Archive for September, 2003

The JBoss/Elba/Geronimo story, not continued (for now)

Monday, September 29th, 2003

Dain Sundstrom ditched on our scheduled interview on Friday. I had been hoping to get his voice into the piece I'm writing on open-source Java; hopefully, he'll resurface. In any case, I would think he'd want to at least comment on Marc Fleury's comments about the breakup of the JBoss team. Or not.

Well, I'll keep trying.

The Ultimate in Moblogging

Monday, September 29th, 2003

There's a growing amount of concern about the impact of RFID technology on privacy–you know, if you don't yank the tags, and the UPC-based tag is still on your person in the clothes or shoes or merchandise you're wrapped in, you may be leaving your unique consumer signature every time you pass by an RFID reader close enough to pick up the data. So, like as you go through the doors of any store, or through a metal detector, or through the toll booth…

Here's a great application for DARPA to look into for this: an RSS feed for every RFID tag issued, that updates every time the tag passes through another checkpoint. Want to know in near-realtime where a particular pair of sneakers has been? Subscribe to its RSS feed, and you could have its global coordinates posted to a dynamic weblog. Where's that kid off to? Enter the UPC code on his new pair of Air Jordans, and you'll not only know when he arrived at the mall, but potentially who with. Yowza!

[buzzword compliant/ dotCommunist]

Microsoft Monoculture meets Monsanto

Monday, September 29th, 2003

I had a phone conversation with my good friend Jeff Angus yesterday; he had read my Windows as Potatoes screed from Friday night, and reminded me that we had a similar conversation about monocultures and technology five years ago. He also suggested that maybe Monsanto was a better metaphor for Microsoft.

Monsanto has created a de facto monoculture through genetic engineering that gives customers a product that not only is derived from a narrow gene line, but is also sterile (so they can't cross-breed it with something else and correct any of its problems on their own) and guarantees post-sales support will come only from their licensed agents, spraying with their chemicals. Sure, it's easy to use, but as resistant strains of pests and weeds start to go after the vulnerabilities in the genetic/chemical firewall Monsanto has built, you're stuck waiting for their engineers and scientists to get a “patch” out in the next version of the product, which won't come out until next growing season at the earliest.

So is Windows the potato of the Internet age or the sorghum? Well, considering that Microsoft “eats its own dog food,” maybe it is more feed-quality than for human consumption.

[buzzword-compliant]

An immodest proposal: RSS configuration of networked desktops

Saturday, September 27th, 2003

Let's say everything about your desktop preferences was stored as a set of hierarchical XML fields on a server somewhere on your network. Application settings might be on other servers; “cookies” with your saved application preferences for websites on another. What if, when you were authenticated at login at a desktop (running ANY operating system), the preferences were aggregated into something similar to an RSS file and sent securely to the desktop, and an agent program used the RSS to recreate your settings as closely as possible on the particular platform you had logged into?

So, for example, if you had a set of network drives you connected to, those shares would be established over the best file service protocol available for the client you were on (NFS, SMB, Windows filesharing, AFS). Bookmarks and cookies would be configured for the browser available. Desktop icons would be linked to networked or local applications that provided equivalent functionality, with your preferences translated to them.

Most desktop strategies are monocultures. What if you could, through the application of secure web-based technology like SSL and IPSec, create a heterogeneous desktop strategy that gave you 80% of the power of the homogeneous ones? Using RSS as a vehicle, and a cross-platform agent in, say, Java, to do the client configuration?

I encourage someone to implement this model. All I want is “friends and family” status for the IPO.

Of Patches and Potatoes: Windows, Monocultures, and Bad Things Happening

Saturday, September 27th, 2003

Jon Udell, Simon Phipps, and a host of other technorati have pointed to this report, “Cyber InSecurity: the Cost of Monopoly” published by the Computers and Communications Industry Association. It makes a very simple case, based on research by the authors–that having a “monoculture” of operating systems on the Internet creates an inordinate risk.

Monocultures have spelled trouble throughout history. My ancestors who brought the Gallagher name to the US came here in the wake of the failure of a monoculture–potatoes, which supplied an inordinate percentage of the food supply, were susceptible to a fungus “blight”. The failure of potato crops had a disastrous effect that Ireland, it could be argued, only really recovered from at the end of the 20th century.

The EPA has a history of the Potato Famine on its website, which includes this passage:

Besides the horror, what unites the famines today with one over a century ago are the reasons behind them. Ireland's famine and those of the 20th century have similar, complex causes: economic and political factors, environmental conditions, and questionable agricultural practices.

Substitute “vulnerable code” for “environmental conditions”, and “business” for “agricultural”, and you've got a description of the current state of the Internet.

Windows is the potato of the Internet age. That's basically what the researchers, including analyst Daniel Geer of @Stake, were saying when they wrote, in the executive summary:

“Most of the world's computers run Microsoft's operating systems, thus most of the world's computers are vulnerable to the same viruses and worms at the same time. The only way to stop this is to avoid monoculture in computer operating systems, and for reasons just as reasonable and obvious as avoiding monoculture in farming. Microsoft exacerbates this problem via a wide range of practices that lock users to its platform. The impact on security of this lock-in is real and endangers society.

“Because Microsoft's near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow.”

After this report was published, Geer was fired by @Stake, which is a Microsoft contractor. The fact that Geer was apparently fired for mentioning the elephant in the room with him is telling. Considering the world-wide press Microsoft is making to prevent alternative operating systems like Linux from taking root, it's obvious that some folks think maintaining the dependence of the masses on the next release of Potatoes Server and Potatoes XP is essential to continuing their standard of living.

As someone who once earned his bread by installing and administering Windows NT networks, I can't help but agree with the CCIA assessment. While I use multiple computers, I now do all of my daily work (including e-mail) on one of my two Apple computers–mostly because I haven't had to worry about an e-mail worm or script attack since I started doing so. My 12-year-old son uses a Windows XP computer, which I'm constantly applying patches to. And as I mentioned in Server Not Found, constant reboots from applying patches actually killed my last Windows 2000 server in my inventory. It sits in the corner of my office, awaiting resurrection with a new motherboard or cannibalization of its parts.

The best defense against any assault is defense in depth–relying on one thing for defense is what led to the Maginot Line, and, well, we know how that turned out. Having loosely coupled, heterogeneous systems means that you can more easily ride out an assault (or a fatal bug) in any part of your infrastructure.

The main problem is increased cost of ownership–you need to have people with multiple skill sets to maintain multiple operating systems. Well, maybe. Some alternative OSs may actually reduce cost of ownership for some classes of users. If you build your applications on top of a cross-platform architecture, switching from a MS SQL server backend over to a MySQL backend won't be that big a deal. If you stick to common file formats, the cost of maintaining different office productivity apps isn't that significant (I use Office, AppleWorks, and OpenOffice within my office, on the same files, interchangeably, every day–sometimes even at the same time).

A point made by the study is that any technology monoculture is a potentially bad thing. If we had a Linux monoculture (perish the thought), we'd all be dealing with the latest Linux virus…right?

Hmm. Probably not. Because, you see, there's a big difference in that scenario–anyone can look at Linux's source code. And because of all of the different potential configurations, distributions, and revs to Linux (hell, some application binaries don't work from one version of Linux to another on the same processor platform), a “Linux monoculture” would be an oxymoron.

But here's another example–what if, say, there was another flaw like the floating point “flaw” that Intel had with the Pentium processor, or the, ahem, cache problems that Sun had with the UltraSPARC, and a vast preponderance of systems running the Internet depended on that CPU? What if everybody used the same Ethernet chip for their network interface, and it was found to have a bug that caused it to go into promiscuous mode? What if someone could, say, exploit a hole in Passport, and use it to launch a DoS on every system running MSN Messenger?

What, indeed. Potatoes may be cheap and easy to cook, but if they're what you live on, their cost of ownership can get extremely high very fast. Just ask any Gallagher you run into.

Java: more ground clearance than you could imagine

Friday, September 26th, 2003

A couple of days ago, MIT's Philip Greenspun stirred up a lot of sediment with his weblog post, Java is the SUV of programming tools. I waited for the Slashdot effect to die down before talking about this particular piece of programming politics, because Greenspun got walloped (at last count, there were 136 comments on the posting).

I am, as a non-professional who writes code when God sees fit to allow time for it, a programming pragmatist. While I like Java for some tasks, I do most of my web programming in PHP, thank you–at least partially because I don't host my own site, and very few hosting companies are comfortable with running a JavaServer Pages-enabled site. But even when I do home portal stuff, servlets and JSPs are doable–but why would I waste my time when I can do it with a little server side script?

Java 2 Enterprise Edition is not a hobbyist's toolset. I don't sit down and say, “Hey, I should write that [insert trivial application here] in Java.” Hell, it's not even appropriate for enterprise software projects with a lifecycle of less than six months. And, no matter what Sun tells you, Java is not exactly knocking anybody dead on the desktop; moving the focus of Java to the app and web server was the smartest thing the Java community ever did, because it widened the potential client system audience exponentially.

But that's not to say that Java couldn't move down into the world of trivial applications. You have to start off a little higher up the dev tool food chain than notepad.exe to make that happen, and you have to make the “include” process more transparent to developers. In fact, that should be determined at build time, not by the poor sap writing the code.

There are already some very good Java IDEs out there. But it's not just a cooler, flashier IDE that Java needs–it needs a tool that's got better property-driven components that can be rapidly assembled into applications. The key to the success of VB was the ease with which you could wire it to an external data source. ODBC and data-aware controls together, not just ODBC, made Visual Basic what it is today. Any moron with VB could create a client application that accesses a relational database.

Unfortunately, the Java IDE ecosystem has withered quite a bit over the last two years; now Borland is pretty much the only show in town outside Sun and IBM (and a personal bitch here: Borland's JBuilder for Mac is still back in version 6, while the rest of its tools have gone through 3 more generations).

The bottom line, it seems, is that Java's corporate custodians want it to be hard to use. They want it to be an enterprise tool that acts as a vehicle for consulting services; and with the increasing amount of open source Java tools available out there, they're depending on services to be what makes them money on Java. Look at IBM's WebSphere suite–it's a suite only in name, with no really clean integration of components. Some assembly required, your consultants put it together.

Greenspun's got it wrong. Java could be a sports car, or a skateboard. But the way Java is delivered to most developers right now, it's a 747, not an SUV. Companies end up with full blown J2EE servers when all they ever really run are JSPs and servlets. One corporate development manager told me that “what I need is a ball-peen hammer, but IBM insists on selling me jackhammers.”

Samba refreshes

Thursday, September 25th, 2003

Samba steps up Linux/Windows connection. The open-source development team releases an update to its Samba software for connecting Windows desktop PCs with Linux or Unix servers. [CNET News.com - Front Door]

Samba now integrates with Microsoft's version of Kerberos and with Microsoft Active Directory, through LDAP. Apparently, Microsoft hasn't totally locked down the intellectual property for the protocols required to connect to and from Windows.

Is Verisign untrustworthy?

Thursday, September 25th, 2003

Here's a question (with credit to Noel Bergman) that nobody seems to be asking: does Verisign's hijacking of unregistered domain names to pull traffic to its advertising-sponsored web pages lower the level of trust in the company? And if Verisign is less trustworthy, would you trust certificates from them (see the quote at the end of the linked article)? Should a company that can't be trusted be allowed to manage domain registration?

JBoss Boss to Geronimo: Fork You

Thursday, September 25th, 2003

There's been a lot of Java-based spin around the splintering of the team that developed the JBoss open-source Java app server this summer. Some of the developers on the core dev team for JBoss spun themselves off as The Core Developer Network LLC in August, reportedly unhappy with life under the JBoss Group flag. Then their access rights to the code versioning system were cut off. The result was a “fork” in JBoss' code–JBoss Group continues its development, and the JBoss team at CDN continues on a separate path, now called Elba (since JBoss is a trademark of JBoss Group's Marc Fleury).

Elba was originally intended (by the CDN crew) to be an effort to incorporate The Apache Software Foundation's Geronimo Project with the JBoss code; now, it's a placeholder (and source of revenue) for CDN while it contributes to Geronimo itself, independent of JBoss code. Geronimo is to be Apache's Enterprise JavaBean (EJB) server, which it hopes to certify with Sun as J2EE-compliant. The Apache Software Foundation is in no way connected to Elba–and wants nothing to do with it.

Meanwhile, The JBoss Group is trying, now, to get certified itself. Bob Bickle, once of Bluestone and then of HP Middleware (killed by Carly Fiorina post-merger), is now the VP of biz dev for JBoss, and he, as he put it to me today, “drew the short straw” to negotiate certification licensing with Sun. He says the move was driven by a change in JBoss's user base (more actual deployments by businesses); others outside the company suggest that the real reason is to get certified before Geronimo.

Clearly, no love was lost in the breakup. Marc Fleury said to me today in a phone interview: “The two guys working over there (Geronimo) were mediocre guys at JBoss.” He suggested they were purged because they weren't up to the transition of the project to “professional open source.”

Once again, McNealy disses software (sort of)

Monday, September 22nd, 2003

In an interview with CNET, Sun CEO Scott McNealy once again goes back to his “software is a feature” attitude, despite his company's apparent interest in making money off software:

“This is why I crack up when I learn my third-grader's learning how to program. I want to go in and tell them, are you teaching him how to program a telephone switch, too? Or work a nuclear power plant? It's just a continuum. We've always done piece parts because people like to buy the piece parts. But now open interfaces, standard building blocks, and providing integratable alternatives to the welded-shut Microsoft hairball, people are getting more and more comfortable buying less mechanics and more assembled fixtures.”

Uh-huh. Well, I guess Scott's kid won't be building those fixtures.

But, seriously, I understand the “vision thing” that McNealy is trying to spin here; it's the software component-driven world we all thought we would be living in by now, that Sun tried to execute (poorly) with Java Workshop 1.0 in 1997 (or whenever that was). Unfortunately for Scott, that's still the world inhabited by George Jetson–and not us.

While the vision McNealy promotes is of information systems consumers not needing to know how to program, the reality is that somebody still has to play around under the hood to put the building blocks and interfaces all together–or even set them up properly. Packaged software, bundled hardware and software, and so forth are certainly available, but they often end up causing as many or more organizational problems for the companies implementing them than they solve. The return on the investment in these pre-formed slabs of software and hardware isn't exactly great, either. (Seen a happy Siebel or SAP customer lately?)

Grid computing is a wonderful thing, to be sure. Application dial-tone, fire-and-forget business apps, buzzword, buzzword, buzzword. There's just one problem–once you've got all this stuff, and you've installed it with default settings, how the hell do you get any differentiation out of your use of it from your competitor who set up the same system? How do you extract additional value from your leased compute cycles, virtualized storage, and packaged business logic? And how do you make your company dynamic once you've tied your strategy to any-color-as-long-as-it's-black product cycles?

I don't want my fourth grader to have to learn how to program a nuclear power plant, Scott. But I want him to learn logic, and programming technique at some point in his school career, so he can navigate the stupid menus to program a VCR. And I want him to be able to find a better way to do things than the losers fine people who build the interfaces and embedded software and operating systems that we're currently enslaved by. Software matters; programming matters, just as you argue IT matters. Making electrons jump on command is an essential part of making things work better, faster and cheaper, and you know it.

Let's look at the automobile analogy. You once said something like, “Nobody goes out and buys software for their right turn signal.” True. But there are two kinds of car owners out there–users and enthusiasts. Enthusiasts do everything they can to tweak the performance of their car, buying aftermarket kits and tinkering under the hood. Look at what happened to GM's J-car series when it got into the hands of these people, and you'll see what I mean–they made cars from the base car provided by GM that were better than anything GM's design team could come up with.

That's why “open interfaces” and “standard building blocks” may become the accepted baseline of IT–but who still buys the base model? There will always be a need, and a desire, for software jockeys to go under the hood to get that little bit more efficiency out of the system to get that much more of a profitability edge out of the IT investment. There will always be businesses that the standard building blocks don't fit. And there will always be another set of holes in those standard building blocks that need patching.