8.31.2007

Worse than failure

While on the subject of funny posts, you should add "Worse than Failure" to your RSS subscriptions. This blog, run by Alex Papadimoulis, documents some of the strangest goofs in the world of software development. Often, he runs great stories about death-march projects, or the Dilbert-like world of enterprise development.

The best stuff, though, is the screen shots, such as the one pictured from BEA Systems (in his post, "How Helpful Was This Bug"), where BEA asks users to rank whether a bug was extremely useful, very useful, somewhat useful, not very useful, or not at all useful. Many of the screen shots show hysterical typos, wacky code snippets, or reveal debugging info or incomplete features in shipping software.

Some good posts:

A Perfect Score
That Internet Over There
Windows in Jeopardy
Makin' Funds
Securing Secure Security (a really good one)
Overwhelmingly Negative
File... Save As... Hard Copy
Predictive, Recursive Error

As I said, perfect for adding to your RSS subscription list.

The Eclipse MLP Project

All I can say is, Ian Skerrett has written one of the funniest blog posts that I've read in a long time. Ian is the director of marketing for the Eclipse Foundation.

8.30.2007

Microsoft and the WGA failure

Many analysts, myself included, have been increasingly unhappy with the ham-handed way that Microsoft handles software piracy.

Beginning with Windows XP, your copy of the operating system has had to be validated by Microsoft in order for all its features to work… or in some cases, for it to work at all.

When Microsoft released Windows Vista, it extended its Windows Genuine Advantage (WGA) validation program, making it more obtrusive and obnoxious… and in the process, extended the philosophy that all of its software is presumed pirated, unless the customer can prove, to Microsoft's satisfaction, that it is legitimate.

You don’t have to look far on the Internet to find tales of woe, such as validated Windows Vista installations that were suddenly “unvalidated,” or systems that failed validation after hardware or software upgrades, or even after someone ran a disk utility.

I wrote about this last October in “Microsoft: Customers are presumed guilty,” but haven’t returned to the topic since there wasn’t much new to say. That’s changed, thanks to last week’s well-documented failure in Microsoft’s validation service. Here’s a forum discussion by Microsoft’s Phil Liu, program manager for Windows Genuine Advantage, about what happened.

I second the acerbic comments by eWeek’s Joe Wilcox, who writes, “I might be more sympathetic if Microsoft offered customers more ‘genuine advantage.’ But there are really no substantial differences in what Microsoft offers customers now than before WGA. The idea was to treat customers as special, to reward them for being honest by offering them extras. Instead, Microsoft has, for the most part, taken stuff that had been available to everyone and put a validation gate in front of it. Passing validation gets access.”

He adds, “Today's WGA crisis—and it is a crisis for customers that failed activation/validation and also for Microsoft—spotlights what's wrong with the piracy checks: Their very existence, and with them the presumption of guilt. I suppose Microsoft could use credit checks or security checks as examples of presumption of guilt, too. However, the measure should be Microsoft's behavior and how its customers are treated.”

For another take on this, see today's comments by veteran analyst Amy Wohl, who ponders the SaaS aspects of the validation service. She views Microsoft’s WGA failure as a SaaS failure, but specifically of Microsoft's SaaS infrastructure. Amy does a nice job of puncturing John Dvorak’s knee-jerk reaction, published on PCMag.com, attacking the whole SaaS concept itself on the basis of the WGA fiasco.

8.27.2007

The five million dollar logo

Shortly after issuing our press release for the Inc. 5,000, I received a call from Reprint Management Services, a company engaged by Inc. to license stuff relating to the Inc. 5,000 award. Why? We had pasted the Inc. 5,000 logo on our BZ Media home page, and on our press release page. We were politely instructed to either take the logo down or license it.

License? That’s right: Inc. charges $990 per company to license one version of the logo for one year, or $1,450 to license a whole package of logo versions. If every Inc. 5,000 winner chose to license just one logo version, that’s worth $4,950,000 — which is pure profit for Inc., less a sales commission due to RMS. Not bad work if you can get it.

That prompted me to look at all the cool stuff we could license. We could get a Platinum Package with lots of reprints, logo usage for a year, promotional postcards, 500 commemorative issues and a bunch of little statuettes, all for only $8,500. There are posters, suitable for framing, for $590 each. Lots of things.

We took down the logo from BZMedia.com.

By the way, BZ Media produces two awards which have logos: the SD Times 100 and the Testers Choice (from Software Test & Performance Magazine). We don’t charge any fee whatsoever for winners to use our award logos.

We're on the Inc. 5,000!

I'm delighted to announce that BZ Media LLC has appeared on Inc. Magazine’s first-ever Inc. 5,000 list, which ranks the fastest-growing private companies in the United States.

BZ Media, founded in 1999, was ranked as the 2,529th fastest-growing company in the United States, and as the 48th fastest-growing media company, according to Inc.

More about the 2007 Inc. 5,000, and BZ Media's listing, can be found at Inc.com. We have also put out a press release. It's very exciting!

8.26.2007

From SUNW to JAVA

Sun Microsystems is changing its stock symbol from SUNW to JAVA.

The symbol has been SUNW (reflecting Sun workstations, the company's original product line) ever since the company went public in 1986.

Why is Sun doing this? Because Java is a popular brand. According to CEO Jonathan Schwartz, on his blog last Thursday,

As I said, the number of people who know Java swamps the number of people who know Sun. Or SUNW, the symbol under which Sun Microsystems, Inc. equity is traded on the NASDAQ stock exchange. SUNW certainly has some nostalgic value - it stands for "Stanford University Network Workstation," and heralds back to Sun's cherished roots (in academia). Granted, lots of folks on Wall Street know SUNW, given its status as among the most highly traded stocks in the world (the SUNW symbol shows up daily in the listings of most highly traded securities).

But SUNW represents the past, and it's not without a nostalgic nod that we've decided to look ahead.

JAVA is a technology whose value is near infinite to the internet, and a brand that's inseparably a part of Sun (and our profitability). And so next week, we're going to embrace that reality by changing our trading symbol, from SUNW to JAVA. This is a big change for us, capitalizing on the extraordinary affinity our teams have invested to build, introducing Sun to new investors, developers and consumers. Most know Java, few know Sun - we can bring the two one step closer.

I disagree with Jonathan about this. Branding is good, but there's a difference between a brand and a company. The company is Sun. One of the company's most popular and powerful brands is indeed Java. But there's a difference.

• If I want to know how Java is doing, I look at Java.
• If I want to know how Sun is doing, I look at Sun.

You're not going to ask, "How's Java doing on the market today?" or "I'd like to buy 200 shares of Java," though perhaps that's what Jonathan wants you to do.

What does the stock ticker JAVA have to do with Sun's other software brands, like OpenOffice/StarOffice, Solaris, NetBeans or SPARC? Nothing. It has even less to do with Sun's hardware brands. Java is only one part of Sun, albeit a very successful one. It seems that Jonathan wants investors to forget his other products, and just focus on the Java brand.

Imagine if Apple were to change its stock ticker from AAPL to IFON (iPhone). Or Ford went from F to MSTG (Mustang). Or Microsoft changed from MSFT to WNDW or WDWS (for Windows). Or Motorola changed from MOT to RAZR. Or Procter & Gamble went from PG to PMPR (Pampers). Silly, eh? So is changing SUNW to JAVA.

A stock ticker should represent the company, not just one of its more popular brands, because investors are investing in the company, not in just a brand.

Jonathan continues,

To be very clear, this isn't about changing the company name or focus - we are Sun, we are a systems company, and we will always be a derivative of the students that created us, Stanford University Network is here to stay. But we are no longer simply a workstation company, nor a company whose products can be limited by one category - and Java does a better job of capturing exactly that sentiment than any other four letter symbol. Java means limitless opportunity - for our software, systems, storage, service and microelectronics businesses. And for the open source communities we shepherd. What a perfect ticker.

However, the message that the ticker change sends is precisely that Sun is changing its focus.

A second criticism is that this continues the trend of moving Java away from a multi-vendor community standard to a Sun-specific property. I felt this way when Sun began rebranding its Sun ONE server software as "Java Enterprise System" in late 2003. Rather than reinforcing the popular message that Sun was creating universal software and a level playing field, the JES branding exercise declared that Java == Sun. The stock symbol change now says that Sun == Java.

So, how long until Sun Microsystems changes its name? Sun still owns the name JavaSoft, which defined a Java subsidiary that the company reabsorbed in 1998.

Who uses the ExpressCard slot?

My 15” MacBook Pro contains an expansion slot. Called the ExpressCard/34, it’s the successor to the old PCMCIA slot (which, of course, means, “People Can’t Memorize Computer Industry Acronyms”).

According to the PCMCIA (okay, the Personal Computer Memory Card International Association), the ExpressCard standard is to "carry forward the benefits of 'plug-in' I/O cards to the generation of personal computer devices." There are two types of ExpressCard devices, 54 and 34; the number indicates the width of the card in millimeters.

In the old days, I used to put four types of cards into the PCMCIA slots on notebook PCs: Modem cards, Ethernet cards, WiFi cards, and carriers for digital film cards, such as CF and SD cards.

Today, I have no idea what to put into the ExpressCard/34 slot. My MacBook Pro, and most other modern notebooks, already contains built-in Ethernet and WiFi. The MacBook Pro doesn’t have a modem, but Apple sells one as a USB accessory, not an ExpressCard accessory. As far as I can tell, Apple doesn’t offer any ExpressCard accessories at all.

In searching around, I’ve found very few ExpressCard accessories on the market. Martin MC Brown, writing for ComputerWorld, discussed the Transcend solid state disc for the ExpressCard/34 slot, which could be used as a scratch disc. The SSD comes in three sizes, 8GB ($133), 16GB ($255) and 32GB ($499). It would be interesting to see if it's bootable, and if so, could be used to replace a rotating hard drive.

Other than that, I haven’t found anything compelling beyond a few wireless and networking adapters, and of course digital-film readers. What’s your experience? Do you use any ExpressCard accessories with your notebook?

Getting Paris Hilton's old IP address

IP addresses may not be renewable resources. Over coffee one day, my colleague Andrew Binstock suggested a problem I hadn't considered: Many applications and systems are hard-wired to access specific IP addresses, rather than hostnames or fully qualified Uniform Resource Identifiers (URIs). This, in turn, may be generating unwanted network or Internet traffic that probably can't ever be stopped. (Andrew says that he, in turn, heard about this issue from InfoWorld's Paul Venezia.)

I've seen examples of this myself, with applications and devices configured to send error logs via e-mail. In many of those cases, the app's control panel has a space for the administrator to specify the dotted-quad address (xxx.xxx.xxx.xxx) of the SMTP server. Months and years go by, and the SMTP server ain't there no more. Meanwhile, the app is still trying to connect to it every day so it can transmit an error log that nobody even remembers any more.

This can be a problem with public and private IP addresses. Once upon a time, most of those addresses were static. Nowadays, just about everything is dynamic.

The benefit of using URIs instead of hard-wired IP addresses is that the name is resolved each time the application connects, so the address behind it can change without anyone touching the application or its configuration. That's why best practices for Web services are to use URIs instead of IP addresses. But how many devices still have control panels that require a hard-coded IP address for the SMTP server, or for other network resources? Far too many.

In the e-mail log example above, at least someone could track down and readily fix the problem. A bigger challenge is when developers hard-code IP addresses into applications' source code. If the IP addresses are recycled, and nobody notices, someone's getting unwanted traffic, and in the error-log case, a stranger is receiving whatever the application was sending.

Andrew cited situations where a company is allocated a "fresh" IP address from an ISP, activates it, and then discovers that it's being swamped by traffic sent to that IP address from some other service. This isn't an intentional denial of service attack: the previous owner apparently wanted that traffic. However, it represents an unwanted nuisance and wastes bandwidth and CPU cycles.

It reminds me of when someone gets a new cell phone with Paris Hilton's old phone number, which some people still call. (See this Reuters story.) Or when a business is assigned a "new" toll-free number (outside the U.S., often called a "free-phone" number), and the phone starts ringing off the hook… with people trying to reach that number's previous owner. Sure, the phone numbers lie fallow for six months, but references to them live in printed brochures, databases, old magazine articles and even Web sites for years. How long do IP addresses lie fallow? I know of no policy or industry standard.

What can be done? Looking back, nothing. Looking forward, we can set policies to discourage developers from hard-coding IP addresses into applications, even during the testing phases or for exception handling. It's just not the right thing to do.
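A policy like that is only useful if something enforces it. As an added example (my own code, not part of the original post and not taken from any product), here is a small Python checker that scans source and configuration files for hard-coded IPv4 literals, suitable for a build step or pre-commit hook. The file suffixes, the constructed sample config, and the split between "public" and "private" findings are my assumptions. Loopback, wildcard, link-local and multicast addresses are skipped because they never name a remote endpoint; RFC 1918 addresses are reported at lower severity because they are reallocated by your own network team rather than an ISP; everything else, including the RFC 5737 documentation blocks used in the sample, is reported as public, since neither belongs in production configuration.

```python
"""Find hard-coded IPv4 literals in source and configuration files."""
import ipaddress
import re
from pathlib import Path
from typing import List, NamedTuple, Optional

# A dotted quad that is not embedded in a longer dotted token. The lookarounds
# reject "v1.2.3.4" and "10.2.3.4.5", which are usually version strings.
DOTTED_QUAD = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")

# Addresses that never name a remote endpoint: this host, the wildcard block,
# this link, multicast, and the reserved block. Skipped rather than reported.
LOCAL_NETWORKS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# RFC 1918 space: still hard-wired, but under the organisation's own control,
# so reported at lower severity than an ISP-assigned address.
PRIVATE_NETWORKS = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# File types to scan (an assumption; extend to match the code base).
SOURCE_SUFFIXES = {".c", ".h", ".java", ".py", ".js", ".cfg", ".conf",
                   ".ini", ".xml", ".properties"}


class Finding(NamedTuple):
    path: str
    line: int
    address: str
    kind: str          # "public" or "private"


def classify(literal: str) -> Optional[str]:
    """Return "public", "private", or None when the literal is not reportable."""
    try:
        addr = ipaddress.IPv4Address(literal)
    except ValueError:          # e.g. "999.1.1.1": an octet out of range
        return None
    if any(addr in net for net in LOCAL_NETWORKS):
        return None
    if any(addr in net for net in PRIVATE_NETWORKS):
        return "private"
    # Everything else, including the RFC 5737 documentation blocks, is treated
    # as public: an address the organisation does not control and may lose.
    return "public"


def scan_text(text: str, path: str = "<input>") -> List[Finding]:
    """Scan one file's contents; one Finding per reportable literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in DOTTED_QUAD.finditer(line):
            kind = classify(match.group(1))
            if kind is not None:
                findings.append(Finding(path, line_no, match.group(1), kind))
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Walk a source tree and scan every file with a recognised suffix."""
    findings = []
    for file in sorted(root.rglob("*")):
        if file.is_file() and file.suffix in SOURCE_SUFFIXES:
            findings.extend(scan_text(file.read_text(errors="replace"), str(file)))
    return findings


# Constructed sample configuration; not taken from any real product.
SAMPLE_CONFIG = """\
# mail and logging settings
smtp_server = 203.0.113.25            ; public address the ISP may reassign
syslog_host = 10.1.2.3                ; private, but still hard-wired
bind_address = 0.0.0.0                ; wildcard, not a remote endpoint
loopback_test = 127.0.0.1             ; this host
firmware = v1.2.3.4                   ; version string, not an address
build = 10.2.3.4.5                    ; five components, not an address
bogus = 999.1.1.1                     ; invalid octet
update_url = http://198.51.100.7/fw   ; public address inside a URL
"""

if __name__ == "__main__":
    import sys
    # With no argument, run against the embedded sample; otherwise scan a tree.
    if len(sys.argv) > 1:
        results = scan_tree(Path(sys.argv[1]))
    else:
        results = scan_text(SAMPLE_CONFIG, "sample.ini")
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind} address {f.address}")
```

Run with no arguments to see the three findings from the sample (the SMTP server, the syslog host, and the address buried in the update URL); run with a directory to scan a real tree. The regex cannot tell a four-part version string from an address, so the lookarounds only filter the common "v1.2.3.4" and five-component shapes; anything else that is a legitimate literal needs a review, which is the point of the policy.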

Say hello, new BlackBerry

Okay, I’m really hooked: I upgraded my original BlackBerry handheld device to a newer model. The upgrade was carefully considered, and was to solve very specific problems. However, the new model is significantly better than the previous one in every way.

Let's go back to before my colleague Alex Handy loaned me a second-hand BlackBerry 7230. My phone at that time was a first-generation Motorola RAZR, which I liked for five reasons: It was easy to hold/talk into, it had a flip to cover the keyboard, it had Bluetooth, it had a great speakerphone, and it was slim enough to fit into my pocket comfortably. The other features of the RAZR, like the musical ring tones and built-in camera, were not important, and I never used them.

Then Alex gave me the BlackBerry 7230. It was (and is) terrible at browsing the Web, but it did a great job with e-mail, hooking up easily to several accounts, including an Exchange server and Gmail. With a bit of work, I was also able to get it to sync with my Google Calendar. Even so, I swiftly learned that this model had three significant limitations.

• No speakerphone. This was the first feature I missed, and I missed it big time. When doing things like checking voicemail, or while waiting on hold, I much prefer to use the speakerphone instead of holding the phone up to my head, or messing with a headset.

• No Bluetooth. It didn't work with my Plantronics wireless headset, and worse, it didn't work with my Garmin StreetPilot c550 GPS, which includes a Bluetooth hands-free speakerphone for car use. (During long drives, I found myself putting the SIM card back into the RAZR so that I could use the Garmin hands-free speakerphone.)

• Too quiet. The ringer on the BlackBerry 7230, no matter how much I tried to adjust the volume, was always pretty quiet. So, if the phone was in my pocket, there was a good chance that I’d not hear the phone ring.

A few weeks ago, I’d had enough. The straw that broke the camel’s back was that I was waiting for my son to call me, and when he did, I never heard the phone ring.

T-Mobile owed me a heavily discounted phone upgrade, and the result was a brand-new BlackBerry 8700g — the model I wrote about last May. Physically about the same size as the BlackBerry 7230, it has a much brighter, higher-resolution display, and improved ergonomics. For example, it has better-placed keys for making and terminating calls. The keyboard is also colored in a way as to make the phone-pad keys easier to read; believe it or not, that really helps. Most importantly, the BlackBerry 8700g solved my three key problems:

• Speakerphone. Check.
• Bluetooth. Check.
• Loud ringer. Check. (I verified this in the T-Mobile store.)

Meanwhile, I’m benefiting from the better screen and ergonomics. The Blackberry 8700g works with both GPRS and EDGE networks, which makes it faster than the GPRS-only Blackberry 7230. The browser is still nearly worthless, however.

I have been asked, "Why didn't you buy an iPhone?" Wasn't even tempted. Why? I have no interest in changing carriers to AT&T; T-Mobile suits me fine. (I also don't want to buy a device just to hack it.) The iPhone's price is ridiculous. I have no need for a music player in my pocket. (I own three iPods, but never carry any of them around.) End of story.

8.16.2007

The odd joy of hacking

It's amazing how some people get their jollies — such as by hacking into and damaging an open-source project's Web site. As my colleague Edward Correia wrote about in EclipseSource this week, someone jumped onto the redesigned Eclipse Plugin Central site a few weeks ago, causing a service disruption and attempting to infect the site with a virus.

As Edward writes, "To what purpose?" Certainly if someone has that much creativity and talent, there are many productive uses for those skills... if they choose to apply their skills that way. But it's easier to destroy than to create.

Last week, I wrote an entry, "Poor sports," where I suggested that it's too bad that hackers aren't publicly identified and humiliated; all we hear is that "the site was hacked." We never know who did it or why. Of course, some people might thrive on that type of publicity.

Edward's article got a few comments. Here's one that stood out:

There are many types of people ("animals"), some of them would just be ethical and good by nature and some of them are evil, no matter what you plea, no matter what you teach them, no matter if you give them 10 commandments, they will stay evil! For them, strict punishments "may work." Yes, you used the right words "The Real Sickos".

And there are some who can be inspired and stopped from going into wrong path. For these, teaching and preaching is a good start to control the evil.

I think Media in general and IT media in special must start a campaign of not publicizing big security breaches and hacks, and instead preach the importance of Computing Ethics, at very personal level. Try to create an EVIL image of those who steal or destroy someone's hard work.

I guess you used very proper language in your post and I think you have the right platform to talk about this issue.

What do you think? Is it good that we in the media publicize these sorts of hacks — even if we can't identify the culprit? Or does the "publicity" that we give attacks of this sort merely serve to reward/encourage more malicious behavior?

8.15.2007

A makeover for SDTimes.com

It’s new! It’s improved! It’s the new SDTimes.com home page, the first visible result of a top-to-bottom overhaul of our Web site.

Right now, we have just a few pages redone, but our Web team is working feverishly to change not only the look-and-feel, but also add new features, create room for more content, and of course, improve performance.

The new home page, and several second-level pages, went live today. So, if you haven’t visited SDTimes.com recently, we invite you to do so. And stay tuned – we’re using an agile process that will result in new stuff appearing just about every week.

I’d like to thank Web developers Craig Reino and James Hulsmann, and Web designer Nicole Schnatz, for their tremendous work over the past months, building infrastructure, creating the new look, and making it all happen.

SCO: Right winner, wrong case

This week's news – that a judge ruled that Novell, not SCO, owned the copyrights to Unix and UnixWare – was good news for anyone who believes in open source software, and who also believes in giving customers choice. It was certainly bad news, very bad news, for SCO, and for other companies who shall remain nameless (like Microsoft and Sun) who supported SCO in its attempts to stifle Linux by bankrolling fear, uncertainty and doubt.

I’ve made no bones about it: I’ve been rooting against SCO, whose efforts to prove that IBM violated its licenses and stole its intellectual property were groundless. In particular, I’ve criticized SCO’s leadership, especially its CEO, Darl McBride, and its board of directors, for pursuing this course of action, and in the process, dooming the company, its employees and customers.

So, while I’m delighted with Judge Kimball’s ruling because it might bring this drama to a close, my problem is that I wanted to see the real issues settled by the courts. In short, Judge Kimball ruled that SCO didn’t have the right to sue IBM, because SCO doesn’t own Unix. Left unresolved, however, is the question that SCO raised in its lawsuits: Did IBM misappropriate Unix source code and put it into Linux? That question is not answered… and now may never be answered.

Over the past several years, as the lawsuit dragged out, it became evident to many observers that SCO simply couldn't demonstrate any theft of intellectual property. It couldn't, or wouldn't, show offending source code, despite endless fishing expeditions disguised as legal discovery. Many of us wanted to see SCO's claims ruled on by the courts.

If it turns out that Judge Kimball’s ruling stands, and the SCO v. IBM lawsuit is dismissed, we wouldn’t have learned a thing about the intellectual property foundations behind Linux. Instead, we would have learned that Novell apparently tricked The Santa Cruz Operation when it sold them UnixWare in 1995, but didn’t transfer over the copyrights or all the IP. We also learned that when The Santa Cruz Operation went to sell UnixWare to Caldera (later renamed SCO Group) six years later, Caldera didn’t buy what it thought it was buying. In other words, the judge essentially ruled that Caldera was sloppy on the UnixWare acquisition in 2001 — and that has nothing to do with Linux.

So, despite what many are saying, this wasn't a victory of "open source" over SCO. It was a victory of Novell over SCO about the terms of a 1995 business transaction.

To reiterate: I'm happy that this case appears to be winding down. SCO has behaved churlishly, making many claims about IBM, DaimlerChrysler and AutoZone that ultimately it couldn't substantiate. SCO's managers, and the investors who financed the company hoping for a big lawsuit payday, deserve to go down with the ship. It's a shame, however, that we may never see the big Linux v. Unix issue resolved, conclusively deciding once and for all whether Linux contains Unix intellectual property.

8.10.2007

Novell — not SCO — appears to own Unix

Novell — not SCO — owns Unix.

According to a report on Groklaw, a pro-Linux, anti-SCO Web site, there’s been a major breakthrough in the SCO v. Novell lawsuit. To summarize: Dale Kimball, the judge on the case, has concluded that Novell is the actual owner of the Unix and UnixWare copyrights.

The case is rather complicated, but here’s the deal, filtered through my perception. (The years cited might be slightly off. Consider them to be +/- one year.)

• In 1994, Novell bought the Unix copyright, trademarks and licenses from AT&T. It also bought AT&T's Unix System V, which it renamed and sold as UnixWare.
• In 1995, Novell sold UnixWare — but according to Novell, not Unix itself, or the UnixWare copyright — to The Santa Cruz Operation.
• In 2001, The Santa Cruz Operation decided to get out of the UnixWare business. It sold its UnixWare properties to Caldera International, a Linux distributor, and renamed itself Tarantella.
• In 2002, Caldera renamed itself The SCO Group.
• In 2003, the new SCO dropped its support of Linux. It then sued IBM claiming that Big Blue had violated Unix intellectual property licenses, which it says belonged to SCO.
• In 2004, Novell said, hold on, we sold UnixWare, but we didn’t sell Unix, or any of the copyrights. Thus, Novell said, Unix is still Novell property, IBM didn't violate its Unix licenses, and SCO has no basis upon which to sue IBM.

SCO turned around and sued Novell for “slander of title,” insisting that it, not Novell, owned the copyright for Unix, as well as for UnixWare.

Fast forward to August 10, 2007. Apparently, Judge Kimball has decided that Novell was correct. Quoting from the Groklaw posting, which in turn quotes from the judge's ruling:

For the reasons stated above, the court concludes that Novell is the owner of the UNIX and UnixWare copyrights. Therefore, SCO's First Claim for Relief for slander of title and Third Claim for specific performance are dismissed, as are the copyright ownership portions of SCO's Fifth Claim for Relief for unfair competition and Second Claim for Relief for breach of implied covenant of good faith and fair dealing. The court denies SCO's cross-motion for summary judgment on its own slander of title, breach of contract, and unfair competition claims, and on Novell's slander of title claim. Accordingly, Novell's slander of title claim is still at issue.

The court also concludes that, to the extent that SCO has a copyright to enforce, SCO can simultaneously pursue both a copyright infringement claim and a breach of contract claim based on the non-compete restrictions in the license back of the Licensed Technology under APA and the TLA. The court further concludes that there has not been a change of control that released the non-compete restrictions of the license, and the non-compete restrictions of the license are not void under California law. Accordingly, Novell's motion for summary judgment on SCO's non-compete claim in its Second Claim for breach of contract and Fifth Claim for unfair competition is granted to the extent that SCO's claims require ownership of the UNIX and UnixWare copyrights, and denied in all other regards.


Furthermore, the court concludes, as a matter of law, that the only reasonable interpretation of the term "SVRX License" in the APA is all licenses related to the SVRX products listed in Item VI of Schedule 1.1(a) to the APA. Therefore, Novell is entitled to a declaration of rights under its Fourth Claim for Relief that it was and is entitled, at its sole discretion, to direct SCO to waive its claims against IBM and Sequent, and SCO is obligated to recognize Novell's waiver of SCO's claims against IBM and Sequent. Accordingly, Novell's motion for partial summary judgment on its Fourth Claim for Relief for declaratory judgment is granted, and SCO's cross-motion for summary judgment on Novell's Fourth Claim for Relief is denied.


Now, if you’re confused about all the various claims for relief, and all the other stuff, you’re not alone. I won’t claim to be able to distinguish SCO’s second claim from Novell’s fifth claim. As far as cross-motions are concerned, it's impossible to know where to start. I’ll just refer you to the Groklaw site. There are tons of documents there, including Judge Kimball's new ruling.

But in any case, this ruling appears to be a significant — perhaps fatal — setback for SCO in its many Unix-related lawsuits.

If this ruling holds, then this is good news for the Linux industry. Since 2003, the SCO lawsuit has chilled big-corporate adoption of Linux. Why? If SCO had prevailed in its IBM lawsuit — which claimed that IBM had placed SCO's Unix intellectual property into Linux — then it's possible that big companies might be forced to cease and desist using Linux, or that they might have to pay big $ to SCO to compensate it for their use of SCO's intellectual property. If the lawsuit disappears, so does SCO's fear, uncertainty and doubt.

8.09.2007

Bonds: 757. Splash: 45.

As hoped, Barry Bonds smacked his 757th career home run last night, as the San Francisco Giants beat the Washington Nationals 5-0.

Barry's mighty swing also created the 45th home team "splash," as the ball flew out of the ballpark and landed in San Francisco Bay's McCovey Cove. Signs mounted at the park detail both Barry's home runs as well as the home team splash count. (There have been 14 splashes by visiting teams.)

Also noteworthy at the game:

• Giants pitcher Matt Cain hit his first-ever Major League home run. Not bad for a pitcher!

• Giants manager Bruce Bochy racked up his 1,000th victory, as manager. He's only the 55th manager to ever reach that milestone.

There was surely a lot of celebrating in the S.F. Giants locker room last night. The Nationals didn't have much to party about. Great game, glad we were there.

Forward thinking on security

Bruce Schneier has written an excellent blog post talking about "backwards thinking" on software security. Using the recent California security review of voting machines as an example (all the machines tested failed — but were conditionally recertified for use by a state official, as long as the easily found flaws were patched), he said that too much security thinking today is:

"If the known security flaws are patched, then the product must be secure. If there are no known security flaws, then the product must be secure."

No, no, no, no, no. Bruce insists that people developing software have to demonstrate that their system is secure. The burden of proof should be on the developers to show that they designed and built the system properly — not on the testers to demonstrate that the system is hackable.

The government, including the military, uses such forward-thinking security development processes. So do companies that build software for commercial airplanes. We know that good development is possible. Why, oh why, do state and local governments support development efforts (like the voting machines) that use a backwards-thinking security model?

8.08.2007

Break with the past

Last year, I wrote a pair of "Zeichick's Take" columns for SD Times News on Monday. Unfortunately, they weren't archived onto the Web. However, I'm posting them here now, in response to an MSDN blog entry, "The real cost of compatibility is not in the hacks; the hacks are small potatoes," by Raymond Chen. So, while the 1993 Ford Mustang GT is no longer in my driveway (sniff...), it will live forever as embodied in these columns.

From March 30, 2006:


Zeichick's Take: Break With the Past

Dear Bill Gates: I was bummed when the Ford service manager told me that he couldn’t get the parts I needed to repair my 1993 Mustang’s heating system. But Ben — always helpful — explained that the pieces just weren’t available from the factory. He suggested the aftermarket, and indeed, I found exactly what I needed from Late Model Restoration.

Manufacturers can’t support old products forever. In the case of a 13-year-old car several model generations out of date, I can’t be upset at Ford for not having a temperature control cable. In the case of my new Intel-based iMac, software written for Mac OS 9.x (“Classic”) doesn’t work at all, and I’m fine with that, too. Drawing a line in the sand, saying that legacy products will be supported only for a finite amount of time, is generally acceptable, especially if it makes new products better.

One of the reasons why Windows is so bloated, Bill, is because your operating system doggedly supports lots of legacy hardware and applications, including antique overlapping APIs and libraries — many of which predate Windows XP, and some even go back to Windows 95. This complicates matters not only in terms of coding, but also for regression testing and in security patching.

My recommendation: Draw a line in the sand. Tell new Windows czar Steven Sinofsky to pick a set of modern APIs, and make sure that Windows Vista supports those. Eliminate the rest. Whether it’s 100 percent managed code through WinFX, or some mixture of late-model native binaries and .NET, there’s no need to go back to the Paleolithic Era. The same with hardware: There’s no good reason, none at all, for Windows Vista to support graphics cards, CD-ROM drives or network adapters that are older than, say, two years. Reinvent Windows as an operating system for new PCs. Focus on the preloads.

That’s what Microsoft’s PC partners, like Dell, HP and Lenovo, really want — they want to sell new desktops and notebooks, not watch consumers pick up a copy of Windows Vista Ultimate at CompUSA to run on their old Pentium III box. (Imagine if Ford would cripple its new Mustangs by requiring compatibility with the brake pads, fuel injectors and temperature control cable from my old pony.) Cutting off old APIs and reducing the support for old hardware might upset some customers, but it will result in a smaller, faster operating system that’s more stable and more secure. Get rid of the bloat!

What about enterprise customers? Don’t fool yourself, Bill — they’re not rushing to upgrade to Windows Vista anyway. Remember how long it took to get them from Windows 95 to Windows 98? I saw someone on a plane the other day who is still running Windows 2000 on his notebook because, he said, his company doesn’t do operating system upgrades on existing hardware.

Few companies retrofit new operating systems onto old PCs, because it’s expensive and not worth the hassle. Most will make the migration (after they’re through testing and evaluating) as part of the rollout of new PCs during a hardware refresh cycle. Sure, focusing on supporting only current hardware and applications might cause some of those customers to wait a bit longer (especially if they have to wait for enterprise apps to be updated or tested), but when they do upgrade, they’ll be happier and require less support.

Build a better Windows, Bill — by breaking with the past. Yes, cutting off compatibility with old binaries and legacy drivers will make some customers unhappy. But it’s the right thing to do.

From April 6, 2006:

Zeichick’s Take: Break With the Past, Part II

Last week’s column, where I urged Microsoft to break with the past and eliminate support for old APIs and device drivers from Windows Vista, elicited a quick and harsh response. No, not from Microsoft, which didn’t respond at all. (Microsoft rarely responds to articles in SD Times or other publications, in my experience.) Rather, some loyal readers insisted that a lot of users still use older PCs — and that eliminating support for legacy hardware (I suggested cutting loose systems over 2 years old) would be an inconvenience.

(They didn’t question my premise that a clean-slate operating system would not only be easier to build and test, but also would be more stable and secure — and besides, as a rule, enterprises don’t upgrade desktop and notebook operating systems.)

“In the past I have upgraded hardware on my PC and I have had to migrate to a newer version of Windows to support it. It would be a disaster if the newer version of Windows did not support the rest of the older hardware and software. People who update all of their hardware and software every two years are very rare,” one person wrote. He’s right: Some people do upgrade the OS to support specific hardware or applications.

But I believe that this may be an exceptional case. As he himself later wrote in his letter: “I know many people who are running Windows 98, Windows ME and Windows 2000 all with large variations of software and hardware.” Exactly. So, why should Microsoft struggle to make Windows Vista run on an old Windows 98 box — and delay the product and make it unstable in the process?

Another respondent said, “I am writing this on my 10-year-old no-name 200 MHz Pentium PC under Windows 95. The bloat is not in Win 95 but rather in Win 98, Win2000, and WinXP.” Completely true. But don’t you think that this guy is unlikely to put Windows Vista on that 10-year-old desktop anyway?

The best letter was, “I have devices which are more than 5 years old. Now, if Microsoft were to support older software and devices in a shell environment like Macs do to support Windows programs, that would be fine. But not supporting them is not an option.”

That’s a great idea. How about if Microsoft used Virtual PC technology to enable legacy APIs on Windows Vista—i.e., Windows Vista shipped with Windows XP in a preinstalled virtual machine, the way that Mac OS X came with Mac OS 9.2 in a “classic” emulator? That would seem to be the perfect solution, in terms of streamlining the operating system and sandboxing older, less secure programming models and frameworks—and it could be turned off when users no longer needed to support legacy applications.

I like it.

Big boxes at LinuxWorld

Want to see the latest in quad-core servers? Go to the LinuxWorld Conference, being held this week at San Francisco’s Moscone Center. Want to check out Motorola’s latest cell phones? Want to see racks full of blade servers? Want to see the Palm Foleo mobile computer, “the perfect companion for your smartphone”? Go to LinuxWorld.

If you want exciting news about Linux, maybe it is hiding there somewhere, but I sure didn’t find it.

Perhaps it’s because Linux has reached a level of maturity where most changes are very incremental. Perhaps it’s because LinuxWorld hasn’t captured the heart and soul of the Linux industry, which values newsgroups over face-to-face gatherings. Perhaps it’s because the plethora of Linux distributions bogs everything down so much that you can’t refer to Linux with the same singularity that you’d use to describe Windows or Mac OS X or Solaris.

The fact that IDG World Expo, the producers of LinuxWorld, chose to mash this conference up with a new event, “Next Generation Data Center," should have been a tip-off that this wasn’t, well, a Linux conference. Data centers buy blade servers and UPSes… and there were plenty of those at the combined LinuxWorld/NGDC event. Data centers don’t buy software development tools, and there were sadly few of them in evidence. Of the more than 100 technical sessions at LinuxWorld, only a handful were focused on desktop/server applications and development.

By contrast, there were tons of sessions on mobile device development – though, admittedly, most of those were conducted by Motorola, which paid big bucks to sponsor LinuxWorld this year. The company was out in force talking about its brand-new MotoMagx Linux run-time and development platform for cell phones. Another big-dollar sponsor, Wind River, ran classes on real-time device development. Beyond that, most of LinuxWorld was geared either to basic Linux tutorials or to hardware, hardware, hardware (specifically, quad-core and blades).

Fortunately, San Francisco’s Moscone Center is only a half-hour’s drive from my office. Had I traveled farther to LinuxWorld, or spent money on airfare or hotels, I would have been seriously depressed.

Saw it on TV

As I mentioned yesterday, I'm going to see the San Francisco Giants take on the Washington Nationals tonight. It would have been truly memorable to be there in the stands when Barry Bonds hit home run #756.

The bad news is that Barry did the deed last night. The good news is that my wife and I were watching the game in HDTV at home. It was truly a spectacular moment, and the video tribute by Hank Aaron and on-field presence of Willie Mays made it even better.

So, tonight maybe we'll see Barry hit #757. That would be nice. Not as nice as #756, but there you are.

The shame is that there will always be an asterisk next to Barry's name. As a story on Major League Baseball's own Web site says, "Bonds has had his dark moments. In recent years, his on-field heroics have been played out under the shadow of the investigation into the Bay Area Laboratory Co-Operative, widespread speculation about his part in the use by Major League players of performance-enhancing drugs, and a grand jury continuing to consider an indictment against him for perjury relating to his testimony in the BALCO case."

Sun has nothing to say

Is this any way to build a community?

Not only does Sun refuse to talk about the license for the Java Compatibility Kit for Java SE 5 and Java EE 6, but it won't comment on what companies like IBM and Intel wrote in their votes on the Java EE 6 proposal (JSR 316).

Sun refuses to disclose the license, and won't even tell us why, or engage in any conversation about it whatsoever. It won't tell us if it derives a competitive advantage from the license terms that it imposes on its partners (we can assume that it does). Those terms lock out groups like Apache Harmony from using the Java SE 5 JCK, and thereby from certifying their implementations of the spec, due to "field of use restrictions" that the JCK license would impose on anyone who uses Harmony.

Intel claims that a Sun representative promised that Sun won't impose "field of use restrictions" on Java EE 6. Sun will neither confirm nor deny this, or make any public statement on the subject whatsoever, even though this is a huge issue for the Java industry.

It's ironic that Sun CEO Jonathan Schwartz is a genuine believer in fair disclosure. Schwartz is going farther than any public company CEO, as far as I know, in using the Internet to disseminate financial results, for example. Schwartz, in his blog, raves about the value of openness, of community, and of the media. His company, however, discounts the value of openness, of community, and of the media. I wonder if his employees read his blog.

8.07.2007

New iMacs are pretty but not much new inside

Today, Apple released its next-generation iMac computers – moving away from the white polycarbonate slab introduced with the iMac G5 in 2004 toward a new, slimmer aluminum slab look.

The new Macs are pretty, though I fear that the MacBook-style keyboards will be a turnoff. They feel fine, but they look too much like the chiclet keyboard (see photo) that helped sink the IBM PCjr.

When you get underneath the skin, there’s very little difference between these new aluminum-slab iMacs and the previous generation of Core 2 Duo-based white slabs. Frankly, if you already have an Intel-based iMac (even a Core Duo one), there’s not much reason to upgrade.

Compare the specs of the new 20” and 24” models (which Apple calls “mid 2007”) with the older 20” and 24” models (which Apple calls “late 2006”). The new machines are a little faster, sporting 2.0GHz and 2.4GHz processors and an 800MHz frontside bus, compared to the 2.16GHz and 2.33GHz chips with a 667MHz frontside bus. Definitely nice, but not nice enough for replacing an otherwise fine machine.

The other specs show similar incremental improvements. The new machines can handle 4GB RAM; last year’s models officially top out at 3GB RAM, though I’ve seen third-party kits that can bypass that limitation. Last year, you had 250GB and 500GB disks; now, you can get up to 1TB in the 24” model.

A nice touch is that you can have 802.11n in the new iMacs, whereas you were limited to 802.11g in the “late 2006” white slabs. I’m also pleased that Apple has put FireWire 800 ports on both the new 20” and 24” iMacs; earlier, FireWire 800 was only on the 24” model.

So… Apple gets points for style, and if you don’t have an Intel-based iMac, this is an excellent model to have. However, if you already are on Intel (with either Core Duo or Core 2 Duo), and don’t otherwise need to make a change, there’s no reason to buy at this time.

Know the drug code

As the parent of a teenage boy, the thought of his using illegal drugs – or abusing legal ones – is a constant worry. Of course, I know that he’s a good boy, and that he understands the dangers. On the other hand, having once been a teenage boy myself, I am aware of the lure of the forbidden, and of the terrible power of peer pressure.

And so, I worry. If you have kids, I’m sure you worry too. It’s hard to walk the fine line between letting him find his own way and making sure my son doesn’t get lost. It’s also hard to find the balance between talking about these issues too little and talking about them too much. Still, I have to admit, I was delighted when my son quickly identified the meaning of “Kicks” by Paul Revere and the Raiders. There's nothing like making a point using classic rock.

In order to communicate about an issue, you have to have a common vocabulary, such as in this teen drug slang story, posted today on cbsnews.com. I’m sure that the terms are already out of date. But heck, most are ones that I certainly didn’t know. Do you know them?

Poor sports

If you're not reading about Paris Hilton or Lindsay Lohan behaving badly, then you're reading about sports scandals. As a resident of the San Francisco Bay Area, I read about baseball great Barry Bonds in the news nearly every day. In part, it's because of his race to beat Hank Aaron's home-run record. But it's also because of his still-unclear role in the BALCO case, which involves the possible use of performance-enhancing drugs. Nearly every story involving Bonds brings up the steroid questions as "context."

Bonds' doping allegations are old news. New news is Michael Vick, a U.S. football quarterback accused of backing vicious dogfights. New news is Tim Donaghy, a veteran National Basketball Association referee accused of both betting on games (which is forbidden) and influencing the outcome of games (which is really forbidden). The cycling world has been rocked by a stream of scandals within the Tour de France over the past few years. This year, no fewer than three prominent racers—Alexander Vinokourov, Cristian Moreni and Michael Rasmussen—either failed drug tests or failed to show up for tests, prompting their exit from the race.

Ouch. But what's noteworthy about all these isn't that prominent celebrities and athletes are accused of violating either the law or their sports' rules. That happens all the time. What's noteworthy is that people like us hear about it…because they're celebrities. That puts a face and a name on possible wrongdoing. People relate to faces and names.

In our profession, software development, people also behave badly. Sometimes they behave badly on purpose, putting back doors into applications, writing worms, stealing data. Sometimes, they behave badly through ignorance or carelessness, by not running security tests, not encrypting backup tapes, not listening to user requirements.

In almost all cases, professional malfeasance in the software development world is hidden or anonymous. "The software had a bug," or "the data was stolen," or "the system was breached." We don't know who did wrong. We don't know why. There's none of the shame that comes with public disclosure.

Shame drives people to care about their work. You're less likely to drink and drive, I believe, if you know your name will be in the local newspaper if you get caught. The "perp walk," or the parade of arrested celebrities past TV cameras, can be humiliating.

We should wish that our sports stars didn't cheat, and that our entertainment celebrities didn't take such a cavalier approach to the law. I'm glad that when they do get caught, however, we hear about it. I'm glad it's not merely swept under the rug.

I'm not suggesting that if someone forgets to check a buffer or initialize a return variable, we should splash their photo on national TV. But if we find developers cheating or stealing—not being a good sport, in other words—it would be good to know about it.

Of course, let it also be said that we’re all, to some extent, hypocrites: I’m going to see the San Francisco Giants play (vs. the Washington Nationals) tomorrow, and I hope to see Barry Bonds hit home run 756.

About Me

Co-founder and editorial director of BZ Media, which publishes SD Times, the leading magazine for the software development industry. Founder of SPTechCon: The SharePoint Technology Conference, AnDevCon: The Android Developer Conference, and Big Data TechCon. Also president and principal analyst of Camden Associates, an IT consulting and analyst firm.