Microsoft to deactivate Botnets

Software giant Microsoft Corp has won US court approval to deactivate a global network of computers that the company accused of spreading spam and harmful computer code, the Wall Street Journal said.

A federal judge in Alexandria, Virginia, granted a request by Microsoft to deactivate 277 Internet domains, which the software maker said are linked to a "botnet", the paper said.

A botnet is an army of infected computers that hackers can control from a central machine. The company aims to secretly sever communications channels to the botnet before its operators can re-establish links to the network, the paper said.

Microsoft on Monday filed a suit that targets a botnet identified as Waledac, the paper said.

Judge Brinkema's order required VeriSign Inc, an Internet security and naming services provider, to temporarily turn off the suspect Internet addresses, the paper said.

Microsoft could not be immediately reached for comment by Reuters outside regular US business hours.

On Feb. 18, Internet security firm NetWitness said in a report that a new type of computer virus is known to have breached almost 75,000 computers in 2,500 organizations around the world, including user accounts of popular social network websites.

Experts warn of catastrophe from cyberattacks

Computer-based network attacks are slowly bleeding U.S. businesses of revenue and market advantage, while the government faces the prospect of losing in an all-out cyberwar, experts told U.S. Senators in a hearing on Tuesday.
"If the nation went to war today in a cyberwar, we would lose," said Michael McConnell, executive vice president of Booz Allen Hamilton's national security business and a former director of national security and national intelligence. "We're the most vulnerable. We're the most connected. We have the most to lose."
The United States will not be able to mitigate the risk from cyberattack until the government gets more actively involved in protecting the nation's network, which may not occur until after a "catastrophic event" happens, McConnell said in testimony during a hearing of the Senate Committee on Commerce, Science and Transportation.
"The government's role will change to become more active," he said. "We're going to morph the Internet from '.com' to '.secure'."
The subject of the hearing was the Cyber Security Act of 2009, which would regulate organizations and companies that provide critical infrastructure for the U.S., require licensing and certification for cybersecurity professionals, and provide funding for grant and scholarship programs. The U.S. House of Representatives passed its version of the Cyber Security Act earlier this month.
The bill is necessary and overdue, said James Lewis, a senior fellow at the nonprofit Center for Strategic and International Studies (CSIS). The U.S. is "under attack every day, losing every day vital secrets. We cannot wait," he said. "We need a new framework for cybersecurity and this bill helps provide that."
"A cyberattack would be like being bled to death and not noticing it and that's kind of what's happening now," Lewis said when asked to define what a cyber attack is. "The cyberattack is mainly espionage, some crime," he added, noting as an example an attack in which $9.8 million was extracted from ATMs over a three-day weekend.
"I don't worry about terrorists (because)...terrorists are nuts. If they had the ability to attack us they would have used it," he said. "There are people who could attack us now: Russia, China, some others, our potential military opponents. And we know they've done reconnaissance on the electrical grid.
"Could they turn off the electrical grid in a conflict over Taiwan or Georgia? Sure. That's what it would look like," Lewis said.
Cyberattackers are stealing "massive" amounts of business information that is compromising U.S. companies and markets, according to Scott Borg, chief economist at the nonprofit U.S. Cyber Consequences Unit. "Cyberattacks are already damaging the American economy much more than is generally recognized," he said. "The loss is greater than losses due to identity theft and credit card fraud."
Mary Ann Davidson, chief security officer at Oracle, warned of the dangers of linking SCADA (Supervisory Control and Data Acquisition) systems for monitoring and controlling critical infrastructure with the Internet.
"We know the SCADA protocols used in control systems were not designed to be attack resistant. They were originally used in electro-mechanical systems where you had to physically access the system, turn the knob, and so on," she said. "Now we are increasingly moving to the IP-based control systems and connecting them to corporate networks that are in turn connected to the Internet.
"We know some smart grid devices are hackable," she said. "We know there are PDAs, digital assistants, that talk SCADA because it's just so expensive to send a technician to the plant. Dare I say move the control rods in and out of the reactor? There's an app for that."

Intel targeted in January attack

Intel was targeted by a "sophisticated" attack in January, but no intellectual property was stolen and executives do not think it was linked with the attacks on Google and others that occurred around the same time, a spokesman said on Tuesday.
"We don't think it was similar" to the other attacks, Intel spokesman Chuck Mulloy told CNET. "The only connection is the timing and that it was a sophisticated attack."
Intel disclosed the attack as a risk factor, under potential theft or misuse of intellectual property, in its 10-K Securities and Exchange Commission filing on Monday.
"We regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software," the filing said. "These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful. One recent and sophisticated incident occurred in January 2010 around the same time as the recently publicized security incident reported by Google."
Mulloy said that "to the best of my knowledge, no intellectual property was lost". "We routinely see people attempting to hack into our network," he said. "It's one of the challenges businesses face today."
He declined to provide further details of the attack.
Intel's disclosure about the attack--an event companies regularly endure but rarely publicize--could be the start of a trend in listing hack attacks as a risk factor, just as natural disasters and terror-related incidents have been factored into business risks.
This was the first time Intel had mentioned a hack attack in its public filings, according to Mulloy.
"Risk factors are not written in stone; they change. It's very dynamic," he said. "When you write them you look at the environment around you and clearly we've seen a lot more public attention on hacking, particularly in light of the Google attack."
Intel executives thought it was "prudent to point out that we do see attacks on a regular basis and that we work hard to prevent them," he added.
It's likely there has been some exchange of information about the attacks between Intel and Google given that Intel Chief Executive Paul Otellini serves on Google's board of directors.
Google announced in January that its intellectual property had been stolen in a targeted attack in mid-December that appeared to target 20 other companies and may have originated in China. Gmail accounts of human rights activists were targeted as well, Google said. Adobe has acknowledged that it had been targeted in an attack, while Yahoo, Symantec, Northrop Grumman, Dow Chemical, and Juniper Networks were among the other targets, according to multiple sources and reports.
As a result of the attacks, Google said it would stop censoring search results in China and could end up leaving the country entirely. The search giant and Chinese officials have resumed talks after a hiatus over the Chinese New Year, according to The Wall Street Journal.

Spies, hackers exploit world cyber rule void

The best weapon against the online thieves, spies and vandals who threaten global business and security would be international regulation of cyberspace.

Luckily for them, such cooperation does not yet exist.

Better still, from a hacker's perspective, such a goal is not a top priority for the international community, despite an outcry over hacking and censorship and disputes over cyberspace pitting China and Iran against US firm Google.

Nations are thinking too parochially about their online security to collaborate on crafting global cyber regulation, an EastWest Institute security conference heard last week.

Policy statements from governments around the world are dominated by the need to heighten national cyber defences. As a result, too many cyber criminals are getting a free ride.

"Nations are in denial," Indian cyber law expert Pavan Duggal told Reuters, saying national legislation was of limited use in protecting users of a borderless communications tool.

"It may take a big shock of an event to wake people out of their complacency, something equal to a 9/11 in cyberspace", he said referring to the 2001 coordinated attacks on US cities.

With a quarter of humanity connected to the Internet, cyber crime poses a growing danger to the global economy.

TARGET THE PERPETRATOR
The FBI tallied USD 264 million in losses from Internet crime reported by individuals in the United States in 2008, compared to USD 18 million of losses in 2001. These were probably a fraction of the losses caused to companies and government departments.

The menace extends to many sectors including control systems for manufacturing, utilities and oil refining, since many are now tied to the Internet for convenience and productivity.

A priority for regulators is to find ways of tracking down criminals across borders and ensuring they are punished, a tough task when criminals can use proxy servers to remain anonymous.

"We cannot postpone the debate until we are in the midst of a catastrophic cyber attack," former US Homeland Security Secretary Michael Chertoff told the conference.

"We must formulate an international strategy and response to cyber attacks that parallels the traditional laws governing the land, sea, and air."

Security experts say the ability to conduct disastrous mass cyber attacks is the preserve of some governments, well beyond the capacity of militant guerrilla groups like al Qaeda.

But it cannot be assumed that international organised criminal networks, long practised at mass online fraud and theft, are not developing an interest in gaining this ability.

"Cyber crime is a very sophisticated crime with very sophisticated players and it takes a multinational effort to make sure we can enforce the law," Dell Services President Peter Altabef told Reuters.

"Once you have identified who is at fault you really want to make sure, as a deterrent, that you can go to those jurisdictions and enforce the laws on the books."

James Stikeleather, Dell Services Chief Technology Officer, told Reuters that tracking down criminals across borders could pose legal issues for drafters of multilateral regulation.

Giving an example, he said the more companies added the technology needed to give investigators the ability to attribute a crime, the more users' privacy and anonymity would be reduced.

"PLAYING WITH FIRE"
"Probably the sticking point among the governments will be 'where is the appropriate level of attribution versus anonymity or privacy for what people are doing (online)'."

Datuk Mohammed Noor Amin, chairman of the UN-affiliated International Multilateral Partnership Against Cyber Threats, said failure to regulate could perpetuate cyber "failed states".

He cited impoverished countries where customers can purchase unregistered SIM cards with mobile Internet capability, giving them the ability to commit online crime such as identity theft against people in rich nations without fear of being traced.

He said it was in the interest of rich nations to help poorer countries develop the capacity to crack down on this kind of abuse, because their own citizens were being targeted.

"Governments tend to look at their self-interest. But it's actually in their own interest to collaborate," he said.

Altabef said the growing rate and scale of international cyber attacks threatened to undermine the trust between nations, businesses and individuals that was necessary for economies and societies to act on the basis of the common good.

Complacency was also a problem, delegates said. "Nations take for granted the Internet is going to be 'on' for the rest of our lives. It may not necessarily be so," said Duggal.

"Imagine the Internet being down for two to four weeks," he said. This would "rain disaster" on online businesses as well as transport, industry and governmental surveillance systems.

"People have to realise the Internet is an integral part of every country, politically, socially and business-wise."

"Not to focus on cybersecurity is playing with fire."

Chinese schools deny links to Google attacks

Two days after a New York Times report linked two Chinese schools to hack attacks on Google and other Silicon Valley companies, both schools are denying those claims.
Security experts traced the attacks to computers at Shanghai Jiaotong University and Lanxiang Vocational School, The New York Times reported last week. But over the weekend, according to the Associated Press, China's official Xinhua News Agency cited a representative of the university calling the accusations "baseless" and an official from the vocational school saying its investigation turned up no evidence the intrusions originated on school machines.
Shanghai Jiaotong University is known for its computer science program. The Lanxiang Vocational School was established with military support, according to the Times, and trains computer scientists for the military.
Google announced January 12 that e-mail accounts belonging to human rights activists in China had been compromised in "a highly sophisticated and targeted attack" probably originating in China. The company said it discovered the attacks in mid-December.
The revelations led the search giant to announce that it would stop censoring search results in China and possibly back out of the Chinese market altogether--a proclamation that underscored the troubled history, and uncertain future, for Internet companies doing business in China.
After warning of strained U.S.-China relations, China denied involvement in the attacks, and investigations by experts including the National Security Agency have only led to servers in Taiwan, the Times says. Findings implicating the Chinese schools in the intrusions could be a breakthrough in the case, though they don't automatically mean the attacks came from the Chinese government (sources have said it is typically difficult to find evidence specifically leading back to Chinese officials in computer attacks)--or even from Chinese sources.
Li Zixiang, the Communist party official speaking for Lanxiang school, disputed the Times report that evidence linked the attacks to a specific computer science class taught by a Ukrainian. "We have never employed any foreign staff," Xinhua quoted Li as saying. Another school official challenged the Times' statement that Lanxiang has close ties to the military, saying that students may join the military after graduating but are not required to.

Mindset change needed to work with Chinese developers

Home to the world's largest population, China is undeniably a potentially lucrative market that most businesses from around the globe will want a slice of. But whether most can succeed in doing so remains debatable.

From conversations with industry contacts and friends, I've been told that the Chinese market isn't easy to penetrate--several foreign businesses have tried, and failed. Oft-cited reasons for the failure include how business deals in the country are inked based on relationships (or guan xi), so if an organization is new to the local community it'll face a tough time getting contracts. Others also cite the vast difference in culture and work style.

Here, Tech Podium guest blogger Chong Yew Meng discusses her experience working in China and is refreshingly frank as she reveals the challenges she faces in the country.

Yew Meng is product and solutions consultant at Singapore-based software integration company In-One Technology, where she is also a co-founder. She is responsible for the development of product concepts and for managing software development projects. The company's range of services includes Web app development and software testing and quality assurance.

The draw of China's lucrative software market holds true also for In-One, and Yew Meng has worked with software developers in the country on several projects.

It is through such collaboration that she realized working with Chinese developers requires a change in mindset, where even the definition of "quality" she is used to is starkly different from what her peers in China are used to.

With that, I'll let Yew Meng take it from here.

A lot of companies happily venture into China with plans to tap one of the world's biggest software developer markets. Developing software at a fraction of their native country's costs and using the Internet to deliver the software beyond physical boundaries seems to be a perfect business strategy.

But, the plan often falls apart--software quality seems to be non-existent. Even with the best project managers on-site to monitor the team, the project still falls apart in terms of quality.

So why does that happen?

I've worked with developers and testers from China and it took me years before I realized that apart from all of us sharing a few physical attributes, the similarity ends there.

We think differently, we act differently, we communicate differently. I had assumed that being bilingual, I would have an advantage over my American counterparts because I'd be able to "communicate" in the language Chinese developers and testers were familiar with.

However, being able to talk and write in Chinese does not mean I can understand my team from China any better than my American counterparts. In fact, I think it creates more misjudgment because I'll wrongly assume I know them.

So what is "quality"?
I once asked the director of a well-known testing company why he still conducts most of his critical application testing in Singapore. Why not perform the tests in China as it is much more cost-effective? He replied: "Quality is taken for granted there."

It is common for the China team to conduct quality tests for software, so the issue isn't that tests aren't being carried out. Rather, the definition of "quality" is different. Most Chinese software teams define quality to be "as long as it meets the positive workflow required by the requirements".

Hence, it is common for software to pass internal tests with flying colors, but fail miserably during production.

Different definition of "work completion"
Chinese developers want to deliver quickly, while others are fighting to deliver higher levels of quality in reasonable time.

For many Chinese developers, software is considered to be completed as long as the software runs without major problems. The goal is often to complete as soon as possible--speed of development seems to be the key. Program code may be messy and performance could be further optimized, but as long as the program runs without major problems, it is considered "completed".

Our local team tends to view a piece of work as completed only if the internals are developed neatly (even if it is not visible to the customers) and the optimum performance is achieved. At times, we may be viewed as "perfectionist" (probably a more polite way of saying we are too fussy) by our Chinese counterparts, while we see our Chinese team as being too laid back on "work completion".

Hence, we are always in constant conflict with our team in China when it comes to the definition of "work completion".

Developers decide what final software should be
When I first started working with Chinese developers, I'd thought that after providing clear functional and design specifications, I would be able to relax and wait for my system to deliver in the shape I expect it to be.

However, instead of receiving the system according to my specification, I received one that had deviations from my requirements. I wasn't informed that the team had encountered technical difficulties implementing the specifications I wanted, resulting in the need to change the requirements to work around the technical issues.

It is common for developers in China to make unilateral changes to specifications without informing the person who stipulated the requirements. At times, it seems as if they made their decision on what the final software should be.

This can introduce an unquantifiable amount of risk, and companies have to guess where software performance may have been affected as a result of the changes.

Keeping quiet about problems
It is common not to hear about any problem from your development team in China during the implementation phase, but this does not necessarily mean there are none.

Developers that produce software often know where the problem lies with their software, but they may not provide that information to their project manager or customer.

The rule seems to be "tell you the good news; but keep the bad news". However, it's important to know the bad news so the situation can be remedied.

Hence, a lot of projects fall apart at the last stage because it is simply too late to resolve the problems by then.

So is there a future for software collaboration?
I believe that every developing economy must first make junk before it can produce a quality product.

With more Chinese developers being educated overseas--to more mature markets--and returning to China to work, the situation should improve as they'll bring back the "quality" concept.

And with companies training local developers through numerous interactions on software development, the quality problem will only get better, not worse.

Most important, companies that want to operate in China should learn to understand how to work more effectively with local developers. Chinese developers are brilliant in terms of creativity and if deployed correctly, this creativity can produce brilliant software offering the best quality at low cost.

It was only after countless failures and much frustration that I realized we're "not the same".

It was only after spending time to understand how my China team thinks and why they act in a certain manner that I started to see the puzzle pieces fit, and we were able to deliver quality projects.

Security breach in Hotmail

REDMOND: Microsoft Corp, whose Internet-identification service was partly shut down for an hour this morning, is looking into reports that a “limited number” of customers were able to gain access to other users’ accounts.

The breach occurred when users were trying to get into their own accounts using a mobile-phone Web browser, the company said in an e-mailed statement. It wasn’t clear if the security hole was related to the shutdown, Microsoft said.

“Microsoft takes customers’ privacy seriously, and immediately upon learning of these reports, we started an investigation,” the Redmond, Washington-based company said in the statement. “We will take appropriate action once we have completed the investigation.”

The outage occurred at about 12:30 p.m. New York time and affected Microsoft’s Windows Live ID system, preventing some customers from signing in to Hotmail free e-mail accounts and other services. More than 460 million users have online IDs that work with the system, according to Microsoft’s Web site.

Microsoft rose 55 cents to $28.35 at 4 p.m. New York time on the Nasdaq Stock Market. The shares have fallen 7 percent this year.

Unfamiliar inbox

Masato Kimura, a Hotmail user in Rockville, Maryland, said the security flaw began and ended at about the same time as the broader service failure. Kimura said he was trying to check his Hotmail messages from his LG Electronics Inc. Voyager phone when a different account popped up.

“All of a sudden, I saw an inbox that looked very unfamiliar to me,” he said. “I tried it again and got yet another inbox. I tried it several times and each time I would be getting a different inbox.”

Using a computer, Kimura wasn’t able to get to Hotmail at all. After Microsoft restored the service, Kimura was able to log in to his own account using his phone.

“It’s not a big deal if I can’t get into my own account for a few hours, the problem is if someone else can get into my account,” he said.

Infection may have triggered Blue Screens of Death

A number of system error messages that followed Microsoft's latest round of updates may have been caused by an underlying infection on Windows systems, according to the company.
Microsoft said in a blog post last week that the system error messages, colloquially known as a Blue Screen of Death, happened after users applied the KB977165 patch in the MS10-015 advisory, and that this could have been caused by malware.
"In our continuing investigation into the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behaviour," said a Microsoft blog post. "We are not yet ruling out other potential causes at this time and are still investigating."
Read more of "Infection may have triggered Blue Screens of Death" at ZDNet UK.

Early-adopter criminals embrace cloud computing

Executives unsure of the viability of cloud computing need look no further than the criminal fraternity for a ringing endorsement of the technology, according to a security expert.
Cloud computing has been enthusiastically taken up by criminals for a range of activities, Rik Ferguson, senior security adviser at security firm Trend Micro, told delegates at a Westminster eForum on Wednesday.
"One of the things that persuades me personally that the cloud is absolutely a viable model and has longevity is that it has already been adopted by criminals," Ferguson said. "They are the people who are leading-edge adopters of technology that is going to work and going to stick around for a long time.
Read more of "Early-adopter criminals embrace cloud computing" at ZDNet UK.

Chip-PIN defense is 'broken', say researchers

Chip-and-PIN readers can be tricked into accepting transactions without a valid personal identification number, opening the door to fraud, researchers have found.
Researchers at Cambridge University have found a fundamental flaw in the EMV--Europay, MasterCard, Visa--protocol that underlies chip-and-PIN validation for debit and credit cards.
As a consequence, a device can be created to modify and intercept communications between a card and a point-of-sale terminal, and fool the terminal into accepting that a PIN verification has succeeded.
Read more of "Chip and PIN is broken, say researchers" at ZDNet UK.

Fortinet: Malicious code hits record-high in Jan

The amount of unique malware tracked by security vendor Fortinet reached an all-time high in January.
Its distinct malware volume soared to over 9,000 last month, more than twice that in December, the company said in a statement Wednesday. Headquartered in Sunnyvale, Calif., Fortinet collects data from its FortiGate network security appliances and intelligence systems located globally, and compiles monthly threat statistics from the data.
Topping the charts were variants of Bredolab, accounting for more than 40 percent of all malware activity. The Bredolab downloader program, which has assumed the No. 1 position since November 2009, has been associated with the Gumblar attacks, said Fortinet.
Also highlighted in the report was the wave of attacks known as Operation Aurora--a major talking point following Google's threat last month to pull out of China. Fortinet said the attack, which uses a zero-day vulnerability in Microsoft's Internet Explorer browser, was ranked No. 4 on the list of top 10 attacks for January.
The peak volume of threat activity last month signaled that 2010 will likely be "another action-packed year", Derek Manky, Fortinet's project manager for cybersecurity and threat research, said in the statement.
"The amount of malicious code in the wild is increasing...while in-the-wild exploits and emerging zero-day attacks targeting very popular software, like Microsoft IE and Adobe PDF, create a vulnerable environment for users at every point of connectivity," he noted. "As the monetary gains of these threats continue to prove [valuable] to the criminals creating them, we'll only continue to see new and creative attacks take form."

Chinese govt takes Black Hawk down

The Chinese government has shut down what it believes is the country's largest hacker training site, according to state-controlled media.

Police in Hubei province arrested three people behind Black Hawk Safety Net and seized 1.7 million RMB (US$248,880) worth of assets, the China Daily reported Monday. Among the equipment seized were Web servers, PCs and a car.

The trio were accused of offering online tools and Trojans to launch cyberattacks--an act that was recently added to the country's criminal legislation, according to China Daily.

Established in 2005, the Black Hawk site is recognized by the Hubei province as the largest hacker training portal, propagating hacking techniques via online tutorials, forums and software. It has recruited over 170,000 ordinary members, and collected more than 7 million RMB (US$1 million) in membership fees from 12,000 VIP registrants.

According to the provincial public security department of Hubei, the police were alerted to Black Hawk when they found its members among suspects caught for an online attack and virus dissemination case in Macheng city in 2007. As many as 50 police officers had been involved in the investigation, which eventually led to the arrest of the Black Hawk owners.

Citing China's National Computer Network Emergency Response Coordination Center of China, China Daily also said the country saw losses totaling an estimated 7.6 billion RMB (US$1.1 billion) as a result of hacking incidents last year.

A blogger from F-Secure Labs welcomed news that the Black Hawk site had been brought down, noting in a blog post: "Kudos to the Chinese authorities for shutting down an online hacker training operation known as the Black Hawk Safety Net."

Hackers Put TCS Website ‘tcs.com’ On Sale!

The latest news is that the official website of the country's biggest IT services company, Tata Consultancy Services (TCS), 'tcs.com', has been hacked.

The cyber-terrorists placed a "For Sale" message in English and French on the site for a whole day and posted a contact e-mail address, abed_uk@hotmail.com.

The hack is said to be a DNS hijack, like the attack on Twitter last year.

DNS hijacking is the practice of making an illicit modification to DNS records or to a DNS server so that a uniform resource locator (URL) resolves to a different Internet site.

According to the company's representative, "The TCS website, www.tcs.com, was disrupted. Subsequently, it has been restored and is functioning fine. None of the servers were compromised. Initial investigation reveals a DNS (Domain Name Server) redirection at the domain name registrar's end. Further investigations are on."
The attackers changed the name server records for TCS's domain so that the site resolved to 205.178.152.154 instead of 216.15.200.140. They had also set up a whos.amung.us widget to display how many visitors were on the page at any given time.
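
A registrar-side redirection like the one described above leaves no trace on the victim's own servers, so the practical defence is to monitor the domain's public DNS records against a known-good baseline and alert on drift. The script below is an added example written for this digest, not code from TCS or from the article's sources: it parses dig-style record lines, diffs them against a baseline, and reports unexpected and missing values. The two IPv4 addresses are the ones the article reports; the domain's nameserver hostnames and the record lines themselves are constructed for illustration.

```python
"""Detect DNS record drift against a known-good baseline.

Constructed example: the nameserver hostnames and the dig-style record
lines below are invented for illustration. The two IPv4 addresses are the
original and hijacked addresses reported in the article.
"""
from dataclasses import dataclass, field

# Known-good state of the zone (constructed; the NS hostnames are
# placeholders, not the domain's real nameservers).
BASELINE = {
    "A": {"216.15.200.140"},
    "NS": {"ns1.example-registrar.net", "ns2.example-registrar.net"},
}


@dataclass
class Finding:
    """One record type whose observed values differ from the baseline."""
    rtype: str
    unexpected: set = field(default_factory=set)  # seen but not expected
    missing: set = field(default_factory=set)     # expected but not seen


def parse_dig_style(lines):
    """Turn lines like 'tcs.com. 3600 IN A 216.15.200.140' into {rtype: {values}}.

    Comment lines (';') and blank lines are skipped; trailing dots on
    hostnames are stripped so values compare cleanly with the baseline.
    """
    records = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        rtype, value = parts[3], parts[4].rstrip(".")
        records.setdefault(rtype, set()).add(value)
    return records


def check_drift(observed, baseline=BASELINE):
    """Compare observed records with the baseline, one Finding per drifted type."""
    findings = []
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, set())
        unexpected = seen - expected
        missing = expected - seen
        if unexpected or missing:
            findings.append(Finding(rtype, unexpected, missing))
    return findings


# Constructed dig-style output for the two states the article describes.
NORMAL = [
    "tcs.com.  3600  IN  A   216.15.200.140",
    "tcs.com.  3600  IN  NS  ns1.example-registrar.net.",
    "tcs.com.  3600  IN  NS  ns2.example-registrar.net.",
]
HIJACKED = [
    "; answer section after the registrar-side change (constructed)",
    "tcs.com.  300   IN  A   205.178.152.154",
    "tcs.com.  300   IN  NS  ns1.attacker-controlled.example.",
]


def summarize(lines):
    """Return drift as sorted tuples so the result is stable and easy to assert on."""
    return [
        (f.rtype, sorted(f.unexpected), sorted(f.missing))
        for f in check_drift(parse_dig_style(lines))
    ]


if __name__ == "__main__":
    for label, lines in (("normal", NORMAL), ("hijacked", HIJACKED)):
        print(label, summarize(lines))
```

Because the compromise in this case was at the registrar, the NS records served by the domain's own nameservers cannot be trusted as the source of truth; the baseline comparison should be fed from the parent zone's delegation (the TLD servers) and the registrar's whois/RDAP data, queried from more than one resolver, and any change should be cross-checked against the registrar's change log and account activity.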

According to security professionals, Internet sites can easily be hacked if the Web software they rely on is outdated.

The latest episode has raised questions about the level of security attentiveness at TCS, experts believe.

New Circumventor:

http://www.pulseface.com/

(Remember you can access it with either http:// or https:// at the beginning.)

Mozilla yanks infected add-ons, warns users

Mozilla pulled two programs from its Firefox browser add-on site for containing malware last Friday. Sothink Web Video Downloader 4.0 and all versions of Master Filer were found to contain Trojan horse code aimed at Windows users.
In a blog post, Mozilla stated that the Master Filer add-on was able to bypass AMO's security tests.
Mozilla user CatThief discovered the threat, it said. And when Mozilla added two more security checks to its vetting process and rescanned its entire catalog, it discovered that version 4 of the Sothink Web Video Downloader also contained a Trojan horse program. Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose.
Master Filer was removed from Mozilla's Firefox add-on site on January 25, and the Sothink video downloader was removed last Tuesday. CNET Download.com ceased hosting the Sothink add-on last Friday before noon.
Sothink Web Video Download 5.5.90819 had been a mildly popular Firefox add-on at Download.com, receiving 697 downloads in the past week and 63,716 downloads since it was first added to the site in June 2007.
Because the Trojan horse programs are tied to Firefox, Mozilla warns, host computers won't be infected until Firefox is started. If the infection has already reached the host computer, uninstalling either add-on is only part of the solution. Mozilla recommends that users who suspect they are infected use one of the following security applications to sweep and clean their computers after uninstalling the threatening add-on:
    • Antiy-AVL
    • Avast
    • AVG
    • GData
    • Ikarus
    • K7 AntiVirus
    • McAfee
    • Norman
    • VBA32
Infected users should note that only Avast and AVG are free.
Mozilla did not immediately respond to requests for comment.