Externalities are crucial for the software industry

Externalities exist in any business. We are by now very familiar with the externalities of the manufacturing industries: air and water pollution, noise pollution, depletion of resources and so on. But what about the software industry? How bad is the industry’s addiction to externalities?

In economics, an externality is a cost or benefit which affects a party who did not choose to incur that cost or benefit.[1]

For example, manufacturing activities which cause air pollution impose health and clean-up costs on the whole society, while the neighbors of an individual who chooses to fire-proof his home may benefit from a reduced risk of a fire spreading to their own houses. If external costs exist, such as pollution, the producer may choose to produce more of the product than would be produced if he were required to pay all associated environmental costs. If there are external benefits, such as in public safety, less of the good may be produced than would be the case if the producer were to receive payment for the external benefits to others. For the purposes of these statements, overall cost and benefit to society is defined as the sum of the imputed monetary value of benefits and costs to all parties involved.[2][3] Thus, it is said that, for goods with externalities, unregulated market prices do not reflect the full social costs or benefit of the transaction.


Externalities are absolutely crucial for the existence of the software industry as we know it today. In fact, if you listen carefully, many software manufacturers and vendors openly claim that if they could not use externalities, could not pass a large share of their costs on to society, the industry would not exist at all.

What are the externalities of the software business? First and foremost, the quality of the software. In broad terms, the quality of the software defines its suitability for the purpose and the price we have to pay while using it. If the software is written to the highest quality standards then, believe it or not, it does not crash, it works, it does only what it is intended to do, does it well, and does nothing else. Quality software does not crash itself or the computer, it does not wipe data, it does not corrupt data, it does not annoy the user, it just works. Have you seen any? Well, in the Linux enthusiast world, perhaps, but we are talking about corporations here, so, no, not really.

Every software company is in a race to produce more cheap software that sort of works. That software then needs to be installed and configured by consultants, otherwise it won’t work. Then it has to be patched, otherwise it won’t work right. And, of course, it needs a much larger infrastructure than the task at hand would suggest. Not to mention the lost time and the productivity opportunity cost. All of these are costs that are externalized by the software vendor and passed on to society.

Someone somewhere will have to pay for it, as is the case with all externalities. Those costs cannot be avoided; they will have to be incurred and paid by society. The problem is that if they were paid at the source they would be smaller than when they have to be paid many times over by people around the world. The cost to society would be smaller.

The software manufacturers of today are addicted to externalities like drugs. The corporations cannot stop inventing new ways to pass more externalities on to us, society at large, and to create higher profits at the expense of the global cost to society.

I reckon it is not true that we would have no software industry if externalities could not be used. I bet we would have a very different software industry, though. It would perhaps develop at a slower pace at the beginning, but we would get quality at every step and we could be sure that things work. That would drive much stronger progress in the long term.

The software industry uses its own produce to manufacture more software. Costs are incurred in the software manufacturing process as the result of the industry passing its externalities onto itself. The software industry suffers from its own low quality as much as or more than everyone else. Removing those costs would lead to higher productivity and higher quality overall in the long run. Eventually, this different world would overtake the world as we know it today, because our costs keep mounting up and theirs would not.

I think the software industry will have to switch over to internalizing its externalities to prevent a collapse under their burden. I would like to see this switch start sooner rather than later.

Microsoft strategy success: Nokia no more

Now it should be painfully obvious to everyone that the long-term strategic plan of Microsoft to bring down and absorb Nokia has worked. Many years of hard work by high-profile managers and large investments are finally set to bring home a profit for Microsoft.

Now that Nokia has been bought by Microsoft, Microsoft can finally make mobile devices that are, well, mobile devices. They will have the technology, the market and the people. Unfortunately, they still have to make it all work. They may still run this very successful business of Nokia into the ground. And there is a high chance they will.

There was a time when I wondered whether this was just a Microsoft venture or a joint venture by Microsoft and Samsung. Actually, no, I would not go so far as to say it is all clear now. We will see how things pan out.

The hole in the market remains, though, and Nokia’s market share is still up for grabs. The biggest problem is really the patent pool. This is the time when you wish there were no such thing as patents. The market could be flooded with new and exciting mobile phones now if it were not for patents. Strange that patent law, created to promote innovation, so often works in reverse, stifling it.

Insourcing – a new fashion trend

There is a new trend, a new fashion, in the high-tech industry. They have already coined the most natural term for it: “insourcing”. A recent article was titled “Insourcing QA to gain more control over the resources”. Yes, indeed: outsourcing has long outlived its hype and we need some new thing for the managers to get bonuses for.

Not surprisingly, the new trend is a direct reversal of the previous one, so there is nothing new there really. In a decade or so we will be high on outsourcing again, so the Indians and others should just hang in there for a while and we’ll be back.

The reality is that neither outsourcing nor insourcing is the ultimate answer to anything. No magic bullet is going to cure an ineffectively managed business. The best one can do is ignore these fashions completely. Unless you are an outsourcing consultant, of course, because now you will be consulting with equal vigour on insourcing.


Negotiations and Expectations

Some negotiations are like sailing in and out. Others, not quite. Why do so many negotiations fail, and why do others, while successful, still present a thorny, winding road to the participants? Why should people suffer through negotiations instead of just talking?

While there may be many reasons for not getting what you wanted in the first place from a negotiation and feeling frustrated about the result, should we actually make our lives harder than needed? Why do so many people think negotiation is a hard job? Why do they get drained in the course of a short two-hour business meeting that happens to be labeled “negotiation”?

I have a theory. It all has to do with expectations. Should you come to the meeting without particular expectations, you would be fairly objective and could actually follow the logic of the arguments on both sides, see the compromises, do your job. But what happens when you come to such a meeting carrying expectations?

Expectations can never be met. It is a rule and it is dead simple. We are all different people and different organizations. It is extremely unlikely that we think in entirely similar ways and form entirely the same expectations of the same event. It is extremely unlikely that anything at all that happens will correspond to the mental picture that we call your expectations. And therefore your expectations can never be met.

You are frustrated from the outset of the meeting because your expectations are not met, and it gets worse. You are now in a mood of expecting the worst, and you interpret events towards the worst possible interpretation. We know that we do not work with reality; we work with our interpretation of it. So now your interpretation gets skewed towards the deep end and your expectations continue to mismatch the content of the event. By the end of the negotiation you will be thoroughly depressed and depleted of energy, by your own doing.

I am exaggerating a little, of course, to make sure my point gets across. Things usually are not that bad, but they still tend to be worse than they should be when you have expectations, and they get worse as your expectations multiply.

So the only reasonable way of dealing with negotiations is to have no expectations. You may have business and personal goals, but you may not have expectations. See the events as they unfold in front of you, marvel at the winding road leading towards agreement and accept things. You may not get what you wanted, completely or in part, but that does not mean you should not enjoy the discussion. By all means, do enjoy the negotiation and do not slip over to the morbid side. Your life will become easier, and you will also make life easier for the people on the other side of the table. Easier not in terms of convincing you, but in terms of psychological pressure and exhaustion. Unless your negotiation tactic is to exhaust your partners at all costs, of course.

Mind you, the agenda of a meeting and expectations are entirely different things. An agenda serves to give some structure to the meeting, so there should be no confusion there. And, again, your goals and your arguments are distinct from your expectations, so keep them separate.

Strategic direction: security ebb

Something quite prominent happened in the security field over the last week. It is a strategic move, so I am going to talk about it here rather than on Holy Hash!, although it would be interesting to the security folks too.

So, what happened, you ask? Ah, nothing so spectacular that TV stations would interrupt their evening program for it, but so momentous that I wish they would. It all started with a little exercise at the RSA Conference where a couple of so-called “security leaders” declared that security is the territory of really large companies and anyone smaller should just forget about it. I have already written my opinion about the basic idea of ignoring risks in an area where an incident, according to Coverity, runs to 7 million dollars on average but can easily be a couple of orders of magnitude more.

It would all have passed into history unnoticed if it were not for Bruce Schneier, who suddenly chipped in with a commentary that he agrees with the gentlemen in question. Now, Bruce is not stoopid, and he is the head of security for BT. To explain to our full satisfaction how his words come to run counter to what he usually preaches in his books and his security life, we have to take it as the corporate direction from BT. Otherwise, why would he go to the trouble of participating in this publicity stunt?

So here is a sand castle of a conspiracy theory for you to contemplate. Notice now how we suddenly have three companies, largely unrelated to each other, preaching the same message on highly respected channels. First, let’s summarize the message. I think it could be put along the lines of:

Only really large corporations can afford to invest in security. Small companies cannot justify the investment in security. Unless a company suffers a security problem the company must ignore security completely.

When I re-read that, I cannot help myself wondering: “where is IBM?” They should be in this game, they have been at it for decades! But I digress.

Whether the message is in earnest, a joke or a pretense does not matter. What matters is the content of the message and the credibility of the source. Using serious, well-known channels like the RSA Conference and Bruce Schneier practically guarantees a large reach for the message, with the credibility of “beyond serious doubt” automatically stamped all over it.

So this is the message, and it is easy to imagine that the “smaller” companies will follow the advice and not take care of their own security or the security of their own products. What will happen? They will lose all security-related expertise, security developers and so on. So they will have to outsource security somewhere else when accidents happen. And security accidents happen all the time; the ignorant companies will not have to wait long.

So I can see how this is a very profitable direction for BT, which sells security solutions. I can see how it is profitable for SilverSky, which sells security services. But how is it profitable for Adobe? Well, it probably isn’t. John Viega and Brad Arkin have spent a lot of time together and Cigital will certainly benefit, so I am not surprised at the performance from the amis cochons, even if it is irrelevant for Adobe.

Anyhow, here is an attempt at a new trend, and we will see how things move on. I suppose we have to allow for several possibilities: (1) this is just a one-off publicity stunt for the people and companies in question; (2) this is companies “testing the waters” for a new “approach to security”; and (3) this is the beginning of a shift towards acknowledged massive insecurity, driven by those interested parties. On a hunch, I would vote for number three.

Mitigating risks … is a waste of money?

There was an interesting talk at one of the panels at the RSA Conference, where SilverSky and Adobe claimed that investing in security is a waste of money. Their message is simple and compelling:

“For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to pressure on you to do it.”

Although they say that this was all in pretense, we all know it was not: companies large and small try to avoid fixing problems as long as they can, waiting for customers to complain loudly before ever doing anything. Basically, this is a risk that companies rate as unimportant because of its low perceived rate of occurrence.

The problem with this kind of risk is that it cannot be properly rated. The probability of these risks is hard to estimate because the data is basically unavailable, and the impact is underrated because of the low perceived probability. People tend to ignore such risks.

But can companies also afford to ignore such risks? What has to be considered is that a serious security problem may easily put a company out of business. Even if the company stays in business, the impact on its image may be such that it takes several years to recover. These are what are typically called “existential” or “terminal” risks.


Companies, for the most part, must account for and mitigate risks that would put them out of business. Doing otherwise is called gambling and is totally irresponsible towards the shareholders.

Everything is a hammer…

It looks like that for Stephen Elop, the Microsoft manager in charge of Nokia, everything looks like a Windows computer. What is all this nonsense about Nokia delivering cheap smartphones in developing countries? That market is already taken, first by LG and Samsung and then a couple of times over by Chinese manufacturers. He ran the most successful mobile company in the world into the ground, and he should be proud of that achievement. I am sure he is. Can you imagine what it takes, what kind of dedication, to actually take the market leader and run it into the ground, to destroy everything very quickly and systematically? It is a mind-boggling achievement. We will be watching Stephen’s next career move to see which company will be brought to its knees next.

Software Security Philosophy

What is “security”? Not in the broad sense, that is, but in software security? What does it mean to develop secure software? What do we understand to fall into the realm of software security?

I will tell you what I mean when I say “software security”. For me, software security means bringing the intent of the original designer to the customer.

This is very simple. The designer had some idea in mind when designing the software. He had some intention for the software to function in a particular way. That mental picture is translated into a design, brought over into development, translated into source code, translated into binary, delivered, installed and configured at the customer’s site. And our task is to ensure that what now operates at the customer’s site reflects exactly what the designer had in mind. If it does not, we have a breach of security.

I know that this is a very broad definition and it encompasses many areas traditionally thought to be

State of security – still miserable

Even after all these years the software industry seems to be forever in a state where we believe that if a vulnerability exists but is unknown to the public it cannot be exploited, so our software is “practically secure.” In theory this is true, but the problem is that once someone finds the vulnerability, the finder may just exploit it instead of reporting it or helping to fix it. Having “hidden” vulnerabilities does not make them go away; it simply means that they are a time bomb, with no way to know when they will be exploited.

Security is a fascinating subject, even for the uninitiated, not to mention Bruce (who makes money from it no slower than the US Treasury printing presses), that may be looked at from different perspectives and talked about in several management dialects, including McKenzie (I do not speak it but I can understand it in a roundabout sort of way). Talking about security often gives you a cozy feeling. And all those diagrams, tables and, oh my, vectors and mitigations, they are so neat and kosher... until someone starts asking hard questions. Pray this someone is not your customer.

Talking about security does not help. Keeping it quiet does not help either. Only doing does.

The Future of NFC Payments

Someone asked me for feedback on an article regarding The Future of NFC Payments (yes, capitalized, as in “Big Future”). I do not cherish the idea of giving up my contact details for a brochure download, so I did not read the actual paper. I cannot imagine why people would not want their ideas to be widespread. I think it is silly to force people to register when you want them to read your articles, for they will simply read it elsewhere.

Anyhow, back to the subject of mobile payments with NFC, which is what the paper claims to be about. I do not really know what they said inside, but seeing “NFC was hailed as one of the biggest trends for mobile operators for 2011” in the blurb is enough to get an idea of what might be inside.

Now, let’s be clear that mobile payments are a battleground for two large forces: the banking industry and the mobile service industry. Both of them deal with a lot of customers and a lot of cash, and neither would willingly give up the payment transaction stream to the other. One, the banking industry, owns the terminals and the networks, the payment infrastructure. The other, the mobile industry, owns the handset and the SIM card, the means of payment.

So, until I hear that those two, mobile operators and banking associations, have come to some sort of agreement between themselves on terms for mobile payments, I am not going to lose sleep over any imagined mobile payment trends, with or without NFC, this year.

Mind you, there is always a chance that a small handset manufacturer like Apple comes up with a painfully obvious scheme that Nokia simply cannot afford... But that is another story.