Password Strength and Security

xkcd has a cartoon that beautifully explains why strict password rules have brought us to a pass where passwords remain relatively easy for a computer to crack, but very difficult for people to remember.

My company, like most large corporates, has a password policy that forces the use of numbers, capital letters, special characters and a minimum password length. The password expires in a month and you can’t reuse the last 20 (I think) passwords. The strict policy lives up to its promise. It is a unique password that I don’t use for any other service, and it has enough gobbledygook in it to render it unguessable to human beings.

I also use a few financial services that are, or should be, concerned about security. Even if they weren’t, I do try to create strong passwords for them since they have my money. But it’s not so simple.

  • My broker in the US doesn’t allow special characters.
  • My broker in India allows only a 7-character password (no more, no less). Strange, but true.
  • My bank in the US has a strong password policy. Not as strong as my company’s, but close. No expiry rules.
  • My bank in India allows weak passwords but requires me to enter my password on a virtual keyboard. I guess they are more worried about keyloggers than the others are.

Having the same password for all such services would make my life much simpler. But I can’t. Because they won’t let me.

Some security experts think that may not be a good idea anyway. If you have the same password for many services and someone cracks one of them, they get control of all the services. OK, but then isn’t that true of OpenID too?

Actually, I do have different passwords for different services. Partly because I have no choice. But even for services where I could have a common password, like the social media sites, I don’t. I have seen many people lose control of their Twitter, Facebook or email accounts because they got hacked. Scares me to death.

Which is all very nice and secure. Until it comes time to recall passwords.

The truth is that you can’t remember all these passwords. So you store them somewhere. And the moment you store them somewhere, a hacker is one password away from taking over your life.


I don’t see an easy solution to this. Long passphrases, as xkcd suggests, might work well because they are easy to remember but hard to crack. But no password policy implementation can detect the difference between your full name plus your father’s name (a terrible password) and a collection of random words (a great password). Maybe an OpenID-type service that requires a hardware token like SecurID could offer both ease of use and high security.

Till then, there’s always Post-it notes.
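To make the point above concrete, here is an added example (not from the original post): a typical corporate complexity rule next to two entropy estimates, one from character classes (what the policy and a naive strength meter see) and one from how the password was actually generated (what a cracker who knows the pattern faces). The sample passwords, the name-list size, the year range and the guess rate are constructed assumptions, not measurements.

```python
import math
import re

# Character classes a typical corporate policy checks for.
LOWER, UPPER, DIGIT = r"[a-z]", r"[A-Z]", r"[0-9]"
SYMBOL = r"[^A-Za-z0-9]"


def complexity_policy(pw, min_len=8):
    """Typical corporate rule set: minimum length plus at least one character
    from each of the four classes. It only ever sees the characters, never
    how the password was chosen."""
    return (len(pw) >= min_len
            and all(re.search(p, pw) for p in (LOWER, UPPER, DIGIT, SYMBOL)))


def charset_entropy_bits(pw):
    """What a naive strength meter reports: every position is assumed to be
    drawn uniformly from the union of the character classes present."""
    alphabet = 0
    for pattern, size in ((LOWER, 26), (UPPER, 26), (DIGIT, 10), (SYMBOL, 33)):
        if re.search(pattern, pw):
            alphabet += size
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def generation_entropy_bits(choice_spaces):
    """Entropy of the process that produced the password: one term per
    independent choice the user made, each given as the size of the pool it
    was drawn from. A cracker who knows the pattern searches this space."""
    return sum(math.log2(n) for n in choice_spaces)


def years_to_crack(bits, guesses_per_second=1e9):
    """Expected time to search half the space at the given guess rate.
    1e9 guesses/s is an assumed figure for a fast offline attack."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(pw, choice_spaces):
    """Put the policy verdict and both entropy estimates side by side."""
    return {
        "password": pw,
        "passes_policy": complexity_policy(pw),
        "charset_bits": round(charset_entropy_bits(pw), 1),
        "generation_bits": round(generation_entropy_bits(choice_spaces), 1),
    }


# Constructed sample passwords, not real credentials.
# 1. A policy-compliant "name + birth year + symbol" password. Assumed model
#    of how it was built: a first name from a list of ~5000 common names, a
#    year from a 70-year range, and one of ~10 symbols people actually type.
NAME_YEAR = compare("Robert1975!", [5000, 70, 10])

# 2. An xkcd-style passphrase: four words drawn at random from a 2048-word
#    list, the assumption behind xkcd's 44-bit figure.
PASSPHRASE = compare("correct horse battery staple", [2048] * 4)

if __name__ == "__main__":
    for result in (NAME_YEAR, PASSPHRASE):
        years = years_to_crack(result["generation_bits"])
        print(result, "~%.4f years at 1e9 guesses/s" % years)
```

The policy accepts the name-and-year password and rejects the passphrase, while the generation-based estimate says the passphrase is roughly 22 bits (about four million times) stronger.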

End of an Era at Infosys

Yesterday, N R Narayana Murthy retired from Infosys. In a touching farewell in Bangalore, friends and colleagues, present and past, bade him goodbye. There were breaking voices amongst the speakers and moist eyes in the audience. It was a great send-off for a great leader.

To Indians everywhere, Narayana Murthy means something special. For those of us in business, he didn’t just build Infosys into the global powerhouse that it is today. On the way, he set the standards in so many ways for the rest of corporate India – corporate governance, ethics and values, quality – and showed Indian industry what it meant to be world-class.

To ordinary Indians he is their inspiration. He makes them believe in themselves. That ordinary people with nothing except talent and ambition can make it big in modern India. And on the way, they don’t have to compromise on their values.

To me Mr. Murthy epitomizes what being a leader is about. I won’t even attempt to capture that in a few sentences because I can’t do it justice. But here’s a personal story that is pure Mr. Murthy.

One day in midtown Manhattan, I was walking with Mr. Murthy to a meeting. It was probably 1997 or thereabouts. Infosys was under $50 million in revenues and we were an inconsequential speck in the IT industry.

In midtown, we were surrounded by these skyscrapers adorned with the names of Fortune 500 companies. Suddenly, he stops, looks up at one such skyscraper and says “Basab, one day we’ll have our name on one of these buildings”.

That’s the way he is. Somewhere between ambitious and wild dreamer. The first step to being a great company is to aspire to be a great company. He knew that then. We know that today.

We will miss him being at the helm. Au revoir, Mr. Murthy!

Can You Write a Full Sentence of More Than 140 Characters Anymore?

In the IT Services industry you have to be able to write code. And English. In fact, not being able to write code may be alright. But without English you just can’t function.

And yet, it is surprising how little attention is paid to written communication skills. The BPO industry trained thousands of people in spoken English, often accompanied with accent training. But English writing skills get little attention.

Why are English writing skills so important?

Internal business communication in an IT Services company is entirely in English. The offshore model means that business matters that could have been transacted in a meeting or over the phone necessarily end up on email. If an email or design document is not well written, a whole day might go by before a clarification or correction can be made. Big waste of productivity!

Second, Indian offshore service providers work with clients who are used to dealing with consultants who typically have excellent writing skills. In western markets particularly, writing with clarity and even flair is a mark of a good education. That’s what you get compared with.

Over time, most clients on the IT side of the house have adjusted their mental models and no longer automatically connect good writing skills with IT skills. But as we start going in front of business, the same problems will start surfacing again with a new set of clients.

Nominally, Indians in the IT Services industry were educated in English medium schools. I would guess that over 90% of the industry took their XII board exams in English medium. But when it comes to writing English, unfortunately, that doesn’t mean much.

Indian high school education is all geared towards college entrance exams. Entrance exams for engineering colleges don’t test on English. The Physics, Chemistry and Math exams are entirely (?) multiple choice. As a result, nobody cares about English at school. Correction – nobody cares about any language, period.

And then came the mobile revolution. The kids coming out of college now write emails, the way they text. Short, unintelligible sentences full of typos. Not surprising since for them words texted far exceed words written in full sentences in email or any other form of writing.

Go to the comments section of any Indian publication online. You’ll see what I mean. I can’t understand half of what’s written there.

This is actually now a crisis. I believe that with the new generation, writing full sentences is just not cool any more. Every idea must be conveyed in 140 characters or less. Much of it will be SMS English. There will be typos galore, because, you know what, I am too busy to review what I just wrote. If you can’t understand what I’ve written that’s your problem.

As always, the industry will have to come up with its own solutions. We can never rely on the Indian education system to meet our needs. But unlike technical knowledge, it is really difficult to start writing well if you have ignored it in school and college.

In Which Basab Gets UIDed

A couple of weeks back, I was in the Infosys Bhubaneswar offices. On Friday, which was my last day at work before my vacation, UID enrollment was going on on campus. SBI, one of the agencies entrusted to enroll people into Aadhaar, was going to be at Infosys for a week.

I decided that I must get enrolled. There would never be a better chance. And so I did. But it took me two trips and 3 hours.

UID, or Aadhaar as it is called, is India’s unique identification project. It is a massive, in fact the biggest, biometric identification program anywhere in the world. It is quite different from programs like the US Social Security program or any country’s passport or driving license programs. Its sole focus is on unique, infallible biometric identification. It does not have any benefit or purpose associated with it. Rather, it is designed such that any benefits program (like the Public Distribution System) or regulatory purpose (identification of bank account owners) may use the Aadhaar infrastructure.

It will be cheap, fast and near infallible. Say you walk up to a bank to open an account. You fill up a form that states your name, UID number and maybe even father’s name and address. Then, you peer into a lens that scans your iris and sends its data and the data from the form to the UID system. The UID system simply sends a Yes or a No – Yes this person, whose iris you scanned, is who he claims to be (name, father’s name etc.). The system will never send back your name, father’s name etc. Just a yay or a nay. Clever.

Actually, it is clever in other ways too. By avoiding a direct connection with any benefits program, it entirely avoids the politics surrounding any benefits program. Also, the government plans to run only those parts of the system itself that it absolutely must. The rest is being outsourced. So we will hopefully not build up a huge bureaucracy to run Aadhaar, just a small one.

The original team that worked on the UID project had many team members (and its program manager, Raj Mashruwala) who came from tech companies in the Bay Area. I attended a talk and panel discussion about UID by some of them at Google in Mountain View a few months ago.

Most Indians are cynical about corruption and so a common refrain you will hear about Aadhaar is that politicians and bureaucrats will never let it succeed because it will make leakages in benefits programs so rare. One of the panelists at the event was an ex-IAS officer, now entrepreneur. He said that pols and bureaucrats, especially the ones in New Delhi, won’t mind at all if petty corruption of the kind you find in PDS and NREG went away. In fact, pols might want to take credit for eliminating this most visible form of corruption. The big bucks are anyway in scams like the 2G scam, where UID has no role to play.

So anyway, back to my own odyssey to get enrolled in Aadhaar. At 5pm on Friday, I wound up my work and went and stood in line. There were probably 15 people in front of me. A form was handed out, which I filled out, but not without having to ask for help. Why is there a “Relationship” field after “Father’s Name”? It may not have been this exactly, but there were a few totally befuddling fields to enter.

The line was moving really, really slowly. When my turn came, it was close to 6:45pm. And then I discovered why.

There were two stations. At the first station, the form you had filled out was entered into an application on a computer. The trouble was that they (Aadhaar or SBI, I don’t know who) needed the fields to be populated in both English and Oriya.

Now typing in Oriya using a QWERTY keyboard needs special skills and a special keyboard. The next best thing is to type in English and transliterate. The enrollment application used Google Translate’s transliteration service. Which is pretty nifty, but only in the hands of a trained operator. The woman at the first station was, shall we say, less trained. As a result, the Oriya part of the form was taking forever.

Eventually, I had to ask her to step aside and let me do it. I can’t read Oriya. So I would type in Roman, transliterate and then she would tell me if it was OK or not. We made some progress. But even with this arrangement, something like “R. K. Puram” proved extremely difficult.

Just after 7pm I got done with the data entry. Now onwards to station 2. Station 2 was for fingerprinting, an iris scan and a photograph. But just my luck. As soon as I sat down, the network connection just disappeared. The operator couldn’t pull my record from Station 1.

The operator tried various things, which to me looked like a variety of paths to reach the same file folder on the other computer which was no longer connected. Then he would jiggle some wires and try the same series of things again.

Doing the same thing again and again and expecting different results is called insanity. Or a random number generator. Windows is somewhere between the two. Sometimes it actually produces results. So I let him keep trying for 5 minutes before I asked him to call his supervisor.

He called (not phone called, just called out loud). The man was getting a cold coffee at the coffee station across the hall. He got back with his drink in another 5 mins.

He tried the same thing a couple of times. But not for too long. He seemed to have had some experience with the mysterious ways of Windows. He rebooted. Another 7 minutes.

Now, finally, the operator had my record. The iris scan was a snap. Next was the fingerprinting. No problem. And then, what should have been the easiest thing, taking a photograph with a webcam, didn’t work. And finally, that’s when I gave up.

I had a scheduled call at 7:30pm. I left at 7:25pm, disappointed. I wasted 2.5 hrs of my life and had nothing to show for it.

People say that the profit motive automatically brings in efficiency. This was a clear example of how that is often giving credit where credit is not due. SBI is enrolling people into Aadhaar because it has a vast network and great reach which positions it well to profit from the exercise.

But I doubt if SBI is making money at this. Their costs per day per enrollment center are fixed. They probably get paid per enrollment. But if enrollment is this slow, how can they turn a profit? Simple things like investing a little bit in training, better software and a wireless network instead of wires going all over the place could easily increase throughput. But apparently it hasn’t occurred to them yet.

I also didn’t understand why Aadhaar requires information from enrollees in both English and the local language. Couldn’t it be in one or the other?

Anyway, my story ends on a positive note. I went in to the office on Monday evening just for this. Somebody had already confirmed that my record still existed. All I had to do was get my biometrics recorded. I did, and now I am enrolled in Aadhaar.

The Two State World View and BYOC

Photo: Johan Larsson

I rejoined Infosys on June 1 as Head of Global Sales. It’s been quite easy slipping back into the saddle on most fronts. The one that took a bit of adjusting to was my gear.

Startups don’t have IT policies. For the past few years I have been using email in the cloud, a MacBook and an Android phone, and have not been within miles of a SecurID card. All that changed overnight.

Infosys, like most major corporations, takes information security very seriously. Actually, because its policies have to be at least as strict as its most security conscious clients, Infosys is probably an outlier, even in the corporate world.

All very necessary and reasonable. But I am going to miss my personal tech freedom. Most people who have gone back to work for a large company know what I am talking about.

The world around them is changing, and companies will have to respond to it. Current IT policies are based upon a “two state” view of the world. It sees the “employee at work using company computing infrastructure” and “employee on her own time, on her own device” as two states, separated by time and space. This is increasingly untenable. Not only does it not reflect the reality of the life of information workers, it is also easy to argue that this view of the user is not in the interests of the company.

In today’s shrinking world, a major corporation is open for business in some part of the world at all hours. Employees have to be open to this 24x7, always-on kind of work environment. The boundaries between company time and personal time are blurred. Should the employee have to keep switching between company and personal devices?

If I go for a two-week trip to Asia Pacific and carry just my company devices with me, can I put my personal life on hold? I might have to pay my bills, answer personal email and yes, even look up my friends on Facebook. I might want to catch my favorite weekly show on HBO. Should I have to carry two laptops?

I could also argue that IT policy based upon this “two states” world view is not in the interests of the company. Let’s say a new employee is hired into a tax advisory firm. He is an expert in say cross-border taxation issues. For years he has kept notes in Evernote. But now he can’t bring those notes inside the firewall because of the lock-down environment in the company. That can’t be a good thing for the company.

Further, the taxation expert has a Twitter account and a blog which connect him to other experts and people interested in his field. These are personal accounts, but the company gains from his network and reputation. The company gets leads because of his online presence.

Another problem is the consumerization of computing technology. There was a time when the IT department could standardize on Windows and Blackberry and few employees would be disappointed. But now Macs are a real corporate alternative. And iOS and Android phones and tablets outnumber RIM devices. Their users love them and will keep the pressure on IT to let them use these devices.

Fragmentation always costs more and IT departments hate it. But how long will they be able to hold up against employees who want their own device?

Which is why regardless of the challenges, Bring Your Own Computer and Bring Your Own Device are here to stay.

Bollywood Digital Music and the Galapagos Effect

Today was Mother’s Day. My gift for my wife was a compilation of Bollywood songs on a CD that she can play during her commute. I spent a good bit of time on Saavn and iTunes to put the compilation together. It got me thinking about the Indian digital music scene once again.

Saavn is a new and upcoming internet music streaming service for Indian music. You can stream any song in their very comprehensive library on demand. The quality of streaming is pretty good, at least out here in the US. The website is simple to use, though some minor UX issues could do with some attention. (btw, why don’t songs have composers as a field?)

You can make your own playlists, or just play playlists that other people have saved. I used their Weekly Top Songs as a jumping off point for my compilation.

Raaga is a competing website that has been around longer. Both these websites have the same ad supported business model. Currently, it is mostly display ads. Eventually, I expect audio ads. Both websites have Android and iPhone apps.

Overall, this ad-supported on-demand streaming model seems the most interesting thing happening in Indian digital music. They have completely handed over control of the download business to Apple, which is a shame. But that’s a different subject.

Funny thing is, this model doesn’t exist for digital music in the US. Here, on demand streaming is like owning the song. With wireless broadband now, for all practical purposes, one is never cut off from the cloud. If I can stream any song at-will, with high quality streaming it’s not very different from owning it.

In the US therefore, there is no ad-supported on-demand streaming model. You can subscribe to a whole library for a period of time which means more $$ (Rhapsody). Or you can buy and download all the songs you want for much more $$ (iTunes). [In Europe, Spotify is a little like Saavn, which is why they are having trouble entering the US].

Then there is the ad-supported model called internet radio. The differentiating characteristic of internet radio is that the user has no control over what song is played next. Pandora, the leader in this model, is expected to have an IPO soon. In India Bombay Production follows this model.

How is it that Indian digital music seems to be evolving very differently from western digital music? The answer is what I will call the Galapagos effect. Just as unique species developed on the Galapagos Islands (or Madagascar) because they were cut off from the mainland, Indian digital music is insulated enough from the western industry that it can and will mould itself differently.

Copyright law is very tricky. It differs from country to country. Which is why you can’t get Pandora outside the US. Or Netflix. Or many books on the Kindle. It also works the other way, as in the case of Spotify.

Indian copyright law is different enough that Pandora or Rhapsody is going to avoid the hassle and instead focus on its US business.

But that’s not all. Broadband infrastructure is a key enabler for digital music. In India, that infrastructure so far has been well behind developed countries’. In fact, it might be argued that so far, the target listener for Saavn like companies has been mainly the NRI. This might change soon as broadband and 3G penetration increase.

So, while Pandora, Spotify and Rhapsody pass on the Indian market, it leaves white spaces for startups to exploit. That is, until Apple decides to go after the Indian market. They already have almost the entire market for Indian digital music. And they are rumored to be planning a cloud service for streaming your music. Which will be easy to extend since Indian copyright laws allow it.

In the meanwhile, I’m not complaining. I get to listen to any song I want on Saavn for free. If I’m feeling lazy I go to Bombay Production. It’s free and uninterrupted. Pretty good deal.

But I worry about the future. I want Saavn to survive. This morning I spent 2 hours on pulling together my compilation. Most of that was on Saavn which was incredibly useful. But then I went and spent $20 on iTunes. Doesn’t seem fair.

When Does a Services Company Need Products?

Never.

That is, according to Mark Suster, who has a superb post on TechCrunch:

They [a services startup] have created two internal technology “products” and wanted to figure out how they could turn their services business into a product business that could be financed. This team is talented. They wanted advice. And probably some money.

I gave them advice I don’t think they were expecting from a VC:

“Don’t raise venture capital for this business. Ever. And stop effing around trying to create a product company.”

The post covers a lot of ground, much of which will be of interest to services startups. But some of it applies to big services companies as well:

I saw this first hand. My first career was at Andersen Consulting (one of the largest services businesses in the world). We built a hugely successful global services business yet we never got over our product envy from watching our tech clients. So we created internal software projects and all of the internal consultants on those projects became blowhards who thought they knew how to create software product businesses.

We stunk at every product we ever created. We had no sense for gathering real customer requirements. We over-spec’d products. We built for our over-intellectual selves. I can’t think of any great software tools ever created internally by Andersen Consulting. We were a great services business. Period.

Most of the bigger offshore services companies have some kind of active strategy to acquire a stream of non-linear revenues. Some people expect this to consist of product-like revenues. In our forthcoming book we argue that tech products are a very different business from services. And given their lack of skills and management experience in the products business, services companies are going to find the going tough.

Fortunately, services companies don’t need to be “rescued” by products. They have ample opportunity to differentiate themselves within the ambit of services itself. The role of retained or developed technology IP doesn’t have to be wrapped up into a product to create value. The beauty of a services business is that there are so many ways in which you can extract value from a client, as long as you have something that they can’t get from the next company.

And yes, some of it might actually be license or subscription fees. But hopefully, you’re not banking your company’s future on it.

Genpact Acquires Headstrong

Genpact acquired Headstrong for $550 million in cash.

Headstrong’s revenues for 2010 were $217 million. Genpact’s were $1.26 billion. So unlike iGate’s acquisition of Patni, this isn’t remarkable in the minnow-swallowing-whale fashion.

Nevertheless, the acquisition is a sensible one. It is largely complementary in that Headstrong is mostly about IT Services to Capital Markets. Very little overlap with Genpact. Again, unlike iGate-Patni, this was about complementarity, not about achieving scale.

Genpact had to bulk up its IT Services business. IT Services offers both higher margin and higher growth. Both of which Genpact has not been able to deliver, at least to the satisfaction of investors whose expectations are benchmarked to the early days of the IT Services industry.

Genpact’s sophistication in BPO means that most of their growth comes from solutions where IT applications must be implemented or reengineered. Headstrong will bring them a lot more credibility, especially with custom applications.

And finally, even if the IT and BPO work are not joined at the hip in the same solution, having both offers cross-sell opportunities.

A few months back I had written about Cognizant’s rumored interest in Genpact. Eventually, nothing came of it. But I thought that that would have been a very good combination. Sort of a dream team – the fastest growing services company and the best BPO company.

Obviously, I don’t know whether the rumors were true or not, or what transpired if indeed there were serious discussions. But if I were to go out on a limb, I would say that they did have discussions. Maybe they didn’t agree on the price, maybe there were disagreements about the future of the combined company. Whatever the reason, the deal did not go down.

Which left Genpact in the position of being the leader in BPO, an industry that was very promising in the future, but an underachiever in the present. They had to do something to fix that. And so they acquired Headstrong.

This is a good time for bankers in the Offshore services industry. More transactions are to be expected. Watch this space.

Week’s Tweets 2011-03-27

  • Ghalib quoted in Lok Sabha, pulling the quality of discourse several levels higher http://t.co/Wda2ucc
  • Apparently, my watching an India match does not always adversely affect the outcome. Will need to collect more data…
  • Stunning! US corporate taxes fell from 30 percent of federal revenue in the mid-1950s to 6.6 percent in 2009. http://nyti.ms/eyliJD #fb
  • I am seeing patch.com news a lot more in Google News. Is hyperlocal news the one defensible piece in the news business?
  • Stupid, unsafe feature that thankfully doesn't work. | $23,000 App That Comes With a Car – http://nyti.ms/erTdLo

Week’s Tweets 2011-03-20

  • Which Traits Predict Success? (The Importance of Grit) | Wired Science | Wired.com – http://t.co/syOZX9n
  • Beware! Speak Asia Online Pays Money For Filling Surveys – Legit or Scam? | Amit Agarwal – http://t.co/oo51qxf
  • Donate to Red Cross or MSF but don’t donate money to Japan | Felix Salmon | http://reut.rs/i3ovNN
  • Imagine if your ISP charged a fee on every email. Now imagine if financial payments attracted no fees | http://reut.rs/em7GIn
  • Seems like something useful will finally come out of all that Google Wave work. Looks interesting http://t.co/q9IP3Fc
  • "Erase all traces of my memory" directive to Facebook. EU to force social network sites to enhance privacy http://t.co/b0afuba via @guardian
  • No-fly zones are for the birds | Roger Cohen – http://nyti.ms/gYMGQs