Art of invisibility, between the lines; Model-watching before mine-digging; Are your people ready for mature content?; The fuzzy world of intelligence imitation

Books2Byte – August 2003


Art of invisibility, between the lines

D. Murali

If you want to know all about hiding encrypted messages in ordinary-looking data files, just read on.


SECRETS are whispered, conversations are too dull, and loud banter is usually worthless. Plain text is normally no challenge, but code messages, like locked vaults, hold the promise of value. So, routinely, e-mails and files are encrypted and transmitted as confidential communication, but there is a better alternative: Steganography. Your Word package would redline the word as unknown, but this is the old art of `hiding encrypted messages in ordinary-looking data files, making the very existence of the messages practically undetectable’. Well, that is how Finance Ministers throw bombshells of taxes during the course of boring speeches, but Eric Cole explains the whole art of `covert communication’ in “Hiding in Plain Sight”. Read on:

  • One of the earliest examples of steganography involved a Greek fellow named Histiaeus. As a prisoner of a rival king, he needed a way to get a secret message to his own army. His solution? Shave the head of a willing slave and tattoo his message. When the slave’s hair grew back, off he went to deliver the hidden writing in person.
  • Today terrorist groups are on the cutting edge of technology. They use computers, the Internet, encryption, and steganography to conduct business. If their cryptography is good, it can take decades to crack. If they use steganography, their transmission of data may go completely undetected. I randomly downloaded 500 images from eBay, and over 150 had data hidden in them. Somebody out there is very busy.
  • An electronic watermark is an imprint in a document file that you can use to prove authenticity and to minimise the chance of someone counterfeiting the file. Watermarking is used to hide a small amount of information in an image and to do it in a way that doesn’t obscure the original document.
  • Information theft in the US costs approximately $59 billion a year, according to a recent survey by the American Society for Industrial Security, PricewaterhouseCoopers, and the US Chamber of Commerce. The most common types of information stolen are R&D data (49 per cent), private customer information (36 per cent), and financial data (27 per cent).
  • One vision of the future is something called the Personal Net. In this scenario, we will all manage our own data, communications, and security. No longer will we trust our information and identities to a public Internet, which we already know to be dangerous and lax about security.

Do you see the writing on the wall?

Bake in, not paint on


Your company may not be world-class but does that have to stop you from having a world-class digital security system? Such a system would have security `baked in’, not just `painted on’. And, according to “Defending the Digital Frontier: A Security Agenda” by Mark W. Doll, Sajay Rai and Jose Granado of E&Y, your system should have six characteristics: Aligned (with overall objectives), enterprise-wide, continuous, proactive, validated and formal. The authors introduce the `Restrict, Run and Recover’ model to detect, and react effectively to intrusions, because digital threats know no borders and honour no limits. A sampler of security:

  • Confidentiality, integrity, and availability (CIA) are the most basic premises of information protection and therefore, are the central tenets of any digital security program.
  • Any comprehensive digital security program must satisfy three critical mandates: It must enable the organisation to protect and monitor access to systems and data; it must enable the organisation to operate at the highest level of productivity while enhancing performance to the degree possible; and it must enable the organisation to sustain an attack, absorb the impact, and regain full functionality, and do so within a time-sensitive context.
  • Knowing that everyone accessing a system is there by invitation or permission is necessary because threats and vulnerabilities can appear with little warning. When systems administrators know who is accessing a system and have defined what is normal behaviour for that system, they are better able to determine when something is not right, and better able to determine if an anomaly should be elevated to the status of a potential security incident.
  • 2002’s top 10 digital security threat vectors are: Digital infrastructure attacks, attack propagation, patch timing, evading radar, distributed tools, dynamic payload, multipurpose tools, anti-footprint techniques, wireless technology and mobile devices.
  • Security counter-measures must be taught on a need-to-know basis. Everyone in the organisation must learn basic logon procedures in order to be functional; everyone does not have to know what monitoring software is in place, where the surveillance cameras are, or that entrance to the executive-level floor requires biometric authorisation.

A book that can help in drawing the agenda.

Between Scylla and Charybdis


The path to corporate graveyard is laid with well-crafted strategies, and the cause of death, usually, is the chasm between the plan and the implementation. Why do so many well-intentioned businesses fail at bridging the divide? This is the question that the book “The Strategy Gap” by Michael Coveney, Dennis Ganster, Brian Hartlen and Dave King of Comshare seeks to answer. The authors suggest a process to effectively execute strategy by integrating best practices for corporate performance measurement (CPM) techniques with state-of-the-art information technologies. There’s more:

  • Enterprise Resource Planning (ERP) is the wrong vehicle for implementing strategic plans just as a farm tractor is the wrong vehicle for taking a family on vacation. The main reasons are the complexity of these systems for users and their closed architectures, which make it difficult to integrate non-ERP data. All ERP systems are focussed on transactions, not strategy. The very reason why traditional planning, budgeting, forecasting, and reporting systems fail.
  • Financial myopia is not the only problem plaguing many of today’s performance measurement systems in operation. Measurement overload and measurement obliquity are also major problems. It is not uncommon to find companies proudly announcing that they are tracking 200 or more measures at the corporate level. It is hard to imagine trying to drive a car with 200 dials on the dashboard.
  • Multidimensional databases were developed to overcome the limitations of relational databases. These store data in `cubes’ that combine the various business dimensions of an organisation.
  • There are fundamentally two ways to increase your competitive advantage: lower costs or increase differentiation. Any analytical application that increases understanding of costs, products, or services is a strategic application, one that increases a company’s competitive advantage.
  • Executives and organisations that develop and demonstrate strategic (financial and non-financial) thinking, understand how to apply technology to impact the organisation’s strategy, and add value and communicate that value to shareholders will be able to bridge the gap from strategy to execution.

Otherwise, it would simply be the execution of the firm.

(Books courtesy: Wiley

Wednesday, Aug 06, 2003

Model-watching before mine-digging

D. Murali

Target models in data mining can help companies use information wisely. But here’s some vital advice: Always test your model on data not used in model development.

WE have grown on a diet of sayings that exhort us to seek truth by introspection, since `light is within’ and one has to `find oneself’. Data mining grows out of this philosophy – that much of what puzzles any business can be solved if only they found out the hidden realities. “The world of data mining is experiencing an information explosion,” writes Olivia Parr Rud in Data Mining: Modeling Data for Marketing, Risk and CRM. “To enhance their data mining efforts, many companies are diligently collecting, combining, and scrubbing data. Companies new to data mining are revamping their databases to allow for easier access and extractability.” How to handle the data explosion? Use targeting models, advises the book. There is more to mine:


  • As markets mature in many industries, attracting new customers is becoming increasingly difficult. This is especially true in the credit card industry, where banks are compelled to offer low rates to lure customers away from their competitors. The cost of acquiring a new customer has become so expensive that many companies are expanding their product lines to maximise the value of existing customer relationships. A customer who is already happy with your company’s service is much more likely to purchase another product from you.
  • The primary risk in banking is failure to repay a loan. In insurance, the primary risk lies in a customer filing a claim. Another major risk assumed by banks, insurance companies, and many other businesses is that of fraud. Stolen credit cards cost banks and retailers millions of dollars a year.

Strong relationships have been identified between financial risk and some types of insurance risk. For instance, credit payment behaviour is predictive of auto insurance claims.

  • One of the cardinal rules of model development is, “Always validate your model on data that was not used in model development.”

This rule allows you to test the robustness of the model. So, before the model processing split the file into the modelling and validation data sets.

  • The life of a model depends on a couple of factors. One of the main factors is the target. If you are modelling response, it is possible to redevelop the model within a few months. If the target is risk, it is difficult to know how the model performs for a couple of years. If the model has an expected life of several years, it is always possible to track the performance along the way.
  • Churn models, also known as retention or attrition models, predict the probability of customer attrition. Because attrition has such a powerful impact on profitability, many companies are making these models the main focus of their customer loyalty program. Measuring attrition is easy. Defining an attritor is the challenging part.

Something that the marketing chaps need to read, with help from the systems.

How to become a hardcore gamer?

BOOKS are serious business, but games aren’t. How about a book on games? “Monster Gaming: A Beginner’s Guide” by Ben Sawyer is for “gamers who want to join the ranks of hardcore gamers”. The book covers everything you need to know from buying and setting up high-end game systems, creating killer audio systems, making PC mods to increase performance, and modifying games.


As the back cover explains, there is input on how to tweak your machine, compete in tournaments, find game servers, and participate in retro gaming. A few picks:

  • The entire PC industry is in a massive slump bigger than we’ve ever seen in our lifetimes. But there is one bright spot – gaming.

The entire arena of skins and PC mods has its roots in gaming. Major car manufacturers are asking designers of games like Ridge Racer and Gran Turismo to consult on their actual new cars. Sony, which makes billions of dollars, recently had three quarters of its profits attributable to games.

This from a company that makes half of the world’s TVs, owns a movie studio, and a record label.

  • Most strategic management games revolve around resource management techniques and solving them is a matter of understanding how the resources work.

To be good at these games you need to learn to parse the decisions you make into a good “flow”. Most strategic management games include a lot of various moves, reports, and overall data.

  • The only thing growing faster than the world’s insatiable appetite for speed and better graphics may be its need for more storage.

Thirty Gigs seemed enough before I went and installed 25 games on it, ripped 200 CDs, and stuck 1,000 high-res digital phots on my hard drive. The bottom line is that you can never have too much storage.

No monster gamer wants to swap out one game to make room for another. That sucks.

  • Display technology has advanced much slower than other computer technology such as processors, sound, and storage.

Fortunately, there are some big things on the horizon. A few companies are working on holographic screens. This isn’t like Star Wars per se. It’s more like a picture projected onto a piece of floating glass in mid air. It’s a very neat effect.

Another major display technology in development is called Organic Light Emitting Diodes (OLED). This technology enables the actual screens to project light so a separate source of light isn’t needed.

OLED is used now with some PDAs and cell-phones but eventually it could make it to screens. The cool thing about OLED screens is that the surface they work on might actually be incredibly flexible enough so that you could have a giant screen that rolls up and fits in a small case (imagine a 50-inch portable display).

  • Good game artists are illustrators; they can produce any scene required by a design specification and work within the technical constraints of a project. This could mean producing a killer beast with less than 400 polygons that looks like a cross between a lion, alligator, and eagle.

Artists also need to be able to work very quickly. Beyond that, they need specific skills with whatever art tools are used.

Most shops demand that their artists use their standardised tools but most skilled artists should be able to make the jump from one 3D product to another.

Are you game enough?

(Books courtesy: Wiley Dreamtech India P

Wednesday, Aug 13, 2003


Are your people ready for mature content?

D. Murali

How do you implement improved workforce practices? Here’s more on people CMM for software organisations.


BEFORE Arnie became a candidate for elections, he was Terminator; and before that Conan the Barbarian. Likewise, CMM (short for Capability Maturity Model) has been continually maturing. Watts Humphrey and his colleagues at IBM developed the original concept for the CMM in the early 1980s. The concept, in simple terms, is that the quality of the product is related directly to the quality of the process used to develop it. Then came SW-CMM for software, P-CMM for people and so on. The Software Engineering Institute of Carnegie Mellon University defines People Capability Maturity Model (People CMM) as an organisational change model designed on the premise that improved workforce practices will not survive unless an organisation’s behaviour changes to support them. Raghav S. Nandyal’s book “People CMM” is a guide for improving people-related and workforce practices and seeks to interpret people CMM for software organisations. Read on:

  • People CMM practices have little applicability to organisations that are either complacent by virtue of being too unmanageable or have a hard time dealing with empowering individuals like government operations and government-owned businesses with deeply entrenched notions of hierarchies and seniority rather than merits of knowledge and application of skills and talent.
  • People CMM is organised into five maturity levels: Initial, repeatable (renamed as managed), defined, managed (renamed as predictable) and optimising. Each maturity level is made of a group of process areas. A process area is a collection of practices which, when established, fulfils the purpose and therefore the accomplishment of goals leading to the establishment of organisational maturity.
  • There are managers who are the typical Type A bosses, seen to be stepping on the toes of engineers, modifying designs without adequate rationale and virtually handing out instructions for how things ought to be done. A deep sense of insecurity could be the reason for “It is my way or take the highway!” This leads to a high churn rate that further deteriorates competency development.
  • A higher process capability communication and coordination process area becomes visible when people feel and exhibit an open sense of loyalty to their employer and to the group they belong. Employee suggestions for change or about circumstances are automatic and forthcoming – as if it was their birthright. One does not need to goad people into speaking up.
  • Knowledge is represented as two components in Chinese Kanji characters. The first pictogram depicts a child standing under the roof of a school – the learning component. The second pictogram depicts a baby bird struggling to fly out of the nest for the first time – the practice component. Any organisation can be at level 5 for just five minutes. Only an empowered workforce can make the day-to-day changes that are required to operate and keep a level 5 process at level 5 for more than five minutes.

CMM (that is, come, make the most of) People-CMM.

In search of quality


Latin’s qualis, meaning `of what kind’, lies at the root of the word quality. ISO 9000:2000 defines quality as the degree to which a set of inherent characteristics fulfils requirements. ISO 9001:2000 is the standard to which organisations can be assessed and certified. It is the standard that is used by third part assessors for certification. Its predecessor was the 1994 version. The book “ISO 9001:2000 for Software Organizations” by Swapna Kishore and Rajesh Naik is aimed at providing assistance to companies that have to upgrade from ISO 9001:1994. The ISO 9001:2000 is a generic standard applicable to all types of industries. It is written in a semi-legal language, observe the authors. “While this provides the precision required in an auditable standard, it makes understanding and implementing the standard very difficult.” So, some help:

  • Quality management system (QMS) helps organisations achieve quality objectives. It also provides a framework for continual improvement so that the satisfaction of customers and other stakeholders can be enhanced. Since QMS derives from and has to be consistent with the quality policy, its approach starts with establishing the quality policy. The needs and expectations of customers and other stakeholders are determined.
  • The new standard requires procedures that explicitly cover six areas. These are: document control, control of records, internal audits, control of non-conforming products, corrective actions and preventive actions. The 1994 standard required documented procedures for more areas.
  • One important concept while monitoring and controlling a project is that of using thresholds. If thresholds are defined while planning, these can be used while monitoring to decide whether action is required for a deviation. Exceeding the threshold becomes the trigger for identifying and taking action.
  • While selecting the software subcontractor, special attention has to be paid to the process that the subcontractor uses for performing software engineering and management activities. This is because software quality is best assured by using a good software process.
  • The certificate issued for conformity to ISO 9001:2000 is a time-bound certificate. Typically, it is valid up to three years subject to the organisation satisfactorily passing the periodic surveillance audits that the certification body requires. Such audits are done every six months to ensure that the organisation continues to conform to the requirements of the standard.

Join the quality queue.

What’s new?


To thrive tomorrow, we need to create visionaries today who can see and seize opportunities and not be daunted to be petrified by the adversities. Thus exhorts the back cover of “Corporate Creativity – the Winning Edge” by Pradip N. Khandwalla. “We need to better understand the nature of creativity in the workplace,” urges the author. There’s more:

  • Mechanisms of divergent thinking consist of ways by which the mind generates novel, imaginative, offbeat, and unusual alternatives. Listing of alternatives without evaluating them is a powerful mechanism of divergent thinking. Another way of generating novel ideas is to take the currently accepted solution to a problem and ask what its opposite could be.
  • Aer Lingus of Ireland used its airline computerisation skills for marketing turnkey reservation systems. It utilised its engine overhauling capabilities by opening an overhauling plant to service other airlines. Leveraging its personnel management strengths, the airline took a contract to equip and manage a hospital in Baghdad, and a contract for the management of nursing homes in the UK. In the age of outsourcing, in-sourcing, that is, taking in outside business by leveraging the organisation’s functional management strengths, opens up a new way of growing.
  • Peter Drucker has discussed three forms of innovations-based competitive strategy. The first is the `fustest with the mostest’, where the organisation keeps innovating pioneering new products or services and eliminates competition for a while. The second is `creative imitation’, where the organisation leverages some other organisation’s innovation, and comes up with a product or service whose uses were not intended by the original innovator. The third is `entrepreneurial judo’ where the organisation identifies a neglected niche to dominate.
  • Intrapreneurship is internal entrepreneurship. The way it works is by the management making it known that it will entertain any novel product idea, even if it is a far out one, from its employees, and indeed also outsiders.
  • The leader need not personally be very creative. But it is important that he/she respects and understands creativity, and regards as a chief task the nurturance and evocation of creativity in team members.

So, you have a choice – to be creative or to be a leader.

(Books courtesy: Tata McGraw-Hill Publishing Co

Wednesday, Aug 20, 2003


The fuzzy world of intelligence imitation

D. Murali

Technology is helping us answer questions such as whether it is possible to create a machine that can think. Welcome to the world of Artificial Intelligence.


SOME are wise, and the rest otherwise. There are the haves, and the have-nots, the endowed and the deprived. For those who feel bereft of natural intelligence, there is the AI to help, artificial intelligence, that is. An area that is the preserve of the high-priests, but M. Tim Jones demystifies AI techniques in “Artificial Intelligence Application Programming”, a book that covers a wide variety of AI techniques and concepts such as neural networks, genetic algorithms, intelligent agents, rules-based systems, ant algorithms, fuzzy logic, unsupervised learning algorithms, and so on. A sampler of AI:

  • Many philosophical questions followed the idea of creating an artificial intelligence. For example, is it actually possible to create a machine that can think when we don’t really understand the process of thought ourselves? How would we classify a machine being intelligent? If it simply acts intelligent, is it conscious? If an intelligent machine were created, would it be intelligent or simply mimic what we perceive as being intelligent?
  • Although ants are blind, they navigate complex environments and can find food some distance from their nest and return to their nest successfully. They do this by laying pheromones while they navigate their environment. This process, known as stigmergy, modifies their environment to permit communication between the ants and the colony as well as memory for the return trip to the nest. What is most surprising about this process is that ants tend to take the best route between their nest and some external landmark. Ant algorithms are interesting because they share some of the fundamental qualities of ants themselves. Ants are altruistic, cooperative, and work collectively toward a common goal.
  • Artificial life, or Alife is a term coined by Chris Langton to describe a wide variety of computational mechanisms used to model natural systems. Artificial life has been used to model agents trading resources in artificial economies, ecologies of insects, the behaviour of animals, and entities negotiating with one another to study models in game theory.
  • The greatest drawback to rules-based systems is the amount of time spent trying to match a rule with available working memory. A solution to this problem is the Rete algorithm, which shares intermediate information between rules to limit the number of matches that must be performed.
  • The methods to achieve AI can be divided into two broad categories: top down and bottom up. The top-down category is synonymous with traditional symbolic AI where cognition is a high-level concept and is independent of the lower-level details that implement it. The bottom-up category is synonymous with connectionist AI (neural networks); following closely the model of our own mammalian brains.

Interestingly, AI exploration would reveal more layers of one’s own intelligence.

Ants can bite


WE’RE not asking, “Where is Jakarta?” Rather, what is Jakarta? It is an open-source project with emphasis on server-side Java solutions. The Jakarta community has “exploded over the last couple of years with insanely popular – and useful – projects, including Ant, Cactus, and Struts,” write Bill Dudney and Jonathan Lehr in “Jakarta Pitfalls: Time-saving solutions for Struts, Ant, JUnit, and Cactus”. The technology is new, as are all those novel terms named after small creatures and thorny plants. “Many developers are inexperienced with these tools and are getting trapped by the same pitfalls over and over,” say the authors justifying the book. A taster:

  • A pitfall is a common, overlooked, unsound way of developing and designing software. The consequences of pitfalls vary: Some are as mild as slightly decreased performance, but some have more severe consequences, like slipping schedules, difficult maintenance, and lack of changeability. Cohesive code is easy to follow and understand because it flows logically. Code filled with pitfalls is hard to follow because it does not flow logically.
  • Console-based testing is the practice of using System.out.println in the test code and then visually inspecting the output to validate that the test subject is doing what it should. Most often, this common practice leads to a numb stare at the console as untold numbers of lines stream by. After some experience with this blank-stare syndrome, developers often resort to putting strange leading and trailing characters into the logs so that the output in question catches the eye.
  • Actions embody an application’s user interface logic. `Struts’ defines the Action class as a controller component; therefore, Action implementations should not contain business logic, which properly belongs in model objects. Instead, Actions should confine themselves to responding to user requests, requesting services from the business tier, managing the associated responses, and handling system events.
  • Ant is a great tool that has replaced make as the build tool of choice for Java developers. It is straightforward, simple to understand, and cross-platform, and it can be extended when necessary with a simple Java class. Even though Ant is easy to pick up, developers still build poorly with it, particularly due to bad planning. For example, the build file can grow over time to include everything that comes up.

If you’re still searching for Jakarta on the map, this book isn’t for you.

Fix your PIX


FIREWALLS are as much necessary for those trapped with Microsoft products while predatory worms snarl around, as for the jungle campers to ward off the wild animals. A firewall is a device, or a group of devices, that helps you implement your security policies to protect your company against network traffic threats. Thus defines Richard A. Deal in the book Cisco PIX Firewalls – the Ultimate Reference. Cisco’s product range covers the SOHO and the large enterprise demands, using the same OS and management tools. The heart of the PIX firewall is the Finesse OS (FOS) and it implements the actual firewall functions that the PIX hardware performs. A few picks:

  • Using a proprietary OS in a firewall solution makes it much more difficult for hackers to penetrate the firewall. Hackers are very familiar with the functions of common OSs like Unix and Microsoft products.
  • The PIX is a stateful firewall. So, it adds and maintains information about a user’s connection. The Adaptive Security Algorithm (ASA) implements the stateful function of the PIX firewall by maintaining connection information in a connection and translation table, referred to as an xlate table.
  • One of the main advantages of Network Address Translation (NAT) is that you have an almost inexhaustible number of private addresses at your disposal: over 17 million. When you use private addresses, if you change ISPs, you will not have to re-address your network – you only have to change your translation rules on your translation device. Because all traffic must pass through your translation device to reach your devices with private addresses, you have strict control over what resources, like the Internet, the external users can access on the inside of your network.
  • Embedding addressing information in the data payload can create problems for address translation devices, such as firewalls. Typically, an address translation device only translates addresses in the IP header and port numbers in the TCP and UDP segment headers – any addressing information embedded in the payload is ignored.
  • AAA helps you centralise your security checks and is broken into three areas: Authentication (who), authorisation (what) and accounting (when). There are three security protocols used to implement AAA: Kerberos, remote access dial-in user service (RADIUS) and terminal access controller access control system (TACACS+).

Strengthen your firewalls and lock the stables before the data-horses bolt away.

Books courtesy: Wiley Dreamtech India P

Wednesday, Aug 27, 2003


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s