Tuesday, October 1, 2013
Why not use phone in business communications
People are well-organized and sophisticated animals, in whom reflexes and habits (as opposed to thinking) play the major role. One of those habits is to talk rather than think. This approach is convenient for everyday communication, but when it comes to business negotiations or technical questions, the phone is not a productive option. Here's why.
The first delusion is the seemingly fast resolution of the problem. Yes, a phone call is a fast way to make somebody do something in your favor (possibly things that have been postponed or overlooked before). That's fine. However, if the problem needs time to work on, the benefit of the phone call vanishes immediately. Moreover, distracting the specialist from his work brings nothing but frustration to both sides.
The second delusion is effectiveness in obtaining information. Easy come, easy go. When you get some information, you ask for more details, and unless you write them all down immediately (and what was the point of calling if you have to write or type what you hear?), they are forgotten. When you have a written (typed) transcript of the communication, you can always go back to it and clarify the things that were not clear. Moreover, the other party can do the same, so what you have agreed on is not forgotten by either side.
Last but not least is the opportunity to think. Fast resolution of anything is almost never very effective. While in everyday life a suitable but faster solution is preferred to the most effective but late one, in business it's different. By saving 5 minutes on typing you can lose hundreds of dollars on an ineffective solution. It's simple math.
One more factor applies to support and assistance channels. Written communication makes support personnel more accurate and attentive, because they know that the transcript can always be inspected and reviewed by the management of both parties. And if a dispute arises on either side, both parties can review the history of the communication and work out a mutually satisfactory position.
To summarize: phone communication can save you 5-10 minutes, but the long-term benefits of written communication significantly outweigh that seemingly saved time.
Thursday, May 2, 2013
Security risks of open-source
An overwhelming 86 percent of those surveyed believe their applications are at least 80 percent open source with the remaining 20 percent custom components and code, illustrating a dramatic shift in how mission-critical software is built. This paradigm shift is forcing companies to rethink how they manage risk in the age of agile, component-based software development.
While reliance on open source components increases year-over-year, limitations on the visibility, control and management of their use continue to be a problem. Of the large organizations surveyed (companies with > 500 developers), an astonishing 76 percent have no control over what components are being used in software development projects, and, even more alarming, 65 percent don't maintain an inventory of the components used in production applications.
Which means that such software consists of holes and bugs (80%) and tested code (20%).
Tuesday, April 23, 2013
8 reasons to choose commercial library instead of open-source one
This article has been written with security in mind; it is about the security of your business and of software development in general.
Open-source software (i.e. software offered under free licenses with freely accessible source code) gains popularity day by day. The reason is obvious: falling prices of end-user software make it harder to invest cash in software development beforehand, and for in-house development, tighter IT budgets push programmers to pick code snippets of unknown quality.
However, while open-source libraries and code snippets seem to have zero initial cost, they start to consume resources later, during the life cycle of your software. And commercial libraries can offer more than you might think.
I will focus on professionally developed commercial solutions: putting a price tag on a piece of code doesn't magically turn it into an industry-level commercial product. A commercial library must be evaluated thoroughly to answer the question of how professional it is. Not everything with a price tag is good, that's obvious. But if it's commercial, chances are good that you will get the things missing from open-source offerings.
Let's review what exactly commercial software (and specifically component and class libraries for software developers) can offer, and then discuss objections and counter-objections.
Read more on CodeProject.com
And as promised, my reason #8:
Investment in the future
The "save tomorrow for tomorrow, think about today instead" mantra has brought humanity to the edge of ecological catastrophe. Apple's bias towards end-users (which is just a cloak for the desire to sell more hardware) has hurt the whole software industry badly. People are used to paying $0 to $1 for software and then ask "What? Do I have to pay another $0.99 for a new version of the software title that I've been using for 3 years? Are you insane?". That attitude poisons the industry and slows down innovation. For some time the race for the top places in the App Store and Play Store will make developers invest their time and resources into software titles, but calculations and studies show that this race is more of a lottery, with little chance for small developers to succeed.
Paying for software, and motivating users to pay as well, is a culture of consuming software that will let the ISV industry, and especially small vendors, continue to innovate in the future and do so with satisfactory budgets.
Finally, if you don't pay for the books you read, writers will stop writing and there will be no new literature to steal or to read. If nobody pays for software now, there will be no skilled vendors in 5-10 years and no good and sophisticated software. Unlike musicians, software vendors can't give software away for free and do something else for a living; that's not a viable business model. So they will simply go out of business, and the world will become full of open-source stuff, unsupported and of unknown quality.
Tuesday, April 9, 2013
Advertising and sanity
While not directly related to IT security or crypto, this topic also applies to all businesses working in the IT security field.
I was looking to place an advertisement for our security-related product for developers on a certain well-known site for developers. Target market, you know (well, kind of). However, the approach to business used by this site shocked me. In the year 2013 they still offer only banner advertising on a pay-per-view basis (and they are not alone in this mistake, by the way).
We all know that banners don't work, as they are blocked by ad blockers, which nowadays are built into browsers. A CTR of 0.01% (yes, one click per 10K views) is a common result, for multiple reasons. So pay-per-view banner advertising just doesn't pay off for advertisers. $3000 per sale generated by such advertising is far beyond common sense.
As the ads don't work, this site doesn't seem to get many advertisers. And what do they do? Instead of exploring other possibilities for monetizing the site, instead of providing context-based or audience-based ads (including text and video ads), they... sky-rocket prices and set minimum spending limits, trying to squeeze income from those few remaining advertisers.
I could understand it if they were a site for a paying audience that really generates good sales. On the contrary, this is a site devoted and biased towards lovers of free lunch and open-source.
One might say that instead of writing this I should go and find some other place to advertise and stop complaining. Well, yes, and that's what I am doing. But I want to draw everyone's attention to the inadequate business decisions made by some web sites, and how those decisions lead to a lose-lose situation.
Friday, August 17, 2012
About utter incompetence of malware "analysts" and journalists
Prerequisites:
We have a software product named RawDisk. It is a kernel-mode driver used to perform several security-sensitive operations involving sector-level access to disks, for both reading and writing. In particular it can be used to write filesystem internal structures and the MBR itself. Uses of such a driver are numerous: searching across the disk, disk optimization, backups of locked files and more. The driver is signed with a code-signing certificate. Our customers embed the driver in their software. We perform a certain inspection of the customer base, i.e. we would not sell the product to individuals or to customers with no clear identification (without an address, phone etc.). This is done to prevent misuse of the driver. Also, the driver can be bound to particular EXE file names to further hinder misuse.
Story:
Some unidentified script kiddies crafted malware which wipes the victim's disks. To do the actual wiping they used our driver, probably stolen from one of our clients' software (I am omitting the technical details of copy control here for security reasons).
The malware was discovered by several security companies. Only two of them, McAfee and Symantec, properly identified the driver as stolen from legitimate software. Kaspersky Labs and several other wanna-be specialists from other companies concluded that those script kiddies had managed to create the driver themselves and sign it using a "stolen private cryptographic key of EldoS Corporation", which is complete bullshit that misleads people and sends the analysis in the wrong direction, searching for kernel-mode developers (though script kiddies are most likely not capable of writing kernel-mode code).
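The distinction between a stolen driver and a stolen signing key is one an analyst can test directly, because an unmodified, legitimately signed binary carries a valid signature without any key theft, whereas a binary that matches no vendor build yet validates under the vendor's certificate would be evidence of key misuse. The PowerShell below is an added example and is not EldoS code or part of the original post; the file paths are placeholders, and it assumes you have a known-good copy of the same driver obtained from the vendor or from a customer's legitimate installation.

```powershell
# Added example (not EldoS code). Both paths are placeholders:
#   $Suspect   - the driver recovered from the malware sample
#   $KnownGood - the same driver as shipped by the vendor
param(
    [string]$Suspect   = 'C:\cases\sample\driver.sys',
    [string]$KnownGood = 'C:\vendor\release\driver.sys'
)

# Collect the Authenticode verdict, the signing certificate and a file hash
# so the two files can be compared on signer identity and on raw bytes.
function Get-SignerSummary {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status                      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

$s = Get-SignerSummary $Suspect
$k = Get-SignerSummary $KnownGood
$s, $k | Format-List

# Decision tree: byte identity is checked before drawing any conclusion about the key.
if ($s.Sha256 -eq $k.Sha256) {
    'Byte-identical to the vendor build: the legitimate driver was reused. No key theft is needed to explain the signature.'
}
elseif ($s.Status -eq 'HashMismatch') {
    'Signed bytes were altered after signing: the attacker could not re-sign, which argues against a stolen key.'
}
elseif ($s.Status -eq 'Valid' -and $s.Thumbprint -eq $k.Thumbprint) {
    'Different binary with a valid signature from the same certificate: either another legitimate vendor build or evidence of key misuse. Confirm with the vendor before claiming key compromise.'
}
elseif ($s.Status -eq 'Valid') {
    'Valid signature, but from a different certificate: attribution to this vendor is wrong.'
}
else {
    'Signature status is {0}; verify the certificate chain and timestamp before attributing anything.' -f $s.Status
}
```

The byte comparison comes first on purpose: it does not depend on the current trust state of the certificate, whereas `Status` does. A certificate that has since been revoked, or that expired without a timestamp countersignature, can make an unmodified file report something other than `Valid` today; only `HashMismatch` says the bytes changed after signing. Get-FileHash requires PowerShell 4.0 or later.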
Now some journalists have copy-pasted the above-mentioned bullshit into their articles without checking.
NONE of the above security companies contacted us to cooperate in identifying the source of the signature and/or the driver. NOBODY bothered to contact us about the possibly stolen private key. NO journalist requested additional information or comments from us. Moreover, the analysts from McAfee, who sent us a brief note about the malware, never responded to our offer to find out where the driver had leaked from.
I claim this to be utter incompetence on the part of those "security specialists" and journalists. And when you decide to buy some "security software" to protect your computer, think about whether you can trust people who don't want to find the root of the problem, who are not interested in the details of the case, and who don't really stand for security.