Wednesday, November 29, 2006

Software as a Service

Last night Hugh Brien gave an interesting presentation on An Introduction to Tenant Based Software. By this he meant that applications live as a “tenant” in a larger infrastructure. He used Salesforce to illustrate how Software as a Service could be offered in such a way that individual users could use it to build their own custom applets. (Or at least that is how I understood him.) I will be writing more about his presentation next week.

In the meantime, here is one gentleman who is greatly underwhelmed by all the talk about SaaS.

About the author

My LinkedIn profile.

Presto Vivace tags

Presto Vivace Diggs

Tuesday, November 28, 2006

Pitching bloggers

Blogger Relations 410 and Pitching Blogs have aggergated a collection of terrific links on this important part of our work.

I am pleased to say that my own classic post on the topic is included on both blogs.

Some observations regarding SOA security

IASA meeting, November 17, 2006

Dr. Craig Miller spoke about Service Oriented Architecture (SOA) and software security. He began by making some general observations, pointing out that the distributed applications in the eighties, were similar to SOA.

Miller said he had been an early advocate of web services, having persuaded his previous employer, Proxicom, to offer web services.

Miller emphasized that security is a fundamental attribute of an application, not something you add on to an application software after you have finished building it.

He said that SOA can be defined in terms of technology or in terms of architecture. Currently, Gartner has a chart that shows SOA at its the height of its curve of adoption, suggesting that a crash is imminent. Miller said that this was probably true of SOA as a technology, but that SOA as an architectural topology is inevitable.

Here, Miller gave an outline of the history of IT architecture:
1) unconnected systems
2) spaghetti architecture -- point to point connectivity
3) hub and spoke -- data warehouse at the center
4) data bus -- moving data around with technologies like EAI
5) application bus -- SOA: robust standards

Miller described SOA as a continuing initiative; no one builds an organization around it.

SOA can be understood as a bunch of web services with a bus providing connectivity. Each web service does something small (such as extract the balance of an account); the application orchestrates the services through business logic.

Miller predicted that the web services part of this will be outsourced, with the bus and process logic done locally, because that is the more agile approach.

In a SOA system, the points of connectivity are points of vulnerability. Here, Miller said that software breaks more than anything else, that “crap” is the technical term.

Miller outlined the principles of network architecture as opposed to application software:
- componentization
- standardization - interface is rigid
- management (monitoring)

Here, a member of the audience pointed out that network software is simpler than application software. Miller agreed that this is true, but that network software offers lessons for applications software.

Miller said currently we don’t manage monitoring well in application software and that SOA facilitates monitoring by watching how often the bus calls for which web service and how the web service is used.

He said the industry has gotten over the point where everybody thought they could own the universe; we are now getting vendor independent standards. Here, he showed a diagram representing SOA structure:


Miller said SOA succeeds because of the business imperative. With the Internet we already have ubiquitous connectivity. The Internet has also pushed us towards vendor independent standards.

The essential vulnerability in SOA is all the points of connection (between the individual web services, the bus, and the application).

Here, Miller offered a brief survey of the different approaches to security by the two standards organizations: W3C and OASIS.

W3C key web services security standards:


multipole security token format
trust format
signature formats
encryption technologies
end to end messaging

XML access control markup language:
encode XML rules for access
chief standards issue is many
tree of entities -> rules for access

Miller said XRML syntax has been described, but that he has not seen it implemented.

Individual web services can put limits on the way that they are invoked by means of message tokens.

Miller was enthusiastic about the SAML tool kit, saying that it allows you to do virtually anything.

The OASIS view of security: identification & authentication, data integrity, and data confidentiality.

Miller said that message uniqueness is profound in SOA; how do you know you haven’t seen this message before? For example, you could send a message, “give me $100” and then keep repeating that message. The software has to know it has already received the message. The insertion of a nonce is one way to address this.

Miller was emphatic that SOA does not obviate the need for software security. Here, he offered another slide illustrating the reality of SOA architecture:

osc bss orchestrate bs
the bus
web service/ web service/ BULA (big ugly legacy application)

He made the point that most SOA systems involve Big Ugly Legacy Applications. Loops that go past the bus, usually tying Big Ugly Legacy Applications to the system, are vulnerabilities. I asked if the value of web services is not precisely because they glue together big ugly legacy applications. Miller agreed that this was so.

Miller said that the things that make code ugly are bug fixes; clean code is code that has not been debugged

Miller listed the factors driving emerging technology as bandwidth, processor speed, memory (RAM), and storage media. He pointed out that his digital camera has a 128 MB flash card. He also said that distributed storage technology was the most unexploited technology.

Note - in an email sent after the presentation, Miller said, “Web service security can be enforced in two ways -- the infrastructure can enforce rules for publication and subscription, or individual services can enforce security based on message tokens. Both can be useful. From the perspective of elegant design, I like to embed the security in the infrastructure / messaging layer rather than leaving it to the author of the individual service. It is easier to monitor it there, and I firmly believe that monitoring is a fundamental aspect of web service security.”

Wednesday, November 22, 2006

Simulation and Virtual Reality

Notes from the November 15 Nova IEEE Meeting

Dr. Jim X. Chen offered a survey of the research projects at the computer graphics laboratory at George Mason University. I have read a great deal about virtual reality, but this was the first time I had heard from someone actively working in the field.

Chen opened his presentation with a description of his work on the simulation of fluids. He explained that fluid dynamics is too complicated to simulate, but a simplified model achieves the same effect. With his model he was able simulate the waves created by the back of a boat. Similar concepts were employed in simulating the dispersal of dust created by a car driving across the desert.

Next, Chen described his work in what he called edutainment - learning through playing. Chen builds systems that use virtual reality to teach real world concepts. For example, students see a visual representation of a magnetic field to understand how magnetic fields work. Animations create physical representations of physics equations, helping students retain knowledge. Multi-User Virtual Environments (MUVEs) allow students to explore digital museums.

Chen has built a system for creating custom models for knee surgery visualization. First, a virtual model is built from MRI images. This is important, because MRI images are in black and white. Then, calculations are made for the forces on the joint. Then, a virtual model can be created for surgery visualization. This allows a surgeon to visualize the surgery before it is done on the actual patient.

Building a virtual ear surgery system, including temporal bone construction, is more complicated. Because of the fine detail, it is not practical to use MRI images. An actual specimen was used to create a virtual model. A haptic device allows surgeons to train in a virtual environment.

Chen described his virtual human anatomy and surgery system. Students can see cross sections of entire systems (skeleton, nerves, etc.) in natural color. There is a human parts browser to assist study.

Adapting the business model

Newspaper Firms Join With Yahoo in Advertising Partnership

Let's hope this is successful. We need prosperous newspapers.

Tuesday, November 21, 2006

What is a nounce?

Nonce: A randomly chosen value, different from previous choices, inserted in a message to protect against replays.

Now you know.

SOA adoption

At last week’s IASA meeting the chapter president asked the audience how many of them were using service oriented architecture (SOA) in their work. Only five raised their hands. This surprised me because I have been hearing about SOA for years. When asked about enterprise service bus, only three raised their hands.

Clearly we are still in the early adopter stage.

Contracting humor

Fun with acronyms.

The ESP Game

Image Labeling for Blind Helps Machines 'Think'

For the blind, the only solution is for each image to be labeled with an accurate description for the screen reader to say aloud. But few Web site designers do that.

That is why researchers are studying ways to tap the powers of the Web to have ordinary users label great numbers of images. Asking people to label image after image, however, is asking them to become bored quickly. To make it less tedious and more fun, Luis von Ahn, a computer science professor at Carnegie Mellon University, has created the ESP Game.

Two random visitors to are matched up and shown a random image, which they are asked to label. They cannot communicate. When both provide the same label, they win points. At the same time, computers are associating words with images, a valuable service for the blind.

This is just brilliant and moves us closer to the semantic web.

During the Clinton administration the federal government required all federal websites to be handicapped accessible. It is just a question of time before all American businesses are required to have accessible websites. Don’t wait for the government to hit you over the head. Be a good guy, adapt your website so it is accessible.

Note - I know Blogger blogs are not accessible. It is one of the many reasons I don’t like Blogger.

Wednesday, November 15, 2006

Notes from the November 14 NovaJUG meeting

Enterprise-class Java applications by clustering the JVM with Terracotta

Of all tech meetings I attend, NovaJUG’s are the most difficult for me to follow. I have decided just to reproduce my notes from the presentation. I hope my programmer readers will find them useful.

Ari Zilka presented on Terracotta’s clustering technology. Some highlights:

- Zilka said he believes Terracotta is the first to use transparent clustering at a high level.

- Clustering is not about shared memory

- Terracotta’s code is free, it is supported by a subscription service.

- cluster is above Java Virtual Machine and below the application

- clustering in runtime offers more control

- Terracotta 2.2 is due for release on December 4

Here Zilka made a demonstration of Terracotta with two Macs where two users moved images/objects on the screen simultaneously.

Zilka made some general observations about Java technology:

- Java specification is good; Java uses a strict & valuable set of semantics

Concerning Java serialization:
- language should work the way we were taught in the book
- object identity and pass-by reference
- coordination between threads

- return same reference to same object: map dot put = map dot get

- with serialization objects are moved across applications, you lose trust

- Terracotta clusters at runtime

- stateless programming - because operators can shut down neatly

- load balancing is good; but balancing at application level consistently is best

- with Terracotta you can write to stateful and run in statelessness

- managed runtimes relieve developers (example, memory management)

- Why runtime management is better, you can see patterns of activity, example, who accesses what information and how often they access it

- Terracotta put (serialization) get (deserialization)

- serialization perturbs the domain model

How API based clustering impacts simplicity
-scale out solutions relay on Java serialization
- perturbs the domain model
- adds new coding rules

Locality of reference
- database object not local for processor
- if an object can move then one must map
- must be able to lock object

- handles the getting and putting in the map
- you can trust equality
- no API
- almost no code

Terracotta instrumentation
- map level memory, read/write operations
- network based clustering with consistency
- transparent to business logic

- Bytecode instrumentation

AOP style control; does anyone have this object before I create it and if so, what is the address?

- no peer to peer in Terracotta

- Control cluster server knows who has the lock

- clustering to the heap

- heap level replication - share object
- ACID Replicators - no new exception or error scenarios
- central storage - keeps application state across restarts
- communications hub - manage shared objects
- virtual memory
- coordination

- stateful applications/stateless server

- Terracotta saves each field of each object

- JBoss is not ACID compliant; Terracotta is

- Terracotta shell servlets invoke Java for you

- stateless - kill any node - and still pick up where I left off

- logical extension of your heap

- Hub & Spoke -> scale the hub
- field level changes -> batched
- network overload -> runtime optimized

- Terracotta should be used with Hotspot 1.4 or 1.5, it works with Tomcat, WebLogic, Spring, and Weflow

Monday, November 13, 2006

Taking credit for success

There is such a thing as overdoing it.

The American election

Among the winners were those who specialize in preparing clients for congressional hearings, crisis communications, and corporate reputation repair. Get ready for subpoenas!

New home for D-Ring PR

The D-Ring has a snazzy new WordPress blog. For some reason I can't persuade my Tech on the Potomac blogdigger group to grab the RSS feed.

Thursday, November 09, 2006

It is a little like speech writers

Jim Horton asks why few care that politicians are paying bloggers openly.

It is precisely because politicians are doing this openly. Not only is this reported on an American politician’s FEC disclosure form, hiring bloggers is publicly announced. Bloggers write for the campaign’s official blog or disclose their relationship on their blog; sometimes a disclaimer statement appears at the end of each post. There is no question of sailing under false colors.

Protecting your data

Web 2.0 Confab Takes Aim At Closed Platforms

The Talis Community License aims to describe a more flexible, Web-friendly set of database rights than the current legal default, just as the Creative Commons License offers an alternative to traditional copyright protection and the GPL offers an alternative to restrictive software licenses. Talis is the brainchild of Ian Davis, a developer and technical lead of the research group at library software vendor Talis; he released a draft of the license in April.

As companies and individuals wake up to the implications of who controls their data, the importance of this issue will continue to grow.

Wednesday, November 08, 2006

New to me PR blog

the hubbub

Needless anxiety

When blogs put brands at risk

For companies worried about how consumers and activists view their business practices, these new media channels present a fresh challenge, undermining a traditional command-and-control approach to corporate communication and reputation management.

If you are running a profitable company you must have happy customers. Some of them are probably blogging about their positive experiences. A check of Technorati may reveal pleasent surprises.

Firefox and GMail are two examples of products that benefited from blogger evangelism. PR shouldn’t be so afraid of the big bad blogosphere.

Tuesday, November 07, 2006

It's election day in the United States

Today the Board of Elections in all fifty states is coordinating statewide network of election officers, voting machines, and all the logistics of democracy. They will be doing so in an atmosphere of unprecedented suspicion. This is long and difficult work. In Virginia election officers must arrive at the polls by 6:00 AM and stay until the votes are counted.

Though out the day local boards will field questions and deal with the inevitable controversies of what after all is a contest of power. The level of tension is very high.

After the polls close their website's site traffic will spike. Civil service IT personnel having working hard, testing their systems to prepare for the flood of traffic.

It is a remarkable process.

New Communications Forum 2007

March 7-9, 2007 • The Venetian Hotel • Las Vegas

They're going to offer workshops on podcasting and video casting along with everything else. I am going to try to go this year.

Monday, November 06, 2006

The voting machine PR debacle

Ever since the 2002 election serious questions have been raised about the reliability and security of the e-voting machines. Last Thursday HBO ran a documentary about the problems with Diebold. Now Hacking Democracy is available online.

This week’s issue of Federal Computer Week has a long detailed article about the continuing problems with the voting machines.

These companies have consistently failed to address the concerns raised by their critics. Indeed they could not have conducted themselves worse were it their purpose to dirty their reputation. Whatever profit they derive from the sales of these systems cannot possibly be worth the damage to their corporate reputations.

Friday, November 03, 2006

IASA Meeting on Securing SOA

IASA Mid-Atlantic Chapter

Thursday November 16th, 6-8 pm

Topic: "Securing SOA"


Integration has been the Holy Grail in information technology from the time the second program was written. Over time we have explored several different architectural models for integration and many different technologies. The scrap heap of IT history is littered with approaches that failed technically and technically brilliant approaches that did not capture the market. Despite a long history of failure, we have doggedly pursued the objective, because the imperative for integration in compelling and the cost of a failing to integrate is overwhelming.

We are now driving to integration through SOA. Through the evolution of ubiquitous connectivity based on internet protocols and vendor-independent standards with integration we are seeing much greater success than in prior efforts. SOA works, the case is compelling, and the rush is on. There are challenges, however. First, there are degrees of SOA, with huge implications in terms of cost, performance, and risk. Second, building SOA requires fundamental changes in organizations and processes. Focusing only on the technology is a prescription for failure. Finally, SOA is a very
different animal from a technical perspective. The standard point of attack on a system is at the interfaces, and SOA is all about interfaces. SOA is a target-rich environment.

Craig Miller will talk about his experiences in building SOA at the enterprise scale. He will talk about his personal experience with a small pharmaceutical company (Cubist), a large health insurance company (Wellpoint) and ongoing work with large internet security brokerage. All defined and approached SOA in their own way.

The Troubling Trends of Federal Procurement

ll R. Aitoro , VARBusiness

"The Troubling Trends of Federal Procurement." That title for the procurement policy survey published by the trade association Professional Services Council (PSC) and accounting firm Grant Thornton says it all. Thanks to conflicting strategic procurement initiatives, an insufficient workforce and skepticism from government agencies about collaboration with the private sector, federal procurement faces challenging times.

For the third time since 2002, PSC and Grant Thornton surveyed federal officials about their views on procurement policies and practices. Respondents included 37 representatives from myriad civilian and defense agencies. ...

... According to the Federal Procurement Data System, government purchased more than $374 million in goods and services in 2005, which equals about 45 percent of the annual discretionary budget. That's compared to $200 billion five years earlier. Such a market swell has left the acquisition community scrambling to adjust, often without necessary resources or support from those on Capitol Hill. The number of acquisition professionals in 2005 was 125,779, a 10 percent decrease from 1996, despite a 108 percent increase in dollars spent on purchases and 2 million more transactions completed.

This is an execellent article which explains how one goal can conflict with another.

A bad combination

Meth, Classified Docs and Nukes