensive infrastructure to process electronic payments (a terminal or specialised software), but the time to process an electronic payment and the residual fraud liability associated with card-not-present transactions raise the bar high enough to exclude many new start-up enterprises.&lt;br /&gt;&lt;br /&gt;Where traditionally payment processing was a necessary evil of doing business, improved and more efficient payment processing is a business enabler that can give small merchants with low turnover access to markets, such as impulse buying, that didn't previously exist for them. 
For acquirers the challenge is to lower the payment processing costs for merchants and thereby increase their own revenue by enlarging their installed base, while still managing their fraud risk.&lt;br /&gt;&lt;br /&gt;A number of companies have been formed since the advent of electronic payment processing that tried to capture this market by utilising new and innovative technologies, but sadly, not many of them have succeeded in achieving the correct mix of critical parameters that would guarantee the successful commercialisation of their systems. And therein lies the catch: how to identify and manage the critical parameters to ensure successful m-commerce?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What are the new challenges to gain access to the future market?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;It seems that even though the technological requirements for payment processing are relatively easy to meet, the mix of critical success factors is always hard to achieve, and in the same way that traditional monetary systems evolved along many unproductive paths, the current incarnation of m-commerce is also going about accessing its markets in a hit-and-miss fashion.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What are the factors influencing the success of an m-payment solution?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Since there are many more low-turnover merchants than there are Tescos of the world, m-commerce must give the smaller merchant access to payment processing without a cripplingly large capital outlay. At the high end of the retail market this requirement is diminished, since the capital cost of payment processing is relatively small compared to the turnover volumes, and improvements in efficiency and transaction cost are what matter.&lt;br /&gt;&lt;br /&gt;The payment processing must be fast and simple to allow impulse buying and facilitate consumerism. 
Imagine the future of Coca Cola (or any other Fast Moving Consumer Goods company) without a rapid payment solution to allow users to quench their thirst when they are thirsty. The lack of fast and simple payment processing is hurting the retailers and the FMCG market.&lt;br /&gt;&lt;br /&gt;The net transaction cost must be lower than existing credit card payment processing costs because, without significantly changing the basic properties of payment processing (security, confidentiality, non-repudiation etc.), such a system will only succeed when all parties benefit. Currently many merchants groan about the 3-5% transaction costs that they have to swallow for on-line payment processing.&lt;br /&gt;&lt;br /&gt;It must be more convenient for clients and merchants, and more people must be able to buy more items in more opportune locations.&lt;br /&gt;&lt;br /&gt;Software costs should be realistic, and that probably means very simple, secure systems. One of the drawbacks of the old e-commerce era was that payment processing software turned out to be relatively expensive and the software vendors made no effort to link the software costs to the revenue generated by the system (or maybe clients were just over-optimistic?). What happened instead was that the transaction costs turned out to be relatively high in order to pay for the expensive technological implementations, and this resulted in low participation rates. This is a bad way to do business, since low participant turnout makes it harder for the existing participants to generate the required revenues, with mass disinterest in the system as the result.&lt;br /&gt;&lt;br /&gt;How often do merchants allow customers behind the counter? 
So why do e-commerce operators insist on using integrated payment processing facilities, which are not only expensive because of the lack of standardisation (try to move your shopping cart solution between different vendors to see what I mean), but also conceptually difficult to secure and implement? Why handle both your customer orders and payment processing through the same web interface if you can move payment processing to a service provider such as a mobile phone operator, where the implementation is more standardised, transaction costs are lower and security is higher?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Why are mobile phone operators well placed in this market?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The reality is that the mobile phone operators are very good at keeping track of small units of measure (seconds of airtime) and billing them at variable rates to their consumers. And they do this for thousands of clients from various geographic locations. When did you last scrutinise your mobile bill in detail? Mobile phone operators are entering the phase where their excellent billing history makes them trusted payment processors, and users believe that they are getting billing right.&lt;br /&gt;&lt;br /&gt;But what is probably the biggest trump in the hand of the mobile phone operators is a not always recognised benefit: they provide a trusted computing platform in the hands of the user, which makes all the difference when it comes to electronic payment instructions, and this is why:&lt;br /&gt;&lt;br /&gt;During an electronic instruction, the critical step of the transaction is where the user ties his payment instruction to some goods he wants to buy (or an identifier thereof) and hands it to the seller of the goods, who then uses the existing banking system for settlement. 
From a legal point of view, a signature on a printed payment instruction is sufficient, but to truly experience the benefits of electronic payment processing, these identifiers must be electronic and they must be secure. And that is where the trusted computing platform comes in. Without trust in the computing platform, there is no way that the user can truly believe that he has successfully tied his payment instruction to the specified electronic identifier and the merchant in question, and without trust in the system, m-commerce will not move forward.&lt;br /&gt;&lt;br /&gt;Even though a trusted computing device is probably the biggest benefit that mobile phones bring to m-commerce, there are some other benefits, many of them relating to the fact that mobile phones are ubiquitous and the capital outlay for entry into the system is minimal.&lt;br /&gt;&lt;br /&gt;Transaction costs are also low because the existing secure communications and data network is being reused for payment processing.&lt;br /&gt;&lt;br /&gt;Security is fundamental. Compare a lost credit card to a lost mobile phone: since the phone, unlike a credit card, should never hold any sensitive material, when it is lost the voice and data services, including the payment processing capability, can be suspended with a single call.&lt;br /&gt;&lt;br /&gt;Mobile technology is so pervasive that almost anybody can buy anything from anyone else. This out-of-band payment processing facility means that m-commerce can be attached to any transaction type, ranging from buying items over the Internet to buying your ice cream on the beach with your mobile phone. Here is an example of a merchant that does payment processing without any specialised equipment. All you need is your mobile phone. 
http://www.merchantseek.com/mobile-credit-card-processing.htm&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What are the critical success factors for such a payment scheme?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;They range from hard technological requirements to less deterministic psychological ones, and I list a number of the more critical ones.&lt;br /&gt;&lt;br /&gt;Conceptual requirements&lt;br /&gt;Non-repudiation: buyers and sellers must not be able to back out of transactions, and this has to be at least comparable to existing “card not present” transactions, where buyers have an opportunity to reverse transactions under certain conditions and merchants must bear the brunt of these losses.&lt;br /&gt;Authorisation: the buyer must give a clear buying signal that cannot be contested.&lt;br /&gt;Confidentiality: no third party must be privy to any of these transactions taking place or to the contents thereof.&lt;br /&gt;&lt;br /&gt;Human requirements&lt;br /&gt;Ease of use: users must not feel technological pressure to have to “learn” the system, otherwise it in itself becomes an entry barrier.&lt;br /&gt;Users must trust that the system is secure and works.&lt;br /&gt;The system must be efficient (otherwise we could have stayed with coins).&lt;br /&gt;&lt;br /&gt;Technology requirements&lt;br /&gt;The link between the mobile phone and the back-end processor must be regarded as completely secure, and no confidential information should be stored on the phone.&lt;br /&gt;The mobile should not store a communication history that can contain sensitive material such as passwords in the clear.&lt;br /&gt;“Keeping it simple” technology in terms of payment processing. 
The amortisation of the capital outlay should be closely linked to the revenues generated by the software and not the other way round.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;A conceptual payment scheme&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;How would such a payment scheme work? The reality is that it is dangerous to venture into the future when it comes to payment schemes, mostly because such predictions have so often been proven wrong, but considering that there are a number of psychological and technological details that need to be resolved, one possible scheme could be where a merchant sends a message to your phone stating an offer of goods you are interested in. The offer might be a text description with a hash drawn over it to reduce the size of the text you are dealing with (the original proposal was MD5; a hash that is going to be signed should come from a family that is still collision resistant, such as SHA-2). If you want to buy the goods, you would confirm the sale through your trusted device. This confirmation would consist of your signature over the hash of the goods and the merchant number (the PKI keys should be stored on the back-end processor and be transparent to the user when they are used; note that this makes the operator, not the handset, the party that actually signs, so non-repudiation then rests on how strongly the operator authenticates the user before signing). The mobile operator effectively acts as an arbitrator between you and the merchant by:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;   &lt;li&gt;Firstly, keeping a record of the transaction for both parties' edification.&lt;/li&gt;   &lt;li&gt;Informing the buyer that the merchant has at least passed some vetting scheme to be able to use the payment processor. 
This might be as simple as the merchant still being with the processor with no complaints that have rendered him suspended.&lt;/li&gt;   &lt;li&gt;Informing the merchant that the funds have been secured for his account and he can let go of the goods.&lt;/li&gt;   &lt;li&gt;Thirty days later, the user will receive his regular phone bill, including all the purchases he made during the billing period, and the merchant will receive his funds for all sales during the period.&lt;/li&gt; &lt;/ol&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusion&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The existing m-commerce solutions don't leverage the existing mobile phone infrastructure to give their existing user base (which is effectively a very large fraction of the consumerist world) the ability to buy things from other mobile phone users using only mobile technology, thereby allowing many more merchants into the market and ultimately generating real benefit and revenue for the mobile operators by leveraging their unique position in the market as trusted financial service providers.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Epitaph&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I contacted Vodafone to find out how much it would cost me to open a small commodities shop and use M-pay for payment processing, and their answer is included below. 
The situation is unclear to me, since they already have a number of shops selling items of more than £5 each at http://www.vodafone.co.uk/mpay&lt;br /&gt;&lt;br /&gt;Thank you for your email, unfortunately Mpay only goes up to £5 and is really&lt;br /&gt;designed for digital content&lt;br /&gt;&lt;br /&gt;Kind regards R&lt;br /&gt;&lt;br /&gt;R XXXXXXXX&lt;br /&gt;&lt;br /&gt;Business Development manager&lt;br /&gt;Commercial Partnerships - Sales&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;References&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;M-Pay Valista Vodafone trial&lt;br /&gt;Eircell Vodafone, Altamedius&lt;br /&gt;Thomas Geitner, Chief Executive, Global Products and Services, Vodafone&lt;br /&gt;www.merchantseek.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-108512468304086487?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/108512468304086487/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=108512468304086487' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/108512468304086487'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/108512468304086487'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2004/05/gaining-access-to-efficient-payment.html' title='Gaining access to efficient payment processing'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7027123.post-108488862977444391</id><published>2004-05-18T15:56:00.000+02:00</published><updated>2004-05-19T11:19:26.406+02:00</updated><title type='text'>Welcome Skeptical Inquirers</title><content type='html'>The purpose of the blog is broadly to demystify and clarify general items of interest to the community at large, and if you feel you can contribute, please send me an email so that I can offer you an account.&lt;br /&gt;&lt;br /&gt;This blog is a tribute to Hofstadter, who first mentioned the Skeptical Inquirer in MetaMagical Themas. Unfortunately, my copy of the book has now gone to a friend, with the consequence that I cannot remember who were the good guys, the Skeptical Inquirer or the National Inquirer. So, if we get it wrong, then let's just call it irony!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7027123-108488862977444391?l=skeptical-inquirer.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://skeptical-inquirer.blogspot.com/feeds/108488862977444391/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7027123&amp;postID=108488862977444391' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/108488862977444391'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7027123/posts/default/108488862977444391'/><link rel='alternate' type='text/html' href='http://skeptical-inquirer.blogspot.com/2004/05/welcome-skeptical-inquirers.html' title='Welcome Skeptical Inquirers'/><author><name>Zorgo</name><uri>http://www.blogger.com/profile/12358674784228821332</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://photos1.blogger.com/blogger/709/412/200/face1.png'/></author><thr:total>0</thr:total></entry></feed>
