<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0">
	<channel>
		<title>Blog</title>
		<link>http://blog.frapu.de/index.php</link>
		<description><![CDATA[]]></description>
		<copyright>Copyright 2010, Frank Puhlmann</copyright>
		<managingEditor>Frank Puhlmann</managingEditor>
		<language>en-US</language>
		<generator>SPHPBLOG 0.4.8</generator>
		<item>
			<title>It&#039;s here: Mobile BPM on iPhone</title>
			<link>http://blog.frapu.de/index.php?entry=entry100515-210407</link>
			<description><![CDATA[Here is something really cool that you should check out: BPM on iPhone (<a href="http://itunes.apple.com/de/app/inubit-app-for-mobile-bpm/id368730628?mt=8" target="_blank" >inubit App for mobile BPM</a>). <br /><br /><img src="images/iphoneapp.png" width="323" height="482" border="0" alt="" /><br /><i>Executing</i> BPMN 2.0 process (the red frame shows the current task).]]></description>
			<category>tech, work</category>
			<guid isPermaLink="true">http://blog.frapu.de/index.php?entry=entry100515-210407</guid>
			<author>Frank Puhlmann</author>
			<pubDate>Sat, 15 May 2010 19:04:07 GMT</pubDate>
			<comments>http://blog.frapu.de/comments.php?y=10&amp;m=05&amp;entry=entry100515-210407</comments>
		</item>
		<item>
			<title>Chip and PIN is broken</title>
			<link>http://blog.frapu.de/index.php?entry=entry100212-211706</link>
			<description><![CDATA[Today I found an interesting link at Heise.de regarding a major flaw in the implementation of the EMV framework used for PIN-based payment authorization of bank/credit cards. Four researchers from the University of Cambridge describe how the current system can easily be manipulated (<a href="http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf" target="_blank" >PDF</a>). The results must be a major shock for the banking industry, since it is now evident that a customer is not per se liable if a transaction was authorized by PIN. <br /><img src="images/InsertYourChipcard.png" width="477" height="304" border="0" alt="" /><br /><br /><br />The approach is a classical man-in-the-middle attack. At some point in the negotiation phase between the terminal and the card, the customer enters his/her PIN into the terminal, which sends the PIN data to the card for verification. Unfortunately, the card returns a simple, unsecured response (0x9000) in case the PIN was entered correctly. Guess what? You can intercept this communication and return 0x9000 for any PIN entered! Even worse, the terminal believes you authorized the transaction via PIN (and prints a receipt with &quot;PIN authorization&quot;), whereas the card and bank use a fallback mechanism that is used for signature-based authorization. Worse still, most specific protocol implementations do not even log this fallback. Of course, the merchant doesn&#039;t have the customer&#039;s signature, just a log with &quot;PIN authorization&quot;. Still, this was enough to make judges believe that the customer was careless with his PIN. Now, however, it <i>was</i> enough. <br /><br />The most important fact, however, is the ignorance of the industry regarding open standards and security issues. Seven years ago, in 2003, I wrote my Diploma thesis about the reconfiguration of Smart Cards via open networks (<a href="http://frapu.de/pdf/da.pdf" target="_blank" >PDF, in German</a>). 
An important part of my work was the analysis of the security frameworks that were offered at that point in time (Visa Open Platform). One of my key findings (written down in section 6.6.3) was that the response code of the Smart Card&#039;s operating system application (the Card Manager) was not signed or otherwise secured. I found this to be a major bug for updating the content of a Smart Card via open networks, but unfortunately no card vendor was able to deliver something more secure. Luckily, the flaw did not tamper with our main application on the card, a campus card application with digital signature functionality. Remarkably, the very same problem still exists seven years later.<br /><br />]]></description>
			<category>research, tech</category>
			<guid isPermaLink="true">http://blog.frapu.de/index.php?entry=entry100212-211706</guid>
			<author>Frank Puhlmann</author>
			<pubDate>Fri, 12 Feb 2010 20:17:06 GMT</pubDate>
			<comments>http://blog.frapu.de/comments.php?y=10&amp;m=02&amp;entry=entry100212-211706</comments>
		</item>
		<item>
			<title>New books on BPMN 2.0</title>
			<link>http://blog.frapu.de/index.php?entry=entry090720-212758</link>
			<description><![CDATA[During the last month, two interesting books on BPMN have been published. Below you find my reviews.<br /><br /><h2>The Process (A. Großkopf, G. Decker, M. Weske)</h2><img src="images/rating5.png" width="99" height="20" border="0" alt="" /><br />The Process is a novel on process modeling that tries to teach you BPMN inside a story, as done in, e.g., The Goal by Eliyahu Goldratt and Jeff Cox. Interestingly, the book is written by academicians. In contrast to a text book, however, the book is written for consultants and managers who need to have at least a clue on how to read a process model. <br /><br />The introduction to BPMN is centered around a business scenario, where a young man named Tom Bauer is hired for his first job after university. He has no clue about BPMN but gets the job of documenting the company&#039;s work for his boss. Luckily for him, there&#039;s already someone in the company, Anne, who can teach him the basics of the notation. Tom walks around the company and asks different people to get the process modeled. While doing this, of course, he always needs to learn new elements to capture his findings. He writes each newly learned element in his notebook, which acts as some kind of reference at the end of each chapter. Later on, he attends a BPMN training by some well-known BPMN guru, to learn more about advanced constructs and some surroundings of process modeling, such as the core ideas of Reengineering the Corporation by Hammer and Champy. The book ends with a very neat motivation for Business Process Management (BPM), where process modeling is just the starting point.<br /><br />Technically, the book contains just one running example that is refined in each chapter. Some figures are even drawn by hand, which gives a very nice impression. 
The book teaches you all the basic constructs of BPMN 1.x and also discusses different variants to model the same thing---known as shortcuts.<br /><br />In general, I really love the idea of writing a novel on the topic. In the beginning, the book is a bit too slow from the story&#039;s point of view (or rather boring, but that might be due to my existing knowledge on the topic). Nevertheless, the story speeds up and has its highlight in the evening discussion of the guru&#039;s workshop. Did I say that I like the neat motivation for BPM that ends the book? <br /><br />The book also has a little drawback. Don&#039;t expect a story like in The Goal. Tom Bauer has no family, no love to care about, and LaserTec (the company he works for) is neither fighting with bankruptcy nor competition. While in the beginning I found this to be a major drawback, after reading the complete book I found it to be an advantage: the focus on the topic. You simply don&#039;t need to skim through the process modeling pages just to get to know how the love story ends. After all, I was able to read the complete book during a one-day business trip (ca. 6 hours travel time). <br /><br />You should also be aware that the book advertises the kind of product that the company of two of the authors offers: a Web-based process editor. While I like the idea of passing around links to process models, I actually do not see how this fits with a consultant working on the models while traveling (at least as long as no broadband internet is available in a plane).<br /><br />Nevertheless, I rate the book 5 out of 5 and can strongly recommend it to any consultant or beginner in process modeling. But be aware that you might need a more complex reference to start modeling your own processes (maybe the one from the next review?).<br /><br /><h2>BPMN Method &amp; Style (B. 
Silver)</h2><img src="images/rating4.png" width="81" height="21" border="0" alt="" /><br />Bruce Silver, a well-known BPMN trainer and member of the BPMN standardization committee, provides a very well written book on BPMN. In contrast to other books that give you a straightforward introduction to the elements, Silver focuses on a methodology for BPMN. He doesn&#039;t only teach you all the elements of a process model---including the new ones from BPMN 2.0---but more importantly, he teaches when to make use of them and when to avoid them. That makes the book perfect for process analysts and modelers.<br /><br />His approach is split into three levels: the descriptive modeling for documenting the process flow, the analytical modeling that adds more details, such as exception handling, and the executable modeling, which ships with BPMN 2.0 and allows the definition of directly executable process models. <br /><br />The book contains a lot (and I really mean a lot) of examples, patterns, and best/worst practices. Especially the patterns and practices come in very handy for practitioners: Should I use a sub-process or a pool? How should I introduce exception handling? These and many other things are discussed.<br /><br />The book, however, has one major drawback. It doesn&#039;t tell you a single word about choreographies and conversations, two brand new BPMN 2.0 model types (besides a reference to page 216 in the index---that is indeed the last page of the book that states &quot;Printed in the United States&quot;). Choreographies describe the interactions between different participants from the viewpoint of the interaction flow (not from the participants!) and conversations describe a set of related message exchanges between different participants. Especially choreographies make a lot of sense in many business scenarios (or can you name a business that doesn&#039;t have suppliers and customers?). 
If you&#039;re interested in seeing such models, take a look at my Wimmelbild (<a href="http://frapu.de/pdf/BPMN20-Wimmelbild.pdf" target="_blank" >link</a>) or read an interesting paper (in German) from Thomas Allweyer (<a href="http://kurze-prozesse.de/blog/wp-content/uploads/2009/06/kollaborationen-choreographien-und-konversationen-in-bpmn-20.pdf" target="_blank" >link</a>).<br /><br />Furthermore, the print quality of the models looks a bit poor (never heard of vector graphics?). I would expect such a book to have a better finish. To see what I mean, just try to print the mentioned Wimmelbild and compare it to the models given in the book.<br /><br />I rate the book 4 out of 5, since at least an outlook on choreographies and conversations should be contained. Otherwise, this is almost the perfect book on the topic.<br />]]></description>
			<category>research, work</category>
			<guid isPermaLink="true">http://blog.frapu.de/index.php?entry=entry090720-212758</guid>
			<author>Frank Puhlmann</author>
			<pubDate>Mon, 20 Jul 2009 19:27:58 GMT</pubDate>
			<comments>http://blog.frapu.de/comments.php?y=09&amp;m=07&amp;entry=entry090720-212758</comments>
		</item>
		<item>
			<title>BPMN 2.0 Wimmelbild</title>
			<link>http://blog.frapu.de/index.php?entry=entry090701-211320</link>
			<description><![CDATA[The BPMN 2.0 specification was submitted to the OMG almost a month ago (<a href="http://www.bpmnforum.net/blog27/bpmn/success-with-bpmn-20/" target="_blank" >read more</a>). The most obvious news is of course the support for modeling explicit conversations and choreographies. But also the traditional &quot;internal process&quot; view has been enhanced a lot with Event Sub Processes, Non-interrupting Events, Data Stores, Data Objects representing Collections, or the Star-Trek-inspired Escalation Event, to name just a few.<br /><br />To give you some impressions on what the current BPMN 2.0 draft provides, I created a so-called BPMN 2.0 Wimmelbild. Wimmelbild is a German word for an illustrated page showing a scene with many, many different details, typically for children. An example is a crowded city crossing, a park, etc. The page is full of details, with many people and things &quot;wimmeling&quot; around. <br /><br />All I did was transferring this concept to BPMN 2.0 - enjoy the result!<br /><br /><a href="http://frapu.de/pdf/BPMN20-Wimmelbild.pdf" target="_blank" ><img src="images/BPMN20-Wimmelbild.png" width="480" height="453" border="0" alt="" /></a><br /><br />All models are in the context of an auctioning platform. From top-left to bottom-right: High level conversation view, a part of the choreography, and the refined process view.<br /><br /><i>07/30/2009: I updated the Wimmelbild to fix some errors and add more elements.</i>]]></description>
			<category>research, work</category>
			<guid isPermaLink="true">http://blog.frapu.de/index.php?entry=entry090701-211320</guid>
			<author>Frank Puhlmann</author>
			<pubDate>Wed, 01 Jul 2009 19:13:20 GMT</pubDate>
			<comments>http://blog.frapu.de/comments.php?y=09&amp;m=07&amp;entry=entry090701-211320</comments>
		</item>
		<item>
			<title>Happy Birthday Maja</title>
			<link>http://blog.frapu.de/index.php?entry=entry090512-010400</link>
			<description><![CDATA[Without words (I just fixed the date of the entry).<br /><br /><img src="images/maja_born.jpg" width="480" height="270" border="0" alt="" />]]></description>
			<category>life</category>
			<guid isPermaLink="true">http://blog.frapu.de/index.php?entry=entry090512-010400</guid>
			<author>Frank Puhlmann</author>
			<pubDate>Mon, 11 May 2009 23:04:00 GMT</pubDate>
			<comments>http://blog.frapu.de/comments.php?y=09&amp;m=05&amp;entry=entry090512-010400</comments>
		</item>
		<item>
			<title>Donauwellen</title>
			<link>http://blog.frapu.de/index.php?entry=entry090223-210152</link>
			<description><![CDATA[Last weekend I baked a very tasty cake called &quot;Donauwellen&quot; (Donau waves). While I forgot to take a picture, I created a process diagram showing the necessary steps to reproduce the result (in German):<br /><br /><a href="http://frapu.de/extras/rezepte/pics/Donauwellen.png" target="_blank" ><img src="images/Donauwellen_small.png" width="480" height="273" border="0" alt="" /><br /></a><br /><br />You can find the full <a href="http://frapu.de/extras/rezepte/donauwellen.html" target="_blank" >recipe</a> here (also in German).]]></description>
			<category>life</category>
			<guid isPermaLink="true">http://blog.frapu.de/index.php?entry=entry090223-210152</guid>
			<author>Frank Puhlmann</author>
			<pubDate>Mon, 23 Feb 2009 20:01:52 GMT</pubDate>
			<comments>http://blog.frapu.de/comments.php?y=09&amp;m=02&amp;entry=entry090223-210152</comments>
		</item>
		<item>
			<title>New Book Chapter on Pi-Calculus and BPM</title>
			<link>http://blog.frapu.de/index.php?entry=entry090206-225826</link>
			<description><![CDATA[Finally, one of my last scientific works on BPM and the pi-calculus has been published as a book chapter in <i>Process Algebra for Parallel and Distributed Processing</i>, edited by Michael Alexander and William Gardner.<br /><br /><img src="images/pabook.jpg" width="240" height="240" border="0" alt="" /><br /><br />The chapter itself is called <i>Business Process Specification and Analysis</i>. In contrast to prior work, it is written at a more sophisticated formal level (at least from my point of view), thanks to my co-author Uwe Nestmann. Indeed, I wish my doctoral thesis were this formal. <br /><br />Technically, we investigated the asynchronous pi-calculus (new work here) and also introduced a formal or-join execution semantics for the pi-calculus (more new work, but not completely formalized). The main focus, however, was the introduction and discussion of Trios, a concept that refined the functional abstraction (definition 5.2 of my <a href="http://frapu.de/pdf/diss.pdf" target="_blank" >thesis</a>). <br /><br />Concluding, I can recommend the paper to anyone (still) interested in using the pi-calculus in the area of BPM (what else should I say as an author :-). Unfortunately, I have no permission to provide a PDF file for download, so you have to either find a library or make a rather <a href="http://www.amazon.com/Process-Parallel-Distributed-Processing-Computational/dp/142006486X/ref=pd_bbs_sr_1?ie=UTF8&amp;s=books&amp;qid=1233957287&amp;sr=8-1" target="_blank" >huge investment</a> to get the chapter. <br /><br />But what I can offer for free is a prototypical tool that was developed during the writing of the chapter. While it&#039;s command line based (written in Ruby), it has a graphical representation of the business process currently executed. 
And yes, you need the same Mac tool (called OmniGraffle) as for the <a href="http://frapu.de/bpm/soundnesstoolchain.html" target="_blank" >Lazy Soundness Toolchain</a> to create your own BPDs that can be imported. But don&#039;t worry, I provide a lot of ready-to-use examples to showcase the execution and analysis of business processes in the asynchronous pi-calculus. The homepage of the tool, called pishell, can be found <a href="http://frapu.de/bpm/pishell.html" target="_blank" >here</a>. Have fun!<br /><br />I would also like to place a last comment (and thanks) to the editors and publishers of the book. In contrast to Springer (where you have to do it all by yourself), the chapter was proof-read by experts and the grammar and spelling have been professionally checked.<br />]]></description>
			<category>research, work</category>
			<guid isPermaLink="true">http://blog.frapu.de/index.php?entry=entry090206-225826</guid>
			<author>Frank Puhlmann</author>
			<pubDate>Fri, 06 Feb 2009 21:58:26 GMT</pubDate>
			<comments>http://blog.frapu.de/comments.php?y=09&amp;m=02&amp;entry=entry090206-225826</comments>
		</item>
		<item>
			<title>Commercial: OOP 2009 presentation</title>
			<link>http://blog.frapu.de/index.php?entry=entry090122-215702</link>
			<description><![CDATA[I&#039;m giving my first <a href="http://www.sigs-datacom.de/sd/kongresse/oop_2009/program.php?cat=vendor&amp;ID=25" target="_blank" >public presentation</a> this year at the OOP 2009 conference taking place next week in Munich. In contrast to the last years&#039; scientific talks, this will be my first industry (say commercial) talk.<br /><br />So, if you&#039;re around, I happily invite you to learn about the inubit way of practicing holistic business process management. I will guide you through the 45 minutes with a showcase based on an HR process. Besides slides, I will also give a live demonstration.<br /><br />Date: Tuesday, Jan 27, 2009 13:00 - 13:45 ]]></description>
			<category>work</category>
			<guid isPermaLink="true">http://blog.frapu.de/index.php?entry=entry090122-215702</guid>
			<author>Frank Puhlmann</author>
			<pubDate>Thu, 22 Jan 2009 20:57:02 GMT</pubDate>
			<comments>http://blog.frapu.de/comments.php?y=09&amp;m=01&amp;entry=entry090122-215702</comments>
		</item>
		<item>
			<title>Happy new Year!</title>
			<link>http://blog.frapu.de/index.php?entry=entry081230-224441</link>
			<description><![CDATA[Today I just wish you all a happy new year! May all of your dreams, wishes, and hopes come true. <br /><br />And yes, I promise again that the things I promised in some of the last blog entries might come true next year.]]></description>
			<category>life</category>
			<guid isPermaLink="true">http://blog.frapu.de/index.php?entry=entry081230-224441</guid>
			<author>Frank Puhlmann</author>
			<pubDate>Tue, 30 Dec 2008 21:44:41 GMT</pubDate>
			<comments>http://blog.frapu.de/comments.php?y=08&amp;m=12&amp;entry=entry081230-224441</comments>
		</item>
		<item>
			<title>BPMN and the Event-based Gateway</title>
			<link>http://blog.frapu.de/index.php?entry=entry081125-231402</link>
			<description><![CDATA[Today I would like to tell you something about BPMN&#039;s Event-based Gateway. If you don&#039;t remember it by now, maybe you do by taking a closer look:<br /><br /><img src="images/event-gateway-1.png" width="258" height="98" border="0" alt="" /><br /><br />The shape of the Event-based gateway changed from BPMN 1.0 to BPMN 1.1. Both types of Gateways (Event-based or Exclusive) make a decision, i.e. only one of the outgoing Sequence Flows is taken. Only one of the Gateways, however, is used for joining Sequence Flows. That one is the Exclusive Gateway (please keep this in mind when modeling).<br /><br />But what are the differences between the two types of Gateways, which make a decision leading to the activation of exactly one of the outgoing Sequence Flows? Here are the golden rules:<br /><br />1. An Exclusive Gateway is always used when the decision is internal (up to you, based on locally available information).<br />2. An Event-based Gateway must be used when the decision is external (up to others, based on distributed events).<br /><br />Consider for instance a simple business process of getting in touch with a friend:<br /><br /><img src="images/event-gateway-2.png" width="325" height="137" border="0" alt="" /><br /><br />You could either choose to write a letter or make a phone call. The decision on how to get in touch is made in the Exclusive Gateway numbered with (1). Please note that the decision on how to get in touch is completely up to you. The Sequence Flows are joined with the Exclusive Gateway numbered with (2).<br /><br />The corresponding business process of your friend, however, cannot anticipate how you will get in touch with him. 
He needs to support both cases, where the decision is triggered externally:<br /><br /><img src="images/event-gateway-3.png" width="326" height="169" border="0" alt="" /><br /><br />The decision is made in the Event-based Gateway (3), based on the directly following Event that is triggered first. The flows are joined, once again, by an Exclusive Gateway, in (4).<br /><br />The difference becomes immediately visible when the two business processes are brought together to form a choreography:<br /><br /><img src="images/event-gateway-4.png" width="412" height="309" border="0" alt="" /><br /><br />It can be clearly seen that the decision is made in the upper Pool, whereas the lower Pool can only react to that decision. <br /><br />Now, hopefully, I will never see a BPD with a wrong use of the Event-based Gateway anymore (and I&#039;ve seen way too many).]]></description>
			<category>work</category>
			<guid isPermaLink="true">http://blog.frapu.de/index.php?entry=entry081125-231402</guid>
			<author>Frank Puhlmann</author>
			<pubDate>Tue, 25 Nov 2008 22:14:02 GMT</pubDate>
			<comments>http://blog.frapu.de/comments.php?y=08&amp;m=11&amp;entry=entry081125-231402</comments>
		</item>
	</channel>
</rss>

