Sunday, January 20, 2008

Oh baby, that's a nice pen!

In about a week, a new product should be hitting the virtual shelves. It has the potential to really hit it big. What is it? A pen. Specifically, the Livescribe. In addition to being a pen, it's also a computer, with an open platform to develop applications. We've all heard of products that are supposed to change the world. The difference with this particular device is that it's not supposed to change the world, and that is the exact reason that it might. Let me digress for a moment, then I'll come back to the pen, and hopefully that last sentence of mine will make more sense.

Think back a few years ago when Dean Kamen released the Segway. It is a transportation device that was heralded by some as having the potential to change the way that cities are built. Everyone in the world would want one. It would solve traffic problems, encourage walkable communities, clean up the air, etc. Fast forward about six years, and you'll maybe see an airport cop patrolling the terminal on one. A few mailmen deliver on them. There are specialty tours where you can see the city on a Segway. There are also arguments about whether the Segway should be allowed on the sidewalks since it could knock over pedestrians, but cars don't want to share the road with them either. Why isn't the Segway catching on, even though it's a wicked cool device? It requires us to change or adapt the way we do things in order to use it. It's neither a pedestrian device nor a vehicle. There's nowhere to park it. It takes about 5 hours to fully recharge after driving a maximum range of about 10 miles. It's too different, yet does not provide much benefit over a standard bicycle, other than being easier to make it up hills and harder to throw on the rack on the front of the bus.

My daughter got a doll for Christmas. (I'm still digressing, and I'm still planning on coming back to the pen.) This doll was supposed to be different than the dog my other daughter got for Christmas the year before. It's not. Both the doll and the dog are voice-activated. You talk to the dog and it does tricks or plays with a chew rope or eats a bone. You teach it to howl and shake. Well, when it understands what you say anyway, you can do all that stuff. It has to be perfectly quiet in the room, which doesn't happen much with four kids running around the house. It can't hear you if it's moving or talking. You can only tell it commands that have been preprogrammed. You have to talk clearly. With high-end voice recognition software like Dragon Naturally Speaking, there is a training period where it learns your voice, but it also trains you to speak more clearly. With this doll and dog, there's no training. It either understands you or it doesn't. I don't know how the experience with the dog didn't make it obvious that the doll wouldn't be a good buy either, but nevertheless it made its way to our house in Santa's bag. She plays counting games. She cries, and you have to ask her what she needs. You can feed her and make her go to sleep. Well, when it understands what you say anyway, you can do all that stuff. A good toy lets you do whatever you want with it. These voice-activated toys that don't understand what you want them to do just cause frustration, because you can only play with them how they were programmed to let you play with them.

What did all that have to do with the Livescribe? Well, it's a pen. It writes - whatever you want to write, in your own handwriting, as fast or as slow as your hand moves, just the same as any pen or pencil you've grown up with. You don't have to change or learn anything new. We've been writing so long that it would be hard to learn to write in another way. Just like the Qwerty vs. Dvorak keyboards - Dvorak is more efficient, but you have to relearn how to type, so we perpetuate Qwerty. So Livescribe simply lets you write, and while you write you can have it record audio. Later, when reviewing your notes, you can click on a word and play back the audio it recorded while you were writing that word. You can upload your notes to your computer and email them to your friends or search for certain words that you wrote down. So you still take notes the way you always have, but you now have recorded the audio that went with it. Cognitive load is decreased, because you don't have to worry about transcribing every word if you missed something. If you record a lecture using a regular mp3 voice recorder or tape recorder and you want to find the part where your professor explained a certain concept, you're going to be fast forwarding and rewinding, trying to find it. With Livescribe, you click on the word in your notes and hear the professor's voice defining it for you. Think of the uses: business meetings, field reporters, servers in a restaurant, professors grading student essays, etc.

In addition to being able to synchronize handwritten notes with recorded audio and easily share both with others, the Livescribe is an open platform, which will allow anyone to develop new applications to use the Livescribe. So really, the uses are endless and there will be little or no training required to use it. You just click record and start writing. Then you click play and point to the word where you want it to start playback from. It costs less than many iPods or cell phones, at about $200. You don't have to do anything different from what you might normally do, but you get the benefit of multiple technologies working together.

I hope it lives up to all the possibilities. The company is run by a team of experts who have collectively worked at such big names as Apple, BEA, Leapfrog, IBM, HP, Palm, GE, CNET, Chevron, and Lexar. If anyone can do it, hopefully these guys can.

Wednesday, January 9, 2008

DRM Who?

After the black eye Sony received a few years ago with their DRM rootkit fiasco, they seem to be headed in the right direction with their plans to provide some DRM-free music. It appears to be due to market forces, in trying to compete with Apple's iTunes, but it's encouraging nonetheless. We'll see how it actually ends up playing out.

For a lot of people, trying to get the music they paid for to work on the various devices they listen on is more difficult than it should be, so removal of DRM will be beneficial for many. It doesn't really affect me that much personally. I can load songs on my phone and listen to them through white headphones snaked up through my shirt so I don't have to hear people calling my name when I'm walking around campus, but I choose not to.

When I do listen to music, it's usually the Music Genome Project. You create free radio stations of songs that are similar to a certain song or an artist that you like. I've got an instrumental techno station I've created, because when I'm working on homework late at night I like having some music to keep me awake, but the lyrics distract me. One cool thing about it is that it plays music you might not have known about, but that is similar to stuff you like. You're not limited to what songs you've purchased, and you get to hear artists you might not have known about before.

Tuesday, January 1, 2008

Investing in Security

A recent article discussed several myths and realities related to investments in information security. IS investments are very complicated, since companies must provide the "confidentiality, integrity, and availability of information, while also assuring authenticity and non-repudiation…." That is to say, data needs to be protected against unknown change and kept away from non-authorized persons, while at the same time assuring that those who have legitimate business with that data are allowed full access.

Because of the complicated nature of many businesses, CxOs rightfully demand some monetary justification for pumping money into security rather than other projects that also need funding. According to the authors of this article, the traditional accounting measure, ROI, does not completely capture the benefits and risks associated with Information Security, so other measures must be used to find a project's Return on Security Investments (ROSI).

The first myth dispelled in the article is that "the accounting concept of 'return on investment' is an appropriate concept for evaluating information security investments." The problem with ROI is that it is an historical accounting measure. The IRR, an economic measure of future asset values and discounted cash flows, is a truer measure.

The second myth is that "Maximizing the IRR on information security investments is an appropriate objective." That is, the highest IRR is not necessarily the best choice. The amount of investment that yields the greatest net benefit is the one that should be used. The IRR measures a percentage return, not an actual return, so the IRR is used to a point, but to determine the actual amount to invest, the proportion with the largest actual return should be used. I'm not so sure that I agree with this point, but of course none of my articles have been published in Strategic Finance yet. What it looks like to me is that if another project has a higher marginal IRR, it will have a higher present value than the IS project, so the alternative project should receive the additional funding. This may be implied, but the article seems to focus on comparing a project's IRR only to itself, not to alternative projects.

The third myth is that "IRR and NPV are ex post metrics for evaluating the actual performance of information security investments." IRR is used to anticipate the returns of a project. Going back to measure the actual return on a project once it has been completed is called "post-auditing." Because of the nature of security investments, the more successful a project turns out to be, the fewer security problems will be seen, and the harder it will be to measure how successful it was. So the most successful project will result in no one even thinking about the security plan.

The fourth myth is that "it's appropriate to invest in security activities up to the level where the investments equal the expected loss from security breaches." The probability of an event taking place must be factored in when determining the present value of those investments. So, with this final point, the authors tell us that the optimal level of security investments must be found, not just the project's rate of return.

In their research, they have found that on average, a maximum of about one-third of the expected potential loss should be invested in preventing that loss. By investing more than this, the amount spent preventing a loss approaches the amount of the loss. By investing less than this, a firm leaves its systems completely open.
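As an added example (not code from the post or from Gordon and Loeb), the following Go program puts numbers to the second and fourth myths: it takes a constructed expected loss (breach probability v times loss L), an assumed breach-probability function that falls as spending z rises, and then compares the spending level with the highest percentage-style return against the level with the highest net benefit. The constants v, L, alpha and beta are constructed inputs, and the shape of breachProb is an assumption; the post itself gives no formula. The post's "about one-third" figure corresponds, in Gordon and Loeb's model, to a bound of 1/e of the expected loss, which main prints for comparison.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed inputs for one hypothetical information set (not from the article).
const (
	v     = 0.5   // probability of a breach with no security spending
	L     = 1.0e6 // monetary loss if the breach happens, so v*L is the expected loss
	alpha = 1e-5  // how productive each unit of spending is at lowering v (assumed)
	beta  = 1.0   // curvature of that effect (assumed)
)

// breachProb is an assumed breach-probability function: spending z lowers the
// breach probability from v with diminishing returns. The shape follows one of
// the function classes analysed by Gordon and Loeb; the post gives no formula.
func breachProb(z float64) float64 {
	return v / math.Pow(alpha*z+1, beta)
}

// NetBenefit is the expected loss avoided minus the amount spent: the
// "actual return" the post says should decide the amount invested.
func NetBenefit(z float64) float64 {
	return (v-breachProb(z))*L - z
}

// PctReturn is the percentage-style measure; the post's second myth is that
// maximising it picks the right spending level.
func PctReturn(z float64) float64 {
	return NetBenefit(z) / z
}

// Optimum scans spending levels from 0 up to the full expected loss in
// increments of step and returns the level with the greatest net benefit.
func Optimum(step float64) (bestZ, bestNet float64) {
	bestZ, bestNet = 0, NetBenefit(0)
	for z := step; z <= v*L; z += step {
		if nb := NetBenefit(z); nb > bestNet {
			bestZ, bestNet = z, nb
		}
	}
	return bestZ, bestNet
}

func main() {
	z, nb := Optimum(1000)
	fmt.Printf("expected loss with no spending: %.0f\n", v*L)
	fmt.Printf("best spending level: %.0f (%.1f%% of expected loss), net benefit %.0f\n",
		z, 100*z/(v*L), nb)
	fmt.Printf("percentage return at 1000: %.2f, at the optimum: %.2f\n",
		PctReturn(1000), PctReturn(z))
	fmt.Printf("1/e of expected loss: %.0f\n", v*L/math.E)
}
```

With these inputs the percentage return is highest at the smallest spend and falls steadily, while the net benefit peaks around a quarter of the expected loss, which is the post's point that the highest percentage return and the right amount to invest are different questions.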

Gordon, L.A. & Loeb, M.P. (2002). Return on information security investments: Myths vs realities. Strategic Finance, 84(5).

So you want to start a business?

A few years ago, I attended a presentation by the owner of a car dealership. He had some advice on starting a business. One of his first points was that the statistics showing large numbers of failed businesses are skewed, because smart people often go for the guaranteed money, working for someone else, so many that would be successful never start their own business.

The smart ones that do make it and build a successful business will run their business by the numbers, not by emotion (of course, this is all coming from an Accountant). The following principles will guide entrepreneurs to success:
  • Know your break even point every month or day
  • Staff according to your slowest month; you may be understaffed on occasion, but never overstaffed
  • YOU be the key employee
  • Put money into what will make you money (buy vs lease)
  • Personal overhead = business overhead
  • Don't spend money just to reduce taxes; pay taxes like you should
  • It is safest to invest money in your own business, where you have the control; don't play the stocks
  • Only grow the business if it will make your bottom line grow
  • Always outsource if costs are the same as doing something in-house
  • Reinvest in the customer
  • Offense is exciting, but defense wins the game; that is, sales are exciting, but low expenses make the money


President Clinton passed the E-Sign Law in July of 2000 allowing a digital signature to complete a valid enforceable contract, but consumers still make little use of digital signatures. A few years ago, someone in my office came to me asking for my help in creating a digital signature. I did some research, found the costs and what technologies might be appropriate, and presented the options to my coworker. It turned out that all my coworker needed was for me to scan a signature from a piece of paper to insert into a Word document. I didn't explain that it wasn't really a digital signature I'd be creating; I just created it. Five-plus years later, I don't think that general consumer knowledge has risen much from where it was back then.

TCP/IP and the Internet in general were not designed to be secure. They were designed to not fail. In order to become secure, layers must be added at higher levels to protect data when it is being handed around the Internet. PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard) are programs that use PKI for encrypting and signing data.

Public Key Infrastructure (PKI) is an application of cryptography. Technology is used to implement cryptography, but cryptography itself is inherently mathematical. Symmetric cryptography involves using one key to both lock and unlock, or encode and decode, a set of data. The sender and receiver must both have a copy of the same key. Asymmetric cryptography involves a public key and a private key. The public key is passed out to anyone, but the private key must be kept secret. With asymmetric cryptography, one key is used to encrypt or mark a set of data and the other key is used to decrypt or verify that the data sent has not changed. An asymmetric pair of keys can be used for either encryption or a digital signature or both. A symmetric key can only be used for encryption.

A regular, paper-based signature is used to prove to a third party that a transaction has taken place. Likewise, a digital signature is a mathematical operation on a set of data that proves that a message or transaction was enacted by the person who signed it and that it has not been changed.

A message goes through the following when it is encrypted: the message is written, a mathematical hashing operation is used to process the message, it is encrypted using a public key, the message is received and another hash is performed, and the message is decrypted using the receiver's private key.
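As an added example (not code from the post, and not PGP's or GPG's own code), the following Go program carries the hash, sign, encrypt and decrypt steps described above through with Go's standard library: the sender hashes the message and signs the digest with her private key, seals the message with the receiver's public key, and the receiver decrypts with his private key, hashes the recovered message again and checks the signature against the sender's public key. The Party and Envelope types, the names alice and bob, and the sample message are constructed for this illustration. The two tamper checks at the end show what the padding check and the signature each catch.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is a hypothetical participant holding one asymmetric key pair.
// The public half is handed out freely; the private half never leaves the Party.
type Party struct {
	Name string
	Key  *rsa.PrivateKey
}

func NewParty(name string) *Party {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, Key: key}
}

// Envelope is what travels over the network: the message sealed with the
// receiver's public key, plus the sender's signature over the plaintext.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal is the sender's side: hash the message, sign the digest with the
// sender's private key, then encrypt the message with the receiver's public key.
func Seal(sender *Party, receiverPub *rsa.PublicKey, msg []byte) *Envelope {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender.Key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	// RSA-OAEP can only seal a short message directly; a real system seals a
	// symmetric key this way and encrypts the bulk data with that key.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
	if err != nil {
		panic(err)
	}
	return &Envelope{Ciphertext: ct, Signature: sig}
}

// Open is the receiver's side: decrypt with the receiver's private key, hash
// the recovered message again, and verify the signature with the sender's
// public key. Any failure means the data changed in transit or was not
// signed by the holder of the sender's private key.
func Open(receiver *Party, senderPub *rsa.PublicKey, env *Envelope) ([]byte, bool) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver.Key, env.Ciphertext, nil)
	if err != nil {
		return nil, false // OAEP padding check failed: the ciphertext was altered
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], env.Signature); err != nil {
		return nil, false // signature does not match the recovered message
	}
	return msg, true
}

// Demo runs the exchange once honestly and twice with in-transit tampering,
// reporting whether the honest message was accepted and both bad copies rejected.
func Demo() (honestOK, tamperingRejected bool) {
	alice, bob := NewParty("alice"), NewParty("bob")
	msg := []byte("constructed sample: transfer 100 units to account 42")

	env := Seal(alice, &bob.Key.PublicKey, msg)
	got, ok := Open(bob, &alice.Key.PublicKey, env)
	honestOK = ok && bytes.Equal(got, msg)

	// Flip one bit of the ciphertext.
	badCT := &Envelope{Ciphertext: append([]byte(nil), env.Ciphertext...), Signature: env.Signature}
	badCT.Ciphertext[len(badCT.Ciphertext)-1] ^= 0x01
	_, ctOK := Open(bob, &alice.Key.PublicKey, badCT)

	// Flip one bit of the signature.
	badSig := &Envelope{Ciphertext: env.Ciphertext, Signature: append([]byte(nil), env.Signature...)}
	badSig.Signature[0] ^= 0x01
	_, sigOK := Open(bob, &alice.Key.PublicKey, badSig)

	tamperingRejected = !ctOK && !sigOK
	return honestOK, tamperingRejected
}

func main() {
	ok, rejected := Demo()
	fmt.Println("honest message accepted:", ok, "| tampered copies rejected:", rejected)
}
```

Note the order on each side: the signature is made over the plaintext before sealing, and checked only after the receiver has recovered the plaintext, so the receiver's second hash is computed on exactly the bytes the sender hashed.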

A digital certificate, often used on websites and other transactions, contains the public key of a certain user or organization and identifying information such as email address, website, phone number, name, expiration date, etc. The digital certificate is signed by the organization or person who issued the certificate. Their certificate is in turn signed by the organization or person who issued their certificate, until a root is reached. Ultimately, it is that root that must be trusted. Each issuer must take the proper steps to verify the identity of an applicant before the digital certificate is issued.
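As an added example (not code from the post), the following Go program builds the chain just described with Go's crypto/x509 package: a self-signed root, an issuing certificate signed by the root, and a site certificate signed by the issuer, each carrying a subject name and an expiration date. It then verifies the site certificate against the real root, against an unrelated root, and for a hostname the certificate does not name. The subject names, serial numbers and hostnames are constructed for the illustration, and the certificates are generated in memory rather than obtained from any real issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair for subject and a certificate over its public key.
// With parent == nil the certificate is self-signed, which is what a root is;
// otherwise it is signed with the parent's private key, forming one link of the chain.
func issue(serial int64, subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour), // the expiration date
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject} // the website the certificate is for
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyLeaf walks the chain from the site certificate up to whichever root
// the verifier has chosen to trust; the issuer's certificate is supplied as
// an intermediate, exactly as a web server sends it alongside its own.
func VerifyLeaf(leaf, issuer, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// ChainDemo builds root -> issuing CA -> site certificate and reports whether
// the site certificate validates against its real root, against an unrelated
// root, and for a hostname it does not name.
func ChainDemo() (trustedOK, wrongRootOK, wrongHostOK bool) {
	root, rootKey := issue(1, "Example Root CA (constructed)", true, nil, nil)
	issuer, issuerKey := issue(2, "Example Issuing CA (constructed)", true, root, rootKey)
	leaf, _ := issue(3, "www.example.test", false, issuer, issuerKey)
	other, _ := issue(4, "Unrelated Root (constructed)", true, nil, nil)

	trustedOK = VerifyLeaf(leaf, issuer, root, "www.example.test") == nil
	wrongRootOK = VerifyLeaf(leaf, issuer, other, "www.example.test") == nil
	wrongHostOK = VerifyLeaf(leaf, issuer, root, "mail.example.test") == nil
	return trustedOK, wrongRootOK, wrongHostOK
}

func main() {
	ok, wrongRoot, wrongHost := ChainDemo()
	fmt.Println("chains to trusted root:", ok)
	fmt.Println("accepted under unrelated root:", wrongRoot)
	fmt.Println("accepted for a hostname it does not name:", wrongHost)
}
```

The only thing the verifier takes on faith is the root it placed in its trust store; every other certificate is accepted solely because the one above it signed it, which is why the identity checks each issuer performs before signing carry the weight of the whole chain.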


I just read the book Freakonomics by Levitt and Dubner. The authors admit that there is no central theme to the book, which is really a series of individual essays that are loosely tied to one another.

Each chapter consists of comparisons between unlike groups of people to make a point. KKK members and real estate agents maintain power (or at least used to in the KKK's case) by protecting the information that they hold. A high school quarterback works hard against the stacked odds of becoming a star, while crack dealers work for minimum wage while hoping to make it some day as a big time drug dealer. Sumo wrestlers in Japan and school teachers in the U.S. sometimes cheat by throwing matches or by changing student answers on standardized tests, even though both professions are considered honorable and above such activity.

Other than these comparisons, there are some controversial findings. The drop in crime in the 1990s was due to abortion becoming legal back in the 1960s. More kids die in swimming pools than from guns in the home. It doesn't matter what school parents send their children to when they have a choice; the fact that they are willing to send their kids to another school means more than the new school itself. Sexual assault rates are lower than what is usually reported, but no one can publicly dispute those numbers due to political pressures.

The book does not cover traditional economic research topics, but in the foreword, Levitt explains that he's not really interested or competent when it comes to monetary policy, fiscal policy, econometrics, and the stock market. The research seems more like Sociology than Economics, but calling him a "rogue economist" sounds better than a "rogue sociologist". Levitt's PhD dissertation at MIT covered several political topics such as campaign spending, incumbent advantage in elections, midterm elections, and politician voting records.

Regardless of the topic of Levitt's research, this book should be required reading for any new PhD student. The book does not necessarily purport to solve any great world problems but rather encourages people to be a little more skeptical and to try to think more about why things happen how they do and to ask more questions. Basic research concepts are covered, such as correlation vs. causality and choosing correct data to measure.