Technometria

Home
Why Technometria?
RSS
Atom
Podcast Feed
Add to Google

Recommend This Site

About Phil

Brief Bio
Contact Info
Phil on Twitter
Speaking
InfoWorld
Photo Albums
Video Favorites
CTO Breakfast

Essays

2006
2005
2004
2003
CIO White Papers

Software

Packages

Topic Guides

Understanding RSS
Digital ID Policies
Understanding VoIP
Internet Application Performance
Setting Up a Linux Server
Public Service Tips

Categories

Blog TagCloud

Archives

August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
December 2003
November 2003
October 2003
September 2003
August 2003
July 2003
June 2003
May 2003
April 2003
March 2003
February 2003
January 2003
December 2002
November 2002
October 2002
September 2002
August 2002
July 2002
June 2002
May 2002

Utah Tech Organizations

BYU Unix User's Group
Provo Linux User's Group
Utah Valley Linux User's Group
Ubuntu Utah
Salt Lake LUG
USU Free Software and Linux Club
Greater Utah BSD User Group
Utah PHP Users Group
Utah Python User Group
Utah Ruby Users Group
Ogden Area LUG
Southern Utah Unix Users Group
UtahSAINT

Copyright

Copyright © 2002-2006 PJW LC. Some rights reserved. Technometria is a trademark of PJW LC in the United States and other countries.

« February 2003 | Main | April 2003 »

March 31, 2003

Public Service Tip No. 9: Breaking Through Management Hardpan

If you're a gardener, you're probably familiar with the term hardpan, a soil condition where the individual soil grains become cemented together by bonding agents like calcium carbonate, forming a hard, impervious mass. Hardpan often forms a few inches below the surface of the soil. When this happens, the soil doesn't drain, because water can't percolate down through the hard pan and plants dry out and die because their roots can't get to water below the hardpan. Its a tricky gardening problem but it can usually be dealt with by creating drainage holes through the hardpan and backfilling with good quality soil. Public service has its own hardpan problems.

In public service you'll frequently run into what I call "management hardpan," a layer of management a few layers down in the organization that has cemented together into a hard, impervious mass. In soil, the hardpan restricts the flow of water. In the public sector, management hardpan restricts the flow of information.

In most government agencies, the very top layer or two is composed of appointed officials who are there to put the current administration's slant on the agency's operations. The rest of the organization is made up of long term government employees. This is not necessarily a bad thing--it discourages patronage, for example. The appointed officials depend on the permanent management for organizational memory, experience, and domain expertise.

In my experience, the appointed officials and the large body of agency personnel are frequently out of touch. You could bring the appointed officials to a consensus, but that didn't mean that the troops got the word, let alone were convinced of the program's efficacy and were on board. In some cases, this was the typical management problems you'd find in any organization. In many others, though there were active efforts by a few highly placed, long term managers to deliberately divert information and misinform the organization below them.

Why do this? Simple answer: power. The long-term government managers are the survivors. They've been working for the government for dozens of years and have worked their way to the top of their organization and wield considerable influence and control sizable budgets. Their viewpoints are quite parochial. They want the employees in their organization to be beholden to them for information. Moreover, they want their employees to see them as their savior and protector. That's only possible if they're saving them from something. If no real problem is present, its just as convenient to invent one.

I've been told by employees down in the ranks, for example, that their managers "discouraged" them from getting too chummy with me or other appointed officials. Sometimes this discouragement was very effective intimidation. These were the same managers who were shaking my hand, smiling at me, and telling me that they were my biggest supporters. In other cases, I'd talk to some of the IT employees I knew about some rumor or another and find that certain managers were actively promoting the rumors (and even making them up) in their group meetings.

Breaking through the hardpan layer isn't easy. You can try to convert them or you can go around them. The former isn't easy because they have a vested interest that is not aligned with yours (unless by mere coincidence). You have to find a way to align their interests with yours and that might require tools and techniques (like bonuses, raises, demotions, and outright firing) that aren't available to you in the public sector. Going around them is difficult as well because they do employ many of these tools and techniques to ensure that their organizations are aligned with them.

Is there any hope? Many gardeners despair because they think that they must break up the entire hardpan layer to have a successful garden. That's not true. Its only necessary to break through in select spots, where the roots must grow especially deep. The same is true in public service. Select you targets carefully and concentrate your efforts there. Work hard to establish relationships with those managers and find creative ways to align their interests with yours. In other areas, you may have to find a way to remove the hardpan and backfill. You'll also find some areas of the garden where there is no hardpan and those agencies present great targets of opportunity which can be exploited.

10:20 AM | Comments () | Recommend This | Print This

Salt Lake City Joins Utopia

Salt Lake City has elected to join 17 other Utah cities in UTOPIA, the fiber to the home (FTTH) project that promises to provide high speed internet, data, voice, and video services to over 750,000 Utah residents. Utopia is currently preparing bonds for sale and hopes to begin construction this summer. The bonds will be revenue bonds, not general obligation, which means that they are not backed by taxes. Good for the taxpayer, but harder to sell. I think Utopia is a grand experiment and I'm anxious to see how it progresses. There's some additional information on the Utopia Homepage.

8:38 AM | Comments () | Recommend This | Print This

March 28, 2003

Fat Pipes

I had lunch today with Ragula Bhaskar, the CEO of FatPipe Networks. I really enjoyed talking to him. FatPipe sells network devices that aggregate bandwidth from multiple providers for use by a single LAN. Why would you want multiple providers? Redundancy and extra capacity. They essentially eliminate the need for complex BGP configurations by selling a canned, configurable device. I remember the headache we had installing dual OC-3's in the Utah Excite\@Home office---and we were a networking company with some of the best network engineers around. FatPipe's market is ordinary companies that might combine a DSL with a T1 or even two ISDN lines. The installation is simple, just plug in the ethernet cables from the WAN routers and the ethernet to the LAN router or switch, log onto the built-in web server to configure it and you're up and running. Course there will always be some people who like to tinker with the routing tables. I'm not among them.

7:19 PM | Comments () | Recommend This | Print This

March 27, 2003

WS-Reliability

Joseph Chiusano reports that the OASIS Web Services Reliable Messaging (WSRM) Technical Committee has accepted the WS-Reliability specification submission from Sun. From the specification:

"Reliable messaging" means the set of mechanisms and procedures required to send messages reliably. This includes the processing of Acknowledgment messages, re-sending of messages, duplicate message elimination, and message ordering.

The purpose of WS-Reliability is to address reliable messaging requirements, which become critical, for example, when using Web Services in B2B applications.

The following features are within the scope of the specification:
  • Asynchronous messaging at the application level
  • Three reliability features: guaranteed delivery, duplicate elimination, and message ordering

This specification is not the same as the WS-ReliableMessaging specification which is part of GXA and put forth by Microsoft and IBM. This caused some concern in the TC meeting yesterday since the charter has a statement that says: "The resulting specification must be non-overlapping with, and have demonstrated composability with other Web Service specifications that are being developed in open, recognized standards setting organizations." Afterall, we wouldn't want Microsoft to get mad and decide not to play.

9:41 PM | Comments () | Recommend This | Print This

March 26, 2003

Corda's TroopTracker

Corda Technologies, a local Lindon high-tech company has put up a site called TroopTracker to highlight their OptiMap and PopChart products. I don't know much about either them or their products, but I've got an email into their CEO and once I visit with them, I'll post more. Overall, I think the map is engaging. The question, that the site really ought to answer, is how hard was it to create. If it took X hours and just using raw flash would take 2X hours, that's interesting. Even more interesting if its a factor of 10 or more.

8:16 PM | Comments () | Recommend This | Print This

March 25, 2003

Conference Wrap-Up

The conference wrapped-up with Tom Siebel and Governor Leavitt making a pitch for Utah as a place for high-tech build-out. What does this have to do with digital identity? its a message from the sponsor. Someone has to pay the bills. :-)

The panel I was on went well. I was the sole "customer" type there. Everyone else on the panel was selling something. I was the one who'd been in the position of buying. The conversation also turned to the role of government in the digital identity process and, as you know, I've had some thoughts in this area.

Here are some photos from the post-conference reception:

Rod Linton introduces Gov. Leavitt and Tom Siebel Natalie Gochner, Gov. Leavitt's Press Secretary
Gov. Leavitt presents a picture to Tom Siebel Val Oveson, Utah's CIO talks to Winston Bumpus

After the reception, Evelyn had five people at tables hosting small discussion groups on digital identity issues. Evelyn is good at creative interaction and this was probably a nice element of the conference, but I was beat, so I called it a night.

9:28 PM | Comments () | Recommend This | Print This

Kevin O'Neil: Framework and Approach for Protecting Digital Identity

Kevin O'Neil, the Executive Director of the International Security, Trust, and Privacy Alliance and CEO of CYVA Research is speaking on "Framework and Approach for Protecting Digital Identity." The ITPSA is an alliance of companies like IBM, Motorola, and others who are creating "policy configurable" frameworks for security and privacy. The framework consists of services and capabilities that a security/privacy product must have. Interesting that many of these folks are also involved in Liberty Alliance. I get the impression as he talks that he views ISTPA as complementary to Liberty. Ah, he just said it: ISTPA is an affiliate member. His talk was very interesting, but mostly filled with scenarios rather than concepts, so it was difficult to blog.

5:43 PM | Comments () | Recommend This | Print This

Bill Smith: Digital Identity in a Networked World

Bill Smith, who is the Director of Liberty Alliance Technology at Sun and the Secretary of the Liberty Alliance organization, is speaking on "Digital Identity in a Networked World." Bill starts off by posing a scenario where your car tells you that a gas station with the brand of gas you like to buy is coming up on the right, its $0.10 less than average and you have a quarter of a tank left. Sounds like a great application for OnStar. He poses another scenario where the same car gets in a accident with you driving and the arriving EMTs get medical information about you before they get there. Two scenarios, different identity requirements. Moreover, there are multiple service providers in each case that need to federate to use that identity.

Bill gives three components of identity: physical (height, weight, gender, etc.), experiential (education, travel, dining, purchases, drug use, etc.), and preferential (food, clothing, religion, etc.). These traits attributes, and preferences can be used to tailor service, but only if they're available from the many places that they're stored. Bill makes the point that this really works: Amazon makes recommendations that people use. I wonder if Amazon has released any data on the percentage of recommendations that are converted into sales.

Liberty uses the term "network identity" to describe using federation to link digital identity islands. This provides a single logical identity while preserving and enhancing existing trust relationships. Liberty is establishing an open standard for federated network identity. Their objectives:

  • Interoperability -- no digital islands
  • Privacy -- let users control their information
  • Ubiquitous adoption -- create one standard

5:05 PM | Comments () | Recommend This | Print This

Winston Bumpus: The Evolution of Digital Identity in a Web Service World

Winston Bumpus, the Director of Open Technology and Standards for Novell is speaking on "The Evolution of Digital Identity in a Web Service World." Winston says there are three reasons to do something: it will save you money, it will make you money, or the government requires it Obvious, maybe, but nicely said. His point is that government requirement are one of the biggest drivers toward standardization.

Not surprisingly, given Novell's history, Winston talks about identity as a representation of an entity, including, people, data, systems, locations, and so on. Directories manage these identities. The value of a directory is measured by the number of relationships it manages and the new applications that result.

Identity in web services needs to be

  • consumable by any service
  • consumable over any protocol
  • expandable to include different types of data

Web services are driving integrated deployments using meta-directories using a federated approach. Federation not only affects location of the identity principal, but also where the data resides (virtual directories).

Winston believes that XML will replace LDAP in the next 3 to 4 years and views LDAP as a legacy standard. Since LDAP based directories are hierarchical, XML is a great fit and it would simplify the integration burden for directories since almost everything is going to have and XML parser built in and this makes getting XML-based directory information much easier.

To be effective, directories need to integrate and understand business policies so that directories can manage themselves and provide support to the applications that are built against them. Thye must also allow data to be integrated from many different data sources using built-in meta-directory capabilities.

4:12 PM | Comments () | Recommend This | Print This

Phil Becker on Identity -- Why Now?

Phil Becker is the Editor-in-Chief of Digital ID World, which I have contributed to before. Phil is also the organizer of the Digital ID World conference. The title of his presentation is "Why Digital Identity and Why Now?"

Phil makes the point that while Hollywood frequently gets technical details wrong (or purposefully distorts them for entertainment value), they are very good at identifying trends. He has a great presentation using audio clips from movies starting with "2001: A Space Oddesy" that he uses to track societies perspective on computers from mainframes to PC's to hackers. His point is that this history has led to a situation where we commonly have used location as an implicit proxy for identity. PCs exposed some of these problems, but the qualifications and skills necessary for using early PCs allowed these problems to be ignored. The rise of the Internet and networked computing and the improvements in ease of use has changed all of that. Witness: script kiddies. Universal networking drives information towards the public domain through loss of access control. The only effective response to this is to architect applications and data around identity.

Security issues are often the drivers of digital identity. Firewalls and VPNs are the last stand of virtual location based on physical security. Identity infrastructure and security are intertwined. Most security problems, other than those that result from software bugs, are a symptom of incorret or missing identity structures.

Privacy is an interesting problem because its about enforcing a negative. Privacy is about what you agree not to do with data. To be effective, privacy must be created structurally, not with policy.

Phil sents for the following deployment path for digital identity:

  1. Intra-enterprise identity management. Utah did this with their master directory project. Many other large organizations are working on this as well. Phil claims that large organizations spend $450-$750 per employee per year on password resets. Just automating this is a huge win. Moreover, you gain security though identity life-cycle management (create, modify, and remove identities). Phil says 15% of IDs and passwords in a large organization are for people who haven't worked there for more than 3 years. This would be a wonder audit at the State.
  2. Inter-enterprise identity managenment. This allows user customized business to employee portals (this is inter-enterprise bacause almost no one does employee management like 401K, helath insurance etc. themselves). It also allows secure, managable B2B integration and enables web services. For inter-enterprise identity management to work, we must develop federated identity systems.
  3. Consumer identity management. Phil believes this will grow organically from the tools and techniques built for inter-enterprise identity management and be driven by key applications.

3:41 PM | Comments () | Recommend This | Print This

Digital Identity Summit: Mark Sunday

This afternoon's event is the Digital identity Summit. Evelyn Rodriguez of the Koru Group is the organizer of the event. Evelyn is trying to use identity to tie together web services, CRM, and network security and today's speakers will be talking on those subjects.

The first speaker today is Mark Sunday, the CIO for Siebel Systems. Siebel recently moved their entire production operation from California to Utah. They run in two redundant data centers. Mark's first comments are a bow to the idea that digital identity is important in a service-oriented economy. Unless we're willing to establish a digital identity, there's little chance that we can get most of the services we want. We do this everyday, of course, when we create accounts on web sites that require a sign-up. What we don't have is a convenient and secure way to aggregate and manage those multiple identities.

CRM is an integrated approach to identifying, acquiring, growing, and retaining customers. This includes sales, marketing, and service. Digital identity is crucial in this environment because customers jump back and forth between sales channels and expect continuity in service regardless of the channel they use to engage the company. CRM systems, at their heart, are really big databases of customer profiles---their digital identity with respect to that company. This corresponds to Andre Durand's second level of digital identity.

Siebel systems calls this big database of customer profiles, the Universal Customer Master. When customers have multiple identities in an organization (identity silos) not only does customer satisfaction decrease, but companies also leave significant revenue on the table. Mark is using the HP/Compaq merger as an example. Clearly one of the reasons for the merger was so that both organizations can leverage the customers of the other, but without some significant IT investments, that can't happen. Siebel is working with HP, using Siebel's Universal Application Network product to integrate a Universal Customer Master with HP's SAP ERP system, Siebel, and other legacy systems.

One of the things I like about Siebel is that they drink there own kool-aid. Siebel is moving thier own operations to be 100% web-based to increase the access for their "nomadic" workforce. This allows salespeople from Siebel to access their customer data from any web browser, cell phone, or PDA while they're away from the office.

3:25 PM | Comments () | Recommend This | Print This

Venture Capital Conference

The web services summit doesn't begin until this afternoon. This morning's event is a venture capital conference hosted by Cadence and the State of Utah. The idea is to showcase Utah companies in front of some valley VCs. Cadence has a recent Utah presence in Sandy. There are about 90 Cadence employees in Utah right now and that number is expected to grow to 200 within 18 months. Ray Bingham, the CEO of Cadence has Utah roots. He was born in Heber UT and graduated from Weber State University. Even so, Ray maintains that Utah competed on its own merits and beat out over 100 other sites.

Mike Leavitt Ray Bingham Brad Bertoch

The keynote is being given by Governor Leavitt. Governor Leavitt knows about convening power and he uses it well in events like this. The Governor's message is the familiar one: Utah has a workforce is growing at twice the national average, the workforce is well educated, there are outstanding recreational opportunities (quality of life) and Utah is 1.5 hours from Silicon Valley. He characterizes Utah as an "emerging place" with a strong technical heritage. The Governor outlines an important ambition: improving access to capital. He's signed HB 240, creating a fund of funds and believes that will help.

Brad Bertoch, President of the Wayne Brown Institute, a VC accelerator, is the master of ceremonies for the morning. This is a familiar role since Wayne Brown does this sort of thing at their conferences. The program will be an roll call of ten Utah high-tech companies making short, ten -minute pitches.

First up is Tomax Corporation, a provider of web-based solution for retail operations at retail.net. Eric Olafson is the President and CEO. Their customers include Gateway, TJ Maxx, Ultimate Electronics, Safeway, and others. The company is privately held and profitable. The message is really an IT message: retail operations are collections of isolated technologies that keep retail operations from gathering the information they need to drive their business. They are targeted at businesses over $1M in revenue. There are over 2 million business in the US that are smaller than that.

The next company is NxLight Inc. I've mentioned them before. Brent israelson is the President and CEO. NxLight is making web services real in the sense that they're creating real solutions for companies to use them in places the require significant security, and identity management, Their primary customers right now are insurance companies and financial services companies. The average insurance policy costs $400 to issue and takes 45 days. The error rate for this process is 35%. The are significant regulatory requirements. Using an electronic solution decreases policy issuance time by up to 99%, but it requires signed documents in compliance with privacy regulations. The solution is based on a self-contained XML packet that encapsulates the transaction including workflow, audits, authentication and privacy controls, and security. One thing missing from the presentation was a mention of Web Services standards. Maybe they're there and they just didn't think this audience would care.

The third company is NextPage. Darren Lee is the President and CEO. NextPage bills themselves as a "teamwork" company, but their solution is aimed at document management (not surprising since their roots are Folio). Their software help manage documents so that questions like Who has the latest version of this document? What work tasks and business processes relate to ti? Where is it being used and by whom? If I delete it once is it removed fro other hard drives as well? These are important questions for CIOs. I'm not sure that NextPage is getting that message across in a way that resonates with CIOs. They have a new product that they're getting ready to launch---maybe that will connect better.

Eric Olafson Brent Israelson Jeff Smith

Next up is Cerberian, an Internet filtering solution for homes, businesses, and schools. The President and CEO is Jeff Smith. Cerberian doesn't sell directly, but works through 21 OEM partners including SonicWall, Computer Associates, Broadcom, Zone Labs, and Belkin. Cerberian is a hosted solution. They host the database and filtering servers and thin client enables the blocking.

The fifth company is netdocuments. The President and CEO is Ken Duncan. The company sells solutions to law firms like Dorsey and Whitney, real estate companies like Kelty Trust, and financial services companies. ScanSoft integrates netdocuments software in the their scanning products. One of their markets is litigation support; they are an outsourced provider of document management for trial work. I haven't heard enough to tell me how they would contrast themselves with NextPage.

The next company is MyFamily.com. Tom Stockham is the President and CEO. MyFamily.com is one of the largest subscription business on the net. Family history is big on the Internet and MyFamily.com takes advantage of that. MyFamily.com has 30 million registered users and over 900,000 people pay a monthly subscription. This leads to real revenue growth. Subscription revenue is nearly doubling year over year. I wonder if their is a significant blogging presence in family history? If seems like a natural for genealogists to narrate their work to form communities in ways that you can't with just news groups or message boards.

Ken Duncan Tom Stockham Jim Kuo

The seventh company is MediConnect. The President and CEO is Michael Colemere. MediConnect is a medical record retrieval firm that does work for insurance and legal companies. These companies pay over $6 billion per year to retrieve and maintain medical records. MediConnect essentially acts as an agent for these companies. They have a call center that will call a doctors office, retrieve the information, scan it and deliver it electronically to the requester. Their competitors are using fax machines to do the same thing.

BioMicro Systems is an inventor of microfluidic biochip technologies that can be used in research tools, diagnostic devices, and consumer products. James Kuo is the President and CEO. BioMicro's product automates the sequencing preparation steps in genetics work, reducing the manual tasks from 11 to 4. They have been used by Myriad Genetics where they reduced reagents costs by $6M/year. They create the chips using an excimer laser to cut microfluid channels and wells into a doped plastic. The process and resulting product are protected by over 16 patents.

Salus Therapeutics has technologies for discovering, developing, and delivering of nucleic acid-based medicines. Dr. Richard Koehn is the President and CEO. Their technology, chemistry based, allows these genetic therapies to be directed at specific genes. The presentation has quickly dropped into a level of biochemistry and genetics that my high-school biology is not equipped me for. I wonder how everyone else in the room is doing.

Last up is GenData, a non-proofit organization that was created by the State incorporation with the University of Utah and Huntsman Cancer Institute to exploit the genetic data and records available in some very large, extensive and well-documented families in Utah. Michael Paul is the Chief Operating Officer. At its heart, GenData is a marriage between biotech and IT in that they're mostly about managing data. You might wonder why a non-profit is The English Bio-Bank is a similar effort in Britain. GenData combines family histories, clinical data, and genetic data to provide a set of data for genetic research.

Richard Koehn Michael Paul Darren Lee

Overall, this morning was a great event and showed off some great Utah high-tech companies in a very good light.

9:53 AM | Comments () | Recommend This | Print This

Washington Technology Mention

My blog got a brief mention in this weeks Washington Technology magazine. The follow-up paragraph promotes blogging as a way for "agency experts" to organize and publish information. I'm not aware of any bloggers who work for the Federal government and blog about their work on a regular basis. Anyone else know?

8:18 AM | Comments () | Recommend This | Print This

March 24, 2003

Pattern Recognition

I just finished William Gibson's new book "Pattern Recognition." I liked it very much; I think its his best book since "Neuromancer." Unlike many of Gibson's book, this one is set in the present and has a decidedly high-tech theme without being about geeks. I find Gibson's writing to be evocative and full of intense imagery with plenty of conceptual surprises. These concepts are fertile ground for sowing new ideas. Reading it reminds me of what I liked about Wired magazine way back.

6:33 PM | Comments () | Recommend This | Print This

Public Service Tip No. 8: Scavengers Get Fatter than Predators

Among carnivores there are two primary means of finding food: killing your own and eating something that someone else has killed. The conventional wisdom is that it is better, and more respectable, to be a predator than it is to be a scavenger. The truth of the matter is that being a predator is dangerous. The animals that you're killing frequently fight back. What's more, being in control of your own destiny, so to speak, isn't necessarily the best strategy for getting fat. Scavengers frequently fare better than predators.

This fact should not go unnoticed by those entering public service. The inclination for political appointees, who see their tenure as temporary, is to dive right in with both feet, set goals, and start driving to completion. To make matters worse, they frequently work for people who are anxious to get results and so the pressure to "make things happen" can become intense. Political appointees frequently come from the private sector where this type of behavior is the norm and you're expected to make your own opportunities by actively hunting them down and killing them.

Under pressure to get results in a short time frame, the temptation is to use positional authority, rather than moral authority, to get the results that you seek. Positional authority is that authority you get from your title and the location of your office (reporting to the Governor, for example). Moral authority is that authority that comes from establishing relationships and convincing people, on the merits, that your ideas are right.

In order to exercise moral authority, you must carefully use the one real power that positional authority gives you, the power to convene, to carefully cultivate relationships with key players (who may or may not occupy a lofty position in the org chart) and listen to their ideas, problems and concerns. This will allow you to see the opportunities in your organization and capitalize on them.

Here's the problem: this strategy requires you to exercise incredible patience and act on opportunities that present themselves, rather than the opportunities you create. Scavenging for success in this way is antithetical to the way most private sector executives are used to operating. But, it can cause considerable pain for all involved when this principal isn't understood.

This was a significant factor in experience as CIO in Utah. While we accomplished much and certainly tackled some important opportunities, my "predatory behavior" ultimately cost me the ability to act. I understood that I was in a significantly different position with respect to the source of my authority than I'd had in my previous jobs where I acted from significant moral as well as positional authority, but didn't understand how that would affect the dynamics of how I operated from the Governor's office. In my resignation letter, I said that I'd become a distraction and that was certainly true. I'd made enough people angry that the conversation was more about me than what we could accomplish. I acted through positional authority in an effort to short circuit the process and ultimately it didn't work. An expensive lesson learned.

As readers of the blog will know, I think there are some significant opportunities available to Utah and other governments, both in the way that they manage their IT as well as in how they service their citizens. CIO's in Utah and elsewhere will accomplish much if they can be patient, build their moral authority, and strike when opportunities present themselves. Not an easy thing to do, but its really the only road to sustained success.

2:10 PM | Comments () | Recommend This | Print This

Digital Identity Summit

I'm off to San Jose today to speak at a summit on Digital Identity. There are some interesting speakers coming including Mark Sunday from Siebel, Bill Smith from the Liberty Alliance, and Phil Becker from Digital ID World. I'll be blogging the conference, so stay tuned.

9:59 AM | Comments () | Recommend This | Print This

March 22, 2003

Craig Burton Leaving JanusLogix

Craig Burton is stepping down as CEO of JanusLogix. Craig's been looking for additional funding for JanusLogix for a while and its been hard to come by. That's too bad because Craig's got some very neat ideas and I'm convinced that sooner or later, someone will build and sell the kind of software that Craig envisions. Sounds like he's going back to strategic consulting. I wish him well.

10:14 AM | Comments () | Recommend This | Print This

March 20, 2003

Blog Going Crazy for Earthviewer

My blog is going crazy today. Something (I don't think its a someone) is searching for "earthviewer" on every major search engine and even some minor ones and then following the links multiple times. I've talked about Eathviewer quite a bit in my blog and so it shows up fifth if you google earthviewer. Its possible, I guess that the war has caused some surge in interest in Earthviewer, but it doesn't feel right.

6:53 PM | Comments () | Recommend This | Print This

Productive Knowledge Workers

I spent the day (and will spend tomorrow as well) at BYU as part of their annual President's Leadership Council (PLC) event. I serve on the advisory board for the College of Physical and Mathematical Sciences. The highlight of the morning was a talk by Stephen Covey (of Seven Habits for Highly Effective People) who is on the PLC. The talk was vintage Covey and its easy to see why he's so sought after as a speaker. The material was inspiring, and presentation fluid and flexible, and you can tell he has a real passion for the topic.

One of his principal topics is how organizations should be different in the age of knowledge workers from what was common in the age of industry. He, of course, if focused on the organizational behavior ideas, but I couldn't help but think of the tie that his comments had to IT and building IT systems that make knowledge workers more productive. Even Covey got into this a little talking about how the trend to dashboards is a knowledge era answer to accountability for things that matter now (whereas accounting is an industrial era answer to things that mattered then). Its not that the things that accounting measures aren't important now, but that we've come into a world where they are only one part of the story.

6:43 PM | Comments () | Recommend This | Print This

March 19, 2003

Open Source Dominant?

This timely story on open source from CIO magazine says that 54% of the 375 CIO's they surveyed said that open source software would be their dominant server platform. Saying it doesn't make it so, but it does indicate an expectation and a level of awareness that I think is unprecedented. The article says:

...for years open source has been dismissed as pie-in-the-sky, a toy for geeks. But today open source is undergoing a business revolution.

The article's conclusion?

CIOs who don't come to terms with this revolution in 2003 will be paying too much for IT in 2004. To avoid getting stung, CIOs should pursue as least some components of this 2003 open-source agenda.

Their recommendations include getting your feet wet with Internet pilot projects.

10:41 PM | Comments () | Recommend This | Print This

eGovOS Conference Wrap-Up

I had to bug out of the conference early to catch my flight. I was afraid that security at Reagan would be a nightmare, but it was a breeze. My closing thoughts on the conference:

  • There were quite a few people there. Tony said 700 registered. There were still some unclaimed badges at the end, but I'd bet that 500 people were there at one time or another.
  • There were five parallel tracks going all three days. I found something interesting each hour and sometimes more than that. Tony and I were talking yesterday: there's not as much energy in multiple break-out sessions, but you do get more content. I'd like to see a hybrid with some general sessions in the morning followed by break-out sessions in the afternoon.
  • One important reason for introducing open source ideas to Government is the power that OS has to change the culture. You can't start working on a LAMP platform engaging in open source projects without grabbing just a little of what modern IT is about.
  • Finally, Tony Stanco (that Tony talking to Whit Diffie in the picture) did a great job along with his entire team. There were three full days of excellent content. There was lots of heated discussion in the sessions I attended and some folks were getting educated.

There are two conferences that State CIOs ought to take notice of: this one and Digital ID World (coming up in Oct). I wish there was a way for NASCIO to do some cross sponsorships with these conferences or something to increase participation by the states. They're always reluctant to do anything, however, that might weaken their nearly exclusive relationship with State CIOs. Its their stock-in-trade and they guard it jealously. Still, State CIOs are busy and trust NASCIO to bring them the content and contact they need. NASCIO should not ignore these two good sources of material for the members they serve.

4:33 PM | Comments () | Recommend This | Print This

Matt Asay on Open Source

Our own Matt Asay is speaking on on "The Open Source Work Ethic and the Spirit of Capitalism." For those of you not up on the Utah high tech scene, Matt is a Stanford Law school grad who once worked for Lineo as the GM of their residential gateway business and now works for Novell. Matt is the host and force behind a series of monthly VC breakfasts that have been happening in Salt Lake City. Matt's talking about open source and his slides are clearly marked with a familiar "red N" logo in the corner. This is generating a little interest among some members of the press who are here.

Matt's is promoting a concept of "both-source" or a middle ground between open-source and close-source community. He points to his experience at Lineo where he saw a constant wave of open-source software moving up the software stack, forcing Lineo to move their value-added innovation further up the chain as well. This is an interesting look at open-source as a driver of innovation, even in companies deriving benefit from closed source code.

Matt's recommendation for public policy toward using open source in government is to avoid legislative solutions and work to develop purchasing models that support open source. There audience was quick to point out that there are some problems here, most notably that open-source doesn't have salespeople and it can't pay a percentage of sale to consultants. I don't see these as insurmountable. If the ROI is truly there, someone ought to be able to win contracts using open source that they can't win using closed source. The economics ought to be able to drive this if public employees can be educated to the fact that open source solutions are acceptable and even preferable.

9:47 AM | Comments () | Recommend This | Print This

March 18, 2003

Transparent Coding

K. S. Shankar (Doc) from IBM just said something which is similar to a comment that Michael Bernstein made via email earlier. Michael said "the knowledge that other people will be reading your code (whether shallowly or deeply) has a significant effect on how you code." What Doc said is a corollary: when people find a bug that you're responsible for, its embarrassing and people will work hard to fix them quickly. The point is that it comes down to transparency and the value that it has in many circumstances. I'm a fan of transparency as a tool for driving correct behavior in organizations. When you apply it to individuals it gets trickier. All kinds of privacy questions.

2:57 PM | Comments () | Recommend This | Print This

Optimizing Commanilties and Differences

What few things need to be the same so that everything else can be different?

This question, poised by Michael Tiemann, CTO of Redhat, is at the heart of many of the decisions facing IT today. This question defines the power of web services as well as the move toward managed desktops in corporations. Finding the balance in this question is a critical decision facing technologists as they develop enterprise architectures and operating models so that IT can serve the business.

12:38 PM | Comments () | Recommend This | Print This

Microsoft's Shared Source Initiative

Jason Matusow is the Shared Source Manager from Microsoft. I notice that he's not wearing a name tag. I'd bet that isn't accidental: Jason started his talk by referring to the scene in Hitchhiker's Guide to the Galaxy where cows are brought out so that people can be introduced to their dinner. The audience appreciated that analogy. He opened by making these points:

  • Access to source code is not the primary concern for most people
  • Having an option to work with the source code is important to to a few individuals and many organizations
  • Few people who have access to the source code actually use it

Jason points out some common myths:

  • The is a "right" software development model.
  • Contrasting "open source" software with "commercial" software. Much open source software has commercial interests.

Now we get to the heart of the talk: there is a move by traditional software vendors and open source software vendors to move to the middle and find a business model that works better than either has in the past. Microsoft's Shared Source initiative (SSI) is evidence of Microsoft's steps in this direction.

SSI is not open source. Rather, its an initiative to share the source under certain conditions with customers, partners, and governments world-wide. Someone in the last session I was at (actually it was David Sklar who wrote the PHP Cookbook) suggested that SSI created a situation where source is closed only to those without means. From a security standpoint, there is no closed source OS. Someone with the right resources has access to the code whether its Windows or Linux.

A pessimist will look at this as a disinformation campaign by Redmond and indeed, there's certainly a PR aspect to it. I'm by nature an optimist and I view it as evidence that the open source community is having an impact and driving change in traditional high-tech companies like Microsoft, Dell, Oracle, and Novell. We have to be happy about that.

10:14 AM | Comments () | Recommend This | Print This

Dell's Support for Open Source Software

Craig Lowery is a Software Architect and Strategist for Dell. Much of his talk was interesting, but not particularly new. However, he highlighted this statement and it caught my attention:

Dell believes that all the major pobjections to OSS have been addressed and its ready for the enterprise now.

This doesn't mean that they're ready to start shipping Linux on the desktop again, although Craig says that they're reconsidering it.

8:14 AM | Comments () | Recommend This | Print This

Openness As an Inherent Good

Yesterday, Fazal Majid reacted to my post on Whit Diffie's talk by saying:

I don't really buy this argument [that more eyes looking at code make it more secure] - unlike ordinary bugs, security reviews like the ones done by the OpenBSD team require a strong commitment and extended effort. They are not likely to arise from casual source reading.

Fazil, of course, is right. Finding bugs in general, and security issues in particular, requires a purposeful, planned, carefully executed review. This morning, almost in response to this issue, Mary Ann Davison from Oracle is discussing open source software evaluations. Specifically, Oracle is going to conducting (i.e. paying for) an EAL2 certification of RedHat's Linux Advanced Server product for use with Oracle DB. She makes the point that Oracle evaluates products all the time and when they do that, third party teams look at their source code.

On the other hand, I think that the argument restated by Whit yesterday (although not necessarily espoused) is a little more subtle than what its simple retelling in a talk (or blog) can convey. Its not so much that random eyes looking at code will make it more secure. The issue comes down to a basic philosophy of openness and its inherent goodness. As anyone who's read The Transparent Society by Daniel Brin knows, making this argument is much more involved than a simple sentence.

Having recognized softare openness as inherently good, I don't want to be misunderstood. I do not believe that this makes companies who close their source code inherently evil. I would, rather, view them as not having yet recognized the benefits of an alternate strategy.

7:56 AM | Comments () | Recommend This | Print This

March 17, 2003

My Talk: Enabling Open Source Projects in Government

My talk is about how to make open source project viable in government. My slides are here. The summary of my talk is:

  • Educate and encourage employees
  • Preach open source
  • Start open source pilots
  • Find specific ways to insert open source into the RFP process
  • Work with vendors
  • Add open source to architecture standards documents (see Utah's standard)
  • Use the political process to push open source

3:21 PM | Comments () | Recommend This | Print This

Iowa's Enterprise Authentication and Authorization Strategy

Tony Bibbs, from Iowa, is speaking on Enterprise Authentication and Authorization. Iowa has long been a leader in this area. This service is very similar to Utah's Master Directory project (which Dave Fletcher wrote a little about just lately), but its based on a collection of tools including some which are open source. The service provides a single repository for accounts, a single credential set (not the same as single sign-on), a way for users to self service, a single point for conducting security audits.

The service consists of three parts, a client library with clients in ASP, Java, PHP, VB, etc. A service layer based on XML over HTTPS and written in Java, and a "provider" layer that reads credentials from multiple credential repositories. This last part was important in Iowa because each agency was managing their users using different tools. Utah was lucky that they had standardized on Groupwise and Netware years before. As a result, even though there were multiple trees, at least bring them together into a single master tree was easier (even still, it took 9 months). As Novell migrated to LDAP compatibility, so did Utah's directory trees.

Iowa's strategy is to get everyone using the same service layer and same set of clients. Once that's done, the credential repositories can be changed out without changing the applications.

3:13 PM | Comments () | Recommend This | Print This

eGovernment in Rhode Island

Jim Willis, the Director of eGovernment for the Secretary of State in Rhode Island, is talking about the use of open source in the Rhode Island's eGovernment projects. The eGovernment project is in the Secretary of State's office and the Secretary has the authority to determine what format the regulations filed with them will take. Not all states have a single repository of regulations (Utah does, in the form of the Administrative Rules division), but for those that do, this is a very powerful piece of authority.

Willis makes that argument that because Government data should be open, the formats that it is stored in (and hence, in most cases, the tools used to create it) should be open as well. I think there's a good archivist statement in there, but my experience is that state's pay more lip service to their archiving responsibilities than anything else. Still, its a plank in the platform and should be made.

A second point for open formats is that interoperability is easier, and as a result development faster, when data is stored in open, flexible formats. That allows lots of small parts to be developed and used together. You write code to glue these parts together. This is essentially the Web Services argument, made without explicitly mentioning the XML kernel.

WIllis gives the example of being able to write a small tool in a few hours that reads Rhode Island's standard data format and dumps it into iCalendar (via PHP-iCalendar) to create calendars from data that originally had some other purpose. This is an important concept. It won't come as a surprise that I'm big on this topic. I think states should pay much more attention to open data in standard formats. As an aside, the tool publishes calendars in iCalendar format so that you can subscribe to them and see them on your own calendar tool rather than having to continually go out and check the site. This is the kind of subtle interoperability that makes a big difference. Witness news aggregators, RSS, and weblogs.

One of the applications that Jim demonstrated tracks legislative bills (apparently the job of the Sec. of State). I've written about this problem before. Jim claims that the application is flexible enough to work for most states. I think it would be great to have a single legislative tracking application for a number of states. There are many groups who are affected by legislation in more than one state. Some conformity in tools could allow a single, usable interface to multiple state legislatures.

2:19 PM | Comments () | Recommend This | Print This

Linux as Platform

Ian Murdock, from Progeny Linux Systems, is speaking on "Rethinking the Linux Desktop: Linux as a Platform, Not a Product." In the "Why is Linux Popular category, Ian says that Linux, and other FOSS products, are primarily "user-centric" whereas traditional software products are "vendor-centric." At first blush, I'm not convinced I believe that statement, but in the context he was speaking, I'd give it to him: Linux is a pretty flexible platform for all kinds of integrated products (like cell-phones or routers or TiVo) whereas Window's is not necessarily so (although Microsoft's trying). This would be Ian's point, I think: because MS is trying to make a profit (vendor-centric) they can't be as flexible.

Ian (who was part of the Debian Linux distribution effort) is making the point that Linux == Linux. The distributions are 99% identical. What's more, the various distributions try to sell Linux in exactly the same way vendors of closed-source operating systems sell their wares. The downside of this is that organizations get locked into a single distribution and get charged "per-seat" if they want support. Moreover, companies create their own standard builds which, in essence, are yet another distribution. This requires them to manage all of the distribution tasks including deployment, management, and maintenance, including security patches. This is a significant undertaking.

Now, we get to the sales pitch. :-) Progeny provides a product called platform services that provides a componetized Linux platform and toolkit for easily building and maintaining custom distributions. The componetization is fine-grained at the base and kernel level for creating small-footprint configurations. This creates a situation where an enterprise can create distributions that are scaled to the target platform, whether that be a cell-phone or a server.

The product includes, in addition to the components, a distribution management tool that allows an IT shop to create their custom distribution. You can even do your own branding, so that your users see your brand when they install or use the distribution. The pricing on the tool is designed to give an ROI over managing your own distribution without the tool (which Ian estimates is 2-10 people). That means its not cheap and is targeted at large organizations who would consider putting a group of people on the job of creating a custom distribution. I've got a client who is in that camp, so I know it happens.

12:35 PM | Comments () | Recommend This | Print This

GXA Specifications

I'm listening to Joseph Chiusano from Booz Allen Hamilton talk about GXA specifications, about which I've written a considerable amount. Joseph has been very active on this front and contains a lot of useful reference to how these specifications might be used to enhance eGovernment. I'm hoping I can get a URL to his presentation. Here are a few summary quotes:

GXA is poised to play a major role in advancing the adoption of web services through its robust specification of mechanism for web services such as security, policy, coordination, federation, and routing

Several GXA specifications (WS-Transaction and WS-Coordination) appear to be plausible candidates for inclusion in the upcoming W3C choreography effort.

10:24 AM | Comments () | Recommend This | Print This

Beware the False Advocate

During the morning break, a group of 5 or 6 guys came in dressed in Revolutionary War get-ups representing the NYLXS, or New Yorkers for Fair use. They are passing out flyers entitled "Beware the False Advocate" which denounce Tony Stanco, the organizer of the event because he has allowed people to come who don't preduce open source software (notably Microsoft). The flyer reads, in part:

The sponsors of this gathering, in the person of their representative Tony Stanco, Esq., have elected to include participants whop neither produce Open Source Software not support it. in fact these organizations are actively opposed to Free and open Source Software, as it threatens the archaic structures upon which their criminal businesses are based. Any free-thinking individual can kno in advance what their message will be, so why must we suffer their appearance today?

I suppose that the irony of them dressing up in Revolutionary War costumes to espouse a position that denies free speech would be lost on them. Besides, from the looks of this crowd, FOSS supporters outnumber any detractors by an overwhelming margin. I think there's little chance that the message will be corrupted.

Michael Bernstein was kind enough to send me the URL of the NY for Fair Use position. I don't think its particularly well argued. I disagree with their fundamental position. I think that Microsoft can and should be engaged in discussion. I also believe its patently unfair to castigate Tony for engaging them. Tony is doing more to promote open source that any amount of rhetoric will ever do.

8:59 AM | Comments () | Recommend This | Print This

FOSS: Free and Open Source Software at DOD

The second presentation I went to this moring was by Terry Bollinger on the use of Free and Open Source Software (FOSS) in the Dept. of Defense. I heard this talk in January when I was out for Susan Turnball's workshop and blogged the results then. I went to it again to jog my memeory and get some ideas flowing for my own talk which I discoved this morning that I'm giving this afternoon rather than tomorrow as I thought.

8:30 AM | Comments () | Recommend This | Print This

Whitfield Diffie on Security and Open Source

I'm at the opening session of the eGovOS conference. Whitfield Diffie, Chief Security Officer at Sun and co-inventor of the Diffie-Hellamn algorithm is speaking on the security aspects of open source software. The argument comes down to:

  1. More eyes looking at the code means that there will be fewer bugs leading to security issues.
  2. More eyes looking at the code means that there will be a greater chance that bugs will be exploited to cause security issues.

"Security is political and is always associated with someone's interests." The result of this observation is that lion's share of responsibility for security falls on the end user. In a closed-source world, the end user had no options other than chosing between finished products. There aren't many choices right now in many categories. In an open source world, the code is available for inspection and correction. Practically speaking, of course, end-user here has to mean 'government" or "large organization" since individuals won't usually spend much time looking through source code.

Part of the issue is that we've modeled computers on the world of publishing when the artifact is more like an automobile than it is like a book: it has function. In the world of automobiles, all kinds of reverse engineering takes place, creating a vibrant marketplace of aftermarket parts and people who know how to modify and customize cars.

Diffie is making an analogy between the standard crytographic practice of making the system public and the keys for transmitting individual messages private. This is not done for some altruistic reason, but because of a very real belief that the system is more more secure by being public. The cryptographic system is complex and costly to engineer and thus can't be easily changed out. Thus, it pays to have the cryptographic system be well engineered and to not rely on any "secret" features in the system itself.

One common argument against open source being more secure is that "trojan horses" can more easily be inserted into the code. The open source community regularly pooh-pooh's this with "that can happen in closed source code as well." Whit makes a great comment that is an important distinction: Many large organizations who are concerned about security (i.e. the military) can control their environments much more tightly than others. For them, keeping trojan horses out by controlling who has access to it is, perhaps, possible.

7:37 AM | Comments () | Recommend This | Print This

March 16, 2003

Off to DC for EgovOS

I'm off to DC to attend the Open Source in eGovernment event that Tony Stanco is putting on. I'll be speaking on Tuesday and I also have some other appointments while I'm there. I'll be blogging the conference, so read along if you're interested. I hope they have W-Fi.

9:51 AM | Comments () | Recommend This | Print This

March 13, 2003

Public Service Tip No. 7: Practice Your Duck and Cover Drills

In 1950, the Civil Defense community created a movie called "Duck and Cover" which featured Bert the Turtle. Bert became a cultural icon. By default, he also became the mascot of many public sector employees. (See Bert in action in "Duck and Cover" (quicktime).)

To illustrate this, one of the people who worked for me in Utah told me once (with a straight face), "I was starting on that, but I began to notice that I was out in front of everyone else and that's a very uncomfortable position to be in. They might not follow." This was a person who was supposed to be in a leadership role, but he was also a long-standing state employee who had survived a number of administration and leadership changes. He'd learned the art of surviving in public service: never take a position.

This duck and cover mentality is a critical skill for public sector employees. In the private sector, you live and die by your opinion and your judgment. After all, the way you shine and come to the attention of your boss is to express yourself and take a stand on important issues. In the public sector nothing could be further from the truth. When you take a position, you run the risk of having someone call you on something you've said. Taking a position makes you accountable.

Part of this is just normal office politics. However, there's a much more acute awareness of this and expertise at exploiting it in state government. There are a few good reasons for this:

  1. Mistakes can be deadly. Because of the very close relationship between government and the press, the press will magnify any mistake you make. What's more, the legislature does not have the time or inclination to understand why a problem has arisen. One of my staff advised me my first week on the job that I could never recommend canceling a project once it had begun. There was no room for error.
  2. As I've mentioned before, process is more important that results, so there's no need to take a position, just make sure you're following the process and everything will be OK.
  3. When you are trying to get something done, the past can come back to haunt you. The less of a past there is, the less likely that the past will get thrown in your face. A common political strategy for dealing with a project or proposal that you don't like is to publicly attack the person making the proposal on another issue and tie up your opponent with other problems. You may think that this isn't applicable if you're not running for office, but this strategy can be used equally effectively against appointed officials and other managers as well.

One of the consequences of all this is that people in the public sector are constantly striving for "consensus." My experience, however, is that this is not the true consensus that comes through leadership and trust, but just a "participation" exercise that let's everyone find the least common denominator and to gage where others are so that they can assure that they're not "out in front." As a result, you see a constant effort to "study the issues" and "vote on direction." I used to want to scream "you work for a democracy, not in one!" but it wouldn't have done any good.

There are a large number of excellent people on the public sector payroll. I worked with a number of them. Even so, I met few who were willing to take a stand in public. Plenty would say "you're doing the right thing; keep at it" in a private conversation, but they were timid to take a position even half that strong in any public setting. That limits progress significantly.

4:54 PM | Comments () |