
September 30, 2003

Apache 2.X Ready for Prime Time?

As I set up my new server, I had thought to use Apache 2.X. I've been a long-time Apache 1.3.X user, but figured as long as I was going to load up a bunch of software, I might as well get into the new millennium. I've set it up with the built-in SSL (here's an important mod_ssl hint for Linux) and WebDAV support and compiled in mod_perl. Everything works like a charm. I even set up cronolog to rotate the logs. I've seen some warnings on the net about Apache 2.X not being ready for prime time, but they're over a year old. Anyone know what the consensus is now?

9:42 PM

eGovernment Interoperability Framework

Britain's GovTalk is analogous to the US Federal Enterprise Architecture PMO. They publish eGIF, the eGovernment Interoperability Framework. The document is a set of standards that agencies of the British government must comply with. The document comes in two parts. Part 1 is a framework that contains high-level policy statements, management, implementation and compliance requirements. Part 2 is the actual technical policies and specifications. There are five major categories:

  • Interconnection - policies for connecting systems together
  • Data integration - XML standards
  • Content management metadata - Metadata standards
  • Access - What types of devices should be supported
  • Business areas - business specific XML standards

To give you an idea of what it looks like, this is a few of the policy statements from section 4 on interoperability:

4.1.1 departments are to interconnect using IPv4 and plan for migration to IPv6 in due course. See notes on migration to IPv6 below
4.1.2 interfaces for e-mail systems are to conform to the SMTP/MIME for message transport and POP3 for mailbox retrieval. Within government, the norm will be to use the intrinsic security provided by the GSI to ensure e-mail confidentiality. Outside the GSI and other secure government networks, S/MIME V3 should be used for secure messaging security unless security requirements dictate otherwise

Elsewhere in the section are tables that specify, for example, that HTTP will follow RFC 2616.

This kind of standards process is essential to eGovernment. Without it, there is no hope of cooperation. Perhaps the most important thing a public sector CIO can do is establish a governance process for creating standards that everyone can live with and pushing it forward to create usable standards.

When I left Utah government, we were pushing for more of a framework approach to standards. We published an IT Product Standards guide and a standards review matrix as first steps. There hasn't been much standards work in Utah this year, at least as far as published standards are concerned.

The Zachman Framework has done most of the hard part of creating the framework. Organizations need to localize it to their individual needs. I like the matrix because it gives you a field of play, so to speak. I imagine that if you study it, you'll find two, three, five, or ten of these squares you think you have a pretty good handle on. That tells you where to concentrate your focus and gives you some context. One of the tough parts of enterprise architecture as defined by the federal EA project management office or the state CIOs at NASCIO is that there is so little context that people have a tough time finding a handhold and figuring it out. There are lots of places in the Zachman framework to grab on and get started.

12:37 PM

Enterprise Architecture as Extreme Sport

Ray Lane has a post at Always-On called Are Web Services Really the Answer? He compares the current state of Web services with finding your way to Oakland:

The enterprise is very lost. It's as if you came to the Bay Area for the first time and wanted to get to Oakland. You're there at the airport and you stop to ask directions of ten different people, and they are all experts only on their own little locale. So they can tell you how to get anywhere in Atherton or Woodside, but all they know about Oakland is that it's somewhere to the east. What are you supposed to do with that?

Ray's point is that what CIOs need is an answer to some very high-level problems: how to make structural IT changes and save money, and how to create flexibility to respond to changing business needs. Instead what they get is acronyms and partial solutions.

I believe that service oriented architectures and their implementation in Web services are a major step forward. Ray is right: there's still a lot of road left to travel before Web services are mature.

Still, I have one major beef with what Ray says. Ray acts like it's the IT industry's problem to solve and I don't believe that. I think it is each CIO's problem to solve. Web services provide a good tool, but they won't provide a complete solution or flexibility without an enterprise architecture. The roadmap that Ray's looking for, telling him how to get to Oakland, has to be created internally using the bits of local knowledge picked up from the natives.

You can't outsource this. The process of creating the roadmap is more important than the document itself. The countless meetings, the email flamewars, the hurt feelings, the coming together, the compromise are all part of what makes the enterprise architecture worthwhile when all is said and done. People like me can help you and advise you, but ultimately, this is the CIO's job. It's what makes being a CIO an extreme sport.

8:34 AM

September 29, 2003

IM Worms

According to Eric Chien, chief researcher at Symantec Security Response in Dublin, Ireland, there are 60 published IM vulnerabilities and over 30 identified IM worms. These run the gamut from holes that allow the IM client to be crashed to vulnerabilities that allow malicious code to be installed on the user's machine. Because IM worms can hijack the buddy list, they can propagate quickly. This article from PCWorld.com has more detail on IM vulnerabilities.

8:59 PM

Understanding Kerberos and Secure Authentication

Kerberos is a network authentication protocol which has been around for some time. It's based on asymmetric key cryptography and is best used for intra-organizational authentication tasks. Kerberos was developed by MIT and is distributed under a copyright permission notice very similar to the one used for the BSD operating system and the X11 Window System. Kerberos, by the way, is the name of the three-headed dog who guards the entrance to Hades.

Even if you're not interested in deploying Kerberos, understanding how it works is a good exercise if you're interested in secure authentication. You could read some dry technical document, but it's more fun to read Designing an Authentication System: a Dialogue in Four Scenes, a short play about how Kerberos works. I don't know that it's ever been performed, but it's an entertaining read and will introduce you to the design issues and how they're solved in Kerberos. The issues are the same in any secure authentication system, and while the solutions might vary, knowing how Kerberos solved them is a good piece of knowledge to have in your toolbelt.
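To make the design issues the dialogue walks through concrete, here is an added toy walk-through of the three Kerberos exchanges (AS, TGS and AP). It is not code from MIT Kerberos or from the dialogue: the realm, the principal names, the password and the lifetimes are constructed, and seal/unseal stand in for a real cipher using HMAC-SHA256 so the script runs with the standard library alone. As in RFC 4120, each ticket is sealed under a symmetric key shared between the KDC and one party, which is why a service can verify a ticket without ever seeing the user's password, and why the authenticator timestamp and a replay cache are needed.

```python
"""Toy walk-through of the Kerberos AS, TGS and AP exchanges (added example, not
MIT Kerberos code). seal/unseal stand in for a real cipher using HMAC-SHA256 so
the script needs only the standard library; all names and secrets are made up."""
import hashlib
import hmac
import json
import os
import time

NONCE_LEN, TAG_LEN = 16, 32
CLOCK_SKEW = 300  # seconds; authenticators outside this window are rejected

def derive_key(password: str, principal: str) -> bytes:
    """String-to-key: password + salt -> the long-term key the KDC also holds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a JSON payload under a symmetric key (toy construction)."""
    nonce, pt = os.urandom(NONCE_LEN), json.dumps(payload).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag, then decrypt; a wrong key (bad password, forged ticket) fails here."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_freshness(ticket: dict, auth: dict, now: float) -> None:
    # Checks every ticket consumer makes: lifetime, name binding and clock skew.
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator outside clock-skew window")

def make_authenticator(session_key: bytes, client: str, now: float) -> bytes:
    """Proof of possession of the session key, bound to the current time."""
    return seal(session_key, {"client": client, "ts": now})

class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) in one object."""
    def __init__(self, principal_keys: dict, tgs_key: bytes):
        self.keys = principal_keys  # principal -> long-term key; never leaves the KDC
        self.tgs_key = tgs_key

    def as_exchange(self, client: str, now: float) -> bytes:
        # The request is just a name; the reply is only readable with the client's key.
        session = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "key": session.hex(), "expires": now + 8 * 3600})
        return seal(self.keys[client], {"session": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> bytes:
        # The TGT proves past authentication; the authenticator proves freshness.
        t = unseal(self.tgs_key, tgt)
        session = bytes.fromhex(t["key"])
        check_freshness(t, unseal(session, authenticator), now)
        svc_session = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session.hex(), "expires": now + 3600})
        return seal(session, {"session": svc_session.hex(), "ticket": ticket.hex()})

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: float, replay_cache: set) -> str:
    # AP exchange as the service sees it: the ticket is trusted because only the KDC
    # knows the service key; an authenticator seen before is refused.
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    check_freshness(t, a, now)
    if (a["client"], a["ts"]) in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add((a["client"], a["ts"]))
    return t["client"]

def demo(now=None) -> dict:
    """Constructed realm: user alice, service fileserver. Returns what each check decided."""
    now = time.time() if now is None else now
    fileserver_key = os.urandom(32)  # shared by the KDC and the service, like a keytab
    kdc = KDC({"alice": derive_key("correct horse", "alice"), "fileserver": fileserver_key}, os.urandom(32))
    # 1. AS exchange: the client decrypts the reply with the key derived from the typed password.
    rep = unseal(derive_key("correct horse", "alice"), kdc.as_exchange("alice", now))
    tgs_session, tgt = bytes.fromhex(rep["session"]), bytes.fromhex(rep["tgt"])
    # 2. TGS exchange: TGT plus a fresh authenticator buys a ticket for fileserver.
    rep = unseal(tgs_session, kdc.tgs_exchange(tgt, make_authenticator(tgs_session, "alice", now), "fileserver", now))
    svc_session, ticket = bytes.fromhex(rep["session"]), bytes.fromhex(rep["ticket"])
    # 3. AP exchange: fileserver never sees alice's password or long-term key.
    cache, auth = set(), make_authenticator(svc_session, "alice", now)
    result = {"client": service_accept(fileserver_key, ticket, auth, now, cache)}
    attempts = {"replay_rejected": lambda: service_accept(fileserver_key, ticket, auth, now, cache),
                "wrong_password_rejected": lambda: unseal(derive_key("guess", "alice"), kdc.as_exchange("alice", now))}
    for name, attempt in attempts.items():
        try:
            attempt()
            result[name] = False
        except ValueError:
            result[name] = True
    return result

if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports that the service accepted alice, that presenting the same authenticator twice was refused, and that a wrong password fails at the AS reply rather than at a login prompt (the AS never learns whether the password was right; the client simply cannot read the reply). The clock-skew window and the replay cache are the two checks a real deployment most often gets wrong: without synchronized clocks legitimate users are locked out, and without the cache a captured authenticator is good for five minutes.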

10:23 AM

September 27, 2003

Why Windows is Like Potatoes

Sean Gallagher has an excellent rant comparing Windows to potatoes (you'll have to read it to understand) that builds on the Windows as a dangerous monoculture idea.

10:26 AM

September 26, 2003

Massachusetts Moves to Linux

An Associated Press story is reporting that Massachusetts will adopt a broad-based strategy of moving its computer systems toward open standards, including Linux. Massachusetts is the lone hold-out in the multi-lateral State Attorney General lawsuit against Microsoft.

State Administration and Finance Secretary Eric Kriss said Thursday that the decision, adopted at a meeting of state information officers, was made on "technical grounds" and had nothing to do with Attorney General Thomas Reilly's pursuit of Microsoft. Kriss said the state's decision was driven by a desire to reduce licensing fees but also "by a philosophy that what the state has is a public good and should be open to all," Kriss told The Associated Press. He characterized the decision as the "most visible concrete action by a state government" to move toward open standards.

I've heard rumors that Microsoft is moving to protect Office file formats under the Digital Millennium Copyright Act to protect them against reverse-engineering. That kind of move would push more states in this direction, I think.

2:18 PM

The Cost of Principle

A few security luminaries, including Bruce Schneier and Dan Geer, issued a report to the Computer and Communications Industry Association that called the ubiquity of Microsoft software a hazard to the economy and to national security. The report states:

Because Microsoft's near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow. The goal must be to break the monoculture.

The report goes beyond merely decrying the monoculture, however and points out the danger of Microsoft using its monopoly power and the security threat to further lock users into using Microsoft products:

Efforts by Microsoft to improve security will fail if their side effect is to increase user-level lock-in. Microsoft must not be allowed to impose new restrictions on its customers - imposed in the way only a monopoly can do - and then claim that such exercise of monopoly power is somehow a solution to the security problems inherent in its products. The prevalence of security flaw in Microsoft's products is an effect of monopoly power; it must not be allowed to become a reinforcer.

In a kind of unholy death spiral, the very security flaws that the Microsoft monoculture helped create lead to a situation where Microsoft's monopoly is strengthened. Yikes! The report calls on government to set an example:

Governments must set an example with their own internal policies and with the regulations they impose on industries critical to their societies. They must confront the security effects of monopoly and acknowledge that competition policy is entangled with security policy from this point forward.

Imagine the impact if the feds or even some large states switched to open source on the desktop.

The bizarre part of this whole story is that Dan Geer's employer, @Stake, fired him for his part in the report. One of @Stake's biggest customers is Microsoft and while the company says that Microsoft put no pressure on them, I'm sure the self-administered pressure was immense. It's no secret that Microsoft plays hardball with this kind of thing and past actions are a strong enough signal to @Stake that failure to take action would have reduced shareholder value. It's a good thing principles are so valuable because they sure cost a lot.

9:09 AM

Amazon May Support Internet Sales Tax Legislation

Amazon, the world's biggest online retailer, may be close to publicly supporting legislation that would create a national sales tax system, according to the Washington Post:

Supporters of a national Internet sales tax proposal are negotiating with Amazon.com in a bid to win an endorsement from the largest online retailer for legislation introduced today in Congress. The legislation would put the federal government's stamp of approval on a state-led effort to require online retailers to apply sales taxes to nearly all of their transactions. In return, states would simplify their complex tax laws to make collecting taxes easier for Internet businesses.

This is a subject I've grappled with since we started iMALL. Because we supplied ecommerce services to all kinds of merchants in all 50 states and many foreign countries, we had to be able to calculate and collect sales tax. Any current system is, at best, an approximation because of the complexity. There are over 10,000 separate sales tax jurisdictions in the US alone and deciding who's in which ones is nearly impossible--so you guess. And the problem doesn't end there. Different items are taxable in one state but not in another. For example, juice is taxable in some states and not others and in some it depends on the amount of "real fruit juice" in the juice. In some states candy is taxable, in others candy is taxable, but not gum... You get the point. Oh, and did I mention that it changes all the time?

There are a lot of misconceptions about sales tax reform:

  • This has nothing to do with the so-called "Internet tax moratorium." That is a moratorium on taxing Internet service, not the goods bought and sold on the Internet.
  • You already owe this tax, the government just doesn't have a good way to collect it. At present, a merchant doing business in Michigan can't be compelled to collect sales tax for the State of Utah unless they do business in Utah.
  • This legislation would apply not only to Internet purchases, but to all cross border transactions, including catalog and mail order like the Home Shopping Network.
  • The amount of uncollected sales-tax due to online and mail-order purchases is actually relatively low at $3-4 billion per year.

Many brick and mortar merchants have started collecting it already. Wal-Mart and Barnes and Noble being two. They were on shaky legal ground to begin with, but the reality of the business is what finally caught up with them. Trying to maintain the facade of independent business units for online and meatspace sales cut into their ability to offer the kind of services that people want and only a retailer with a physical presence can provide. In-person returns of online-purchased goods, for example.

If the amount of uncollected tax is small, why bother? I think there's a pretty simple and easy to support answer: fairness. Governments will always find a way to get all the money they need. If they're getting shorted in online sales, they'll make it up in offline sales by raising taxes. I don't see it as an issue of whether the government gets the money or not. I see it as an issue of whether we, as a society, want to penalize merchants who have physical stores. I think that sends the wrong signal and creates unhealthy incentives. We ought to make the playing field as level as possible.

7:47 AM

September 24, 2003

Utah.gov Wins Best of the Web

The Center for Digital Government announced today that Utah.gov, the State's online services portal, has won their Best of the Web award for 2003. Cathilea Robinett, executive director of the Center for Digital Government praised the portal:

"Utah has a beautiful Web site that is easy to navigate and offers a variety of online services," said Robinett. "It has a live 24/7 customer-service help function, the most advanced common look-and-feel features in the nation, dynamic content, and a large amount of online services. Utah has historically been a leader in digital government. Capturing first place in the Best of the Web contest reflects its true commitment to the citizens and businesses of the state."

Utah Gov. Mike Leavitt's ambitious efforts last year to expand and restructure his IT department and accelerate the state's online offerings paid off. After months of collaboration between his office, IT managers and department heads, hundreds of online services were integrated, resulting in a consolidation that saved money and improved the quality of service to citizens.

Utah has worked hard to create an online presence that provides comprehensive and easy-to-use services. The one-stop business registration system is a perfect example of where Utah is headed. Everyone involved ought to be proud to have their hard work recognized.

9:28 PM

IM in the Enterprise

I'm a fan of instant messaging (IM) in my personal and my corporate life. I've used IM as a tool for getting my work done for years and love the face-to-face style conversation with people who aren't right next door. Sure, there's the phone, but phone calls have more overhead than IM. If I've got a lot to say, I use the phone. When I just have a quick question, or want a low intensity conversation, I fire up iChat (OS X's AOL compatible chat tool). I've seen IM used in some interesting ways:

  • Business colleagues use IM for back-channel communications during conference calls. In today's high-speed business culture, meetings frequently happen on the telephone with most meeting participants in different locations and a teleconferencing bridge serving as the modern-day answer to the conference room. IM is a great way to carry on important side-bar conversations that used to happen in whispers or passed notes.
  • Geographically dispersed workgroups use IM to create a sense of workplace community and even coordinate complex tasks by remote teams. At iMALL, our engineers used IM to roll code into production in the middle of the night when the service was lightly loaded. Rather than everyone coming into work, they all gathered in their bathrobes and slippers in front of their computer screens and coordinated a difficult task using IM.

Even with my cheerleading there are things that concern me about IM when I put my CIO hat on:

  • Recreational-class IM systems are not tied into corporate directories, so it's hard to IM someone who I'm not already in contact with.
  • IM conversations are not encrypted and may travel outside the corporate firewall.
  • Easy file sharing can be just one more, unprotected avenue for viruses to invade the workplace.
  • Some conversations need to be logged for regulatory compliance.

There are ways to solve these problems. One method is to provide an in-house IM solution. Groupwise, for example, has a built-in IM solution, although I've not used it and don't know how well it works. The State of Utah is using it; maybe someone can comment below on how well it works. The problem with an in-house system is that it probably isn't compatible with your customers' and partners' systems, and some of the most important IM conversations are those your employees have with customers and partners.

Another solution is to try to fix the problems in AOL, MSN, ICQ, and Yahoo!'s offerings with a third party solution. One such solution is L7 from Akonix. I haven't reviewed this product, so I can't comment on how well, or even if, it works. The company literature says that L7 logs IM traffic, selectively stops file sharing, and secures conversations between parties. Sounds like it would be worth looking into.

3:53 PM

September 23, 2003

RAID 1 Setup on Linux

I'm working on setting up a new server to host windley.com (including this blog) and my other websites. I've been hosting with Verio. A good friend of mine started the company that eventually became the Verio hosting division about the same time I was starting iMALL. We traded lots of services and had some partnerships. One of the most personally gratifying was a comped virtual server he gave me in 1996. I've used it happily for seven years. But all good things come to an end and last year they started charging me. The per megabyte charges are getting to me. Every time I turn around I'm buying another 100Mb. A content management system like Radio that publishes static pages for everything eats up a surprising amount of disk space. Add the fact that I'd like to put more pictures in my album, etc. and I eventually decided I ought to just configure my own server.

Since the server will be running far from my watchful eye and largely unattended, I didn't want to rely on a backup system that required changeable media. So, I decided to buy two 80Gb drives and configure them in RAID-1. RAID-1 gives you mirroring and only requires two drives. RAID-5, for example, requires at least three. Now, I haven't configured a RAID system for a while (five years?) and I was surprised at how easy Linux makes it. You choose the options during the disk partitioning and it just happens. What's not as easy is deciding how, exactly, to partition the disks.

I found a handy tutorial on RAID-1 at LinuxJournal. The tutorial is in two parts. Part 1 "describes RAID, in which cases RAID-1 is useful, the RAID-1 installation requirements and how to install RAID-1 when you have an existing ext2 filesystem." Part 2 shows "how to make a RAID-1 swap device and how to boot from a RAID-1 device, using RAID-1 to facilitate disk backups."

One of the things I learned from the article that I hadn't realized before was that the swap partition can and indeed should be a RAID device since you won't keep right on ticking if you lose your swap on a disk failure. You also want each drive to be on a separate controller and that's easy enough to do. In the end, here's what I came up with:

Partition   Type   Size
/boot       ext3   100Mb
swap        swap   512Mb
/var        ext3   8000Mb
/           ext3   everything else

I made all of these RAID-1 partitions. I created the two software RAID partitions for /boot first so that they'd be in the first 1024 cylinders. I like a separate /var partition so that if log files go crazy due to a DoS attack or something, it doesn't fill up the rest of the disk. /tmp is a link to /var/tmp for the same reason. I like the ext3 journaled file system.

Now for the testing. With this set-up, I removed power from one of the drives and the system gave a few hiccups while it timed out trying to contact that device and then just kept right on going. I rebooted the machine and it came up just fine on one drive. I know I shouldn't do this with the power on, but I couldn't resist. I had to see it work. If you're not prepared to just trash a drive and buy a new one, don't be a hot-swap cowboy.

When you plug it in, you have to use raidhotadd to bring the drive back online. You use it like so:

[root@lynx root]# raidhotadd /dev/md0 /dev/hdc5
[root@lynx root]# raidhotadd /dev/md3 /dev/hdc3
[root@lynx root]# raidhotadd /dev/md1 /dev/hdc2
[root@lynx root]# raidhotadd /dev/md2 /dev/hdc1

You can get the mapping from /etc/raidtab. Recovery takes a while (a couple of hours on an 80Gb drive). This is very disk intensive, so if one drive crashes and the other one isn't sounding healthy, you'll need to cross your fingers and hope you get a recovered disk before the other one blows. Unplugging the other drive gave the same results. I'm now comfortable that a drive failure won't take down the machine and that I can boot it on a single drive.

One note: if you want the machine to reboot automatically, all of your mountable partitions (everything in /etc/fstab) need to be RAID or else the reboot will die when it can't find a non-RAID partition on the dead disk. You can still boot, but you have to go into maintenance mode and manually remove it from /etc/fstab.

Lastly, if you're going to have a system that masks errors, you need to instrument the system so that you get notified when the errors occur. You could operate for a long time on one drive if you don't. There are some scripts that can be put in the crontab at http://www.1U-Raid5.net/Monitoring/. I like this one.
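As an added example of the kind of instrumentation meant here (my own script, not the post's and not one of the 1U-Raid5.net scripts), this cron-friendly check parses /proc/mdstat, where each md array's status line carries a member map like "[UU]" when both mirrors are present and "[U_]" when one is missing. The sample mdstat contents are constructed to look like the two-disk layout above after one drive has been pulled; the path, the cron schedule and the mail command in the comment are assumptions.

```sh
#!/bin/sh
# Added example: report md arrays that are running with a missing member.
# check_mdstat [FILE]: FILE defaults to /proc/mdstat so the same function serves cron and tests.
# Prints one line per degraded array; exit status 0 if every array is healthy, 1 otherwise.
check_mdstat() {
    awk '
        /^md[0-9]+ *:/ { dev = $1; next }                 # "md1 : active raid1 hda2[0]"
        dev != "" && match($0, /\[[U_]+\]/) {            # "530048 blocks [2/1] [U_]"
            status = substr($0, RSTART, RLENGTH)
            if (index(status, "_") > 0) { printf "%s degraded %s\n", dev, status; bad++ }
            dev = ""
        }
        /recovery *=|resync *=/ { printf "rebuild running:%s\n", $0 }   # informational only
        END { exit (bad > 0) ? 1 : 0 }
    ' "${1:-/proc/mdstat}"
}

# Constructed sample of /proc/mdstat with md0 intact and md1 missing its second mirror.
write_sample_mdstat() {
    cat > "$1" <<'EOF'
Personalities : [raid1]
read_ahead 1024 sectors
md0 : active raid1 hdc5[1] hda5[0]
      104320 blocks [2/2] [UU]
md1 : active raid1 hda2[0]
      530048 blocks [2/1] [U_]
unused devices: <none>
EOF
}

# Stand-alone run: check the constructed sample. Against a live box you would run
# check_mdstat with no argument from cron, e.g. (assumed path and schedule):
#   */10 * * * * /usr/local/sbin/check_mdstat.sh live || mail -s "RAID degraded on `hostname`" root
demo() {
    tmp=$(mktemp) || return 1
    write_sample_mdstat "$tmp"
    if check_mdstat "$tmp"; then echo "sample: all arrays healthy"; else echo "sample: ALERT, see above"; fi
    rm -f "$tmp"
}

case "${1:-demo}" in
    live) check_mdstat ;;
    *)    demo ;;
esac
```

The check reports only arrays whose member map contains an underscore, so a healthy box produces no output and a zero exit status, which is what makes it usable behind `||` in a crontab line; a rebuild in progress is printed for information but does not by itself raise an alarm, since the degraded "[U_]" map is already reported while the resync runs.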

It's still amazing to me that I can get a RAIDed, journaled file system for free as part of Linux. When we built Emerald Lake we spent lots of money for these same features. Now, they power my blog.

If you have comments about my set-up or decisions, I'd love to hear them. There are plenty of people who know more about this than me. If you think I've made a horrible error, or even a minor one, leave a comment.

10:11 PM

September 20, 2003

A Quote Blogmarklet

Jon Udell, in referencing Jesse Ruderman's well-formedness bookmarklet, reminded me that I've been meaning to create a small bookmarklet of my own. I've been thinking for some time that some little bookmarklets would make blogging simpler and take care of some of the more mundane formatting chores. The one I started out with helps me with formatting quotes.

When I quote another web page, the convention I've developed is to place it in <P/> elements like so:

<P class="quote">
This is a quote from another blog.
</P>

My CSS contains the following style:

.quote {
  font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;
  font-style: italic; margin-left: 1cm;
}

which indents the quote and italicizes it. I've wanted to add uri and date attributes to the <P/> element for a while so that I can find the source again, or at least know when I referenced it, by looking at the quote. Alas, I'm too lazy to do that by hand, so I haven't been.

This evening, I created a bookmarklet for blogging, or a "blogmarklet," called Make Quote, which formats highlighted text on a page the way I want it for inclusion in a blog article. Highlighting a section of text and pressing the blogmarklet pops up another window with the highlighted text correctly formatted and in a text area so it can be pasted into my editing window.

Highlighting a chunk of text on Jon's blog and pressing the blogmarklet produces this code:

 <p class="quote" 
    uri="http://weblog.infoworld.com/udell/"
    date="Sat Sep 20 2003 18:35:06 GMT-0600 (MDT)">  
I picked up Jesse's "blogidate xml well-formedness" bookmarklet there, 
and  it immediately became part of my routine. Enlarge the screenshot and 
you'll  see it in action, in Mozilla (works in IE too), pinpointing a 
well-formedness error  in a draft of this posting. The red tint tells me 
there's a problem; the location  is highlighted; the parser error shows 
up in the browser's status line. When I fix  the error, I'm green and 
good to go. Excellent! </p>  

which renders as:

I picked up Jesse's "blogidate xml well-formedness" bookmarklet there, and it immediately became part of my routine. Enlarge the screenshot and you'll see it in action, in Mozilla (works in IE too), pinpointing a well-formedness error in a draft of this posting. The red tint tells me there's a problem; the location is highlighted; the parser error shows up in the browser's status line. When I fix the error, I'm green and good to go. Excellent!

I got the biggest chunk of the code directly from bookmarklets.com and just modified it from there. Only one problem left to solve: the blogmarklet I've given here works with Netscape, but not Safari. Anyone have any hints into why?

I think that there's a lot of room for improvement in the current crop of blogging tools. They're nice, but they don't do as much as they could to aid me in creating the site I want to create. This is one example where a little Javascript can solve the problem. In general, I'd like to include more metadata in my posts to make my blog more useful to me as a reference. In that sense, Kimbro Staken's Syncato blogging tool looks like a great step forward.

Update: I discovered the problem with Safari. I had neglected to close out the <form/> and <textarea/> elements and so it wasn't writing the window. The version here now should work in Netscape and Safari. Safari JavaScript debugging was no help in this instance.
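Since the blogmarklet's own source is not reproduced above, here is an added, from-scratch version of the same idea in JavaScript (my code, not the author's and not bookmarklets.com's). It builds the <p class="quote" uri="..." date="..."> markup from the selection, the page URL and the current time, and shows it in a pop-up text area. Two details are worth having in a tool like this: the selected text is HTML-escaped so the quote stays well-formed when pasted into a post, and the markup is escaped a second time before it goes into the <textarea>, so a selection that happens to contain "</textarea>" cannot break out of the box, the same family of problem as the unclosed form and textarea in the update. The window name and size in runBookmarklet are assumptions.

```javascript
// Added example: a "Make Quote" bookmarklet built from scratch (not the author's code).
// Pure functions first, so the formatting can be tested outside a browser.

// Escape text for an element body or a double-quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Browsers copy line breaks and indentation along with a multi-line selection;
// collapse them so the quote pastes as one paragraph.
function normalizeWhitespace(s) {
  return String(s).replace(/\s+/g, " ").trim();
}

// The quote markup used on this blog: uri and date as attributes, text as the body.
function makeQuote(text, uri, date) {
  return '<p class="quote"\n' +
         '    uri="' + escapeHtml(uri) + '"\n' +
         '    date="' + escapeHtml(date) + '">\n' +
         escapeHtml(normalizeWhitespace(text)) + '\n</p>';
}

// The pop-up document. The markup is displayed as text inside a <textarea>, so it is
// escaped once more; without this a selection containing "</textarea>" would end the
// box early and the rest would be parsed as page markup. Both <textarea> and <form>
// are explicitly closed.
function popupHtml(markup) {
  return '<html><head><title>Make Quote</title></head><body>' +
         '<form><textarea rows="12" cols="72">' + escapeHtml(markup) +
         '</textarea></form></body></html>';
}

// Browser entry point: read the selection, format it, write the pop-up.
// Window name and size are assumed values, not taken from the post.
function runBookmarklet(win) {
  var sel = win.getSelection ? String(win.getSelection())
                             : win.document.selection.createRange().text;
  var markup = makeQuote(sel, win.location.href, new Date().toString());
  var popup = win.open("", "makequote", "width=640,height=320,scrollbars=yes");
  popup.document.open();
  popup.document.write(popupHtml(markup));
  popup.document.close();
}

// Wrap the whole file as javascript:(function(){ ... })() for the bookmark; under
// Node there is no window, so only the pure functions are exercised.
if (typeof window !== "undefined") runBookmarklet(window);
```

To turn this into a bookmark, strip the comments, wrap the file in `javascript:(function(){ ... })()` and paste it as the bookmark's location; the `typeof window` guard is only there so the same file can be run and tested in Node.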

6:42 PM

IT in the Small Business

Yesterday I had lunch with the owner of a small business. He has grown from one shop to eight shops in four states. A central distribution center in Salt Lake serves them all. The business buys inventory from multiple suppliers. My friend is making good money and the business is a success by most outward signs, but he has a problem: the entire empire depends on him working 12-hour days to make the critical decisions. My friend holds tight control on all inventory and purchasing from suppliers because this is where mistakes lead to huge losses. He also manages the salesforce.

This story reminded me of a story told by Charlie Feld. Feld, who was CIO for Frito-Lay, tells about his instructions from Herman Lay, the founder. When Lay founded the company in 1938, he was in intimate touch with his suppliers and his customers, often picking out the potatoes himself and delivering the finished product to stores. If the company had cash, Lay knew it because the cash was in his pocket. Lay wanted Feld to build an IT system that would get him back in touch with the business. Feld succeeded by putting in a $40 million logistics system that became a case study in IT.

At first the story of my friend's business and the problems of Frito-Lay may seem very different, but I see them as the same story from different points of view. At some point, every small company that becomes a big company passes the stage where the owner can know every aspect of what's going on. This is a defining moment; owners who can't build processes to keep control of the business and keep it profitable as it grows either stay small or go bust.

As a CIO, I see this through IT-shaded glasses. I like to think that the CIO has a central role to play in helping the business not just automate process, but develop the processes themselves. As I talked to my friend about concepts like enterprise architecture and IT maturity hierarchy, he kept saying over and over: "That's our exact problem. You're telling me my history."

Most people who start businesses aren't IT experts and they shouldn't have to be. They're good at making pies, fixing cars, or some other specialty. Even so, it's folly to think that as IT gains more and more prominence in helping large businesses operate successfully, small businesses don't need access to good IT as well. Many of them can't even keep their PCs running and they limp by on antiquated inventory systems because they're scared to jump in and make what could be a crushing mistake.

I've thought about this problem over the last few months and wondered how to give small businesses access to good IT advice and experience. As I said, the principles that we talk about in enterprise architecture and IT maturity are perfectly applicable; they just need a different context and some scaling down. Take, for example, the IT maturity hierarchy shown at the right. Small businesses have infrastructure issues that need to be solved first. They have the need for security and storage management. They have data to keep track of and applications that they need to buy or create to manage their business. At this stage, they're finally starting to get a view into their business that allows them to manage past the transition point and still have a comfort level with the business operations even though they're out of their direct control.

The problem with this, of course, is that the knowledge needed to create these systems is hard to find and hard to trust for a small business. Many don't have the discipline or see the value in going through an enterprise architecture process that creates, as one of its first steps, a business architecture. It's easier to just call up Billy down the street and buy a few cheap computers and an accounting system or a sales contact system to run on top of them. Then they get a few months down the road and find their systems aren't serving their needs and they're forced to live with them.

I don't have an answer. Maybe I'll get a chance to help my friend and come up with some ideas as part of that process. If you have some, I'd love to hear them.

12:48 PM

September 19, 2003

Topic Guides

I've added a new feature in the left-hand margin called "Topic Guides." I frequently research subjects in some depth to gain an understanding of them as I write, consult, and speak. I used to just throw them in the Features page, but it's becoming crowded and not as useful to me. So, I started creating guides for Digital Identity and Voice over IP. I'll slowly migrate subjects out of the Features page and into individual topic guides. My goal is not to become a network directory, but to put information and net-based resources into context---at least my context.

7:10 PM | Comments () | Recommend This | Print This

WS-Manageability

This week IBM, CA, and Talking Blocks submitted the WS-Manageability specification to the OASIS WSDM technical committee. Because most of the writing I've been doing for InfoWorld has focused on the WS intermediary space, manageability has been a topic I've thought a lot about. Most intermediary products make as much noise about their ability to manage Web services as they do about their ability to provide proxy services like security and logging.

The WS-Manageability specification defines the ideas of manageability topics and management aspects.

A topic covers the functional capability that supports management of a particular problem or management domain...The functional capability of a topic is described using a combination of three aspects: properties, operations, and events.

The five topics identified in the specification are:

  1. Identification - provides the capability to uniquely identify the resource under management.
  2. State - provides the capability to manage the operational state of the resource under management.
  3. Configuration - provides the capability to manage the collection of properties that affect the behavior of the resource under management.
  4. Metrics - provides the capability to manage important metrics, the raw, atomic, unambiguous, quantifiable data about the resource under management.
  5. Relationships - provides the capability to query the associations that the resource under management participates in with other resources.

The three aspects of manageability are:

  1. Properties - the publicly exposed state of the resource.
  2. Operations - the methods that the resource supports.
  3. Events - information which describes state changes within the resource.

The specification goes on to describe these in great detail. The group also submitted a concepts document which contains some very good discussions of Web services in general and a representation document that contains the XML definitions for the specification.

10:24 AM | Comments () | Recommend This | Print This

September 18, 2003

I'd Wondered What Was Going On: Verisign's Wildcard

I noticed the other day that I mistyped a domain name and got a Verisign page. I thought it was odd, but hadn't suspected what had actually happened. From Slashdot:

As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now result in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising.

Jeremy Zawodny has a few things to say about it as well. I don't like it, but after all the other crap that happens, I have a tough time working up the indignation.
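As an added example (mine, not from the Slashdot post or this blog), here is how a resolver operator could detect a synthesizing wildcard like the one described and strip its address from answers so that typos go back to being NXDOMAIN. The resolver callable and the zone contents are constructed stand-ins; the only real value is the 64.94.110.11 address quoted above.

```python
import secrets
from typing import Callable, Iterable, List, Optional, Set

# Address the Slashdot post names as the .com/.net wildcard target in September 2003.
SITEFINDER_IP = "64.94.110.11"

# A resolver here is any callable mapping a name to its A records; an empty list
# stands for NXDOMAIN.  Real code would wrap a DNS library; below we use a fake.
Resolver = Callable[[str], List[str]]


def probe_names(tld: str, count: int = 3) -> List[str]:
    """Random labels nobody has registered: any answer for them comes from a wildcard."""
    return [f"nx-{secrets.token_hex(8)}.{tld}" for _ in range(count)]


def detect_wildcard(resolve: Resolver, tld: str, count: int = 3) -> Set[str]:
    """Return the address set a synthesizing wildcard hands out for `tld`, or an empty set.

    A zone without a wildcard answers NXDOMAIN for every random probe.  If every probe
    resolves, the addresses common to all of them are the wildcard's.
    """
    answers = [set(resolve(name)) for name in probe_names(tld, count)]
    if any(not a for a in answers):
        return set()                      # at least one honest NXDOMAIN
    return set.intersection(*answers)


def resolve_filtered(resolve: Resolver, name: str, wildcard_ips: Iterable[str]) -> List[str]:
    """Strip known wildcard addresses so a typo is NXDOMAIN again, not a landing page.

    Caveat: a real host that legitimately points at one of `wildcard_ips` is filtered
    too; a resolver that must avoid that has to inspect the response for a delegation
    instead of matching addresses.
    """
    blocked = set(wildcard_ips)
    return [ip for ip in resolve(name) if ip not in blocked]


def make_fake_resolver(zone: dict, wildcard_ip: Optional[str]) -> Resolver:
    """Constructed stand-in for DNS: explicit records win, otherwise the wildcard (if any)."""
    def resolve(name: str) -> List[str]:
        if name in zone:
            return list(zone[name])
        return [wildcard_ip] if wildcard_ip else []
    return resolve


if __name__ == "__main__":
    # Constructed zone: one real site, everything else synthesized to the Sitefinder address.
    dns = make_fake_resolver({"somecompany.com": ["192.0.2.10"]}, SITEFINDER_IP)
    found = detect_wildcard(dns, "com")
    print("wildcard addresses for .com:", sorted(found))
    print("soemcompany.com ->", resolve_filtered(dns, "soemcompany.com", found))
    print("somecompany.com ->", resolve_filtered(dns, "somecompany.com", found))
```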

8:03 PM | Comments () | Recommend This | Print This

September 17, 2003

Wal-Mart's Move to Use RFID

Wal-Mart is very IT savvy. I guess they never read Nicholas Carr. They are also quite bold in their IT moves for a company so large. For example, I wrote earlier about Wal-Mart's move to force trading partners to use Internet-based EDI. The most recent CIO Insight carries an article about Wal-Mart's big experiment with RFID. If you're not familiar with it, RFID is radio frequency identification. RFID tags can be produced cheaply and embedded in packages, allowing them to be identified from a distance. Wal-Mart isn't deploying them on consumer packaging--yet--but they're requiring their top 100 suppliers to have them on cases and pallets shipped to Wal-Mart stores and distribution centers by January 2005. Wal-Mart represents 10-40% of some of these suppliers' business, so they will comply even though the cost will be borne solely by them.

Wal-Mart had also planned to have RFID devices on consumer packaging from Gillette in a pilot, but cancelled that this summer. Some thought the cancellation of the consumer trial meant that Wal-Mart was backing off its plans to use them on cases and pallets, but that's not true. They plan to move beyond the top 100 and require RFID of all suppliers by 2006. That move alone could drop prices of RFID gear and make RFID into a viable technology for many other industries and retailers. The article describes Wal-Mart's history in RFID:

For the past two-and-a-half years, Wal-Mart has been working with the Auto-ID Center, a nonprofit research organization based at the Massachusetts Institute of Technology, to develop and test RFID technology that will allow companies to track goods using a universal Electronic Product Code (EPC). The Auto-ID Center's long-term vision is for companies to use smart shelves to monitor how many items are on each shelf. When inventory is low, software would signal a store manager that, say, more Tide detergent or Kellogg's Corn Flakes needs to be brought from the storeroom. Readers in the storeroom would monitor inventory and alert the distribution center when more product is needed, and so on back through the supply chain. But Wal-Mart and other sponsors of the Auto-ID Center have always envisioned that it might take as long as ten years before RFID tags would become inexpensive enough to put on individual items in stores.

Many people now expect RFID use at the pallet and case level to take off rapidly because of something economists call the "network effect," which basically says that the more people use a physical network (say, the Internet) or shared service (eBay), the more valuable it becomes. That encourages even more people to use the network, creating exponential growth.

The people who ought to be worried aren't Wal-Mart's suppliers, but Wal-Mart's competitors. The savings from this are huge:

Here's an estimate of what Wal-Mart might save annually when RFID technology is deployed throughout its operations.

  • $6.7 Billion: Eliminating the need to have people scan bar codes on pallets and cases in the supply chain and on items in the store reduces labor costs by 15 percent.
  • $600 Million: Even with the most efficient supply chain on earth, Wal-Mart suffers out-of-stocks. The company boosts its bottom line by using smart shelves to monitor on-shelf availability.
  • $575 Million: Knowing where products are at all times makes it harder for employees to steal goods from warehouses. Scanning products automatically reduces administrative error and vendor fraud.
  • $300 Million: Better tracking of the more than 1 billion pallets and cases that move through its distribution centers each year produces significant savings.
  • $180 Million: Improved visibility of what products are in the supply chain---in its own distribution centers and its suppliers' warehouses---lets Wal-Mart reduce its inventory and the annual cost of carrying that inventory.
  • $8.35 Billion: Total pre-tax saving is higher than the total revenue of more than half the companies on the Fortune 500.

Wal-Mart will reap not only efficiency advantages, but eventually advantages in sales as well:

Studies show that products are out of stock in the grocery and mass-merchandise sector an average of 7 percent of the time. Procter & Gamble Co. has commissioned research that reveals that out-of-stocks on some fast-moving items can be as high as 17 percent.

This means that CIOs at other retailers will have to scramble to catch up and understand and then deploy this technology. Some will take a "wait and see" approach, hoping that Wal-Mart fails and gives them some breathing room. This is risky in my book. I wouldn't want to bet against Wal-Mart succeeding in this kind of venture. They don't fail often.

At the same time, there are worries about the technology not being ready for prime time. An article in yesterday's SiliconValley.com talks about some of the concerns.

With every supplier, there are two camps, said Kara Romanow, an analyst with AMR Research, whose report estimated companies would spend $2 billion trying to meet the Wal-Mart deadline. There's the camp that believes the end vision and has really bought into the hype. Then there are the people that are charged with implementing it that are scared.

At the same time there are privacy concerns:

Some privacy advocates, who contend the technology will soon be used to track people and their personal information, are also worried that RFID is moving too fast. Katherine Albrecht, of the privacy group Caspian, said citizen and consumer advocates should have been invited to the Chicago symposium to discuss their concerns. Instead, her group now plans to protest. "It's such a one-sided conversation about the needs of businesses, with so little input from the citizens and consumers who are the major stakeholders in society," she said.

There's little privacy concern with the current plans. The privacy issues begin when there are RFID tags on consumer items. I think some lessons from The Transparent Society are in order here.

4:39 PM | Comments () | Recommend This | Print This

September 16, 2003

XML Database Based Blogging

One of the things I love about reading Jon Udell's blog is that Jon is a "cool stuff" magnet. Such is the case today where Jon reports on Kimbro Staken's new blog software, built on top of Sleepycat's Berkeley DB XML. In Kimbro's system, the XPATH query on the XML data just becomes part of the URL and thus is folded right into the GET. As Jon says: "I just love this idea of incorporating XPath into RESTian URLs." There's something elegant about it.

Every once in a while I make a change to my CSS that allows my posts to have more meaningful mark-up. For example, I created a class for quotes so that it would be easier to find them. Still, I think there's much more to do in this area to make my blog a more meaningful data repository for myself and others. Using an XML-based database as the heart of the content management system would provide the infrastructure for doing this (although making it reality would still require discipline).

The other part of this post that's very interesting to me is the link to Berkeley DB XML. I'd heard of it before, but never looked into it. If you've ever thought about building an application that's based on XML, you know how key an XML-based DB is to the whole thing. Berkeley DB XML is an open source XML database built on top of Berkeley DB. (People who know the history of iMALL are chuckling right now.) I found a good little article on Berkeley DB XML that contains Perl code showing how it can be used. Summary: supports XPath queries, but not updates---yet. Imagine being able to GET, POST, PUT, and DELETE to an XML database in a RESTian manner.

4:58 PM | Comments () | Recommend This | Print This

Wisconsin Moves to Regulate VoIP

The Wisconsin Public Service Commission has informed VoIP provider 8x8 that its VoIP service is subject to the same rules as traditional telephone companies. Last month Vonage was told a similar story by Michigan. In this story from c|net News, Huw Rees, a spokesman for 8x8 claims that this ruling has ramifications beyond voice:

[The WPSC ruling] could potentially regulate e-mail because they don't distinguish between data communication and telephone communication. It seems to be a lot of confusion to how and whether or not to regulate these types of services.

The problem is that as services converge, it's more and more difficult to separate out voice services from data services. Combine a Cisco 7200 with the right cards and software and you've got a voice switch. Buy some PRIs from the phone company and you can start offering phone service to your friends and neighbors. There are companies like PortaOne who will sell you the billing and self-service provisioning system and you're in business. It's cheaper than you think, too: a few hundred thousand is all it takes to be your own phone company these days.

I think that PSCs around the country have to start regulating behavior instead of implementation. That is, don't try to figure out what's data and what's voice. Don't try to regulate data packets. Just modify the rules so that they're consistent with voice service and forget about how it's delivered. If we believe that there is some public interest in regulating voice, and I think there is (e.g., 911 service, lifeline services, etc.), then let's provide for that. But all the rules now about CLECs and so on were made a decade ago when becoming a phone company required the cooperation of the RBOCs. At this point, it's hard to imagine how they'd stop you.

2:35 PM | Comments () | Recommend This | Print This

Extreme Programming

There's been a lot of buzz about Extreme Programming, or XP as it's sometimes called. Proponents claim that it's the answer to late projects and buggy code. They might be right. A recent Wired Magazine article called The New X-Men talks a bit about XP and highlights four programmers at HP's Seattle office. One of those developers is Kevin Yu, described as a 25-year-old, prematurely jaded programmer:

Yu is among thousands of coders who've discovered extreme programming, a method of software development that emphasizes constant feedback. Traditional coding devotes a huge amount of time to up-front planning, then demands rigid adherence to that plan. XP is different. Programmers spend relatively little time planning and instead dive into the writing, making course corrections as needed and allowing better ideas to emerge after snippets of code are tested and assessed. The result is a speedy loop: plan, code, test, release, plan, code, test.

At the heart of XP are some simple concepts and principles. The Wired article, following the lead of an article on IBM developerWorks by Roy Miller called XP Distilled, defines twelve rules for XP:

  1. The Planning Game - XP is based on the assumption that you can't know everything up front and that you'll learn as you code. Thus XP encourages the creation of a rough plan and then frequent updates as you go along. This involves constant communication and frequent meetings with the customer.
  2. Small Releases - Put a simple system into production quickly, then release new versions on a short cycle. Even so, each release should deliver real business value.
  3. System Metaphor - This is XP's answer to architecture. The system metaphor provides a picture of all the pieces and how they interact.
  4. Simple Design - Simple designs lead to simple implementations. The implementation should pass all the tests with a minimum amount of code and no more.
  5. Testing - Writing unit tests is part of writing the code in XP. In fact, the test is written before the code and serves as the specification. The customers write the acceptance tests. How is that possible? See my write-up of Ward Cunningham and Brian Ingeson's talk on the FIT Framework for one possible answer.
  6. Refactoring - Refactoring is rewriting the code to simplify, add flexibility, or remove redundancy without changing the functionality. An XP team refactors relentlessly.
  7. Pair Programming - Write all code with two programmers at one machine. Some might think this inefficient, but Martin Fowler says, "When people say that pair programming reduces productivity, I answer, 'that would be true if the most time-consuming part of programming was typing.'"
  8. Collective Ownership - Any person on the team can change code anywhere in the system at any time.
  9. Continuous Integration - Rather than scheduling daily, weekly, or even monthly builds, XP proponents build the entire system several times throughout each day to make sure each piece works in concert.
  10. 40-Hour Week - Burning the midnight oil kills performance. XP teams endeavor to work a fixed number of hours each week and to never work overtime two weeks in a row.
  11. Onsite Customer - Developers aren't allowed to make business decisions, so having a real, live customer or user on the team, available full-time to answer questions, speeds the process. I think this dovetails nicely with a well developed discipline of product management.
  12. Coding Standards - Having a coding standard prevents the team from being distracted by silly arguments and supports the pair programming and collective code ownership principles.

Some are put off by the religious fervor that XP devotees have. I put that down to excitement at discovering something they like and that works for them. From my perspective, XP is about big-scale programming. I think it would be difficult to do in a start-up and maybe not as useful where typically one visionary is creating the pilot. I'm intrigued though. If I were managing a development team again, I'd probably give it a try.

10:46 AM | Comments () | Recommend This | Print This

September 15, 2003

Event Driven Business

In an event driven business, products are built to order, not built to stock, reducing inventory carrying costs and allowing greater customer satisfaction as a result of customization. This article from ebizQ has a great analogy:

If you want the train to move over one foot, you have to do an immense amount of work tearing up and re-laying tracks. On the other hand, all you need to do to turn the more agile truck is move the steering wheel.

Historically, we've been better at laying tracks in IT than we've been at designing roads. The Internet is probably a counter example. Its flexibility has been its greatest strength. The article, entitled "SOA It Goes: The Agile Enterprise Goes Mainstream," talks about the relationship between event driven businesses and event driven IT. With Web services, we're trying to recreate the flexibility of the Internet in every application. That's a tall order. Perhaps the best line in the article, for me, was this one:

[E]vent-driven, service-oriented architectures integrate three kinds of data: reference data, such as the number of trucks in a fleet; state data, such as the number of trucks under repair; and event data, such as a delivery being completed.

I'm not sure why it stood out, but, it seems to be a useful taxonomy. I'd be interested in hearing if others have used this or a similar taxonomy to classify data in an architecture and what benefits there were.

Reading the article, and another I found at the same site while I was researching SOA performance monitoring, led me to wonder about the tie-in between the Iteration Real-Time reporting suite I reviewed a few weeks ago in InfoWorld and Web services. While not specifically sold as a Web services monitoring tool, it could easily be tailored to that end and would provide some interesting visualizations.

10:01 PM | Comments () | Recommend This | Print This

A Noble Experiment: Free PDF Downloads of EJB Books

In a noble experiment in the economy of the Net, three books on J2EE and EJBs are available for downloading on The Server Side. The three books are:

Of course, the authors hope that you'll buy the book, since most people prefer printed books to PDF and it's more expensive to print it than to buy it. They're offering the complete book in PDF format as, essentially, advertising. This is apparently Ed Roman's idea. He did the same thing with the first edition of his book. I own that copy and found it to be a great book on EJBs. Since he's doing it again, he must have had a positive experience the first time around. Note: you will have to register with The Server Side to download the books.

3:53 PM | Comments () | Recommend This | Print This

I'm Blushing---Really!

Adam Gaffin, of Network World Fusion, has placed me on his list of top ten bloggers. I was surprised to be among such august company.

3:23 PM | Comments () | Recommend This | Print This

Online Zines and Blogs

CNET News.com has redesigned their site and incorporated blogs, of a sort, into the design. The site features six main areas of focus and a weblog, which they call a "journal," for each one. For example, here's the Web Services Journal. I was disappointed when I found them. There are some issues like no permalink and no clear indication who's writing the weblog, but more importantly, they have a sterile, corporate voice. Seems like all they've done is collected editorials into one spot and called it a blog. No RSS feed either.

In related news, according to Bruce Sterling, Wired magazine will also incorporate weblogs, but they haven't shown up yet. Fast Company also has a blog which, as far as voice is concerned, is a little better than the ones at news.com, but still has more of a bulletin board feel than that of a true blog. At least there's an RSS feed.

Update: I had a short, pleasant exchange with Heath Row, who is one of the writers of the Fast Company weblog---it helped clarify my thinking. I was probably too specific to the Fast Company weblog. I often find blogs that are written by more than one person difficult to connect with. They need some time to develop a personality, which is usually immediately present in a one-person blog. They tend to feel more like a bulletin board, with multiple people posting and then others responding in comments. That doesn't mean they're not useful, just that they have a different style.

I think you have to work harder in a multi-person blog, particularly one that is affiliated with some other media concern, not to just sound like a collection of repurposed stories. I think it's easier to do if the participants each keep a separate blog and then someone aggregates selected stories from them. Some would object to this "editing" and say that it would ruin the nature of the blog, but in fact, I see it as an honest kind of editing where value is being added to the original content by giving it context and putting it in place with other interesting stories. The originals are still available for those who wish to read purely.

8:01 AM | Comments () | Recommend This | Print This

PDF Resources

I found a site called Planet PDF, with a good collection of PDF information and tools. I learned a few things poking around.

7:49 AM | Comments () | Recommend This | Print This

September 13, 2003

Java Card Based Identity Management

Chris Gulker posted a piece on his blog about a visit to Sun where they use Java Cards as employee badges. Simply insert one of these into any thin client and you're logged in with your environment. Chris concludes:

You could sell me on the idea of a Java card slot on every computer... anywhere you go, just pop in your card...

These little smart cards with a Java VM on them are manufactured by Schlumberger and others. These cards have something like 64K of memory on the card. It's not clear to me, in the application Chris describes, what use is being made of the JVM on the card. An onboard processor could buy you the ability to process keys on the card and not transfer them to the host machine. Absent that, you could do the same thing with any smart card and a good enterprise-wide directory.

12:50 PM | Comments () | Recommend This | Print This

September 12, 2003

The Economist on OSS and Government

The Economist published an article on open source software and government yesterday. The article opens by discussing Munich's recent decision to go with Linux on the desktop. According to the article, governments around the world spend $17 billion on software:

Government purchases of software totaled almost $17 billion globally in 2002, and the figure is expected to grow by about 9% a year for the next five years, according to IDC, a market-research firm (see chart). Microsoft controls a relatively small part of this market, with sales to governments estimated at around $2.8 billion.

This figure seems low to me, I would have put it higher. The article goes on to call the marriage of OSS and government Microsoft's Achilles heel:

[I]t is a crucial market, because when a government opts for a particular technology, the citizens and businesses that deal with it often have to fall into line. (In one notable example, America's defense department adopted the internet protocol as its networking standard, forcing contractors to use it, which in turn created a large market for internet-compliant products.) No wonder Microsoft feels threatened---the marriage of open-source software and government could be its Achilles heel.

When I first read this, I thought "hogwash": there's no reason for a citizen to be forced to buy a Microsoft product just because the government uses it. After all, there are open standards, or at least solutions that are freely available and not Microsoft specific, in most areas. But then I thought of the many places on Utah.gov where, like it or not, there was some kind of Microsoft specific solution which at least suggested that using Microsoft would be easier than not using it. For example:

  • There are several places where downloadable forms or information were in Word. There's a free reader, but not many people have it. The Utah Courts have a "self-service divorce" application that is based on Microsoft Word.
  • There are places where a web application is specific to Internet Explorer for one reason or another. In many cases, agencies work to avoid this, but some do not---either out of ignorance or financial pressure. There is no statewide testing lab, for example, that agencies can use to test for browser usability or even 508 compliance.

The conclusion: eGovernment portals ought to be more general than using the easy Microsoft solution, but often they're not because the culture is so overwhelmed by Microsoft products. It's easy to fall into little traps here and there, and in the end you build applications that "work best" with Microsoft. Maybe The Economist is right after all.

6:24 AM | Comments () | Recommend This | Print This

September 11, 2003

Identity Management in Government

This month's issue of Governing Magazine is a special issue on Online Privacy. There are three articles: one on privacy, one on surveillance, and one on managing identity. All three are topics I enjoy, but the one that caught my eye was the identity article. It starts out:

There are ghosts in government, and they're lurking in databases and applications throughout the online universe. That should be pretty scary for the caretakers of the information that governments are supposed to safeguard. The specters are actually real people -- employees who were given access to computer applications so that they could get information they needed to do their jobs. Only now they've moved on: They've either changed jobs or left government altogether. But their names and accounts linger. A former employee or other knowledgeable person could use that opening to gain entry to a program or database and steal personal information, change data or simply see information he or she has no right to see.

Of course, government isn't the only enterprise with this problem. Many large organizations suffer from the same problem. I've heard stories of companies with "zero-day" start plans, but no reciprocal "zero-day stop" plan. It's a great efficiency boost to get employees turned on and working quickly, but it's just as important to turn down authorizations when they're no longer needed.

The article highlights two states and what they're doing: North Carolina and Washington, but oddly, neither case study really addresses the overall identity management problem and what states ought to be doing. The North Carolina case talks about how they've got a secure portal for documents that require authorization and the Washington case talks about their use of certificates for businesses accessing some of their services. There is a nod to single sign-on, but neither addresses the real problem: managing identities.

To really get out in front of this requires a lot more than certificates or a secure portal; it requires an identity management strategy. A digital identity strategy is a long-term plan that models how identity information will be used by your business, taking into account the key stakeholders in identity: your partners, customers, and employees. There are several important steps:

  • creating an enterprise information architecture (EIA) to determine the business context for your strategy,
  • determining the digital identity life-cycle in your organization,
  • developing an authentication and authorization policy consistent with the EIA and your digital identity life-cycle,
  • planning and implementing enterprise directory services and other infrastructure necessary to support your policies, and
  • publishing and maintaining a privacy policy based on the authentication and authorization policy along with relevant laws and stakeholder expectations.

Enterprises that implement an identity management strategy stand to reap significant benefits. Among these are a consistent and systematic approach to customers, improved security for corporate applications and information, lower user administration costs, and better compliance with internal and external policies.
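The "ghosts" the Governing article describes and the "zero-day stop" half of the identity life-cycle come down to one routine control: reconciling every application's account list against the HR roster. As an added example (mine, not from the article or this blog), here is that reconciliation in code; the roster, account records and thresholds are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Person:
    """One HR roster entry; the authoritative record of who still works here."""
    person_id: str
    status: str                        # "active" or "separated"
    separated_on: Optional[date] = None


@dataclass
class Account:
    """One login in an application or directory, mapped (or not) to an HR record."""
    username: str
    owner_id: Optional[str]            # None when nobody can say whose account it is
    enabled: bool
    last_login: Optional[date]


@dataclass
class Finding:
    username: str
    reason: str


def find_ghost_accounts(people: List[Person], accounts: List[Account], today: date,
                        grace_days: int = 0, dormant_days: int = 90) -> List[Finding]:
    """Reconcile accounts against the roster and flag the ghosts the article describes.

    Flags enabled accounts that (1) map to nobody, (2) belong to someone separated more
    than grace_days ago, noting any login after the separation date, or (3) have gone
    unused for more than dormant_days, which often means the owner changed jobs.
    """
    roster = {p.person_id: p for p in people}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                                   # already turned down
        owner = roster.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            findings.append(Finding(acct.username, "no matching HR record (orphan)"))
        elif owner.status == "separated" and owner.separated_on is not None:
            if today > owner.separated_on + timedelta(days=grace_days):
                reason = f"owner separated on {owner.separated_on.isoformat()}"
                if acct.last_login and acct.last_login > owner.separated_on:
                    reason += f"; used after separation on {acct.last_login.isoformat()}"
                findings.append(Finding(acct.username, reason))
        elif acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.username, f"no login in the last {dormant_days} days"))
    return findings


# Constructed sample data (not real people or systems).
SAMPLE_PEOPLE = [
    Person("p1", "active"),
    Person("p2", "separated", date(2003, 6, 30)),
    Person("p3", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "p1", True, date(2003, 9, 10)),
    Account("bob", "p2", True, date(2003, 7, 15)),      # left in June, still logging in
    Account("carol", "p3", True, date(2003, 4, 1)),     # active employee, unused account
    Account("svc_legacy", None, True, None),            # nobody knows whose this is
    Account("dave", "p2", False, None),                 # already disabled: not a finding
]


def sample_findings(grace_days: int = 0) -> List[Finding]:
    """Run the reconciliation over the constructed data as of 2003-09-11."""
    return find_ghost_accounts(SAMPLE_PEOPLE, SAMPLE_ACCOUNTS,
                               today=date(2003, 9, 11), grace_days=grace_days)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.username}: {f.reason}")
```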

6:04 PM | Comments () | Recommend This | Print This

September 10, 2003

Enterprise Architecture and City Planning

A useful analogy on enterprise architectures, software architectures, and patterns:

  • An enterprise architecture is like city planning
  • A software architecture is like a building design
  • Design patterns are like codes and best practices in the building trade

The Danish government's white paper on enterprise architecture makes the first analogy in Chapter 4. In it, the work of city planning is divided into three main categories:

  • Standardization - dimensioning of pipes, voltage, roadways, etc.
  • Certification - regulated and standardized qualifications for workers
  • Management - rules, notifications, permits, approvals, etc.

The work in enterprise architecture is largely the same. Most people who have a technical background understand the need for software architecture, but don't quite get the enterprise architecture thing. I think this analogy brings out the need and its relationship to software architecture quite clearly.

The need for a proper enterprise architecture is even more clear when you undertake implementing projects based on a service oriented architecture. Doing your own software architecture for your project does you no good if you can't talk to other services. General standards like SOAP and WSDL help here, but each organization also has much to decide to make SOAs work for them. If interoperability is the goal, then enterprise architecture is the way to get there.

2:56 PM | Comments () | Recommend This | Print This

Timezones and Phone Meetings

I have a lot of phone meetings and getting the timezone right requires constant vigilance. I've had more than one meeting not come off because I or someone else messed up the timezone thing. Now that I'm working with John Gotze from Denmark on some things, it's even harder. John clued me into a handy web site, though, that helps. Using the personal worldclock you can create a personalized collection of clocks showing the time in various cities. Here's one showing Salt Lake and Copenhagen. There's also a meeting planner and a fixed time calculator. Very handy.

9:41 AM | Comments () | Recommend This | Print This

New Zealand Government Standard on Using RSS

The New Zealand government has published a standard on using RSS to publish "media releases and other event-related content authored by government agencies and intended for public consumption via outlets in various media." These news feeds are collected and made available on New Zealand's website. Here are some highlights:

  • The standard calls for using RSS 1.0 and gives a NZ government specific module that adds to the Dublin Core so that government functions can be properly described. Utah's Government Information Locator Service, run by the State Library, provides a similar module for Utah State government and even provides a tool for creating the right metadata.
  • The standard provides examples of what properly created RSS feeds ought to look like, but offers little help on how to actually create the RSS feed.
  • There is a procedure outlined for submitting your RSS feed to the eGovernment office for validation and inclusion in the central RSS aggregator. The central aggregator presents the news feeds on the NZ portal.

I, for one, applaud New Zealand's efforts in this area. Creating standards for things like this is the chief way that eGovernment offices and CIOs can provide for interoperability and help create an enterprise architecture that enables eGovernment. Ideally, such standards are created after a pilot stage where some experimentation and learning has gone on, but before too many people are entrenched in what they're doing.

RSS is an important step for governments to make. Utah has had a central calendar on its web site for years and it's a great idea. Yet, because it was created before RSS was much heard of, the interface is proprietary. This has two huge drawbacks: agencies have to do something special, even manual, to insert events into the calendar, and once it's in there, the data is useful for that application only and can't easily be repurposed. If the system were to be redone with RSS as its foundation, and the Governor's office, which has started using RSS for its news feeds, were to have agencies standardize how they create and disseminate news releases and calendar events so that they automatically created RSS, the system would be more flexible and more widely used.

9:34 AM

GM's Found Religion on Digital Identity

Tony Scott has interesting problems to work on. As CTO of General Motors, there are lots of things that could occupy his time, but increasingly, he's focusing on digital identity. He gave one of the keynotes at last year's Digital ID World conference and I was fascinated by how similar his problems were at GM to the ones faced by the State of Utah and probably every other large organization. From an identity standpoint, Tony has three huge areas of opportunity, or risk depending on how they're handled:

  • Hundreds of thousands of employees,
  • One of the largest, most complex supply chains in the world, and
  • A vast distribution network of independent dealers

In a recent interview with Phil Becker, Tony commented on the fact that digital identity is central to business strategy:

I end up participating in a lot of external events, forums, discussions, etc. and what's been interesting to me over the last year is the rising barometer around awareness of, and also concern about digital identity. There's hardly a session I go to these days where it doesn't come up in some form - whether you're talking about intrusion detection, who's on our network, who should be on our network, or application strategy. I was with a group yesterday that were talking about "compute on demand" and how you would enable that infrastructure. Not surprisingly the conversation wound around to identity management. It seems to be a very pertinent and rising issue, particularly in corporations. Especially as you go collaborative as GM has, where we do a lot of work with outside partner vendors and suppliers. That is heartening, because without some fundamental understanding of the issue and potential solutions, you can't get very far.

GM is right in the middle of this. Having a good identity system for customers, or at least their vehicles, lets GM dealers know the maintenance history for my Silverado pick-up even though I get it serviced at different locations from time to time. This is very similar to the medical records problem faced by IHC and other large health care providers. In the future, I hope that my vehicle maintenance history will also be available to the independent repair shop I like to use sometimes as well.

Of course, OnStar is one step further along the road of creating strong customer ties to GM and identity is at its core. Says Tony:

I think there is a greater understanding of where this fits architecturally in the whole scheme of things, how central identity is to enabling the infrastructure and applications of a company to really work. A personal story that illustrates this: I was recently at a meeting and rented a car with OnStar service. I was able to give them my OnStar account number while I was in this rental car. Later on, I called back in and they were able to save my route, give me an update on all of the services that I had requested, portable across cars. You could see the power of having an identity that you could transfer. On the same day, the opposite was also demonstrated. I was bumped off [an airline] and moved to [a different carrier.] Even though I have a frequent flyer account with an airline related to the second carrier, that carrier had no clue that I was a frequent flyer for their system.

I'm sure other large companies have clued into the fact that an identity infrastructure and an identity management strategy are key to their relationships with their employees, customers, and partners, but Tony Scott is putting GM's commitment to this idea very much in the public. Tony will be speaking on Thursday at this year's Digital ID World; I'm looking forward to hearing him again.

9:02 AM

September 9, 2003

2003 NASCIO Conference

Dave Fletcher is blogging the NASCIO conference. NASCIO is the National Association of State CIOs. I blogged the conference last year. David Brin was one of the keynotes this year. I wish I'd been there to hear it. Coincidentally, I was reading his book and blogging about it during last year's conference.

1:40 PM

Presence in the ER

Imagine that you're the CIO for a hospital. Like any CIO, one of the problems that you face is making sure people have access to the information they need to do their job. Another one of your problems is that you need to ensure that only the people who need to access a particular bit of information can. Unlike other CIOs, however, you have a big stick called HIPAA hanging over your head, forcing you to do it right (at least as defined by HIPAA). Here's a riddle for you: how do you manage the computer terminal in the ER? Doctors, nurses, and other workers need to access the records that are available on it. Yet it's preposterous to think that they'll log in and out for you every time they approach the terminal. Even so, you're responsible for creating an audit trail of access to each and every record.

One answer to this problem is presence---having the computer detect who has approached it and is currently clicking the keys. This is actually not that hard to do. By embedding a low-range ID device (like RFID) into the ID badge, and installing a detector at the workstation, the software can know what ID badge is around the neck of the person in front of the computer. Of course, that only works as long as good physical security is practiced and the work culture is supportive of good badge management practices. Still, it's better than not knowing at all and likely good enough for the problem at hand.
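Here is what the audit-trail side of that idea looks like in practice, as an added example that is not from the original post or any real hospital system. It assumes a badge reader at the terminal that is polled every few seconds and reports the badge ids in range, and a records application that logs each record access with a timestamp; the two streams are joined and every access that presence alone cannot pin on one person is flagged for review rather than silently attributed.

```python
"""Attribute ER terminal record accesses to the badge detected at the workstation.

Constructed example. A proximity reader at the terminal is polled periodically and
reports the set of badge ids currently in range; the records application logs each
record access with a timestamp. The audit trail joins the two streams and flags the
cases where presence alone cannot name a single person.
"""
from bisect import bisect_right
from dataclasses import dataclass

MAX_POLL_AGE = 10  # seconds; a reader report older than this is treated as stale


@dataclass(frozen=True)
class AuditEntry:
    time: int
    record: str
    status: str          # "attributed", "ambiguous", "no_badge" or "stale_reader"
    badges: tuple        # badge ids the access could belong to (empty if none)


def attribute_accesses(polls, accesses, max_age=MAX_POLL_AGE):
    """polls: list of (time, set_of_badge_ids) reported by the reader, any order.
    accesses: list of (time, record_id) logged by the records application.
    Returns one AuditEntry per access, in time order."""
    polls = sorted(polls, key=lambda p: p[0])
    poll_times = [t for t, _ in polls]
    entries = []
    for t, record in sorted(accesses):
        idx = bisect_right(poll_times, t) - 1   # latest poll at or before the access
        if idx < 0 or t - poll_times[idx] > max_age:
            # reader silent: physical-security assumption broken, cannot attribute
            entries.append(AuditEntry(t, record, "stale_reader", ()))
            continue
        present = tuple(sorted(polls[idx][1]))
        if not present:
            status = "no_badge"        # keyboard used with no badge in range
        elif len(present) == 1:
            status = "attributed"
        else:
            status = "ambiguous"       # two people at the terminal: presence cannot pick one
        entries.append(AuditEntry(t, record, status, present))
    return entries


def exceptions(entries):
    """Entries a compliance reviewer has to resolve by other means."""
    return [e for e in entries if e.status != "attributed"]


# Constructed sample streams (times in seconds since shift start).
SAMPLE_POLLS = [
    (0, {"badge-117"}),
    (5, {"badge-117"}),
    (10, {"badge-117", "badge-204"}),   # a second clinician walks up
    (15, {"badge-204"}),
    (20, set()),                        # terminal left unattended
    (25, set()),
]
SAMPLE_ACCESSES = [
    (3, "MRN-0001"),    # clearly badge-117
    (12, "MRN-0002"),   # two badges in range
    (21, "MRN-0003"),   # nobody detected but the keyboard was used
    (60, "MRN-0004"),   # reader has not reported for 35 s
]

if __name__ == "__main__":
    for entry in attribute_accesses(SAMPLE_POLLS, SAMPLE_ACCESSES):
        print(entry)
```

The three non-attributed statuses are exactly the gaps the paragraph warns about: the technique only holds up when badges stay on necks and the reader keeps reporting, so the audit trail should record that it could not decide rather than guess.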

12:08 PM

September 8, 2003

Web Based Enterprise Management

The Distributed Management Task Force is working to create desktop, enterprise and Internet management standards. Not surprisingly, their website gives a long list of members. Their Web site lists the following standards:

Common Information Model (CIM)
This is a common data model of an implementation-neutral schema for describing overall management information in a network/enterprise environment.

Desktop Management Interface (DMI)
These standards generate a standard framework for managing and tracking components in a desktop PC, notebook or server.

Directory Enabled Network Initiative (DEN)
The Directory Enabled Network (DEN) initiative is designed to provide building blocks for intelligent management by mapping concepts from CIM (such as systems, services and policies) to a directory, and integrating this information with other WBEM elements in the management infrastructure.

Web-Based Enterprise Management (WBEM)
This initiative is a set of management and Internet standard technologies developed to unify the management of enterprise computing environments.

Alert Standard Format (ASF)
This specification defines remote control and alerting interfaces that best serve clients' OS-absent environments.

System Management BIOS (SMBIOS)
The SMBIOS Specification addresses how motherboard and system vendors present management information about their products in a standard format by extending the BIOS interface on Intel architecture systems.

I was interested in WBEM. WBEM uses CIM as a common format for collecting and describing management data. Another component, called xmlCIM encodes the CIM data for transport as XML and then a mapping describes how to use HTTP for transport. CIM is a fairly general language for describing management objects. I found a great little tutorial on all this that made it easier to get a handle on the effort.

1:30 PM

Is This the End of Linux?

Connect Magazine, a regional business magazine where I have a monthly column, has a feature story this month called Is This the End of Linux? The article is not an apology for SCO and not a SCO-bash either. Overall, I think it does a good job of presenting SCO's arguments while raising some fair questions about how SCO operates. There's a good discussion of Canopy, the investment firm behind SCO. Ralph Yarrow, the head of Canopy, is quoted in the article:

"Dig into Canopy and you'll see we make much more money than we have in lawsuits. I'm in the business of growing tech companies, and if I need to litigate to protect them, I'll do that." Even if it means a rash of bad press, like the SCO case. "I've never worried about public image. I don't manage other people's money, we're self-perpetuating. Image has little impact, if any."

I don't buy this. One of the great tragedies of this whole thing is the damage that's being done to other Canopy companies---good companies that are unrelated to SCO but are feeling the weight of the bad press. I've talked to a number of friends who work for Canopy companies and they all feel it to one degree or another.

8:45 AM

September 6, 2003

Do-it-Yourself Web Services Management

Most Web services deployments have been rolled out without the help of big consultancies. The following companies offer the tools you need to get a handle on Web services management. [Full story at InfoWorld...]

I put this list of Web services intermediaries companies together as a companion to this article about IBM, EDS, and others offering Web services consulting: Consultancies Aim to Ease Web Services Woes.

I wrote earlier about this issue in Who's Afraid of Web Services?:

One way to mitigate issues surrounding changing standards, security, and complex deployments is to hire one of the large service companies, like IBM or Accenture, to deliver and manage your company's Web services. But what if your budget doesn't have room for a top-drawer services company? Should you just give up on Web services until all the issues get sorted out? Another route is to take advantage of a Web services intermediary such as Grand Central Communications or Confluent CORE. Web services intermediaries offer configurable services such as logging, auditing, monitoring, alerting, authentication, and authorization. Grand Central and Confluent CORE differ significantly in how they're deployed: Grand Central is a value-added network that you subscribe to for a monthly fee and Confluent Core is a software server that you buy, install, and operate. Both, however, can be used to connect external partners and customers to your Web services flexibly, securely, and reliably.

10:14 AM

September 5, 2003

Viruses and Worms

Today I ran across three good articles related to viruses and worms. I can't imagine why the sudden interest! Here they are:

In the San Francisco Chronicle, Mark Graff, chief cyber-security officer at Lawrence Livermore National Laboratory and author of a number of security books, says:

The attacks are going to come faster and faster, closer together. Eventually, as far as we're concerned, it will be one constant attack.

This is, of course, partly a response to the general difficulty of creating secure systems. There's much to worry about and companies would rather devote resources to core missions than they would to protection from threats. Still, Graff sees a cataclysmic future where we eventually get so sick of the situation that we're willing to put the resources in place to solve the problem.

This assumes that the problem has a solution. Some problems do not. In the late 80s, there was big news when it was proven (wish I could remember who did it) that general detection of a virus is equivalent to solving the halting problem, which is unsolvable. Now, the proof is part of every undergraduate Theory of Computation class. An article in New Scientist discusses the crisis in virus detection. Because you can't detect a virus in general, modern anti-virus technologies are based on signature detection of known viruses---pattern matching. This leads to a constant game of signature file updates, which in some cases might be worse than many of the viruses themselves.

Now for the bad news: in this article, Hewlett-Packard researcher Matthew Williamson reports that "even if a signature is available from the moment a virus is released, it cannot stop the virus spreading if it propagates fast enough." This, combined with Graff's predictions in the last article, is not good news. Williamson's answer is more adaptive software, but the price there is false positives. This is the same problem that we face on the SPAM front where people don't like false positives.
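To make Williamson's point concrete, here is a toy deterministic model added for this post (not Williamson's model and not from the articles). The signature exists at time zero in both runs; what differs is only how fast the worm spreads relative to how fast the signature reaches machines. All rates are assumptions chosen for illustration: a rollout that reaches 5% of the unprotected fleet per step, a scanning worm that compromises four hosts per infected host per step, and a worm that needs a user to click and manages 0.04.

```python
"""Toy mean-field model of a worm racing a signature rollout.

Constructed illustration, not a measured model. Fractions of the fleet are tracked
deterministically: s (susceptible), i (infected), p (protected: signature installed,
any infection cleaned). The signature is available from step 0 in every run; the only
thing that changes between runs is the worm's propagation rate.
"""


def simulate(beta, rollout, steps=200, i0=0.001):
    """beta: hosts each infected host compromises per step (assumed rate).
    rollout: fraction of not-yet-protected hosts that receive the signature per step.
    Returns (cumulative fraction ever infected, peak fraction infected at once)."""
    s, i, p = 1.0 - i0, i0, 0.0
    cumulative, peak = i0, i0
    for _ in range(steps):
        # the signature reaches a share of the unprotected machines; infected ones are cleaned
        s, i, p = s * (1 - rollout), i * (1 - rollout), p + rollout * (s + i)
        # homogeneous mixing: each contact lands on a susceptible host with probability s
        new = min(s, beta * i * s)
        s, i = s - new, i + new
        cumulative += new
        peak = max(peak, i)
    assert abs(s + i + p - 1.0) < 1e-9   # conservation check on the bookkeeping
    return cumulative, peak


def compare(rollout=0.05):
    """Same signature rollout, two worms: a scanning worm and one that needs a click."""
    return {
        "fast_worm": simulate(beta=4.0, rollout=rollout),
        "slow_worm": simulate(beta=0.04, rollout=rollout),
    }


if __name__ == "__main__":
    for name, (cum, peak) in compare().items():
        print(f"{name}: {cum:.1%} of hosts ever infected, peak {peak:.1%} at once")
```

Under these assumed rates the fast worm still reaches most of the fleet before the signature does, while the slow one is contained by the same rollout, which is why the adaptive, behaviour-based defenses Williamson argues for (with their false positives) enter the picture.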

Finally, this article from Wired Magazine reports some of the draconian steps college networks are taking to protect themselves from viruses and worms. To appreciate the job of being a CIO at a major university, imagine running a network for an organization that has 50,000 user IDs, 20% of which turn over every year, provides networking, file, print, and messaging services to those same users, many of whom bring their own machines with every conceivable OS make and version to your network and expect it to work. Your network also has to support thousands of different applications in support of projects which change every 4 months. You can't firewall your users or their machines off from the Internet, you can't turn them away, and your job is to support them in pursuit of their real goal: getting an education. Add to that mix 1000 or so CS students who are trying to break things on purpose as part of the educational process and it makes for an interesting place. As your bonus, you get weekly, maybe daily, calls from RIAA lawyers and others complaining about copyright violations, which by law you have to respond to. Amazingly enough, the ones I know still manage to keep smiling.

1:53 PM

September 4, 2003

Technology for Public Safety

One of the fun things about being the CIO for a state was interacting with the cops at Public Safety. They were great people and had a completely different outlook from your typical geek. It was frustrating sometimes though to see where technology could add tremendous value to what they did and not see it being employed. One such area was GIS. From Wired magazine comes another example of how tools that business takes for granted could be applied to police work with significant effect.

Cloudy, With a Chance of Theft by Wilpen Gorr is about using business intelligence and forecasting methodologies that are commonplace in business to forecast crime. He says:

[W]e found that the way to predict lawlessness is to identify and track leading indicators. Companies look at consumer spending data; meteorologists keep tabs on barometric pressure. In our case, we studied soft crimes such as mischief, disorderly conduct, and trespassing. An increase often precedes a rise in hard crimes like burglary and assault.

This isn't too surprising since that's essentially the technique Giuliani used in NYC to drive the crime rate down: hit hard on soft crimes and the hard crimes take care of themselves. This, according to the article, is like "a giant game of Whack-A-Mole." It's reactive rather than proactive. Being proactive frees up resources to do other things, like homeland security. Sounds like a better use of our tax dollars than just blindly hiring lots more police and blanketing the whole city.

2:12 PM

September 3, 2003

Principles of Loose Coupling

bLOGical has posted some Principles of Loosely Coupled APIs, which provides a table of distinctions between tightly coupled and loosely coupled architectures and references an excellent article by Bill de Hora on Foundations for Component and Service Models.

bLOGical's table, reproduced here, is one of the best one page descriptions of loose coupling I've seen. I've made a few additions of my own, in red.

                           Tight Coupling                 Loose Coupling
Interface                  Class and Methods              Fixed verbs (i.e. RESTian)
Messaging                  Procedure Call                 Document Passing
Typing                     Static                         Dynamic
Synchronization            Synchronous                    Asynchronous
References                 Named                          Queried
Ontology (Interpretation)  By Prior Agreement             Self Describing (On The Fly)
Schema                     First-order Grammar Based      Higher-order Pattern Based
Communication              Point to Point                 Pub & Sub/Multicast
Interaction                Direct                         Brokered
Evaluation (Sequencing)    Eager                          Lazy
Motivation                 Correctness, Efficiency        Adaptability, Interoperability
Behavior                   Planned                        Adaptive, Reactive
Coordination               Centrally Managed              Distributed
Contracts                  By Prior Agreements, Implicit  Self Describing, Explicit

I view this table as a continuum rather than a black or white distinction. A particular implementation might pick a feature from one column or the other, mix and match as it were, to get a desired result and the completed system will be more or less loosely coupled depending on which features are selected.

I should explain the change I made on Schemas in the table. I view Schemas in both styles being largely based on grammars, context-sensitive grammars to be precise. The question is more about what can you describe within the Schema and that's a question of what kind of predicate language you'll allow as your type system. For more details on this idea, you may want to look at Cardelli and Wegner's classic "Understanding Types".

The de Hora principles (with my commentary) are:

  1. Avoid changing or extending the interface methods. This corresponds to the "Interface" line in the table. HTTP is a perfect example of an interface with a small set of fixed verbs (i.e. GET).
  2. Control change by using a dictionary interface. Used when a fixed set of verbs won't cut it, a dictionary interface (Python example) provides a set of verbs for finding and executing the right method. This is akin to data-driven programming in the Lisp world.
  3. Calls should return documents not objects. The issue here is largely one of granularity. In a loosely coupled system, where latency is a real issue, getting back a pointer to an object isn't very useful.
  4. Avoid binary compatibility. Systems that require binary compatibility aren't loosely coupled since an upgrade on one end requires an upgrade on the other.
  5. Don't confuse an API with a contract. This emphasizes the difference between a protocol and an API. A protocol is a sequence of document exchanges that is required for compatibility. An API is more of a one-way, this is how we're doing things at the moment declaration.
  6. Version the contract. Versioning can be difficult to do. The task is made easier using intermediaries. If you don't version, you're back to the tightly coupled upgrade issue again.
  7. Don't build an API for data transfer. The point here is pretty simple: we already have an API (protocol) for data transfer. It's called HTTP. Don't invent another one. See my paper on service-oriented data architectures for more about this.

de Hora doesn't like a lot of things in Java very much. Reading it reminds me of Paul Graham's quip that "Object-oriented programming ... lets you accrete programs as a series of patches." There's a lot of truth to that.

10:06 AM

September 2, 2003

From Real Time to Deal Time

The Iteration Real-time Reporting Suite exemplifies how pure BI [Business Intelligence] is expanding. It does a number of useful things by adding real-time turnaround to data-warehouse reporting. Iteration's impressive interface allows those who haven't mastered reporting technology to craft deliverables through a familiar PowerPoint-style interface, which they're likely to already know.

The Iteration suite is a real-time business management tool. Unlike traditional data warehouse products that rely on a batch-oriented ETL (extract, transform, and load) cycle, Iteration processes and presents business data as a constantly updating stream of information. By making real-time feedback consoles available to data-rich enterprises, it aids in making quicker, better-informed decisions. [Full story at InfoWorld...]

I co-wrote this story with Jeff Angus and enjoyed the experience very much. Jeff is a seasoned writer and has some great insight into the Business Analytics and Intelligence space--a space where I'm just cutting my teeth. Jeff wrote a companion article called "Does BA beat BI?" that differentiates BA and BI.

Jeff compares BI to a rear-view mirror, great at telling you what happened. Analytics tries to add some gaming to the mix so you can play "what-if" scenarios. Iteration is an interesting tool in this regard since I think that rather than telling you what has happened, real-time BI products like Iteration have the ability to tell you what's happening now. I think this is a powerful shift. I was impressed with the product and possibilities it opens up to industries that depend on real-time information like manufacturing, transportation, and finance.

The online piece doesn't include the "How We Tested" box for some reason. Here's some information on that:

The Iteration suite consists of five different servers working in concert. In practice each of these could be installed on a separate server. In our test, we installed all of them on an HP ProLiant server with 1GB of memory and a single 2.2GHz Xeon processor. A typical production installation requires a minimum of a 4-way SMP server with 8GB of memory, but a single processor is sufficient for pilot tests and to observe and test the functionality. Iteration requires Windows 2000 with all of the latest updates and patches for the server as well as Internet Explorer 6.0 for the client, so the first thing we did after installing Windows 2000 was to download service pack 3 and 33 additional patches. You'll also need a relational database (we used MS SQL) and the .NET Framework.

The installation of the Iteration suite is fairly straightforward after the pre-requisites have been installed. There are surprisingly few configuration parameters or installation choices. The product relies on the integrated security feature in Windows for single sign-on support.

Iteration relies on being hooked up to real-time data feeds from back office systems, EAI systems, existing data stores, data warehouses, OLTP systems and the like. We didn't have any of that available to us. For testing purposes, Iteration supplies a program that creates a stream of data simulating multiple real-time data feeds. We used this in our testing. Our testing consisted of creating and using dataflow plans that processed and modified the data feeds, creating reports and alerts and using the client to view and manage them over various scenarios.

11:28 AM

Bungle in the Jungle: Wireless VoIP in Laos

I use Vonage for one of the phone lines in my home and run it over the service I get from my WISP (wireless internet service provider). Some have written me asking how well that works. The answer is "not very well." The problem is my wireless connection. Right now, I get between 20-30% packet loss when the connection works. That doesn't make for a good phone call. Since there's no QoS, downloading a large file can make a cell phone seem like a dream connection. I'm hoping to get my wireless connection fixed soon and I'll let you know how that changes things. Meanwhile, I found a great article about an engineer using Wi-Fi and VoIP to provide voice circuits in the jungle.

Mike Burns was asked to provide voice and data services to a gold-mining operation in the middle of a Laotian jungle. The problem was that wires, buried or overhead, weren't an option. The solution was a Wi-Fi connection. Burns used router-based QoS to make things work.

The article also talks about two VoIP over Wi-Fi solutions deployed at Mercy Medical Center in Roseburg, Ore and the University of Southern California University Hospital (USCUH) in Los Angeles. In these instances, giving medical staff mobile voice communications was the goal. The Mercy installation uses Vocera devices like the one shown on the right. Mercy also plans to deploy tablet PCs to their nursing staff, giving the Wi-Fi network the chance to carry data.

Convergence is just a fancy way of saying "do more with less" because convergence allows one device or infrastructure to do a job that required two or more before. It's the chief cornerstone of the computing age--general purpose computers are convergence machines. I've written about understanding the total cost of ownership for Wi-Fi, but haven't dealt much with the other side of that inequality: benefit. The move toward developing Wi-Fi standards such as 802.11i and 802.11e, which will better support QoS, and thus VoIP, will enable convergence. This is crucial to increasing the benefit of Wi-Fi to organizations so that they see it as a "must-have" technology rather than merely a convenience.

8:28 AM

September 1, 2003

Asian Powerhouses Threaten to Boot Bill

Reuters reports that Japan, South Korea, and China are likely to develop a new operating system as an alternative to Windows. The proposal was made by Japanese Trade Minister Takeo Hiranuma at an economic summit in Cambodia.

The article says it's likely that the three governments will develop the new OS on top of Linux. I hope so. It would be silly for them to not take advantage of the work that's been done in the open source community already. Besides, without a development community like the one offered by Linux, they're likely to end up with the same problems they're trying to escape: a virus-prone, closed and proprietary system.

8:11 AM