Session tracking and secure communications: EBay case study


Upload: ebayworld

Post on 18-Nov-2014


Page 1: Session tracking and secure communications: EBay case study

IELM 231: IT for Logistics and Manufacturing

Course Agenda

Introduction

IT applications design: Human-Computer Interface

Fundamental IT tools: sorting, searching

The Client-Server architecture, Interacting applications

IT in logistics, Case study 2: web-based auctions

IT in logistics, Case study 1: web-search

- How auctions work
- Web issues: session tracking
- Web issues: secure communications
- Web issues: cash transactions

- Search robots
- Data processing, Data storage/retrieval (DB, indexes)
- Data presentation: page ranking techniques

Page 2: Session tracking and secure communications: EBay case study

Web auctions: basics

Basic operations of a popular web-auction site: EBay

For each item: One seller – many bidders – one bid winner

Sellers' actions:
- Login / Create an account → login
- Upload the details of item for sale
- Set up auction parameters: closing date, seller’s reserve, tick, buy-it-now-price

Bidders' actions:
- Login / Create an account → login
- Evaluate personal value of item: Independent Private Value
- Bid some amount for the item (same as IPV ??) [possibly repeatedly update bid until auction closes]

Page 3: Session tracking and secure communications: EBay case study

Web auctions: basics..

Technical issues

Design issues

When a user registers, how to send their data securely to server?

After login, how to keep track of the user after they click on links?

How to upload product data/bid data from client to EBay server?

What data is required to be stored for each user?

How to display the > 100 million items for sale?

How to manage the auction ? - what bid to display, tick, commission, …

Page 4: Session tracking and secure communications: EBay case study

Web auctions basics: technical issues

How to upload product data/bid data from client to EBay server?
- Using HTML forms

How to upload images?
- Using HTML forms, but need special CGI functions to handle data

How to display the > 100 million items for sale?
- Directory-structure search interface (hierarchy of categories) [cf. Yahoo]
- Site search engine

Page 5: Session tracking and secure communications: EBay case study

Web auctions basics: technical issues

After login, how to keep track of the user after they click on links?

Session tracking requires using cookies (you will learn this in lab)

HTTP servers are ‘stateless’: after sending a requested page, the server does not check its ‘past’ actions before responding to the next request.

Exchange between client and server (www.abc.com):

1. client → server:
   GET /index.html HTTP/1.1
   Host: www.abc.com

2. server → client:
   HTTP/1.1 200 OK
   Content-type: text/html
   Set-Cookie: name=value; expires=Date;
   <html> … </html>

   Example of name=value: SID=189234&user=joneja&p1=racket1234
   Example of expires=Date (optional): Mon, 24-12-2007 12:00:00 GMT;

   Client stores cookie: name=value

3. client → server:
   GET /afile.html HTTP/1.1
   Host: www.abc.com
   Cookie: name=value
   Accept: */*

4. server → client:
   HTTP/1.1 200 OK
   Content-type: text/html
   [..possibly reset cookie..]
   <html> … </html>
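The four-message exchange on this slide, as an added example that is not part of the original slides: a server-side handler that issues a cookie on the first request and recognises it on the next. Unlike the slide's sample value, the cookie here carries only a random session ID and the per-user data stays on the server; `handle_request`, `SESSIONS` and the HttpOnly/Secure attributes are assumptions of this sketch.

```python
# Added example (not from the slides): cookie-based session tracking over
# stateless HTTP. The SID cookie name and the paths follow the slide;
# handle_request and SESSIONS are hypothetical names.
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side state: session id -> per-user data


def handle_request(path, cookie_header=None):
    """Serve one request; the cookie is the only link to earlier requests."""
    jar = SimpleCookie(cookie_header or "")
    sid = jar["SID"].value if "SID" in jar else None
    headers = {"Content-type": "text/html"}
    if sid not in SESSIONS:
        # Missing or unknown cookie: start a new session with an unguessable id.
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = {"pages": []}
        out = SimpleCookie()
        out["SID"] = sid
        out["SID"]["httponly"] = True   # not readable by page scripts
        out["SID"]["secure"] = True     # only sent over https
        out["SID"]["path"] = "/"
        headers["Set-Cookie"] = out["SID"].OutputString()
    SESSIONS[sid]["pages"].append(path)
    body = "<html>visited: %s</html>" % ", ".join(SESSIONS[sid]["pages"])
    return "200 OK", headers, body


def demo():
    """Replay the four numbered messages from the slide."""
    # Messages 1-2: the first request has no cookie, so the response sets one.
    _, h1, _ = handle_request("/index.html")
    set_cookie = h1["Set-Cookie"]
    # The client stores name=value (the part before the first ';').
    stored = set_cookie.split(";", 1)[0]
    # Messages 3-4: the cookie comes back and the server finds the session.
    _, h2, body2 = handle_request("/afile.html", stored)
    # A SID the server never issued matches nothing and gets a fresh session.
    _, h3, body3 = handle_request("/afile.html", "SID=189234")
    return set_cookie, h2, body2, h3, body3
```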

Page 6: Session tracking and secure communications: EBay case study

Web auctions basics: technical issues

When a user registers, how to send their data securely to server?

Data encryption → transmit encrypted data → decrypt data on server

How to encrypt/decrypt ?

Shared secret password: Symmetric keys (you will learn this in lab)

Asymmetric keys (used by the Secure Sockets Layer protocol, or SSL)

Page 7: Session tracking and secure communications: EBay case study

Web security background

1. Passive attacks:
Attacker monitors data traffic on the web, and collects some information not sent to him (using ‘packet sniffers’)

2. Active attacks:
(a) Attacker gains access to some computer using security loopholes (typically using virus, worms, trojan horse, etc.)
(b) Spoofing: attacker pretends to be a trusted system, to make the user believe it is safe to send them some secure data.
(c) Cryptographic attack: attacker captures encrypted data and decrypts it (e.g., repeatedly trying many possible passwords)

3. Denial of service attacks:
Attacker overloads your server with too many requests, blocking other users from accessing it.

4. Social engineering:
Attacker uses personal communication/phone call to cheat you into telling them some secret information (e.g. password, credit card pin)

Page 8: Session tracking and secure communications: EBay case study

Data encryption: symmetric-key encryption

1. Sender and receiver share a secret key via email/phone/letter

2. Sender encrypts data, sends; receiver decrypts data, reads

data → encryption algorithm → @#r% → (sent) → @#r% → decryption algorithm → data

Usually, the encryption and decryption uses same key (password)

Common examples: DES algorithm (chops data into 64 bit ‘blocks’, encrypting each with a 56 bit key.) Feistel cipher

Page 9: Session tracking and secure communications: EBay case study

Data encryption: asymmetric-key (private key, public key)

Each party wishing to communicate has two keys:
- Public key: a password that is released to everyone
- Private key: a secret password that is not told to anyone

Properties of Public, Private keys:
- must be different from each other
- mathematically related
- impossible to determine one from the other

Two common uses of Asymmetric keys:
- Secure communications: sending encrypted data
- Identity verification: digital signatures

Page 10: Session tracking and secure communications: EBay case study

Data encryption: asymmetric-key (private key, public key)

Secure communications

- Sender encrypts data with receiver’s public key (r_pub), sends
- Receiver decrypts data with receiver’s private key (r_pri), reads

data → encryption algorithm [r_pub] → @#r% → (sent) → @#r% → decryption algorithm [r_pri] → data

Digital signatures

- Sender encrypts data with sender’s private key (s_pri), sends
- Receivers decrypt data with sender’s public key (s_pub), read

data → encryption algorithm [s_pri] → @#r% → (sent) → @#r% → decryption algorithm [s_pub] → data (once for each receiver)
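Both uses of a key pair shown on this slide, as an added example that is not part of the original slides. It uses textbook RSA without padding on a small constructed key, which is for illustration only (real systems use a vetted library with padded schemes); the function names, the SHA-256 digest and the key size are assumptions.

```python
# Added example (not from the slides): textbook RSA without padding, for
# illustration only. Key size, hash and all function names are assumptions.
import hashlib

# Constructed key pair from two known Mersenne primes (far too small for real use).
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q
E = 65537                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent
PUB, PRI = (E, N), (D, N)


def to_int(data: bytes) -> int:
    value = int.from_bytes(data, "big")
    if value >= N:
        raise ValueError("message too long for this toy modulus")
    return value


def apply_key(value: int, key) -> int:
    """The one RSA operation: modular exponentiation with either key."""
    exponent, modulus = key
    return pow(value, exponent, modulus)


# Secure communications: encrypt with r_pub, decrypt with r_pri.
def encrypt(data: bytes, r_pub) -> int:
    return apply_key(to_int(data), r_pub)


def decrypt(cipher: int, r_pri) -> bytes:
    plain = apply_key(cipher, r_pri)
    return plain.to_bytes((plain.bit_length() + 7) // 8, "big")


# Digital signatures: transform a digest with s_pri; anyone checks with s_pub.
def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, s_pri) -> int:
    return apply_key(digest(data), s_pri)


def verify(data: bytes, signature: int, s_pub) -> bool:
    return apply_key(signature, s_pub) == digest(data)
```

A signature made over one message does not verify against an altered one, which is what lets a receiver detect tampering as well as confirm the sender.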

Page 11: Session tracking and secure communications: EBay case study

Asymmetric keys: user verification

Problem: how will a user know whether the public key they ‘fetch’ over the internet is really from the party they are communicating with, or has been altered by some malicious party?

Solution: use of a “trusted” intermediary (third party), who is in charge of
(a) providing keys to all interacting parties
(b) physically checking that each party is who they claim to be

Implementation

- Use of a Public Key Infrastructure (PKI), which usually involves a 3rd party Certificate Authority (CA) who issues and manages keys for the applications that are communicating.

Some common CAs: VeriSign, Comodo, GoDaddy, DigiCert, …

Page 12: Session tracking and secure communications: EBay case study

Two common technologies for secure web communication

Using TLS (Transport Layer Security)

- A set of functions written in the transport layer
- URL is of the form: https://host/path/file
- Connection on server is typically on port 443
- When a secure page is requested, TLS protocol will
  - verify identity of both parties
  - use symmetric-key encryption in the rest of the session

Using SHTTP

- Implemented as a set of functions in application layer
- URL is of the form: shttp://host/path/file
- Used by very few systems

Page 13: Session tracking and secure communications: EBay case study

TLS connections (simplified)

Keys shown on the slide: c_pub, c_pri (client key pair); s_pub, s_pri (server key pair)

client:
- client generates a random number: rc
- encrypts rc with s_pub: *rc
- client requests secure page: https://host/page
  includes: (a) list of cipher funcs, (b) *rc

server:
- decrypts *rc with s_pri: rc
- server generates a random number: rs
- encrypts rs with c_pub: *rs
- encrypts server certificate sc with s_pri: *sc
- server sends requested page, + *rs, *sc

client:
- decrypts *rs with c_pri: rs
- decrypts *sc with s_pub: sc
- client contacts CA to verify server identity

next page…

Page 14: Session tracking and secure communications: EBay case study

TLS connections (simplified)

Keys shown on the slide: c_pub, c_pri (client key pair); s_pub, s_pri (server key pair)

State carried over from the previous page: both sides hold rc and rs; the client holds sc.

client:
- client contacts CA to verify server identity
- encrypts client certificate cc with c_pri: *cc
- sends encrypted certificate

server:
- decrypts *cc with c_pub: cc
- server contacts CA to verify client identity

client:
- client generates a random number (pre-password): pms
- encrypts pre-password with s_pub: *pms

server:
- decrypts *pms with s_pri: pms

both:
- client, server independently calculate password pass from pms, rs, rc
- Secure, symmetric-key session with password: pass
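The last steps of this simplified handshake, as an added example that is not part of the original slides: the client sends pms encrypted under s_pub, and both sides derive pass from pms, rc and rs without ever transmitting it. The slide names no derivation function, so HMAC-SHA256 is an assumption, as are the function names and the small constructed RSA key.

```python
# Added example (not from the slides). HMAC-SHA256 as the derivation function
# and all names are assumptions; the toy RSA key is constructed for the demo.
import hashlib
import hmac
import secrets

P, Q = 2**127 - 1, 2**89 - 1             # known primes, too small for real use
S_PUB = (65537, P * Q)                   # server public key (e, n)
S_PRI = (pow(65537, -1, (P - 1) * (Q - 1)), P * Q)   # server private key (d, n)


def derive_pass(pms: bytes, rc: bytes, rs: bytes) -> bytes:
    """Computed independently on both sides; pass never crosses the network."""
    return hmac.new(pms, b"session key" + rc + rs, hashlib.sha256).digest()


def client_side(rc: bytes, rs: bytes):
    """Client picks pms, encrypts it with s_pub, and derives pass."""
    pms = secrets.token_bytes(16)
    star_pms = pow(int.from_bytes(pms, "big"), *S_PUB)
    return star_pms, derive_pass(pms, rc, rs)


def server_side(star_pms: int, rc: bytes, rs: bytes) -> bytes:
    """Server recovers pms with s_pri and derives the same pass."""
    pms = pow(star_pms, *S_PRI).to_bytes(16, "big")
    return derive_pass(pms, rc, rs)


def protect(key: bytes, message: bytes) -> bytes:
    """Symmetric use of pass: a tag only the two key holders can compute."""
    return hmac.new(key, message, hashlib.sha256).digest()


def handshake():
    rc, rs = secrets.token_bytes(16), secrets.token_bytes(16)
    star_pms, client_pass = client_side(rc, rs)
    server_pass = server_side(star_pms, rc, rs)
    # With fresh rc and rs the derived key differs even if an old *pms is
    # replayed, which is why both random numbers enter the calculation.
    replayed = server_side(star_pms, secrets.token_bytes(16), secrets.token_bytes(16))
    return client_pass, server_pass, replayed
```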

Page 15: Session tracking and secure communications: EBay case study

Web auctions basics: EBay design

What we have learnt up to now:
- How to set up an E-commerce site
- Where to store data (DB)
- How to set up navigation for users (directories, search)
- How to manage sessions
- How to allow client and server to communicate securely

Next we consider:
- How to design a ‘good’ auction web-site (using E-bay as a case)

Design (and simple analysis) of auctions

Page 16: Session tracking and secure communications: EBay case study

Types of auctions

1. First price, sealed bid

- All bidders put their ‘bid’ in a sealed envelope and submit to auctioneer

- At the ‘closing time’, auctioneer opens all envelopes

- Highest bidder wins, and must pay the amount on the bid

Properties:

- No “open” (i.e. face-to-face) competition

- Each buyer must evaluate the value of the item to make their bid: Independent Private Value (IPV)

- This type of auction can also be used as a mail-bid auction

Page 17: Session tracking and secure communications: EBay case study

Types of auctions..

2. Open, Increasing bid auctions (English auction)

- Auctioneer starts at lowest acceptable price (reserve), and

- Increases bid amount in small steps (tick)

- Price rises until only one bidder remains (winner), who pays the current price

Page 18: Session tracking and secure communications: EBay case study

Types of auctions…

3. Second price, sealed bid (Vickrey auction)

- All bidders put their bid in a sealed envelope and submit to auctioneer

- At the ‘closing time’, auctioneer opens all envelopes

- Highest bidder wins; and pays the amount on the 2nd highest bid (plus $1)

Properties:

- No “open” (i.e. face-to-face) competition

- Each buyer must evaluate the value of the item to make their bid

- This type of auction can also be used as a mail-bid auction

Page 19: Session tracking and secure communications: EBay case study

Types of auctions (Japanese variation of English auction)

Open, Simultaneous bid auctions (Japanese fish market auction)

- Auctioneer starts the auction (rings a bell)

- Bidders simultaneously signal the highest price they wish to bid

- Highest bidder wins

[Photo: A buyer checks tuna fish during an auction in Tokyo’s Tsukiji fish wholesale market]

Page 20: Session tracking and secure communications: EBay case study

Types of auctions

4. Open, Descending bid auctions (Dutch auction)

- Auctioneer starts the auction at very high price

- Price is lowered in small amounts (tick) in every time interval

- First person to make a bid wins

Five rooms with auction clocks form the heart of the auction. Each lot's price is determined by the Dutch auction system. The clock winds down from a high price, and the first buyer to press the button buys the lot. 55,000 transactions take place every morning. By the afternoon, the flowers are off to destinations around the world.

Source: http://stevefazzio.com/Holland_Amsterdam_1.html

Page 21: Session tracking and secure communications: EBay case study

Types of auctions: logical equivalences

First price auctions ≡ Dutch auction

Bidder only knows their own value (IPV) for the item

Bidder does not know the IPV of other bidders

In either case, the ‘winner’ only knows what they must pay, but doesn’t know what the IPV of the second highest bidder is (they only know that the others are willing to pay less than him).

Page 22: Session tracking and secure communications: EBay case study

Types of auctions: logical equivalences

Second price auctions (English) ≡ Vickrey auction

In each case, the winner pays more than the 2nd highest bidder

In each case, winner bids = IPV. Why?

- Bid less than IPV, and lose → regret losing item

- Bid more than IPV, and win → loss of surplus

What is the bidder’s expected surplus if he bids = IPV in First Price auction?

Page 23: Session tracking and secure communications: EBay case study

Online auction: which model to use, how to implement?

Buyers’ concerns

Maximize their benefit = (Independent Private Value – price paid)

Practical/usage issues:
- Ease of finding item they want
- Timely end of bidding
- Secure and easy payment
- Safe delivery of items
- Tax/customs, …

Sellers’ concerns

Maximize the sale price of the item

Practical issues:
- Minimum opening bid
- Sellers’ reserve (price below which item will not be sold)
- Commission to auction house (typically, 5%)
- Minimum increment (tick)
- Time limits, …

Page 24: Session tracking and secure communications: EBay case study

Online auction: which model to use?

What price should the highest bidder be required to pay?

What information should be posted on the website regarding the current bidding level?

Easiest choice:
- display the highest bid so far
- require the highest bidder to pay what he bid

→ First price auction

Problems:
- What if not all bidders are logged in simultaneously?
- Auction ends when no more higher bid is received: when to end?

→ Best mode for internet auction is to operate non-real time

Page 25: Session tracking and secure communications: EBay case study

Online auction: which model to use..

Copy the mail-bid format:
- display only the closing time of the auction
- require the highest bidder to pay what he bid

→ First price, mail bid

Question:
- Will the bidder bid = their ‘value’ ?

Preferred mode of operation:
- bidders should be given some time (e.g. 1 week) to make their bid.

Value: the price above which the bidder will prefer not to buy, and below which the bidder will buy → the indifference point

First-price mail bid → the bidder has no incentive to buy → bidder will bid below their ‘value’ → bid is “not sincere”

Page 26: Session tracking and secure communications: EBay case study

Online auction: which model to use..

Internet Vickrey model (eBay):

What happens if we display the current highest bid ?

Attempt #3: Non-real time, Second-price auction

Consider an Apple iPhone, worth approximately HK$ 3000
- Current bid = $50
- Next bidder bids $100,000
- No other bidder will be willing to bid (otherwise they have to pay 100,000!)
- Seller is doomed (since he must now sell for $50)

We should display the 2nd highest bid so far!

What information should be posted on the website regarding the current bidding level?

Question: in this case, the current displayed price = $50; - Is there any disincentive for a buyer to put a bid for, say, $2000 ?

Page 27: Session tracking and secure communications: EBay case study

Online auction: The EBay model

- Sealed bid (since only 2nd price is displayed)

- Dynamically posted 2nd price

- Second price (highest bidder only needs to pay second highest bid)

- Continuous bidding

- Each auction has a deadline

Question: Assuming honest bidders, is each bid ‘sincere’ ? i.e. Is there any reason the bidder will bid below their ‘value’ ?

Yes:

- If they bid above their value, they may have to pay more than their value → loss
- If they bid below their value, they may lose the auction → loss
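The display rule described on the last two slides, as an added example that is not eBay's code and not part of the original slides: each bidder's maximum stays sealed, and the site shows the 2nd highest bid so far, which is also what the leader would pay. The class and method names and the earliest-bid tie-break are assumptions; the amounts replay the iPhone scenario.

```python
# Added example (not eBay's code): the second-price display rule from the
# slides. Class/method names and the earliest-bid tie-break are assumptions.

class Auction:
    def __init__(self, opening_bid):
        self.opening_bid = opening_bid   # minimum starting bid (open reserve)
        self.max_bids = {}               # bidder -> hidden maximum bid
        self.order = []                  # arrival order, used to break ties

    def bid(self, bidder, amount):
        """Record a sealed maximum; bidders may bid many times but only raise."""
        if amount < self.opening_bid or amount <= self.max_bids.get(bidder, 0):
            return False
        if bidder not in self.max_bids:
            self.order.append(bidder)
        self.max_bids[bidder] = amount
        return True

    def _ranked(self):
        # Highest maximum first; the earlier bidder wins a tie.
        return sorted(self.order,
                      key=lambda b: (-self.max_bids[b], self.order.index(b)))

    def leader(self):
        ranked = self._ranked()
        return ranked[0] if ranked else None

    def displayed_price(self):
        """What the site shows and the leader would pay: the 2nd highest bid."""
        ranked = self._ranked()
        if len(ranked) < 2:
            return self.opening_bid
        return self.max_bids[ranked[1]]


def iphone_example():
    """The slide's scenario: item worth about 3000, current bid 50."""
    a = Auction(opening_bid=50)
    a.bid("b1", 100000)                  # an extreme maximum bid stays hidden
    shown_after_first = a.displayed_price()
    a.bid("b2", 2000)                    # a later bid is not deterred
    return shown_after_first, a.leader(), a.displayed_price()
```

With the highest bid hidden, the second bidder still bids, and the first bidder's price rises to 2000 instead of staying at 50.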

Page 28: Session tracking and secure communications: EBay case study

Some other design features of EBay

- Bidders may bid many times

- The highest bid at any time is hidden from the seller (only EBay knows it!)

- There is a minimum starting bid (open reserve)

- There is a possible secret reserve → winning bid must be greater to win

- It is possible for bidders, sellers to communicate (email)

- It is possible to rate each seller

- Seller can reject a bid

Page 29: Session tracking and secure communications: EBay case study


Next topic: Mathematical foundations of auctions