The lesser of two online security evils: risk breaking it or let hackers do it.

The Equifax hack is spectacular in many ways and is forcing serious introspection on the part of developers and security managers. The current culprit is an Apache Struts vulnerability (CVE-2017-5638, Apache advisory S2-045) that was reported, and fixed in Struts 2.3.32 and 2.5.10.1, in March 2017, but apparently the patch was not applied on the Equifax website.

As you’d expect, a lot of people are up in arms, dusting off their soap boxes to stand on and explain how unacceptable that is and how someone needs to be gallows bound!

Not an exception

Having, in a previous life, performed basic online vulnerability audits for some big companies, I can attest that this is far from being the exception and that most people in charge feel more comfortable in a « plausible deniability » situation than in seeking to eliminate all risks.

According to the National Vulnerability Database run by the US Computer Security Resource Center, there have been 2872 new high-severity vulnerabilities in 2017 so far.

Hackers have mastered the art of automatically scanning for online systems that still carry them, and then either extracting monetizable data or enrolling the machines in DDoS botnets and putting them to other malicious uses.

Firewalls may just provide a false sense of security. In the case of the Equifax breach, the traffic looked perfectly legit to the firewall: the Struts bug is triggered by a crafted header inside an ordinary HTTP request to the web application, so a network firewall that allows web traffic to the site sees nothing out of place. The fix lives in the application's dependency, not in the network.

As a matter of fact, as of this morning the customer websites of Equifax and Experian, its main competitor, still fail on 3 security factors according to upguard.com!

Only the paranoid survive

Truth is that if you're a developer or an IT manager, you get more recognition for adding a new system or new features to existing ones than for avoiding an attack. There is nothing more unspectacular than a non-attack! Yet if and when one happens, you will be on the receiving end of the blame, and people will find it easy to point out very simple things you could have done and ask why you didn't do them!

In fact most people in charge are scared of breaking the system if they upgrade a component in order to deal with a vulnerability. In an ideal world they would like to retest everything before going live, but because of tight schedules and limited testing resources they trade that off against the security patch. Moreover, because the components that need patching are often part of some lower infrastructure software layer, only a few people can perform an accurate impact analysis.
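The first step of that impact analysis, finding out which of your builds still declare a version below the patched one, can be mechanised. The following is an added example, not code from the original post: it reads a Maven pom.xml and reports dependencies that are older than the minimum fixed version for a known issue. The sample pom is constructed for illustration; the two Struts fixed versions in the table are the ones published in Apache advisory S2-045 for CVE-2017-5638 (the March 2017 bug discussed above). The table would be fed from your own vulnerability feed in practice.

```python
import re
import xml.etree.ElementTree as ET

# Minimum patched version per release branch, keyed by Maven coordinates.
# The Struts entry records the versions published in Apache advisory S2-045
# for CVE-2017-5638; any other entry would come from your vulnerability feed.
FIXED_VERSIONS = {
    ("org.apache.struts", "struts2-core"): {
        "advisory": "S2-045 (CVE-2017-5638)",
        "branches": {"2.3": "2.3.32", "2.5": "2.5.10.1"},
    },
}


def parse_version(version):
    """Turn '2.5.10.1' into (2, 5, 10, 1); stop at the first non-numeric part."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def cmp_versions(a, b):
    """Return -1, 0 or 1; shorter tuples are zero-padded so 2.3 == 2.3.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def branch_of(version, branches):
    """Pick the release branch ('2.3', '2.5', ...) that prefixes the version."""
    for branch in sorted(branches, key=parse_version, reverse=True):
        prefix = parse_version(branch)
        if parse_version(version)[: len(prefix)] == prefix:
            return branch
    return None


def dependencies_from_pom(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency> in a pom."""
    root = ET.fromstring(pom_xml)
    local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the POM XML namespace
    for element in root.iter():
        if local(element.tag) != "dependency":
            continue
        fields = {local(child.tag): (child.text or "").strip() for child in element}
        yield fields.get("groupId"), fields.get("artifactId"), fields.get("version")


def vulnerable_dependencies(pom_xml):
    """Return (artifact, declared, minimum_fixed, advisory) for each finding."""
    findings = []
    for group, artifact, version in dependencies_from_pom(pom_xml):
        entry = FIXED_VERSIONS.get((group, artifact))
        if entry is None:
            continue
        # A version such as ${struts.version} is resolved elsewhere in the build;
        # never treat it silently as fixed, flag it for a human to resolve.
        if not version or version.startswith("${"):
            findings.append((artifact, version, "unresolved", entry["advisory"]))
            continue
        branch = branch_of(version, entry["branches"])
        if branch is None:
            # Branch absent from the table (e.g. an end-of-life line): report it too.
            findings.append((artifact, version, "no fixed release", entry["advisory"]))
            continue
        fixed = entry["branches"][branch]
        if cmp_versions(version, fixed) < 0:
            findings.append((artifact, version, fixed, entry["advisory"]))
    return findings


# Constructed sample pom for the demonstration: one Struts version that predates
# the fix and one unrelated library that is not in the table.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, declared, fixed, advisory in vulnerable_dependencies(SAMPLE_POM):
        print(f"{artifact} {declared}: needs {fixed} ({advisory})")
```

Two caveats worth keeping in mind when you run something like this: a version declared as a property (`${struts.version}`) or inherited from a parent pom is not visible in the file you are scanning, so the check flags it rather than assuming it is fine, and a declared version is not proof of what is deployed, so the same comparison should also be run against the jar manifests actually sitting on the server.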

In addition to dedicated teams and efforts, managers should create incentive schemes that reward the security mindfulness of their IT teams and instill awareness and practices based on peer and external reviews.

Rediscovering Deming and Juran

I recently came to the realisation that you're old when your kids describe your beloved t-shirt as "vintage"!
Call me vintage all you want, but I recently rediscovered the work of W. Edwards Deming who, with Joseph Juran, took US industry out of the Quality (or lack thereof) sh%t hole it was stuck in back in the late 80s!
This brought back fond memories of my late father telling us anecdotes from his time working on "Cercles de Qualité" in my native Morocco, only to be faced with the proverbial « Inshallah » from the phosphate-mine labourers.

Back to Deming and Juran: they are the actual fathers of many pieces of wisdom that have since been attributed to Google or Apple. If you have any doubts about that, see this interview with Steve Jobs describing how much he learned from Juran.

Both had a very high impact in giving "Made In Japan" the quality pizzazz it has today, at a time when post-war Japan was known for cheap, shabby goods that US consumers frowned upon. By the late eighties, US car and other manufacturers started noticing that at least some of the Japanese miracle was home grown and started attending their seminars.

The internet is full of documentaries and essays about them, but looking at Deming, it is fascinating how he combined a systemic view of the enterprise, insisting on processes and continuous improvement, with a humanistic focus on all stakeholders, from workers and suppliers to managers, by calling for a ban on empty slogans and crude performance-based compensation and by favouring long-term, single-supplier win-win contracts.

I really think we could all learn a lot from these pioneers if we only look beyond the vintage patina of their literature.

For more, start with Deming's 14 obligations of management.

When did Necessity stop being the mother of Invention and is that bad?

Fun fact: did you know that Frank Zappa’s band name was originally « The Mother F…ers » but his publisher refused it so he renamed the band « The Mothers of Invention » (by necessity)!

But I'm digressing here. So there was an imaginary past when things were so simple that, in order to come up with new stuff, all we needed was to ask « What do customers need? »

Unfortunately, I'm constantly reminded that it is neither always past nor imaginary, as I see a lot of Product Managers invoking the proverbial « Let's see what customers are asking for » or, in its more acute form, « I've never heard a customer ask for that ».

I must have missed the focus group where a teenage girl from Arkansas expressed the vital need to take duck-faced pictures of herself and share them with everybody and their cousin. Here's a case for you where Vanity beat Necessity hands down, yet nobody will admit to it when asked!

I'm not saying that is bad, but I'm more worried about the two byproducts of waiting for Necessity:

Analysis paralysis

Problem solvers are great, but I've seen many become dysfunctional and do unproductive things (like posting on LinkedIn 😬) while waiting for the next problem to solve. I've also seen many push back until they had clearly formulated problems with only one imaginable solution. Unfortunately my adoptive France offers an abundance of such examples, and I always seem to hear a muttered « CQFD », which stands for « Ce Qu'il Fallait Démontrer » and loosely translates as « What was there to be proven ».

Single purpose products

There is always a fine balance to strike between what the product can do and what it is restricted to doing. In Software Tooling (unlike Applications) it can be dangerous to assume that we know exactly how our products will be used. As with a child, you equip them with capabilities, get them to a viable stage, teach them a couple of tricks, (pray), then sit back and marvel at how they are put to use. I remember seeing customers using the BI tool BusinessObjects in ways we had never fathomed during our long specification sessions back in the nineties!

So my friends, let’s explore how Passion, Curiosity, Opportunity and why not a bit of Vanity and Greed can give birth to more Innovation!

Looking for digital transformation? Try the Near-Death Experience

In French it is the « Expérience de Mort Imminente », and apparently you see the light at the end!

Digital Transformation is THE thing of the moment, and a whole crowd of consultants are there to sell you miracle recipes: a Learning Expedition to Silicon Valley, a brainstorming workshop with little coloured sticky notes, or PowerPoint presentations that could knock out an elephant!

Having been in the middle of the mobile arena for a while, I have the privilege of observing a good number of these initiatives, but in most cases people avoid or forget to get to the heart of the matter. For me the alpha and omega question is « If someone wanted to take us down with a digital product, how would they go about it? ». Mind you, this is not necessarily the founding doctrine of the startup that will hurt your business, but it is an effective way of grasping the phenomenon. Airbnb was not started to kill AccorHotels, but for them it is certainly a ferocious and threatening animal.

Kill the cow

If your company is in the CAC 40 or its waiting room, chances are you are sitting on a portfolio of services or products that includes some fine cash cows. They can also be ancestral traditions or « ways of doing things » laid down by founding fathers or mothers that cannot be touched (those are sacred cows)! In such cases it is mentally hard for the guardians of the temple to picture a world in which those pillars no longer exist: « Come on, taxis are a state-regulated monopoly whose licences trade for a fortune... »

Rather than beating around the bush, force yourself to imagine the fatal blow dealt by products and services that digital makes more accessible, faster, cheaper, of better quality, more reliable, more personal, trendier or, generally speaking, more gratifying.

Eat the cow

The temptation, once the danger has been identified, is to try to guard against it by putting « protections » in place. The only protections for beautiful old carriages that survive are the « do not touch » ropes in museums! If your story does not follow the direction of History, it is better to rewrite it in order to acquire new barriers to entry, if only the famous « First-Mover Advantage ».

Too many digital transformation initiatives end up with « very cool » ideas that are often marginal and modestly avoid any unpleasant feeling of cannibalising the business.

Feel free to tell me if this brings back memories, if you disagree or if you have better ideas!

Alexa STOP!

I was on a Skype call with someone in California; it was morning for me but the middle of the night for him. We both spoke French, but all of a sudden I overheard a female voice speaking English to him. I was wondering why his French wife would speak English to him, and even, for a brief moment, had less noble thoughts of a different woman talking to him that late!

Things got even more interesting when I heard him scream « Alexa STOP! ». By then, I had established that his mistress was named Alexa and that they had a less than tranquil relationship!

That thought was short-lived as he proceeded to explain that he was addressing his Amazon Echo, which had probably recognized a speech pattern in what he was telling me and felt compelled to answer something!

This struck me as a seminal moment for a new class of annoyances that A.I. will bring to our lives: smarty pants behaviors causing irritations and tension that you cannot release because it’s a DAMN MACHINE!

Since then I've been reading that the Amazon Echo is selling like hot cakes this holiday season, so, shrinks rejoice, you're going to get a lot of business from couples and family members who display frustrated behaviors they can't put into words. But I'm sure some Startup will figure out an A.I. to help you better diagnose these things 😉

Hello World !

My name is Abdel Kander, welcome to my Blog.

With a lot of experience in the B2B Software industry across multiple countries, I think I have made more mistakes and learned more tricks than the regular dose my age calls for. This website is a place for me to share some ideas, experience and nonsense instead of posting them on LinkedIn.

Stay tuned for more...