<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>edagraffiti &#187; security</title>
	<atom:link href="http://edagraffiti.com/?cat=22&#038;feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://edagraffiti.com</link>
	<description>EDA, technology, semiconductor</description>
	<lastBuildDate>Mon, 14 Nov 2011 02:32:56 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.6</generator>
		<item>
		<title>Consumer Electronics Show</title>
		<link>http://edagraffiti.com/?p=130</link>
		<comments>http://edagraffiti.com/?p=130#comments</comments>
		<pubDate>Fri, 22 Jan 2010 00:00:00 +0000</pubDate>
		<dc:creator>paulmcl</dc:creator>
				<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.cancom.com/elogic_920000692/2010/01/22/consumer-electronics-show/</guid>
		<description><![CDATA[At the start of January I went to the Consumer Electronics Show (CES) in Las Vegas. It is quite unlike any trade-show I&#8217;ve ever been to before. It fills all the halls of the Las Vegas convention center plus a &#8230; <a href="http://edagraffiti.com/?p=130">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><img align="left" alt="" src="http://www.edagraffiti.com/images/ces.jpg">At the start of January I went to the Consumer Electronics Show (CES) in Las Vegas. It is quite unlike any trade-show I&rsquo;ve ever been to before. It fills all the halls of the Las Vegas convention center plus a hotel or two. There were 130,000 people attending. For comparison, AT&amp;T park has a capacity of 41,000 so it is about 3 times as large. And if you think the traffic is bad after a ball-game you can try 2 hour waits for taxis and even 30 minute waits for the monorail (it runs every 5 minutes or so but it takes 4 or 5 of them before you get to the front of the line).</p>
<p> DAC is the tradeshow I know best. I&rsquo;ve been to every one since 1984, the year DAC got big and Albuquerque was still small. I&rsquo;ll probably still be going when DAC is small again. Anyway, unlike DAC, you can&rsquo;t just wander around hoping to run across the interesting stuff. There are so many booths you can&rsquo;t hope to see more than about 20% of them even in a couple of days. You have to decide which people you want to see and fight your way through the m&ecirc;l&eacute;e to their booths.</p>
<p> One company, actually an $800M semiconductor company, we met with simply didn&rsquo;t bother to have a booth. They just rented a suite in one of the nearby hotels and had all their meetings there. It was actually much easier to find them than if they had had a booth. But we were ravenous during the meeting. Unless you have 45 minutes to stand in line you aren&rsquo;t getting any lunch. We tried to crash an NXP special event with a buffet but the security guard got to us first.</p>
<p> In EDA, many people wonder about the future of tradeshows. DAC seemed fine this year but it was on home turf. It will be interesting to see how it does in Anaheim this year where most visitors have to get on a plane rather than just get into their car. But CES seems to have had more visitors than they predicted. But for really big tradeshows the end can come fast if the biggest guys pull out. Remember Comdex, which was also one of the largest tradeshows anywhere with 200,000 attendees. Hotel rooms went for several thousand dollars per night. Comdex died in 2003, ironically partly because the center of gravity for computers had moved so far from being in the IT departments of corporations to consumers, and CES became the must-attend show.</p>
]]></content:encoded>
			<wfw:commentRss>http://edagraffiti.com/?feed=rss2&#038;p=130</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>That’s all folks</title>
		<link>http://edagraffiti.com/?p=202</link>
		<comments>http://edagraffiti.com/?p=202#comments</comments>
		<pubDate>Thu, 08 Oct 2009 00:00:00 +0000</pubDate>
		<dc:creator>paulmcl</dc:creator>
				<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.cancom.com/elogic_920000692/2009/10/08/thats-all-folks/</guid>
		<description><![CDATA[There was a reason I wrote about biometrics recently. I have a new job as COO (and VP marketing) at Biogy, which is a biometrics company. Already I&#8217;ve become a biometrics bore. But that means I don&#8217;t really have time &#8230; <a href="http://edagraffiti.com/?p=202">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><img align="left" src="http://www.edagraffiti.com/images/folks.jpg" alt="">There was a reason I wrote about biometrics recently. I have a new job as COO (and VP marketing) at Biogy, which is a biometrics company. Already I&rsquo;ve become a biometrics bore. But that means I don&rsquo;t really have time any more to be an EDA bore as well, not to mention that since I&rsquo;ll be spending less time in the EDA milieu I won&rsquo;t have anything interesting to say about it any more. Okay, I set myself up for comments about not having anything interesting to say anyway, in which case why are you here reading this? Biogy isn&#8217;t fully funded so I&#8217;m not getting paid yet so I&#8217;m still interested in EDA consulting opportunities.</p>
<p>Anyway, time will tell how this all plays out. Maybe the gravitational attraction vortex of EDA will once again prove too much and I&rsquo;ll be back in a year or two.</p>
<p> In the meantime, I&#8217;ll continue to post stuff here, but only once or twice a week, not daily as I have been doing since the start of the year.</p>
<p> My email, as always, is paul%greenfolder.com (with the percent replaced by @ of course).</p>
]]></content:encoded>
			<wfw:commentRss>http://edagraffiti.com/?feed=rss2&#038;p=202</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Biometrics conference</title>
		<link>http://edagraffiti.com/?p=57</link>
		<comments>http://edagraffiti.com/?p=57#comments</comments>
		<pubDate>Wed, 07 Oct 2009 00:00:00 +0000</pubDate>
		<dc:creator>paulmcl</dc:creator>
				<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.cancom.com/elogic_920000692/2009/10/07/biometrics-conference/</guid>
		<description><![CDATA[I was at a biometrics conference in Florida the week before last. The state of the art is much more advanced than I realized in many areas. For example, iris recognition can be done at a distance of a couple &#8230; <a href="http://edagraffiti.com/?p=57">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><img vspace="3" hspace="3" align="left" alt="" src="http://www.edagraffiti.com/images/biocons.jpg">I was at a biometrics conference in Florida the week before last. The state of the art is much more advanced than I realized in many areas.</p>
<p>For example, iris recognition can be done at a distance of a couple of meters. You just look at a screen for a second or two and the system can identify who you are and thus whether you are approved to enter, or whatever. In a self-contained unit, the unit itself can store 100,000 people. With a back-end database there can be millions or even hundreds of millions and identification still takes place in under 2 seconds. This is still what is called cooperative recognition, where the person being identified follows instructions, opens their eyes, takes off their glasses (although it has a pretty good recognition rate even if you don&rsquo;t, depending on how much other reflection there is off the lenses). There seem to be research projects going on to recognize people simply by scanning them as they walk by.</p>
<p>In Japan, half of all ATMs are equipped so you stick your finger in to validate who you are. Over 80% of them use Hitachi&rsquo;s recognition system, which works, not by fingerprints, but by the pattern of veins inside the finger which can be seen by shining a bright red light into the end of the finger. Curiously, an ATM card plus your finger isn&rsquo;t enough. You have to type in a four digit PIN too, but not because the banks want it. Japanese law says that ATMs must have PINs and the law hasn&rsquo;t caught up with modern technology (that would never happen here, surely, where every senator already knows that the Internet is a series of tubes). Don&rsquo;t expect to see this any time soon in the US since we don&rsquo;t really use smart cards and the modern way to do things is to store the biometric data on the card and not in a central database so that it doesn&rsquo;t have a single point of failure, and because in many countries (although not the US) there are major restrictions on biometric databases which are obviated if you only store them on something that belongs to the user.</p>
<p>In Pakistan, fingerprints are used to control elections, guaranteeing one person one vote. I talked in the bar one night to people who built that system and I asked them about its computational needs. They told me it all ran on &ldquo;what counts as a server in Pakistan&rdquo; namely a not-state-of-the-art PC. Apparently part of the cleverness is being able to reject over 90% of people without having to look at their detailed fingerprint data.</p>
<p>Those of you who are citizens may have noticed that all visitors (including permanent residents like me) are fingerprinted and photographed every time we enter the US. That&rsquo;s over 600 million times a year. I&rsquo;m sure Homeland Security would fingerprint everyone at the border if it weren&rsquo;t against the law, just like the NSA decided to examine everyone&#8217;s phone traffic (despite being against the law). I&rsquo;ve no idea what they do with the data; it seems like a boondoggle for the equipment suppliers. After all, the 9/11 hijackers all entered the country legally with visas (although in a couple of cases the visas didn&rsquo;t get approved until 6 months after 9/11).</p>
<p>It is clear that the federal government isn&rsquo;t going to rest until we have standardized biometric driver&rsquo;s licenses. I&rsquo;m sure they will then require you to use your fingerprint or iris every time you take a plane or enter a federal building. Since most government databases have significant error rates and essentially no procedures for validating and checking the data, this is going to result in some wonderful Kafkaesque stories when people get lost by the system or confused with someone else.</p>
<p>Identity is very important for some things, like nobody except you should transfer money out of your bank account. For others it is completely unclear, such as getting on a plane. Despite the terrorist watch lists (people who are so dangerous that they can&rsquo;t be allowed on a plane but so undangerous that they can&rsquo;t be charged with anything at all) airline security seems never to have apprehended a genuine terrorist (as opposed to the occasional petty drug dealer).</p>
<p>A lot of what the government seems to be doing is analogous to the drunk looking for his keys under the streetlight because that&rsquo;s where he could see. Take lots of biometric information in, because it is possible, even though nobody has a database of biometric information from suspected terrorists to match against.</p>
<p>In the meantime, in tiny drips like this, I think our freedom and privacy gradually ebbs away. Forget the differences in rhetoric, the Bush and Obama administrations both seem equally keen to centralize power and take away liberties in the name of the usual trifecta of terrorists, pedophiles and drug dealers.</p>
]]></content:encoded>
			<wfw:commentRss>http://edagraffiti.com/?feed=rss2&#038;p=57</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Biometrics</title>
		<link>http://edagraffiti.com/?p=196</link>
		<comments>http://edagraffiti.com/?p=196#comments</comments>
		<pubDate>Mon, 05 Oct 2009 00:00:00 +0000</pubDate>
		<dc:creator>paulmcl</dc:creator>
				<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.cancom.com/elogic_920000692/2009/10/05/biometrics/</guid>
		<description><![CDATA[What are biometrics? It is authenticating people by some aspect of their body, typically fingerprints (or finger vein), iris scan or voice recognition. I think that it will become much more important in the coming years since it offers a &#8230; <a href="http://edagraffiti.com/?p=196">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><img align="left" src="http://www.edagraffiti.com/images/datavault.jpg" alt="">What are biometrics? It is authenticating people by some aspect of their body, typically fingerprints (or finger vein), iris scan or voice recognition. I think that it will become much more important in the coming years since it offers a painless way to get increased security.</p>
<p>As I talked about <a href="http://edagraffiti.com/blog/920000692/post/1500048950.html">earlier</a>, security is hard and people think it isn&rsquo;t. In the military and internally in big companies, the way that security works can be mandated. Even then there are regular stories of unencrypted disks going missing in the mail, or credit card databases being stolen wholesale. But in the consumer world there is a different issue: if the consumers find it too hard to use then they won&#8217;t use it. If a bank makes its customers jump through too many hoops to login and make online payments then either they&#8217;ll change banks or think badly of their bank for not really having a usable online payment system.</p>
<p>The solution that the credit card companies came up with is simply to accept a certain amount of fraud and try and manage it down. Some of the behavioral stuff they now use seems to have got really good. Someone got hold of a credit card number of mine recently and they didn&#8217;t let a single fraudulent transaction go through, and, until they finally put a complete hold on the card, without blocking a valid one. Further, that was the first time they put a hold on my card, they didn&#8217;t have any earlier false alarms. That&#8217;s a big improvement from when once I couldn&#8217;t pay for my hotel in Japan because &quot;someone appears to be attempting to use your card in Japan&quot;. Er, yes, that would be me.</p>
<p>I think biometrics offers the possibility of industrial strength security coupled with consumer ease-of-use. There are some issues since a few people don&#8217;t have readable fingerprints and people occasionally cut their fingers and so on. So there does need to be an alternative route for those rare occurrences, although they can be relatively cumbersome. To some extent biometrics has a bad rap since early implementations were poor and had a high failure rate (you put your finger on the pad and you are not recognized) and there are some health issues with shared detectors (do you really want to stick your finger on the same piece of plastic as several hundred other people, some of them with flu, already did?).</p>
<p>Biometrics is divided into what are called one-to-one and one-to-many. One-to-one is where you know who the person is and you are trying to confirm it. The amount of data and processing required is relatively low. One-to-many is where you scan, say, someone&#8217;s iris or fingerprints and identify them within a second or two from a database of several million people. That requires much more serious computation, although the amount of data required to be stored per person is only of the order of 1K bytes.</p>
<p>There are lots of subtleties to making biometrics truly secure in the face of virus-ridden PCs, keyloggers, unencrypted wireless networks and the rest. Unlike a password, you can&#8217;t change your biometrics so guaranteeing that the data remains secure is even more important.</p>
]]></content:encoded>
			<wfw:commentRss>http://edagraffiti.com/?feed=rss2&#038;p=196</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why is security so hard?</title>
		<link>http://edagraffiti.com/?p=192</link>
		<comments>http://edagraffiti.com/?p=192#comments</comments>
		<pubDate>Tue, 29 Sep 2009 00:00:00 +0000</pubDate>
		<dc:creator>paulmcl</dc:creator>
				<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.cancom.com/elogic_920000692/2009/09/29/why-is-security-so-hard/</guid>
		<description><![CDATA[I&#8217;m amazed how much bad practice there is around security. People just aren&#8217;t very good at it, and sometimes don&#8217;t even realize that there is a security issue to worry about. It is not just that people aren&#8217;t good at &#8230; <a href="http://edagraffiti.com/?p=192">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><img align="left" src="http://www.edagraffiti.com/images/postitpass.jpg" alt="">I&rsquo;m amazed how much bad practice there is around security. People just aren&rsquo;t very good at it, and sometimes don&rsquo;t even realize that there is a security issue to worry about. It is not just that people aren&rsquo;t good at it; they think they are.</p>
<p>Here&rsquo;s one example. When I was an undergraduate in 1974 it was already standard practice in operating systems to store passwords after processing them through what was then called a one-way cipher and would today be called a hash function. Yet today, if you forget your password, many websites will simply send you an email telling you what it is (as opposed to resetting it and telling you what they reset it to). This is bad for so many reasons. Firstly, it should never be stored unhashed in the database since it risks the entire database being stolen (and thus everyone&rsquo;s passwords). Since email is not secure, sending a password through email risks it being compromised that way. And you should not have your password on your computer anywhere (such as in an email) since one way of optimizing password search is to try every word on a person&rsquo;s computer, orders of magnitude quicker than an exhaustive search. So something that was being taught to undergraduates nearly 40 years ago is still not being done.</p>
<p>That&rsquo;s before worrying about the real weak link in security: users. We are all exhorted to have long passwords, not contain words, change them regularly, use different passwords for different purposes and so on. Nobody does that. What almost everyone does is have one weak password for stuff you don&rsquo;t care about (if you really want to read the New York Times while pretending to be me then be my guest) and a stronger one for things you care a lot about (if you want access to my bank account then definitely don&rsquo;t be my guest). Often banks insist on strong passwords (must contain an upper case letter, a lower case letter and a digit for example). So lots of people just write it down and stick a post-it on the computer. But then the usual set of backup questions are required for users who forget their passwords. I just don&rsquo;t think it is that hard for someone to find the last 4 digits of my social security number and my mother&rsquo;s maiden name (and an amusing aside: one website wouldn&rsquo;t accept the answer to my mother&rsquo;s maiden name question since it only has 4 characters and was deemed too short! It wasn&rsquo;t even Wu or Li). It was a password recovery weak link that led to all the Twitter documents being compromised a few weeks ago.</p>
<p>As Bruce Schneier says, amateurs attack the cryptography; professionals attack the people. It&rsquo;s even got a name, social engineering. Most readers of this blog are tech savvy and are at least suspicious of things like emails that look like they are from your bank or Paypal requiring you to go and log in. We are aware that the site you end up on might look like Paypal but probably is some password harvesting site. But less tech savvy people haven&rsquo;t a chance. They&rsquo;ve never heard the term phishing and don&rsquo;t have any feel for which emails might be genuine and which are clearly fraud.</p>
<p>When people are phoned up they are even more vulnerable. There&rsquo;s a lovely story of some high-up general inside the Pentagon saying that his password would be impossible for anyone to get. Susan Headley, a famous social engineer who had been briefing these generals, picked up the phone, pretended to be an admin in the Pentagon, called the general&rsquo;s admin back wherever he was based and said the general had forgotten his password. She had it in a minute. But think about it. The general&rsquo;s admin knew he was at the Pentagon, caller-ID may even have confirmed that, and so the whole story somewhat checked out.</p>
<p>A couple of years ago (I can&rsquo;t find the reference any more) a security company went to a tradeshow, picked up lots of free USB memory sticks, loaded them up with a &ldquo;phone home&rdquo; program and then scattered them in the parking lots outside big companies. Well over half the memory sticks were inserted into computers inside the firewalls of those companies. If you found a memory stick beside your car are you sure you&rsquo;d destroy it or might you see if it is any good (especially a couple of years ago before they became dirt cheap)?</p>
<p> Memory sticks are prohibited inside the DoD and Homeland Security since they became a vector for malware getting from employees&#8217; home computers to inside the firewall. Apparently this causes huge problems for some people since the DoD has many disconnected networks (&quot;airgapped&quot;) and USB sticks were the way data got transferred between them. On coastguard ships there is equipment that doesn&#8217;t have a CD reader and without a USB stick, no way to update its tables.</p>
<p> One mail I can&rsquo;t work out is that almost every day I get an email telling me I&rsquo;m being sent a billing summary for my records, which is attached. But there is no attachment. I&rsquo;m sure it is some sort of phishing attack but I guess somewhere along the email chain the attachment got stripped off for being too suspicious.</p>
]]></content:encoded>
			<wfw:commentRss>http://edagraffiti.com/?feed=rss2&#038;p=192</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Running a salesforce</title>
		<link>http://edagraffiti.com/?p=199</link>
		<comments>http://edagraffiti.com/?p=199#comments</comments>
		<pubDate>Wed, 16 Sep 2009 00:00:00 +0000</pubDate>
		<dc:creator>paulmcl</dc:creator>
				<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.cancom.com/elogic_920000692/2009/09/16/running-a-salesforce/</guid>
		<description><![CDATA[If you get senior enough in any company then you&#8217;ll eventually have salespeople reporting to you. Of course if you are a salesperson yourself this won&#8217;t cause you too much problem; instead, you&#8217;ll have problems when an engineering organization reports &#8230; <a href="http://edagraffiti.com/?p=199">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><img alt="" align="left" src="http://www.edagraffiti.com/images/salesforce.jpg">If you get senior enough in any company then you&rsquo;ll eventually have salespeople reporting to you. Of course if you are a salesperson yourself this won&rsquo;t cause you too much problem; instead, you&rsquo;ll have problems when an engineering organization reports to you and appears to be populated with people from another planet.</p>
<p>Managing a salesforce when you&rsquo;ve not been a salesperson (or &ldquo;carried a bag&rdquo; as it is usually described) is hard when you first do it. This is because salespeople typically have really good interpersonal skills and are really good negotiators. You want them to be like that so that they can use those skills with customers. But when it comes to managing them, they&rsquo;ll use those skills on you.</p>
<p>When I first had to manage a salesforce (and, to make things more complicated, this was a European salesforce with French, German, English and Italians) I was given a good piece of advice by my then-boss. &ldquo;To do a good job of running sales you have to pretend to be more stupid than you are.&rdquo;</p>
<p>Sales is a very measurable part of the business because an order either comes in or doesn&rsquo;t come in. Most other parts of a business are much less measurable and so harder to hold accountable. But if you start to agree along with the salesperson why an order really slipped because engineering missed a deadline, then you start to make them less accountable. They are accountable for their number, and at some level which business they choose to pursue, and how it interacts with other parts of the company, is also part of their job. So you just have to be stupid and hold them to their number. If an order doesn&rsquo;t come for some reason, they still own their number and the right question is not to do an in-depth analysis with them about why the order didn&rsquo;t come (although you might want to do that offline), but to ask them what business they will bring in to compensate.</p>
<p>Creating a sales forecast is another tricky skill, again because an order either comes or doesn&rsquo;t come. One way of doing it is to take all the orders in the pipe, along with a percentage chance they&rsquo;ll close. Multiply each order by the percentage and add them all up. I&rsquo;m not a big believer in this at all since the chance of a 10% order closing in the current period is probably zero and it&rsquo;s easy to fool yourself. Yes, the occasional blue bird order comes out of nowhere, sometimes so much out of nowhere it wasn&rsquo;t even on the list. I&rsquo;ve never run a huge salesforce with hundreds of salespeople; the law of averages might start to work a bit better then, but typically a forecast is actually built up with the judgement of the various sales managers up the hierarchy.</p>
<p>Another rule I&rsquo;ve learned the hard way is that an order that slips from one quarter to the next is almost never incremental. You&rsquo;d think that if the forecast for this quarter is $500K, and the forecast for next quarter is $500K, then if a $100K order slips that you have a bad $400K quarter now but you&rsquo;ve got a good $600K quarter coming up. No, it&rsquo;ll be $500K. Somehow the effort to finally close the slipped order comes out of the effort available to close other orders and you are wise not to count on a sudden blip in sales productivity.</p>
<p>Salespeople are a pain to hire because you have to negotiate with them and they are at least as good, if not better, negotiators than you are. It&rsquo;s even worse in Europe where, if you don&rsquo;t simply lay down the law, you can spend days negotiating about options for company cars (&quot;I insist on the 8-CD changer&quot;). At least in the US most of the negotiation is over salary and stock, which are reasonable things to spend some time on.</p>
<p>Another thing I&rsquo;ve discovered is that salespeople really only respect sales managers who have themselves been salespeople in the field. Not marketing people who have become sales managers, not business development people who&rsquo;ve become salespeople. It&rsquo;s probably partly camaraderie but sales seems to be something that you have to have done to really understand. You want your sales manager to be respected by the salespeople because you want them to bring him into difficult sales situations to help close them, and they won&rsquo;t if they don&rsquo;t trust and respect him.</p>
]]></content:encoded>
			<wfw:commentRss>http://edagraffiti.com/?feed=rss2&#038;p=199</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile payments</title>
		<link>http://edagraffiti.com/?p=133</link>
		<comments>http://edagraffiti.com/?p=133#comments</comments>
		<pubDate>Thu, 27 Aug 2009 00:00:00 +0000</pubDate>
		<dc:creator>paulmcl</dc:creator>
				<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.cancom.com/elogic_920000692/2009/08/27/mobile-payments/</guid>
		<description><![CDATA[I have been doing some work recently with a biometric mobile payment startup. So I went to a VCtaskforce meeting last week about mobile payments. I learned some new stuff to go along with what I already knew. The first &#8230; <a href="http://edagraffiti.com/?p=133">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p><img alt="" hspace="3" align="left" vspace="3" src="http://www.edagraffiti.com/images/mpesa.jpg">I have been doing some work recently with a biometric mobile payment startup. So I went to a VCtaskforce meeting last week about mobile payments. I learned some new stuff to go along with what I already knew. The first interesting thing, which apparently surprised the organizers, was that the room was completely full. There&rsquo;s a lot of interest in mobile payments.</p>
<p>The world of mobile payments has a multi-dimensional taxonomy:</p>
<ol>
<li>Is this a developed world or developing world mobile payment system? In the developed world we have invested a lot in payment infrastructure for credit cards and ATMs. In the developing world this is much less developed and in the rural parts of the developing world not developed at all. Here&rsquo;s the interesting statistic: there are four billion mobile phones in the world, but only one billion credit cards and two billion bank accounts (so one billion people with a bank account but no credit card). If you were Visa going to a new country to set up a way for people to pay for stuff, you&rsquo;d do it with phones rather than trying to replicate the type of landline based system of terminals, ATMs etc that we have built. But in the developed world mobile payments have to compete with credit and debit cards, which already work pretty efficiently. Remember, most people in the world have prepaid cell phones, not billed. Even in the US, prepay is the fastest growing part of the market.</li>
<li>Is it digital goods or physical goods that you are paying for? And a secondary question is how big the payment is. Cheap digital goods (music tracks, ringtones, wallpaper, virtual currency in games etc) can easily be handled by network operators who just put it on your bill. If it requires shipping something then the operators are not set up to do that, and if the price becomes too high then their support costs go up (every call to a network operator costs $6 on average).</li>
<li>Is it remote or proximity payment? Proximity payment means that you wave your phone over some sort of sensor in a store. The leading technology to make this work is NFC (near field communications) but it is somewhat on the back-burner now due to the recession. Maybe in 3 or 4 years it will become important. Remote (meaning that you are not necessarily at a store at all) is the most interesting part of the market anyway. I don&rsquo;t consider proximity payments in the rest of this.</li>
</ol>
<p>The players in this are banks, network operators (like Verizon and AT&amp;T) and third party companies trying to build payment infrastructure independent of banks or network operators (or perhaps in partnership with them, depending on business model). The banks have so far not been very successful at setting up mobile payments although in the longer term they might be since the network operators are really only good at a few things: building networks, transmitting data over them, and billing people. So they are set up to sell you a ringtone. But once physical goods start to get involved it is no longer something that the network people know how to do and is more the preserve of people like Visa who already have all the fraud infrastructure, chargeback infrastructure and a business model to support it.</p>
<p>In Kenya (and now some other African countries) Vodafone and their local partners set up a system called M-pesa. M for mobile, pesa is the Swahili for money (there&rsquo;s no end to the interesting stuff you learn on this blog). It is basically branchless banking. With your phone you can transfer money from your pre-pay account to anyone else&rsquo;s. You can go to many stores and pay in cash to top up your pre-pay account. Or you can take money out of your pre-pay account. So a worker in a city can go to the grocery store, add $50 to their account, transfer it to the account of their wife back in a village far from any bank, and they can go to the grocery store and take the $50 out of their account. Apparently people also use it to avoid getting robbed: pay money in before getting on the bus, take it out at the other end. There are 7M users (in just a couple of years) with 2M transactions daily in just Kenya.</p>
<p>Mobile payments today are $24B annually. It is all either digital goods or cash infrastructure with things like M-pesa, essentially no physical goods. However, there is one big problem: security. The moment Paypal launches in a pre-paid market they see attacks go up. In fact, mobile security is better than regular internet security (the network really does know which phone it is and whose it is) but it is inadequate. If stealing your phone enables someone to empty your bank account you need better protection than just a four digit PIN.</p>
<p>Biometrics offers one of the best solutions to this: put a fingerprint sensor on each phone. That works OK for high-end phones but doesn&rsquo;t do so well for the lowest end where phones cost only $20 to build and can&rsquo;t absorb the cost of a sensor. The challenge is to have high security but a seamless customer experience.</p>
<p>Who might you not have thought about who could suddenly become a player in this space who is not a bank nor a network operator? Paypal, obviously. But also there is somebody who has 300M accounts already set up with payment instruments. Somebody who already sells over 25% of all music using this technology, some of it in the mobile market. Apple, with iTunes and the appStore, have moved a significant amount of distribution and billing away from the carriers. They have an infrastructure they could do more with if they decided to.</p>
<p>There&rsquo;s another gorilla lurking who already has a huge number of accounts (I don&rsquo;t know how many) already set up with payment instruments and already in the business of shipping a lot of physical goods? Amazon.</p>
]]></content:encoded>
			<wfw:commentRss>http://edagraffiti.com/?feed=rss2&#038;p=133</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
