
Kmart Australia Faces Security Breach

November 30, 2015

Oracle’s Endeca and IBM’s Coremetrics were both caught up in a customer-data hack at Kmart Australia, we learn from “Customer Data Stolen in Kmart Australia Hack” at iTnews. Fortunately, it appears credit card numbers and other payment information were not compromised; just names, contact information, and purchase histories were snagged. It seems Kmart Australia’s choice to use a third party to process payments was a wise decision. The article states:

“The retailer uses ANZ Bank’s CyberSource payments gateway for credit card processing, and does not store the details internally. iTnews understands Kmart’s online ecommerce platform is built on IBM’s WebSphere Commerce software. The ecommerce solution also includes the Oracle Endeca enterprise data discovery platform and Coremetrics (also owned by IBM) digital marketing platform, iTnews understands.”

The article goes on to report that Kmart Australia has created a new executive position, “head of online trading and customer experience.” Perhaps that choice will help the company avoid such problems in the future. It also notes that the retailer reported the breach voluntarily. Though such reporting is not yet mandatory in Australia, legislation to make it so is expected to be introduced before the end of the year.

Cynthia Murrell, November 30, 2015

Sponsored by, publisher of the CyberOSINT monograph

MarkLogic Does Ecommerce

November 25, 2015

On their blog, MarkLogic announces they are “Eliminating Shopper Fatigue: Making Online Commerce Faster, More Accurate.” Anyone who has tried to shop online for a very particular item understands the frustration. Despite all the incentives to quickly serve up exactly what a customer is looking for, ecommerce sites still struggle with searches that get too specific. Writer (and MarkLogic chief marketing officer) Michaline Todd gives this example: A site that sells 652 different versions of a “screwdriver” returns zero results to the phrase “one-quarter-inch slotted magnetic screwdriver.” You know it must be there somewhere, but you have to comb through the 652 screwdriver entries to find it. That or give up and drive to the local hardware store, where a human will hook you up with exactly what you need. Good for local business, but bad for that ecommerce site.

Todd says the problem lies in the traditional relational databases upon which many eCommerce sites are built. These databases were not meant to handle unstructured data, like supplier-created product descriptions. She describes her company’s solution to the problem, which naturally includes MarkLogic’s NoSQL technology:

“The beauty of NoSQL is that it’s a schema-agnostic data model that ingests data in whatever its current form. Codifyd uses MarkLogic to quickly and reliably merge millions of data points from thousands of suppliers into a product catalogue for each of its clients. By gathering such fine-tuned information instantaneously, Codifyd recommends products matched to specific attributes in real time, increasing customer trust, loyalty and retention. This more precise information also allows retailers to bundle relevant product offers in a set, improving upselling and increasing the average order size. For example, a retailer can serve up the ‘one-quarter-inch slotted magnetic screwdriver’ the customers searched for as well as a toolkit that contains that particular screwdriver.”

Todd notes that Codifyd also dramatically speeds up the process of posting entries for new products, since unstructured data can be reproduced as-is. MarkLogic, launched in 2001, proudly declares that its platform is the only enterprise-level NoSQL platform in existence. The company is headquartered in San Carlos, California, and maintains offices around the world.

Cynthia Murrell, November 25, 2015



SLI H116 and Related Info Swizzles

November 13, 2015

I read an item produced by a research outfit called Edison. What’s interesting is that the “news” refers to SLI Systems, a New Zealand-based outfit which sells eCommerce search software. The company has been going through some choppy water and has two new executives. One is a president, Chris Brennan. The more recent appointment is Martin Onofrio’s taking the job of Chief Revenue Officer. Prior to joining SLI, Mr. Onofrio was, according to the Edison news item, the chief revenue officer at Attensity. That’s one of the sentiment-oriented content processing outfits. (Attensity has been a low profile outfit for a while.)

In that “report” from Edison which you can read at this link, I noted a reference to H116 revenue. The report did not explain what this type of revenue is. I did a quick search and learned that H116 does not seem to be a major revenue type. H116 is a type of aluminum, a motorized stepper, and a string of characters used by a number of different manufacturers.

After some thinking whilst listening to the Jive Five, I realized that Edison and SLI Systems are using H116 as a token for “revenues for the first half of fiscal 2016.” There you go.

Another write up adds this color, which I think the Edison experts could have recycled to make clear what H116 means:

Revenue is forecast to rise to $17.3 million in the six months ending December 31 from $13.6 million a year earlier when sales accelerated at a 27% pace, the Christchurch-based company said in a statement.

Here’s the important part in my view:

The software developer missed its sales forecast for the second half of the 2015 year, and has hired Martin Onofrio as its new chief revenue officer to drive revenue growth.

A couple of quick thoughts before I go watch the mist rise from the mine drainage pond:

  1. SLI might want to make sure that its experts output “news” which is easy to understand.
  2. Inclusion of revenue challenges is probably as important as, if not more important than, opining about the future. The future is not yet here, so, like picking the winner of the Kentucky Derby, touts are different from which nag crosses the finish line first.
  3. Attensity, in my opinion, has faced its own revenue headwinds. I wonder if a chief revenue officer can generate revenue in a world in which there are open source and low cost eCommerce search systems?

A word to Edison: Please, do not write to complain about my nagging about the H116 thing. You offer a two page report which is one page. What’s up with that? Friday the 13th bad luck or a standard work product?

Stephen E Arnold, November 13, 2015

Amazon Punches Business Intelligence

November 11, 2015

Amazon already gave technology a punch when it launched AWS, but now it is releasing a business intelligence application that will change the face of business operations, or so Amazon hopes. ZDNet describes Amazon’s newest endeavor in “AWS QuickSight Will Disrupt Business Intelligence, Analytics Markets.” The market is already saturated with business intelligence technology vendors, but ZDNet expects Amazon’s new AWS QuickSight to cause another market upheaval.

“This month is no exception: Amazon crashed the party by announcing QuickSight, a new BI and analytics data management platform. BI pros will need to pay close attention, because this new platform is inexpensive, highly scalable, and has the potential to disrupt the BI vendor landscape. QuickSight is based on AWS’ cloud infrastructure, so it shares AWS characteristics like elasticity, abstracted complexity, and a pay-per-use consumption model.”

Another monkey wrench for business intelligence vendors is that AWS QuickSight’s prices are not only reasonable but borderline scandalous: $9 per user per month for the standard edition or $18 per user per month for the enterprise edition.

Keep in mind, however, that AWS QuickSight is the newest shiny object on the business intelligence market, so it will have out-of-the-box problems, its long-term ramifications are unknown, and it still relies on database models and schemas. Do not forget that most business intelligence solutions do not resolve all issues, including ease of use and comprehensiveness. It might be better to wait until all the bugs are worked out of the system, unless you do not mind being a guinea pig.

Whitney Grace, November 11, 2015


Kroger IT Management and the Pain of Reality

October 12, 2015

In Harrod’s Creek, we have access to a giant store doing business here as Kroger. There is an all organic outfit down the hollow. I like that outfit. The prices are higher for some things, but the store is human scale. The Kroger warehouse requires me to walk almost 500 meters to get my dogs treats, my wife some ersatz milk product, and for me to stock up on Mountain Dew and M&Ms.

The salad bar is history, replaced with plastic boxes of pre-jigged stuff. The Fancy Dan foods cost the same as at Organic City, so many folks in this area avoid the Kroger offerings. The center of our store houses Wal-Mart and Home Depot type products. I don’t think about buying red and blue non stick pans when I do a trip to the grocery for my wife.

I read with considerable interest “Kroger CIO: Four lessons for strategic IT.”

Each time I visit the Kroger in Harrod’s Creek or more accurately, Prospect, Kentucky, I fear the Hitachi based automatic check out systems. Kroger is trimming humans at check outs, presumably the Hitachi units are better, faster, and cheaper.

A trip to the local chain grocery can be an enjoyable experience. Don’t forget your customer loyalty card. Don’t complain about the difficulty of finding a product. Don’t hassle the Kroger humans about one price on the product and a different price in the Kroger database. Have a nice day.

I learned from Chris Hjelm, the CIO of Kroger, one of the world’s largest companies, that information technology must be relevant. I wonder, “To whom, Mr. Hjelm.” Your boss, to suppliers, or to the individual customer? Mr. Hjelm “is responsible for managing the company’s nationwide network of Information and Technology Systems, including systems used in retail stores, manufacturing plants, distribution centers and offices, as well as Research & Development. He also oversees 84.51°, Aviation, Corporate Travel, Indirect Sourcing, and the Check Recovery Center.” He has an honorary PhD degree and before joining Kroger in 2005, he was CIO of Cendant’s Travel Distribution Services, eBay, and Excite@Home, and a CIO at Federal Express. He “has a particular passion for food and is an aspiring amateur chef.” Cendant broke up into four companies. eBay is an online flea market. Excite@Home was a darned exciting outfit when it purchased Kendara’s personalization technology before Excite lost its excitement. FedEx, well, FedEx ships stuff.

Now what are the lessons for strategic IT? I assume this is different from making information technology actually work.

First, the lesson numero uno is to earn credibility as a reliable service provider. I think this means deal with vendors who will implement systems which meet the needs of the Kroger person or unit with an IT need. Yep, making stuff work is good.

Second, one must learn the business. This is no small task when one considers that work experience in shipping, Internet flame outs, online flea marketing, and travel may not seem to be directly related to selling groceries. No, I understand. The IT part is the fiber of these businesses. Ergo, food is just like eBay.

Third, form relationships with one’s superiors. Okay, that seems to be a safe statement. Due to the ultra conservative, siege mentality of most senior executives in many traditional businesses facing heat from online vendors, that’s good. Keeping one’s job is strategic.

Fourth, use experts. Nay, rely on experts. The good manager, it seems, can terminate experts or ignore them if they are down the hall. The strategy may reinforce self preservation like the relationships with those higher on the food chain (pun intended).

Now reality. Annoying reality.

At the local Kroger, senior management have deployed self check out units. Most of the time, about one third of the available units are operating. The reason is management’s desire to funnel customers to a few self check outs and thus reduce the need for expensive humans who have to intervene frequently when customer transactions go off the rails.

Example: I bought an Ambrosia apple, number 3438. The Hitachi scanning system registered one pound of cheddar cheese. A moonlighting law enforcement officer was at the self check out and managed to clear the transaction. I got the apple for free. Ah, an annoying anomaly.

The new Kroger stores are large. They are organized according to the type of anti social thinking pioneered by Paco Underhill; to wit, make customers who want bread and fruit and milk walk from the entrance along a path of an equilateral triangle. Why put frequently purchased products in one convenient location? The strategy is to force a person to walk so the person will buy stuff not on the person’s list.

The scale of the products in our local Kroger is astounding. One employee told me that there were more than 90,000 items in the store. Wow, how many red skillets sit for months without a human touching them? How much food is dumped at expiration time because no one buys the product?

Our local Kroger offers printed on paper maps, not mobile content, to help a customer find a product. Do you know where mustard is? Do you know where a mixture of mustard and relish is? Answer: in separate aisles, not together.

Kroger cannot alphabetize. Look at the signs hanging from the ceiling that list the products in an aisle. Are these alphabetized? Nope. Waste of time.

Everything in the Kroger—from the database which is out of sync with the product codes to the location of the products—is presented in a way that says, “Hey, go to Paul’s or Fresh Market.”

What is the information strategy at Kroger stores?

  1. Create a perception of credibility among your co workers and colleagues.
  2. Implement the routine business and learn the camp fire stories about how wonderful Kroger was and is.
  3. Get to be pals with those with more Kroger juice
  4. Use those consultants because it is easier to deflect criticism than take responsibility for tasks.

Kroger is a grocery store. Information technology should make it easier for customers. IT should make it possible for management to know when databases are not in sync. Partners can use Kroger IT to reduce waste and inefficiency.

Kroger, like any retail chain based on the build it and they will come principle, will have to deal with two types of technical debt. Like credit card debt, the interest adds friction to keeping the flawed systems up and running. Like Walgreen’s, the interest on the real estate is not a chimera.

Excitement is ahead for those living the retail dream in a world in which Amazon wants to use technology to eliminate the need to experience the pain and waste the time dribbled away at the grocery store.

Has Kroger IT entertained this statement, “When will that automated delivery arrive? I just ordered 10 minutes ago.” Amazon, are you listening?

Stephen E Arnold, October 12, 2015

The Sad eCommerce Search Realities

September 9, 2015

We love it when articles make pop culture references as a way to get their point across. Over at Easy Ask, an article entitled “ ‘You Can’t Always Get What You Want’ – The Realities of eCommerce Search” references the Keith Richards and Mick Jagger song to explain how a Web site loses a customer. The potential customer searches for a product, fails to find it using the search feature, so the person moves on to a new destination.

What happens is that a Web site search function might not understand all the query terms, or it might return results that fail to meet the shopper’s need. The worst thing any eCommerce shop could show a shopper is a “no results found” page. It might seem like a simple feature to get right, but search algorithms need to be fine tuned like any other code. The good news is that decent eCommerce search systems have already been designed.

“How can you avoid these misunderstandings? One approach is to employ search software that understands the words in the search and how they relate to each other and the site’s catalog. These search engines are called ‘Contextual Search’ and employ ‘Natural Language Processing’ software. Remember diagramming sentences in elementary school and identifying the nouns, verbs, adjectives, etc. Knowing the role of a word in a website search helps find the right products.”

Contextual search that uses natural language processing treats queries based on a user’s true intentions, rather than giving each term the same weight.  Contextual search is more intuitive and yields more accurate results.  The article finishes by saying the customers “get what they need.” Ah, what a wise use of The Rolling Stones.

Whitney Grace, September 9, 2015


Old School Endeca Yields EneCom

August 27, 2015

I read “iBiz Software Inc.’s EneCom, a standalone Endeca eCommerce, extends powerful Endeca’s Guide search with Cart functionalities.”

The main idea is that an Oracle partner has used Endeca (a late 1990s chunk of technology) to build an “end to end eCommerce omni channel solution.”

I thought that’s what Endeca’s system did.

I learned:

EneCom is a robust, scalable and cost-effective eCommerce solution that integrates with 3rd party vendors including Shipping Carriers such as FedEx and UPS, Tax engine using Avalara and Credit Card Payment Gateways using Chase Paymentech, EpicPay, and WorldPay etc. EneCom is self-sufficient and can be standalone. Existing Oracle Endeca customers can further extend their Endeca investment by taking advantage of the integrations and omni-channel capabilities.

I concluded that iBiz stood up a ready to roll implementation of Endeca.

No information about cost. As I recall, Endeca was an expensive solution. iBiz, which empowers cloud commerce, may have found a way to make Endeca’s approach mesh with the real time, go go mobile world.

It strikes me that EneCom is Endeca without the time consuming, expensive consulting work required to make the computational intensive system deliver useful outputs.

Without pricing information, it is tough to tell if the solution is a viable alternative to the numerous low cost eCommerce systems available.

Stephen E Arnold, August 27, 2015

Insight Into the Zero-Day Vulnerability Business

August 14, 2015

An ironic security breach grants a rare glimpse into the workings of the market for information on security vulnerabilities, we learn from “Hacking Team: a Zero-Day Market Case Study” at Vlad Tsyrklevich’s blog. Software weak spots have become big business. From accessing sensitive data to installing secret surveillance software, hackers hunt for chinks in the armor and sell that information to the highest (acceptable) bidder. It seems to be governments, mostly, that purchase this information, but corporations and other organizations can be in the market, as well. The practice is, so far, perfectly legal, and vendors swear they only sell to the good guys. One buyer in this market is the Italian firm Hacking Team, known for its spying tools, which purchased exploits from brokers to use in its own products. Hacking Team itself was recently hacked, its email archives exposed.

Blogger Vlad Tsyrklevich combs the revealed emails for information on the market for zero-day (or 0day) vulnerabilities. These security gaps are so named because the software’s vendor has had “zero days” to prepare a fix: the flaw is sold or exploited before the vendor knows it exists, so no patch is available to the exposed party. Some may find it odd just how prosaic the procedure for selling zero-days appears. The article reveals:

“Buyers follow standard technology purchasing practices around testing, delivery, and acceptance. Warranty and requirements negotiations become necessary in purchasing a product intrinsically predicated on the existence of information asymmetry between the buyer and the seller. Requirements—like targeted software configurations—are important to negotiate ahead of time because adding support for new targets might be impossible or not worth the effort. Likewise warranty provisions for buyers are common so they can minimize risk by parceling out payments over a set timeframe and terminating payments early if the vulnerability is patched before that timeframe is complete. Payments are typically made after a 0day exploit has been delivered and tested against requirements, necessitating sellers to trust buyers to act in good faith. Similarly, buyers purchasing exploits must trust the sellers not to expose the vulnerability or share it with others if it’s sold on an exclusive basis.”

The post goes on to discuss pricing, product reliability, and the sources of Hacking Team’s exploits. Tsyrklevich compiles specifics on dealings between Hacking Team and several of its suppliers, including the companies Netragard, Qavar, VUPEN, Vulnerabilities Brokerage International, and COSEINC, as well as a couple of freelancing individuals. See the article for more on each of these (and a few more under “miscellaneous”). Tsyrklevich notes that, though the exposure of Hacking Team’s emails has fed into the debate over export controls on intrusion software under the international agreement known as the Wassenaar Arrangement, the company itself seems to be weathering the exposure just fine. In fact, its sales are reportedly climbing.

Cynthia Murrell, August 14, 2015


Chrome Restricts Extensions amid Security Threats

June 22, 2015

Despite efforts to maintain an open Internet, malware seems to be pushing online explorers into walled gardens, akin to the old AOL setup. The trend is illustrated by a story at PandoDaily, “Security Trumps Ideology as Google Closes Off its Chrome Platform.” Beginning this July, Chrome users will only be able to download extensions for that browser from the official Chrome Web Store. This change is on the heels of one made in March: apps submitted to Google’s Play Store must now pass a review. Extreme measures to combat an extreme problem with malicious software.

The company tried a middle-ground approach last year, when it imposed the our-store-only policy on all users except those using Chrome’s development build. The makers of malware, though, are adaptable creatures; they found a way to force users into the development channel, then slip in their pernicious extensions. Writer Nathaniel Mott welcomes the changes, given the realities:

“It’s hard to convince people that they should use open platforms that leave them vulnerable to attack. There are good reasons to support those platforms—like limiting the influence tech companies have on the world’s information and avoiding government backdoors—but those pale in comparison to everyday security concerns. Google seems to have realized this. The chaos of openness has been replaced by the order of closed-off systems, not because the company has abandoned its ideals, but because protecting consumers is more important than ideology.”

Better safe than sorry? Perhaps.

Cynthia Murrell, June 22, 2015


Amazon, Pages, and Research

June 21, 2015

I read “What If Authors Were Paid Every Time Someone Turned a Page.” As you may know, I have complained directly and through my attorney because IDC and its wizard Dave Schubmehl sold a report containing my information on Amazon. The mid tier consulting firm pegged a $3,500 price tag on an eight page report based on my work. Well, as Jack Benny used to say. Well.

The publisher / consultant behavior annoyed me, but I do not sell my content via Amazon. I would prefer to give away a report than get tangled in the Bezos buzz saw. Sure, I buy talcum powder from the Zon, but that’s because the grocery in Harrod’s Creek does not sell any talcum powder. The Zon gets the product to me in a few days. Sometimes.

My thoughts about Amazon ramped up a notch when I read this passage in the article from The Atlantic:

Soon, the maker of the Kindle is going to flip the formula used for reimbursing some of the authors who depend on it for sales. Instead of paying these authors by the book, Amazon will soon start paying authors based on how many pages are read—not how many pages are downloaded, but how many pages are displayed on the screen long enough to be parsed. So much for the old publishing-industry cliché that it doesn’t matter how many people read your book, only how many buy it. For the many authors who publish directly through Amazon, the new model could warp the priorities of writing: A system with per-page payouts is a system that rewards cliffhangers and mysteries across all genres. It rewards anything that keeps people hooked, even if that means putting less of an emphasis on nuance and complexity.

Several observations:

  1. I often buy digital and hard copy books because I need access to a specific passage. I recently ordered a book about law enforcement and the Web. I was interested in two chapters and the bibliographies for those chapters. The notion of paying the author, a police professional, for only those pages I examined rubs me the wrong way. I have the book and I may need to access other chapters at a different point in time. But I want the author to be paid for this very good work. If I understand the write up, Amazon wants to move in a different direction.
  2. When I get a book via Amazon for my Kindle, I thought I could use the book as long as I had the device. Well. (There’s the Benny word again) I have experienced disappearing content. My wife asked me where a title was, I said, “In the archive.” Nope. The title was disappeared. Nifty. I contacted Amazon via a form and heard nothing back. Who got paid? Amazon but I no longer have the digital book. Nifty, but I probably made a mistake or at least that’s what outfits operating like Time Warner-type companies tell me. My fault.
  3. Amazon, like the Google, is faced with cost projections that are likely to give accountants headaches and sleepless nights. Amazon, a digital Wal-Mart type operation, is going to squeeze revenue any way possible. Someone has to pay for the Amazon phone and other Amazon adventures. Same day groceries, anyone?

Net net: No wonder the second hand book stores in Louisville, Kentucky are crowded. Physical books work the way they have for centuries, thank you. You will be able to buy my new study from the electronic store we have set up. The book will even be available in hard copy if a person wants a tangible instance. Maybe I will sell fewer copies. That’s okay. I prefer to avoid being clever and making my work available to anyone who wants to access it. None of that IDC like behavior either. $3,500 for eight pages. Crazy, right?

I often purchase fiction books, read a few pages, and then decide the book is not in my wheel house. I want the author to get paid whether I read every page or not. I think the author wants to get paid as well. The only outfit who doesn’t want to pay may be the Zon.

Stephen E Arnold, June 21, 2015
