Author Archive

Broadband as a value add? Yes, Its about the eyes.

June 5, 2015 Leave a comment

InternetThe days of ISPs making super profits are long gone. The margins being created by ISPs world over are thin. Also, should Internet connectivity prices go lower due to either more competition or legislation, ISPs stand to create even thinner margins in future. There will therefore be little if any revenue/profit oriented incentives for ISPs to be in business.

Having worked in the industry for about 12 years now (That’s eons in Internet growth terms), I have seen the ISP industry evolve both on the technology front and its value proposition to customers. The liberalization of the sector in most countries has also attracted many investors into the industry, this has created a stiff and competitive market, this has brought with it diminishing returns on investments. Small ISPs are dying or being bought out as they cannot stay afloat. Large ISPs are also merging to create economies of scale to survive.

With the coming projects such as Google’s project Loon and Facebook’s (and subsequent Internet by drones project) and many more that aim to provide nearly free Internet to the worlds’ unconnected, there will be no financial incentive for a commercial ISP to go into business anymore.

So what do ISPs need to do?

There has been a lot of talk in the market about value addition and that ISPs should stop selling ‘dumb pipes’ and offer value over and above just the internet pipe. All this has already happened and at the moment ISPs have been outmaneuvered by OTT providers who are providing this value addition type of services over the links the ISPs are providing to their customers. For example, some years ago, all ISPs were offering VoIP as a value add, now with the likes of Skype and Whatsapp calls, ISP-provided VoIP is a dud. Another example is dedicated hosting at ISP provided ‘data centers’ (a room with access control and cooling :-) ), with the maturity of cloud services, such a service is also not appealing anymore to customers. ISPs are at the end of their rope.

If you carefully analyze all recent ISP mergers and buyouts in Africa (and beyond if you have the time), you will realize that buy out decisions are less and less being based on an ISPs profitability or revenues and cash flow position. They are now based on subscriber numbers. But what is the commercial point of buying a unprofitable or low revenue business? Answer: Its about the eyes.

ISPs are and will no longer be about direct internet pipe derived revenues but about indirect revenues. Sources of these indirect revenues include online advertizing, OTT services and content delivery and purchase. This is the very reason why giants such as Google and Facebook have entered the ISP business, Its about the eyes. An ISP with more subscribers and loss making is now more attractive to buy than one with few subscribers and super profitable. Unbelievable isn’t it?

End to end control.

OTT operators such as Facebook have been blamed by traditional ISPs for using the ISPs network infrastructure to do business with the ISPs end users. Attempts by ISPs to make these operators pay for delivery of content has been met with opposition due to fears that such an arrangement can result in a tiered internet and with that a demise of net-neutrality that has been one of the key characteristics and a supposed catalyst of internet development. Attempts to camouflage net-neutrality-flouting arrangements by use of ISP led offers such as Facebook’s where users on certain networks access Facebook and Whatsapp for free outside their data plans have also been meeting resistance. Being so froward thinking, I am of the opinion that these companies foresaw the resistance to their initiatives to offer their content for free by paying the traditional ISPs, this is why they are all rushing to roll out their own infrastructure to provide free or near free internet to the masses. At the moment, other than their Satellite/baloon projects being tested in New Zealand, Google is already testing out high speed fiber -FTTH in select American cities. This will give them end to end control of the broadband supply chain and therefore quell concerns of creation of a tiered internet. This of course assumes they will come up with a way to show regulators that they have fair access policies for all third party traffic.

The future

As i see it, the traditional ISP will die a natural death if they don’t adapt to the coming changes. What was once a value add will become the product and vice versa. Internet broadband will be a value add to content and OTT services. A content provider such as Facebook or Google will offer you free internet to access their content. Internet broadband provision will be a value addition to content providers. As someone once said, if the product/service is free, you are the product. The free internet will come with privacy strings attached so as to enable advertizers track your habits and offer more targeted adverts. This targeting is getting more accurate and spookier if the tweet below is anything to go by.


The use of browser safety features to disable cookies wont work as companies such as Google are now using what is known as device finger printing to identify you. Device finger printing works on the basis that your computers OS, installed programs (and the dates they were installed), CPU serial number, hardware configuration (RAM/HDD/attached peripherals) will give your computer a unique identifier if applied to an algorithm. Therefore your computing device is unique and can therefore be tracked without the need to set cookies.

Why Is Kenya Power Dumping Pre-paid Meters?

May 19, 2015 5 comments

meter2Recently, the country’s only power utility company announced that it was slowing down the roll out of the prepaid metering system that they launched about 6 years ago. The reason given for this about turn was that the company is losing revenues as it is now collecting less from the same customers who are now on prepaid metering than they did before when the same group of customers were on post paid metering system.

According to the Kenya Power records, about 925,000 out of the 3.17 Million customers are on prepaid meters. Before the 925k moved to prepaid, they were collecting about four times more than what they currently collect from the same customers. The Kenya Power MD stopped short of accusing customers with prepaid meter tampering as his explanation of the reduced revenues. With the reduction in revenues, Kenya power has decided to classify this reduction as ‘unpaid debts’ in their books. Meter tampering would be across both pre and post paid users if he still holds the opinion that prepaid users are tampering with meters. In fact there are lower chances of a prepaid user tampering with the meter than a post paid user doing the same.

My little accounting knowledge tells me that it is every company’s dream to convert all their customers to prepaid. This shifts the cash flow position to a very favorable one of positive cash flow, you have the money from customers before they consume your service/product. With a prepaid metering system, Kenya power was heading to accounting nirvana but the recent revelations about the accumulating ‘debts’ from prepaid customers was a shock to many. First and foremost, if you do not buy prepaid meter tokens, you cannot consume power on credit and pay later, so how is this reduction in  revenues from prepaid meter consumers classified as a debt as opposed to an outright reduction in collected revenue?

Faulty meters?

There are two main brands of power meters used by Kenya power, Actaris and Conlog. The later brand was found to be defective 3 years into the roll out, the meters were erroneously calculating remaining power tokens especially after a power outage, you could be having say 30Kwh’s remaining on your meter and after a power blackout, the meter reads -30Kwh or some other random negative value. This is what consumers would notice, we cannot for sure say that the same meters also under bill on the same breath. Of course if it under bills, very few consumers would complain or even notice, they would however be quick to notice a negative token value because they would lose power. Could faulty meters be the problem here? Could Kenya power be suffering from substandard meters? Here is a blog link to one affected consumer who complained in 2012 about the faulty meters. Kenya power attempted to replace some Conlog meters but I still see some in the wild in use.

Reality of estimate billing?

We have all been there, where you receive an outrageous bill from Kenya power. This is because more often than not, they estimate power consumed and never get to read the meters in your house. When was the last time you saw a Kenya power meter reader on a motor bike in your estate if you are on postpaid? According to Kenya power books, one post-paid domestic customer consumed 12 Kwh of electricity and on average paid Sh1,432. And each prepaid customer consumed an average 23 Kwh and paid roughly Sh756 to the power company. This can only mean two things:

  • The postpaid customers are over billed due to poor estimation methods as meters are seldom read. I noticed this on my water bill too. When my bill is say 600/= and i overpay 2000/= when settling the 600/= bill, my next bill will be in the regions of 2000/= (estimated from my last payment). So i make sure i pay the exact amount on the bill these days to deny them room to estimate and over bill me.
  • The prepaid meters are spot on accurate. This is the most plausible reason and I will explain below.

Prepaid meters are accurate?

Unlike the old school postpaid meters that measure total ‘apparent’ power consumed, the new prepaid meters assume an efficient electricity grid and measure effective or real power consumed by the customers appliances.  In a situation where the power distribution grid is inefficient, the voltage and current are not in phase. This leads to a lot of ‘wasted’ power. In postpaid, consumers pay for the grid inefficiencies, in prepaid, they do not. This is why there has been a drastic reduction in revenues because consumers are now paying for what they consume and not the wastage on the grid. Perhaps this is what Kenya power sees as ‘consumed but unpaid for power’ by the prepaid meter users? Could be, this is because its not possible to consume more than what you have paid for on a prepaid meter. apparent power is consumed but not measured by the meters. This is especially true if you have appliances with electric motors in them such as washing machines, water pumps and air condition systems.  Read more about power factor by clicking here

You can read older articles on my blog touching on Kenya Power by clicking the links below:

  1. How Kenya can enjoy lower electricity tariffs
  2. Kenya is ripe for a Demand Response Provider
  3. Kenya Power Needs To Be Penalized For Blackouts
  4. There is need to end the Kenya Power monopoly

What Whatsapp voice means for MNO’s

April 1, 2015 5 comments

Facebook inc recently introduced the ability to make voice calls directly on its Whatsapp mobile application. This is currently available on Android OS and soon to be made available on iOS.

What this means is that mobile users with the updated app can now call each other by using available data channels such as Wi-Fi or mobile data. Going by a recent tweet by a user who tried to use the service on Safaricom, the user claims that they made a 7 minute call and consumed just about 5MB’s of data. If these claims are true, then it means that by using Whatsapp, a user can call anyone in the world for less than a shilling a minute. This is lower than most mobile tariffs.

Is this a game changer?

Depends on who you ask. First lets look at what happens when you make a Whatsapp call. When a user initiates a call to another user over Whatsapp, both of them incur data charges, in the case of the twitter user I referred to above who consumed 5MBs, the recipient of the call also consumed a similar amount of data for receiving the call. If it so happens that both callers were on Safaricom, then just about 10MB’s were consumed for the 7 minutes call. The cost of 10MBs is close to what it would cost to make a GSM phone call for the same duration of time anyway. Effectively, to now receive a Whatsapp call, it is going to cost the recipient of the call. This is unlike on GSM where receiving calls is free.  When the phone rings with an incoming Whatsapp call, the first thought that crosses a call recipients mind is if he/she has enough data ‘bundles’ on their phone to pick the call. The danger is if there is none or the data bundle runs out mid-call, the recipient will be billed at out of bundle rate of 4 shillings an MB. Assuming our reference user above called someone whose data had run out, Safaricom will have made 5 Shillings from the 5MBs and 28 shillings from the recipient. A total of 33 shillings for a 7 minute call translating to 4.7 shillings a minute which is more than the GSM tariffs.

This effectively changes the cost model of making calls. the cost is now borne by both parties, something that might not go down well with most users. I have not made a Whatsapp call as my phone is a feature phone but I believe if a “disable calls” option does not exist, Whatsapp will soon introduce it due to pressure from users who do not wish to be called via Whatsapp due to the potential costs of receiving a call. That will kill all the buzz.

Will operators block Whatsapp calls?

It is technically possible to block Whatsapp texts and file transfers using layer 7+ deep packet inspection systems such as those from Allot’s NetEnforcer and Blue coat’s Packeteer. I believe an update to detect Whatsapp voice is in the offing soon and this will give operators the ability to block Whatsapp voice. The question however is what will drive them to block it?  MNO’s will have no problem allowing Whatsapp traffic as it wsill mot likely be a boon for them if most of the calls are on-net (They get to bill both parties in the call). If however most calls are off-net (Like those to recipients on other mobile networks locally or international), then MNO’s might block or give lower QoS priority to make the calls of a poor quality to sustain a conversation. They might however run into problems with the regulator should subscribers raise concerns that they think the operators are unfairly discriminating Whatsapp voice traffic. Net neutrality rules (not sure they are enforceable in Kenya yet) require that all data bits on the internet be treated equally, it should not matter if that bit is carrying Whatsapp voice, bible quotes or adult content. This will mean that operators can be punished for throttling Whatsapp voice traffic in favour of their own voice traffic. This therefore presents a catch 22 situation for them. What they need to do is come up with innovative ways to benefit from this development like offering slightly cheaper data tariffs for on-net Whatsapp voice to spur increased Whatsapp usage within the network (and therefore bill both participants).

Worth noting is that it costs the operator more to transfer a bit on 3G than it does on 4G. Operators who roll out 4G stand to benefit from Whatsapp voice as they can offer data at a lower cost to them and this benefit can be passed down to subscribers. The fact that voLTE is all the rage now, Whatsapp voice can supplement voLTE and can even be a cheaper way for operators to offer their voice services on their LTE networks without further investment in voLTE specific network equipment.

In short any operator who wants to benefit from Whatsapp voice has to go LTE.

Much A Do About Bundles

March 2, 2015 1 comment

data bundlesKenyans (especially the Internet savvy ones) are an angry lot. Angry because a mobile operator has put in place what they term as restrictive terms of use of purchased data plans such as:

  • Expiry of the purchased data plans 30 days after activation
  • Restricted data bundle sharing ability. A user can only share his or her data with other up to a maximum of 10 times in a month down from 50.

Kenyan’s argument is simple; The operator took their money in exchange for the data and therefore the users have a right to use the plans for as long as they please and share as many times to as many people as they wish. This simplistic argument is based on a layman’s understanding of what exactly happens when you purchase a data plan.

When a user buys a data plan, a contract comes into force, this contract is between the buyer and the mobile operator. The contract obliges the operator to deliver the purchased data when and if required by the user. What we need to note however is that the contract comes into force to offer an option, not a product or a subscription.

An Option is defined as “the ability to take a predefined action for a fixed period of time in exchange for a fee. A product on the other hand is defined as tangible form of value. For value to be provided via an option, the seller must:

  • Identify some action people might wants to take in the future (browse the internet)
  • offer potential buyers the right to take that action before a specified deadline (guarantee the connection to download the purchased GBs)
  • Convince the potential buyers that the option  is worth the asking price (Marketing activities)
  • Enforce a specified deadline for taking action. (Data plan expiry)

Options allow the purchaser the ability to take a specific action without requiring the purchaser to take that action. If you buy a movie ticket for example, you have the ability to take a seat in the movie theater but you don’t have to if a more ‘plotious’ plan comes up that’s better than the movie. Being an option, you cannot seek a refund for not having  watched the movie at the advertised times.

Data plans are not a product, they are an option and are therefore bound by time for the specified action to take place. What you purchase is the ability to download xGBs and not the ‘actual’ GBs. This ability is time bound just like your movie ticket. I think the fact that most Kenyans refer them as ‘bundles’ signifies their belief that they have purchased a product.

Some people are arguing that by the fact that money changed hands, the end-user should determine his or her pace of use of the data plan/bundle and there should be no time limit of the usage. What we forget however is that the contract came into place when you purchased the data plan, but ownership was not transferred from the operator because this is not a products but an option. The contract specifies the terms on which the data plan (not bundle) will be delivered to you but it does not transfer any deeds to the end-user. Because options amount to dispositions of future property, in common law countries they are normally subject to the rule against perpetuities and must be exercised within the time limits prescribed by law.

Just like in companies that mostly offer employees share options and not share ownership. Options have limited specified actions and a time limit attached to it as opposed to share ownership.

The best the users can do is to petition the operator to revise the rules governing the options but not pontificate online about what is essentially an offer to take up an option and not buy a product.

When the operator came up with the feature that enabled a user to share or sambaza their purchased data plan to others, what was happening is that users were transferring their purchased option to a different party on commercial basis. The fact that a user could do the transfer many times posed a danger for the operator because:

  • The exchange of money and the option was between the operator and the purchaser. The contract is therefore enforceable between these two. Sharing the data bundle was innocently aimed at fostering data usage but had the inadvertent effect of complicating the options contract. Who should complain if the service is slow/poor? The original purchaser or the shared data recipient? You might argue that the recipient has a SIM card and is therefore in contract with the mobile operator, purchasing a SIM card and activating it constitutes an invitation to treat and no contract comes into force by activating a SIM card.
  • The option rules must have been understood by the recipient for them to accept. The fact that some people had started purchasing wholesale data and retailing it at much lower prices that the operator was doing wasn’t the issue, the issue was the operator found themselves in a legal quagmire as there were now people on the network exercising options they had not purchased. The retailers were purchasing the wholesale bundles as options and selling them as products.
  • An option for a wholesale data bundle has a longer specific action period in which the user can exercise the option. This is assumed to be the consumption of the data bundle in a manner that will deliver the agreed quality of service. A 200GB bundle has a longer expiry period to say a 10MB bundle, this is because based on the network resources, the higher GB bundle can be delivered over a period of time. If you now take the 200GB and ‘sell’ by sambaza-ing 2GB each to 100 people who will then proceed to consume the 200GB within 3-4 days, that voids the contract because the 200GBs were offered at a much cheaper price because there is an element of predictability of the network resources required over a longer period of time in which the 200GB was to be consumed and if these were consumed in a manner inconsistent to the initial agreement which was to ensure that its consumption also enables other users to enjoy their options, the contract is void. Same way you cannot demand a movie in a theater to be fast forwarded  on scenes you don’t like, data options have usage rules, if you make such a demand in a movie theater, the option contract becomes void and you will be asked to leave the movie theater with no refund.

Citations on some legal terms taken from:

  • Wikipedia

New ideas needed in the African telecoms scene in 2015

December 31, 2014 2 comments

telcoAs 2014 comes to a close, the continents telecom sector players have had a rather mixed year. Those who were lucky and made a tidy return during the year need to be aware that most of the innovative technology that enabled them return a profit is approaching a point of diminishing returns. if they are to make it through 2015 and beyond, they will need to out-innovate themselves and competition.

In the last Africacom conference held in Cape Town, it was noted by several leading telecoms analysts that telecom operators in Africa (especially Mobile) are confused; unsure if they are banks, insurance firms, hardware vendors, money transfer entities or fixed broadband ISPs. In my opinion this confusion lies in the fact that African operators are close to 100% dependent on vendor driven as opposed to market driven innovation. Noting that there are about 5 major vendors who serve most of African operators (Ericsson, Nokia, Huawei, ALU, Cisco), a lot of copy cat innovations have been shoved down the operators throats. The lack of in-house or external but vendor independent innovation ‘think tanks’ (for lack of a better word) will be their undoing.

Below are some points that I believe any wise telco CEO needs to be aware of in 2015.

Application software (Apps)

For a long time, broadband operators in Africa have been selling bandwidth pipes to connect users to the Internet. With the ‘Appification’ of many services and platforms, browsing via web browsing software is slowly diminishing. The good thing with this is that to some extent the end users cede control of how much is being transferred to the apps leading to higher data consumption spread over a 24 hour period per person. More data use=more revenues. Spread of usage pattern over 24hours = more predictable and stable network.

African operators need to work with content providers in the development of apps which will spur bandwidth consumption and simplify life for users. The burden of app development has been left to mostly young hobbyists in incubation centers and freelance programmers, its time operators took this seriously and worked with developers especially funding their start-ups. Operators such as Safaricom in Kenya and Milicom in TZ have already set-up a venture fund towards this. The effect of this is that these apps will spur a data boom.

Video On Demand

In the past, operators have been cautious over offering VOD services due to several factors such as:

  • Lack of a payment platform due to the very low penetration of credit cards in Africa
  • Unstable networks that would ruin a VOD experience
  • Expensive bandwidth that made it cheaper to lease/buy a DVD movie
  • Lack of VOD ready customer premise equipment

The above barriers are now rapidly vanishing, for example, there might not be a massive uptake of credit cards in Africa, but mobile money platforms have to some extent covered this gap, the other promising feature is the ability to pay for services and downloads from your mobile phone airtime aka Mobile operator billing. The main area that need to be worked on by operators and regulators is the high cost of bandwidth that is still prevalent in many countries in Africa. The telecoms sector is a major source of revenue for many governments by way of spectrum and operating license fees. This cost is passed down to consumers making services expensive. If the governments lowered their appetite for revenues from license and instead let the cheaper bandwidth spur economic gains, the continent stands to gain more. There are over 100 VOD registered operators in Africa and this number is bound to grow if bandwidth was cheaper. With a counterfeit movie DVD going for about $0.5 in Nairobi streets, VOD will take off when the cost of demanding a video online is lower than that, that’s 1.4GB for less than $0.5. The African VOD experience needs not be a carbon copy of the US or EU versions, lower quality videos (hence lower bandwidth consumption) will find a niche here I believe. Remember when people dismissed YouTube by saying who would want to watch grainy videos shot by amateurs from a mobile phone? remember when people dismissed Nollywood saying there is no market for such low-cost, simple plot movies? Low quality VOD could work here in the short-term.

VOD can avail additional revenue streams to operators if done well. It can also backfire on operators if they will not meet the surge in data demand due to VOD. It is one thing to say you offer VOD and it is another to ensure that your network does not collapse due to VOD load. Video will have increased 14-fold between 2013 and 2018. It is estimated that over two-thirds of data on most networks including mobile will be video by 2018. VOD is an opportunity for the prepared and a risk for the unprepared.

Shift from Infrastructure investment to service delivery

Too many operators today are busy investing in and maintaining infrastructure. This is a very outdated way of doing things. We have begun to see a shift in this here where in 2014 we saw Airtel sell its cellphone towers to a third-party and pay to get service from them. This has a two major effects:

  • Infrastructure associated costs now move from the fixed costs to variable cost column of the financial books. This has a great boost to the financial health and makes the company more resilient to market and revenue shocks.
  • Ownership of infrastructure by operators makes them very rigid and fail to adapt to the changing customer needs and make money, sometimes, this change if it happens is not fast enough to meet market demands. I remember working on a project to install a MMS platform for a local MNO, before the service was even officially launched, Whatsapp took the multimedia file exchange scene by storm. The firm had already spent millions. If this was a third-party service instead, they would have spent less or minimized the risk associated with the dismal uptake of MMS services.

Operators need to shift from being technology oriented companies to being service oriented. By service oriented I do not mean becoming a service marketing company by outsourcing everything other than the sales and marketing, I mean their critical business decisions should be informed by meeting customer needs as opposed to deploying the latest, fastest, smoothest or shiniest piece of tech.

Re-look at Value Added Services (VAS) strategies

The ‘VAS or perish’ song has been sung so many times in many a conference I have attended. The problem that is now arising is operators are coming up with what they believe is VAS but is in effect a burden to the consumer. Take for example a certain operator in South Africa who sent me about 4 SMS’s after every call I made on their line about enabling directory services, offer to automatically send my vCard to every person I called, how much airtime my call consumed, an offer for an international bundle whose activation process involved 5 steps and many more. That was outright annoying and took repeated calls to their call center to turn them off. It felt more of value attrition than addition.

That aside, most people relate VAS to mobile operators only, fixed line ISP’s, broadcast and others need to embrace the idea of value addition to their existing services. The tragedy is that many have confused product improvement to value addition, the two are different and can easily be told apart. A fast food restaurant improving the quality of their burgers and fries is product improvement, adding a small toy to all kids meals is value addition. This example therefore means that for value addition to happen, the product must first meet customer expectations otherwise VAS is a waste of time. Many operators use value addition to try to improve the product instead of using it for the purposes of eliciting further delight from the customer (which then creates stickiness). Of what use is the toy in a badly prepared kids meal? In short, if what an operator is calling VAS ends up improving the product as opposed to eliciting customer delight, it’s not VAS. Many operators in Africa are adding toys to burgers with rotten patties. This is why many so-called VAS strategies don’t work because they were simply product improvements disguised as VAS.

Have a happy new 2015!

Ideas For CIOs and IT Managers On Securing Their Networks

November 21, 2014 4 comments

cyber-securityThere has been a lot of talk about increased cases of cyber criminals accessing information stored on computing networks. Many an events organization have also held conference after conference targeting IT managers and CIOs to ostensibly sensitize them on the matter. Many have gladly drawn attendance cheques in favour of these conference organizers for a seat or two where they will go through slide after slide of how to protect their information and data. After the conference, the usual group photo (and many selfies) are taken, not forgetting that one photo where the IT manager or CIO is receiving a certificate of participation from the organizers and their sponsors.

The reality on the ground is that many conference-certificate-waving CIOs still continue to ignore and fail to implement basic measures to protect their networks and information.  Their ignorance however is no defense as cyber criminals continue to seek ways to get into their networks. These criminals try to gain access to networks for two main reasons:

  • To steal information and data from you
  • To use your network as a launch pad for further attacks, this is mostly done by criminals to cover their tracks. A Romanian criminal attacking say a US bank will most likely carry out the attack from an unprotected network in Africa or anywhere else.

I would like to put the issue of cyber security into perspective based on my experience in running large networks for the last 10 years or so.

Why are you a target?

You are a target because you are connected to the public internet, it’s as simple as that. As long as your IP addresses are routed over the public Internet, you will be a target. It’s not because you are a bank, insurance firm, government, Vatican or even a small 2 computer CBO office in Lokichar. You will be attacked for as long as you are online.

How do you tell if you are under attack?

No, when you get attacked, you wont see your computer mouse moving on its own opening files and spewing thousands of lines of code scrolling on your screen like in the movies. It is hard to tell if you are under attack by just sitting on your PC, However if you measure several key parameters on your network, you can know if you are under attack (whether the attack is successful or not is not the issue here). The first thing is your firewalls CPU usage. Many firewalls are low CPU users if configured properly (i am using the term firewall loosely here for now). rarely will a properly sized firewall consume more than 25% CPU. If your firewall is consuming more than that, it is either the wrong firewall size for your network or it is wrongly configured. So if  your CPU usage deviates from the normal by a huge margin, you are under attack. Below is a graph of my firewall CPU when it was busy fighting off a massive attack. As seen, CPU shot to 100% for sometime as cyber criminals initiated a DDoS  on all my /20 and /18 public address space on the Internet. If under ordinary operation my CPU was say 85%, that would leave just 15% to fend off possible attacks and gives a higher probability of an attack being successful because of using a smaller/less powerful firewall

CPU usage on the firewall showing a spike in % CPU cycle usage during an attack.

CPU usage on the firewall showing a spike in % CPU cycle usage during an attack.

The other symptom that you are under attack is an unusually slow network response times. However, network performance should not be used as the only indicator, rather it should be used together with other symptoms. This is because there are many other factors that can cause your network to slow down other than an attack. Firewall software systems reside in memory for faster access by the firewall engine, you will therefore rarely note an increase in memory utilization during an attack. Memory utilization increase in firewalls is mostly due to turning on of additional features on the firewall, for example a firewalls memory utilization increases if you turn on inbound SSL certificate inspection or mail scanning. it is advisable to turn off features you do not use on any device on your network. Also, just because a firewall has a feature you need, it does not mean u have to use it on the firewall device. For example, instead of letting the firewall do email spam scanning, you can turn that off and do it on a dedicated mail scanner Linux box. This action frees up CPU power for network protection.

Next Generation firewalls have inbuilt systems that can warn you if they detect suspicious activity. These warning can be in the form of an email sent to you with details about the attack. A good example is the email below showing attempted tcp scan for any open SSH ports 22 on my network from a criminal in Russia and an ICMP flood attempt by another in China. If the Russian criminal had managed to see some open port 22 on the scanned IP, he would then embark on hacking the device that has that port open, he was however blocked at the firewall and the attempt reported.

A screenshot of an email from a  NextGen firewall detailing attempted attacks on the network

A screenshot of an email from a NextGen firewall detailing attempted attacks on the network

Getting a good system that can prompt you of suspicious activity via email or SMS is highly recommended. You do not want to arrive at work in the morning and find a gory cyber crime scene just because you never got alerted when it all started.

Are all firewalls equal?

Of course not. Many IT admins grew up in Cisco environments and sat for Cisco certifications which they proudly display on their CV’s, they have therefore been conditioned to believe that Anything by Cisco must be the best in the market. That is very far from the truth. From experience, Cisco will offer very good protection up to layer 4 of the OSI model. beyond that (where most attacks occur), its’ performance has been very poor even with their attempt to move from Cisco PIX to the Adaptive Security Appliance (ASA). There are many comparisons online of ASA vs other firewalls like this one here which compared the Cisco ASA and the Fortinet’s Fortigate firewall (Which in my opinion is the best firewall in the world)

Next Generation firewalls have  Intrusion Prevention System (IPS), OSI layer 7 application control with Deep Packet Inspection (DPI). This therefore means the system is both application and content aware. This offers a Unified Threat Management (UTM) system.

Measures to protect your network

There is no one size fits all solution to tackling the ever-increasing attacks on cyberspace. However based on my experience, the following steps are recommended:

  1. Shut down all unused services on your network. For example if you have a Linux server that has Domain Name Service (DNS) running yet you do not use it, stop the  DNS daemon. This lowers the risk of a criminal gaining access to your network, remember that they need to establish a network/Internet socket to gain access. A socket is made up of an IP address and a port. They have the IP, don’t give them the port.
  2. Use non default ports. If you have to use a service within your network, it is advisable to use non-default ports for these services. For example, everyone knows that SSH runs on port 22, that will be the port a cyber criminal will most likely look for. Running SSH on say port 2222 will contribute to an extent to the security of your service incase the criminals manage to gain access past the UTM system. In addition to this, avoid using public DNS for domain name to IP mapping for internal services. But how will users access the services and DNS if they are outside the office network? (see point 4 below)
  3. Control access. Even after changing the ports as per the point above, it is also advisable to set access control rules to the services running on your network. This can be done by use of authentication (username/strong password pair), restricting which IP’s can access the ports via the use of access lists, restricting time of day when the services can be accessed if possible, use management policies such as frequent mandatory password changes. Also, highly recommended is the use of RSA  security tokens in addition to the passwords.
  4. Use of Virtual Private networks (VPNS). if you have users who need to access resources in the office network from outside the office (e.g a traveling salesman), they should do this by use of a Dial-In VPN service. This service should terminate at your UTM device
  5. Use a proven UTM appliance. Do your research before falling for marketing ploys, just because it’s from Cisco, it does not mean its the best. Just because its expensive, it does not mean it can do more/better/faster. Use of “systems that can scale” is a common buzz word in the ICT world mostly applied to having a system that will grow with your use. In the UTM world, a system that can scale is one which other than growing with your needs will also adapt quickly to changing nature of threats. For example, how long did your UTM vendor take to update their IPS signature with the heartbleed vulnerability? a 6 hour delay after the discovery of the threat led to the Canadian Revenue Agency losing taxpayer data.
  6. Enforce Bring Your Own Device (BYOD) policies. One of the easiest ways for criminals to gain access to your network is through the use of compromised systems belonging to your staff. That iPad that your CEO or that smart phone your accountant brings and connects to the office WiFi, is it safe? There are now many BOYD best practice recommendations including the simplest which is having such devices connect to a different and policy controlled VLAN in the office. many free apps that smart phone users download have back doors through which criminals can gain access to your network if the device is connected via WiFi.
  7. Control resource use. By use of policies such as those offered by Microsoft domain controllers, the IT admin can enforce resource use policies such as disable installation of software onto computers by staff. Many pirated software programs habour malware and back doors that can be used by criminals.
  8. Use of Internet Security Software. Also commonly known as Antivirus programs, each node on a network should have an updated Internet security software. These have evolved from being plain Antivirus detectors to security suites that provide protection from phishing, malware and insecure web browsing. The jury is still out on which is the best security software. I would highly recommend Kaspersky end point security software followed by Sophos.
  9. Gain visibility. A survey showed that over 70% ofCIOs have no idea what type of traffic runs on their network. By gaining visibility on what is running on the network and what time,CIOs can lower the risk of an attack. The graph below shows traffic running on a network identified by a device that can do Deep Packet Inspection (DPI). a simple system will classify Facebook traffic as HTTP (because its via port 80 at layer 4), with a DPI device, you can gain insights into exactly what is running on a network and control it. In the example below, because he can now see whats running on the network, a CIO may decide to block Yahoo mail access from the office network if he feels it poses a threat to the network if users will download malware or click on spam links on personal emails from within the office network.


    Graph from an application aware DPI device showing protocols at layer 7

What about encrypted traffic?

With the increase in the use of Secure Socket Layer (SSL) encryption on the open internet after the NSA debacle, many networks are noting a steady rise in encrypted traffic especially HTTPS. Older UTMs are unable to inspect encrypted traffic and this therefore poses a great danger to networks.  A recent report by Gartner Research says that less than 20% of organizations inspect encrypted traffic entering or leaving their networks. You might be wondering if it is possible to inspect SSL encrypted traffic, yes it is possible to decrypt most SSL encrypted traffic and confirm certificate authenticity with the use of a good UTM system. This ensures that only traffic with genuine encryption certificates enters the network.

Frequently Asked Questions part II

October 24, 2014 3 comments

Further to my previous attempt last year to answer some common questions people ask in relation to every day technology, I have come up with a second list of answers to more common questions people ask. I will try to make my answers as simple as possible.

Why are smart phones poor at battery power conservation?

Most of you have experienced this, your newly released iPhone or Samsung galaxy phone has to be recharged every day compared to your feature phone ‘Kabambe’ 2G phone which is charged once a week. You have also noticed that when you turn off Wi-Fi and data services on your high-end phone, the battery lasts longer. Other than the number of apps running on your phone, there is another factor that greatly affects your phone’s battery power consumption rate. This is called signaling. Other than your deliberate use of the phone to make calls and data transfer, the phone also is in constant communication with the base station sending what is known as signaling data. In fact in older poorly designed mobile networks, the signaling data is more than the actual user data. By turning off data on a phone, you greatly reduce the amount of signaling exchanged between your phone and the base station and hence conserving power. With the advent of newer technologies such as 4G/LTE, signaling is more efficiently done and hence better power consumption on 4G/LTE phones. Other than offering faster data rates, these newer technologies are also easy on your battery. There have been attempts by base station equipment manufacturers to lower the amount of signaling from phones but this hasn’t worked very well. In fact one of the biggest attractions of 4G/LTE is not the faster data rates but the lower power requirements and less signalling volume and more efficient signaling techniques they use.

My Internet speed tests do not match my links’ performance

We have all been there, your internet link seems slow and your YouTube videos are buffering but when you perform a speed test your results are spot on at your subscribed plan of say 10Mbps. Well, lets start with the basics. You call it your link ‘to the internet’ but have you ever wondered where  this internet is located? The fact is that most of the content we consume here in Africa is not hosted within the continent. This means that you have to traverse an undersea cable to get your content. For example to access from Nairobi, you have to go all the way to Mombasa, take an undersea cable either via south Africa or Suez canal to Europe and into United Kingdom to get to the website. So if it’s a news clip on the bbc website, the video traffic has to travel all the way. However when you perform a speed test, the speed test app on your phone or your browser is deliberately redirected by your ISP to a server within the country. So if you are in Nairobi CBD on a Zuku link, the speed test server is on Mombasa road and if you are on Safaricom then the speed test server is on Waiyaki way. Due to the fact that this is very near, your data transfer rates will be very fast compared to if you did the same tests using a server that is in Europe. On some speed test websites such as you can manually select a server, try selecting a server in Nairobi and one in Europe or USA and note the difference. So when your ISP sells you 10Mbps, it’s a 10Mbps circuit and not necessarily 10Mbps to the internet. This state of affair is slowly changing as content providers such as Google and content delivery networks such as Akamai are now locally caching traffic. this means that Akamai will keep a copy of frequently accesses content at a server in Nairobi meaning that the trip to get the content in US/EU is cut.

Why did the inventors of blue LED win the Nobel prize and not the inventors of Red and Green LED?

The 2014 Nobel prize in Physics went to three scientists who invented the blue Light Emitting Diode (LED) in the early 1980’s. The red and green LEDs had been invented in the 1950’s and they never won the nobel. The answer is two-fold:

  1. You need red, green and blue LED’s to make white light. It was impossible to make white light out of  only the red and green LEDs, blue was needed.
  2. To make a red or green LED was a straight forward process of sandwiching several crystalline elements together, the problem with making a blue LED in a similar fashion led to the quick destruction of the structure of the LED light causing it to disintegrate immediately due to the elements involved. Their approach involved growing the crystal elements on each other as opposed to taking existing element crystals and physically fusing them together.

Other than providing the ability to now produce white light (red + green + blue = white), The trio went on to turn their blue LEDs into blue lasers, found in Blu-ray players. Because the wavelength of blue light is shorter than that of red LEDs, the beam can be focused to a small spot. This lets you cram more information on to a disc and read it out, giving Blu-rays a better picture quality than regular DVDs.

The white light from LEDs is in use in many areas of your normal life. The screen from which you are reading this article is made from LEDs and the white you see on the screen is made possible buy combining the three primary colour LED lights. LEDs are also finding increasing use in lighting buildings. a LED light uses 75% less energy and lasts 25 times longer than a traditional incandescent bulb.

Why do cellphones no longer spot the protruding antenna?

Advances in antenna engineering have led to the development of Antenna arrays than can work as a single antenna. It is therefore possible to make many tiny antennas on an electronic circuit board and use then as one would do a single antenna. The biggest problem in using several antennas was the increases scattering loss and introduction of noise into the signal. newer coding techniques that worked in noisier channels meant that a signal can still be extracted even in a noisy environment and the use of micro antenna arrays was now possible. This is why modern handsets do not have the protruding antenna ‘finger’.

Why isn’t the more efficient and durable Einstein-Szilard refrigerator in production?

Unlike today’s refrigerators that use a mechanical compressor with moving parts, the Einstein-Szilard refrigerator which was patented in 1930 by Albert Einstein uses an electromagnetic pump with no moving parts, some modifications of the Einstein system also do not use electricity but can use any heat source such as a flame from paraffin or cooking gas.. This design was more efficient, silent and durable and was maintenance free and could last 100 years. The refrigerator patents were bought by Swedish home appliance manufacturer Electrolux ostensibly to stop its mass production. No manufacturer would want to  build something that would never break down and last 100 years. Electrolux is one of the largest compression type refrigerator manufacturer in the world, compression type systems have moving parts and therefore don’t last long.  In your lifetime you will buy 2-3 of the compression type refrigerators as opposed to you inheriting one Einstein-Szilard unit from your parents = no cash for manufacturers.

Why do cars turn?

From a simplistic view, when you turn the wheels of a car by use of a steering wheel, the car should not turn. This is because the two turned wheels will have different centers of circles if they turn by the same angle. This problem means that when wheels are turning, the inside wheel and the outside wheel will trace out circles of different radius and they will just skid in the general inertia direction. This was solved by a German engineer called Georg Lankensperger and was however patented by a a patent agent called Ackermann. This solution was called the  Ackermann steering geometry. This is a geometric arrangement of linkages in the steering of a car or other vehicle designed to solve the problem of wheels on the inside and outside of a turn needing to trace out circles of different radius. This was achieved by making sure all the wheels on the car have the same pivot point (denoted by D) as shown below. As the car moves faster, the point denoted by D moves forward to somewhere closer to the driver’s seat and a small twist in the steering wheel has a big turning effect compared to when the car is slower.

Ackermann geometry showing the different angles whe front wheels assume to enable a vehicle turn.

Ackermann geometry showing the different angles when front wheels assume to enable a vehicle turn. In this diagram, the outer wheel is at 23 degrees while the inner is at 20 degrees viewed from common point D. If both wheels turned by the same degree the car would skid forward.

 Are the three wires I see on power lines live, neutral and earth?

pole_smallWe are all familiar with the power socket outlet where the three holes provide contacts for the live wire, neutral wire and the earth wire. The assumption by many is that the three wires we see on power lines represent the live, neutral and earth. The actual fact is that the three wires on the pole are all live. The earth cable does not leave your premises and is usually connected to a copper rod that is buried in the soil somewhere near your house and sometimes connected to your metal water pipes (ever go a mild electric shock when you touch a tap in the shower and you have an open wound?). The neutral cable leaves your house but is connected to the body of the transformer that is supplying your house. The live wire leaves your house and is interconnected through transformers to the generating units wherever they are located.  Domestic users usually have a single live cable and a neutral cable coming into their premises carrying 240Volts. However heavy and industrial users who use more power have all the three cables plus a neutral cable coming into their premises with each of the three  carrying 250 volts. Because AC electric current is a sine wave, the three 240volt sources are 120 degrees apart and their sum is not 720Volts (240+240+240) but is 415 volts ( 240 x 1.732) We use the value 1.732  because it is the square root of 3 (You can Google why). The reason why a heavy user is asked to use three phase power is because the heavy load is distributed on the three phases as opposed to a single phase. The overall power sucked from the grid is therefore lower because there is less waste heat produced in the three wires compared to if all the power was in one wire in a single phase. Kenya power sets a limit of 2Kw load on single phase. One more point to note is that the three wires you see on poles usually carry 11,000 volts each and this is lowered by the transformer in your neighborhood to 250 volts. The reason why it is transmitted at 11,000 volts is because over long distances it results in less power losses during transmission than if it was transmitted at 240volts. To minimize the losses, it is brought at 11,000 volts to your neighborhood and lowered to 240 volts by the transformer.


Get every new post delivered to your Inbox.

Join 112 other followers