Friday, November 1, 2013

The end of cryptography?

I've just come across a statement Adi Shamir (one of the fathers of modern cryptography) made in February, that "cryptography is becoming less and less important". He explained that recent attacks successfully penetrated even the strongest barriers, and from this fact he concludes that cryptography is becoming less important.

This is an erroneous and misleading judgment, and it becomes even worse when it comes from a cryptography specialist. The most obvious conclusion to draw from the successful attacks would be that stronger barriers are needed. There's a more significant problem to be addressed though: the quality of defense.

Current software developers and system integrators don't pay much attention to overall quality, and to security in particular. Businesses demand the shortest possible time to market, and this of course contradicts the goal of reaching a proper security level. In addition, there's a shortage of developers and IT specialists on the market, and it's even harder to find security-aware software developers.

So the right conclusion must be: "we must educate more security specialists and create a dedicated industry of digital security services". That's what I would expect to hear from any security-oriented person.

Tuesday, October 1, 2013

Why not use the phone in business communications

People are well-organized and sophisticated animals, in which reflexes and habits (as opposed to thinking) play the major role. One of those habits is to talk rather than think. This approach is convenient for everyday communication, but when it comes to business negotiations or technical questions, the phone is not a productive option. Here's why.

The first delusion is the seemingly fast resolution of the problem. Yes, a phone call is a fast way to make somebody do something in your favor (possibly things which have been postponed or overlooked before). That's fine. However, if the problem needs time to work on, the benefit of the phone call vanishes immediately. Moreover, distracting the specialist from his work brings nothing but frustration to both sides.

The second delusion is effectiveness in obtaining information. Easy come, easy go. When you get some information, you ask for more details, and unless you write them all down immediately (and what was the point of calling if you need to write or type what you hear?), it's forgotten. When you have a written (typed) transcript of the communication, you can always go back to it and clarify the things which were not clear. Moreover, the other party can do the same, so what you have agreed on is not forgotten by either party.

The last but not least factor is the possibility to think. Fast resolution of anything is almost never very effective. While in everyday life a suitable but faster solution is preferred to the most effective but late one, in business it's different. By saving 5 minutes on typing you can lose hundreds of dollars on an ineffective solution. It's simple math.

There is one more factor, which applies to various support and assistance channels. Written communication makes support personnel more accurate and attentive, because they know that the transcript can always be inspected and reviewed by the management of both parties. Also, if a debate is initiated by either side, both parties can review the history of the communication and work out a mutually satisfactory position.

To summarize: phone communication can save you 5-10 minutes, but the long-term benefits of written communication significantly outweigh that seemingly saved time.

Thursday, May 2, 2013

Security risks of open-source

An overwhelming 86 percent of those surveyed believe their applications are at least 80 percent open source with the remaining 20 percent custom components and code, illustrating a dramatic shift in how mission-critical software is built. This paradigm shift is forcing companies to rethink how they manage risk in the age of agile, component-based software development.
While reliance on open source components increases year-over-year, limitations on the visibility, control and management of their use continue to be a problem. Of those large organizations surveyed (companies with > 500 developers), an astonishing 76 percent have no control over what components are being used in software development projects, and even more alarming is that 65 percent don't maintain an inventory of components used in production applications.

Which means that the software consists of holes and bugs (80%) and tested software (20%).

Tuesday, April 23, 2013

8 reasons to choose a commercial library instead of an open-source one

This article has been written with security in mind; it is about the security of your business and of software development in general.

Open-source software (i.e. software offered under free licenses with freely accessible source code) gains popularity day by day. The reason is obvious: price drops for end-user software make it harder to invest cash into software development beforehand. And in the case of in-house development, tighter IT budgets make programmers choose code snippets of unidentified quality.

However, while open-source libraries and code snippets seem to have zero initial cost, they start to consume resources later, during the life cycle of your software. And commercial libraries can offer more than you might think.

I will focus on professionally developed commercial solutions: putting a price tag on a piece of code doesn't magically turn it into an industry-level commercial product. A commercial library must be evaluated thoroughly to answer the question of how professional it is. Not everything with a price tag is good, that's obvious. But if it's commercial, chances are good that you will get the things missing in open-source offerings.
Let's review what exactly commercial software (and specifically component and class libraries for software developers) can offer, and then discuss objections and counter-objections.


And as promised, my reason #8:

Investment in the future

The “save tomorrow for tomorrow, think about today instead” mantra has brought humanity to the edge of ecological catastrophe. Apple's bias towards end-users (which is just a cloak for the desire to sell more hardware) has hurt the whole software industry badly. People are used to paying 0 to 1 dollar for software and then ask “what? Do I have to pay another $0.99 for a new version of the software title that I've been using for 3 years? Are you insane?”. That attitude poisons the industry and slows down innovation. For some time the race for the first places in the App Store and Play Store will make developers invest their time and resources into software titles, but calculations and studies show that this race is more of a lottery, with little chance for small developers to succeed.

Paying for software, and motivating users to pay as well, is a culture of software consumption which will let the ISV industry, and especially small vendors, continue to innovate in the future and do so with satisfactory budgets.

Finally, if you don't pay for the books you read, writers will stop writing and there will be no new literature left to read (or to steal). If nobody pays for software now, there will be no skilled vendors in 5-10 years and no good and sophisticated software. Unlike musicians, software vendors can't give software away for free and do something else for a living; that's not a viable business model. So they will simply go out of business, and the world will become full of open-source stuff, unsupported and of unknown quality.

Tuesday, April 9, 2013

Advertising and sanity

While not directly related to IT security or crypto, this topic also applies to all businesses working in IT security.

I was looking to place an advertisement for our security-related product for developers on a certain well-known site for developers. Target market, you know (well, kind of). However, the approach to business used by this site shocked me. In the year 2013 they still offer only banner advertisement on a pay-per-view basis (and they are not alone in this mistake, BTW).

We all know well that banners don't work, as they are blocked by ad blockers, which nowadays are built into browsers. A CTR of 0.01% (yes, one click per 10K views) is a common result, for multiple reasons. So pay-per-view banner advertising just doesn't pay for advertisers. $3000 per sale generated by such advertising is far beyond common sense.

As ads don't work, this site doesn't seem to get many advertisers. And what do they do? Instead of exploring other ways of monetizing the site, instead of providing context-based or audience-based ads (including text and video ads), they... sky-rocket prices and set minimum spending limits, trying to squeeze income from those few remaining advertisers.

I could understand it if they were a site for a paying audience that really generates good sales. On the contrary, this site is devoted and biased towards lovers of free lunch and open-source.

One would say that instead of writing this I should go and find some other place to advertise and stop complaining. Well, yes, and that's what I am doing. But I want to draw everyone's attention to the inadequate business decisions made by some web sites, and how those decisions lead to a lose-lose situation.