buzzword compliant

java, developer and web tech news and punditry that sucks less than my css coding.


 Monday, September 29, 2003

The JBoss/Elba/Geronimo story, not continued (for now)


Dain Sundstrom ditched on our scheduled interview on Friday. I had been hoping to get his voice into the piece I'm writing on open-source Java; hopefully, he'll resurface. In any case, I would think he'd want to at least comment on Marc Fleury's comments about the breakup of the JBoss team. Or not.

Well, I'll keep trying.
11:25:06 AM

 Sunday, September 28, 2003

The Ultimate in Moblogging


There's a growing amount of concern about the impact of RFID technology on privacy--you know, if you don't yank the tags, and the UPC-based tag is still on your person in the clothes or shoes or merchandise you're wrapped in, you may be leaving your unique consumer signature every time you pass by an RFID reader close enough to pick up the data. So, like as you go through the doors of any store, or through a metal detector, or through the toll booth...

Here's a great application for DARPA to look into for this: an RSS feed for every RFID tag issued, that updates every time the tag passes through another checkpoint. Want to know in near-realtime where a particular pair of sneakers has been? Subscribe to its RSS feed, and you could have its global coordinates posted to a dynamic weblog. Where's that kid off to? Enter the UPC code on his new pair of Air Jordans, and you'll not only know when he arrived at the mall, but potentially who with. Yowza!

[buzzword compliant/ dotCommunist]
10:01:45 PM


Microsoft Monoculture meets Monsanto


I had a phone conversation with my good friend Jeff Angus yesterday; he had read my Windows as Potatoes screed from Friday night, and reminded me that we had a similar conversation about monocultures and technology five years ago. He also suggested that maybe Monsanto was a better metaphor for Microsoft.

Monsanto has created a de facto monoculture through genetic engineering that gives customers a product that not only is derived from a narrow gene line, but is also sterile (so they can't cross-breed it with something else and correct any of its problems on their own) and guarantees post-sales support will come only from their licensed agents, spraying with their chemicals. Sure, it's easy to use, but as resistant strains of pests and weeds start to go after the vulnerabilities in the genetic/chemical firewall Monsanto has built, you're stuck waiting for their engineers and scientists to get a "patch" out in the next version of the product, which won't come out until next growing season at the earliest.

So is Windows the potato of the Internet age or the sorghum? Well, considering that Microsoft "eats its own dog food," maybe it is more feed-quality than for human consumption.

[buzzword-compliant]
9:53:25 PM

 Saturday, September 27, 2003

An immodest proposal: RSS configuration of networked desktops


Let's say everything about your desktop preferences was stored as a set of hierarchical XML fields on a server somewhere on your network. Application settings might be on other servers; cookies with your saved application preferences for websites on another. What if, when you were authenticated at login at a desktop (running ANY operating system), the preferences were aggregated into something similar to an RSS file and sent securely to the desktop, and an agent program used the RSS to recreate your settings as closely as possible on the particular platform you had logged into?

So, for example, if you had a set of network drives you connected to, those shares would be established over the best file service protocol available for the client you were on (NFS, SMB, Windows filesharing, AFS). Bookmarks and cookies would be configured for the browser available. Desktop icons would be linked to networked or local applications that provided equivalent functionality, with your preferences translated to them.

Most desktop strategies are monocultures. What if you could, through the application of secure web-based technology like SSL and IPSec, create a heterogeneous desktop strategy that gave you 80% of the power of the homogeneous ones? Using RSS as a vehicle, and a cross-platform agent in, say, Java, to do the client configuration?

I encourage someone to implement this model. All I want is "friends and family" status for the IPO.
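
The agent side of this proposal, as an added example that is not from the original post: it reads an RSS-style preference feed and turns each item into a platform-specific action, treating the feed as untrusted input (allow-listed item kinds, validated values, no DTDs). It is written in Python rather than the Java the post suggests; the item layout, category names, hostnames and protocol rankings are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed. The item layout (category = kind of preference,
# description = protocols the file server offers) is an assumption.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Desktop preferences for jdoe (constructed)</title>
    <item>
      <category>share</category>
      <title>home</title>
      <link>fileserver.example.net:/export/home/jdoe</link>
      <description>nfs,smb,afs</description>
    </item>
    <item>
      <category>bookmark</category>
      <title>Intranet</title>
      <link>https://intranet.example.net/</link>
    </item>
    <item>
      <category>run-script</category>
      <title>unexpected</title>
      <link>http://example.net/setup.sh</link>
    </item>
  </channel>
</rss>"""

# File service protocols each client platform can use, best first
# (assumed ranking; a real agent would probe what is installed).
PLATFORM_PROTOCOLS = {
    "linux": ["nfs", "afs", "smb"],
    "macos": ["smb", "nfs", "afs"],
    "windows": ["smb"],
}


def build_plan(feed_xml, platform):
    """Turn a preference feed into (plan, rejected) without executing anything.

    Even over SSL or IPSec the feed is only as trustworthy as the server that
    built it, so the agent allow-lists item kinds and validates each value.
    """
    # Refuse DTDs outright: preferences never need entities, and entity
    # expansion is a classic way to abuse an XML consumer.
    if "<!DOCTYPE" in feed_xml or "<!ENTITY" in feed_xml:
        raise ValueError("DTDs are not accepted in a preference feed")

    supported = PLATFORM_PROTOCOLS[platform]
    plan, rejected = [], []
    for item in ET.fromstring(feed_xml).iter("item"):
        kind = (item.findtext("category") or "").strip()
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()

        if kind == "share":
            offered = {p.strip().lower()
                       for p in (item.findtext("description") or "").split(",")}
            # First protocol in the platform's preference order that the
            # server also offers.
            choice = next((p for p in supported if p in offered), None)
            if choice is None:
                rejected.append((title, "no common file protocol"))
            else:
                plan.append(("mount", choice, link))
        elif kind == "bookmark":
            if urlparse(link).scheme in ("http", "https"):
                plan.append(("bookmark", title, link))
            else:
                rejected.append((title, "bookmark scheme not allowed"))
        else:
            # Unknown kinds are reported, never interpreted.
            rejected.append((title, "unknown item kind: " + kind))
    return plan, rejected


if __name__ == "__main__":
    for name in PLATFORM_PROTOCOLS:
        print(name, build_plan(SAMPLE_FEED, name))
```

The function returns a plan instead of mounting or writing anything, so the same feed can be reviewed or logged per platform before a privileged component acts on it.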

10:21:35 AM

 Friday, September 26, 2003

Of Patches and Potatoes: Windows, Monocultures, and Bad Things Happening


Jon Udell, Simon Phipps, and a host of other technorati have pointed to this report, "Cyber InSecurity: the Cost of Monopoly" published by the Computer and Communications Industry Association. It makes a very simple case, based on research by the authors--that having a "monoculture" of operating systems on the Internet creates an inordinate risk.

Monocultures have spelled trouble throughout history. My ancestors who brought the Gallagher name to the US came here in the wake of the failure of a monoculture--potatoes, which supplied an inordinate percentage of the food supply, were susceptible to a fungus "blight". The failure of potato crops had a disastrous effect that Ireland, it could be argued, only really recovered from at the end of the 20th century.

The EPA has a history of the Potato Famine on its website, which includes this passage:

"Besides the horror, what unites the famines today with one over a century ago are the reasons behind them. Ireland's famine and those of the 20th century have similar, complex causes: economic and political factors, environmental conditions, and questionable agricultural practices."

Substitute "vulnerable code" for "environmental conditions", and "business" for "agricultural", and you've got a description of the current state of the Internet.

Windows is the potato of the Internet age. That's basically what the researchers, including analyst Daniel Geer of @Stake, were saying when they wrote, in the executive summary:

"Most of the world's computers run Microsoft's operating systems, thus most of the world's computers are vulnerable to the same viruses and worms at the same time. The only way to stop this is to avoid monoculture in computer operating systems, and for reasons just as reasonable and obvious as avoiding monoculture in farming. Microsoft exacerbates this problem via a wide range of practices that lock users to its platform. The impact on security of this lock-in is real and endangers society.

"Because Microsoft's near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow."

After this report was published, Geer was fired by @Stake, which is a Microsoft contractor. The fact that Geer was apparently fired for mentioning the elephant in the room with him is telling. Considering the world-wide press Microsoft is making to prevent alternative operating systems like Linux from taking root, it's obvious that some folks think maintaining the dependence of the masses on the next release of Potatoes Server and Potatoes XP is essential to continuing their standard of living.

As someone who once earned his bread by installing and administering Windows NT networks, I can't help but agree with the CCIA assessment. While I use multiple computers, I now do all of my daily work (including e-mail) on one of my two Apple computers--mostly because I haven't had to worry about an e-mail worm or script attack since I started doing so. My 12-year-old son uses a Windows XP computer, which I'm constantly applying patches to. And as I mentioned in Server Not Found, constant reboots from applying patches actually killed my last Windows 2000 server in my inventory. It sits in the corner of my office, awaiting resurrection with a new motherboard or cannibalization of its parts.

The best defense against any assault is defense in depth--relying on one thing for defense is what led to the Maginot Line, and, well, we know how that turned out. Having loosely coupled, heterogeneous systems means that you can more easily ride out an assault (or a fatal bug) in any part of your infrastructure.

The main problem is increased cost of ownership--you need to have people with multiple skill sets to maintain multiple operating systems. Well, maybe. Some alternative OSs may actually reduce cost of ownership for some classes of users. If you build your applications on top of a cross-platform architecture, switching from a MS SQL server backend over to a MySQL backend won't be that big a deal. If you stick to common file formats, the cost of maintaining different office productivity apps isn't that significant (I use Office, AppleWorks, and OpenOffice within my office, on the same files, interchangeably, every day--sometimes even at the same time).

A point made by the study is that any technology monoculture is a potentially bad thing. If we had a Linux monoculture (perish the thought), we'd all be dealing with the latest Linux virus...right?

Hmm. Probably not. Because, you see, there's a big difference in that scenario--anyone can look at Linux's source code. And because of all of the different potential configurations, distributions, and revs to Linux (hell, some application binaries don't work from one version of Linux to another on the same processor platform), a "Linux monoculture" would be an oxymoron.

But here's another example--what if, say, there was another flaw like the floating point "flaw" that Intel had with the Pentium processor, or the, ahem, cache problems that Sun had with the UltraSPARC, and a vast preponderance of systems running the Internet depended on that CPU? What if everybody used the same Ethernet chip for their network interface, and it was found to have a bug that caused it to go into promiscuous mode? What if someone could, say, exploit a hole in Passport, and use it to launch a DoS on every system running MSN Messenger?

What, indeed. Potatoes may be cheap and easy to cook, but if they're what you live on, their cost of ownership can get extremely high very fast. Just ask any Gallagher you run into.
10:47:17 PM


Java: more ground clearance than you could imagine


A couple of days ago, MIT's Philip Greenspun stirred up a lot of sediment with his weblog post, Java is the SUV of programming tools. I waited for the slashdot effect to die down before talking about this particular piece of programming politics, because Greenspun got walloped (at last count, there were 136 comments on the posting).

I am, as a non-professional who writes code when God sees fit to allow time for it, a programming pragmatist. While I like Java for some tasks, I do most of my web programming in PHP, thank you--at least partially because I don't host my own site, and very few hosting companies are comfortable with running a JavaServer Pages-enabled site. But even when I do home portal stuff, servlets and JSPs are doable--but why would I waste my time when I can do it with a little server side script?

Java 2 Enterprise Edition is not a hobbyist's toolset. I don't sit down and say, "Hey, I should write that [insert trivial application here] in Java." Hell, it's not even appropriate for enterprise software projects with a lifecycle of less than six months. And, no matter what Sun tells you, Java is not exactly knocking anybody dead on the desktop; moving the focus of Java to the app and web server was the smartest thing the Java community ever did, because it widened the potential client system audience exponentially.

But that's not to say that Java couldn't move down into the world of trivial applications. You have to start off a little higher up the dev tool food chain than notepad.exe to make that happen, and you have to make the "include" process more transparent to developers. In fact, that should be determined at build time, not by the poor sap writing the code.

There are already some very good Java IDEs out there. But it's not just a cooler, flashier IDE that Java needs--it needs a tool that's got better property-driven components that can be rapidly assembled into applications. The key to the success of VB was the ease with which you could wire it to an external data source. ODBC and data-aware controls together, not just ODBC, made Visual Basic what it is today. Any moron with VB could create a client application that accesses a relational database.

Unfortunately, the Java IDE ecosystem has withered quite a bit over the last two years; now Borland is pretty much the only show in town outside Sun and IBM (and a personal bitch here: Borland's JBuilder for Mac is still back in version 6, while the rest of its tools have gone through 3 more generations).

The bottom line, it seems, is that Java's corporate custodians want it to be hard to use. They want it to be an enterprise tool that acts as a vehicle for consulting services; and with the increasing amount of open source Java tools available out there, they're depending on services to be what makes them money on Java. Look at IBM's WebSphere suite--it's a suite only in name, with no really clean integration of components. Some assembly required, your consultants put it together.

Greenspun's got it wrong. Java could be a sports car, or a skateboard. But the way Java is delivered to most developers right now, it's a 747, not an SUV. Companies end up with full blown J2EE servers when all they ever really run are JSPs and servlets. One corporate development manager told me that "what I need is a ball-peen hammer, but IBM insists on selling me jackhammers."
3:58:54 PM

 Thursday, September 25, 2003

Samba refreshes


Samba steps up Linux/Windows connection. The open-source development team releases an update to its Samba software for connecting Windows desktop PCs with Linux or Unix servers. [CNET News.com - Front Door]

Samba now integrates with Microsoft's version of Kerberos and with Microsoft Active Directory, through LDAP. Apparently, Microsoft hasn't totally locked down the intellectual property for the protocols required to connect to and from Windows.
1:53:27 PM


Is Verisign untrustworthy?


Here's a question (with credit to Noel Bergman) that nobody seems to be asking: does Verisign's hijacking of unregistered domain names to pull traffic to its advertising-sponsored web pages lower the level of trust in the company? And if Verisign is less trustworthy, would you trust certificates from them (see the quote at the end of the linked article)? Should a company that can't be trusted be allowed to manage domain registration?
10:14:10 AM

 Wednesday, September 24, 2003

JBoss Boss to Geronimo: Fork You


There's been a lot of Java-based spin around the splintering of the team that developed the JBoss open-source Java app server this summer. Some of the developers on the core dev team for JBoss spun themselves off as The Core Developer Network LLC in August, reportedly unhappy with life under the JBoss Group flag. Then their access rights to the code versioning system were cut off. The result was a "fork" in JBoss' code--JBossGroup continues its development, and the JBoss team at CDN continues on a separate path, now called Elba (since JBoss is a trademark of JBoss Group's Marc Fleury).

Elba was originally intended (by the CDN crew) to be an effort to incorporate The Apache Software Foundation's Geronimo Project with the JBoss code; now, it's a placeholder (and source of revenue) for CDN while it contributes to Geronimo itself, independent of JBoss code. Geronimo is to be Apache's Enterprise JavaBean (EJB) server, which it hopes to certify with Sun as J2EE-compliant. The Apache Software Foundation is in no way connected to Elba--and wants nothing to do with it.

Meanwhile, The JBoss Group is trying, now, to get certified itself. Bob Bickle, once of Bluestone and then of HP Middleware (killed by Carly Fiorina post-merger), is now the VP of biz dev for JBoss, and he, as he put it to me today, "drew the short straw" to negotiate certification licensing with Sun. He says the move was driven by a change in JBoss's user base (more actual deployments by businesses); others outside the company suggest that the real reason is to get certified before Geronimo.

Clearly, no love was lost in the breakup. Marc Fleury said to me today in a phone interview: "The two guys working over there (Geronimo) were mediocre guys at JBoss." He suggested they were purged because they weren't up to the transition of the project to "professional open source."
9:02:44 PM

 Monday, September 22, 2003

Once again, McNealy disses software (sort of)


In an interview with CNET, Sun CEO Scott McNealy once again goes back to his "software is a feature" attitude, despite his company's apparent interest in making money off software:

"This is why I crack up when I learn my third-grader's learning how to program. I want to go in and tell them, are you teaching him how to program a telephone switch, too? Or work a nuclear power plant? It's just a continuum. We've always done piece parts because people like to buy the piece parts. But now open interfaces, standard building blocks, and providing integratable alternatives to the welded-shut Microsoft hairball, people are getting more and more comfortable buying less mechanics and more assembled fixtures."

Uh-huh. Well, I guess Scott's kid won't be building those fixtures.

But, seriously, I understand the "vision thing" that McNealy is trying to spin here; it's the software component-driven world we all thought we would be living in by now, that Sun tried to execute (poorly) with Java Workshop 1.0 in 1997 (or whenever that was). Unfortunately for Scott, that's still the world inhabited by George Jetson--and not us.

While the vision McNealy promotes is of information systems consumers not needing to know how to program, the reality is that somebody still has to play around under the hood to put the building blocks and interfaces all together--or even set them up properly. Packaged software, bundled hardware and software, and so forth are certainly available, but they often end up causing as many or more organizational problems for the companies implementing them than they solve. The return on the investment in these pre-formed slabs of software and hardware isn't exactly great, either. (Seen a happy Siebel or SAP customer lately?)

Grid computing is a wonderful thing, to be sure. Application dial-tone, fire-and-forget business apps, buzzword, buzzword, buzzword. There's just one problem--once you've got all this stuff, and you've installed it with default settings, how the hell do you get any differentiation out of your use of it from your competitor who set up the same system? How do you extract additional value from your leased compute cycles, virtualized storage, and packaged business logic? And how do you make your company dynamic once you've tied your strategy to any-color-as-long-as-it's-black product cycles?

I don't want my fourth grader to have to learn how to program a nuclear power plant, Scott. But I want him to learn logic, and programming technique at some point in his school career, so he can navigate the stupid menus to program a VCR. And I want him to be able to find a better way to do things than the losers fine people who build the interfaces and embedded software and operating systems that we're currently enslaved by. Software matters; programming matters, just as you argue IT matters. Making electrons jump on command is an essential part of making things work better, faster and cheaper, and you know it.

Let's look at the automobile analogy. You once said something like, "Nobody goes out and buys software for their right turn signal." True. But there are two kinds of car owners out there--users and enthusiasts. Enthusiasts do everything they can to tweak the performance of their car, buying aftermarket kits and tinkering under the hood. Look at what happened to GM's J-car series when it got into the hands of these people, and you'll see what I mean--they made cars from the base car provided by GM that were better than anything GM's design team could come up with.

That's why "open interfaces" and "standard building blocks" may become the accepted baseline of IT--but who still buys the base model? There will always be a need, and a desire, for software jockeys to go under the hood to get that little bit more efficiency out of the system to get that much more of a profitability edge out of the IT investment. There will always be businesses that the standard building blocks don't fit. And there will always be another set of holes in those standard building blocks that need patching.
2:51:18 PM

 Friday, September 19, 2003

Um, there's a difference?


The Dalai Lama: "If I had not been a monk," he said last weekend, "I would have become an engineer."
4:27:11 PM

 Wednesday, September 17, 2003

Notes proves to be still relevant...in an odd way


Ray Ozzie has a lot to say about the Eolas v. Microsoft case. And he thinks he knows of some prior art that trumps Eolas' claim. He should--he created it.
9:36:50 PM

Sendmail bug


There's a vulnerability in Sendmail that allows remote attacks by buffer-overflow. The security hole could be used for denial of service attacks against e-mail routing infrastructure.

This is just the latest problem with Sendmail, which has had other similar vulnerabilities (this is the third this year).

But you never hear about sendmail attacks in the press, now do you? And the patch for the problem was ready for deployment within 5 days of the bug being reported on the Full-Disclosure list.
2:57:57 PM


Live from Moscone, it's iSight


I got a quick look at the keynote at Sun's SunNetworking conference in San Francisco this morning, from my desk here in Baltimore. The view was courtesy of Simon Phipps and his PowerBook and iSight camera, via a wireless LAN connection at Moscone, to me on Apple's iChat A/V.

This convergence of wireless networking and audio-video realtime conferencing is waaaay cool. It is portentous, in the same class of developments as camera/phones and moblogging. It's like peer-to-peer TV news.

I had been in doubt about how well my iSight camera was working with my old reliable G4 Cube; despite being able to conference within my LAN, my attempts to conference with an old colleague had been discouraging. I was convinced the problem was the speed of the G4's bus, or processing speed, or (worse yet) its cable modem connection being too slow.

It turns out, however, that it's his problem.
2:27:48 PM

 Tuesday, September 9, 2003

Patents of Mass Destruction


My column on Eolas has gone live on the eWeek site. Read it and weep.
4:31:01 PM

The Joy is Gone


Bill Joy is leaving Sun to "pursue other interests." Joy is the father of BSD Unix, and had a hand in many of Sun's most important innovations, including Java.

So what are those "other interests"?
1:10:57 PM

 Saturday, September 6, 2003

Copyrights Good, Patents Bad


The victory of Eolas Technologies in its patent infringement lawsuit against Microsoft, as I noted yesterday (Termination Dust for Web Apps?) has a lot of people in the open source and standards community as well. Ten years of standards development is about to be upended, it seems, by a one-person company with no product except a passel of patents licensed from the University of California.

It seems ironic that the University of California was on the other end of the stick some time back when it was sued by AT&T for patent infringement for its development of BSD Unix--a case which it won, and which put a substantial amount of Unix technology into the public domain. Now, it's putting the same open source community on the spot again--unless, of course, Eolas and UC act to allow open source development based on their patents to continue, or a higher court overturns the decision against Microsoft.

The patents that Eolas claims are disturbingly broad in scope, and would seem to be undermined by significant "prior art" elsewhere in the software world.

Of course, the Patent and Trademark Office (PTO) is incapable of screening effectively for patents that infringe on unpatented (but copyrighted) work, because there's no link between the patent and copyright systems--patents are governed by the Department of Commerce, and copyrights by the Library of Congress (which isn't even in the executive branch, to my knowledge). And the PTO is woefully understaffed, underfunded (it operates solely on the funds it takes in in patent fees) and, based on the evidence, just plain full of idiots to begin with.

Copyrights are easier to enforce than patents (especially when it comes to software), and not as damaging to innovation. It's easier for the poor downtrodden masses to file for a copyright (you don't need a lawyer to do it), and copyright is protected by common law in most cases. Patents, on the other hand, are generally available to anybody who can pay the lawyers to fill out the forms cryptically enough, and they not only prevent copying but can be used to prevent innovation by others.

The threat posed by software patents extends to Europe as well, where the EU has been considering a new law governing them. If passed there, it could be a spanner in the works for everybody. As Simon Phipps says: "Without a legal protection for standards against retrospective attack by software patents we will suffer death by a thousand gold-diggers as we try to navigate into the massively-connected future."

There are two ways to fix the disconnect between patents and copyrights. The first way is to unify the patent and copyright systems, either by some sort of shared knowledge base (or by patent inspectors using a search engine to look for prior art as part of the patent approval process, which they rarely do). But as Otter said in Animal House, "that could take years, and cost millions of lives."

The other way is simpler: ban software patents. Period. And that's a move I can get behind.
4:45:52 PM

 Friday, September 5, 2003

Termination Dust for Web Apps?


The victory of Eolas in its patent-infringement suit against Microsoft--to the tune of more than a half-billion dollars--is knocking the rest of the Internet software industry (and the open source community) for a loop. Eolas' patent, licensed to it by the University of California system, covers web "plugins" and "applets"--any software that runs inside the web browser.

As a result, Microsoft is going to have to rewrite parts of Internet Explorer. The changes will impact any company that depends on client-side code in web applications--like Java, ECMAScript, JavaScript, Quicktime, Flash, RealAudio...the list is a long one. It could affect Netscape and Mozilla, too, as they have plugin implementations of their own. And W3C standards could be thrown into a crisis as well, as the "OBJECT" and "SCRIPT" tags in HTML (as Noel Bergman pointed out in an Apache mailing list) may be seen as in violation of the patent.

When software depends on standards to advance, how does it go anywhere when software patents can be used to essentially hold standards hostage?
3:15:20 PM

 Wednesday, September 3, 2003

Stick that in your pipe and syndicate it


My old colleague Steve Gillmor apparently got a lot of grief about his RSS obsession, thanks to a posting by the Scobleizer (there's a reason he's got that nickname, after all). Without context, Steve's RSS boosterism may seem to border on the bizarre to some. But it's easy to understand once you put all the other pieces together.

For those of you who haven't been fully indoctrinated yet, RSS (which, depending on which faction of the XML wars you belong to, stands for Really Simple Syndication or RDF Site Summary) is an XML format most commonly used to "syndicate" content (usually web content, as in news "feeds" or weblog entries)--as part of a paid or free subscription to a specific content source. RSS "feeds" are pulled in by a piece of software and rendered for a user to read directly (as with RSS newsreaders like AmphetaDesk and Ranchero's NetNewsWire, and blogging software like Radio), or processed to be posted to a web page.

At least, that's what they're used for now. Because of the way they work, RSS feeds could conceivably be the delivery vehicle for any number of things. Radio already uses them to deliver media downloads--subscribe to, for instance, Adam Curry's weblog feed, and you'll get an occasional video "enclosure" download to your hard drive.

In fact, RSS is potentially a great way to deliver web services to users' desktops as well. What if they were used as the subscription vehicle for web services--to, say, syndicate an interface to a movie schedule database, or a context-sensitive connection to an online bookseller?

There's already a similar implementation of a "channel" based content delivery system that's widely distributed: Sherlock in Mac OS X 10.2 uses "channels" to deliver web services to the desktop. Sherlock uses an Apple-specific API for its web services that governs how they're presented on the client--but what if that information were just provided in the description tag for an RSS feed item, and the link was to the backend web service instead of Joe Blow's latest weblog entry? There are already some web services being delivered as RSS. An early example of this is Google Alert (which uses the Google Web APIs to generate an RSS feed of a specific Google search, updating it daily); Radio allows users to do something similar with its "Googlebox" code.

Amazon already has an "associate" program that uses links from other people's websites--but what if it delivered a web service-based front end, through an RSS feed?

Or, what if Microsoft issued all of its security patches via an RSS feed that was consumed by the OS itself at start-up?
10:46:44 AM