Great Experience with NZeTA App

Many countries now require visitors from supposed-to-be visa-free countries to apply for an ETA (Electronic Travel Authority) or a similar scheme before entering the country.

An ETA is easier to obtain than a visa. It requires only an online submission, and the result is made available within a short time, a few days at most. However, filling in the ETA form – especially for the USA – may be quite daunting. It is not difficult, simply time-consuming.

That was until I applied for the ETA for New Zealand, the NZeTA. From 1 October 2019, New Zealand will require visitors from visa-free countries to obtain an NZeTA prior to travel.

New Zealand Immigration provides two options for applying for the NZeTA: through the web or through a mobile app. Interestingly, it costs NZD 3 less to apply using the app than using the web. Out of curiosity, I chose to apply using the app.

Searching for the app on the Google App Store (well, I am an Android user) was easy. The installation was a breeze, without any issues.

The application process was surprisingly easy.  Upon opening the app, I was prompted with the welcome page.

This was followed by an acknowledgement of the usual privacy and terms of use.

The next step caught me a bit off guard. It prompted me to take a picture of the passport.

However, rather than taking the picture of the whole passport, the app actually scanned the Machine-Readable Zone (MRZ) area. The screen would show a blue bar where you should align the MRZ. As a result, capturing the MRZ was a breeze!

The next step was quite interesting: it asked me to take a selfie!

It took me a few attempts to take the selfie. Once completed, the app displayed the information captured from the MRZ, with the picture in the top-left corner. It asked me to confirm the details.

After that, the app asked a series of questions, starting with whether I wanted to stay in NZ or was coming as a transit passenger, whether I am an Australian permanent resident, and so on. Interestingly, the ‘expected’ answer is always highlighted.

After answering all the questions, I proceeded to pay for the ETA and the International Visitor Conservation and Tourism Levy (IVL). The payment was made by credit card and it was fuss-free. I did not use the feature to take a picture of the credit card, which I believe would have helped me key in the credit card details; I chose to key in the card details myself. The only thing missing was 2FA for the credit card transaction.

And that’s it! The whole process was completed in less than 10 minutes, all from within the app itself. It was a great experience!

The app makes it easy for anyone applying for the NZeTA. There is no need to upload any additional documents or pictures. The app also reduces or even eliminates errors by using the MRZ to fill in the details; the applicant does not need to type all the details manually.

The selfie is also interesting. There is no need for the applicant to rush to an instant photo booth or photo studio to take the picture, which would delay the whole application process.

The app practically eliminates all friction in applying for the NZeTA. It is a great innovation from New Zealand Immigration. As a citizen, frictionless transactions such as what the app offers are what I am looking for when transacting with the Government; and as a public servant, such an app is the yardstick for good Government eServices.

Embracing Messiness

One day I was asked to draw how our applications interface with other applications. It was quite a big task to come up with such a diagram, but I managed to do it.

The diagram looks like this.

(of course, I need to remove the details)

When I presented the diagram, most of the comments were about how messy the applications are.

I disagreed. Such messiness, in fact, should be EMBRACED.

Firstly, there is no application that can do all the functions that the organisation needs. An organisation typically uses different applications and integrates them at the back end to achieve a good user experience across them.

When an organisation moves to the cloud, it opens up even more applications it can use. The integration between cloud-based applications (and also with Intranet-installed applications) would be even more pervasive.

With the advent of microservices and containers, the integration becomes even more complex than typical application-to-application integration. A particular business function may be served by multiple microservices, each of which may call other microservices.

Microservices and containers, when combined with DevOps, also introduce more complexity. If properly configured, a container can run in different hosting environments at different times, transparently to the user. This introduces (at least in what some people think) another dimension of messiness (and complexity), as the service has no ‘permanent home’.

Trying to simplify the interfaces between applications would simply not work. What the organisation needs to do is to embrace such messiness with some measures to prevent chaos.

For a start, the organisation should put governance in place. The organisation should know what interfaces are being deployed, who is calling what, and each interface's version, security and schema, as well as which interfaces are to be retired. This will also allow the organisation to better reuse existing interfaces, rather than creating new ones.
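One way to act on the inventory described above, as an added example rather than anything from the original post: a short Python check that compares a registry of interfaces with the calls actually observed. The registry fields, interface names and call records are all constructed for illustration.

```python
# Added example: reconcile an interface registry against observed calls.
# Registry fields and all sample data are constructed for illustration.
REGISTRY = {
    "hr/employees": {"owner": "hr-team", "version": "2.1", "auth": "oauth2",
                     "schema": "employee-v2.json", "status": "active",
                     "consumers": {"payroll", "portal"}},
    "finance/invoices": {"owner": "fin-team", "version": "1.0", "auth": None,
                         "schema": "invoice-v1.json", "status": "active",
                         "consumers": {"portal"}},
    "legacy/staff-export": {"owner": "hr-team", "version": "0.9", "auth": "basic",
                            "schema": None, "status": "retired",
                            "consumers": set()},
}

# (caller, interface) pairs, e.g. extracted from gateway or service logs.
OBSERVED_CALLS = [
    ("payroll", "hr/employees"),
    ("crm", "hr/employees"),               # caller nobody registered
    ("portal", "finance/invoices"),
    ("reporting", "legacy/staff-export"),  # retired but still in use
    ("portal", "notify/sms"),              # interface missing from the registry
]

def audit(registry, calls):
    """Return sorted (interface, finding) pairs for governance follow-up."""
    findings = []
    for name, entry in registry.items():
        if entry["status"] == "retired":
            continue  # metadata gaps on retired interfaces are not actionable
        for field in ("owner", "version", "auth", "schema"):
            if not entry.get(field):
                findings.append((name, f"no {field} recorded"))
    for caller, name in set(calls):
        entry = registry.get(name)
        if entry is None:
            findings.append((name, f"unregistered interface called by {caller}"))
        elif entry["status"] == "retired":
            findings.append((name, f"retired interface still called by {caller}"))
        elif caller not in entry["consumers"]:
            findings.append((name, f"undeclared consumer {caller}"))
    return sorted(findings)

if __name__ == "__main__":
    for interface, finding in audit(REGISTRY, OBSERVED_CALLS):
        print(f"{interface}: {finding}")
```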

However, governance itself is a rather tricky concept, as it may hinder application development. Governance implies a set of rules that must be followed by developers, with some kind of penalty otherwise. The scrum team may also see governance as slowing down their work, as they need to go through a ‘review’ process. A pragmatic approach to governance needs to be applied.

The organisation may also consider implementing systems such as an API Gateway or message queue to provide a layer of governance over interfaces. This also provides an additional layer of security, at the cost of additional complexity and reduced reliability, as such systems may become a single point of failure for the whole organisation.

Data governance is also important. An entity should have a consistent data structure throughout the organisation and across all applications. An inconsistency would simply create confusion, not only for users but also for integration. It would make interfaces more complex, as each application would need to transform the data to its own data structure. Intermediary systems such as an API Gateway could be used to do the transformation; however, that would simply move the complexity into such a system and make governance more complex, as there is a need to track the transformation logic.

Two Lessons for DevSecOps from Grounding of 737-MAX

As an IT professional who works in DevSecOps and has a strong interest in the aviation industry, I learnt some lessons from the grounding of the 737-MAX series.

Automation is Essential but People Need to Know What Automation Does

The crashes of ET302 and JT610 might be due to MCAS (Maneuvering Characteristics Augmentation System). The computer reads the attitude of the plane and in certain situations it would intervene. It is meant to assist pilots, and in an ideal situation the pilots would not notice.

In DevSecOps, automation is essential; in fact, without automation it is not possible to achieve DevSecOps. Tools are used to achieve automation.

Used right and in the hands of good engineers, the tools would do wonders. The DevSecOps team would be able to deliver features, fixes, and updates frequently to deliver business value.

US Airways flight US1549 showed how a pilot, Capt. Sully, was able to utilise automation (in the form of the autopilot) to help him steer the crippled plane before ditching in the Hudson River.

In contrast, the computer on Air France flight AF447 warned the pilots that the plane was stalling and approaching terra firma; however, the pilots did not respond to the warning, and only at the last minute did they figure out what had happened, but it was too late.

In DevSecOps, it is common to mix different tools from different vendors. Each tool has its own strengths and the organisation may have its specific needs and constraints that dictate the tools used.

An engineer who is clueless about the tools would make DevSecOps fail to deliver its value.

The engineer must be familiar with all of those tools. Using the tools every day, however, does not make an engineer familiar with them; it simply makes the engineer an operator.

The engineer is expected to know how the tools work, how the tools interact with each other, how to exploit each individual tool, how to interpret the errors generated by the tools and how to fix the issues.

Not easy, but at least the engineer could quickly recover the tool-chain when there are errors.

If an engineer is not familiar with what each tool in the tool-chain does, then he would not know what to do when something unexpected happens. In DevSecOps, it would simply create delays.

Unmanageable Technical Debt will Snowball to Bigger Problem in the Future

The Boeing 737-MAX is the latest variant of the venerable 737 series that started in the 60s. Throughout the years, Boeing kept improving the plane. It accommodated bigger engines, a longer airframe (for bigger capacity), etc. This kept the plane relevant, especially after Airbus rolled out the A320s in the 80s.

However, what Boeing has been doing was simply continuously tweaking the plane. As the landing gear is not high, there is a limit on how big the engines the 737 could use. Boeing has been tweaking the engine pylons so much that on the 737-MAX the pilot needs to be assisted by the MCAS.

The Boeing 737 design has limited the changes that Boeing could make. It has become a technical debt, but nothing was done.

Likewise in DevSecOps. While meeting the objective of delivering business value is very important, technical debt also matters. Delaying addressing technical debt would simply make the problem bigger, and sooner or later it becomes unmanageable and affects the business.

It is important for the organisation and the DevSecOps team to allocate time and resources to address technical debt. This is to be done either in specific sprints/releases or inserted as part of releases.

Airbus and the Unlucky 8

Recently Airbus announced that it would stop the production of the largest airliner, the A380. Despite its popularity with passengers, the plane is unfortunately not popular with bean-counting airline executives.

The premature end of A380 production (as compared to its rival, the Boeing 747 series) also caps Airbus's unlucky experience of using the supposed-to-be lucky number 8.

From A300 to A380

Both Airbus and Boeing have naming conventions for their planes. Airbus named the first model it produced the A300. Subsequently it named its models in multiples of 10: the A310, A320, A330 and A340.

However, when Airbus announced the A380, it deliberately skipped A350, A360 and A370. The number ‘8’ was chosen because it resembles the double-deck cross section – the A380 is the first airliner to have a full-length double-deck* – and it is considered a lucky number in Chinese numerology.

It is not uncommon for aircraft manufacturers to have different variants of the same model, differing in range, capacity or generation. For example, the 747 started as the 747-100 and the subsequent variant was named the 747-200. The Airbus A330-200 is shorter (and has more range) than the A330-300.

The A380 has, in fact, two eights because the base (and only) variant of A380 is … 800.

Despite having two ‘8s’, the Airbus A380-800 – shortened as A388 – has not sold well. Other than Emirates, which ordered half of the A388s produced, no other airline acquired A388s in large numbers. The A380 programme was doomed.

Alas, Airbus continues to have problems with the number 8.

Among the other models Airbus is currently producing, the A350 is its largest twin-engine wide-body airliner. It has at least 3 variants, the A350-900, A350-900ULR and A350-1000, with the -900 having the shorter frame (and lower passenger capacity) compared to the A350-1000. However, the A350-900 was not planned as the smallest variant.

Airbus planned to ‘shrink’ the -900 to an even shorter frame (with a lower passenger count) and name it the A350-800. It was meant to serve thinner routes while maintaining commonality with its larger cousins. However, the shrink made the variant noncompetitive, so the -800 variant was stillborn.

Airbus's unlucky experience with ‘8’ does not stop here. It recently launched the re-engined variant of its popular A330 model, called the A330NEO (New Engine Option). It has two variants, the A330-800 and A330-900, with the former having a shorter frame (and longer range) than the latter.

However, the -800 model has not been popular. Airbus has received orders for only 8 A338s from one airline, Kuwait Airlines, as opposed to 231 orders for the A330-900 variant. It is unlikely that the A338 variant will attract large orders, considering that the -900 variant is as capable as the -800 and the entire A330NEO line is facing stiff competition from Boeing 787s.

Boeing has had a better experience with the number 8.

Even though its latest variant of the 747, the 747-8, is not selling well (with only 154 orders), the saving grace for Boeing is that it spent a modest amount to develop the B747-8, as it was a modification of an earlier model, the 747-400. Boeing could also claim that nothing could dethrone the ‘queen of the skies’, as the 747-8 – with the current backlog and production rate – will still be in production when the last A380 leaves the Airbus production line.

While the 747-8 is not considered successful, Boeing has had a better experience with the number 8 on its latest twin-engine wide-body model, the 787. This model has been a runaway success, clocking more than 1,400 orders. Its smallest variant, the 787-8, has a similarity to the A388: it has a ‘double-eight’. However, the similarity ends there, as airlines ordered 444 B787-8s, far better than the 251 orders for the A380s.

So, number 8 may not be a lucky number for everyone!

 

* Technically the A380 has 3 decks; however the passengers would see only the main deck and upper deck. The lower deck is used for cargo or crew rest area.

Cold Call

In my work, it is ‘routine’ for me to receive cold calls from companies. The callers either try to promote their companies or services, conduct a survey or want to send a ‘free’ white paper. Companies can easily find my DID number because my number (like those of all my colleagues in the company) is published on the Internet.

Such calls are really annoying. Firstly, unlike junk SMS or junk emails/mails, you cannot simply ignore incoming calls. Even though the calls are from numbers you don’t know, you don’t know what the call is about until you pick up and listen to what the caller says. It can be disruptive, especially when you are in the middle of work that requires concentration.

I always asked the caller to email me the information and then ended the call. I don’t mind giving them my email address; I can simply read those materials anytime or quickly delete them if I don’t find them useful. If I find the materials or services relevant to me, I would call or email the company for more information.

However, most of the callers did not want to stop at the email address. They continued asking questions regarding the IT in my company. The main issue with such calls is that I have no way to verify the caller. I am acutely aware of social engineering. The caller may claim to be from one company, but what he wants is to gain insight into my IT infrastructure; such insight may be useful for penetrating the IT system.

It does not help that I noticed the number of such calls surged after I changed portfolio from Application to Infrastructure. Every day, without fail, I received at least one such cold call.

I prefer to be safe rather than sorry. I usually asked the caller to drop me an email with the questions. If they insisted on continuing with questions over the phone, I simply hung up.

But sometimes the callers can be quite daring. One day I received a call claiming that my CIO (Chief Information Officer) had had a meeting with the caller's company and had asked him to call me. What puzzled me was that the company had been a long-time vendor of ours, and my CIO and I had just met with their management a week earlier. He asked some questions regarding our infrastructure and became impatient when I declined to give any information. He even threatened that he would let my CIO know that I was not cooperative.

A few minutes later my colleague across the table received a call, and from his replies I could deduce he had received a similar call, so I quickly gave him a note that the call should be terminated. Everybody in the division was alerted and, true enough, almost everyone received such a call.

It did not stop there. One month later I received a similar call, this time claiming that my Assistant Managing Director (AMD) was the one who had asked him to call me. Same pattern, same alert ringing across the division. I joked that at that rate the caller would soon claim that my MD and later the chairman had asked him to call us. It did not happen, though.