It's been a while since the last IT Strategy
Letter, so there's a lot to catch up on.
IT Conversation: Rick Chapman's "In Search of Stupidity".
In 1982 Tom Peters and Robert Waterman kicked off the modern
business-book era with In Search of Excellence. Their book
was a runaway best-seller. But now, 21 years later, many of the companies
they profiled (Atari, Data General, DEC, Lanier, NCR, and Wang)
are only memories. The reasons? In some cases: stupid marketing
tricks.
Rick Chapman (with "the resume from hell") has the dubious distinction
of having worked for some of the most infamous flameouts of the
'80s and '90s: MicroPro, Ashton-Tate, IBM, Microsoft, Novell, Sun
Microsystems, and many others. And he's decided to tell all. Name
names and no holds barred.
A common mistake Rick documents is releasing competing products.
Remember MicroPro's WordStar and WordStar 2000? How about
NetWare and UnixWare, both from Novell? Even Microsoft made this
blooper when Windows 95 and NT were simultaneously pitched as the
latest and greatest operating systems.
With his unique sense of humor, Rick shares some of the lessons from his new book including Data General's DG One, the first laptop computer complete with "an amazing screen that was so shiny you could comb your hair in it."
He also describes some of the train wrecks about to happen: Microsoft's Software
Assurance Program and high prices that open the door for Linux.
Software pricing hasn't followed the rapidly declining cost of hardware.
Customers and box-makers aren't happy that the OS and basic apps
are now such a high percentage of the cost of a new system. And
all of this makes the SCO vs. IBM lawsuit over Linux and Unix System
V all the more interesting.
[I apologize that the audio quality of this IT Conversation
isn't great. I'm still debugging the new studio hardware. The good
news is that I've just found a big part of the problem. The bad
news is that I didn't find it before recording Rick's interview.]
Schneier:
Beyond Fear. Security guru Bruce Schneier didn't accept
my invitation for an interview on IT
Conversations (he's aiming for the mass market, not IT professionals),
but since I'd already read his new book, I thought I would at least
post a review. Beyond Fear--Thinking Sensibly About Security
in an Uncertain World has the potential to become an important
book if it can get the attention it deserves. The title is accurate:
The book is about fear and (un)certainty.
Bruce has been thinking about what security really means in virtually
every aspect of our lives--not just in the IT world from which he
comes, but in airports, digital identity, our homes, banks, cars,
and for our states and nations.
What impressed me most was the range, depth, and sheer quantity
of examples Bruce has found to support his ideas. I don't know if
these are little factoids and anecdotes he's collected over the
course of his distinguished career, or whether they're nuggets he
uncovered just for the book, but I would guess the former. The book's
real value is in the richness of these examples. Here are a few
text-bytes I highlighted in preparation for the prospective interview:
- Objectives. "If the goal of security is to protect against yesterday's attacks,
we're really good at it."
- Tradeoffs. One of Bruce's previously used examples is of the
produce vendor who displays fruits and vegetables on a stand in
front of his store. The risk that some will be stolen is mitigated
by the additional business they attract.
- Reality. "More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk."
- Agendas. "Did you ever wonder why tweezers were confiscated
at security checkpoints, but matches and cigarette lighters--actual
combustible materials--were not?...If the tweezers lobby had more
power, I'm sure they would have been allowed on board as well."
- Freedom. "The world's liberal democracies are the safest societies on the planet."
- Insurance. "It allows the store to convert a variable-cost risk
into a fixed-cost expense." [That was an Aha! for me. Bruce doesn't
buy theft insurance, BTW.]
- Civil Liberties. "When the U.S. Government says that security
against terrorism is worth curtailing individual civil liberties,
it's because the cost of that decision is not borne by those making
it."
- Fear. "...people make bad security trade-offs when they're scared."
- Transitive Trust. "If you trust Alice, and Alice trusts Bob,
that does not automatically mean that you trust Bob...When trust
must be transitive, it creates brittleness." [Think about those
SAML-based apps, eh?]
- Complexity. Complex systems have even more security problems when they are nonsequential and tightly coupled.
- Weakest Links. "The system didn't fail in the way the designers
expected."
If, like me, you nod in agreement as you read the above, then buy and read Beyond
Fear. You'll enjoy it.
Posted Tuesday, September 30, 2003 11:22:44 PM
Information
Week: Web Services Drivers. As part of their annual survey,
Information Week asked executives of the IW 500 about web-services
drivers:
[Source: September 22, 2003 issue of Information Week]
Posted Thursday, October 02, 2003 10:35:03 PM
Yendluri:
Web Services Reliable Messaging. Prasad Yendluri, principal
architect at webMethods, has written this good look at the issues
surrounding reliable-messaging protocols. He begins with the objectives
and explains why, in a multi-hop architecture such as will be typical
for web services, we need protocols that operate at a level above
the hop-to-hop transports. He then describes the prior art of RosettaNet,
BizTalk, and ebXML.
The meat of the paper is a good and detailed presentation of WS-Reliability,
of which webMethods is a co-sponsor to OASIS. Finally, Yendluri
explains the differences between that protocol and WS-Reliable Messaging,
proposed by IBM, Microsoft, and BEA. He says it's "a hurried response
to the WS-Reliability specification...[one for which] the authors
of the specification reserve all intellectual property rights...[and
that it contains] dependencies on other proprietary specifications
such as WS-Policy...Despite any potential merits and new concepts
introduced by WS-Reliable Messaging, the specification is plagued
by intellectual-property issues associated with the specification."
The paper contains valuable explanations and examples, but consider the source with regard to the politics. [Source: webservices.org]
Posted Tuesday, September 30, 2003 9:04:39 AM
Siebel:
Software-as-Service = Failure? Tom Siebel, CEO of Siebel
Systems "...is being forced to eat some more humble pie. The company
plans to announce today that it has entered a partnership with IBM
to offer its software over the Internet as a low-cost monthly service.
The move comes barely two years after the company abandoned a previous
attempt to do the same thing amid statements by Mr. Siebel that
generally dismissed the concept."
"'Three years ago there was very little market for this,' Mr.
Siebel says in an interview. Now, though, he says changes in technology
and in corporate buying patterns mean 'this is the way software
is going to be delivered in the future.'"
"'Salesforce.com is eating their lunch at the bottom and even the middle of the market,' says Amy Wohl."
This is a watershed event. When the big-name naysayers admit they're
wrong, you know web services have turned a corner. [Source: Last
Thursday's Wall Street Journal (print edition)]
Posted Friday, October 03, 2003 8:31:53 AM
PC
Magazine on Web Services. If you doubt that web services
have hit the mainstream, consider that the venerable PC Magazine's
October 1, 2003 issue contains a full 10 print pages on the topic.
And that's out of an issue that's only 150 pages total.
Posted Thursday, October 02, 2003 10:42:55 PM
Kaye:
Web-Services Security. We (vendors and users) have focused
our efforts on web-services security around the protocols, application
firewalls, etc. But as we deploy external web services--in which
we share information with parties not under our control--the real
issue becomes one of trust. How (if at all) can you be sure that
an external party will treat your information with the degree of
confidentiality you require? Even if it's agreed to contractually,
how can you enforce it, and how can you be confident your data is
safe? I don't have the answers (sorry) but I believe this is the
real issue that's been largely ignored. Using the world's latest
and greatest encryption and security-assertion technologies doesn't
mean a thing if the party on the other end doesn't play by your
rules.
Posted Thursday, October 02, 2003 1:08:56 PM
Cutler:
Web-Services Standards Status. On the W3C's Web-Services
Architecture mailing list, Roger Cutler posted this status report
of most of the web-services protocols. In case you're curious where
we stand as of 1 October 2003.
Posted Wednesday, October 01, 2003 9:51:05 PM
Kaye:
A Continuum of Services. I've been thinking about this scale
of service architectures:
- Wrappers
- URI-based GET/POST interfaces (e.g., REST)
- SOAs
- Orchestration
What are the properties that place these concepts on a continuum? For one,
this is the sequence in which most IT shops are implementing web
services. It also tracks the scales of tight-to-loose coupling and
the availability of supporting technologies.
Posted Tuesday, September 30, 2003 11:35:42 PM
Baker:
SOAs are more loosely coupled than REST? Mark didn't let
me down. I was confident I'd hear from him regarding the above Continuum
of Services post on my weblog.
Mark and I have had an ongoing discussion about the looseness
of REST. I say it's somewhat tightly coupled--certainly more tightly
coupled than SOAs. Mark believes the opposite. When last we left
this debate, Mark referred to DNS as (one of) the mechanisms by
which REST uses delayed binding to keep coupling loose. In response,
I explain (perhaps not as clearly as I should) how the very idea
that information is tied to a single location--even if that location
can change--is already a tightly coupled concept.
In a loosely coupled SOA, information passes from one service location
to another. The information is contained within documents, which
may not have a permanent home. REST requires that information be
located at one unambiguous location. The physical location may change,
but the address (specified by URI) may not. I believe that's too
inflexible and tightly coupled a model to support loosely coupled
processes.
Posted Wednesday, October 01, 2003 3:25:02 PM
Loosely
Coupled--Now Available as a PDF (at a 63% Discount)
- Entire book: US$14.95
- Major parts (4 total): US$5.95 each
- Individual chapters (21 total): US$1.95 each
As an alternative to the hardcopy edition, you can now download
my latest book in PDF format at a substantial discount using PayPal
or BitPass. From the time you
purchase the eBook version, you have 7 days during which you can
download the content up to 10 times. The PDF files can be printed,
but the text cannot be copied or modified.
Amazon.com Review of the Week:
"This
book provides an excellent explanation of why companies should
be looking at Web services. It approaches the topic with an
honest and straightforward description of the problem space
Web services are targeted to address and the characteristics/shortcomings
of those technologies as they exist today and as they
are expected to evolve. Perfect for IT decision makers who
are evaluating how/where Web services fit in their corporate
IT strategy."
--James Snell, IBM, author Programming
Web Services with SOAP
(Read
more Amazon.com reviews.)
Lin:
Web Server Performance Myths. Regarding this 32-page PDF
paper written by Peter Lin, Don
Park wrote, "Here is a recent semi-public paper on web server
performance mentioned in a message to Tomcat developer mailing
list. Download article.zip
and read the PDF file inside the zip file. It has some interesting
discussion about web server performance myths. Here is a
choice excerpt:
[...] yahoo gets 1.5 billion pageviews a day. [...]
Yahoo uses 4,500 servers to serve up 1.5 billion pageviews each day. If we divide
that by the number of seconds in a day, we get 17,361 pageviews
per second. Assuming the load is distributed evenly across the
servers, each server handles 3-4 pageviews per second per system.
"One of the key points the paper stresses is the performance/value offered by hardware XML accelerators for XML-happy web applications. There are other choice bits in the paper, so check it out before the authors take it offline." [Source: Don Park's Daily Habit]
Posted Wednesday, October 01, 2003 8:43:22 AM
Bloggers:
The Metadata Debate. Lots of bloggers (e.g., Joi
Ito and Tim
Oren) are discussing metadata this week. I went back to my archives
and found my postings (1,
2,
3,
4)
from two years ago. Bottom line: metadata doesn't work. I've been
involved with far too many projects that depended on user-supplied
metadata as the basis for the organization of information. All ended
in failure. And it's not just me!
Posted Wednesday, October 01, 2003 7:44:37 PM
Allaire:
RSS-DATA. Jeremy Allaire has posted his thoughts for expanding
the role of RSS into data-oriented applications. I particularly
like this idea because of its support of unintended consequences.
Just like Amazon.com's and Google's web-services interfaces, I can
imagine publishing all sorts of data-based RSS feeds for others
to take and run with.
However, as folks deploy feeds of a similar nature, it will highlight the need for standardized semantic models. Right now, RSS works in part because of its relatively consistent semantics. An RSS-DATA spec leaves that issue open, but that's okay for now. Others will address application-specific semantics.
Posted Wednesday, October 01, 2003 8:36:28 AM
Kaye:
Protecting Against Spam for Web-Hosting Vendors. "Spam annoys
us all, but it threatens the very survival of Web hosting companies.
Hosting a spammer can affect the performance of your infrastructure
and your other customers. Even worse, it can put your block of IP
addresses on the known-spammer lists, which in turn could shut down
your entire operation by causing you to unwittingly violate your
own hosting service or ISP's Acceptable Use Policy (AUP)." [My latest
column for The Web Host Industry Review.]
Posted Wednesday, October 08, 2003 4:59:55 PM
Presentations, Conferences,
and Webcasts
Digital
ID World (Conference) October 15-17, 2003, Denver,
Colorado. I'm moderating a panel entitled The Role of
Identity in Securing Web Services. Panel members include
Tony Scott (CTO, General Motors), Mark O'Neill (CTO, Vordel),
John McDowall (CTO, Grand Central Communications), Jamie Lewis
(CEO, The Burton Group), and Atul Tulshibagwale (CEO, Trustgenix).
ISPCon
(Conference) October 20-22, 2003, Santa Clara, California.
Web Services Opportunities in the Data Center. Web
Services are one of the hottest topics in IT, but what does
it mean for outsourcers? In this session, I'll explain the
web-services infrastructure opportunities, and provide a
roadmap for outsourcing vendors. Tuesday, October 21, 2003,
3:00pm - 4:00pm.
East Bay
IT Group (Presentation) October 22, 2003, Pleasanton,
California. The Missing Pieces of Web Services. Not
all of the legitimate promises of web services can be fulfilled
today. I'll explore the dark side: security, transactions,
reliable asynchronous messaging, orchestration and choreography,
QoS, contracts and other business issues, infrastructure,
and the big one: industry-specific semantics. I'll also show
you how to plan the timing of your complex web-services projects.
Tuesday, October 22, 2003, 6:30pm.
ISP Exchange
(Conference) October 28-29, 2003, Las Vegas. What's Next
for Web Services? Web Services are an interesting proposition
for organizations and service providers. They have been labeled
as the technology that will revolutionize enterprise applications.
Enterprises are increasingly exploring web services to integrate
business applications. I'll give my views on web services,
and the available business opportunities for service providers.
Wednesday, October 29, 2003, 8:00 - 9:00 a.m.
Subscription
and Contact Info
The IT Strategy Letter is published weekly by RDS
Strategies LLC. Much -- but not all -- of the content is published
earlier in Doug Kaye's
weblogs.