Corporate Scar Tissue

A couple of weeks after Monktoberfest, there are a number of ideas that have stuck with me (along with the Stillwater Once in a Lifetime and the LoverBeer BeerBera).

The first is the concept of corporate scar tissue that Adrian Cockcroft brought up.  Complex rules, procedures, and processes that we all chafe against when dealing with large organizations have evolved as responses to previous injuries, in the same way that scars record past injuries on a person or animal.  So they are there for a reason, but mostly to record what not to do, and to guard against recurrence of identical bad situations.

I found it a useful analogy, because all too often these frustrating rules and processes seem to have been designed to inhibit efficiency and progress (and even if they weren’t designed that way, that’s their net effect).  You could say the same thing about the vast majority of laws in any country, too – always drafted to prevent the recurrence of a past issue; almost never looking forward in anticipation.

I’m currently working with a client on an information governance project and using this analogy helped them to see that their rules on retention were almost entirely focussed on addressing bad things that had happened in the past.  Our job is to look forward to try and reduce the future development of more inflexible and painful hypertrophic scars or keloids; instead we should develop robust, flexible, pro-active ways to avoid future injuries (while remembering what caused the old ones).

Civility online?

Earlier in the week I was posting on a Lifehacker thread about cold-weather gear.  As someone who has spent a lot of time in extremely cold climates over the past 30+ years I thought I had something to contribute. And then “that guy” showed up – the one saying nobody needs all that fancy stuff and plain-talkin’ folks get by fine with flannel-lined jeans.  I responded to say we were talking about something a little more specialized than that and it began:

  • You’re a liar – you have never been where you say you have
  • You don’t know what you are talking about
  • I googled some things to prove you’re lying
  • Various insults and homophobic slurs

It left me annoyed and rattled and made me want to just step away and disengage completely.

And then I realized this is a tiny fraction of the degree of what many women online suffer every single day. I read Kathy Sierra’s heartbreaking and awful account of her history of threats and attacks. Penny Red has been bravely talking about her similar experiences over the years on her blog and twitter.  Linda Sandvik is another great source who is unafraid to call out those small (and large) putdowns that too many women get every day in tech.  When I read about the horrors that these women (and hundreds or thousands more) have to face every day, my brush with trolling and incivility faded into the minor annoyance that it was – but it gave a sliver of insight into what they face.

If I felt so shitty after one interaction with an aggressive troll, how do Kathy, Penny, Linda, and others deal with it every day?  I received no death or rape threats, stalking, or vile personal attacks (well, a little, but it’s not an insult to be called gay by a fool) – all of which are apparently common.

I don’t know how this can be stopped.  I guess those of us who are straight, white, middle-class males must stand up alongside everyone being abused online for whatever reason and make it clear that it’s not OK.  These horrible, evil trolls will presumably find something else to do, but in the meantime I’ll do what I can to support everyone’s right to participate online no matter who they are.

<Update> I don’t know how helpful the above message is. It just makes me so angry and frustrated that talented, smart, thoughtful women are being chased off from online participation and careers because of horrible small-minded shitheads.

I guess all I wanted to do is stand up and say “this is not OK”

<Update 2> Realized today that pretty much anything that Linda or Laurie say on Twitter will be contradicted by a dude trying to prove he is smarter or better than them.  There are very few (if any) guys in the world who have to deal with that – even if the response is just condescending rather than overtly offensive or threatening.

<Update 3> This is helpful and way more articulate than me.

Dishonesty in business – a crisis of late capitalism?

Cross-posted from my personal blog, because I think it’s very applicable to tech and I plan on exploring this in more depth in the future.

After my latest experience of being lied to and misled by a business (Chase credit cards this time) I reflected on the peculiar pathology that seems to be all around us.  A certain subset of businesses (usually the larger ones, but not always) have chosen not to compete for customers and revenue through developing better products and service, but instead have made the choice to grow revenue through deception and cheating.

Everyone reading this will be able to think of numerous recent examples – the landlord who dishonestly kept the security deposit, the cable or phone company who “mistakenly” charged you extra for months (it’s funny how these “mistakes” are *never* in the consumers’ favor), the car or software salesperson who lied about what their product could do or disparaged the competition unfairly, the bank that chose to extract the payments before applying the deposits and then charged you multiple times, etc. etc.

I’m an honest and straightforward person. Although (because?) I have no religion, I have a very strong sense of morality and ethics and thus it’s hard for me to get into the mindset of the liars and cheats around us.  But time goes on and you become cynical and jaded – this offer is too good to be true, those claims can’t be valid – and generally you are right.

The ubiquity of this dishonesty in business suggests it’s a deliberate policy.  Lack of enforcement in most societies has educated white-collar criminals that their risk is low compared to regular criminals on whom far more resources are focused. I would consider the upper and middle management at Bank of America, Comcast, or Hertz to be as much white-collar criminals (although to a lesser extent) as the crooks who fixed the LIBOR rate or bankrupted Lehman.

It’s also odd, because in some aspects society is in a golden age of discovery and business growth.  Etsy and Kickstarter facilitate small craft and product development businesses; Tesla has successfully started the electric car revolution; Apple, Google, Microsoft, Blackberry, Citrix, and Cisco (and many others) have successfully unchained many workers from the cubicle and daily commute; Amazon and AliBaba allow people to live outside big cities and still have access to an enormous array of goods and supplies; ZipCar allows people to live in big cities and not own a car that sits unused most of the time; etc.

At the other extreme, the legacy businesses – banks, airlines, cable companies, property management companies, car companies (for example) – have by and large chosen not to innovate or create and instead to gouge their customers to improve their bottom lines.  Maybe in this current business climate there’s no viable way to keep United afloat other than fucking over their frequent and infrequent travelers through endless fees, charges, and erosion of service and benefits? Maybe the whole banking system operates on such small margins that BoA (and all of the rest) have to charge 12-23% interest on credit cards, while paying 0.03% on savings? Perhaps the only way GM and Ford dealers can compete with Tesla is by preventing Tesla from selling cars in that state?

I wish I knew what to do about this.  It’s just depressing, really, and I call it a crisis of capitalism because this certainly doesn’t feel like the operation of a rational market.  I don’t think it’s THE crisis of capitalism, and I suspect that as more and more people recognize what’s going on they will pressure their elected politicians to do something and eventually there may be a little more semblance of oversight and enforcement.  Of course that is tougher to do when politicians in the US and UK are primarily funded by the beneficiaries of this broken system – but I don’t think I can give up on both democracy and capitalism in the same week.

Update on Shellshock

Having pooh-poohed much of the overreaction about the “shellshock” bug in bash, I will still be patching my systems.

Apple have released a patch for Mavericks here and it’s probably wise to patch now rather than waiting for it to be pushed in an App Store update.

I still don’t think it’s a big risk for most users, and it’s definitely not a reason to eschew cloud deployments in the future.

New features in Alfresco 5.0 Enterprise

Alfresco Summit was last week in San Francisco and there were quite a few interesting announcements timed to coincide with the show.  There was the news that Alfresco had raised another $45M to continue the expansion and “SaaS-ification of the content market” (seriously?).  I’m not at all interested in that apart from the fact that it means Alfresco will be around in the medium term to develop and update the suite. I’m outraged by the bastardization of the language in that quote above, but I’ll let that go for now.

There was less press hoopla about the new features in Alfresco 5, although those were covered more in various twitter feeds from the show.  Maybe official press releases are just for marketing fluff and actual technical stuff is covered elsewhere?

As far as I can tell, the new functionality listed here for Alfresco Community 5.0 is what is also in Enterprise 5.0 – but if I’m wrong I hope someone will correct me.  The main areas called out as new are:

The press release also talks about improvements in reporting and analytics, encryption, scalability, etc., but I’ll wait until we get more details to cover those.

I’ll be starting a new project next month in which we deploy Alfresco on AWS as an information governance solution, so I’ll be looking forward to digging into these capabilities in more detail and I will report on my impressions here.

“Shellshock” and various other FUD

I was going to write about what’s new in Alfresco Enterprise 5.0, which was launched at the Alfresco Summit in SF this week.

But then I got distracted by Bash and “shellshock”.  I linked to the Forbes article, but I could have linked to 77,500 other news articles (according to Google at 5pm today) and I guarantee that 77,000 or more of those stories will contain misinformation, confusion, FUD, and general bullshit.

I run a mac, so as soon as I read the news I knew that OSX contains bash and would therefore be vulnerable.  I’m far from a bash guru, but it’s my shell of choice and I use it on Linux and Solaris as well if I can.

Last night I checked my firewall settings and tightened them up a little by enabling “stealth mode”, deleting rights from a couple of old apps that don’t need connections, and unchecking the “automatically allow…” box.


However, the more I read about the issue, the less I saw it being likely to affect most users.  The bug/exploit/hack requires a remote user or process to execute a script on your server/computer in order to invoke the weakness – which is executing more code than the shell should allow, usually as profile settings.  This is a decent explanation of the issue.

So the average user will be unaffected by this unless she or he has enabled advanced unix services and set up their machine to respond to requests from external servers.  Obviously web servers and other public-facing servers need to respond to such requests, so they are more at risk.  Hopefully most of those systems will be professionally managed (he says with a straight face) and patched quickly and efficiently.  The embedded systems and infrastructure (switches, routers) weaknesses are potentially more difficult to solve and patch, but that’s another topic.

What really annoyed me about the coverage of this (apart from the general cluelessness exhibited by authors writing for many publications in order to incite outrage and fear) was that people who should know better were using this as an argument *against* cloud services.  That’s absurd, since both systems are equally at risk and the chances of cloud infrastructure being professionally and competently managed are (in my experience) higher than for locally managed servers.
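A local check for the bug discussed in this post, as an added example that is not part of the original post: it sets an environment variable shaped like a function definition with a trailing echo and reports whether each shell runs that trailing command. The marker string, function names and default path list are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a local, harmless probe for the
# Shellshock function-import bug. The probe only asks the shell to echo a marker.

MARKER="SHELLSHOCK_PROBE_MARKER"   # constructed marker string

# probe_bash PATH -> prints "vulnerable", "not-vulnerable" or "missing"
probe_bash() {
    pb_target="$1"
    if [ ! -x "$pb_target" ]; then
        echo "missing"
        return 0
    fi
    # An unpatched bash treats any environment variable whose value starts
    # with "() {" as a function definition and also runs whatever follows
    # the function body. A fixed bash (or a different shell) never runs it.
    pb_out="$(env probe="() { :; }; echo $MARKER" "$pb_target" -c ':' 2>/dev/null || true)"
    case "$pb_out" in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not-vulnerable" ;;
    esac
}

# scan_bash_binaries [PATH...] -> one "path<TAB>status<TAB>version" line per
# binary found; returns 1 if any of them is vulnerable. The default list is an
# assumption covering common install locations, including /bin/sh, which is
# bash on OS X.
scan_bash_binaries() {
    sb_rc=0
    if [ "$#" -eq 0 ]; then
        set -- /bin/bash /bin/sh /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash
    fi
    for sb_path in "$@"; do
        sb_status="$(probe_bash "$sb_path")"
        if [ "$sb_status" = "missing" ]; then
            continue
        fi
        sb_version="$("$sb_path" --version 2>/dev/null </dev/null | head -n 1)"
        printf '%s\t%s\t%s\n' "$sb_path" "$sb_status" "${sb_version:-version unknown}"
        if [ "$sb_status" = "vulnerable" ]; then
            sb_rc=1
        fi
    done
    return "$sb_rc"
}

# Stand-alone run: scan the paths given as arguments, or the defaults.
scan_bash_binaries "$@" || echo "At least one bash binary needs the patch." >&2
```

Machines with a package-manager copy of bash alongside the system one need every copy checked, since patching one leaves the others untouched.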

Fascinating – insight into Larry Ellison’s early career at Oracle

I tweeted this – but for those of you who don’t follow me or are not on twitter here’s the link.

Some choice quotes:

  • “Larry always had a 10-year technical vision that he could draw on the whiteboard or spin like a yarn.  It wasn’t always perfect, but it was way more right than wrong…”
  • “I remember a brilliant young programmer whom Larry allowed to live anywhere he wanted in the US or Canada, didn’t care about hours, where he was or any of that stuff. We just got him a network connection and that was it. This was unheard of back then…”
  • “Lessons Learned
    Great entrepreneurial DNA is comprised of leadership; technological vision; frugality; and the desire to succeed.”

It’s a quick read, but fascinating.

 

WebCenter on Exalogic and Exadata

There’s currently a lot of interest in moving virtualized environments to Oracle’s engineered systems.  This is partly because they are good systems and, for organizations that can use their capabilities, provide good value for money and high performance. Partly because Oracle licensing makes it tough to virtualize cost-effectively on other platforms (looking at you, VMware). And partly because Oracle sales people are extremely motivated to sell hardware along with software.

Unfortunately, though, there is still a lot of confusion about how this might impact deployment of WebCenter on these engineered systems.  Here are a few scenarios you may come across and how to deal with them.

  • Exadata (or Database Appliance) – no impact at all from an installation point of view.  The database is still just a database from the application’s point of view and will continue to connect via JDBC.
  • Exalogic with native OEL – this is a rare configuration, but Exalogic does support install of OEL natively on compute nodes.  In this case there is no difference to installing on any other Linux OS.  Assume (and ensure) networking is handled by the Exalogic administrator because that is where the issues may arise.
  • Exalogic with virtualized compute nodes – the most common deployment.  The standard/supported approach is to install all the WebCenter components on virtual OEL servers as usual.  Installation of WebLogic and WebCenter on Elastic Cloud (Exalogic) is exactly the same as on a regular server. Networking can be challenging when configuring virtual environments on Exalogic, so be sure that is all worked out ahead of time. Domain configuration and data stores should be on the ZFS storage appliance.

A major value add for Exalogic is the optimization for WebLogic that is designed into the system.  All of these optimizations have to be configured on a domain or server basis, though; they are not OOTB. This is a good resource for working through the optimizations.

Two factor security challenges

<Updated> Clarification of specific issues with 2-factor authentication by vendor:

Apple – two factor authentication becomes three factor when Apple disables your password and refuses to re-enable or change it. The Recovery Key then becomes the only factor in single factor auth.

Microsoft – two factor authentication with your MS Account (live? not sure what they brand it as this week) is not supported for Office365 accounts – so you have to generate a new one time application password each time you reboot your computer.

eBay/PayPal – handoff from eBay to PayPal (with 2 factor auth) doesn’t work on iPad. Prompts for password and then redirects prompting for SecureID token.  Does appear to work on Safari for Mac.

Dropbox – does appear to work, but I’m sure I’ll find flaws

Google – do they even have two factor? I don’t use their spying stuff.

 

Those of you who follow me on twitter will know that earlier in the year Apple’s poor excuse for two-factor security and support frustrated me for months (literally) and ended with me losing everything I had ever paid for with that account and having to create another account from scratch.

I’m now finding out that Microsoft has implemented two factor security in a similarly half-assed way.  I just switched to a personal MS365 subscription for Office 2011. Since installing Office 2011 I had been annoyed by the 365 login screen each time I rebooted my computer.  But now that I’m using my own account with 2 factor auth, it’s even worse. I get prompted for a login, but my password doesn’t work – I then have to log in to account.live.com, authenticate, generate an app password, copy that and then paste it into the prompt screen.  After talking to 9 different MS support people, none of whom even understood the issue, I have to assume it’s working as designed.  Their only advice was to turn off two factor authentication.

Add to that my experience last week where the handoff between eBay and PayPal (also with 2 factor auth) was completely broken on the iPad and my conclusion is that for normal users the overhead and annoyance associated with security is untenable.

We are surrounded by news of security breaches on a daily basis and yet the largest software companies in the world can’t implement two-factor security properly. Password management is a mess because web pages prevent you from copying passwords into the login screens or because apps on your mobile devices forget the password at every update and again don’t support pasting of username and passwords.

I’m a technical person that has been using these systems since the mid 1980s. I understand the importance of password management, secure authentication, etc. and I’ve even experienced the outcome of hacked passwords and lost accounts. But to expect “normal” users to manage these broken and difficult to use tools is ridiculous.  People will just throw up their hands and go back to 1234 or password because trying to do the right thing is too hard and ends up with you locked out of your account.

I’m not sure how this is going to improve.  The burden for these insecure systems is still placed fairly and squarely on the shoulders of people with little to no interest or training in technology. There’s no clear competitive advantage in more secure and easy to use logins because nobody at the companies pays any price for their failures.

  • Two-factor authentication (as it is implemented by almost every tech company) is broken.
  • Username / password is broken.
  • There is no clear alternative currently out there.
  • We will continue to get daily reports of “hacking”, “cracking”, and online theft.

 

Larry stepping aside at Oracle?

A shock announcement from Oracle yesterday that Larry Ellison will be stepping aside as CEO to a new position as CTO, with Safra Catz and Mark Hurd stepping into the new co-CEO roles.  BUT, Larry was also named executive chairman of the board – so Larry will report to Mark and Safra who report to the board of which Larry is chair.

As a former Oracle employee, I found that Larry’s presence always loomed large at the company in a way that Safra’s or Charles Phillips’s did not (I pre-dated Mark).  I’ve always respected the guy because I admire someone who grew up poor as the child of a single mother and had the vision and tenacity to grow such a huge company from nothing.  I have never met him face to face, but people I know who have met him report that he is very, very sharp technically and had a grasp of detail even when he was running this behemoth of a company.

Mark Hurd, on the other hand, is almost universally described as a spreadsheet-driven bean counter and was widely loathed at HP when he was there. A friend of mine was in an HP office in London when the news came via email that Hurd had resigned and described the celebration and joy that greeted that news.  I don’t know much about Safra Catz other than she is seen to be efficient and somewhat scary (although there may be some sexism colouring that viewpoint).

Over a few beers with friends earlier in the year, we came up with the idea that Oracle would merge with Salesforce at some point and put Marc Benioff in the CEO seat of the combined company.  I see a more charismatic leadership style from Marc than from Safra or Mark – but maybe the latter will grow into their roles as Tim Cook has at Apple.  And there’s still time for Oracle and SFDC to merge – seems like almost everyone at SFDC used to work at Oracle anyway.

FWIW – here is what Marc Benioff had to say:
