The Smile-IT Blog » Blog Archives

Tag Archives: Transparency

Vicious Circle into the Past

We are on the edge of what BusinessInsider recently called an exploding era: the IoT Era. An interesting info graphic presents stunning figures of a bright future (at least when it comes to investment and sales; see the full picture further below or in the article).

The info graphic in fact stresses the usual numbers (billions of devices, $ trillion of ROI) and draws the following simple explanation of the ecosystem:

IoT and BigData Analysis (info graphic clip)

A simple explanation of IoT and BigData Analysis

Devices are receiving requests to send data, in return they do send data and data gets analyzed. Period.

Of course, this falls short of any system integration or business strategy aspect of the IoT evolution. But there is a bigger problem with this (and similar) views of IoT. To understand it, let us take a bullet-point look at the domains mentioned and their relation to IoT (second part of the graphic; I am intentionally omitting all numbers):

  • Manufacturing: smart sensor use increases
  • Transportation: connected cars on advance
  • Defense: more drones used
  • Agriculture: more soil sensors for measurements
  • Infrastructure, City: spending on IoT systems increases
  • Retail: more beacons used
  • Logistics: tracking chips usage increases
  • Banking: more teller-assist ATMs
  • Mining: IoT systems increase on extraction sites
  • Insurance (the worst assessment): IoT system will disrupt insurances (surprise me!)
  • Home: more homes will be connected to the internet
  • Food Services: majority of IoT systems will be digital signs
  • Utilities: more smart meter installations
  • Hospitality: room control, connected TVs, beacons
  • Healthcare: this paragraph even contents itself with saying what devices can do (collect data, automate processes, be hacked?)
  • Smart Buildings: IoT devices will affect how buildings are run (no! really?)

All of these assessments fall short of qualifying which data is being produced, collected and processed, and for which purpose.

And then – at the very beginning – the info graphic lists 4 barriers to IoT market adoption:

  • Security concerns
  • Privacy concerns
  • Implementation problems
  • Technological fragmentation

BusinessInsider, with this you have become part of the problem (as so many others already have): just like in the early days of cloud, the most discussed topics are security and privacy – because they are easy to grasp, yet it is difficult to explain what the real threat would possibly be.

Let us do ourselves a favour and stop stressing the mere fact that devices will provide data for processing and analysis (as well as more sophisticated integration into backend ERP, by the way). That is a no-brainer.

Let us start talking about “which”, “what for” and “how to show”! Thereby security and privacy will become an advantage for IoT and the digital transformation. Transparency remains the only way of dealing with that challenge, because – just as with cloud – those concerns will ultimately not hinder adoption anyway!


The IoT Era will explode (BusinessInsider Info Graphic)




Automation Security

This post is part of the "Automation-Orchestration" architecture series. Posts of this series together comprise a whitepaper on Automation and Orchestration for Innovative IT-aaS Architectures.


An obvious key point to consider when choosing an automation solution is security. We discuss Audit & Compliance separately from security, since audit trails and compliance need architectural support from the solution but are less technical in themselves than security.

Considering security issues for an automation solution means focusing on the following areas:

  • Confidentiality: How does the solution manage authorized access?
  • Integrity: How does the solution ensure that stored objects and data are consistently traceable at any point in time?
  • Availability: How does the solution guarantee availability as defined, communicated, and agreed upon?
  • Authenticity: How does the solution ensure the authenticity of the identities used for communication between partners (components, objects, users)?
  • Liability: How does the solution support responsibility and accountability of the organization and its managers?

None of these areas rely on one particular architectural structure. Rather they have to be assessed by reviewing the particular solution’s overall architecture and how it relates to security.

User security


Any reputable automation solution will offer industry standard authentication mechanisms such as password encryption, a strong password policy, and login protection upon failed attempts. Integrating with common identity directories such as LDAP or AD provides a higher level of security for authenticating users’ access. This allows the “bind request” to be forwarded to the specific directory, thereby leveraging the directory’s technologies not only to protect passwords and users but also to provide audit trail data for login attempts. Going a step further, an authentication system provided through an external, integrated LDAP might offer stronger authentication – such as MFA – out-of-the-box, without the need to augment the solution to gain greater security.

In addition, the solution should provide a customized interface (e.g. provided through an “exit – callback” mechanism) for customers to integrate any authentication mechanism that is not yet supported by the product out-of-the-box.

Personnel data base

Most organizations use one core personnel database within their master data management (MDM) process. For example, new employees are onboarded through an HR-triggered process which, in addition to organizational policies, ensures creation of access permissions to systems that employees use every day. As part of an automation system’s architecture, such an approach involves the need to offer automatically available interfaces and synchronization methods for users – either as objects or links. The automation workflow itself, which supports the HR onboarding process, would subsequently leverage these interfaces to create necessary authentication and authorization artifacts.

Authorization & Access

Enterprise-grade automation solutions should offer a variety of access control for managed objects. In addition to the core capabilities already discussed, IT operations should expect the solution’s support for securing various layers and objects within it. This involves:

  • Function level authorization: The ability to grant/revoke permission for certain functions of the solution.
  • Object level authorization: The ability to create access control lists (ACLs) at the single object level if necessary.
  • ACL aggregation: The ability to group object level ACLs together through intelligent filter criteria in order to reduce effort for security maintenance.
  • User grouping: The ability to aggregate users into groups for easy management.

In addition, a secure solution should protect user and group management from unauthorized manipulation through use of permission sets within the authorization system.


Automation solutions that do not include APIs are rarely enterprise ready. While compatible APIs (e.g. based on Java libraries) would inherently be able to leverage the previously discussed security features, Web Service APIs need to offer additional authentication technologies based on commonly accepted standards. Within REST, we mainly see three different authentication methods:

  1. Basic authentication is the lowest security option as it simply exchanges a base64 encoded username/password (base64 is an encoding, not encryption). This not only requires additional security measures for storing, transporting, and processing login information, but it also fails to support authenticating against the API itself, and it grants any authorized user external access by password alone.
  2. OAuth 1.0a provides the highest level of security since sensitive data is never transmitted. However, implementing the authentication validation can be complex, requiring significant effort to apply the prescribed signature (hash) algorithms in a strict sequence of steps.
  3. OAuth 2.0 is a simpler implementation, but is still considered a sufficiently secure industry standard for API authentication. It eliminates the use of signatures and relies on transport layer security (TLS) for encryption, which simplifies integration.

Basic authentication might be acceptable for an automation solution’s APIs being operated solely within the boundaries of the organization. This is becoming less common as more IT operations evolve into service oriented, orchestrated delivery of business processes operating in a hybrid environment. Operating in such a landscape requires using interfaces for external integration, in which case your automation solution must provide a minimum of OAuth 2.0 security.
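The two header schemes discussed above, as an added example (not any product's code): Basic credentials are only base64, so the server still receives the full password and must verify it against a salted hash, whereas an OAuth 2.0 style Bearer token is an opaque, expiring, scoped artifact checked by lookup. The user store, token format and scope names are constructed assumptions.

```python
# Authorization-header handling for an automation solution's REST API, as an
# added example (not any product's code). It shows why "Basic" is the weakest
# option: base64 is an encoding, not encryption, so the server still holds the
# full password and must verify it against a salted hash. A Bearer token
# (OAuth 2.0 style) is an opaque, expiring, scoped artifact checked by lookup.
# User store, tokens and scope names are constructed for the example.
import base64
import hashlib
import hmac
import os
import secrets
import time

USERS = {}    # user  -> (salt, pbkdf2 digest); never the password itself
TOKENS = {}   # token -> {"sub": user, "exp": unix time, "scope": set(...)}


def _hash_password(pw, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def add_user(user, pw):
    USERS[user] = _hash_password(pw)


def issue_token(user, scope, ttl=3600):
    """Hand out an opaque token bound to a subject, an expiry and scopes."""
    tok = secrets.token_urlsafe(32)
    TOKENS[tok] = {"sub": user, "exp": time.time() + ttl, "scope": set(scope)}
    return tok


def basic_header(user, pw):
    """Build the header a client sends; note that it is trivially reversible."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def decode_basic(header_value):
    """Recover user and password from a Basic header (anything that sees an
    unencrypted hop can do the same, which is why TLS is mandatory here)."""
    raw = base64.b64decode(header_value.split(" ", 1)[1]).decode()
    user, _, pw = raw.partition(":")
    return user, pw


def authenticate(authorization, required_scope, now=None):
    """Return the principal if the header proves identity AND carries the
    required scope, else None. Basic has no notion of scope: a valid password
    grants the whole account, which is why the text confines it to internal use."""
    now = time.time() if now is None else now
    scheme, _, value = authorization.partition(" ")
    if scheme == "Basic":
        user, pw = decode_basic(authorization)
        if user not in USERS:
            return None
        salt, digest = USERS[user]
        ok = hmac.compare_digest(_hash_password(pw, salt)[1], digest)
        return user if ok else None
    if scheme == "Bearer":
        t = TOKENS.get(value)
        if t and t["exp"] > now and required_scope in t["scope"]:
            return t["sub"]
        return None
    return None          # unknown or missing scheme


if __name__ == "__main__":
    add_user("svc-integration", "example-password")
    hdr = basic_header("svc-integration", "example-password")
    print(decode_basic(hdr))                      # the password, in the clear
    print(authenticate(hdr, "jobs:run"))          # svc-integration
    tok = issue_token("svc-integration", ["jobs:read"])
    print(authenticate("Bearer " + tok, "jobs:run"))   # None: scope not granted
```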

Object level security

The levels of authorization previously mentioned set the stage for defining a detailed authorization matrix within the automation solution’s object management layer. An object represents an execution endpoint within a highly critical target system of automated IT operations. Access to the object representing the endpoint grants the automation solution permission to directly impact the target system’s behavior. Therefore, an automation system must provide sufficiently detailed ACL configuration methods to control access to:

  • Endpoint adapters/agents
  • Execution artifacts such as processes and workflows
  • Other objects like statistics, reports, and catalogues
  • Logical tenants/clients

The list could be extended even further. However, the more detailed the authorization system, the greater the need for feasible aggregation and grouping mechanisms to keep complexity manageable. Given such mechanisms, the more options there are for controlling and managing authorization, the better the automation solution’s manageability.

Separation of concern

Finally, to allow for a role model implementation that supports a typical IT organizational structure, execution must be separated from design and implementation. Permission to use an object must not automatically imply permission to view or change its definition. A credential object, for example, can then be referenced by an automation specialist who constructs workflows with this and other objects, without the underlying credentials ever being revealed to that specialist.
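The authorization layers from “Authorization & Access” and “Object level security” together with the use/define separation described here, as an added example (not any product's model): function-level permissions, object-level ACLs aggregated through name filters, user groups, and a credential object that a designer may reference but not read. All user, group and object names are constructed assumptions.

```python
# Toy authorization model for an automation repository, as an added example
# (not any product's API): function-level permissions, object-level ACLs
# aggregated through filter patterns, user groups, and separation of 'use'
# from 'define' so that a credential object can be referenced by a workflow
# without its secret ever being readable by the designer. All names are
# constructed assumptions.
from fnmatch import fnmatch

FUNCTIONS = {"design", "execute", "user_admin"}     # function-level layer
RIGHTS = {"read", "define", "use", "execute"}        # object-level layer


class Authz:
    def __init__(self):
        self.groups = {}       # user  -> set(group)
        self.functions = {}    # group -> set(function)
        self.acls = {}         # group -> [(object name pattern, frozenset(rights))]
        self.objects = {}      # object name -> {"kind": ..., "data": {...}}

    # --- administration -----------------------------------------------------
    def add_user(self, user, *grps):
        self.groups.setdefault(user, set()).update(grps)

    def grant_function(self, group, *fns):
        if set(fns) - FUNCTIONS:
            raise ValueError("unknown function")
        self.functions.setdefault(group, set()).update(fns)

    def grant_acl(self, group, pattern, *rights):
        # ACL aggregation: one fnmatch filter covers every object it matches
        if set(rights) - RIGHTS:
            raise ValueError("unknown right")
        self.acls.setdefault(group, []).append((pattern, frozenset(rights)))

    # --- decision -----------------------------------------------------------
    def rights_on(self, user, name):
        """Effective rights = union over the user's groups of all matching entries."""
        effective = set()
        for g in self.groups.get(user, ()):
            for pattern, rights in self.acls.get(g, ()):
                if fnmatch(name, pattern):
                    effective |= rights
        return effective

    def may(self, user, fn, name, right):
        """Both layers must allow it: the function is granted to one of the
        user's groups AND the object's effective ACL carries the right."""
        has_fn = any(fn in self.functions.get(g, ()) for g in self.groups.get(user, ()))
        return has_fn and right in self.rights_on(user, name)

    def check(self, user, fn, name, right):
        if not self.may(user, fn, name, right):
            raise PermissionError(f"{user}: {fn}/{right} denied on {name}")

    # --- operations showing use vs. define ----------------------------------
    def read_secret(self, user, cred):
        self.check(user, "design", cred, "define")   # defining = seeing content
        return self.objects[cred]["data"]["secret"]

    def build_workflow(self, user, wf, cred):
        self.check(user, "design", wf, "define")
        self.check(user, "design", cred, "use")      # reference only, no read
        self.objects[wf] = {"kind": "workflow", "data": {"credential": cred}}
        return wf

    def run_workflow(self, user, wf):
        self.check(user, "execute", wf, "execute")
        cred = self.objects[wf]["data"]["credential"]
        # The engine resolves the secret at run time; the operator never sees it.
        secret = self.objects[cred]["data"]["secret"]
        return f"ran {wf} with {cred} ({len(secret)} secret bytes)"


def demo():
    """Constructed setup: a security admin, a workflow designer, an operator."""
    az = Authz()
    az.objects["CRED.PROD.DB"] = {"kind": "credential",
                                  "data": {"secret": "example-only-secret"}}
    az.add_user("alice", "sec_admins")
    az.add_user("bob", "designers")
    az.add_user("carol", "operators")
    az.grant_function("sec_admins", "design", "user_admin")
    az.grant_function("designers", "design")
    az.grant_function("operators", "execute")
    az.grant_acl("sec_admins", "CRED.PROD.*", "read", "define", "use")
    az.grant_acl("designers", "CRED.PROD.*", "use")          # use, never define
    az.grant_acl("designers", "WF.*", "read", "define")
    az.grant_acl("operators", "WF.*", "read", "execute")
    return az


if __name__ == "__main__":
    az = demo()
    az.build_workflow("bob", "WF.PAYROLL.RUN", "CRED.PROD.DB")
    print(az.run_workflow("carol", "WF.PAYROLL.RUN"))
    print("bob may read secret:", az.may("bob", "design", "CRED.PROD.DB", "define"))
```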

Communication Security

Securing the communication between systems, objects, and endpoints is the final security issue to be considered when assessing an automation solution. This includes:

  • Encryption
  • Remote endpoint authentication – the ability to configure how target endpoints authenticate when interacting with the core automation management engine

For communication between components, encryption must be able to leverage standard algorithms. The solution should also allow configuration of the desired encryption method. At minimum, it should support AES-256.

Endpoint authentication provides a view of security from the opposite side of automation. To this point, we’ve discussed how the solution should support security implementation. When a solution is rolled out, however, endpoints need to automatically and securely interact with the automation core. Ideally, the automation solution generates a certificate (key) for each endpoint and deploys it as a package to the endpoint installation, preferably over a separate, secure connection. This gives each endpoint a unique fingerprint and keeps untrusted endpoints out of the automation infrastructure.


Audit & Compliance for Automation Platforms

This post is part of the "Automation-Orchestration" architecture series. Posts of this series together comprise a whitepaper on Automation and Orchestration for Innovative IT-aaS Architectures.


Audit and Compliance has assumed greater importance in recent years. Following the Global Financial Crisis of 2007-08 – one of the most treacherous crises of our industrial age (Wikipedia cross-references various sources on the matter) – audit and standardization organizations as well as governmental institutions invested heavily in strengthening compliance laws, regulations, and enforcement.

This required enterprises in all industries to make significant investments to comply with these new regulations. Standards have evolved that define necessary policies and controls to be applied as well as requirements and procedures to audit, check, and enhance processes.

Typically, these policies encompass both business and IT related activities such as authentication, authorization, and access to systems. Emphasis is placed on tracking modifications to any IT systems or components through the use of timestamps and other verification methods, with particular focus on processes and communications that involve financial transactions.

Therefore, supporting the enforcement and reporting of these requirements, policies and regulations must be a core function of the automation solution. Following are the key factors to consider when it comes to automation and its impact on audit and compliance.


The most important feature of an automation solution to meet compliance standards is traceability. The solution must provide logging capabilities that track user activity within the system. It must track all modifications to the system’s repository and record the user’s name, the date and time of the change, and a copy of the data before and after the change was made. Such a feature ensures system integrity and compliance with regulatory statutes.


Statistical records are a feature that ensures recording of any step performed either by an actual user or one initiated by an external interface (API). Such records should be stored in a hierarchy within the system’s backend database allowing follow up checking as to who performed what action at what specific time. Additionally, the system should allow for comments on single or multiple statistical records, thereby supporting complete traceability of automation activities by documenting additional operator actions.

Version Management

Some automation solutions offer the option of integrated version management. Once enabled, the solution keeps track of all changes made to tasks and blueprint definitions as well as to objects like calendars, time zones etc. Every change creates a new version of the specific object, which is accessible at any time for follow-up investigation. Each version carries additional information like its version number, change date and user identification. In some cases, the system also allows an older version of the specific object to be restored.


All of the above handle, process and record design-time activity of an automation system, ensuring stored data and data changes are documented to comply with audit needs. During execution, an automation system should also be able to monitor the behavior of every instantiated blueprint. Monitoring records need to track the instance itself as well as every input/output and every change performed to or by this instance (e.g. putting a certain task on hold manually).

Full Audit Trails

All of the above features contribute to a complete audit trail that complies with the reporting requirements as defined by the various standards. Ultimately an automation system must be able to easily produce an audit trail of all system activity from the central database in order to document specific actions being investigated by the auditor. An additional level of security that also enables compliance with law and regulations is the system’s ability to restrict access to this data on a user/group basis.
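The traceability, version management and audit-trail requirements from the preceding sections, as an added example (not any product's code): every change is recorded with user, timestamp and a before/after copy, every object keeps restorable versions, and the trail can only be produced for an auditor group. Object and user names are constructed; linking the records by hash is an addition made here to make tampering detectable, not something the text prescribes.

```python
# Traceability for an automation repository, as an added example with
# constructed object names (not any product's code): every change is recorded
# with user, timestamp and a copy of the object before and after, every object
# keeps numbered versions that can be restored, and reading the audit trail is
# restricted on a user/group basis. Chaining the records by hash is an addition
# made here so that a tampered record is detectable; the text does not
# prescribe it.
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def _digest(record):
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Repository:
    def __init__(self, auditor_groups=("auditors",)):
        self.objects = {}     # name -> current definition
        self.versions = {}    # name -> [definition of v1, v2, ...]
        self.records = []     # audit trail, newest last
        self.groups = {}      # user -> set(group)
        self.auditor_groups = set(auditor_groups)

    def _apply(self, user, action, name, definition, comment, ts=None):
        before = copy.deepcopy(self.objects.get(name))
        after = copy.deepcopy(definition)
        self.objects[name] = after
        self.versions.setdefault(name, []).append(copy.deepcopy(after))
        rec = {
            "user": user,
            "time": (ts or datetime.now(timezone.utc)).isoformat(),
            "action": action,
            "object": name,
            "version": len(self.versions[name]),
            "before": before,                    # copy of data before the change
            "after": copy.deepcopy(after),       # copy of data after the change
            "comment": comment,                  # operator annotation, if any
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        rec["hash"] = _digest(rec)
        self.records.append(rec)
        return rec

    def save(self, user, name, definition, comment=None):
        return self._apply(user, "save", name, definition, comment)

    def restore(self, user, name, version, comment=None):
        """Restoring an older version creates a new version; history is never rewritten."""
        target = self.versions[name][version - 1]
        return self._apply(user, "restore", name, target, comment or f"restore v{version}")

    def version_count(self, name):
        return len(self.versions.get(name, []))

    def may_read_trail(self, user):
        return bool(self.groups.get(user, set()) & self.auditor_groups)

    def audit_trail(self, requestor, name=None):
        """Produce the trail for an auditor; denied for everyone else."""
        if not self.may_read_trail(requestor):
            raise PermissionError(f"{requestor} is not allowed to read the audit trail")
        return [r for r in self.records if name is None or r["object"] == name]

    def verify_chain(self):
        """True unless some record was altered or removed after the fact."""
        prev = GENESIS
        for r in self.records:
            if r["prev"] != prev or _digest(r) != r["hash"]:
                return False
            prev = r["hash"]
        return True


if __name__ == "__main__":
    repo = Repository()
    repo.groups["audrey"] = {"auditors"}
    repo.save("bob", "WF.PAYROLL", {"schedule": "daily", "task": "run_payroll"})
    repo.save("bob", "WF.PAYROLL", {"schedule": "hourly", "task": "run_payroll"},
              comment="constructed change for the example")
    repo.restore("alice", "WF.PAYROLL", 1)
    for r in repo.audit_trail("audrey", "WF.PAYROLL"):
        print(r["version"], r["user"], r["action"], r["before"], "->", r["after"])
    print("chain intact:", repo.verify_chain())
```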

Compliance Through Standardization

Finally, to ease compliance adherence, the automation solution must follow common industry standards. While proprietary approaches within a system’s architecture are acceptable and necessary in places (e.g. the scripting language – see chapter “Dynamic Processing Control”), the automation solution itself must strictly follow encryption methods, communication protocols, and authentication technologies that are widely considered common industry best practice. Any other approach in these areas would significantly complicate the efforts of IT Operations to prove compliance with audit and regulatory standards. In certain cases, it could even shorten the audit cycle to less than a year, depending on the financial and IT control standard being followed.


What is Social Media still worth for?

I’m pretty pissed by the recent rumours (let’s call them that) about the social media platform “twitter” introducing an algorithmic timeline (wanna know more about the matter? Either follow the #RIPtwitter hashtag or read this (very great and insightful) article by @setlinger to learn about the possible impact).

So why am I annoyed? Here’s a little personal history to share:

When I joined twitter and facebook in 2009, things in both networks were pretty straightforward: your feed filled with updates from your followers, you could watch things you liked more closely and just run over other boring stuff quickly. Step by step, facebook started to tailor my feed. It sort of commenced when I noticed that they were constantly changing my feed setting to (I don’t remember the exact wording) “trending stuff first” and I had to manually set it back to “chronological” over and over again. At some point that setting possibility vanished totally and my feed remained tailored to – well – what, actually?

Did I back out then? No! Because by that time, I had discovered the advertisement possibilities of facebook. Today, I run about 6 different pages (sometimes, I add some, such as the recent “I AM ELEVEN – Austrian Premiere” page, to promote some causes I am committed to; these go offline again some time later). I am co-administrator of a page that has more than 37.000 followers (CISV International) and it is totally interesting to observe the effects you achieve with one or the other post, comment, engagement, … whatever. Beautiful things happening from time to time. Personally, in my own feed, I mainly share things randomly (you won’t know me, if you just knew my feed); sometimes it just feels like fun to share an update. Honestly, I’ve fully given up thinking that any real engagement is possible through these kinds of online encounters – it’s just fun.

Twitter is a bit different: I like getting in touch with people whom I do not really know. Funny, interesting, insightful exchanges of information happen within 140 characters. And it gives me food for thought job-wise equally as cause-wise (#CISV, #PeaceOneDay, … and more). I came upon the recently introduced “While you were away” section on my mobile, shook my head about it and constantly skipped it, not really bothering about where to switch it off (subsequent answer to the subsequent twitter question: “Did you like this?” – always: “NO”).

And then there was the “algorithmic timeline” announcement!

So, why is this utter bullshit?

I’ll give you three simple answers from my facebook experience:

  • Some weeks back – in November, right after the Paris attacks – I was responsible for posting an update to our CISV-International facebook followers. Tough thing, to find the right words. Obviously I got it not too wrong, as the reported “reach” was around 150k users in the end. Think about that: a page with some 37k followers reaches some 150k with one post. I was happy about the fact that it was that much, but thinkin’ twice about it: How can I really know about the real impact of that? In truth, that counter tells me simply nothing.
facebook post on "CISV International" reaching nearly 150k users


  • Some days ago, I spent a few bucks to push a post from the “I AM ELEVEN – Austria” page. In the end it reported a reach of 1.8k! “Likes” – however – came mostly from users who – according to facebook – don’t even live in Vienna, though I tailored the ad to “Vienna+20km”. One may argue that even the best algorithm cannot control friends-of-friends engagement – and I do value that argument; but what’s the boosting worth then, if I do not get one single person more into the cinema to see the film?
facebook I AM ELEVEN boosted post


  • I am recently flooded with constant appearances of “Secret Escape” ads. I’ve never clicked it (and won’t add a link here – I don’t wanna add to their view count); I’m not interested in it; facebook still keeps showing me which of my friends like it and adds the ad to my feed more than once every day. Annoying. And to stop it I’d have to interact with the ad – which I do not want to. However, I don’t have a simple choice of opting out of it …

Thinking of all that – and more – what would I personally gain from an algorithmic timeline on twitter, if facebook hasn’t really helped me in my endeavours recently? Nothing! I think. I just don’t have the amount of money to feed the tentacles of those guys having such ideas, so that their ideas would by any means become worthy for my business or causes. Period.

But as those tentacles rarely listen to users like me but rather to potent advertisers (like “Secret Escape” e.g.), the only alternative will probably again be, to opt out:

Twitter: NO to "best tweets"



Having recently read “The Circle” that’s a more and more useful alternative, anyway …



Read “The Circle” and opt out!

Is it – as a committed social media aficionado – applicable to call for an opt out of it all? It is, once you’ve read “The Circle”, the 2013 fictional novel by author Dave Eggers.

Eggers portrays a powerful internet company making money through advertising (links to Google or Facebook are purely accidental, of course). Mae Holland is a tech worker and in her second job after having graduated she’s given an opportunity at The Circle – an opportunity which most tech workers these days desperately seek. Mae got support from her college roommate Annie, who had already made it to the group of the 40 most senior managers in the company, directly reporting to the founders – the “Three Wise Men”: Tom Stenton, Eamon Bailey and Ty Gospodinov. While the first two actively involve themselves in the company’s endeavours, Ty works on new developments mostly secluded in the background.

Mae starts in Customer Experience and works herself up the chain by overcommitting to objectives and seemingly easily (but in truth with great personal effort and sacrifice) following the increasingly demanding involvement not only in her work duties but also all virtual and physical social interaction with fellow colleagues. She not-falls-in-love with one nerdy Circler she has sex with, whom she somehow admires for his technological development of a system protecting children from violence; she commences to desperately long for encounters with another Circler, who becomes increasingly mysterious as the company develops itself more and more towards total transparency.

Eggers, the author, does not keep the reader long from his message: One of the first major announcements of one of the Wise, Eamon Bailey, is a development called “SeeChange” – an extremely low-cost, top-quality A/V camera, capable of running on battery for about 2 years and streaming its crystal clear 4k images via satellite onto the SeeChange platform. Anyone can install cameras anywhere, they are barely noticed and everybody can logon to SeeChange with their unique – very personal and real – identity, their “TruYou”.

Rings a bell? Well, this is only the starting point into a rollercoaster of more awesomely cool technology tools, all aggregated through “TruYou” and made available to everyone anytime.

Dave Eggers is brilliantly creating a staggering balance between technological blessings and their benefit for employees, communities and the people as a whole on the one hand and the increasing sacrifice individuals could be demanded to make on the other hand in order to leverage that technological advance. This is – in short – the utter embarrassing red line throughout the whole book from the very first page until the closing line.

Of course, “The Circle” addresses the time we spend in social media, the way we communicate with each other (personally and virtually), the blessings and the threats that a modern, technology-based life bears. While reading, I was constantly torn between appreciating the sketched development (note: this isn’t science fiction, this is just the next step in a logical advance that we’re facing) and detesting the commitment it would demand from the ones making real use of it. Being about two thirds into it and swallowing the book’s lines in nightly sessions, my only remaining question was this: Will Eggers eventually manage to destroy my thorough belief in the two main imperatives of a modern, social-media-involved life and communication:

  • Utter transparency: I want to always know – or: be able to know – who does what with my data
  • And utter free will: I want to always be allowed to opt out, if I want to

I will not disclose the answer – I’d be “spoiling”. BUT – if you haven’t done so far, I recommend: Read “The Circle”. And then consider carefully, where and what to opt in or opt out of. It remains important.


P.S.: There’ll be a movie comin’ this year, starring Tom Hanks as Eamon Bailey. Don’t read the articles on it, as they all contain spoilers on one important turn of the story!



Android is a scary platform

Significant Other is asking me in 12-hour intervals: “Which state are we in: like, dislike, hate?” Kids are showing me handling best practice and useful apps. Every now and again you’d hear me cursing or smiling in joy – I’ve switched from a Windows Phone to Android!

Why? Well … 2 reasons, mainly: (1) my mobile provider doesn’t really support WP too well and (2) I wanted to know what Android is on to these days.

To begin with: I may have made a mistake by not choosing the Android-native Nexus; reason: I missed the SD card slot. Secondly, I stumbled across a review of OnePlus just a few days too late (that would’ve been interesting, too). So, eventually I ended up with a Samsung Galaxy S5 which after boot instantly updated to Lollipop (5.0) – without flaw.


The device is a 2.5GHz/2GB hardware with 16GB of internal memory (I added my 16GB SD card holding all Windows Phone data – no prob here, either). First impressions in short:

  • solidly built hardware
  • nice display
  • very (very!) good camera with a lot of parameter possibilities (and HDR, of course)
  • LTE (fast and stable enough)
  • download booster combining WiFi and 4G for increased bandwidth (even faster, notably)
  • and a ton of apps from the beginning

Major annoyance: Some really strange and not at all useful native Samsung apps (yes, I was warned that I won’t like that – took me a bit to wipe or disable them and replace them with their Android-native relatives, but in the end I was fine).


You know that typical Android look-and-feel, right?

Homescreen overview


Turns out that Samsung had of course added their own launcher (TouchWiz) deeply into the OS – it isn’t too bad a feature; however, I’d have loved more to get what the OS manufacturer had in mind. Now, there’s no way really to get rid of TouchWiz w/o rooting the device; but there’s even some more annoyances …

I don’t have a screenshot of my old WP available (there are lots of examples to be found anyway); however, the main flaw of Android’s way of presenting a home screen – with whatever launcher one eventually uses – is that it still remains “unstructured” in a way. Unless one develops a very own logic of grouping, ordering into folders and one’s personal homescreen sequence, it is nothing short of a search every time one wakes the phone. Also, the default setting is that every new app is automatically added to the homescreen – somewhere (obviously to the first free space). Where would one look for this setting? Application Manager? Display Settings? No. It’s inside the Play Store app … well …

With WP I really honestly liked the tiled main screen and the instantly logical way of displaying installed apps. And recently they even added some visual customization capabilities – just enough to add personality to the screen. The openness of Android clearly has its drawback: There’s just too many places to change settings, customize appearance or control behaviour … and that continues …

Social and Comms

Why a smartphone if not for social media. Kids are teaching us how to use technology and social media really smart (think we’ve discussed that many times before). One is well-off with Android in that respect.

Social media apps on Android


I only installed the obvious (as you can see above). There are far more social media supporters to be found in the Play Store – I didn’t have much time to test them yet. The ones I did try are doing their duty in a stable manner and I hardly miss any feature (just maybe that switching twitter accounts is much more convenient by just doing a swipe from the top in WP – in Android one has to go to the menu, select accounts and then choose the one to use).

One more on social (and communication): Every – emphasizing: every – social and comms app is by far faster in Android than their respective relative in WP (applies especially to WhatsApp and Messenger). And I’m still wondering why, indeed …

Mail & Calendar

To be bluntly open: So far, this is an utter nightmare on Android!

While with WP7 the calendar was – to be honest – pretty ridiculous, the WP8 calendar (solidly redesigned) really offered some useful and perfectly helpful features. The Samsung Android phone – to begin with – comes with their own S-Planner application. Totally counterintuitive look-and-feel. Far too much information on one screen. … I instantly switched to another cal app I found pre-installed (probably the native Android calendar), just to discover that it is not much of a bummer, either. And — I was unable to discover any possibility to show upcoming meetings on the lock screen (also in this respect WP Notification Center is well ahead).

It gets worse with eMail (yes, I am still using that – sometimes ;)): I cannot remember whether there was a Samsung-owned eMail app (if there was, I probably got rid of it immediately). One of the very first eMail experiences one gets with a Google device is Google’s own GMail app. I was prepared for that. I never really liked Google’s way of categorization instead of a real folder structure. Anyway … the thing I really needed was a way to present my Exchange mailboxes – either in one place or as separate mail accounts within the system. I went with the built-in eMail app,

  • added all accounts,
  • discovered that I cannot change the order
  • discovered that I cannot change the mail account colour either
  • and finally realized that the app – depending on its daily mood – crashes within one particular mailbox (but not always the same one) or the “combined view” (which as such is pretty useful, but not when crashing).

So, this was no way to go. After finding out from fellow victims who had already taken the time to complain online that there isn’t really a way to solve that other than changing the mail client, I am now in the process of evaluating myriads of different clients (the advantage of Android’s developer openness pays off) and may share experiences in another post – let’s see. So far, I go with a thing called MailWise for Exchange/Office365 accounts and GMX Mail for POP accounts.

Android eMail apps as shown in the home screen folder


One more word regarding customization: With eMail and calendar – as a matter of fact – every single app adds its own notification scheme. Every one. And in eMail – for some weird reason – one even has to configure notifications for every single account. I could possibly alter the notification tone for every mail account I am managing within the respective mail app. And this applies to A-N-Y mail app tested so far. One would end up with myriads of different rings, pops, knocks and melodies — I wonder which brain is able to remember all those different assignments …


One major drawback of WP is its utterly limited app ecosystem. It gets better over time – step by step, but there are still a lot of things one cannot do with WP that any other platform offers. I would love to urge Microsoft to invest heavily into overcoming that disadvantage of their OS; my take is that they’d actually have to offer coding the WP app for free to any important vendor or service in order to increase acceptance of their phones.

The only problem with the Android app ecosystem really is that there are so many apps to choose from – for every single area. So far, there’s only one useful app from my former WP times which I dearly miss on Android: CarRadar – an app that combines multiple “Cloud Car” (car sharing) offerings within one UI (including reservation). Other than that, there’s simply no shortage of features anymore. Meanwhile, I have 5 screens full of icons – which doesn’t necessarily mean that I search less and find more quickly; it only means: it’s there. And sometimes I feel like: Less is more (though, not as few as on WP).

Data and how to control it

So, after having customized the basics to my needs (pretty awkward to spend 2+ weeks of usage and still not feel fully in control of the features), my utmost concern – as always – is: What happens to my data? Now, one knows, of course, that Microsoft spends much more thought on transparency than Google ever will. There is, however, a great big disclaimer whenever one commences using another Google service; it’s essentially an extract of the full privacy policy:

  • we collect usage data, location data, logging data, …
  • we use it for presenting you with appropriate ads
  • we even combine data to improve your experience
  • bla bla bla

Nothing new under the sun. If one opts into using a Google device, one has to be prepared for that.

However, what one may not be prepared for is the utter nightmare that comes when one wants to get back in control of all that. With so many different apps, so many different places for settings, so many different parameters, a totally non-unified user experience (as the price for developer openness), … it gets really hard to find all the possible settings in all those many apps that control how they deal with data.

Here are just some examples of what I discovered – intentionally or by accident – during the first 2 weeks of using the new phone:

  • Every new folder created and potentially filled with pictures gets grabbed by the Android photo backup feature, which asks whether to back up the data within that folder to your Google account – there is no way of getting to the backup parameters other than when this pops up (as far as I could find out by now)
  • When an eMail is deleted from one of the accounts, MailWise still shows the deleted eMail as part of a conversation; the eMail object is nowhere to be found as such – it just shows in MailWise, hence must be somewhere (btw: I didn’t find a way of deleting one piece of a multi-mail conversation thread in MailWise – anyone able to help here? – please comment)
  • Everyone – by now – should know about Google’s aim to track your ways; if not -> read this!

However, by far the weirdest moment was when suddenly, out of nowhere, the (pretty newly developed) Google Photo Assistant popped up on my phone, telling me that it had discovered some images which seemingly combine well into a new banner photo (and it showed it to me):

Technology-Panorama from Ars Electronica Center Linz, auto-developed from 4 separate pics by Google Photo Assistant (no post work)

I never told Google Photo to do anything of the kind; I even – thought to have – disabled all autonomy of Google Photo (knowing that its algorithms are still weak); nevertheless, it did its (Google-defined) duty and started suggesting things … simply utterly “scary” in a way …


“Which state are we in: Like, dislike, hate?” – Not “hate”, I’d say; not “like” either, though. I consider myself an advocate of transparency. I solidly believe that the way into the digital age is paved by a seriously vast data highway. We should know what flows there. We should be aware of our part in it. Microsoft is – to my belief – doing well with their OS in supporting the user to maintain control of what the device is doing; Android is missing out here. Totally. As the price of flexibility and feature richness.

In a research document from earlier this year, IDC shows phone OS market share as follows:

IDC: Smartphone OS Market Share 2015, 2014, 2013, and 2012 Chart

Source: IDC Smartphone OS Market Share – Worldwide Quarterly Mobile Phone Tracker


If this is really true, WP is severely undervalued in my opinion. WP – to me – is by far the most logical, most transparent and most user friendly phone OS (I should maybe mention that for a customer project I am also testing an iPhone 5S at the moment; I just didn’t want to mingle experiences into this post).

Android is more flexible and simply offers a whole world of options – drawback being that you need far more time to dig into them all.

According to the report above, we are seeing a total of 260 million Android devices in use worldwide. I would dearly love to see all those users spend enough time to understand their device and especially understand its usage of data provided by them – and how to control it.



Published by:

Patriot Act: Illegal?

Woke up this morning to find this in my newsfeed: A New York Times article about the NSA collection of bulk call data being illegal!

“Significant”, to quote Ed Snowden.

In essence, the ruling comes to the conclusion that

a provision of the U.S.A. Patriot Act, known as Section 215, cannot be legitimately interpreted to allow the bulk collection of domestic calling records.

This is the first time ever that a higher court has reviewed this program and defined at least a section of it as being illegal. I cannot emphasize enough how important it is for anyone having the slightest interest in privacy and security to read this article, the details around the ruling and the consequences to expect from it.

Speaking of the consequences, however, I am asking myself: When in the past has any national security and/or investigative agency ever acted within the boundaries of legitimacy? In the best case they extend them … I dearly hope that one consequence of this is that surveillance practice continues on a legal basis where applicable, with tremendously increased transparency about it!



Innovative Strength Is Not the Problem!

And so this is my first Austrian (vulgo: German-language) blog post. Not that easy, I am realizing right now, when one is used to writing in English … And why all this? Because this method – “Arse First”, Greg Ferro’s approach to blogging – simply still works.

That leaves the simple question:

What was it this time

… that prompted me to write something?

Last week I visited the Pioneers Festival in the Vienna Hofburg: a manifestation of the innovative strength in IT, a pointer in the direction that IT – not only in this country, the region or Europe as such – but simply everywhere is heading. A grandiose event that motivates even someone like me, who is not necessarily a born founder (by basic disposition, that is). Simply through the “spirit” that blew through the venerable halls of the Hofburg for two days …

And then, on the evening of the second day, it so happened that I once again found time to attend one of the regular – quite good – events of the APA EBC (eBusiness Community). A keynote with panel discussion on the topic “Das neue Maschinenzeitalter: Wie die Automatisierung die Arbeitswelt verändert” (The new machine age: how automation is changing the world of work). Peter Brandl (evolaris) gave the talk, which essentially dealt with Industry 4.0 and IoT (the man had studied Gartner thoroughly and summarized the most important developments quite well and wittily). Representatives of IBM, Kapsch and TU Wien then discussed with him the burning questions around the event’s topic, the hottest of which apparently seemed to be the one about the possible loss of jobs through the imminent IT-technical developments (summary, anyone?)

While Andreas Kugi (TU) pointed out several times that the innovative and revolutionary developments of the coming years above all require a reformed kind of education, the other participants had obvious difficulty moving away from platitudes. Why? Because one topic fell completely by the wayside in the entire discussion – including in the contributions from the audience (of which, for reasons of time, only 3 could be admitted at all): the influence of the legislature on the further development of IT in our country and the other European countries!

Ultimately, the situation in our latitudes is relatively simple: there are

3 simple reasons

for the failure of the digital age (in modern parlance: “Digital Business”) in our lands:

  1. While elsewhere it has long been beyond discussion that the connection and seamless technologized communication of people, enterprises and things will enter our daily (no: not only our working) lives, the discussion quoted above was, for long stretches, still shaped by the question of to what extent these disruptive changes will affect us. They will affect us fully and completely – that is relatively easy to predict.
  2. At the – also already mentioned above – Pioneers Festival, the American venture capitalist Erik Bovee ( – Vienna, Silicon Valley) said literally: “Venture capitalists hate Austrian law and German meeting minutes.” What was meant as a witty remark in a one-hour presentation of startup tips shows one thing very clearly: startups and young entrepreneurs who know how to realize their ideas above all with the new possibilities of the IT changes of our age settle in countries that lend them a supporting hand, rather than in those that know how to stop the development and the soaring of a brilliant idea through their legislation or regulatory power.
  3. Another question given far too much weight in the aforementioned APA panel discussion was that of privacy. Verbatim: “Of course it is necessary, as all these Industry 4.0 and IoT technologies take hold, to become clear about the handling of sensitive data and to take suitable measures for it.” (a level which, by the way, was already climbed again and again 6 years ago in the cloud discussion that was then beginning here – probably in order to dodge the concrete cloud computing facts – see also this blog post on the topic). The question of the opportunities is thus obviously examined, if at all, only after careful consideration, answering and regulation of possible risks.

I believe we should be clear that the further development of everything that has entered our everyday lives on the basis of cloud computing – mobile availability, the use of social networks for all sorts of things, data analysis in real time including the corresponding conclusions, the linking of information about us, our behaviour, the things we interact with, … – cannot be stopped. We should also be clear that this further development brings with it a vast number of opportunities to enrich our lives in every respect – given correspondingly wise, conscious handling of it. And we should be clear that out there somewhere an almost incredible number of intelligent, creative people are walking around (over 3,000 at the Pioneers Festival alone) who, with new ideas every day, pick up this further development, integrate it into solutions and drive it forward.

And if we hide behind regulations and laws that are anchored for our alleged protection – well: then these people will simply go elsewhere to realize their ideas. Indeed: the “Internet of Things”, intelligent machines and Industry 4.0 will merely change jobs, not destroy them – on this point I absolutely agree with the participants of the APA EBC event. Jobs in our country are destroyed by not giving enough place, room and legal latitude to the possibilities opened up by the further development of technologies and innovative approaches.

In Austria, innovative strength has never been the actual problem! The problem has mostly been that it could only really be put to beneficial use in other countries. It would be time to change that. Urgently!


Update: Link to Peter Brandl’s keynote


What about Transparency?

If you have to go looking for transparency, your provider has failed.

Around September 25, AWS notified their valued customers of ongoing reboots of their EC2 infrastructure during the course of the upcoming weekend. The notifications always also stated: “You will not be able to stop/start or re-launch instances in order to avoid this maintenance update.” Hence, we – and many others, obviously – were forced to undergo this maintenance and prepare for any potential subsequent maintenance of their own following any possible failure during the reboot (which admittedly we were lucky not to have).

In an attempt to understand the root cause of this “scheduled” maintenance, we were able to discover some forum conversations such as this one:

On Wednesday, Oct 1st, customers received an eMail notification with the subject “Follow-up Note on Bash Security Issues from Last Week” which claimed that AWS “reviewed the security issues, known as CVE-2014-6271 and CVE-2014-7169, and determined that our APIs and backends were not affected“. More detailed explanations were linked from the eMail, referring to an AWS Security Bulletin.

When digging a little further into the issue, I was able to discover this article (also dating September 25th).

At this very moment it is still unclear what really caused the host reboots affecting many EC2 customers, and while AWS did a very good job in sending targeted information to those customers who were really affected by the reboot (rather than spamming everyone with the info), they failed completely in making it transparent to users why the reboots needed to happen.

Security – ladies and gentlemen at AWS – is about transparency. First and foremost.



From bottom to top much can be lost

I have not been here for a while. Not because I wouldn’t have had things to say – I actually had a lot to say, but it all went into our company’s architecture documentation. 100s of pages of high level designs, dependencies, relations, segregations, inputs, outputs, … and all of that boring stuff. In the course of this work, one of the most important conversations with stakeholders and builders alike was the one about the

Bottom-up versus top-down approach

Obviously – as with everything in life (well: nearly everything) – there are 2 approaches to creating blueprint documents/specifications and building the needed services accordingly: bottom-up and top-down. In our case, the question arose with regard to the framework of delivery support systems (operations support as well as business support systems) and the process of building/integrating them.

How to bottom-up or top-down?

The bottom-up approach focuses first on a few requirements to be defined in order to set expectations, then builds the stack according to the respective phase’s needs and derives the definitions accordingly. This approach is more “chaos” and ad-hoc driven and might serve a demo-led approach; at the same time it bears a few significant risks:

  • effort and cost consumption without properly defined product and architecture strategy
  • build and throw-away effects due to late findings
  • build and accept; i.e.: a prototype might be considered more mature than it actually is (under the hood) which would later result in very poor and endangering service quality
  • increased effort for keeping information synced across working teams
  • missing the point where neither the architecture nor its operations scale anymore and where a change of approach/setup is necessary (especially with regard to OPS)

While the bottom-up approach clearly has the advantage of more rapid delivery and market entry, it carries a serious risk of creating technical debt:

Technical Debt (as defined by Ward Cunningham):

“If we failed to make our program align with what we then understood to be the proper way to think about our fin objects, then we were going to continue to stumble on that disagreement which is like paying interest on a loan.” – Ward Cunningham (

Hence, as a pre-requisite for this approach to be working, one must seek upfront clarity about

  • which ecosystem/framework services to build
  • around which products
  • which relations to create – and (!) maintain

which within the top-down approach might evolve and take shape during the pyramid’s first layer. The top-down approach also has the advantage of an all-know-all effect which allows for maximum parallelism of work while at the same time ensuring compatibility of the built entities. Its risk – however – is first and foremost the late creation of content/deliverables, hence later demo, later feedback, later market entry, etc.


Additional complexity is added when building the above in phases; i.e. from limited functionality offered to a limited amount of users in a first phase (e.g. Alpha) to offering full functionality at the final V1.0 release.

NOTE: Assuming a fully balanced build process, I would highly recommend a kanban-style build approach beginning with version 0.1 of the product or framework; assuming that fully balanced process, continuous enhancements through continuous deployment at a high patch/upgrade rate per day/week/month would be possible. However, even with that balanced process, the following applies all the same.

Both approaches can be driven in a phased mode in more or less the same way; i.e. in neither of the 2 does the full set of specifications (or backlog entries, respectively) need to be created in order to start into the pyramid’s next layer. It is sufficient to create as much content as is needed for a particular phase.

In both cases – though – it is essential to have a basic set of guidelines (like e.g. segregation of duties, purpose of building blocks) created with crystal clarity, so that anybody within any working team is able to align his/her work with these guidelines, perceive, recognise and acknowledge deviations, and understand where alignment with other parties is crucial for ongoing success. It is the purpose of the first set of specifications to ensure these guidelines and this clarity.

“… the whole debt metaphor or lets say the ability to pay back debt and make the debt metaphor work for your advantage depends upon you writing code that is clean enough to be able to refactor as you come to understand your problem.” (

