Monday, September 19, 2016

Tradeshift : A Buyer To Seller ECommerce Document Sharing Platform

The cloud has enabled platforms on which software modules and networks of people can connect and transact.

A particular application of a cloud platform is letting sellers of parts and buyers of parts (B2B) transact much more easily (e-commerce). Reducing transaction cost has always been a harbinger of greater trade (much like reducing taxes or trade barriers).

While Alibaba (NYSE:BABA) receives much credit for revolutionizing the B2B e-commerce world, connecting Chinese manufacturers with buyers around the planet, other smaller companies are also playing in adjacent spaces. One such example is Tradeshift.

Tradeshift has a cloud platform that allows e-commerce documents to be shared easily between sellers and buyers. You might think "e-commerce document sharing" is boring, but anything that streamlines mundane transactions deserves a drink of coffee.

In the scenario below, you have a seller of tires, "Parts Producer", and a buyer of tires, "Factory". In step 1, Factory orders 100 tires. In step 2, Parts Producer recognizes that Factory is a known customer with good credit and ships 100 tires. In step 3, Parts Producer sends an invoice to Factory to pay for the 100 tires. In step 4, Factory checks to make sure that the tires did arrive and wires funds to Parts Producer.

Now, wouldn't it be nice if all of this were automated, so that no paper needs to be shuffled around, found, updated, and kept consistent between Parts Producer and Factory (if the order changes, for example)?

With Tradeshift, all this is automated!


Tradeshift has a platform (cloud software and database) and a network (buyers and sellers) so that the documents tracking order, shipment, invoice, and payment can be put in one place for all to see. Thanks, cloud!

Monday, September 12, 2016

IT Security - A Quick Introduction

Your Information And Laptop Are Under Constant Attack

Your information (username, password, social security number) is needed for you to do business on the web (shopping, paying bills, checking the status of work). But it is also a piece of information highly valued by internet bad people. So they will do anything they can to steal it. From the comfort of their living rooms.


The internet bad people want to steal (1) your information and (2) your resources, such as your laptop.


Steal Your Information:

There are multiple ways for internet bad people to steal your information. I have broken it down by how you might fall prey - by the first point of contact.

1. Email spear phishing via social engineering

The internet bad people will look up your public information (Facebook, Google+, LinkedIn, ...), find out who your friends and family might be, then write you a convincing email to get you to respond or click.


2. Visiting websites that are malicious

You might be led to a malicious website created by the internet bad people to look like a legitimate web site - so that you will enter your private information (username, password, SSN).

3. Malware

Malware is a bad program created by the internet bad people. It is somehow downloaded onto your laptop or mobile device (accidentally or through trickery). Once the bad program is installed, it can do many bad things. It can spy on your keystrokes to steal your username and password. It can turn on your laptop camera to peek at you. It can turn on the microphone to record you. It can even sabotage your laptop by draining your battery or overheating it, potentially starting a fire.

4. Fake App

Perhaps a close cousin of malware, a fake app is an app that you download that appears to be legitimate (a free game downloaded directly from a website instead of from the Apple iTunes Store or Google Play Store). During the fake app installation, it will ask you for permission to access the personal information stored on your device. Once you give it permission, the fake app can siphon off your personal information while you are using it (playing the game, etc.).


Hijack Your Laptop:


1. Ransomware


Ransomware is a program that you accidentally downloaded, or were tricked into downloading, onto your laptop or mobile device. Rather than stealing your information, the ransomware locks you out of your device. The only way to unlock your device is to pay the internet bad guys. Once payment is received, you will receive a passcode to unlock your device.

2. Virus, Bot

The internet bad people need resources (free laptops) to help them carry out their bad deeds. One way they obtain resources is to somehow trick laptop owners into downloading a virus (an email attachment that looks legitimate, a file downloaded from a website). Once the virus is installed on a laptop, it will (1) find ways to plant itself on other laptops and (2) wait for commands from the internet bad people. One of the common commands is to flood a website with endless web requests from millions of virus-infected laptops. The web server under attack won't be able to handle the requests and will be disabled. This is called a Denial of Service (DoS) attack.



What To Do?

What can you do to reduce the likelihood of being impacted by these attacks? One method is to use a firewall to watch for and block potential threats from the internet bad people.

Firewalls come in two flavors: software and hardware.




Software Firewall

Built into most operating systems is the ability to set up simple firewalls. Here is an example of the MacOS firewall:



The MacOS firewall gives you control at the program level (e.g., Microsoft Excel) and the service level (e.g., File Sharing).



Hardware Firewall

Hardware firewalls are usually physically included in a router. There are different approaches to how firewalls are implemented in hardware.

1. Stateless packet filtering (flow based)

As packets flow through the router, the firewall inspects each packet individually, without regard to the bigger picture of what is happening. So this is a good start, but not very effective.

2. Stateful packet filtering (flow based)

As packets flow through the router, the firewall determines the connection state before inspecting the packets. The connection state is based on TCP state.


3. Application (proxy based)

This approach takes all the packets, builds up the final data view (document, picture, message, etc.) and examines the data from the application's point of view.
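As an added example (not from the original post) of why stateless filtering is "a good start, but not very effective", here is a small Go simulation of both kinds of filter over constructed packets: the IP addresses, ports and allow list are made up, and the stateful filter tracks only the SYN / SYN-ACK part of the TCP connection state.

```go
package main

import "fmt"

// Packet holds the header fields a router firewall inspects (constructed for
// this example; a real filter reads them from the IP and TCP headers).
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	SYN, ACK         bool
	Inbound          bool // true when the packet arrives from the internet side
}
// StatelessAllow judges every packet on its own: inbound traffic passes only
// if its destination port is on the allow list, whatever came before it.
func StatelessAllow(p Packet, openPorts map[int]bool) bool {
	return !p.Inbound || openPorts[p.DstPort]
}
// StatefulFirewall also remembers connections, keyed by the 4-tuple
// (inside IP:port, outside IP:port), with a minimal TCP state per flow.
type StatefulFirewall struct {
	openPorts map[int]bool
	flows     map[string]string // "syn-sent" or "established"
}
func NewStatefulFirewall(openPorts map[int]bool) *StatefulFirewall {
	return &StatefulFirewall{openPorts: openPorts, flows: map[string]string{}}
}
func flowKey(inIP string, inPort int, outIP string, outPort int) string {
	return fmt.Sprintf("%s:%d<->%s:%d", inIP, inPort, outIP, outPort)
}
// Allow decides per packet, consulting and updating the connection table.
func (f *StatefulFirewall) Allow(p Packet) bool {
	if !p.Inbound {
		if p.SYN && !p.ACK { // an outbound SYN opens a flow; its replies may return
			f.flows[flowKey(p.SrcIP, p.SrcPort, p.DstIP, p.DstPort)] = "syn-sent"
		}
		return true
	}
	key := flowKey(p.DstIP, p.DstPort, p.SrcIP, p.SrcPort)
	state := f.flows[key]
	if state == "syn-sent" && p.SYN && p.ACK { // matching SYN-ACK completes the handshake
		f.flows[key] = "established"
		return true
	}
	if state == "established" {
		return true
	}
	// Unknown flow: only a fresh SYN to an allowed service port may start one;
	// a stray ACK or SYN-ACK from outside is dropped even on a listed port.
	if state == "" && p.SYN && !p.ACK && f.openPorts[p.DstPort] {
		f.flows[key] = "established"
		return true
	}
	return false
}
```

A stateless filter must open every high port to let a client's replies back in, which also admits unsolicited packets; the stateful filter admits a reply only on a flow the inside host opened.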


Identity As A Service (IdAAS) & Single Sign On (SSO) Introduction

Why Do You (A Normal User) Need IdAAS & SSO

You have 100 logins (laptop, Gmail, Munchery, Atlassian/Jira/Confluence, Concur, Box, SFDC…).
You need to remember 100 usernames.
You need to remember 100 passwords.
This is a pain - remembering 100 usernames & passwords.
And it can lead to a security breach - if you start to get lazy and use only one username & password for all 100 accounts, a breach of one account is a breach of all 100. Worse yet, if you keep your usernames and passwords on the bottom of your laptop, anyone with access to your laptop can steal all of your identities!


Gave up on tracking multiple passwords? A sticky note comes in handy. :(




Wouldn't It Be Nice:
If you could use one central, neutral login to log in to all 100 web apps.
Now you can - using a service called Single Sign On (SSO). And the service is provided by Identity As A Service (IdAAS) vendors (such as Okta or Centrify).

How IdAAS and SSO Work:

There are three principals in an IdAAS system: 1. User (you!) 2. Identity Provider (your company, let's call it Acme) 3. Service Provider (web apps such as Salesforce, Box, Jira, ...)







The User signs into the IdAAS provider. The User gets the username and password from Acme. Most companies will also ask you to use multi-factor authentication (MFA), so that you will need to have your mobile phone with you to log into the IdAAS. When you log in, there is a quick check against the Identity Provider's LDAP directory to authenticate you. Once you are authenticated into the IdAAS, you see the list of web apps from the Service Providers that you are entitled to. The communication between the IdAAS and the Service Provider is performed via Security Assertion Markup Language (SAML).





It Not Only Helps You - IT Benefits, Too:

IT can also keep its data, network, and end-points (laptops, mobile devices) secure. How? By keeping tabs on who accesses their network, apps and data with
   1) identity - you are who you claim to be, via authentication
   2) access management tools - once we know who you are, what you are allowed to do.
These tools allow IT to verify a user's identity through security and authentication capabilities, including LDAP and multi-factor authentication (MFA). IT can also define data access rules (engineering should not be able to see finance data) and application access rules (finance should not need to access the Jira app).

Who Is In the IdAAS Market?

Okta, Centrify, and Microsoft are examples of vendors that provide IdAAS.

Friday, September 9, 2016

Explaining A Secure Web Browser Session Through the OSI Networking Layer

(This is from my MBA Networking class project paper focusing on use case approach of looking at IT networking. I bolded key terms that should make this easier to look up terms.)

Let's examine how the OSI 7 network layers work with a very popular internet application - the web browser! Pretend that you want to browse cnn.com in the Firefox browser. You are on a laptop that we can call a client. Starting from the top of the network stack, let's see how the layers work together to provide you with a web browser application.

At the (7) APPLICATION layer, you use an application such as the Mozilla Firefox web browser to visit the Uniform Resource Locator (URL) http://www.cnn.com, where a URL is a type of Uniform Resource Identifier (URI). The Firefox browser knows that you are using Hypertext Transfer Protocol (HTTP) because you prefaced the request with http, not another URI scheme such as FTP (ftp://ftp.synopsys.com) or FILE (file:///yourpc). Another application example is Spotify music streaming.

To ensure a secure web browsing connection, Hypertext Transfer Protocol Secure (HTTPS) is used instead of HTTP. HTTPS uses Transport Layer Security (TLS) or the older Secure Sockets Layer (SSL) to encrypt data between your browser and the web server. The data is encrypted using session keys (keys that expire after browsing is done). The encryption uses X.509 Public Key Infrastructure (PKI). Transport Layer Security (TLS) allows the client (your browser) and the server (the web server ... let's say BankOfBits) to talk to each other securely. Using X.509 Public Key Infrastructure, the client connects to the server first, and the server provides a certificate. The client checks that the server certificate is authentic by checking it against its own trusted roots (sources that can look at the server certificate and give the OK that it is BankOfBits). Once the client knows that the server is safe, the client creates a SESSION KEY, encrypts it using the server's public key, then sends the encrypted session key to the server. The server uses its private key to decrypt the encrypted session key. The client then starts sending data encrypted with the session key, which the server decrypts with the same session key.
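The certificate check and session-key exchange described above, as an added Go example that is not part of the original post: it generates a self-signed certificate for a made-up host name to stand in both for the server's certificate and for the client's trusted root, and the host name, validity period and 32-byte session key are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// NewServerCert builds a self-signed certificate for host (constructed for this
// example; in practice a public CA issues the server's certificate).
func NewServerCert(host string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it doubles as the trusted root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// ClientTrusts is the browser's check: the certificate must chain to a root in
// the client's trust store, be within its validity dates, and name the host asked for.
func ClientTrusts(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// KeyTransport is the exchange the post describes: the client picks a random
// session key and encrypts it to the server's public key with PKCS#1 v1.5, as
// TLS's RSA key exchange did; only the matching private key recovers it.
func KeyTransport(cert *x509.Certificate, serverKey *rsa.PrivateKey) ([]byte, []byte, error) {
	session := make([]byte, 32)
	if _, err := rand.Read(session); err != nil { return nil, nil, err }
	pub := cert.PublicKey.(*rsa.PublicKey)
	enc, err := rsa.EncryptPKCS1v15(rand.Reader, pub, session)
	if err != nil {
		return nil, nil, err
	}
	dec, err := rsa.DecryptPKCS1v15(nil, serverKey, enc) // what the server recovers
	return session, dec, err
}
```

Current TLS (1.3) no longer transports the session key under the server's RSA key: both sides derive it from an ephemeral Diffie-Hellman exchange, so a later theft of the server's private key cannot decrypt recorded sessions.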

The (5) SESSION and (6) PRESENTATION layers are not germane to this discussion. Some of their functionality might be shifted into the APPLICATION layer (such as TLS/SSL).

The (4) TRANSPORT layer uses Transmission Control Protocol (TCP), which is a connection-based protocol (as opposed to User Datagram Protocol (UDP), a connectionless protocol). TCP is responsible for taking the data from the application and keeps trying until the data is sent reliably (CRC, checksum) and in order (flow control), or reports that it could not be sent via the network layer. TCP keeps track of the packets sent, numbers them so that it can keep the packets in order on the receiving side, asks for a packet resend if packets are dropped, and checks that the packets are not corrupted (using checksums, hashing). UDP is simpler than TCP because it tracks neither the sequence of the packets nor their corruption. UDP is used for streaming music or video, where dropping some packets is OK. A TCP segment consists of a TCP header and a TCP payload. A TCP header contains information such as source port, destination port, and sequence number (to support the connection-based protocol). Many common services use fixed port numbers. For example, FTP uses port 20 or 21, Secure Shell (SSH) uses port 22, telnet uses port 23, and Simple Mail Transfer Protocol (SMTP) uses port 25. Newer services such as Spotify (streaming music) use port 4047, over either TCP (connection) or UDP (connectionless). Port numbers will be relevant in the firewall section.

In the (3) NETWORK layer, the sending host uses Internet Protocol (IP) to try to forward the data by finding the best route to the next most available server/hop. Internet Protocol Security (IPsec) is used to encrypt data at the IP/network layer. Once the next network node (forwarding address) is known, the data is broken down into little frames defined by the data link layer. The IP version dictates how many individual devices can be addressed. IPv4 uses 32-bit addresses, equating to about 4 billion addresses. That is not enough for the new age of IoT. So IPv6 was introduced, which has an address range of 128 bits. An IP packet is comprised of a packet header and packet data. The packet header contains information such as source IP address, destination IP address, time-to-live, etc.

The (2) DATA LINK layer serves two basic functions: Logical Link Control (LLC) and Media Access Control (MAC). In the LLC, data is encapsulated into Ethernet frames. Each Ethernet frame contains an SFD, source MAC address, destination MAC address, payload, FCS, etc. The MAC is responsible for ensuring that the frames are sent and are correct (checksum), and controls access to the media (CSMA/CD). The little frames of data are finally passed to the real world via the physical layer.

The (1) PHYSICAL layer can be wired (Ethernet, USB, optical, …) or wireless (Wi-Fi, GSM, Bluetooth, …). Most of us are probably reading this over a Wi-Fi wireless network that uses the IEEE 802.11g/n/ac protocol.

Saturday, September 3, 2016

SSD - Upgrade from AHCI to NVMe to Extract Gains From Flash

Traditional computer systems read and write data to hard disk drives (HDD) using the ATA or Advanced Host Controller Interface (AHCI) protocol. AHCI was designed for the physical behavior of an HDD: it needs time to spin up the platter, to find the first valid data on the platter, and to go to another place on the platter if the data is not stored contiguously.

But with the advent of solid state drives (SSD), the original way of talking to storage using AHCI is outmoded. That's why a new interface, designed for SSD, is needed. That is called Non-Volatile Memory Express (NVMe). It eliminates the overhead of the older protocol - spinning up a platter, finding the first valid data on a platter - and focuses on the strengths of SSD through lower latency and higher throughput.

There is also the PHYSICAL connection to consider. The traditional IDE/SATA/SATA Express physical connector interface is now replaced by PCIe.

Even with the storage upgrade (HDD to SSD), other upgrades are needed as well. First, upgrade the HW interface (SATA -> PCIe). Next, upgrade the SW interface (AHCI -> NVMe). Early Apple MacBooks had SSD drives and PCIe interfaces, but didn't support NVMe yet.

Here you can see that a SW protocol can be mated with different HW interfaces. For example, PCIe can support both AHCI and NVMe. On some of the MacBook Airs that I have used, the SSD is already connected via PCIe, but it is still using the older AHCI SW protocol. Apple has started to update MacOS to support NVMe in the high-end MacBooks. Hope to see this in MacBook Airs soon!

Why I Will Still Buy HDD - A Harsh Change From Microsoft OneDrive

How many of us signed up for free online cloud storage, only to have the terms change on us years later? That's what happened with Microsoft OneDrive - we were promised 15GB of storage, but now that is being cut down to 5GB. Most of us understand the freemium pricing model, but to have the rules change on us is unfair.







I want my storage to be under my control. As a result, I went and bought a WD 4TB Network Attached Storage (NAS) to build my own private cloud storage. It supports DLNA, which means if I store movies, music, or pictures on it, I can view them on any TV or app that can receive DLNA streaming.


Conjoint Analysis - An analytic framework for deciding trade-offs between features



I did this a while back while scoping out trade-offs between price and the hardware inside a tablet. The hardware features looked at are often focused on "CPU" and screen size.

The Application Processor (AP) is the CPU brains inside of a tablet. Why is it called an application processor? Because the AP not only contains a traditional CPU, but often also includes a separate graphics processing unit (GPU), needed to make streaming video smoother and games more realistic. There are two major AP architectures: ARM and Intel. ARM has been licensed by most AP design companies: Apple, Qualcomm (whose chips are then sold to Samsung, Apple, ...), Samsung, Mediatek (whose chips are then sold to HTC, ...), etc. Intel's Atom has been used in tablets from less well-known brands such as Acer. Indirectly tied to the AP is the size of the local memory (DDR).

Screen size is the other dominant hardware feature used to make a tablet purchase decision. Some consumers look at the absolute size (diagonal measure, pixel count) as opposed to pixel density (how sharp the display will be).

Here is a quick example of a conjoint analysis.


S(N) denotes screen size. P(N) denotes the number of processor cores and RAM. The conjoint (the crossing of S(N) x P(N)) denotes segments, and targets personas/use cases/budgets.