September 01, 2014

CryptoWall ransomware held over 600,000 computers hostage, encrypted 5B files
The CryptoWall command-and-control servers assign a unique identifier to every infection and generate RSA public-private key pairs for each one. The public keys are sent to infected computers and are used by the malware to encrypt files with popular extensions -- movies, images, documents, etc. -- that are stored on local hard drives, as well as on mapped network shares, including those from cloud storage services like Dropbox and Google Drive. Files encrypted with an RSA public key can only be decrypted with its corresponding private key, which remains in the possession of the attackers and is only released after the ransom has been paid.

Business Services: What are they, really?
As a starting point, we can focus on the business processes from the process landscape comprised of core and noncore functionality. These processes can usually be represented at various abstraction levels referred to as process levels in a process model (e.g. descriptive, analytical/operational, and executable). Business services can then be identified and extracted from these levels with a top-down approach. Higher abstraction levels provide inputs for composite Business services, while lower levels provide inputs for fine grained candidates. Such a focus on processes and Business service candidates would also help identify functional redundancy across the enterprise. Still the results from such approach may differ from one organization to another.

Q&A with Marshall Van Alstyne, Research Scientist MIT Center for Digital Business
I think of “platform” as a combination of two things. One, a set of standards or components that folks can take up and use for production of goods and services. The second thing is the rules of play, or the governance model – who has the ability to participate, how do you resolve conflict, and how do you divide up the royalty streams, or who gets what? You can think of it as the two components of the platform—the open standard together with the governance model. The technologists usually get the technology portion of it, and the economists usually get the governance and legal portions of it, but you really need both of them to understand what a ‘platform’ is.

Big Data’s Two-Way Customer Conundrum
Yes, big data can address all of those things as well, though you won’t hear this side of the industry touted as its biggest benefit. And yet, it certainly should be. By approaching big data as a customer-centric imperative, not merely a money-making strategy (though that is important as well), companies can use it to a customer’s benefit. The end game: better customer service, increased convenience, greater brand loyalty and, ultimately, higher customer lifetime value from every single customer that engages with a brand.

Nigeria launches new biometric ID card - brought to you by Mastercard
"There are many use cases for the card, including the potential to use it as an international travel document," Onyemenam said. "NIMC is focused on inclusive citizenship, more effective governance, and the creation of a cashless economy, all of which will stimulate economic growth, investment and trade." The new cards carry two photographs of the holder, and a chip storing an individual's biometric information including 10 fingerprints and an iris scan using a system developed by Cryptovision. Nigeria first attempted to introduce identity cards 10 years ago and, as well as modernising the service delivery and improving bureaucracy ...

UK lags France and Germany in big data analytics, but sees itself ahead
British IT executives seem to be more drawn to the view that doing big data means employing MapReduce and NoSQL specialists rather than taking a “holistic view of how new data types can be joined to relational data”, said Duncan Ross, director, data science at Teradata. MapReduce is a programming model for large-scale data processing, and the Hadoop framework is an example of it. Ross added: “It is possible that this is a side-effect of the UK being slightly ahead of Europe on the big data bandwagon, and seeing it more as a technology-focused activity than a business one.

Five SDN protocols other than OpenFlow
While the Open Networking Foundation defines OpenFlow as the first standard communications interface between the control and forwarding layers of an SDN architecture, it may not remain the predominating protocol. With all of its promise, OpenFlow also poses a slew of challenges from scalability to security. Most troubling, network vendors must create supporting switching in order for OpenFlow to take hold industry wide. While most network vendors have already developed OpenFlow-based equipment, they're also designing SDN architectures that use alternate communication methods -- including existing networking protocols, such as MPLS and NETCONF.

The future of mobile commerce is commerce
“Mobile commerce” is a bit of a rabbit hole. As a concept it makes sense to look at all the ways in which users will transact on their mobile devices. But mobile commerce encompasses a number of entirely different spaces. A Square-enabled mobile POS, a video game offering in-app purchases, FeLiCa’s tap-to-pay system at train stations, and a retailer’s mobile-enabled website all fit the criteria, but there’s very little overlap. The spectrum of mobile commerce can be divided into six distinct areas:

Will the meteoric rise of Android popularity result in an insecure platform?
This particular topic is very hard to nail down. First of all, you have to know what mobile malware is. Google is constantly on the lookout for malware-infected apps. What constitutes a malware-infested app? Let's take a look at one of the most recent notorious pieces of mobile malware to hit Android -- BadNews. This malicious code looked like a framework for serving up ads in ad-based software. What the code did was send your private data (including phone number and IMEI) to a server (not surprisingly, a Russian server). It can't be debated that this is malware. Google recently removed 32 applications (mostly Russian language) from the Play Store that contained the BadNews code.

Stories of Collaboration in Remote Teams
Lisette Sutherland and Elinor Slomba have been collecting and sharing stories from people whose business models depend upon getting remote teams right. These stories showing how remote teams collaborate, bridge distance, build trust and get things done together will be described in the upcoming book Collaboration Superpowers: The Field Guide. InfoQ interviewed Lisette and Elinor about how people work in remote teams, which tools they use to collaborate and communicate, and what it takes to work remotely as a team.

Quote for the day:

"A life spent making mistakes is not only more honourable, but more useful than a life spent doing nothing" -- GB Shaw

August 31, 2014

Defining Web 3.0 and Developing the Fastest Enterprise Mobility Apps
There is also a definite demand for skills in the market in next generational frameworks and I call out Angular and Backbone as leading the way commercially, with Ember and Meteor also highly respected frameworks. This is created by a demand to build a higher quality of Web Applications and the learnings of the last projects of what went wrong when anyone tried to maintain the last attempt. The job specification is no longer “Web Developer” but instead it is “JavaScript Architect”. I interview a lot of people and the majority of web developers with 5 – 10 years of experience still do not know the following seven vital things:

How an Enterprise Architect Used Change Management Tools to Diagnose Business Problems
Desire is a difficult stage of change to get through. How do you create desire in the face of resistance to change? Keeping people informed helps overcome initial reactions against change. More desire is gained by clearly showing solutions that people will find useful. But in most engagements, we should be building buy-in with ongoing participation of stakeholders and those who will be affected by the changes. Influencing desire begins early in the planning process. Invest in stakeholder engagement early. During this phase, it can be very useful to make a vocal champion out of someone who was antagonistic at the beginning, but who has since become a supporter of the changes.

Perspectives of Business Reference Model
We are all witnessing the steady progress of the Enterprise Architecture (EA) discipline and it is now well understood that EA is not just about IT infrastructure and that Business Architecture (BA) forms an integral part of EA. Unlike in the past, when Business Architecture was used for the purpose of eliciting the requirements for the IT systems, BA is used to develop and describe the target business model and work on a road map that will get the business towards the target. The Open Group, as part of its "World Class EA" series, has published a White Paper on the Business Reference Model with the objective of providing the help organizations need in developing BA assets and planning for the future.

eBook. The practice of Enterprise Architecture
This book does not propose a new framework, theory, or approach to Enterprise Architecture. Instead, we share the experience and lessons learned of many projects that we have conducted around the world over the last few years. There are three parts: (1) a high-level introduction to Enterprise Architecture using TOGAF and ArchiMate, (2) an overview of good practices to get started with EA and (3) an overview of advanced topics and techniques. If you are interested after reading the first two chapters, we recommend that you contact our sales department at: They can help you purchase this book.

Visualizing and Measuring Enterprise Architecture: An Exploratory BioPharma Case
The focus of this paper is to test if it can also uncover new facts about the components and their relationships in an enterprise architecture, i.e., if the method can reveal the hidden external structure between architectural components. Our test uses data from a biopharmaceutical company. In total, we analyzed 407 components and 1,157 dependencies. Results show that the enterprise structure can be classified as a core-periphery architecture with a propagation cost of 23%, core size of 32%, and architecture flow through of 67%.

How Can Enterprise Architects Drive Business Value the Agile Way?
As an Enterprise Architect, chances are you are responsible for achieving business outcomes. You do this by driving business transformation. The way you achieve business transformation is through driving capability change including business, people, and technical capabilities. That’s a tall order. And you need a way to chunk this up and make it meaningful to all the parties involved. ... An Enterprise scenario is simply a chunk of organizational change, typically about 3-5 business capabilities, 3-5 people capabilities, and 3-5 technical capabilities.

Guide to OpenIG
This guide is written for access management designers and administrators who develop, build, deploy, and maintain OpenIG deployments for their organizations. This guide covers the tasks you might perform once or repeat throughout the life cycle of an OpenIG release. You do not need to be an expert to learn something from this guide, though a background in HTTP, access management, and web applications can help. You do need some background in managing services on your operating systems and in your application servers. You can nevertheless get started with this guide, and then learn more as you go along.

Service Bus Authentication and Authorization with the Access Control Service
Service Bus and ACS have a special relationship in that each Service Bus service namespace can be paired with a matching ACS service namespace of the same name, suffixed with “–sb”. The reason for this special relationship is in the way that Service Bus and ACS manage their mutual trust relationship and the associated cryptographic secrets. Inside the “-sb” ACS service namespace, which you can explore from the Azure Portal by selecting the Service Bus service namespace and then clicking the ACS icon on the ribbon, is a “ServiceBus” relying party definition following the ‘Relying Party Applications’ navigation.

8 Open Source Web Application Security Testing Tools
Web application security testing might seem intimidating and esoteric to many web administrators, especially to new ones. Have you ever asked yourself why so many IT professionals ignore the security aspects of their applications? We seem to have a tendency to ignore things that are unperceivable. ... The good news for those who are new to web security is that once you have a basic understanding of the most common web app vulnerabilities, you will find it much easier to protect your application from the various types of well-known web attacks.

Nigel Dalton at Agile Australia on System Thinking, Social Experiments and 20 by 2020
Probably one of the biggest breakthroughs for us last year was getting a really crisp statement of purpose for the company and it is “empowering people by making the property process, simple, efficient and stress free”. Everyone who has worked for us has had a complex, inefficient and stressful property experience - whether it was renting an apartment, a share flat, or whether it was buying, or going to an auction, or otherwise. It is thus pretty easy to get a few hundred people aligned around that as a purpose.

Quote for the day:

"Products are made in the factory, but brands are created in the mind." -- Walter Landor

August 30, 2014

The long game: How hackers spent months pulling bank data from JPMorgan
Because of the multiple layers of the attack and the use of custom “zero-day” code in each of them, Bloomberg’s sources said that JPMorgan’s security team believed it was the target of “something more than ordinary cybercrime.” But such sophisticated attacks have already become the hallmark of Eastern European electronic crime rings, which frequently use custom code developed specifically to stay under the radar of target companies for long periods. The recent attacks on Neiman-Marcus, Target, and other retailers are examples of such long-game hacks that infiltrated corporate networks with malware designed specifically for their systems.

CFOs’ Quest for the Golden Source of Data
“CFOs are frustrated with the situation right now,” says BearingPoint’s director Ingmar Röhrig, who led the survey of 65 finance officers at companies ranging from multinationals to midsize businesses. More often than not, it takes manual work to calculate how profitable a product is. Data is stored in multiple systems, so finding the answers you need at the press of a button is virtually impossible. Mergers and acquisitions add to the complexity.

Tesla recruits hackers to boost vehicle security
Tesla's cars are among the most digitally connected vehicles in the industry with the battery, transmission, engine systems, climate control, door locks and entertainment systems remotely accessible via the Internet. So the company has a lot at stake in ensuring that the connectivity that allows its vehicles to be remotely managed doesn't also provide a gateway for malicious hackers. Security researchers have already shown how malicious attackers can break into a car's electronic control unit and take control of vital functions including navigation, braking and acceleration.

Management vs Leadership: the Divide
A sense of leadership is a quality that all managers strive for – an ability to effectively motivate and guide their employees to success. But where many employers fail to hit the mark is in understanding exactly what separates a manager from a leader. Admittedly, leadership is a somewhat abstract concept, and as much a state of mind as a skill or talent – but for employers to flourish within their roles, it’s essential to know how they can transition from management to leadership. So we know that managers aren’t, by nature, leaders – but how can they be?

Vulnerabilities on the decline, but risk assessment is often flawed, study says
“It is difficult to point to any one factor that has contributed to the decline in the number of vulnerability disclosures in 2014,” the X-Force researchers said. “However, it is interesting to note that the total number of vendors disclosing vulnerabilities has decreased year over year (1,602 vendors in 2013, compared to 926 vendors in 2014).” Security experts have argued in the past that the overall number of vulnerabilities is not as relevant as their impact. However, despite attempts to standardize methods of assessing the severity of vulnerabilities, like the Common Vulnerability Scoring System (CVSS), there are many cases where the true risk posed by certain flaws is not represented accurately.

Understanding and Analyzing the Hidden Structures of an Unstructured Data Set
To do this you need to fetch out information from the free transactions text available on Barcllays transaction data. For instance, a transaction with free text “Payment made to Messy” should be tagged as transaction made to the retail store “Messy”. Once we have the tags of retail store and the frequency of transactions at these stores for Metrro high value customers, you can analyze the reason of this customer outflow by comparing services between Metrro and the other retail store.

Developers, Academia Team Up on Manual for Secure Software Design
Thirteen software companies and universities have banded together to create a group focused on educating developers about how to design secure software, releasing a report offering the 10 best practices to avoid common software flaws. Called the IEEE Computer Society Center for Secure Design, the group includes participants from Google, Twitter, RSA, McAfee, Harvard University and the University of Washington. The group, which has formed under the auspices of the Institute of Electrical and Electronics Engineers (IEEE), met in April at a workshop to compare examples of the design problems encountered by their development teams.

Why in-air gestures failed, and why they'll soon win
Leap Motion also released a demo video that I think you should see. It shows what's displayed in Oculus Rift, with two screens that (when you're wearing the Oculus Rift goggles) provide the illusion of 3D. It shows how Leap Motion's extreme accuracy in the real-time location of arms, hands and fingers translates into the ability to have total control in augmented reality and virtual reality programs. ... Extremely accurate motion control like what Leap Motion offers is not only a winning application for in-the-air-gestures, it's a perfectly necessary and inevitable one.

The Good, The Bad and The Ugly Of Enterprise BI
Our research often uncovers that — here's where the bad part comes in — enterprise BI environments are complex, inflexible, and slow to react and, therefore, are largely ineffective in the age of the customer. More specifically, our clients cite that their enterprise BI applications do not have all of the data they need, do not have the right data models to support all of the latest use cases, take too long, and are too complex to use. These are just some of the reasons Forrester's latest survey indicated that approximately 63% of business decision-makers are using an equal amount or more of homegrown versus enterprise BI applications.

What We Do and Don't Know about Software Development Effort Estimation
An apparent lack of improvement in estimation accuracy doesn’t mean that we don’t know more about effort estimation than before. In this article, I try to summarize some of the knowledge I believe we’ve gained. Some of this knowledge has the potential of improving estimation accuracy, some is about what most likely will not lead to improvements, and some is about what we know we don’t know about effort estimation. The full set of empirical evidence I use to document the claims I make in this summary appears elsewhere.

Quote for the day:

"I don't understand why people are frightened of new ideas. I'm frightened of the old ones." -- John Cage