Tuesday, January 29, 2013

Technology's advancement requires competition.

I'm 100% in favor of a company starting out small with an innovative idea and then expanding. If this happens in a way that leaves the innovative company with little competition, it's something magical to behold. Everyone benefits from competition, however.

Without competition a company can set prices to whatever it wants. If an innovative company has a new product and no other companies step up to compete, it could be because other companies lack the funding or the knowledge, or they may see no benefit in competing at all (for a product they do not believe will be successful).

More and more in this day and age, companies aren't getting ahead because they have superior products or because the people buying the products have a heightened sense of brand awareness, but rather because a company benefits from information or services obtained illegally, or pays other companies not to use the competition.

When a person knowingly supports a company that has ill-gotten gains, this helps and endorses the company to keep doing what it was doing. By having an unfair advantage a company can put all competition out of business and then set prices to control a market. If the item in question is technology, it can control all prices globally. Also, without competition, technological advancement is in the hands of the only company left standing. If the company decides not to advance because it's not in the best financial interest of shareholders, then the results could be detrimental to a product line, a piece of technology, even society itself (just think if one company controlled the water supply... see Wikipedia for Water Privatization).

AMD Advanced Micro Devices and why you should not buy Nvidia or Intel (at the moment)
Many companies benefit when they hire a disgruntled employee from a competitor. They receive inside knowledge of the inner workings of the competition. They also benefit from any project the employee might have had knowledge about, not to a degree that the company can copy the technology entirely or beat the original company to a patent (unethical), but they can prepare for the competing technology, software, or product to be on the market and find ways to innovate and compete ethically and legally. This is the reason that companies have employees sign a non-compete, and also clauses that state that anything you work on during employment with the company is the property of the company, done as "work for hire." I myself feel non-compete clauses should be illegal, but in most cases a company will be hard pressed to keep an ex-employee from obtaining gainful employment in their field of expertise. Work for hire is something that should be allowed if the company is funding the research, but if the company can show no receipts for the time the employee came up with the idea, then it should belong to the employee.

Sometimes, however, companies don't receive information legally, but instead pay recruiters to tempt employees of the competition into selling inside information before the employees have left the company. Insider theft and espionage not only cost companies billions; they can put a company out of business and even hurt everyone involved.

[Chart: AMD (Advanced Micro Devices) stock values, 1/28/2013.]

Two cases have come to light in the past years involving AMD and unfair practices against its business. In a lawsuit filed 1/14/2013 - AMD vs. Feldstein, Desai, Kociuk, and Hagen - AMD is seeking damages and injunctions against the 4 people involved, who allegedly sold inside information and data collected from the AMD database to AMD's main competitor in the graphics card market, NVidia. If only one person had sold the information to NVidia, or attempted to sell the information, then there might be the case that NVidia had nothing to do with it and the person selling the information might have been opportunistic. Since four people sold information, it looks more like NVidia might be paying (and recruiting) these people for information for ill-gotten gains.

The second case that comes to mind is an antitrust issue between Intel and AMD. There was a "complaint" filed for NY vs. Intel where they go into detail about Intel suggesting to its clients that they stop using AMD chips. In the EU there was an antitrust case filed against Intel in 2009 where the courts ruled in favor of payment to AMD. Intel's response: "Intel takes strong exception to this decision. We believe the decision is wrong and ignores the reality of a highly competitive microprocessor marketplace..."

In short: No, it is not innovative to pay off the market and keep companies from purchasing your competitors' products.

Is it okay to buy anything Apple branded?
While I definitely like the road Apple has taken with their machines recently in terms of speed, I give second, third, and even tenth thoughts to buying Apple products. Apple has become a company that ignores human rights when it comes to building its portable devices. Another reason is that Apple exclusively uses Intel chips in its machines and does not allow installation of its operating system on any other platform (including AMD). From Apple's EULA for Snow Leopard:

"You agree not to install, use or run the Apple Software on any non-Apple-branded computer, or to enable others to do so."

When companies (Psystar and PearC) selling hardware of their own branding with the Mac OS operating system installed were sued by Apple, the Supreme Court found that the use of the Apple operating system on non-Apple hardware was a violation of the DMCA. Meaning it's illegal. This makes me wonder if the Librarian at the Library of Congress has received any compensation for helping Apple to become a monopoly in this regard, since the Library of Congress controls the DMCA (Digital Millennium Copyright Act). Because of this I have only purchased low-end Macs for checking email, but maintain an AMD 12-core server as my primary workstation.

Wednesday, January 23, 2013

Hybrid Postal Delivery Services: How they destroy brands

I recently ordered an upgrade to one of my workstations from a “local” vendor. They’re about 60 miles from my present location, just outside of Chicago. Most packages in the greater Chicago area being sent through the United States Postal Service take a maximum of 3 days from the time they’re sent, in my experience. This usually involves going from a local post office, to a main sorting facility, back to the destination post office, and into the hands of the postal carrier. Three days is on the high end, as it usually only takes two. This all depends on whether the address is handwritten or whether the sender printed a barcode with all of the CASS-Certified presort information on the label. (Hand reading and sorting adds time to delivery.)

When I was making my purchase from the website (I'm giving them a second chance, hence the failure to mention them directly), I was presented with a couple of options: FedEx 2-day, which would cost me an additional $15, FedEx Overnight Air at $30 (no air involved for a local delivery), and several other highly expensive services. I trust the Postal Service very little, but rather than paying for extra non-essential services when my package could be delivered in two days using the normal postal system, I elected to use the “free” service, which guaranteed 2-3 days.

When I received my receipt the vendor indicated the 2-3 day delivery, and two and now three days have come and gone. My dilemma is that the people I ordered my package from, rather than using the standard United States Postal Service in a local, traceable method, decided to use one of the new hybrid services, in this case UPS SurePost 'Saver.' I HATE seeing this as the free option for local shipping because it almost definitely means that the package is going to be lost and take an extra few days. FedEx has a similar service called FedEx SmartPost… equally bad (if not worse). When I use either of these services I end up seeing my package within 2-3 miles of the office for 2-3 days before it is finally delivered. Something about the process makes the postal service or the shipping service delay the final delivery.

After looking at the tracking detail last night and expecting my package to arrive today, I went down and met my postal carrier at the box and, surprise, surprise... no package. He looks at me rather puzzled. I look at him rather puzzled and bid him a good day. He’s a nice guy, so are my local UPS drivers... it's not their fault... it's the logistics.

Upon returning to the office I go in to check the tracking detail. Apparently my package was “ROUTED TO WRONG LOCAL POST OFFICE. PACKAGE WILL BE TRANSFERRED TO CORRECT POST OFFICE FOR DELIVERY,” according to the UPS website. When I called UPS, rather eager to pick up my package in person (because I’m tired of waiting), the person on the phone told me that my package would be delivered either today or tomorrow and that they were on top of it. When I asked if I could pick up the package, they said they weren’t sure where the package was exactly... a breakdown in the tracking detail between both services involved, in this case UPS and USPS.

So this brings to light several reasons why these services DO NOT NEED TO EXIST AT ALL. There are no savings using this model for anyone: shipper, receiver, or the shipping service(s). When a company loses or misdelivers a package due to the complexity of the shipping logistics, it has the potential to smear all of the brands involved. That costs companies money (think billions). In fact, here I am smearing their brands: DO NOT USE UPS SurePost or FedEx SmartPost ‘Saver’ services for delivering packages to your customers or clients. They will find other vendors. Offer simple, yet traceable, delivery services. I may not purchase anything else from the original company for fear of not receiving it on time (or at all). I will avoid the UPS SurePost ‘Saver’ delivery service like the plague, and try to find another vendor that will simply send my package to me in a timely manner, without added expense and patience required on my part.

If one were to go in and read the countless reviews on Amazon.com, Newegg.com, ebay.com or several other websites where reviews abound, they would notice a pattern of people who give an item a low rating simply because of a shipping delay. This not only hurts the success of the product (manufacturer's brand) that they are berating, but also the reputation of the company (seller's brand) that is selling the product. This is no doubt because the people doing the ratings have no concept of what they are doing; nevertheless it happens and is also costly.

When a package that should normally only touch two local post offices and a main sorting facility bounces through three UPS sorting facilities, a local UPS branch, two local United States Post Offices, and multiple mail carriers, there is an increased risk of the package being mishandled, misdelivered, lost, stolen, and/or destroyed.

My recommendation, if you’re UPS, USPS, FedEx, or any company that wants customers who spread good word of mouth about your products and services: DO NOT use (or provide) any of the hybrid sending services, because unlike the normal services customers have come to love and expect, these added complexities to the rather simple purchase-and-delivery model are a risk to all.


That's all for now.
-Chris

Friday, January 11, 2013

Information Sharing - A Double-Edged Sword

This posting was sparked by a few new exploits on the rise, a Java exploit and a couple of Ruby-on-Rails vulnerabilities. I found out about both of them from Dark Reading.

I've been using computers for a very long time (31 years) by technology standards. One thing I've become accustomed to is regular updates and patches to systems, programs, and apps. Sometimes the systems that need to be patched aren't systems that people themselves have direct access to; they may be a web server, a mail server, a programming interface, or even a server-side plugin.

The good
The reason these things need to be patched and fixed isn't because the companies who are making the patches are making money off of them. It's actually kind of the opposite. It's a huge issue for a company's brand (yes, PR and Marketing) when its software is the main reason most of the Internet or Corporate America goes down. Think of the damage control a company like Microsoft has to do when there is a massive worm spreading around the Internet like CodeRed or the Melissa virus. It's huge. People change platforms; they decide they can no longer trust a company with such glaring vulnerabilities. They "switch." I myself started using Macs simply because I trust Unix way more than I do Microsoft's ability to protect my system, e-mails and webpages.

Here's the problem, though: those vulnerabilities usually aren't found because some crazy hacker on a mission has decided they're going to ruin one of these worldwide brands. It's usually because the company itself has someone, either on its payroll or contracted, who provided the initial notification of the exploit (internally or through a provider channel), either because they were working on the code, they crashed their own systems, or they had a hunch and tested their theory. They notify the company, which in turn rolls out a patch... these people are paid to provide this service.

People read everything with their own filter on the world. If they are a good person, when they see a patch, they probably think to themselves... I need to apply this because I don't want any downtime... but what if the people are bad? Okay, let's not say "good" and "bad" because that's not necessarily the case at all (and part of a larger discussion). Let's say they are users, and then there are those other people who have "too much time on their hands" at the moment. I say this because at one point or another in a white hat hacker's life they have more than likely infected something or spread something by accident. They're not bad people, but if it's uncontrolled it could do just as much damage. Always test on an offline machine if you're going to open Pandora's Box.

The bad
So back to my point about the people filtering what they see. When someone 1.) wants to experiment, 2.) has downtime, and 3.) needs an idea for something to hack, they have this great expanse of information (the Internet)... I know, it's pretty obvious, right? Although [most] people think that all hackers go to secret websites and have a secret handshake, that's really just the people who go to Defcon or who have friends who are hackers because they do it for a living, or who want to pretend they're hackers. Most of the other hackers I've met, I met by accident because someone else mentioned that I hacked, and then we talked about the level of what we were into.

Usually self-proclaimed "hackers" in my experience are in actuality script kiddies (people who use a program or a tool in a way they've read about to purposely cause chaos), so often when I'm confronted with the question of what I do, I kind of go the other way and don't share what I'm into unless they let me know that they're "cool," A.K.A. not a script kiddie. Just like the branding issues companies have with being exploited, "hackers" white, black, and gray.... all hats, also have a branding issue, because somewhere some [insert expletive here] is writing a virus that will cause harm, and it says the same thing on my nametag to society that his says: I'm a creative professional with the means and ability. Society doesn't care whether I would do it or not, or about my moral compass, but you have to think like a "bad guy" to outsmart a bad guy... it doesn't make me "bad." But it makes the unknowing populace marvel and wonder (in a bad way).

On with the Internet reference... when I say they have the Internet at their fingertips, they don't need to go to one of the heavily monitored websites for script kiddies or the IRC channels; all they have to do is browse through a company's patches. In the patches that most people install there is usually some bit of information that says what exploit or vulnerability is being patched. Apple doesn't share a lot of detail about this, but Microsoft usually tells you what it's patching if you follow enough links from Windows Update. Java, Ruby, PHP, and most other open-source languages will release it in a bugfix that you can read about. When it happened to Microsoft's brand before, Microsoft had already provided patches for the exploits for CodeRed and Melissa long before they were in the wild and running rampant. Most people, however, do not like applying patches because, just like going to the doctor, "If it ain't broke don't fix it."

I've heard all sorts of reasons why someone shouldn't patch something... "because if they don't know I'm running an older version I'm safe" or "it might bring down my machine so I wait a couple of months to test it." Zero-day patches, just like zero-day exploits, can also bring your machine to its knees. I wait about a week to make sure that a patch has been thoroughly tested by the masses. It takes most companies a couple of days to clean up after a failed patch, so that should be enough time to cover myself. (I can't afford to have downtime.)

The incurable
When an idle mind sees a patch and decides to take it upon themselves to figure out how to exploit it, that's where the problems arise. Vulnerabilities that a company doesn't know about the day they're unleashed are called zero-day exploits or holes, and they're usually compromised in a zero-day attack... because the company has had zero days to prepare for the aftermath from a technical and marketing standpoint. These can be people purposely writing a virus or altering code and spreading it. Because a company has little or no warning, it can be catastrophic for the brand.

How is information sharing bad?
The problem is with the channels where information is shared. Most of the highly technical details about a vulnerability do not need to be out in the wild where a passing bot or web-crawling search engine can find them. They need to be behind at least one level of authentication. This makes it more of a deterrent, because only the people who would really need to know about something would take the time and effort to go in and look at all of the specifics. Potentially harmful individuals might go in and still compromise a machine or series of systems, but a casual passer-by wouldn't see the info and get any ideas.

Really observant individuals might actually take the time to find a pattern in [poor] programming. For instance, Microsoft has been pretty bad about securing Internet Explorer and the way it is interconnected with its operating systems. In the past, when someone logged in with the default Administrator account they could open an e-mail or a webpage and take down their machine with full privileges. Luckily it's a little more difficult for most users now.

On another note, whitepapers can be something of a major problem as well. I downloaded yet another whitepaper on SQL injection attacks today. Nothing new or earth-shattering, but it always pays to look to see what I might be up against. I'm always interested in new perspectives.

A thief who can see a whole building and examine it in full detail might realize it's much easier for them to drive through the wall and bypass the door and window sensors on the alarm system altogether. The same thing applies to whitepapers and patch descriptions on the web. Although much of the media clamors for information about the technical specifics of what happened, it's probably safer if all of that detail isn't on the record completely and in the open. PR and Marketing departments should be the main filter in brand protection. After all, too much self-provided information might actually help in destroying your brand. (The same goes for real hackers.)

Soap Box
If you have a person (or group of people) in your organization or company who really wants to support some of the open-source platforms like Java, PHP, Ruby-on-Rails, and so forth, they also need to understand the responsibilities that come with maintaining an effectively secure system. Everything needs to be patched and it needs to stay somewhat up-to-date. When companies invest in new ideas and those ideas fail, the people who are working on the front lines and in the trenches are the ones that are hit. Most companies can reboot from a failed experiment, but most people can't.

That's all for now.