I’m reading… “Hit Refresh” by Satya Nadella

How do you bring significant change to an organisation? Particularly a large, multi-national organisation?

Where do you start once you’ve decided what it is that you want to change? How do you make change that is sustainable?

This is no ordinary organisation either, this is Microsoft, an organisation that has some huge fans, but also massive detractors. It’s an organisation that has made some very public missteps and become regarded as arrogant, but is also one of the most valuable organisations in the world.

How do you revive a giant?

Microsoft has, for a long time, had a reputation for being an organisation with an interesting way of working. This is something that Nadella refers to early on in the book by using a cartoon from Bonkers World that depicts Microsoft’s organisation structure as being one of a set of warring factions:

While it’s a cartoon, it has meaning because it is based in a truth. Moving away from this situation required a significant change of culture and, to use Satya’s words, for Microsoft to find its soul.

This book is partly an autobiographical telling of how Nadella got to be Microsoft CEO, it’s partly an outline vision for the future of Microsoft and partly a discussion on some of the opportunities and challenges currently facing the wider technology industry.

I found the autobiographical parts the most interesting, but I like biography. These sections give some insights into how someone born in Hyderabad becomes the CEO of an organisation that has had a dramatic impact on the world that we know. There are parts of these sections that are very personal, particularly when he is talking about his son Zain, who suffered in-utero asphyxiation during his birth which caused severe brain damage and left him with cerebral palsy. This isn’t one of those management books where someone tells you how brilliant they are; there’s more humility than that.

Nadella describes the role of CEO as “curator of culture” and it’s clearly culture that he regards as the primary change required. Speaking as someone who works in the technology industry, Microsoft is an organisation that divides opinion, and it takes people a long time to change an opinion. Nadella took over as Microsoft CEO in 2014; since then Microsoft has sought to show a very different culture, embracing many things that previously would have been regarded as red-lines. Two words that Nadella uses several times in the book are listen and empathy, neither of them words you would have associated with the Microsoft of the Steve Ballmer era.

The CEO is the curator of an organization’s culture. Anything is possible for a company when its culture is about listening, learning, and harnessing individual passions and talents to the company’s mission. Creating that kind of culture is my chief job as CEO.

The culture change I wanted was centered on exercising a growth mind-set every day in three distinct ways. First, at the core of our business must be the curiosity and desire to meet a customer’s unarticulated and unmet needs with great technology. This was not abstract: We all get to practice each day. When we talk to customers, we need to listen. We need to be insatiable in our desire to learn from the outside and bring that learning into Microsoft.

Still, many responses to the recently announced purchase of GitHub reflected suspicions of the arrogant Microsoft. I suppose it just goes to show that 4 years isn’t a very long time in people’s memories.

The third section, on some of the opportunities and challenges facing the technology sector, is also interesting, but for a different reason. These sections aren’t as insightful into Nadella’s thinking on a particular subject, but feel more like the thinking of the broader Microsoft organisation. There wasn’t, for me, any particular revelation here.

Summarising: Nadella is an interesting character with an interesting background. He seems to me to be taking Microsoft in the right direction, but it will be interesting to see where he gets put when the history of the current age is written.

DaaS or DaaS, or even DaaS?

We love acronyms in IT, see, we even define ourselves by one.

Sometimes we try to be cute with them and make words out of them: RADIUS – Remote Authentication Dial-In User Service.

Sometimes we create acronyms that enter the popular lexicon as words without people realising that they are acronyms:

  • LAN –  Local area network
  • RAM – Random Access Memory

Sometimes we get all wrapped up using the same acronym for multiple meanings.

In recent weeks I’ve found myself involved in multiple conversations about DaaS, which is pronounced “DAS”, generally with a hard-“A” (like the detergent), but sometimes with a kind of confused stutter as people try to pronounce both “A”s.

(This is one of those acronyms where saying the letters – D-a-a-S – is nearly as long as saying the meanings, and neither is very comfortable to say.)

Anyway, getting back to the point, DaaS, what does it mean? Well, it depends. It has a different meaning in different contexts, which, personally I find infuriating, especially as a couple of the contexts are quite similar.

DaaS #1 – Desktop-as-a-Service

I think that this one can claim to have been around the longest. It refers to the provision of virtual desktops as a pay-per-use service.

Lots of organisations use virtual desktop services; what makes this as-a-Service is that it’s delivered by a cloud infrastructure. AWS, Microsoft and VMware all have Desktop-as-a-Service offerings which you can purchase and use without the need for any internal capabilities.

DaaS #2 – Device-as-a-Service

Really, yes, “Device-as-a-Service” is different to “Desktop-as-a-Service”.

Device-as-a-Service has absolutely nothing to do with virtual desktops, it’s all about physical devices. If you’ve had a mobile phone contract which included the phone hardware then you’ve used something similar to Device-as-a-Service, you paid a monthly fee for the device in the expectation of certain services. Managing a large estate of devices is a complicated thing to do and adds little value to most organisations. Creating an arrangement with a third party to lease devices and let them manage the inventory gives them the problem, but also, potentially, allows your organisation more flexibility.

DaaS #3 – Data-as-a-Service

Once upon a time Microsoft produced an interactive encyclopedia application called Encarta, it shipped on a set of CDs and later DVDs. To get access to the data you needed to buy and use the application, the two were bundled together. The internet changed all of that and Encarta became obsolete in 2009.

The internet as a data source also made obsolete the need for applications to own the embedded data. Lots of applications now use data that comes from other sources; sometimes that data is given away, sometimes it’s provided on an as-a-Service basis where people pay to use it. In some industries bureaux have been set up to provide this data to the people willing to pay for it; one example of this is the credit check agencies, who take the various sources of data about our financial situation, analyse it, and provide the results back to the financial institutions.

So there you have it, the same four letters, three different meanings.

I suppose that I ought to go now and use my DaaS provided equipment to access a DaaS so that I can use my application that gets its data from a DaaS source.

Add a Third Time-Zone to your Outlook Calendar

If you work in a multinational organisation and work across time zones then the latest build of Outlook for Windows (Version 1805 (Build 9330.2087)) has something that will make your life a little easier:

You can now view 3 time zones in your calendar 🙂

If you don’t work in a multinational world this probably sounds like a “so what”, but in my world this is excellent. I’m rarely in meetings with people from just one time-zone, it’s much more normal to be on a call with people from Europe, the US and India. This update allows me to see everyone’s time in the same view in my calendar.

You update the time zones via the calendar options:


Add a label, pick a time-zone.

These will then appear in your calendar view with the labels defined:


It’s as simple as that, once you’ve got the update.

This time-zone visibility isn’t yet in the scheduling assistant when creating an appointment, which would be great.

Knowing what time people are in isn’t just about scheduling though, people behave differently dependent upon the time of day. The person in India who has already done a long day’s work is going to respond differently to the American who hasn’t yet had enough caffeine. The dynamics of the meeting are different for the participants – one wants to get off the phone and finish their day, the other is just getting started and happy to chat. Quite often the European, in the middle, is wondering when they can get some lunch.

Anatomy of a Phishing Email

I received an email today which was purporting to be from Apple Support telling me that my AppleID had been locked.

This email was quite similar to other emails that I’ve received from Apple; it had an Apple logo on it and the fonts were all Apple, but this email had a number of giveaway signs that it wasn’t what it purported to be. All I had to do, all you have to do, is look for them.

These emails are deliberately structured to get us to react within the first few seconds, before our rational mind has kicked in. What we have to build is a reflex that says “what?”; our rational brain will then wake up and start to point out the things we should have seen at the start. There were quite a few of them in this email, things like:

Email Subject


The subject of the email makes no sense. It doesn’t even relate to the issue within the body of the email; “New Statement Updates” a statement, about what? “login from other browser in Denmark” isn’t English and everyone knows that you don’t put a space before an exclamation mark.

Email Sender

The sender of this email claims to be service@apple.com, but outlook.com does a reasonably good job of showing that this is just a front. The real sender of the email is something radically different.

This message is from a trusted sender?


There’s a poorly created graphic at the start of the email that is trying to mimic something that outlook.com does, but it’s clear it’s a graphic and not a very good one at that.


Text Inconsistencies

There are a whole set of inconsistencies in the text that is presented. The most obvious is in the footer where there is underlined text that would normally link somewhere, but no links have been included. The creators of this email don’t want you going off elsewhere.

There’s another reason for this, it’s an attempt to circumvent the SPAM filters. Emails with multiple embedded links are treated more suspiciously.

The text of the email as a whole, once you read it, should also raise suspicions. The English isn’t great, including basic things like capitalisation and repetition.

The first line is as far as you should need to read:

someone else enters your password, security questions, or other account information incorrectly too many times, your Apple ID automatically locks to protect your security and you can’t sign in to any Apple services.

“someone else enters your password”?

This doesn’t take any special skill; it takes reading and suspicion.

Misdirected Links

The text of the email then invited me to click on a link that said it was to iforgot.apple.com. This is the primary purpose of this email – getting me to click on this link.

iforgot.apple.com is the right place for me to go to resolve any issue with my AppleID, but the link associated with this text isn’t to apple.com; it’s to somewhere else, which I’m sure will look a lot like the apple.com account page, will ask me for all sorts of details and pass them on to a number of individuals whose purposes will be less than friendly.

I have clicked on the link, and although the outlook.com SPAM filters let the email through the link checker told me that the link was unsafe and advised that I go no further.

It’s also worth noting that the text is written without the https:// at the front of it to try and circumvent the spam email filters.

But that’s not all.

No Apple ID

The ultimate give away for this email being a phishing attack is this – there is no Apple ID associated with the email address that this email was sent to.


Every time you receive an unexpected email you need to learn to say “what?” and in so doing trigger your rational brain to think. Once you start thinking you can often avoid future heartache.
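Two of the checks above, the claimed sender under “Email Sender” and the link text under “Misdirected Links”, can also be done mechanically. The following is an added example, not part of the original post: the message is a constructed sample, every host in it is a placeholder, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the email from the post; every host is a placeholder.
RAW = '''From: "service@apple.com" <bounce@mailer.example>
Subject: New Statement Updates
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Unlock it at <a href="http://account-check.example.net/login">iforgot.apple.com</a></p>
<p><a href="https://www.apple.com/legal/">apple.com/legal</a></p>
</body></html>
'''

# A host name at the start of the visible link text, with or without a scheme.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?=[/:?#]|$)", re.I)


def same_site(actual, shown):
    """True when the real host is the shown host or one of its subdomains."""
    return actual == shown or actual.endswith("." + shown)


def sender_mismatch(msg):
    """Return (claimed_domain, real_domain) when the display name poses as
    an address on a different domain from the real From address."""
    display, addr = parseaddr(msg.get("From", ""))
    claimed = re.search(r"@([A-Za-z0-9.-]+)", display)
    real = addr.rpartition("@")[2].lower()
    if claimed and not same_site(real, claimed.group(1).lower()):
        return (claimed.group(1).lower(), real)
    return None


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def mismatched_links(html):
    """Return (shown_host, real_host) for links whose text names another host."""
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for text, href in collector.links:
        shown = HOST_RE.match(text)
        actual = (urlparse(href).hostname or "").lower()
        if shown and not same_site(actual, shown.group(1).lower()):
            found.append((shown.group(1).lower(), actual))
    return found


if __name__ == "__main__":
    msg = message_from_string(RAW)
    print(sender_mismatch(msg), mismatched_links(msg.get_payload()))
```

The second link in the sample is deliberately benign: its text says apple.com and its target is a subdomain of apple.com, so only the first link is reported.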

YouTube is now your Mum/Dad/Practical Friend

One of the things that fascinates me is the social change that is driven by the internet and internet services.

Once upon a time we would answer practical problems in one of two ways:

1. Ask someone we trusted

The question would normally be to our mum or dad or to that practical friend who knows how to do anything. Their proximity would allow them to show us how to do something in person, or talk us through it over the phone. Sometimes their answer would be to talk to someone else that they know who is practical in a particular way: “Talk to your grandma she’s really good at buttonholes.”; “Ask Eddie he knows how to protect a Koi pond from herons.”; “Ask Mary she’s good for advice on home automation systems.”

As a result our wisdom was limited by their knowledge, or the knowledge of the people that they know. What’s more we only knew if their knowledge was any good when we tried what they suggested. We had to decide whether to try what they suggested by judging their level of confidence in their knowledge. I suspect we’ve all had friends who’ve confidently told us to do something that has later turned out to be the last thing we should have done.

This was the normal way of finding out how to do something.

2. Go to the library or take a course

If we needed to know something outside the knowledge of the individuals we trust we may go as far as to do some formal research. This research would have mandated a trip to the local library and wading through reference manuals and the like. In extreme cases we may even take a course on how to do something, but this was only for the truly dedicated.

This was not the normal way of finding out how to do something, it was only used in exceptional circumstances.

Along comes YouTube (other video sources are available)

For many YouTube has now replaced your mum, dad and practical friend. It’s even replaced the library and training courses for some.

I’ve had two situations recently where this was the case:

Windscreen Washer Failure

It’s been an interesting winter here in the UK with different weather each day, switching from warm and wet to bitterly cold. Windscreen washers have, therefore, become a vital part of road travel; when the washer in the car that my wife drives failed it was important that it was fixed.

My first instinct was that it was just a fuse problem, so I opened up the in-car manual to see which one, only to discover that the windscreen washer wasn’t listed. Fortunately YouTube had most of the answer – someone called Andy Robertson had experienced exactly the same problem and posted a video. I say most of the answer because the fuse box that Andy shows isn’t quite the same as the one that’s in our Polo, but it did allow me to know that it was a 7.5 amp fuse and, following a short process of elimination, to find the one that had blown.

iPhone Charging Problem

I’ve been struggling to charge my iPhone recently – I’d plug a Lightning cable into it and leave it; when I came back to it later the cable would be slightly out of the socket and no charging would have taken place. Having tried a number of different cables I realised that the problem was with the socket in the iPhone itself, not the cables. Going to the Apple Store to get it fixed sounded like an expensive proposition so I took to YouTube for help. It wasn’t long before I found a set of videos from people all telling me that it was likely to be dust and/or lint in the mechanism and simply to get a pin and dig it out. Putting a metal thing into a charging point didn’t sound like a good idea, but the basic idea worked a treat and now my phone stays plugged in.

I’m not sure which of my practical friends would have known to do that; my parents certainly wouldn’t.

The New Normal

These are a couple of personal examples of what I think is the new normal way of working out how to do something, but it’s not just me. The car fuse video has been watched over 27,000 times, the iPhone one nearly 700,000 times. A friend recently used another YouTube video to work out how to get a broken headphone jack out of an iPad. Another friend gives overviews of his allotment that people use to get advice on the technicalities of an allotment and allotment life.

I wonder how many of the 1 billion hours of YouTube video watched every day are helping people with their “how do I” questions?

Predictions: “in about 15 years” | “within the next 10 years” | “25 years from now”

Imagine that the year is 2032.

What do you foresee?

What dramatic change has occurred?

How has your daily life changed?

You are almost certainly wrong. We like to think that we can see the next 10, 15 even 20 years, but the reality is that we are very poor at it.

In 1955 we predicted: “Nuclear-powered vacuum cleaners will probably be a reality in 10 years.” Thankfully, that didn’t happen.

As a child I would watch Tomorrow’s World and marvel at the impending future that it outlined. Here’s one from 1969 imagining the Office of the Future (there are two articles in this clip, the Office of the Future is in the first couple of minutes):

Even then we imagined robots doing our bidding even if it was one that looked more like a teasmaid than R2D2.

It’s interesting to see how many of these functional predictions happened, but in completely different ways – look out for the huge camera that fulfils the purpose many people use a mobile phone camera for today.

This wasn’t really “tomorrow’s” world being shown; many of the functions shown that have been revolutionised took another 20 to 30 years to become mainstream. Many of the functions still aren’t mainstream and I’m not sure we would want them if they were.

How about this one outlining “Cassette Navigation” from 1971:

The use of GPS based navigation systems is second nature to most of us, but that was only possible when the GPS network was completed in 1994 and even then it didn’t become mainstream until the mid-2000’s when the likes of Garmin, TomTom and Magellan created the market.  Whilst GPS based SatNav systems do a functionally similar thing to the Cassette Navigation system their implementation is completely different and I doubt that anyone seeing the Cassette Navigation system imagined a future SatNav system. Again, this wasn’t “tomorrow’s” world, this was a problem that wouldn’t be solved for another 25 years.

In 2010 Jerry Zucker said: “It’s Moore’s Law, everything will be obsolete in 10 years – I’ll be obsolete in 10 years!” in reference to the iPad. It’s nearly the end of 2017 and I don’t see the iPad, or Jerry Zucker, being obsolete in the next couple of years.

Whilst we are terrible at predicting the longer term future, fortunately for us most things progress along predictable pathways most of the time.

Within IT we are currently telling ourselves that we are living in a world of unparalleled and rapidly expanding automation, but we’ve been in that world since the invention of the Spinning Jenny in 1764, and arguably for millennia before that. What we are seeing now is the next step in the pathway that has been running for over 250 years.

I’m not saying that we shouldn’t try to imagine a future, or even try to predict it, we just need to be careful how much trust we place in our ability to predict.

I suspect that science fiction writers and film makers have done a better job than many of us deeply embedded in today’s technology. Minority Report, which was 15 years old in 2017, was apparently quite a good predictor of a number of technologies. I’m still waiting for my flying car though.

“I never think of the future, it comes soon enough.” Albert Einstein

Our password system is broken, and has been for over 50 years!

There has been a lot of commentary over the weekend about the pronouncement from Nadine Dorries that she shares her login with her staff:

I’m not planning to add to that overall commentary because others have done that already.

The issue that I want to address is that this is symptomatic of a broken system.

Passwords as a method of authentication were adopted by computing in its very earliest days. Passwords probably originated as a way of identifying who was doing what in the earliest time-sharing system, which was MIT’s Compatible Time-Sharing System (CTSS) in the mid-1960s.

This early password system suffered from many of the same problems we experience with passwords today – in other words the password system has been broken for over 50 years and yet we persist.

The CTSS has been documented as the first case of password theft, which was caused by an insider circumventing the system. Allan Scherr, a researcher, wanted more computer time, which was very limited at the time. Scherr came up with the idea that he could increase his own usage by using the time that others weren’t using. He did this by using a privilege that had been granted to him, which was to get a physical printout of any of the files on the system, so Scherr asked for a printout of the password file, which was a text file:

There was a way to request files to be printed offline by submitting a punched card with the account number and file name. Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing out of the M1416 folder. I could then continue my larceny of machine time.

Things got a bit more interesting when Scherr handed the password list out to other students and one of them decided to use it to log in to the computer lab director’s account and leave “taunting messages”.

Since those days in the mid-60’s we have been trying to convince ourselves that passwords are still the right way to go.

We’ve spent many hours training people how best to use passwords – long, complex, changing, non-repeating, etc.

We’ve invested many hours into code to strengthen password stores and probably just as many hours deploying, fixing and then redeploying that code.

Many lines of journalistic content have been invested on passwords and password related problems.

Passwords have resulted in an immeasurable volume of hours in lost productivity as people struggle to work out what the right password is. How many times have you lost hours of your working day caused by a password problem?

Then there’s all of the damage caused to individuals and organisations by hacked, poorly protected or poorly handled passwords.

We have, at least, created an opportunity for people to create applications to manage our passwords and to build businesses on the back of that opportunity.

Yet, the fundamental issues that existed 50 years ago still exist and those issues primarily surround the weak link in the password chain and that’s the human. Humans will always circumvent the system from inside. This is normally because people are very poor at estimating the risk of poor password practices and will circumvent them for almost any advantage. I suspect that Nadine Dorries gives her staff her password because there’s an advantage to her to do so, even if it is very unwise.

We’ve fixed the password problems in the physical world by using physical security which limits the access to the person with the physical entity. We started using physical keys as a way of securing physical property over 1000 years ago! Imagine how strange it would seem to go up to your car and type in a password; we’d soon have people patrolling car parks to stop miscreants trying a brute-force attack on the car keyboard. How about walking up to a highly secure office environment, tapping on the small window in the door and saying “The weather in Moscow is mild for the time of year”? Would you expect to be let in?

In conclusion, the last 50 years have shown us that passwords have fundamental problems that we shouldn’t expect to fix because that would require humans to change. We need to move to a different authentication system, one based on physical security.