May 2008 - Posts
"Surrender, we are many, you are few. We won't lay down our weapons, you want them? Come get them! The Persians' arrows will blot out the sun. Better this way, we will fight in the shadow."
The movie '300' is like a big punch in the stomach, and you have no time to fall. In '300', a comic-book story meets entrepreneurship and meets world history: the legendary battle of Thermopylae in 480 BC, where only 300 Spartans fought against millions of Persians for the future of Greece. Nobody knows exactly how many were really involved in the war, but everyone agrees: it was few against many!
Based on Frank Miller's graphic novel, the movie generated USD 70 million in its first week in the USA alone, with no Tom Cruise, Brad Pitt or big-shot Hollywood star; instead the major roles went to 'unknowns': a Scot called Gerard Butler as King Leonidas and a Brazilian called Rodrigo Santoro as King Xerxes.
Some might say that people go to see this movie because of its sexy scenes, rock music, violence and amazing special effects.
That's a lie!
This movie captures the audience because it is about the eternal battle between the strong and the weak, between heroes and villains, between common people and powerful kings. It attracts people because every single one of us wants to know how to defeat a much more powerful competitor with far fewer resources; how to conquer the market with few people; how to make more out of less.
'300' is a bloody battle between a small company carried on the shoulders of very talented warriors bound by honor, and a huge corporate machine kept running by millions of regular employees, some of whom do not even know what they are doing in the company or why they are doing it.
This movie offers more insights for your professional life than many MBA courses out there. Save yourself USD 500 and watch the movie for a few dollars.
You will learn:
- a lesson about a leader who inspires others (even to admire him until his last breath),
- how to start a company where everyone wants to work 24x7 (until their last moments),
- how to create a brand, a history, a legend (that will outlive death).
- When the captain decides to punish a soldier, Leonidas, the Spartan King, teaches the manager the value of respect towards the lower ranks.
- When in doubt about his own convictions, Leonidas asks the opinion of his partner, wife and Queen, who is always treated as the equal of any man, about how to deal with the business.
- When busy, just a few days before facing millions and certain death, he finds quality time to spend with his little son and teach him the secrets of the business world that he knows so well.
- When ready for battle, tie, computer and mobile in hand, everything he does is to KEEP FOCUS ON THE REASON: to do the best for the business and his employees.
- When King Xerxes tries to seduce Leonidas with the benefits that a possible merger and acquisition of the little Spartan company by the mega-corporation Persia will bring to the shareholders, to him (by becoming CEO of Greece: palaces, women, higher salaries) and to his employees (who will be set free from slavery), Leonidas reminds Xerxes that the true slavery of a human being is not economic or social slavery, but losing the Spartan lifestyle, their culture, their philosophy and the right to take decisions freely without having to justify them to anybody.
In every scene you can learn something about yourself!
Forget the popcorn and the soft drinks, concentrate on the dialogues.
When the Spartan board of directors decides to surrender to Xerxes by not supporting Leonidas, they take the army command away from him and tell him to kneel and behold the invisible; Leonidas instead does a spin-off from the army: he creates his own company, gathers 300 of his best soldiers and goes to war against Xerxes' millions.
When he is asked how he will defeat millions with just 300 soldiers, he says he will use his brain while Xerxes uses his ego. He moves towards Thermopylae, a narrow passage that will neutralize the enemy's superiority in numbers.
When an incapable and mediocre Spartan asks to join the army, Leonidas tells him to go home; Xerxes, on the other hand, sends his mediocre men to the front to die first. In Leonidas' small company, only the best, the brave and the brilliant are accepted. He leaves out the weak, the average and the non-team players.
Interestingly, he brings only married men with at least one son, meaning the most committed people compared with the young and single. He does not want anybody to slow down his best men and show weakness to the enemy. He cannot afford it.
During a very important moment of the battle, Leonidas meets Xerxes. The God-King asks: "How do you envision defeating me? I would kill any one of my own men just to have you killed"; "I would die for any one of my own men," Leonidas says.
When Leonidas realizes that he will no longer be able to defeat Xerxes' army, he decides to build a brand!!! He sends just one of his soldiers back home with the mission of making sure everyone knows what happened there, so that the history and glory of those 300 Spartans will live forever.
2,500 years later, on the other side of the planet, here we are talking about those 300 warriors. "The whole world will know that a handful of free men fought to their death against the tyranny, the whole world will know that few stand against many."
The marketing started by Leonidas worked. This viral message inspired millions of Spartans and produced the pride needed to unite the Greek world, which later ended the Persian invasion; Greece was never defeated by them in this war. And because of that, a new regime was born: Democracy.
The Spartan society left nothing behind except the stories of its battles. No art, no music, no dance, no knowledge, no invention, no technology to enlighten the path... they left as their legacy the unconditional dedication and strong discipline of their people, who became the best warriors this world has ever seen.
Sparta did not produce an Einstein, a Michelangelo or a Leonardo da Vinci, but it gave birth to the expression "Spartan life", which today describes a lifestyle where a person gives up privileges and personal benefits to embrace (with body, mind and soul) and surrender his life to a higher cause.
Project meetings can be very productive, but they can also be a real waste of time and money.
Recently, while working for a client, I was responsible for coordinating a project development meeting. The participants were a heterogeneous group, and despite the fact that I did not know some of the attendees, the meeting was a big success.
During a conversation on our coffee break I was asked about meeting strategies and how to conduct them.
So I am going to share with you guys here what I told them, and what I effectively did during that particular meeting:
Every meeting MUST have three elements: a purpose, an agenda and a maximum duration. If any of these is missing, the meeting is meaningless and should not happen.
Make sure you can define the purpose of the meeting in a maximum of two sentences, for instance: "This meeting is to plan the new developments for project X". This way, everyone will know why they are there, what needs to be done and how to proceed in order to succeed.
Define a clear agenda in advance. Make a list of all the items to be discussed, reviewed, analysed, presented etc. When I conduct meetings, my personal strategy is to allocate a time limit to each item on the agenda and to assign the responsibility for leading the discussion to someone in the group. Works like a charm.
Define a duration for the meeting: how many minutes or hours it should last. From the start, make crystal clear to everyone what time the meeting will start and, sometimes more importantly, when it will end. It is amazing the number of managers who have absolutely no control over their meetings and do not know how to enforce the finishing time. If you think you have this habit... CHANGE IT!!!
Do not wait for latecomers. Meetings must start at the agreed time. Do not wait for late arrivals or for those who need to be called to the meeting. Just make sure everyone gets notified; then, when someone arrives after the meeting has started, DO NOT STOP TO REVIEW WHAT WAS SAID. Do this as a sign of respect to those who arrived on time.
If the meeting's organizer is late, consider the meeting cancelled and get back to work. How long counts as late? It depends on the company, but I would not wait more than 5 minutes.
Document your meeting. What I do is put someone in charge of writing down the notes. What goes in the meeting notes? Basically the names of the attendees, the subjects discussed, the points agreed, and the next developments and/or actions with their dates and the people responsible for them.
When the meeting is over, the meeting notes must be sent, within 24 hours, to all the participants, to those who could not make it to the meeting and to those who might be affected by the upcoming decisions.
Keep the focus. Every meeting must have a regulator who notifies the others when someone is discussing a subject outside the scope of the current topic. Ask one of those present to volunteer for this task when the meeting is about to start. His/her task is to interrupt the meeting whenever the focus is lost and bring back the main subject. The new outside topic can then be noted down and perhaps discussed in a future meeting. In case of doubt about whether a specific topic is in or out of scope, the meeting organizer has the final word.
I hope these notes can be of some help in your next meetings. If you have any comments or other meeting ideas, please feel free to leave them here and share as well.
See ya later.
This weekend I went to a friend's house and we talked a lot about photography, another passion of mine. So I decided to use my iTouch to show him my online portfolio:
- Sorry man - he said - I have to tell you my home network name. Otherwise you won't see it available to connect to.
- What do you mean? Do you hide your wireless SSID?
- Yeah, I do it for security reasons.
And here we go yet again, another old security myth: hiding your wireless SSID makes your home network safer.
First of all, what is this?

In your house you may have Internet access. If you have a laptop, what people normally do is buy a router, connect the Internet cable to the router, and then the router 'emits' the signal into the air. This lets you connect to your Internet from your bedroom or kitchen, talk to your mother over MSN while walking around the house, and so on. Everything wirelessly, as long as you can still get the signal. And for that we give this signal a friendly name called the SSID, so you know where to connect.
The thing is, everyone who has a computer with a wireless connection also sees your signal.
So how do you stop them from connecting to your Internet and surfing on a stolen connection? Well, you set a password on your router, so when anyone tries to connect they are asked for it.

And here we get to the point: the SSID is not a password. As a matter of fact, the SSID was designed to be public. So making it public or hidden really does not change the security scenario much. And besides, remember what all the security experts say: there is no security by obscurity. Just because it's hidden does not mean that it is safe.
So he decided to hide the SSID. OK. It does not matter; it is not very hidden anyway. Let's see.
The wireless network that you have at home sends packets of data over the air. Some are encrypted, some are not, and the unencrypted ones also contain your SSID name. Simple as that, and written in plain text.
So if I were a hacker, I could use a sniffer program to capture the packets and open them up to see what's inside. In a lot of them I would see crazy stuff; those are the encrypted ones. But in some of them I would see things like: trying to connect to SSID name 'myhomenetwork'.
So there we go, our secret is gone. Do you still think you're safer after that?
Can you reduce the number of packets carrying unencrypted information? Yes, but you cannot stop them 100%, so at some point they will be sent.
Another thing to worry about. If you use Windows XP we can observe an interesting behaviour. If your SSID is hidden but the laptop is connected to the Internet, XP apparently still keeps sending requests to join the network, continuously. And guess what? The router replies to your requests using unencrypted messages.
Funny thing. If we think about it, what we are doing here is making our hidden network send, over and over and over again, a bunch of replies with unencrypted data containing your so-cool-and-hidden SSID.
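To make the point concrete, here is an added Python example, not code from the post, that parses constructed 802.11 management frame bodies: a beacon from a hidden network (empty SSID element), the probe request a client sends when it asks for that network by name, and the router's probe response. The frame layout follows the standard, but the capture bytes are assumed and built inline, not real traffic.

```python
import struct

# 802.11 management frame subtypes (from the frame control field)
SUBTYPE_PROBE_REQUEST = 0x4
SUBTYPE_PROBE_RESPONSE = 0x5
SUBTYPE_BEACON = 0x8
# Beacon and probe response bodies start with 12 bytes of fixed fields
# (timestamp, beacon interval, capability info); probe requests have none.
FIXED_FIELD_LEN = {SUBTYPE_PROBE_REQUEST: 0, SUBTYPE_PROBE_RESPONSE: 12, SUBTYPE_BEACON: 12}
IE_SSID = 0            # information element id of the SSID
IE_SUPPORTED_RATES = 1


def parse_information_elements(tagged: bytes):
    """Walk the id/length/value list that follows the fixed fields."""
    elements = []
    i = 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        elements.append((eid, value))
        i += 2 + length
    return elements


def ssid_in_frame(subtype: int, body: bytes):
    """What a passive listener reads from one frame body: the network name,
    '' for a hidden (zero-length) SSID, or None if the frame has no SSID element.
    Management frames are not encrypted, so no key is needed to read them."""
    offset = FIXED_FIELD_LEN[subtype]
    for eid, value in parse_information_elements(body[offset:]):
        if eid == IE_SSID:
            return value.decode("utf-8", errors="replace")
    return None


def names_visible_to_listener(frames):
    """Set of non-empty SSIDs a listener learns from (subtype, body) pairs."""
    seen = set()
    for subtype, body in frames:
        name = ssid_in_frame(subtype, body)
        if name:
            seen.add(name)
    return seen


def ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


# Constructed sample frames (assumed values, not a real capture)
RATES = ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
FIXED = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, 100 TU interval, ESS+privacy bits
CAPTURE = [
    # Hidden network: the beacon carries an empty SSID element, so the name is not shown here
    (SUBTYPE_BEACON, FIXED + ie(IE_SSID, b"") + RATES),
    # The client asking for the hidden network by name, in the clear
    (SUBTYPE_PROBE_REQUEST, ie(IE_SSID, b"myhomenetwork") + RATES),
    # The router answering that request, again with the name in the clear
    (SUBTYPE_PROBE_RESPONSE, FIXED + ie(IE_SSID, b"myhomenetwork") + RATES),
]

if __name__ == "__main__":
    print("beacon alone reveals:", names_visible_to_listener(CAPTURE[:1]))
    print("whole exchange reveals:", names_visible_to_listener(CAPTURE))
```

The beacon on its own hides the name; the probe request and response that every client must send to join a hidden network give it away.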
Why do Windows XP and Windows Vista behave like this by default? Because SSIDs were, as I mentioned before, designed to be public, and my guess is that Microsoft did this to comply with some governments' cyber-laws. I've heard that in some countries, like the USA, it is a crime to keep your SSID hidden and to use hidden identities and hidden networks... all that stuff. I can't confirm that, so it is a guess, but it makes sense to me.
Hiding the SSID won't hide you from the wireless world. Unfortunately, people still associate hidden things with secure things.
So how do you make your wireless Internet at home more secure? Use something called WPA/WPA2. That's good enough most of the time. If you are using WEP, change to WPA2. If you are running Windows XP and you have applied all the updates, you are safe. With Windows Vista it is even easier, because WPA2 comes with it out of the box.
Here is some more material about securing your wireless Internet.
See you later
I am an IT guy. That's clear, but I often think about situations from a salesman's point of view, trying to view the world from another angle that I sometimes have no idea about.
What do I mean by that? I'll explain, but first please let me share this with you.
I must recognize that, even though IT is a really cool area to work in, and even though the pace is so demanding that we must run every day just to stay in the same place, unfortunately we do not always get the chance to deal with cool, state-of-the-art technology. Yes, sometimes we have to deal with repetitive tasks, sometimes boring tasks, sometimes old products, etc. If you are an IT person you know that and might agree with me. The legacy base is a consequence of this fast-paced world as well.
In those situations we wonder: mate, I am doing this because it was handed to me out of nowhere, I know it is no rocket science, and despite that I must finish it by tomorrow. I bet we have all dealt with this scenario at some point in our careers, and it normally leaves a strange taste in our mouths, telling us there is nothing new to be learned from that experience.
Fear not, my friends: there is always something to learn, no matter the scenario.
Now, let's get back to the sales person thing I was talking about.
After a contact, a client visit, a sale, an email delivered to a potential customer, whatever the reason, there is something the sales guy must do, which is ask himself: what could I have done better?
Sounds easy and trivial, but that's a hard thing to do, and as a matter of fact it is something I am trying to do myself: what have I done today that I could have done better? What have I done wrong today?
As time goes by this becomes a habit, just like drinking coffee at 3pm, and soon you'll picture yourself in a state of eternal improvement, or at least awareness of it. I am not telling you this is a magic rule to follow in order to achieve perfection, far from it; but it certainly does something to us which IMHO is a must for a better version of ourselves: it takes us out of our comfort zone.
And yet there are people out there who pay for this kind of professional service: personal coaching. Honestly, it would be great to pay for one of those, but I still prefer to put my hard-earned money into my mortgage or my kid's school fees. So why not become our own personal coach?
How do I do it?
I ask myself: what could I have done better? And I write the answers down on paper. I make a list. I put them on paper because I want that document to be a reminder, and you know what? Writing is free and doesn't hurt, especially the bad things and the mistakes we made. Yes, the mistakes are important too, because they will be like beacons in the dark ocean of our attempts, but I try not to concentrate too much on them; after all, mistakes are consequences of trying. If you do not make many mistakes, it means you haven't tried enough.
Just to illustrate, look at our mailboxes with lots of emails trying to sell us stuff. Pay attention to them: I would say that the vast majority are really badly written, from the sales point of view of course. Lots of information about the product's requirements, features and prices, but very little information about how it would make my life easier, or things like why I should buy it now and effectively save 1 hour of coding every day.
The truth is: very few of them talk about benefits. Very few of them mention how their product will help the customer with their problems.
So, here is a good exercise: try to find out what else the email selling you stuff wants to say. Why should I go for this product instead of the competition? How would you write the message to appeal to people like yourself? And how do you put yourself in other situations outside your comfort zone? Try to think about markets you don't know much about; for instance, think about how you would manage that coffee shop. If you were an attendant, how would you receive a client like yourself looking for a good coffee during the working day?
Excellence is not a point to reach; it is a trajectory made up of very, very small baby steps. Hundreds of them, taken one at a time, one each day.
See you later.
Never trust user input. Incoming data can be the source of many evils, and a security flaw can be sitting there just waiting for the right moment and the right person to break your application.
After finishing my upload control I finally integrated it with the website. Now users can select files and send them to the website to be processed.
What are the security risks here? Something that can be called a 'canonicalization issue'.
For a start, all data can be seen in its canonical form. A canonical form is the simplest and most standard form in which a piece of data can be represented; thus canonicalization is the process of converting data to its canonical form.
Proficient JavaScript programmers are very aware of what I am talking about. As a matter of fact, in our system the user can search for a name using wildcards. So you could ask him: "Retrieve me a list of all the instances whose canonical form includes Bill as a mandatory prefix". The user will probably say: "Retrieve what???" But if you ask: "Give me a list of all the users whose names start with Bill", they will type 'bill*' into the system. The user normally does not know it, but what he is doing is a kind of canonical query.
Now, back to our file upload issue. A file name is a very common canonical type. You can refer to the same file as:
- thairecipes.doc
- c:\recipes\thairecipes.doc
- c:\\recipes\\thairecipes.doc
- c:\ recipes\thairecipes.doc
- c:%3A%5Crecipes%5Cthairecipes.doc
As you probably figured out, the last one is the issue. Your Windows operating system will recognize the symbols %5C and %3A (the URL-encoded forms of '\' and ':').
You see, because we are giving the user the option to save just about any file name he wants in our system, at the same time we are also opening a door for a sort of canonicalization attack. Remember: never trust the user. And by user I am not only talking about a person. In our context a user is any entity who uses a given resource or service, and for that matter a user can indeed be another system or another application.
A hacker would think: "How can I break into this site? Does it allow easy access to any of its resources?" In our case, yes: our website must allow the user to upload files.
What to do now? How to handle a file upload to a web server?
Well, first, as a general rule you must not design a website that accepts just about any file name created by the user and saves it as is. As a matter of fact, any input must be validated and sanitized where possible, not only on the client side but on the server side as well.
A better design: do not allow the user to save the file on the web server with the filename he wants to use. Accept the file, keep the original filename somewhere, and let the application rename the file with another name before saving it. I would suggest using a GUID string for that. That way you are not only closing the door on a possible canonicalization attack, but you also do not give a malicious user a chance to guess the filenames you might have on your server. For example, if a hacker knows that there is a file called http:\\mywebsite\mydocs\clientid1\file1.doc, he will try something like http:\\mywebsite\mydocs\clientid1\file2.doc, then http:\\mywebsite\mydocs\clientid1\file3.doc, and so on. By using an internal naming rule you minimize his attack surface.
Another thing to observe: you don't have to fight and defeat a single malicious user. There may be hundreds of hackers trying to break your code, and you are just one guy against them (and you don't want to have any sleepless nights during weekends, do you?). They always find a way to break your code. The best option is to minimize their attack surface. Chances are they are going to move on and concentrate their efforts on breaking a "weaker website" if your site is strong enough for the first rounds of attack.
These would be some instinctive considerations, and additionally I would suggest taking a look at implementing the File I/O guidelines as well. At the end of the day, it all depends on how secure you want to be, how much time you have available to implement it and how rigid the specifications you were given are.
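The rename-on-upload rule described above, as an added Python example (not the post's own upload control): the client-supplied name is URL-decoded once, reduced to its final path component whichever separator style it used, checked against an allow-list of extensions, and the file is stored under a freshly generated GUID while the original basename is kept separately. The allowed extensions and the upload directory are assumptions made for the example.

```python
import os
import re
import uuid
from typing import Optional, Tuple
from urllib.parse import unquote

# Assumed policy for this example: the only extensions the site agrees to keep
ALLOWED_EXTENSIONS = {".doc", ".pdf", ".jpg"}


def canonical_basename(user_filename: str) -> str:
    """Reduce whatever the client sent to a bare file name with no path component.

    Percent-encoding is decoded once (c:%3A%5Crecipes%5Cx.doc -> c::\\recipes\\x.doc),
    then the name is split on both Windows and POSIX separators and only the last
    component is kept, so every spelling on the page collapses to 'thairecipes.doc'.
    """
    decoded = unquote(user_filename)
    if "\x00" in decoded:
        raise ValueError("NUL byte in file name")  # many file APIs truncate at NUL
    last = re.split(r"[\\/]+", decoded)[-1].strip()
    if last in ("", ".", ".."):
        raise ValueError("file name has no usable final component")
    return last


def storage_name(user_filename: str, token: Optional[str] = None) -> Tuple[str, str]:
    """Return (name_to_store_under, original_basename).

    The stored name is a GUID plus the validated extension, so nothing the client
    chose ends up in the path on disk and names cannot be guessed sequentially.
    `token` exists only so tests can pass a fixed GUID; normally leave it None.
    """
    original = canonical_basename(user_filename)
    ext = os.path.splitext(original)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    token = token or uuid.uuid4().hex
    if not re.fullmatch(r"[0-9a-f]{32}", token):
        raise ValueError("token must be a 32-digit hex GUID")
    return f"{token}{ext}", original


def save_upload(data: bytes, user_filename: str, upload_dir: str) -> dict:
    """Write the bytes under the generated name; return what to record in the database."""
    stored, original = storage_name(user_filename)
    root = os.path.abspath(upload_dir)
    dest = os.path.abspath(os.path.join(root, stored))
    # Belt and braces: even a generated name must resolve inside the upload directory
    if os.path.commonpath([dest, root]) != root:
        raise ValueError("destination escapes upload directory")
    with open(dest, "xb") as fh:  # 'x' refuses to overwrite an existing file
        fh.write(data)
    return {"stored_as": stored, "original_name": original}
```

The original name is returned for display or for the database row, never reused as a path on the server.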
See you later.
Last night I had a conversation with some new friends here in beautiful Australia and I would like to share something with you guys to reflect upon:
"Those people you see on National Geographic or the Discovery Channel, who try to reach the top of Everest, are they crazy or what?"
Now, picture this. For many decades, many men and women have tried... and there they lost their lives. As a matter of fact, most of these people were not even able to return to their loved ones. Despite this tragic statistic, more and more people tried... risking... knowing that they would probably die during the journey, leaving family, children and wives behind.
So why did/do they still do this? Because it was worth doing. In the very act of risking, a transformation happens in you; something is born inside you. No other experience can give you this. It can only be developed in risk. That's the beauty of risk.
So here we are, talking about the idea of "live your life to the fullest", no regrets, no looking back.
Then another question arises: "Can you remember when you felt most alive?"
For some, it was when they managed to speak a second language for the first time; for others it was when they first went bungee jumping in New Zealand or Switzerland; for others it was when their first child was born.
Now, if you remember "your special moment", I bet a shiver will run down your spine and your heartbeat will increase.
If I ask you to describe this feeling, you will talk about that moment, proud of yourself and of how cool it was.
I can almost tell a pattern in which people will:
- talk about a scenario in which the risk pushed them out of their comfort zone;
- remember the journey most, the outcome of the risk not being the main goal; and
- finish the story with a big smile and sparkling eyes.
So, there it goes. Think again about that first question I mentioned. Now, my idea is that the beauty of risk doesn't lie in the final result; it lies in who you become in the process. Confident. Engaged. Alive. I would risk saying more: this is not something you do every summer; it becomes a habit, and it can be contagious. It gives you a new approach to life. After doing it, your life is just not the same anymore; otherwise you will feel stagnant and bored.
So, just like that famous question: "When was the last time you did something for the first time?"
See you all later!