The Internet of (Insecure) Things

Back in 2014, I wrote an article entitled Why the Blinking Twelves is an Internet of Things problem in the making. If you’re not familiar with the idiom of the "blinking twelves", allow me to enlighten you:

Back in the last century, digital clocks with seven-segment displays became ubiquitous, including as part of other items of home electronics such as VCRs. When first plugged in, these would blink "12:00" until the time was set by the user.
Technically-minded people soon noticed that when they visited less technical friends or relatives, all the appliances in the house would still be showing the "blinking twelves" instead of the correct time. The "blinking twelves" rapidly became short-hand for "civilians" not being able to – or not caring to – keep up with the demands of ubiquitous technology.
One of the most frustrating things for techies about the "blinking twelves" was that nobody else seemed to care or even notice the problem that was driving them nuts. How could people not see the blinking twelves all around them, and do something about them?
It took Windows for the problem to become obvious. Windows computers brought a much higher level of technological complexity; the computer needed regular maintenance, and people rapidly realised that updates and patches were required at regular intervals if their computers were to remain functional and secure.
The problem that we are facing is that technology has already begun to spread beyond the desktop. Even the most technophobic now carry a phone that is "smart" to a greater or lesser degree and many people treat these devices much like their old VCRs, installing them once and then forgetting about them. However, all of these devices are running 24/7, connected to the public Internet, with little to no management or updates.

In the three years since I wrote that article, the number of Internet-enabled devices has simply exploded.

I know, it’s from Business Insider, take it with a large grain of salt - but the trend is unarguable.

Here’s the problem: all of those Internet-enabled Things are cheap, and therefore based on existing components, including software. Most software, at least below the level of the specialised RTOSen found in nuclear power plants and the like, is built around the assumption of regular maintenance and updates provided by knowledgeable operators. However, once these Things are deployed in the field, where "in the field" often means the home or office of people who are not IT professionals, it is a given that they will not receive that level of care.

When something like Krack hits, the odds are good that manufacturers for many devices will already have disappeared without providing patches. Even for devices from more stable vendors who do provide ongoing support, maybe the device is obsolete and replaced by newer versions with incompatible architectures. But even supposing that all the stars align and the patch is available, it will still not be deployed widely - because of the "blinking twelves" problem. Non-specialist owners will not know or care to update their devices, and so the cycle continues.

Our only hope is that we are saved by our devices' obsolescence, as the lack of updates eventually prevents them from functioning at all. Maybe this won’t be the final straw, but soon enough the figleaf in every click-through agreement about the software being "provided as is" and "no warranty of merchantability or fitness for purpose" will be ripped away, in favour of the sorts of consumer protection regulations that these same devices would be subject to if they were not Internet-enabled.

The alternative is that in the Smart Home of the Future that we keep being promised, troubleshooting steps really will require us to close all the windows, exit, and start what we were doing all over again.

Me, I’ll move to a cabin in the woods.

Photo by Heather Zabriskie on Unsplash

Living in the Future

So far this week my phone got me on a plane:

Around London by Tube and train:

Got me coffee, dinner and some light shopping:

Let me summon a car to my exact location, and pay for the trip:

Oh, and I wrote and published this blog post on my phone.

And I think I also made some phone calls, all while keeping on top of email, using social media, reading books and magazines, listening to music and podcasts, and finding my way around.

Tell me again how phones are overpriced and boring? 🤔

You may have noticed that none of those images are of my actual phone, or of my own boarding passes and credit cards. That is because I am not a complete idiot. Yes, people really do post pictures of those online. No, it is very much not a good idea.

Algorithmic reality

What if all of those earnest post-Matrix philosophical discussions were more on point than we knew?

One of the central conceits of the Matrix films is that the machines simulate a late-twentieth-century environment for their human "batteries"…

Oh. Spoiler warning, I guess? Do we still need that for a film that came out in 1999? I’m calling it - anything from last century is now fair game.

As we were: all the humans live in a simulated late-90s world, complete with all sorts of weird and wonderful mobile phones, before we decided collectively that all phones should look like smooth rectangles of black glass.

This of course had nothing whatsoever to do with the fact that the late 90s were contemporaneous with when the films were being made, and therefore cheap to film, and everything to do with the late 90s apparently being recognised as the pinnacle of human civilisation.

Here’s the thing: what if the Wachowskis were right?

The twenty-first century is no longer the domain of a purely human civilisation. We are now a hybrid, where baseline humans are augmented by artificial systems. I don’t think we are heading towards a Matrix-style takeover by the machines, but this is going to be a significant change, and one that is hard to fully comprehend from the inside, while it is happening. Also, once the change has happened, what came before will be fundamentally incomprehensible to anyone who comes of age in that future world.

The world they will inhabit will have bots and algorithms the way we baseline humans today have commensal bacteria in our guts. Our guts have enormous structures of neurons, second only to the brain itself:

Why is our gut the only organ in our body that needs its own "brain"? Is it just to manage the process of digestion? Or could it be that one job of our second brain is to listen in on the trillions of microbes residing in the gut?

We can see the beginnings of this process already: we drive where the algorithms tell us to drive, we exercise the way the algorithms tell us to exercise, and we even date whom the algorithms tell us to date. We buy films, music, and books that the algorithms recommend, go on holiday where they suggest, and take jobs that they set us up with. In the future, what other decisions will we hand over to algorithms - unquestioning and unconcerned?

The algorithms and bots may not be out to enslave us, but they do see things dramatically differently than we do. For an example, take a look at this map:

This is a snapshot of a map of the continental US during the recent solar eclipse. The traffic algorithm has no idea of what an eclipse is, but it does know that something weird is happening: people are stopping their cars in the middle of roads across a wide strip of the US.

Famously, an algorithm figured out a teenage girl was pregnant before her dad did:

An angry man went into a Target outside of Minneapolis, demanding to talk to a manager:
"My daughter got this in the mail!" he said. "She’s still in high school, and you’re sending her coupons for baby clothes and cribs? Are you trying to encourage her to get pregnant?"
The manager didn’t have any idea what the man was talking about. He looked at the mailer. Sure enough, it was addressed to the man’s daughter and contained advertisements for maternity clothing, nursery furniture and pictures of smiling infants. The manager apologized and then called a few days later to apologize again.
On the phone, though, the father was somewhat abashed. "I had a talk with my daughter," he said. "It turns out there’s been some activities in my house I haven’t been completely aware of. She’s due in August. I owe you an apology."

And that’s not even the creepiest thing algorithms can do. They can identify your face, even when you hide it with a scarf to go to a protest (unless of course they can’t), and they can tell your sexual orientation from a photograph.

This is why DRM, privacy, and user control in general are such important topics: we are talking about our own future exoselves here. There are perfectly legitimate reasons not to want to broadcast your identity and all your particulars to all and sundry, especially in a world which is unfortunately still filled with prejudices against anyone who doesn’t fit in with the majority. And if something that is guiding your actions and your very thoughts belongs to a corporation that makes money from people who want to influence your actions and your thoughts, where does that leave you? About as enslaved as those human batteries in the Matrix, I’d say.

I’m a straight white middle-class dude, cis-het or whatever, and basically so square I’m practically cubic, so all of this is very far from affecting me personally. I’m at the very bottom of Niemöller’s poem - but I have friends and relatives who are much higher up, so I have both personal and selfish reasons for wanting to make sure this is done right. Personal, because don’t mess with my friends, and selfish, because as the Reverend Martin wrote, if we don’t fix it early, by the time it gets to causing problems for me, it will be way too late to do anything about it.

And of course there are all sorts of other aspects of this new future that we are building which all too few people are thinking about. Future historians will refer to these decades as "Digital Dark Ages": our history will be lost behind gratuitously incompatible file formats and DRM to which no living entity (human or corporate) has the keys any more. I was able to flip through my grandparents’ pictures and read a great-uncle’s book; as things stand, my grandchildren will not be able to have this experience.

The late twentieth century may indeed go down as the high-water mark of the purely human civilisation. The technologies that would make up the new world already existed - I played a full VR game, with goggles, 3D mouse, and a subwoofer in a backpack rig, in 1998 - but they were not yet fully joined up, and only vanishingly few people appreciated what would happen when they would all be connected up.

I have no intention of standing athwart history, yelling Stop - but we do need to think carefully about what kind of future we are building, and where it will take us. If the first couple of decades of this scary new century have taught us anything, it’s that the defences of "oh, that’ll never work" and "nobody would ever do that" are no defence at all, in cryptology, civil liberties, or anywhere else - if, indeed, they ever were.

Check In and Chill Out - Part Two

Yesterday I wrote about travel tips for road warriors to survive the holiday season. Today, I wanted to share some advice for less frequent travellers.

There are a few simple tips that can make time in the airport much less stressful for everyone, but they are the sort of thing that I had to learn through experience, instead of being able to refer to one source for all the information. Here is my attempt to gather some useful tips in one place.

My first piece of advice is about preparation. I wrote about luggage and packing; choosing the right bag and packing it right will make the whole trip more pleasant, but especially that bit at the airport where you will be spending quality time with your chosen piece of luggage. Of course if you only take one or two trips a year, it's not worth going for the high-end road-warrior stuff. I buy Tumi because it's the only brand that stands up to what I put my luggage through, but I'll be the first to admit it's expensive and its looks are, uh, challenging. It's still worth shopping around for decent luggage, because the wrong luggage can mess up your trip before it has even properly started.

Check in online! Your airline will tell you when the check-in window opens (usually either 24 or 72 hours before departure). Make yourself a calendar reminder, especially if you are travelling in a large party and want to sit near each other. Check in online, and save your boarding pass to your phone. Basically, you don't want to go anywhere near an airport check-in desk if you can help it, especially during holiday season. Even if you have luggage to check in, there are separate baggage drop desks, where the lines should move faster - but again, everything is slower during holiday season, so give yourself plenty of time.

Your airline’s web site will also give you the opportunity to fill in required passenger information, known as APIS. This usually means your passport number and its expiry date. Note that you may also need to fill in a separate document with the government of your destination country, such as the ESTA for the USA. This is also required even if you are only going to be in transit through the US, so don’t be caught out!

Your airline will tell you what its policies are for carry-on and hold luggage. Follow these to the letter, because they do check, especially at holiday times. If you have a connecting flight, especially if it involves a different airline or a change from international to domestic, different policies may apply. Don't be That Guy (or Gal) frantically repacking luggage at check-in, then shuffling through the security checkpoint looking like the Michelin Man because you're wearing seven layers of clothes that didn't fit under the weight limit. Yes, I speak from experience!

If your itinerary involves connecting flights, it’s worth making sure whether your bags will be checked straight through to your final destination, or not. For instance, if you make a connection inside the US, you will have to clear customs, retrieve your checked bags, and then go back through the check-in process all over again. You should allow extra time for this, and also note that the US domestic flight will almost certainly have different rules (lower weight limits, perhaps smaller number of items) for checked luggage than the international flight.

Security checkpoints will have the same policies regardless of airline: no liquids over 100ml, all liquids packed in a transparent bag, total volume not to exceed 1L. Some airports will provide the transparent baggie, but not all, and some will charge you for the privilege. Best to pack your own baggie at home, or simply avoid the problem by packing all your liquids in your checked luggage.

You will need to take large electronics out of your carry-on bag, but this means different things depending on where you are. It used to be simple: in the US, only remove laptops; in Europe, also remove tablets. Cameras? Best to ask. Now, that US policy might be changing.

Empty your pockets - of everything, not just metal. These days, most airports have millimetre-wave scanners, not just metal detectors, so it’s best simply to take everything out. To speed things up, put the contents of your pockets into your carry-on, together with your belt, watch, etcetera. This way, when you get through to the other side, you can grab your bag and go. Sort your pockets out later, without holding up the line or getting jostled by a thousand other people.

You may be able to pay to access Fast Track lanes even if you are not a frequent flyer or flying business class. At this time of year, that's probably a good investment. Check your departure airport's website; they often have deals, especially if you also pre-pay for parking (something else you need to allow time for, because all the parking lots are full and you'll end up two miles' walk and a long shuttle bus ride from the terminal).

Once you're through security, keep an eye on time. These days, most airports don't assign gates until quite close to boarding time. Don't hover in front of the screens waiting for a gate to be assigned! Your airline or airport's app or website should give you updates, so you can find yourself a corner in a bar or café to wait in comfort, instead of standing around in a crowd of bewildered tourists. There are also dedicated apps that will put a flight board right on your phone. If you’re worried about roaming, most airports have free wifi, at least for a time. Here’s a tip, though: park yourself right outside the frequent-flyer lounges, and you may be able to sneak onto their unlimited wifi instead.

Flights are full at holiday times, so there’s no way around it: boarding will be a scrum. If you have assigned seating, you only need to deal with that scene if you need to ensure space for your carry-on, in which case, yes, queue up early - or pay for early boarding, if your airline gives you the choice. On the other hand, if you checked your big bag in to the hold and you don't need space in the overhead bins, there is no downside to remaining seated and boarding the plane after the worst of the crush is over.

Once on the plane, be prepared to move smoothly. Know your seat row, and head there straight away. If you’re on a larger plane, there might be two aisles, but cabin crew will direct you to the right one as you board. When you reach your row, get out of the aisle promptly, stow your carry-on in the overhead bin, and sit down. Do remember that there is a special place in hell for people who put more than one item in the overhead lockers, or put their luggage above a different row than the one they are sitting in.

The one exception is if you are sitting in an emergency exit row. You should be notified of this during check-in, but there are a couple of nuances that are worth knowing about. First of all, you do indeed get extra legroom, but you have to be "able-bodied" by the airline's definition, to assist in an evacuation should it be required, so if you're pregnant, elderly, or in any way disabled, you may be asked to move. Secondly, you cannot have anything with you at all - handbags, jackets, everything has to go in the overhead lockers for take-off and landing. Finally, space in those overhead lockers might be limited precisely above the emergency exits, so make sure that you board early if you need to stow a lot of stuff.

My best advice to both seasoned road warriors and nervous travel newbies is just to relax and go with it. Me, I'm going for a driving holiday. See you when I get back.

Photos by ANDRIK ↟ LANGFIELD ↟ PETRIDES, Tom Eversley, Ashim D’Silva and Bambi Corro on Unsplash

Check In and Chill Out

Or, How To Survive Travelling for Business During Holiday Time

I'm a member of a tribe, seasoned road warriors who spend far too much time in airports, as my wife can attest (sorry love). We recognise one another from our Tumi bags and purposeful stride through the frequent-flyer lane. As part of our survival strategy, we develop an intimate knowledge of how to get from one terminal to another at CDG with a minimum of stress, where to get edible food in LHR, and how long it will take to get to different gates in FRA. We know whether you should pick up duty-free in AMS or in JFK, and in which season you should avoid ORD. We breeze through security, everything neatly laid out in trays, with no wasted motion.

All of this hard-won knowledge works very well for ten months of the year, but at holiday times, our turf is invaded by hordes of people who are not as used to travel as we are, sand in the gears of our smooth progress through the Aerotropolis.

What is to be done

First of all, there is absolutely no point in getting stressed out. Planning is key, and even so, SNAFUs will happen. Yeah, plan for those too.

Part of the preparation process starts before you even leave home. Choose the right bag, and pack it right.

Arriving at the Airport

Once at the airport, the thing to remember is that at this time of year, there are simply more people than usual in airports who are not used to flying. Inevitably, this causes delays - both at security checkpoints, and everywhere else, as they wander around indecisively, or suddenly realise that they need to be somewhere else. All this means is that the rest of us just have to be that much more prepared, including by simply leaving ourselves more time.

Getting frustrated at people who hold up the security checks because they have liquids in their carry-ons or whatever won't get you through any faster. This happened just in front of me at security in MXP earlier this week, when the guy in front of me started berating the guy in front of him on his third trip through the metal detectors. Of course the tirade didn't help at all; it just got everybody on edge before their journeys had even properly begun. And yes, this was the priority lane; at this time of year, it's no defence, because infrequent travellers with business-class tickets are mixed in with the frequent flyers with their loyalty cards. In fact, many airports allow passengers to purchase Fast Track passage separately from their ticket [1].

Instead of getting stressed out at the Muggles in our midst, see if you can smooth things along, perhaps by giving directions, or helping parents (whose hands are always full by definition) with their luggage. Sure, nobody likes a screaming baby on their flight - but guess what is most likely to set the baby off? Seeing Mummy or Daddy all stressed out. Send some good vibes their way - and hey, if it doesn't work, that's what noise-cancelling headphones are for.

Air Side

If you don't have lounge access, or your airline or alliance doesn't have a lounge where you are, bear in mind that terminals are very busy at this time of year, so don't assume you will be able to find somewhere to sit - let alone charge devices. Charge everything before you leave, and carry extra batteries. If you have the luggage space, a spare shirt & change of underwear is probably not a bad idea either, just in case you end up delayed or rerouted unexpectedly.

Finally, passport control is (even more of) a nightmare at this time of year, with long queues probable, especially in smaller regional airports. The holiday season represents a massive surge in numbers for airports that are often all but empty for the rest of the year, and because border checks are the one function that cannot be staffed up by students on work-experience or zero-hours contracts, they cannot easily flex capacity in response to increased passenger numbers.

Again, experience helps (know where to stand on the bus to be first through the passport check, fill in your landing card or whatever while still in the plane), and that frequent-flyer card may get you in the FastTrack lane here too, but ultimately, you just need to allow extra time. Catch up on the emails you missed while you were in the air, call your family back home and tell them you miss them, research dinner options in town, and simply wait your turn. There is nothing you can do to speed the line up, and any attempt will just stress you out.

Business travel is stressful enough without adding to the stress. Give yourself extra time when heading to the airport, finish listening to that podcast while you stand in line, go over your prep materials one more time while you wait to board. Check in and chill out.

Photos by Angelo Abear and Glen Noble on Unsplash

  1. Some airports even offer their own loyalty programmes, with perks including lounge and Fast Track access, as well as various discounts. The Milan airport system has a pretty decent programme, as do many others. Just the rewards from parking at the airport keep me in points for when I need them, for instance to get the whole family into the lounge when we travel as a unit. 

Sowing Bitter Seeds

The Internet is outraged by… well, a whole lot of things, as usual, but in particular by Apple. For once, however, the issue is not phones that are both unexciting and unavailable, lacking innovation and wilfully discarding convention, and also both over- and under-priced. No, this time the issue is apps, and in particular VPN apps.

Authoritarian regimes around the world (Russia, "Saudi" Arabia, China, North Korea, etc) have long sought to control their populations' access to information in general, and to the Internet in particular. Of course anyone with a modicum of technical savvy - or a friend, relative, or passing acquaintance willing to do the simple setup - can keep unfettered access to the Internet by going through a Virtual Private Network, or VPN.

A VPN does what it says on the tin: it creates a virtual network that connects directly with an endpoint somewhere else; importantly, somewhere outside the authoritarian regime's control. As such, VPNs have always existed in something of a grey area, but now China (the People's Republic, not that other China) has gone ahead and formally banned their use.

In turn, Apple have responded by removing unregistered VPN apps (which in practical terms means all of them) from their App Store in China. In the face of the Internet's predictable outrage, Apple provided this bald statement (via TechCrunch):

Earlier this year China’s MIIT announced that all developers offering VPNs must obtain a license from the government. We have been required to remove some VPN apps in China that do not meet the new regulations. These apps remain available in all other markets where they do business.

Now Apple do have a point; the law is indeed the law, and because they operate in China, they need to enforce it, just as they would with laws in any other country.

Here's the rub, though. By the regionalised way they have set up their App Store service, they have made themselves unnecessarily vulnerable to this sort of arm-twisting by unfriendly governments. Last time I wrote about geo-fencing and its consequences, the cause of the day was Russia demanding removal of the LinkedIn app, and China (them again!) demanding removal of the New York Times app. As I wrote at the time, companies like Apple originally set up the infrastructure for these geographic restrictions to enable IP protection, but the same tools are being repurposed for censorship:

This sort of restriction used to be "just" hostile to consumers. Now, it is turning into a weapon that authoritarian regimes can wield against Apple, Google, and whoever else. Nobody would allow Russia to ban LinkedIn around the world, or China to remove the New York Times app everywhere - but because dedicated App Stores exist for .ru and .cn, they are able to demand these bans as local exceptions, and even defend them as respecting local laws and sensibilities. If there were one worldwide App Store, this gambit would not work.

The argument against the infrastructure of laws and regulations that was put in place to enable (ineffective) IP restrictions was always that it could be, and would be, repurposed to enable repression by authoritarian regimes. People scoffed at these privacy concerns, saying "if you have nothing to hide, you have nothing to fear". But what if your government is the next to decide that reading the NYT or having a LinkedIn profile is against the law? How scared should you be then?

If you are designing a social network or other system with the expectation of widespread adoption, these days this has to be part of your threat model. Otherwise, one day the government may come knocking, demanding your user database for any reason or no reason at all - and what seemed like a good idea at the time will end up messing up a lot of people's lives.

Product designers by and large do not think of such things, as we saw when Amazon decided that it would be perfectly reasonable to give everyone in your address book access to your Alexa device - and make it so users could not turn off this feature without a telephone call to Amazon support.

How well do you think that would go down if you were a dissident, or just in the social circle of one?

Our instinctive attitude to data is to hoard them, but this instinct is obsolete, forged in a time when data were hard to gather, store, and access. It took something on the scale of the Stasi to build and maintain profiles on even six million citizens (out of a population of sixteen million), and the effort and expense was part of what broke the East German regime in the end. These days, it's trivial to build and access such a profile for pretty much anyone, so we need to change our thinking about data - how we gather them, and how we treat them once we have them.

Personal data are more akin to toxic waste, generated as a byproduct of valuable activity and needing to be stored with extreme care because of the dire consequences of any leaks. Luckily, data are different from toxic waste in one key respect: they can be deleted, or better, never gathered in the first place. The same goes for many other choices, such as restricting users to one particular geographical App Store, or making it easy to share your entire contact list (including by mistake), but very difficult to take that decision back.

What other design decisions are being made today based on obsolete assumptions that will come back to bite users in the future?

UPDATE: And there we go, now Russia is following China’s example and banning VPNs as well. The idea of a technical fix to social and legal problems is always a short-term illusion.

Image by Sean DuBois via Unsplash

The Middle Cannot Hold

In light of Amazon's latest moves - first the acquisition of Whole Foods, and now a cooperation with Sears - the stock market is trying to work out what will be the next area of retail to be hit.

Here's a sample of the latest Finimize newsletter:

Investors should be asking, who’s next in Amazon’s line of fire?
One of the biggest threats is likely to come from Amazon making more of its own-label products. For example, why would people pay a premium for toothpaste or soap if Amazon basics are cheaper and arrive at our front door on the same day? Procter & Gamble and other consumer goods giants could experience serious upheaval to their business models. Similarly, apparel companies are threatened: Amazon’s own-label clothing sales grew 25% last year, far outstripping the industry’s 3% growth. Do you care if your downward dog is performed in Amazon yoga pants rather than ? Perhaps not.

This analysis is not wrong, but is incomplete. Amazon will indeed take over a large chunk of the bottom end of the market, which is almost undifferentiated. The top end will be largely unaffected, as it is driven by completely different mechanisms.

The vulnerable actors are the ones in the middle of the market, who offered neither exceptionally high quality, nor particularly low prices. Historically, these brands succeeded by controlling distribution, especially outside major population centres.

Once an alternative becomes available that offers lower prices for equivalent quality (or the perception thereof), those middle-of-the-road brands and distribution outlets get squeezed hard.

I have noticed this over the last few years on the ski slopes, where a number of relatively undifferentiated brands have disappeared under a rising tide of previously unknown logos. All of these - Wed'ze, Quechua, and the like - are the house brands of Decathlon, the French sports superstore.

This is the Amazon Basics formula: good quality, and very reasonable prices. What Decathlon adds to the mix is that the designs are usually attractive, if somewhat non-descript, and that the clothes are available to try on in their vast network of retail outlets.

That last factor is key: to conserve differentiation and therefore ability to compete against a determined behemoth like Amazon, offer something they don't. Even buying something as simple as a T-shirt online is a fraught experience, with the differences between European and US sizing. I can't imagine shopping online for anything more complicated, like a shirt or a suit. On the other hand, I buy stuff from Decathlon every season because I can check it out in store, try it on, feel the material.

The same goes for Zara, part of the giant Inditex group, which benefits from a joined-up online/offline strategy. Customers can try on clothes in store, but if the precise colour and size combination is not available, they can order it online through Zara's own retail site. Another factor that might cause shoppers to hesitate before making an online purchase is returns. The cost of shipping can outweigh the cost of the item, and in any case requires shoppers to deal with packaging and labelling, before taking the item to an out-of-town shipper. Zara on the other hand allows online shoppers to manage exchanges or returns in-store, thereby further monetising their investment in real estate even for online-first shoppers.

Of course not every operator has to take this route - which is good, because by definition there is not much room at this end of the market, where margins are razor-thin.

For anything I care deeply about, I shop from named brands that I have built up trust with - the likes of Level or Hestra for gloves, Under Armour for mid-layers, Burton or Arc'teryx for outerwear, and so on. These are fairly big-ticket items, certainly in proportion to the base layers I pick up by the three-pack at Decathlon, so I shop around and get all picky about them.

Part of what I buy into is of course the experience. Going into a North Face store, you feel like you are participating in strenuous and exciting activities, even if all you are doing is bumbling about in-bounds trying to get your kids to graduate from their preferred "Snowplow Everywhere!!!" technique. Neither Amazon nor Decathlon can offer this, but then again, they have staked out the price-sensitive end of the market.

There is not much room in the middle any more, especially when you consider that consumers are quite happy to cross back and forth, wearing base layers from no-name brands under much more expensive outer layers. On the other hand, it's not a foregone conclusion that Amazon will own everything below the top of the market. Price-focused outlets still have a role to play, if they capitalise on their strengths.

As with most aspects of the digital revolution, it's the middlemen that are in trouble. The trick is to have a unique value proposition and stick to it. Operators whose only proposition was ubiquity and convenience cannot match the actual ubiquity and convenience of web-scale operators.

Coming full circle, groceries will experience a similar transition over time. Amazon is good at undifferentiated goods - which is why they started out with books: a book is the same regardless of when and where it is bought. I fully expect them to take over a big chunk of the market for packaged goods. On the other hand, there will always be a need to pick out fruit and groceries in person, to feel whether this avocado is ripe to make guacamole tonight or whether that bunch of bananas is green enough to last out the week. By combining online scale with Whole Foods' local presence, Amazon is going for the Zara play: check out a few products locally, buy many products online, and have both parts of the experience supported by the same seamless massive back-end.

Anyone wanting to compete with Amazon should choose their terrain very carefully indeed. After all, your margin is their opportunity.

This Is Where We Are, July 2017 Edition

A quick review of the status of the Big Three[1] social networks as of right now.

It seems Facebook is testing ads in Messenger now, which is an incredibly wrong-headed idea:

Messenger isn’t really a “free time” experience the way Facebook proper is — you use the former with purpose, the latter idly. Advertisements must cater to that, just like anywhere else in the world: you don’t see the same ads on subway walls (where you have to sit and stare) as on billboards (where you have two or three seconds max and your attention is elsewhere).

I always hated Messenger anyway, just out of reflex because they had felt the need to split it off into a separate app. In fact, I kept using Paper until Facebook finally broke it, in no small part because it kept everything together in one app. It also looked good, as opposed to the hot mess of FB’s default apps.

Between that and the “Moments” rubbish junking up the top of every one of the FB apps, I am actively discouraged from using them. At this point I pretty much only open FB if I have a notification from there.

Meanwhile, Twitter is continuing on its slow death spiral. It is finally becoming what it was always described as: a “micro-blogging” platform. People write 100-tweet threads instead of just one blog post, and this is so prevalent that there are tools out there that will go and assemble these threads in one place for ease of reading.

It’s got to the point that I read Twitter (and a ton of blogs via RSS, because I’m old-school that way), but most of my actual interaction these days is via LinkedIn. I even had a post go viral over there - 7000-odd views and more than a hundred likes, at time of writing.

So this is where we are, right now in July 2017: Twitter for ephemeral narcissism, Facebook for interacting with (or avoiding) the same people you deal with day to day, and LinkedIn for actually getting things done.

See you out there.

Photo by Osman Rana on Unsplash

  1. I don’t Instagram, I’m too old for Tumblr, and - oh sorry Snapchat, didn’t see you down there

Not Biting My Tongue

I spend a lot of time explaining enterprise buyers and vendors. There are often perfectly good reasons for doing something in a way that is now considered old-fashioned or uncool. Especially for vendors, the argument of "people still buy X! for money!" is a powerful incentive to continue making X.

Where things go wrong is when stodgy enterprise vendors put on their dad-jeans and go down to the skate park.

Case in point: BMC trying to jump on the AIOps bandwagon. The whole thing is a pretty spectacular case study in missing the point, but I think this paragraph is the nadir:

As mentioned above, AIOps platforms should encompass the IT disciplines of Performance Management, Service Management, Automation, and Process Improvement, along with technologies such as monitoring, service desk, capacity management, cloud computing, SaaS, mobility, IoT and more.

If you’re not familiar with AIOps, it’s a model that Gartner came up with (paid link, unless you’re a Gartner subscriber) to describe some shifts in the IT operations market. The old category of ITOA had been broadened to the point that it was effectively meaningless, and AIOps recognises a new approach to the topic.

The first thing to know about AIOps is that the “AI” bit does not stand for Artificial Intelligence. This is somewhat surprising these days, when everyone and their dog claims AI, Machine Learning, or other poorly-understood snake-oil! Anyway, AIOps actually stands for Algorithmic IT Operations. AIOps solutions sit at the intersection of monitoring, service desk, and automation. The idea is that they ingest monitoring data, apply algorithms to help operators find valuable needles in the haystack of alerts, sync with service desk systems to plug in to existing processes, and trigger automated diagnostic and resolution activities.

So far so good - but here’s why it’s so laughable for BMC to claim AIOps.

BMC’s whole model is BSM - Business Service Management. Where the centre of AIOps is the algorithms, the centre of BSM is the CMDB.

The model for applying BSM goes something like this:

  1. Fully populate CMDB: define service models & document infrastructure
  2. When an alert comes in, determine which infrastructure element it came from, then walk the service model to determine what the cause and effect are
  3. Create a ticket in the ITSM suite to track resolution

Note the hidden assumptions, even in this grossly over-simplified version:

  1. The CMDB can be fully populated given finite time and effort
  2. All alerts relate to known elements, and all elements have known dependencies
  3. Every failure has one cause and falls within one group’s area of responsibility

In today’s IT, precisely none of these assumptions hold true. No matter how much effort and how many auto-discovery tools are thrown at the task, the CMDB will always be a snapshot in time[1]. Jorge Luis Borges famously documented the logical endpoint of this progression:

... In that Empire, the Art of Cartography attained such Perfection that the map of a single Province occupied the entirety of a City, and the map of the Empire, the entirety of a Province. In time, those Unconscionable Maps no longer satisfied, and the Cartographers Guilds struck a Map of the Empire whose size was that of the Empire, and which coincided point for point with it. The following Generations, who were not so fond of the Study of Cartography as their Forebears had been, saw that that vast map was Useless, and not without some Pitilessness was it, that they delivered it up to the Inclemencies of Sun and Winters. In the Deserts of the West, still today, there are Tattered Ruins of that Map, inhabited by Animals and Beggars; in all the Land there is no other Relic of the Disciplines of Geography.

purportedly from Suárez Miranda, Travels of Prudent Men, Book Four, Ch. XLV, Lérida, 1658

There is also a timing factor: what happens if an alert comes in between a change occurring and being documented? Another question is, what happens if operators simply don’t have visibility into part of the infrastructure - say, managed hosting, or outside telco networks? And finally, the big one: what if there is no one root cause? Modern architectures are sufficiently robust and resilient that it’s quite rare for any one macro-event to take them out. What gets you is usually a combination of a number of smaller issues, all occurring together in some unforeseen way.

The whole architecture of BSM is built around assumptions that are less and less true. This is not to say that individual products within that suite don’t have value, but the old BSM model is no longer fit for purpose. The result is an example of “shipping the org chart”: the CMDB is at the core and Remedy is the interface, because that is what the organisation demands. However, you can’t just drape AIOps over the old suite and call it good! Radical changes are required, not weak attempts to shoe-horn existing “IT disciplines” into the new mold.

AIOps represents the algorithmic convergence of ITOM & ITSM. In contrast, if we consider the sequence of BSM, these are assumed to be different discrete steps in a sequential process. This is Waterfall thinking applied to IT Ops, where today’s IT infrastructures demand Agile thinking.

The most relevant question for users is, of course, “do I trust a legacy vendor to deliver a new model that is so radically different from what it has built its entire strategy around?”

The answer is simple, because it’s determined by the entire structure and market position of all the Big Four vendors. Like its peers, BMC makes its revenue in the old model of IT. As long as there is money to be made by doing the same things it has always done, there is enormous inertia to work against (the Innovator’s Dilemma in action). It takes an existential threat to disturb that sort of equilibrium. It was not until ServiceNow was seriously threatening the Remedy user base that BMC started to offer SaaS options and subscription pricing. It will take an equivalent upheaval in its business for any legacy vendor to adopt a radically new strategy like AIOps. These days, customers can’t wait for one vendor to see the writing on the wall; they need to move at the speed their customers require.

Much as I would like to believe that we have got BMC running scared, I don’t think that’s the case - so they will continue along their very profitable way. This is of course exactly how it should be! If they were to jump on every new bandwagon, their shareholders would be rightly furious. They absolutely should focus on doing what they do well.

But that does not include doing AIOps. If you’re a practitioner looking at this, I hope it’s obvious who you want to go with: the people creating the new model and who are steeped in what is required to deliver and adopt it - or the ones who see a keyword trending on Google, and write a quick ambulance-chasing blog post - or claim that Remedy is a key part of AIOps.

  1. Which is why BMC’s own automation products have their separate real-time operational data stores, which sync with the CMDB on a schedule. 

Biting My Tongue

So I'm working with a prospect in the fashion and luxury goods area. We've been doing a Proof of Value for the last few weeks, and we're now at the point of presenting the results.

So I built this slide deck as if it were a fashion collaboration, "Moogsoft X $PROSPECT_NAME", "Spring-Summer 2017", and so on. I'm super proud of it - not just the conceit, but also the results we have been able to provide for very little effort - but I'm also kind of bummed that I can never show it to anyone outside the company.

This prospect does not want its name used anywhere, so even if - I mean, when we close the deal, they will only ever appear anywhere as "fashion & luxury goods house".

This is not the first time this has happened to me. At a previous startup, we sold to, umm, let’s call them a certain automotive manufacturer and motorsports team based near Modena. While negotiating the price, the customer asked for "a last effort" in terms of discounting. In exchange, we asked for them to provide us with an official reference. After consulting with their brand marketing people, it turned out that the fee for use of their trademark would have been nearly twice the total value of the software deal… We respectfully declined their kind offer.

After all, the main thing is to do the deal and provide value; even if we can't get the logo on our site, it's still a win.

My only remaining problem (beyond actually getting the deal over the line) is that my wife wants me to be paid for this current opportunity in handbags, while the Moogsoft colleague who helped me out wants her share in eau de toilette…