Month: March 2016

Andy Grove and Intel’s Move From Memory to Microprocessors

A titan of the technology industry passed away on March 21, 2016. Andy Grove was instrumental in taking a commodity product such as the microchip and making it a branded, must-have hardware feature. “Intel Inside” and “Pentium” were on the minds of the majority of PC consumers during the 1990s. Under Andy Grove’s leadership, Intel was able to sustain high profitability and profit growth. With the help of a Redmond-based operating systems company, the “Wintel” standard won the format wars against Apple and IBM’s OS/2. Regarding Andy Grove and his Intel tenure, the Economist reported, “Under his leadership it increased annual revenues from $1.9 billion to more than $26 billion and made millionaires of hundreds of employees.”

For all of Andy Grove’s successes in the semiconductor market, it was not a foregone conclusion that Intel would ever make the leap into this industry. Most people of my generation who grew up in the 80s and 90s are not familiar with the fact that at the time of Intel’s founding, the company primarily produced replacement computer memories for mainframes. Intel was first and foremost founded as a memory company.

An article by Robert A. Burgelman in the Administrative Science Quarterly highlights the processes and decision calculus of Intel executives which led the company to exit the dynamic random access memory (DRAM) market. Burgelman provides key insights regarding the transformation of Intel from a memory company into a microcomputer company.

DRAM at one point in time accounted for over 90% of Intel’s sales revenue. The article states that DRAM was essentially the “technology driver” on which Intel’s learning curve depended. Over time the DRAM business matured as Japanese companies were able to involve equipment suppliers in the continuous improvement of the manufacturing process in each successive DRAM generation. Consequently, top Japanese producers were able to reach production yields that were up to 40% higher than those of top U.S. companies. DRAMs essentially became a commodity product.

Intel tried to maintain a competitive advantage and introduced several innovative technology design efforts with its next generation DRAM offerings. These products did not provide enough competitive advantage, thus the company lost its strategic position in the DRAM market over time. Intel declined from an 82.9% market share in 1974 to a paltry 1.3% share in 1984.

Intel’s serendipitous entry into microprocessors happened when Busicom, a Japanese calculator company, contacted Intel for the development of a new chipset. Intel developed the microprocessor, but the design was owned by Busicom. Legendary Intel employee Ted Hoff had the foresight to lobby top management to buy back the design for use in non-calculator devices. The microprocessor became an important source of sales revenue for Intel, eventually displacing DRAMs as the number one business.

There continued to be a disconnect between stated corporate strategy and the activities of middle managers during the transition period. Top executives gave weak justifications for the company’s reluctance to face reality and exit the DRAM space; they were emotionally attached to the DRAM business. A middle manager stated that Intel’s decision to abandon the DRAM market was tantamount to Ford deciding to exit the car business!

The demand for Intel microprocessors led middle managers to begin allocating factory resources to heavily produce microprocessors over DRAM. Intel’s cultural rule that information power should always trump hierarchical position power gave middle managers the decision space to make production allocation decisions that overrode corporate stated goals. These actions further dissolved the strategic context of DRAMs.

“By the middle of 1984 some middle managers made the decision to adopt a new process technology which inherently favored logic [microprocessor] rather than memory advances”. By the end of 1984, Intel’s top management was finally forced to face business reality with respect to DRAMs. In order to regain leadership in DRAM, management was faced with a 100 million dollar capital investment decision for a 1 MEG product. Top management decided against the investment and thus eliminated the possibility of Intel remaining in the DRAM space.

It cannot be overstated that Andy Grove saw a future where microprocessors would become the dominant driver of Intel’s success. He had the foresight to tell his direct reports to “make data based decisions and not to fear emotional opposition”. This was a gutsy call because the culture of Intel viewed DRAM memory as a “core technology of the company and not just a product”.

Andy Grove himself is quoted as saying, “The fact is that we had become a non-factor in DRAMs, with 2-3% market share. The DRAM business just passed us by! Yet, many people were still holding to the ‘self-evident truth’ that Intel was a memory company. One of the toughest challenges is to make people see that these self-evident truths are no longer true.”

Under Andy Grove’s leadership, Intel embarked upon a high stakes technological paradigm shift where either complacency or botched execution could have jeopardized the very existence of the company. Rest in peace Mr. Grove.

References:

Burgelman, Robert A. (1994). Fading Memories: A Process Theory of Strategic Business Exit in Dynamic Environments. Administrative Science Quarterly, Vol. 39, No. 1 (Mar., 1994), pp. 24-56.

Protection Against Injection: The SQL Injection Attack

As we are all well aware, data is everywhere. Every organization generates and stores data, and unfortunately too many bad apples are willing to exploit application weaknesses. A very popular technique used by hackers of all hats to compromise data confidentiality and integrity is the SQL injection attack. “In terms of the attack methods used by hackers, SQL injection remains the number one exploit, accounting for nearly one-fifth of all vulnerabilities used by hackers” (Howarth, 2010). Don’t believe the hype? Visit the SQL Injection Hall of Fame.

Not everyone is a DBA or a security expert but if you care about data, you need to have a basic understanding of how this attack can be used to potentially compromise your web exposed data. In 2009 infamous hacker Albert Gonzalez was indicted by grand juries in Massachusetts and New York for stealing data from companies such as Dave & Buster’s Holdings, TJ Maxx, BJ’s Wholesale Club, OfficeMax, Barnes & Noble and The Sports Authority by using SQL injection attacks. All of these attacks were enabled due to poorly coded web application software (Vijayan, 2009). He masterminded “the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007—the biggest such fraud in history” (Wikipedia, Albert Gonzalez). As an aside, Mr. Gonzalez is serving 20 years in prison for his crimes.

In short, SQL injection is a malicious technique used to compromise the security of a SQL database. Crafted parameters are entered into a user input field on a website, and that input is passed through to the web application’s database server for execution. A successful exploit may let the attacker obtain sensitive information from a subverted SQL SELECT statement or, in the worst case, remotely shell into the server and take control. The attacker may then be able to run further SQL commands and escalate privileges to read, modify or even delete information at will.

A popular method to test the vulnerability of a site is to place a single quote character, ‘, into the query string of a URL (Krutz, R. L. & Vines, R. D., 2008). The telltale response is an error message that contains an ODBC (Open Database Connectivity) reference. ODBC is a standard database access interface used by applications to interact with a database regardless of the underlying database management system. Krutz and Vines (2008) offer this example of a typical ODBC error message:

Microsoft OLE DB Provider for ODBC Drivers error ‘80040e14’
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the
keyword ‘and’. /wasc.asp, line 68

An error message like this contains a wealth of information that an ill-intentioned hacker can use to exploit an insecure system; it names the driver, the database product, the offending keyword and even the script file and line number. A secure application should instead return a custom, generic error response. Furthermore, it is not necessary to be an experienced hacker to take advantage of this exploit; there are automated SQL injection tools available that make carrying out this attack fairly simple for someone with a script kiddie level of understanding.

There are ways to protect against SQL injection attacks; the most obvious is to apply input validation. Rejecting unreasonably long inputs may also prevent exploitation of a buffer overflow scenario. Programmers, because of the extra work involved, sometimes skip validation steps; however, the extra safety margin may well be worth the cost. Encrypting the database contents and limiting the privileges of the accounts that execute user input queries is also ideal (Daswani, N., Kern, C., & Kesavan, A., 2007).

From a SQL Server perspective, here are a few best practice tips shared from Microsoft TechNet to consider for input validation:

    • You should review all code that calls EXECUTE, EXEC, or sp_executesql.
    • Test the size and data type of input and enforce appropriate limits. This can help prevent deliberate buffer overruns.
    • Test the content of string variables and accept only expected values. Reject entries that contain binary data, escape sequences, and comment characters. This can help prevent script injection and can protect against some buffer overrun exploits.
    • Never build Transact-SQL statements directly from user input.
    • Use stored procedures to validate user input.
    • In multitiered environments, all data should be validated before admission to the trusted zone. Data that does not pass the validation process should be rejected and an error should be returned to the previous tier.
    • Implement multiple layers of validation. Validate input in the user interface and at all subsequent points where it crosses a trust boundary. For example, data validation in a client-side application can prevent simple script injection. However, if the next tier assumes that its input has already been validated, any malicious user who can bypass a client can have unrestricted access to a system.
    • Never concatenate user input that is not validated. String concatenation is the primary point of entry for script injection.
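As an added example (not from the original post or from any of the sources it cites), here is the concatenation pattern the list above warns against, side by side with a version that validates size and content and then binds the value as a parameter, and a wrapper that returns only a generic error. An in-memory SQLite table stands in for SQL Server; the table, its rows, the character whitelist and all function names are constructed for this illustration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# application's SQL Server database (names and rows are invented here).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "o'brien", "obrien@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """Builds the statement by concatenating user input into the SQL text,
    the pattern the TechNet list says never to use. Returns ("rows", rows) or
    ("driver_error", message): the single-quote probe from the post, and an
    honest name containing an apostrophe, both end up parsed as SQL."""
    sql = "SELECT id, username FROM customers WHERE username = '" + username + "'"
    try:
        return ("rows", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        # This raw driver text is exactly what a verbose error page leaks.
        return ("driver_error", str(exc))


MAX_USERNAME_LEN = 32
# Reject comment markers, statement separators, escape sequences and control
# (binary) characters before the value crosses into the database tier.
_REJECT = re.compile(r"--|/\*|\*/|;|\\|[\x00-\x1f]")
# Then accept only the character set a username is expected to contain
# (an assumed whitelist; adjust to the application's real rules).
_ALLOWED = re.compile(r"^[A-Za-z0-9_.'@-]+$")


def validate_username(username: str) -> str:
    """Enforces size and content limits (the 'test the size' and 'test the
    content' tips); raises ValueError on anything unexpected."""
    if len(username) > MAX_USERNAME_LEN:
        raise ValueError("input too long")
    if _REJECT.search(username) or not _ALLOWED.match(username):
        raise ValueError("unexpected characters in input")
    return username


def lookup_safe(conn: sqlite3.Connection, username: str):
    """Validates first, then binds the value as a parameter so the driver
    sends it as data rather than as part of the statement text. A legitimate
    apostrophe (o'brien) is matched literally instead of breaking the query."""
    clean = validate_username(username)
    return conn.execute(
        "SELECT id, username FROM customers WHERE username = ?", (clean,)
    ).fetchall()


def lookup_for_user(conn: sqlite3.Connection, username: str):
    """The boundary the web tier exposes: any validation or database failure
    collapses into one generic message, never the driver's own error text."""
    try:
        return lookup_safe(conn, username)
    except (ValueError, sqlite3.Error):
        return "Request could not be processed."


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "'"))      # ('driver_error', <raw SQL detail>)
    print(lookup_safe(db, "o'brien"))      # [(3, "o'brien")]
    print(lookup_for_user(db, "bob;"))     # Request could not be processed.
```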

References
Albert Gonzalez. In Wikipedia. http://en.wikipedia.org/wiki/Albert_Gonzalez

Howarth, F. (2010). Emerging Hacker Attacks. Faulkner Information Services.

Krutz, R. L. & Vines, R. D. (2008). The CEH Prep Guide: The Comprehensive Guide to Certified Ethical Hacking.

Microsoft TechNet. SQL Injection. https://technet.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx

Vijayan, J. (2009). “U.S. says SQL injection caused major breaches.” Computerworld, 43(26), 4-4.

Raise the Wage: The Minimum Wage’s Effect on the Restaurant Industry

Overview

The popular myth is that the typical minimum wage worker is a young high school student who is looking to earn pocket money rather than cover living expenses. This could not be further from the truth. According to the Department of Labor, “89 percent of those who would benefit from a federal minimum wage increase to $12 per hour are age 20 or older, and 56 percent are women” [9]. Within the past year the US has seen a number of fast food workers strike for a $15 an hour minimum wage. Would this increase be too high too fast? Back in 2007, when the minimum wage was set to increase from $5.85 to $7.25 per hour, there was much wailing and gnashing of teeth from the restaurant industry. In 2007 I also wrote a small post which examined the possible effect of a minimum wage increase on the restaurant industry. Research studies have shown that an increase in the minimum wage would not be such a bad deal for the restaurant industry.

Labor and Prices

One effect that the minimum wage increase will have on the industry is that labor costs will increase. Understandably, businesses have a strong desire to keep their costs low so they do not impact profit margins. Typically, labor accounts for about 30 percent of a restaurant’s overhead. This number is slightly below what is spent on food so it represents a significant portion of restaurant operating costs. For Darden Restaurants Inc labor makes up about 43 percent of its cost of sales [2]. Over the course of two years the federal minimum wage will increase by 40 percent. Margins in the casual dining restaurant are very slim, so any increases in costs will cut into the restaurants’ bottom line. As a result of the increases in labor costs, restaurants will be forced to raise prices on their goods. For example, Darden Restaurants Inc has adjusted prices in the past in response to state minimum wage increases. These increases were enacted so that Darden can maintain its profit margins.

Economists Daniel Aaronson and Eric French examined government-collected price data to determine the impact of minimum wage increases on prices. They found that “a 10 percent hike in the minimum wage increased restaurant prices on the whole by 0.7 percent, and prices at limited service establishments by 1.6 percent [1].”

The fast food sector of the restaurant industry provides a number of low skilled minimum wage earning jobs. Aaronson and French’s research shows that prices in this sector can expect to increase by 1.5 percent per every 10 percent increase [1]. With the minimum wage expected to increase by 40 percent over the next two years, if Aaronson and French’s model holds then prices will increase 6 percent in some states. Most likely this would occur in states that follow the federal minimum standard rates and those that do not have their own specific state minimums. Fast food chains that do a significant amount of business in states such as Georgia, Texas, Louisiana and Tennessee amongst others, could potentially feel the full impact of price increases. For states that are already above the federal minimum wage the impact could be less severe as these states may choose to not enact any further increases to their minimum wages.

Another consequence of price increases in the fast food sector would be its disproportional effect on the poor since poorer families spend a relatively large fraction of their incomes on such goods [4].

Employment

Aaronson and French in their research have constructed a model that attempts to determine the impact of minimum wage increases on employment. “In a perfectly competitive labor market, the authors find that a 10 percent increase in the minimum wage will result in a 2.5 to 3.5 percent decrease in employment. [1]”

While conventional theory dictates that minimum wage increases lead to higher unemployment levels, a study by David Card and Alan Krueger, two economics professors at Princeton University, challenged this notion. They believe that the U.S. is far below the point where wage increases will begin to cost jobs. Card and Krueger conducted a study on minimum wage hikes and focused specifically on the New Jersey minimum wage hike in 1990 and its effect on the fast food industry. Unemployment rates and wages were compared in New Jersey and in Pennsylvania. What they found was that “employment actually expanded in New Jersey relative to Pennsylvania, where the minimum wage was constant. [4]”

Card and Krueger repeated this study and focused on the 1996 federal minimum wage increase with respect to New Jersey and Pennsylvania. In this instance the situations were reversed, as New Jersey was already above the $4.75 mandated wage and Pennsylvania was increasing its wage from $4.25. They found that greater employment growth occurred in Pennsylvania than in New Jersey. Although they doubted that Pennsylvania’s strong employment growth was caused by the minimum wage increase, they believed that the wage increase, at worst, did not lead to the unemployment that would be expected. “There is certainly no evidence in these data to suggest that the hike in the federal minimum wage caused Pennsylvania restaurants to lower their employment relative to what it otherwise would have been in the absence of the minimum-wage increase. [5]”

Potential Benefits of Increased Minimum Wage

An increase in the minimum wage will produce some detrimental effects for the industry, but there are some benefits to be had as well. I believe that there are employee benefits as well as employer benefits. The employee benefits are those that focus on the pluses experienced by minimum wage workers, while the employer benefits are those that actually benefit the restaurants. An employee benefit would be that corporate restaurant chains would be forced to share some of their vast wealth with the people who helped create that wealth. In an economic outlook report issued by the National Restaurant Association they stated that “The industry is heading into 2007 as an economic powerhouse. [6]” The same association has also estimated nationwide industry sales of $536.9 billion next year, up 5 percent over 2006 [6]. With sales of this magnitude it may be feasible to require that more profit be passed on to employees, especially since workers need a minimum amount of income to survive and pay bills. At the current rate of $5.15 an hour, “today’s minimum wage workers have less buying power than minimum wage workers had half a century ago. [7]”

Restaurant employers could benefit from the minimum wage increases as well. Card and Krueger studied restaurants in Texas after the federal minimum wage was raised from $3.80 to $4.25. They concluded that job growth was faster at those restaurants which were affected by the increase [9]. Some restaurants were not affected by the increase because they already paid at or over $4.25.

A higher minimum wage could help businesses like Applebee’s and Darden reduce their worker turnover which could increase the level of worker experience and reduce overall training costs. “High employee turnover is destructive to a company because it means that the company workforce lacks experience and continuity; it means that experienced workers have to spend much of their time training new hires; it means that managers have to spend both time and money finding replacements [8]”.

Conclusion

An increase in the minimum wage will mean that restaurants will most likely be forced to increase prices on their offerings in order to compensate for the higher labor costs. But as the article mentions, if prices increase and sales are not affected then fast food restaurant franchisers could reap the benefits of higher royalties. While conventional economics hint that higher wages will lead to higher unemployment, studies by Card and Krueger show that wage increases (at least as they apply to restaurants that rely on minimum wage workers) will not necessarily lead to higher unemployment. Their studies have shown that unemployment rates have fallen in states when the minimum wage was increased. An increase in the minimum wage could also pave the way for increases in restaurant productivity and a lowering of employee turnover.

References

[1] http://www.epionline.org/studies/aaronson_06-2006.pdf

[2] “Darden sees little impact from a minimum wage hike” Reuters News. (20 Dec. 2006) Factiva.

[3] Becker, Gary and Posner, Richard. “How to Make the Poor Poorer.” The Wall Street Journal (26 Jan. 2007): pg A11. Factiva.

[4] http://www.uvm.edu/~vlrs/doc/min_wage.htm

[5] http://www.irs.princeton.edu/pubs/pdfs/90051397.pdf

[6] “UPDATE 1-US restaurants see 2007 sales up, oppose wage hike.” Reuters News. (12 Dec 2006) Factiva.

[7] http://www.businessforafairminimumwage.org/

[8] http://www.huppi.com/kangaroo/41More.htm

[9] http://www.dol.gov/featured/minimum-wage/mythbuster

SQL: Think in Sets not Rows

This article is also posted on LinkedIn.

Structured Query Language, better known as SQL, is regarded as the working language of relational database management systems (RDBMS). As was the case with the relational model and the concepts of normalization, the language developed as a result of IBM research in the nineteen seventies.

“Left to their own devices, the early RDBMSs (sic) implemented a number of languages, including SEQUEL, developed by Donald D. Chamberlin and Raymond F. Boyce in the early 1970s while working at IBM; and QUEL, the original language of Ingres. Eventually these efforts converged into a workable SQL, the Structured Query Language” (Kriegel, 2011).

For information professionals and database practitioners, SQL is regarded as a foundational skill that enables raw data to be manipulated within an RDBMS. “This is a declarative type of language. It instructs the database about what you want to do, and leaves details of implementation (how to do it) to the RDBMS itself” (Kriegel, 2011).

Before the advent of commercially accessible databases, data was typically stored in proprietary file formats. Each vendor had its own specific access mechanisms, which could not be easily configured or customized for access by other applications. As databases began to adopt the relational model, the arrival and eventual standardization of SQL by ANSI (American National Standards Institute) and ISO (International Organization for Standardization) helped foster consistency of access, manipulation and retrieval across many products.

Think in Sets not Rows!

SQL gives users the ability to query and manipulate data within the RDBMS without having to rely solely on a graphical user interface. There are powerful extensions in the many variant structured query languages (e.g. T-SQL, DB2 SQL, PL/SQL, etc.) that provide functionality above and beyond the ISO and ANSI standards. However, SQL practitioners must first and foremost remember that SQL is a set-based construct. The most efficient SQL code regards table data as a whole and refrains from manipulating individual rows one at a time unless absolutely necessary.

“Thinking in sets, or more precisely, in relational terms, is probably the most important best practice when writing T-SQL code. Many people start coding in T-SQL after having some background in procedural programming. Often, at least at the early stages of coding in this new environment, you don’t really think in relational terms, but rather in procedural terms. That’s because it’s easier to think of a new language as an extension to what you already know as opposed to thinking of it as a different thing, which requires adopting the correct mindset” (Ben-Gan, 2012).

Working with a relational language based upon the relational data model demands a set-based mindset. Iterative, cursor-based processing, if used at all, should be used sparingly.

“By preferring a cursor-based (row-at-a-time) result set—or as Jeff Moden has so aptly termed it, Row By Agonizing Row (RBAR; pronounced ‘ree-bar’)—instead of a regular set-based SQL query, you add a large amount of overhead to SQL Server” (Fritchey, 2014).

If all other set-based options have been exhausted and a row-by-row cursor must be employed, then make sure to use an “efficient” (relatively speaking) cursor type. The fast-forward-only cursor type provides some performance advantages over other cursor types in a SQL Server environment. Fast-forward-only cursors are read-only and move only forward within a data set (i.e. they do not support multi-direction iteration). Furthermore, according to Microsoft Technet (2015), fast-forward-only cursors automatically close when they reach the end of the data. The application driver does not have to send a close request to the server, which saves a round trip across the network.
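The Row By Agonizing Row pattern beside its set-based equivalent, as an added example (not from the original post or its sources): the same discount is applied either by walking a cursor and issuing one UPDATE per qualifying row, or by one UPDATE that describes the whole set, and a trace callback counts the statements the engine receives. An in-memory SQLite table stands in for SQL Server; the orders table, its rows, the 25 percent rule and the function names are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data: four orders in an in-memory SQLite table standing in
# for a SQL Server table (values invented for this example).
def build_orders() -> sqlite3.Connection:
    # isolation_level=None stops sqlite3 from issuing its own BEGIN statements,
    # so the trace callback below sees only the statements our code sends.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, "
        "amount REAL NOT NULL, discount REAL NOT NULL DEFAULT 0.0)"
    )
    conn.executemany(
        "INSERT INTO orders (id, customer, amount) VALUES (?, ?, ?)",
        [(1, "alice", 120.0), (2, "bob", 80.0), (3, "alice", 300.0), (4, "carol", 50.0)],
    )
    return conn


class StatementCounter:
    """Counts the statements the client sends to the engine; each one is a
    round trip, and that is the cost a cursor loop multiplies by row count."""
    def __init__(self) -> None:
        self.count = 0

    def __call__(self, statement: str) -> None:
        if not statement.lstrip().upper().startswith(("BEGIN", "COMMIT")):
            self.count += 1


def apply_discount_rbar(conn: sqlite3.Connection) -> int:
    """Row By Agonizing Row: walk a cursor over every order and issue one
    UPDATE per qualifying row. Returns the number of statements sent."""
    counter = StatementCounter()
    conn.set_trace_callback(counter)
    cursor = conn.execute("SELECT id, amount FROM orders")
    for order_id, amount in cursor.fetchall():
        if amount >= 100.0:
            conn.execute("UPDATE orders SET discount = ? WHERE id = ?",
                         (amount * 0.25, order_id))
    conn.set_trace_callback(None)
    return counter.count


def apply_discount_set(conn: sqlite3.Connection) -> int:
    """Set-based: describe the whole result and let the engine iterate
    internally. One statement regardless of how many rows qualify."""
    counter = StatementCounter()
    conn.set_trace_callback(counter)
    conn.execute("UPDATE orders SET discount = amount * 0.25 WHERE amount >= 100.0")
    conn.set_trace_callback(None)
    return counter.count


def discounts(conn: sqlite3.Connection):
    """Final state of the table, used to confirm both approaches agree."""
    return conn.execute("SELECT id, discount FROM orders ORDER BY id").fetchall()


if __name__ == "__main__":
    a, b = build_orders(), build_orders()
    print("RBAR statements:", apply_discount_rbar(a))       # 3 (1 SELECT + 2 UPDATEs)
    print("Set-based statements:", apply_discount_set(b))   # 1
    print("Same result:", discounts(a) == discounts(b))     # True
```

With four rows the gap is three statements to one; with a million rows the cursor loop sends a million UPDATEs while the set-based form still sends one.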

References:

Ben-Gan, I. (Apr, 2012). T-SQL Foundations: Thinking in Sets. Why this line of thought is important when addressing querying tasks. Retrieved from http://sqlmag.com/t-sql/t-sql-foundations-thinking-sets

Fritchey, Grant. (2014). SQL Server Query Performance Tuning (4th ed.).

Kriegel, Alex. (2011). Discovering SQL: A Hands-On Guide for Beginners.

Microsoft Technet. Fast Forward-Only Cursors (ODBC). Retrieved April 23, 2015, from https://technet.microsoft.com/en-us/library/aa177106(v=sql.80).aspx

From White Hat to Cyber Terrorist: The Seven Types of Hackers

The traditional definition of a hacker is someone who uses computers to gain unauthorized access to data. “Hacks” are deployed for various reasons as diverse as the thrill of the conquest, protests, profit or bolstering status within the hacker community. Some security professionals question whether the term “ethical hacker” is a contradiction in terms, as hacking was originally defined as a criminal activity (Wikipedia, Certified Ethical Hacker).

Conrad Constantine, a research engineer at the security management company AlienVault, states, “The term ‘ethical’ is unnecessary – it is not logical to refer to a hacker as an ‘ethical hacker’ because they have moved over from the ‘dark side’ into ‘the light’… The reason companies want to employ a hacker is not because they know the ‘rules’ to hacking, but because of the very fact that they do not play by the rules” (Bodhani, pg. 66).

There are many subgroups within the hacker community that encompass more than the traditional black hat, white hat dichotomy. Here are a few of the different types of hackers and their aims:

  • White Hat: Commonly referred to as an Ethical Hacker. Holders of the Certified Ethical Hacker (CEH) certification who uphold the values of the EC-Council (aka the International Council of Electronic Commerce Consultants) would be classified as white hat hackers. The aim of the white hat is to legally and non-maliciously perform penetration testing and vulnerability assessments against computer systems in order to uncover and remedy security weaknesses. White hats are typically employed by security consulting firms that perform penetration testing.
  • Black Hat: Commonly referred to as a “cracker”. Black hats are the opposite of white hat hackers in that they attempt to penetrate computer systems illegally and without prior consent. A black hat hacker is interested in committing a range of cybercrimes such as identity theft, destroying data, destabilizing systems, credit card fraud, etc.
  • Grey Hat: The ethics of the grey hat lie somewhere between those of the white hat and black hat hackers. A grey hat may use the tools and skill sets of a black hat to penetrate a system illegally but will exhibit white hat tendencies in that no harm is caused to the system. Typically, the grey hat will notify the system owner of any vulnerabilities uncovered.
  • Blue Hat: An outside security professional invited by Microsoft to exploit vulnerabilities in products prior to launch. This community gathers every year at a conference sponsored by Microsoft; the blue signifies Microsoft’s corporate color. “BlueHat’s goal is to educate Microsoft engineers and executives on current and emerging security threats in an effort to help address security issues in Microsoft products and services and protect customers” (Microsoft, 2013, para. 1).
  • Hacktivists: These hackers will compromise a network or system for political or socially motivated purposes. Website defacement or denial-of-service attacks are the favored methods used by Hacktivists (Wikipedia, Hacker (Computer Security)).
  • Script Kiddies: These “hackers” are amateurs who follow directions and use scripts developed and prepared by advanced hackers. The script kiddie may be able to successfully perform a hack but has no thorough understanding of the actual steps employed.
  • Cyber Terrorists: According to the U.S. Federal Bureau of Investigation, cyberterrorism is any “premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents. Unlike a nuisance virus or computer attack that results in a denial of service, a cyberterrorist attack is designed to cause physical violence or extreme financial harm. According to the U.S. Commission of Critical Infrastructure Protection, possible cyberterrorist targets include the banking industry, military installations, power plants, air traffic control centers, and water systems” (Search Security).

Bodhani, A. (January, 2013). “Ethical hacking: bad in a good way.” Engineering and Technology Magazine, 7(12), pp. 64-64.

Cyberterrorism. In Search Security. Retrieved April 16, 2013 from http://searchsecurity.techtarget.com/definition/cyberterrorism

Microsoft. (2013). BlueHat Security Briefings. Retrieved April 16, 2013 from http://technet.microsoft.com/en-us/security/cc261637.aspx
