Stories 11-14


11. Being watched


After talking about how to prevent being hacked in many previous issues, I have to confess: there is always a big brother watching you, inevitably.

Any of your internet footprints, including your conversations, your login details, your browsing history, etc., will be recorded in many places. Without going into any technical detail, the analogy is this: when you go online, it is like dancing and talking in a plaza, where everyone can see you and hear you. Some will ignore you, some are watching you. It doesn’t even qualify to be called eavesdropping.

Is it legal? All I can say is, the person or the organisation who owns the network infrastructure and the network data centres can claim the right of possessing what appears to be your information. On top of that, the government can take the data in the name of, say, anti-terrorism. According to a report in Bloomberg, Google has been the only major communication company to resist FBI requests for data; but they took it anyway. In some countries, the public are not even told this is happening.

This is a little bit different from the recent Edward Snowden incident and the Rupert Murdoch scandal, where the organisations involved were actively breaking into the network to monitor it. But these do at least confirm that there are big brothers out there, and it is not so uncommon.


12. Zero Vulnerability and Zero Day Vulnerabilities


If you are working in IT, I guess the most popular question you will get is: Can you help me fix my computer? This question actually has multiple implications. It can be a philosophical question – “To fix or not to fix”; it can be a possible date; it can be just a technical challenge. Anyway, every time I am fighting with a Windows machine, I check for security updates and patches after rebooting or reinstallation. This is to make sure that the computer has zero vulnerability.

The other day, we were running security checks on all the websites we developed. The best result was from a commercial website implemented with state-of-the-art technology, which turned out to have zero vulnerability. The worst, let me also mention it, was from a website developed many years ago with PHP, which has more than 800 vulnerabilities. Both are in use.

If a computer system has zero vulnerability, is it safe? The answer is absolutely not. There is something called zero-day vulnerabilities. They are not yet identified or detectable by any antivirus or intrusion detection programs. Once they are found, the days start counting; and you will probably get an update or patch from your software vendor on day 1 or day 2.

In the attack on RSA Security I mentioned in Story No. 7 Go Phishing, they reported that the hackers took advantage of 25 system vulnerabilities, and 24 of them were classified as zero-day vulnerabilities at that time.

13. Price of Software (1)


There was a heated discussion amongst the team the other day: one of our clients enquired about adding a new feature to their current system. As usual, our business analyst provided a quote for the job. The amount, after being assessed and estimated by the executive group, was 50 thousand dollars. A few days later the client came back and said, we want to pay at most 5 thousand. The business analyst brought the news to the team and there were a lot of F words blasted out.

Why is there such a huge mismatch? Let’s read the story from two sides. First, putting ourselves in the shoes of the client: Well, we are asking for a small common feature which can be found elsewhere. It can’t cost that much; we heard that there are low-priced or even free plugins available too. Why do we need to pay so much?

Now from the software developers’ perspective, everything is measured in terms of time and materials. Adding this new feature to the current platform requires hundreds of hours of design, requirement specification, development, testing, quality checking and project management time. All of these may be invisible to the client; but they are costs. Most importantly, it is a customised feature, not something we can plug in and play.

In the end, one guy jokingly suggested that if the client could find someone who can develop their requirement for 5 thousand, we could subsidise another 5 thousand in which case we end up losing less.

14. Price of Software (2)


Lots of customers do not really understand the cost of developing a piece of software; and to be fair, it is not clear anyway. The problem is that when there are so many free or pirated options available, people often wonder how much we need to pay for a piece of software.

Although we may not be as accurate as an intellectual-property attorney, we can roughly distinguish the different kinds of software pricing. First, if you own the software, obviously you will have to pay the full price, including, somehow, the future expense of maintaining the software. It is really difficult to value a piece of software, as it comes down to not only the effort spent in the past but also the potential growth in the future. This scenario usually happens when an IT company acquires another company along with its products.

Case 2, you own a copy of the software, e.g. the Windows operating system. The amount you paid can depend on a lot of other factors, such as marketing strategies, rather than its real value. Unlike owning a copy of a book, it is trickier because copying software is much easier. Also there is something called “source code”. It is quite ambiguous whether you may have access to or even modify the source code when you own the copy.

Last case, you pay for using the software, also known as being “licensed” to use it. This may be free of charge in most cases. For example, when you search on Google, you are using the search engine but don’t own anything. Interestingly enough, it is not free since the cost can be seen as covered by the advertisers.

Then why are there so many freebies in the IT world? Let’s discuss this another time.
