Bottom of the Pyramid Concept In India

The theory that even the poorest markets in the world can be revenue generating for companies if they tailored their product and packaging to these markets is considered the “bottom of the pyramid” concept.

SIM Cards on the Street in Hyderabad, India

This concept was introduced by the Late Professor of the University of Michigan, C. K. Prahlad, in his book The Fortune at the Bottom of the Pyramid: Eradicating Poverty Through Profits. Some well known examples of products that cater to these markets include micro-credit products and selling shampoos in sachets.

I am currently visiting India and below are some interesting observations on the concept that I see actually being applied:

Mobile phones

The cost of ownership of a SIM card is low. I got mine for $.20 cents with talktime and incoming calls free. No wonder there are over 900 Million mobile users in India.

According to a Times of India article, India has 70 subscriptions per 100 people, of which 96% are prepaid, while 53% of households own a mobile phone and India's price per minute use is the lowest possible at $0.01.

Mobile phones have created an opportunity for entrepreneurs to set up dealerships and sell SIM cards by offering competitive discounts. These discounts make the crowds flock to them to get the cards, as is reflected in the picture above.

SIM cards are also sold in businesses of different verticals. SMS is used a lot in India, according to the Times of India:

“Just under half of Indians use text messages on a regular basis.”

This creates a market for products and marketing techniques using SMS. A unique example is the launch of a service to send a message by SMS to find out if a cheaper generic drug was available for a prescription.

Cars

The cheapest car in the market is the Tata Nano. According to CarDekho, it costs the equivalent of $3,616. Barriers to car ownership have come down, leading to other problems like traffic. On the flip side, this creates an opportunity for entrepreneurs selling auto accessories and service at repair shops.

Innovative Consumer Products

The case study of Godrej's refrigerator for rural India, ChotuKool, was designed with the help of women living in villages themselves and won several awards.

Social Innovation

Drinking water and health are very essential. In November of 2011, NPR ran a story on a successful for-profit organization, HealthPoint, that provides safe drinking water to village folks at $1.50 per month, along with low-cost diagnostic tests and e-health consultation.

Food

This may be my own short term experience, but when I left India over 15 years ago, international fast food giants like KFC and McDonalds were costly and beyond the reach of the common man.

Judging by the prices today, they are competing not only in price but also in products, by offering products that are closer to the market they are serving. McDonald's McAloo Tikki Burger, a vegetarian offering made of potato, is a good example.

The takeaway for small businesses and entrepreneurs globally from these examples should be:

1.) Think about how local market opportunities can be capitalized on using this concept. Closer to home, in the US, the Virgin Mobile brand of Sprint sells a cellphone plan with unlimited data and text and limited minutes for $35, which is very suitable for students.

2.) If you are thinking of exporting, consider the market opportunities that exist in both the affluent markets and the bottom of the pyramid.

3.) Be conscious of the strategy of large corporations that may affect your business. For example, the fading away of local book stores due to competition. I miss the independent book stores a lot.

The Economist featured a post titled, “The bottom of the pyramid: Businesses are Learning to Serve the Growing Number of Hard-up Americans.” It includes examples of bottom of the pyramid products in the U.S.

What have you observed similar to the bottom of the pyramid concept?




AAPT confirms it is investigating data breach

Australian telecommunications company AAPT has confirmed a breach of its systems that resulted in some of its business customer data being compromised.

According to iTnews, the company said that it was investigating the potential data breach after Anonymous threatened to release 40GB of data from an Australian internet service provider. It said that 3.5GB of data is alleged to be from AAPT.

The hacker said that the data was stolen "to prove a lack of security at ISPs and telcos to properly protect the information", which would be stored under the Federal Government's data retention draft policies.

An AAPT statement said: “It was brought to our attention by our service provider, Melbourne IT, at approximately 9.30pm (EST) last night that there had been a security incident and unauthorised access to some AAPT business customer data stored on servers at Melbourne IT. AAPT immediately instructed Melbourne IT to shut down the servers when we were notified of the incident.”

The compromised data is suspected to be a 40GB backup of an Adobe ColdFusion database, accessed through a well-known vulnerability.

AAPT said that the servers that the files were stored on had not been used or connected for at least 12 months, although it remained unclear whether the compromised data files had also included information relating to AAPT's residential customer base prior to acquisition by iiNet. AAPT primarily serves business customers after selling its residential base to iiNet for $60 million in 2010.

AAPT said that its preliminary investigation indicated two 'historic' data files with "limited personal customer information" had been compromised.

“We are undertaking a thorough investigation into the incident with Melbourne IT and the relevant authorities to establish exactly the type and extent of data that has been compromised, how the security incident happened and what further measures are required to prevent any future incidents,” AAPT said.

“AAPT will be contacting any impacted customers as soon as possible.”



Black Hat 2012: Dan Kaminsky tackles secure software development

LAS VEGAS -- Dan Kaminsky's annual "black ops" talk Wednesday at the 2012 Black Hat Briefings conference was a departure from past years' presentations, which were deep dives with a singular focus, exploring vulnerable core network functionality such as DNS security vulnerabilities, DNSSEC, certificate woes and more.

“We have to figure out what new tools we can give to developers to enable them to write code the way they want to.”

Dan Kaminsky

Instead, this year he offered attendees a macro view of security and insight on the potential effects on the economy and national security if the current state of affairs in information security isn't reversed.

“We have to fix this,” Kaminsky told the packed session hall. “And we're not going to fix it by dogma.”

Primarily, Kaminsky focused on the need for better code writing and secure software development, not only for Web applications but also OS kernel development. Kaminsky also proposed new technical means for improving the time it takes to find bugs, as well as a pitch for Net neutrality, a cause he's championed in the past, and the censorship of data and traffic by ISPs.

Kaminsky said developers are the key to righting the security ship. He said developers want their code to work, they don't want data to escape and they want simple tools that don't impede performance, or deadlines.

“Developers are in charge, not the architects, academics or management; security is not in charge either,” Kaminsky said. “We have to give them useful stuff. [Developers] like their code to work.”

Kaminsky held SQL injection vulnerabilities up as the example of continued coding issues that are exploited with great success -- and could have been fixed with equal success.

“We have to stop making fun of these attacks,” Kaminsky said, noting that the sheer number of successful SQL injection attacks have numbed security teams to their seriousness. “The majority of these attacks are used to steal stuff, and they're killing us. They're not [elite], and they are effective.”

For example, attackers used a blind SQL injection attack last year to take down the mysql.com website and expose data. Research from the Privacy Rights Clearinghouse released last year said that 83% of hacking-related data breaches were executed via SQL injection attacks. Additional research from Redwood Shores, Calif.-based data protection vendor Imperva Inc. put the number of Web applications vulnerable to SQL injection at 115 million.

“We can say that we're fixing these problems, but if they're getting fixed, this would not be so pernicious,” Kaminsky said. “We have to figure out what new tools we can give to developers to enable them to write code the way they want to.”
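The class of bug Kaminsky is pointing at is simple enough to show side by side. The following is an added example, not code from the talk: a lookup built by string formatting, which lets an input value become SQL syntax, beside the same lookup written as a parameterised query, which the driver sends as data. It uses Python's built-in sqlite3 module with a constructed in-memory table, so it runs offline; the `compare` helper returns the row counts each version yields for the same input.

```python
import sqlite3


def build_db():
    """Constructed sample data (not from the article): a two-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The coding error: the value is spliced into the SQL text, so quotes and
    keywords in it are parsed as part of the statement."""
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter. The statement text is fixed at development
    time and the value travels separately, so it can only ever be compared as data."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Constructed test input: a value carrying a tautology, the textbook shape of the bug.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def compare(name):
    """Return (rows from the vulnerable lookup, rows from the safe lookup) for one input."""
    conn = build_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_safe(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal name behaves the same either way; the crafted input does not:
    # the vulnerable lookup returns every row, the parameterised one returns none.
    print("alice:", compare("alice"))
    print("crafted:", compare(TAUTOLOGY_INPUT))
```

The point for a code review or a static-analysis rule is mechanical: any query text built with `%`, `+`, `.format()` or an f-string from a request-derived value is the vulnerable shape, and the replacement is always the driver's placeholder syntax (`?` for sqlite3, `%s` for psycopg2, named parameters in most ORMs), never escaping by hand.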

Kaminsky's anti-censorship efforts continue as well. Last year at Black Hat, he announced a new tool he called N00ter, which is essentially a filter that screens out routers that could alter the path and delivery time of traffic packets, leaving just ISP to source paths.

“The Internet is less flat every day. Content is changing based on where you are, and not because of those running websites. It's because ISPs and governments are altering content,” he said. “Sometimes this is silently done.”

Kaminsky said he's working with privacy and civil liberties organizations such as the Electronic Frontier Foundation to counter Internet censorship by giving them the data streams generated by N00ter and other tools, solely as a data source, rather than as a data manager.

“I want to give them a mechanism to see what's available and what's being blocked,” Kaminsky said.




Black Hat 2012: Limited release for tool allowing smart meter hacks

LAS VEGAS -- A hacking tool designed to target and control a smart meter is getting a controlled release following a presentation Wednesday at the 2012 Black Hat Briefings conference.

"Our tool is providing the capabilities for the utility to understand what information can be pulled out without using a security code. Then they can get a change implemented."

Don Weber, InGuardians

Don Weber, a senior security analyst at Washington D.C.-based InGuardians Inc., is releasing his OptiGuard smart meter assessment toolkit to utilities, vendors and vendor-vetted smart meter security researchers. Weber, who was pressured to cancel an earlier talk about his research at the 2012 ShmooCon conference, described how his research led him to the creation of the smart meter assessment toolkit to a large Black Hat audience Wednesday.

"We decided not to release the tool publicly," Weber said. "[It will be released] only to people within the industry: vendors, utilities and researchers that are working on smart meter assessments that we can validate."

Weber also declined to demonstrate the tool saying that it wouldn't be fair to use it publicly against a specific smart meter, because the toolkit works on all of them.

OptiGuard is built in Python, Weber said, and can be easily assembled to communicate and interact with any smart meter. It was designed to use a smart meter's infrared port to read, write and run procedures.

Weber said the tool is highly configurable. A security code is needed to modify tables or run procedures, and Weber described a way to brute force the smart meter password in less than seven hours, a feat he said would likely make the attempt far too difficult and cost prohibitive for cybercriminals and fraudsters. Weber said he has never gotten his tool to communicate with the meter for longer than 20 minutes at a time.

"Our tool is providing the capabilities for the utility to understand what information can be pulled out without using a security code," Weber said. "Then they can get a change implemented."

An attacker could use the tool to conduct smart meter hacks, accessing the firmware to turn the device on or off and make other adjustments to the meter. In order to develop the tool, Weber said he had to buy a commercial optical probe, a device that can be purchased online for about $350. The company is working with a Gainesville, Fla.-based manufacturer to build an open source optical probe.

Don Weber of InGuardians talks to reporters and attendees following his Black Hat presentation. Credit: Robert Westervelt

Weber points out that smart meter hacking has been documented since about 2009. Customers have used a variety of techniques over the years to try to cut down on electricity expenses, from using powerful magnets against the device to tapping in and modifying a meter's firmware.

The good news, Weber said, is that if a customer tampers with a smart meter, most utility companies should have the capability to identify the unauthorized configuration changes. Utilities, however, need to improve their incident response teams to monitor logs and detect and respond to anomalous activity.

Encryption also introduces issues. Current American National Standards Institute (ANSI) C12 smart grid meter standards, which define how meters can pass communication, use limited code obfuscation, Weber said.

"Everything is passed in the clear," he said, without encryption.

He said a newer ANSI C12 specification requires a DES-encrypted token to conduct mutual authentication, but then the rest of the exchanges are passed in the clear. Weber said most vendors will wait to implement a newer specification until an encryption algorithm is approved by the National Institute of Standards and Technology (NIST), a problem that is delaying development for vendors.

Weber said there are smart meter makers that use obfuscated protocols -- they don't write the security code sequentially -- making it extremely difficult to brute force a security code. It's a good practice, he added, because it makes attacking a smart meter a much more lengthy and costly process.




Symantec CEO ouster doesn't surprise industry analysts

According to information security industry analysts, Symantec Corp.'s sudden CEO shake-up isn't all that surprising, given the security software giant's lackluster performance and inability to meet Wall Street's expectations.

You would be hard pressed to find anyone that still views Symantec as an innovator in the security market, and to fix that will take more systemic change than swapping CEOs.

Andrew Braunberg,
independent analyst

At the company's analyst meeting last year, analysts were critical of former Symantec CEO Enrique Salem's work, said Chenxi Wang, vice president and principal analyst at Cambridge, Mass.-based Forrester Research Inc. Symantec hadn't demonstrated innovation in its product portfolio, she said, and Salem's reorganization of business units under different umbrellas didn't appear to have much effect.

"If he doesn't pull out some magic tricks to get the stock price moving, his days at Symantec are numbered," Wang said, recalling the conversation analysts had among themselves during the event.

Wang happened to be at Symantec's Mountain View, Calif.-based headquarters Tuesday, meeting with a Symantec executive. She said it was clear the company had had an eventful board meeting that day, based on her conversation with the executive.

Wang said she wasn't surprised today when Symantec announced it had named Chairman Steve Bennett as president and CEO, replacing Salem.

Bennett, who joined Symantec's board of directors in 2010 and became chairman last year, previously was president and CEO at software maker Intuit Inc. from 2000 to 2007. He also spent 23 years at General Electric. He will continue to serve as chairman of Symantec's board.

His No. 1 task will be squeezing more revenue out of Big Yellow, but Bennett has demonstrated an ability to do it in the past. With Bennett as chief executive, Intuit's revenue grew to $2.7 billion in 2007, up from less than $1 billion in 2000 when he took the helm.

"My view," said Bennett in a statement, "is that Symantec's assets are strong and yet the company is underperforming against the opportunity."

In its first-quarter earnings report Wednesday, Symantec said it expects its second-quarter revenue to drop 1% to 3% year-over-year. Inconsistent revenue performance during Salem's tenure ultimately led to the change in leadership, according to Allan Krans, senior analyst at Hampton, N.H.-based Technology Business Research Inc.

Salem spent 19 years at Symantec, and served as CEO for the last three. He replaced John Thompson, who retired in 2009.

"The board's decision to make a leadership change was not based on any particular event or impropriety, but was instead made after ongoing consideration and a deliberative process," Dan Schulman, Symantec's new lead director, said in a statement.

Amy DeCarlo, principal analyst at Washington D.C.-based consultancy Current Analysis, said the leadership change wasn't surprising given Symantec's financial performance and how companies usually start at the top when they want change.

"Their financial results tended to be fairly flat in a market where there is a lot of demand for security and storage technology," DeCarlo said.

Symantec wasn't fully leveraging its assets, DeCarlo added, which led to missed market opportunities. "Symantec wasn't ahead of the game in having a good solid cloud strategy," she said. "They had an opportunity to be a leader there, not just on security, but [on the] storage side, and they were slow to capitalize on it."

The vendor only recently started to pull together its strategy on cloud security, DeCarlo said, namely using the cloud as a delivery engine for security services, and that latency provided an opportunity for competitors.

Wang said Symantec was late to the game in catching up to the consumerization of IT trend. "When you look at what's going on in the market, it's consumerization and mobile," she said. In March, the company bought mobile device management (MDM) vendor Odyssey Software and Nukona, a supplier of mobile application management.

Andrew Braunberg, an independent analyst and consultant, said in an email that Symantec never recovered from its controversial 2005 acquisition of storage giant Veritas.

"All these years later the market has still not caught up to the business logic of that deal and the merging of those corporate cultures drove a lot of good talent out of Symantec," Braunberg said. "I think the profitability numbers were a convenient reason to get rid of Salem, but Symantec's problems run deeper than him.

"You would be hard pressed to find anyone that still views Symantec as an innovator in the security market," Braunberg added, "and to fix that will take more systemic change than swapping CEOs."

In a Forbes blog post, Richard Stiennon, IT security analyst and founder of Birmingham, Mich.-based industry analyst firm IT-Harvest, said Bennett should immediately prepare to sell or spin off the Veritas business and pursue an aggressive strategy of acquiring fast-growing security technology companies.

"The antivirus industry is alive and well. There are almost 100 vendors in the space, many of them thriving with over $100 million in revenue. The only reason that Symantec has for losing market share is the failure to recognize the opportunity in the space," he wrote.

Scott Crawford, managing research director at Enterprise Management Associates, an industry analyst firm based in Boulder, Colo., said via email that today's threats and security demands present a major challenge for companies like Symantec.

"Many of the leaders in security are built on products at risk of obsolescence. Blacklist-oriented defenses such as traditional antivirus are challenged by the sheer volume and variety of threats," he wrote. "Today's mobile devices are predicated on a significantly different security model from legacy PCs. The security demands of cloud computing are still evolving. Security leaders are challenged as never before to respond to these changes. This is not something most of them can turn around in a few years, given their dependence on big installed bases still largely centered on this legacy."




Crisis Trojan, new Mac OSX Trojan, considered a low risk for now

A new Trojan affecting Apple Inc. systems has been discovered. Though it's not yet in the wild, it could represent what future threats against Mac OSX endpoints may look like.

In a statement Tuesday, Bellevue, Wash.-based Apple platform security vendor Intego Inc. called the newly discovered Crisis Trojan, or OSX/Crisis, “a potential threat that the average Apple user should know about.”

OSX/Crisis has not been found in the wild and has been assigned a low risk level by Intego's research team. According to Intego, OSX/Crisis is a dropper Trojan that creates a back door when run. It installs itself without user permission and is virtually impossible for the average user to detect if installed with root permission.

The Mac OSX Trojan creates randomly named files and folders to complete its tasks -- 17 when it is run with administrative permissions and 14 when it is run without them. However, some file names, Intego said, do appear consistently.

With administrative permissions, this folder is created: /System/Library/Frameworks/Foundation.framework/XPCServices/

With or without administrative permissions, this folder is created: /Library/ScriptingAdditions/appleHID/
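Because those two folder names are the consistent part of an otherwise randomly named install, they are the natural thing for an administrator to check for. The following is an added example, not an Intego tool: a small Python check that looks for both indicator folders under a given filesystem root and reports which were found and what the article says about each. The `root` parameter is an assumption added here so the same check can be run against a mounted disk image or a copied system tree rather than only the live `/`; `demo_tree` builds a constructed temporary tree containing one of the folders so the check can be exercised anywhere.

```python
import os
import tempfile
from pathlib import Path

# Indicator folders quoted in the article, with the condition under which each appears.
CRISIS_INDICATORS = {
    "/System/Library/Frameworks/Foundation.framework/XPCServices/":
        "created only when the Trojan runs with administrative permissions",
    "/Library/ScriptingAdditions/appleHID/":
        "created with or without administrative permissions",
}


def check_crisis_indicators(root="/"):
    """Return a list of (absolute_path, note) for each indicator folder present under root.

    root is a hypothetical parameter (not from the article): pass "/" for the
    live system or the mount point of an image or backup being examined.
    """
    base = Path(root)
    hits = []
    for rel, note in CRISIS_INDICATORS.items():
        candidate = base / rel.strip("/")
        if candidate.is_dir():
            hits.append((str(candidate), note))
    return hits


def folder_contents(path):
    """Sorted entry names inside a hit folder, so the randomly named artefacts
    the article mentions can be recorded for the incident report."""
    return sorted(os.listdir(path))


def demo_tree():
    """Constructed sample tree (not a real infection): a temp directory containing
    the appleHID folder and one dummy file, for exercising the check offline."""
    base = Path(tempfile.mkdtemp(prefix="crisis-demo-"))
    hit = base / "Library" / "ScriptingAdditions" / "appleHID"
    hit.mkdir(parents=True)
    (hit / "dummy.bin").write_bytes(b"\x00")
    return str(base)


if __name__ == "__main__":
    # On a Mac an administrator would run check_crisis_indicators("/");
    # here the constructed tree stands in for a system being examined.
    for path, note in check_crisis_indicators(demo_tree()):
        print(path, "-", note, "-", folder_contents(path))
```

A hit on the XPCServices folder alone is not proof on its own, since that location is writable only with administrative rights and a legitimate framework could in principle populate it; the combination with the appleHID folder, plus the random names inside, is what matches the description above, and the next step is a signature scan rather than deleting folders by hand.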

Samples of OSX/Crisis malware were discovered on VirusTotal, a site used to identify different kinds of malware. According to Lysa Myers, a virus hunter at Intego, “it seems most likely that this malware is part of a commercial package that has been primarily sold to government agencies in the U.S. and Europe, and several companies within those countries.”

Myers also said that this information has led Intego to believe the Crisis Trojan is likely to be used in a targeted attack, instead of spreading widely.

The Trojan runs in OSX versions Leopard 10.5, Snow Leopard 10.6 and Lion 10.7. However, it has a tendency to crash on OSX 10.5. Intego has stated that the threat does not run on Mountain Lion 10.8.

Intego VirusBarrier X6 has already been updated to detect and remove the malware, and Intego has urged its customers to update their signatures as soon as possible.




Black Hat 2012: Luminaries worried about social engineering techniques

LAS VEGAS -- During the last 15 years, software makers have improved their security practices while enterprises have deployed better security defenses, but the improvements have pushed cybercriminals to target vulnerable humans rather than vulnerable code.

That was a key theme that emerged Wednesday at the 2012 Black Hat Briefings. A panel of industry luminaries kicked off the event's 15th anniversary with a discussion of how the industry has changed and evolved during that time.

Social engineering techniques are now the basis of most successful enterprise attacks, with many cybercriminals stealing account credentials to penetrate enterprises, snatch intellectual property or snoop on government agencies. Defenses, in turn, will likely be less focused on technology and more on legal and policy tactics, said Bruce Schneier, CTO of BT Counterpane, and one of several prominent experts participating in the panel discussion.

Schneier said contractual arrangements could begin to drive security and privacy between people and the companies with which they do business.

"We are terrible as an industry in dealing with this targeted attack," Schneier said. "We're good at stuff that randomly goes after things, but we aren't good at defending against that targeted attack."

In addition to Schneier, the panel included security luminaries Jeff Moss, Black Hat's founder; Adam Shostack, senior program manager in Microsoft's Trustworthy Computing Group; Marcus Ranum, chief of security for Tenable Security Inc., as well as cybersecurity legal and policy expert Jennifer Granick, general counsel of Worldstar LLC. The panelists were chosen to participate by Black Hat conference planners because they all took part in the first Black Hat conference held in 1997.

The panelists agreed that the changes in the information security industry during the past 15 years have been dramatic. A lack of trust and transparency -- driven primarily from the use of outsourcing and cloud-based services -- has fueled an erosion in the amount of control people and businesses have over security and privacy of their data.

The panelists urged enterprises to make investments in people by bolstering forensics and malware analysts, and adding well-staffed incident response teams. From a technology perspective, the experts advocated a stronger focus on configuration and change-management activities to mitigate the problem of runaway privileges and misconfigured systems that open up pathways for cybercriminals to gain access to sensitive resources.

"You are going to want employees who are generalists," Ranum said. "[In the cloud] you've got extremely specific services that solve a specific problem like payroll. For your workforce, you need people to understand payroll systems at large, rather than at the specific level."

There's been a movement in the security industry to create technologies that can detect and isolate an attack before it becomes a serious problem, rather than defending against the constant attacks at the perimeter. Schneier said technologies are aimed at making it faster to recover from a breach when it inevitably happens.

"As an industry we've been telling people, 'Buy our stuff, you'll be magically safe,'" Schneier said. "I'm glad we're finally saying, 'God, you're screwed; buy our stuff when you are breached.'"

U.S. legislation being considered in Congress during the past year aims to foster information sharing to improve information security, but the panelists said the bills lack incentives to share threat data and could overstep their bounds. Moss, who serves as CSO of ICANN, said he was discouraged by the government's role in fostering information sharing, saying that often when the government gets involved with good intentions, it causes liability issues and other problems that wrangle most threat information-sharing groups.

When sharing becomes proscribed and formalized, Moss said, often the "intention is good, but in the end, I'm worried about the outcome."

Moss said the government is excelling at spending money in places where the private sector isn't. It has the ability to jump-start technology research, drive adoption of technology within agencies and departments, and in turn force the security market to create new products.