June 2002 Archives

William Grosso



For years, my friends have been telling me, with varying degrees of snideness, that people with as little sense of direction as I have ought not to go hiking as much as I do. And that, if I persist in my foolishness, I ought to buy a GPS.


Well. I got lost on a hike the other day and decided to give in.


The GPS Market is Ridiculous.



I haven’t been this frustrated while buying a consumer product since I bought my car (4 years ago). You know your industry’s in bad shape if it brings back memories of a gum-chewing Toyota salesman in a badly-fitted sports jacket. It’s even worse if that guy now seems like a fairly knowledgeable and helpful person.


To begin with, there’s not a lot of standardization out there. It’s hard to compare features across models from the same company let alone from different companies. And even the most innocuous accessories from a company don’t work across all models.


For example, Garmin sells CDs of data. The software on the CD works with almost all the Garmin GPS units. But the data itself doesn’t. Here’s a disclaimer:

“Please note: The trip and waypoint management functions of this product work with nearly all GARMIN GPS units, excluding the GPS100 family and panel mount aviation units. The map download feature of this product is recommended for use with the GPS III Plus, NavTalk, GPS 12MAP, and GPSMAP 162/168. It is compatible with StreetPilot GPS, StreetPilot ColorMap, GPSMAP 295, and eMap, which require a blank 8 or 16MB cartridge to upload map data to these compatible units.”


That’s from the GPS City web site, but it’s from the manufacturer. GPS City also points out that the eTrex Vista “Accepts data from all of the MapSource CD-ROMs.” Seems like a contradiction to me. But I guess that way they keep their bases covered.


So you look at a GPS. You check out the features, the battery life (if it’s available; often it’s not), the screen size (for several models, the only data on screen size was hidden inside a flash movie on the Garmin web site), the weight, etcetera. And then you have to look at each data CD, to see if the model is compatible with the data (and you do have to look at each data CD; they all have different lists of GPS’s that they’re compatible with).


The eTrex Vista also comes with a basemap of North and South America. Great! What’s on the basemap? How does the basemap information overlap with the MapSource CDs? There doesn’t seem to be a lot of information out there helping me with that either. No one selling a GPS seems to think the buyer needs to know what data comes with the GPS.


Of course, I didn’t buy any of the MapSource CD-ROMs anyway. As I searched wider and wider on the net, I found out that lots of people think the data on them sucks (more precisely: that the topographic information has been smoothed out to the point of being useless).


Apparently, successive generations of GPS receivers have no backwards compatibility requirements, incompatible data formats, and very rudimentary software. It’s impossible to figure out what works with what, or whether you even need a particular feature or accessory.


There is a bright spot: I think Easy GPS and Gnomad are beginning to address some of the software issues.


But, to quote the immortal words of Paul Saffo, “this isn’t a problem, it’s an opportunity.”


To which I can only add: a Huge Opportunity.

Got a favorite trail in Northern California? Share it with me.

Owen Densmore


I was lucky enough to catch the two days of this year’s
Complex Systems Summer School
(http://www.santafe.edu/sfi/education/csss/summerSchool02.html)
at the Santa Fe Institute (http://www.santafe.edu/) which
discussed networks. The two speakers were Duncan Watts
(http://smallworld.sociology.columbia.edu/watts.html) and Mark
Newman. They have revolutionized our understanding of how
messy hairball ad hoc networks have surprisingly pleasant properties.
One of these is the Small Worlds
(http://pup.princeton.edu/titles/6768.html)
characteristic .. two nodes on a peer network can actually find
each other quickly with near-optimal path length, using only the
local knowledge the nodes have .. no central, global structure.
You know the idea: you meet a stranger at a party, and after a
few minutes you find you have a common friend, and you both say,
“Wow, what a small world it is!”

I had earlier explored Small Worlds and Power Law networks
as part of a P2P project,
basically kicking the tires to see if this stuff works. It
does! And how! For example, this power law graph of 100
nodes looks like a mess, but with the recent results from analyzing
these graphs, order is teased out and quite good, near-optimal
searching emerges. The plot to the right shows the search
lengths (degrees of separation) we get, compared to the more usual
breadth or depth first searching. Dramatic, even more so
considering the search scale is logarithmic!




[Figure: 100 node power law net]

[Figure: Search statistics for large net]

But I had always had a nagging concern that this was just the
beginning, and we needed to figure out how to include more natural
searching ideas such as peer groups (occupation, geographical
location, age, and so on), much like people do when trying to surf
their social network.  Well, Mark, Duncan and others have been
busy working on the problem and the good news is that studies of
“identity” (read meta-data) in social networks have led the way to
better searching!  The earlier searches were pretty dumb: just
look for an exact match on the data (Do you have file “X”?).
The new methods use a nice blend of meta-data (Check out the
folks “like me” and “near me” for file “X”) which tame the power law
nets even more. Mark’s Networks and Graph Theory page
(http://www.santafe.edu/%7Emark/pubs.html) has a good selection
of papers on the topic.

So hang in there gang. Math, The Next Big Thing, with the help of
very interdisciplinary folks at the Santa Fe Institute, are cracking
some of the tough nuts of peer systems, robustness, data mining and
other core problems.  Wait’ll I show you how these guys are
using the way ants forage to optimize the data centers! That’ll have
to wait for another day.

I’d be interested in any reader’s experiences in this general area too.


I was in New York City earlier this week, so I dropped in to the Jacob Javits Center for the PC Expo show. PCs are sufficiently last decade that the show, which I’m told is the largest general purpose computing show on the East Coast, has been rebranded as “TechX New York.” For good measure the organizers tossed in a Digital Video Expo and the Web Services Edge conference, both of which had separate exhibit floors.

The main show floor was much smaller than other conventions during other years. Some major players didn’t seem to be bothering. Maybe I missed it, but I didn’t see Oracle at all, which seemed odd, given the number of enterprise level vendors that were present. I’m almost convinced I just walked by it and didn’t see it.

Web Services are a big thing right now, but I didn’t see anything new that really knocked my socks off. This really wasn’t a surprise, since JavaOne was just a few months ago and most of the vendors involved released new things there. Sonic Software had a good presence with their messaging software, Borland was pushing integration tools and BEA was touting partnerships. IBM had packed off to the main show floor, where WebSphere wasn’t a major presence (although IBM’s area was relatively small if prominently placed, so there wasn’t really much room to emphasize anything in particular).

There were some interesting points. IBM was showing off its 8 processor Xeon server, which they’ve managed to pack, if only barely, into 4U of rack space. Intel was showing off the second generation Itanium processors cranking through some very large SAS data sets, which to the naked eye looked pretty impressive, although I didn’t really have any way to bench it against anything. The 64 gigabytes of addressable memory was certainly enviable.

Both IBM and Intel were pushing their new platform security technology. I spend a lot of time worrying about security, authentication and access control, and trying to get around the problem of providing security systems that get the job done in an easily manageable way. The new technology here involves a chip attached to the motherboard with a cryptographic processor and an EEPROM to store keys. Each system and user has their own cryptographically strong identity, which can be used to encrypt files or access centrally controlled applications. The IBM guys were also showing off integration with biometric fingerprint readers. The target market is corporate desktops and laptops.

I also saw the latest generation of the biometric devices that can be used with or without something like IBM’s chip. The latest readers use a silicon based sensor rather than the older optical sensors. These apparently read several skin layers rather than just the surface, and as a result cannot be defeated by molding a finger out of a gummy bear, as I’m told happened a few weeks ago. They can also fit on a snap-out panel embedded in a PCMCIA card. The USB readers are down to around $100. This is stuff that, once there’s an efficient, standardized way of integrating it all, is going to have a real impact on the way people put together distributed applications, particularly when the clients aren’t all under the control of corporate IT. The privacy issues are, of course, potentially pretty huge but also potentially controllable.

One fun piece of software was a personal video construction kit from Serious Magic, called Visual Communicator. The software takes video input and still images and allows you to create videos which can be streamed on the web or output to TV. The neat thing is that it supports real-time compositing of video streams, much like the editing systems used for live broadcasts of news programs. It also supports “green screen” filming, where you stand in front of a green background and the system substitutes another background for the green areas. It’s not something I have any current professional use for, but it’s very cool. The software runs $99, and an extended package with a green background and clip-on microphone is $149.

Now that I have a baseline for comparison it will be interesting to see where things move next year. I don’t get to very many of these things, but it seems like the computer trade show market is fracturing. Of course, this year is looking like an opportunity for a lot of companies to retrench rather than extend, and it hasn’t produced a hot new buzzword. Of course, we have five months left.

Did I miss anything?

Steve Anglin


Related link: http://www.javaworld.com/javaworld/jw-06-2002/jw-0621-jcp.html?

Is the Java Community Process (JCP) adequately preparing Java for Web services? Recently, the official release of the newest Java Web Services Developer Pack (JWSDP) introduces the Java API for XML Registries (JAXR) and Java API for XML Remote Procedure Call (JAX-RPC), recently approved through the JCP. The JCP is currently reviewing additional Java-based or related Web services APIs that should prove important to Java Web services development. JavaWorld.com’s Jennifer Orr spotlights the latest Web services technologies and examines how the JCP is responding to these technologies.

Is the JCP adequately preparing Java for Web services?

Steve Anglin


Related link: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2871569,00.html

ZDNet’s Eric Knorr discusses the Sun ONE announcement from last week. Sun says it’s a software giant, too. In reality, it’s not, given the market share statistics. The more they say they are, the more this clouds their message as a Java evangelist and the more their J2EE licensing revenue flow from the likes of IBM and BEA is at risk.

I’m sure IBM, BEA and others aren’t thrilled with last week’s announcement that Sun is basically competing with them in the same space, while at the same time, Sun collects licensing revenue from these competitors in that same space. For these competitors, that’s double jeopardy, thanks to Sun. For more on this, check out this feature on Sun’s Evolving Role as Java Evangelist as well as my previous Weblogs on Sun ONE.

By marching down this path, I believe that Sun is going to find more risk than reward for their investment in this strategy. Also, by doing so, they have clouded the original Sun ONE message as a Web services platform.

What do you think of Sun’s claim that it’s a software giant based on its Sun ONE announcement? Is this that important for Sun as it could potentially endanger their more important endeavors?

Dion Almaer


It has been an interesting week in the J2EE space.
We have seen public drafts for some of the most popular standards, EJB 2.1 and JSP 2.0. What is new?


EJB 2.1:

Here we see the addition of:

  • The timer interface (cron meets EJB)
  • More linkage to Web Services (easily allowing web service clients to the EJBs)
  • Generalization of MDBs (not just JMS you know!)
  • EJB-QL is enhanced (finally: ORDER BY, but are these additions enough?)

Spec: http://java.sun.com/products/ejb/docs.html

Chat: http://www.theserverside.com/home/thread.jsp?thread_id=14053


JSP 2.0:

Suddenly JSP jumped from 1.2 -> 2.0 (previously known as 1.3).
Some of the big changes are:

  • The inclusion of the EL (shared with JSR 52)
  • The new JSP Fragments (more formal JSP componentization)
  • The new .tag idea, allowing custom tags to be defined
    using a JSP interface, not the Java interface
    Tags can be placed in WEB-INF/tags, allowing us to bypass
    the URI declaration

  • <include-prelude> allows you to include JSPs at the beginning of a set of JSPs (by url-pattern)
  • <include-coda> allows you to include JSPs at the end of a set of JSPs

Spec: http://jcp.org/aboutJava/communityprocess/review/jsr152/index.html

Chat: http://www.theserverside.com/home/thread.jsp?thread_id=14091

JSTL Jakarta Release: http://jakarta.apache.org/builds/jakarta-taglibs/releases/standard

Lots of new stuff to learn. Again. :)

Do these new specs give you what you want? Should they have more, or less scope?


Related link: http://www.spamcon.org/

This afternoon I was sitting at my home computer writing about JavaMail best practices for an upcoming O’Reilly release. I also wrote about JavaMail in the second edition of Java Enterprise in a Nutshell, and while I was working on that chapter I hit a moral dilemma: what if someone reads this book and uses the knowledge gained to start spamming? After all, I even described how to use JavaMail to send HTML email. What was I unleashing? Thankfully, I came back to my senses and decided that JavaMail was too useful to leave out, that I didn’t want to be a technology censor, and that Bob would just get somebody else to write it anyway.

So as I was writing I started to wonder: exactly how much email gets sent on a daily basis. My initial estimate was something on the order of “an awful lot,” but it seemed like someone must have taken a slightly more scientific approach to the question. This will make a great footnote, I said to myself, so I went off to do some research, leaving the actual issues of JavaMail Best Practices aside for the moment.

Surprisingly, Google failed me. I found some interesting statistics on Spam volume on particular systems, including a sample from www.myrealbox.com, a webmail provider, that indicates approximately 25% of their incoming message traffic is Spam. They’ve also processed 1.5 million messages for 150,000 users over the last six days, and blocked another 500,000 in spam. But not knowing how many of those accounts are active it’s hard to scale. But assuming no growth or change in volume, this one mail provider will process over a hundred million messages this year. And out of all of my email correspondents only one of them uses this particular service.

So while my initial estimate of “an awful lot” has been validated, I’m not any closer to real numbers, but I am taking suggestions. If you have any idea at all, please leave a comment below or send me a note. To get my email address, click on my name at the top of this page.

Any suggestions? What do the numbers look like, and where are they?

Steve Anglin


Related link: http://www.oreillynet.com/cs/weblog/view/wlg/1435

According to InfoWorld, the Sun ONE Studio 4 will be the successor to Forte for Java, which features Web services including a new UDDI-based registry product/service. This announcement is the latest on the Sun ONE evolution, or is it?

Remember when Sun ONE was Sun’s platform for Web services? I do, especially with Simon Phipps’ keynote last year at O’Reilly’s Java Enterprise Conference. Sun ONE was to be the Web services bridge between Java and Sun’s Solaris OS and server hardware. Of course, Web services is more than that, but I think that was the plan. I think it was supposed to be positioned at the same level as .NET. Now, it seems that Sun ONE is a marketing slogan for much of Sun’s middleware and software solutions.

Currently, Sun ONE consists of Solaris OS (and maybe a Linux flavor currently supported by the new Cobalt servers), Sun ONE Web application server (used to be iPlanet/Netscape app server), Sun ONE Studio IDE, and more. Bundling Solaris 9 with the app server is a key indication that Sun is aggressively addressing the middleware market. I suspect that Linux will be key for Sun to really make headway with its current Sun ONE strategy. Expect to see Sun ONE Web application server bundled with the Studio and other software, perhaps database, etc. This seems to be the trend with other Web app server vendors: bundles Web app server as suite of software, also known as extended Web app server middleware/software.

While this may be a plan to seek immediate revenue on Java software, this will, if not already, cause friction with many of Sun’s Java licensees such as BEA, IBM, etc. Moreover, it may affect the long-term viability of Sun’s software licensing revenue model.

While Sun ONE has evolved into a viable and competitive product suite, the original intent and message of Web services seems lost, other than the Web services features and tools found in the Sun ONE Studio and other Sun ONE products. And I’m not sure if this message is one that can be found again using the Sun ONE brand. I’m sure it’s possible, but it will be difficult for Sun.

What do you think? What’s Sun ONE? How do you think it’s perceived?


A week or two ago I wrote about Oracle’s new JDeveloper 9i Java IDE. In the midst of a generally positive miniature review, I did mention that I hadn’t been able to get integration with CVS working properly.

A few days after the weblog entry went up I heard from a helpful Oracle employee who offered to help out, and after a few rounds of email I had the CVS integration working properly. I’ve never been entirely convinced of the benefits of integrating version control with the IDE (I sort of like the extra step of going out to another program, as it encourages good code hygiene by discouraging random commits), but it works as well as anything I’ve seen. For those interested, the trick was to set HOMEDRIVE and HOMEPATH environment variables to d: and /home/user, respectively. CVS under Windows doesn’t tolerate mixed path separators all that well.

Apparently integration with Oracle’s own Source Control Management system is even tighter, but I haven’t used this. I suspect that I’ll still end up using a stand-alone CVS client for some things (like cleaning up files after refactoring), but for most of the day-to-day will probably stick to the

Now that everything is working together, I’ve managed to condense four applications (IDW, SQL*PLUS, Oracle DBA Studio and CVS) down to one, and am therefore getting more work done. I suppose that’s a good thing.


Related link: http://www.politechbot.com

One very good test of an information resource is whether it tells you things you find frightening. The CBDTPA seems to be the current bogeyman for the technology community (and rightfully so), but it’s far from the first and won’t be the last. At this point in the 21st century, there are very few people in the technology industry who haven’t been living under a rock that would be willing to argue that it’s not vitally important for technologists to keep an eye on public policy. And frankly, if you’ve been living under a rock you’re probably not in the technology business. The gulf between Silicon Valley and Washington looks a lot smaller now than it did a few years ago, and it behooves everyone to try and stay on top of it.

The general media doesn’t do a very good job of covering important technology/politics issues while they’re still relevant. Instead, you have to look a little harder and find resources that are a little more raw. Sources like Declan McCullagh’s Politech mailing list are extremely valuable. McCullagh, a journalist and occasional programmer, has covered reactions to new technology in Washington and elsewhere for years, and the mailing list he founded is a clearing house for incident reports and commentary on legislation, lawsuits and politicians. All of the postings to the list itself filter through the moderator, which keeps the traffic level down and allows the casual reader to keep up.

And, yes, I occasionally find it frightening.

Where should we draw the line between thinking about technology and thinking about politics?

Steve Anglin


Related link: http://www.oreillynet.com/cs/weblog/view/wlg/1537

When the dust settles from all the speculation, rumors, and actual M&A (mergers and acquisitions), you should see the following types of Java middleware out there. The types I speak of are evolved or extended middleware, which now encompasses databases, as well as development and productivity tools such as IDE.

This new middleware trend enables hardware server sellers and middleware providers to offer complete, bundled software suites as a way to better compete, improve performance and/or increase server sales and revenue. To accomplish this, many of the larger firms are conducting aggressive M&A with smaller, cash-strapped firms who have little or no value in today’s equity markets and/or continue to struggle for market share in their respective areas of expertise.

When all is said and done, expect to see a highly consolidated Java middleware suite or extended Java-based Web application server market of players, which may likely look like this, if HP acquires/merges with BEA, etc.:

The Big Three

  • HP: HP-UX with BEA WebLogic application server suite, which includes WebLogic, WebLogic Workshop IDE, and database product TBD. Database product may likely come from a partnership or M&A with Sybase.
  • Sun: SunONE product suite: Solaris OS (and Linux long-term) with iPlanet Web Application Server, Forte for Java IDE, and database product TBD. Sun currently partners and invests in several minor players. Sybase may also be a possibility long-term if it’s still available.
  • IBM: IBM/Red Hat Linux OS with WebSphere application server with IDE (VisualAge for Java will be replaced by a commercial, professional version of Eclipse), Web services e-directory software from Novell and IBM’s very own DB2 database software.

What about Oracle, Borland and the others?

You might ask where’s Oracle in all this. Well, Oracle is the wildcard that offers its Oracle 9iAS suite, which is a Web app server and database solution which comes bundled with Oracle’s very own IDE, JDeveloper. Unlike HP, Sun and IBM, Oracle doesn’t have servers to sell. Instead, they sell their software/middleware suites and licenses to government and institutional agencies, which has received much scrutiny of late. Politically, Oracle has dug itself a hole with the major server vendors and now the government, which puts itself in a very precarious situation. Long term, this could mean a lot of things including M&A with one of the big server vendors above. For example, Sun may be the most likely interested, but reluctant, partner or even acquirer, long-term. We’ll see.

What about Borland? Borland has a similar situation to Oracle. It not only has JBuilder with Web services IDE, but it also has Web application server and databases (i.e., Paradox, etc.). While it can bundle as a complete, extended Web app server or middleware suite, Borland does not have servers to sell. Long-term, it will likely partner or even be acquired by one of the big three. If I had to bet, that would be IBM. Of all of Borland’s tools, JBuilder would have the most value, especially to IBM if the commercial version of Eclipse does not fare well.

What about these players: Sybase is particularly inviting as a target for the big 3 above as a database solution, perhaps in lieu of something like Oracle. Novell will likely be acquired by IBM, given that IBM already uses/has used Novell as a distribution channel for its WebSphere. Players like IONA with some of its CORBA interoperability tools will be acquired by one of the big 3 to augment already existing tools. Etc.

Long-term, I believe companies like Oracle, Borland, IONA, etc. that offer only accepted software solutions will struggle as the value of middleware software diminishes over time. Even new product prices will go down from the current levels you see, given the following:

  • Companies have done much of their IT hardware-middleware-software purchasing in the late 90’s.
  • Revised company budgets and greater investor scrutiny on spending.
  • The growing acceptance of open source Java implementations and tools in the corporate environment.
  • There are over 4,000 open source Java and XML projects.
  • Anti-competitive licensing practices are under review and revision; just see the news between Oracle and its state software licenses.

When the dust settles

In time when the dust settles, there will be the big three of HP (BEA, Sybase, Borland (with Rational)?), Sun (Novell/i-Planet, etc.), and IBM (Novell, Borland?, Red Hat, etc.). Oracle may be out in the cold if it’s not careful.

How do you see this market shaking out, when the dust settles?

William Grosso


Related link: http://www.onjava.com


Let’s start with some disclaimers. I work in a small startup where we use Java as our primary programming language. I co-chair a Java Developer’s SIG in Silicon Valley. And I wrote an O’Reilly book on Java RMI. So maybe I’m just a little too deeply enmeshed in the Java universe. And that, 5 years into my Java experience, I’ve gotten jaded.


But.


Does it strike anyone else that Java, which once was an interesting new language that had the potential to change the world, has become deeply boring? That our lovely little language has become completely and utterly disassociated from what’s interesting and innovative in the computer industry?


The positive spin that people put on this is that “Java is maturing as a platform” or “Once things get really useful, they stabilize” or “SUN’s providing a computing layer so that other people can innovate; you’re looking for innovation in the wrong places.”


To which all I can say is “Maybe.”


But “web services” and “what’s new in JDBC” smells like death-warmed-over to me. We’ve gone from “write-once, run-anywhere” and a world of mobile code flowing over the network to “let’s do RPC in ASCII so that our legacy systems can exchange data.”


Maybe this is good. Maybe this is a sign that Java is, as so many pundits tell us, “growing up.” But, then again, maybe John Cougar Mellencamp nailed it when he sang (in The Authority Song):

Growing up leads to growing old
And then to dying
Ooo-ooh and dying to me
Don't sound like all that much fun.

Bored with Java? What do you plan to work on next?

Steve Anglin


Related link: http://www.infoworld.com/articles/hn/xml/02/06/04/020604hnbluestone.xml

With the HP-Compaq merger behind them, the new HP has emerged more focused and aggressive as they sell off what’s apparently not working in favor of what’s working: BEA? If this is the case, look out IBM and Sun.

Why acquire BEA? Well, BEA has the market share leading middleware and, perhaps, the IDE (WebLogic Workshop (Cajun)) and other software that HP covets in order to boost its HP-UX server sales and be on a more even hardware-middleware-software footing with IBM and Sun. The only thing BEA may be lacking is a database solution. However, BEA or HP with BEA could acquire a company like Sybase to solve this problem. As far as adopting .NET, this remains a possibility as well.

Speculation is becoming more and more noisy regarding HP and BEA, regardless of whether or not HP and BEA have actually talked, yet. The real question: does HP have the cash it will need to acquire BEA in this current equity market? Perhaps, given its combined financial prowess thanks to its merger (acquisition of) with Compaq. Time will tell.

In the meantime, look for strong partnerships with BEA, along with, perhaps, Microsoft to develop and continue.

What do you think of this possibility?

Dion Almaer


Related link: http://www.infoworld.com/articles/hn/xml/02/06/04/020604hnbluestone.xml

HP seems to have taken a U-turn. After purchasing Bluestone’s Total-E-Server, and building HP-AS, they now look like they are going to scrap it and partner with someone (*cough* BEA). Can they sell HP-AS now? Should they open source it?


I made an interesting discovery the other day. In the course of setting up a new system at the office, I created a fresh Windows 2000 installation for the first time in a year or so. After browsing the web for a while, I realized something was different, but I couldn’t quite tell what it was. Then I realized that there were no snowflakes falling down on the Weather Channel site, no cars screeching across the New York Times, and no full-size Palm Pilots blocking my view of Dilbert. Although Orbitz pop-up ads kept appearing on a regular basis, the overall web experience was far more productive.

Eventually a pop-up window came up, informing me that I needed to install Flash to view some element of a page I was visiting. Of course, I was being asked to install this extra software solely so that I could view an ad; I wasn’t going to get any new content. So I clicked no, and for good measure went into my IE options and completely disabled ActiveX downloads. I consider myself a savvy computer user and software developer, but actually going and turning off Flash to reduce the intrusiveness of online advertising had simply not occurred to me.

Four days later, I haven’t noticed a single difference, except that the Weather Channel web site is usable again, and I haven’t had to sit around and be frustrated for fifteen or thirty seconds at a time while an ad marches across my screen and attempts to trick me into clicking on it. Like most people, I begrudge wasted time, which is also why I own a DVR.

I don’t feel the least bit guilty about undermining the business model behind web sites with Flash based advertising. They’re too annoying, and annoyance for information is not a trade-off I’m interested in making. But there really is a problem here: running sites like www.nytimes.com is not an inexpensive proposition, and I’m not naive enough to expect that they’ll be able to keep functioning after all of their revenue streams are removed. I’m willing to pay for things I find useful; but I’d rather pay in money than in time and aggravation.

More to come…

By not participating in advertising like this, are we undermining the financial stability of the web? Will we just end up with even less palatable and accessible models?

Steve Anglin

Related link: http://news.com.com/2100-1033-931583.html

According to c/net and JavaWorld.com, Evans Data reports that only 500 developers use Qualcomm’s BREW platform, while Sun estimates that 200,000 developers work with J2ME.

I have no doubt that some of Qualcomm’s woes come from this, and may have impacted the acceptance and sales of their cell phones in the marketplace. Perhaps it’s time to consider the adoption of J2ME where there are many more developers, solutions, and application implementations including productivity tools and games for its cell phone users. Just a thought.

I just downloaded Oracle 9i JDeveloper last week, and I’m very impressed. Previous releases had simply been a rebranded version of Borland/Inprise’s JBuilder, and I never saw much reason to not simply use JBuilder. I’ve never had a lot of luck with rebranded software, particularly when the original development team wasn’t responsible for the new version.

That’s no longer an issue, as the new version is a ground-up rewrite, in Java, and has the full set of Enterprise level development tools, including an embedded copy of OC4J (the Orion application server licensed by Oracle) and easy integration with certain application servers (Oracle 9iAS and BEA WebLogic are represented; IBM WebSphere, perhaps not so mysteriously, is not). There’s integration with various version control systems (including CVS), code analysis tools, a profiling and management system, and a workspace/project management system that works very well for managing not only Java code but Web Application resources as well. Integration with Oracle is, as is to be expected, very tight, allowing viewing of tables and data as well as full editing of stored procedures, triggers and other code objects within the database. Overall, the feature set looks equivalent to the latest JBuilder Enterprise or equivalent.

Stability is great, too; in the last week of using it full time I haven’t experienced a single crash or hangup. On the flip side, I have had trouble with the CVS integration, but it appears to be a configuration fluke on my particular workstation. There’s also only partial support for J2EE 1.3, although there is a Servlets 2.3 runtime which will tide a lot of people over. The profiling tools only run on Windows.

That’s all great, but the really interesting thing about the new JDeveloper is the licensing. JDeveloper is a free download, while JBuilder 6 Enterprise will set you back a few thousand dollars. Support is available for $995, but, frankly, I haven’t needed it. It looks like they’re trying very hard to reach not just the general Oracle developer community, but the Open Source development community as well. The web site includes a How-To article describing how to connect directly to SourceForge.net project repositories via SSH and CVS.

It looks like Oracle is trying to build up good will in the independent developer community, and maybe sell a few of their other tools (like their new SCM system, as well as the database and app server) into commercial development groups. They may even be trying to spur some Open Source projects built around an Oracle core. That’s probably the best remaining strategy for making money off open source software.

There are a few areas where JDeveloper can lock unsuspecting developers into an Oracle-only solution (the Web Services integration frameworks and the Business Objects support both require Oracle provided libraries), but there’s nothing inherently wrong with a server vendor making it easy to use their servers. It might prevent some people from using the tool, but that’s really no skin off Larry Ellison’s back. Sun, with Forte and NetBeans, doesn’t have that same flexibility, since their goal is to grow Java as a platform, not to sell databases.

Borland has been trying to crack the middleware business for years, and had built themselves a nice position on the top of the Java development tools heap. I wonder what their response to this will be.

Is Oracle end-rushing the Open Source community?

William Grosso

Related link: http://ourcommongood.com/aboutus.html


Ever try to follow up on a job applicant’s references? Maybe contact an applicant’s old boss, to see what they’re really like? In California, you won’t find out much. Every manager I know won’t say anything negative about an ex-employee. Because if they do, there might be a lawsuit later on. Many won’t say anything positive either, because then the “more negative” responses could be grounds for a lawsuit.


This is awful. Ever had a bad hire who “aced the interview”? Ever thought “Geez. I wish somebody’d warned me”? Ever wondered why you didn’t hear “Are you kidding? I wouldn’t trust him to take out the garbage by himself” instead of “Yes, he worked for us and was a team player on a number of projects.”


Well, now, officially, it’s your fault.

William Grosso

Related link: http://www.openspace.org


I went on an 11 mile hike today.

  1. Start at Monte Bello parking lot.
  2. Canyon Trail to Grizzly Flat Trail
  3. Grizzly Flat Trail to Ridge Trail (crossing Skyline)
  4. Ridge Trail north to White Oaks Trail
  5. White Oaks Trail back to Monte Bello

Highly recommended if you’re in the Bay Area.

Marc Hedlund

Related link: http://www.nytimes.com/ref/membercenter/help/qpass_redir.html

…this is ridiculous. The New York Times recently switched from one paid membership management system to another, and they changed the username and password of every paid account. For some reason, they’ve posted the system they used to choose new usernames and passwords on the Web for anyone to see. Security is certainly a difficult problem, and password management is even harder than most security problems, but it’s much worse when you don’t even try. If you have a paid nytimes.com subscription, be sure to read this.

The New York Times’ Web site offers some excellent paid features, including online archive searches and crossword puzzle downloads. In the past, they used a horrible service called Qpass to manage their paid accounts. Qpass was hard to use and unreliable, and many nytimes.com members (myself included) complained about it frequently. Apparently the people at the Times agreed, because in March they dropped Qpass and moved to a new account management system. The new system is a big improvement in usability and reliability.

My jaw dropped, however, when I got the email from nytimes.com telling me how to access the new system. It read:

Now enter the following Member ID and password which we have created for you and click the “Log In” button. You will need to use this Member ID and Password to access your NYTimes.com premium products in the future.

Member ID: marc_hedlund
Password: Your password is your Qpass User Name.

I quickly wrote them a note pointing out that usernames are easily guessable (my Qpass username was “mhedlund”), are often repeated across many sites, and are often not kept as secrets (for instance, message board posts are often tagged by username). Furthermore, I wrote, I thought this message violated their privacy policy, which states:

Data Security: To prevent unauthorized access, maintain data accuracy, and ensure the appropriate use of information, we have put in place appropriate physical, electronic, and managerial procedures to protect the information we collect online.

I certainly wouldn’t count sending password-guessing instructions to all of their users as “appropriate […] managerial procedures.” I asked if there had been some mistake, and suggested they revoke all the guessable passwords and send out new, random passwords as a stop-gap. They replied that there was no mistake and that I could always change my password if I found myself concerned about security. (And I did.) Today I noticed that the same instructions I had been emailed are available on the nytimes.com FAQ page, <http://www.nytimes.com/ref/membercenter/help/qpass_redir.html>.

It’s always disappointing when a site is negligent with security. What’s a little more surprising about this case is that this is a prominent commercial site — the New York Times is paid by each of its premium subscribers — so you’d think (or hope) they would care more about protecting their customers’ security. If I can get access to your account, I can buy articles from the New York Times’ archive and have them charged to your credit card without you knowing about it (particularly, but not exclusively, if you’ve enabled one-click checkout on your account). That right there is the core definition of an ecommerce vulnerability, and here’s one of the premier media organizations in the world making such an attack trivial.

How hard would it have been for the New York Times to send random passwords to its premium users rather than easily guessable passwords? They were already sending a customized email to each subscriber, and they already had to write a password update system. Alternatively, they could have had each subscriber choose a new password for themselves the next time they logged in. The cost of doing things much more securely instead of insecurely would have been $0.00.

If you are a premium subscriber, you should definitely change your password so that it is something hard to guess. You can change your password at <http://www.nytimes.com/mem/profile.html>. Information about the importance of choosing a good password can be found at <http://www.nytimes.com/2001/12/27/technology/circuits/27PASS.html?ex=1010480> — yup, that’s right, in an article published by the New York Times.
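
The two migration choices discussed above (new password equals the old Qpass user name, versus a random temporary password with a forced change), sketched as an added example that is not code from the post or from nytimes.com. The record layout, function names, the PBKDF2 work factor and the `must_change` flag are assumptions made for illustration; the sample account is constructed from the names quoted in the post.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example

def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, record):
    """Constant-time check of a candidate password against a stored record."""
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["digest"])

def new_record(member_id, password, must_change):
    salt, digest = hash_password(password)
    return {"member_id": member_id, "salt": salt, "digest": digest,
            "must_change": must_change}

def migrate_weak(member_id, old_username):
    """Scheme from the email: the new password is the old Qpass user name."""
    return new_record(member_id, old_username, must_change=False), old_username

def migrate_random(member_id):
    """Random temporary password, with a forced change at first login."""
    temp = secrets.token_urlsafe(12)  # 12 random bytes = 96 bits, 16 characters
    return new_record(member_id, temp, must_change=True), temp

def guessable_with(record, public_attributes):
    """Audit: which publicly known strings unlock this account?"""
    return [a for a in public_attributes if verify(a, record)]

# Constructed sample account, using the names quoted in the post.
PUBLIC = ["marc_hedlund", "mhedlund"]
weak_rec, _ = migrate_weak("marc_hedlund", "mhedlund")
strong_rec, temp = migrate_random("marc_hedlund")

if __name__ == "__main__":
    print("weak scheme unlocked by:", guessable_with(weak_rec, PUBLIC))
    print("random scheme unlocked by:", guessable_with(strong_rec, PUBLIC))
    print("forced change on first login:", strong_rec["must_change"])
```

The same `guessable_with` audit can be run over a migrated account table before the notification emails go out, so that any account whose password matches one of its own known identifiers is caught and reissued.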