Thursday, April 4, 2013

How long will it take to Brute Force AES?

 How long will it take to brute force a given encrypted text if encrypted with 256 bit AES?

As of April 3, 2013, the best published cryptanalytic key recovery against AES-256 is the biclique attack of Andrey Bogdanov, Dmitry Khovratovich and Christian Rechberger [i]. It requires roughly 2^254 operations (the paper gives 2^254.4) and a data complexity of 2^40 chosen plaintext-ciphertext blocks, i.e. about 16 TiB of data encrypted under the single key being recovered.

Processor                                                  Operations per second   Operations   Time in years (at 100% success)
Xeon E5-4650                                               1.4969 x 10^13          2^254        6.12818 x 10^55
i7 3970XM                                                  1.2969 x 10^13          2^254        7.07323 x 10^55
AMD 7970 (GPGPU)                                           3.584 x 10^15           2^254        2.55951 x 10^53
Titan (Oak Ridge National Laboratory; #1 on the Top500)    1.759 x 10^18           2^254        5.2150 x 10^50

Again, this is the best case for the attacker: it assumes the attacker already holds the 2^40 chosen-plaintext blocks (about 16 TiB) encrypted under the same 256-bit key, and that testing one key candidate costs a single operation.

The world's fastest computer would take 5.215 x 10^50 years (a 51-digit number) at 100% accuracy; the research stipulates that the best hit/miss scenario is 63% accuracy, so we may infer that the real best case would be longer still. Bogdanov said the following in an interview:

"To put this into perspective: on a trillion machines, that each could test a billion keys per second, it would take more than two billion years to recover an AES-128  bit key"[ii]

If we take Moore's law into account and assume that Titan's throughput doubles every twelve months, the governing relation is:

Number of years = Number of operations required / (Maximum operations available per year x Efficiency)

A reasonable way to ballpark this is to assume that the "maximum operations available" for a given computing system doubles every year, so the work completed in successive years forms a geometric series.

At Titan's 2013 throughput, a multibillion-dollar supercomputer needs 1.6457091 x 10^58 seconds to perform the 2^254 operations of Bogdanov et al.'s method, which is the 5.215 x 10^50 years in the table above, assuming 100% efficiency and one operation per key test.

That's 521,500,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years.
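The arithmetic behind the table and the Moore's-law paragraph, as an added worked example (this code is not part of the original post): it takes the throughput figures from the table at face value, keeps the page's simplification that one key test costs one operation, and computes both the constant-rate time and what the page's own assumption of yearly doubling implies when carried through as a geometric series.

```python
"""Brute-force time for the biclique attack on AES-256 (about 2^254 operations).

Added worked example, not code from the original post. Throughput figures are
the ones in the table above, taken at face value; the doubling model is the
page's own Moore's-law assumption carried through, not a forecast.
"""
import math

OPERATIONS = 2 ** 254                    # biclique key recovery on AES-256, per [i]
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Operations per second as listed in the table above (assumption inherited from
# the page: one key test costs exactly one operation).
PLATFORMS = {
    "Xeon E5-4650": 1.4969e13,
    "i7 3970XM": 1.2969e13,
    "AMD 7970 (GPGPU)": 3.584e15,
    "Titan (ORNL)": 1.759e18,
}


def seconds_at_constant_rate(ops_per_second, operations=OPERATIONS):
    """Seconds to finish `operations` if throughput never changes."""
    return operations / ops_per_second


def years_at_constant_rate(ops_per_second, operations=OPERATIONS):
    """Years to finish `operations` if throughput never changes (the table's column)."""
    return seconds_at_constant_rate(ops_per_second, operations) / SECONDS_PER_YEAR


def years_with_annual_doubling(ops_per_second, operations=OPERATIONS):
    """Years to finish `operations` if throughput doubles every twelve months.

    Work done in year n (counting from 0) is W * 2**n, where W is the work the
    machine does in its first year, so the total after N years is W * (2**N - 1).
    The answer is the smallest integer N with W * (2**N - 1) >= operations.
    """
    first_year_work = ops_per_second * SECONDS_PER_YEAR
    if first_year_work >= operations:
        return 1
    return math.ceil(math.log2(operations / first_year_work + 1))


def table():
    """Reproduce the 'Time in years (at 100% success)' column for each platform."""
    return {name: years_at_constant_rate(rate) for name, rate in PLATFORMS.items()}


if __name__ == "__main__":
    for name, years in table().items():
        print(f"{name:18s} {years:.4e} years at a constant rate")
    titan = PLATFORMS["Titan (ORNL)"]
    print(f"Titan: {seconds_at_constant_rate(titan):.4e} seconds at a constant rate")
    print(f"Titan, doubling every year: {years_with_annual_doubling(titan)} years")
```

Two caveats a practitioner should keep in mind. First, the operations-per-second figures are the page's own: Titan's Linpack Rmax on the November 2012 Top500 list was 17.59 petaflops, i.e. 1.759 x 10^16, a factor of 100 below the table's figure, and one AES-256 key trial costs hundreds of instructions rather than one, so the real key-test rate is lower still and the real times correspondingly longer. Second, under the doubling assumption the result is governed by the exponent, not by the starting throughput: doubling Titan's 2013 rate every year for the whole period would complete 2^254 operations in about 169 years, which shows that the growth assumption, not the hardware, is the input that matters in such an estimate, and that assumption cannot hold indefinitely.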
 
Current scientific estimates say that our Sun will become a red giant, expanding as it runs out of hydrogen for fusion and consuming all the inner planets including the Earth, at about 7.59 billion years; current estimates put the Sun at 4.5 billion years of age, which leaves around 3.09 billion (3,090,000,000) years before this happens, give or take a millennium.

This analysis covers only the most recently published cryptanalytic method against AES. Side-channel analysis and other attacks on the implementation of the algorithm, such as improper key storage, memory management faults or the failure of security controls on a given system, are excluded; this is a purely theoretical discussion, and we are not considering the platform or implementation of AES on a computer.

These estimates assume that the current environment remains unchanged. They would be upset by a quantum computer large enough (well over a thousand entangled qubits) to run Grover's search algorithm against a symmetric key; Shor's algorithm, by contrast, attacks factoring and discrete logarithms, i.e. RSA and Diffie-Hellman, not AES, and Grover's search only cuts the work against AES-256 from about 2^256 to about 2^128 key tests, which is still far out of reach. They would also be upset by a rapid change in Moore's law, such as the inexpensive atomic-scale manufacture of complex systems envisioned by Drexler, or Kurzweil's singularity, in which systems become self-aware, more intelligent than humanity and better at designing chips than we are. Barring those, this timeline is likely to remain roughly constant.

IBM demonstrated an implementation of Shor's algorithm on 7 qubits (factoring the number 15) in 2001 [iv]. The key requirement for quantum systems, though, is the sheer number of qubits needed, and the evolution of these systems is far more complex than that of conventional computers built from transistors on silicon with VLSI, with its own developmental challenges.

Estimates of the number of qubits required vary, but somewhere between 512 and 1000 would be needed to break AES or RSA in a timely way, i.e. before the Sun expands. Their development faces both real theoretical problems in physics and the practical engineering difficulties, above all environmental isolation, that come with those physics problems. A useful comparison is the particle-physics apparatus built deep underground for CERN on the Swiss-French border; it is under rock for a reason: far less background radiation reaches it there.

As Schneier notes [iii], attacks against cryptosystems always get better, never worse. D-Wave Systems is making major inroads (more like major highways) into discrete optimization problems using quantum annealing, and its board has announced that, by "Rose's Law", its machines will soon have more computing power than is available in this universe; that claim is limited by D-Wave's architecture to those optimization problems, and such a machine cannot run Shor's or Grover's algorithm. Various scholars and industry pundits do not fear this particular event but openly admit the risk it signals to their cryptosystems, RSA and AES included; the open question is when a company or organization will produce a system on D-Wave's scale that does run Shor's or Grover's algorithm.
 
In a quantum machine, environmental background radiation plays the same role as electrical or RF noise in a conventional electrical machine. Ever notice how a portable radio hums next to a fluorescent light? The difference is that the quantum machine needs a kilometre of hard rock to keep the interference out, where the radio needs a grounded metal box, an isolated power supply and an exterior antenna.

A cryptosystem is considered broken when a method exists to recover the key that is more efficient than brute force, using known ciphertexts and cryptanalysis. Even broken cryptosystems often remain usable in practice because of the time and effort the improved search still requires.

Mitigations against this class of attack, present and future, include adopting public-key cryptosystems that are lattice based and do not rely on the discrete logarithm or integer factoring problems, which are what Shor's algorithm solves. For symmetric ciphers such as AES the mitigation is key length: Grover's search only halves the effective key size, so AES-256 retains about 128 bits of security against it.

References

[i] Bogdanov, Andrey; Khovratovich, Dmitry; Rechberger, Christian (K.U. Leuven, Microsoft Research, France Telecom, 2011) Biclique Cryptanalysis of the Full AES [PDF Document] Available Online: http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf (Accessed on April 2nd 2013)

[ii] Neal, Dave (The Inquirer, August 17th 2011) AES encryption is cracked [World Wide Web] Available Online: http://www.theinquirer.net/inquirer/news/2102435/aes-encryption-cracked (Accessed on April 3rd 2013)

[iii] Schneier, Bruce (August 8th 2011) New Attack on AES [World Wide Web] Available Online: http://www.schneier.com/blog/archives/2011/08/new_attack_on_a_1.html (Accessed on April 3rd 2013)

[iv] N.a. (IBM, 2001) IBM's Test-Tube Quantum Computer Makes History [World Wide Web] Available Online: http://www-03.ibm.com/press/us/en/pressrelease/965.wss (Accessed on April 4th 2013)


Monday, March 12, 2012

On the nature of Agile Development

The history of software development over the last twenty (20) years is littered with notable development and implementation failures: Denver International Airport's baggage handling system, Ford's attempt at an ERP/CRM-based purchasing system, Avis Europe's ERP platform, Hudson's Bay's inventory management system and many others (Ewusi-Mensah, 2003)[i] (Galin, 2004)[ii]. Both Galin and Ewusi-Mensah trace the root causes of these failures, and the way in which they fail, to the characteristics of development listed below. Then there is the ever-present CHAOS report, which cites many of the same reasons (Standish Group, 1995)[iii] (Mateus, 2009)[iv]: its metrics indicate that only 32% of the software projects surveyed succeed, 44% are challenged and 24% fail outright, and the PMI likewise puts the success rate for software development projects at around 30%. The reasons most often cited are:

1. Stakeholder Involvement
2. Requirements Analysis and Gathering
3. Project Planning and Execution
4. Project Metrics and Analysis
5. Project Risk
6. Software Quality Assurance Planning and Testing

Within the Information Technology Project Management module we reviewed, analysed and developed a formal project plan using Earned Value Management, with Microsoft Project to build and analyse Gantt charts from estimates made with Boehm's COCOMO II software cost models, using the Project Management Institute's (PMI) PMBOK as the frame of reference. Together with the Software Quality Assurance module, this underscored two key pieces of planning information needed for any project. The PMBOK is essentially a method for working out how to get from point A to point B: point B is the end of the project, and the requirements define what that end looks like. By applying Occam's razor and compartmentalizing the development effort into small, manageable segments, we can build a project plan on real-world development time, using previous software projects to estimate the time, cost and overall resources required for whatever is to be developed. This is done by producing the following documents and plans and including them in a formal agreement with the client.

1. The Formal Software Requirements
2. The Software Development Project Plan
3. The Software Quality Assurance Plan
4. The Software Test Plan (as completed during testing).

Generally these expectations are written into the service level agreement and development contract; we may also use "carrots" (bonuses for early completion) and limit risk by identifying formal drop-dead dates and "sticks" (punitive damages) associated with missed milestones or failure to deliver on them.

Why is user acceptance testing crucial, and why is the users' feedback so important to the development cycle? The Agile Manifesto sets out the principles of the Agile methodology, defined by Beck et al. in 2001 (Beck et al., 2001)[v] as an improvement on existing methods such as Rapid Application Development with RUP and the Waterfall model, which had plagued the software development industry for nearly 25 years.

The problem is often that what the client wants is hard to capture; it depends on the business, on the nature of software abstraction, and on people being your input agents. Even with formal requirements analysis, risk registers and wireframe designs, scope creep is a formidable foe for any software or IT project, and combined with the inherent risk of working in pure mathematical abstractions it compounds and aggravates the risk of software development. The importance of user acceptance testing and business acceptance testing is cited by Galin (Galin, 2004)[vi] and Naik and Tripathy (Naik et al., 2011)[vii] as critical to defining the success factors of a development project, because the end user (the person who will use your software) is the one who defines what success means.

These components of the Agile methodology, stakeholder involvement, constant communication, simple requirements defined jointly by the client and the development team, and a rapid development life cycle, are all part of the iterative process. Defining success factors for each iteration, combined with the short life cycle, is designed to foster success within the project, or at least to change the project's course should it go awry, for whatever reason.

ISACA and (ISC)2 both state that senior management sponsorship is critical to any information technology project, and this holds for software development projects too. The key to a good development effort is therefore to maintain a body of project knowledge alongside the legal agreements to develop the software, and to use acceptance testing, by both the business and its users, to measure the project as developed and delivered. Where the project is critical to the client's income, the real risk of failure is the client's bankruptcy and the loss of income for everyone at the client organization. The proof of the work lies in the UAT and in the "lessons learned" briefs produced under the quality assurance plan by the software test team; without documented knowledge of what was done and how, the work would be indistinguishable from fraud.

This risk is very real when your deliverables are measured in lines of code or binary executables, written by geographically dispersed teams of geniuses around the planet and executed by only one parent organization in the internals of some business system at a large multinational.

We may underscore the importance of client acceptance testing as the client organization's ability either to maintain or adopt the proposed solution with minimal platform-transfer risk, or to undertake the full development of the project with limited and known financial risk according to the estimates produced. Where possible we may even measure against those estimates as a way of deducing the project risk for a given iteration.

Software development is often described as both the most profitable industry and the one with the greatest risk; it stands to reason that the greatest riches lie in the riskiest ventures. The success or failure of your company rests on your users' ability to use your software: their signature on the hand-off documentation, or at least on a set of requirements that includes being able to use the platform without aggravation, frustration or outright system failure. Modern organizations such as Microsoft, Google, Facebook, LinkedIn, Amazon, Yahoo and Apple, whose core revenue generators are software, derive their value from the ability of everyday people to use their platforms, less the cost of building them. That is why client sign-off, UAT and BAT are the lifeblood of the organization; without them lawsuits and bankruptcies may follow.

References
[i] Ewusi-Mensah, Kweku (MIT Press, August 1st 2003) Software Development Failures ISBN: 0-262-05072-2

[ii] Galin, Daniel (Pearson/Addison-Wesley, 2004) Software Quality Assurance ISBN: 978-0-201-70945-2

[iii] N.a. (The Standish Group, 1995 – 2009) The CHAOS Report [Online] PDF Document, Available from: http://www.projectsmart.co.uk/docs/chaos-report.pdf (Accessed on March 10th 2012)

[iv] Mateus, Aleh (Model Us, May 4th 2009) Standish Group Chaos Report 2009 [Online] World Wide Web, Available from: http://modelus.com/Blog/post/2009/05/04/Standish-CHAOS-report-for-2009.aspx (Accessed on March 10th 2012)

[v] Beck, Kent; Mike Beedle; Arie van Bennekum; Alistair Cockburn; Ward Cunningham; Martin Fowler; James Grenning; Jim Highsmith; Andrew Hunt; Ron Jeffries; Jon Kern; Brian Marick; Robert C. Martin; Steve Mellor; Ken Schwaber; Jeff Sutherland; Dave Thomas (agilemanifesto.org, 2001) Manifesto for Agile Software Development [Online] World Wide Web, Available from: http://agilemanifesto.org/ (Accessed on March 11th 2012)

[vi] Galin, Daniel (Pearson/Addison-Wesley, 2004) Software Quality Assurance ISBN: 978-0-201-70945-2

[vii] Naik, Sagar; Tripathy, Piyu (John Wiley and Sons, September 23rd 2011) Software Testing and Quality Assurance: Theory and Practice ISBN: 978-1-1182-1163-2

Friday, March 2, 2012

The importance of Ethics


I have been working in information technology for over a decade, and throughout my career as an "IT security guy" I have received many questionable requests; the gamut runs from individuals to government bodies asking one of the following:


1. Can you hack into so and so’s e-mail and screw with them for me?
2. Can you get me free software / movies / music both from friends and employers?
3. Can you find out so and so’s password to this or that resource? 
4. Can you engage in this project that is potentially liable and possibly illegal but must be done by our group?


What are morals? What is ethical? Certainly there have been many great men and women before me who spent lifetimes studying philosophy, arguing the good of the populace over that of the individual, or normative versus utilitarian views, and many doctors of philosophy have argued the virtues of and differences between Kant, Descartes, Camus, Wittgenstein and Popper (Edmonds and Eidinow)1. Confucius, Plato and Sun Tzu pontificated on what might be ethical two thousand years before we crawled out of the dark ages. There are countless diatribes on applying ethics and morality to any given problem. Generally, morality may be best summarized as "the right thing to do for all parties concerned in a specific situation." In the cases of war and medical research the water gets muddy and murky very quickly. Is it ethical to test cosmetics on any mammal when near-perfect computer models exist? Is it ethical to test potentially fatal cancer treatments on humans who are not sick? The whole goal of total war is to eliminate the threat posed by an opponent, which less than 75 years ago meant another industrialized nation; as we have seen, modern warfare views civilian casualties as "collateral damage" rather than "innocent bystanders".


With respect to security research, when (if at all) it is acceptable to publish software vulnerabilities is a matter of great debate; CERT's coordinated disclosure process is designed to let the vendor fix or patch the issue before it causes grievous harm to its customers. Cisco has actually sued a researcher for publishing a vulnerability in its router software, the Lynn/Cisco affair of 2005 (Schneier)2.


There are many considerations I weigh when I receive the above requests. One is whether I am being asked to conduct a formal forensic investigation; I am not a forensics expert, but law enforcement and private investigators will usually intrude on a person's privacy as part of a justified investigation where immediate grievous harm may be present. These are conducted where warrants have been granted to process digital assets, and they cover people engaging in fraud, or who have threatened acts of terrorism or violence against others, or who are at risk of causing harm to others. In these situations, and only these situations, would I even consider recovering someone else's password and divulging it to the appropriate parties.


My particular experience of choosing not to engage a client, to avoid legal and political liability: we received a request from a potential client to help revise a medical records database in clear violation of the law. The client had asked me to update a platform they were using as an interim measure while they waited for a software release that complied with privacy and administrative legislation. Suffice it to say that this information has recently become politically sensitive, and at the time I told the client during the initial meetings that circumventing the process and procedures could land them in jail, given the sensitive nature of the records involved and the contravention of the privacy act, not to mention that the associated disclosure risk was at a political level.


I declined the contract offer and told the consultancy I was working for that if they took on that project it would quite literally result in legal action in the future, were it uncovered by an inquiry or by any other means, since the project itself violated the right to privacy and both federal and provincial security policy on personal medical records and data handling practices. In the U.S., medical organizations must comply with HIPAA when storing records digitally, banks with the Basel accords, federal agencies with FISMA, and public companies with Sarbanes-Oxley (SOX); failure to comply usually results in punitive damages exercised by the federal government, although Sarbanes-Oxley has yet to be tested in court against any business.


As for the personal "can you hack so-and-so for me" requests, I always fall back on the following ethical guidelines offered to me during my CISSP training (Tipton)3. They are based on the findings of Fritz H. Grupe, Timothy Garcia-Jay and William Kuechler.


Golden Rule - Treat others as you wish to be treated.
Kant's Categorical Imperative - If an action is not right for everyone, it is not right for anyone.
Descartes' Rule of Change - If an action cannot be taken repeatedly, it is not right to take at all.
Utilitarian Principle - Take the action that achieves the greatest good.
Risk Aversion Principle - Take the action that incurs the least harm or cost.
Avoid Harm - Avoid malfeasance; "do no harm".
There Is No Free Lunch - Everything belongs to someone.
Legalism - Is the action legal?
Professionalism - Is the action contrary to the code of ethics? Does it contravene one of the rules above, or will it require someone I ask to violate them?


As Groucho Marx once said, "These are my principles, and if you don't like them I have others!" When ethical questions come up I often find myself returning to this simple list to consider whether what I am doing is right. If it violates any of these rules, I tell my client politely that I cannot work with them on ethical grounds.


1 Edmonds, David; Eidinow, John (Harper Collins, October 2002) Wittgenstein's Poker: The Story of a Ten-Minute Argument Between Two Great Philosophers ISBN: 978-0-06-093664-8


2 Schneier, Bruce (Schneier on Security, 2005) More on the Lynn/Cisco Controversy [Online] World Wide Web, available from: http://www.schneier.com/blog/archives/2005/08/more_lynncisco.html (Accessed on March 1st 2012)


3 Tipton, Harold F. (Auerbach, Taylor and Francis, 2010) The Official (ISC)2 Guide to the CISSP CBK, 2nd edition, P. 495 ISBN: 978-1-4398-0959-4

Thursday, November 3, 2011

It's All Software anyway


Over the last thirteen years I've seen many CASE tools, most of them integrated development environments. IDEs are language-specific CASE tools that bundle debuggers, memory monitors and compilers (for compiled languages such as C/C++ or Delphi), or runtime environments with integrated development for organizations that use interpreted languages such as Python, or the J2EE stack, which usually means Eclipse and the enterprise JDK from Oracle, the Oracle RDBMS as the database, and Swing or the SpringSource framework as the application stack running on Apache Tomcat or BEA WebLogic; but I digress. When I was writing my previous module for Programming the Internet, I used Bluefish as an editor and my "IDE" was a LAMP stack on a virtual machine for rapid application testing, where I could test my changes in situ, following the Agile approach while developing a website in PHP on LAMP using XML and Web 2.0 standards, on my trusty workstation HAL (2.0). I did some rudimentary work in Eclipse for the Java functions on the site, but I loathe Java. One of the most common IDEs today is Microsoft's Visual Studio; Visual Studio .NET has some very interesting features and supports C# and the .NET framework, which I hear is incredibly efficient, but according to the language popularity index from DedaSys LLC it falls far behind Java and PHP for web development, and C/C++ still reigns king in systems and application development (DedaSys LLC, April 13th 2011)i. They also state that the highest demand for work is in PHP and LAMP, owing to the popularity of that platform: it runs over 60% of the websites in everyday use.

My first real job was in high school (in Ontario it's called secondary school), working with a startup that did RLC-based power design in electronics for communications companies. I was only 17 at the time; not bad for a high-school job, though it paid like fast food. My first introduction to procedural programming was working with the MIPS environment from Microchip Inc.; I was tasked with programming a PIC16F84 as a fan controller for a project we were consulting on. Needless to say it was a trial by fire, but most programming early in a career is. After the firm hit a major crisis in the local telecommunications meltdown of 2000 our path changed: venture capital was obtained from the same group that founded MOSAID, and we went from a consulting firm specializing in power systems design to an ASIC design firm specializing in power-control ASICs, to fill a void in the North American components market. Last I heard they had a few plasma television manufacturers interested in their products and the company had been sold to Powi Systems. I was laid off before the first chip completed design, and to add insult to injury this was less than three months after the passing of my mother; but as always, compassion and business rarely mix. It was a blessing in disguise, as I began working as a network and systems consultant thereafter and have not looked back since.

Working as a LAN/WAN administrator I knew enough about the Sun Solaris systems that had been bought to run the Verilog IDEs on them; from that experience I know that all hardware design is in fact software. Every transistor and accompanying RLC circuit on any chip is really just a function described in a hardware description language such as Verilog or VHDL. Ever since Carver Mead and Lynn Conway published their text on VLSI design (Mead, 1978)ii, electronics have been designed in EDA (electronic design automation) suites that resemble IDEs with native drawing interfaces: you compile your circuits and test them with a SPICE simulator (Nagel, 1971)iii, and everything from the printed circuit board to the circuits and schematics is rendered in software and tested months before any prototype is built. This is primarily due to the sheer cost of prototyping chips and boards. We have been using computers and CASE tools iteratively to design better computers, which is how Moore's law has been achieved. The standards are maintained by a consortium that includes AMD, Intel, IBM and Motorola; companies such as NEC have some input, but the bulk of the design work still occurs in North America, both in Silicon Valley and here in Ontario. As an aside, ATI got started in Toronto and has offices in Waterloo and Mississauga, and Matrox is still based in Montreal; the ATI offices now work for AMD, but the design offices are still here. We also have a Monolithic Microwave Integrated Circuit (MMIC), GaAs (gallium arsenide) and InP (indium phosphide) sector that survives in Ottawa, but only as boutique design firms such as Xwave, not the once-glorious houses whose innovation on crystal substrates would make any communications engineer envious.
Every technological product developed from now on exists on a computer, in a virtual environment, in its entirety before the decision is made to build or scrap it; we can even calculate the market pressures to build the device beforehand using ERP-based econometrics programs.

So how does JAD help organizations maintain a competitive advantage in the IS and IT world, where Moore's law rules and Brooks's (Brooks, 2006)iv and Zawinski's laws of software bloat ensure that the next version will bring whatever you use now to its knees, with O(n^3) out-of-sequence calls in objects three times less efficient than what you use today? It boils down to one simple thing: the software development life cycle.

Software is only useful for a given amount of time; this property is its usable life. Hardware is only good for five to seven years; that is what it is designed to last, and this includes every supercomputer on the planet. The software running on that hardware is directly responsible for achieving your business functions. If your organization's business is developing software, then your development methodologies, the supportability and maintainability of your software, and your efficiency at object reuse, testing, bug fixing and design directly determine your bottom line; in short, you live or die by the quality of the software you produce, and that is your competitive advantage in this economy. As Lehman stated in 1980, the usable life of a piece of software is about five to seven years before environmental change forces a complete rewrite (Lehman, IEEE 1980)v. The adoption of Agile and other rapid application development methodologies as defined by Highsmith results in code of greater quality (Highsmith, 2000)vi; he also states that daily builds are necessary to achieve that quality and to reduce overall project risk. As Galin states (Galin, 2004)vii:

As software errors are the cause of poor software quality it is important to investigate the causes of these errors in order to prevent them.

Thus in an IS or design-oriented organization where Joint Application Development is not used, or no SDLC is in evidence, we may assume that the software produced will contain many errors, will not be sustainable, and will be of relatively poor quality. If a business is not producing sustainable software then it is itself unsustainable, and may fail under the burgeoning cost of maintaining its software after it is sold or deployed in some poor organization's production environment, whether through contractual obligation or through the loss of users and customers. Software and security fixes are far cheaper when made in the design and architecture phases, regardless of methodology; by adopting an Agile rapid application development environment and methodologies such as the SDLC and PDCA cycles, an organization effectively commits to reality-testing all of the software it produces, frequently. As the old proverb has it, failure to commit is committing to failure.

i N.a. (DedaSys LLC, April 13th 2011) Language Popularity [Online] World Wide Web, Available from: http://langpop.com/ (Accessed on November 2nd 2011)
ii Mead, C.; Conway, L. (Palo Alto, Xerox Corporation, California Institute of Technology, 1978) Introduction to VLSI Systems [Online] PDF Document, Available from: http://ai.eecs.umich.edu/people/conway/VLSI/VLSIText/PP-V2/V2.pdf (Accessed on November 3rd 2011)
iii Nagel, L. W.; Rohrer, R. A. (IEEE Journal of Solid-State Circuits, August 1971) Computer Analysis of Nonlinear Circuits, Excluding Radiation (CANCER) [Online] PDF Document, Available from: http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1050166 (Accessed on November 2nd 2011)
iv Brooks, Frederick (Addison-Wesley, 2006) The Mythical Man-Month P. 53 ISBN: 0-201-83595-9
v Lehman, Meir M. (Proceedings of the IEEE, Volume 68, Number 9, September 1980) Programs, Life Cycles, and Laws of Software Evolution [Online] PDF Document, Available from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.116.3108&rep=rep1&type=pdf (Accessed on November 2nd 2011)
vi Highsmith, Jim (Cutter Consortium, 2000) Extreme Programming [Online] PDF Document, Available from: http://www.cutter.com/content-and-analysis/resource-centers/agile-project-management/sample-our-research/ead0002/ead0002.pdf (Accessed on November 2nd 2011)
vii Galin, Daniel (Pearson Addison-Wesley, 2004) Software Quality Assurance: From Theory to Implementation P. 19 ISBN: 978-0-201-70945-2

Tuesday, October 25, 2011

The Nature of Trust


A synopsis from the Ethics Shmethics point of view, and other reasons why I'll never work with Michael Schrage

http://www.cio.com.au/article/185611/ethics_shmethics/


Do the right thing or implement the system correctly. This statement is clearly flawed. If your IT department cannot implement a system correctly, then you as the CIO have failed at developing a team with the right skills; Willcocks et al. have cited that team composition and dynamics are of prime importance in ERP and CRM development (Willcocks, Sykes, 2000)[i]. If such difficulties arise you might be better off seeking employment as a used car salesman or tax collector, or in some other business where a lack of ethics is a good fit.

If you believe that withholding layoff information will help get your projects completed, it is probably going to be your last project as CIO, since the company will have serious issues gaining customer confidence once employee confidence and trust are lost. Issues of customer confidence include those experienced by Enron, MCI WorldCom, Nortel, Arthur Andersen and others (Patsuris, 2002)[ii].

The truth is simple: the bright ones will see the writing on the wall and leave before the layoffs occur, while those caught like deer in the headlights will expect a golden handshake for their woes. Beyond that is the prime consideration involving the why: why bother hiring developers if you only need a software tool? Simply buy the tool and its rights. Microsoft bought the rights to its first software platform; this still happens every day.

Scenario:
CRM Development – outsourced support and administration thereafter.

Utilitarian –
If you have a development department that is capable of developing a good, valuable CRM solution that will function as desired, and you plan to outsource support and administration, then you may consider engaging in business with this software house as a means to generate real revenue for your company. If you cannot create a new and profitable business venture, then your company should also have outsourced the development, as you had no intention of maintaining these employees after the project was completed: if you fail to plan, then you plan to fail. The moral good of the collective of employees would be best served by ensuring their long-term employment over considerations of profit; one such consideration is that the organization owes these people work, just as this human capital owes the organization productive efforts. As Economics (Samuelson, Nordhaus, 2004)[iii] states, all production requires factors that include human capital and land.

Normative –
The moral facts of the situation as cited by Schrage are both simplistic and narrow-minded. Yes, IT is a business, but it is up to the sales people and directors to ensure that it functions in a sustainable manner. In 2008 the software industry added $280 billion in value to the U.S. economy alone (BSA, 2008)[iv]; if the sales department of this organization cannot capitalize on such a large market, then they should be the first to be replaced. The above scenario would not exist if they had outsourced all development of the platform, or if they had hired developers in a cautious manner. Full-time gainful employment as a developer means that you as an individual have already made the choice to devote 100% of your time and effort to your company; to assume that these people are expendable just because the company cannot find a means to sell their talents is wrong in both the utilitarian and the normative philosophical sense. The prima facie (W.D. Ross, 1930)[v] duties in the normative sense would be that the beneficence, fidelity and justice of the organization are co-dependent upon those received by their respective employees and those experienced by their customers. Henry Ford once stated, Take aw

Short Term Losses

The short-term losses of this organization would include a lack of skills and ability for the organization to produce any software product, not to mention a loss in production and morale. Losses to corporate morale can kill a company; if your entire workforce is apathetic then your company's production may grind to a standstill.

Long Term Gains

The long-term gains of this company or organization may be that instead of going bankrupt they exist in some form other than the one they used to. Current examples of this include Research In Motion, which has recently gutted its workforce in an effort to combat a downturn in sales by cutting 11 percent of its programmers (Yin, 2011)[vi]. One alternative strategic move would have been to refocus efforts on Android development of a BlackBerry-compatible mail client to expand onto an exponentially growing client base, no longer depending on their own hardware business and leveraging the strength of the mobile marketplace from Samsung, Motorola, Nokia and any other Android-based phone manufacturer; however, whether or not RIM will survive into the new year remains to be seen.

Good Ethics or Financial Benefits
The example above is just one example; however, if all organizations were to invest as heavily in their employees as their employees invest in their organizations, then the returns would include competitive advantages as well as financial ones. The best examples include sponsorship of an executive MBA as a means to capitalize on leadership within the ranks of an organization, as opposed to purchasing or poaching an executive. Good ethics lead to a good reputation, and a good reputation directly increases sales and revenues regardless of the product or service being sold.

[i] Willcocks, Leslie P.; Sykes, Richard (ACM, 2000) Enterprise resource planning: the role of the CIO and IT function in ERP [Online] PDF Document, Available from: http://dl.acm.org/citation.cfm?id=332051.332065 (Accessed on October 23rd 2011)
[ii] Patsuris, Penelope (Forbes, August 26th 2002) The Corporate Scandal Sheet [Online] World Wide Web, Available from: http://www.forbes.com/2002/07/25/accountingtracker.html (Accessed on October 24th 2011)
[iii] Samuelson, Paul A.; Nordhaus, Paul D. (McGraw Hill, 2010) Economics, 19th ed. P. 295. ISBN: 978-0-07-070071-0
[iv] n.a. (Business Software Alliance, 2008) Software Industry Facts and Figures [Online] PDF Document, Available from: http://www.bsa.org/country/Public%20Policy/~/media/Files/Policy/Security/General/sw_factsfigures.ashx (Accessed on October 24th 2011)
[v] Ross, W. D. (Oxford University Press, 1930, Reprinted 2002) The Right and the Good ISBN: 0-19-925265-3
[vi] Yin, Sarah (PCMag, 2011) RIM Cuts 2000 Jobs, Reshuffles Management [Online] World Wide Web, Available from: http://www.pcmag.com/article2/0,2817,2389071,00.asp (Accessed on October 24th 2011)