Richard Veryard on Computing

Industry Analyst as Prophet 2

2009-07-06T07:44:00.004+01:00

Many religious prophets are characterized by their vision of a world to come; but also by their bitter criticism of contemporary society and its leaders, and by righteous anger. Beware the angry prophet writes Jim West about the prophet Elisha, who cursed those who mocked his baldness.

In my previous post Industry Analyst as Prophet, I described prophecy as a combination of forecasting and evangelism. But some forms of prophecy also contain a strong element of righteous anger. Alongside the well-coiffured industry analyst firms that take money from vendors, there are also bald sites that constantly attack the large vendors and document the smallest perceived deviation from the path of righteousness.

Seaching the Internet for "who pays for prophecy", I found a bitter denunciation of both Gartner and Microsoft (Another Hopeful ‘Prophecy’ From the Gartner Group’s Paying Clients) on a website whose agenda is evident in its name: Boycott Novell. Microsoft seems to attract more than its fair share of this kind of attention - see for example Slated Antitrust.

Anyone who bases their understanding of the software industry on angry websites like these is clearly an idiot. When my son had a school project on Genetic Modification recently, we found websites that praised Monsanto and websites that denounced Monsanto as evil; I explained to my son that he could (probably should) reference anything he found, as long as he didn't take any of it at face value. There are certain companies that everyone likes to hate: when I was a student it was Barclays Bank; when I started in the software industry it was IBM; nowadays it is Walmart and Monsanto and of course Microsoft.

Obviously the same should apply to software industry analysis. The analyst should take nothing at face value: whether vendor marketing materials, or snide off-the-record remarks from other vendors, or wholesale denunciation from the vendor's enemies. The CIO who wants to exercise due diligence on a software vendor may ask an analyst if there are any competitors who should also be considered, but may also ask (expecting the answer no, but better to be safe than sorry) if there is anything on any of the denunciation websites that deserves any attention.

Given that this kind of check is a very small concern of many CIOs, it is surely more efficient and effective for many firms to share the costs of a trusted analyst wading through all this prophetic material, which saves everyone else the trouble. Is that a reasonable business model for industry analysis? Does that help answer the question: why should anyone pay for prophecy?

Industry Analyst as Prophet

2009-07-04T17:11:00.004+01:00

@j4ngis (A Jangbrand) asks

What are "analysts"? Problem Solvers or Prophets? Long-term-researchers? Consultants? All of the above? All the time?

I think industry analysts generally think of themselves as modern secular prophets, providing a combination of forecasting and evangelism. According to Wikipedia, "prophets are regarded as having a role in society that promotes change due to their messages and actions". The Hebrew word for Prophet literally means Spokesperson - in other words, the prophet is an intermediary.

As Wikipedia explains, there may be issues with the authenticity of a prophet: it is suggested that some prophets may have been schizophrenic. For a modern technology analyst, the authenticity of the prophecy may be compromised to the extent that the analyst turns out to be merely a spokesman.

Bob Dylan wrote a song about prophecy, which could also be interpreted as a song about software industry analysis.

There's too much confusion, I can't get no relief.
None of them along the line, Know what any of it is worth.
There are many here among us, Who feel that SOA is just a joke.
Let us not talk falsely now, The hour is getting late.

So who is the joker and who is the thief?

The future sounds like schizophrenia.

A Value Proposition for Industry Analysis

2009-07-04T15:01:00.005+01:00

@mcgoverntheory Following my last post on Industry Analysis by Survey, James McGovern asks for a blog entry on other low questions analyst firms ask.

"Low questions" may be an inevitable consequence of the way much so-called industry analysis is funded. What I really want is to find a viable business model in which analysts can ask the "high questions" they should be asking.

Software industry analysis is basically a two-sided market. Analysts provide value (of different kinds) to the software vendors and to the software users. Some of this value is funded by the vendors, for example by sponsorship, commissioning white papers, keynote presentations and other consultancy work. Some of this value is funded by the software users, for example by purchasing reports and training, subscribing to materials, and consultancy work again.

Analysts also receive value from both sides of the market. They get detailed briefings from vendors, and detailed case studies from users. Analysts under tight deadlines may sometimes be tempted to use this kind of material without thorough critical evaluation; after all, such sources of easy material might dry up if the analysts were too critical. As I said in my post on Industry Analyst Coverage, vendors can influence analysts not just by giving them money but also by doing their work for them. Users don't have the same commercial interest, but they typically block publication of wart-and-all case studies.

Software users sometimes seem to want to have things both ways. On the one hand, they want a high level of quality and independence, and complain when industry analysts fail to cover the things they want covered. But they often aren't willing to provide sufficient funding for this to happen.

Two-sided markets always introduce a level of complexity that is not present in single-sided markets. Like a double pendulum.

Last month I asked about A Value Proposition for Enterprise Architecture. So here's a similar question: what exactly is the value that software industry analysts deliver or should deliver, to whom? Given the obvious doubts about the transparency of how some industry analyst firms operate, is there something that doesn't quite add up in the current business model? Is it possible to formulate a transparent and viable business model for rigorous industry analysis?

Industry Analysis by Survey

2009-07-03T14:30:00.003+01:00

@pgiblett @chrisdpotts @seabird20 @

Following a recent poll of 900 CIOs, Gartner concludes "IT Spending Outlook Still Uncertain". Peter B. Giblett adds "... not necessarily recession related".

Chris Potts comments: "CIOs need to actively resist being cast as primarily interested in IT spending" and adds a hint to CIOs: "If a research organisation asks you how much your company is spending on IT, ask 'why does that matter?'". Chris Bird suggests that a more interesting question would be "What value are you delivering?". Chris Potts then adds a further question: "Which corporate strategy are you leading?"

Excellent questions Chris-and-Chris, but we know that surveys like these generally restrict themselves to asking numerical and multiple-choice questions, because the answers can then be "analysed" using simple Excel. As ChrisB points out, most of the hard numbers (?!) analysis is around purchasing.

The question "Why does that matter?" prompts the question "To whom does that matter?" So who cares about IT spending? Why would a CIO care what percentage of her peers are spending what amount on a given buzzword? Safety in numbers?

Perhaps, as ChrisB suggests, the people most interested in quantifying IT spend are the vendors and investors. But they can't learn much from an unqualified total figure. What they really need is a detailed breakdown, based on a consistent method of cost accounting, and they are not going to get that from surveys like these.

The problem is not just lack of detail, but lack of reliability. As ChrisB points out, people don't always tell the truth. Some CIOs may deliberately distort their answers, while others may simply guess the numbers in order to get the researcher off their backs.

In my opinion, then, the correct retort to "how much do you spend?" is "what meaningful conclusions can you possibly draw from whatever number I give you?"

Industry Analyst Coverage

2009-06-22T14:17:00.006+01:00

@mcgoverntheory (James McGovern) complains about the completeness, balance and objectivity of industry analyst coverage. He believes that certain areas are neglected (security, open source), and attributes this to a commercial bias.

How important is it for industry analysts to include security analysis in their SaaS research?
Does non-commercial open source have a fighting chance to be mentioned by industry analysts to their customers? How can customers understand analyst transparency when it comes to coverage of non-commercial open source?

James has always been particularly exercised about the fact that OWASP lacks coverage. When he raised this issue with me last year, I responded by posting some questions on the OWASP wiki and the OWASP Linked-In group, as well as several posts on this blog. I'm still waiting for answers.

If there is something in the product offering from any of the large vendors that I don't understand, I can contact one of my analyst relations "minders" and get a reasonably quick answer. If it's a small vendor, I can usually get an answer straight from the CTO. In contrast, my questions to OWASP go into a black hole. One person even suggested that if I wanted to know something about OWASP I needed to start a project. No thanks. (And, to answer Jim's comment below, I don't want to join a mailing list either.)

Industry analysts simply cannot invest that amount of time in chasing non-existent information. If OWASP wishes to be taken seriously by industry analysts, then it needs to put some energy into briefing industry analysts properly, instead of expecting us to root around the OWASP website and complaining when we don't.

Large vendors may sometimes try to influence industry analysts by commissioning work, and many analysts declare this when they deem it relevant. (I think that's what James means by transparency.) But a much more subtle influence can be achieved simply by providing better quality information and making our lives easier.

Layered Architecture of Technology Adoption

2009-05-27T22:00:00.003+01:00

@colin_jack asked whether companies ever really change, ignoring situations where there is a big change of staff (one group leaves, another group joins). People seem to want to slip back into their old way of working within weeks or months. Thinking particularly of the fast big bang changes companies go for. Agile, SOA, etc.

Companies do often change their nature as they get larger and older, but this is a slow process. Managed organization change involves several loosely-coupled streams of activity, which operate on different timetables. Installing new software, sending everyone on a training course, renegotiating project charters and external service contracts, building experience and confidence in new practices - these things all happen at different speeds.

A key principle of evolutionary change is that the slow-moving layers generally dominate the faster-moving layers. If your organization wishes to adopt "agile" or "service-orientation" or anything like that, this requires attention to the slow-moving layers as well.

When I was working with CASE tools in the late 1980s, I and a few colleagues constructed an adoption roadmap to help with planning technology adoption. This roadmap was designed in layers or streams, not just to aid with separation of concerns, but also to manage the different characteristic pace of change in each stream. This is architectural thinking applied to organizational change. And nearly twenty years layer, exactly the same principles were used by the CBDI Forum in constructing a roadmap for SOA adoption.

Factoring in Barriers to Entry

2009-05-27T15:57:00.002+01:00

@toddbiske and @djbressler make some interesting points about the adoption of software tools and platforms (Factoring in Barriers to Entry). Todd's specific example is applying BPM and BPMN tools to support EA processes, but his remarks would apply in many other contexts.

Todd's basic argument is that adoption is more important than sophistication. Better to get people started with simple tools and platforms - for example Visio and Sharepoint - than do anything that requires the IT department to get its hands dirty. (In an earlier post, Todd identified the IT department as one of the Barriers to SOA Adoption.)

But I don't think of adoption as a simple binary event (from "unadopted" to "adopted") but as a curve (from shallow occasional use to sophisticated and seamless integration into working practice). And although that's not how Todd is using the word "adoption", I think his argument is consistent with a richer notion of adoption. For example, he acknowledges a concern that "low barrier to entry eventually become a boat anchor".

If a vendor boasts thousands of users, and then I discover this merely means installing the trial version of the software and playing with it once, then I'm not very impressed. If a vendor has a dozen customers at the top of the curve, that's much more impressive than a thousand at the bottom of the curve.

From this point of view, lowering the barriers to entry is only half the story. What I'm interested in is the shape of the whole adoption curve, which enables people to find an appropriate level of adoption and not get stuck on the nursery slopes. That's where I think software like Visio and Sharepoint falls down - they may be easy to get started, but they can get hairy if you want to do anything more interesting.

Technologies for the Intelligent Business

2009-05-05T00:07:00.002+01:00

#orgintelligence

A number of vendors have started to introduce their own terms for different aspects of organizational intelligence. In the past week or so, I've picked up the following terms.

Collaboration Networks (Cisco, via Padmasree Warrior)

Continuous Intelligence (Aleri + Coral8 via Brenda Michelson)

Smart SOA (IBM concept that pulls together SOA, BPM, Collaboration + business architecture, via Neil Ward-Dutton)

As far as I can see, none of these concepts covers all aspects of Organizational Intelligence, but I need to do a more detailed mapping.

Any other vendor or independent concepts I should look at?

Technologies for Organizational Intelligence

View more presentations from Richard Veryard.

Reflections On Twittering at The Open Group

2009-05-02T10:22:00.006+01:00

#ogadc

Using Twitter at The Open Group conference in London this week was a new experience for me, so I thought I'd reflect on it here.

Firstly the mechanics. There was free wifi in the venue; however, many people had difficulty connecting on the first day, and I used my pay-as-you-go dongle instead. Someone proposed a hashtag #ogadc and nearly everyone used that, even though the correct abbreviation for the conference should have been #ogapc.

A number of people including myself started to post 140 character tweets during the sessions. Highlighting key sentences, summarizing or commenting. It was like we were all taking notes into the same notebook. The conference organizers put a large Twitter display screen in the coffee area, so people could read the Tweets from the previous session.

You can see the results here. http://search.twitter.com/search?q=#ogadc

Some people said they found it distracting. For myself, I found that it required a more concentrated listening to the speaker, in order to capture the important points into 140 character Tweets. (Some people continue a single thought over multiple Tweets, but I think that's cheating.)

It also led to new conversations, as Twitter conversations during the sessions developed into face-to-face conversations during the breaks. Sometimes I found I was sitting next to a fellow Twitterer, and could see my Tweets appearing on his screen and vice versa. Thus I made a lot of new friends.

People also posted links to photos as well as video from the evening dinner. I've experienced that at previous conferences via blogging and Technorati and hashtags on Flickr, but Twitter seems to be more effective platform for this kind of thing.

What about people who were not present at the conference? In the recent past, I have picked up interesting Tweets from conferences, so I hoped my followers would be somewhere between tolerant and interested in the unusually high volume of my Tweets. (I probably lost some followers, but I gained some as well. Swings and roundabouts won't break my bones as the saying goes.) Some friends who were not physically present were engaged enough to post Tweets into the conference stream - asking questions or making further comments - and I hope to see more of that kind of virtual participation.

The End of the Maintenance Endgame

2009-04-29T21:39:00.003+01:00

When Marc Benioff (Salesforce CEO) calls for the end of maintenance payments (ComputerWorld, PCWorld), he obviously wants to draw attention to one of the apparent advantages of the Software-as-a-Service (SaaS) model of software consumption.

As Judith Hurwitz points out, this advantage is more apparent than real. SaaS vendors like Salesforce still need to maintain their software assets, and to pass the costs of this maintenance to their customers, one way or another.

A significant fraction of software maintenance is required simply to keep up with the latest platforms and standards without delivering any new features or other innovation, and this is especially true for companies that have large portfolios of fragmented software assets.

Companies that fail to innovate may still retain a high percentage of their customers, at least in the short term, because of the high switching costs. This is not just a factor with traditional software products, but can be true of SaaS as well.

One key differentiator here is not between SaaS and more traditional software delivery and pricing, but between software companies that maintain their software assets intelligently and effectively and those that don't. Another key differentiator is between products and services with high switching costs (vendor lock-in) and those with very low switching costs (open market).

As Judith also points out, "many software companies have become increasingly dependent on maintenance revenue to keep revenue growing". In addition, there has been a trend in the software industry of companies acquiring mature software products in order to milk the maintenance revenues, with no real intention of innovation. (See my post on Innovation or Refinement.) This can be regarded as similar to securitization - treating a software product as a financial product, based on its expected income stream.

To the extent that open market SaaS exists, this represents a major challenge to this endgame, and this could possibly mean much quicker termination of declining products and services. But only a chess player would dare to predict how this will play out over time.

Open Group Boston Grid

2009-04-29T11:11:00.003+01:00

At the Open Group Architecture Practitioner Conference, I caught up with Allen Brown, President and CEO of The Open Group, to talk about TOGAF and the other activities of The Open Group. I also spoke with Chris Harding, Forum Director for SOA and Semantic Interoperability.

The Open Group originated as a merger of two UNIX standards bodies (X/Open and Open Software Foundation); and UNIX certification (e.g. Apple Leopard) is still its best-known product and cash cow.

The two rising stars in The Open Group portfolio are Architecture and Security.

At the core of Architecture is The Open Group Architecture Framework (TOGAF). TOGAF 9.0 is now available. It was launched in the US in February, and this conference represents the European launch. There are several forums and groups working in parallel with the main TOGAF Architecture Forum, including Business Architecture, SOA and ArchiMate.

Clearly there may be a temptation in some quarters to see TOGAF as a bucket for everything that is remotely architectural. The latest TOGAF guide does contain material on business architecture and SOA and security, as well as the core architectural framework and process. However, the working groups operate on a loosely-coupled basis - for example, the SOA working group timetable is not synchronized to the Architecture Forum timetable - and this probably makes a more modular structure inevitable, at least in publication and possibly also curriculum.

There is common interest and a desire for harmonization between The Open Group and other standards bodies, notably OMG and OASIS. (See minutes of SOA Summit from February 2009, which may go some way to addressing David Sprott's concerns on SOA Concept Standards from January 2009.)

Security brings together a number of forums and groups, including the Jericho Forum and Identity Management. Again there is common interest with other standards bodies.

At some point, these two "rising stars" may become "cash cows". Looking into the future, The Open Group may need to seek new initiatives. Semantic Interoperability may be a "problem child" at the moment, but this presumably creates a common interest with W3C, especially given Tim Berners-Lee's interest in the Semantic Web.

And maybe a few more problem children we don't know about yet.

Slow IT

2009-04-23T11:20:00.005+01:00

Ron Tolido (Capgemini) predicts that 2009 will be the year of Slow IT.

This is based on Carl Honoré's argument (In Praise of Slow) that "the important things in life need to be done at the right pace, with careful dedication and a genuine love for foundation and quality".

And also corresponds to what Albert Borgmann calls a Focal Practice. "Countering technology through a practice is to take account of our susceptibility to technological distraction, and it is also to engage the peculiarly human strength of comprehension, i.e. the power to take in the world in its extent and significance and to respond through an enduring commitment." (Technology and the Character of Contemporary Life, p 210)

Some stakeholders will regard the whole idea of "Slow IT" as provocative or paradoxical. Some people may think IT is already too slow and expensive, so recommending it gets even slower is just crazy.

But sometimes crazy ideas can work. Some therapists use crazy ideas as so-called "paradoxical interventions" - intended to achieve the exact opposite. So if a couple are shouting at each other, the therapist instructs them to shout even more, and that often shocks them into silence. (There's much more to say about paradoxical interventions, but that's another post on another blog.)

But Borgmann's analysis gives us an alternative path. Borgmann introduces the concept of Device Paradigm to explain the logic of "technological distraction" and instant gratification (or "hyperactivity"). What is important for Borgmann is not to revoke technological progress and productivity, but to put them in their proper place. We need to consciously separate those aspects of our life (including working life) where we want to take advantage of technological devices from those aspects of our life where we want to engage properly without undue technological distraction.

In IT (and possibly elsewhere), this kind of conscious separation is the function of architecture.

Can IT destroy a business?

2009-04-08T21:59:00.003+01:00

Can the £3bn downfall of the Dunlending Building Society be blamed on a £30m IT Project?

Just why did Dunfermline sink £31m into unproven IT project? (The Herald, 27 March 2009),
£30m IT Project Helped Drag Dunfermline Down (eWeek Europe, 30 March 2009) via Theo Priestley.

It certainly seems that the building society profits were cancelled out by the losses on this project. This raises several questions. Why was an organization spending such a large proportion of its profits on a single IT project? Why was the organization making so little profit from such a large loan book, and was the IT project expected to make a big difference?

Wind the clock back five years, and we can find a fairly typical account of the project from the prime vendor - Temenos, the banking software company. Compare its enthusiasm in the May 2004 Newsletter (pdf) with its current dry statement.

I shall bear that contrast in mind when I read vendor case studies in future.

The Perils of Facebook

2009-02-27T00:14:00.006Z

Dr Aric Sigman is a noted opponent of electronic media. He has written a book critical of television (Remotely Controlled: How Television is Damaging Our Lives), as well as newspaper articles saying that Mary Whitehouse (a noted British campaigner against sex and bad language on television) was right (Aric Sigman: In Bed With Mrs Whitehouse).

He has managed to get his latest attack on electronic media (Well connected? The biological implications of ‘social networking’) into a respectable fully peer-reviewed journal (The Biologist). The article was reported on the BBC under the headline Online networking 'harms health' [BBC News, 19 February 2009], reporting Dr Sigman's claim that a lack of "real" social networking, involving personal interaction, may have biological effects.

But what exactly is "real" social networking? Does the telephone count? I sent an email to Dr Sigman requesting a copy of the paper (which was not then available online), and asking a number of questions.

I'd be particularly interested to know whether your analysis allows us to differentiate between the effects of social networking (such as Facebook) and other electronic media (such as computer games and TV). Facebook may be worse than going to the pub, but is it perhaps not as bad as watching TV?

I'd also be interested to know whether you can see any difference between electronically mediated communication with a real person in real time (such as telephone or instant messaging) and disembodied asynchronous communication (such as email and blogging).

I haven't received a reply from Dr Sigman yet, but Ben Goldacre (who writes the Bad Science column for the Guardian) has confronted him on the BBC Newsnight programme. See his account under the sarcastic heading "Facebook Causes Cancer". As Dr Goldacre points out, the article is muddled and partial, and ignores much of the available evidence.

Dr Sigman's article might have been peer reviewed by Dr Sigman's peers, but that's obviously not saying much. In an ideal world, an article that claims to be saying something about the biological effects of computing in a social context should be rigorously reviewed not only by biologists but also by computer scientists and sociologists. Next time the Biology journal wants to publish this kind of thing, I should be delighted to give the author a peer review he won't forget.

See also Will Reader, who thinks Sigman is "doing a Sokal". Transgressing the boundaries via John Connell (cache).

Jargon Orienteering

2009-02-07T16:44:00.004Z

Many concepts in the software industry are something-based, something-centric, something-driven, something-led or something-oriented.

Component-based, but object and service-oriented
Architecture-led, but model-driven
Event-driven, but net-centric
Computer-based training (CBT), but computer-aided design (CAD) and computer-supported cooperative work (CSCW)

I could invent some fine distinction between these suffixes, but I am unable to detect any meaningful distinction in practice. I shall therefore use the terms as practically interchangeable, just as everyone else does.

If you disagree, if you think there is an important distinction, please explain in the comments.

OWASP Top Ten - Update

2009-01-09T14:46:00.006Z

OWASP is the Open Web Application Security Project. It is perhaps best-known for publishing Lists of the Top Ten (or more recently Top Twenty-Five) Security Bugs (or Vulnerabilities or Threats or Risks).

Following my earlier post on the OWASP Top Ten, as well as an exchange of emails with someone in the OWASP community, I posted the following question to the OWASP discussion group on Linked-In.

Do Top-Ten Lists distract from a holistic approach to security?
If you ask people to pay attention to the top ten items in a list of threats or vulnerabilities, they will almost inevitably pay less attention to other things. (Intelligent people are aware of the limitations of lists, but even they are not immune to such effects.)

If a security vendor has a particular interest in one item - for example selling protection or detection for a particular threat - then there may be some commercial significance in whether that item makes the top ten or not. So a commercially minded security vendor will look for ways of influencing (aka distorting) the top ten list in his favour.

Meanwhile, intelligent attackers may calculate that a significant portion of security dollars will be consumed by the top ten, leaving other vulnerabilities under-funded.

The OWASP website does contain a page (Where To Go From Here) explaining that the top ten list is only the starting point of a proper security analysis, but this page is very poorly signposted and I suspect that many people never reach this page.

The official purpose of the OWASP list is to educate people about the consequences of security vulnerabilities. But I think there is a broader education purpose, and I fear that top ten lists distract from this purpose.

This prompted a couple of interesting responses, expressing different views on the real purpose of the OWASP Top Ten. Michael Vance said that the items in the top ten list are those most likely to occur or those that are most likely to have the greatest impact. Christian Frichot said that lists are good at removing the low hanging fruit, which I interpret as being the most obvious and easiest to fix. Not the same thing at all.

In any case, the methodology for creating the OWASP top ten list does not seem to be designed to produce a list with the characteristics required by either Michael or Christian. It is partly based on historical data (frequency but not impact or low-hangingness, as far as I can see), but with some adjustment to allow for some future projections of increased risk. For example, one issue (CSRF) was promoted to the list because the team believed it to be important, but with no evidence produced to support this belief. So is the OWASP Top Ten List really based on a systematic assessment of (generic) likelihood and impact?

In any case, it would be strange if the same list were equally relevant to all applications in all organizations. Do we expect a retail bank to have the same security risks as a nuclear power plant? Do we expect an airline to have the same security risks as an online bookstore?

Clearly it would be stupid to rely completely on the Top Ten List - although I suspect that some people do just that. But my question is more fundamental - what are the grounds for thinking that a top ten list improves the overall process, rather than just adding a redundant step into the process? Christian's argument is interesting - by dealing quickly with the easy and obvious generic vulnerabilities, we can spend more time on the specific ones. But is that what people actually do?

Michael acknowledges that there is a significant disconnect between the way that Top Ten (and Top 20 and Top 25 and even Threat Classification) lists should be used and the way that they are used. He mentions a specific concern that this list will be misused by being improperly inserted into procurement language.

If OWASP were merely an academic organization, it could deny responsibility for how other people use their lists. "We produce the perfect lists, it's not our fault if people abuse them." But if OWASP is trying to make a real practical difference to security, then the actual effects and effectiveness of these lists is important.

Meanwhile, I am happy to see that other security experts agree with my concerns. Gary McGraw (CTO of Cigital) has just published an excellent article called Software [In]security: Top 11 Reasons Why Top 10 (or Top 25) Lists Don’t Work (via Bruce Schneier).

Update (March 2009)

Tom Brennan has just posed a question on the Linked-In discussion: "So what OWASP project are you going to start that will change this?" So the way to influence existing projects within OWASP is to start a rival project is it? What a strange organization!

Yahoo Endgame?

2008-11-06T14:51:00.006Z

Microsoft is in the game to win. [Steve Ballmer July 2005, via Robert Scoble]

And so is Yahoo, apparently. "My personal belief is if you're not in the game to win, you shouldn't be in the game, and that's the way that I try to encourage the whole company to think about it." [Jerry Yang, via BBC Newsblog, 6 November 2008]

Yes but which game?

"To this day the best thing for Microsoft to do is buy Yahoo," said Mr Yang. "I don't think that is a bad idea at all, at the right price whatever that price is. We're willing to sell the company," he told a packed ballroom at the Web 2.0 summit in San Francisco. [BBC News, 6 November 2008]

Around the end of May 2008, BusinessWeek ran a story headlined Yahoo's Endgame. This theme had already been around for some months - indeed, Larry Dignan had called the endgame back in February 2008 (ZDnet). See also Umair Haque.

Interpreting Beckett's play The Endgame, Wikipedia compares the struggle of Hamm to accept the end with "the refusal of novice players to admit defeat, whereas experts normally resign after a serious blunder or setback".

(He takes out the handkerchief.)

Since that's the way we're playing it...

(he unfolds handkerchief)

...let's play it that way...

(he unfolds)

...and speak no more about it...

(he finishes unfolding)

...speak no more.

(He holds handkerchief spread out before him.)

Old stancher!

(Pause.)

You... remain.

(Pause. He covers his face with handkerchief, lowers his arms to armrests, remains motionless.)

(Brief tableau.)

[Samuel Beckett, The Endgame]

See also Google-Yahoo: Unintended Consequences (BusinessWeek, 6 November 2008)

Software Updates

2008-11-04T10:41:00.003Z

My colleagues and I have been using Articulate to produce eLearning materials. The software adds a soundtrack to a Powerpoint file and produces a Flash movie.

Some of the materials we produced last year now have to be updated in order to work correctly with Flash 10. So I read the instructions on the Articulate website and downloaded an Updater program.

But when I try to run the Updater program, I get an error. Turns out that the Updater needs Microsoft .Net Framework 2.0. So now I have to download that as well.

So I have a little time to post something to this blog while I wait for all this stuff to install.

British readers of a certain age may remember a comic song by Flanders and Swann called The Gasman Cometh (lyrics), in which the gasman creates work for the carpenter, the carpenter creates work for the electrician, and so on through various trades, until they get to the painter who "painted over the gas tap and I couldn't turn it on".

Updating a laptop sometimes seems to be a similar infinite regress. I'm always afraid I'll be singing down the phone to technical support, something like "it's loaded over the bootfile and I cannot turn it on".

All I need now is a song about a big six-layered, semantic-grid-painted, Microsoft-transport, Intel-engined, ninety-seven–terabyte service bus. (Original song Transport of Delight.)

OWASP Top Ten

2008-10-23T18:04:00.003+01:00

Back in August, James McGovern asked me to provide some OWASP coverage. Someone called Jennifer (Bayuk perhaps?) added a comment

OWASP is not dominated by commercial interests, and so the message is different than from product vendors (and service vendors too, to a lesser extent). When an automated tool vendor claims to "address" the OWASP Top Ten, they should be ashamed of themselves. And you should be ashamed if you're buying that hype and promoting automated tools as anything much more than an interesting distraction. Covering OWASP would allow people to get a far less biased opinion of what's going on in application security.

Okay, let me start from that point. The OWASP Top Ten Project periodically publishes a "Top Ten" list of the most common web application security vulnerabilities. The official purpose of this list is to educate people about the consequences of these vulnerabilities.

But of course the inevitable effect of publishing a Top Ten list is pretty obvious - it causes people to pay particular attention to the items in the top ten, and considerably less attention to the items that don't quite make the top ten. If I was a niche security vendor, I'd be lobbying extremely hard to make sure that the particular vulnerability addressed by my product got into the top ten. Conversely, if I were running a criminal scam, I know exactly which vulnerabilities I'd be targeting.

This kind of thing clearly distracts people from a proper holistic view of application security. In my view it is the Top Ten List itself that is the "interesting distraction" Jennifer talks about, and I think OWASP should quietly drop this kind of cheap journalism and concentrate on educating people to do security properly. There is a lot of more intelligent stuff on the OWASP website explaining where to go from here, but I wonder how many people get that far?

Never let it be said that I am just a passive critic, however. Back in August, I registed onto the OWASP wiki and posted a couple of helpful questions about the OWASP principles. Haven't had a response yet, but I live in hope.

Software Retronyms

2008-10-23T13:53:00.002+01:00

A curious set of posts from my friends at Gartner on how technology complicates language

anemic words such as wireless (David McCoy)
anemic or retrospective, complementary retronym (Nick Gall)

When something new comes along, we sometimes have to invent new terms for the old things. Before we had mobile phones, all we had was phones. But once mobile phones became common, we needed to have a way of referring to the old phones, so the terms "fixed phone" or "landline" started to appear.

Once upon a time, all personal computers went under an office desk. Then we started to get portable computers, supposedly cool enough to put on your lap (if you happen to be wearing heat-proof trousers), so they are called laptops. The old-fashioned sort that sit under a desk are now called desktops.

Words like this, that are introduced for the sake of some kind of backwards compatibility, are called retronyms.

As an industry analyst, I often hear vendors trying to distance themselves from their competitors, or justify the wonders of their latest device by contrasting it with some notional predecessor. So they have to find labels to describe and disparage the past. Old software somehow manages to be simultaneously monolithic and spaghetti; old software methods are always silo-based waterfalls, and so on. If you are a serious innovator, the worst insult you can ever throw at anyone is "traditional".

Do we need terms for systems that are not real-time, not service-oriented, not event-driven, not business-aligned? Yes of course we do. But we may not find many vendors who will admit that their products lack any of these characteristics. On the contrary, they are all pimping up their products with the latest fashionable buzz-words.

Perhaps the most extraordinary example of retronymy is the series of mobile phone generations. First we had 3G. Then we had technology that wasn't quite 3G, so it was called 2.5G. Now we have 2.75G. Where will it end?

Rumour on the Internet

2008-09-15T11:09:00.004+01:00

In response to a recent incident in which the stock price of United Airlines (UAL), dropped from $12 to $3 in just 15 minutes, apparently in an over-reaction to an incorrect news story, Mark Palmer wants to Regulate News Market Data Sources.

As I pointed out in my post on Turbulent Markets, the regulation Mark proposes raises some interesting technical challenges, as well as calling into question the value of some of the rapid-response technology Mark himself is selling.

In any case, control of rumour sounds to me like one of the twelve labours of Hercules. Agatha Christie adopted exactly that interpretation of the Lernaean Hydra when she wrote twelve stories for Hercule Poirot based on the twelve labours).

So imagine my surprise when I heard on the radio news that Tim Berners-Lee was calling for broad controls of Internet rumour [Warning sounded on web's future, BBC News 15 September 2008]. How on earth is that going to work? Is he also planning to clean the Augean stables (internet porn)? What about capturing the Golden Stag of Artemis (Steve Jobs), the Erymanthian Boar (Steve Ballmer), the Cretan Bull (Larry Ellison), the Horse of Diomedes (Jonathan Schwartz) and Cerebus (Henning Kagermann). Have I forgotten anybody?

I put "Berners-Lee rumour" into a well-known search engine and found a page from March 2006 by one Aleks Krotoski, called Tim Berners-Lee on the Semantic Web. According to Aleks, Tim graduated from Oxford University in 1989. (Actually it was 1976. As I pointed out in my earlier post Hasta La Vista, Tim is now old enough to read a book called The Internet for the Older Generation "especially written for the over-50s".)

Aren't you impressed that a search engine, tasked with "Berners-Lee rumour", finds a false rumour about Tim's age? Can the Semantic Web do the same?

(Okay, okay, I'm being sarcastic. Obviously the search didn't find the page with the false information on purpose. And it's not exactly difficult to find pages on the Internet with false information, is it?)

OWASP Coverage?

2008-08-12T18:28:00.003+01:00

In a comment to an unrelated post, James McGovern asks

"What would it take for an industry analyst to provide comprehensive coverage via blog entries on the work that OWASP is doing?"

I can't speak for anyone else, but here's my answer. I might provide occasional comments about OWASP without any special motivation, but before I go to the trouble to provide comprehensive coverage about something, I need to see some strong interest from my readers. I also need to feel that this is a subject I can add some value to, rather than merely repeating what everyone else is saying.

So if anyone wants me to take a thorough look at OWASP (or anything else for that matter), please add a comment to this blog, indicating the nature of your interest and what specific questions you'd like me to address. Thanks.

Listening Post

2008-08-12T17:32:00.003+01:00

I finally got to see the Listening Post, which has been displayed at various places in the USA, and is currently on display at the Science Museum in London (until Feb 2009).

The work is a collaboration between an artist (Ben Rubin, who teaches at the Yale School of Art) and a statistician (Mark Hansen, formerly of Bell Labs/Lucent and now associate professor of statistics at UCLA).

The work has been evolving since 2001, and provides a real-time audio-visual summary from a vast number of Internet chatrooms, presented on hundreds of tiny screens, and with selected messages spoken using voice synthesis. When my eyes adjusted to the darkened room, I saw some benches in the middle and went to sit down. But much of the text was too small to see from that distance, and I found it more interesting to stand a little closer and try to read as many as possible of the hundreds of messages flashing across the array of screens.

The work is constructed in seven "movements". For example, one movement is entirely constructed from statements of presence ("I am hot", "I am waiting", "I am 32 years old"), while another movement is entirely constructed from random user names.

If the purpose of art is to provide an unfamiliar view on the familiar, then this worked elegantly and brilliantly. I was fascinated, and I shall certainly try to get back a few times to repeat the experience before it closes.

Notices and Reviews

Hannah Redler (Science Museum): "Monument to the present - the sound of 100,000 people chatting"

Torin Douglas (BBC News, Feb 2008): "Listening to internet chatter"

Peter Eleey (Frieze Magazine, May 2003)

Interactive Architecture (August 2005)

How Many Computers?

2008-08-05T18:05:00.004+01:00

In my earlier post On Being The Right Size, I discussed the scenario in which all the computing power in the world is concentrated into a handful of massive servers, with billions of intelligent devices connected into a single network. As John Gage of Sun once quipped, and Sun executives never tire of repeating, The Network is the Computer.

So I find it strange that cyber-crime is to be defined in terms of the number of computers damaged in an attack. [Senate Approves Cyber-Crime Bill eWeek 4 August 2008]. Robin Wilton notes that this decouples 'theft' and 'harm', and wonders how the notion of damage is to be defined. But we also need to count the computers that were damaged. If the network is the computer, that's only one computer. Haven't these guys read Asimov?

Perhaps this suggests an interesting line of defence for Gary McKinnon, a hacker who cracked the computer systems of the Pentagon and Nasa from his bedroom in north London more than seven years ago, and who is now to be extradited to stand trial in the US. [See analysis by Duncan Campbell via Bruce Schneier.] How many computers were damaged? Really? And how many bruised egos?

Follow Me Follow (We Are The Hollow Men)

2008-08-04T19:57:00.005+01:00

BBC

The BBC is using Twitter to provide alternative links to its content. For example

Ouch (a disability magazine), The Magazine (a general magazine)
Test Match Special (a sports unit)

The Magazine on Twitter

A link on the BBC website invites us to "Follow the Magazine in 140 characters or less via Twitter." As some readers have pointed out, the word "less" cannot refer to the 140 characters, because the correct word there would have been "fewer". [See BBC World Service: Learning English.] So it must either refer to the word "follow" or the word "magazine". In other words, following the magazine properly, or (via Twitter) less-than-following something less. So this must have been intended by the sub-editor as a sly dig at Twitter and the Twitterati.

Follow, Follow, Follow

HOST: Follow me, lads of peace; follow, follow, follow.

SHALLOW: Trust me, a mad host. Follow, gentlemen, follow.

ROBIN: I had rather, forsooth, go before you like a man than follow him like a dwarf.

FALSTAFF: Follow your friend’s counsel.

PAGE: Follow him, gentlemen; see the issue of his search.

Shakespeare (Merry Wives of Windsor). See also Edward Vielmetti (Vacuum).