Sea of Troubles

➞ What the Square and Starbucks Alliance Means for Payments

Brett King, founder of Movenbank, regarding the Square/Starbucks deal:

The real issue for Amex, Visa, Discover and Mastercard right now is that the ‘cardless’ movement is rapidly accelerating and customers are flocking to these new technologies. The issue is not the death of cash – but the death of plastic. In a much simpler, better informed payments interaction, plastic just looks dumb, insecure and outmoded.

King makes a great point. Much of the coverage of mobile wallet developments focuses on the idea of the “death of cash”, but there doesn’t seem to be much evidence that cash is being driven out.

What these mobile wallet technologies are very effectively doing is eliminating the user’s interaction with their credit card at the point of transaction, displacing both the swipe and the entering of digits, with an app. While most of those apps use credit cards as their transaction-processing back end, there’s no intrinsic requirement that they must always do so. Such an app could migrate to a stored-value model, or something else entirely.

Seen in this light, Apple’s EasyPay system has some of the same properties.

While it’s in the card schemes’ and acquirers’ interests now to support these initiatives – they do, after all, promise to drive payment volume – it may be a dangerous move strategically. If users can conduct the majority of their non-cash transactions without touching their card, they’re not likely to notice (or care) when the underlying payment mechanic changes. Given that the schemes derive their pricing power from universal reach and end-customer brand recognition, these apps represent a significant potential disruptor.

➞ Architectural Lessons in Identity From the Higgs Boson

Ganesh Prasad:

In the realm of identity management, I realised that any given entity has no inherent properties (attributes) at all! All attributes that an entity may be deemed to have are only by association (just as a particle acquires mass independently of its existence), and therefore the only necessary aspect of an entity is a unique and meaning-free identifier to set it apart from other similar entities. Attributes can then be assigned and de-assigned to it at will through the mechanism of the identifier, and gradually a more sophisticated model can be built up. In creating such sophisticated models, it’s important to remember that nothing is inherent to an entity, - not first name/last name, not primary email address, not social security number, - nothing! Just a unique identifier that is internal to the domain and kept invisible to the world outside the domain.
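The model Prasad describes, sketched as an added example (it is not code from the quoted article or from this blog): an entity is only a random internal identifier, and every attribute is an association that can be assigned and de-assigned. The `IdentityStore` class, its method names and the HMAC-derived per-relying-party handle used to keep the internal identifier out of sight are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class IdentityStore:
    """Entities are bare opaque identifiers; every attribute is an association."""

    def __init__(self):
        self._entities = set()                      # internal, meaning-free IDs
        self._attrs = {}                            # (entity_id, name) -> value
        self._domain_key = secrets.token_bytes(32)  # never leaves the domain

    def create_entity(self):
        entity_id = secrets.token_hex(16)           # random: encodes nothing about the entity
        self._entities.add(entity_id)
        return entity_id

    def assign(self, entity_id, name, value):
        if entity_id not in self._entities:
            raise KeyError("unknown entity")
        self._attrs[(entity_id, name)] = value

    def deassign(self, entity_id, name):
        self._attrs.pop((entity_id, name), None)

    def attributes(self, entity_id):
        return {n: v for (e, n), v in self._attrs.items() if e == entity_id}

    def find(self, name, value):
        """Look up by attribute; the attribute is a handle, not the identity."""
        return [e for (e, n), v in self._attrs.items() if n == name and v == value]

    def external_handle(self, entity_id, relying_party):
        """Pseudonym shown outside the domain (assumed design); differs per party."""
        if entity_id not in self._entities:
            raise KeyError("unknown entity")
        msg = f"{relying_party}:{entity_id}".encode()
        return hmac.new(self._domain_key, msg, hashlib.sha256).hexdigest()[:32]


def demo():
    """Constructed sample data: every attribute changes, the entity does not."""
    store = IdentityStore()
    person = store.create_entity()
    store.assign(person, "email", "a.smith@example.com")
    store.assign(person, "last_name", "Smith")
    store.assign(person, "last_name", "Jones")      # renamed
    store.deassign(person, "email")                 # old address retired
    store.assign(person, "email", "a.jones@example.com")
    return store, person
```

Because nothing outside the store ever holds the internal identifier, a change of name or e-mail address never forces a re-keying, and two relying parties cannot join their records on a shared handle.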

My CI Dashboard

A couple of people have asked recently how I keep up to date with what’s going on in security, and in technology more generally. So, here’s what I do.

Curate.Me — formerly XYDOBrief — is a good daily digest of the most interesting stories in your network. My account there sends me an email every morning at 7am, for the following topics:

  • Your Twitter Feed
  • Information Security
  • Hacker News
  • Technology
  • Apple
  • Business
  • Financial Services
  • Finance

Curate.Me has traditionally been pretty fantastic. Recently, though, the “Information Security” topic has become polluted with links to vulnerability advisories, which have floated above more interesting conversations in that domain.

Prismatic is a more recent service, and seems like it might become a successor to Curate.Me. It uses a similar “subscribe to topics” structure (and will use your social networks as inputs), but presents topics in an infinitely-scrolling list in a browser window. The underlying clustering engine does a really good job of grouping news articles, and only presenting the most interesting article for a given story.

I’ve also recently subscribed to the News.Me Daily Briefing service, which has a similar format to Curate.Me. It doesn’t attempt domain filtering or clustering, but just tries to pick out the five most interesting stories that your contacts have posted in the last day.

I use Reeder on iPhone and iPad to read my Google Reader subscriptions. Those subscriptions tend to be opinionated people I find interesting, rather than for strict news. At the moment, these include:

For more general news, I subscribe to both the Financial Times and The Economist. The FT sends daily emails with the useful headlines in each section; I usually read the Technology and Business ones, and click through to anything interesting I haven’t already read about.

Rather than read the Economist, I listen to their very excellent podcast; each week, it contains every word of the magazine, read by professional voice actors. You can download it through their apps, but I prefer to podcast it into iTunes and sync into my iPhone using Wi-Fi sync.

➞ Knight Algo Nightmare Dents Market as Trader Sounds Alarm


Knight said today that losses from the trading breakdown are $440 million, almost quadruple its 2011 net income and more than some analysts had estimated, and the firm is exploring strategic and financial alternatives.

Welcome to the brave new world of automation risk, where a trading firm can lose four years of profit in less than an hour. It’s happened a couple of times (remember the “flash crash”) in financial markets, but this is one of the first traced to a specific entity and which threatens that entity as a going concern.

Independently, this is another good wake-up call to consider what other automation we have in place. As Chris Hoff argued after the flash crash:

[As] automation matures and feedback loops become more closed with higher and higher clock rates yielding less time between execution, our ability to both detect and recover — let alone prevent — within a cascading failure domain is diminished.

How much of your organisation’s critical compute, network, or storage is manageable by a given automated process?

➞ Nexus 7 Tablet: One Week In

James Kendrick at ZDNet:

I have used over a dozen different Android tablets and frequent crashes/reboots have affected every single one of them. I don’t know if that was the result of the earlier versions of Android or the apps I use, but it marred my enjoyment of Android tablets.

That’s no longer the case with the Nexus. No app has crashed and the tablet hasn’t spontaneously rebooted while using it. It is as stable as the iPad in operation for me, and that’s a big thing.

Wow. I had no idea that stability was so poor on Android tablets.

I’ve not used a production platform in the last five years that was that unstable, including a Windows XP SOE. It seems extraordinary that products that unstable were made available for purchase.

You’ll Never Feel Like an Expert

I was fortunate enough to work, briefly, with the Trust Centre. While it was ultimately unsuccessful, during that time I worked alongside some of the most brilliant professionals I have known. Incubated within Westpac, a major Australian bank, Trust Centre had the resources to hire the very best people they could find – incredible technical, operating, marketing and financial experts.

One morning, one of these people walked into the office, and declared “I had that nightmare again, that today would be the day that everyone discovers that I’m making everything up as I go along.” The floor murmured its collective assent. How could it be that these people, at the very apex of their game, lacked confidence in their own abilities?

It turns out that experts don’t generally think of themselves as being so. The more you explore a subject, the more aware you become of its true complexity. That awareness deprives experts of a sense of completion; the more you know, the more you’re aware of what you don’t.

A couple of years later, Steve Schwartz wrote an excellent article describing a related lemma: “No one knows what they’re doing” (mild language warning). The essence of his thesis is that your most important task is not to acquire new knowledge, but to continually reduce what you don’t know that you don’t know. He concludes:

In fact, if you never feel clueless, and you always know better than everyone else, please let me know, so that I can be aware of how dangerous you are.

This interlocks nicely with the Dunning-Kruger effect, in which someone with low skill in a domain overestimates their skill, and the highly skilled underestimate it.

Put together, these three put my mind at ease in my own work. Even though I’m increasingly aware of the things I don’t understand, that’s a positive signal. I’m probably never going to feel like an expert, but that doesn’t mean I’m not.

➞ Amazon ‘Robo-pricing’ Sparks Fears

The Financial Times:

Last year, out-of-control algorithms inflated the price of The Making of a Fly, a genetics book, to more than $23m, according to Michael Eisen, a biologist who blogged about it.


➞ Solving the Problem Isn’t the Problem

Seth Godin:

Solving the problem isn’t the problem

The problem is finding a vector that pays for itself as you scale.

We see a problem and we think we’ve “solved” it, but if there isn’t a scalable go-to-market business approach behind the solution, it’s not going to work.

Godin’s perspective, as usual, is spot on. Read the entire article; he gives a couple of great examples.

Information security seems particularly prone to this flavour of fallacy.

There is a stubbornly persistent assumption that new technology will be easy to implement; just buy it and plug it in, right? In reality, buying the product is barely the first percent of doing something useful: you’ve got to get it into the environment (across development, test, production and disaster recovery instances), configure it, monitor it and manage its upgrade path. Once in, you then have to actually do something useful with it and successfully integrate it into your other controls. (Perhaps this systematic underestimation is part of the reason for security’s notoriously unconvincing business cases and difficult-to-quantify ROI.)

Meanwhile, whenever someone suffers a breach, the security community enjoys a round of self-righteous tut-tutting. “How could they miss something so obvious,” we ask, “as an unpatched vulnerability?” What an astonishingly unhelpful waste of energy. In the billions or trillions of lines of code that make up any modern organisation, it’s inevitable that something will be missed. Remember: corporations are required by law to maximise profit; any security beyond cost-benefit is antithetical to our goal, and an organisation’s risk appetite will never be zero.

➞ A Quarterly Loss for Microsoft?


[O]n Monday, [Microsoft] announced a $6.2 billion writedown of a 2007 Internet-advertising acquisition […]. The writeoff is expected to hand the company its first quarterly loss - on paper - since going public in 1986.


A reminder that even the mightiest giants are vincible, and that Apple and Google will probably, eventually, be disrupted too.

(via MG Siegler)

Creating Foursquare NFC/QR Code Tags

I really quite like Foursquare. I’m the mayor at a couple of places, and I enjoy discovering new places using their recommendations engine, particularly when travelling.

I find though, that I often go entire days between checking in. Mostly, I forget to take my phone out and check in; occasionally, I remember only on my way out the door and don’t have time before I leave the geofence.

So, how to prompt my memory and speed up the check-in process?

Now that my Galaxy Nexus is running 4.0.4, it can (finally!) write NFC tags. So, to work!

I had previously purchased TagAge’s Starter Kit of blank NFC tags. Meanwhile, Tagstand’s NFC Writer app allows trivial encoding of Foursquare venue URLs. So, using the 164 byte tags (the data doesn’t fit in 64 byte tags) I made one for my favourite coffee shop and another for the office. Happily, they work as advertised.

That said, I don’t always have my Android on me, often carrying just an iPhone. I’d love the same physical token to work for that device too.

Foursquare, fortunately, provides a custom URL scheme to jump right to the venue in the native app. You’ll need to get the venue’s ID, which you can get from searching for the venue on the website; the ID is the last part of the venue’s URL. For example, Pablo and Rusty’s venue ID is 4b0c58ebf964a520933b23e3.

The ZXing project provides a web application that generates QR codes. I created a QR code for each tag’s venue, using the URL type, with the content:


A handy Dymo LabelWriter 450 cheerfully printed the QR code onto a sticker small enough to attach to the tag.

And lo: a small sticker that provides both NFC and QR code quick access to the Foursquare native app’s page for a given venue.