 Monday, September 29, 2003
Dain Sundstrom ditched on our scheduled interview on Friday. I had been hoping to get his voice into the piece I'm writing on open-source Java; hopefully, he'll resurface. In any case, I would think he'd want to at least comment on Marc Fleury's comments about the breakup of the JBoss team. Or not.
Well, I'll keep trying.
11:25:06 AM
 Sunday, September 28, 2003
There's a growing amount of concern about the impact of RFID technology on privacy--you know, if you don't yank the tags, and the UPC-based tag is still on your person in the clothes or shoes or merchandise you're wrapped in, you may be leaving your unique consumer signature every time you pass by an RFID reader close enough to pick up the data. So, like as you go through the doors of any store, or through a metal detector, or through the toll booth...
Here's a great application for DARPA to look into for this: an RSS feed for every RFID tag issued, that updates every time the tag passes through another checkpoint. Want to know in near-realtime where a particular pair of sneakers has been? Subscribe to its RSS feed, and you could have its global coordinates posted to a dynamic weblog. Where's that kid off to? Enter the UPC code on his new pair of Air Jordans, and you'll not only know when he arrived at the mall, but potentially who with. Yowza!
[buzzword compliant/ dotCommunist]
10:01:45 PM
I had a phone conversation with my good friend Jeff Angus yesterday; he had read my Windows as Potatoes screed from Friday night, and reminded me that we had a similar conversation about monocultures and technology five years ago. He also suggested that maybe Monsanto was a better metaphor for Microsoft.
Monsanto has created a de facto monoculture through genetic engineering that gives customers a product that not only is derived from a narrow gene line, but is also sterile (so they can't cross-breed it with something else and correct any of its problems on their own) and guarantees post-sales support will come only from their licensed agents, spraying with their chemicals. Sure, it's easy to use, but as resistant strains of pests and weeds start to go after the vulnerabilities in the genetic/chemical firewall Monsanto has built, you're stuck waiting for their engineers and scientists to get a "patch" out in the next version of the product, which won't come out until next growing season at the earliest.
So is Windows the potato of the Internet age or the sorghum? Well, considering that Microsoft "eats its own dog food," maybe it is more feed-quality than for human consumption.
[buzzword-compliant]
9:53:25 PM
 Saturday, September 27, 2003
Let's say everything about your desktop preferences was stored as a set of hierarchical XML fields on a server somewhere on your network. Application settings might be on other servers; cookies with your saved application preferences for websites on another. What if, when you were authenticated at login at a desktop (running ANY operating system), the preferences were aggregated into something similar to an RSS file and sent securely to the desktop, and an agent program used the RSS to recreate your settings as closely as possible on the particular platform you had logged into?
So, for example, if you had a set of network drives you connected to, those shares would be established over the best file service protocol available for the client you were on (NFS, SMB, Windows filesharing, AFS). Bookmarks and cookies were configured for the browser available. Desktop icons would be linked to networked or local applications that provided equivalent functionality, with your preferences translated to them.
Most desktop strategies are monocultures. What if you could, through the application of secure web-based technology like SSL and IPSec, create a heterogeneous desktop strategy that gave you 80% of the power of the homogeneous ones? Using RSS as a vehicle, and a cross-platform agent in, say, Java, to do the client configuration?
I encourage someone to implement this model. All I want is "friends and family" status for the IPO.
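Here is a sketch of what the client-side agent in that model might look like, written for this page as an illustration rather than taken from any project. It assumes an RSS-like preferences document (constructed inline), a shared key between the preference server and the agent for an HMAC integrity check (standing in for the "sent securely" part; the key and tag format are assumptions), and a per-platform preference order of file-service protocols that is also an assumption. The agent refuses to apply a feed whose tag does not verify, then maps each network share to the best protocol the client platform supports.

```python
"""Toy cross-platform settings agent (added example, not from the original post)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET  # for untrusted feeds, prefer defusedxml in practice

SHARED_KEY = b"demo-agent-key"  # assumption: provisioned to agent and preference server

# Assumed preference order of file-service protocols per client platform.
PROTOCOL_PREFERENCE = {
    "windows": ["smb", "nfs"],
    "macos": ["afp", "smb", "nfs"],
    "linux": ["nfs", "smb"],
}

# Constructed sample feed: each <item> is one preference; <description> on a
# share item lists the protocols the server side can serve it over.
PREFS_XML = b"""<rss version="2.0">
<channel><title>prefs for alice</title>
<item><category>share</category><title>home</title>
  <link>//fileserver/home/alice</link><description>smb,nfs,afp</description></item>
<item><category>share</category><title>projects</title>
  <link>//nas/projects</link><description>nfs</description></item>
<item><category>bookmark</category><title>Intranet</title>
  <link>https://intranet.example/</link></item>
</channel></rss>"""


def sign(payload: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 tag the preference server would attach to the feed."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Constant-time comparison so a tampered feed is rejected before parsing."""
    return hmac.compare_digest(sign(payload, key), tag)


def parse_feed(payload: bytes) -> list:
    """Turn the RSS-like document into a list of preference dicts."""
    root = ET.fromstring(payload)
    items = []
    for item in root.iter("item"):
        protocols = (item.findtext("description") or "").split(",")
        items.append({
            "category": item.findtext("category"),
            "title": item.findtext("title"),
            "link": item.findtext("link"),
            "protocols": [p for p in protocols if p],
        })
    return items


def choose_protocol(offered: list, platform: str):
    """Pick the first protocol the platform prefers that the server also offers."""
    for proto in PROTOCOL_PREFERENCE[platform]:
        if proto in offered:
            return proto
    return None  # no common protocol; the share cannot be recreated here


def plan_mounts(items: list, platform: str) -> list:
    """(share name, chosen protocol, path) for every share item in the feed."""
    return [
        (it["title"], choose_protocol(it["protocols"], platform), it["link"])
        for it in items
        if it["category"] == "share"
    ]


def apply_feed(payload: bytes, tag: str, platform: str) -> list:
    """Verify the feed, then compute the platform-specific mount plan."""
    if not verify(payload, tag):
        raise ValueError("preference feed failed integrity check; refusing to apply")
    return plan_mounts(parse_feed(payload), platform)


if __name__ == "__main__":
    tag = sign(PREFS_XML)
    for plat in PROTOCOL_PREFERENCE:
        print(plat, apply_feed(PREFS_XML, tag, plat))
```

The same feed yields an AFP mount on the Mac and an SMB mount on Windows for the "home" share, which is the translation step the proposal describes; the integrity check is the minimum a deployment would want before letting a network-delivered document reconfigure a desktop.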

10:21:35 AM
 Friday, September 26, 2003
John Udell, Simon Phipps, and a host of other technorati have pointed to this report, "Cyber InSecurity: the Cost of Monopoly" published by the Computers and Communications Industry Association. It makes a very simple case, based on research by the authors--that having a "monoculture" of operating systems on the Internet creates an inordinate risk.
Monocultures have spelled trouble throughout history. My ancestors who brought the Gallagher name to the US came here in the wake of the failure of a monoculture--potatoes, which supplied an inordinate percentage of the food supply, were susceptible to a fungus "blight". The failure of potato crops had a disastrous effect that Ireland, it could be argued, only really recovered from at the end of the 20th century.
The EPA has a history of the Potato Famine on its website, which includes this passage:
Besides the horror, what unites the famines today with one over a century ago are the reasons behind them. Ireland's famine and those of the 20th century have similar, complex causes: economic and political factors, environmental conditions, and questionable agricultural practices.
Substitute "vulnerable code" for "environmental conditions", and "business" for "agricultural", and you've got a description of the current state of the Internet.
Windows is the potato of the Internet age. That's basically what the researchers, including analyst Daniel Geer of @Stake, were saying when they wrote, in the executive summary:
"Most of the world's computers run Microsoft's operating systems, thus most of the world's computers are vulnerable to the same viruses and worms at the same time. The only way to stop this is to avoid monoculture in computer operating systems, and for reasons just as reasonable and obvious as avoiding monoculture in farming. Microsoft exacerbates this problem via a wide range of practices that lock users to its platform. The impact on security of this lock-in is real and endangers society.
"Because Microsoft's near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow."
After this report was published, Geer was fired by @Stake, which is a Microsoft contractor. The fact that Geer was apparently fired for mentioning the elephant in the room with him is telling. Considering the world-wide press Microsoft is making to prevent alternative operating systems like Linux from taking root, it's obvious that some folks think maintaining the dependence of the masses on the next release of Potatoes Server and Potatoes XP is essential to continuing their standard of living.
As someone who once earned his bread by installing and administering Windows NT networks, I can't help but agree with the CCIA assessment. While I use multiple computers, I now do all of my daily work (including e-mail) on one of my two Apple computers--mostly because I haven't had to worry about an e-mail worm or script attack since I started doing so. My 12-year-old son uses a Windows XP computer, which I'm constantly applying patches to. And as I mentioned in Server Not Found, constant reboots from applying patches actually killed the last Windows 2000 server in my inventory. It sits in the corner of my office, awaiting resurrection with a new motherboard or cannibalization of its parts.
The best defense against any assault is defense in depth--relying on one thing for defense is what led to the Maginot Line, and, well, we know how that turned out. Having loosely coupled, heterogeneous systems means that you can more easily ride out an assault (or a fatal bug) in any part of your infrastructure.
The main problem is increased cost of ownership--you need to have people with multiple skill sets to maintain multiple operating systems. Well, maybe. Some alternative OSs may actually reduce cost of ownership for some classes of users. If you build your applications on top of a cross-platform architecture, switching from an MS SQL Server backend over to a MySQL backend won't be that big a deal. If you stick to common file formats, the cost of maintaining different office productivity apps isn't that significant (I use Office, AppleWorks, and OpenOffice within my office, on the same files, interchangeably, every day--sometimes even at the same time).
A point made by the study is that any technology monoculture is a potentially bad thing. If we had a Linux monoculture (perish the thought), we'd all be dealing with the latest Linux virus...right?
Hmm. Probably not. Because, you see, there's a big difference in that scenario--anyone can look at Linux's source code. And because of all of the different potential configurations, distributions, and revs to Linux (hell, some application binaries don't work from one version of Linux to another on the same processor platform), a "Linux monoculture" would be an oxymoron.
But here's another example--what if, say, there was another flaw like the floating point "flaw" that Intel had with the Pentium processor, or the, ahem, cache problems that Sun had with the UltraSPARC, and a vast preponderance of systems running the Internet depended on that CPU? What if everybody used the same Ethernet chip for their network interface, and it was found to have a bug that caused it to go into promiscuous mode? What if someone could, say, exploit a hole in Passport, and use it to launch a denial of service against every system running MSN Messenger?
What, indeed. Potatoes may be cheap and easy to cook, but if they're what you live on, their cost of ownership can get extremely high very fast. Just ask any Gallagher you run into.
10:47:17 PM
A couple of days ago, MIT's Philip Greenspun stirred up a lot of sediment with his weblog post, Java is the SUV of programming tools. I waited for the slashdot effect to die down before talking about this particular piece of programming politics, because Greenspun got walloped (at last count, there were 136 comments on the posting).
I am, as a non-professional who writes code when God sees fit to allow time for it, a programming pragmatist. While I like Java for some tasks, I do most of my web programming in PHP, thank you--at least partially because I don't host my own site, and very few hosting companies are comfortable with running a JavaServer Pages-enabled site. Even for home portal stuff, servlets and JSPs are doable--but why would I waste my time when I can do it with a little server-side script?
Java 2 Enterprise Edition is not a hobbyist's toolset. I don't sit down and say, "Hey, I should write that [insert trivial application here] in Java." Hell, it's not even appropriate for enterprise software projects with a lifecycle of less than six months. And, no matter what Sun tells you, Java is not exactly knocking anybody dead on the desktop; moving the focus of Java to the app and web server was the smartest thing the Java community ever did, because it widened the potential client system audience exponentially.
But that's not to say that Java couldn't move down into the world of trivial applications. You have to start off a little higher up the dev tool food chain than notepad.exe to make that happen, and you have to make the "include" process more transparent to developers. In fact, that should be determined at build time, not by the poor sap writing the code.
There are already some very good Java IDEs out there. But it's not just a cooler, flashier IDE that Java needs--it needs a tool that's got better property-driven components that can be rapidly assembled into applications. The key to the success of VB was the ease with which you could wire it to an external data source. ODBC and data-aware controls together, not just ODBC, made Visual Basic what it is today. Any moron with VB could create a client application that accesses a relational database.
Unfortunately, the Java IDE ecosystem has withered quite a bit over the last two years; now Borland is pretty much the only show in town outside Sun and IBM (and a personal bitch here: Borland's JBuilder for Mac is still back in version 6, while the rest of its tools have gone through 3 more generations).
The bottom line, it seems, is that Java's corporate custodians want it to be hard to use. They want it to be an enterprise tool that acts as a vehicle for consulting services; and with the increasing amount of open source Java tools available out there, they're depending on services to be what makes them money on Java. Look at IBM's WebSphere suite--it's a suite only in name, with no really clean integration of components. Some assembly required, your consultants put it together.
Greenspun's got it wrong. Java could be a sports car, or a skateboard. But the way Java is delivered to most developers right now, it's a 747, not an SUV. Companies end up with full blown J2EE servers when all they ever really run are JSPs and servlets. One corporate development manager told me that "what I need is a ball-peen hammer, but IBM insists on selling me jackhammers."
3:58:54 PM
 Thursday, September 25, 2003
Here's a question (with credit to Noel Bergman) that nobody seems to be asking: does Verisign's hijacking of unregistered domain names to pull traffic to its advertising-sponsored web pages lower the level of trust in the company? And if Verisign is less trustworthy, would you trust certificates from them (see the quote at the end of the linked article)? Should a company that can't be trusted be allowed to manage domain registration?
10:14:10 AM