Tuesday, April 28, 2009

Into the West - sad to see the Sun set


A number of people have been asking me what I think, as an ex-Sun-employee, of the acquisition of Sun by Oracle.

I am mostly sad.  I really liked Sun as a company.  In the beginning of my career, I was a heavy user of Sun technology, from Sun workstations and servers to, when it came out, Java.  And don't forget NFS.  And Open Office.  And and...  Then I was honored to become an employee at Sun, and regardless of how we fared, I always felt that the company's heart was in the right place, and they did things with passion and intelligence.

Oracle, at least from the outside, just isn't like that.  The culture, as I experienced as a competitor at Sybase and from talking to those who have been there, is aggressive and competitive.  I'm sure that's served them very well, but that's just not my style.  When I was in junior high school in Colorado, soccer was played for the most part by Vietnamese and Koreans.  I played soccer both because I loved it and because it was (at that time) just a bunch of friends getting together to have fun. Baseball and football were ruthless, competitive, and not much fun.

I quit playing soccer in high school when someone from the opposing team came at my head with his feet (I was the goalie) and with a malicious grin on his face.  Thanks, but no thanks.  It just wasn't worth it to me.

I see Oracle as a place where baseball and football are played.  Yes, you are successful, but it's not my idea of fun. 

Perhaps companies like Sun can't really succeed in the business world.  Perhaps you have to be ruthless and aggressive and competitive, both inside and outside your organization.  Perhaps a culture like Sun's only does well in the small - small businesses, small goals, maybe even staying private instead of going public.

But regardless, I'll be sad to see Sun and its Most Excellent culture and products be subsumed into Oracle.  It's the end of an age - the elves are all leaving Middle Earth... :)  So long, Sun...

Friday, April 24, 2009

Reputation-based security

Today I read a transcript of Enrique Salem's keynote at the RSA conference, and in it he talked about something I found to be very fascinating - reputation-based security. The idea is that you can set security policies for applications you allow to run not based on some impossible-to-maintain whitelist or blacklist, but based on an application's reputation.

This new method isn’t all-or-nothing blocking like we’ve had in the past. This is a policy-based approach, where the administrator can configure the protection based on their own tolerance for risk. For instance, a government agency could forbid installation of all software that is less than 30 days old, hasn’t been installed by at least one million users, and doesn’t have a good reputation. This policy would guarantee that all software installed would first have to be vetted by literally millions of other users.

On the opposite end of the spectrum, an administrator at a university—where students constantly download all sorts of applications—could have a more lenient policy. For example one that requires new software to have a good reputation and have been previously downloaded by at least 100 users.

Think about it a little like a Zagat restaurant guide. Some people with a high risk tolerance may go eat at the new sushi place based on the recommendation of an acquaintance. Someone that is more risk averse might want to first check out the Zagat guide and wait until the place receives a high food rating before they go try it. But what’s most important is that you choose how daring you want to be when it comes to picking a restaurant. You should be able to make a similar choice when it comes to security.

I think this is really cool and makes a lot of sense. I like the way it balances flexibility with security. I like the way it takes advantage of the crowd to help categorize the safety of an application. It also helps me see how there are very interesting problems and potentially fascinating solutions in the world of security.
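
The policy idea in the keynote excerpt above, sketched as an added example (it is not code from Symantec or from the original post). The record fields, the `evaluate` function and the sample applications are assumptions made for illustration; the thresholds are the ones quoted in the keynote, and missing reputation data is treated as a failure so that unknown software is denied.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AppReputation:
    """What a reputation service might report for one application.

    Hypothetical record: None means the service has no data for that field.
    """
    name: str
    first_seen: Optional[date]
    install_count: Optional[int]
    rating: Optional[str]  # "good", "unknown" or "bad"


@dataclass(frozen=True)
class Policy:
    """Administrator-chosen risk tolerance."""
    name: str
    min_age_days: int
    min_installs: int
    required_rating: str = "good"


# The two policies described in the keynote text.
GOVERNMENT = Policy("government", min_age_days=30, min_installs=1_000_000)
UNIVERSITY = Policy("university", min_age_days=0, min_installs=100)


def evaluate(app: AppReputation, policy: Policy, today: date) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every threshold must be met; missing
    telemetry counts as a failure, so never-seen software is denied."""
    reasons: List[str] = []

    if policy.min_age_days > 0:
        if app.first_seen is None:
            reasons.append("age unknown")
        else:
            age = (today - app.first_seen).days
            if age < policy.min_age_days:
                reasons.append(f"only {age} days old, need {policy.min_age_days}")

    if app.install_count is None:
        reasons.append("install count unknown")
    elif app.install_count < policy.min_installs:
        reasons.append(f"{app.install_count} installs, need {policy.min_installs}")

    if app.rating != policy.required_rating:
        reasons.append(f"rating is {app.rating or 'missing'}, need {policy.required_rating}")

    return (not reasons, reasons)


# Constructed sample data, not real telemetry.
TODAY = date(2009, 4, 24)
SAMPLES = [
    AppReputation("office-suite", date(2008, 1, 15), 5_000_000, "good"),
    AppReputation("campus-tool", date(2009, 4, 10), 450, "good"),
    AppReputation("fresh-download", date(2009, 4, 23), 3, "unknown"),
    AppReputation("never-seen", None, None, None),
]


def decide_all(policy: Policy, today: date = TODAY) -> Dict[str, bool]:
    """Allow/deny decision for every sample application under one policy."""
    return {app.name: evaluate(app, policy, today)[0] for app in SAMPLES}


if __name__ == "__main__":
    for policy in (GOVERNMENT, UNIVERSITY):
        print(f"--- {policy.name} policy ---")
        for app in SAMPLES:
            allowed, reasons = evaluate(app, policy, TODAY)
            verdict = "ALLOW" if allowed else "DENY: " + "; ".join(reasons)
            print(f"{app.name:15} {verdict}")
```

The same four applications get different verdicts under the two policies, which is the "choose your own risk tolerance" point of the keynote: only the thresholds change, not the evaluation logic.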

Security as a service

Now that I'm part of a security company, I've been contemplating this security thing.  As a child of the seventies I notice I have a knee-jerk reaction to see security as a force of totalitarianism and control.  I find myself wanting to 'stick it to the Man.'

But here I am at Symantec, a company that is all about security.  I can either be grimly resistant to the whole focus of the company, or I can examine my attitude and try to find an approach that works for me.

Yes, absolutely, the name "security" can be lipstick onto the pig of extreme, sometimes brutal control and inflexibility.  In the name of security you can make life miserable for people.  But I have to admit, you can't do without security.  It's a part of life.  In Berkeley-speak we call it "healthy boundaries."  If you have healthy boundaries, then you are actually more able to relax and be yourself.  If I think of it that way, my liberal genomes can relax a bit - "oh, healthy boundaries, that's OK."

I've also been remembering my volunteer offering of security at my place of worship in Oakland many years ago.  I remember the stance we tried to have in that role.  We were vigilant, we kept our eyes open, and were prepared to lovingly but firmly escort someone out of the building if they were dangerous or inappropriate.   But most of the time we were Just There.  We didn't have big badges or scowls on our faces.  We just stood there on the corner or at the door welcoming people and watching the world go by.

To me that's Good security - there when you need it, but quietly present when you don't.  It creates a sense of safety and comfort, not one of being hard-armed and constrained.

So, it's a delicate balance you have to play - you don't want to be too loose, and you don't want to be overly firm and harsh.  You need to catch viruses, but you don't want systems to run 10 times slower or exercise absolute control over exactly what applications people can run.  You need to balance risk against cost.  It's really quite a dancing act. 

But most of all, I believe you need to have the right attitude.  If you approach security with a feeling of fear and panic, you tend to make decisions that are likely to be overly dictatorial (see the Bush years as an example).  But if you have an attitude of service, respect, and flexibility, then you are much more likely to find solutions that work for everyone.

So armed with that attitude - an attitude of service and respect - I'm ready to go have some fun at Symantec.  Security as a Service.

Wednesday, April 22, 2009

Dare Obasanjo - AtomPub fades away

Wow, great discussion of the reported demise of AtomPub. I was playing around with AtomPub a while back, and it's true, I've slowly moved over to just using JSON - see CouchDB for example.
The double whammy comes from the fact that although new forms of microcontent have shown up which do encourage the existence of desktop tools ... the services which provide these content types have shunned AtomPub and embraced JSON as the way to expose APIs for rich clients to interact with their content. The primary reason for this is that JSON works well as a protocol for both browser based client apps and desktop apps since it is more compatible with object oriented programming models and the browser security model versus an XML-based document-centric data format.

In my opinion, the growth in popularity of object-centric JSON over document-centric XML as the way to expose APIs on the Web has been the real stake in the heart for the Atom Publishing Protocol.

http://www.25hoursaday.com/weblog/2009/04/18/JoeGregorioOnWhyTheAtomPublishingProtocolAtomPubIsAFailure.aspx

Tuesday, April 21, 2009

More info about in-memory support in Java DB

Knut Anders gives lots of useful details about the new in-memory support in Java DB 10.5. Very simple to use: just specify "memory" in the URL. I love the tip about backing up your in-memory database prior to exiting the application - it's like doing one big checkpoint at the end. So you get both durability (OK, very large-grained durability :)) and speed.

Saturday, April 18, 2009

JavaScript implementation of CouchDB API in the browser

Some very interesting stuff is happening in the browser space. Damien Katz gives a link to this post by Atul Varma about creating an initial implementation of the CouchDB API in JavaScript.

Damien takes this and runs with it, saying that CouchDB is specifically intended to run in the client, and to provide a form of location transparency where your entire application can be running locally or remotely and you really don't know the difference except that perhaps some of your data is stale until you reconnect to the server.
This is the problem that CouchDB is designed to solve. Not just putting your data and apps into the cloud, but onto your laptop, your phone and your local office server. Fully query-able and editable in your browser, your data is available wherever you are, despite network outages, air travel or blocked access.
I like how Damien implies that the cloud doesn't include just servers, but also your own machine - that your client machine is part of the cloud. It's a very different way of thinking about web architectures. I highly recommend you keep an eye on this space.

Friday, April 17, 2009

Cool elevators

Here I am on the twentieth floor overlooking the San Francisco bay and watching the ferry come into the Ferry Building. Pretty posh - I'm trying to enjoy it while I can until we move next week.

But what I wanted to write about was the super cool elevators they have in this building. In most office buildings, during "rush hour" in the morning, at lunch and in the evening you wait and wait for an elevator, and then on the way up/down you hit every single floor.

But these are "smart" elevators. Instead of pressing "Up" or "Down" buttons, what you do instead is press the floor you want to go to. The EPU (Elevator Processing Unit) then does optimal calculations based on who wants to go where, assigns elevators to routes, and then a number flashes to tell you which elevator to take. So for instance this morning we had stops on the 18th, 19th and 20th floors, and that was it. At lunch time I stopped at one other floor before heading to the lobby.

That is just so cool, and now that I think of it, so obvious. I do wish all elevators worked this way...

Thursday, April 16, 2009

Derby 10.5 - in-memory support!

I had lunch today with a bunch of old buddies from Sun, including Rick Hillegas and Francois Orsini from the Java DB/Derby team. They confirmed rumors I had been hearing that 10.5 (currently in release candidate mode) has support for running purely in-memory, and that some operations are running 1000 times faster than on disk.

Why is this interesting? Well, think of the scenario where you need to cache data with your web server instances so that your client requests can access the data they need locally, in-memory. This is a very common need to meet the scalability and performance requirements of web applications.

The problem is, most of the caches out there today are simple key/value hash maps.

What JavaDB in memory gives you is an in-memory cache that gives you all the expressive power of SQL. You can run SQL queries over your cache, or use Hibernate or JPA, rather than being limited to key-based lookup and building your own secondary indexes.

And then there are interesting features such as Java stored procedures and table functions, which I can envision being very powerful and useful in an implementation of an in-memory SQL-based cache.

So take a look at the 10.5 release candidate (or wait until 10.5 releases). It may be just what you need.

Wednesday, April 15, 2009

Back at work

My first day here at work at Symantec.  It's a very Windows-oriented environment, which is something I have to get used to.  I've already downloaded cygwin to help me have some UNIX comfort.  Next step is to install Perforce, get a build, and try to build this puppy.

The view here is spectacular - a view of the bay, Treasure Island, and if I just squint, I can see my house in Berkeley.  However, alas, this is not to last -- in one month (to the day) we'll be heading to the sixth floor of an office building south of Market, and no more view :(

My dev machine - well, it's hot.  8GB of memory, over 2TB of disk space, and a 4-core CPU.  Plus I get a company-issued laptop to take home with me - but not a Mac (wah!).   It's a Dell running Win XP.  So nineties :)

Hopefully I'll be up and running soon, but I may not be able to talk much about what I'm doing.  This is not open source in any shape or form.  We'll see what we shall see...

I got a new coffee mug and my boss brought cookies and invited everyone over to meet me - it's a very friendly, good-natured group.  I'm glad to be here.

Friday, April 10, 2009

Stratocaster · iPhone Upheaval

Rich Sands has a very nice analysis of the mobile market and the impact of the iPhone - particularly on the carriers.
Consumers love it. Developers, and content creators love it. Apple surely loves it. But carriers are rightly spooked, because this new model cuts them out of the content business and accelerates their inevitable slide into the abyss of commoditized, dumb data pipes, where price and low cost are the only things that matter, and margins get razor thin. But the carriers should have seen this coming. No matter how much control carriers exert, if what they deliver is more about their profits than satisfying end-users, they’ll eventually be attacked by someone who understands that consumers have the ultimate power, and that developers and other content creators are the source of most of the value to those consumers. The iPhone was inevitable.

http://rich-sands.com/wordpress/?p=51

Getting ready to go back to work...

I have been "not working" for 2 1/2 months now. It was very hard getting used to when it started. And now I'm finding myself preparing emotionally for going back to work, and relishing the time I have left.

I have been working on an under-the-radar project with a friend of mine, and that's been a lot of fun. If it ever turns into something, I'll let you know. Meanwhile, it's time to get back to paying the bills. I'm looking forward to working with the Symantec team - I really enjoyed interviewing with them and they seem like a very good group of people. But what can you say - no rushing in the morning, hanging out at wireless cafes, no commuting - these things just don't come around every day. Sigh...

Maybe I should write about the emotional stages of going back to work, to match my blog on the emotional stages of being laid off...

Old Jews telling jokes

My friend turned me on to this last night - OMG this is so hilarious.  You just have to watch these.  See http://www.oldjewstellingjokes.com/.  Be warned - these jokes are not PG rated, but that doesn't mean they're not funny.

Synchronized iPhone todo list on the cheap - Address Book

I've been trying to find a good way to have a simple todo list that is editable on the web, on my Mac, and on my iPhone.

I've been looking at the apps coming in to the App Store, but none of them seemed really worth the effort, especially since they don't have anything that works on the web or on my Mac.

I tried Evernote, but the dumb thing doesn't let you edit entries created on the Mac on the iPhone when you're offline (which I am a lot, because I don't have a data plan, just wifi and T-Mobile pay-as-you-go).  It doesn't matter if you "favorite" them, it doesn't work because the Mac-created entries are created with rich text, which can't be overridden (e.g. you can't use simple ASCII text).  There was even a todo list on the market that costs 50 friggin' dollars plus $10 for their iPhone app.  TODO: fuggetaboutit.

But wait: Address Book contacts have a notes field.  And I just found out you can synchronize Address Book with Google Contacts, and that Google Contacts has its own URL so you don't have to go through Gmail.

Problem solved.  I create a contact called Todo, and in the notes field I put all my action items.  I can even categorize if I want multiple todos (Todo-Family, etc.) but I've noticed that becomes too complex and is a good reason for me to slowly stop using it, and that defeats the purpose.

Now I can edit that note in Address Book on my Mac, on my iPhone, and even on the web if need be.  That works for me.

Wednesday, April 01, 2009

Obama’s Ersatz Capitalism - NYTimes

A great piece that lays it on the line. Read this, it explains the new bank "partnership" in clear and gory detail.
Paying fair market values for the assets will not work. Only by overpaying for the assets will the banks be adequately recapitalized. But overpaying for the assets simply shifts the losses to the government. In other words, the Geithner plan works only if and when the taxpayer loses big time.

What the Obama administration is doing is far worse than nationalization: it is ersatz capitalism, the privatizing of gains and the socializing of losses. It is a “partnership” in which one partner robs the other. And such partnerships — with the private sector in control — have perverse incentives, worse even than the ones that got us into the mess.
http://www.nytimes.com/2009/04/01/opinion/01stiglitz.html?_r=1

Tuesday, March 31, 2009

Three wishes

I've been reading a series of great books about djinns with my daughter, and one thing I really like is that the djinn are quite uncomfortable granting three wishes to humans because most of the time they don't work out very well.

So I started thinking, if I had three wishes, what would I wish for? 

But when I started going through possible wishes, I realized that all these wishes seemed off - I found myself feeling kind of "grabby" and small.  Why was this? 

After further thought, what I realized was that the very act of having a wish for something implies that I am dissatisfied and incomplete - it perpetuates a feeling of lack.  So no matter what you wish for, even if you get it, you'll still be dissatisfied and unhappy.  This is one way of understanding Lord Buddha's statement that the root of all suffering is desire.

So, was there anything I could wish for that wouldn't enforce this feeling of lack, that wouldn't create another cycle of dissatisfaction?

There was only one wish, or prayer, that worked for me: the prayer to follow God's will, or if you like to "go with the flow." That wish doesn't carry a feeling of lack. It feels full and complete.

Then I remembered this statement someone told me years ago, by Rabindranath Tagore, a great poet of India:
I slept and dreamt that life was joy. I awoke and saw that life was service. I acted and behold, service was joy.

Friday, March 27, 2009

Job found

Good news - I have found a place to land.  It has been an interesting experience talking to all these different companies and seeing so many different styles and cultures.  There are themes and commonalities, but there are also big differences.

I realized towards the end of this that I would find a job that was probably a near perfect fit, because everybody right now can be so picky.

So, where did I end up?  Well, not necessarily where I expected.  I don't have a big security background and it hasn't been one of my focuses, but I ended up at Symantec, working on their Data Loss Prevention (or DLP) tools.  Think employees losing laptops with medical records, like that.

I'll be one of their senior guys working with what they call "Data At Rest" - data in various storage repositories, be it databases, file shares, wikis, Exchange servers, you name it.  Their tool scans all of these repositories, runs them through a detection engine, and then raises alerts or runs other workflow if something is found.

The group that builds these DLP tools is actually a recent acquisition for Symantec called Vontu.  They appear to be top in this market by quite a large margin.  And this market is continuing to grow, even in these times.  Security has always been an issue, but it's becoming more and more of one as a larger portion of our life starts to go online.

Aside from the technology, what sold me on this team was the way they interviewed.  Yes, they grilled me.  I had to design a data model for a card game and talk about how to implement flow control with it, answer questions about file scanning performance, answer architecture questions, etc.  I even had to give a technical presentation followed by Q&A to the entire team as part of my second round of interviews.

But they were respectful, and friendly.  And they had just as many pointed questions about my work style, how I dealt with conflict, how I liked leading people, my opinions and ideas about development process, and so on.  They obviously cared, a lot, about the quality of a person beyond their technical skills.  This is something that has been important to me too, and has been sorely lacking in many of the "hot" Silicon Valley companies I've been talking to.  Some of these guys are so focused on technical prowess that they completely miss the boat in terms of having a respectful, friendly culture.  It's all grim, O log(N) kind of stuff.

The DLP team is based in San Francisco, and I'll be going in most days.  This is huge.  I was convinced I'd have to commute down to the South Bay (think two hours each way on public transit) every day.  That's just where most of the folks are.

This is also huge because this will be the first time in 9 years that I'll be going into an office every day, and meeting my coworkers face to face every day.  Ever since my daughter was born in 2000 I have been working from home in some capacity or another.  And for the past seven years the teams I have worked with have been in Europe or India.  I was looking at my wardrobe and realizing my clothes are all a bit ratty - I just haven't paid much attention to the presentability of my clothes!  Time to help the economy and do a little shopping...

But I am actually looking forward to going in the office every day.  I have loved working from home, and being there when my kids were at home, having some flexibility to help make Linda's life easier, and just being there to see and understand what Linda's life was like, if only a little.  But Michael's three now, getting ready for preschool, and I'm getting ready to start seeing the people I work with again, hanging out with them, and cracking dumb jokes with them.

This will also be the first time in my entire career where I commute daily beyond the East Bay.  That's a whole routine and way of life I will have to get used to - spending most of my time in a town far from home, and being one of the huddled masses on the BART train every day.  But I like trains, just like my son.  I think I'll be fine.  At least I don't have to drive every day (ugh).

I'll be taking two weeks off to breathe after an intense job search.  I'm spending time with the kids, giving Linda some time off, and then for one week I'm going to do a serious hackathon with a friend on a software idea we've been talking about for a while.  Yes, can you believe it, I'm going to code for my vacation.  But this is cool stuff, and what can I say, I'm a geek.  I've been having to shove this into what little extra time I have, so it's a real treat to dig down and code straight, if only for a week.  If anything ultimately comes of it, I'll be sure to let you know.  But even if it doesn't, I'm going to be having fun and learning a lot.

So, I am very grateful.  Let me tell you, this is no time to be looking for a job.  For all of you out there still looking, I'm thinking of you - we're all thinking of you.

Wednesday, March 25, 2009

Balsamiq Mockups

A friend of mine was raving about this tool called Balsamiq for quickly creating application UI mockups.

http://www.balsamiq.com/products/mockups/tour

Monday, March 23, 2009

Gregor Hohpe describes asynchronous design using Starbucks

Gregor Hohpe has a wonderful article in IEEE Software Design Magazine called Your Coffee Shop Doesn't Use Two-Phase Commit (PDF).

In the article Gregor describes asynchronous messaging design and error handling by comparing it to how drink orders are handled at Starbucks.
What does Starbucks do if they’ve already placed your drink order into the queue and it turns out you can't pay? They either pull your cup from the queue or toss the drink if it has already been made. Likewise, if they deliver a drink that's incorrect or unsatisfactory, they remake it. If the machine breaks down and they can't make your drink, they refund your money. Each of these scenarios describes a different but common error-handling strategy for loosely coupled systems

So cool. This often happens to me - I am thinking about a "mundane" process such as how families work or why freeways get jammed up and I see how it applies to systems design.

Gregor does a fantastic job of this, helping you understand what may be fairly complex concepts very easily by imagining yourself at Starbucks. Definitely a good read.

Friday, March 20, 2009

Where was Joseph when we needed him?

My eight-year old daughter's class just put on a play about Joseph (the one with the many-colored coat). I had never heard the story before (I was raised by devout atheists). It was fascinating. Lots to think about and discuss.

But one thing seemed particularly relevant. Joseph could interpret dreams, and he saw that the Pharaoh's dreams signified seven years of plenty followed by seven years of drought, and he convinced the Pharaoh to put aside one fifth of the harvest every year during the years of plenty, and in this way the Pharaoh was able to feed not only his people but the Hebrews as well.

Arnold Schwarzenegger is currently proposing a spending cap, taking it to the ballot this summer. The idea is that, even in years of plenty, the state only spends so much money. Any surplus is kept in a "rainy day fund" and can be used in years of drought. Sounds familiar...

I wish we had had more prudence during our last phase of plenty, perhaps we wouldn't be in such a mess as we are now...

Wednesday, March 18, 2009

Sun gets behind clouds, may be Eclipsed - thoughts from an ex-employee

I've been ruminating about Sun today, given a series of seemingly unrelated blogs and news items.

First of all, Closer To The Ideal commented how Sun hasn't seemed to make any headway with Java FX in the last two years.  Tell me about it.

I remember when Rich Green did the Big Splash announcement for Java FX at Java One two years ago - I just groaned.  It was basically an "if you announce it they will come" strategy as far as I could tell - there was no there there.  The technology for the most part had not been built.  It was an announcement of an unrealized vision, not an actual working product.  And meanwhile there were not one but two competing solutions - Flex and Silverlight - from two of the best consumer software companies in the business.  Things did not look good - and still don't.

What made this whole Java FX thing really grating to me was that we as a company had to pull out all stops to get this thing to actually happen, since our VP of all software had put his reputation on the line by announcing it.  They pulled the best and the brightest from the NetBeans and Java Swing teams to work on Java FX.  They pulled our UI design resources.  They pulled our QA resources. And now NetBeans was working on life support, and JavaFX struggled along, and continues to struggle along.

The other announcement - Sun is going to provide a cloud offering.  OK, so let's remember Way Back to about five years ago, Jonathan was announcing this grand vision of selling CPU for $1 a CPU-minute.  This was the beginning of Sun's Grid effort.  This project ground along for year after year, having (IMHO) completely the wrong focus - focusing on HPC and batch-oriented processing instead of making it easy to host my application on their infrastructure.  Meanwhile Amazon takes the world by storm.  Sigh...

So now Sun finally announces a move into the real cloud, one that people care about.  But at this point they are way behind their competitors.  What makes them different from Amazon, or IBM, or HP?  Oh, I see, it's "REST-based" and it is with an open license.  Ho-hum...

I really like Sun, and liked working for them.  They have some great technology (Solaris, Java, ZFS, DTrace, Thumper, Glassfish, NetBeans), they have contributed enormously to the community, and are one of the most ethical and respectful companies I have worked for. 

But Sun has had this amazing ability to thrash for a very long time on large and ultimately doomed projects (remember N1?), and they just haven't been able to turn the corner and really reinvent themselves.  I think many of us have been rooting for them for a long time. But I'm losing faith.   No it's not that I'm bitter.  I just have been around the block a few too many times with new strategies and not seeing any of them really get any traction.  The recession has not helped - but hey, IBM is doing just fine, thank you, so somebody out there knows how to run a business.

Ah, IBM.   When I heard that IBM may be buying Sun - now that was interesting.  And it reminded me I had better start learning Eclipse...