Handing Off Your Problems to Someone Else

Today is the day when up to 300,000 Danes can no longer access their online banking. They also cannot use any of the gazillion public services that require a login. That’s because the old public ID system in Denmark has been retired, and everyone has to use the insecure and shoddily built new one.

The reason thousands of people are left behind is the cumbersome signup process that – among other things – involves scanning the chip in your passport with a modern smartphone. It turns out many people can’t figure out how to do that. But that is not a problem for the organization behind the ID system. They simply tell users to show up at the local service point in their town for help.

It is, however, a problem for the overworked local service center employees. They are staffed to (barely) manage their usual work. Dumping 500,000 IT support tasks on them has predictably led to huge waiting times for an appointment for anything.

Don’t allow your IT systems to dump their problem somewhere else and declare themselves a success.

Why Should the Business Trust You With Their Money?

“Give us a bag of money and go away.” That seems to be the thinking of most in the #NoEstimates movement. They have, of course, misunderstood the original concept, just like people who claim to do Agile when all they’ve done is to do away with the documentation. I agree that estimation is hard and software is complex, but asking the business to commit money for unknown benefits in the uncertain future represents monumental hubris. The real world works by comparing costs and benefits, even though both cannot be evaluated exactly.

I’ll be meeting some of the best and brightest IT architects in Denmark at the annual Software Architecture Open Space next week. This is an open-format conference, and I noticed some of the other participants have already brought up estimation and #NoEstimates as a topic. I’m looking forward to an interesting discussion. If you are in the vicinity of Copenhagen on Nov 3rd, I encourage you to participate in SAOS as well. You’ll surely learn something.

There are Many Reasons Not to Move to the Cloud

You don’t save anything by moving to the cloud. Ask around – how many of the organizations you know who moved to the cloud have reduced operations headcount? Some things are simpler in the cloud, but many others are more complicated.

You enforce some good security practices because there is no way to NOT install the latest security patches. And you can quickly spin up an extra testing environment.

But unless you really have a highly variable load, or you are starting something new where you don’t have a clue how much power you’ll need, the cheapest option is to buy some hardware and put it in your server room.

The next time one of the vendors tells you how much you save by moving to the cloud, take a really good look at the calculation. I’ll be happy to help you. You will likely find out that there isn’t a business case for moving.

Yet Another Project With No Business Case

There is nothing so good that you cannot do it badly. Case in point: Recycling. I’ve just received five new recycling containers in my summer cottage. The point is for me to sort plastic, cardboard, metal, paper, dangerous items, organic waste, and the remainder in separate compartments. I’m all for recycling, but I was curious about the business case for providing new plastic containers for summer cottages with limited amounts of waste and driving around with more big trucks on little dirt roads to collect the stuff.

It turns out there isn’t one. The Danish Engineer’s Association has a weekly newspaper, and they have been running stories on this. Dispassionate calculation shows that the cost in money and CO2 of collecting and sorting several of these waste fractions far exceeds the benefit of recycling. For plastic waste, it turns out that we have to drive it – in trucks – to neighboring Germany because we don’t have a facility to reuse it in Denmark.

Surely, the government that invented this process would have a good counterpoint? Nope. I’ve been looking through several government websites. There is a lot of greenery and nice words, but no business case for recycling as much as we currently attempt to do.

So here in Denmark, recycling is a project with a worthy goal, political backing, and no business case. Have you ever seen something like that happen in IT?

Can You Trust Your Vendor?

Did you invite the hackers in yourself? Hundreds of German companies are waking up to the revelation that “German” cyber-security company Protelion is a front for a Russian company with links to Russian intelligence.

The hapless boss of the German IT Security agency even invited Protelion to sit on the German Cybersecurity Council. He is facing an unceremonious sacking…

Being able to roam freely inside the firewall and install agents with admin privileges is the dream of any hacker. There are at least one million devices running Protelion’s “security” software and the companies who invited Protelion in face a wholesale scrubbing of their entire IT infrastructure.

How do you plan to ensure that your security audits do not worsen your security?

Letting a System Give Ridiculous Answers

Here is another example of a computer giving a ridiculous answer. When I book a hotel, Booking.com will automatically suggest an airport transfer. OK, but not when the airport is 200 kilometers and a long ferry ride away. Providing meaningless answers to your users is not a trivial problem that you can brush off. It undermines the confidence your users have in a system, usage drops, and shadow systems in Excel proliferate. Do you have a policy to build sanity checks into your systems?
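An added example (not Booking.com’s code) of the kind of sanity check the paragraph asks for: the transfer suggestion is suppressed when the nearest airport is implausibly far from the hotel. The place names, coordinates and the 100 km cut-off are constructed assumptions.

```python
"""Plausibility check for an automatic airport-transfer suggestion.

Added example, not code from any booking site. The cut-off below is an
assumed policy value, and the places used in the usage block are constructed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional

EARTH_RADIUS_KM = 6371.0
MAX_TRANSFER_KM = 100.0  # assumed policy: beyond this a road transfer is not a sensible offer


@dataclass(frozen=True)
class Place:
    name: str
    lat: float
    lon: float


def haversine_km(a: Place, b: Place) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def suggest_transfer(hotel: Place, airports: List[Place]) -> Optional[Place]:
    """Return the nearest airport only when a transfer from it is plausible.

    Returning None is the sanity check: offering nothing is better than offering
    a transfer that no traveller could take.
    """
    if not airports:
        return None
    nearest = min(airports, key=lambda ap: haversine_km(hotel, ap))
    if haversine_km(hotel, nearest) > MAX_TRANSFER_KM:
        return None
    return nearest


if __name__ == "__main__":
    # Constructed sample places; an island hotel far from the only airport, and a city hotel near it.
    airport = Place("mainland airport (constructed)", 55.62, 12.65)
    island_hotel = Place("island hotel (constructed)", 55.10, 14.70)
    city_hotel = Place("city hotel (constructed)", 55.65, 12.60)
    print(round(haversine_km(island_hotel, airport)), suggest_transfer(island_hotel, [airport]))
    print(round(haversine_km(city_hotel, airport)), suggest_transfer(city_hotel, [airport]))
```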

Are You Afraid Robots Will Take Your Job?

Robots are not taking our jobs. It’s a good story to create eye-catching headlines and generate clicks, but the numbers do not support it in any way. Michael Handel of the U.S. Bureau of Labor Statistics has published a paper where he carefully analyzes job losses across many professions. He finds that job losses follow long-term trends, and there is no hint of the dramatic changes predicted by people who make a living from predicting that the sky will shortly fall.

That matches what I see in the organizations I work with. Traditional IT projects regularly fail, and AI projects have an even higher failure rate. They might deliver something, but too often, it turns out to be impossible to move an AI experiment out of the lab and into productive use.

Additionally, in the cases where AI does provide real business benefits, it handles one specific task and not a whole job. All of our AI today is very narrowly trained for one task. That frees up workers to do more useful things with their time, making them more productive.

For example, the illustration for this post is made by me and the Midjourney AI. It was told to illustrate “the robots are not taking our jobs.” We ran a few iterations where I selected the best of its suggestions until we came up with this image.

Why Projects Without Business Cases are Shot Down

I just had a customer attempt to start a project without a business case. Such projects are usually driven by the desire to use a specific technology and with a vague idea that this would somehow benefit the end user.

If the IT department is strong, some of these orphan projects get started. They might be successful. However, since the organization has no idea of the business benefit, it is blind luck if the benefits exceed the cost.

If the business prevention department (compliance/legal) is strongest, they are shot down. There is always a reason not to make any changes. A project without a business case can be mortally wounded by any objections about compliance, GDPR, security, etc.

That is why every project needs a business case. It prevents IT from wasting money on something that will not add value, and it prevents compliance & legal from killing projects with a positive business impact.

Do your projects have solid business cases? If not, get in touch, and I’ll help you.

Who is in Charge of Outside-the-Box Thinking?

Everyone can track your license plate – not just the cops. A Belgian security researcher noticed that most parking apps do not validate that you actually own the license plate you add to your app. That means a stalker can add his victim’s license plate to his app and immediately be notified whenever that person parks anywhere…

This is another example of the inside-the-box thinking that developers are prone to. The developers of the Kryptonite bike lock had made it out of extra reinforced steel. Too bad a weakness in the lock allowed a hacker to open it with half of a ballpoint pen.

Finding holes in a system is not just securing the login and checking the encryption. It involves examining the system and its environment and users. That is a skill most developers lack. You need a “red team” who can find the holes before you roll out something embarrassingly insecure.
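An added example, not code from any real parking app, of the missing check the researcher pointed out: the weak flow links any plate to any account, while the hardened flow sends a one-time code to the keeper on file and only links the plate when that code comes back. The registry lookup, the messaging channel and the ten-minute validity window are assumptions.

```python
"""Plate registration with proof of control (added example, not a real app's code)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

CODE_TTL_SECONDS = 600  # assumed: a claim code is valid for ten minutes

# Constructed sample data standing in for a vehicle-registry lookup: plate -> keeper contact.
REGISTRY: Dict[str, str] = {"AB12345": "keeper-a@example.invalid",
                            "CD67890": "keeper-c@example.invalid"}


@dataclass
class Account:
    email: str
    plates: Set[str] = field(default_factory=set)                        # verified plates only
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # plate -> (code, issued_at)


def attach_plate_unverified(account: Account, plate: str) -> None:
    """The weak design: any caller can link any plate and receive its parking events."""
    account.plates.add(plate)


def start_plate_claim(account: Account, plate: str,
                      send: Callable[[str, str], None], now: Callable[[], float] = time.time) -> None:
    """Hardened step 1: a one-time code goes to the keeper on file, never to the caller.
    An unknown plate gets no code and no pending entry; the caller sees the same response either way."""
    keeper = REGISTRY.get(plate)
    if keeper is None:
        return
    code = f"{secrets.randbelow(10**6):06d}"
    account.pending[plate] = (code, now())
    send(keeper, code)


def confirm_plate_claim(account: Account, plate: str, code: str,
                        now: Callable[[], float] = time.time) -> bool:
    """Hardened step 2: link the plate only if a fresh, unused code comes back.
    A wrong or stale code discards the claim, so the code cannot be guessed by retrying."""
    entry = account.pending.pop(plate, None)
    if entry is None:
        return False
    expected, issued_at = entry
    if now() - issued_at > CODE_TTL_SECONDS:
        return False
    if not secrets.compare_digest(expected, code):
        return False
    account.plates.add(plate)
    return True


def should_notify(account: Account, plate: str) -> bool:
    """Parking events reach an account only for plates it has proven it controls."""
    return plate in account.plates
```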

Patching is Your Responsibility, not Your Customer’s

Face it, you are not even fully patching your own systems. Assuming that your customers or users will try to patch their systems is unrealistic.

If you are delivering any product that contains software, you need to think about how you will patch the thing. Tesla just discovered a problem with the pinch protection in their power windows. Cars with electric windows must have an “automatic window reversal system” that detects if it is about to pinch a finger or worse. Tesla found its system would not always be within the required parameters and pushed out an over-the-air update to more than a million vehicles. Elon Musk took to Twitter to fume about the fact that such a fix is technically a “recall.”

On the other hand, more than a year after the vulnerability was discovered, there are still more than 80,000 vulnerable Hikvision cameras connected to the internet. Besides the fact that everybody can view their footage, the built-in Linux server is probably also mining crypto and sending spam. The owners could not be bothered to pull the thing down from the wall, connect it with a cable, install updated firmware and mount it again.

Be like Tesla, not like Hikvision.