
October 30, 2003

Connecting Stateful Session Beans and JSPs

Note: This example has been updated. See this essay on connecting stateful session beans for the most recent description.

In my class on large-scale distributed systems, we've been talking about Enterprise JavaBeans (EJBs). The question at this point (since they're starting on their project) is how to implement a system so that session state is maintained across multiple JSP pages and inside an associated stateful session bean. Since I've not been able to find many great examples that show how to put it all together, I wrote one today and I thought I'd share it here.

Here's the problem setup. You want to create a web application using JSPs and stateful session beans so that a user can browse multiple screens, making selections from each screen, and when finished, use all of that information to perform some calculation. Obviously a shopping cart is a perfect example of this pattern, as are things like selecting classes from a course catalog, reserving seats to a sporting event, and so on. It's easy to see how to implement a stateful session bean (SSB) to do this, but how do you tie the JSP pages to the SSB and maintain context? The answer is a JavaBean on the servlet engine (I call this the ClientBean) that the JSPs can use to maintain their state in between invocations. The ClientBean also maintains the reference to the SSB on the EJB container.

The picture to the right shows the simple example I wrote to illustrate the technique. The example uses XDoclet to deploy on JBoss. The example has four JSP pages. The first one is a form where the user submits an integer. The second is a form where the user submits a second integer. The third is a form where the user submits two more integers. The final JSP displays the sum. The ClientBean creates the SSB in the container and stores a reference to its remote interface when the ClientBean is initialized. Then, as each JSP is loaded and the parameters processed, the accessor functions (setters) in the ClientBean store the form inputs into the SSB. The final JSP calls the process function on the ClientBean, which merely invokes the business logic in the SSB and returns the result.

The SSB in this example is obviously contrived, but it illustrates the idea. In real life, the SSB could be using entity beans to update the database and process complex business logic. Also, it's not always the case that the ClientBean acts so neatly as a mere servlet-side proxy for the SSB in the container; this example is merely meant to display the general technique. The data being passed around in this case is fairly simple (integers). For more complex data, you'd want to use the data transfer object pattern to avoid multiple remote calls.

Note that the overall session state is maintained through the cooperation of multiple entities. The container keeps the SSB around until it's removed (or times out) because it's declared to be "stateful." The ClientBean sticks around because it was created in a JSP with its scope set to "session." Because the ClientBean persists, the reference it holds back to the SSB can be used to keep hold of the state stored there. Each JSP accesses that state through the ClientBean. It's a complex dance, but the end result works.
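Here is an added illustration of the JSP, ClientBean and SSB arrangement described above. It is not the post's own code (the post's example was deployed with XDoclet on JBoss and is not reproduced here); it is written against the EJB 2.x-style remote, home and bean-class interfaces, and the `Adder`/`AdderHome`/`AdderBean` type names and the JNDI name `ejb/Adder` are placeholders chosen for this example. Two details go a little beyond the post: the ClientBean validates the form parameters before forwarding them, and it implements `HttpSessionBindingListener` so that the SSB is removed when the HTTP session ends rather than sitting in the container until its own timeout.

```java
// Added illustration of the JSP -> ClientBean -> SSB pattern described in the post; this is
// not the post's own code. It assumes EJB 2.x-style interfaces, a JNDI name "ejb/Adder" for
// the home interface, and the Adder* type names, all of which are placeholders chosen here.
import java.rmi.RemoteException;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;
import javax.ejb.EJBObject;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Remote interface of the stateful session bean: it holds the four integers and sums them. */
interface Adder extends EJBObject {
    void setA(int a) throws RemoteException;
    void setB(int b) throws RemoteException;
    void setC(int c) throws RemoteException;
    void setD(int d) throws RemoteException;
    int sum() throws RemoteException;
}

/** Home interface; each create() gives one client its own bean instance. */
interface AdderHome extends EJBHome {
    Adder create() throws CreateException, RemoteException;
}

/** Bean class. The fields survive between calls only because the bean is deployed as stateful. */
class AdderBean implements SessionBean {
    private int a, b, c, d;
    public void ejbCreate() {}                 // matches AdderHome.create()
    public void setA(int a) { this.a = a; }
    public void setB(int b) { this.b = b; }
    public void setC(int c) { this.c = c; }
    public void setD(int d) { this.d = d; }
    public int sum() { return a + b + c + d; } // the "business logic"
    // Container callbacks required by the SessionBean contract
    public void setSessionContext(SessionContext ctx) {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}

/**
 * Session-scoped JavaBean on the servlet side. It creates the SSB once, forwards each form
 * input to it, and removes it when the HTTP session ends so the container is not left holding
 * the bean (and its state) until the SSB timeout.
 */
public class ClientBean implements HttpSessionBindingListener {
    private Adder adder;

    public ClientBean() {
        try {
            Object ref = new InitialContext().lookup("ejb/Adder");   // assumed JNDI name
            AdderHome home = (AdderHome) PortableRemoteObject.narrow(ref, AdderHome.class);
            adder = home.create();
        } catch (Exception e) {
            throw new RuntimeException("cannot create Adder session bean", e);
        }
    }

    /** Form parameters arrive as strings; reject missing or non-numeric input before it reaches the SSB. */
    private static int parse(String raw) {
        if (raw == null) throw new IllegalArgumentException("missing form parameter");
        return Integer.parseInt(raw.trim());   // NumberFormatException for junk
    }

    public void setA(String raw) throws RemoteException { adder.setA(parse(raw)); }
    public void setB(String raw) throws RemoteException { adder.setB(parse(raw)); }
    public void setC(String raw) throws RemoteException { adder.setC(parse(raw)); }
    public void setD(String raw) throws RemoteException { adder.setD(parse(raw)); }

    /** Called from the final JSP; the ClientBean just delegates to the SSB. */
    public int process() throws RemoteException { return adder.sum(); }

    public void valueBound(HttpSessionBindingEvent e) {}

    /** Session invalidated or timed out: release the SSB so its state is not kept around. */
    public void valueUnbound(HttpSessionBindingEvent e) {
        try { if (adder != null) adder.remove(); } catch (Exception ignored) { /* already gone */ }
        adder = null;
    }
}

// Each JSP declares the same session-scoped bean, so all four pages share one ClientBean and
// therefore one SSB. For the first page, with a form field named "a":
//   <jsp:useBean id="client" class="ClientBean" scope="session"/>
//   <% client.setA(request.getParameter("a")); %>
// The last page renders <%= client.process() %>.
```

The `jsp:useBean` tag with `scope="session"` is what makes the same ClientBean instance visible to all four pages; the servlet engine stores it in the HTTP session, and the remote reference inside it is what keeps the particular SSB instance reachable. Tying removal of the SSB to session expiry keeps the number of live stateful beans bounded by the number of live HTTP sessions rather than by the container's own timeout.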

9:55 PM

October 29, 2003

Make Sure You're Playing the Right Game

Chess and poker are perfect analogies for the competing interests in deciding how and where to be transparent. In chess, the state of the game is transparent. Each player can see the current state of the game and plan their strategy, and try to deduce their opponent's strategy, from that state and the actions taken to get there. In poker, the current state is a secret, or at least mostly secret. You can't bluff in chess the way you can in poker.

Most geeks play better chess than poker, metaphorically at least. IETF and other organizations work on the basis of compelling ideas and working code. We like to believe that if everyone just has the right facts, good decisions will follow. I hear variations on this theme whenever I talk to techies about public policy issues.

This is one of the biggest problems I had when I was Utah State CIO: I thought we were playing chess when in fact we were playing poker. It's actually worse than poker: at least in poker, everyone has the same goal. In government everyone has a different goal and their actions often look irrational because you don't understand their motivation. I've spent years studying the actions of some people there and still can't deduce their motive. And yes, I've flat out asked them. They just look all wide-eyed and innocent and say "I have no motives of my own; I just do my job."

In an environment like that, it's difficult to make progress through an appeal to rationality and facts. It's often the bluffing and the behind-the-scenes maneuvering that makes the most difference. The winners frequently have no facts at all. They'd lose a chess game hands down, but they're very good poker players.

4:39 PM

It's Like Windows, But It Sucks Less

Jon Kale has an amusing and interesting post on the first day of Microsoft's PDC. One of the most interesting things is his description of Allchin (MS Group VP for Platforms) editing code live in front of the 7000 member audience. That's the way it ought to be.

2:25 PM

October 28, 2003

Organizational Blogging

I got an email from Thomas Burg in Austria asking for any hints on introducing blogging to an IT organization. Here's what I told him:

  1. Don't do it if you're not prepared, as an organization, to speak the truth. Blogging promotes, but also requires to some extent, a culture of candor.
  2. Start small.
  3. You need an organizational leader to set an example.
  4. Set up the infrastructure, buy licenses, etc. early and make it easy for people to get started. I bought Radio licenses for everyone. You could choose Movable Type as well, but I think Radio has some definite advantages: (a) it includes hosting that's outside the organization and (b) it brings a sense of user ownership since it lives on the desktop.
  5. Set a few guidelines (to show you've thought about them) but don't set too many since they will stifle people's creativity.
  6. Create an aggregator that reads the RSS feeds from the various blogs and presents them for people who don't use blogs and aggregators. Point at it and reference it whenever you can to drive traffic to the information in the blogs.
  7. Enable comments to encourage participation through feedback and interaction from those who don't write blogs.
  8. Be prepared for some people to be very threatened and offended when you speak the truth. Be proactive in preparing the people who they'll complain to so that they understand what you're doing and what the goals are.
  9. Pick out two or three people who like to write and give them special encouragement to get their blogs going. Meet with them often and form a "support group" of sorts to get things going.

Not all of these will work for everyone, but the advice is hard won. These are things I did that worked or things I wish I'd done. If you'd like to talk with me about doing this in your particular situation, send me an email, or comment below.

6:18 PM

Serendipitous Flexibility

I got a lesson today in how loose coupling provides flexibility to applications in the face of change. Interestingly enough, I got the lesson from myself. As I've reported, I moved www.windley.com to a new server last Saturday. One of the things on my TODO list was to "fix" my newsletter since I was sure it was broken.

My newsletter is created from a special RSS feed on my blog. I created a category in Radio called "newsletter" and set it up so that it doesn't generate HTML, just RSS. Whenever I write an article on my blog that I want in my newsletter, I just check the "newsletter" category. The newsletter process is run from a cron job three times a week. It parses the RSS and turns it into a nicely formatted text file which automatically gets sent to the mailing list.

I had put "fix newsletter" on my TODO list since I was sure that moving my blog to its new home and leaving the newsletter process on the old server had broken it. Much to my surprise, when I read mail this morning, there was Monday's newsletter. It worked because the newsletter process reads the RSS feed over the network using a URL. It doesn't care where the RSS file lives as long as it can get it over the net.

"So what," you may be saying, "that's how it should work." To which I say, "yes, provided you've done things right." I can just as easily imagine that I would have simply grabbed the file from the file system, since the program and the file it needs were both on the same machine. The result would have been a tight coupling. I called this "serendipitous" flexibility since I can't claim I thought of it ahead of time. It's a perfect, if simple, example of how following some simple guidelines results in more flexibility and agility.

6:08 PM

October 27, 2003

If You're Going to be Naked, You'd Better Be Buff

Regular readers will know that transparency is a favorite topic of mine. One of the chief benefits of eGovernment is transparent access to information about what government does. In an IT organization, transparency makes happy customers: there's no place inside a healthy organization for hiding information about rates, project status, or operational metrics. IT customers should have ready access to all that information. Now, Don Tapscott and David Ticoll have written a book which deals with transparency in the larger organization called The Naked Corporation: How the Age of Transparency Will Revolutionize Business. The book was the subject of a recent article in CIO Insight. Here are a few highlights:

Tapscott says that "it's staggering to think that companies, when it comes to disclosure of various classes of information, pretty much just wing it. Few have a strategy for figuring out what should be disclosed and under what conditions." He offers some specific advice for companies in an increasingly transparent business climate:

  • Abide by basic values in all operations. Tell the truth, abide by commitments, consider the interest of all stakeholders, be candid about shortcomings and challenges. Make sure that business integrity drives every aspect of company operations.
  • Deliver the right value to each group of stakeholders.
  • Understand the promise and peril of transparency and manage it continuously. Don't just try to spin and execute PR strategies when a problem occurs. Develop a proactive approach to communicating the values of the company in the face of challenges.

The article has a section entitled "Blogs and Martyrs" but it doesn't deal extensively with the idea of weblogs other than to mention that "stakeholder webs" can use them to bring public scrutiny to bear. I'd have liked to see more about how employee blogs can be a human voice for the company and provide positive results through transparency. In general, as you'd expect from the quote I give above, the tone is defensive: how to protect yourself from too much unwanted disclosure rather than proactive. Maybe the book is different.

One of the things I've been contemplating is how the intersection of several recent trends drives the move to corporate transparency. Here's the argument in brief:

Initiatives like Sarbanes-Oxley are requiring corporations to report more and more material information to shareholders.

Accounting data is not enough. In the past, when capital was the most important thing, accounting data ruled supreme, but what about today's corporation, where the quality of your technical operations or the knowledge tied up in your employees' heads is your competitive advantage? Does mere accounting data tell the whole picture of the company and its operations?

Right now, I get basically the same accounting information that a shareholder of Ford or GM saw in 1970. Yet, corporations are increasingly turning to digital dashboards and similar systems to provide business intelligence to managers because they know that the accounting data isn't enough. As a shareholder, I'd like to see some of that information when judging the health of a company. I'm sure that this would cause some significant angst among corporate executives, but I think that's where we're headed.

The article concludes with a discussion of the CIO's role. Just as eGovernment is about providing transparent access to government, corporate IT systems will increasingly be driven by policies and decisions regarding what information to disclose to whom. This is the essence of digital identity and is just one more example where traditional "secure perimeter" approaches to information security are becoming increasingly inadequate.

3:41 PM

Upgrade to Panther

This was the weekend of moves and upgrades. In addition to moving my weblog to its new server, I also got Panther, the newest version of Apple's OS X, in the mail on Friday. I waited a little while to see what the forums were saying about the upgrade process and then went ahead and installed it on my TiBook. Here's what I did:

  • Backed up /Users, /Library, and /Applications, just in case. All of your user data, including address book entries, mail (if you use the Apple Mail client, at least), etc. are in your /Users/$user_name/Library folder. I backed up /Library and /Applications to preserve properties and so on in case of a disaster.
  • Ran the installation, choosing the upgrade option. I was originally planning on doing an archive and install, but decided an upgrade would work as well. I usually like to do clean installs, but that seemed too much bother, especially in light of the fact that I'm traveling this week and didn't want to keep finding things I needed when I was away from home. If the upgrade doesn't work well, I'll do a clean install later.

I backed up to an SMB-mounted disk over my home network by just making compressed tarballs of the directories. Even with compression, I had about 17 GB of data to back up, so it took a while. The installation proceeded smoothly, and about 45 minutes after starting the installation I had an upgraded machine.

Here are my first impressions and bug reports:

  • Exposé ROCKS! If you haven't heard of Exposé, it's the new addition to the GUI that lets you see all of your windows at once. If you work with lots of open windows, as I do, you'll love how it lets you see where everything is and then lets you select which you want on top. The effect reminds me of the computer GUI in "Minority Report" a little bit. This is one of the coolest GUI innovations I've seen in a long time. I'd upgrade just for Exposé.
  • Mail, iCal, and the Address book seem snappier and I don't see the "wait" cursor nearly as much as I used to. I tried the new message threading feature in Mail and turned it back off. It may take some getting used to.
  • Startup items are now listed under the user accounts preferences to give each user their own custom environment.
  • A few things didn't work in 10.3. The two I've found so far are uControl, a utility for swapping the CAPSLOCK and Control keys, and CopyPaste-X, a utility which makes the clipboard into a stack (very handy in blogging). uControl simply doesn't work (yet) with 10.3. CopyPaste-X made my lowercase "c" key not work for some reason.

That's it for now. A painless and simple upgrade that pretty much left the rest of the machine alone. I'll write additional reports as I gain more experience.

8:08 AM

October 25, 2003

A New Home for Windley's Enterprise Computing Weblog

I've slowly been moving services that I used to host at Verio over to my co-located server. This weekend, I'm moving www.windley.com and this blog to the new machine. If you're seeing this message, then you're seeing the new digs. I'd appreciate any bug reports.

The new machine is hosted by Fibernet, a local ISP and hosting company run by my friends Lane and Lee Livingston. I've got a lot of respect for them because they've been around since the beginning and they've survived in the boom times and the lean times. While others are struggling, they recently built and moved into a new building. In addition to co-location, they also offer DSL, shared hosting, wireless, and T1s.

12:05 PM

October 23, 2003

Dan Farber on DIDW and PingID

Dan Farber was at Digital ID World and has written up a great article for ZDNet's TechUpdate. I didn't get to meet Dan at DIDW; I wish I had. Dan highlights three things from DIDW: Tony Scott's keynote, the discussions of federation, and PingID, and manages to tie them together nicely in a discussion of PingID and its mission (disclosure: I'm on the PingID advisory board).

One of Tony Scott's main points was that the technology to federate is the easy part, the hard part is issues like organizational trust, scenario planning, regulations, changing usage patterns, and how to split up costs. These are the kinds of issues that PingID tries to tackle: those above the basic pipes and protocols. Quoting Dan:

The company has developed the PingID Network, a member-owned, technology-neutral identity network that provides businesses with a legal and business framework to smooth the process of developing contracts between partners. While all the promises of transparent access, legal safety zones and privacy protection from the various standards and practices aspirants sound a bit idealistic, PingID takes its cue from a well-known and successful networked partner infrastructure: the ATM banking system. As ATMs grew more popular, banks interconnected systems regionally to provide customer convenience. The next step was to extend the partner network more globally. It became unmanageable for banks to individually or even regionally negotiate ATM partner relationships. The problem was resolved by creating a third-party network of national and international ATMs guided by a set of common operating rules and legal covenants, such as standardized procedures, risk management, dispute resolution and mutual confidence parameters. According to Durand, Ping Identity has defined shared services as well as common legal agreements, liability shifts and limits, participation requirements and dispute resolution procedures. Basically it's a template for creating a trust network based on the emerging Web services standards.

People have a tough time getting their arms around what PingID is doing at first. The best way I can describe it is to think of the world of credit cards before Visa and Mastercard. You pretty much could only use a credit card at the set of merchants who used the same bank you did. Visa and Mastercard hook up various banks in a network and deal with the interorganizational issues (at this point by fiat). The end result is that I can use a credit card from one bank at a merchant who uses another, and Visa and Mastercard take care of bringing them together for a real-time transaction. These same issues and islands of identity federation will exist in the world of digital identity, and someone needs to hook them together in a network. Can PingID succeed at this? Andre likes to say this is a 5-10 year process and I think he's right. Even so, I see the need, and PingID has some good momentum and, as of last week, funding.

8:08 AM

October 22, 2003

Long Road, Large Gains for Identity Management

Tom King is CISO at Lehman Brothers Holdings. He had a simple idea: rather than build authentication into each application, they would build a central identity, provisioning and authentication system. Three years later, he's still working on the project. Before he could implement his idea, he first had to create a single repository of identity information in the company. Why go to the trouble? Read the following paragraph from the CIO magazine article where Tom's story is told:

So why bother with identity management at all? Because the returns can be impressive. According to a survey of more than 7,500 top IT execs cosponsored by CIO and PricewaterhouseCoopers, the top two strategic security initiatives for CIOs during the next year are to block unauthorized access to systems and to monitor systems activity. Identity management systems can help you do both. They also let CIOs provide new employees with almost immediate access to the applications they need (and take away access from former employees just as quickly). And since authentication (you are who you claim) and authorization (you're allowed to do what you're trying to do) occur at one location, employees can access all their applications with a single user name and password, a move that can dramatically cut down help desk calls.

NerveWire found that 38% of the 145 companies it surveyed expected an ROI of as much as five times on their identity management investment, and another 10 percent expected even higher returns. In an age where ROI is the king of the hill, it's no wonder that CIOs are tackling these projects, even if they are long term.

Of course, identity management projects can get hung up and suffer from scope creep just like any other IT project. I think there are some keys to making sure this doesn't happen:

  1. Realize that identity management isn't a product you can buy from a vendor. It's a process that you have to create inside your business. This is about business goals, not just security or authorization.
  2. With that in mind, do the enterprise architecture work around the identity management piece. By that, I mean that you need to work out governance, business needs, standards for interoperability, and infrastructure requirements.
  3. Structure the project as multiple small projects. The first step is probably building a single master directory. The second should probably be password self-service since there's a huge ROI there for most organizations.
  4. Require new projects to use the identity infrastructure and add onto it as needed. Bring legacy applications on board as it makes sense from a feature/functionality standpoint.

I should be very clear about the third point. If the only thing you want is the ROI on password self-service, that's an easier project than a complete identity management project. You can do it as part of an identity management project, however, and bank the ROI gains to help defray the cost of the identity infrastructure.

The gains in this kind of project are often soft: better agility and increased alignment with business objectives. You should take ROI anywhere you can, but don't expect this to be a cold, hard numbers kind of decision.

8:24 AM

Digital Identity is Not an Emerging Technology

I proposed doing a tutorial on digital identity management protocols (SAML, SPML, XACML, WS-Security, etc.) at the O'Reilly Emerging Tech conference next year. Just got notice that they didn't accept the proposal. I was planning on doing an expanded version of the tutorial I did at DIDW, but with more meat concerning the protocols and their implementation. I guess digital identity is not cutting edge enough for ETCon? Go figure.

8:08 AM

October 21, 2003

Salt Lake Public Library

I'm sitting at the Salt Lake library in between a couple of meetings. Since the last time I was here, they've installed free Wi-Fi courtesy of XMission. I took some pictures of the library and its rather dramatic architecture earlier this year and they've become a popular attraction on my blog. They show up third in a Google search for "salt lake public library". One of the things I've discovered about blogging is that it's hard to predict why people visit your blog. You can try to build a body of material that will attract a readership, but then your pictures of the library turn out to be the thing people really want to see. Go figure.

9:23 AM

Closing the XML Security Gap

If you use a firewall as part of your network security strategy, you might be feeling smug, thinking that you've closed access to thousands of ports and vulnerabilities. What you may not realize is that your firewall is most likely blithely passing XML through port 80, the Web's default port. ... But there is hope for application security in the form of XML firewalls. These devices sit behind a traditional firewall and monitor traffic on port 80 and any other ports you select. They pick through the contents of the XML packets, looking for potential trouble and taking action when trouble is found. [Full story at InfoWorld...]

I had a good time working on this story about three XML security appliances, commonly called "XML firewalls." As the article goes on to say, I did have my favorite, but they all were very able devices. The crucial difference between the products was the view their developers took of how an XML firewall ought to work. The Sentry seems the most like a traditional firewall, while the Reactivity product was more like the Web services intermediaries I've been reviewing.

I did my testing at KeyLabs (see photo at right). I could have accommodated the appliances in my home lab (such as it is), but it was nice to have some support on DNS, power, etc. and room to spread out. Performance testing of the appliances was outside of the scope of my testing, but we did a pretty thorough feature and functionality test.

If I were running a business today and thought my digital assets were valuable enough to buy a regular firewall for security, I'd definitely go the next step and buy an XML firewall to sit behind it and monitor my HTTP traffic. Even businesses that aren't using Web services or XML are susceptible to XML attacks.

Beyond that, I think there are some pretty interesting things you could do with these boxes. They make managing encryption and digital signature tasks on XML a snap. They're extremely configurable XML processing engines, and that alone makes them fun little toys. The DataPower box, for example, is programmed using XSL stylesheets, and the hardware-based XML processing engine makes XSL transformations fast. One or two of these boxes and a lab full of grad students is a recipe for fun.

9:11 AM

October 20, 2003

Redesigned Utah Legislature Page

The Utah Legislature's Web site has undergone a redesign. I like it. The new look is clean and functional and there are high-profile links to the things people will want the most. They are even using le.utah.gov as the URL instead of le.state.ut.us! (You wouldn't believe the flak I took from the Legislature over the move to utah.gov.) And in a fit of foresight, legislature.utah.gov redirects to the same place. Very nice. My favorite part is the "What's happening today" box at the bottom of the page and the associated link out to a calendar of events. I just wish it had an RSS feed to go with it.

2:23 PM

Open Source Business Conference

You've seen open source conferences and conventions. Maybe you've been to a few. They're interesting and exciting, but they rarely focus on what most businesses want to know: how do I make money if I open up the source code? Now there's a conference that answers that question.

Matt Asay, a good friend of mine and one of Utah's most active open source proponents, is putting together a conference called the Open Source Business Conference (March 17-18). Matt has a knack for bringing people together; he's the founder and host of Utah's largest monthly meeting of entrepreneurs and venture capitalists, the Genus Breakfast. The list of speakers is impressive and I'm confident it's going to be a great show.

11:12 AM

More on Massachusetts Moves to Open Source

I wrote about Massachusetts moving to OSS a few weeks ago. This AP story has more information. According to the article, the Microsoft-led industry group Initiative for Software Choice has tracked 70 different open-source preference proposals in 24 countries.

8:36 AM

So Far, Participatory Democracy for Democrats Only

Esther Dyson wrote a piece for the New York Times last week called Power in Participation about some recent trends in politics involving the Web and blogs. She mentions MeetUp.com, a Web site that helps organize physical meetings. When I looked at MeetUp my first thought was "I can't believe it's taken us this long to create a Web site that does this." MeetUp is well done and has active groups in many different categories. It's also been discovered by the politicos, as Esther points out:

Meetup was recently discovered by the Democrats, most famously and effectively by Howard Dean. About 40,000 Dean supporters "met up" face-to-face in 740 locations all over the country, and -- to the professional politicians' surprise -- they've helped donate more than $25 million. Also, the campaign has organized its supporters at Meetups to write tens of thousands of letters to undecided voters, asking not for money but for support.

She also points out the use of Web sites by the Dean campaign:

Meanwhile, campaign organizations for Dean and other candidates have discovered the world of political blogging, in which both campaigners and their supporters publish online journals, or Weblogs. The bloggers comment, pontificate and argue among themselves. The candidates -- or their blogwriters, today's version of the speechwriter -- record their thoughts and adventures on the campaign trail. One result is excitement: Voters are getting involved and energized. They are engaging in face-to-face discussions with their neighbors -- often people they've never met before. And they are publishing their views, adding to the political discourse without the gatekeeping of newspaper editorial boards or campaign "messaging."

As I went out and looked at MeetUp.com and political blogs, I was struck by the fact that I don't see much participation by Republicans. I wonder why that is. Maybe it's because the incumbent president is a Republican and so there's not as much energy in the campaign right now. I should note that George W. Bush does have a blog and is using RSS for its newsfeed, but neither of these is what you would call a grassroots effort.

One thing I noticed while working my precinct as a delegate was the pitiful lack of any significant use of IT in managing the process. If you're a techie and want to make a difference in a campaign or in your local party, there's plenty of low-hanging fruit. Now, getting in the door and not having them just shuffle you to the back room to staple signs on sticks will be a trick. You'll have to work pretty hard, especially in smaller campaigns, to find someone who will understand the value of what you're bringing to the table. I think it's high time that every campaign caught a clue from the private sector and even government and got a CIO-like figure who could advise the campaign manager and candidate on how IT could be used to add value to the campaign. Even simple things like suggesting the use of MeetUp.com and similar sites would be valuable.

8:22 AM

October 17, 2003

DIDW: Doc Searls Endnote

There's now a tradition that Doc closes out Digital ID World. It's a good conference strategy: I stuck around to hear Doc even though the desire to get into the sky and home is pretty strong. I'm glad I did. I can't possibly do justice to a Doc Searls presentation, but here are some thoughts I had while I was listening.

Doc is speaking on the topic of "Myidentity, Ouridentity, Theiridentity," Andre's three-tier hierarchy of identity domains, and tying it into ClueTrain ideas. While he's been here, he created a vocabulary of identity buzzwords for his Buzzphraser application. Here are some identity phrases it created for me:

  • Properly Concerned Authorization Platform
  • Eventually Well-integrated ID APIs
  • Independently Hardened Disclosure Quagmire
  • Fiduciarily Influential Identifier Platform
  • Eventually Several Burden Tree
  • Inherently Productive Dispute Functionalities
  • Properly Related Access Proliferation

I'll be using this frequently in my consulting practice!

Doc talks about how our relationships with the tier-2 identity owners are very narrow. For example, I have a very narrow identity relationship with my credit card company. He shows the membership of Liberty Alliance and says it's "scary." Does federated identity get us to broad, rich relationships?

What do we do with networked customers? We embrace if we're big, we enable if we're small. The answer is easy: think about what customers want:

  • Anytime
  • Anywhere
  • In the networked world

Welcome relationships initiated by the customer. Let customers link to each other. Let suppliers link to each other. Can RSS and SMS help here? Imagine if by some really simple syndicated method we could express our desires and feedback to companies in a personalized way. As people have new ways to express demand, mass advertising could die due to its inherent inefficiencies.

Google advertising is an example of this kind of personalized demand and supply. Google needs competition for our attention. Don't boil the ocean---just do some simple things.

11:52 AM

Salt Lake County Recorder Web Site Get and Public Access

eGovernment is largely about public access to information. What does that say, then, about making web sites as widely accessible as you possibly can? I think eGovernment Web sites have an obligation to be as accessible as possible. In this category, I have to give the Salt Lake County Recorder's Office a grade of "F". Here's what I saw when I went to their Web site:

I sympathize with web site developers who want to offer some neat functionality that's browser specific, but I think it's decidedly broken to offer public services only to people who use a particular kind of browser, computer, etc. This site simply can't be compliant with Section 508 or the Americans with Disabilities Act. I've got a lot of respect for Gary Ott and I think he's clearly clueful about many of the public records issues that eGovernment is raising, but I'm disappointed in this.

10:58 AM

DIDW: The Identity of Things

This morning's opening session was a panel moderated by Esther Dyson on the Identity of Things. The debate naturally moved to what it means for all of the things I buy to be individually identified. Who manages the relationships? Me? Others? A near-term example that can shed light on some of the questions is SpeedPass, the RFID devices that are being distributed in urban areas to charge tolls to cars as they speed by rather than making the cars stop and pay the toll. These can, of course, be used to track the vehicle in other places as well, and some people are concerned about the "big brother" aspects.

The question I have is, does anyone care? Now that's asked somewhat tongue in cheek since the debate that occurred today in Denver indicates that there are people who care. Even so, consumers have shown their ever increasing willingness to give Albertson's just about any information Albertson's might want to collect in order to save $0.50 on a six-pack of Coke. I think if you tell people that they can have a suitcase that tells you what you're missing after you pack it (based on RFID tags on the clothing), they'll jump for it. Sure, there will be some local news stories about how scary this is and some people will spend lots of money removing the tags or buying devices to kill them, but most people just won't care.

Got an opinion? Share it below.

10:37 AM

October 16, 2003

Details on the Vonage Ruling

The judge who vacated the Minnesota Public Services Commission regulations concerning Vonage earlier in the week issued more detailed comments and rationale today. In a Washington Post article the judge is quoted:

State regulation would effectively decimate Congress's mandate that the Internet remain unfettered by regulation. The court therefore grants Vonage's request for injunctive relief.

I haven't found the actual ruling yet to link to. The MPSC has not said whether they'll appeal or not, but I think it's a foregone conclusion that they will.

The real issue in my mind is this. If I had brought the Cisco ATA186 that Vonage gave me to my hotel in Colorado, it would work. I'd be using an 801 number, but with number portability, I think we'll see the tie between numbers and geography disappear over time. It's just a billing question now. I'd be using networks in Colorado to talk to a switch in New Jersey. Which gateway I use depends on who I call or who calls me. So why does Utah have a stake in regulating that transaction?

6:02 PM

DIDW: Personal Area Networks

While I was chatting with Andre and Doc today, Andre mentioned something that I liked: a personal area network. Your personal area network is the group of folks in your buddy list. This is an incredible resource that no one has really tapped. People who use instant messaging have taken the time to indicate the people that they consider their friends, and right now all it's used for is chatting and presence. There's got to be other things that we could do with it. This comment happened in the context of a larger conversation with Simon Grice, the founder of Midentity. Midentity is a pretty cool little application that is integrating lots of connectivity and identity information into a single pane. I called it a "personal identity management" tool and that seemed to resonate with Simon, Doc, and Andre.

Simon is doing something in England that uses SMS enabled phones to create community groups that people can use for neighborhood watch and similar purposes. I liked the idea a lot.

3:34 PM

DIDW: How Identity will Refocus IT

Here's the cast of players:

  • Moderator: Phil Becker, Editor, Digital ID World
  • Rick Caccia, Director & Product Mgr, Oblix
  • Brian Anderson, Program Director, IBM Tivoli
  • Andy Eliopoulos, Director, Business Mgt. Network Identity, Sun
  • Kurt Johnson, VP Business Development, Courion

The number of applications that IT shops are supporting and the number of connections to partner systems is going up, not going down. Companies that can connect the right people with the right resources are the companies that succeed. Identity has moved beyond "can I come in?" to the questions of "where can I go?" and "what can I do?"

Measure the right thing or it will bite you: internal help desks sometimes fight against identity management solutions because they're measured on how many calls they take and how long they spend on the calls. If you introduce a password self-service reset system and calls to the help desk go down, help desks that are measured on the wrong things will be punished and consequently give pushback.

IT needs to remember that telling management what a technology does isn't the same as telling business why they need the technology. The example given in the panel is meta-directories. Explaining what a meta-directory does isn't the same as describing the business problems that it solves.

One of the problems with identity projects is that they require some degree of centralized coordination. That means that it's not a business unit decision, but an enterprise decision. This raises questions of governance and politics that haven't been part of the equation before.

The problem with this panel is that Phil is asking CIO-type questions of a group of vendors and they're falling all over their tongues trying to come up with smart sounding answers. Phil asked about the centralization issue I pose above and followed up with a question about whether standards will alleviate this problem. No one gave the right answer. The right answer is that governance is the issue and that has to be worked out whether you've got industry standards or not. Governance implies that you're going to create an enterprise architecture and an interoperability framework. Once you've got those, each business unit can go do their own thing, follow the standards, and the system will stand a chance of working. Without them, it's endless meetings leading to project failure.

3:05 PM

DIDW: Tony Scott Keynote

Tony Scott, GM's CTO, is today's second keynote.

Since 1996 GM has made significant progress toward common processes. They've reduced their legacy systems from 7000 to 3500. They have built a common email system, created a global employee portal, created a single global CAD/CAM system (down from 23), and gone from having the highest IT cost as a percentage of sales to the lowest IT cost in the industry. That is impressive.

They've achieved this by taking a "one-company" approach to IT. They still have regional CIOs responsible for systems, but overlay that with cross-regional "process information officers" that worry about supply chain, network, etc. Tony's one of those cross-regional officers. GM is 100% outsourced. There's no one in GM who's writing code, running data centers, administering networks, etc. GM manages IT by contract. What GM does internally is the "value innovation" function (see Modular IT Organization) that decides how IT can be used to help the business.

GM has been working on IdM since the current management team arrived in 1996. They started by working on the fragmented directories and worked toward a common directory infrastructure. They've been active in Liberty from its start because they saw the need to federate inside and outside GM. They've used Liberty to provide SSO in the employee portal (Socrates). They did this with an external benefits provider. Some lessons learned:

  • Trust is important: organization to organization, audit, and security.
  • Liability and support issues: costs and escalation process for problems.
  • User issues: users thought it was broken and called the help desk because it didn't continually ask them for a password.
  • Spend time on the use cases: work through all the specific cases like new employees, status changes, session time-outs, logging out of one site, but not another, and so on.
  • Obtain business buy-in: why is this important? What are the risks and benefits?

GM has built a global employee phonebook. It took a year to get regulatory approval in Europe. Europe has defined privacy as a human right, while in the US data protection laws quickly run afoul of free speech issues. This means that the location of data (in what country) is important. Are you going to move that data outside the territorial boundary of the country? Data center consolidation turned from a technology issue into a regulatory issue. One big lesson was that their data access and retention policies had to be harmonized globally.

Digital ID in Auto Manufacturing: Every vehicle has a unique ID that has not traditionally been leveraged very well. They're starting to change that. GM builds about 250 test fleet vehicles of each type and subjects them to various conditions. There are 55 microprocessors on board for diagnostic purposes. In the old process, GM collected data in the test fleet on an ad hoc basis, there was significant lag time, and the data was only available to a few. It could take 180 days to get data from the test fleet into the engineering process and affect manufacturing. Today they collect data daily through OnStar, and the results are available in real time on the internal network. Some problems can be corrected in real time. The benefit is a shortened engineering-to-production cycle. They are at 18 months now (down from 5 years). This also removes significant warranty costs by decreasing false positives, for example.

The long term implications:

  • Digital IDs for many things, not just people.
  • Management tools will be necessary for commercial and personal applications
  • Rules for access and privacy are unclear
  • Still room for technology innovation in this space

10:15 AM

DIDW: Jamie Lewis

Jamie Lewis, from the Burton Group, is giving today's first keynote. I remember enjoying Jamie's talk last year, although I didn't realize how much was there. I asked him for the slides and recently went back and reviewed them and realized how many concepts I hadn't gotten at all a year ago that now seem very important.

Jamie defines the virtual enterprise network (VEN) as the corporate network along with the connections to employees, partners, customers, and suppliers. Jamie's first thesis is that tightly coupled systems won't enable large-scale interoperability. The most important benefit of Web services is that it turns the network into a platform. Businesses are just starting to map out Web services strategies.

Jamie's second thesis is that exclusionary business models (read: firewalls) do not enable business. Identity enables an inclusive model that goes beyond the necessary but insufficient perimeter security models that are common today.

The same market pressures that are driving Web services are driving digital identity management (IdM). We have made significant progress in the last year in the deployment of real implementation of specifications and standards that were just ideas a year ago. To manage identity, you need to build process and infrastructure at the same time. Process is about managing the life-cycle (registration, propagation, maintenance/management, and termination). Infrastructure manages the actual IDs, entitlements, and so on.

The Burton Group has a reference architecture for IdM. The reference architecture provides a goal state. Each organization can build their own reference architecture to define their own goal state. It seems to me that this is a part of the Enterprise Architecture. The reference architecture is centered on the idea of a "security domain" which is different from the intranet and corresponds to the VEN mentioned earlier.

Much of the Internet's potential is untapped because the infrastructure doesn't support the necessary functionality. Enterprises are interested in leveraging and integrating what they have, not buying new things. Jamie says they've had all the "technology cheeseburgers" they can stand; they're full and want to digest some of it. Web services is a move in the right direction.

Why will Web services work where others have failed?

  • Markets have changed
  • We've learned our lesson about tight coupling
  • Technology and politics have changed with more vendor buy in and lots of standards work.

Standards and open source implementations of those standards are allowing us to create a true network platform. Still, the reality is that we've only taken baby steps toward the goal. Right now, you can count on XML and SOAP. WSDL is almost baked. The rest is in some disarray. The incentives are there to solve the problems, but they need to be solved.

Most early efforts at solving IdM problems tried to legislate homogenization, dictating how developers will handle identity and security. X.500, Kerberos, and X.509 are examples. They also placed inappropriate burdens on developers. The next step was to build heavyweight integration products and middleware. These steps are necessary for creating the intra-organizational infrastructure, but don't address the inter-organizational issues.

Inter-organizational IdM will ride on top of the network bus created by Web services. If Web services doesn't work, we'll need to invent something just like it to provide that functionality. Internal federation can enable interoperability and consolidation after M&A.

The fact that the products we buy aren't secure means that we've been forced to buy security products.

There's lots of interest in provisioning, but it can be a big project with lots of political pitfalls. Password management is the low-hanging fruit of provisioning and can provide the quickest route to ROI. Still, it's not full-blown provisioning. Web access management is still a bedrock solution for portals. Delegated administration, self-service, password management, and other tools provide real differentiation.

Right now SAML is gaining momentum with lots of early adoption. There are multiple products in release or development, some of them open source. SAML has a simple, narrow focus. Liberty is entering early adoption with some implementation underway in consumer facing apps. The WS-* standards raise the convergence issue and it looks like a polite war. WS-* has an ambitious scope, but eventually the concepts behind WS-* will be necessary. Burton's advice is don't let the conflict stop you from meeting business needs. Eventually vendors will support all of them. SAML is a safe starting point.

Identity networks:

  • Centralized like Passport and AOL ScreenName
  • Industry-based and proprietary: SecuritiesHub/Bond Hub, Verified by Visa, etc.
  • SAML-powered like Shibboleth
  • Liberty powered like Neustar's Land Records Exchange Network
  • PingID has announced that they will build a gateway that translates between SAML, Liberty's ID-FF, and the WS-* standards

Jamie sees us going through a long, but inevitable transition. Web services and federated IdM have enormous potential, but we're several years away. We've made more progress in the last 2 or 3 years than we have in the past 2 or 3 decades. Understand what you can do today and get started building the most general purpose architecture you can.

You should also read AKMA's excellent write-up on Jamie's talk.

9:18 AM

October 15, 2003

DIDW: Photos

I have a gallery of photos I've taken at Digital ID World.

6:23 PM

DIDW: Grassroots identity: Does it Have a Chance?

I was torn between Carol Coye-Benson's session on The Business of Digital Identity and the session on Grassroots Identity. Grassroots Identity finally won out because the characters they've got assembled for this panel are bound to provide an interesting show:

  • Moderator: AKM Adam, Reverend Dr., Seabury-Western Theology Seminary
  • Doc Searls, Sr. Editor, Linux Journal
  • Simon Grice, CEO, Midentity
  • Marc Canter, Chairman & CEO, Broadband Mechanics
  • Simon Phipps, Chief Evangelist, Sun

T-shirts, haircuts, tattoos, cars, vanity plates, and so on are examples of non-digital grassroots identity. Digital examples include email addresses that are picked, meetup.com and other community creating services. Issued identities include driver's licenses, passports, and many email addresses. Grassroots identity is created by the person for their own purposes. It's about being yourself, expressing yourself, sharing your own data, thoughts, and ideas. This blog is an example of a grassroots identity created by me to share an aspect of myself.

No identity is an island. Every identity sits in some context.

People are willing to pay for choice associated with identity. For example, many people pay to have a particular email address. I'm one of these, for example. I pay pretty dearly in terms of money and time to maintain a domain (windley.com) where I can create my own identity.

Identity markets are about relationships. Identity isn't worth much without a context. People exist inside relationships (both personal and organizational). We're typically very forgiving of identifying attributes being transferred to organizations and people we have relationships with. This even applies to where we shop and our willingness to give up information about who we are when we buy in order to get a discount.

5:44 PM

DIDW: Federation, Policy, and Trust Management

I'm in the Federation, Policy & Trust Management session. The participants are:

  • Moderator: Jim Hurley, VP, Aberdeen
  • Khaja Ahmed, Chief Security Architect, Microsoft
  • Michael Barrett, VP Internet Strategy, American Express
  • Tim Moses, Sr. Director Advanced Security Technology, Entrust

I apologize that I've not kept careful track of who said what in the following. There's some general discussion of policies and trust. Access policies should be:

  • Accessible to people and businesses in native languages
  • Portable from business strategy through IT operations
  • Consistent from human-readable form to digital instruction, and invariant across time and location
  • Reliable
  • Trusted

Policy is the set of actions that a party is required to take. Trust is confidence that a policy is being followed. For example, in authentication, the policy details the authentication mechanism and parameter values. The trust comes from the identification and authorization procedure and refresh requirements. In a different scenario, the policy might specify to what uses the data may be put, how long it can be retained, which entities may have access, etc., and the trust is based on certification.

There are some important questions about policy in a federated space:

  • Who sets policy? First-party, third-party, bilateral?
  • How is the policy represented? Human readable, machine readable, both?
  • At what stage is the policy set? Deploy-time, run-time?
  • How flexible is the policy? Take it or leave it, adaptable?

The bad news is that traditional approaches for managing policy and trust are inflexible, slow, and costly. The worse news is that federation makes this worse. This sets the stage for requirements for policies that are machine readable, consistent, support late binding, are adaptable, and function in a heterogeneous environment.

A community of trust has four components:

  • Governance (operating rules, roles and responsibilities, and legal validity)
  • Operations (people and the procedures they follow)
  • Technology (software and hardware)
  • Viable economic model

A village is a community of trust. Trustworthiness is based on reputation. Strangers have no trust, but over time this changes. eBay is a good example of this kind of trust system. MSN Messenger has provided a community for traders where people rely on the MSN messenger ID being inviolate. Email works very similarly--people trust email addresses and an email address conveys some sense of trust to people who have interacted with it for some time. Villages have a low governance burden. The community manages the trust and it works effectively across national boundaries. Risk management is done by each individual judging the risk/reward for a particular transaction.

Some ideas for reputation system:

  • Better formalized reputation system or 'gossip' mechanism in cloud-based systems
  • Services that allow a hybrid model (reputation plus authority assertions (village elder)
  • Rich, intuitive, "falling off a log" easy desktop tools for credential and attribute management.

Liability flow between companies affects trust. A liability flow occurs when a service provider can sue an identity provider for damages related to problems associated with an identity. False positives occur when someone has access to an account they have no rights to, when an automated attack fools the system into granting an identity that doesn't belong to the attacker, or through social engineering attacks. Another problem is authentication strength. It's very difficult to compare two authentication schemes and determine which is stronger (how the UID is chosen, how passwords are chosen, how passwords are aged, etc.).

What to do? Ignore the risk--probably not a good idea. Accept the risk--viable and often done. Join a pre-existing network that's worked some of these problems out--PingID is providing such a network. Utilize the Liberty Alliance Business Guidelines, which explore these issues in detail and work out solutions.
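The panel's point that two authentication schemes are hard to rank (UID choice, password choice, aging, lockout) becomes tractable once the factors are written down as a model. The block below is an added example, not material from the session or the post. It models an online-only attacker who guesses against one account at the maximum rate the lockout policy allows for as long as a single password lives. The two schemes, the 30% share of users whose password sits in the attacker's 10,000-entry guess list, and the charset and length figures are all constructed assumptions; non-list passwords are treated as uniformly random, and offline cracking and phishing are out of scope.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scheme:
    """One authentication scheme's policy knobs (all values constructed)."""
    name: str
    charset: int              # distinct characters a password may use
    min_length: int           # enforced minimum length
    lifetime_days: int        # aging: how long one password stays valid
    attempts_per_window: int  # failed logins allowed before lockout
    window_minutes: int       # length of the lockout window
    weak_fraction: float      # share of users whose password is in the
                              # attacker's guess list (behavioural assumption)
    attacker_list_size: int   # size of that guess list


def keyspace(s: Scheme) -> int:
    """Guesses needed to exhaust uniformly random passwords of min_length."""
    return s.charset ** s.min_length


def online_guesses(s: Scheme) -> int:
    """Online guesses the lockout policy permits against one account while a
    single password is valid: the attacker simply waits out each window."""
    windows = (s.lifetime_days * 24 * 60) // s.window_minutes
    return s.attempts_per_window * windows


def compromise_probability(s: Scheme) -> float:
    """Per-account probability that an online-only attacker succeeds before
    the password is rotated. Two populations: users whose password is in the
    attacker's list and users with effectively random passwords."""
    g = online_guesses(s)
    weak = min(1.0, g / s.attacker_list_size)
    strong = min(1.0, g / keyspace(s))
    return s.weak_fraction * weak + (1.0 - s.weak_fraction) * strong


def expected_compromised(s: Scheme, known_accounts: int) -> float:
    """Accounts the attacker can expect to take over. known_accounts is how
    many UIDs the attacker can enumerate; with predictable UIDs (first.last)
    it is the whole population, which is the "how UID is chosen" factor."""
    return known_accounts * compromise_probability(s)


def stronger(a: Scheme, b: Scheme) -> str:
    """Name of the scheme with the lower per-account compromise probability."""
    return a.name if compromise_probability(a) < compromise_probability(b) else b.name


# Constructed schemes. A looks stricter on paper (90-day rotation); B keeps a
# password for a year but throttles failed logins much harder.
SCHEME_A = Scheme("A: 90-day aging, 5 tries per 30 min", 62, 8, 90, 5, 30, 0.3, 10_000)
SCHEME_B = Scheme("B: 365-day aging, 3 tries per day", 62, 8, 365, 3, 24 * 60, 0.3, 10_000)

if __name__ == "__main__":
    for s in (SCHEME_A, SCHEME_B):
        print(f"{s.name}: {online_guesses(s)} guesses per password, "
              f"p={compromise_probability(s):.4f}, "
              f"expected compromised of 10,000 known UIDs={expected_compromised(s, 10_000):.0f}")
    print("stronger:", stronger(SCHEME_A, SCHEME_B))
```

Under these assumptions scheme A's lockout still allows 21,600 guesses over a 90-day password life, enough to walk the whole 10,000-entry list, so every user with a listed password is compromised; scheme B permits only 1,095 guesses per year and exposes about a tenth of that population. The random-password term is negligible for both, which is why the lockout rate, not the aging interval or the composition rule, decides the ranking here. Swapping in your own parameters is the point of the exercise.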

4:51 PM

DIDW: Digital Identity Tutorial

My tutorial on digital identity management was this morning from 10:15 to 12:15. It overlapped a keynote and consequently we were slow getting going. Initially there were just three people there, but by the time we finished the room was full. Many of those present were people I know and respect; I felt like I was talking to a group of people who knew more about digital identity than I did. We had some good questions and discussion and I had several people say that going over the basic technologies in context was helpful. That's why I developed this tutorial: I knew about the various technologies, but didn't understand how they worked together and interacted. The tutorial:

  • defined the language of digital identity,
  • related digital identity to familiar identity scenarios in the physical world,
  • described the primary protocols for creating, exchanging, and using digital identity, and
  • discussed how organizations can develop an identity management strategy.

You can get a copy of my slides. I also have a white paper upon which the slides are based. You can get a copy by signing up for my free newsletter. If you'd rather not sign up for the newsletter and were at the tutorial this morning, send me an email and I'll send it to you.

2:14 PM

DIDW: Identity Management vs. Managing by Identity

Phil Becker is using an interesting distinction to emphasize a point I've made several times before: identity management is about opportunity, not just security. He calls this "managing by identity" rather than "identity management." He says managing by identity

  • uses identity to organize, manage and secure computing processes
  • allows business process and computing process to align more naturally
  • releases the real promise and capability of network computing: networking business processes

Networking business processes across business boundaries has now become possible. Soon it will be necessary for survival.

Phil moves onto the topic of trust. Networks require trust to release their power. Human networks learn to trust over time. You can't buy, build, or create trust. Trust is granted by others based on behavior. Transparency is the surest path to trust. Secrecy impairs trust. If this is interesting to you, be sure to review Professor Kent Seamon's research.

The web browser taught people the concept of discovery and networking at the document level in realtime. Web services are the next step at the application level. These new network activities have shown us the need for management by identity.

Federated identity is about linking silos of identity into networks of identity in a way that scales. The only way to make this happen, according to Phil, is to keep the management local while allowing the identity to be used globally. I think this is a great definition of federation because it is general enough to allow multiple solutions.
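Phil's definition, keep the management local while letting the identity be used globally, and the earlier session's notion of a machine-readable policy that a relying party can check, both fit in a few dozen lines. The block below is an added example and not code from the post, from Phil Becker, or from any of the vendors named here. It stands in an HMAC over canonical JSON for the signed SAML or Liberty assertion a real federation would use, and the issuer name idp.example, the service name sp.example, the policy fields and the shared key are all made up for the illustration. The identity provider authenticates the user against its own store and asserts that fact; the service provider never sees the credential and decides on its own policy, including the session time-out case from GM's lessons list.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed shared secret for one IdP/SP pair (bilateral trust). Real
# federations sign assertions with the IdP's private key and publish the
# verification key in metadata; HMAC keeps this example self-contained.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# The SP's machine-readable policy (constructed). It is the "take it or
# leave it" document the SP can publish: whom it trusts, what authentication
# it requires, and how fresh an assertion has to be for this service.
SP_POLICY = {
    "trusted_issuers": ["idp.example"],
    "accepted_authn_methods": ["password+otp", "smartcard"],
    "max_age_seconds": 300,
}


def _canonical(payload: dict) -> bytes:
    """Serialize deterministically so issuer and verifier MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(subject: str, issuer: str, audience: str, authn_method: str,
                    lifetime_seconds: int, key: bytes = SHARED_KEY,
                    now: Optional[float] = None) -> dict:
    """IdP side. The IdP authenticated the user against its own store and
    asserts that fact for one audience. The SP never sees the credential."""
    now = time.time() if now is None else now
    payload = {
        "subject": subject,
        "issuer": issuer,
        "audience": audience,
        "authn_method": authn_method,
        "issued_at": int(now),
        "not_on_or_after": int(now) + lifetime_seconds,
    }
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_assertion(assertion: dict, policy: dict, my_audience: str,
                     key: bytes = SHARED_KEY,
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """SP side. Integrity first, then each clause of the local policy. Every
    rejection names the clause that failed so the decision is auditable."""
    now = time.time() if now is None else now
    payload = assertion.get("payload", {})
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("mac", "")):
        return False, "bad signature"
    if payload.get("issuer") not in policy["trusted_issuers"]:
        return False, "untrusted issuer"
    if payload.get("audience") != my_audience:
        return False, "assertion not meant for this service"
    if payload.get("authn_method") not in policy["accepted_authn_methods"]:
        return False, "authentication method below policy"
    if now >= payload.get("not_on_or_after", 0):
        return False, "assertion expired"
    if now - payload.get("issued_at", now) > policy["max_age_seconds"]:
        return False, "assertion too old for this service"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_000_000.0
    a = issue_assertion("alice", "idp.example", "sp.example", "password+otp", 600, now=t0)
    print(verify_assertion(a, SP_POLICY, "sp.example", now=t0 + 10))
    weak = issue_assertion("alice", "idp.example", "sp.example", "password", 600, now=t0)
    print(verify_assertion(weak, SP_POLICY, "sp.example", now=t0 + 10))
    print(verify_assertion(a, SP_POLICY, "sp.example", now=t0 + 400))
```

Two design points matter for the federation argument. The audience check is what keeps an assertion minted for one service from being replayed at another, so the SP must compare against its own name, not trust the issuer's choice. And the SP's freshness limit is separate from the IdP's expiry: the IdP may happily issue ten-minute assertions, while a service that handles money can insist on five, which is exactly the local policy a federation lets each party keep.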

Because it's impossible to pre-define all the ways people will want to integrate data and applications, we need to be able to integrate on demand. This is a good view of what's different about Web services. Businesses integrate on demand all the time: they form teams of people to solve special problems on a regular basis. The tools don't support this kind of "integrate on demand" business process. Only a robust identity infrastructure can support this.

Portals are starting to address this problem. Portals have always been about aggregation. Portals should be organized based on the user's needs and the policies of the applications and data. Think of what an employee portal is meant to do: aggregate the data that a user needs in a personalized way. This is an interesting view of what portals do.

9:18 AM

nTAGS at Digital ID World

We're using these interactive name tags called nTAGS. These are little computers that you wear around your neck. The goal is to provide a technology that enhances, rather than disrupts, face to face communication. The devices have a pretty simple interface and function well. They are a little heavy, but that's the first generation. I wish they were more dynamic. They're meant to be that, but the information that the conference attendees provided was more multiple choice than free form, so they're a little less free form than I think they need to be. Still it's a fun experiment and they're great conversation starters.

8:55 AM

October 14, 2003

Travel to Digital ID World

I'm at Digital ID World in Denver tonight. This was a great conference last year and promises to be even better this year. I flew my plane to Denver rather than going commercial. I was able to leave my house and be in the air 45 minutes later and land just 5 miles from the conference hotel. I had a 50 knot tail-wind and was traveling as fast as 218 knots at one point. Not bad. My door to door time was about an hour shorter than if I'd flown commercial. As a bonus, I was able to bring my pocket knife.

10:44 PM

October 13, 2003

Public Records are No Longer Effectively Private

There are a lot of government records that are public: court proceedings, arrest records and property recordings are examples. Public records are one of the cornerstones of democracy. Democracies prefer accountability to enforcement. Rather than trying to enforce every rule and law with absolute certainty, we make information public and make people accountable. Accountability based systems scale better than enforcement systems. Even so, the Internet has upset some long held practices related to public records. Here's an example:

Utah County, where I live, has put property records online. They've also done a good job of making their queries using GET, so I can give you a link to the information they have about my property. (Warning: it's buggy; most of the time it craps out with a "server not found" or "Error in DLL" error.)

Now, I'm not sure I'm very excited about having my mortgage information on the Web for all the world to see, but I am convinced that they're not breaking any rules--everything they've made public really is public. I know my wife would be very upset to find this information on the net. She wasn't very happy about being able to type our phone number into Google and get a map to our place. How do you feel about it? If your county doesn't make this information public now, they will. Recorders all over the country are moving in this direction since it makes their job easier.

There's a reason property information is recorded with the county and why it's public: protecting the public from land fraud. When I buy a piece of property, I want to know what its exact boundaries are, what disputes there may have been over it, what rights come with it, and what liens there might be against it. The problem is that while this information has always been public, the reality of the paper record keeping system made it effectively private for most purposes. You had to physically present yourself at the county recorder's office to search through their records to find out about my property. This meant you had to really want it. Now anyone who wants to know what my mortgage is can go look it up online in a few minutes, in their bathrobe, for any purpose whatsoever.

These collisions between the Internet and public policy are fascinating. I wrote about a similar collision between State telecom regulation and VoIP last week. Techies have a unique perspective on these issues and can be of great value to the public policy discussions. Techies have a tendency to ignore these kinds of debates, however, and then just rail against them when regulators, legislators, or whoever make a boneheaded move. These people need your help in framing the debate and they need to hear from you when the debate happens. The next few decades are likely to be painful if we don't solve these issues correctly, so I urge you to get involved.

10:26 AM

October 10, 2003

Web Services Early Adopters

Many companies are reluctant to deploy Web services, having heard scary stories about security threats and half-baked standards. Still, a number of IT departments are moving forward--some slowly with pilot projects and others more aggressively. The most recent CIO magazine has an article on Web services early adopters and why they're keen on the technology. The highlighted organizations include Motorola, the US Navy, and Wells Fargo. Samir Desai is Motorola's CIO:

"This is about increasing the throughput, agility and cost-effectiveness of IT," says Desai. "How many times should I code a credit card check? With Web services the answer is one. In the past no one really knew the answer, but it was a much, much larger number." Merely by automating standard transactions, Web services promises to save a huge amount of effort and money.

The article goes on to list five risks and discuss how they can be mitigated. I've listed the risks from the article below, but the commentary is my answer to those risks.

  1. Web services isn't secure.

    First step, buy an XML firewall (I've got a review of three XML security firewall products coming out soon). Next, understand that Web services and other emerging technologies break down the traditional secure perimeter and require a move to a more holistic digital identity strategy. Companies that can build a digital identity infrastructure won't see Web services security as a problem; they'll see digital identity as an opportunity.

  2. The lack of standards breeds complexity.

    I don't think lack of standards is as big an issue as the fact that there are still issues that need to be resolved, and that will lead to new and different standards over the next few years. I'm still trying to figure out how this is different from the world of 3-4 years ago when there were no standards for decentralized computing. The way to mitigate this risk is to use a good Web services intermediary that can provide insulation from changing and emerging standards.

  3. Vendors might go out of business.

    Which brings us to the fear that once you pick one, they might go out of business. That's a real fear since many of these vendors are small start-ups and there's a whole pack of them. At some point there will be a market shake-up and we'll get down to just a few. First step in mitigating this problem is to look carefully at the company and choose vendors who you believe in as a business. If they do go belly-up, make sure that standards protect you as much as possible by not using proprietary features without understanding the upside potential and the risk.

  4. Adoption by partners is unpredictable.

    Again, Web services intermediaries provide some solace here. Most of these products will translate your Web services transactions into whatever system your partners happen to be using. If partner integration is a big issue in your deployment, make sure you understand what their needs are and pick an intermediary product that will provide the right adaptors to make things work.

  5. No evidence yet for enterprise ROI.

    ROI is a great tool, but I think that businesses that use ROI on a project by project basis miss some real opportunities for innovation. That's not to say that you want to just start spending money on whatever looks fun this week. You will need to consider some soft gains and long term benefits to create a case. Creating a Web services infrastructure is about moving to service oriented architectures and moving away from some of the traditional IT infrastructures that we've used in the past. You can't create an ROI for that if all you look at is the cost and benefit of the next project. How much are more agility, increased code re-use, better business-technology alignment, etc. worth? Maybe nothing. Maybe everything.

My advice to organizations is to stop sitting on the sidelines, pick one or two good pilot projects, and move forward. Once you've got that experience, you have a decision to make: are we going to make service oriented architectures (SOAs) part of the way we do business? If the answer is "yes" then the next tasks involve more than technology. You've got to build an enterprise architecture that supports your move to an SOA. If you don't, the dream of interoperability is just that, a dream. Interoperability can't be achieved within your organization by the mere existence of external standards. You've got to decide which standards apply, how they'll be used, and by whom. You have to build a framework around those standards that shows how they're used inside your organization. Once you've got a reasonable interoperability framework, then Web services can become part of how every project is built and designed and inform every infrastructure decision. Until that point, you're bound to be underwhelmed by a few sideline projects that just happen to use SOAP.

10:02 AM

October 9, 2003

Local Government and Telecommunications Services

The Supreme Court is going to hear arguments on whether States can bar local municipalities from entering into the telecommunications business. The question is before the court because the 1996 Telecommunications Act provides that no State regulation may prohibit the ability of any entity to provide any interstate or intrastate telecommunications service. Even so, a number of states, including Utah, have passed legislation that restricts local governments from providing these services.

There's a lot of strong feeling on this question. I heard both sides of it while I was CIO. Private companies are scared that government will drive them out of business with unfairly subsidized services. Local governments are tired of being caught in the middle, with constituents screaming at them on one hand and telecommunications companies refusing to expend capital on the other. Lots of folks have legitimate concerns over the ability of government to run an efficient service.

In Utah, State law allows local governments to create "wholesale" networks but prohibits them from providing retail services. The many municipal networks springing up around Utah (most of them in Utah County, south of Salt Lake) are trying valiantly to stay within this restriction. These include the Utah Valley Community Network (UVCN), a peering network between half a dozen local governments in Utah County, UTOPIA, an interlocal agency of seventeen Utah cities and towns, Provo City's fiber to the home project, and Springville and American Fork's municipal repurposing of a bankrupt overbuilding project.

UVCN has been included in a friend of the court brief that EDUCAUSE (a consortium of 1900 higher-ed institutions) is filing in support of municipal networks. The brief cites UVCN as one of two examples illustrating the importance of municipal networks to higher education.

10:57 PM

October 8, 2003

Federal Court Issues Injunction Against MPUC on VoIP

A few weeks ago, I noted that Wisconsin had moved to regulate VoIP provider 8x8. The Minnesota PUC had made a similar move against Vonage. Today a federal court issued a permanent injunction against a recent ruling by the Minnesota Public Utilities Commission to regulate Voice over IP provider Vonage as a telephone company. This is a huge win for VoIP companies (at least in Minnesota) since it gives them a significant pricing advantage over traditional CLECs and ILECs. Here's why:

A traditional ILEC (incumbent local exchange carrier) or CLEC (competitive local exchange carrier) has to pay numerous fees by regulation, including the universal service fund, e911, etc. Altogether these add up to something like $10 per primary line. This cost is, of course, passed on to the customer. One reason that Vonage and 8x8 are able to offer such smoking deals is they don't pay these fees. I've taken to calling these guys NLECs (non-local exchange carriers); maybe there's a better name for them.

Here are a few links to stories on the ruling. A complete rationale for the ruling won't be available until Friday. If you see it before I do, give me a shout.

You can bet the RBOCs (Regional Bell Operating Companies) will be challenging this, so expect an appeal.

3:19 PM

Quicksilver Wiki

I've been a huge Neal Stephenson fan since I read Cryptonomicon. Since that time, I've added Snow Crash and Diamond Age to my list of books that have influenced my thinking and led me down new paths. Consequently, I was quite excited to see Quicksilver, Stephenson's newest book, at Borders last week.

The book is a work of historical fiction, something of a break for Stephenson, set during the 1600s amid a period of unbelievable scientific awakening. The protagonist is Daniel Waterhouse, a friend of both Newton and Leibniz, who were hotly contesting the origins and directions of Calculus at that time. I can't tell you how it ends, since I'm only about one-third of the way through, but I can tell you I'm enjoying the book very much.

Something that's added to my enjoyment of the book is a Quicksilver Wiki where Stephenson and others make frequent and interesting posts about the book. One example is these page annotations that explain or expand on certain interesting points, and this page further explaining the cryptosystems in Quicksilver. This is an excellent addition to an excellent book.

8:39 AM

October 7, 2003

Setting Up a Serial Console on Linux

Tomorrow my new server (1U, rackmount) moves into its new home. There's still much to do, but I've been focusing on things that are easier to do while it's in my machine room in my basement, like configuring RAID-1 on the two 80Gb disks. The other task I wanted to get done before I installed it remotely was to get the serial console working. The serial console enables start-up and configuration of the machine using a serial cable plugged into a laptop instead of having to haul a monitor and keyboard around. You have to do that at least once to configure the IP address when you move to a new home. The configuration was pretty straightforward. Here's what I did:

I pretty much followed the instructions in the serial console HOWTO. The primary steps are:

  1. Set up the serial port
  2. Change the boot loader to boot from the console and pass the right parameters to the kernel
  3. Make sure a getty is running on the right serial port
  4. Change any configurations for other programs that might get in the way

The HOWTO can seem daunting at first because it's designed for every contingency. Just remember you won't have to do everything that's there, although you'll probably have to read most of it to figure out what you do have to do. Here's what I had to do to make it work on my box (Redhat 9.0 with the GRUB bootloader):

First, I disabled serial port 2, to ensure that its interrupt (which is shared with serial port 0 on Intel platforms) doesn't interfere with serial port 0. Add these lines to /etc/rc.serial (create it if necessary):

# Disable /dev/ttyS2 so interrupt 4 is not shared,
# then /dev/ttyS0 can be used as a serial console.
setserial /dev/ttyS2 uart none port 0x0 irq 0

Next I configured the boot loader (GRUB in my case) to use the serial line for its own menu and to pass kernel parameters (the console= options on the kernel line) that cause the kernel to use serial port 0 as its console as well:

default=0
timeout=10
# splashimage=(hd0,0)/grub/splash.xpm.gz
serial --unit=0 --speed=9600 --word=8 --parity=no --stop=1
terminal --timeout=10 serial console
title Red Hat Linux (2.4.20-8)
     root (hd0,0)
     kernel /vmlinuz-2.4.20-8 ro root=/dev/md0 console=tty0 console=ttyS0,9600n8
     initrd /initrd-2.4.20-8.img

Configuring getty consists of adding a line to /etc/inittab to spawn a new shell on the console. I chose to use /sbin/agetty rather than plain old getty since you can pass the configuration in as parameters rather than putting it in the gettydefs file:

co:2345:respawn:/sbin/agetty -h -t 60 ttyS0 9600 vt102

I had already changed the inittab so that X doesn't spawn by changing the 5 to a 3 in the id line:

id:3:initdefault:

Finally, there are a few things specific to RedHat which need to be taken care of.

There were two other things that needed to be done to make the box datacenter ready (or at least as ready as I know how to make it). The first is to disable error checking in the BIOS for the keyboard (since no keyboard will be connected and the BIOS will hang otherwise). The second is to check the power management parameters to ensure that the suspend mode is turned off and the box is set to return to the "on" state after a power failure. There are UPSs and generators at the datacenter, but I've seen too many boxes lose power in environments that are "fully conditioned" to trust them completely.

Once done, I tested the configuration by rebooting the box, watching what happens in a simulated "unattended reboot" and ensuring that it comes up. Next I performed a simulated power failure (i.e. pulled the power cord) to ensure that the toggle switch defaults to "ON." Finally, I checked to make sure that I could log in at the serial console after all of this.

Of course, you will need to read and understand the HOWTO to determine how it pertains to your particular system, but don't be dissuaded by its size. Most of it is explanation and multiple configurations based on system particulars. There's plenty of tutorial material and other help on serial lines, security, and so on. Once you've got software RAID configured, the OS installed, and the serial console working, you can pretty much do the rest of the job remotely. More on that later.
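Before the box leaves the basement it is worth checking that GRUB, the kernel command line and the getty all agree on the same port and speed, since a mismatch in any one of them leaves you with a dark serial cable at the datacenter. The script below is an added example, not something from the post or the HOWTO: it runs those checks against a GRUB config and an inittab, and (an assumption about Red Hat systems of that era, not covered by the post) reports whether /etc/securetty permits root to log in on the serial port. The sample files it checks are constructed inline from the configuration shown above.

```shell
#!/bin/sh
# Added example: pre-flight check for a Linux serial console configuration.
# Point the functions at /boot/grub/grub.conf, /etc/inittab and /etc/securetty
# on a real box; here they run against constructed sample files.

# grub_serial_ok GRUBCONF UNIT SPEED
# GRUB must drive "serial --unit=UNIT --speed=SPEED", select the serial
# terminal, and every kernel line must carry console=ttySUNIT,SPEED so that
# kernel messages and the login prompt reach the remote operator.
grub_serial_ok() {
    conf=$1; unit=$2; speed=$3
    grep -Eq "^[[:space:]]*serial[[:space:]].*--unit=$unit([[:space:]]|$)" "$conf" || return 1
    grep -Eq "^[[:space:]]*serial[[:space:]].*--speed=$speed([[:space:]]|$)" "$conf" || return 1
    grep -Eq "^[[:space:]]*terminal[[:space:]].*serial" "$conf" || return 1
    # a kernel line without console=ttyS<unit> boots silently over the cable
    kernels=$(grep -Ec "^[[:space:]]*kernel[[:space:]]" "$conf" || true)
    with_console=$(grep -Ec "^[[:space:]]*kernel[[:space:]].*console=ttyS$unit,$speed" "$conf" || true)
    [ "$kernels" -gt 0 ] && [ "$kernels" -eq "$with_console" ]
}

# inittab_getty_ok INITTAB PORT SPEED
# A respawning agetty must watch PORT at SPEED in runlevel 3, and the default
# runlevel must not be 5 (X would otherwise compete for the console).
# Written for agetty's "agetty [options] port speed term" argument order.
inittab_getty_ok() {
    tab=$1; port=$2; speed=$3
    grep -Eq "^[^:#]+:[0-9]*3[0-9]*:respawn:/sbin/agetty[[:space:]].*[[:space:]]$port[[:space:]]+$speed([[:space:]]|$)" "$tab" || return 1
    ! grep -Eq "^id:5:initdefault:" "$tab"
}

# securetty_root_ok PORT SECURETTY
# Root may log in only on terminals listed in securetty (assumption: Red Hat
# style login). A serial console is a physical login path, so decide on
# purpose whether ttyS0 belongs in that list.
securetty_root_ok() {
    grep -qx "$1" "$2"
}

# check_serial_console GRUBCONF INITTAB SECURETTY UNIT SPEED
# Runs the checks, prints one line each, returns the number of hard failures
# (the securetty result is informational only).
check_serial_console() {
    failures=0
    if grub_serial_ok "$1" "$4" "$5"; then
        echo "OK   grub: serial unit $4 at $5, console= on every kernel line"
    else
        echo "FAIL grub: serial/terminal/console= missing or inconsistent"
        failures=$((failures + 1))
    fi
    if inittab_getty_ok "$2" "ttyS$4" "$5"; then
        echo "OK   inittab: agetty on ttyS$4 at $5, default runlevel not 5"
    else
        echo "FAIL inittab: no agetty on ttyS$4 at $5, or runlevel 5 is default"
        failures=$((failures + 1))
    fi
    if securetty_root_ok "ttyS$4" "$3"; then
        echo "NOTE securetty: root login allowed on ttyS$4"
    else
        echo "NOTE securetty: root login not allowed on ttyS$4 (log in as a user, then su)"
    fi
    return $failures
}

# Constructed sample files: the working configuration from the post, plus a
# "broken" variant with console= dropped from the kernel line and X still the
# default runlevel, a pair of mistakes that are easy to make.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/grub.conf" <<'EOF'
default=0
timeout=10
serial --unit=0 --speed=9600 --word=8 --parity=no --stop=1
terminal --timeout=10 serial console
title Red Hat Linux (2.4.20-8)
     root (hd0,0)
     kernel /vmlinuz-2.4.20-8 ro root=/dev/md0 console=tty0 console=ttyS0,9600n8
     initrd /initrd-2.4.20-8.img
EOF
cat > "$workdir/inittab" <<'EOF'
id:3:initdefault:
1:2345:respawn:/sbin/mingetty tty1
co:2345:respawn:/sbin/agetty -h -t 60 ttyS0 9600 vt102
EOF
printf 'tty1\nttyS0\n' > "$workdir/securetty"
sed 's/ console=ttyS0,9600n8//' "$workdir/grub.conf" > "$workdir/grub-broken.conf"
sed 's/^id:3:/id:5:/' "$workdir/inittab" > "$workdir/inittab-broken"

status=0
check_serial_console "$workdir/grub.conf" "$workdir/inittab" "$workdir/securetty" 0 9600 || status=$?
echo "working config: $status problem(s)"
status=0
check_serial_console "$workdir/grub-broken.conf" "$workdir/inittab-broken" "$workdir/securetty" 0 9600 || status=$?
echo "broken config: $status problem(s)"
```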

9:48 PM

Joel's Bionic Office

Joel Spolsky recently moved his business, Fog Creek Software, to a new building and put a lot of thought into what the environment ought to be for developers. He came up with what he calls the Bionic Office with the help of a good architect. Joel says:

Maybe I'm just an architecture queen. I probably pay more attention to my physical surroundings than the average software developer. I might take it too seriously. But there are three reasons I take it so seriously:

  • There's a lot of evidence that the right kind of office space can improve programmer productivity, especially private offices.
  • Having drop-dead gorgeous, private, windowed offices makes it a lot easier to recruit the kinds of superstars that produce ten times as much as the merely brilliant software developers. If I have to compete at New York salaries against Bangalore salaries, I'm going to need those superstars, so when people come in for an interview, I need to see jaws on the floor. It's about drama.
  • Hey, this is my job; this is where I spend my days; it's my time away from my friends and family. It better be nice.

He had some pretty strict requirements and met them in some intelligent ways. Looks like a place people will want to work.

3:21 PM

October 6, 2003

Using Identity to Fight Spam

An article in today's NY Times (free registration required) discussed the use of identity in fighting spam. It seems that companies that send out lots of legitimate email are increasingly getting caught in SPAM filters and the mail is not getting delivered. I can sympathize with that. This last month, I did not receive a prescription renewal notification from MedCo Health because their reminder was filtered out. I also nearly missed an invitation to speak (part of my livelihood) because the email seemed like SPAM, even though it was legitimate. I control my own SPAM filter, so fixing these was easy, but what about the person who's at the mercy of their ISP?

The basic idea is that it might be easier to identify legitimate emails than the SPAM. This is something like Caller-ID for email. What's required is a way to identify the sender of the email. There are several ways to do this:

  1. Use some kind of email client certificate that has been identity proofed. I wrote about such a scheme in August.
  2. Create a registry for the email servers themselves and identify only the email servers.

The choice is between comprehensive and quick. The second choice would increase the burden on people who operate their own mail servers (like me), but it wouldn't be such a big deal, I suppose. Having certificates for every email user would be a bigger cost and more difficult to implement, but would allow finer-grained control.

DNSSEC is a related solution. Knowing the domain with a degree of assurance cuts down on the effectiveness of worms, viruses, and so on. It also makes it easier to hold SPAMmers accountable.

Accountability is a more effective means to deal with SPAM than enforcement. Ultimately, what makes society work is that we're free to do what we want, but when we screw up, someone finds us and holds us accountable. Enforcement requires a larger infrastructure than accountability does. As Dan Geer says, "accountability is a log processing problem."

That raises an important issue: trust. From the Times article:

There is also a growing agreement that it is not enough for an e-mail sender to identify itself. The sender must also earn the trust of e-mail recipients, by promising to follow certain standards and having violations tallied and published. That would let people choose to discard mail from senders with high complaint rates. "Just because we can verify your identity doesn't mean you send good email," said Miles Libbey, the manager for antispam products at Yahoo. "You absolutely need identity and you also need reputation."

The problem with reputation is that it can be unfairly sullied. There's a system like this already called SPEWS (recently shut down) that keeps a blacklist of mail servers that have been used for SPAM. I host at Verio and someone on the same virtual server I use apparently did something to get on the SPEWS list. This meant that my mail server was on the list as well (since virtual servers share IP addresses). A number of emails I sent got bounced before the problem was resolved. Any system that does this needs to be based on identity as well as reputation. The problem with SPEWS is no identity. I can't uniquely identify my server from the problem server. There's no one to vouch for me in the SPEWS world.

2:33 PM

ICANN Calls Verisign on the Carpet

Numerous people reacted with outrage over Verisign's DNS wildcard scheme. Apparently ICANN did too. Friday, Verisign announced that it will suspend the service so both sides can discuss it. From the InfoWorld story:

The controversial Site Finder service unveiled on the Internet last month by VeriSign Inc. was temporarily suspended by the company late Friday after the Internet Corporation for Assigned Names and Numbers (ICANN) demanded that the feature be halted immediately due to concerns about its effects on the Internet. In an announcement late Friday afternoon, Mountain View, Calif.-based VeriSign, which oversees the main Internet database of .com and .net domain names, said it will suspend the service to provide time for both sides to discuss and resolve the matter.

When no one's in charge, this sort of thing is bound to be a problem. Mind you, I'm not advocating that someone should be in charge, but it's interesting that even though there was general outrage within the tech community about this, there was little anyone could do. ICANN is well positioned to force a change. I'm glad they stepped in.

1:50 PM

Share Documents Safely

Information security has traditionally been handled at the network perimeter, its focus on defending the edge of the organization with firewalls and hardened servers. Cyber-Ark's Inter-Business Vault takes an alternative approach, storing sensitive data in digital vaults that -- by limiting data access channels and encrypting data on disk and in transit -- provide extraordinary security.

A bank, for example, could use Inter-Business Vault to share lock-box, automated clearing house, and account reconcilement processing records with its commercial customers. These processes have traditionally been done using homegrown applications that integrate FTP with encryption, couriers, faxes, VPNs, and leased lines. Not only are such solutions difficult to deploy and hard to automate, but they're also difficult to analyze and, hence, to trust. [Full story at InfoWorld...]

This is not the usual kind of product I review. Wayne Rash asked me to do it and it sounded interesting. What I got was an education in Windows security and that was well worth the price of admission. The first part of the installation, and indeed the part that consumes 90% of getting the product running, consists of updating Windows, uninstalling things from Windows, turning off services, and making registry changes. When you're done, you've got a very locked-down box. Installing the Inter-Business Vault adds just those services that the vault controls.

A word of warning: this product takes a dedicated machine. Nothing else runs and any network communication with the machine other than that supplied by the vault is verboten. Even the CD is disabled. In a production environment, this is exactly what you want, but it had some unintended consequences for me. First, I started working on this review in July and then got interrupted by some other things. As a result, the laptop I used for the testing was completely unavailable to me for the better part of six weeks. The other problem I had to solve was getting the screen shots off the machine. I had to stick the JPEGs in the vault and use the vault's Web interface to transfer them to my Ti-book.

Of course, security comes through process, not products:

With so many ways to access and modify files in the Vault, and the ability to delegate authorizations, Inter-Business Vault makes file sharing much easier. In fact, the hardest part of using Inter-Business Vault isn't deploying and operating the product -- it's creating an identity management strategy that correctly accounts for documents and other resources in need of protection, for the people who will access them, and for the authorizations that each person has with respect to the resources. Installing the Vault will only make data more secure if the right data is kept in the vault and users are permitted access only to the data they need. If an enterprise understands how it will manage resources and users, and puts useful policies in place, Inter-Business Vault can be a critical piece of infrastructure for securely sharing files with employees, customers, and partners.

7:31 AM

October 4, 2003

RSS for Court Decisions

Rory Perry, Clerk of Court, Supreme Court of Appeals of West Virginia, has published an article entitled Syndication and Weblogs: Publish and Distribute Your Court Information to the Web. The document goes into some detail about how West Virginia has created RSS feeds for Recent Opinions, Civil Topics, Criminal Topics, and Family Topics. He also gives resources for using RSS.

The Utah courts have done a good job of putting together information resources on things like court opinions. There's even an email notification tool. So far, no RSS, but creating it from what they already have wouldn't be difficult.

10:39 AM

October 3, 2003

Pushing the Rope: How States Can Drive IT Innovation

In this month's Governing Magazine, Tom Davies' column is about the surprisingly small amount of influence states have on IT even though their total spend is roughly equivalent to the spend by the Federal government. The Feds, of course, have a huge influence. Tom writes:

Since the first generation of computers, the federal government has played a critical role in shaping the evolution of the technology industry. It was the federal government that sponsored the original research and development during WWII that led to what is now the computer industry. It was the federal government that purchased the first generation of computers for civilian use to help carry out the census in 1951. And it was the federal government that financed the creation of the network that was the forerunner of the Internet. Even now, the federal government continues to pioneer new security and information search technologies.

The problem is that the $50 billion in IT spending done by the states and municipalities is much more fractured than that of the Federal government.

While fragmentation is a fact of life, it need not be an insurmountable barrier to acting in concert. Where state and local governments have been able to pool their purchasing, such as with volume purchases of commodity technology products on statewide buying schedules, it has served them well. But being heard in the marketplace is not just about getting the best possible price on a purchase. It's also about influencing what new products and services are brought to market. And it is here that acting with one voice would best serve the interests of state and local governments.

WSCA, the Western States Contracting Alliance, is an example of the kind of volume purchasing contract that States have been able to put in place. To create the kind of influence in the marketplace that Tom wants, however, will require more than WSCA; it will require nothing less than inter-state interoperability frameworks (read: enterprise architectures), much like the Europeans are doing.

Here's how it might work: if each state and large municipality in WSCA had a fairly comprehensive interoperability framework, and WSCA, or some other organization, coordinated meetings where states could agree on a WSCA interoperability framework and agree to live by it, then the organization could start to create its own standards for situations not covered by industry-wide standards and drive the market. It could work, but it would require someone like the Western Governors' Association to coordinate it and bring it to life.

7:43 AM

October 2, 2003

Negroponte on Rethinking Telecommunications

As part of a larger Wired News article, Nicholas Negroponte talks about rethinking telecommunications:

Telecommunications is now at a cusp, after "almost ice-age economics over the past few years," he said. But the cusp is historical, not simply economic. "This cusp is much more fundamental and intellectual and comes from looking at things in a different perspective," he said.

For example, Negroponte talks about business models:

Overall, the industry must totally rethink the way in which it values revenue streams, he said. Right now, telecoms still think in terms of revenue generated per user, from a single handset. Yet the world is moving toward an era of multiple devices and the possibility of having intelligent microchips embedded in almost any object, from a refrigerator to an automobile to the family dog. Such objects will need communication services, but the telecommunications operators are stubbornly resisting any change to their existing business models, Negroponte said.

OnStar is a good example of a consumer device that needs communications services. My refrigerator doesn't yet, but it will once everything in it has RFID tags. Or maybe just my garbage can. You might just say: hook them all on the net. That's great at an abstract level, but some of those bits are worth more to me than others. Companies are leaving money on the table by not charging me differentially based on how valuable the bits are. All bits are not created equal.

2:27 PM

Better Blog Quoting: Preserving Source Attributes

Jon has picked up on my quote bookmarklet idea and extended it so that it preserves the links and other source information in the quoted matter. That was on my list of things to do.

Links are powerful tools that we're still learning to use, but citation is more than just linking. I'm becoming deeply interested in how we can publish fragments that are easy to cite and that, when cited, carry rich context with them. Phil Windley's quote bookmarklet is an example of what can be done. If you are running Mozilla and want to see a markup-preserving variation on that theme, select some text on this page and then click here. For best effect, sweep out a selection that crosses an element boundary, for example everything from "Windley's" through to "an example" in the sentence before the previous one. You should get this complete paragraph, a la Mozilla's right-click View Selection Source feature, plus some metadata.

Jon's entire post is worth reading as he gets into the issue of citations and URLs.

10:58 AM

October 1, 2003

More Interoperability Frameworks for eGovernment

If you have any interest in the enterprise architecture and standards activities of governments outside the US, like Britain's GovTalk program that I featured yesterday, here are some links to a few more interoperability frameworks:

I've been giving thought to the contents of an interoperability framework. They are, of course, mostly about listing standards, but there are some other important parts that I put under the general category of "Guidelines:"

  • Governance: How is this document maintained and by whom? What is the process for changing it?
  • Application: Where is this reference profile applicable and to whom?
  • Adoption: When does it need to be adopted if it is applicable?
  • Exemptions: Are there any exemptions or provisions for requesting such?
  • Alignment: What are the policies on aligning this NIF with other NIF and EA efforts?

In addition, each standard needs a status. Here are the ones we came up with in Utah:

  • Approved: An Approved standard is critical to the Enterprise and will be enforced.
  • De Facto: A De Facto standard identifies choices that are widely accepted because of widespread use within the enterprise and industry.
  • Emerging: Emerging standards may have future value within the enterprise but have proven no specific benefit at the time. The enterprise may be conducting a pilot project to establish the potential benefits and risks of selecting this standard.
  • Sustained: A Sustained standard indicates a standard or practice that no longer shows promise but is still used or even expanded because of a prior standards solution.
  • Migrate From: A Migrate From designation refers to a standard or practice that has been abandoned for a better solution. It is not a favored standard yet continues to be in use in the enterprise. Ministries should plan to migrate away from solutions assigned with this designation as soon as practical.

3:11 PM