July 31, 2003
Where's the Service in this SOA?
CBDi has posted a commentary comparing Amazon's Web services with those offered by salesforce.com. The conclusion: While both use the protocols of Web services, Amazon.com's offering is "service oriented" and salesforce.com's offering is merely lipstick on a pig.
10:15 PM
The Power of Web Enabled Data Sources
I ran across a few interesting tidbits about RSS today that illustrate the power of creating Web enabled data directories. First, Adrian Holovaty has started to offer custom RSS feeds for his blog. The RSS feed is essentially a generator that takes an optional parameter which represents a search term or filter for the RSS feed. Good idea. The second is interesting as well, but also shows the real power of RSS, Web services, and a properly designed, RESTian interface.
Paul Bausch has created a tool for creating custom RSS feeds from Amazon. What's neat, however, is that this is just an XSLT stylesheet on the RESTian Amazon Web services interface.
These two posts are actually interesting to compare. In the first, RSS is being created and then filtered (or at least the RSS generator program makes it appear that way). In the second, an RSS feed is being created by transforming the output of a much more general program for creating XML data feeds. This is a great example of the power of building web enabled data sources. Amazon didn't set out to create an application for building custom RSS feeds of their data. But exposing a public interface to their data allowed others to do that and hundreds of other things that Amazon would have never thought of.
9:59 PM
July 30, 2003
Eve Maler on Web Services Security
Eve Maler is vice-chair of the WS-I Basic Security Profile Working Group and currently coordinating editor of the SAML (Security Assertion Markup Language) committee. This recent webservices.org interview with Eve on Web services security is worth reading. One thing that comes out loud and clear is that there's not going to be a magic bullet to Web services security issues. We shouldn't expect one. Rather than deter you from starting on Web services, however, this should induce you to not wait for the next standard or specification. There are solutions that work now. Eve says:
Web services are currently being secured in very traditional ways, to the extent that they're being secured at all. Web services on the Internet, as opposed to behind a firewall, might be secured with HTTPS SSL mechanisms, which are quite common in online individual purchase transactions. It does a fairly good job of protecting the contents of the message while in transit. However, in more complex Web services scenarios, this solution won't always be adequate. If many intermediaries are transacting with the messages as they go from initial sender A to ultimate receiver B, the simple SSL solution might not be adequate. The standards are not cooked yet for securing the content of the message and the channel in all the ways that people would want.
I don't disagree, but most people are trying to implement the complex scenarios that require more complicated security standards at present.
9:57 AM
Gartner Survey Shows Web Services Projects Holding
A recent Gartner survey finds that while some businesses have slowed down Web services projects, not many of these projects have been cancelled. Gartner found that 48% of respondents said that the economy had caused them to curtail some spending, but the projects have continued. Nicole Latimer, a Gartner analyst, says:
Only 1% of respondents stated that they stopped all Web services development projects going forward, and only 6% stated that their organization has postponed the majority of Web services development projects for 1 year or more.
9:34 AM
July 29, 2003
Enterprise Architecture Certification
I spent the day with John Gotze from Denmark discussing Denmark's enterprise architecture initiatives. I hope to write some additional thoughts on enterprise architecture later. While we were talking, John mentioned the Federal Enterprise Architecture Certification Institute, which was, coincidentally, related to this morning's post on the NDU CIO certification program. I'd never heard of FEACI before, even though I heard its executive director, Felix Rausch, speak at the Federal CIO conference I spoke at in May.
7:16 PM
Federal CIO Certificate Program
The National Defense University offers several interesting certification programs for federal IT managers in IT management. The CIO Certificate Program requires coursework in eleven areas:
- Policy
- Information Resources Strategic Planning
- Leadership/Management
- Process Improvement
- Capital Planning and Investment
- Performance and Results Based Management
- Technology Assessment
- Architectures and Infrastructures
- Security and Assurance
- Acquisition
- eGovernment/eBusiness
The eGovernment Certificate Program requires coursework in eight areas:
- Policy
- Planning and Organization
- Change Management
- Architecture and Enterprise Integration
- Financial Resources
- Performance Management
- Security and Privacy
- Human Capital or Information and Knowledge Resources
These courses are necessarily focused on the needs of the Federal government, but state and local IT managers can sign up on a space available basis.
Don't overlook training and education as a means of changing your organization. If you want to change the culture of your organization, focus on creating training courses for your managers that teach them the principles you want in the new organization. I wish I'd concentrated more on this when I was CIO for Utah. We did some of this by establishing the Product Management Council which has done a great job at educating a whole crew of eGovernment product managers inside Utah state government. We could have done much more, especially on the IT management side. The best way to manage change in an organization is through education.
8:11 AM
Binary XML
In September, the W3C will host a workshop on binary XML formats. Your first reaction may be the same as mine: what the heck is binary XML? Binary XML is an attempt to find a common format for communicating pre-parsed XML trees to reduce bandwidth and the time it takes to parse large XML documents. The audience is primarily embedded and similar applications, but of course, once the genie's out of the bottle, it will be used in all sorts of applications. The announcement lists several advantages:
- It would not be restricted to a single schema or vocabulary, and hence could be interoperable between vocabularies;
- It would not be restricted to a single application or hardware device, and hence could be interoperable between implementations;
- Improved network efficiency and reduced storage needs: compression techniques that make use of domain-specific knowledge often do better than more generic compression;
- Sending pre-parsed data could reduce the complexity of applications, and may facilitate creation of simpler internal data structures.
- Web Services may need more efficiency, and a pre-parsed binary transmission format may help people to continue to work with Web Services rather than to explore proprietary interfaces
The biggest disadvantage is that pre-parsed data does not conform to the view source principle that has served the Web so well. In that sense, pre-parsed data doesn't seem RESTian.
7:40 AM
July 28, 2003
Digitally Signed Photos on US Passports
This article in New Scientist discusses a plan by the US Passport Service to issue "smart" passports carrying a digitally signed photograph by late 2004. The new passports will include a smart card that will hold a digitally signed image. Of course, a lot of people are concerned about the potential for abuse. I've never shared those concerns. I think the advantages significantly outweigh the potential problems. Utah went through a period of civic dialogue (meaning people went non-linear) a few years ago when Scott Howell introduced legislation to make the driver's license into a smart card. I thought it would be a great place to keep a digital signature, along with other information. The black helicopter crowd was out in force decrying the loss of civil liberties. The legislation was defeated. Of course, the new driver's licenses have a 2D bar code on them that holds just as much information; it's just read-only.
6:45 PM
OSS in Government
Tom Adelstein continues his series on open source software (OSS) use in state and local government today with a fourth article that talks about how the procurement process affects OSS. Tom makes some excellent points that jibe with my experience. But there are several insidious dynamics related to OSS that I don't think Tom quite captures.
First, RFPs are not written in a vacuum. RFP authors write them after studying whatever resources are available to them, including vendor web sites, sales material, and, interestingly enough, the salespeople themselves. There's an old saying in Government that if you want to win an RFP, you'd better help write it. OSS doesn't typically have sales people working on its behalf and the collateral material available to help an RFP writer is virtually non-existent.
Even more problematic is that RFPs are not usually about just hardware or software; they're about solutions to particular problems, including hardware, software, support, etc. Most governments don't write much software; they outsource that and the vendor supplies a system to meet a particular need. So, KPMG or Deloitte and Touche submit an RFP for a total solution. Here's the problem: these vendors get a percentage of the software and hardware sales in the RFP. As Tom points out in his article, most RFPs are judged on a lot of criteria other than cost, so is KPMG going to recommend Linux or Solaris? You know the answer.
Overcoming these systematic disadvantages for OSS requires that the RFP writer and the organization that he or she works for have a predisposition to use OSS. The use of OSS wherever possible could be one of the criteria in the RFP, for example. The more likely scenario, however, is that an unfunded project gets started using OSS and grows into a funded project where the OSS foundation forms a bias in favor of OSS for the larger project.
In Utah, we added OSS products to the "approved" software list as a way of just letting people know OSS was OK. Government managers who favor OSS software will need to take such steps to drive OSS usage in their agencies.
8:59 AM
July 26, 2003
I'm Back from Camping
I spent last week with my son and his scout troop at Camp Steiner in the High Uintas. Really spectacular scenery and not a bad camp. I was the scoutmaster of this troop for 6 years, so I still like to tag along sometimes when they'll let me. I took a few photos.
8:46 PM
July 21, 2003
Away for a Few Days
I'm going to be away for the next four days.
6:43 AM
Real-Time Problems for McDonald's and Innovate
Baseline Magazine is one of my favorite reads (right next to InfoWorld, honest) for information about enterprise computing. Their articles are detailed and usually tell a story in an analytical way. This month's issue has a detailed article, with numerous sidebars, about McDonald's decision to cancel Innovate, its five-year, $1B program to build a real-time system for monitoring everything about its 30,000 stores, right down to the temperature in the fry-cooker. They'd already spent $170M, which is largely just money down the drain at this point.
A few weeks ago I wrote about the real-time enterprise and this is a topic that is near to my heart---a move that I think is inevitable in business. So, what's the deal?
McDonald's challenges are painfully obvious to anyone who's visited one of their restaurants lately. Many are out of date, the service levels have slipped, and the menu is rapidly falling out of step with what many want to eat. At most you can't even pay by credit card. To add insult to injury, the bathrooms aren't as clean as they used to be. So, how's a $1B real-time digital network going to solve those problems? That's the very question the new CEO asked when he took the helm last year. Consequently, he decided to make investments other places.
I guess I can't really blame him, but you've also got to wonder when the aging IT infrastructure is going to get its due. The Big Mac still does its books on a mainframe-based, custom built general ledger system conceived and built in the 1980s. Company executives can't really get detailed information about sales in individual stores and what data they can get is usually a week old. This doesn't sound like a system for getting back in touch with your customers either. A couple of interesting quotes from the article:
[I]nstead of investing in Innovate over the next five years, Cantalupo [CEO] says McDonald's will invest in itself through the share repurchases and dividends. These measures might provide temporary relief for the beleaguered stock price but will do little to improve the quality of the food or the speed of service at its locations. But then technology has never fit easily on McDonald's menu. "Culturally, it was always a fight at McDonald's," Dill [the then CIO] says. "My first day on the job I remember meeting with then-CEO Fred Turner and he said 'Carl, I never want to fail to sell a hamburger because a computer is down.' McDonald's just wasn't comfortable with technology."
A few comments:
- The biggest problem with projects like this is the sheer size. McDonald's spent $170M without even rolling a single thing out---just on pilots and testing. Eighty percent of big projects go awry. You have to find a way to do these in chunks or you're setting yourself up for failure. Even chunking this in terms of systems (update the general ledger first, work on POS systems next, etc.) would have helped, in my opinion.
- Companies like McDonald's are trying to solve multiple problems at once. At the same time, their size makes the problems enormous. Most companies don't face these same issues of scale. Smaller companies shouldn't apply McDonald's lessons to themselves without allowing for scale.
- Web services provide a means of doing enterprise application integration (lowercase) in an iterative way. Connect up the things that matter most and then start on the next tier, and so on.
- Iterating to integration doesn't obviate the need for a plan. This is called an enterprise architecture. I'm pretty sure I'll have a lot more to say on enterprise architectures over the coming month.
- McDonald's failure notwithstanding, I think that real-time enterprises are inevitable. Why? I call it the Fed-Ex principle. If your competition is using Fed-Ex to move the mail and you're not, they get documents delivered faster. Soon everyone has to use Fed-Ex and even though no one is advantaged by it, no one can afford to not use Fed-Ex. The same thing will happen with real-time enterprises. Some companies can pull it off (witness Wal-Mart). This means that they are at a significant advantage over their competition. Their competition will either become real-time or die. Eventually everyone will be real-time and there will be no advantage, but no one can go back. This is, in part, the argument that Nicholas Carr was making.
If you care about enterprise systems, this article and the accompanying sidebars deserve careful study.
6:40 AM
Intermountain Exchange: Call for Participation
The IX1 web site is still accepting proposals. Intermountain eXchange is an annual regional conference focused on next-generation wide-area network issues affecting Utah, Colorado, New Mexico, Wyoming, Montana, Idaho, and Nevada. We're excited to hear about what others in the Intermountain region are doing with wide area and metropolitan area networks. If you're doing something that others should know about, please respond to the CFP.
6:37 AM
July 19, 2003
Untangling Web App Security
With the increased use of Web applications, businesses have had to peel back a layer in their perimeter defenses and give public network traffic access to internal applications. The result is a rise in network security problems, and an increase in the need to audit and thoroughly check publicly facing code for potential security vulnerabilities. Unfortunately, security expertise is in short supply.
WebInspect 3.0 from SPI Dynamics aims to fill that gap by automating the tasks necessary to perform security audits. WebInspect is a remote assessment tool, meaning that it performs its audits solely by means of the same HTTP calls to which an attacker would have access. Administrators can add custom checks to find problems that are specific to a particular application.
[Full story at InfoWorld...]
This is the review I was doing when I stumbled and caused myself and others some grief. Nice to have that chapter closed.
8:36 AM
July 18, 2003
CNN on Aggregators
Calling them the biggest change to the way we use the Web since Mosaic, CNN has an article on news aggregators. In the typical style of the popular technology press, it is full of gushing and contains lots of "ooohs" and even a few "aahs". Very interesting to see the mainstream press finally start to talk about aggregators. Reminds me of 1994 when they started talking about browsers. Interestingly enough, there's no link to an RSS feed from CNN, which last time I checked it out was a static document pointing to the main cnn.com site. I can't find it now. I guess they decided that a static RSS document is even worse than a static homepage.
10:31 PM
CS 462 Class Information
I'm starting to get some questions from people who are interested in taking CS462 in the Fall. CS462 is a class on large scale distributed systems that I teach at Brigham Young University. Here's information on when the course meets and the texts I've selected:
When: 5:00-6:15 pm MW
Where: W142 BNSN
The class will have three main sections: one on 2-tier architectures, one on n-tier architectures, and one on Web services. There is, unfortunately, no one text that can cover all of these, so there are three. All are required.
- MySQL and JSP Web Applications by James Turner will be used to study 2-tier architectures. In a perfect world, we'd use PHP instead of JSP for this part, but I want to keep the course about the architectures and not about learning a lot of languages.
- Enterprise JavaBeans (3rd Edition) by Richard Monson-Haefel will be used to study n-tier architectures. The largest project in the course will occur in this section of the course and involve installing and programming an EJB application server and linking it to a JSP-based presentation layer to create a significant web application.
- Java and SOAP by Robert Englander will be used to introduce Web services and the concept of "decentralized" as opposed to merely "distributed" architectures.
Please feel free to contact me with any questions.
2:24 PM
Wireless VoIP
An interesting article in Fortune asks whether Wi-Fi will revolutionize the phone. In particular, it talks about wireless hotspots and the real possibility of multi-mode phones that will allow you to call over IP when you're inside a hot spot and avoid cell charges. Cisco already has a portable handset for use with Wi-Fi networks. I make calls right now over Wi-Fi since that's the only internet connectivity I have and Vonage is my phone provider. There's no great technology breakthrough required here---just a little integration.
9:41 AM
IT Reloaded: The Other Side of the Fence
According to economist W. Brian Arthur, Citibank professor at the Santa Fe Institute, "This country's one and only economic driver for the next several decades rests solely in the hands of CIOs." That's a bold statement and one that seems to fly right in the face of the IT Doesn't Matter Anymore mindset. In an interview with CIO magazine, Arthur's observation is that digital technologies go beyond automating, and create fundamental changes:
As different industries encounter digital technology, which includes telecommunications and satellites, the pattern seems to be that completely new activities spring to life. It's not about speed and productivity enhancements, better, faster, cheaper. There are actual new tasks being accomplished.
As an example, he uses the biological sciences, where digital technology isn't just automating old processes, but enabling completely new things like gene mapping or DNA fingerprinting. He points to the financial services industry, where new products like financial derivatives are possible only through digital technology.
Arthur envisions CIOs in an active, rather than a passive role:
What CIOs need to do is, number one, realize what's going on. Then, they can't just react passively and say, "Yes, the people upstairs have demanded that we be in constant contact with Frankfurt or Boise, Idaho." They must imagine how all of this should happen in a reliable and intelligent way, and initiate it themselves.
This is a huge challenge for CIOs because not only does it require understanding trends and then applying those to the business, but it also requires selling everyone else on that vision. Believe me, most people won't see the vision over a short time frame. To paraphrase Proverbs: Where there is no vision the people and their CIO perish.
In the article, Arthur talks about digital technologies forming the "nervous system" of the enterprise. He's really talking about the real time enterprise where instrumentation and systems combine to give everyone the information they need to make the right decision in real time. Web services provide a means for accomplishing the integration that Arthur envisions piecemeal, without breaking the bank.
8:47 AM
July 17, 2003
Relax NG
I wanted to go to Mike Fitzgerald's talk on Relax NG last week at the O'Reilly Open Source Convention, but it was opposite Andy McKay's Plone talk and I needed to go to that for other reasons. I did make a note to myself to spend some time looking into it when I got back and this morning I had a few minutes to do that.
The basic syntax for XML is pretty loose, basically requiring only a sea of angle brackets, proper tag nesting, and strict matching of opening and closing tags. Of course, to really make XML useful, we need schemas to further constrain the basic XML syntax. This is the feature that makes XML a meta-markup language. Schema languages can go beyond context free grammars (CFG) to specify some context sensitive constraints, but for the most part you can think of them as context free grammars to be fed into a parser. The key difference between XML parsers and parser generators like YACC or Bison is that XML parsers are interpreted---they get their grammar on the fly instead of being hard coded for one specific parsing task.
Relax NG is an alternative schema language for XML. The specs for the language were developed by the RELAX NG technical committee at OASIS between April and December 2001. One of the things I like about it is an optional compact syntax that dispenses with angle brackets for human readability. I've long argued that using XML for XML's sake is silly. Relax NG is a merging of Makoto's RELAX and Clark's TREX.
The resources linked in at the end of this article will give you some detailed information, including the slides from Mike's talk, which are excellent, but I wanted to include an example Relax NG Schema to give you a feel for what it looks like. Here's the XML version of a Schema to define a library patron.
```xml
<!-- A patron holds a name, an id-num and any number of books, in any order -->
<element name="patron"
         xmlns="http://relaxng.org/ns/structure/1.0">
  <interleave>
    <element name="name"><text/></element>
    <element name="id-num"><text/></element>
    <zeroOrMore>
      <element name="book">
        <!-- each book carries either an isbn or a title attribute -->
        <choice>
          <attribute name="isbn"/>
          <attribute name="title"/>
        </choice>
      </element>
    </zeroOrMore>
  </interleave>
</element>
```
This example can almost just be read out loud. A library patron record contains a name, an ID number, and a collection of zero or more books which are identified by a title or an ISBN number. The compact version of this schema is shown below.
```
element patron {
  element name { text } &
  element id-num { text } &
  element book {
    (attribute isbn { text } |
     attribute title { text } )
  }*
}
```
I think that's even clearer. Almost anyone who's studied BNF could read this and make sense of it. That's a huge improvement over most XML schemas. The compact schema is much more readable. Humans are remarkably good at parsing things and don't typically need all the closing tags and other paraphernalia that make XML such a good language for machine to machine communication.
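As an added example (not code from this post or from any Relax NG tool), the Python below reads the patron schema at run time and checks documents against it, which is the "grammar on the fly" idea described above. It interprets only the patterns this schema uses (`element`, `text`, `attribute`, `choice` of attributes, `interleave`, `zeroOrMore`); the helper names and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

RNG = "{http://relaxng.org/ns/structure/1.0}"
# The post's patron schema, with the namespace attribute spelled "xmlns".
PATRON_SCHEMA = """\
<element name="patron" xmlns="http://relaxng.org/ns/structure/1.0">
  <interleave>
    <element name="name"><text/></element>
    <element name="id-num"><text/></element>
    <zeroOrMore>
      <element name="book">
        <choice><attribute name="isbn"/><attribute name="title"/></choice>
      </element>
    </zeroOrMore>
  </interleave>
</element>"""

def _kind(pattern):
    """Local name of a schema node; anything outside the RELAX NG namespace is rejected."""
    if not pattern.tag.startswith(RNG):
        raise ValueError(f"not a RELAX NG pattern: {pattern.tag}")
    return pattern.tag[len(RNG):]

def _content_model(element_pattern):
    """Read what an <element> pattern allows: text, attribute choices, child elements."""
    model = {"text": False, "attr_choices": [], "children": {}}
    def walk(p, repeatable):
        kind = _kind(p)
        if kind == "text":
            model["text"] = True
        elif kind in ("interleave", "zeroOrMore"):
            for sub in p:
                walk(sub, repeatable or kind == "zeroOrMore")
        elif kind == "element":
            model["children"][p.get("name")] = (p, repeatable)
        elif kind == "attribute":
            model["attr_choices"].append([p.get("name")])
        elif kind == "choice" and all(_kind(a) == "attribute" for a in p):
            model["attr_choices"].append([a.get("name") for a in p])
        else:
            raise ValueError(f"unsupported pattern <{kind}>")
    for part in element_pattern:
        walk(part, False)
    return model

def _check(pattern, node, path, errors):
    """Match one instance element against its <element> pattern, recursing into children."""
    path = f"{path}/{node.tag}"
    model = _content_model(pattern)
    unclaimed = set(node.attrib)
    for options in model["attr_choices"]:
        present = sorted(unclaimed & set(options))
        if len(present) != 1:
            errors.append(f"{path}: need exactly one of {options}, found {present}")
        unclaimed -= set(options)
    errors += [f"{path}: unexpected attribute {a!r}" for a in sorted(unclaimed)]
    text = (node.text or "") + "".join(child.tail or "" for child in node)
    if text.strip() and not model["text"]:
        errors.append(f"{path}: text is not allowed here")
    counts = {}
    for child in node:  # interleave: children may arrive in any order
        rule = model["children"].get(child.tag)
        if rule is None:
            errors.append(f"{path}: unexpected element <{child.tag}>")
            continue
        counts[child.tag] = counts.get(child.tag, 0) + 1
        _check(rule[0], child, path, errors)
    for name, (_, repeatable) in model["children"].items():
        if not repeatable and counts.get(name, 0) != 1:
            errors.append(f"{path}: <{name}> must appear once, found {counts.get(name, 0)}")

def validate(schema_xml, doc_xml):
    """Return a list of violations; an empty list means the document matches the schema."""
    schema = ET.fromstring(schema_xml)
    try:
        doc = ET.fromstring(doc_xml)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    if _kind(schema) != "element" or doc.tag != schema.get("name"):
        return [f"root element must be <{schema.get('name')}>, found <{doc.tag}>"]
    errors = []
    _check(schema, doc, "", errors)
    return errors

# Constructed sample documents (not from the post).
VALID_DOC = """<patron>
  <book isbn="0000000000"/>
  <name>Sample Patron</name>
  <book title="Sample Title"/>
  <id-num>42</id-num>
</patron>"""
INVALID_DOC = """<patron>
  <name>Sample Patron</name>
  <book isbn="0000000000" title="Sample Title"/>
  <role>admin</role>
</patron>"""

if __name__ == "__main__":
    print(validate(PATRON_SCHEMA, VALID_DOC), validate(PATRON_SCHEMA, INVALID_DOC), sep="\n")
```

Because the schema is closed, anything it does not name (the extra `<role>` element, a book carrying both attributes, a missing `id-num`) is reported before application code ever sees the record.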
Relax NG isn't likely to displace the W3C's XML Schema language anytime soon, but given its readability, I think it's likely to garner a large group of users. Here are some resources that I found helpful in understanding Relax NG:
- Mike Fitzgerald's Powerpoint slides. There's some good material in the examples.
- Clark's Relax NG Resource Page.
- The bottom of the OASIS page contains a list of Relax NG tools.
- Relax NG Tutorial
- Mertz's Doing Better than W3C XML Schemas and Relax NG Tools and Special Issues. Pay special attention to some of the design issues Mertz discusses in the second article.
11:39 AM
July 16, 2003
Quantum Cryptography
Business Week has an accessible article on quantum cryptography. Quantum cryptography encodes information in the orientation of photons and relies on Heisenberg's Uncertainty Principle to detect eavesdroppers. If you're looking for more information than what's available in the BW article try the following:
- BBN intro page on quantum cryptography
- Recent Red Herring technology brief on quantum cryptography
- A more technical article in Physics Today from 2000 called From Quantum Cheating to Quantum Security
4:11 PM
Jim Gray on Storage
Several days ago Tim Bray pointed to a wonderful interview of Jim Gray by Dave Patterson. Really very good. Be sure to read the piece at the end on intelligent disks. Jim has taken to shipping terabytes of data around via UPS inside computers because it's cheaper than the net or even tapes. He says:
The phone bill, at the rate Microsoft pays, is about $1 per gigabyte sent and about $1 per gigabyte received--about $2,000 per terabyte. It's the same hassle for me whether I send it via the Internet or an overnight package with a computer. I have to copy the files to a server in any case. The extra step is putting the SneakerNet in a cardboard box and slapping a UPS label on it. I have gotten fairly good at that.
The main thrust of the article is that disk density is increasing ten times faster than access speeds. The end result is that we are very close to having what looks, for all intents and purposes, like infinite storage capacity but not being able to access it fast enough. In fact, the speed to density ratio is approaching that of tape.
After I'd read the article, I had popped over to Jon Udell's blog to see what he was up to and while I was reading his piece on Publishing, Permanence, and Transparency, I was thinking of this Jim Gray interview. Apparently so was Jon.
3:49 PM
July 15, 2003
eGovernment in the Kyrgyz Republic
I had a unique opportunity to meet with Almaz Bakenov, an attache with the Embassy of the Kyrgyz Republic and speak with him about eGovernment. Almaz has a Masters degree in Computer Science and one in Electrical Engineering as well. Our conversation focused on four areas of eGovernment:
- IT as a driver in economic development - IT can provide an opportunity for economic development in underdeveloped countries. Kyrgyzstan has few natural resources and has to rely on its workforce, which is surprisingly well educated, to drive economic growth.
- IT as a driver in societal growth and change - IT can provide information and communication more cheaply than many alternatives. For example, wiring schools and libraries is expensive, but it provides access to information and knowledge that changes society (we can debate whether for good or bad).
- IT as a means of managing society - this is the classic eGovernment angle and focuses on how to use IT to run the government and, in a democracy, let citizens understand what government is doing and impact the way it operates.
- Infrastructure - the other three depend on this and infrastructure is a classic role for government. When the US was young one of the first public works projects was a turnpike. In the 21st century, networks are as important as roads and in most countries, government is the only one who can afford to build them.
We talked a great deal about economic development since that provides resources for the other initiatives, if it's successful. There's a waltz required however, since you can't just do one without also working on the others. I enjoyed my talk with Almaz very much and think he has some interesting challenges ahead as he tries to work through all this.
11:19 AM
Munich Goes with Linux
At OSCON, Mitch Kapor predicted that the public sector would lead the way in moving Linux to the desktop. USA Today has a long article that details some of the behind the scenes movement in Munich's recent decision to put Linux on 14,000 desktops. It's interesting that this wasn't a decision made on cost. Indeed the winning bid, by IBM and SuSE, was almost $12M over the Microsoft bid. This was more about choice, future direction and out-year costs than it was about the immediate price.
8:09 AM
IT Does So Matter!
I recently wrote about a Harvard Business Review article by Nicholas Carr called Why IT Doesn't Matter Anymore. My review focused on the idea that IT commoditization brings with it an increased role for operational excellence on the part of IT staffs. An article on ComputerWorld, entitled "IT Does So Matter!" reports interviews with four CIOs and their responses to Carr's article. The focus of that article is on innovation. I love this quote from Andrew McAfee (also of Harvard Business School):
It's a matter of whether we're talking about IT enhancing productivity or competition. The telephone has made us able to get more done in a day. Has the phone continued to radically affect the competitive balance among companies? No. That's Nick's point. Some kinds of IT fall into that category. For example, e-mail. We all have it; we all use it. But it's not competition-changing, so overinvesting in it is not a great idea. The bases of competition revolve around other things. [But] there are industries where technologies are fundamentally important. Dell has an IT business-process automation infrastructure that really works. If you don't have one of those, do you have a hope of competing in that industry? And even if you want to put one of those in place, there will be a really big difference in how successful you are vs. another company, because it's tough organizational change in a technology wrapper. We're not equally good at doing it. If we find ourselves competing in an industry where these kinds of systems are important, then IT matters like crazy.
Later in the article, Paul Strassmann, acting CIO at NASA, points out that anyone could have bought a Teradata system from NCR years ago at the same time that Wal-Mart did (in fact many probably did). That didn't make them Wal-Mart. My OSCON Wrap-Up makes the point that in a world of commodity software, it's what you do with it that counts and that's Strassmann's point as well.
Even though my review focused on the red zone, it's important not to overlook the green zone. You'll do yourself and your business a disservice if you just assume the green zone is empty. IT managers and CIOs especially have to work closely with business managers to help them see where IT can be used to change the business. That's innovative, green-zone work.
7:51 AM
July 14, 2003
Internet Voting in 2004
This Boston.com article talks about the Secure Electronic Registration and Voting Experiment being run by the Pentagon which will allow thousands of military personnel and overseas civilians to vote in the 2004 election. Certain overseas residents of South Carolina and Hawaii and those in a handful of counties in Arkansas, Florida, Minnesota, North Carolina, Ohio, Pennsylvania, Utah and Washington will be able to participate. Of course, like any issue, this one has its fans and its critics. Critics are mostly concerned about security and that's nothing to treat lightly. I don't understand the specifics enough to pass judgment. The project has a web site if you're interested.
5:16 PM
Harold Carr: PEPt Architecture for RPC Systems
Harold Carr has started a blog. He works for Sun, but lives in Salt Lake, so I've added him to the Utah Blogroll. I met Harold when I was planning on going to Middleware 2003 in Rio. Unfortunately, I was unable to go, but Harold was kind enough to bring me back a copy of the proceedings. He had a paper in the conference on an RPC architecture he developed called PEPt. PEPt stands for presentation, encoding, protocol, and transport. From the abstract:
PEPt is an architecture for implementing RPC systems. Although RPC systems seem quite varied they actually share the same fundamental building blocks: presentation, encoding, protocol and transport (PEPt). Presentation encompasses the data types and APIs available to the programmer. Encoding is the representation of those types on the wire. Protocol frames the encoded data to denote the boundaries and intent of the message. Transport moves the encoding + protocol from one location to another. The PEPt architecture enables a single programming model to adaptively change encodings, protocols and transports.
If you're interested in the implementation side of application servers and other middleware, Harold's blog should be an interesting read.
12:37 PM
July 12, 2003
OSCON Wrap-up: Commodity Software is a Business Opportunity for Service Companies
At the beginning of OSCON in his keynote address, Tim mentioned a difference between software and services that caught my attention: if you buy a piece of software and the company goes out of business, the software still works. On the other hand, if you take the people out of a business like Google, or even your favorite ISP, there's no more service---it just goes away. This isn't a huge revelation, but it's an interesting way to think about the service economy being about people rather than things. I had this in the back of my mind as I was listening to Doc yesterday.
Doc was talking about the construction business. He points out that we use construction industry metaphors all the time when we talk about building computer systems. That's an interesting perspective and meshes with Tim's comments. Doc talked about driving through some industrial area somewhere and noticing business after business with huge lots full of pipes, structural steel, and the like. These things are commodities and businesses that sell them make good money (albeit not with the kind of margins that Microsoft and Oracle have promised their shareholders). Moreover, the construction industry is a large, profitable, and honorable business. Doc thinks this is a model for where the software industry is headed. I agree.
The construction industry is about service. While we typically don't think of construction being part of the service economy, I think that view concentrates too much on the things and not enough on the construction itself.
I built a house several years ago and my general contractor definitely spent his time providing a service. Sure, he built things too, but mostly he assembled commodity products to build a custom house for me and that didn't diminish his ability to create value and be compensated for it. The companies who supplied the commodity products made money too.
Tim talked about a paradigm shift in his keynote. As I listened to the talks at OSCON, this thought kept coming back to me over and over again: building service-based businesses on commodity software products isn't just an idea for a business model, it's the primary business model of computers in the networked era. Yahoo!, Google, ISPs, and other successful net-businesses are using this model right now and doing quite well at it. What's more, open source software is getting more and more capable all the time. Combine these facts with Tony Perkins's belief that now is the cheapest time ever to start a net-based business and I think you're staring opportunity in the face.
1:23 PM
July 11, 2003
Beyond Struts
I'm in a session by Michael Rimov from Centerline Computers and Craig McClanahan from Sun Microsystems, Inc. called "Beyond Struts."
Michael is the lead developer on the Expresso project, an open source framework for building data driven applications on top of Struts. From the web site: Expresso adds capabilities for security, robust object-relational mapping, background job handling and scheduling, self-tests, logging integration, automated table manipulation, database connection pooling, email connectivity, event notification, error handling, caching, internationalization, XML automation, testing, registration objects, configuration management, workflow, automatic database maintenance and JSP tag library etc. Expresso is a significant extension to Struts and demonstrates the ability of Struts to serve as the foundation for other, significant frameworks.
Craig is giving a case study on Struts and XML. While most Struts applications generate HTML, Struts can be used to generate XML. The resulting XML can be used by another machine or translated into HTML or some other mark-up for the client device. There's more information on the Jakarta website on packages for doing this.
JavaServer Faces is a server-side user interface component framework for Java-based web applications. The goal is to reach out to corporate developers who are more comfortable with VB or other scripting languages and to provide tools for supporting GUI creation. JavaServer Faces features an extensible UI component model, a flexible rendering model, an event and listener framework, a validation framework, basic page navigation support, and internationalization and accessibility. JavaServer Faces does a lot of what Struts does, but that doesn't mean that JavaServer Faces will replace Struts. They can be used together. A Struts developer can use Struts and things built on it like Expresso and still take advantage of the rich GUI environment that JavaServer Faces provides.
11:42 AM
Miguel de Icaza: The Mono Project
Miguel de Icaza is talking on Beyond .NET: The Mono Project. Mono is a virtual machine, a set of class libraries, and development tools for an open source version of C#. The project is two years old. Miguel is an entertaining speaker.
Dan Olsen and I have had some Java vs. C# discussions. Dan is sold on C#; I've primarily been stopped by two things: (1) I need a bigger difference than the one that exists between Java and C# to learn another language and (2) I'm not happy to be locked into a Microsoft environment---in fact I'll avoid it at almost any cost. Miguel says that C# is a decent language. Better than that, Miguel says that the runtime engine (CIL) makes it a language that will last. Even if he wants to change languages later, the runtime engine ensures that the C# he writes now will be useful with anything that runs on that runtime. With an open source runtime, that's a real advantage.
11:03 AM
Von Neumann's Universe: Coding (and Engineering) at the IAS, 1945-1956
George Dyson (Esther's brother) is speaking about Von Neumann's Universe: Coding (and Engineering) at the IAS, 1945-1956. George is a resident scholar at the Institute for Advanced Study (IAS) and has gone through the archives. His father, Freeman Dyson, is an emeritus professor of IAS and a renowned scientist.
He's showing documents, pictures and some of the original drawings and schematics. The documents are full of names that are instantly recognizable: Gödel, Pauli, Einstein.
EDVAC was the name of the computer designed and built there. The budget for designing the machine was $50,000. George has schematics for AND and OR gates, adders, and other devices that are still recognizable. Many components and design details are ones that we'd recognize as being part of today's computer designs:
- central clock
- modular design
- "words" representing "order codes" handled in memory just like numbers
The talk is full of interesting and humorous quotes from the documents. For example, James Lighthill, an IAS official, said in 1954:
It is time von Neumann revolutionized some other field of study. He has studied automatic computation long enough.
The talk is very appropriate for a conference on OSS because of the way the machine was built. As it was largely a large-scale university research project, the information was freely disseminated, and the documents show NCR, IBM, and other universities checking them out and receiving distributions.
10:29 AM
July 10, 2003
Mike Kruckenberg: Transforming XML for Web and Print
Mike Kruckenberg is from Tufts University. He's talking about how they built a system for managing documents and displaying them for various media (i.e. content management). Mike is, in case you're curious, the brother of Pete, a good friend.
Mike is specifically concerned with translating documents for web and print (namely PDF). They created a document standard with a Schema and developed templates for an XML authoring application to make creating the documents easy. They created a customized XML authoring environment from an off-the-shelf tool that was essentially the destination for any conversion process. They also provided an online tool for people who didn't have access to the authoring tool.
Existing HTML documents were cleaned up with Tidy and then a homegrown tool translated the cleaned-up HTML to XML. Once the XML was valid, the XML document was put into the database. For MS Word documents, they tried a bunch of things: wvWare, saving as HTML, saving as RTF, and third-party stand-alone tools. They're looking forward to WordML. PowerPoint is a big tool for faculty, so it had to be easy to convert to an XML document. For PowerPoint, they have a service which creates an XML document from the text, saves JPEGs out, and wraps everything up in XML.
Here are some questions about conversion I'd ask if there was time:
- Did you try reading Office documents into OpenOffice and then transforming the resulting XML?
- Did you try saving as PDF and then converting that to HTML?
- Are you supporting emerging standards like SlideML?
The transform is done using the libxml2 and libxslt libraries from Gnome because they have good performance and command line and Perl interfaces. xmllint validates XML against a DTD. xsltproc renders XML as HTML.
Just rendering HTML isn't the goal however. The goal is to render HTML and PDF for print. Mike and his team used FOP and XSL:FO to create PDF.
Mike gives some lessons that they learned:
- Ensure XML is well formed and valid
- Lack of structure in the source document results in meaningless XML
- Special characters require the use of entity mappings
- Using the tool must be convenient
- FO transformations have limitations--read the documentation
- Fonts in PDF can be problematic and require embedding fonts
- Image and spacing issues cause problems and users don't understand the limitations
- The processes can be slow and CPU intensive so PDF documents need to be pre-generated, not done in real time.
CIO Magazine published an article about this project.
6:49 PM
Brian Ingerson: Ingy on Kwiki
I'm in Brian Ingerson's talk on Kwiki. Kwiki is the Perl-based Wiki software that is running the OSCON Wiki. Brian is the author of numerous Perl modules. One of the chief design goals behind Kwiki was to make it easy to install. Brian demos this by creating a new directory (that can function as a CGI directory), typing "install-kwiki" and there's an instant kwiki. That's a neat feature if you want to tack up and tear down wikis for specific purposes (like using them as an adjunct to a conference call).
Brian points out a few Kwiki sites: Quiltzilla and LondonGeek.org. There are others.
Brian does a demo showing how to overload classes to change the formatting. He does this to show the object-oriented design and the overall design. The code is nice and clean and the design simple. Overall, this looks like a good, easy-to-use Wiki tool. I used TWiki for my class this last spring and it worked, but was difficult to configure and set up. This fall, I'll try Kwiki.
4:05 PM
Panel: Open Source Projects in the US Government
Lisa Wolfisch is conducting a panel on Open Source Projects in the US Government. Well, it's actually just her and Pat Moran from NASA Ames. The third panelist was supposed to be Terry Bollinger, but he couldn't make it at the last minute. That's too bad; Terry is a MITRE employee who did a study on FOSS (free and open source software) usage in the US government. I heard his speech last January and it was full of interesting things. Lisa said she has his slides, so maybe she'll give us a rundown.
She is going over a summary of Terry's information which showed 110 projects using FOSS in the DoD, with infrastructure and research projects being the most strongly represented. The DoD CIO placed FOSS under the same requirements as commercial software. There are, obviously, requirements for security certifications (like NIAP and Common Criteria). Oracle and IBM are sponsoring versions of Linux for Common Criteria evaluation.
EAMS, the Enterprise Architecture Management Software group, in the federal government is using an OSS model to support shared EA software.
Lisa is now discussing her project, which is the State and County Quickfacts at the Census Bureau. The site features thematic maps designed for online viewing. The project was unfunded and took six months from planning to release. The site is built on a LAMP platform for $0 in start-up procurement. The same code drives MapStats, which shows state and county profiles on FedStats.gov.
Lisa cites the fact that OSS has no procurement delays as a big factor in choosing it for government projects. Projects often die when there's a funding delay, even if the money shows up eventually. OSS-based projects have an advantage in that area.
Looking around, the room is full with people sitting on the floor and standing at the back. It's a fairly large room too.
Pat wrote a paper in support of FOSS that includes quotes from the NASA mission statement about providing for the widest and appropriate dissemination of information. Some recent progress at NASA shows the legal office saying that there are no barriers to releasing software as open source from NASA. The next step is to work with the "Software Release Authority" within NASA to develop an OSS process.
3:06 PM
Doc Searls: DIY-IT: How Open Source is Turning IT into a DIY Marketplace
Doc is speaking on DIY-IT, his view of how OSS is turning IT into a do-it-yourself marketplace. This talk was added just today and I'm glad to see Doc on the program. He's always got something interesting to say and further, he says it in an interesting way. Doc's July column for Linux Journal is Linux for Suits: How Linux Makes Companies Smarter and I'm confident that's related to what he's going to say today.
Every story has three parts: a story is about a (1) character with a (2) problem moving toward (3) resolution. Doc says this is why sports is so popular. Good characters thicken their own plots (tell me about it). War metaphors are great for describing problems: "MS Preps Assaults on Linux." Doc says that marketing people fail to tell a compelling story when they try to portray the company as perfect (i.e. no problems).
There are two stories about Linux in the enterprise: the outside story about what vendors are doing for the customer and the inside story about what customers are doing for themselves (may or may not involve vendors). The first story is about attractive executives doing battle for their customers. The second story is about poorly dressed geeks. Which is easier to tell?
Doc tells some inside stories. The first is about Roland Smith and LSI Logic. The second is about Leon Chism and Orbitz. The third is Greg Thompson and UCAR (University Corporation for Atmospheric Research). The fourth story is Elliot Noss and Tucows. The fifth story is about Paul Perry and Verizon (who was on my panel at the Weblog Business Strategy Conference). The sixth story is David Pippenge and Yarde Metals.
The outside view is simple: vendor gives goods and services to customer in exchange for money. There are plenty of stories that tell well in that context. The real world is more complex with developer communities surrounding all this that interact on both the vendor and customer side. The use value of IT in this context is much greater than the transactional value of IT in the simple view. Most of what happens in this context doesn't tell well with the usual story metaphors about sports and war. There are stories.
The software industry is still growing up. The software industry is maturing into something like the construction industry. "We work in crews on projects." Do-it-yourself (DIY) is at the heart of getting stuff done. OSS is making DIY-IT possible. It's how the demand side supplies itself without a vendor relationship. That doesn't make vendor relationships bad, but you don't always have to go outside to solve a problem. Commercial vendor tools also drive the DIY-IT.
The construction industry is the oldest industry and is worth $2 trillion worldwide. Sharing know-how is natural in the construction industry. Doc makes a joke about a construction worker claiming his way of hanging a door is protected IP to a big laugh. Commodities are okay in the construction industry and big companies make good money in those commodity businesses. There's room for everyone in the construction industry because people are always trying to get things done and you've got to build things to do that. These are all good metaphors for where the software industry is headed.
1:06 PM
Kevin Falcone: LDAP: Integrating Authentication Across Operating Systems and Applications
Kevin Falcone is speaking on LDAP: Integrating Authentication Across Operating Systems and Applications. This talk is a report on work he did as a student administrator at Northeastern University to create a single authentication authority using LDAP. This is a popular talk. There are people sitting on the floor and standing at the back and out the door.
The old system was based on NIS (Network Information Services or yp). There was no security model, the passwords were passed in the clear, and you have to use the yp tools. On the other hand, it worked because it's stock on Solaris and can be integrated with Linux, BSD, OS X, and even Windows.
Kevin's goal was to replace NIS with LDAP in order to increase security. LDAP can be used with SASL (Simple Authentication and Security Layer) or TLS using SSL certs. Moreover, the password file can be protected. The downside is that LDAP is complex, mirroring and replication are more difficult than in NIS, configuration is complex, and there are few tools for managing data. There's no standard for transferring data between different LDAP tools like OpenLDAP or iPlanet.
Kevin decided to use OpenLDAP even though he had access to copies of iPlanet (educational institution) and the LDAP server in Lotus Notes (University standard). Of course, if he'd chosen one of those, he wouldn't be presenting here, would he? :-) He also used OpenSSL for the SSL layer (TLS). He chose TLS over SASL because of the simplicity of channel encryption. There were some systems that wouldn't support TLS, so he did use SASL (plaintext, Digest-MD5) in those cases.
There are predefined LDAP schemas for NIS which store account data, password data, and access data. This, combined with the core schema (personal information), formed the basis for creating the data set. A set of scripts called PADL can create LDAP files from /etc/{passwd,group} and NIS data. It works great the first time, but doesn't go back and forth. Kevin ended up writing his own scripts using Net::LDAP.
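The passwd-to-LDIF conversion described above can be sketched as follows. This is an added example, not Kevin's scripts or PADL's: the sample passwd lines, the base DN `ou=People,dc=example,dc=edu`, the UID cutoff and the function names are assumptions, and the attribute names follow the RFC 2307 posixAccount schema.

```python
import base64
import re

# Constructed sample input in /etc/passwd format (not from the talk).
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:1001:100:Jane Doe,Room 12:/home/jdoe:/bin/bash
rene:x:1002:100:René Example:/home/rene:/bin/bash
broken:line
"""
BASE_DN = "ou=People,dc=example,dc=edu"  # assumed directory suffix
MIN_UID = 1000                           # assumed cutoff: system accounts stay local


def ldif_line(attr, value):
    """Format one LDIF line, base64-encoding values that are not LDIF-safe."""
    safe = (
        value.isascii()
        and not any(c in value for c in "\0\r\n")
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
    )
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def passwd_to_entries(text, base_dn=BASE_DN, min_uid=MIN_UID):
    """Return (LDIF entries, rejected lines) for accounts at or above min_uid."""
    entries, skipped = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if (len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit()
                or not re.fullmatch(r"[a-z_][a-z0-9_-]*", fields[0])):
            skipped.append(line)  # malformed, or a name that is unsafe in a DN
            continue
        name, _password, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            continue
        # The password field is not exported in this example, so no hashes
        # end up in the LDIF file.
        attrs = [
            ("dn", f"uid={name},{base_dn}"),
            ("objectClass", "top"),
            ("objectClass", "account"),
            ("objectClass", "posixAccount"),
            ("uid", name),
            ("cn", gecos.split(",")[0] or name),
            ("uidNumber", uid),
            ("gidNumber", gid),
            ("homeDirectory", home),
            ("loginShell", shell),
        ]
        if gecos.isascii():
            # gecos has IA5String (ASCII-only) syntax in RFC 2307.
            attrs.append(("gecos", gecos))
        entries.append("\n".join(ldif_line(a, v) for a, v in attrs if v))
    return entries, skipped


if __name__ == "__main__":
    ldif_entries, rejected = passwd_to_entries(PASSWD)
    print("\n\n".join(ldif_entries))
    print("\n# rejected lines:", rejected)
```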
Kevin created a testbed consisting of one Solaris 9 machine, multiple Debian Linux machines, an OS X machine, and multiple Windows machines. To make it work on Linux, Kevin used PAM. This talk generates some significant comments in geekspeak. Several comments of "did you try...." followed by some detailed discussion.
The Solaris LDAP client works with OpenLDAP and also uses PAM, similar to the way it works in Linux. The client manages the configuration files automatically, but it's managing files that can be monitored outside the tool. OpenBSD doesn't come with an LDAP client out of the box, but there's one in the ports tree that works. There's no NSS, so you have to edit the /etc/passwd file to tell the machine that a user is an LDAP user. OS X was trivial. You tell it to connect to a particular LDAP server in the directory access panel and it "just works." Go figure. LDAP can be used with Windows by syncing with the Active Directory server, but leaves a problem of one way data. Again, go figure.
Conclusions:
- LDAP is difficult to configure and implement
- The gains in network security are significant
- OpenLDAP libraries and Net::LDAP work well for integrating one-off applications
12:07 PM
Mitch Kapor: Linux' Journey to the Mainstream Desktop
Mitch Kapor is talking on "Linux' Journey to the Mainstream Desktop." OSAF's larger mission embraces more than just Chandler. Mitch recently initiated a project on behalf of OSAF to "take a careful look at the state of Linux on the desktop, and asked Bart Decrem to spearhead a short-term research project to assess the current situation and trends." You can read that report here (PDF).
Mitch is convinced that Linux will take a significant share of the desktop market. He takes a swipe at SCO as a company that has no business model other than taking the money that other companies have earned through litigation. He didn't actually say "SCO" but everyone knew what he was talking about and applauded. This, he says, is a sign of success for Linux. He cites several trends:
- PC Commoditization
- Increasing trouble getting consumers and companies to invest in continued upgrade cycles.
- Increasing feelings that companies (Microsoft) are using exploitive licensing.
Mitch references massive deployments of Linux desktops, mostly with a public sector angle. The largest one is Thailand's decision to deploy 1 million low cost PCs inside the country.
Transactional workers, people who use computers to perform some specific task, are the next trend in Linux deployment. Call center workers are examples of transactional workers. Knowledge workers use more apps and are more flexible in what they do each day than transactional workers. Getting significant numbers of knowledge workers to use Linux will not happen until at least 2007. The total breadth of applications available under Linux doesn't suit their needs yet.
Mitch gives a report card for Linux on the desktop:
| The desktop | B |
| Desktop developer platform | C- |
| Computer hardware support | B- |
| Peripheral devices | D |
| Applications | C+ |
| Windows connectivity | A |
You should read the report (linked above) to understand the reasoning behind the grades. Mitch also gives a report card for the OS Desktop ecosystem. The bad grades (D) are in the areas of ISVs and distribution channels.
Much of the remaining work either spans multiple projects, or has fallen through the cracks between them. He provides a technical agenda which breaks down as 50% about office file formats, 30% about strengthening the foundations of the desktop, including a hardware abstraction layer and desktop consistency, and 20% about fit and finish. Remember this is an agenda for gaining wider adoption in the transactional worker market, not knowledge workers.
Predictions
- MS price cuts
- From good to gooderer
- 10% share of desktop globally running Linux in the not-too-distant future
- Rest of the world leads US as adopter
- Public sector is a driver in adoption
- Selective adoption in enterprises
- No consumer momentum for a while.
OSAF is doing things to attack the problems:
- Exploring ways to facilitate a desktop foundations layer
- Funding extensive compatibility tests with respect to Excel
- Providing fiscal agency services to selected OS projects
- Giving resources to public sector decision makers at opensector.org
- Building high quality desktop applications like Chandler.
11:11 AM
Stormy Peters: Open Source at HP
Stormy Peters is the Director of HP's Open Source office, the office that is responsible for HP's use of open source software. She claims $2 billion in Linux related revenue at HP last year. She has a nice slide that shows a hierarchical representation of open source licenses. She characterizes the MIT and W3C licenses as having no restrictions, the BSD and Apache licenses as having restrictions, but no impact on other code, and all the others as some variant of copyleft.
Stormy talks about Martin Fink's book called The Business and Economics of Linux and Open Source. Martin is the GM for HP's Linux group. I haven't read the book, but I may try to pick a copy up. The book jacket advertises it as a guide for business managers considering using OSS in their business. Disclosure: Martin is Stormy's boss.
She suggests the following business models around open source:
- Commercial software - Oracle running on Linux is the example she uses.
- Support and services - This is the professional services model.
- Aggregation and enhancing - This is Redhat and other Linux vendors.
- Commercialize with a dual license - "Free for non-commercial use."
- Enable hardware
- End of life - What to do with a dog product that isn't selling?
- Building an ecosystem - Eclipse is the example here.
Why would you want to open source a product?
- Commoditizes a market you don't control (disruption)
- Make a technology pervasive
- Promote a proprietary product you have
- Lower the overall cost of a project (shared effort)
- Promote hardware
- Enable custom solution for customers (let them roll their own)
- Exit a business
- Leverage resources from others
When isn't it appropriate? This is bound to be controversial.
- The product is a control point (Windows)
- The product is obsolete (Windows---NO she didn't really say that.)
- The cost doesn't justify the benefit. This is a nod to the fact that open source development isn't free.
- Misdirection and defocusing of resources
- Intellectual property risk cannot be justified. Don't open source something you can't prove you have the right to. This is important.
- Don't open source something to compete against the OS community.
- Just because it's cool (I disagree with this---this is a great reason to open source something---ofttimes you don't see the benefit until people play with it and geeks are the ones to do that).
She talks about why and why not to do OSS development in a company. The most interesting one, to me, was time to market. If certain features are critical for what you want to get out of the software and you can't control the release dates (it's someone else's OS project) you may want to avoid OSS.
10:35 AM
July 9, 2003
Aleksey Sanin: XML Security Standards in the Real World
Aleksey Sanin is talking about How to Use XML Security Standards in the Real World. He's going to speak on W3C XML Security specifications, the XML security library, and practical tips for XML security.
XML security specifications provide fine grained security for XML documents. XML Canonicalization (is that a word?) provides a way to produce a single, canonical form of an XML document in the face of ambiguous XML formatting. For example, attribute order doesn't matter in XML, but it does if you're going to check signatures. Aleksey recommends the Exclusive C14N algorithm. The XML digital signature standard defines the schema for aggregating the signature algorithm name, the signed information, the signature value, and the key information in an XML structure that can be embedded in other XML documents (like SOAP headers). The XML Encryption standard aggregates the encryption algorithm name and reference, the key information, the cipher data (i.e. the encrypted data) and the encryption properties.
Aleksey has written a toolkit called XML Security Library that implements these standards in C and C++. There are other libraries from Microsoft, Apache, Baltimore Technologies, IBM, and Phaos Technology Corp. XML Security Library is open source. XML Security Library can support OpenSSL, GnuTLS, NSS, and practically any cryptographic library.
Aleksey offers some tips for using XML security:
- Check what was actually signed
- Limit the allowed digest, signature, encryption and transform algorithms
- Limit key sources
- Check URLs and other references
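A sketch of how these tips translate into checks run before trusting a signed document, added here as an illustration and not taken from Aleksey's XML Security Library. The sample documents, element IDs, allow-list and function names are constructed; Python's `xml.etree.ElementTree.canonicalize` implements C14N 2.0 and stands in for Exclusive C14N, and no cryptographic verification is performed.

```python
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
MD5 = "http://www.w3.org/2001/04/xmldsig-more#md5"

# Allow-list chosen for this example: anything not listed is rejected.
ALLOWED = {
    "CanonicalizationMethod": {EXC_C14N},
    "SignatureMethod": {RSA_SHA256},
    "DigestMethod": {SHA256},
    "Transform": {EXC_C14N, "http://www.w3.org/2000/09/xmldsig#enveloped-signature"},
}

# Constructed: the same element with different attribute order, quoting, spacing.
DOC_A = '<order id="o1" currency="USD"><amount>100</amount></order>'
DOC_B = "<order currency='USD'   id='o1' ><amount>100</amount></order>"


def raw_digest(xml_text):
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text):
    # C14N 2.0 here, as a stand-in for the Exclusive C14N recommended in the talk.
    return hashlib.sha256(ET.canonicalize(xml_text).encode("utf-8")).hexdigest()


def build_doc(ref_uri, digest_alg=SHA256, key_info=""):
    """Constructed sample: an envelope with two ID'd elements and one signature."""
    return f"""<envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <order Id="o1"><amount>100</amount></order>
  <note Id="n1">ship to warehouse 7</note>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
      <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
      <ds:Reference URI="{ref_uri}">
        <ds:Transforms><ds:Transform Algorithm="{EXC_C14N}"/></ds:Transforms>
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>CONSTRUCTED</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>
    {key_info}
  </ds:Signature>
</envelope>"""


def policy_violations(doc_text, must_cover_id):
    """List policy problems; must_cover_id is the element the application will use."""
    root = ET.fromstring(doc_text)
    signatures = list(root.iter(DS + "Signature"))
    if len(signatures) != 1:
        return ["expected exactly one ds:Signature, found %d" % len(signatures)]
    sig, problems = signatures[0], []
    # Tip 2: limit the allowed digest, signature and transform algorithms.
    for name, allowed in ALLOWED.items():
        for el in sig.iter(DS + name):
            if el.get("Algorithm") not in allowed:
                problems.append("%s algorithm not allowed: %s" % (name, el.get("Algorithm")))
    # Tip 4: check URLs and other references (same-document IDs only).
    covered = set()
    for ref in sig.iter(DS + "Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#") and len(uri) > 1:
            covered.add(uri[1:])
        else:
            problems.append("reference is not a same-document ID: %r" % uri)
    # Tip 1: check what was actually signed.
    if must_cover_id not in covered:
        problems.append("signature does not cover element %r" % must_cover_id)
    if sum(1 for el in root.iter() if el.get("Id") == must_cover_id) != 1:
        problems.append("element ID %r is missing or ambiguous" % must_cover_id)
    # Tip 3: limit key sources (no keys fetched by reference).
    if next(sig.iter(DS + "RetrievalMethod"), None) is not None:
        problems.append("key fetched via RetrievalMethod; key source not pinned")
    return problems


if __name__ == "__main__":
    print("raw digests equal:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical digests equal:", canonical_digest(DOC_A) == canonical_digest(DOC_B))
    for uri, alg in (("#o1", SHA256), ("#n1", SHA256), ("#o1", MD5)):
        print(uri, alg.rsplit("#", 1)[1], policy_violations(build_doc(uri, alg), "o1"))
```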
6:05 PM
Simon St. Laurent: Office XML Formats
Simon St. Laurent is talking about the XML formats for Office. Simon is clearly excited by the advent of XML formats for Office even though he's not known as a Microsoft fan. He cites Internet Explorer's lax support for XML as a sign that Microsoft, advertising notwithstanding, has not always been the biggest supporter of XML. The last six months have shown that Microsoft only plans to fully support XML (at least with InfoPath [nee XDocs]) in the Enterprise edition.
Word has a format called WordML. In the professional edition, you get a set of tools for editing XML documents using your own vocabulary. I was most excited about this from an enterprise standpoint, but I'm disappointed that it's only available in the Enterprise edition. Simon further states that this isn't as easy as it might be, so maybe it's just as well.
Excel supports SpreadsheetML. PowerPoint has no XML format. Simon says (to a big laugh) that the PowerPoint team works in California and wasn't at lunch when they all discussed the XML support. Access will support XML schema and XSLT. FrontPage will be used to generate XSLT. InfoPath is a new Office component for building and using XML based forms.
A basic knowledge of WordML is necessary to create Word XML solutions in other flavors. If users save as XML, then the resulting documents can be processed as XML outside of Word. Word's XSLT support creates a method for inserting your own vocabulary into WordML documents. When they're saved, it's possible to just see data in your own XML vocabulary. This should give Adobe a run for their money on these same features.
Simon creates and then saves a Word document to show us the XML. It's pretty complex. The document is also verbose because all of the style information, meta information, and formatting information is contained inside the XML. Simon points out some odd formatting issues with WordML, but says that at least it's consistent. It may not be pretty or as well designed as it could be, but it's always the same and that makes it usable. Images are encoded inline as base64 strings. Unfortunately, embedded spreadsheets are treated the same way, rather than including the relevant SpreadsheetML tags.
Users can specify XSLT transforms as hooks on import and export functionality so that opening and saving documents runs them through the XSLT transform.
Excel lets you separate the spreadsheet data from the spreadsheet logic so that you can get the data as XML without all the spreadsheet information. Simon does the same thing with SpreadsheetML that he did with Word: create a document in Excel and then show us the XML. The XML in SpreadsheetML is cleaner than WordML. The formula cells have both the formula and the current value given the spreadsheet contents. That's nice for just grabbing the data. He demonstrates how you can transfer a schema to the spreadsheet by dragging and dropping and then read in an XML file that meets the schema and see the data populate the spreadsheet.
Simon calls InfoPath a "bold endeavor." InfoPath is a stronger tool for both intranet web and SOAP-based web services than HTML forms. InfoPath seems most compelling as a human-readable Web service interface. InfoPath is JavaScript, CSS, and other open tools, but it's been extended to the point that they're no longer open.
Simon finishes by talking a bit about OpenOffice. OpenOffice XML formats have gone through OASIS and so are more open. They also have a mark-up designed for a variety of uses. There's no support, yet, for custom XML formats. Both Microsoft and OpenOffice are using XML to connect their applications to a wider world. Apple, with Keynote, is doing the same thing. This could be the beginning of the end of the desktop island. The harder barriers to break down will be the mindset of users and IT staff.
4:00 PM
Slashdot on Open Source
A few interesting posts from Slashdot today:
- OSCON news
- A note that the Japanese government will start doing its payroll on a Linux-based system.
1:37 PM
Andy McKay: Introduction to Plone
Andy McKay from Agmweb Consulting is giving an Introduction to Plone. Plone is an open source content management system built on CMF and Zope, which I've always thought of as an open source content management tool. Actually, Zope likes to think of itself as an application server for content.
Plone is a bundling of products: External Editor, Photo, Collector, and Wiki from Zope and PIL, ReportLab, Win32Extension from Python. Plone, like any good CMS, separates the logic, presentation (CSS), and content. As an example, a "printable" view of a page is just a CSS change. There are built-in content types for documents, news items, events, etc. Content types are used for creating new documents. They appear to be template types. The underlying architecture provides user registration, a search engine (ZCatalog), workflow, and support for protocols like HTTP, WebDAV, FTP, XML-RPC, etc. The workflow is unusual as far as open source CMS systems go. This separates the configuration of security, events, approvals, and so on from the content. For example, press releases could go to a certain user for approval before they're put on the site.
Andy is discussing Archetypes, a feature to be released in Plone 1.2. Archetypes allows users to easily create new content types using UML. A generator converts the UML into a new type. He gave a demo where he created a new content type for Products using UML and then, inside Plone, the page for creating the product (field names, etc.) is available for use.
There will be a Plone conference in New Orleans on Oct 15-17. The slides for this talk are available online.
12:52 PM
Ward Cunningham and Brian Ingerson: The FIT Framework
I was going to attend Ayesha Malik's (Object Machines) talk on Best Practices for XML Schemas, but Ayesha didn't show. As an alternative, I decided on Ward Cunningham's talk on Framework for Integrated Tests, or Fit. I'm glad I did.
Fit is a methodology for creating tests for software modules that uses an HTML front end and a simple table format for creating tests. An automated backend uses these HTML pages to drive the code and report success or failure. The benefit to this is that business people or customers can define and read the tests according to what they think the proper function should be. With some coaxing and some samples, the customer can define the test cases.
A fixture is then defined to read the rows and columns that the customer thinks are important. Column fixtures are for logic, action fixtures are for interaction (buttons on the rows) and row fixtures are for databases. Fixtures are responsible for type conversion. Ward actually develops code in the fixtures (where it's easily changed) and then transfers it to the right place when it's mostly right. Of course, the fixture then calls the code in the right place and tests that.
Implementations are available in Java, C++, Delphi, Perl, Python, Ruby, CLOS, Scheme, and Smalltalk. There's an Ant integration project called AntFit.
Brian Ingerson has taken over and is talking about how Fit can be used in open source projects. Brian has implemented a Fit module for Perl called Test::FIT. Brian puts Fit tests for YAML (a data serialization module Brian developed) on a Wiki so that anyone can add tests. That's a neat idea. Brian runs a kwiki (that's not a typo) in every module directory and uses Fit tests for documentation and notes. Brian's module integrates the Fit methodology with the standard Perl module testing framework.
Brian has started FreePAN, a CPAN-like module directory for open languages. The vision is that the same modules would be implemented in each language and Fit would serve as the specification language.
12:27 PM
Tim O'Reilly's Keynote: Open Source Paradigm Shifts
Tim's talking about paradigm shifts. He makes the point that software makers are no longer tied to hardware. IBM gave that right to Microsoft and created the biggest powerhouse in the computer world.
Open architecture inevitably leads to commodity software. But open architectures can contain proprietary components: viz. Intel Inside, Cisco. Tim sees some trends:
- Commoditization of software
- user-Customizable systems and architectures
- network-enabled Collaboration
Open source promotes competition and drives down margins:
- Linux on Intel gives 10x savings
- Apache means web serving is not a revenue opportunity
- MySQL threatens to do the same thing for databases (there's a Wall Street Journal article about this today)
Proprietary alternatives must become free (as in beer) to compete. They will usually be bundled with added value components.
Plug compatible software has become the norm. eBay has switched from Linux to Microsoft and now (that IBM has the account) will probably go back to Linux.
Commodity components provide platforms and infrastructure on which additional software is built "for-use" in delivering services, not for sale (see Eric Raymond's book "The Cathedral and the Bazaar" for more on this).
Internet-era applications are updated daily, not yearly.
This is why the P in LAMP matters so much. Dynamic languages form the glue for bringing software components and information together to build Internet interfaces.
Open source has its roots in USENET and code sharing that was enabled by networks. This gives rise to the "Adhocracy" (see Cory Doctorow's "Down and Out in the Magic Kingdom"). Users help build the application (more from Eric Raymond).
With a large enough development organization, OSS behavior emerges. He gives the example of Microsoft's ASP.net.
Tim recommends reading the essay Listening to Napster by Clay Shirky (Chapter 2 of Peer-to-Peer: Harnessing the Power of Disruptive Technologies). Clay outlines three ways to build something large:
- slaves
- pay people
- self interest (volunteers)
Napster was built so that individual self interest built a centralized directory. Google page rank depends on millions of independent linkers via the Page Rank algorithm. More people have "contributed" to Amazon than to Linux.
Tim talks about commodity software business models. Two of the most interesting are new platforms (e.g. web services, digital identity, location, search, etc.) and aggregating content for sale by the subscription, not the piece. He gives the example of cable television subscriptions, which are more successful than pay-per-view. People like large packages of stuff.
Not just "professional services" but services delivered to end users. The ISP industry is a subscription-based access to open source software. UUNet is the greatest open source business success to date. BIND is a monopoly in disguise. Sendmail and Apache are not about software sales, they're about email and web hosting. Google, Paypal, Amazon, et al. are the next step on the path to a services-based software economy.
Tim believes we're building an Internet operating system.
- p2p and ad hoc networking
- wireless
- social software
- cell phones
- pervasive computing
- grid and on-demand computing
Give customers increased opportunity for customization with plug replaceable standards compliant components, extensible architecture, and scripting support. Look for hidden services business models. Leverage collaborative development and processes and participatory interfaces. Watch the Alpha Geeks. New technologies are first exploited by hackers, then entrepreneurs, then platform players. For example, screen scraping predicted Web services.
10:45 AM
July 8, 2003
Off to OSCON
I'm getting ready to leave for Portland for the O'Reilly Open Source Convention. I really enjoyed last year's event and I'm looking forward to this year's convention. If you're going to be there, look me up and say "hi."
8:43 AM
IX1: Intermountain eXchange
The IX1 web site and call for participation have been posted. Intermountain eXchange is an annual regional conference focused on next-generation wide-area network issues affecting Utah, Colorado, New Mexico, Wyoming, Montana, Idaho, and Nevada. I posted the notes from the program committee meeting earlier along with a list of objectives:
- Discuss why broadband matters in the Intermountain Region
- Educate about regional developments in broadband and wide area networking
- Share success stories, case studies, and ideas
- Develop a common vision and understanding of what is possible.
- As an outcome, define a path for future regional efforts
Jim Stewart has posted some information about speakers and planning. We're excited to hear about what others in the Intermountain region are doing with wide area and metropolitan area networks. If you're doing something that others should know about, please respond to the CFP.
8:39 AM
July 7, 2003
Government Information Awareness
I first found out about the GIA program from Dioecetes, and then later saw this article in Wired News. A group of MIT researchers have started a web site for gathering intelligence on elected officials in the interest of better government. It's so busy today that it's hard to see what it does for sure.
I think transparency is one of the most important features that eGovernment can have. Not all eGovernment has to be from the government. Some of it, as this GIA project points out, might best come from non-profits or others.
5:06 PM
Blogging in the Workplace
An article in today's New York Times (free registration required) talks about how some companies are using weblogs as an alternative to email.
4:01 PM
Pipelining the Web
Suppose you've created a Web services interface to a legacy application. Later, you decide to restrict access to this Web service to a certain collection of trading partners. You could modify the Web service itself, but this makes it less general and thus harder to reuse in some other capacity. Instead, an active intermediary can sit in front of your Web service and perform the authentication and authorization using LDAP, SAML (Security Assertion Markup Language), or another system.
Of course, programmers have been writing wrappers -- programs that sit outside another program and serve as its proxy -- for years. What's different with active intermediaries is that there's no program -- at least not one that has to be written. Web services are based on the standardized interface protocol SOAP; SOAP interfaces are described using WSDL. The authentication service in our example could use the Web service's WSDL document to discover specific details of the SOAP-based API and wrap the Web service in an authentication and authorization proxy without anyone having to write any code.
[Full story at InfoWorld...]
We set off to write this feature to provide an umbrella for the reviews of active intermediaries we've done and continue to do (I've got one of Blue Titan I'm working on right now). The goal was to explain some concepts and to create some classifying terminology for the various products. This article is accompanied by a sidebar by Jon Udell on how active intermediaries can halt the finger-pointing. I wrote a glossary of active intermediary terms to accompany the article:
Active Intermediary: a proxy or other program that sits in between two web services and acts on the message flow between them to add some new functionality.
Message Store and Forward: ensures that messages are delivered once and only once and, for some applications, ensures that they're delivered in order.
Service Call Switching: balances server load, shuttles potentially high load jobs to specific servers, or moves a new version of a service into production.
Context Sensitive Message Filtering: filters messages based on their content or the message meta-information. Probably the most obvious example of context sensitive filtering is authorization.
Event Monitoring: places monitors, alerts and triggers on a message flow. Alert recipients can be other programs or people.
Message Logging: stores messages and message meta-information for traffic analysis or auditing.
Service Facades: adapts one Web service to another or to an industry or corporate standard.
Rule-based Routing: scripts Web service interactions and routes messages to intermediaries based on message content and meta-information.
I also created a table, which is referenced in the online version as "Selecting the Right Pipes." I can't find it online at the InfoWorld site, but I've made a version of it available on my site. I'll continue to fill it in as I review active intermediary products.
11:25 AM
Managing the Web Services Flow
One of the chief differences between the decentralized computing model defined by Web services and distributed computing models of the past is the shift in component ownership. In distributed architectures, most of the interacting software components operated in a single trusted domain that was centrally managed. In the new decentralized model, interactions between components span organizational boundaries, making it difficult to manage, configure, monitor, and update the components from a single operations organization.
Core 3.0 from Confluent Software is a Web services manager that tackles this problem by providing a single point of configuration for far-flung Web service components. The architecture of Confluent Core is as distributed as the services that it manages. Core works through a set of active intermediaries called "gateways" or "agents," depending on how they are deployed.
[Full story at InfoWorld...]
Confluent CORE was a different product than the ones I'd reviewed before. There was no specific transport layer included, just gateways, agents, and management points. There are certain businesses that will be very interested in the model that Confluent uses. For example, I was speaking to Scott Loftesness a few months ago about Web services and he made the observation that the financial services industry is not likely to embrace a third-party active intermediary model because of the security risks that would have to be mitigated. I'm inclined to believe Scott on this. CORE is an alternative that provides many necessary features without the attending potential risk of a third party intermediary.
10:24 AM
July 3, 2003
Chad Gets RSS
I'm glad to see more pieces in the media about the advantages of aggregators and RSS like this one by Chad Dickerson. Chad quotes Phil Wolff saying that RSS newsreaders are TiVo for bloggers. That's a great line, for anyone who is in-the-know on TiVo. There are too many people who haven't figured that one out yet either.
I've been enamored with RSS and its possibilities since I first heard about it reading a column by Jon Udell called Hyperlinks Matter. That column's also what led me to start a blog. RSS gives me the NY Times, InfoWorld, Yahoo News! and the thoughts of 30 or so people who I admire delivered straight to my desktop every day all day long. People ask me how I keep up. RSS is a big part of the answer.
9:34 AM
July 2, 2003
Laptops Beat Desktop Sales
The New York Times (free registration required) reports that laptop sales surpassed desktop sales for the first time in May. This doesn't surprise me. Laptops are more convenient. I think laptop users are potentially more productive. I've used a laptop exclusively for years. What's held laptops back is their price/performance ratio. But now, computers are getting fast enough that people are finding that reasonably priced laptops are "fast enough." And as the article says, laptops are sleeker and sexier than clunky desktops.
When we talk about the move to mobile computing, we immediately think of phones and PDAs, but tablets and laptops have a role to play in that story as well. Whenever I see people using tablets (admittedly early adopters), I ask them whether they've given up their PDA and their desktop and transferred all their computing to the tablet. The answer is usually "yes." One even told me that buying a tablet has led him to purchase a sheet-fed scanner so that he could just get all the paper people send him into his tablet and be done with it.
9:18 PM
No Fees for Online Vehicle Registration
Dave Fletcher reports that as of yesterday, utah.gov has dropped the additional fees for renewing your vehicle online. This is a big step. We spent a lot of time trying to figure out ways to get rid of the fees. No one likes paying more for online renewal---most people think it ought to be cheaper. But government funding methods don't always mesh with real world expectations. Dave doesn't report how they finally managed to pull this off, but given that it happened on July 1, the start of the fiscal year, I'd guess it has something to do with a change in how it's funded.
5:35 PM
Escape from ETL Hell: The Real Time Enterprise
Five 9's--the universal symbol of reliability in high-tech. Five 9's represents 99.999% uptime or just a little over five minutes of allowed downtime per year. Achieving five 9s isn't easy. Operations organizations that do achieve it do it, in part, by carefully instrumenting and monitoring systems using expensive software like HP OpenView and IBM's Tivoli. These kinds of systems aren't cheap, but operations managers know that you can't manage what you can't measure and with only five minutes to spare in any given year, they'd better have that information in real time.
Technical operations managers may have pioneered the ideas behind real time information access and alerting, but business managers are learning that they can play this game as well. Good companies have long had accounting practices and other metrics in place to give them insight into how their business is operating. Great companies often make use of data warehouses to gather extensive information about every aspect of their business and allow users to query the data and create reports that can tell just about anything they want to know--as long as it happened a few days ago.
That's the problem. Data warehouses are trapped by what we might call ETL hell. ETL stands for "extract, transform, and load." ETL is necessary because the data resides on myriad systems in multiple formats. The data has to be extracted from all those systems, transformed into a common schema, and then loaded onto the data warehouse. Often this process can take days for some data.
A real time enterprise is free from the batch-process nature of data warehouses. Instead, data flows in real time from the systems of interest, through translation services, and through a rules engine that can be configured to look for specific trends, coincident events, and other interesting activity. Managers can watch dashboards of this data as it changes and be automatically alerted to unusual conditions, and those alerts can be automatically escalated to other managers when they're not handled in a timely manner. Systems people have had these kinds of tools for years, but the business side of the house is just seeing the benefit.
Imagine that you work for a large bank. Your job is to manage mortgage sales. In a good company, you see sales figures, broken down by region and mortgage type for the last three months and cumulative for the year. In a great company, all this data is in a data warehouse and you can query this information and almost any other you can think of on yesterday's sales. In a real-time company, you see a slump in the last hour's sales of 15 year mortgages and an increase in 5-year adjustable rate mortgages and can adjust your strategy for reselling the paper this evening instead of tomorrow afternoon.
Of course, real time data isn't a panacea. Most people have heard about Cisco's much vaunted real time sales system overpredicting sales in 2001 because customers had gotten in the habit of double ordering to assure they got something back in the go-go days. Operations managers have learned that the key to solving these problems is managing process and holding frequent post mortem evaluations of mistakes and reporting errors so they can be avoided the next time.
These systems aren't just for executive management. To be effective, the company has to be prepared to deliver real time information to each worker just when they need it. Duy Beck of the Virtua Group called this the "virtual network of demand." Getting work done in any large organization is a function of workflow (formal or informal). Workflow gets things from one person to another in the right order, at the right time so they can act on them and send them on.
Another way to think of this is as every person representing a little bit of production capacity with their own supply chain and demand chain. All of these internal supply and demand chains represent a virtual network of demand. Getting business done requires finding ways to efficiently and effectively service this network and keep it flowing.
From an IT perspective, when we install CRM systems, ERP systems, employee portals, workflow systems, personal computers, office suites, and the like, we're trying to service and automate this demand network. The problem is that we can't, yet, approach it from the standpoint of viewing each employee as a custom unit that has specific needs because of their role, their style of work, the way they learn, the way that they're most comfortable communicating, etc. We more or less give everyone a standard set of tools and require them to do their own customization.
Real time enterprises are enabled by light-weight integration tools, collaboration software, wireless and mobile computing, Web services standards like SOAP and XML, peer to peer computing, and even instant messaging. As these technologies and others like them find their way into the enterprise, real time business decision making systems will become easier and easier to build and deploy. Nimble companies will deploy them to avoid information latency and the loss of competitive advantage that comes with it.
8:25 AM
July 1, 2003
A Visit to SCO
While I was on the Linux Journal site, I ran across this article by Ian Lance Taylor on a visit to SCO right here in Lindon, Utah to discuss their lawsuit and their case. Ian is just a developer from San Francisco who called up SCO and arranged a visit. Interesting reading.
3:43 PM
Open Source Software Use in State and Local Government
Tom Adelstein, a Linux consultant in Dallas, Texas, has written a three-part series in Linux Journal on the state of OSS in state and local government.
- Part I is about the state of open source in government--where it's happening, what it's used for, who's for it and who's against it.
- Part II is a look behind the scenes and OSS in Texas.
- Part III is a look at the success of Linux in schools, and how it should constitute the model for state and local government.



