Archive for the ‘Business’ Category
This is part 3 of my travel blog on my current business trip to Bangalore, India. The two previous parts are here and here. In this article I want to talk about the various communications challenges we have in working with globally dispersed teams and in particular with the one here in Bangalore.
The main purpose of my visit to Bangalore has been to enhance communications: to meet all the people I regularly talk to on the phone or exchange e-mails with. I’ve met several team members who have spent time in Vancouver already, so this has been my turn. Meeting face to face certainly provides the best medium for communications. Face to face is the most reliable mechanism, especially when you can discuss things over a period of time (in this case I had two weeks). But the trip to India is quite grueling and it’s a long way from home. So practically speaking we need other ways to enhance communications for the rest of the time. A key part of face to face visits is to learn who knows what, so in the future people know who to talk to.
One of the big reasons for this trip was to solve a number of lingering problems that just didn’t seem to be getting solved. We would think decisions were made and then a few status calls down the road they would resurface as open again. Generally it appeared communications between the various teams on this project were facing some serious challenges. Most of the discussion in this posting isn’t specific to these particular teams or to teams in India. The same issues could equally apply to teams in different cities in North America, or even sometimes teams on different floors of the same building. But since I’m writing this in Hong Kong airport on my return from Bangalore, some of the items might have an Indian flavor to them. I talked about some of these issues in my blog posting on the umbrella ceiling, which was to do with working remotely, but I think this topic deserves more discussion.
Roots of the Problem
I think the biggest root of this problem is one of two things: either people are trained that it’s best to be self-sufficient and try far too hard to solve things themselves rather than ask for help, or people just don’t realize that there is someone else who knows the answer that they can ask.
Another cause might be politics between different companies, when the teams work for different companies and there is some higher level interference because management wants things to look better than they really are. The paradox here is that if the team did ask for help, then things would be able to get better. By not asking for help, maybe you can create a short term perception of super-human ability, but this then just falls apart when the first milestone is missed.
Similar to the last paragraph, project time pressure also leads to a certain amount of bad decision making in this regard. Programmers under the gun will just work on their short term deliverables with all their effort and ignore e-mails, not read Wikis, etc. Doing this saves a bit of time in the day, but costs dearly if a key piece of information was communicated but not received.
Technology is Not the Answer
There are all sorts of great technologies to enhance communications. Video phones like Skype, all sorts of IM clients, very fancy telepresence setups, Wikis, blogs, etc. People are almost always connected these days to the Internet, so even with terrible time zone differences like between North America and India, communication can still be fairly immediate. But this all depends on people actually using the tools. A lot of times people see all these tools as a distraction and tend to avoid them.
The really hard problem here is how to disseminate important information that people will pay attention to. If there is too much information, then it’s just treated as spam and ignored. If there is too little then there are communication problems or people don’t bother checking for it. Add to this the problem that usually a new piece of information needs to be communicated three times in order to be absorbed.
Most Programmers are Introverts
Independent of where a programmer lives or works, whether it’s Canada, South America, India, Asia or where ever, there is a pretty good chance that programmer is an introvert. This usually means that the programmer almost has a physical repulsion to picking up a phone and calling someone. This usually means that the programmer is not going to arrange a telepresence session on their own initiative. This usually means the programmer won’t arrange a remote desktop session to work with someone to solve a problem.
Using e-Mail to Delay Communicating
E-Mail is often used as a way of delaying communications, especially when different time zones are involved. A good way to put off communications is to just send an e-mail. Often you won’t have to deal with the answer until tomorrow. It’s common to see a question e-mailed one day, then the next get a response asking for clarifications, then send the clarifications, then the next day get back an answer to the wrong question, then send further clarifications, etc, so that a simple question takes a week to get answered even though people are being fairly prompt with responding to e-mails.
E-mail is also a continuous interruption. Managing how and when you answer your e-mails can be a big productivity booster. Certainly turn off audible alerts when you receive e-mails and don’t let them ruin your concentration on your real job. Perhaps set aside specific time slots for answering e-mails.
Special Problems to India
People often list language as a problem when speaking to India. One thing to keep in mind is that India actually has 1,652 languages. Even in Bangalore where the common local language is Kannada, many people working in the high tech industry have migrated from other regions of India. This means that often the only language in common between team members in India is, in fact, English.
Development groups in India tend to be quite large. Often communication problems aren’t limited to overseas. Often you get worse problems communicating things just to the whole team at the India location or just connecting the right people together who in reality sit quite close together.
Of course there is the 13½ hour time zone difference, and then the fact that it’s such a long flight to get to India. Visiting has gotten easier over the years, but it can still be challenging for westerners.
Communications is always a challenge on any large project. As a project increases in size, the number of communication channels increases exponentially. Enabling effective communications on a large project can be helped by technology, but is really a people problem and has to be continuously managed.
And so concludes my blogs while on my Bangalore trip. Perhaps not a true travel blog, but I like to blog on the issues I’m dealing with and this trip provided some good topics. Anyway I’m back in Vancouver now and life returns to normal.
This is part 2 of my travel blog on this trip to Bangalore, India. Part 1 is located here. In the first part I mostly covered the logistics of getting here. Now for this part I’ll continue with some of my impressions and learnings from being here. I was hosted on a very interesting day trip to Mysore and I’ve gotten quite a bit of exposure to living with the time zone difference and dealing with Indian traffic.
I’m from Vancouver, Canada, which is in the Pacific (PST) time zone. Bangalore, India is on India Standard Time (IST). Basically IST is currently 13½ hours ahead of PST (in the summer during daylight saving time it’s only 12½ hours ahead). The reason for the ½ hour is that they didn’t want India to have two time zones, so they took the average instead of dividing the country into two zones. This time zone difference is a big headache when working with Indian teams.
When in Vancouver my complaint is that during the winter I have to get to the office at 7:00am for various conference calls. Here I have the reverse problem. Now I have to get back to my hotel room for an 8:30pm conference call with Vancouver. Restaurants all open for dinner at 7pm here, so sometimes this can be tight.
I think it’s generally less disruptive to life to get up earlier for these calls. I find it more disruptive having a big block of my evening consumed with them. Right now it doesn’t matter too much since I’m travelling and away from my family. But I’m pretty sure I would get some objections to being on conference calls each evening between 8:30 and 10pm. So I really appreciate my Indian colleagues taking the evening side so I can take the morning side, and I won’t complain so much in the future.
Agile Development and Indian Traffic
Traffic in India is very different from traffic in North America. Beyond the general busy-ness, a key difference is the variety of traffic on the road. It isn’t just cars and motorbikes (which can all maintain the same speed). In North America we get annoyed if a backhoe or cyclist is slowing down the flow of traffic. Here in India there are oxen towing carts, people pushing carts, horses, bicycles, tuk-tuks, overloaded slow moving trucks, vehicles that aren’t running properly, etc. Add to that cows and dogs deciding to randomly cross the street and lots of pedestrians crossing through the traffic. Generally it appears very chaotic where each vehicle moves ahead where it can, taking advantage of any open space there is. Everyone tries to flow around slow moving vehicles. Honking is very frequent to let people know you are there.
Out of all this apparent chaos, traffic does move and you do get to where you want to go. To some degree there are un-written rules and the behavior of other drivers is quite expected to the locals. But the locals still shake their heads at drivers going the wrong way down divided roads or suddenly changing direction.
Agile development in India has a tendency to operate a bit like Indian traffic. You generally have more people on a project, so things are a lot busier. All the teams are jostling ahead, moving into open spots where they can (perhaps taking an easier backlog item to move ahead on).
This tends to mean that teams are very good at removing obstacles and making progress. Generally making any progress is considered good. Where this runs into trouble is when things need to be synchronized. Getting a good stable build for integration testing is very difficult because each team keeps nudging ahead and when you fix one problem, another is introduced.
The way this is all controlled in traffic is via the strategic placement of speed humps. For instance if the road is divided, there are specific breaks in the divider where you are allowed to make a U-turn. But how do you do that into a continuous stream of oncoming traffic? Here they place a speed bump in the way of the oncoming traffic to slow it down and space it out, so that the people can merge in without having a head on collision. There aren’t many traffic lights here, but the strategic placement of obstacles seems to do the trick. The main downside of the speed humps is that they are rather severe and hard both on the people’s backs and on the car’s suspension.
Within the software development process you need to introduce the same sort of speed humps to control the flow of the project. This includes code review checkpoints, UI reviews, functional quality reviews and various other measures. Unless these measures have some teeth (like a fairly big triple speed hump), they will be ignored, but if they are enforced they do provide a good way to keep things synchronized. Indian project management is very focused on project metrics, so speed humps that affect the metrics get a lot of attention.
The most immediately noticeable difference between driving in India versus North America is all the honking. In North America honking is only used in extreme circumstances and people get irate (often leading to road rage) if they feel like they’ve been honked at unfairly. In India honking is a form of communication. There are subtle nuances as a quick tap of the horn is to let someone know you are there, a longer honk to say “watch out”. There are other forms of communication like flashing your lights (usually to mean move over so I can pass).
Similarly, Indian development teams tend to be larger and there tends to be much more communication. Most of this is in the form of spirited discussions in the team areas. All this communication is good and I think we need more of this in North America. But beware: like the communication between cars in traffic, there are many local cues that non-Indians will not pick up on. One common reason for miscommunication is the Indian head nod, which is explained here. Remember that when you are having a conference call from North America you can’t pick up on all the body language that is going on, and you could be missing an important aspect of the communication. For this reason in-person communication works better, or consider using telepresence so you can pick up on these aspects.
This concludes part 2 of my coverage of my trip to Bangalore. Certainly it’s been an interesting trip so far and I’m picking up lots of insights in how things work.
I’m currently travelling to Bangalore, India to visit a large number of off-shore team members we work with on our projects. So for something different, I thought I’d try travel-blogging. I’ll be writing this blog as I go along and then periodically post my progress. This is my second trip to India; I visited Chennai back in 2008 for ten days.
Sage is partnered with several Indian companies to provide extra capacity for our projects. For this trip I’m visiting Sonata which has teams participating in several important Sage projects. I blogged previously on accelerating projects, which was really talking about our adding capacity through additional teams at Sonata. It’s great to have extra capacity and the ability to get more done, but it’s also a big challenge keeping all the teams moving in the same direction and continuously removing roadblocks and bottlenecks. Our goal is to treat the Sonata teams as if they were regular Sage agile teams with full access to all Sage resources like source control and other internal systems. To make this process work many Sonata folk visit our Richmond office and we have several staff visiting Bangalore. This is my turn.
Indian Visa Process
To back up a bit, travelling to India is a bit more difficult than other places due to the visa process. To do this I needed letters from Sage and from Sonata giving my reasons for travel and stating that I’m still being paid by a Canadian company. Then you need to fill out an extremely long on-line visa application that includes detailed questions on yourself, your spouse and your parents. Gathering all the data for this form took several days, and when you save this form, it is quite buggy retrieving what you had before, so you need to check it closely. You also need a US sized passport photo and a Canadian passport with 1 year left (since I wanted a 1 year multi-entry visa). With all this you make an appointment with the company (BLS) that processes the visas. The earliest I could book was 1 week later. Then you show up for your appointment and they double check all your papers and take the rather large fee ($200). They take all this as well as your passport and promise to process it in 7 business days. Basically at this point they give it all to the Indian consulate for processing. Fortunately this all went fine and 5 days later their website said my passport was ready for pickup. Generally, of all the countries I’ve visited, this is by far the hardest visa process.
If you don’t travel much, you should go to a travel clinic to get the right shots when visiting India. I travel quite a bit and all my shots are up to date. The first time I went to India, I needed to get 5 injections. I do recommend taking something like Dukoral since I’ve never had any tummy troubles when I’ve taken this ahead of a trip. Malaria pills may or may not be required depending on where you are going.
It’s a Long Way
I travelled to Bangalore via Hong Kong. It’s a 14 hour flight to Hong Kong and then a 6 hour flight on to Bangalore. Generally the best way to endure a long flight is to sleep through it. The Hong Kong flight left at 2:30pm, so I wasn’t sleepy until near the end. By the time I was on the Bangalore flight I was so tired I slept through most of the flight. For some reason all international flights in and out of Bangalore arrive and leave between midnight and 4am. When you arrive you don’t really care what time it is, you just want to get to the hotel and sleep, so make sure you book for a day earlier, so you don’t need to then wait till 2pm to check in.
Managing in Bangalore
Some Indian cities can be quite hard to navigate. But Bangalore is fairly easy. You do need to know how to cross the streets (i.e. make eye contact and walk slowly across the traffic, which will flow around you). If you are worried about having to eat lots of extremely hot Indian food, then don’t worry, there are many good restaurants from other cultures like Italian or Mexican. Plus generally I don’t find the Indian food that hot here (perhaps it’s toned down for the tourists). I find the level of English is quite good and haven’t had any problems communicating.
Getting directions and finding your way around isn’t that hard and the area around my hotel (in the downtown old part of the city) seems quite safe. There are quite a few parks around and you can see quite a bit just walking around.
The office is 10km away and parts of the journey can be quite congested, but I find the traffic here to be better than in Chennai, Bangkok or Ho Chi Minh City. They are building a new elevated metro system which is causing quite a bit of road disruption along the way, but they seem to keep traffic flowing.
The office building is located in the Global Village Tech Park outside the city. There are quite a few tech companies located here including Sonata, MindTree, Accenture, HP and Texas Instruments. The office environment I’m at is quite nice. The building is modern and the work environment is quite pleasant. It uses an open office concept and provides a nice productive team environment.
Since this is India, the company parking is quite different than what you would expect in North America. To maneuver quickly through traffic, two wheels is the way to go. If everyone using motorbikes were to switch to cars it would be total gridlock here.
This ends part 1 of my travel to India. I’m now here and settled in. Getting here is half the battle, now it’s time to get some productive work done.
If you were able to attend the Sage 300 ERP roadmap sessions at Sage Summit you would have heard that the next major release of Sage 300 ERP (named 2016 but released in 2015) will be dropping support for Pervasive.SQL and Oracle as database servers. This means the only supported database will be Microsoft SQL Server, although we will support several versions of SQL Server along with the Azure SQL flavor.
The intent of this article is to help make sure everyone has plenty of advance warning about this change, to help explain the rationale behind this decision, and to help people formulate a migration plan if you aren’t already running SQL Server.
The first Windows version of Sage 300 ERP (then called CA-Accpac/2000) was released supporting one database, which was good old Btrieve 6.15. We all have fond memories of those days when the world was much simpler; we just needed a simple robust database manager without any other real concerns. At that time we had a good bundling deal with Btrieve so we could include a database engine with every System Manager. At that time Btrieve was owned by Novell. At that point in time Btrieve was a good low cost database manager that supported transactioning, it was used by many ERPs, and it was relatively easy to install and administer. Novell sold Btrieve back to its original developers, that evolved into Pervasive.SQL, and last year that was acquired by Actian.
Pervasive.SQL still has the same qualities that Btrieve 6.15 had, but it hasn’t really kept up with its competitors. SQL Server now has a free edition and Microsoft is much more favorable to doing bundling deals. Plus there are now many better low cost database alternatives such as SQLite and MySQL.
Over the past years the higher end databases have become much easier to install and manage. Long gone are all the configurable parameters that would plague SQL Server installations (i.e. the defaults now work for most cases). So now Pervasive.SQL isn’t any easier to use than the alternatives.
Anyway Btrieve was the first database that Sage 300 ERP supported, and I think a lot of people have fond memories of Btrieve, but today it doesn’t seem to have a place anymore.
A lot of Sage 300 ERP installations require integrations to many other products, and nearly none of these support Pervasive.SQL. Hence if you want integration with BI tools, or other ERP related software, you are almost always forced to use SQL Server anyway. In the early days of Sage 300, SQL Server was very expensive and most products supported Btrieve as a low cost alternative, but today the need for that has disappeared and we are one of the last vendors to still be supporting Pervasive.SQL.
We’ve had Oracle support for a while now. However the sales numbers have never really justified the resources required to support this platform. Oracle tends to be the database of choice for larger companies that tend to be bigger than Sage 300’s target market. We’ve made a few government and large company sales because we support Oracle, but generally these customers would have been as well served by SQL Server.
Our perspective is that the demand for Oracle has waned and that they are really pursuing larger and larger companies and moving further and further away from our market segment.
Multiple Product Integrations
Most Sage 300 ERP sites these days involve multiple products working together, such as Sage CRM and Sage HRMS. Generally people only want to work with one database system, and the common one across the various products is SQL Server. Most products support a choice of databases; for example Sage CRM supports Oracle and SQL Server, and Sage HRMS supports FoxPro and SQL Server. Getting a more uniform experience across all these products really only works well if you choose SQL Server. It’s generally nicer to have just one set of database operations for things like backup.
Further when you start to use more advanced cross product reporting tools, these can only do their job if all the products are based on the same database engine (so that SQL joins can work properly, etc.).
The Sage 300 ERP architecture is still the same and supports multiple databases; whether we support another database than SQL Server in the future will depend on the future of the database market. It might be that a lighter weight SQL engine like SQLite is best, or one of the new NoSQL databases that are becoming popular like HBase or MongoDB. Certainly the NoSQL databases support capabilities that SQL Server can only dream of. Similarly, products like SQLite also run on all the mobile and alternative operating systems, opening up all sorts of other possibilities. Chances are these will be introduced in a hybrid manner combined with SQL Server rather than as solutions that handle 100% of our system’s needs.
For the short term we will be concentrating on SQL Server, which means we can use some features that are more specific to SQL Server. However, one of our keys to success has been sticking to the core SQL engine functionality, which is why we work fine with SQL Express and Azure SQL (unlike a number of competitors). So we will be careful to ensure anything we do doesn’t break our database independence or our flexibility in supporting all flavors of SQL Server.
Moving to SQL
If you are running an unsupported database and want to move to Sage 300 ERP 2016 then you will need to convert the database. To convert from an unsupported database like Pervasive.SQL, DB2 or Oracle, you need to run Database Dump on your databases, create SQL databases for these in SQL Management Studio, create the entries in Database Setup and then run Database Load. Make sure that you update and test your backup/restore and disaster recovery plans to ensure that you are still protected.
The conversion must be done before upgrading, since the 2016 version doesn’t include the unsupported database drivers and can’t access these databases and hence can’t do a Database Dump on them.
If you leave Pervasive, DB2 or Oracle databases in Database Setup then these won’t show up in any sign on dialogs. We’ve changed the message shown when you run the desktop, so that if you don’t have any databases because they are unsupported, it explains why this is the case and lets you run Database Setup.
If you don’t want to switch to SQL Server, it just means the last version you can upgrade to is Sage 300 ERP 2014. This will be supported for its normal lifecycle. When it goes out of support, of course your software will still operate, but you won’t be able to get any new Service Packs or Hotfixes. This should present a quite large window on when to switch. These days nearly all new sales are SQL Server, the number of SQL installs is the largest share, and of course everyone already running SQL Server won’t be affected.
The database world is changing and Sage 300 ERP needs to change with it. That’s why we are making these changes. We hope that converting your Pervasive or Oracle databases to SQL Server won’t be too painful and that you will get quite a few long term benefits from this move.
I’m just back from Sage Summit 2014, which was held at the Mandalay Bay Resort/Hotel in Las Vegas, Nevada. There were over 5200 attendees at the show, a new record for Sage. The Mandalay Bay is a huge complex and I racked up a record number of steps for GCC getting from one place to another. Las Vegas is easy to get to for most people since there are a lot of direct flights from around North America, and you can find really cheap hotel accommodation near to the conference (like $29 at the Excalibur, which is connected to Mandalay Bay by a free tram). The only downside to having the conference in Vegas is that smoking is still allowed in many public places, which is really annoying.
The conference had a great many guest speakers including quite a few celebrities like Magic Johnson and Jessica Alba. The convention trade show wasn’t just booths, there were also open speaking theatres that always had something interesting going on as well as the Sage Innovation Lab Exhibit.
There were a great many product breakout sessions as well as a large number of breakout sessions on general business and technology topics. The intent was to make Sage Summit a place to come to for a lot more than just learning new technical details about your Sage product, or promoting new add-ons for you to purchase. A lot of customers attending the show told me that it was these general sessions on accounting, marketing and technology that they found the most useful.
The show was huge and this blog post just covers a few areas that I was directly involved in or attended.
Great General Sessions
Besides the mandatory Sage keynotes, there were quite a few general sessions which were quite amazing. My favorite was Brad Smith’s interview with Biz Stone the co-founder of Twitter and Jelly. Biz certainly provides a lot of interesting context to Web startups, as well as a lot of interesting stories of why he left Google and chose the path he chose. It was certainly interesting in the way a lot of the successful founders left very secure lucrative careers to really struggle for years to get their dreams off the ground. A common theme was the need for persistence so you could survive long enough to eventually get that big break. Another common theme was to follow people and ideas rather than companies and money. Now I’m going to have to read Biz’s book: “Things a Little Bird Told Me: Confessions of the Creative Mind”.
Another very popular session was the panel discussion with Magic Johnson, CEO of Magic Johnson Enterprises, Jessica Alba, co-founder of the Honest Company, and J. Carrey Smith, CEO of Big Ass Solutions. This discussion concentrated on their current businesses and didn’t delve into the celebrity pasts for which at least two panelists are rather well known. There were a lot of good business tips given and it was interesting to see how Magic Johnson and Jessica Alba have adapted what they did before to becoming quite successful CEOs.
Sage’s Technology Vision
A lot of Sage’s technology and product presentations were about our mobile and cloud technology vision. The theme was to aggressively move into these areas with purposeful innovation that still protects the investment that our customers have in our current technologies. At the heart of this vision is the Sage Data Cloud. This acts as a hub which mobile solutions can connect to, as well as a way that data can be accessed in our existing products whether in the cloud or installed on premise. Below is the architectural block diagram showing the main components of this.
This is perhaps a bit theoretical, but we already have products in the market that are filling in key components of this vision. Some of these are included in the next diagram.
We use the term “hybrid cloud” quite a bit; this indicates that you can have some of your data on premise and some of your data in the cloud. There are quite a few use cases that people desire. Not everyone is sold on trusting all their data to a cloud vendor for safe keeping. In some industries and countries there are tight regulatory controls on where your data can legally be located. The Hybrid Cloud box in the diagram includes Sage 50 ERP (US and Canadian), Sage 100 ERP and Sage 300 ERP.
To effectively operate mobile and web solutions, you do need to have your data available 24×7 with a very high degree of uptime and a very high degree of security. Most small or mid-sized business customers cannot afford sufficient IT resources to maintain this for their own data center. One solution to this problem is to synchronize a subset of your on premise ERP/CRM data to the Sage Data Cloud and then have your mobile solutions accessing this. Then it becomes Sage’s responsibility to maintain the uptime, 24×7 support and apply all the necessary security procedures to keep the data safe.
Another attraction for ISVs is to integrate their product with the Sage Data Cloud and then let the Sage Data Cloud handle all the details of integrating with the many Sage ERP products. This way they only need to write one integration rather than separate integrations for Sage 50 ERP, Sage 100 ERP, Sage 300 ERP, Sage 300 CRE, etc.
We had a lot of coverage of the Sage 300 Online offering which has been live for a while now. This was introduced last Summit and now offers Sage 300 ERP customers the choice of installing on premise or running in the Azure cloud. Running in the cloud saves you having to back up your data, perform updates or maintain servers or operating systems. This way you can just run Sage 300 and let Sage handle the details. Of course you can get a copy of your data anytime you want and even move between on premise and the cloud.
The Sage Innovation Lab
On the trade show floor we had a special section for the Sage Innovation Lab. Here you could play with Google Glass, Pebble Watches, 3D Printers and all sorts of neat toys to see some prototypes and experiments that Sage is working on with these. We don’t know if these will all be productized, but it’s cool to get a feel for what the future might look like.
This really was Sage Summit re-imagined. There were a great many sessions, keynotes and demonstrations on all sorts of topics of interest to businesses. This should be taken even further for next year’s Sage Summit which will be in New Orleans, LA on July 27-30, 2015. Does anyone else remember all those great CA-World’s in New Orleans back in the 90s?
With Apple’s WWDC conference just wrapping up, I thought it might be a good time to meditate on a few of the current trends in the mobile world. I think the patent wars are sorting themselves out as Google and Apple settle and we are seeing a lot more competitive copying. Apple added a lot of features that competitors have had for a while as well as adding a few innovations unique to Apple.
The competitive fervor being shown in both the Google and Apple mobile camps is impressive and making it very hard for any other system to keep up.
Apple has had iCloud for a while now, but with this version we are really seeing Apple leverage it. When Google introduced the Chromebook they used this video to show the power of keeping things in the Web. This idea has been copied somewhat by Microsoft. Now Apple has taken it to the next level by letting you continue from device to device seamlessly, so you can start an e-mail on your phone and then keep working on it on your MacBook. No more e-mailing things to yourself; it all just works.
Apple also copied some ideas from Google Drive and DropBox to allow copying files across non-Apple devices like Windows as well as sharing documents between applications. So now this is all a bit more seamless. It’s amazing how much free cloud storage you can get by having Google, Microsoft, Apple and Dropbox accounts.
This is just the beginning, as companies figure out neat things they can do once your data is in the cloud. If you are worried about privacy or the NSA reading your documents, you might try a different solution, but for many things the convenience outweighs the worries. Perhaps a bigger worry than the FBI or NSA is how advertisers will be allowed to use all this data to target you. Apple has added some features that really enable mobile advertising; whether these become too intrusive and annoying remains to be seen.
Copying is the Best Compliment
Apple has also copied quite a few ideas from Google, Blackberry and Microsoft into the new iOS. There is a lot more use of transparency (like that introduced in Windows Vista). There is now a customizable and predictive keyboard, adding ideas from Blackberry and Microsoft. Keyboard entry has been one of Apple's weaknesses, and it is trying to address that. Similarly, iCloud Drive is rather late to the game.
Apps versus the Web
There is a continuing battle between native applications and web applications for accessing web sites. People often complain that the native mobile application only gives them a subset of what is available on the full web site, but then on the other hand the consensus is that the native mobile apps give a much better experience.
True web applications give a unified experience across all devices and give the same functionality and the same interaction models. This is also easier for developers since you only need to develop once.
However Apple is having a lot of success with apps. Generally people seem to find things easier in the Apple App store than in browsing and bookmarking the web. Apple claims that over half of mobile Internet traffic is through iOS apps now (but I’m not sure if this is skewed by streaming video apps like Netflix that use a disproportionate amount of bandwidth).
Yet another Programming Language
Rather than going down the road of Java and C#, Apple's new Swift language tries to incorporate the ease of use of scripting languages while still giving you full control over the iOS API. How this works out remains to be seen, but it will be interesting if it makes iPhones and iPads really easy to program, similar to the early PCs back in the Basic days.
The Internet of Things
Apple introduced two new initiatives, Health Kit and Home Kit. Health Kit is mostly about attaching medical sensing devices to your iPhone, whereas Home Kit extends iOS to devices around the home so you can control them all from your iPhone.
The Health Kit is designed to centralize all your health related information in one central place. There is getting to be quite a catalog of sensors and apps to continuously track your location, speed, heart rate, pulse, blood pressure, etc. If you are an athlete, this is great information on your fitness level and how you are doing. Garmin really pioneered this with their GPS watches with attached heart rate monitors. I have a Garmin watch and it provides a tremendous amount of information when I run or cycle. I don’t think this is much use for the iPhone, which I always leave behind since I don’t want to risk it getting wet, but this might really take off if Apple really releases a smart watch this fall like all the rumors say.
Home Kit is a bit of a reaction to Google buying Nest, the intelligent thermostat. Basically you can control all your household items from your phone, so you can warm up the house as you are driving home, or turn all the lights on and off remotely. We have a cottage with in-floor heating; it would be nice if we could remotely tell the house to start heating up in the winter a few hours before we arrive, since right now it's a bit cold when we first get there and turn on the heat. However with zoned heating we would need four thermostats, and at $250 each this is excessively expensive. I think the price of these devices has to come down quite a bit to create real adoption.
There is a lot of concern about these devices being hacked or interfered with, but if the vendors get the security and privacy right, then these are really handy things to have.
Apple has introduced some quite intriguing new directions. Can Swift become the Basic programming language for mobile devices? Will Health Kit and Home Kit usher in a wave of wonderful new intelligent devices? Will all the refinements in iOS really give users an even better mobile experience? Will native apps continue to displace web sites, or will web sites re-emerge as the dominant on-line experience? Lots of questions to be answered over the next few months, but it should be fun playing with all these new toys.
With the recent Heartbleed vulnerability in the OpenSSL library a lot of attention has been focused on how vulnerable our computer systems have become to data theft. With so much data travelling over the Internet and over wireless networks, this has brought home the importance of how secure these systems are. With the general direction towards an Internet of Things, all our devices, whether our fridge or our car, become potential targets for attackers.
I’ll talk about Heartbleed a bit later, but first perhaps a bit of history with my experiences with secure computing environments.
My last co-op work term was at DRDC Atlantic in Dartmouth, Nova Scotia. In order to maintain security they had a special mainframe for handling classified data and to perform classified processing. This computer was located inside a bank vault along with all its disk drives and tape units. It was only turned on after the door was sealed and it was completely cut off from the outside world. Technicians were responsible for monitoring the vault from the outside to ensure that there was absolutely no leakage of RF radiation when classified processing was in progress.
After graduation from University my first job was with Epic Data. One of the projects I worked on was a security system for a General Dynamics fighter aircraft design facility. This entire building was built as a giant Faraday cage. The entrances weren't sealed, but you had to travel through a twisty corridor to enter the building, so that there was no straight line along which radio waves could pass out. Surrounding the building was a large protected parking lot where only authorized cars were allowed in.
Generally these facilities didn't believe you could secure connections with the outside world. If such a connection existed, no matter how good the encryption and security measures, an attacker could penetrate it. The attackers they were worried about weren't just bored teenagers living in their parents' basements, but well trained and well financed hackers working for foreign governments, something like the Russian or Chinese version of the NSA.
Van Eck Phreaking
A lot of attention goes to securing Internet connections. But historically data has been stolen through other means. Van Eck phreaking is a technique for capturing the RF emissions from a CRT or LCD monitor (or the cable feeding it) and reconstructing the image from that radiation. Using this sort of technique, a van parked on the street with sensitive antenna equipment can reconstruct what is being viewed on your monitor, even though you are using a wired connection from your computer to the monitor. In this case how up to date your software is or how strong your cryptography is just doesn't matter.
Everything is Wireless
It seems that every now and then politicians forget that cell phones are really just radios and that anyone with the right sort of radio receiver can listen in. This seems to lead to a scandal in BC politics every couple of years. This is really just a reminder that unless something is specifically marked as using some sort of secure connection or cryptography, it probably doesn’t. And then if it doesn’t anyone can listen in.
It might seem that most communications are secure nowadays. Even Google search now always uses https, an encrypted channel that keeps your search terms a secret between yourself and Google (though not the fact that you are talking to Google, since the server name and the traffic pattern are still visible to anyone on the path).
But think about all the other communication channels going on. If you use a wireless mouse or a wireless keyboard, these are really just short range radios. Is that communication encrypted and secure? Similarly, if you use a wireless monitor, it's even easier to eavesdrop on than with Van Eck.
What about your Wi-Fi network? Is that secure? Or is all non-https traffic on it easy to eavesdrop on? People are getting better and better at breaking into Wi-Fi networks: WEP has been broken for years, and WPA2 with a short or dictionary passphrase can be cracked offline from a captured handshake.
In your car, if you are using your cell phone via Bluetooth, is this another place where eavesdropping can occur?
Heartbleed is an interesting bug in the OpenSSL library that has caused a lot of concern recently. The following XKCD cartoon gives a good explanation of how a bug in validating an input parameter leaked a lot of data to anyone on the Internet.
At the first level, any program that receives input from untrusted sources (i.e. random people out on the Internet) should very carefully and thoroughly validate that input. The TLS heartbeat message lets the client send a payload and a length field, and asks the server to echo the payload back. The server trusted the length field: if you claimed a length much longer than the payload you actually sent, it copied that many bytes from memory into the reply, leaking whatever happened to be adjacent in the process (up to 64 KB per request).
At the second level, this is an API design flaw: there should never have been a function whose parameters could be abused this way.
At the third level, what allowed this to go so badly wrong is a performance optimization in the OpenSSL library that recycled its own buffers rather than going through the system allocator. Without it, tools such as malloc hardening or guard pages would have stood a much better chance of turning the over-read into a crash. A crash would have been bad, but it would have been easy to detect and wouldn't have leaked any data; at worst it would have allowed some short lived denial of service attacks.
Mostly exploiting this hole just returns a bunch of random garbage to the attacker. The trick is to automate the attack and repeat it thousands of times until by fluke something valuable turns up, perhaps a private key or perhaps a password.
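The over-read described above, reduced to its essentials as an added example (this is illustrative code written for this page, not OpenSSL's source). It models the RFC 6520 heartbeat message, a handler that trusts the length field, and the hardened handler that first checks the claimed payload against the number of bytes actually received. The `arena` buffer, the `secret` string and the `demo_*` functions are constructed for the demonstration: the secret is placed after the record to stand in for whatever else happened to be adjacent in the heap, and the malicious request claims 128 bytes so that the over-read stays inside the arena, whereas real OpenSSL would read up to 64 KiB.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added illustration of the Heartbleed bug class, not OpenSSL's code.
 * RFC 6520 heartbeat message: 1-byte type, 2-byte big-endian payload_length,
 * the payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for the process heap: the received record sits at the
 * front and the bytes after it play the role of whatever else was adjacent. */
#define ARENA_SIZE 256
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "SECRET-PRIVATE-KEY-MATERIAL";   /* constructed */

/* Build a request whose header claims `claimed_len` payload bytes but which
 * actually carries a 2-byte payload. Returns the true received length (21). */
static size_t build_record(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    uint8_t *p = arena;
    *p++ = HB_REQUEST;
    *p++ = (uint8_t)(claimed_len >> 8);
    *p++ = (uint8_t)(claimed_len & 0xff);
    memcpy(p, "hi", 2);                   /* the only real payload bytes */
    p += 2 + HB_PADDING;                  /* padding left as zeros */
    size_t rec_len = (size_t)(p - arena);
    memcpy(arena + rec_len + 8, secret, sizeof secret);  /* "adjacent" memory */
    return rec_len;
}

/* Echo `payload` bytes from `pl` into a correctly sized response. The response
 * buffer is fine in both handlers; the defect is in how much gets read. */
static int build_response(const uint8_t *pl, uint16_t payload,
                          uint8_t *out, size_t out_cap) {
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    uint8_t *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, pl, payload);              /* over-reads if payload > received */
    memset(bp + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Vulnerable shape: the length field is taken on trust; rec_len is ignored. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap) {
    (void)rec_len;                        /* the bug: never consulted */
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST) return -1;
    return build_response(p, payload, out, out_cap);
}

/* Fixed shape: reject records too short to hold a header, then reject any
 * claimed payload that does not fit inside what was actually received. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST) return -1;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* the fix */
    return build_response(p, payload, out, out_cap);
}

static int contains_secret(const uint8_t *buf, size_t len) {
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, secret, n) == 0) return 1;
    return 0;
}

/* Malicious request claiming 128 bytes: returns 1 if the secret came back. */
int demo_vulnerable_leaks(void) {
    uint8_t out[ARENA_SIZE + 32];
    size_t rec_len = build_record(128);
    int n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    return n > 0 && contains_secret(out, (size_t)n);
}

/* Same malicious request against the fixed handler: returns -1 (rejected). */
int demo_fixed_rejects(void) {
    uint8_t out[ARENA_SIZE + 32];
    size_t rec_len = build_record(128);
    return heartbeat_fixed(arena, rec_len, out, sizeof out);
}

/* Honest request (claims exactly 2 bytes) is still answered: returns 21. */
int demo_fixed_answers_honest(void) {
    uint8_t out[ARENA_SIZE + 32];
    size_t rec_len = build_record(2);
    int n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    return (n == 1 + 2 + 2 + HB_PADDING && memcmp(out + 3, "hi", 2) == 0) ? n : -1;
}
```

The point to take from the two handlers is how small the difference is: one comparison of the attacker-supplied length against the record length actually received. Every other line, including the correctly sized response buffer, is identical, which is why neither a code review focused on the allocation nor a fuzzer that only watched for crashes was likely to notice the read going past the end of the input.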
The open source community makes the claim that open source code is safer because anyone can review the source code and find bugs. So people are invited to do this to OpenSSL. I think Heartbleed shows that security researchers became complacent and weren't examining this code closely enough.
The code that caused the bug was checked in by a trusted coder, and was code reviewed by someone knowledgeable. Mistakes happen, but for something like this, perhaps there was a bit too much trust. I think it was an honest mistake and not deliberate sabotage by hackers or the NSA. The source code change logs give a pretty good audit of what happened and why.
Should I Panic?
In spite of what some reporters are saying, this isn't the worst security problem that has surfaced. The holy grail for hackers is a way to root computers (take them over with full administrator privileges). This attack only has a small chance of providing something that helps along that way, and isn't a full exploit in its own right. Bugs in Java, IE, SQL Server and Flash have all allowed hackers to take over people's computers; some required nothing else, some just required tricking the user into browsing to a bad web site. Similarly, e-mail and flash drive viruses have caused far more havoc than this particular problem. Another ongoing security weakness comes from government regulations restricting the strength of encryption or forcing the disclosure of keys; these measures do little to help the government, but they really make the lives of hackers easier. I also think that e-mail borne viruses have wreaked much more havoc than Heartbleed is likely to. But I suspect the biggest source of identity theft is data recovered from stolen laptops and other devices.
Another aspect is the idea that we should be like gazelles and rely on the herd to protect us. If we are in a herd of 100 and a lion comes along to eat one of us, then there is only a 1/100 chance that it will be me.
This attack does highlight the importance of some good security practices, such as changing important passwords regularly (every few months) and using sufficiently complex or long passwords. In Heartbleed's case, change a password only after the site has patched and replaced its certificate: a new password sent to a still-vulnerable server can leak in exactly the same way as the old one.
All that being said, nearly every website makes you sign in. For web sites that I don't care about I just use a simple password, and if someone discovers it, I don't really care. For other sites like personal banking I take much more care. For sites like Facebook I take medium care. Generally, don't provide accurate personal information to sites that don't need it: if they insist on your birthday, enter it a few days off; if they want a phone number, make one up. That way if the site is compromised they just get a bunch of inaccurate data on you. Most sites ask way too many things. Resist answering these, or answer them inaccurately. Also avoid overly nosy surveys; they may be private and anonymous, until they are hacked.
The good thing about this bug seems to be that it was discovered and fixed mostly before it could be exploited. I haven't seen real cases of damage being done. Some sites (like the Canadian Revenue Services) are trying to blame Heartbleed for unrelated security lapses.
Generally the problems that you hear about are the ones that you don't need to worry so much about. But again it is a safe practice to use this as a reminder to change your passwords and minimize the amount of personally identifiable data out there. After all, dealing with things like identity theft can be pretty annoying. And this also helps with the problems that the black hat hackers know about and are using, but that haven't been discovered yet.
You always need to be vigilant about security. However it doesn’t help to be overly paranoid. Follow good on-line practices and you should be fine. The diversity of computer systems out there helps, not all are affected and those that are, are good about notifying those that have been affected. Generally a little paranoia and good sense can go a long way on-line.