Tag Archives: business

Product management and organization

I had to better understand the concepts, roles and duties related to Product management and Product marketing management in software companies, why are needed, which are the differences and how they fit inside an organization structure.

Most person i know never interested into this specific area of work, but when you want to be a product company (and not a consulting or solution company), you start having different products on different platforms for different target customers sold trough different channels with different pricing with a installation/different delivery process and that complexity must be managed in the proper way.

You realize that in order to let the product company grow in the right direction you need to organize product management activities formally, not closing your mind in rigid organization roles such as Marketing, Sales, R&D.

When we speak about Product Management i recommend the reading of the illuminating The strategic role of Product Management (How a market-driven focus leads companies to build products people want to buy) that clarify a lot of things, even if it outlook net separation of roles in product management, something that’s too heavy for a small company like a startup.

Still it provide a differentiation of duties between Product Management and Product Marketing.

A good understanding of the product management related to startup is given in the article Creating Product Management at Startup showing up different case related to the roles of the product visionary into the company.

It introduce the terms ceo of the product in the sense that the product management duties jump around into the various organization function by providing focus and effort where it’s needed, independently from the fact that the internal function requiring more effort is Development, Marketing, Sales or Communication. That’s means practically enhancing the product vision as it’s needed across all major product-related functions making the vision corporate-wide coherent.

A good representation of product management and product marketing activities is well described with the differentiation of between Strategical, Technical and Marketing sector and is not clearly separated between Management, Marketing(and Sales) and R&D :

Triad.jpg

I read that product manager background and knowledge are different depending on the company focus (where does product management belong in the organization?):

  • B2C -> Marketing experience
  • B2B -> Technical experience

An illuminating (for me) and very important differentiation regarding product management duties is the differentiation between:

  • Product Management
  • Product Marketing

The specific duties belonging to Product Marketing vs Management are greatly explained in Role Definitions For Product Management and Product Marketing that i suggest to read, letting you to better define tasks and responsibilities across your organization. It also provide a good definition of job requirements if you need to look for that figure!

At the same time it’s important to understand what’s NOT product management, effectively Product management is not just feature prioritization.

At the same time it’s important to understand which professional figure is NOT itself a product manager:

  • Product manager is not a marketing manager – while product management is usually seen as a marketing discipline, marketers are focused on the marketing plan and are usually not driving the overall product direction. In that context could however be found Product marketing manager that’s the arms of the marketing of the product, especially in small organization.
  • Product manager is not a sales manager – sales manager are about finding out how to sell a product, following which sales methodology, technique and channels and they could drive the company from a market oriented company (product) to a customer oriented company (solution and consulting)
  • Product manager is not a developer – Developers are focused on the technology and not the overall product. Some great product managers are former developers, but it is difficult to do both at once. There is a natural tension between developers and product managers that should be maintained to create a balanced product.
  • Product manager is not a software manager – the software manager is a functional manager and usually not focused on the product or the customers.
  • Product manager is not a project manager – project managers are about how and when, while the product manager is about what. Project managers work closely with product managers to ensure successful completion of different phases in the product life cycle.

The typical product management activities could be in extreme synthesis summarized as follow:

  • Strategy: Planning a product strategy
  • Technical: leading product developments
  • Marketing: providing product and technical content
  • Sales: provide pre sales support and work effectively with sales

Product management so it’s not precisely development, is not precisely marketing, it’s not precisely sales, so typically it’s difficult to identify “where it should stay” inside the organization structure (it’s even difficult to understand that’s needed)?

The Silicon Valley Product Group provide a nice insight on Product Organization Structure by pointing out which are the advantages and risks of several choices. Still the Cranky Product Manager say that It doesn’t matter where the product manager live in the organization.

It’s relevant to be careful not to have persons that are too much technical or too much sales oriented in order to fill the gap among different organization. Too much fragmentation of assigned duties across the organization may lead to bureaucracy, too much duties on one person may lead to ineffective implementation of needed tasks in some area and to a internal competition perception respect to the traditional roles.

Check there a very nice Resume of a professional with practical experience in product management (it’s an half techie/half marketing guys).

Ah! Another very common misunderstanding is to confuse marketing with communication where a i found a so good definition of Marketing that i really like and understand for strict relationship with Product Management:

Marketing is know the market so well that the product sell itself

But what happen when you don’t handle a product management and product marketing management process in a defined way?

A nice story is shown as example in The strategic role of Product Management :

Your founder, a brilliant technician, started the company years ago when he quit his day job to market his idea full time. He created a product that he just knew other people needed. And he was right. Pretty soon he delivered enough of the product and hired his best friend from college as VP of Sales. And the company grew. But before long, the VP of Sales complained, “We’re an engineering-led company. We need to become customer-driven.” And that sounded fine. Except… every new contract seemed to require custom work. You signed a dozen clients in a dozen market segments and the latest customer’s voice always dominated the product plans. You concluded that “customer-driven” meant “driven by the latest customer” and that couldn’t be right.

If you want to be a product company it’s relevant to precisely follow a strategy driven by product marketing and management and not by sales.

Confusion between duties of product management/marketing and sales could lead to unsuccessful product company that are not able to proceed within their strategy, simply because they getting opportunities that drive the business out-of-scope.

A product company must invest in it’s own product development and marketing in order to let sales activity stay focused and guarantee that the organization is every day more effective on the market.

After this reading, my understanding is that it’s relevant to identify how to create a set of flexible business process on how to handle various product management and product marketing duties separating them from sales.

Snake-oil security claims on crypto security product

Security market grow, more companies goes to the market, but how many of them are taking seriously what they do?

You know, doing security technology mean that you are personally responsible for the protection of the user’s information. You must make them aware of what they need, exactly what your are doing and which kind of threat model your product protect.

A typical problem of product’s security features is represented by the inability of the user to evaluate the security claims of the product itself.

So there’s a lot companies doing a not-so-ethical marketing of security features, based on the facts that no user will be able to evaluate it.

The previously explained situation reside in the security topic of Snake Oil Encryption, an evolution in the scientific cryptographic environment that let us today use best of breed information protection technologies without having to worry too much about backdoors or insecurities.

Let’s speak about Snake Oil Encryption

Snake Oil Cryptography : In cryptography, snake oil is a term used to describe commercial cryptographic methods and products which are considered bogus or fraudulent. Distinguishing secure cryptography from insecure cryptography can be difficult from the viewpoint of a user. Many cryptographers, such as Bruce Schneier and Phil Zimmermann, undertake to educate the public in how secure cryptography is done, as well as highlighting the misleading marketing of some cryptographic products.

The most referenced crypto security guru, Philip Zimmermann and Bruce Schneier, was the 1st to talk about Snake Oil Encryption:

Snake Oil by Philip Zimmermann

Snake Oil by Bruce Schneier

The Michigan Telecommunications and Technology Law Review also made a very good analysis related to the Security Features of Security Products, SNAKE-OIL SECURITY CLAIMS” THE SYSTEMATIC MISREPRESENTATION OF PRODUCT SECURITY . They explain about the nasty marketing tricks used to tweak users inability to evaluate the security features, including economic and legal responsibility implication.

Several snake oil security product companies does not explain and are not clear about the threat model to which the product apply. Very famous is the sentence of Russ Nelson:

“Remember, crypto without a threat model is like cookies without milk. ….. Cryptography without a threat model is like motherhood without apple pie. Can’t say that enough times. More generally, security without a threat model is by definition going to fail.”

So, how to spot snake oil security products?

Check a guideline of to spot Snake Oil Encryption Products: Snake Oil Warning Signs, Encryption Software to Avoid by Matt Curtin .

You can see this very good Cryptographic Snake Oil Examples by Emility Ratliff (IBM Architect at Linux Security), that tried to make clear example on how to spot Cryptographic Snake Oil.

Here represented the basic guideline from Matt Curtin paper:


By checking that points it’s possible to evaluate how serious an encryption technology or product is.

But all in all how to fix that unethical security approach?

It’s very significative and it would be really useful for each kind of security product category to make some strongly and independent evaluation guideline (like OSSTMM for Penetration testing) , to make this security evaluation process really in the hands of the user.

It would be also very nice to have someone making analysis and evaluation of security product companies, publishing reports about Snake Oil signs.

Blackberry Security and Encryption: Devil or Angel?

Blackberry have good and bad reputation regarding his security capability, depending from which angle you look at it.

This post it’s a summarized set of information to let the reader the get picture, without taking much a position as RIM and Blackberry can be considered, depending on the point of view, an extremely secure platform or an extremely dangerous one .

bblock.jpg

Let’s goes on.

On one side Blackberry it’s a platform plenty of encryption features, security features everywhere, device encrypted (with custom crypto), communication encrypted (with custom proprietary protocols such as IPPP), very good Advanced Security Settings, Encryption framework from Certicom (now owned by RIM).

On the other side they does not provide only a device but an overlay access network, called BIS (Blackberry Internet Service), that’s a global worldwide wide area network where your blackberry enter while you browse or checkmail using blackberry.net AP.

When you, or an application, use the blackberry.net APN you are not just connecting to the internet with the carrier internet connection, but you are entering inside the RIM network that will proxy and act as a gateway to reach the internet.

The very same happen when you have a corporate use: Both the BB device and the corporate BES connect to the RIM network that act as a sort of vpn concentration network.

So basically all the communications cross trough RIM service infrastructure in encrypted format with a set proprietary encryption and communication protocols.

Just as a notice, think that google to provide gtalk over blackberry.net APN, made an agreement in order to offer service inside the BB network to the BB users. When you install gtalk you get added 3 service books that point to GTALKNA01 that’s the name of GTALK gateway inside the RIM network to allow intra-BIS communication and act as a GTALK gateway to the internet.

The mobile operators usually are not even allowed to inspect the traffic between the Blackberry device and the Blackberry Network.

So RIM and Blackberry are somehow unique for their approach as they provide a platform, a network and a service all bundled together and you cannot just “get the device and the software” but the user and the corporate are always bound and connected to the service network.

That’s good and that’s bad, because it means that RIM provide extremely good security features and capabilities to protect information, device and access to information at various level against third party.

But it’s always difficult to estimate the threat and risk related to RIM itself and who could make political pressure against RIM.

Please consider that i am not saying “RIM is looking at your data” but making an objective risk analysis: for how the platform is done RIM have authority on the device, on the information on-the-device and on the information that cross the network. (Read my Mobile Security Slides).

For example let’s consider the very same context for Nokia phones.

Once the Nokia device is sold, Nokia does not have authority on the device, nor on the information on-the-device nor on the information that cross the network. But it’s also true that Nokia just provide the device and does not provide the value added services such as the Enterprise integration (The RIM VPN tunnel), the BIS access network and all the local and remote security provisioned features that Blackberry provide.

So it’s a matter of considering the risk context in the proper way when choosing the platform, with an example very similar to choosing Microsoft Exchange Server (on your own service) or whether getting a SaaS service like Google Apps.

In both case you need to trust the provider, but in first example you need to trust Microsoft that does not put a backdoor on the software while in the 2nd example you need to trust Google, as a platform and service provider, that does not access your information.

So it’s a different paradigm to be evaluated depending on your threat model.

If your threat model let you consider RIM as a trusted third party service provider (much like google) than it’s ok. If you have a very high risk context, like top-secret one, then let’s consider and evaluate carefully whether it’s not better to keep the Blackberry services fully isolated from the device or use another system without interaction with manufacturer servers and services.

Now, let’s get back to some research and some facts about blackberry and blackberry security itself.

First of all several governments had to deal with RIM in order to force them to provide access to the information that cross their service networks while other decided to directly ban Blackberry usage for high officials because of servers located in UK and USA, while other decided to install their own backdoors.

There’s a lot of discussion when the topics are RIM Blackberry and Governments for various reasons.

Below a set of official Security related information on RIM blackberry platform:

And here a set of unofficial Security and Hacking related information on RIM Blackberry platform:

Because it’s 23.32 (GMT+1), i am tired, i think that this post will end up here.

I hope to have provided the reader a set of useful information and consideration to go more in depth in analyzing and considering the overall blackberry security (in the good and in the bad, it always depends on your threat model!).

Cheers

Fabio Pietrosanti (naif)

p.s. i am managing security technology development (voice encryption tech) on Blackberry platform, and i can tell you that from the development point of view it’s absolutely better than Nokia in terms of compatibility and speed of development, but use only RIMOS 5.0+ !

China Encryption Regulations

Hi all,

i found this very interesting paper on China Encryption Import/Export/Domestic Regulations done by Baker&Mckenzie in the US.

It’s strongly business and regulatory oriented giving a very well done view on how china regulations works and how it may behave in future.

Read here Decrypting China Encryption’s Regulations (form Bakernet website) .

Mobile Security talk at WHYMCA conference

I want to share some slides i used to talk about mobile security at whymca mobile conference in Milan.

Read here my slides on mobile security .

The slides provide a wide an in-depth overview of mobile security related matters, i should be doing some slidecast about it putting also audio. Maybe will do, maybe not, it depends on time that’s always a insufficient resource.

SecurStar GmbH Phonecrypt answers on the Infosecurityguard/Notrax case: absolutely unreasonable! :-)

UPDATE 20.04.2010: http://infosecurityguard.com has been disabled. Notrax identity became known to several guys in the voice security environments (cannot tell, but you can imagine, i was right!) and so our friends decided to trow away the website because of legal responsibility under UK and USA laws.

UPDATE: Nice summary of the whole story (i know, it’s long and complicated to read at 1st time) on SIPVicious VoIP security blog by Sandro Gauci.

Following my discoveries, Mr. Hafner, SecurStar chief exec, tried to ultimately defend their actions, citing absolutely unreasonable excuses to The Reg instead of publicly apologizing for what they have done: creating a fake independent security research to promote their PhoneCrypt product.

He tried to convince us that the person behind IP 217.7.213.59, used by the author of infosecurityguard.com and pointing to their office DSL line, was this hacker Notrax, using their anonymous surfing service and not one of their employees at their office:

“SecurStar chief exec Wilfried Hafner denied any contact with Notrax. Notrax, he said, must have been using his firm’s anonymous browsing service, SurfSolo, to produce the results reported by Pietrosanti”

Let’s reflect a moment on this sentence… Would really an hacker looking for anonymity spend 64 EUR to buy their anonymity surfing service called surfsolo instead of using the free and much more secure TOR (the onion router)?Then let’s reflect on this other piece of information:

  • The IP 217.7.213.59 is SecurStar GmbH’s office DSL line
  • On 217.7.213.59 they have installed their VoIP/Asterisk PBX and internet gateway
  • They promote their anonymous proxy service for “Anonymous p2p use” (http://www.securstar.com/products_ssolo.php). Who would let users do p2p from the office dsl line where they have installed their corporate VoIP PBX ? If you do VoIP you can’t let third party flood your line w/ p2p traffic, your phone calls would became obviously unreliable (yes, yes, you can do QoS, but you would not place an anonymous navigation proxy on your company office DSL line…).
  • Which company providing an anonymous navigation service would ever use their own office IP address? Just think how many times you would have the police knocking at your door and your employees as the prime suspects. (In past i used to run a TOR node, i know the risks…). Also think how many times you would find yourself blacklisted on google as a spyware bot.
  • Mr. Hafner also says “We have two million people using this product. Or he may have been an old customer of ours”. 2M users on a DSL line, really?
  • I don’t use Surfsolo service, however their proxies are probably these ones:

surfsolo.securstar.net – 67.225.141.74

surfsolo.securstar.com – 69.16.211.133

Frankly speaking I can easily understand that Mr. Hafner is going do whatever he can to protect his company from the scandal, but the “anonymous proxy” excuse is at the very least suspicious.

How does the fact that the “independent research” was semantically a product review of PhoneCrypt, along with the discovery that the author come from the SecurStar GmbH IP address offices, along with the anonymity of this Notrax guy (SecurStar calls him a “well known it security professional” in their press release..) sound to you?

It’s possible that earth will get an attack from outer space that’s going to destroy our life?

Statistically extremely difficult, but yes, possible. More or less like the “anonymous proxy” story told by Mr. Hafner to cover the fact that they are the ones behind the infosecurityguard.com fake “independent security review”.

Hey, I don’t need anything else to convince myself or to let the smart person have his own thoughts on this.

I just think that the best way for SecurStar to get out of this mess would probably be to provide public excuses to the hacking community for abusing the name and reputation of real independent security researches, for the sake of a marketing stunt.

Regards,

Fabio Pietrosanti

p.s. I am currently waiting for some other infos that will more precisely confirm that what Mr. Hafner is saying is not properly true. Stay tuned.

Evidence that infosecurityguard.com/notrax is SecurStar GmbH Phonecrypt – A fake independent research on voice crypto

Below evidence that the security review made by an anonymous hacker on http://infosecurityguard.com is in facts a dishonest marketing plan by the SecurStar GmbH to promote their voice crypto product.

I already wrote about that voice crypto analysis that appeared to me very suspicious.

Now it’s confirmed, it’s a fake independent hacker security research by SecurStar GmbH, its just a marketing trick!

How do we know that Infosecurityguard.com, the fake independent security research, is a marketing trick from SecurStar GmbH?

1) I posted on http://infosecurityguard.com a comments to a post with a link to my blog to that article on israelian ministry of defense certification

2) The author of http://infosecurityguard.com went to approve the comment and read the link on my own blog http://infosecurity.ch

3) Reaching my blog he leaked the IP address from which he was coming 217.7.213.59 (where i just clicked on from wordpress statistic interface)

4) On http://217.7.213.59/panel there is the IP PBX interface of the SecurStar GmbH corporate PBX (openly reachable trough the internet!)

5) The names of the internal PBX confirm 100% that it’s the SecurStar GmbH:

6) There is 100% evidence that the anonymous hacker of http://infosecurityguard.com is from SecurStar GmbH

Below the data and reference that let us discover that it’s all but a dishonest marketing tips and not an independent security research.

Kudos to Matteo Flora for it’s support and for his article in Debunking Infosecurityguard identity !

The http referral tricks

When you read a link going from a website to another one there is an HTTP protocol header, the “Referral”, that tell you from which page someone is going to another webpage.

The referral demonstrated that the authors of http://infosecurityguard.com read my post, because it was coming from http://infosecurityguard.com/wp-admin/edit-comments.php that’s the webpage you use as a wordpress author/editor to approve/refuse comments. And here there was the link.

That’s the log entry:

217.7.213.59 – – [30/Jan/2010:02:56:37 -0700] “GET /20100129/licensed-by-israel-ministry-of-defense-how-things-really-works/ HTTP/1.0” 200 5795 “http://infosecurityguard.com/wp-admin/edit-comments.php” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)”

The PBX open on the internet tell us that’s SecurStar GmbH

The SecurStar GmbH PBX is open on the internet, it contains all the names of their employee and confirm us that the author of http:/infosecurityguard.com is that company and is the anonymous hacker called Notrax.

Here there is their forum post where the SecurStar GmbH guys are debugging IPCOPfirewall & Asterisk together (so we see also details of what they use) where there is the ip 217.7.213.59 .

SecurStarproof.png

That’s also really fun!

They sell secure telephony but their company telephony system is openly vulnerable on the internet. :-)

I was thinking to call the CEO, Hafner, via SIP on his internal desktop PBX to announce we discovered him tricks.. :->

They measured their marketing activity

Looking at the logs of my website i found that they was sensing the google distribution of information for the following keywords, in order to understand how effectively they was able to attack competing products. It’s reasonable, if you invest money in a marketing campaign you want to see the results :-)

They reached my blog and i logged their search:

infosecurityguard+cryptophone

infosecurityguard+gold-lock

217.7.213.59 – – [30/Jan/2010:02:22:42 -0700] “GET / HTTP/1.0” 200 31057 “http://www.google.de/search?sourceid=navclient&ie=UTF-8&rlz=1T4SKPB_enDE350DE350&q=infosecurityguard+cryptophone” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)”

217.7.213.59 – – [30/Jan/2010:04:15:07 -0700] “GET /20100130/about-the-voice-encryption-analysis-phonecrypt-can-be-intercepted-serious-security-evaluation-criteria/ HTTP/1.0” 200 15774 “http://www.google.de/search?sourceid=navclient&ie=UTF-8&rlz=1T4SKPB_enDE350DE350&q=gold-lock+infosecurityguard” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)”


The domain registration data
The domain have been registered on 1st December 2009, just two months to start preparing the dishonest marketing campaign:  

Domain Name: INFOSECURITYGUARD.COM

Registrar: GODADDY.COM, INC.   

Updated Date: 01-dec-2009

Creation Date: 01-dec-2009

The domain is anonymously privacy protected trough a whois privacy service:

Administrative Contact: Private, Registration INFOSECURITYGUARD.COM@domainsbyproxy.com , Domains by Proxy, Inc. DomainsByProxy.com

Notrax hacker does not exist on google
As you know any hacker that get public usually have presence of it’s activity on google, attending mailinglists, forum, homepage, past research, participation to conferences, etc, etc.
The fake hacker that they wanted us to to think was writing an independent blog does NOT have any trace on google. Only some hit about an anonymous browser called Notrax but nothing about that hacker.
Maybe when SecurStar provided the anonymity tool to their marketing agency, to help them protecting anonymity for the fake research, their provided them the anonymous browser notrax.So the marketing guy thinking about the nickname of this fake hackers used what? Notrax! :-)

The “independent review”completely oriented in publicizing PhoneCrypt

Of the various review don the phonecrypt review is only positive and amazing good feedback, while the other are only bad feedback and no single good point.

As you can imagine, in any kind of independent product evaluation, for all products there are goods and bad points. No. In this one there are only product that are good and product that are bad.

They missed to consider the security of the technology used by the products

They completely avoided to speak about cryptography and security of the products.

They do not evaluated basic security features that must be in that kind of products.That’s in order not to let anyone see that they did not followed basic security rules in building up their PhoneCrypt.
The technology is closed source, no transparency on algorithms and protocols, no peer review.Read my new comparison (from the basic cryptographic requirement point of view) About the voice encryption analysis (criteria, errors and different results) .
The results are somehow different than their one .

UPDATE: Who’s Wilfried Hafner (SecurStar founder) ?

I got a notice from a reader regarding Wilfred Hafner, SecurStar founder, CEO and security expert.

He was arrested in 1997 for telephony related fraud (check 2nd article on Phrack) earning from telephony fraud 254.000 USD causing damages to local telcos trough blueboxing for 1.15 Million USD.

He was not doing “Blueboxing” for the pleasure of phreaking and connecting with other hackers, but to earn money.

Hacking for profit (and not for fun) in 1997… brrr…. No hacker’s ethic at all!

All in all, is that lawful?

Badmouthing a competitor amounts to an unfair competition practice in most jurisdictions, so it is arguable (to say the least) that SecurStar is right on a legally sound ground here.
Moreover, there are some specific statutes in certain jurisdictions which provide for a straightforward ban on the practice we are talking about. For example in the UK the British Institute of Practitioners in Advertising  – in compliance with the Consumer protection from Unfair Trading regulation – ruled that:

”falsely claiming or creating the impression that the trader is not acting for the purposes relating to his trade, business, craft or profession, or falsely representing oneself as a consumer” is a criminal offense.

We have no doubt that PRPR  (which is the UK-based *PR company for SecurStar GmbH, led by Peter Rennison and Allie Andrews as stated in SecurStar Press Release) did provide their client with this information. Heck, they *are* in the UK, they simply cannot ignore that!

IANAL, but I would not be surpised if someone filed a criminal complaint or start civil litigation for unfair competition against SecurStar GmbH.
Whether this is going to be a matter for criminal and/or civil Courts or not is not that important. However, it is clear enough that SecurStar GmbH appears to be at least ethically questionable and not really worth of trust.

Nice try, gentlemen… however, next time just do it right (whether “right” for them means “in a honest manner” or “in a fashion not to be caught” I will let them choose)”

Fabio Pietrosanti (naif)

Dishonest security: The SecurStart GmbH Phonecrypt case

I would like to provide considerations on the concept of ethics that a security company should have respect to the users, the media and the security environment.

SecurStar GmbH made very bad things making that infosecuriguard.com fake independent research.

It’s unfair approach respect to hacking community.

It’s unfair marketing to end user. They should not be tricking by creating fake independent review.

It’s unfair competition in the security market.

Let’s make some more important consideration on this.

Must be serious on cryptographic products. They are not toys

When you do cryptographic tools you should be really aware of what you are doing, you must be really serious.

If you do bad crypto people could die.

If you don’t follow basic security rules for transparency and security for cryptography you are putting people life at risk.

You are taking the responsibility of this. (I want to sleep at night, don’t think SecurStar CEO/CTO care about this…)

Security research need reference and transparency

Security research have to be public, well done, always subject to public discussion and cooperation.
Security research should not be instrumentally used for marketing purpose.Security research should be done for awareness and grow of the knowledge of the worldwide security environment.

Hacking environment is neutral, should not be used instrumentally

Hackers are considered neutral, nerds, doing what they do for their pleasure and passion.

If you work in the security market you work with hackers.

If you use hackers and hacking environment for your own marketing purposes you are making something very nasty.

Hackers give you the technology and knowledge and you use them for your own commercial purpose.

Consideration on the authority of the information online

That’s something that pose serious consideration on the authority of information online.An anonymous hacker, with no reference online, made a product security review that appear like an independent one. I have to say that the fake review was very well prepared, it always posed good/bad things in an indirect way. It did not appeared to me at 1st time like a fake. But going deeply i found what’s going on.

However Journalists, news media and blogger went to the TRAP and reviewed their fake research. TheRegister, NetworkWorld and a lot of blogs reported it. Even if the author was completely anonymous.

What they have done is already illegal in UK

SecurStar GmbH is lucky that they are not in the UK, where doing this kind of things is illegal.

Fabio Pietrosanti (naif)

About the SecurStar GmbH Phonecrypt voice encryption analysis (criteria, errors and different results)

This article want to clarify and better explain the finding at infosecurityguard.com regaring voice encryption product evaluation.
This article want to tell you a different point of view other than infosecurityguard.com and explaining which are the rational with extensive explaination from security point of view.
Today i read news saying: “PhoneCrypt: Basic Vulnerability Found in 12 out of 15 Voice Encryption Products and went to read the website infosecurityguard.

Initially it appeared to my like a great research activity but then i started reading deeply the read about it.I found that it’s not properly a security research but there is are concrete elements that’s a marketing campaign well done in order to attract public media and publicize a product.
Imho they was able to cheat journalists and users because the marketing campaign was absolutely well done not to be discovered on 1st read attempt. I personally considered it like a valid one on 1st ready (they cheated me initially!).

But if you go deeply… you will understand that:
– it’s a camouflage marketing initiative arranged by SecurStar GmbH and not a independent security research
– they consider a only security context where local device has been compromised (no software can be secured in that case, like saying SSL can be compromised if you have a trojan!)
– they do not consider any basic security and cryptographic security criteria

However a lot of important website reported it:

This article is quite long, if you read it you will understand better what’s going on around infosecurityguard.com research and research result.

I want to to tell you why and how (imho) they are wrong.

The research missed to consider Security, Cryptography and Transparency!

Well, all this research sound much like being focused on the marketing goal to say that their PhoneCrypt product is the “super” product best of all the other ones.
Any security expert that would have as duty the “software evaluation” in order to protect the confidentiality of phone calls will evaluate other different characteristics of the product and the technology.

Yes, it’s true that most of the product described by SecurStar in their anonymous marketing website called http://infosecurityguard.com have some weakness.
But the relevant weakness are others and PhoneCrypt unfortunately, like most of the described products suffer from this.
Let’s review which characteristics are needed basic cryptography and security requirement (the best practice, the foundation and the basics!)

a – Security Trough Obscurity does not work

A basic rule in cryptography cames from 1883 by Auguste Kerckhoffs:

In a well-designed cryptographic system, only the key needs to be secret; there should be no secrecy in the algorithm.
Modern cryptographers have embraced this principle, calling anything else “security by obscurity.”
Read what Bruce Schneir, recognized expert and cryptographer in the world say about this
Any security expert will tell you that’s true. Even a novice university student will tell you that’s true. Simply because that’s the only way to do cryptography.
Almost all product described in the review by SecurStar GmbH, include PhoneCrypt, does not provide precise details about their cryptographic technologies.
Precise details are:
  • Detailed specification of cryptographic algorithm (that’s not just saying “we use AES“)
  • Detailed specification of cryptographic protocol (that’s not just saying “we use Diffie Hellman” )
  • Detailed specification of measuring the cryptographic strenght (that’s not just saying “we have 10000000 bit key size“)

Providing precise details means having extensive documentation with theoretical and practical implications documenting ANY single way of how the algorithm works, how the protocol works with precise specification to replicate it for interoperability testing.
It means that scientific community should be able to play with the technology, audit it, hack it.
If we don’t know anything about the cryptographic system in details, how can we know which are the weakness and strength points?

Mike Fratto, Site editor of Network Computing, made a great article on “Saying NO to proprietary cryptographic systems” .
Cerias Purdue University tell this.

b – NON peer reviewed and NON scientifically approved Cryptography does not work

In any case and in any condition you do cryptography you need to be sure that someone else will check, review, analyze, distruct and reconstract from scratch your technology and provide those information free to the public for open discussion.
That’s exactly how AES was born and like US National Institute of Standard make crypto does (with public contest with public peer review where only the best evaluated win).
A public discussion with a public contest where the a lot of review by most famous and expert cryptographer in the world, hackers (with their name,surname and face, not like Notrax) provide their contribution, tell what they thinks.
That’s called “peer review”.

If a cryptographic technology has an extended and important peer review, distributed in the world coming from universities, private security companies, military institutions, hackers and all coming from different part of the world (from USA to Europe to Russia to South America to Middle east to China) and all of them agree that a specific technology it’s secure…
Well, in that case we can consider the technology secure because a lot of entities with good reputation and authority coming from a lot of different place in the world have publicly reviewed, analyzed and confirmed that a technology it’s secure.

How a private company can even think to invent on it’s own a secure communication protocol when it’s scientifically stated that it’s not possible to do it in a “proprietary and closed way” ?
IBM tell you that peer review it’s required for cryptography.
Bruce Schneier tell you that “Good cryptographers know that nothing substitutes for extensive peer review and years of analysis.”
Philip Zimmermann will tell you to beware of Snake Oil where the story is: “Every software engineer fancies himself a cryptographer, which has led to the proliferation of really bad crypto software.”

c – Closed source cryptography does not work

As you know any kind of “serious” and with “good reputation” cryptographic technology is implemented in opensource.
There are usually multiple implementation of the same cryptographic algorithm and cryptographic protocol to be able to review all the way it works and certify the interoperability.
Supposing to use a standard with precise and extended details on “how it works”, that has been “peer reviewed” by the scientific community BUT that has been re-implemented from scratch by a not so smart programmer and the implementation it’s plenty of bugs.

Well, if the implementation is “opensource” this means that it can be reviewed, improved, tested, audited and the end user will certaintly have in it’s own had a piece of technology “that works safely” .

Google release opensource crypto toolkit
Mozilla release opensource crypto toolkit
Bruce Schneier tell you that Cryptography must be opensource.

Another cryptographic point of view

I don’t want to convince anyone but just provide facts related to science, related to cryptography and security in order to reduce the effect of misinformation done by security companies whose only goes is to sell you something and not to do something that make the world a better.

When you do secure products, if they are not done following the proper approach people could die.
It’s absolutely something irresponsible not to use best practice to do crypto stuff.

To summarize let’s review the infosecurityguard.com review from a security best pratice point of view.

Product name Security Trough Obscurity Public peer review Open Source Compromise locally?
Caspertec Obscurity No public review Closed Yes
CellCrypt Obscurity
No public review
Closed
Yes
Cryptophone Transparency Limited public review Public Yes
Gold-Lock Obscurity
No public review
Closed
Yes
Illix Obscurity
No public review
Closed
Yes
No1.BC Obscurity No public review
Closed
Yes
PhoneCrypt Obscurity
No public review
Closed
Yes
Rode&Swarz Obscurity
No public review
Closed
Yes
Secure-Voice Obscurity
No public review
Closed
Yes
SecuSmart Obscurity
No public review
Closed
Yes
SecVoice Obscurity
No public review
Closed
Yes
SegureGSM Obscurity
No public review
Closed
Yes
SnapCell Obscurity
No public review
Closed
Yes
Tripleton Obscurity
No public review
Closed
Yes
Zfone Transparency Public review
Open Yes
ZRTP Transparency Public review
Open Yes

*Green means that it match basic requirement for a cryptographic secure system

* Red / Broken means that it does not match basic requirement for a cryptographic secure system
That’s my analysis using a evaluation method based on cryptographic and security parameters not including the local compromise context that i consider useless.

However, to be clear, those are only basic parameters to be used when considering a voice encryption product (just to avoid being in a situation that appears like i am promoting other products). So it may absolutely possible that a product with good crypto (transparency, peer reviewed and opensource) is absolutely a not secure product because of whatever reason (badly written, not usable causing user not to use it and use cleartext calls, politically compromised, etc, etc).
I think i will prepare a broader criteria for voice crypto technologies and voice crypto products, so it would be much easier and much practical to have a full transparent set of criterias to evaluate it.

But those are really the basis of security to be matched for a good voice encryption system!
Read some useful past slides on security protocols used in voice encryption systems (2nd part).

Now read below some more practical doubt about their research.

The security concept of the review is misleading: any hacked device can be always intercepted!

I think that the guys completely missed the point: ANY KIND OF SOFTWARE RUNNING ON A COMPROMISED OPERATING SYSTEM CAN BE INTERCEPTED

Now they are pointing out that also Zfone from Philip Zimmermann is broken (a pc software), just because they install a trojan on a PC like in a mobile phone?
Any security software rely on the fact that the underlying operating system is somehow trusted and preserve the integrity of the environment where the software run.

  • If you have a disk encryption system but your PC if infected by a trojan, the computer is already compromised.
  • If you have a voice encryption system but your PC is infected by a trojan, the computer is already compromised.
  • If you have a voice encryption system but your mobile phone is infected by a trojan, the mobile phone is already compromised.

No matter which software you are running, in such case the security of your operating environment is compromised and in one way or another way all the information integrity and confidentiality is compromised.

Like i explained above how to intercept PhoneCrypt.

The only things that can protect you from this threat is running in a closed operating system with Trust Computing capability, implementing it properly.
For sure on any “Open” operating system such us Windows, Windows Mobile, Linux, iPhone or Android there’s no chance to really protect a software.
On difficult operating system such as Symbian OS or RimOS maybe the running software can be protected (at least partially)

That’s the reason for which the security concept that guys are leveraging to carry on their marketing campaign has no clue.
It’s just because they control the environment, they know Flexispy software and so they adjusted their software not to be interceptable when Flexispy is installed.
If you develop a trojan with the other techniques i described above you will 100% intercept PhoneCrypt.

On that subject also Dustin Tammel, Security researcher of BreakPoint Systems, pointed on on VoIP Security Alliance mailing lists that the security analysis is based on wrong concepts.

The PhoneCrypt can be intercepted: it’s just that they don’t wanted to tell you!

PhoneCrypt can be intercepted with “on device spyware”.
Why?
Because Windows Mobile is an unsecure operating environment and PhoneCrypt runs on Windows Mobile.
Windows Mobile does not use Trusted Computing and so any software can do anything.
The platform choice for a secure telephony system is important.
How?
I quickly discussed with some knowledgeable windows mobile hackers about 2 different way to intercept PhoneCrypt with an on-device spyware (given the unsecure Windows Mobile Platform).

a) Inject a malicious DLL into the software and intercept from within the Phonecrypt itself.
In Windows Mobile any software can be subject to DLL code injection.
What an attacker can do is to inject into the PhoneCrypt software (or any software running on the phone), hooking the Audio related functions acting as a “function proxy” between the PhoneCrypt and the real API to record/play audio.
It’s a matter of “hooking” only 2 functions, the one that record and the one that play audio.
Read the official Microsoft documentation on how to do DLL injection on Windows Mobile processes. or forum discussing the technique of injecting DLL on windows mobile processes.
That’s simple, any programmer will tell you to do so.
They simply decided that’s better not to make any notice about this.
b) Create a new audio driver that simply act as a proxy to the real one and intercept PhoneCrypt
In Windows Mobile you can create new Audio Drivers and new Audio Filters.
What an attacker can do is to load a new audio driver that does not do anything else than passing the real audio driver function TO/FROM the realone. In the meantime intercept everything recorded and everything played :-)
Here there is an example on how to do Audio driver for Windows Mobile .
Here a software that implement what i explain here for Windows “Virtual Audio Cable” .
The very same concept apply to Windows Mobile. Check the book “Mobile Malware Attack and Defense” at that link explaining techniques to play with those techniques.
They simply decided that’s better not to make any notice to that way of intercepting phone call on PhoneCrypt .
Those are just 2 quick ideas, more can be probably done.

Sounds much like a marketing activity – Not a security research.

I have to tell you. I analyzed the issue very carefully and on most aspects. All this things about the voice encryption analisys sounds to me like a marketing campaign of SecurStar GmbH to sell PhoneCrypt and gain reputation. A well articulated and well prepared campaign to attract the media saying, in an indirect way cheating the media, that PhoneCrypt is the only one secure. You see the press releases of SecurStar and of the “Security researcher Notrax telling that PhoneCrypt is the only secure product” . SecurStar PhoneCrypt is the only product the anonymous hacker “Notrax” consider secure of the “software solutions”.
The only “software version” in competition with:

SnapCell – No one can buy it. A security company that does not even had anymore a webpage. The company does not almost exist anymore.
rohde-schawarz – A company that have in his list price and old outdated hardware secure phone . No one would buy it, it’s not good for genera use.

Does it sounds strange that only those other products are considered secure along with PhoneCrypt .

Also… let’s check the kind of multimedia content in the different reviews available of Gold-Lock, Cellcrypt and Phonecrypt in order to understand how much the marketing guys pressed to make the PhoneCrypt review the most attractive:

Application Screenshots of application Video with demonstration of interception Network demonstration
PhoneCrypt 5 0 1
CellCrypt 0 2 0
GoldLock 1 2 0

It’s clear that PhoneCrypt is reviewed showing more features explicitly shown and major security features product description than the other.

Too much difference between them, should we suspect it’s a marketing tips?

But again other strange things analyzing the way it was done…
If it was “an impartial and neutral review” we should see good and bad things on all the products right?

Ok, see the table below regarding the opinion indicated in each paragraph of the different reviews available of Gold-Lock, CellCrypt and Phonecrypt (are the only available) to see if are positive or negative.

Application Number of paragraphs Positive paragraphs Negative paragraphs Neutral paragraphs
PhoneCrypt 9 9 0 0
CellCrypt 12 0 10 2
GoldLock 9 0 8 1

Detailed paragraphs opinion analysis of Phonecrypt
Paragraph of review Opinion expressed
From their website Positive Marketing feedback
Apple iPhone Positive Marketing feedback
Disk Encryption or voice Encryption Positive Marketing feedback
PBX Compatibility? Really Positive Marketing feedback
Cracking <10. Not. Positive Marketing feedback
Good thinking! Positive Marketing feedback
A little network action Positive Marketing feedback
UI Positive Marketing feedback
Good Taste Positive Marketing feedback
Detailed paragraphs opinion analysis of Gold-Lock 3G
Paragraph of review Opinion expressed
From their website Negative Marketing feedback
Licensed by The israeli Ministry of Denfese Negative Marketing feedback
Real Company or Part Time hobby Negative Marketing feedback
16.000 bit authentication Negative Marketing feedback
DH 256 Negative Marketing feedback
Downad & Installation! Neutral Marketing feedback
Cracking it <10 Negative Marketing feedback
Marketing BS101 Negative Marketing feedback
Cool video stuff Negative Marketing feedback
Detailed paragraphs opinion analysis of CellCrypt
Paragraph of review Opinion expressed
From their website Neutral Marketing feedback
A little background about cellcrypt Negative Marketing feedback
Master of Marketing Negative Marketing feedback
Secure Voice calling Negative Marketing feedback
Who’s buying their wares Negative Marketing feedback
Downad & Installation! Neutral Marketing feedback
My Demo environment Negative Marketing feedback
Did they forget some code Negative Marketing feedback
Cracking it <5 Negative Marketing feedback
Room Monitoring w/ FlexiSpy Negative Marketing feedback
Cellcrypt unique features.. Negative Marketing feedback
Plain old interception Negative Marketing feedback
The Haters out there Negative Marketing feedback

Now it’s clear that from their point of view on PhoneCrypt there is no single bad point while the other are always described in a negative way.
No single good point. Strange?
All those considerations along with the next ones really let me think that’s very probably a marketing review and not an independent review.

Other similar marketing attempt from SecurStar

SecurStar GmbH is known to have used in past marketing activity leveraging this kind of “technical speculations”, abusing of partial information and fake unconfirmed hacking stuff to make marketing/media coverage.
Imho a rare mix of unfairness in leveraging the difficult for people to really understand the complexity of security and cryptography.

They already used in past Marketing activities like the one about creating a trojan for Windows Mobile and saying that their software is secure from the trojan that they wrote.
Read about their marketing tricks of 2007

They developed a Trojan (RexSpy) for Windows Mobile, made a demonstration capability of the trojan and later on told that they included “Anti-Trojan” capability to their PhoneCrypt software.They never released informations on that trojan, not even proved that it exists.

The researcher Collin Mulliner told at that time that it sounds like a marketing tips (also because he was not able to get from SecurStar CEO Hafner any information about that trojan):

“This makes you wonder if this is just a marketing thing.”

Now, let’s try to make some logical reassignment.
It’s part of the way they do marketing, an very unfriendly and unpolite approach with customers, journalist and users trying to provide wrong security concepts for a market advantage. Being sure that who read don’t have all the skills to do in depth security evaluation and find the truth behind their marketing trips.

Who is the hacker notrax?

It sounds like a camouflage of a fake identity required to have an “independent hacker” that make an “independent review” that is more strong on reputation building.
Read about his bio:

¾ Human, ¼ Android (Well that would be cool at least.) I am just an enthusiast of pretty much anything that talks binary and if it has a RS232 port even better. During the day I masquerade as an engineer working on some pretty cool projects at times, but mostly I do the fun stuff at night. I have been thinking of starting an official blog for about 4.5 years to share some of the things I come across, can’t figure out, or just cross my mind. Due to my day job and my nighttime meddling, I will update this when I can. I hope some find it useful, if you don’t, well you don’t.

There are no information about this guy on google.
Almost any hacker that get public have articles online, post in mailing archive and/or forum or some result of their activity.
For notrax, nothing is available.

Additionally let’s look at the domain…
The domain infosecurityguard.com is privacy protected by domainsbyproxy to prevent understanding who is the owner.
The domain has been created 2 months ago on 01-Dec-09 on godaddy.com registrar.

What’s also very interesting to notice that this “unknown hacker with no trace on google about him that appeared on December 2009 on the net” is referred on SecurStar GmbH Press Release as a “An IT security expert”.

Maybe they “know personally” who’s this anonymous notrax? :)

Am i following my own conspiracy thinking or maybe there’s some reasonable doubt that everything was arrange in that funny way just for a marketing activity?

Social consideration

If you are a security company you job have also a social aspects, you should also work to make the world a better place (sure to make business but “not being evil”). You cannot cheat the skills of the end users in evaluating security making fake misleading information.

You should do awareness on end users, to make them more conscious of security issues, giving them the tools to understand and decide themselves.

Hope you had fun reading this article and you made your own consideration about this.

Fabio Pietrosanti (naif)

p.s. Those are my personal professional opinion, let’s speak about technology and security, not marketing.
p.p.s. i am not that smart in web writing, so sorry for how the text is formatted and how the flow of the article is unstructured!

Index of economic freedom

When looking at facts and figures about globalized world, the index of economic freedom is a nice tool to make proper considerations.

Military contractors going commercial

Most military contractors are suffering from the restriction of government’s budgets for military expenses and are moving into commercial markets, still they have to adjust a lot of things.

Read here a nice analysis from rochtel on how military contractors should adapt their strategy.

Iphone jailbreaking crashing towers? FUD!

It’s interesting to read a news about an anti-jailbreaking statement by apple that say that with jailbreaked phones it may be possible to crash mobile operator’s towers:

By tinkering with this code, “a local or international hacker could potentially initiate commands (such as a denial of service attack) that could crash the tower software, rendering the tower entirely inoperable to process calls or transmit data,”

So fun, as the Baseband Processor interface of iPhone is precisely the same of Google android and all Windows Mobile powered devices:

Basically the operating system use AT commands (do you remember old hayes modem commands?) with additional parameters documented and standardized by 3GPP that let more deep (but not that much deep) interaction with the mobile networks.

Please note that those AT commands are standard and widely available on all phones and are the interface to the Baseband Processor.

On iPhone that’s the list of commands that an from apple point of view could let “a international hacker to crash the tower software” :

Undocumented commands on iPhone

Damn, those European anarchist of Nokia are providing publicly also their AT command sets, and are AVAILABLE TO ANYONE:

Nokia AT Commands

Oh jesus! Also the terrorist oriented Microsoft corporation let third party to use AT commands:

Windows Mobile AT Commands

It’s absolutely unacceptable that also RIM, canadian funky against USA, provide access to AT commands:

Blackberry AT commands

And it’s unbelivable to see that Google Android also document how the system speak to the Baseband Processor and find on forums that it’s ease to access it:

Google Android Basedband Processor

Not to speak to ALL other mobile manufactuer that use the very same approach and let any party to speak via AT commands to the baseband processor of the phone.

Is the baseband processor of iphone buggy and the AT&T tower software buggy so that it’s dangerous to let the user make experiment with it?

Probably yes, and so those are only excuse because the software involved are not robust enough.

Apple, be careful, you have the trust of your users because you are apple you always have done things for the user advantages.

Users does like telephone companies that are huge lobbies that try to restrict and control users as much as possible.

If you, Apple, start behaving like a phone company users will not trust you anymore.

Be careful with FUD statements.

chinese espionage: the worst and more silent threat for western countries

Hi all,

in the past few years i saw an incredible increase in the amount of “public” news about espionage against different western countries and usually coming from far-east, typically china.

China want to be the largest economic power within 2020 and it’s following a grow rate of 8% per year. Their “controlled” capitalism without the inefficiency of the democracy it’s something that’s beating the western countries, less efficient because democratic.

China, in order to quickly grow it’s R&D capacity make an extensive use of espionage, it’s estimated that Chinese government have more than 1.000.000 intelligence agents worldwide.

And they know how to do espionage, their “spy” does not cost that much like western countries’ spy, less guarantee, less payments.

Also they are using cyber espionage as an important source of information and competitiveness against western countries companies and government R&D results. China is so un-cooperative that now also western countries spying each other, or even Russian, use chinese internet space as the “start base” for their internet based espionage activities.

I knew of a USA phisher that used to build it’s own trojan with a chinese version of Windows Xp with a chinese version of the Microsoft Visual Studio development suite. Why? For information deception, in order to tweak the forensics effort of the FBI analyst and have them think that it’s own attacks was coming from China!

Any investigators that see an attack coming from china typically think “oh shit, it comes from china, we’re lost”, and now even cybercrime use China like a far-west, untouchable base for cyber attacks.

Back tracing attacks coming from china it’s like trying to find out what’s inside a black hole, it’s a one-way trip and no information comes back.

To give better an idea of what i am speaking about just get the following list of reference:

Germany accuses China of industrial espionage

Chinese trainee goes on trial as French industry fears espionage

U.S. Vulnerable to Chinese Cyber Espionage

Massive Chinese Espionage Network

Cyber Spy Network Also Targetting Finland

How do the western countries defend themself?

That’s a nice points to speak about because there’s no simple way to defend against espionage other than considering it like a serious and concrete threat.

Governments should be able to get more understanding that their approach to informations systems and information security policy must not only exists on paper but also be applied everywhere in order to be effective. Governments are complex organizations and only a few are enough smart to be able to quickly and efficiently make security policies really be implemented organization-wide. But they are trying to, especially the most competitive ones like USA, UK and Germany .

Companies instead should acquire awareness of the problem that is present, available, concrete as concrete is the chance that someone enter into the offices to steal good (not for espionage). For that reason companies place alarm systems, access control with badge, camera monitoring systems.

But espionage does not mean fighting and protecting against poor thieves but instead against more sophisticated, either technically and socially, attacker that can use old school intelligence techniques always effective. Getting employed and stealing information while working. Simulate to be customers to establish a link trust with a salesman and then find a reason to let him execute some malicious software “hey, but my modellization software demostrate that your model used to measure the performance of your product it’s not the one you advertised. Check it out, see your self with the software we used!”. What do you think the salesman will do in order to catch the prospect customer?

Only awareness, knowledge about the issues can make such risk to be considered seriously.

Governments should provide financing to industrial associations, chamber of commerces and similar agencies in order to make such awareness national wide and let entrepreneurs became conscious and became prepared to recognize, identify and stop espionage activities.

The law perspective

Governments should strenghten their laws in order to be able have the required rights tools to enforce the protection from espionage.

Look at the analysis made by my smart cousin Angelo Pietrosanti on espionage “Is the European R&D Equally protected from espionage as in the US R&D?”

Country Civil Sanction against trade secret threat Criminal Sanction against trade secret threat Year of last modificationg
USA 5 mln $ up to 10(for domenistic) or 15 (for foreigners) Years of Jail 1996 (Economic Espionage Act)
Germany YES up to 3 Years of Jail 1986
France 0.03 mln $ up to 2 Years of Jail 1992
UK YES NO 1984
Italy YES up to 2 Years of Jail 1942
Switzerland YES up to 3 Years of Jail 1986
Finland YES up to 3 Years of Jail 1990
Sweden YES up to 6 Years of Jail 1990
The Netherlands YES up to 4 Years of Jail 1992

What this table show?

  • Outdated law (except USA)
  • Not so serious sanctions against espionage activities. (except USA)

Maybe some european policy on this could help.

In conclusion

We are in an economic war where the winner is not the one having more forces, but the one being more technologically advanced, and economically clever.

Chinese are demonstrating to be enough aggressive and clever, will the western countries be able to react both on the defense and the attack in this war?

Criminal business model: Somali pirate case study

Hi all,

this blog post is to have a nice economical point of view on somali pirates business model, something nice as also crime is a business and need it’s business evaluation:

An economic Analysis of Somali Pirates Business Model

It sounds much like a great deal, check it out the details:

The attack model and costs

The negotiation phase (Offer and Counter offer)

The resolution

And for the pleasure of home gamer, Cuttrhouat Capitalism: the game

Nokia World in Stuttgard 2-3 September

Everyone who’s business is directly connected to mobile, aggregators, operators and generally speaking mobility application should really attend Nokia World where most of the world key people in the mobile business .

It’s extremely interesting to see the evolution of the business models related to the Application Portals, how the mobile operators are changing their approach to the market, the increasing of value added services related to mobile industry.

And the most important things is, the mobile operators will be able to became financial operators to really provide mobile payment systems integrated into any day digital life?

And if this will happen, how the manufacturer and operating system provider will play this game?

Saas: is the end of the myth?

Saas business models growth a lot during the past few years and i personally appreciate it.

No software to be installed, configured, maintained, service available when you needed with a early adoption time and most important reduction (or apparent reduction) of the total costs of ownership.

I had few experience with SaaS business (as a customer) and i have to say that the following Gartner Group analysis on SaaS businesses imho tell you the truth only for half of statements:

  • There is always a partial integration issue (not all systems are so flexible to really integrate into your business like you would like)
  • There is often a lacks of the technical requirements needed by the specific business case
  • I DO NOT agree that there is a barrier in the costs, as SaaS usually let you start spending only a few. However it’s true that while doing the deployment you should be more conservative in the usage of features and items (es: I am using for my company a hosted VoIP PBX system, we pay for each extension we add. We don’t have test extension or extensions that are not strictly needed because it costs. When we had an internal VoIP PBX system, we was plenty of test extension. This slightly increase some complexity in maintenance and deployment, even if the total cost of maintenance is a lot lower than an internal system to be managed.

So we can assume that Saas it’s for most but not for all, especially if the need of customizations for the very specific business needs are relevant.

An in depth analysis and testing has to be carried on, in order to discover all the limits of the solution, on functionalities and pricing, to really discover if the specific solution fit the business need.

Best advices by world leaders

Today i found a very nice set of 22 ‘best advices’ on Fortune coming from world leaders and i would really like to link there some of the most interesting ones (at least for me).

I think that those suggestion let you work and manage your projects and goals (in any situation you play a leadership role, being business or personal stuff) in a proper, rational and effective way.

Colin Powel: Focus on performance, not power

Jim Sinegal: Show, don’t tell

Mort Zuckerman: Do what you love

Meredith Whitney: Always set realistic goals

Lauren Zalaknick: Listen (others opinion)  

Robin Li: Underpromise and overdelivery (while running a company)

Mika Brzezinski: Use failure to motivate yourself

The real goal of online marketing: lead generation

Often i discuss about online marketing, however it include the mysterious “marketing” magic word that’s tipically subject to misunderstanding and misconception .

The end goal of online marketing is to generate qualified leads coming from international markets.

Some interesting links about it, and how things should be properly done are below:

I would really like to see an effective leverage of online techniques and tools as the main interface and providers of information, the main pre-sales agent of the company explaining almost everything required to get back a qualified lead.

Voice encryption in government sectors

I will make some in depth articles about how voice encryption really works in government environments.

The open standards and open source still have to reach the military and government environments for what’s related to secure speech.

To give you an idea of the complexity and kind of particular issues that exists, look at the USA 3G Wireless Security: A Government Perspective and the A Waveform Architecture to Support Security and Interoperability in Multi-National Wireless Networks for Tactical Communication .

They are using so-custom protocols like Secure Communications Interoperability Protocol that require the use of patented MELPe ultra-narrowband codec that there’s not a real market of application and equipment using this. Only a small elite of government controlled companies from few countries manage this de-facto lobby.

Should we change this bringing open standards also to government sectors?

Product Management

You know, product management it’s a job for half-fish, half-meat guys, that understand both business needs and technology issues.

I found two amazing and very well done presentations about it, i suggest to read it as it clarify a lot of things of the marketing and technical activities applied to the management of products inside companies to reach the market.

The strategic Role of Product Management

Very in depth presentation. Ask yourself, do you know what’s the differences between marketing and promotions, sales, advertising? How to really manage the core of the company, the product?

Product Management for BrainMates

Very smooth presentation going to the point: A product is the tiny overlap between the needs of a business, the aspirations of it’s development team and the unsatisfied desires of the customer.