July 24, 2008

Software piracy and the price of software

As an Open Source person, it's been years since I've installed proprietary closed source software. I use Ubuntu and I reckon that the type of license, GPL, MPL, LPL is probably more important than the software itself - assuming of course that it meets your requirements for functionality and reliability.

I started thinking about licensing again after reading the 2007 "FIFTH ANNUAL BSA AND IDC GLOBAL SOFTWARE PIRACY STUDY" - you can download it from the BSA Web site.

I would not take the numbers IDC and BSA bring at face value. The IDC/BSA estimates are guesses multiplied several times. They start off by assuming that each unit of copied software represents a direct loss of sale for the software vendor - patently a false assertion.

If it were true, then the demand for software would be independent of price and perfectly inelastic.

A drop in price usually results in an increase in the quantity demanded by consumers. That's called price elasticity of demand. The demand for a product becomes inelastic when the demand doesn't change with price. A product with no competing alternative is generally inelastic. Demand for a unique antibiotic, for example, is highly inelastic. A patient will pay any price to buy the only drug that will kill their infection.

If software demand were perfectly inelastic, then everyone would pay in order to avoid the BSA enforcement tax. The rate of software piracy would be 0. Since the piracy rate is non-zero, that proves that the original assertion is false. (Argument courtesy of Wikipedia.)

Back when I ran Bynet Software Systems - we were the first Microsoft Back Office/Windows NT distributor in Israel. I had just left Intel - where we had negotiated a deal with Microsoft that allowed every employee to make a copy of MS Office for home usage. Back in 1997 - after the Windows NT launch, the demand for NT was almost totally inelastic - "Not There", "Nice Try", "WNT is VMS + 1" etc. We could not give the stuff away in the first year. Customers were telling us that they would never leave Novell Netware. Never. But NT got better from release to release and the big Microsoft marketing machine got behind the product. After two years of struggle and selling retail boxes and MLP for NT, demand picked up. Realizing that there IS price elasticity of demand for software - Microsoft dropped retail packaging and moved to OEM licensing, initially distributing OEM licenses via their two tier distribution channel and later totally cutting out the channel and dealing directly with the computer vendors like HP, Dell and IBM for OEM licenses of NT, 2000, XP, 2003 etc. Vista continues with this marketing strategy and most Vista sales are not retail boxes but pre-installed hardware.

Microsoft (who are a major stakeholder in BSA) probably don't have a major piracy problem with Vista. Let's run some numbers. Microsoft Windows Vista sales are at about a 9 million unit/quarter run rate. Microsoft June 2008 quarterly revenue is $15.8 BN. Single unit OEM pricing for Vista is about $80 and in a volume deal - maybe $20. Let's assume an average of $50/OEM license. This means that Vista accounts for about 50*3*9/15800 = 8.5% of quarterly revenue.

The BSA 2007 Global Piracy Study states that the "median piracy rate in 2007 is down one percentage point from last year" - 1 percent of 8.5 percent is meaningless for Microsoft - in dollar terms, the BSA's work to reduce piracy is less meaningful than the 7 percent drop in the US Dollar this year.

Microsoft probably have a problem with their cash cow - Microsoft Office. Microsoft Office 2003 retails for $450 but is available in an academic license for less than $100. Open Office 2.4 runs just fine on Vista and retails for $0. At those prices, sizable numbers of users are just sliding down the elasticity curve - calling into serious question the IDC/BSA statistics on software piracy.

But there is more to software piracy than providing software at a reasonable price. In poor areas of the world - assuming that the BSA efforts at combating software piracy are successful - only the very rich would have access to applications like Microsoft Office. The middle and lower class people won't have the opportunity to become MS Office-literate because the prices would be too high. For that I only have three words - download Open Office - the free and open productivity suite.

July 22, 2008

How to get the truth in a risk assessment interview

The past 2 weeks I got way off my blogging schedule in between a home improvement project, a JP Big Band gig, babysitting grandchildren and .... work.

How to Get the Truth From Interviewees?

The Challenge: How to ask employees effective questions during a risk assessment.

You have the job of collecting data for a risk assessment in a client's business unit. You sit down with the security and compliance manager and schedule meetings with people in the unit. You figure you're going to be less than thrilled with the quality of information you receive and the employees may not be excited by your standard checklist questions. However, you know that whistleblowing is innate in all of us and it's worth trying to get to first base.

Drop the compliance checklist and use an attack modeling approach instead.

Explain the notion of valuable company assets, vulnerabilities, threats that exploit vulnerabilities and security countermeasures. It will take a few minutes and every employee I've ever met will grok the concept immediately. For starters - just ask 4 questions:

1. What is the most important asset in your job?
2. What do you think is the single biggest threat to that asset?
3. How do attackers cause damage to the asset?
4. If you could give the security and compliance manager a single suggestion, what would it be?

July 6, 2008

Data retention and compliance

I did a Google search on "data retention" compliance today and I got 225,000 hits. I noticed that there was a peak of interest in tying data retention policy to compliance and regulatory requirements in mid 2004, 2005 by vendors like Sun and Microsoft. Since then the activity has petered out.

Back in 2004-5 industry consultants were recommending projects to analyze data retention in light of legal and regulatory compliance requirements at a level of individual data elements.

Since data classification projects are so complex and expensive, most organizations have apparently decided to pass on the challenge.

Data retention and regulation is a challenge because of contradictory regulatory requirements and the quantity of data elements in the hundreds of databases that a typical organization owns. On one hand, industry regulation such as PCI DSS 1.1 and the UK Data Protection Act mandate not storing payment card data and limiting retention of customer data. On the other hand, anti-money laundering legislation mandates storing the money trail.

However - on a deeper level, it turns out that data retention is not the key issue for compliance.

If you're a merchant or processor of VISA / Mastercard credit cards, simply don't store credit card and magnetic stripe data - that's a pretty simple data retention policy.

If you're a banking institution and need to comply with anti-terror and anti-money laundering legislation, you will have 4 strategic objectives:
a. Know your customer, including the source of their wealth;
b. Cooperate with law enforcement and supervisory agencies;
c. Communicate anti-money laundering policies and procedures with employee training;
d. Perform continuous money laundering risk-assessment across the enterprise using Practical Threat Analysis.

NONE of these strategic objectives include data retention.

Since data retention is not a key issue - you'll be better off working on your strategic AML objectives.

June 29, 2008

Six rules for effective threat modeling

Unlike an ERP system, enterprise risk is not a deterministic business process that can be planned and managed.

A central task in risk management is estimating dollar value of risk.

This is indeed a tough problem; increasing numbers of security analysts from corporate security groups at companies like Cisco, Intel, Microsoft and Seagate, and groups of independent security and compliance analysts who participate in the Practical Threat Analysis Professional Forum and The Control Policy Group, are turning to practical threat analysis to help calculate risk in a premeditated way.

Threat modeling is based on the notion that any system or organization has assets of value worth protecting; these assets have certain vulnerabilities; internal or external threats exploit these vulnerabilities in order to cause damage to the assets; and appropriate countermeasures exist that mitigate the threats.

With threat modeling, you make future risk scenarios vivid, tangible, and measurable in dollar terms, countering the tendency to ignore threats and do nothing. Threat modeling gives you and your employees a practical language of assets, threats, vulnerabilities and countermeasures.

Here are 6 rules for effective threat modeling -

Continue reading "Six rules for effective threat modeling" »

June 25, 2008

Mitigating away all the risk is a guarantee for mediocrity

He who will not risk cannot win. John Paul Jones, 1791

This week, the Israeli business daily Globes reported that the recent fall in the shekel-dollar exchange rate has resulted in an increase in dollar terms in salaries of Israeli high-tech employees. Figures released by global business consulting firm Radford reveal that the salary earned by a software engineer in Israel is close to the customary salary in the US. The survey, which covered 550 companies in 80 countries, reveals that a software engineer in Israel earns a total of $68,000 a year. For the sake of comparison, a high-tech employee in the US earns a total of $76,000 a year, and a software engineer in Russia earns $17,993 a year. In countries in East Asia, the preferred location for outsourcing, the average salary is a quarter of what it is in Israel. Software engineers in China earn $19,457 a year, and in India they earn $14,240 a year. (Globes 23.06).

Reports I'm hearing from colleagues at the big technology employers like NDS and Comverse tell me that poor designs and low levels of software engineering expertise are runners-up to great lunches and high salaries.

There is a sense of entitlement among Israeli high-tech workers that comes from having enough disposable income, a reasonably interesting job and a fairly clueless boss who is even more interested than you in job security.

As a security and compliance professional - I can tell you that with enough security controls you can make the risk go away - if you're concerned about trusted insider theft - you can take away email and Web access and make your employees pledge allegiance 5 times a day like in Catch-22. There will be no threats of malware or data breaches but then again - that kind of setup will pretty much guarantee that your customers won't get service and your company won't set records for engineering excellence.

With high salaries and low creativity - Israel doesn't have a compelling value proposition compared with places like China and India.

Andy Grove once wrote - "a little fear in the work place is not necessarily a bad thing". Maybe the time has come to reduce salaries and place the emphasis on risk-taking, creativity and software excellence before the Chinese eat our business for lunch.

June 24, 2008

A common language of risk assessment

In his Survey of current thinking, Malcolm Sparrow talks about how various public and private organizations are beginning to respond to threats in a more domain specific manner instead of following general regulatory dictates - for example in crime problems, or environmental issues, occupational hazards, or patterns of drug-smuggling.

"What's odd, when you look at this new pattern of behavior, is that there does not seem to be a well-established language for it. Different professions have quite different vocabularies. In the police profession it's called 'problem-oriented policing.'"

I don't know why this seems odd to a university researcher whose past research has focused on regulatory practice - since regulatory compliance is responsible to a large degree for mindless risk management.

Why?

Compliance regulations provide general guidelines and checklists of risk controls that companies must implement. In the case of Sarbox, a general statement (section 404) has required interpretations which developed into a $100BN franchise for accounting firms and technology companies. When you use a big regulatory stick with an organization you send a message that improving risk understanding is a non-value-added activity, since the business objective is compliance and not understanding the root causes of why senior executives steal.

However all is not lost.

An excellent methodology exists for understanding the root cause of risk. The methodology is called threat modeling. Threat modeling is a mature methodology with implementations from Microsoft and groups like PTA (Practical Threat Analysis) Technologies.

In threat modeling exercises - analysts and business decision makers use a model of assets, vulnerabilities of assets, threats (that attack by exploiting vulnerabilities) and countermeasures (that mitigate threats). The beauty of threat modeling is that it is a common language that any person working in an organization can understand.
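The asset / vulnerability / threat / countermeasure language described here (and in the "Six rules for effective threat modeling" post above) is easiest to see when the dollar figures are actually worked. The following is an added example, not PTA Professional's model or code: it uses the standard expected-annual-loss reasoning (probability x damage fraction x asset value, countermeasure value = risk removed minus cost) and every asset, threat, probability and price in it is constructed for illustration.

```python
"""Quantitative threat model in dollar terms: assets, vulnerabilities, threats,
countermeasures, residual risk. Added illustrative example; not the PTA
algorithm. All names and numbers below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float  # dollar value of the asset to the organization


@dataclass
class Threat:
    name: str
    asset: str           # asset attacked
    vulnerability: str   # weakness the threat exploits
    probability: float   # estimated probability of occurring within a year
    damage: float        # fraction of the asset value lost if it occurs


@dataclass
class Countermeasure:
    name: str
    cost: float                                     # annualized cost
    mitigation: dict = field(default_factory=dict)  # threat name -> fraction of that risk removed


def annual_risk(threat: Threat, assets: dict) -> float:
    """Expected annual loss in dollars from one threat."""
    return threat.probability * threat.damage * assets[threat.asset].value


def total_risk(threats, assets) -> float:
    return sum(annual_risk(t, assets) for t in threats)


def risk_removed(cm: Countermeasure, threats, assets) -> float:
    """Dollars of annual risk this countermeasure removes when applied alone."""
    by_name = {t.name: t for t in threats}
    return sum(annual_risk(by_name[n], assets) * frac
               for n, frac in cm.mitigation.items() if n in by_name)


def rank_countermeasures(cms, threats, assets):
    """(net annual value, countermeasure) pairs, best first. Net value = risk removed - cost."""
    scored = [(risk_removed(cm, threats, assets) - cm.cost, cm) for cm in cms]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


def select_within_budget(cms, threats, assets, budget: float):
    """Greedy selection: take positively valued countermeasures in rank order while budget lasts."""
    chosen, spent = [], 0.0
    for net, cm in rank_countermeasures(cms, threats, assets):
        if net <= 0:
            break  # everything further down costs more than the risk it removes
        if spent + cm.cost <= budget:
            chosen.append(cm.name)
            spent += cm.cost
    return chosen, spent


def residual_risk(chosen_names, cms, threats, assets) -> float:
    """Risk left after the chosen countermeasures. Mitigations of the same threat
    compound multiplicatively: remaining fraction = product of (1 - fraction)."""
    chosen = [cm for cm in cms if cm.name in chosen_names]
    remaining = 0.0
    for t in threats:
        factor = 1.0
        for cm in chosen:
            factor *= 1.0 - cm.mitigation.get(t.name, 0.0)
        remaining += annual_risk(t, assets) * factor
    return remaining


# Constructed sample model (illustrative values only).
ASSETS = {a.name: a for a in [Asset("customer database", 2_000_000), Asset("order system", 500_000)]}
THREATS = [
    Threat("SQL injection dumps customer DB", "customer database", "unvalidated input", 0.2, 0.5),
    Threat("insider copies customer DB", "customer database", "broad read access", 0.1, 1.0),
    Threat("DDoS on order system", "order system", "single ingress point", 0.5, 0.1),
]
COUNTERMEASURES = [
    Countermeasure("parameterized queries and input validation", 30_000,
                   {"SQL injection dumps customer DB": 0.9}),
    Countermeasure("database access logging and alerting", 50_000,
                   {"insider copies customer DB": 0.5, "SQL injection dumps customer DB": 0.2}),
    Countermeasure("DDoS scrubbing service", 40_000, {"DDoS on order system": 0.8}),
]

if __name__ == "__main__":
    print("total annual risk: $%.0f" % total_risk(THREATS, ASSETS))
    for net, cm in rank_countermeasures(COUNTERMEASURES, THREATS, ASSETS):
        print("%-45s net value $%.0f" % (cm.name, net))
    chosen, spent = select_within_budget(COUNTERMEASURES, THREATS, ASSETS, 100_000)
    print("chosen:", chosen, "spent: $%.0f" % spent)
    print("residual annual risk: $%.0f" % residual_risk(chosen, COUNTERMEASURES, THREATS, ASSETS))
```

With the constructed numbers the model says the DDoS service costs more per year than the risk it removes, which is exactly the kind of conversation the common language is meant to enable: the decision maker argues about a probability or an asset value, not about whether security is worth doing.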

You can download the free risk assessment tool PTA Professional - we'd be happy to hear if you also think that threat modeling is a useful tool for risk assessment.

June 19, 2008

How my Cratoni helmet saved my life

Cratoni mountain bike helmet after crash.

This Sunday I went out for an easy 1 hour ride in the Ben Shemen forest not far from our home in Modiin. You don't have to get into the car, it's about a 15' ride to the entrance to the forest - and you then have an infinite variety of circuit trails, singles and cross-country rides of all levels of difficulty.

I chose a path I've ridden many times - from the entrance to the forest across from the Ligad office park into the Neot Kedumim Biblical Landscape Preserve and back. Coming back, down the first hill - I went up a small dirt ramp at the entrance to a path. The front wheel went up, I went over the ramp, flipped over in mid air and made a two point landing on my head and right shoulder.

It's one of those situations that happens in a split second - your brain registers that it is not going to end well, but it's too late. The next thing you know - you are flat on your side and picking dirt out of your ear, and looking for your glasses.

In my case, I got up and felt blood on my face and ear - I spent the next 15' looking for my glasses. Just as I found them - another rider came by and asked me if I was ok - to which I smiled and said - "of course not!". He gave me a Wet ones he had in his backpack from Turkish Airlines and I wiped down my face. We rode back to the exit from the forest together and I rode home. Oren from Kfar Oranim - you're a Good Samaritan man - thanks!

Got home, took a hot shower, soaped down the scrapes with antiseptic soap and iced the bruises. Went over to the doc in our local medical service (Kupat Holim Clalit). After a neurological exam and x ray he gave me a clean bill of health (no breaks, no concussions) and remarked that I was the third rider he'd seen that morning and by far the ugliest crash victim of the three.

I'm not going to post any pictures of myself after the crash - because this is a family blog and the pictures are too f-g scary.

I landed on my head, chipped a tooth, and 5 days later - still have a black eye and sore shoulder - my Cratoni Heli helmet saved my life.

To the good folks at the Cratoni factory in Germany - thank you.

June 18, 2008

Security vendors advertising - a threat to customers, a call for Truth in packaging

We have come here this evening to fulfill two obligations that we have to the American family. We are here to defend truth and we are here to avoid tragedy.

I asked a colleague recently about the hype so prevalent in the information security industry and he answered that by now - most of his IT manager clients either don't pay attention or discount the press releases and white papers.

Man - that's good news - because I find the entire FUD+PR person+Security Vendor triangle to be very problematic.

I personally would like to see Truth in packaging applied to Security technology in particular and ICT in general.

Almost 42 years ago - the Fair Packaging and Labeling Act (Truth in packaging) was signed by Lyndon Johnson. Quoting LBJ:

"This is a strong but simple law. It requires the manufacturer to tell the shopper clearly and understandably exactly what is in the package, who made it, how much it contains, how much it costs.

The housewife should not need a scale or a yardstick or a slide rule or computer when she shops. This law will eliminate that need. The housewife should not have to worry which is bigger--the full jumbo quart or the giant economy quart. This law will free her from that uncertainty and that problem. It will protect her from being shortchanged by slack filling where a box is made bigger than its contents.

This law is one weapon against high prices. It will mean that the American family will get full and fair value for every penny, dime, and dollar that that family spends."

Replace housewife with CEO and American family with business and you get my drift.

June 12, 2008

Cloud Computing: Is your data secure?

Don Dodge's post on Cloud Computing: Do You Really Want Your Data in the Cloud? has a great opening statement:

Reliability, scalability, security, and a host of other issues will prevent most businesses from moving their mission critical applications to hosted services or cloud based services. The risk of failure is too great.

Don Dodge is Director, Business Development at Microsoft. He handles Venture Capital relations and business development with start-up companies in the Boston area. His criticism of uptime problems at Amazon EC2, Typepad and Twitter is apparently ample proof for him that "most applications will not move to the Web".

I offer several points in rebuttal -

1) There are already a tremendous number of applications and data on the Web - from SaaS offerings like Salesforce.com and Google Apps to big professional hosting companies like Verio and Rackspace.com and smaller guys like John Companies. Customers like IT services in the cloud because IT is not their core business and the service levels and performance they can get in the cloud are worth every penny of management attention. There is so much complexity involved in IT operations and security in today's fast-moving threat environment that any business is best served by focusing its attention on its own sales and not on data security.

2) There is more involved than data availability in the cloud - there are critical customer service and IT operations issues as well.

The level of information security, network management, server engineering, data integrity, backup services, operations and customer service at a hosted service is far beyond what virtually any business can afford to provide. Software Associates (our company) are professional systems developers with high levels of expertise in Linux and security and last year we migrated all our messaging to Google Apps - simply because our time is better spent on the business and not on maintaining Spam Assassin.

3) Convenience trumps security except in a small number of cases. Mr Dodge, since he works for Microsoft, should know that consumers and most corporate business organizations prefer convenience to the headache of being on the bleeding edge of security.

4) A more subtle point is the ability of an organization to stay on top of customer data and IP protection issues if they run their own server farm. Unless I am mistaken - none of the security breach events in the past 5 years happened at managed service providers, SaaS operations or professional hosting companies. We're talking banks and large retail organizations here that constantly get stung by trusted insider attackers and malicious hackers.

There is actually a huge advantage in not storing your data in-house - the exposure to trusted insiders is almost nil.

5) Microsoft makes great software and has aspirations to become a SaaS application provider. Although disappointing for Microsoft, their lack of success in this space is not surprising because IT in the cloud requires an entirely different skill set than developing and marketing great client/server software.

Cloud computing is an important tool for collaboration in the global developer community - all the more reason to reject callow remarks on the future of cloud computing from a Microsoft executive.

June 10, 2008

Threat modeling for the pharmaceutical industry

This posting is dedicated to all those VCs who were traumatized by their IT security investments.

Here is an application of threat modeling in the pharmaceutical industry.

Not Web applications. Not network security.

There is a dearth of scientific method in estimates of worldwide economic damage due to counterfeiting ("7 percent of world trade" seems to be the extent of the mathematical model; as a result, the numbers range wildly from $10 billion/year to $600 billion/year). The OECD reports that the economic impact of counterfeiting on the pharmaceutical industry is USD 17 billion/year.

This level of threat damage always stimulates a big business in countermeasure technologies. There are hundreds of products and methods from RFID tagging to nano-particles that are being proposed as solutions (not even risk mitigation) to the threat of drug counterfeiting. Most of these technologies are not cost-effective and can be easily sidestepped (to make a fake product, a counterfeiter only has to make it look real - he doesn't have to do the original research, development and manufacturing process).

Not surprisingly, because of the public health implications (how many men die from fake Viagra or women die from fake silicone breast implants), regulators like the FDA are stepping in. California is setting the gold standard like they did with consumer privacy protection - this time with a bill that would require a drug "e-Pedigree".

The California e-Pedigree law (SB 1370) specifies pharmaceutical product serialization which “require the pedigree to contain the drug's unique identification number established at the point of drug manufacture.”

When used through the supply chain, the e-Pedigree will help track and trace product, identify counterfeiters and enable consumers to authenticate the products they buy at the point of sale.

It's impossible for me to estimate how much e-Pedigree will eventually cost (it only becomes mandatory in California in 2011) but it's pretty clear that with all the packaging and information technology it's going to be a pretty steep price for the drug supply chain.

Instead of trying to solve an impossible problem, I decided to model a subset of the e-Pedigree, i.e. the use of product serialization at the point of sale to the consumer in a pharmacy. My simple-minded threat model ignores supply chain integration and analyzes the risk associated with consumers self-authenticating a product.

The notion of having consumers call in a numeric token in order to authenticate a drug they purchased was first proposed by Johnston, a researcher at Los Alamos Laboratories. There are commercial implementations available from companies like Dintag, Algoril and Verify Brand. Dintag in particular appears to have the most complete implementation.

How does it work?

Pharmaceutical end user customers would be able to authenticate the validity of a random ID number printed on packages via a simple Web search query similar to the Google search page. Other channels might also be used - for example: sending a text message with a cell phone or making a phone call to an automated voice response service. Customers with cell phone cameras could send a picture of the label over the Web to the system, which would extract the ID number using OCR and return a text message to the consumer.

When used by consumers at the point of sale or at home, product serialization becomes a relatively low-cost, low-tech way to authenticate a product, since there is no supply chain integration required and the large number of consumer eyeballs calling in tokens is free to the manufacturer. I believe that there is also a viral marketing effect as people tell their friends about the system.
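The call-in token scheme is small enough to show end to end. The following is an added example written for this post, not Dintag's, Algoril's or Verify Brand's implementation and not the PTA threat model mentioned below. It assumes one random 12-digit ID per package, a manufacturer-side registry that stores only a keyed hash of each ID (so a leaked registry does not hand out valid codes), a normalization step for what a consumer types or OCR returns, and a lookup counter so that a code queried more often than a single package plausibly would be gets flagged for review. The LOOKUP_LIMIT threshold and the product names are constructed for illustration.

```python
"""Consumer call-in numeric token authentication for serialized packages.
Added illustrative code, not a vendor implementation. Assumptions: random
12-digit IDs, registry stores keyed hashes only, repeated lookups beyond
LOOKUP_LIMIT mark a package as suspicious (threshold is arbitrary)."""
import hashlib
import hmac
import secrets

ID_DIGITS = 12       # size of the printed ID; 10**12 possible values
LOOKUP_LIMIT = 3     # constructed threshold: more lookups than this is unusual for one package


class TokenRegistry:
    def __init__(self, server_key: bytes):
        self._key = server_key
        self._records = {}  # keyed hash of ID -> {"product": str, "lookups": int}

    def _digest(self, token: str) -> str:
        # Keyed hash: the registry never holds the plain IDs.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, product: str) -> str:
        """Manufacturer side: mint an unpredictable ID for one package and record its hash."""
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(ID_DIGITS))
            digest = self._digest(token)
            if digest not in self._records:  # retry on the (negligible) chance of a duplicate
                self._records[digest] = {"product": product, "lookups": 0}
                return token

    @staticmethod
    def normalize(raw: str) -> str:
        """Keep digits only: tolerates spaces and dashes typed by a consumer or read by OCR."""
        return "".join(ch for ch in raw if ch.isdigit())

    def verify(self, raw: str) -> dict:
        """Consumer side (Web form, SMS or voice channel all end up here)."""
        token = self.normalize(raw)
        if len(token) != ID_DIGITS:
            return {"status": "malformed", "lookups": 0}
        record = self._records.get(self._digest(token))
        if record is None:
            return {"status": "unknown", "lookups": 0}
        record["lookups"] += 1
        # A genuine code printed on one package should be checked a handful of times at most;
        # the same code seen many times is a signal worth reviewing, not proof of anything.
        status = "authentic" if record["lookups"] <= LOOKUP_LIMIT else "suspicious"
        return {"status": status, "product": record["product"], "lookups": record["lookups"]}

    def flagged(self):
        """Products whose codes exceeded the lookup threshold, for the manufacturer's review queue."""
        return [r["product"] for r in self._records.values() if r["lookups"] > LOOKUP_LIMIT]


def guess_hit_probability(issued_count: int) -> float:
    """Chance that one random ID typed at the service matches any issued code."""
    return issued_count / 10 ** ID_DIGITS


if __name__ == "__main__":
    registry = TokenRegistry(secrets.token_bytes(32))
    code = registry.issue("ExampleDrug 10mg, lot A1 (constructed)")  # printed on the package
    print("consumer checks code:", registry.verify(code))
    print("typo or fake code:", registry.verify("0000 0000 0000"))
    print("guess success with 1e6 packages issued:", guess_hit_probability(10 ** 6))
```

The two things to carry into the threat analysis are visible in the code: the ID space has to be large relative to the number of packages issued (the guess probability function makes that relation explicit), and the service learns something from lookup patterns that a printed hologram never can, which is the one place a "looks real" copy leaves a trace.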

I performed a threat analysis of the call-in numeric token method. In a later posting, I plan to publish the actual PTA threat model that was developed.

Continue reading "Threat modeling for the pharmaceutical industry" »