
March 17, 2003

My Talk: Enabling Open Source Projects in Government

My talk is about how to make open source projects viable in government. My slides are here. The summary of my talk is:

  • Educate and encourage employees
  • Preach open source
  • Start open source pilots
  • Find specific ways to insert open source into the RFP process
  • Work with vendors
  • Add open source to architecture standards documents (see Utah's standard)
  • Use the political process to push open source

03:21 PM

Iowa's Enterprise Authentication and Authorization Strategy

Tony Bibbs, from Iowa, is speaking on Enterprise Authentication and Authorization. Iowa has long been a leader in this area. This service is very similar to Utah's Master Directory project (which Dave Fletcher wrote a little about just lately), but it's based on a collection of tools, including some which are open source. The service provides a single repository for accounts, a single credential set (not the same as single sign-on), a way for users to self-service, and a single point for conducting security audits.

The service consists of three parts: a client library with clients in ASP, Java, PHP, VB, etc.; a service layer based on XML over HTTPS and written in Java; and a "provider" layer that reads credentials from multiple credential repositories. This last part was important in Iowa because each agency was managing its users using different tools. Utah was lucky that it had standardized on Groupwise and Netware years before. As a result, even though there were multiple trees, at least bringing them together into a single master tree was easier (even still, it took 9 months). As Novell migrated to LDAP compatibility, so did Utah's directory trees.

Iowa's strategy is to get everyone using the same service layer and same set of clients. Once that's done, the credential repositories can be changed out without changing the applications.

03:13 PM

eGovernment in Rhode Island

Jim Willis, the Director of eGovernment for the Secretary of State in Rhode Island, is talking about the use of open source in Rhode Island's eGovernment projects. The eGovernment project is in the Secretary of State's office and the Secretary has the authority to determine what format the regulations filed with them will take. Not all states have a single repository of regulations (Utah does, in the form of the Administrative Rules division), but for those that do, this is a very powerful piece of authority.

Willis makes the argument that because Government data should be open, the formats that it is stored in (and hence, in most cases, the tools used to create it) should be open as well. I think there's a good archivist statement in there, but my experience is that states pay more lip service to their archiving responsibilities than anything else. Still, it's a plank in the platform and should be made.

A second point for open formats is that interoperability is easier, and as a result development faster, when data is stored in open, flexible formats. That allows lots of small parts to be developed and used together. You write code to glue these parts together. This is essentially the Web Services argument, made without explicitly mentioning the XML kernel.

Willis gives the example of being able to write a small tool in a few hours that reads Rhode Island's standard data format and dumps it into iCalendar (via PHP-iCalendar) to create calendars from data that originally had some other purpose. This is an important concept. It won't come as a surprise that I'm big on this topic. I think states should pay much more attention to open data in standard formats. As an aside, the tool publishes calendars in iCalendar format so that you can subscribe to them and see them on your own calendar tool rather than having to continually go out and check the site. This is the kind of subtle interoperability that makes a big difference. Witness news aggregators, RSS, and weblogs.

One of the applications that Jim demonstrated tracks legislative bills (apparently the job of the Sec. of State). I've written about this problem before. Jim claims that the application is flexible enough to work for most states. I think it would be great to have a single legislative tracking application for a number of states. There are many groups who are affected by legislation in more than one state. Some conformity in tools could allow a single, usable interface to multiple state legislatures.

02:19 PM

Linux as Platform

Ian Murdock, from Progeny Linux Systems, is speaking on "Rethinking the Linux Desktop: Linux as a Platform, Not a Product." In the "Why is Linux Popular" category, Ian says that Linux, and other FOSS products, are primarily "user-centric" whereas traditional software products are "vendor-centric." At first blush, I'm not convinced I believe that statement, but in the context he was speaking, I'd give it to him: Linux is a pretty flexible platform for all kinds of integrated products (like cell-phones or routers or TiVo) whereas Windows is not necessarily so (although Microsoft's trying). This would be Ian's point, I think: because MS is trying to make a profit (vendor-centric) they can't be as flexible.

Ian (who was part of the Debian Linux distribution effort) is making the point that Linux == Linux. The distributions are 99% identical. What's more, the various distributions try to sell Linux in exactly the same way vendors of closed-source operating systems sell their wares. The downside of this is that organizations get locked into a single distribution and get charged "per-seat" if they want support. Moreover, companies create their own standard builds which, in essence, are yet another distribution. This requires them to manage all of the distribution tasks including deployment, management, and maintenance, including security patches. This is a significant undertaking.

Now, we get to the sales pitch. :-) Progeny provides a product called platform services that provides a componentized Linux platform and toolkit for easily building and maintaining custom distributions. The componentization is fine-grained at the base and kernel level for creating small-footprint configurations. This creates a situation where an enterprise can create distributions that are scaled to the target platform, whether that be a cell-phone or a server.

The product includes, in addition to the components, a distribution management tool that allows an IT shop to create their custom distribution. You can even do your own branding, so that your users see your brand when they install or use the distribution. The pricing on the tool is designed to give an ROI over managing your own distribution without the tool (which Ian estimates is 2-10 people). That means it's not cheap and is targeted at large organizations who would consider putting a group of people on the job of creating a custom distribution. I've got a client who is in that camp, so I know it happens.

12:35 PM

GXA Specifications

I'm listening to Joseph Chiusano from Booz Allen Hamilton talk about GXA specifications, about which I've written a considerable amount. Joseph has been very active on this front and offers a lot of useful references to how these specifications might be used to enhance eGovernment. I'm hoping I can get a URL to his presentation. Here are a few summary quotes:

GXA is poised to play a major role in advancing the adoption of web services through its robust specification of mechanisms for web services such as security, policy, coordination, federation, and routing.

Several GXA specifications (WS-Transaction and WS-Coordination) appear to be plausible candidates for inclusion in the upcoming W3C choreography effort.

10:24 AM

Beware the False Advocate

During the morning break, a group of 5 or 6 guys came in dressed in Revolutionary War get-ups representing the NYLXS, or New Yorkers for Fair Use. They are passing out flyers entitled "Beware the False Advocate" which denounce Tony Stanco, the organizer of the event, because he has allowed people to come who don't produce open source software (notably Microsoft). The flyer reads, in part:

The sponsors of this gathering, in the person of their representative Tony Stanco, Esq., have elected to include participants who neither produce Open Source Software nor support it. In fact these organizations are actively opposed to Free and Open Source Software, as it threatens the archaic structures upon which their criminal businesses are based. Any free-thinking individual can know in advance what their message will be, so why must we suffer their appearance today?

I suppose that the irony of them dressing up in Revolutionary War costumes to espouse a position that denies free speech would be lost on them. Besides, from the looks of this crowd, FOSS supporters outnumber any detractors by an overwhelming margin. I think there's little chance that the message will be corrupted.

Michael Bernstein was kind enough to send me the URL of the NY for Fair Use position. I don't think it's particularly well argued. I disagree with their fundamental position. I think that Microsoft can and should be engaged in discussion. I also believe it's patently unfair to castigate Tony for engaging them. Tony is doing more to promote open source than any amount of rhetoric will ever do.

08:59 AM

FOSS: Free and Open Source Software at DOD

The second presentation I went to this morning was by Terry Bollinger on the use of Free and Open Source Software (FOSS) in the Dept. of Defense. I heard this talk in January when I was out for Susan Turnball's workshop and blogged the results then. I went to it again to jog my memory and get some ideas flowing for my own talk, which I discovered this morning that I'm giving this afternoon rather than tomorrow as I thought.

08:30 AM

Whitfield Diffie on Security and Open Source

I'm at the opening session of the eGovOS conference. Whitfield Diffie, Chief Security Officer at Sun and co-inventor of the Diffie-Hellman algorithm, is speaking on the security aspects of open source software. The argument comes down to:

  1. More eyes looking at the code means that there will be fewer bugs leading to security issues.
  2. More eyes looking at the code means that there will be a greater chance that bugs will be exploited to cause security issues.

"Security is political and is always associated with someone's interests." The result of this observation is that the lion's share of responsibility for security falls on the end user. In a closed-source world, the end user had no options other than choosing between finished products. There aren't many choices right now in many categories. In an open source world, the code is available for inspection and correction. Practically speaking, of course, end-user here has to mean "government" or "large organization" since individuals won't usually spend much time looking through source code.

Part of the issue is that we've modeled computers on the world of publishing when the artifact is more like an automobile than it is like a book: it has function. In the world of automobiles, all kinds of reverse engineering takes place, creating a vibrant marketplace of aftermarket parts and people who know how to modify and customize cars.

Diffie is making an analogy between the standard cryptographic practice of making the system public and the keys for transmitting individual messages private. This is not done for some altruistic reason, but because of a very real belief that the system is more secure by being public. The cryptographic system is complex and costly to engineer and thus can't be easily changed out. Thus, it pays to have the cryptographic system be well engineered and to not rely on any "secret" features in the system itself.

One common argument against open source being more secure is that "trojan horses" can more easily be inserted into the code. The open source community regularly pooh-poohs this with "that can happen in closed source code as well." Whit makes a great comment that is an important distinction: Many large organizations who are concerned about security (i.e. the military) can control their environments much more tightly than others. For them, keeping trojan horses out by controlling who has access to the code is, perhaps, possible.

07:37 AM