Externalities are crucial for the software industry

Externalities exist in any business. We are very familiar by now with the externalities of the manufacturing industries – air and water pollution, noise pollution, depletion of resources etc. But what about the software industry? How bad is the industry’s addiction to the externalities?

In economics, an externality is a cost or benefit which affects a party who did not choose to incur that cost or benefit.[1]

For example, manufacturing activities which cause air pollution impose health and clean-up costs on the whole society, while the neighbors of an individual who chooses to fire-proof his home may benefit from a reduced risk of a fire spreading to their own houses. If external costs exist, such as pollution, the producer may choose to produce more of the product than would be produced if he were required to pay all associated environmental costs. If there are external benefits, such as in public safety, less of the good may be produced than would be the case if the producer were to receive payment for the external benefits to others. For the purposes of these statements, overall cost and benefit to society is defined as the sum of the imputed


Read the full article ->

Microsoft strategy success: Nokia no more

Now it should be painfully obvious to everyone that the long-term strategic plan of Microsoft to bring down and absorb Nokia worked. Many years of hard work by high-profile managers and large investments are finally set to bring home profit for Microsoft.

Now that Nokia is bought by Microsoft, Microsoft can finally make the mobile devices that are, well, mobile devices. They will have the technology, the market, and the people. Unfortunately, they still have to make it all work. They still may run this very successful business of Nokia into the ground. And there is a high chance they will.

There was a time when I was wondering if it was just a Microsoft venture, or a joint venture by Microsoft and Samsung. Actually, no, I would not go as far as to say it is all clear now. We will see how things pan out.

The hole in the market remains though and the market share of Nokia is still up to grabs. The biggest problem is really the patent pool. This is the time when you wish there were no such things as patents. The market could flood with new and exciting mobile phones now if …
Read the full article ->

Insourcing – a new fashion trend

There is a new trend, a new fashion in the high-tech industry. They already coined the most natural term for it and it is called “insourcing”. A recent article was called “Insourcing QA to gain more control over the resources”. Yes, indeed, so outsourcing has outlived its hype by far and we need a new something for the managers to get bonuses about.

Not surprisingly, the new trend is a direct reversal of the previous trend. So, there is nothing new there really. In a decade or so we will be high on outsourcing again, so the Indians and others should just hang in there for a while and we’ll be back.

Reality is that neither outsourcing nor insourcing are the ultimate answer to anything. No magic bullet is going to cure an ineffectively managed business. The best one can do is ignore these fashions completely. Unless you are a consultant of outsourcing, of course, because now you will be consulting with equal vigour on insourcing.

 …
Read the full article ->

Negotiations and Expectations

Some negotiations are like sailing in and out. Others – not quite. Why do so many negotiations fail and other, while successful, still present a thorny winding road to the participants? Why should people suffer through negotiations instead of just talking?

While there may be many reasons for not actually getting what you wanted in the first place in the negotiations and feeling frustrated about the results, should we actually make our lives harder than needed? What is the reason that many people think negotiations are a hard job? Why do they get drained out in a course of a short two hour business meeting that happens to be labeled “negotiation”?

I have a theory. It all has to do with expectations. Should you come to the meeting without particular expectations, you would be fairly objective and could actually follow the logic of the arguments on both sides, see compromises, do your job. But what happens when you come to such a meeting carrying expectations?

Expectations can never be met. It’s a rule and it is dead simple. We are all different people and different organizations. It is extremely unlikely that we think in entirely similar ways and will form …
Read the full article ->

Strategic direction: security ebb

Something quite prominent happened in the security field over the last week. It is a strategic move so I am going to talk about it here rather than on Holy Hash! although it would be interesting to the security folks too.

So, what happened, you ask? Ah, nothing so spectacular that TV shows would interrupt their evening program for but so momentous that I wish they would. It all started with the little exercise at RSA Conference where a couple of so-called “security leaders” declared that security is the territory of really large companies and anyone smaller should just forget about it. I already wrote my opinion about the basic idea of ignoring risks in an area where an incident, according to Coverity, runs on average to 7 million dollars but can easily be a couple of orders of magnitude more.

It would all go away into the history unnoticed if it was not for Bruce Schneier who suddenly chipped in with his commentary that he agrees to the gentlemen in question. Now, Bruce is not stoopid and he is the head of security for BT. To explain to our full satisfaction how come that his …
Read the full article ->

Mitigating risks … is a waste of money?

There was an interesting talk at one of the panels at the RSA Conference, where SilverSky and Adobe claimed that investing in security is a waste of money. Their message is simple and compelling:

“For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to pressure on you to do it.”

Although they say that this was all in pretense, we all know it was not, companies large and small try to avoid fixing problems as long as they can, waiting for customers to complain loud before ever doing anything. Basically, this is a risk that companies rate as unimportant because of its low perceived rate of occurrence.

The problem with this kind of risks that they cannot be properly rated. The probability of these risks is hard to rate because the data is basically unavailable. And the impact of the risk is underrated because of low perceived probability. People tend to ignore such risks.

But the companies, can they also afford to ignore such risks? What has to be considered is that a …
Read the full article ->

Everything is a hammer…

It looks like for Stephen Elop, the Microsoft  manager in charge of Nokia, everything looks like a Windows computer. What is all this nonsense about Nokia delivering cheap smartphones in developing countries? That market is already taken, first by LG and Samsung and then a couple times over by Chinese manufacturers. He ran the most successful mobile company in the world into the ground and he should be proud of that achievement. I am sure he is. Can you imagine what it takes, what kind of dedication, to actually take the market leader and run it into the ground, destroy everything very quickly and systematically? It is a mind-boggling achievement. We will be watching Stephen for his next career move to see what company will be brought to its knees next.


Read the full article ->

Software Security Philosophy

What is “security”? Well, not in broad sense, that is, but in software security? What does it mean: to develop secure software? What do we understand to fall into the realm of software security?

I tell you what I mean when I say “software security”. For me, the software security means to bring the intent of the original designer to the customer.

This is very simple. The designer had some idea in mind when designing the software. He had some intention for the software to function in a particular way. That mental picture is translated into design, brought over into development, translated into source code, translated into binary, delivered, installed and configured at the csutomer’s site. And our task is to ensure that what operates now at the customer’s site reflects exactly what developer had in mind. If it does not – we have a breach of security.

I know that this is a very broad definition and it encompasses many areas traditionally thought to be outside the realm of security. Some people do not like that. But in my view, this is much simpler to act on than to try and define the precise separation of realms.

Take …
Read the full article ->

State of security – still miserable

Even after all these years the software industry seems to be ever in a state where we believe that if vulnerability exists but is unknown to the public it cannot be exploited, so our software is “practically secure.” In theory this is true, but the problem is that once someone finds the vulnerability, the finder may just exploit the vulnerability instead of reporting it or helping to fix it. Having “hidden” vulnerabilities doesn’t really make the vulnerabilities go away; it simply means that the vulnerabilities are a time bomb, with no way to know when they will be exploited.

Security is a fascinating subject even for uninitiated not to mention Bruce (who makes money with it no slower than the US Treasury printing presses) that may be looked at from different perspectives and talked about in several management dialects, including McKenzie (I do not speak it but I can understand it in a round-about sort of ways). Talking about security often gives you a cozy feeling. And all those diagrams, tables and, oh my, vectors and mitigations, they are so neat and kosher… until someone starts asking hard questions. Pray this someone is not your customer.

Talking about security does …
Read the full article ->

The Future of NFC Payments

Someone asked me to provide feedback on an article regarding The Future of NFC Payments (yes, capitalized, like in “Big Future”). I do not cherish the idea of giving up my contact details for a brochure download, so I did not read the actual paper. I cannot imagine why people would not want their ideas to be widespread. I think it is silly to force people to register when you want them to read your articles, for they will simply read it elsewhere.

Anyhow, back to the subject of mobile payments with NFC – that’s what the paper claims to be about. I do not really know what they said inside but seeing “NFC was hailed as one of the biggest trends for mobile operators for 2011” in the blurb is enough to get an idea of what might be on the inside.

Now, let’s be clear that mobile payments are a fighting ground for two large forces: the banking industry and the mobile service industry. Both of them deal with a lot of customers and a lot of cash. And none of them would willingly give up the payment transactions stream to another. One, the banking industry, owns the …
Read the full article ->