December 30, 2005
Salt Lake Tribune News Quiz
I scored 105 of 125 on the Tribune News Trivia Quiz.
I took the Salt Lake Tribune's News Trivia Quiz and scored 105 out of 125. That qualifies me as an official news junkie. I missed questions about entertainment--the one thing that doesn't interest me much. Try it and see how you do. I'm surprised they don't have ads on the quiz--lots of page views.
The quiz has a bug in the HTML form presenting the questions. The top radio button doesn't have the same name as the bottom two, so it's possible to select more than one answer. Of course, when you do that, the database doesn't like it very much and spits out an error. The page source also shows the SQL for selecting the question--kind of sloppy. I hope they're not running this on a system with any sensitive information, because it's probably a security nightmare. Even so, it's fun.
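As an added example (not the quiz's code, which isn't on the page), here is how the form and its handler should be built so the bug above can't happen: one radio-button name per question, server-side validation that rejects anything but exactly one allowed answer, and a parameterised query instead of SQL assembled in the page. The questions and the in-memory sqlite database are constructed stand-ins.

```python
import sqlite3
from html import escape
from urllib.parse import parse_qs

# Constructed quiz content; the real quiz's questions are not on the page.
QUESTIONS = {
    1: {"prompt": "Sample question 1", "choices": ("a", "b", "c"), "answer": "b"},
    2: {"prompt": "Sample question 2", "choices": ("a", "b", "c"), "answer": "a"},
}


def build_db():
    """In-memory stand-in for the quiz database (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE questions (id INTEGER PRIMARY KEY, prompt TEXT, answer TEXT)")
    db.executemany("INSERT INTO questions VALUES (?, ?, ?)",
                   [(qid, q["prompt"], q["answer"]) for qid, q in QUESTIONS.items()])
    return db


def render_question(qid):
    """Every choice for a question shares ONE name attribute, so the browser
    itself only allows a single selection. Values are escaped before output."""
    q = QUESTIONS[qid]
    rows = [f'<label><input type="radio" name="q{qid}" value="{escape(c)}"> {escape(c)}</label>'
            for c in q["choices"]]
    return f"<fieldset><legend>{escape(q['prompt'])}</legend>" + "".join(rows) + "</fieldset>"


def validate_submission(query_string):
    """Server-side check, independent of what the browser enforced: each question
    must arrive with exactly one answer drawn from its allowed choices.
    Returns (accepted_answers, errors); bad input is reported, not passed to the DB."""
    form = parse_qs(query_string, keep_blank_values=True)
    answers, errors = {}, []
    for qid, q in QUESTIONS.items():
        values = form.get(f"q{qid}", [])
        if len(values) != 1:
            errors.append(f"q{qid}: expected exactly one answer, got {len(values)}")
            continue
        if values[0] not in q["choices"]:
            errors.append(f"q{qid}: {values[0]!r} is not an allowed choice")
            continue
        answers[qid] = values[0]
    return answers, errors


def score(db, answers):
    """Parameterised lookup: the question id is bound by the driver, never
    spliced into the SQL text, and the SQL never appears in the served page."""
    correct = 0
    for qid, value in answers.items():
        row = db.execute("SELECT answer FROM questions WHERE id = ?", (qid,)).fetchone()
        if row is not None and row[0] == value:
            correct += 1
    return correct
```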
2:56 PM
December 29, 2005
The Tolerance Continuum
Dion Hinchcliffe has a nice graphic on his blog showing a tolerance continuum. Notice that at the top are things like HTML, RSS and folksonomies. At the bottom are ontologies, RDF, and enterprise applications like CRM and ERP.
I spoke with Dion yesterday and he talked to me about governance mistakes he sees clients making. The number one problem is something he called the “tyranny of the ‘MUST understand’ flag.” You get a SOAP-based Web service loaded up with WS-* header elements all tagged 'MUST understand' and you end up with something every bit as much a central command and control structure as if you'd just reintroduced the mainframe. No one can do anything unless they're using the same toolset.
This isn't exactly what we're hoping for with SOA. We're hoping for flexibility and agility. The answer is for the SOA architecture group--the people who are creating the design rules necessary to ensure interoperability--to be tolerant of diversity wherever they can. Here's a set of questions I came up with to help determine whether introducing options and choice is worthwhile:
- Is there a way to support additional options or to increase choice?
- Will these options increase service independence?
- Is allowing choice likely to increase unintended and serendipitous service re-use?
- Can additional options be introduced without increasing interdependencies between services?
- Will the cost of additional choice simply be more infrastructure rather than reliability or interoperability? Another way to ask this is, will the costs be one-time or ongoing?
- Are there acceptable ways to mitigate the negative side effects of the additional options?
If the answer to these questions is “yes” then the more tolerant approach will probably serve the enterprise well.
5:17 PM | Comments (3)
December 28, 2005
Winer Nails It
This is so true:
If the people promoting an idea say nasty things about people who differ with them, and if they have to take their swipes anonymously, they must not have a lot to say that's substantial, and they clearly aren't willing to stand behind their own thinking.
From Scripting News: 12/26/2005
Referenced Wed Dec 28 2005 19:03:49 GMT-0700 (MST)
7:03 PM | Comments (1)
December 27, 2005
Toward More Tolerant SOA
In writing the SOA governance piece for InfoWorld, I've been thinking a lot about how organizations can misuse governance. I've been spending some time reading what Jeff Schneider and Dion Hinchcliffe have to say on the subject of tolerance. One misuse that springs to mind is getting overly restrictive in ways that cover up poor design and reduce loose coupling. Here are a few examples I was turning over in my mind.
Suppose that my organization is making a commitment to SOA. One of the issues that will come up that requires governance is choosing a standard for security tokens. Will we, for example, support SAML, Kerberos, or something else? There's another choice, however, and that is to be tolerant of different security token formats. This requires installing or licensing some kind of token exchange service. The trade-off is more upfront work now for increased service consumption, looser coupling, and more flexible partner interaction later on.
Now, let's look at Social Security Numbers (SSNs). Most organizations store them and usually in more than one place. So, think about the possible variants:
- A 9-digit string
- A 9-digit number
- An 11-character string with hyphens
- A 10-character string with a single hyphen (EIN)
There are probably other ways people encode this and we haven't even talked about storage (CHAR vs. VARCHAR fields, for example).
In order to introduce tolerance in the exchange of SSNs, we need to know a number of things that identify the semantics of those 9, 10, or 11 bytes and provide some way of exchanging them.
One way to handle this problem is with strong governance. You establish an enterprise-wide, end-to-end data architecture that spells out all the details surrounding every piece of data. I deal with this in some detail in Chapter 16 of Digital Identity on Identity Data Architectures. You have to determine the way each data element will be displayed, exchanged, and stored and then update the data stores and applications that rely on them to match this model over time.
That's not a bad idea, but even if you do that you'll invariably want to hook up with a partner that does it some other way. At some point, you'll be forced to deal with the semantics of an SSN and apply them to the various formats that exist. Doing so allows you to create an exchange service so that when service A wants to send an SSN to service B, they can route it through a translation service that exchanges formats in a semantically neutral manner.
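Here is that translation service as an added example, not code from the post: the identifier's meaning is held as nine digits plus a kind (SSN or EIN), every inbound variant from the list above is parsed to that, and every outbound format is rendered from it, so services A and B never have to agree on a representation. The `TaxId` type, function names and sample values are my own; the only external facts relied on are the SSN and EIN hyphen layouts (3-2-4 and 2-7). It also covers an edge case the "9-digit number" variant implies: leading zeros dropped when an SSN is stored numerically.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TaxId:
    """Canonical, storage-neutral form: nine ASCII digits plus what they mean."""
    digits: str   # exactly nine digits, leading zeros preserved
    kind: str     # "SSN" or "EIN"


# The hyphen layout is the one thing that carries semantics in the raw formats.
_PATTERNS = (
    ("SSN", re.compile(r"^\d{3}-\d{2}-\d{4}$")),   # 11-character hyphenated SSN
    ("EIN", re.compile(r"^\d{2}-\d{7}$")),         # 10-character EIN, one hyphen
)


def parse(value, default_kind="SSN"):
    """Accept the variants named in the post: 9-digit string, 9-digit number,
    hyphenated SSN, hyphenated EIN. A bare nine digits carries no kind, so the
    caller supplies it via default_kind. Whitespace padding from CHAR fields is
    stripped; a numeric value has its lost leading zeros restored."""
    if isinstance(value, bool):            # bool is an int subclass; never an identifier
        raise TypeError("booleans are not identifiers")
    if isinstance(value, int):
        if not 0 <= value <= 999_999_999:
            raise ValueError("integer out of range for a nine-digit identifier")
        return TaxId(f"{value:09d}", default_kind)
    if not isinstance(value, str):
        raise TypeError(f"unsupported type {type(value).__name__}")
    text = value.strip()
    for kind, pattern in _PATTERNS:
        if pattern.match(text):
            return TaxId(text.replace("-", ""), kind)
    if re.fullmatch(r"\d{9}", text):
        return TaxId(text, default_kind)
    raise ValueError(f"unrecognised identifier format: {value!r}")


def render(tax_id, fmt):
    """Render for a consumer: 'digits' (9-char string), 'int' (number), or
    'hyphenated' (3-2-4 for an SSN, 2-7 for an EIN)."""
    d = tax_id.digits
    if fmt == "digits":
        return d
    if fmt == "int":
        return int(d)
    if fmt == "hyphenated":
        return f"{d[:3]}-{d[3:5]}-{d[5:]}" if tax_id.kind == "SSN" else f"{d[:2]}-{d[2:]}"
    raise ValueError(f"unknown output format {fmt!r}")


def translate(value, fmt, default_kind="SSN"):
    """Service A's representation in, service B's representation out, meaning unchanged."""
    return render(parse(value, default_kind), fmt)
```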
Too much work? Well then SOA probably isn't for you. This is a problem that can't be ignored. If you don't provide a way to translate common data among legacy apps and partners as part of your infrastructure, then every project will end up dealing with it individually and building it over and over again in an ad hoc manner.
Tolerant services increase the opportunities for serendipitous use and thus increase service re-use and consumption. Intolerant systems are just building tomorrow's chains in a new way.
12:59 PM | Comments (4)
What Does This Data Tell You?
I ran across this article about the State of Mississippi's Web site. What caught my eye was the information that the site had jumped from 49th place in Brown University's study to 9th place. Now, I'm sure they all worked hard and that this is a great accomplishment, but the very fact that you can jump so far in a single year underscores the assertion that state Web portals really aren't offering very much.
The truth is that we are still just playing around at level 2 of a four-level eGovernment maturity model. The state eGovernment portals built to date require no change to the government organizations that underlie the portal. For the most part, there's no integration that crosses departmental boundaries, and services are built from the government's viewpoint, not the citizen's. Moving up the maturity scale requires that we ask some very hard questions:
- Who will be responsible for building and maintaining this integrated service? Certainly each agency can be responsible for their piece, but who will be responsible for the whole?
- Who will pay for it? Many of the pieces have fees associated with them, but there's no overall fee or appropriation that currently covers the integrated service.
- How should government be rearranged to accommodate such services and to what extent?
- After such a service is built, who is responsible for its upkeep and enhancements?
- How will we regulate the new services? Who is responsible for rule making, for example, when a service is created and maintained by various agencies and levels of government?
- Will the integration be shallow or deep? That is, do we merely build a set of web forms that feed the data to a dozen or more different data sets and business processes, or do we integrate the data and processes?
Until your state government is willing to address these questions, it's unlikely you'll get anything from eGovernment that matters more to you than simple convenience.
11:22 AM
December 23, 2005
Mashup Camp
David Berlind is hosting a Mashup Camp next month. He's looking for participants and people who've created mashups they'd like to debut. Good idea--I like these unconferences.
9:41 AM
December 22, 2005
International Association of Software Architects
I didn't know there was an International Association of Software Architects. Did you? Membership appears to be free.
12:25 PM | Comments (3)
December 20, 2005
Erasing the Digital Signature Law
I have a piece at Between the Lines about State Sen. Lyle Hillyard's plan to repeal Utah's digital signature law in the next term.
That's not a bad thing, since it's not being used, but there are things Utah could do to make digital signatures work. I think Utah ought to be the first state to become a CA and issue a digital signature with every driver's license.
10:02 AM
Programming Head Shakers
If you're not reading The Daily WTF and you program, you really ought to give it a spot in your attention stream. Today's entry is a classic: using a temporary file instead of sprintf. The comments are pretty good as well, dissecting the code and pointing out all kinds of style problems. A humorous way to learn from bad examples.
9:03 AM | Comments (4)
December 19, 2005
More Diebold Hacking Demonstrations
The Miami Herald has an article on some recent demonstrations that aimed to show Florida officials how easy it would be to hack into electronic voting machines and change the outcome of the election. (They've also got some really annoying Javascript popups that mess up the page.)
BlackBox hired Herbert Thompson, a computer-science professor and strategist at Security Innovation, which tests software for companies such as Google and Microsoft.
Thompson couldn't hack into the system from the outside. So Sancho gave him access to the central machine that tabulates votes and to the last school election at Leon County High.
Thompson told The Herald he was ''shocked'' at how easy it was to get in, make the loser the winner and leave without a trace. The machine asked for a user name and password, but didn't require it, he said. That meant it had not just a ''front door, but a back door as big as a garage,'' Thompson said.
From there, Thompson said, he typed five lines of computer code -- and switched 5,000 votes from one candidate to another.
''I am positive an eighth grader could do this,'' Thompson said.
From Herald.com | 12/15/2005 | New tests fuel doubts about vote machines
Referenced Mon Dec 19 2005 13:57:02 GMT-0700 (MST)
Of course, someone with physical access to current voting tabulation equipment could also easily skew the results of the election. These kinds of stories scare the public, but they don't scare election officials as much because they know how bad the current systems are. Still, not something to give you warm fuzzies--you hope the new stuff will be better.
1:54 PM
Home Made Digital Clock
You're going to want to be watching this at midnight on Dec 31.
8:46 AM
Best Blog Posts of 2005
Mr. Snitch is looking for nominations for the best blog posts of 2005. Send a nomination his way, if you have one.
8:15 AM
December 16, 2005
Don't Click It
This is an interesting Web site.
6:03 PM
Computers That Control You
Commenting on my piece yesterday about TPM (trusted platform module) and computers that control you rather than the other way around, Jon Udell says:
Presumably no controls take effect unless the TPM is not merely activated by the operating system, but also pressed into service to guard some piece of protected content. So in theory it needn't affect you if you're creating rich media that you intend others to use freely, or if you're using rich media that others have created with the same intent.
From Jon Udell: Technologies of control, technologies of use
Referenced Fri Dec 16 2005 16:54:14 GMT-0700 (MST)
Jon's got a good point. However, I see TPM and TCP as a fundamental shift in how computers have always operated. In the past, we've always started from the assumption that software was infinitely malleable and we could write programs to do what we want. But, what if, for example, programs that let you create freely distributable rich media were deemed "dangerous" or "unsafe." TPM and TCP give computer manufacturers the option of excluding certain software from ever operating. You can't even say "well, then I'll run Linux" because they might choose to exclude that as well.
I don't mean to sound like a conspiracy theory nutjob. There are certainly futures with TCP that are not as bleak as all that, but for the first time, TCP opens a path to a possible future where general purpose computers disappear and are replaced by unhackable appliances. There are people who view such a world as good and desirable. Those people have been winning some lately.
4:51 PM
Document Style and State Transfer
Mark Baker has a nice, short write-up of how document style Web services differ from RPC-style and how that's related to state transfer (the last part of Representational State Transfer, or REST). An interesting point that Mark makes is that multi-method protocols (like HTTP) affect the semantics of the message. POSTing a message has a different meaning than PUTting the same message. While this seems obvious after you say it, I'm not sure it's a point explicitly recognized by some people.
1:37 PM
Tech State or State Tech?
John Palfrey, Executive Director of Harvard's Berkman Center, made some remarks a few days ago on the proper role of government with respect to open standards. He did so in the context of Microsoft trying to use the Massachusetts Legislature to do an end run around the Massachusetts CIO on the issue of adopting open standards. John talks about the proper role of Government in this struggle:
That job is not to choose between competing technology vendors, circa 2005, in a fast-changing marketplace. The elephant in the room is the struggle between Microsoft on the one hand and IBM and Sun on the other. But that struggle is not, and cannot be, the real story on open standards policy. It's essential to bear in mind the state's proper role vis-a-vis this marketplace -- a marketplace which may in fact establish, and re-establish, other open standards over time, all plausibly based off of the same concept of XML. Consider, for instance, the "web 2.0" version of this discussion and witness the dramatic changes in the syndicated technologies space -- with RSS, Atom, OPML, the MetaWeblog API, and their ilk over the past few years -- which, to all but a few visionaries, were unthinkable as possible "open document formats" a short while ago. The key is to ensure enough flexibility in the process so that those who know the technologies and the implications of any changes can help the state to adjust its approach on the fly as progress, inevitably, marches on -- and such that citizens, or users, are not the ones left behind in the long-run.
From John Palfrey:
Referenced Fri Dec 16 2005 08:43:02 GMT-0700 (MST)
There's an interesting tension here between a legislative process that typically takes years and numerous iterations to come up with solutions to tough and vexing problems and a technology landscape that shifts dramatically over the course of a single legislative session.
Legislators are big believers in democracy (duh!) and in their zeal sometimes try to apply the slow deliberative process to problems where it may not be the best choice. I think technology choices are an example of that. Legislatures should establish broad legal frameworks and then appoint and empower the executive branch to run more flexible public policy processes to set the actual rules.
As far as I can tell, that was what was happening in Massachusetts until Microsoft found a few legislators who they could rile up on the issue. If the legislature jumps in and changes the decision that the public policy process developed, I think it will be a big mistake. The public policy process made a decision to use open standards, a decision that is in the citizens' best interest. In overturning that, the Massachusetts Legislature will be making a decision against the interests of its citizens and in favor of a single, large company.
John concludes:
Information technologies are increasingly important to our democracy. A policy that seeks to ensure a citizen’s access to information and a citizen’s ability to transform data with as few constraints by those who make technology as possible is a worthy one. These goals should not be pursued by the state without the active involvement of the technical community; the legislator needs to get to know the technology developer, and those who set technology standards, much more intimately if the state is going to play in this game.
The question before the Commonwealth today is not whether to strive for such lofty goals, but rather how to meet the challenge of crafting and implementing a policy that will in fact achieve them over the long run. If the Commonwealth gets this policy right, others will follow. If the Commonwealth gets this right, it will be good not only for our state's economy but also for our democracy.
From John Palfrey:
Referenced Fri Dec 16 2005 08:57:33 GMT-0700 (MST)
Amen.
8:35 AM | Comments (1)
December 15, 2005
Structuring Citations
Scott Lemon sent me a note about Firefox Scholar, a proposed plug-in for Firefox that would make using citation data on the Web easier. I'm not clear on how different it is from CiteULike other than being browser based instead of Web based.
That got me thinking that there ought to be a microformat for BibTeX. While I was looking around, I ran into this page at microformats.org and that led me to information on COinS, a way of inserting citation data into a <span/>. It's not a microformat since it doesn't tag individual elements in ways that would allow them to be seen by humans and read by machines--a key microformats principle. There's a COinS generator if you want to play with embedding it in your site.
This makes me think all the more that academic papers ought to be published as HTML as the preferred format. Then all the bibliographic data could be embedded in a machine readable format (not to mention other data related to the article). Does anyone know of a nice paper-publishing CSS set that includes CSS for Web and print formatting?
4:31 PM | Comments (2)
TPM and Positive ID
There's an article at MSNBC about how Trusted Computing Platform (TCP) chips, already installed in many computers, could be used to provide "positive ID" on the Internet and end anonymity. Articles dealing with Internet identity in the mainstream media usually scare me--and this one is no exception.
What scares me is the willingness people have to sweep aside technical hurdles, privacy concerns, and practicality in wide-eyed optimism about how technology will eventually solve all our Identity problems.
With a TPM onboard, each time your computer starts, you prove your identity to the machine using something as simple as a PIN number or, preferably, a more secure system such as a fingerprint reader. Then if your bank has TPM software, when you log into their Web site, the bank’s site also “reads” the TPM chip in your computer to determine that it’s really you. Thus, even if someone steals your username and password, they won’t be able to get into your account unless they also use your computer and log in with your fingerprint. (In fact, with TPM, your bank wouldn’t even need to ask for your username and password — it would know you simply by the identification on your machine.)
The same would go for online merchants — once you’d registered yourself and your computer with an Amazon or an e-Bay, they’d simply look for the TPM on your machine to confirm it’s you at the other end. (Of course you could always “fool” the system by starting your computer with your unique PIN or fingerprint and then letting another person use it, but that’s a choice similar to giving someone else your credit card.)
Another plus for the TPM is that your computer will be able to make sure that it’s really a legitimate e-commerce site you’re connected to, and not some phishing-style fraud. There would still, of course, be ways that you could access your bank or e-commerce accounts from other computers when you were traveling, but the connection wouldn’t be as secure as using your own computer. Plans are already underway to put TPMs into smartphones and other portable devices as well.
From Let’s see some ID, please - The Practical Futurist - MSNBC.com
Referenced Thu Dec 15 2005 09:51:22 GMT-0700 (MST)
MasterCard paypass advertisement
The first question that comes to mind is why I would want to use a 30lb desktop as a security fob. Wouldn't it make more sense to just use security fobs if that's the problem we're trying to solve? Oh, I remember why: people don't like them.
Ironically, as I read the article an ad for MasterCard's paypass token-based payment system was shown to me (see right). So while the industry is trying to sneak heavyweight DRM into our living rooms under the guise of "making us safer," MasterCard is giving us RFID-based payment solutions with, as far as I can tell, single-factor authentication (if you have it, you can use it). I believe people will almost always opt for convenience over security and privacy. This is an example of that.
The article gives a nod to fears that TPM could be used in draconian ways, but then blithely states:
And should a media or software company come up with overly Draconian restrictions on how its movies or music or programs can be used, consumers will go elsewhere. (Or worse: Sony overstepped with the DRM on its music CDs recently and is now the target of a dozen or so lawsuits, including ones filed by California and New York.)
From Let’s see some ID, please - The Practical Futurist - MSNBC.com
Referenced Thu Dec 15 2005 09:56:08 GMT-0700 (MST)
I'm not sure it's that easy. With TPM as part of the landscape, there may not be much recourse. TPM is like the Sony rootkit installed in the hardware. When you buy it and the OS that activates it, you'll be implicitly stating that you accept the controls it places on you.
I think we're in great danger of changing the nature of not only the Internet, but computing itself. With only a few mainstream processor manufacturers, we're at their mercy. We could easily see a world where only the applications Microsoft or Apple has "approved" would run on your machine. That scares me.
9:45 AM | Comments (3)
December 13, 2005
Intel QX3 Microscope and OS X
salt 60x
I've had an old Intel Play QX3 microscope hanging around the house for a while. My oldest daughter got it for Christmas years ago, but lately it's been gathering dust. It caught my eye tonight and I decided to see if there's an OS X driver for it. I was pleasantly surprised to see there is.
I couldn't get it to work at first. I had to change the resolution in the software to 320x240 before I got a picture. That's not documented anywhere. Still the Maccam software is pretty good--even controls the top and bottom lights correctly and responds to the shutter control on the top of the microscope.
My third grader is pretty curious, so he went around the house finding things to look at. We took some pictures and printed them off to take to science class tomorrow. I would have died to have something like this when I was a kid. Guess that's why I buy it all now.
8:50 PM
Wikibooks
Wikibooks is an effort to do to books what Wikipedia did to the encyclopedia: build them using shared, open source collaboration. I think this could have some real application to texts and class notes.
From the few I checked out, it seems like it's still more idea than reality. Books are bigger than encyclopedia entries, so they will be more likely to be incomplete. This will negatively affect users' perception of quality. Wikibooks could probably use some way of segmenting works in progress from those in production and some community-based way to promote books from the draft bookshelf to the production bookshelf.
Since I found out about this in print, I have to assume it's old news. Still, it was new to me, so it might be to you as well. One question I still have is how this is or could be related to MIT's OpenCourseWare initiative.
2:59 PM | Comments (1)
SOA Governance Questions
As I work on my SOA governance story, I've come up with a list of questions for companies about SOA governance. Feel free to leave comments or to contact me directly with answers and ideas. As I dig into this, it's clear there's a book waiting to be written around this topic.
- How would you characterize the stage your company is at in deploying SOA-based systems? (some examples: pilot, beginning, advanced)
- Do you have a strong Enterprise IT Governance process now?
- If so, how is your SOA governance related to IT governance? Is it just a piece of it with no significant differences, or have you changed your IT governance processes in significant ways to accommodate SOA?
- Do you have an SOA center of excellence? What role does it play? Who does it report to?
- Is SOA governance mostly a technology play (i.e. just buy the right tools and it will work out) or more about people and policies?
- What governance lessons have you learned in your early SOA deployments?
- What are the critical requirements for governing SOA? What do you have to get right? Where are the places you can make significant errors?
- How do you set, store, disseminate, enforce, and maintain SOA policies?
- One of the dangers in SOA policy is to only concentrate on those that can be represented electronically and enforced by tools, or to go the other direction and not use any automated support for policy enforcement. How do you deal with that?
- How does technology aid in SOA governance?
- Have you deployed a registry?
- Did you use your registry to govern the deployment process (i.e. use a registry for holding metadata about services in development and another to hold metadata about production-quality services with a governance process for promoting services from the first to the second)?
- What is the role of service intermediaries in SOA governance? Do you use them for enforcement of policy?
- Suppose your organization needed to make a decision about what kind of security tokens (SAML, Kerberos, etc.) to use in the WS-Security container in SOAP messages within the organization. What’s the governance process your organization would use to make, communicate, and enforce that decision?
- What advice about governance would you give a CIO or IT Architect just starting an SOA project?
- Is it OK to ignore governance in the pilot stage?
- Do you need technology like registries and service management intermediaries early on, or can those wait until you have critical mass?
- What are the steps that someone should take in establishing an SOA governance process in their organization?
To some people, this topic is a big yawner, but not to anyone who's tried to make a big deployment work. Admittedly, talking about all the cool things you can do with SOA is more fun, but it's just talk without governance.
11:46 AM | Comments (2)
Fishing Rivers of Information
Dave Winer has some comments about Flickr's use of RSS:
I know I'm the last person to discover how clever Flickr's RSS is. Here's the story. People were adding me as a contact as I kept uploading folders of pictures from my backlog. I would get an email every time it happened. I wondered why. I wonder no more. I started adding them as my own contacts, slowly, a few days ago. Cool, when I'd go to my Flickr contacts page, I could see if Betsy or Rex, Tara or Stewart had uploaded some new pics. Excellent. Then yesterday I wondered if they had an RSS feed for this. Yes, of course they do. Bing. I subscribed. Now, happily every time one of my contacts puts up a new picture, it shows up in my River of News and gets hooked on my fishing pole. Now every time I add a contact it's like subscribing in RSS. Scratch that, it's not "like" that at all. It's exactly that. Excellent.
From Scripting News: 12/13/2005
Referenced Tue Dec 13 2005 10:28:37 GMT-0700 (MST)
Two things caught my attention. First, note that "subscribing" isn't always about cutting and pasting RSS URLs into an aggregator. Dave used a Web-based application to "subscribe" to the new pictures from his contacts. RSS is just the delivery mechanism for getting that stream of data to the place where he pays attention.
Second, the metaphor of "rivers of news" and getting "caught" on Dave's fishing pole are ones I've used before in presentations and articles. I think it describes the reason why RSS is important and why using it is an adjustment for some people. They think of the Web as a collection of places to go visit rather than as streams of information to stand in and enjoy.
10:28 AM
Cut the Vision in Half and Ship It
How many of us can relate to this?
Moral: If you find yourself talking more than walking, shut up, cut the vision in half, and launch it. You can always fill in the gaps later. In fact, you'll know more about what gaps need to be filled after you've launched “half a feature” than if you tried to fill them in before launching anything.
From Simple means launching something - Signal vs. Noise (by 37signals)
Referenced Tue Dec 13 2005 09:52:40 GMT-0700 (MST)
9:52 AM | Comments (2)
December 12, 2005
SSH Tricks
Linux Journal has a nice article on Eleven SSH Tricks. These, of course, work on OS X as well. If you're an OS X user, you may not be all that interested in the first one, X11 forwarding, but skip that one and read the rest.
I've used SSH for years for securing remote sessions and copying operations. I've never used it for port forwarding, but I may play with that a little. BYU doesn't offer VPNs for faculty and I've never bothered to set one up myself. Port forwarding would take care of some of the little things I worry about when I'm traveling.
9:57 AM | Comments (4)
December 9, 2005
Preparing Students to be Influential
In The University: An Owner's Manual, Henry Rosovsky discusses the varied "owners" of a university: students, parents, alumni, employers, and faculty. Similarly, academic departments are always torn between who their customers are. This always affects faculty discussions about almost everything.
In the BYU CS Department, we have a goal of developing and graduating CS majors who will have influential careers. That's a hard thing to define and difficult to achieve. There are some who argue that "influential" is wishy washy and, while it sounds nice, isn't anything that can really drive decisions. I disagree.
Designers, architects, and CTOs are more influential than programmers
Note first off that we're not talking about how to help the best students to be influential. They'll probably achieve that regardless of, even in spite of, anything we do. The issue is how to help average students gather the skills they'll need to be influential.
If I look at the places a CS student might end up, I think one path that leads to influence is the role of software designer, architect, and even CTO. I contrast this specifically with programmer and even lead programmer positions which, while important, don't offer the same opportunities for influence. I also think these design-oriented roles are much less prone to outsourcing, as an additional benefit. So, how do you help someone prepare for those roles?
I think teaching them to be a competent and effective programmer is necessary, but not sufficient. We spend a lot of time ensuring that regardless of what other knowledge our students gain, they can at least do a good job of programming. Some of what we do is structural; we require that senior level courses require big projects, for example, so that no matter what electives a student takes, they get some experience with big (by academic standards), group projects.
Closely related to programming is problem solving. Designers and architects are good problem solvers. Programmers generally learn problem solving (although some are better than others).
So, beyond programming, what is there? One important item is communication skills. Not just technical writing, but presentation skills as well. I think we do a spotty job of this. Giving students time to make presentations takes quite a bit of time in class. Grading writing assignments can ruin a Christmas vacation. We need to find ways to more consistently develop student communication skills.
Another important item is to develop an appreciation for business in CS students. I'm not necessarily suggesting that every student should be required to take a business class of some sort, although that's certainly an option. Too often the feeling among technical folk is that the business side is not worthy of study because it's somehow soft or easy. I try to talk to each of my classes about business ideas and requirements and how they impinge on what we're talking about. Admittedly, my background makes that easier for me than it might be for others. We also have a software entrepreneur course that I encourage all students to take, even if they don't think they'll start a business soon.
We need to emphasize design more in all our classes and speak explicitly about software architectures. I'd love to see a senior-level architecture course, but that's not likely to happen anytime soon. I suspect our senior-level software engineering course could do more of this, but I'm not sure it does.
A capstone senior project/thesis would go a long way to building these skills into the curriculum if it was designed correctly. Making students interact with real customers would help them learn communication skills and they'd gain appreciation for business requirements and needs.
One thing that I think is important, but that is hard to do structurally, is building a culture of curiosity and innovation. In my experience, good architects have broad knowledge and skills. They generally picked them up because they're curious and self-motivated. As I said, the best students will do this naturally. Average students, however, tend to struggle more just getting the course work done and tend to spend less time just playing around and exploring. I'm leery of techies who don't want to program their own thing when they're not doing something for work. Conversely, I'm always excited by students who want to show me something they built "just for fun." You can see the excitement in their eyes, and those are the ones that I would hire and who I believe have a great shot at being influential.
Related to this is the ability and background to continue to learn. If students have the right background (these are usually defined as the classes they don't want to take), they will more easily pick up new concepts and technologies. See Understanding XML as an example of this.
So those are my ideas. What are yours? What can we teach to undergraduate CS students that will help them have influential careers after they graduate?
10:37 AM | Comments (8)
December 7, 2005
Google's Golden Rules for Effective Technical Teams
Hey! It's Google Day at Technometria. Not really, but this was still interesting. Google's Eric Schmidt and UC Berkeley's Hal Varian list ten "golden rules" that Google tries to follow:
- Hire by committee.
- Cater to their every need.
- Pack them in.
- Make coordination easy.
- Eat your own dog food.
- Encourage creativity.
- Strive to reach consensus.
- Don't be evil.
- Data drive decisions.
- Communicate effectively.
The goal is to be a good place for knowledge workers. They start by talking about Drucker:
At Google, we think business guru Peter Drucker well understood how to manage the new breed of "knowledge workers." After all, Drucker invented the term in 1959. He says knowledge workers believe they are paid to be effective, not to work 9 to 5, and that smart businesses will "strip away everything that gets in their knowledge workers' way." Those that succeed will attract the best performers, securing "the single biggest factor for competitive advantage in the next 25 years."
From Google: Ten Golden Rules - Issues 2006 - MSNBC.com
Referenced Wed Dec 07 2005 21:07:13 GMT-0700 (MST)
There's more detail in the article, of course, but I thought what they said afterwards about problems they face was more interesting. In the paragraphs that followed the golden rules, they talked about these:
- "Techno arrogance" that kills team work
- The not-invented-here syndrome
- Maturation of the company
- Ensuring communication methods keep pace with increasing scale
All in all, some pretty good points about keeping a technical team effective.
9:12 PM | Comments (1)
Google and Taguchi
Jeff Huber, an old friend from Excite@Home days, landed in this Cringely column on whether or not Google is using Taguchi to optimize return on AdSense. Jeff, who heads engineering for AdSense, says "In short, no."
8:57 PM | Comments ()
December 6, 2005
SOA Governance Article
I'm working on an article on SOA governance for InfoWorld. If you have ideas, I'd love to hear them. What I'm not looking for is emails that say things like the one I got yesterday. The PR person claimed her client has been "delivering SOA governance" to customers, like you can buy governance by the gross. I've been collecting some articles I run across at this del.icio.us tag. I'm particularly interested in hearing about what people doing large SOA deployments are doing about governance.
5:55 PM | Comments ()
December 5, 2005
XRI, XDI, and Identity
I flew down to Oakland today to attend Andy Dale's XDI Workshop (slides and video available, eventually, on the wiki). XRI's one of those things I've wanted to understand better and I decided that going to a workshop with Andy was the best way to do that. Call me lazy.
Andy subtitled his presentation "an implementor's guide" and started off with an off-the-cuff comment that XDI is mostly at a stage where it can be implemented.
Globally Unique identifiers
You can't talk about distributed management without talking about globally unique identifiers (GUIs). These are things like phone numbers. Local identifiers are things like phone extensions. Web site identities are local identifiers. Email has been used as a globally unique identifier, but people are hesitant to give it out. Besides, using a concrete identifier (like email) as an abstract identifier is flawed.
Examples of GUIs include phone numbers, email, and URLs. Other examples include DNS and XRI, but these are abstract. Their main use is to link to other concrete identifiers. Domain names are designed to map to IP numbers and little else.
I-names sit on top of XRI and expose an extensible set of service capabilities. When you resolve an i-name, you get back an XRD (eXtensible Resource Descriptor), an XML document.
I-name resolution is left-to-right. In an i-name, a period (.) is a valid character in a name, not a delegator. The asterisk (*) is used as a delegator. There are five global roots. The equals sign (=) is the root for individuals, hence =windley identifies me. @ is the root for organizations, + is the root for tag space, $ is the root for system tags, and ! is the root for i-numbers.
Each of these spaces is hierarchical and extensible. So, =windley*friends*steve could be an identifier for my friend Steve. This would be more common at the organizational level. So, @technometria*=windley could be me.
You get an i-name from an i-broker. I-brokers are the i-name equivalent to a DNS registrar. GRS is the global registry services, analogous to the DNS top-level registry services. To register @technometria*windley, I'd first register the @technometria name with a commercial i-broker. The record is then added to the GRS. Next, I'd go to a community i-broker and ask them to serve as my registry. The community i-broker, the commercial i-broker, and the registrant enter into a transaction to authenticate that it's OK. Now, anyone can show up at the community i-broker and register a name in the @technometria community subject to whatever rules I establish.
Resolving the name @technometria*windley works much like DNS: find the GRS for @, ask it about technometria, ask that about windley, get an answer. In general, the situation is analogous to DNS, but has a richer vocabulary. Neustar is the GRS for XRIs.
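To make the syntax and the left-to-right walk concrete, here is an added example (my own toy code, not from Andy's workshop or any XRI library) that parses an i-name and resolves it over a constructed in-memory registry standing in for the GRS and the i-brokers; the registry contents and the services listed in each XRD are assumptions.

```python
# Added example, not from the workshop or from any XRI library: a toy i-name
# parser and resolver. The registry below is a constructed stand-in for the
# GRS and the i-brokers; real resolution goes over the network and returns XRDs.

GLOBAL_ROOTS = {"=": "individual", "@": "organization", "+": "tag",
                "$": "system tag", "!": "i-number"}


def parse_iname(iname):
    """Split an i-name into (global root, [segments]).

    '*' delegates to the next level; '.' is an ordinary name character,
    so '=phil.windley' is one segment rather than two.
    """
    if not iname or iname[0] not in GLOBAL_ROOTS:
        raise ValueError(f"missing global root: {iname!r}")
    root, segments = iname[0], iname[1:].split("*")
    if any(seg == "" for seg in segments):
        raise ValueError(f"empty segment in {iname!r}")
    return root, segments


def node(services, **delegates):
    """One registry entry: the XRD for this name plus the names beneath it."""
    return {"xrd": {"services": services}, "delegates": delegates}


# Constructed registry tree: the top level is the GRS for each global root,
# each nested dict is a community served by some i-broker. Registered i-names
# carry the SSO and contact services the post says you get with registration.
REGISTRY = {
    "=": {
        "windley": node(["sso", "contact"],
                        friends=node([], steve=node(["contact"]))),
        "phil.windley": node(["sso", "contact"]),
    },
    "@": {
        "technometria": node(["contact"],
                             windley=node(["sso", "contact"])),
    },
}


def resolve(iname, registry=REGISTRY):
    """Walk the delegation chain left to right, as DNS does with labels.

    Returns the XRD of the final segment, or None when any hop is unknown.
    """
    root, segments = parse_iname(iname)
    level = registry.get(root, {})  # the GRS for this root, if we know one
    xrd = None
    for seg in segments:
        entry = level.get(seg)
        if entry is None:
            return None
        xrd, level = entry["xrd"], entry["delegates"]
    return xrd


if __name__ == "__main__":
    for name in ("=windley", "=phil.windley", "=windley*friends*steve",
                 "@technometria*windley", "@technometria*nobody"):
        print(f"{name:28} -> {resolve(name)}")
```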
When you register an i-name, you always get an authentication service (ISSO - SAML 1.1 today) and a contact page. You can buy an i-name for $25 for 50 years now. When Neustar takes over that price may change.
Single Sign On
Traditionally, authentication happens in a linear fashion between a user interface of some kind and a data store that holds the userid and password. With single sign-on (SSO), you provide a username, which is then resolved in some way to find the authentication service for that name. The application asks the authentication service to authenticate the user and gets back a token. Thus multiple Web sites and applications (service providers) can use a single authentication service (AuthN). Note that resolution of the authentication service from the name is a critical piece of the puzzle.
I-names can support SSO through resolution to an XRD that indicates the authentication service. The authentication service will be the user's i-broker and will ask for a password. Supposing that the user recognizes the "trust cues" from the i-broker, she will enter the password. The user will be returned to the SP with an authenticated session. The flow actually uses redirects through the browser. The SP and the AuthN never talk directly to each other. The weak link in SSO is the password page and possible spoofing.
There are libraries available for doing i-name SSO now (SPIT) that work in PHP, Java, Perl, Python, and Ruby. BooksWeLike is an example of a site that has implemented i-name based SSO. I went there, registered by putting my i-name and email into their registration page, and now can log into their site using my i-name, authenticating through 2idi (my i-broker). I dislike the multiple pages (with buttons that say things like "click here to complete the login process"), but it's pretty cool to see it work. Here's my BooksWeLike page. Notice my i-name in the URL.
Moving on to XDI
While XRI is an extension of the URI concept, providing a richer set of mappings than DNS will support, XDI is the XRI Data Interchange. XDI is a set of specifications that are dependent on XRI and discuss how to share data resources that are identified using XRIs.
Why publish data from your systems? Internal and external system integration is the obvious answer. But, you can do something else at the same time: empowering you members so that you can serve them better. Say what? Here's an example:
Today people give money online to non-profits. Non-profits remember that they do this so they can ask them for more later. But when many people give money to lots of organizations, it becomes difficult, especially for smaller organizations, to manage their donors. So small non-profits sell their data to aggregators and then buy data back to get a better handle on who's giving what.
What happens if the donor ends up with an authoritative record of their giving? Then the individual can aggregate a profile of their own giving that far exceeds any data an aggregator can amass. The donors can also specify what they are interested in giving money to. Other data about the individual can be aggregated with the profile. This profile can be selectively exposed in the context of other transactions. Intermediaries can use this data to broker giving to organizations. This strikes me as the longtail of trust funds. There's also a serious attention component here.
To enable this, the donor must receive an authoritative record of the transaction. By publishing this data back to the user, you serve your members better. The system must provide fine-grained permissioning that lets you control who has access to what. Role-based permissioning simplifies the permissioning matrix. Service-based roles make permissioning doable for real people.
To do this, you should not only capture data at its source, but use data at its source as well. Data about me lives in lots of places. I don't want to gather it up and put it all in one place. What I really want is to establish a database of pointers to where my data is. Note that this is a different problem than whether I have control over who sees that data or not.
XDI is to the distributed data web what ODBC and SQL were to datastores in databases. XDI takes an XRI as the query, and you get back an XDI doc (a well-known, universal data structure with introspection).
XDI has field-level security. Since the structure is hierarchical, the permissioning can be specified by a path. John has access to "a/b/f/1", for example. This path-based syntax allows fine-grained and coarse-grained permissions in the same model.
The IP for XDI is open and it has a social layer. The social layer is represented by "link contracts" that mediate data access. Link contracts can express conditions for data use. This could be used to require certain behaviors with respect to caching and other things. This seems like identity rights agreements.
XDI has low-level caching. This is independent of (or an augmentation of) transport level caching since the XRI syntax can be used to specify what are authoritative copies of the data and which are no longer valid.
XDI has low-level versioning. XRI has a specified versioning syntax. Values can be soft deleted. Old values can be kept addressable and can be auditable only.
Triggers can be built into XDI implementations. XDI is not yet enterprise ready. There needs to be more work on backup and recovery, clustering and fault tolerance.
Because of these properties (in particular the fine-grained permissioning), you can easily incorporate the "user" into a data integration by merely permissioning her system. What's more, identity providers are found through resolution without having to integrate multiple IPs into each system.
At this point, a light bulb went off in my head and the information density of the next few minutes pegged my brain bandwidth. I'll have to parse it out and write about it later.
In XRI, my email address would be represented by =windley/+email. Resolution would be able to turn that into my current email address or even a contact service. This allows you to put a wall between the resolution and the email address, allowing someone (perhaps the user) to turn off email resolution on a case-by-case basis. This allows user-controlled access to personally identifying information.
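The path-based permissioning described above ("a/b/f/1" granting one field, a shorter path granting a whole subtree) and the idea of switching =windley/+email resolution off case by case can be shown in one place. This is an added example, my own code rather than anything from the workshop or an XDI implementation; the link-contract contents and paths are constructed.

```python
# Added example, not from the workshop or from any XDI implementation: a
# path-based permission check modelled on the post's description. The link
# contract contents and the paths below are constructed data.
from dataclasses import dataclass, field


def split_path(path):
    """'=windley/+email' -> ['=windley', '+email']; rejects empty segments."""
    parts = path.strip("/").split("/")
    if any(p == "" for p in parts):
        raise ValueError(f"bad XDI path: {path!r}")
    return parts


def covers(granted, requested):
    """True when the granted path is the requested path or an ancestor of it.

    The comparison is per segment, so a grant on 'a/b' covers 'a/b/f/1'
    (coarse-grained) but not 'a/bc', which a plain string prefix would match.
    """
    g, r = split_path(granted), split_path(requested)
    return len(g) <= len(r) and r[:len(g)] == g


@dataclass
class Grant:
    requester: str
    operation: str
    path: str
    enabled: bool = True  # the data holder's per-grant on/off switch


@dataclass
class LinkContract:
    """Who may do what on which paths under the holder's data."""
    holder: str
    grants: list = field(default_factory=list)

    def grant(self, requester, operation, path):
        self.grants.append(Grant(requester, operation, path))

    def set_enabled(self, requester, path, enabled):
        """Turn one grant off (or back on) without tearing up the contract."""
        for g in self.grants:
            if g.requester == requester and g.path == path:
                g.enabled = enabled

    def allowed(self, requester, operation, path):
        return any(g.enabled and g.requester == requester
                   and g.operation == operation and covers(g.path, path)
                   for g in self.grants)


def demo_contract():
    """Constructed contract mixing coarse- and fine-grained grants."""
    c = LinkContract("=windley")
    c.grant("=john", "read", "a/b/f/1")                    # one field only
    c.grant("@technometria", "read", "=windley/+contact")  # whole subtree
    c.grant("=steve", "read", "=windley/+email")
    return c


if __name__ == "__main__":
    c = demo_contract()
    print(c.allowed("=john", "read", "a/b/f/1"))
    print(c.allowed("=john", "read", "a/b/f/2"))
    print(c.allowed("@technometria", "read", "=windley/+contact/+phone"))
    c.set_enabled("=steve", "=windley/+email", False)  # holder turns it off
    print(c.allowed("=steve", "read", "=windley/+email"))
```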
ooTao has an XDI demo available online.
4:56 PM | Comments (1)
Novell's New CTO
I'd have done it for half that.
3:36 PM | Comments (2)
Capability Discovery for Identity Protocols
While it is possible that a single identity system will emerge for the Internet, it's not likely. Hence the claim by Microsoft's InfoCard to be a "metasystem" for identity, that is, an infrastructure that other identity systems can ride on. Alternately, others are building such a metasystem from the bottom up.
Right now, that effort goes by the unfortunate moniker of YADIS. YADIS is a way of discovering the capabilities of various identity systems. Drummond Reed just announced that YADIS will also include i-names in addition to OpenID and LID.
12:50 PM | Comments (2)
NumSum and Other MicroApplications
I've been playing with a writable Web application called NumSum, a Web-based spreadsheet. Here's a little test spreadsheet I created. They have a "blog this" feature which creates an iFrame of the spreadsheet. Here's what it looks like:
Go ahead and change some cells and it will recalculate. Your changes won't be persistent. This is unlikely to put Office out of business anytime soon, but as a demo application, it shows just how far this might go. Doesn't feel like a Web-app, does it?
NumSum was built to show off the capabilities of TrimPath, a "web Model-View-Controller framework that gives you Rails without the Ruby." Heck, just a good set of JavaScript templates would make my life easier right now.
Apparently, someone has taken the TrimPath SQL parser and the AJAX massive Storage System to build a JavaScript database, one more piece in the microapplications puzzle. With an offline datastore, you can do things that require only occasional connectivity.
Tip of the hat to Tim Shadel for pointing these out to me.
11:17 AM | Comments ()
December 2, 2005
Decipher This
10:26 PM | Comments (3)
CTO Breakfast Report
This morning's CTO breakfast was a lot of fun. We're getting a very good turnout and the discussion is excellent. The tenor of the discussion is different than at other technical meetings because the group has a fair number of CTOs, past CTOs, and Director-of-Engineering types. That said, it's not exclusively that--there are plenty of young, fresh perspectives as well. It's a great mix that leads to good discussion.
We started off with a question about recruiting good technical talent and that led to a 50 minute discussion about hiring, managing, and, when necessary, letting go of programmers. Some of the comments from my notes:
- There was some discussion of testing and screening candidates with the observation that often seemingly good people can't answer simple technical questions. Is the set-up too artificial (i.e. no access to references, standard environment, Google, etc.)? Are people just nervous or intimidated? How can this be done better?
- Ask questions about outside interests, particularly those that are technical. Has the person ever participated in an open source project? What code do they write when they aren't forced to?
- You have to be willing to get rid of people that don't work out. Engineering organizations don't always hold everyone accountable for good work. Use a mandatory 90-day probation period.
- No one in the room has used LinkedIn with any success to find employees, although several had tried. Some had used it to find jobs.
There was a lot of discussion about DRM and the increasing balkanization (my word) of the user experience. Scott Lemon made the observation that book publishers are the next big battle. Textbook publishers will fight things like MIT's online courses because it cuts their revenue. Publishers sell textbooks by providing free course material to instructors that's tailored to a book. They all want to know how their "content" and (mostly) their revenue model can be protected.
I posted a short piece on wikis at Between the Lines yesterday and this morning got a comment back from someone to the effect that current wikis are too technical. Regular folk don't want to be bothered with mark-up. I brought the comment up.
There was consensus that wikis are too technical and markup doesn't make sense to most people. Even people who think of themselves as "technical" ask "how do I use this thing?" Written text has a mark-up of sorts called punctuation and even educated literate folks struggle to get punctuation right. (See Eats, Shoots, and Leaves)
We need a web-based editor that really works. There are plenty of Javascript tools out there, but they suffer from two fundamental problems:
- Poorly chosen feature sets.
- Fragmentation. It's almost as if every document you write had a different editor.
We need 2 or 3 really good editors, not 1000 bad ones.
A few other things that were mentioned and people might want to look at:
- Ajaxpatterns.org - writing a book in public.
- Flock - suite of browser tools with an open API and modular architecture.
- Mologogo - $60 pre-paid cell phone married to a GPS tracking service.
1:20 PM | Comments (4)
December 1, 2005
More Pictures from IIW2005
I found I hadn't uploaded the photos I took at IIW2005 on day two. I've done so now, if you're interested.
9:35 PM | Comments ()
Geek Dinner Report and Pictures
December's Geek Dinner at Los Hermanos
I have a few pictures from last night's geek dinner. My talk went pretty well, but the Internet was out just when I was talking (worked before and after), so some of the demos I wanted to show involved some handwaving. One of the hardest questions to answer on microformats is "why would I want to do that?" Reminds me of XML in 1998.
The place was packed--well over 60 people. Phil Burns did a good job of running the dinner and keeping everything humming. Pete Ashdown was there and got a loud round of applause when Phil mentioned that he was running for US Senate against Orrin. All in all, a good event and one I'm sure will be repeated. Utah needs more of this--I know a lot of techies in Utah and the room was full of people I didn't know.
9:02 PM | Comments ()
What Kind of Blogger Are You?
Mister Snitch identifies seven different styles of blogging that can result in high traffic. What kind are you?
8:46 PM | Comments (1)
Middleware Course
I'm teaching a graduate course next semester that's called "middleware," although that's really just a title that I chose to represent what it's not. The course will be about digital identity, Web services, service-oriented architectures, and so on. It's what I call a papers and projects course: reading and writing papers combined with building things. I taught it last year and thought it worked out pretty well. If you're a grad student, you can sign up right now. If not, just bring an add card the first day of class and I'll sign it. Prereqs are CS462.