January 31, 2005
Digital Identity Nightmare
Via Kim Cameron comes this ACLU-produced video of your worst digital identity nightmare. What keeps this from happening? I'm not sure. If you watch the video, you'll see that almost all the information that is revealed comes from two-party transactions where both sides have an ownership stake in the information from the transaction. By what right can I claim ownership of the data in a two-party transaction? I don't think that the mere fact that one party is an individual and one is a corporate entity is enough.
6:20 PM | Comments (1)
More on One-Click RSS Subscriptions
Dave Winer has proposed a solution to the problem of proliferating "click-here-to-subscribe" buttons for every aggregator in existence. In a comment to an entry I wrote a while back on Dave's proposal, Boris Mann asks why the Syndication Subscription Service isn't the solution. In another entry Tim Bray points to the Atom solution to this problem. These three all solve the problem, but in different ways. Here's my analysis of how they work:
A Big OPML Repository in the Sky
We might call Dave's proposal the "big OPML repository in the sky." Dave proposes a server, based on code in the public domain, that houses your OPML file. When you click the "subscribe" button, the URL of the feed you're subscribing to is added to your OPML directory of feeds, and your feedreader knows to check that first every time it goes out to check for new news.
One thing I like about this approach is that it's pretty simple, requiring changes from the feedreader builders, but not the users or RSS hosters. I also see other uses for technology like this in building directories for RESTful Web services. The big downside, in many people's minds, is the centralization that it imposes by gathering together all the OPML files in one place. I can understand that.
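The subscribe step of such a repository, as an added example (this is not Dave's code or any project's): the function names, the HTTP(S)-only rule, and the de-duplication policy are assumptions. Because the server stores a URL supplied by a click on someone else's page, it validates the URL before writing it into the user's OPML.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Assumption: a feedreader should only ever be pointed at HTTP(S) feeds.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample: an empty subscription list in OPML.
EMPTY_OPML = ('<opml version="1.1"><head><title>My subscriptions</title></head>'
              '<body /></opml>')


def normalize_feed_url(url: str) -> str:
    """Validate a feed URL and return the canonical form used for de-duplication."""
    parts = urlsplit(url.strip())          # urlsplit lowercases the scheme
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"refusing feed URL with scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("feed URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("feed URL must not embed credentials")
    host = parts.hostname                  # already lowercased by urllib
    if ":" in host:                        # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if parts.port is not None:
        host += f":{parts.port}"
    # Path and query are case-sensitive and kept as given; the fragment is dropped.
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def _parse(opml_text: str):
    """Parse OPML text and return (root, body), rejecting other documents."""
    root = ET.fromstring(opml_text)
    body = root.find("body")
    if root.tag != "opml" or body is None:
        raise ValueError("not an OPML document")
    return root, body


def feed_urls(opml_text: str) -> List[str]:
    """List the xmlUrl of every outline in the subscription list."""
    _, body = _parse(opml_text)
    return [o.get("xmlUrl") for o in body.iter("outline") if o.get("xmlUrl")]


def subscribe(opml_text: str, feed_url: str, title: str) -> Tuple[str, bool]:
    """Add feed_url to the list; return (OPML text, True if it was newly added)."""
    canonical = normalize_feed_url(feed_url)
    root, body = _parse(opml_text)
    for outline in body.iter("outline"):
        stored = outline.get("xmlUrl")
        if not stored:
            continue
        try:
            if normalize_feed_url(stored) == canonical:
                return opml_text, False    # already subscribed: leave the file alone
        except ValueError:
            continue                       # a stored entry we would not accept today
    # ElementTree escapes the attribute values, so a hostile title cannot break the XML.
    ET.SubElement(body, "outline", {"type": "rss", "text": title, "xmlUrl": canonical})
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    doc, added = subscribe(EMPTY_OPML, "HTTP://Example.COM/feed.xml#top", "Example feed")
    print(added, feed_urls(doc))
```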
Building Custom Subscriber Pages, One User at a Time
The Syndication Subscription Service (SSS) builds a custom page for you with an icon for every feedreader it knows about. You click on the "subscribe" button and then select your feedreader from the list.
SSS has the advantage that it's in place now and works. I don't like the two-step process, however. I also think it's less generalizable for other kinds of WS directory applications. SSS is decentralized in the sense that it doesn't require users to store their OPML files there, but it's still one place and, as far as I know, the source code isn't public domain.
Client-Side Linking
The Atom solution proposed by Tim relies entirely on client-side linking. RSS feeds are identified on the page with a URL and the server is configured to return them with a media-type of application/rss+xml. A properly configured browser then hands off the URL to the feedreader.
The nice thing about Tim's solution is that there's no server to interpret the data; this solution is completely decentralized. The downside is that browsers have to be configured to interpret the media-type correctly and RSS servers have to send the right media-type. This solution, as a WS directory, most closely resembles WSIL and that's not all bad.
Combining Models
At the risk of complicating this well beyond what is needed, I've been wondering how we could take Dave's suggestion (which I like in principle) and generalize and decentralize it a bit. My idea is to create a hierarchical system not unlike DNS where people can choose to store their own OPML and organizations can delegate the storing of OPML to sub organizations. I know, it's more complicated, but as a RESTful way of doing WS directories, it would be extremely flexible and decentralized. That's more interesting to me than just solving the subscribe button problem.
11:10 AM | Comments (2)
January 29, 2005
Lexus Infections
It had to happen: Now your car can get a virus from your Bluetooth phone. I was just talking to someone yesterday about how they love their LS430 and the Bluetooth integration to the built-in handsfree. Now, SC Magazine is reporting that some Lexus and Landcruiser models are susceptible to a virus they pick up from mobile phones serving as the vector.
Lexus cars may be vulnerable to viruses that infect them via mobile phones. Landcruiser 100 models LX470 and LS430 have been discovered with infected operating systems that transfer within a range of 15 feet. From SC Magazine
Referenced Sat Jan 29 2005 14:32:12 GMT-0700
The virus infects the car's navigation system, which is based on the Windows OS. Having a virus in the navigation system probably isn't life threatening to most people, but one could imagine scenarios. Life-critical systems like brakes and steering are, at least for now, not controlled by systems that rely on Windows.
Last year 13,000 Bank of America ATMs were infected by the Slammer worm after they moved to a Windows-based operating system.
Some might ask why someone doesn't invent something to detect viruses. It turns out that that problem is equivalent to the halting problem and thus impossible to solve. The best we can do is to restrict virus vectors and protect against known variants.
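The self-reference argument behind that impossibility claim, as an added example (not from the original post): in this constructed toy model a "program" is a Python callable that only reports whether it would spread, and every name is hypothetical. Each detector is right about the plain programs it was built for, yet wrong about a program constructed to consult that detector and do the opposite.

```python
from typing import Callable, Dict

# Toy model (constructed): a program just reports what it would do when run.
Program = Callable[[], str]            # returns "spreads" or "benign"
Detector = Callable[[Program], bool]   # True means "this program is a virus"


def plain_benign() -> str:
    return "benign"


def plain_spreader() -> str:
    # Stands in for self-replication; nothing is copied or modified.
    return "spreads"


def make_contrarian(detector: Detector) -> Program:
    """Build a program that asks the detector about itself, then does the opposite."""
    def contrarian() -> str:
        return "benign" if detector(contrarian) else "spreads"
    return contrarian


def always_flag(program: Program) -> bool:
    return True


def never_flag(program: Program) -> bool:
    return False


def signature(program: Program) -> bool:
    # "Protect against known variants": recognises only what it has seen before.
    return program is plain_spreader


def make_sandbox(max_depth: int = 5) -> Detector:
    """Detector that decides by running the program, with a bounded budget."""
    depth = 0

    def sandbox(program: Program) -> bool:
        nonlocal depth
        if depth >= max_depth:
            # Without this cut-off, analysing the contrarian would never halt:
            # running it re-enters the detector, which runs it again, and so on.
            return False
        depth += 1
        try:
            return program() == "spreads"
        finally:
            depth -= 1

    return sandbox


DETECTORS: Dict[str, Detector] = {
    "always_flag": always_flag,
    "never_flag": never_flag,
    "signature": signature,
    "sandbox": make_sandbox(),
}


def is_correct(detector: Detector, program: Program) -> bool:
    """Compare the detector's verdict with what the program really does."""
    return detector(program) == (program() == "spreads")


def evaluate(detectors: Dict[str, Detector]) -> Dict[str, Dict[str, bool]]:
    """For each detector: is it right about two plain programs and its contrarian?"""
    return {
        name: {
            "plain_benign": is_correct(det, plain_benign),
            "plain_spreader": is_correct(det, plain_spreader),
            "contrarian": is_correct(det, make_contrarian(det)),
        }
        for name, det in detectors.items()
    }


if __name__ == "__main__":
    for name, row in evaluate(DETECTORS).items():
        print(f"{name:12} {row}")
```

Any detector that always returns an answer can be substituted and the contrarian column stays false, which is why practical defences settle for restricting vectors and matching known variants.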
2:30 PM | Comments (1)
GotzeTagged
John Gotze has improved his GotzeLink service and rechristened it "GotzeTagged." He says that it has some new features:
- Gotze Suggest, that suggests resources as you type. Choose between titles, categories/tags, or search log words.
- More holistic user interface. Increased and much improved system of relations between resources.
- Integration of social technologies and various web services. Del.icio.us etc.
- Improvements in the XML-feeds.
Good work John!
2:14 PM | Comments ()
January 28, 2005
Textbook for Middleware and Distributed Systems Course
I think that next fall, I will use Web Services: Concepts, Architectures, and Applications by Gustavo Alonso, Fabio Casati, Harumi Kuno, Vijay Machiraju as the text in my large-scale Internet systems course. The book talks about Web services in the broadest sense of the term and has nice coverage of middleware as well. I like it.
2:59 PM | Comments ()
Parsing XML Into Scheme
At Patrick Logan's suggestion I put together a Web page for my CS330 class that gives step-by-step instructions on parsing XML into Scheme using SSAX in DrScheme.
11:37 AM | Comments ()
January 27, 2005
The Dos and Don'ts of Accelerating Your Funding Success
This morning, UITA held a breakfast meeting in Utah County with David Bradford and Fraser Bullock. David is the former General Counsel at Novell and does venture capital funding now. Fraser was the COO of the Salt Lake Organizing Committee for the 2002 Winter Olympics and is now the CEO of Sorenson Capital. The topic was "The Dos and Don'ts of Accelerating Your Funding Success."
David says that the initial impression that you make on a potential investor is the most important meeting you'll have. That meeting may be in person, or it may be the business plan, an executive summary, or a PowerPoint. Investors don't want to cull through a lot of information. The typical investor will initially only spend five minutes looking at the business plan or summary. Highlight the most important points. Investors are looking for ways to say "no." What are the most important things you can do?
- Make sure you relate to a specific pain that's being felt in the marketplace. Pain is a market opportunity. David tells the story of two real companies. Company A had $21M in sales last year and an EBITDA of $3M. Company B had $250K in sales. They were both founded in 1998. What's the difference between these two companies? Company A knew that State and Municipal governments were overpaying workers compensation claims. Their business plan talked about the specific problem they solved. Company B's business plan talked about why they had great founders and how they were going to solve the "homeland security problem."
- Don't over-hype your company. Leave out the superlative phrases. Lay out the facts. Let the investor judge the quality of what you're doing.
- Don't try to be all things to all people. Most investors prefer to see a focused strategy. Founders see all the ways that their company can create value, but investors want to see the focus.
- Have a sound "go to market" strategy. Make sure it's clear how you're going to approach the market. Don't talk about all the ways you might reach the market. Pick one and develop it.
- Don't say "we have no competition." Talk realistically about your competition and why you're better. "No competition" translates into "no market need." Anyone else who's competing for the same dollars is your competitor.
- Keep your presentation concise. Economize on your words. An ideal executive summary is one or two pages. An ideal PowerPoint is ten slides. Don't be boring. Document the details elsewhere, such as the R&D plan, the sales plan, or the marketing plan.
- Don't be too technical. Business plans written by techies tend to be filled with jargon that the investor won't understand. The technical details can be fleshed out in the due diligence.
- Get an introduction from a trusted source. It's difficult to get a meeting with a cold call.
- Understand that only cash is cash. Revenues, profit, etc. are not cash. Too many companies get into trouble with cash flow even though the accounting numbers are OK. Slight timings of when cash comes in can bankrupt your company.
- Don't wait until it's too late to go out and get your funding. Allow plenty of time to raise money. Assume that it will take 6-12 months from the time you make your first investor presentation until you have cash in the bank.
Fraser mentions an alarming statistic. In 1983, Utah's average wage was 96% of the national average. Today, the average wage in Utah is 76% of the national average. If you go through the math, any job less than $36,000 per year is a net drain on the economy. Raising money is tough work, but it creates companies that provide high paying jobs. Here's Fraser's advice:
- The ultimate success factor in your business is "is it a good business?" What are the distinctive competitive advantages that you have? This starts with the management team. They need to be tenacious. They need to have done it before. They need to know what it means to survive. Fraser recommends "Good to Great." Look at the depth of the management team.
- What is the compelling business need for what you do? For people to change their behavior, you have to have something that's ten times better. It can't just be a minor change.
- Are you better than the competition? Always look at your competitors because they're coming after you.
- What are your distribution channels? You can have the best product, but if you don't have great distribution channels, you can't sell your product. Business to business is easier than business to consumer. Strategic relationships that are real are invaluable. Form the strategic relationships.
- Executing your business plan will take longer and cost more than you think. This is a tough balancing act because you want to raise the minimum amount of money you can to avoid dilution, but you have to have enough to survive. Your funders will require that you live with your business plan. Make sure you can.
- Get a good board of directors. Large boards are ineffective. Five to seven people is optimal. Pick them carefully. Find people who can give you good guidance, can give you opinions and can network you.
- Watch every penny. A company's money is a precious resource. Don't waste it. Distinguish between "must-haves" and "nice-to-haves." Set an example from the top. Fraser recalls that the first SLOC board meeting after he and Mitt came on board, they served pizza and charged the directors a buck a slice. That sends a message.
10:16 AM | Comments ()
The Human Element
Sean Nolan wrote to tell me a story that illustrates the weak link in many customer interaction systems:
So I’m waiting in line at Safeway to buy groceries. Like most supermarkets these days, they’ve got a loyalty card program and offer reasonable discounts at checkout for cardholders. An older man in front of me wants to purchase items that are on a card special, but doesn’t have his card and can’t remember his phone number. The clerk says, “hmm, wait a minute.” He starts punching in phone numbers at random, and after a few tries gets a “hit” and uses it to apply the discount.
I wonder who just had hemorrhoid cream added to their past-purchases profile?
Gotta love that inevitable weak link in business intelligence systems.
7:31 AM | Comments (3)
January 26, 2005
XML and Scheme
I put together a small demonstration of how knowing programming language concepts and Scheme can help you understand XML. My point isn't to show how to do XML inside Scheme or to say Scheme is better than XML. My point is simply to demonstrate that the things my students have been learning in class, which can seem pretty disconnected from things they read about in the trade press, are actually on point. In this case, they see that what they've been doing with BNF, s-expressions, and data-driven programming can help them understand XML and how it is processed.
9:04 PM | Comments (4)
BTL: Customer Interaction Points
I've posted an article on building customer interaction hubs at Between the Lines.
8:25 PM | Comments ()
GovTech News RSS Feed
Government Technology News has RSS feeds. Recently the Web site for Utah's CIO started using those feeds to display Gov Tech News. A story at Gov Tech News tells how they did it. Basically it's a JavaScript connected to John Gotze's feed parser at his Slashdemocracy site. I don't know that having Gov Tech News on the CIO Web site is all that important, but this shows how other agencies and groups can use RSS on their Web sites and that example is important.
3:19 PM | Comments ()
Performance Monitoring on VMWare ESX
I met with a Systems Engineer from VMWare this afternoon. Some of my students are working on a performance study of VMWare and so I took the opportunity to pick his brain on how to get performance data from the server. There are two levels at which you need to gather data: the virtual machine and the host machine. Here's what I found out:
perfmon gives good data for everything but the CPU on the virtual machines. Because the host machine is running ESX (a modified Linux kernel) you can't directly run perfmon. For the host machine itself, there are several options:
- VM VirtualCenter gives usage data, but the default polling interval is five minutes. This isn't fast enough. The polling interval can be reduced, although I still have questions whether or not we can create
- esxtop is a special version of top that can run on the host machine.
- vmkusage is an HTTP accessible program that gives host and virtual machine usage data.
Another question I've had is about resource constraints. We bought boxes that were maxed out in CPUs and memory. We're concerned that we'll run into network bottlenecks. I've known that we can buy a quad NIC and assign ports, but I didn't know that ESX will gang the quad NICs together and let do resource allocation to the virtual machines.
We also talked about using VMWare in a disaster recovery situation. Because the virtual machines look like files, they can be backed-up. Then you can recover back-ups daily to an off-site VMWare host and in the event of a disaster, be ready for a warm-start on the backed-up servers. You're a day behind, but could be rolling in a matter of minutes.
2:55 PM | Comments (2)
Becoming an IEEE Author
A humorous look at becoming an IEEE author.
10:46 AM | Comments ()
Choosing a Host That Isn't Toast
A recent Baseline Magazine article, Choosing a Host That Isn't Toast, talks up AT&T Web Hosting. The name confused me--they're not just talking about Web hosting, they're talking about data centers. If you read the article without any background, you'll wonder if it isn't part of some special advertising section since it can't say enough about AT&T's hosting products. I don't have any experience with AT&T's hosting in the last 2-3 years, but I can vouch for their excellence before that.
At iMall and Excite@Home I had many opportunities to work with these people and understand their processes. As iMall, we built AT&T's shared Web hosting product (and won PC Magazine's Editor's Choice award) and, of course, at Excite@Home, AT&T was all over us as one of the owners. I didn't much care for their politics, but I can tell you that their people, their process, and their discipline were all top-notch. We spent a lot of time studying them and learning how they worked. Some of those ideas are in my whitepaper on tiered support, but a lot of the magic is in the people and the organization that you build.
As the article states, AT&T isn't the cheapest place to host--they're among the most expensive, charging a 15% premium over other, similar services. Is it worth it to you? Here's how I'd play it. If your organization is fairly mature, layering that on top of any good hosting provider will probably give you all you need. If you're immature or just trying to develop operational discipline, the 15% will buy you some backstopping that will probably pay for itself in increased stability of your online operations.
7:39 AM | Comments ()
January 24, 2005
Building a Better Relationship, One Customer at a Time
Doc Searls quotes me on his latest Suitwatch: Building a Better Relationship, One Conversation at a Time.
4:42 PM | Comments ()
How Others Podcast
Steve Holden catalogues the technology and techniques that a dozen or so sites use to create their podcasts. I wrote up my own podcasting HOWTO a while back.
3:37 PM | Comments ()
BTL: Don't Look for Innovation in Laptops
And on the topic of innovation, I wrote a piece over at Between the Lines on why we shouldn't cry too much about the outsourcing of laptop design to Chinese vendors.
2:58 PM | Comments ()
Innovation in Utah
One of newly elected Governor Jon Huntsman's first moves on economic development was to get the University of Utah to appoint an "innovation czar." Jack Brittain, Dean of the Business School, is now taking on this task as well.
Brittain said his job is to create as many jobs as possible in Utah by commercializing innovations that come out of the U. "It is also my job to make sure that current Utah businesses have access to the scientific might that is at the University of Utah, to help them develop competitive advantages and expand employment in Utah."
He said he intends to "dream big for Utah" by encouraging the outstanding science at the university to focus on potential new industries.
Brittain likened the mapping of the human genome in 2003 to Columbus' discovery of the New World in 1492. "Everything will change," he said.
According to Brittain, the U. is a world leader "in many areas necessary to take advantage of this opportunity, and we're determined to chart the course others will follow, and use this science to make Utah a leader in the world just over the horizon." From deseretnews.com | U. names 'innovations czar'
Referenced Mon Jan 24 2005 14:36:09 GMT-0700
Jack's a good guy and I wish him well. I'm anxious, however, to hear some specifics of how exactly this will work. I'm leery of University "technology transfer" efforts because I've not seen them offer the right incentives to get professors interested. One thing I'd like to see quickly is an analysis of how policies at the U affect the ability and willingness of faculty and grad students to commercialize their work. Here are a few examples of how they might do this:
- If you want to affect this in a positive way, increase the credit professors get for technology transfer.
- Ensure professors can get time away from the university to work on commercial projects.
I was in this boat (at BYU) and was often discouraged by the need to "choose" between my academic future and the possibility of creating a commercial success. Universities can do more to make this less of an either/or option and more of a slight detour.
12:02 PM | Comments (1)
January 22, 2005
A Blizzard of Unhappy Customers
On any other day I might have just blown past this Wired article on the problems that Blizzard Entertainment's having with subscribers to its World of Warcraft game. I'm not personally all that interested in computer games, online or otherwise. What made it stand out for me is that my sixteen-year-old son is one of their unhappy customers.
[N]o one knew how quickly World of Warcraft would take off, and the downside to such instant success was that the game's servers rapidly got overwhelmed, leading to server shutdowns and delays.
"The success we've been experiencing since launch has been more than even we expected or hoped for," said Blizzard community manager Paul Della Bitta. "Unfortunately, that uncovered a few hardware issues with our infrastructure."
The game's server problems got so bad that Penny Arcade, an online gaming site, pulled its designation of World of Warcraft as game of the year until the problems go away.
Like most MMOs, World of Warcraft is intended to be available 24 hours a day, seven days a week, except for certain planned maintenance. Players pay up to $15 a month for full-time access to the game, and as such, expect to be able to play whenever they want. That's why, in spite of the fact that so many people love the game, there has been a vocal outcry from those who have experienced the server problems. From Wired News: Dealing with Great Expectations
Referenced Sat Jan 22 2005 15:19:46 GMT-0700
My son loves playing Warcraft, so when the new game came out, he went right out and laid down the $50 for the game. Of course, since it's an online game, you can't play without a subscription, so he also laid out $30 for two months of game time. Now, $80 may not sound like a lot to you or me, but to him, it's about 2 months' salary from his only part-time job. Imagine you'd just laid out 2 months' salary for something and then it wasn't available when you wanted to play. You'd be as upset as he was. I suspect that Blizzard has a lot of other customers in the same boat.
What made things worse was that the error messages were wrong. They claimed that he didn't have an account, even though he'd just signed on about an hour before. As I write this, he's happily signed in using the account that supposedly didn't exist two hours ago. Customer service wasn't any help either; the online information was out of date and the phone support was down for the weekend.
Blizzard is finding out what so many others in the Internet space have learned before: having recurring revenue from your customers is nice, but it comes at a steep price in operational excellence and customer service.
I've been in the position Blizzard's in now and while it's great to have unexpected success, it's also nerve-racking. The pressure is intense because these kinds of problems can kill an otherwise outstanding product. Hopefully Blizzard will get a handle on this quick. It looks like they've got a winner and if the problems are fixed quickly, they'll be perceived as growing pains. If they're not, players, like my son, won't be likely to keep shelling out monthly fees.
3:15 PM | Comments ()
January 20, 2005
The Bush Doctrine
David Gergen on CNN, commenting on Bush's inaugural, says that it's a surprise that Bush's strategy is "far more ambitious than we ever imagined. His strategy is not simply going after Iraq and going after Saddam. Nor is it simply going after Al Qaeda. It is rather to expand liberty across much of the world." This is not news to me. I've understood that that was Bush's strategy for a long time. What's sad is that it probably is news to many. This is the Bush Doctrine and if he can pull it off will define his Presidency. That's why it was upfront in the speech. The biggest failure of Bush's team in the first term was to clarify this doctrine and make it part of the national debate.
I'm hopeful that this speech marks a much-needed change and that we'll see this discussed and debated. For any doctrine to be successful it has to become part of the national consciousness in a way that ensures that it lives past its founder. Truman's Doctrine of containment in the face of communism, for example, lasted for 40 years. That's what Bush and his team have to get right if they want to truly change national and global rule sets.
10:51 AM | Comments (5)
GovTech Picks Up My Story
GovTech picked up my story on shaking IT up in Utah and syndicated it on their site. I've had other, less public, interest in it as well.
10:43 AM | Comments ()
January 19, 2005
OOP Is Better In Theory Than Practice
In a DevX article, Richard Mansfield argues that OOP is better in theory than practice. Here's the intro to the article:
Think object-oriented programming (OOP) is the only way to go? You poor, misguided soul. Richard Mansfield contends that OOP is just the latest in a history of ideas that sound good in theory but are clumsy in practice.
Like many ideas that sound good in theory but are clumsy in practice, object-oriented programming (OOP) offers benefits only in a specialized context—namely, group programming. And even in that circumstance the benefits are dubious, though the proponents of OOP would have you believe otherwise. Some shops claim OOP success, but many I've spoken with are still "working on it." Still trying to get OOP right after ten years? Something strange is going on here. From OOP Is Much Better in Theory Than in Practice
Referenced Wed Jan 19 2005 15:01:22 GMT-0700
I personally have a few beefs with Richard's arguments in the specific, but not his general direction. Even if you don't accept Richard's argument, I think it's interesting to read this article alongside some of Paul Graham's essays. Java and other OOP languages are intended for a particular kind of programming. Paul calls it "accreting programs as a series of patches." I love that phrase. What if you're not doing that kind of programming?
One of the big value propositions of OOP is code-reuse and I argue to my students that we are getting better at code-reuse. However, that gain has been based more on packaged abstractions and frameworks (think PHP) than on components. Web services are the latest step in packaging abstractions.
3:02 PM | Comments ()
FBI's Virtual Case File May Be Unusable
The FBI has spent the last five years and $170 million trying to create an electronic document management system for its agents. The system is called Virtual Case File and it doesn't work. Only about 10% of the planned capacity has been implemented and an internal report by the DOJ's Inspector General says that it will be outdated before it's fully deployed.
Work on the Virtual Case File began in 2000. Five years later, the technology world has changed and the way the system was developed makes updating it virtually impossible. For example, the Virtual Case File can't create or transmit electronic signatures, nor could that capability be added. FBI officials also expanded the scope of the file's mission and began closer collaboration with the intelligence community following the Sept. 11, 2001, terrorist attacks, the official said.
Whether agency officials will press forward in completing the Virtual Case File remains to be seen, the official said. FBI officials have hired Aerospace to conduct an independent assessment, but a draft report from the Justice Department's inspector general already concludes the program will not work. The official refused to answer questions on the content of the draft report. From Virtual Case File a virtual bust
Referenced Wed Jan 19 2005 06:51:46 GMT-0700
The FBI is ready to scrap it and go back to their old paper-based system. Of course, SAIC and the FBI are pointing fingers at each other. SAIC's biggest complaints were scope creep and a "merry-go-round of managers:"
But SAIC said scope creep and a merry-go-round of managers made the project "incredibly challenging." According to a written statement released by SAIC on Friday, in the time the company has been working on the Trilogy project, the FBI had four different CIOs and 14 different managers. From FBI's Virtual Case File Flops
Referenced Wed Jan 19 2005 06:54:37 GMT-0700
The FBI is haunted by the same kinds of problems that cause projects in the private sector to fail, multiplied by ten: it's bigger and public-sector managers don't typically have the same control as private-sector managers. On top of that, they made two huge errors that probably put this project on the road to failure right from the start. First, they decided to roll their own. Every enterprise suffers from the temptation to think that their business is unique. Government is more apt to do that than most. There are always elements of truth to this, but the fact is that this was, at its heart, document management and there are commercial systems that do that.
Second, the FBI approached this as a single monolithic project. Time and time again, big projects fail. I see people making the same mistake in projects I'm familiar with. Iterative approaches can be more disruptive to workflow because they require people to adapt to multiple little changes over time rather than one big change sometime way out in the future. Even so, they're the only way I know how to do projects that work. This also plays into the architecture. Viewing it as a series of loosely coupled applications, rather than a single system, pays huge dividends in getting it done and maintaining and upgrading it once it's online.
Interestingly, we see big projects fail in the private-sector. In the public-sector, where big takes on a whole new meaning, they almost always fail. I'm thinking, for example, of the FAA's flight control system that's been in the works for 20 years. I don't know if we'll ever understand how to build monolithic projects on the scale that the Feds require, but I know that we don't have to try. There are other ways to approach the problem.
6:47 AM | Comments (3)
January 18, 2005
Scott Lemon on the Axioms of Identity, An Interview
I've wanted to start interviewing some of the players in the digital identity space. I decided to start with Scott Lemon because he's a good friend and so I was sure I could count on him to be sympathetic to the technical problems I was sure I'd encounter. Here's the direct link to the MP3 and it's on my podcast RSS feed as well. Scott was one of the leaders of Novell's Digital Me project, an early effort in digital identity. That project shaped Scott's views of what identity is and how digital systems can be built to support how we use it. I enjoyed the conversation.
My set-up was a JK Audio THAT-2 phone tap and two phones (Cisco VoIP phones on the BYU system)--one phone to drive sound into the mixer and one for me to talk on. I called into a conference bridge with both phones and so did Scott in an attempt to equalize my and Scott's levels. There were a few problems.
- First, you can hear me breathing, even though I was trying to minimize it. I guess I need a different set-up. Maybe a headset will work better.
- Second, the levels weren't as even as I'd have liked them. I was still louder than Scott and had to de-emphasize myself in some places.
- Lastly, there's a hum. I suspect that there's a ground loop problem between the phone tap and my mixer. I'm not sure what to do about that.
I did more post-processing this time and cleaned up some of the "ums," "ahs," and "you knows." Plus I removed a lot of dead air. All told I cut 6 minutes of cruft from a 40 minute recording. Interesting.
So, listen, enjoy, and please forgive my technical glitches. Hopefully I'll get better.
9:02 PM | Comments ()
ASCIIMathML
Bob Denive wrote to tell me about ASCIIMathML, a system for using ASCII markup to create math formulas. There's a JavaScript program that does the conversion. I was aware of MathML (although not the ASCIIMathML variant), but like the greater flexibility of TeX. Admittedly that comes at a price.
8:44 PM | Comments ()
Tag Consensus
One of the problems with free form tags as a social categorizing mechanism is that different people will choose different tags for the same thing. Is the right tag for eGovernment e-government, egovernment, e-gov, egov, edemocracy, or what? The solution is to use blogs to drive consensus around tags. John Gotze is trying to do that with eGovernment. His proposal is egovernment. Works for me.
10:58 AM | Comments (4)
January 17, 2005
One-Click Subscriptions to RSS
Dave Winer is proposing a one-click subscription service for RSS feeds. The problem with the current set-up, as stated by Dave is:
Yahoo sends emails to bloggers with RSS feeds saying, hey if you put this icon on your weblog you'll get more subscribers. It's true you will. Then Feedster says the same thing, and Bloglines, etc etc. Hey I did it too, back when Radio was pretty much the only show in town, you can see the icon to the right, if you click on it, it tries to open a page on your machine so you can subscribe to it. I could probably take the icon down by now, most Radio users probably are subscribed to Scripting News, since it is one of the defaults. But it's there for old time sake, for now.
Anyway, all those logos, when will it end? I can't imagine that Microsoft is far behind, and then someday soon CNN is going to figure out that they can have their own branded aggregator for their own users (call me if you want my help, I have some ideas about this) and then MSNBC will follow, and Fox, etc. Sheez even Best Buy and Circuit City will probably have a "Click here to subscribe to this in our aggregator" button before too long.
From RSS:
Referenced Tue Jan 18 2005 07:42:36 GMT-0700
Dave proposes a service and a single, non-vendor specific icon that when clicked would add the feed to the user's OPML on the service. Dave even has a prototype to prove it works: feeds.scripting.com.
This differs from what Bloglines does in a few important respects:
- First, it's non-partisan, as it were.
- Second, it should tie back to the aggregator so that the aggregator knows to automatically go check the OPML at this service whenever it starts up and update the subscriptions. NetNewsWire, my aggregator, doesn't play with Bloglines.
I support this plan. I think it's a small step that provides real value. Furthermore, it begins a cooperative dialogue among various parties. Because Dave is proposing to make the code to the service public, this has the potential to become a lightweight version of UDDI for RSS and other RESTful Web services. I like that.
4:38 PM | Comments (7)
January 14, 2005
Shaking IT Up in Utah
Newly elected Utah Governor Jon Huntsman announced sweeping changes to Utah State government yesterday, including a plan to consolidate all 1000 IT workers in the state into a single department. (See stories in the Deseret News and the Salt Lake Tribune.) I've heard rumblings of this for the past few weeks and there are more than a few nervous people in the State IT ranks.
Huntsman also plans to shake up the information technology operations in state government that are now strewn across all programs and agencies without a centralized line of control. The state's chief information officer, for example, only technically has two employees, while the state employs about 1,000 information technology workers.
From Salt Lake Tribune - Utah
Referenced Fri Jan 14 2005 09:17:03 GMT-0700
While I think there's some merit to reorganizing State IT functions, there is much that could go wrong here. There are 1000 ways to do this wrong and only a few that will ultimately work. There are plenty of smart people advising the Governor on this--I'll offer a few suggestions in public:
Don't Overcentralize
State agencies can't be left without an IT function. In an era where IT is at the core of almost every business function, State agencies need IT advice and leadership that is steeped in domain knowledge. As I argued in my whitepaper on modular IT organizations, there are three primary functions that IT organizations perform: service provisioning (making the infrastructure work), solutions delivery (developing or buying IT solutions to business problems) and value innovation (figuring out how to derive business value from IT and meet business needs).
Of the three, service provisioning is easily consolidated and there are big benefits to doing so. The State's done that already with its network. The next logical place to do this is with desktop computers. Other possibilities include servers and data centers.
Value innovation has to remain in the agency. They're the only ones with enough domain knowledge to do it. This means that each agency ought to have a CIO and an IT staff, sized according to the agency's IT needs, that is responsible for the agency's IT decisions and works closely with the business to drive innovation.
Solutions delivery is already largely done somewhere other than the agencies since almost all solutions delivery is already outsourced. Solutions delivery must remain under the control of the agencies. Agency IT staff should act as the "customer," who is determining what they need and, most importantly, controlling the money. This is one of the primary responsibilities of the IT personnel who remain in the agency. There will always be some development in any IT organization and these people probably ought to be part of the central IT shop and hired as "consultants" as needed by the agency IT staff.
Give the CIO Authority
This plan will be a huge blow-up if the CIO doesn't have the right authorities. The primary goal of those authorizations will be to ensure the CIO can create policies that result in interoperability. Regardless of any other consolidation, agencies will always be in the business of buying and putting IT in place. Restrictions that disallow agency involvement in IT will prove to be too inflexible. To make this infrastructure interoperable, the CIO must be able to create and enforce policies that affect those decisions.
An important part of this is to ensure that the CIO doesn't actually run the IT Services. There should be a separate director of ITS. It's fine to have that person report to the CIO, but the CIO's role is about more than just running the centralized IT shop. As mentioned in the last paragraph, the CIO should also be creating policy. There's no point creating policy if it's not enforced and you can't effectively enforce policy and provide service from the same organization. The CIO needs a separate organization (not large) that writes and enforces policy. Utah could probably do this with 2-3 people. One of the biggest problems with ITS in past years has been that too many people in that organization see themselves in the role of policeman rather than service provider. That mindset has to be shelved or this plan will never work. Ensuring that the function is organizationally separate is one way to do that.
Change the Merit System for IT Workers
This plan will be nothing more than a reshuffling of bodies if there isn't some room to make sweeping changes in the make-up and nature of State IT workers. The State will end up with too many of some types and too few of others. The inflexibility of the State Merit System is out of touch with today's fast-paced world of IT. As CIO, I'd rather have 700 well-paid IT workers than 1000 underpaid workers. At the very least, the bill doing the reorganization ought to put a moratorium on merit system-induced employment requirements and restrictions for two years in the new agency while it gets everything worked out.
The most important thing is to give the new organization enough flexibility to succeed. Don't tie its hands with lots of restrictions and then wonder why it failed. I think it's important for Huntsman to do this early in his administration. There are the obvious political benefits, but I also think it's important that all the kinks get worked out well ahead of any change in the administration. Otherwise the gripes and complaints (and there will be plenty) get turned into political footballs and the next administration feels compelled to undo the changes when it comes in. This has happened in several other States.
Conclusion
Interestingly, if you'd asked me when I was CIO if I thought this was necessary, I would have given an unqualified "yes," but two years of introspection have convinced me that you can achieve most of what needs to be done without this kind of massive shake-up. You have to do consolidation to get savings, but there are less risky ways of getting the savings than by doing a massive shake-up. Remember, scavengers get fatter than predators in public service. The scavenger strategy here would be to just mandate desktop consolidation and give the CIO clear policy-making authority. Then leave everything else alone and see what falls out. I suspect that strategy would yield 90% of the benefits with almost none of the attendant risk of the more predatory full-scale restructuring.
9:12 AM | Comments (1)
Technorati Has Tags
Dave Sifry's at it again with another cool way to look at the web. Technorati now features tags. Tags at Technorati are the same concept as tags at Del.icio.us--informal categories that you make up on the fly. Technorati will automatically make tagged entries from the categories on your blog, or you can add this to your pages to make your own:
<a href="http://technorati.com/tag/[tagname]"
rel="tag">[tagname]</a>
Here are a few well populated tags at Technorati right now:
Technorati augments its material with links for the same tag at Del.icio.us and Flickr.
7:57 AM | Comments (1)
January 13, 2005
User-Augmented Customer Support
Jon Udell's column in this week's InfoWorld is entitled Open Source Documentation. Jon's noticed that you can often find better support information by turning to Google than you can by going to the company's support page. I've heard Dave Weinberger relate the same kind of experience with respect to finding pre-purchase information on a washer/dryer. Mr. Google almost always has the answer, whereas your typical support page is poorly organized and difficult to use. Even with that, the information you're looking for probably isn't there. As Jon points out:
Collectively, we users know a lot more about products than vendors do. We eventually stumble across every undocumented feature or quirk. We like to maintain the health of the products we've bought and we're happy to discuss how to do that with other users.
From InfoWorld: Open source documentation: January 07, 2005: By Jon Udell
Referenced Thu Jan 13 2005 21:36:43 GMT-0700
Jon proposes an interesting solution: vendor support for Wikipedia pages that provide users a forum for self-servicing. I don't know if Wikipedia is the right place or not, but I do think Jon has a great idea. Service organizations don't do enough to tap their users' collective knowledge. There's competitive advantage to the company that can figure this out and is brave enough to try it.
Bonus: In the same issue, there's a head-to-head review of four on-demand sales automation tools including Salesforce.com and a new offering from RightNow (CRM 7.0). Interestingly, RightNow scores the lowest of the group--falling down on integration and performance. The review praises its workflow subsystem and pans its dashboard.
9:29 PM | Comments (1)
Identity Reading List
While I was over at Kim's blog, I noticed he's posted Stefan Brands' reading list of papers and books on identity and privacy. Most everything on the list can be downloaded. I'm currently reading Digital Person by Daniel J. Solove. It's very focused on privacy. Solove tries to turn our metaphor for understanding privacy from Orwell to Kafka--it's an interesting idea.
9:25 AM | Comments ()
Aggregating Risk
Jamie Lewis reacts to the recent security breach at George Mason University where intruders made off with information about 30,000 students, faculty, and staff, saying "[A]s identity systems aggregate information, they also aggregate risk."
Kim Cameron, on the same subject, says that we need to assume our identity stores will be compromised at some point and plan accordingly:
We need to base our approach to these scenarios on the idea that one day, the store will be penetrated. We need then to reduce information in the store to the minimum required. We need to distribute information so breaking into one system gives away as little as possible. And more than anything, we need unidirectional identifiers such that only access to a metasystem allows assembly of cross-aspect information.
For example, there was no need for George Mason's ID system to contain social security numbers. Nor, bizarrely, is there probably any reason for it to contain student identification numbers. It could - I know this sounds primitive - just contain single-purpose identity card numbers. A metadirectory - which itself contained no substantive information - could provide glue to other identification contexts for those who merit it - and on a case by case rather than carte blanche basis. This allows many more controls and balances to be built into the system. (All of this is Law 4)
From Kim Cameron's Identity Weblog
Referenced Thu Jan 13 2005 09:07:55 GMT-0700
Kim's got a great point here. We frequently, because it makes the programs easier to write, gather all the data together in one place. Identity systems should be architected to return only the necessary information and have the ability to gather that information on demand from various places.
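One way to realize the single-purpose identifiers and content-free metadirectory described above, as an added Python sketch (not code from Kim Cameron, George Mason, or this blog). The HMAC derivation, the context names, the allow-list of approved links and the sample records are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Metadirectory:
    """Glue between contexts. Holds a key and opaque handles, no attributes."""

    def __init__(self, allowed_links):
        self._key = secrets.token_bytes(32)
        self._handles = {}                    # (context, pairwise id) -> handle
        self._allowed = set(allowed_links)    # {(from_context, to_context)}
        self.audit_log = []

    def _derive(self, handle, context):
        # One-way: a context's identifier reveals neither the handle nor
        # the identifier the same person has in any other context.
        msg = context.encode() + b"\x00" + handle
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def enroll(self, contexts):
        """Return one single-purpose identifier per context for a new person."""
        handle = secrets.token_bytes(16)
        ids = {}
        for context in contexts:
            ids[context] = self._derive(handle, context)
            self._handles[(context, ids[context])] = handle
        return ids

    def translate(self, from_context, pairwise_id, to_context):
        """Case-by-case linking: only approved context pairs, always logged."""
        allowed = (from_context, to_context) in self._allowed
        self.audit_log.append((from_context, to_context, allowed))
        if not allowed:
            raise PermissionError(f"{from_context} -> {to_context} not approved")
        handle = self._handles[(from_context, pairwise_id)]
        return self._derive(handle, to_context)


def linkable(store_a, store_b):
    """Keys an intruder holding both dumps could use to join the records."""
    return set(store_a) & set(store_b)


def build_demo():
    # Constructed sample people; the SSNs are deliberately invalid values.
    people = [("Ann", "000-00-0001"), ("Bob", "000-00-0002"), ("Cy", "000-00-0003")]

    # Aggregated design: every system keys its records by SSN.
    naive_card = {ssn: {"name": name} for name, ssn in people}
    naive_library = {ssn: {"loans": i} for i, (_, ssn) in enumerate(people)}

    # Directed design: each store sees only its own single-purpose identifier.
    meta = Metadirectory(allowed_links={("id_card", "library")})
    card, library, health = {}, {}, {}
    for i, _person in enumerate(people):
        ids = meta.enroll(["id_card", "library", "health"])
        card[ids["id_card"]] = {"card_no": 1000 + i}
        library[ids["library"]] = {"loans": i}
        health[ids["health"]] = {"visits": i}
    return naive_card, naive_library, card, library, health, meta


if __name__ == "__main__":
    naive_card, naive_library, card, library, health, meta = build_demo()
    print("joinable keys, SSN-keyed stores:", len(linkable(naive_card, naive_library)))
    print("joinable keys, directed stores:", len(linkable(card, library)))
    some_card_id = next(iter(card))
    resolved = meta.translate("id_card", some_card_id, "library")
    print("approved link resolves:", resolved in library)
```

In this sketch the metadirectory's key and handle table are what remain worth protecting: a dump of any one context store, or of several, carries no shared key to join on.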
9:01 AM | Comments (2)
January 12, 2005
LaTeXMath, a Kwiki Plugin for Mathematics
Yesterday, I was thinking about math and whenever I start thinking about math I want to write it down. I hate writing on paper anymore and like writing on wikis, so I decided to see if anyone had written a LaTeX module for Kwiki, my wiki of choice. Alas, no one had.
Now, a fact of life is that I'd rather write code than math. In a former life, I did formal verification in HOL which allowed me to write code and math at the same time. As a consequence, I was easily diverted to a new task and I hacked together a LaTeXMath module for Kwiki last night. You can see it in action on this introductory page. Essentially, it turns this:
.latexmath
\int H(x,x')\psi(x')dx' = -\frac{\hbar^2}{2m}\frac{d^2}{dx^2}
\psi(x)+V(x)\psi(x)
.latexmath
into this:
I've put some other examples online as well.
The module is a wrapper for a hacked up version of John Walker's TeX to Gif translator. The module invokes five different programs via system calls for every equation (ouch!), but it's hard to imagine it doing anything much different.
To cut down on the cost, the images are stored in a file with a name that is generated as an MD5 digest of the equation text. The plugin checks to see whether the image already exists and only generates a new one if necessary.
One minor problem is that the plugin doesn't know when an image is no longer needed, so they are never deleted. This is only a minor problem since they are fairly small. In addition, the directory could be periodically purged of old images using a cron job since they will be automatically regenerated whenever the page is viewed again.
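The caching and purge scheme from the last two paragraphs, as an added Python sketch (the plugin itself is a Perl Kwiki module; this is not its code). The function names, the `.gif` suffix and the `render` callback standing in for the TeX-to-GIF toolchain are assumptions.

```python
import hashlib
import os
import tempfile
import time


def image_name(equation):
    """File name for an equation: the MD5 digest of its text, as in the post.

    MD5 is only a cache key here. Because the name is always 32 hex digits,
    nothing typed into the wiki page ever becomes part of a file path.
    """
    return hashlib.md5(equation.encode("utf-8")).hexdigest() + ".gif"


def cached_image(equation, cache_dir, render):
    """Return the image path, calling render(equation) only on a cache miss."""
    path = os.path.join(cache_dir, image_name(equation))
    if not os.path.exists(path):
        data = render(equation)
        # Write to a temporary file and rename it into place, so a
        # concurrent page view never serves a half-written image.
        fd, tmp = tempfile.mkstemp(dir=cache_dir, suffix=".tmp")
        with os.fdopen(fd, "wb") as handle:
            handle.write(data)
        os.replace(tmp, path)
    return path


def purge_older_than(cache_dir, max_age_seconds, now=None):
    """Delete cached images older than max_age_seconds; return their names.

    Safe to run from cron: a purged image is rebuilt on the next page view.
    """
    now = time.time() if now is None else now
    removed = []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if name.endswith(".gif") and now - os.path.getmtime(path) > max_age_seconds:
            os.remove(path)
            removed.append(name)
    return removed


if __name__ == "__main__":
    def fake_render(equation):
        # Constructed stand-in for the five external programs.
        print("rendering", equation)
        return b"GIF89a" + equation.encode("utf-8")

    with tempfile.TemporaryDirectory() as cache:
        cached_image(r"\frac{a}{b}", cache, fake_render)   # miss: renders
        cached_image(r"\frac{a}{b}", cache, fake_render)   # hit: no render
        cached_image(r"\frac{a} {b}", cache, fake_render)  # new text, new key
        print(purge_older_than(cache, 3600, now=time.time() + 7200))
```

Any change to the equation text, even whitespace, produces a new digest and a new image, which is why old files accumulate until something like the purge runs.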
I'm sure I messed this up horribly and I haven't tested it extensively yet, but I'll let you know if there are any major changes. I know that my plugin could be a little friendlier (it makes you create the directory to store the images, for example) and there are several parameters that ought to be in a config file rather than just stored in the module itself. Let me know what you think.
9:42 AM | Comments (2)
January 10, 2005
Lightweight Identity
Johannes Ernst contacted me today to tell me about Lightweight Identity (LID). Coincidentally, I'd seen it on Jamie Lewis' blog last week and had it on my list of things to write about (which is essentially equal to my list of things I want to know more about). I first met Johannes in May 2003 at a Jupiter conference on blogging in business. Johannes' company, NetMesh, developed LID as a simple, easy-to-use, decentralized way to create identities. LID has a few features which will appeal to many:
- Identities are URLs (no new namespace)
- You control the URL and what's there (completely decentralized)
- Built on standards including vCard, FOAF, XPath, and GPG
Johannes argues why he thinks LID obeys laws of identity. This is good because it will give some structure to Kim's arguments and point out how multiple, different systems might all obey those laws. They represent minimal rule-sets (things you cannot do), not maximal rule-sets (things you must do).
There are several responses from Dave Weinberger, Scott Loftesness, and Eric Sigler. These are all interesting parts of the conversation, but I think they miss the point to some degree. The question in my mind is not whether or not LID is a good system for storing identities and producing, upon request, identity information. History has shown us that lots of systems can be used as long as they're good enough and LID, along with SXIP, Identity Commons and others are probably good enough on those terms.
The question for me is one of trust, or as Kim likes to call it "recognition." When I use LID to retrieve Johannes' attributes, how do I know that they're OK? Even if I believe that they are exactly as he asserted them (i.e. I believe Johannes is telling me what his address is), how do I trust his assertions? In the real world, I may be having a business meeting with you and you give me a business card. For purposes of getting in touch with you, I believe your assertions because the stakes aren't that high. On the other hand, I may want to know, with some degree of assurance, what your name is. I'd ask for your driver's license. In that case, you're not asserting a value for your name, the government is. Or at least asserting that the person in the picture has a particular name, address, etc. That's the missing piece. LID lets me build business cards, not credentials.
For many things, that's OK. For others, it's not. The problem is that making assertions that are trusted by others takes time and carries risk. Risk costs money.
So, going back to the physical world, suppose you apply for a credit card. You fill out a form, asserting a lot of things about yourself. LID could surely do that. Now you send in your form to the credit card company and they verify your assertions, primarily by doing a credit check. There are several companies that collect credit histories and provide credit scores to anyone willing to pay. Those credit scores, of course, are not assertions about a person, but about an identifier (the SSN in the US). Using that score and other information, the credit card company evaluates the risk and issues credit (or not). They pay money to reduce their risk. The credit history company charges, in part, to cover their risk (since they're liable for providing good information).
This presents problems and opportunity. Digital certificates (a way of transferring trust) cost money in part to cover the risk that digital certificate providers incur when they issue a certificate. That makes digital certificates useful in only certain places. It also means that some people will be willing to pay to reduce risk associated with digital identity. There are businesses to be built there.
The interesting thing is that "trust" or "recognition" is about relationships. This points to a way out of siloed identities. It doesn't matter as much that I've got one identity at Amazon and another at BYU as long as there is a mechanism for asserting a relationship between these (i.e. that they both refer to the same person) that can be trusted and an infrastructure that Amazon and BYU can build upon to leverage that relationship.
Randy Gordon wrote to me a few days ago and was talking about the mathematics of identity. In particular, he referenced this Ph.D. thesis from Japan by Tadao Ishii on neoclassical logics with identity connectives. Randy believes, and I agree, that there is room to formalize some of the identity discussion in a language for making identity assertions like the ones I mentioned in the last paragraph. That language could be the basis for building a system of trusted relationships between the referents of an entity.
2:25 PM | Comments ()
January 7, 2005
Personal Identity Verification Project
The Feds are moving quickly toward a single employee identification system for all government employees and contractors. The system would be based on smart cards and allow the use of biometrics in some applications. The project is called Personal Identity Verification and is being managed by NIST.
Federal officials want to replace the existing piecemeal system of agency-level ID cards with "smart cards" that are hard to counterfeit, resistant to tampering and difficult to use by anyone other than the rightful card-holder if lost or stolen.
The new generation of ID cards must be able to digitally store biometric data such as facial photographs and fingerprint images, bear contact and contactless interfaces, and allow the encryption of data that can be used to electronically verify the user's identity, according to NIST draft standards.
Such cards will be required for all federal employees, including members of the military, as well as for employees of private organizations and state and local governments who regularly require access to federally controlled facilities and computer systems. That is a universe of more than 2 million people, said W. Curt Barker, the project manager at NIST.
From Single Government ID Moves Closer to Reality (washingtonpost.com)
Referenced Fri Jan 07 2005 14:53:38 GMT-0700
The State of Utah is in the same boat--every agency does its own ID cards. I'm sure that's true of most governments of any size. The upside of that approach is that it allows groups with high security requirements the freedom to implement something that meets their needs without burdening others with the expense. The downside, of course, is the obvious security risk as government operations become more and more interdependent.
There's a real possibility that whatever the Feds do will make the system cheap enough for others to follow in their tracks and so there could be some positive trickle down effects.
2:45 PM | Comments (1)
Where is Utah's CIO
This Federal Computer Week article puts into print some of the rumors I've been hearing about Gov. Huntsman considering a move of the CIO's office out of the Governor's office and into DAS (dept. of Administrative Services). I assume that that means that the CIO would head ITS (Information Technology Services). That would be a huge mistake.
This seems like a logical move at first. Since the CIO is supposed to be in charge of IT, why not place the position over the largest IT shop in the state? The problem is that ITS has had an adversarial relationship with most of the other IT shops in the State. I'm not using "adversarial" in a pejorative way--I believe that the tension is structural and won't go away because everybody sings kumbaya at the start of a few meetings. There have been and continue to be cordial relationships among the people.
The CIO has the opportunity to be an honest broker between these competing interests. This often requires the convening authority (when you call a meeting people show up) of the Governor's office. For the State's IT infrastructure to be secure and interoperate, the CIO also needs to be in a position to create policy. This is much more difficult to do from inside DAS.
Now, of course, this is all speculation since Huntsman hasn't announced what he intends to do. However, if he moves the CIO out of the Governor's office, I think that spells dark days for eGovernment in Utah.
11:15 AM | Comments ()
January 6, 2005
Trying MarsEdit
MarsEdit is a blog editor from Ranchero Software. Since I use NetNewsWire as my aggregator feedreader and like it, I thought I'd give it a go. This post is coming to you from MarsEdit.
The program is pretty straightforward. It integrates with Movable Type (and many other blogging tools) well and does a good job of saving and uploading posts. On the other hand, there don't seem to be that many advantages over using the Web form, except that you can do it offline. But then, I use Emacs for that. I don't think it will change how I work, but if you're looking for an offline editor for your blog, this might be a tool to try out.
8:17 PM | Comments (1)
Coaching
I have several relationships right now with companies where I'm essentially playing coach to the CIO or CTO. That's a nice role and probably the most fun I've had in any of the consulting I've done. I get pulled into all kinds of things. Sometimes, it's a quick question about a product and other times it's a multi-week session to develop product strategy. I mentioned this sort of thing in a discussion of CIO resolutions for 2005. Many people are in roles where they could use a coach. Coaches aren't necessarily someone who can do the job better and they're certainly not an indication that the person getting coached can't do the job themselves. The value I provide has a couple of components. First, I have perspective because I'm not in the day-to-day work. Second, I have the luxury of keeping current--something that's hard to do in any role with operational responsibilities.
3:55 PM | Comments (1)
What It's Like To...
CIO Magazine has a couple dozen stories that all start with What It's Like To... I enjoyed reading through them and hearing about other people's experience in the CIO seat. For example, Richard Clarke's description of what it's like to brief the president is something you just don't read about that often.
3:53 PM | Comments ()
Bruce Sterling's Open Letter to the Cyberchump
Bruce Sterling has written an open letter to the next cyberchumpczar. Given that this will be the fourth one in three years, there's plenty of room for fresh ideas. Sterling gives some straightforward advice about how to succeed:
- Use Secret Service Electronic Crimes Branch as your police force.
- Hammer out rational policies.
- Create systems to give accurate Internet "weather reports" that will track anomalous slowdowns, stoppages, and traffic jams.
- Create a foreign policy.
- Develop the ability to see around corners by recruiting every graying pundit, unemployed CEO, and retired computer scientist you can find.
The problem, as Bruce points out, is that the Cyberczar gets the blame for problems but doesn't have the authority to do much about them. Of course, to get a cyberczar, we'll probably have to get a Secretary of Homeland Security first. I haven't heard much about that lately.
3:02 PM | Comments ()
Ugly Logos
KSL is sponsoring an ugly logo contest. Go vote for your, ahem, favorite.
10:18 AM | Comments ()
Cost Effective Business Continuity
David Stephenson writes a blog on Homeland Security. I met him when I was CIO for Utah. He recently published a story on the ten homeland security technologies to watch in 2005. But what caught my eye was his criteria for judging homeland security technologies.
- Also having day-in-day-out applications so that they will both be familiar in an emergency (i.e., not requiring users to have to learn something new when they're already stressed) and will have economic and/or social benefits so their purchase and deployment are more easily justified.
- Decentralized, so they are less likely to be rendered inoperative by attacks on a centralized switching facility, etc.
- In the hands of the general public, so they leverage technology that is already in use (and, given the inevitable cost and procurement limits of government technology, more current) and that people are likely to have with them when disaster strikes, so they can get up-to-the minute information.
- Location-based, so that we can get away from lowest-common denominator evacuation and response plans that are likely to cause their own problems such as traffic jams.
- Empower the public, because authorities may themselves be incapacitated and our fate will be in our own hands, and because we may be more likely to listen to trusted friends and/or neighbors than distant authorities.
- Two-way, so that the general public and/or responders who may be the first to come upon an emerging problem can feed information back to authorities.
- Redundant, because various technologies h



