Capping IT Off

Capgemini’s Technology Blog

About coffee blends and the platform the web is

Over the last 5 years or so, web applications have shifted from a stateless, page-oriented set-up to a stateful set-up where the concept of page has been completely banished. When it comes to the ways in which a user can interact with them, modern web applications can now rival desktop applications. In fact, the distinction between them is already blurred. It won't be long before - from a user's perspective - either the notion of web application, or desktop application disappears. The fact that an application uses remote resources that it accesses through HTTP will and should be transparent for users.

Interestingly, many people don't even care what web browser they have to use, as long as it allows them to do what they need to do. Common internet users (people that are not particularly technology savvy) will "run Yahoo" where they mean starting up their browser and (automatically) opening the Yahoo URL. And consequently, if Yahoo "doesn't work" because the site is down, or the latest browser or OS update causes their web browser to crash because of incompatibility issues in Yahoo's JavaScript, they probably won't blame Yahoo or the browser, but their computer and will most likely call computer support.

In other words, to users, an application is something that allows them to achieve certain goals, and it is completely transparent to them how the application does it, whether they need internet access or not and whether a web browser is required or not.

From an engineer's perspective however, there are many ways of creating such applications. As Tim O'Reilly stated in What is Web 2.0, the web should be seen as a platform for building and deploying applications. What does that platform look like? What does it consist of? Engineers (like myself) always try to simplify things by dividing complex notions into layers, so in my mind that platform looks a lot like a lasagna (others might prefer an onion). Each layer addresses a certain problem domain, for which a multitude of technologies can be used.

The choice of these technologies depends on many factors, such as developer preference and familiarity with the technology, cost, community opinion, compliance, compatibility, performance, scalability, et cetera. Another interesting aspect is that application developers will probably also be unaware of the workings of lower layers of the lasagna. Put very simply, building a mashup basically consists of choosing a frontend technology (there is much to choose from: Adobe Flex, JavaFX, GWT, Dojo, JQuery, Sproutcore, you name it), Web APIs (mapping APIs, social network APIs, eCommerce APIs, ...), a hosting party and the technology for storing application specific data. The APIs themselves have multiple layers that the developer using these APIs probably doesn't care about. The developer only cares about certain aspects such as stability, support, compatibility with other APIs, reliability, et cetera.

I know that I am repeating myself, but in the end, the user is unaware of all this and doesn't even care. If, in spite of the superiority of all technology used, the user experiences difficulties and annoyance with an application, the user won't want to use it and probably switch to something else.

The other day, while I listened to one of my favourite podcasts, "The CoffeeGeek podcast", I had a weird enlightenment. In the podcast they discussed the fact that coffee blends hide the origin of coffee beans. One argued that the origin of the beans used in a blend should be mentioned on the package, whereas the other felt that that is completely irrelevant because it is the consumer's experience that matters. Coffee blends are very carefully created and it is ensured that the taste and quality is constant. Being a slight coffee snob, I buy single bean coffees myself every now and then, and the quality of these coffees definitely differs per year. I don't mind that, but most people just want their cup of coffee to taste good.

A Web API blends various resources, standards and technologies (which are also blends). The developers don't and shouldn't care about an API's composition. The API should just do what it promises within the expectations of the developer. A web application blends various resources, standards and technologies. The end users don't and shouldn't care about their application's composition. Most people just want their applications to work as they expect.

The World is Free

There are a couple of books that everyone should’ve read in his life and I think that Thomas Friedman’s “the World is Flat” is one of them. Anti-globalists might disagree with his “globalization is great” story, but you cannot deny that globalization has had a huge impact on our lives and the IT business we are working in.

I don’t want to discuss the impact of globalization or the offshore business, no I actually want to highlight a recent initiative that Thomas Friedman (and/or his publisher) launched: give away a free audio copy of his book! You might wonder… why? Since sales of his books are rocket high (still to date with all the reprints), why does he need to give away audio copies for free? Apparently he is about to launch a new book in September, called “Hot, flat and crowded” that will focus on “how America can lead the green revolution in the 21st century”. This is a pretty smart move, since (as far as I can see it) it creates two effects:

  1. By doing this, he gets a lot of publicity (well we are talking in this blog about it, aren’t we?). It’s probably inspired by Radiohead’s decision to let users decide how much they want to pay for their new album (between 0 and unlimited). Radiohead got a lot of publicity, got a lot of street cred for this initiative and they get a huge revenue from their live performances anyway. So it’s free publicity for his new book (since you get also an excerpt from his new book for free).
  2. He potentially reaches an audience that was not planning to buy his book “the world is flat”, but now that it’s free, they “just try it”, with the hope that they’ll like it and are willing to buy his new book

When you think about it, with almost no budget they have created a whole media buzz for Thomas Friedman and his new book, by giving away his old book for free. A similar initiative was launched recently by a computer book writer (sorry, I really can’t recall his name anymore) that gives away his books in PDF. His reasoning is that with almost zero costs, you can potentially reach millions. This has two effects:

  1. People that were never ever planning to buy his book, download it and read it. They like it and decide to buy the hard copy.
  2. People that were planning to buy the book, download it as well, but then decide not to buy the hard copy since they already have the digital one for free.

As long as the first group outweighs the second one, you make profit. Let’s just hope that his theory works out.

The funny thing is that this model of giving away something with the hope to get extra revenue back is seen as “disruptive” outside the IT world, but it has been a very common business model in our industry for years: giving away hardware to drive software license and support revenues, giving community editions to drive sales of the commercial editions, opening up Google APIs in order to gather even more data that can be analyzed… Whatever the initiative, you always need to be aware that there is no such thing as a free lunch, however tasty it might be!

Can we apply this strategy also for knowledge? True, by opening up code, you are giving away intellectual property, experience and knowledge but I am more talking about knowledge management systems. What if you would open up your whole company internal knowledge system? Can you monetize that in such a way that the benefit you gain, is bigger than the “threat” that your competitors gain by having an insight in your knowledge?

An interesting blog I read is High Availability, which discusses the architecture of the largest internet applications in the world: think about Facebook and MySpace, think about Digg and 37Signals. I frequently read that several of those big websites share a big part of the way they have tackled scalability issues with the rest of the world. Why? Because most of the time they are all reinventing the wheel again and again. They all face issues such as the database becoming a bottleneck, caching issues, fault-tolerance, etc. Facebook and 37Signals are not competing with each other on having the fastest database, no, they are both focused on delivering a web application: Facebook a social network platform, 37Signals a hosted project management software. If they can learn from each other’s experiences, they can serve their respective markets better.

Does this also hold for a knowledge sharing system? Let’s say that Capgemini would open its knowledge system and thus expose information on how we have tackled a complex IT infrastructure problem. We could keep it internal and reuse that knowledge at other clients. We could also share it with the world, thus risking that a competitor of ours applies our solution to another client. Is that a bad thing? Not necessarily, I’d say. If you are producing really innovative solutions, it really boosts your brand. You get a lot of recognition for the information you have shared and can establish yourself as an industry leader, with the added side-effect that it gets appealing for IT professionals to join your company. One concrete example that I can give is the Integrated Architecture Framework (IAF), an internally developed enterprise architecture framework that we have opened and donated to the Open Group’s TOGAF standard. Now we get a lot of street cred in the enterprise architects scene for this.

So open up the corporate knowledge system or keep it internal?

Goodbye Flash, Silverlight, AIR and other plug-ins

Techniques that require a plug-in in the browser are dying. However Silverlight is not the one dying, since it was already dead just before it started (why even try to penetrate a market with a product that is not finished and with a competitor that is 4 blocks ahead). Therefore we can conclude that Flash will disappear, AIR will disappear and finally those ugly Java applets (who ever thought those would be useful on the web, waiting 5 minutes to have an applet loaded) are gone too.

For me it is clear that all plug-in based techniques will be replaced by more native techniques like JavaScript. JavaScript was forgotten due to some browser wars which resulted in two rather incompatible implementations of JavaScript. However, with the several incompatible implementations becoming less dominant (there now is only one implementation that is questionable at some points) and the rise of libraries like JQuery, Prototype, SproutCore, YUI, MooTools and ExtJS, it is clear that JavaScript is back on its feet again and it is running to overtake all these plug-in based techniques. JavaScript is platform independent, as most plug-in based techniques are not.

The limitation in JavaScript used to be the 'flashy' things: drop and drag, animations, interoperability and other nice and fancy stuff that was either limited by the technique or by the processing power of the client. Nowadays this isn't a limitation anymore. Do you want nice animations? You could use script.aculo.us, JQuery UI, or Processing.js. Interoperability is arranged in almost all libraries. Do you want applications that feel like desktop applications? Think of your design and build it, just like 280 Slides, Google Docs, Zoho and SproutCore gallery. You are no longer limited; you can make these things happen with techniques that are native for all browsers: HTML, CSS and JavaScript!

It will be a hot JavaScript winter, especially since everything is possible again. Flash, AIR and Silverlight aren't the only techniques that can make flashy, desktop-like, nice solutions. JavaScript can do that too and JavaScript does not create a vendor lock-in requiring a specific closed source plug-in.

The hyper corrective browser

I just had a discussion via Twitter about the desired behavior of browsers during an endless JavaScript loop (e.g. while(true){alert("test");}). One of my friends suggested that browsers should correct this kind of code. Browsers should do this in order to prevent endless loops that crash your browser or your operating system.

This really sounds horrible to me. Whenever I write code I would like to see it executed the way I wrote it, not the way I could have probably thought about it that it should work. If I write lousy code, let the browser crash, let my operating system crash and probably I will learn something from it. In the worst case even valid code could be corrected by the browser since it could match a pattern that is used to filter invalid code blocks. That would be a real developer's nightmare: hyper correcting browsers that are adjusting valid code blocks combined with all current known specific browser quirks.

However, this hyper correcting behavior could make the web even more insecure. Microsoft will probably implement some protection in Internet Explorer 8. At first sight this is pretty nice; however, there are quite some (amateur) developers that 'test' their websites in only one browser. After testing it in e.g. Internet Explorer 8 it is assumed safe and published on the Internet. However, when using a different browser XSS is still possible and the visitor can still be harmed by this kind of attack.

With all these hyper corrections you will in the end only be safe on the Internet depending on what browser you use. This is incorrect: you should always be safe on the Internet no matter what browser you use. The developer is responsible for the security / usability of his web page / application, not the browser! The browser should only be supportive to visit and use this page / application.

Backpacking. Redefined.

I’m just back from a weekend getaway in Bangkok, Thailand, just to escape from the hectic work life in Mumbai. The Mumbai chaos can sometimes be a bit overwhelming for Europeans, so I decided to visit the well-organized “City of Angels”, mainly for relaxing and shopping.

I didn’t take much with me, with the idea that I’ll buy most of it over there, so armed with a couple of t-shirts, a pair of jeans, slippers and of course my 3G cell phone I took off. The latter was part of an experiment to redefine the way we travel. Forget maps, forget sending postcards, forget exchanging phone numbers. These are so nineties! The tools of the modern traveler are Google Maps to navigate, Dopplr or TripAdvisor to get advice from fellow travelers, Twitter to keep the home front updated and Facebook to keep in touch with the other backpackers you’ll meet.

It’s remarkable how well penetrated Facebook is in the young travel community. When I was passing by internet hotspots, 75 % of the people were checking their Facebook account and a very standard way to say goodbye is “oh, add me on Facebook”.

I already use Twitter a lot to engage in interesting discussions with colleagues and friends and a couple of my best ideas came from Twitter discussions. The most interesting part of something like Twitter is that you can think out loud and once in a while it gets picked up by one of your contacts who gives you a whole different view on the problem you are trying to tackle. For this trip, I wanted to use it more as some kind of diary to keep everyone updated on what I was doing and I even got engaged in some funny Twitter discussions while crawling through one of Bangkok’s many markets.

I sure admit that it takes perhaps some of the “romantic backpackers way of life” away, but it also adds an extra dimension to your trips. Think about a great night you had in a bar with some travelers you met. You take some pictures, upload them to your Facebook account, the people you’ve met can comment on the pictures, share their pictures with you and you build up a whole world of memories. It would be actually cool to have your geographic location associated with your Twitter updates so that you can afterwards see on the map where exactly you have seen that funny cow sleeping in the middle of the street.

We are only seeing the tip of the iceberg of what is possible. One of the most promising areas for the future is the domain of location-based services where services and information adapt to your location, but that’s an experiment I will talk about in August. I’ve been asked by Nokia to test their E71 business phone (with GPS, HSDPA and Wifi) and will take this new way of traveling to a next level during my trips to Berlin and Helsinki.

Stay tuned!

Rent-a-ranter

My favorite podcast just finished their final, what they refer to as ordinary, episode: LUG Radio. The podcast is hosted by four British blokes (Jono Bacon, Stuart Langridge, Chris Procter, and Adam Sweet) who admittedly swear and joke a lot but also discuss Linux and other open source related topics with very refreshing insights. That's all over now of course. They bailed out. Don't they say that only all good things come to an end? (wink,wink,smile)

In that final episode they were discussing whether - in their own words - "Pundits should fuck off". Their definition of a pundit is someone who writes or talks authoritatively about subjects without actually being an authority on that subject. In short: someone who pontificates. Listen to the episode yourself if you want to know what they concluded. One interesting question that came out of this discussion was whether good bloggers are just good at articulating things and not necessarily knowledgeable about the subjects they write about.

Now I might be venturing on very thin ice here, but I actually like to write about subjects that fascinate me. And I am always fascinated by the things I don't fully understand yet, but am trying to understand. So my blogs are often thoughts that I am saying out loud, hoping I can spark some thoughts in other people's heads too. Does that make me a pundit? I'll leave that up to you (be gentle...).

Last week, Eiso Kant posted an entry on his blog with the inviting title: "Is blogging dead?". His point is that "blogs are often no longer about the integrity of the content but the number of backlinks it receives, the number of page views and how high it ranks in Google". I admit, these things matter much to me too, but you actually need to write about something that is valued by others to achieve all that. That's the beauty of Web 2.0!

The thing that triggered me most was a response by Eiso on a comment to this blog entry, where he wrote:

"I have been at the head of a project where we hired article writers to populate blogs. When we paid them we didn’t ask for great articles, neither were we looking for the best writers, we were looking for cheap keyword rich content."

So if I am understanding correctly, you can rent a ranter for populating blogs. These people actually get paid to provide mediocre content. I have tried www.rent-a-ranter.com but it doesn't exist yet. So here's your chance!

Welcome to Web2.0 – with the same old same old Security (Continued)

Well, my post about Web2.0 security (or lack of it) seems to have aroused considerable interest.

How should real world laws apply to virtual worlds?

One thing which comes to mind straight away is that there can be more than one kind of virtual world. The rules around a quest for dragons' gold will probably be different from an office meeting and the context should be obvious.

So if I am meeting a group on line for a work meeting, then the rules of a work meeting would apply. In a work meeting you could commit offences like breach of contract, hate speech etc. This could create interesting evidential weight issues if someone wants to prosecute on the basis of behaviour at an online meeting. If someone suddenly decides to murder a colleague at an online meeting (assuming that our online office environment has such a facility), then we may not condone such behaviour but it clearly isn't real murder.

In a fantasy world on the other hand, the rules could be very different. Because everyone knows it's a game, I would expect more latitude about what speech and behaviour is acceptable. But would using an automated attack bot be illegal? What if I use it to rob someone of virtual gold pieces that are convertible to real money - is this robbery? I believe this situation has already arisen.

In all cases, I strongly believe that virtual smoking should not be an offence!

Should we have the same rights (e.g. to free speech) online as in real life? You can always argue that if you don't like the rights you get from one virtual world you can always go to a different world. Does that mean that governments shouldn't define online rights? I'm tempted to say yes.

Welcome to Web2.0 – with the same old same old Security

As the Internet has evolved our collaboration options have evolved with it. We have gone from email to FTP to web to IM. Now everyone’s talking about Web2.0, which offers social networking and online worlds as personal and, increasingly, as business collaboration tools.

Each new collaboration method has ignored security issues at first, and has encountered reputation and take-up problems as a result. Web2.0 is set to conform to this time honoured pattern.

One of the very difficult things about Web2.0 is its similarity to real life. On-line networking is like real-world networking and on-line worlds are like the real world – even to the point of having convertible currency in many cases. But on the other hand, we want the freedom in an on-line world to do things which would be dangerous, illegal or impossible in real life.

That makes it very difficult to know what the rules should be in Web2.0. Is hate speech in an online world as bad as in real life? Should virtual smoking be banned in virtual restaurants?

Most Web2.0 hosts are doing as little as they possibly can and legislating on a case by case basis when real problems come to their attention. They aren’t attempting to work within an overarching framework.

Actually, I think this is the correct approach. Web2.0 hosts are developing common law rather than Roman law. As a member of the Anglosphere, I approve.

But will Web2.0 be able to develop the security, privacy and reliability levels that business needs? If not, it will have to stay as ‘just a game’.

I am indebted to my colleagues in the UK’s Security Consulting Practice, Anish Mohammed and Steve Allen, for contributing their know-how in this area.

Banking. Redefined.

I have yet to see the first financial portal that can be called user-centric and user-friendly. When I look at the website to manage my bank or credit card account, it’s quite sad to see that most of them are still stuck somewhere in the pre-Web 2.0 era. I am not only talking about the fancy hocus pocus Ajax stuff, but really about usability and the YOU experience: the application should be centered on what I want and centered around my life (yes I am very egocentric), and I should not have to figure out how the bank thinks I should handle my account.

One of the frequent readers of this Technology Blog pointed me recently to a proof of concept (PoC) of the bank for the digital natives, where every feature has been thoroughly investigated for how it can meet my needs: the Frank Bank (http://www.thefrankbank.com). It incorporates all the Web 2.0 concepts like tagging, gadgets (small applications you can add) and personalization of data. On top of that it lets you administer your budget with fancy bar and pie charts and gives you different views on your data.

When you look at the video on the URL mentioned earlier you can see that one of the interesting features is that everything is based on tagging. You can add tags like “shopping” or “work” to every expense and thus create views on your expenses based on the tags. This is similar to the approach that Google’s Gmail uses to categorize your emails (instead of using the old-skool folder based approach). That gives you a grip on your shopping expenditure because you can perfectly get statistics of your shopaholic alter ego and decide whether you still need those Manolo Blahniks or not.

I’d say that the first bank that offers this to its clients will change the way how we look at financial portals. Trust me, this is quite revolutionary. It’s banking, but redefined.

Acid3 and 4, why even bother?

If you are in some way involved in web development you might know the Acid tests. These tests check if and how well a web browser completes a certain set of test cases. Based on this it can be concluded whether a browser is compliant with certain web standards.

Well that sounds great, but what is in it for the users of the browsers and what is in it for the developers testing their web pages for standard compliance? In my opinion: nothing. Do you as a user really care that you use a browser that passed the Acid3 test? Probably not, otherwise the browser statistics would be quite different. Currently only the WebKit (Safari) and the Presto (Opera) engines pass the Acid3 test with a 100/100 score. These two browsers have only a market share of almost 5%. The Trident engine (Internet Explorer) scores only a questionable 18 points and the new Gecko engine (Firefox) scores 80 out of 100. However, these two browsers are used by approximately 90% of the internet population.

Users do not care about something nerdy like an Acid3 or 4 test, simply because it has no added value for them to have an Acid3 compatible browser. Most of the sites will be perfectly rendered in their browser; only a few specific advanced things that are tested in Acid3 will not be shown correctly. These specific techniques aren't used so commonly that they should have an impact on one's browsing experience.

When buying a car, the results of the NCAP test can influence the decision to buy a car, simply because these results do add value (when you crash, will you and your passengers still live, or not). On the internet there is another mindset. Bert Bos once said the following:

I'd like browsers to fix bugs as soon as possible, but it is true that they (and not me) will get the complaints from users when pages that used to work suddenly look differently in a new browser version. Too many people see the Web a bit like television: who ever heard of incompatible content? If there is an error, it's because the TV set is broken, or maybe the antenna. On the Web, it is much more likely that the content is invalid, but try to explain that to users who just want to buy their holiday or see their bank account…

This still is the mindset of most browser users. If you cannot visit your favorite website with your browser and you can with another browser, then the browser is broken and not the website. This mindset is also adopted by a lot of developers. Which is quite reasonable, because would you make a website that can only be viewed successfully by 5% of your visitors?

Users and developers should become more standards aware; without proper use of standards the web is doomed to become something useless. The user's mindset should be changed so that the Acid test is his NCAP test for the browser; however, currently this is not the mindset. Therefore Acid3 is and Acid4 probably will be great for browser vendors and geeks like me to compare how well their render engines function; however, the normal user and less geeky developer will not care. I hope they will care in a few years...
