news I read

Windows Help Centre Vuln

ha.ckers - Thu, 2010-06-10 15:17

Updated: clarified some points of contention.

Early this morning Google's Tavis Ormandy published a vulnerability in the hcp protocol handler. It allows the attacker to run arbitrary commands as the user. In practice it created a lot of alerts and warnings for me - but the XP install I was using is somewhat locked down. So I'm not sure how practical this attack would be over any other attack that causes an alert, as the article mentions. Later his report says it works around the alerts (I couldn't reproduce that, but that was his intention). Either way, though, this is some pretty amazing research. However, there are some odd things about this that really struck me the wrong way.

Google has been the loudest proponent for responsible disclosure in the past. But if you look at the dates in his post, he says he reported it to Microsoft on the 5th of June (a Saturday), who responded the same day. He sent the advisory early in the morning today, the 10th of June - meaning Google gave Microsoft less than 5 days [struck: to fix it] to respond to his demand to have it fixed in 60 days. Even Mozilla backed down from a 10-day turnaround, and they're only running a single software suite. [struck: How is that possibly reasonable to expect a company like MS to turn around a patch in 4-5 days and then get so upset that then you must go full disclosure?] (Incorrectly stated) And it's not like Tavis was acting on his own - he credits [struck: other security researchers inside of Google for their help] lcamtuf, who works at Google. So apparently it's okay for [struck: Google] Google's employees to go full disclosure, but not for other researchers. The hypocrisy is amazing.

See, here's the big problem. Either you are all about full disclosure (which is happening less and less these days), you use it only when you know the company won't react otherwise or has all kinds of other hinky things they do behind your back (the same reason I advocate full disclosure against Google), or you use responsible disclosure. Google says it adheres to responsible disclosure, but at the same time they [struck: give Microsoft 5 days to fix their 0day] agree to a 60 day patch cycle for exploit code that Google's researchers themselves created! From Google's own website:

This process of notifying a vendor before publicly releasing information is an industry standard best practice known as responsible disclosure. Responsible disclosure is important to the ecology of the Internet. It allows companies like Google to better protect our users by fixing vulnerabilities and resolving security concerns before they are brought to the attention of the bad guys. We strongly encourage anyone who is interested in researching and reporting security issues to observe the simple courtesies and protocols of responsible disclosure. Our Security team follows the same procedure when we discover and report security vulnerabilities to other companies.

… except when you don't. Then Tavis puts a patch up on a domain that, no offense to Tavis, is more sketchy sounding than a lot of malware sites out there (http://lock.cmpxchg8b.com). [struck: Do you really expect a billion XP users to download and run that?] (Non sequitur) There is evidence that it doesn't even work in some cases, but it does appear to work against the one PoC Tavis put up in the test I ran. I don't know, the whole thing just rubbed me the wrong way. But at least now no one has to pretend to do responsible disclosure with Google just because it's the right thing to do - they don't use it themselves. Even when MS finds a vuln in Google they do so responsibly. I don't mean to say anything bad about Tavis, because he's probably a good guy, with a lot of skill. But let's stop pretending Google's team is chivalrous, shall we? Let's see what Google does when one of their own breaks their stated policies, whether the researcher is working in their own time or not.

Be Ready to be Fired

BankerVision - Thu, 2010-06-10 05:54

There are really two kinds of people who do innovation jobs. Those who rock the boat, and those who don't.
My observation is the latter usually don't make much difference to anything. They're too scared to make a difference. Because they're scared, they only consider doing things that don't matter much.
The fact is this. Innovation jobs aren't supposed to be safe. If you sign up to do one, your duty to your organisation is to change things, to rock the boat.  If there was no desire to change the old way, why on earth would an innovation job have been created in the first place? Innovation jobs are permission to rock the boat.
The skill is in rocking the boat enough that things happen, but not rocking so much you capsize. 
Here's another observation I have about people in innovation jobs. They need to have alternative employment opportunities available to them at all times, or else the financial freedom to be without work for a bit while they find a new role. 
When you don't have that sorted out, you judge every innovation you undertake in terms of how much boat rocking it will likely cause. You limit what you do to preserve yourself. Consequently, you do very little, because there is no such thing as a comfortable innovation job.
It is inevitable that sooner or later someone is going to try to take out the innovators in an organisation if they try to do anything substantive. They'll get called distracting, or "not core to the business", or disruptive, or, even, dangerous. They'll try to take out the innovator, because what else do they know how to do? 
You have to plan for this, be ready to deal with it. Your plans have to handle everything up to and including getting fired. Some innovators do get fired when they cause a capsize. That's tough, but it comes with the territory. If change was supposed to be easy, everyone would be doing it.
But there are plenty of innovators who don't see it this way. Theirs is the land of the comfortable, where taking a justified risk is never justified. 
They are the failed innovators.
Are you too scared to rock the boat? You may be comfortable and safe in that case, but you're also irrelevant. You should think about getting a new job, doing something meaningless that doesn't matter.
By doing so, you will be safe and comfortable, and you will give someone else a chance to make a difference. 

Categories: news I read

Tricks Vendors Play

BankerVision - Mon, 2010-06-07 05:52

This is an extract from the second chapter of my next work on what the enterprise sale looks like from the buy-side. I've stopped writing "One Big Thing" temporarily to do this, because I'm of the view that a decent guide for enterprise salespeople - not written by a salesman - is overdue. Hopefully, there's some value for people in hearing a few stories about what it's like to be sold to.

In this chapter of the book, I'm covering the difficult first meeting, how to get one, and the kinds of preparation we appreciate. And, of course, I'm looking at some of the things that vendors do which we actually hate.
Unless your organisation already has a relationship with the buy-side, getting the first meeting with an organisation can be somewhat difficult. On the buy-side, everyone is deluged with requests for meetings, usually to such a degree that the only way to get any actual work done is to refuse to see any vendors at all.

In the last chapter, I explained that usually, the wares of vendors have much less value to us than they do to the vendors themselves, so unless there is a specific reason for a meeting, we are usually not all that motivated to use our time speculatively. We put up barriers to guard our ability to meet our internal objectives, because however much we might like to see new and interesting things, doing too much of it will get us fired.

So difficult can it be to get a hearing at the beginning of a relationship that vendors have resorted to a number of tricks that usually start things out on the wrong foot. Let's examine a few of these here.

Going to the Boss

One of the most effective ways to get a meeting with anyone in an organisation is to get to the decision-maker’s boss.

On the buy-side, we hate this passionately, and here is the reason. By seeing our bosses, you have essentially forced us to agree to meeting with you whether we have the time or not. We have to meet with you, because we must be in a position to report back to our bosses if they ask us whatever happened. And, of course, because the referral came top down, we are scared that if we don’t meet with you, you will go back to our bosses and complain.

It is even worse when an Account Director has somehow managed to extract some kind of agreement to do something from the boss.

The fact is most bosses don’t have the time to be across all the details of whatever the decision-maker is trying to achieve. Neither will they be aware of whatever else is presently going on that might be affected by whatever agreements the Account Director has managed to extract.

This puts the buy-side in a very invidious position. On the one hand, they want to support whatever calls their bosses have made, but on the other, they have to be able to achieve their goals by pursuing whatever direction of travel they’ve already invested in.

By extracting high level agreements, what you’ve essentially done is create an adversarial situation internally: you’ve made it likely the decision-maker will have to say “no” to their boss.

As you can imagine, this makes the buy-side nervous at best, and openly angry at worst. Not exactly a firm footing with which to start a relationship.

I was once in a situation where a vendor wrote a letter to my chief executive complaining that he’d had no success getting any meetings with any decision makers in our organisation. In this letter, he suggested that we “didn’t get it” and that we were “missing out on huge economic benefits”, and that the approach we were presently following was “just plain wrong”.

Faced with such a letter, what is a CEO to do? Naturally, the letter was immediately referred to us, and we were forced to explain - in detail - our reasons for pursuing the current direction of travel. We also had to agree to see the vendor, even though we expected the meeting to be a waste of time.

It turned out it was, of course. The product gave us capabilities we already had, and was, in fact, inferior. We explained this to our CEO, then blacklisted the vendor. Blacklisting essentially means we'll put up even bigger barriers to protect ourselves in the future, and the net-net is it's unlikely you'll ever get a meeting again.

This, by the way, is never something that happens on paper. We talk to each other, and the message gets around.  No-one on the buy side is stupid enough to write down a blacklist, but we do have our own jungle-drums that work very well, thank you very much.

The remainder of the chapter explains a number of other tricks vendors use to get first meetings (using Introducers, approaching personal networks, updating the sales pitch, and a few more). Then it goes on to explain what makes a good first meeting, and how to prepare for one. I expect the material to be available in full in about 3 months' time.

The Baby Back Ribbed Theory of Architecture

Financial Cryptography - Sun, 2010-06-06 03:28

Somebody asked me how I do Architecture, and it wasn't a question I could easily answer. Darn! I am one, but what is one, and how do I do it? Since then, I've been doing a bit of reading, and I think I have the answer. Here it is, by way of an anecdote called Rafi's, which was a project, and also a ribs & beer place. Crack open a beer, order in some ribs, and settle in.

In 2000 or thereabouts, my team and I were sitting on the most sophisticated and working Internet payments system around. Having got it in place, we were then faced with the problem that bedevilled most all payment systems: people don't do payments so much as they do trade. This was a conundrum, one I wrote about in FC7, in which I claim that a financial cryptography system without a "financial application" is approximately worthless.

Some slight context. To answer the obvious question here, we already had our application, being the swapping of financial instruments for cash, and back again. Good as it was, I was looking for more. A wider complication is that many obvious applications have beartraps in them lurking for unwitting payment systems, so there wasn't an easy answer such as copy amazon or google or expedia or Rafi's ribs place. And, finally, luckily, no customer was demanding this; it was an internally-generated strategic demand, so I could take my time.

In trying to do more payments, then, the problem evolved into figuring out what trade people did, and trying to participate in more of that. In order to get a grounding in that, I surveyed how payments integrated into life. Initially, I thought about invoice cycles, because a payment is generated out of such a cycle. This seemed fairly tractable, but I wasn't comfortable with the variations. I went wider, and thought about trading of all forms, the wider business exchange that goes on that generates an invoice cycle, and finally a payment.

In principle, as we'd already done financial trades, it was simply a matter of substituting finance with some other business, walking the transaction, architecting it and implementing it. Or so I initially thought, but it wasn't to be.

Take a hotel check-in, an example I sometimes used to convince people *not* to get into the retail payments business. When you finally get to the hotel, and walk in the door, you start the process, something like this:

"I'm after a room…"
"We have singles, doubles, and the presidential suite …"
How much is the double?
"100 per night"
OK, I'd like three nights.
"We only have doubles available for 2 nights, but we have the singles."
OK, and do you have a room at the back, not facing the highway?
"Ah, yes you'll be wanting the presidential suite then…"

And on and on it goes. The point is that, while invoicing cycles include some variability, trade cycles are all variability, to the point of arbitrary, unpredictable chaos. Examining such a process and trying to automate it presents rather special challenges.

It is somewhat clear that we can create an ontology to capture all the probable paths of the hotel reception cycle. And indeed, this is what many projects tried to do: define the process, automate the use-cases. Consider flight booking systems. It's also possible to define an exceptions protocol, to catch those tricky "backside room," special meal requests or the more prosaic desire for a welcoming Carib. But it's hard. And risky, as having built it, how do we know the customers will agree with the ontology? Building such things only makes sense if they work, guaranteed, and that's unlikely in this case.

But the real killer is that having done all that, one's grand structure is almost useless for the next business problem. That is, a flight booking system won't translate so easily to a hotel process, even though we want to offer both of them together (and many do). And it certainly doesn't have much relationship to a book drop-shipping business. Unless, that is, one believes that there is an all-powerful super-meta-hyper methodology that can capture all interactions between all humans. An AP-SMH-UML, if you like, or perhaps the über-SAP. If you believe in that, just let me know how many decades you'll finance the building of it, and I'm willing to take your money :) if I can get to the head of the queue...

In the alternate, it is possible to understand the essence of trade, approximate, and find some benefits. And this is where my months of thinking started to pay out some small glimmers of inspiration.

The first thing I realised is that a payment is but a tiny part. A bigger part is the invoicing process, which often involves a bill being delivered, checked, paid for, and confirmed. On both sides. This is an application in and of itself; it is probably 5 times bigger than a payment. And we still haven't given it any semantics, any meaning for the end-user. Intuitively, we have to deliver meaning in order to make it reach a customer (or, academically, recall the FC7 hypothesis above). But as soon as I tried to add some sort of semantics around the invoicing, I ended up with the killer issue above: a mess of interactions of no real structure surrounding an already challenging invoicing protocol, with a payment or three tacked on. What started out as simple modelling revealed an intractable mess, which by size dominated the original mission.

My finger-in-the-air estimate is this: 1% payment, 4% invoice, 95% the messages of chaos. Logic therefore said to me that if I could improve the 95% and reduce the chaos, as it were, then this would likely dominate any efforts to improve the 4%, at a ratio of around 20 to 1! And, following this logic, the payment was now almost optional, almost vestigial. The less I thought about payments, the better.

My next glimmer was to treat trade as a series of requests and responses, back and forth. But that didn't quite work out, because many of the so-called requests were unanticipated, and unresponded. Think of advertising's part in trade, and the request-response model is dead, which may explain why so many billing systems layered over HTTP look so ghoulish. So eventually I was led to treating interaction as a somewhat arbitrary series of messages, showing patterns of no particular import to us.

The inspiration was then to flip the architecture system around: trade is messages, and to improve trade, improve the messaging capability. I didn't want semantics, I wanted freedom from semantics. I wanted a messaging system, with payments tacked on, rather than a payments system based on messaging. Indeed, I wanted a messaging system that could support arbitrary messages, and payments were just a trivial example of a message, within the full set of possible messages. (Trivial, because we already had them, and trivial, to focus the mind on the full possible set. Not trivial just from being payments, as these are anything but trivial.)

So the mission became to convert our payments-system-built-over-messaging into a messaging-system-with-payments. It seemed elegant enough, so over several nights at Rafi's, over ribs and beer, I outlined the story for my team: we want more transactions, payments business derives from trade … trade is really messages, with a payment tacked on, we have a payment system, built on great messaging principles, we just need to switch the emphasis of our system architecture a little, to: messaging-with-payments, not payments-over-messaging.

That's how Project Rafi's was born. I sold it to my team through beer & ribs, toasted the name, and commissioned a demo. Of course, when people talk of messaging as an application, they think chat or Instant Messaging or SMS. So I seized that metaphor, and turned it into the popular expression of the mission. We were adding IM to our payment system, or so we said. Which was a subtly different subset to what I wanted, but close enough to be easy to sell, easy to discuss, and easy to tune in the detailed requirements and later implementation. Sounds simple!

Let's look back to the meat on the ribs of the original question: how did I do the architectural part? Looking at the above, the serial or static view is like this:

a. define the business problem that I am trying to solve
b. research the business context
c. extract requirements
d. build a virtual or model solution using some random classical technique or tools to hand

But this assumes too much omniscience; reality is far rougher, full of errors, omissions, unknowns. So, we need an error-correcting overlay, a feedback cycle. The dynamic view is then cyclical:

e. at each step, I test my results & conclusions against the earlier parts. E.g., test the solution against the requirements .. then test against the known business variations … then similar business problems … then the business statement.
e-bis. something breaks.
f. Out of which breach, identify the broken part (solution, requirements, research, problem).
f-bis. Jump back to a, b, c or d, depending. Evolve and re-state the broken input.
g. keep doing it until elegance strikes me on the forehead and I can't shake it off!

Now, this might be special, but it's not unique. Indeed, you can find this on the net if you look around. Here's one from Malan and Bredemeyer:

[diagram from Malan and Bredemeyer not reproduced here]

A 9 word summary might be: set the mission, start high, go deeper, test, iterate. Or, if you want the 1 word secret, it is Iterate! Those with a sense of military history will see Boyd's OODA loop in there, with the problem being the enemy, the enemy being the problem, and the challenge to spin faster than the problem spins you :) And those with appetite will appreciate now why there are always so many ribs on the plate, and why architecture and fast food don't go well together.

What might offend some people is that it is so simple. I think the response to simplicity is that this easy model hides a lot, but that which it hides is not the essence of Architecture. Rather, the hidden part is the essence of something else, which the Architect is able to successfully integrate without spoiling the secret. And as this post is about Architecture, and is already long enough, I'll stop right there.

THE SECRET OF SOFTWARE ARCHITECTURE IS . . . I T E R A T I O N !

Hence that age-old complaint of the frustrated architect, "there aren't enough ribs on my plate!"...

Walking with Dinosaurs

BankerVision - Wed, 2010-06-02 05:33

Tomorrow, I'm going to be giving a talk to a group of young people who have come to our organisation through our graduate programme. They are all very, very bright, and some of them are just about the most motivated to succeed I've seen in a while.

I love working with people at the start of their careers, and particularly this generation. The reason? They know and accept there are dinosaurs around, and they aren't scared of them.

I know when I was starting out, there were also dinosaurs. They had all this experience, all this knowledge, probably won in the "school of hard knocks". They were all senior, and you would never dream of questioning their determinations and decisions. If you did, there'd be consequences. I mean, what would you know about anything? Why would you be entitled to an opinion? Youngsters, you should listen and learn.

Well, that's over.

The dinosaurs today - and I hope I'm not turning into one myself - are hopelessly ill-equipped in many cases to deal with the way things are now. The problem is their years of experience are now a hindrance in a world where what's really important is freshness in absorbing concepts, ideas, and innovation. Things at which young generations have always excelled.

You can imagine the collective meltdown those words are likely to cause in the established IT community, of which I am a part. We're all in charge because of all those years of experience. How dare I suggest all those years are not that valuable?

But, for example, have a look at your IT organisation, and especially at your development processes. I bet you'll find they're gummed up with gates, and procedures, and evaluations and reviews. Everything takes ages, and the mantras will be "reuse" and "architecture" and "governance". These are the hallmarks of the dinosaur.

Why do I say that? Because they are mechanisms for controlling the rampant spread of technology solutions in an age when doing big systems was expensive. It is still expensive, but only because of the artifacts that have been left behind when things actually were expensive. It is our control artifacts that are now making us expensive, not the problems we are asked to solve.

This new generation of tech managers we're growing know this. They sit there and sigh when we ask for "one more gate", knowing that the new world is completely throw away. "Just build it", they mutter under their breaths, and could, indeed, fire up their personal laptop and do it overnight probably if they were of a mind to do so.

Don't laugh. We had this group of students show up once and do a hack-day. In about 24 hours they'd accomplished about as much as we'd done with traditional methods in several months. Oh, of course, it wasn't "governed", and "reusable" and "consistent with our architecture". But it was throwaway. Throwaway is what you want when the cost of development is a reducing function.

And it is a reducing function. I am amazed at what young-people start-ups can accomplish with practically no money. They maybe get half a million dollars from an angel investor and a month or two later have a system that's actually really useful and which people are desperate to use.

They go into these ventures serially. They work until something is obviously not working, throw it away, and start again. It is no accident that many of the most successful tech entrepreneurs presently are pretty young. They're not dinosaurs.

Anyway, back to what I'm going to say to these young technology managers I'm going to be speaking to tomorrow.

Firstly, I'm going to tell them to recognise there are dinosaurs around. I'm going to tell them their bark is worse than their bite and even if they get bitten, they have years to recover. But of course, the best won't get bitten, because they will be clever about how they get their messages across.

And I'm going to tell them to question everything that comes from dinosaurs. And that their inexperience with the old way of doing things is their best chance to make a huge difference now.


questioning infosec -- don't buy into professionalism, certifications, and other silver bullets

Financial Cryptography - Sat, 2010-05-29 03:16

Gunnar posts on the continuing sad saga of infosec:

There's been a lot of threads recently about infosec certification, education and training. I believe in training for infosec, I have trained several thousand people myself. Greater knowledge, professionalism and skills definitely help, but are not enough by themselves. We saw in the case of the Great Recession and in Enron where the skilled, certified accounting and rating professions totally sold out and blessed bogus accounting practices and non-existent earnings.

Right. And this is an area where the predictions of economics are spot on. In Akerlof's seminal paper, the Market for Lemons, he predicts that the asymmetry of information can be helped by institutions. In the economics sense, institutions are non-trading, non-2-party market contractual arrangements of long standing to get stuff happening. Professionalism, training, certifications, etc. all are slap-bang in the recommendations. So why don't they help?

There's a simple answer: we aren't in the market for lemons! There's one key flaw: Lemons postulates that the seller knows and the buyer doesn't, and that simply doesn't apply to infosec. (Criteria #1) In the market for security, the seller knows about his tool, but he doesn't know whether it is fit for the buyer. In contrast, the salesman in Akerlof's market assumed correctly that a car was good for the buyer, so the problem really was sharing the secret information from the seller to the buyer. Used car warranties did that, by forcing the seller to reveal his real pricing. The buyer doesn't really know what he wants, and the seller has no better clue. Indeed, it may be that the buyer has more of a clue, at least sometimes. So professionalism, certification, training and warranties aren't going to be the answer.

Another way of looking at this is that in infosec, in common with all security markets (think defence, crime), there is a third party: the attacker. This is the party that really knows, so knowledge-based solutions without clear incorporation of the aggressor's knowledge aren't going to work. This is why buying the next generation stealth fighter is not really helpful when your attacker is a freedom fighter in an Asian hell-hole with an IED. But it's a lot more exciting to talk about.

Which leads me to one controversial claim. If we can't get useful information from the seller, then the answer is, you've got to find it by yourself. It's your job, do it. And that's really what we mean by professionalism -- knowing when you can outsource something, and knowing when you can't. That's controversial because legions of infosec product suppliers will think they're out of a job, but that's not quite true. It just requires a shift in thinking, and a willingness to think about the buyer's welfare, not just his wallet. How do we improve the ability of the client to do their job?

Which leads right back to education: it is possible to teach better security practices. It's also possible to teach better risk practices. And, it can be done on an organisation-wide basis. Indeed, this is one of the processes that Microsoft took in trying to escape their security nightmare: get rid of the security architecture silos and turn the security groups into education groups [1].

So from this claim, why the flip into a conundrum? Why aren't certifications the answer? It's because certifications /are an institution/ and institutions are captured by one party or another. Usually, the sellers. Again a well-known prediction from economics: institutions to protect the buyer are generally captured by the seller in time (if not in the creation). I think this was by Stiglitz or Stigler (?), pointing to finance market regulation, again. A supplier of certifications needs friends in industry, which means they need to also sell the product of industry. It's hard to make friends selling contrarian advice; it is far more profitable selling middle-of-the-road advice about your partners [2]. Let's start with SSL + firewalls ... Nobody's going to say boo, just pass go, just collect the fees.

In contrast:

In short, the biggest problem in infosec is integration. Education around security engineering for integration would be most welcome.

That's tough, from an institutional point of view....

Is it really over for Microsoft?

BankerVision - Thu, 2010-05-27 05:50

It was with great interest - though not that much surprise - that I noted the news this morning that Apple has finally overtaken Microsoft in market cap. The market, clearly, thinks the future fortunes of the former are rather more steady than those of the latter.

Personally, I have to agree with the market. Not because I like all the Apple stuff I have, and not because I think Apple have better people or leadership than Microsoft. I am not one of those people who think Steve Jobs is the lone force that drives the success of Apple, and in fact, I don't see how one man could ever have such influence over every detail in a company that large.

The problem for Microsoft is that it does not yet have its back against the wall, and in fact, has never done. It is not staring death in the face, not even nearly so. It has never even had a near death experience. And, consequently, it is not in a position where it has to do anything very much other than what it has always done: crank out new versions of its old hits.

If there is one thing that I've learned about the innovation process and in particular, radical innovation, it is that there must be a burning platform which forces senior leaders to do something different. Because of Office and Windows, Microsoft has no burning platform, and consequently won't do anything different no matter how hard it tries.

In fact, as we've seen from insiders' accounts of life trying to be innovative at Microsoft, such efforts to be different will be killed off by political infighting and blatant defense of empires.

I always hate it, by the way, when everyone holds up Apple as an innovative company, and explains that it is innovation which has driven its present success. Same for Google. Neither organisation is especially innovative, at least when you take the conventional definition of the word. They come with interesting new ideas, of course, but their mastery is in seeking adjacent spaces for stuff that is largely working well and wrapping it in a way that disrupts whoever is there presently.

I don't need to bother with all the typical examples of this since they've all been written about countless times before.

My point is that Microsoft doesn't do this. Their strategy is to innovate in the truest sense of the word. They want to create brand new ideas that turn into hit products. When that doesn't work, they always seek to copy the way someone else has created a hit product, and win the war by attrition.

Microsoft think the product is important, not the business. Apple and Google start from the business and then come to the product. Consequently, they're always going into spaces which aren't always obvious but where they can leverage their capabilities from established hits. Microsoft, in contrast, goes to places where it has neither capabilities nor hits.

I wasn't surprised to see one commenter on Mini-Microsoft exclaiming that Microsoft's main problem is its "terrible" marketing, and if it could just get better at that, all its new products would succeed. When you think product, as in "let's build the greatest product", it is tempting to imagine that success comes if you can just get the message out.

That has obviously not worked in the past for Microsoft, and is not the centerpiece of the success of Apple or Google now.

The real problems are twofold though. The first is that Microsoft has no culture of failure, because every failure it has ever had is overshadowed by the huge successes of its two main products. The second is those two main products are such successes that no-one in the company can believe that a product-centric strategy isn't the way forward.

So yes, I do think that Apple is more steady for the future. It's not too late for Microsoft to reverse its direction of travel, but I do have to wonder if that's going to be possible unless they have a near-death experience.

The thing is, Windows and Office aren't going away, though they may be going into decline. That's a decline which will last years, and the incumbents in Microsoft will be able to dress it up as success for years. There's no burning platform at Microsoft, and there's not likely to be one.

The market has probably got its valuations right.

Categories: news I read

An excerpt from my latest book

BankerVision - Tue, 2010-05-25 05:45

As I said a week or so ago, I'm busily writing a manual for enterprise sales people. Here's another excerpt, this time from the Introduction.
If you are an Account Director that’s responsible for selling to large organizations, you’ll be well aware of the traditional challenges involved in closing a deal.

You have to build strong and lasting relationships so you can get meetings with the people who can make a buying decision. You need to do so in the face of what is ordinarily quite considerable disinterest, sometimes even open hostility.

You have to make sure you get enough things in front of your customer that your pipeline is deep. You need a deep pipeline to ensure you have enough headroom to allow for the inevitable collapse of most of what you propose.

When you have, finally, got a deal on the table, you have to negotiate shrewdly in order to make sure you maximize your margins and extract the most value possible from your customer.

And in the end, ultimately, you then have to supervise every aspect of delivery, making sure you balance your costs so you do the minimum amount of work possible. You do the minimum you can get away with because that makes economic sense and maximises your margin.

That you do all these things in spite of the fact that they don’t help your customer makes the relationship part of what you do completely, utterly false.

Nonetheless, some of you do quite well. My observation is that only the cleverest, most charismatic, of enterprise salespeople fall into this category. You are great actors, able to delude customers into thinking that you actually care about them, whereas the reality is that you think firstly about your number and what you have to do to make sure you hit it.

Whether you are a good person or not, this sets you up to lie in every interaction with your customer. You don’t care about what they’re trying to achieve, you care about what you have to achieve.

I’m not criticising you, mind. The way organisations are structured presently, both on sell and buy side, you are forced to behave this way because it makes the best economic sense.

But the question I’m asking is this: what if things were different? What if you truly made the customer the centre of your world? What if, actually, you stopped lying in your interactions with them?

The Great Lie of the Sales Relationship

“Lying?”, I hear you ask?

Yes, lying, and here is why I make the challenging proposition that most enterprise sales people are extremely skilled at acting out the lie of their work.

Consider again the list of things enterprise sales people do with which I opened this chapter, but this time do it in the context of a real relationship, let's say with a personal friend.

You have to build a strong and lasting bond so you can get the meetings you need to pitch in the face of disinterest. A real relationship is never founded on disinterest - it is based entirely on common interests. Your friend is a friend because of the commonality.

You have to get enough stuff in front of your customer to ensure you have a deep enough pipeline to sustain deals that don’t go anywhere. In a real relationship with a friend, you’d never do this. A real friend would come to a mutual agreement about some course of activity - just the one - and would follow it jointly with you to an outcome. Friends support each other, they don’t play a numbers game to ensure they get to a personal outcome.

You have to negotiate shrewdly to extract the maximum value from your customer. If your customer was a friend, you’d be more interested in giving away your stuff, because you know that your friend would return the value as a natural consequence of friendship.

And finally, doing the delivery, you spend all your time making sure you spend only that amount of money you need to keep things on the straight and narrow. That’s cheapness, in the context of friendship. Imagine telling your friend you’re going to spend as little on them as you can get away with! Doing the minimum possible is a long way from going the extra mile, which is what a true friend would do.

Of course, enterprise sales is not friendship, but you can see how the activities of the enterprise salesperson can easily get really false.

You can’t on the one hand say you are successful on the basis of the relationships you build, and then go on to do everything that would normally bring a relationship to its knees. That’s why the best enterprise sales people are such great actors: they can make a customer believe in the relationship whilst simultaneously optimizing the outcomes for themselves.

I'm still seeking enterprise sales horror stories from either the buy-side or the sell-side. Right now, I'm looking for anything that has to do with mismanagement of evidence (ie, when case studies or customer references, or POCs have gone wrong), and blow ups when vendors have pitched "innovation".

The final book will likely be out in a couple of months.

Categories: news I read

5 Situations You Should Pull "The Lever"

BankerVision - Fri, 2010-05-21 07:51

"The Lever" (def): A mystical, invisible handle you can pull to get crushed by a safe. A device often used in popular culture, especially in cartoon shows featuring comical adversaries and their booby-traps.

The top five signals you should pull "The Lever" include:

  1. You have just been in a three hour meeting you thought was concluding. Then some bright spark pops up with three items of "any other business", each of which will take another three hours. Because they are more senior than you, smile sweetly and resign yourself. While you're waiting for the cobwebs to form and your beard to grow, you pull "The Lever" because being crushed by a safe is more stimulating than the alternative of propping your eyes up with matchsticks.
  2. The startup time of your laptop is longer than that needed to get through the items of "any other business". When you question this, you are told everything is within the SLA. You pull "The Lever" to get crushed by a safe because the alternative is to make so many cups of tea you'd cause the local water pressure to drop in the pipes.
  3. While you're waiting for the laptop, but before you pull "The Lever", you are confronted by a sales-guy who has a proposition so good you'll be "dying to hear about it". You pull "The Lever" and get crushed by a safe because you'd rather die without hearing about it.
  4. You discover one morning that "The Lever" has been decorated with gold gilt and now has a sign attached inviting you to pull it every time you've achieved one of your goals. Someone senior has determined that a public display is a great way to motivate, so you pull "The Lever" to get the public display of being crushed whilst putting yourself out of your misery at the same time.
  5. The top reason to pull "The Lever", however, is you discover the person with the "any other business", and who thinks that slow start up times are OK, and who decorated "The Lever" are the same person. Even knowing this, you go and pull "The Lever" to be crushed by a safe because you know if you fail to do it this time, they will next dream up a Button-That-Dumps-You-In-The-Piranha-Pond and conceal it in the "on" button of your slow-to-start laptop.

Categories: news I read

blasts from the past - Verisign sells its CA division?

Financial Cryptography - Fri, 2010-05-21 01:36
Nelson spotted it, too late for yesterday's post of old predictions come true:

Symantec Corp. is paying $1.28 billion in cash to buy a division of VeriSign Inc. that sells security technology to websites. The deal, announced Wednesday, represents VeriSign's most aggressive move yet to slim down and concentrate on its core business: managing traffic to websites with addresses ending in .com and .net, and collecting fees for registering those domain names. VeriSign has been purging divisions for the past three years, after realizing it was spread too thin following a buying binge designed to insulate it from the kinds of problems it had after the dot-com collapse a decade ago. Prior to Wednesday's deal with Symantec, VeriSign had sold more than a dozen businesses since 2007 for a total of nearly $1 billion. What Symantec gets out of the deal is one of the Web's best-known brand names for security.

Back in 2005 (!) I predicted this would happen, because of complexity and the fear of litigation arising out of the phishing threat. The too-many-business-lines aspect is there in the above article. As it happened, the litigation has not emerged as yet, although if the Australian Bank Fees case pans out positively (for the fee payers not the payees), there might be more enthusiasm.

Where does this leave the market for CAs? Well, Symantec probably has a very different outlook and approach. But it's also a complex company in its own right, so the problem of complexity will need to be fixed there as well. And, it has another very close buyout of recent times: PGP Inc. Yes, the company famous for its version of OpenPGP, which is perhaps the bright shining light opposing the CA business, has been sold to Symantec for some $300bn. Leading light Jon Callas then left the company and went to Apple, which is an interesting move in a buyout phase. Meanwhile, I saw a recent comment that PGP Inc also has PKI and CA business, which makes me wonder. Is this true?

If so, Symantec will have even more work to do rationalising lines. Others muse on these issues too:

One strength of PGP is its server-side encryption and security offerings, which compete with products from vendors such as nuBridges, Voltage, Vormetrics and RSA with its BSafe toolkit. Demand is growing for server-side encryption because of the Payment Card Industry data security requirements, Pescatore says. Symantec says PGP counts 100,000 enterprise customers with more than 1,000 employees, and 1 million small-to-midsized customers with fewer than 1,000 employees. For its part, Symantec says it sees PGP and its public-key encryption technology as its ticket to innovations making use of key management. Symantec is a market leader in the data loss prevention (DLP) product arena, and for complete use of DLP, encryption is an important part, Symantec CEO Enrique Salem told financial-industry analysts earlier this morning on a conference call to announce the acquisitions. The PGP platform for key-management will contribute to Symantec's focus on creating a policy-based approach in security, Salem said. In addition, a start-up acquired by PGP, called ChosenSecurity, offers another path into identity management related to establishing trust among users and sites, he noted. We will standardize on the PGP key-management platform, says Francis deSouza, senior vice president, Enterprise Strategy group, Symantec.

(For what it is worth, I am strongly related to CAcert these days, which is an open community supplier of x.509 signatures and OpenPGP signatures, you should think about conflicts of interest in the above post.)...

blasts from the past -- old predictions come true

Financial Cryptography - Thu, 2010-05-20 02:44
Some things I've seen that match predictions from a long time back, just weren't exciting enough to merit an entire blog post, but were sufficient to blow the trumpet in orchestra: Chris Skinner of The Finanser puts in his old post written in 1997, which says that retailers (Tesco and Sainsbury's) would make fine banks, and were angling for it. Yet:

Thirteen years later, we talk about Tesco and Virgin breaking into UK banking again. A note of caution: after thirteen years, these names have not made a dent on these markets. Will they in the next thirteen years? Answer: in 1997, none of these brands stood a cat in hell’s chance of getting a banking licence. Today, Virgin and Tesco have banking licences.

Exactly. As my 1996 paper on electronic money in Europe also made somewhat clear, the regulatory approach of the times was captured by the banks, for the banks, of the banks. The intention of the 1994 directive was to stop new entrants in payments, and it did that quite well. So much so that they got walloped by the inevitable (and predicted) takeover by foreign entrants such as Paypal. However regulators in the European Commission working group(s) seemed not to like the result. They tried again in 2000 to open up the market, but again didn't quite realise what a barrier was, and didn't spot the clauses slipped in that killed the market. However, in 2008 they got it more right with the latest eMoney directive, which actually has a snowball's chance in hell. Banking regulations and the PSD (Payment Services Directive) also opened things up a lot, which explains why Virgin and Tesco today have their licence. One more iteration and this might make the sector competitive...

Then, over on the Economist, an article on task markets:

Over the past few years a host of fast-growing firms such as Elance, oDesk and LiveOps have begun to take advantage of “the cloud”—tech-speak for the combination of ubiquitous fast internet connections and cheap, plentiful web-based computing power—to deliver sophisticated software that makes it easier to monitor and manage remote workers. Maynard Webb, the boss of LiveOps, which runs virtual call centres with an army of over 20,000 home workers in America, says the company’s revenue exceeded $125m in 2009. He is confidently expecting a sixth year of double-digit growth this year. Although numerous online exchanges still act primarily as brokers between employers in rich countries and workers in poorer ones, the number of rich-world freelancers is growing. Gary Swart, the boss of oDesk, says the number of freelancers registered with the firm in America has risen from 28,000 at the end of 2008 to 247,000 at the end of April.

Back in 1997, I wrote about how to do task markets, and I built a system to do it as well. The system worked fine, but it lacked a couple of key external elements, so I didn't pursue it. Quite a few companies popped up over the next decade, in successive waves, and hit the same barriers. Those elements are partly in place these days (but still partly not) so it is unsurprising that companies are getting better at it.

And, over on this blog by Eric Rescorla, he argues against rekeying in a cryptographically secure protocol:

It's IETF time again and recently I've reviewed a bunch of drafts concerned with cryptographic rekeying. In my opinion, rekeying is massively overrated, but apparently I've never bothered to comprehensively address the usual arguments.

Which I wholly concur with, as I've fought about all sorts of agility before (See H1 and H3). Rekeying is yet another sign of a designer gone mad, on par with mumbling to the moon and washing imaginary spots from hands.

The basic argument here is that rekeying is trying to maintain a clean record of security in a connection; yet this is impossible because there will always be other reasons why the thing fails. Therefore, the application must enjoy the privileges of restarting from scratch, regardless. And, rekeying can be done then, without a problem. QED. What is sad about this argument is that once you understand the architectural issues, it has far too many knock-on effects, ones that might even put you out of a job, so it isn't a *popular argument* amongst security designers. Oh well. But it is good to see some challenging of the false gods....

An article Why Hawks Win, examines national security, or what passes for military and geopolitical debate in Washington DC:

In fact, when we constructed a list of the biases uncovered in 40 years of psychological research, we were startled by what we found: All the biases in our list favor hawks. These psychological impulses -- only a few of which we discuss here -- incline national leaders to exaggerate the evil intentions of adversaries, to misjudge how adversaries perceive them, to be overly sanguine when hostilities start, and overly reluctant to make necessary concessions in negotiations. In short, these biases have the effect of making wars more likely to begin and more difficult to end.

It's not talking about information security, but the analysis seems to resonate. In short, it establishes a strong claim that in a market where there is insufficient information (c.f., the market for silver bullets), we will tend to fall to a FUD campaign. Our psychological biases will carry us in that direction....

The Vendor Manual on Customers

BankerVision - Wed, 2010-05-19 03:44
I do a lot of meetings with vendors. A lot of meetings. And, as you'll know if you've been reading here for any amount of time, I'm of the view that many of these meetings are (frankly) a waste of time. Not all of them, by any stretch, but a very sizable percentage.

I'm beginning to come to a realisation about this. Vendors who have always been vendors (i.e., they have never worked customer side) are usually quite poor at understanding the real issues customers face. They say they understand, but I don't think they really do.

I have no other way to explain the behaviours you get from them otherwise.

Anyway, I also do quite a few speeches to vendors giving the "customer perspective". Almost always, people come up to me afterwards to say that they didn't realise X, or hadn't considered Y, and that my material was really interesting. I like to be candid in those talks, so I usually don't pull punches.

Anyway, since I completed The Little Innovation Book I thought I'd try to do something constructive about the vendor thing. Therefore, I've paused One Big Thing (my next innovation book for people who have only one shot at getting things done) and decided to write an insider's view of the enterprise sale for vendors. I don't really have a good title yet (suggestions welcome).

It'll be another short, 30k word work, split into commute-readable chapters.

So you can get an idea of where I'm going, what follows is an excerpt from Chapter 2, which is about the falsity of the relationship selling model.

I open the chapter by reproducing an exchange between an Account Director and myself in one company I worked for. It was a technology vendor, one that mainly sold bits of commodity tin. Here is part of the analysis I follow this with:
The second point of note from the exchange I had was the Account Director, whether it was deliberate or not, was setting up an adversarial situation inside our organization.

When IT (for example) has made a decision on something that is disadvantageous to a vendor, it is a fairly normal reaction to scramble to find someone with more power that will re-balance things back in the vendor’s favour. There are strong economic motives for doing this, of course.

When a deal goes the wrong way, the potential loss of revenue can be huge. That is revenue that has to be made up elsewhere, and means that new deals have to be put on the table quickly if the Account Director is to make up their number at the end of the year.

From the perspective of the Account Director, trying to stop this happening makes excellent economic sense. For most selling organizations, the number of opportunities to make the number is essentially finite. Wasting any of them can have drastic consequences for end of year compensation.

Then, too, it may be that there is a real belief that the customer is making a mistake. In this case, in the name of the “doing the right thing for the customer”, you often see this behaviour occurring.

Whether or not the vendor is actually attempting to set up an internal confrontation, doing so is another example of the falsity of the relationship sales approach. In a true relationship, vendors would never dream of putting their partners in a situation where they are in the middle of a fight. Friends don’t do that to each other.

But the economic basis of relationship selling makes it very difficult to avoid. Faced with the certainty of a significant loss of money, or possibility of putting a relationship into a place from which it cannot recover, most Account Directors are forced to choose the latter.

After all, if they are good enough at their jobs - acting (that their primary concern is customers, not their targets) - it will be possible, given enough time and effort, to convince the customer that they really do have their best interests at heart. A brilliant Account Director can make the choice of money over relationship time and time again and get away with it. Poor Account Directors, on the other hand, do so only once before they get thrown out by the customer.

Setting up adversarial relationships in accounts is an overt case of a much more common behaviour, known internally to the buy-side as “divide-and-conquer”. Vendors, usually with pretty good intentions, go around to as many people as they can making their pitch.

There will be a pretty varied reaction to this. Some people are open to a new proposition, and will be supportive. Most will be disinterested. And some will be openly dismissive.

By seeing as many influential people as they can, vendors are able to maximize the opportunities they have to create a groundswell of demand for their offer. Indeed, this truly is a numbers game, because with enough meetings, it is possible to sell anything to a large organization by virtue of the fact that sooner or later, there will be enough people wanting it that a purchase is inevitable.

Divide and conquer is hated by the buy-side, because it creates a situation where things happen that are outside the strategic frame. The result is many smaller deals going on, which can add up to significant overspend over time. In one company I worked for, there were twice as many software licenses purchased as there were people in the organization.

This is demonstrably bad for the customer, and demonstrably very good for the vendor, of course. It is yet another example of where a decent account director will almost always trade relationship for revenue.
I'm planning to have the full book out in about 3 months. I'm still looking for any vendor horror stories - from either the buy or sell side - which can add some spice. I'll keep your identities and organisations confidential if you wish.

Categories: news I read

advertising fake passports and other puzzles?

Financial Cryptography - Wed, 2010-05-19 00:18
Well.... as frequent readers know, I collect data on how much it costs to purchase a set of Identity documents. I do this so that we know what the rough barrier to totally breaching the so-called Identity Requirement costs. So that we can feed that number into our construction of security models, and not get caught out. In short, my research suggests strongly that the cost is about a thousand, in any of the major currencies. Some reader in that business has just fed a comment into a post, advertising exactly that. My first thought was to remove it, as I don't like spam and adverts on the site ... but it is precisely on topic! In the spirit of research and data collection, I went to the site (which is at fake passports dot eu) and it has these prices, in Euros:...

Why Open + Internet + Brand can changes the Governance map for CAs

Financial Cryptography - Tue, 2010-05-18 11:49
Daniel wrote in comments a month or so back about the need to put the CA's brand on the chrome, so all can see who makes the statement:

Assume for the moment that there is a real interest in fixing this issue (there isn't, but I'll play along). Andy is right that it isn't going to do much good because, in essence, users don't care. The fundamental problem with this security scheme is that it requires some action on the part of the consumer. But consumers aren't interested in the bother.

This is the accepted wisdom of the community that builds these tools. Unfortunately it is too simple, and the sad reality is that this view is dangerously wrong, but self-perpetuating. Absence of respect is not evidence that the actors are stupid. For a longer discussion, see this paper: So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. The title is maybe self-referential; if it takes you a while to work out what it is saying, you'll appreciate how consumers feel :-) In short, it is not that consumers aren't interested in the bother, it's that they reject bad advice. And they're right to do so.

So there are two paths here, one is to improve the advice /up to the point where it is rational for users to pay attention/ which you'll recognise is a very hard target. Or, remove the advice entirely and fix the model so that it represents a better trade-off (e.g., there is only one mode, and it is secure). As far as the secure browser architecture goes, that second path is pretty much impossible because it relies on too many external components, ones which will not move unless we've also figured out how to start and stop earthquakes, volcanoes and tsunamis at whim. So we are left with improving the advice, itself a very hard target. Let's try that:

Imagine the following situation. You walk into your local bank but in order to withdraw any money you needed to do the following: interview the guard at the door to make sure he really worked for the bank, interview the teller to make sure he really worked for the bank, and then set at least 10% of the money you withdrew from the bank on fire so you could watch it burn and see if it was fake or not.

Right, this is a common problem. The mistake you are making is that the majority view is how to design the product. In this case, if the majority ignore the information, we don't need to follow their view in order to redesign the product. The reason for this is that the minority can have a sufficient effect to achieve the desired result. This is what we call Open Governance: the information is put out there, but only a small minority look at any particular subset. The crowd in aggregate looks at all, but individually, specialisation takes root and becomes the norm.

Let's step outside that context and try another. Consider a police officer's badge. It's got a number on it. Often a name, as well. When the police officer busts some trouble maker, likely the perp does not notice the badge, nor the number. 99% likely, because the perp doesn't need to know, he's busted, and it matters little by whom. So what's the point? The point is, 1% will notice the badge number! And that's enough to cause the police -- that officer and all others -- to be cautious. To follow the rules. They don't know beforehand who's noting these things down, or not, and they don't need to. They just need to know that bad behaviour can be spotted, and as we get closer to routine bad behaviour, it is more likely that the number will be noted. Same with your bank guard. You don't have to interview him because the teller will. And if not, someone else in the branch. And if not them, some other customer will look. Welcome to Open Governance.

This is a concept where the governance of the thing, whatever it be (a CA, a bank, a government, a copper) is done by all of us, the world, not by some special agency. Each of us on the net has the same chance to play in this game -- to govern the big bad player -- but only a very few of us actually govern any particular thing in question.

Let's go back closer into context and consider CAs. How are these governed? Well, they publish CPSs, they get audited by auditors, and the audit is checked over by third party vendors. For example, we've seen audit reports that totally exclude important issues from consideration. And, nobody noticed beforehand! Which indicates that whatever is being done, whatever is being written, it isn't being verified nor understood. Which more or less casts in doubt all the prior due diligence done over CAs.

This is one reason why Mozilla decided to bring in more open governance ideas. There was a recognition that the old mid-1990s CA audit model wasn't providing a reliably solid answer. There was at least some smoke and mirrors, some criticism of abuse, and these criticisms weren't getting answered. More was needed, but not more of the same, more alternate governance. So Mozilla put in place an open list (you can join), published all new requests from CAs, and proposed them for open review (section 16 of the policy). There are a few people who read these things. Not many, because it is hard work, and it takes a lot of time. But it's a start, we can't grow these things on trees. A forest starts with a single tree.

The brand name on the chrome is the same thing. We might predict that 99% of the users won't look at it. But 1% will. And, we also know that most all computer users have someone experienced they turn to for help, and those people have a shot at knowing what the brand is about. The effect of the brand on the chrome as a security feature is then highly dependent on that effect: the CA doesn't know who is looking, but it knows that it is now totally tied to the results in the minds of those who are looking. This is powerful. Any marketing person will tell you that a threat to the brand is far more important than a deviation from a policy. CAs will fiddle their policies and practices in a heartbeat, but they'll not fiddle their brand.

There is an old saying trust but verify. The problem is that this is a contradiction in terms. Trust means precisely that I don't have to verify. If I have to verify every transaction to see if the money is good, that's not trust. If I have to spy on my wife all the time to see if she's cheating, that's not trust. Asking the user to verify, when what the user wants to do is trust, is a design failure that no amount of coding is going to fix.

Actually, the expression is dead-right; trust can only come from verification, and repeated verifications at that. However, those verifications will have happened in the past; we might for example point to the fact that 99.999999% of all certificates issued have never caused a problem. That's a million verifications, right there. When you say you don't have to verify, you're really saying you can take a risk this time. But there will come a time when that will rebound. Trust without verification is naïveté. But, what we can do is outsource and share who does the verifying. And that's what Brand on the Chrome is about; outsourcing and sharing the verification of the CA's business practices to the crowd....

Seat-of-the-Pants IT support

This is China! - Mon, 2009-02-23 09:51

My column “Challenging China” for Eurobiz Magazine focuses on Information Technology (IT) issues that Western managers encounter in China. Eurobiz is a publication of the European Union Chamber of Commerce in China. China IT does have particular issues unique to the society, which, though modernizing at a rapid pace, is learning the kinds of processes and controls the West learned (and seems to continually forget) decades ago. I write:

“Unfortunately, the entire relationship between Western companies and the IT function in China is complicated in that the vast majority of organizations have to outsource their IT to a plethora of small, local outfits. This has as much to do with the dearth of IT talent in the marketplace as with the newness of IT as a discipline in China. The West has been fouling up corporate IT projects for decades; in China, a mere ten years at most. Outsourcing IT in many ways can be more frustrating and expensive than using qualified, in-house resources. Outsourcers have multiple clients they are juggling; your Management does not have the convenience of interviewing outsourcing resources, who are typically young and whose English language capabilities might be wanting; and outsourcing companies in China never seem to give adequate time to thinking through to the root causes of organizational IT problems, or to sticking around long enough to ensure issues never recur.”

The article is based on my efforts within Asia Base to rationalize IT support calls and resolution processes. It ain’t been easy, let me tell you.

“To the technician I was the irrational Westerner; his job was to fix the problem the user had called him on. My job was to make sure staff had an environment in which they could be productive and have somewhat fulfilling work to do that was profitable. The problem, I explained to the principal of the IT services company, was there was no triage system in place to help both users and service representatives prioritize issues. To both users and service providers, every issue was an emergency. The result was that IT was actually creating as many issues as it was solving. IT and user habits brought in off the busy streets of China were maintaining a destabilized work environment.”

Check out the article, when you get the chance.

Categories: China, news I read

How to Become a Chinese Persona Non Grata

This is China! - Fri, 2009-02-20 08:59

I wrote at the end of December how the Chinese government was unimpressed with company bosses who were closing up shop in Guangdong and Shandong provinces and running back to their home countries with their suitcases literally stuffed with the company’s proceeds. Of course, this is highly illegal, as many staff remain to be paid and many taxes and fees must change hands with local government officials.

Today’s Financial Times reports that Chinese company owners are doing the exact same thing in the Democratic Republic of Congo.

“More than 40 Chinese-run copper smelters are standing idle in the Democratic Republic of Congo after their owners fled the country without paying taxes or compensating staff at the end of the commodity boom, according to a governor.”

The circumstances surrounding the flight from Congolese justice sound remarkably like those in the industrialized Pearl River Delta and Bohai regions.

“When global commodity prices tumbled, the result in Katanga was painful: in the space of weeks luxury house-building projects and freshly imported Jeeps vanished to be replaced by unemployment and rising crime.”

The Congolese government, like its gray-suited counterparts in China, is singularly unimpressed with its errant guests.

““They didn’t pay their people, they didn’t respect anything. We have already written to them to ask them to give severance pay to their staff and to pay the tax due to the government.

“If they don’t, we are going to ask the court to auction their properties to pay the bills.”

I don’t imagine the Congolese will be rolling out the red carpet to Chinese businessmen anytime soon.

Categories: China, news I read

Sour Economy Affects Economics of Being a Mistress

This is China! - Thu, 2009-02-19 09:54

Economists are keen to gauge all kinds of ancillary data about an economy to divine the general direction in which an economy is developing; for instance, electricity usage, pollution rates, commodity prices, real estate values and vacancies, etc.

So how about measuring the number of mistresses a businessman is able to support? The China Daily’s Tuesday 17 February 2009 print edition had an article about a Chinese businessman who juggled five mistresses. Tragically, one of the mistresses died when she crashed the car in which she was driving her boyfriend and the four other mistresses to a resort area; she had lost in the first round of a beauty and talent contest the businessman had hosted to determine which of the five mistresses he should keep.

“The Shanxi native reportedly became Fan’s mistress shortly thereafter and lived with him in a two-room apartment bought by the man…Fan, a married entrepreneur, also kept four other mistresses, two of whom were his employees and two his former clients, the report said.”

The cost of keeping a mistress in China says a lot about how China’s New Money has chosen to invest its recent financial gains:

“Fan introduced the five to each other, but none chose to break up with him, as each reportedly received 5,000 yuan (US$733) a month plus a rent-free apartment.”

Clearly, in an economic downturn of global proportions, this bit of overhead can quickly seem burdensome. So, for a bit of creative vetting:

“But business began to go bad, and Fan decided to lay off all but one mistress to save money… To select the best one, he reportedly staged a talent show in a hotel last May, even inviting an instructor from a local modeling agency to be a judge…”

It seems, though, that not just mistresses are succumbing to the economic downturn; errant journalists under pressure to produce are as well.

Yesterday’s China Daily retracted the story, which was apparently a word-for-word translation of a Chinese article printed in Wuhan some time before.

Seems the dismal science has many more data points to choose from than ever before.

Categories: China, news I read

The Value of Education

This is China! - Wed, 2009-02-18 09:01

Last night on Suzhou local news, between the reports on the latest real estate scam and the young man who murdered his pregnant girlfriend, there were a couple of reports on the state of the local school system, which, I imagine, is reflective of the state of the nation. Actually, given that Suzhou, a second-tier city, is as rich per capita as any of the first-tier cities in China, it just might be that the state of most other school systems is even more desperate than what I saw last night.

The first report talked about how over-crowded Suzhou public schools have become. On average, after 8th grade, it costs about 400 RMB per month for a student to go to a public school in the area. With the influx of wai di ren (literally, “outside land people”: Chinese from cities other than one’s hometown), public schools are bulging with pupils. For an additional 1,000 to 10,000 RMB per month, parents can send their children to private Chinese schools. However, the quality of the Chinese private schools is difficult for parents to gauge. So they are in a quandary as to what to do with their children.

Which brings us to the second education-related report, fifteen minutes after the first. A private school for elementary-age children was suffering financially (for reasons I am unclear on). The Chinese owner of the school saw the handwriting on the wall (in a manner of speaking) and ran off with the school’s funds. Neither the parents, the teachers nor the police know his whereabouts. Teachers continue to work without salary, though for how much longer no one knows.

Of course, it seems contradictory that in the first report there seem not to be enough public schools to go around, which should mean a bonanza for private schools. However, if the quality of a private school is not good and/or its tuition is higher than the market is willing to bear, it seems it will meet its end.

I have a tough time, though, shaking the image of the six-year-olds happily stomping around the playground, oblivious to the turn of events at their school, and clueless that getting a proper education in modernizing, ever-wealthier China will prove increasingly challenging for them.

Categories: China, news I read

Job Search Blues

This is China! - Tue, 2009-02-17 09:13

Yesterday I chatted with a young Chinese local who had been making the rounds of interviews in Suzhou. She had been laid off from her job as an interpreter at an American manufacturer in the area. Apparently, she pressed for a raise at just about the worst time an individual could: just as Wall Street and the American automotive industry were melting down and no one knew quite who would be the next president of the United States. Her two years of work experience did not help save her job.

When I talked with her she had just finished an interview with a Taiwanese corporate training company. It had been her second interview with a company since the end of the Spring Festival. “There were fifty people for the interview,” she told me. Company management had had the group of hopefuls herded into the same waiting area.

The day before she had dropped her resume at a job search agency that promised - with the payment of a couple hundred RMB - to blast her resume out to target companies.

“You know,” I told her, “Taiwanese companies don’t have such a great reputation in China for treating their staff well.”

“I know,” she said, “I don’t want to work for a Taiwanese company; but no choice. I have to find a job.” Her family was acutely feeling the loss of a third of its income with her unemployment. The position of proctor for electronic English-learning pays about 1,500 RMB per month, she told me. Before, she was making 2,300 RMB per month.

“There are very few Western and Japanese companies hiring,” she said, “Most of the companies hiring are Chinese or Taiwanese.”

A Wall Street Journal article from today bears out her observation:

“Foreign direct investment in China plunged 33% in January from the same month last year to $7.53 billion, the Ministry of Commerce said Monday, as the global economic downturn slowed capital flows into the world’s third-largest economy…Tao Wang, China economic research head of UBS securities, … expects direct foreign investment into China to drop 30% to 40% for all of 2009.”

Looks like our interpreter friend is in for a long, hard job search.

Categories: China, news I read

One Billion Pill Poppers

This is China! - Mon, 2009-02-16 09:35

I recently received an interesting email from a Jiangsu Province government official:

“Your China Economic Weather Report is interesting. We, at XYZ Economic Development Zone, are tasting the bitterness of global recession. We totally agree with your FDI Forecast for 2009. Some of our clients have decided to postpone or even cancel the investment plan under current economic turmoil. However, the pharmaceutical sector seems less affected by the economic meltdown. Three chemical companies signed investment agreements with us in 2008. We are making adjustments in development strategy to better cope with the downturn. The pressure is there on our shoulders to reach the same or an even greater amount of FDI in this situation. Hopefully things will get better in the second half of 2009.”

In particular I found the administrator’s observation that pharma was weathering the economic downturn relatively well quite enlightening. In talking with an American expert in the field who visited our office a few days ago, we agreed that Pharma in the West was at a crossroads: R&D has become prohibitively expensive; many blockbuster drugs are reaching their patent-expiry dates, after which low-cost manufacturers will be able to copy the drugs with impunity; and the road to FDA approval (at least, state-side), is fraught with expense and failures aplenty.

The China market - as is the case with so many other industries - has opportunities aplenty for relatively low-cost development as well as consumption. But - again, as is the case with so many industries in China - the market is highly fragmented with little regulation (think “milk”). It will be another few years at least before Big Pharma - and the FDA - will be able to feel comfortable pursuing substantial R&D projects in China, as well as clinical trials.

The allure of one billion pill poppers, though, will eventually transform the obstacles to developing China’s pharmaceuticals market into grand opportunities.

Categories: China, news I read