First of all, we're told that Manning simply took rewriteable Lady Gaga DVDs to work, copied text files to them, and walked them out for eventual file re-assembly and transfer to wikileaks.

If the server(s) involved ran one of the Unix or zOS derived OSes cleared for use in secure environments access logs would have been created automatically - and at least in the case of zOS or Solaris alarms sent to the duty officer responsible for data center operations within a few seconds of the first byte being written to a detachable storage device.

Further, had he done this using a USB or DVD drive connected to a Sun Ray served from Solaris, that officer could have replaced or erased the file before the device could be dismounted.

In both cases, furthermore, software that looks for patterns in file accesses comes with the security upgrades - meaning that repeated accesses neyond his need to know would assuredly have triggered security interest.

It's also possible that he used a PC accessing one or more Wintel servers. While I regard allowing wintel on a secure system as demonstrating both incompetence and negligence, some people argue that the cost/benefit trade-off in doing it is acceptable and have thereby created a market for software intended to mitigate the more obvious risks.

The bottom line is that no matter the technology he had to have help to pull this off - although whether that assistance was intentional or simple gross negligence by many people concurrently isn't clear.

And there's a corollary here, I think, for those of us who work in civilian IT - because an Oracle case study on this could sell a lot of gear, software, and support to lawyers and others handling customer confidential information simply by pointing out that the logging software is standard on Solaris, alerting scripts are trivial, and the connection of external devices like USB drives to Sun Rays need not be allowed for most users.

The second thing that's not right about the wikileaks story is content related: in both rounds much of what came out was already known; became politically damaging only because the journolist community choose to notice; isn't a threat to national security; doesn't expose many good guys - defined as people working for the security and defense of the United States - to hazard; trails irresistible information in front of their opponents; and, exposes a lot of foggy bottom thinking to public ridicule.

Both leaks also managed to expose a lot of hypocrisy: The New York Times, for example, refused to publish the climategate letters exposing some of the global warming fraudsters on the grounds that the material had been stolen from University servers, but immediately published material believed stolen from American DoD servers - presumably because community rejoicing in the pentagon papers episode halos Assange as a kind of folk hero for their side of the political debate.

Both leaks also lend support to Bush era policies - from comments on WMD found in Iraq to background on activities in and by Iran and North Korea, there's a lot in both rounds to prevent future historians from taking the NYT/Economist axis seriously as a source of factual information.

All of which leads to a moral dilemma: I cannot condone leaking classified material even if that classification is often inappropriate and being misused to shield the guilty - but I've worked in secure environments and simply don't believe even wintel style pretend security could have let this happen undetected and undeterred; overall rather like the results; and keep thinking that Sun Tse might, were he alive today, see something deeply honorable in the risks taken, and the obstacles overcome, in making this happen.

There's something not right about the story behind the wikileaks documents.

appears in a web document. Right now google shows no hits on the quoted text. Tomorrow this request should, of ocurse, show up but the test will start when my blog for December 4th is released to zdnet at 12:15 AM PST this Saturday.

If you can help please email me or add the following in a comment on that blog entry:

• which tool or tools you used;

• what time your notification arrived; and,

• whether you are in the United States or elsewhere.

I'd also like to know if you set an alert and get no notification on the Saturday.

Thanks - and I'll explain why I'm asking in a subsequent post.

Since the attempted terror attack on board a US airplane last Christmas day, airport authorities around the world are in a race to find novel solutions to fight terror. Israeli strategic and technical tactics feature high on their lists. What's the secret to the country's success in keeping Ben Gurion Airport terror free?

"Israel concentrates on the passengers and not their luggage so we have a real edge over the rest of the world in protecting travelers," says Rafi Sela, a top security consultant and former chief security officer at the Israel Airport Authority. "This is in addition to us protecting the whole airport, while the others merely try to achieve aviation security," he tells ISRAEL21c.

Sela, who advises governments and airport authorities all over the world, has become the leading figure advocating Israel's unique approach to airport security in the past six years.

Through his company AR Challenges, he uses approaches and technology services rooted in Israeli innovation to try to help his clients stay one-step ahead of potential terrorists. The global transportation security consultancy, of which he is president, works with high profile clients including Canada's RCMP, the US Navy Seals and airports around the world.

Making use of homegrown technologies, some of them developed by whiz-kids in the Israel Defense Forces (IDF) Intelligence Corps 8200 army unit, Sela believes that Israel's strength in airport security is because it boasts near-invisible protective 'rings' of security around the airport and passengers.

Most airports around the world often lack measures as basic as video surveillance, he explains. "The airports are so concentrated on finding your bottles of water and perfumes that they don't even look at you," says Sela. "The security personnel forget that they are in the business of looking for terrorists."

At Ben Gurion Airport you can take a coffee on board. According to Sela, airport security personnel don't care what you take on the plane. "The security in Israel checks you as a passenger, and not the luggage. If you are cleared as a person then who cares what you bring on the plane with you?"

With that context in mind, I want to repeat much of what I said in this space on December 12th and 13th, 2005:

Bad guy detectors and ID - from Dec 12/05/

Do you know who Deborah Davis is?

Think a possible Rosa Parks for the Patriot Act era - here's the 411 from a supporter web site:

One morning in late September 2005, Deb was riding the public bus to work. She was minding her own business, reading a book and planning for work, when a security guard got on this public bus and demanded that every passenger show their ID. Deb, having done nothing wrong, declined. The guard called in federal cops, and she was arrested and charged with federal criminal misdemeanors after refusing to show ID on demand.

The bus was crossing through the Denver Federal center at the time, and three months later the US attorney in Denver announced a decision not to prosecute, but you can see that what really happened here was a collision between individual rights and government's reflexive belief in identification.

A thousand years ago people in western Europe were identified either as members of noble families or by members of noble families - and that's still fundamentally how it's done in places like Cuba, Vietnam, and Communist China. Even in democracies like Canada, however, we have remenants of that approach: to get a passport, for example, a Canadian has to be vouched for by three qualified professionals - doctors, lawyers, or priests.

In general, however, western governments have been handing the identification job over to computers - that is, to us IT grunts.

Here's the opening paragraph from a report by John Lettice, on the theregister headlined "EU ministers approve biometric ID, fingerprint data sharing"

The European biometric ID card takes another step forward this week, with the European Justice and Home Affairs Council set to approve "minimum security standards" for national ID cards. Alongside this the Council will be roadmapping the rollout of Europe's biometric visa system, which will contain the fingerprints of 70 million people within the next few years, and hearing European Commission proposals for greater sharing of fingerprint data.

There are two very different sets of issues here: the first involving effectiveness and the second human rights.

In thinking about effectiveness, consider that effectiveness comes in two forms. As perfected in East Germany the "Papieren, Bitte" smirk is part of an intimidation policy that really doesn't have anything to do with identification, but that's not what happened in Denver. There the cops barely glanced at identification documents produced by people who choose to comply because the cops really didn't care who these people were - they cared about the response they got when they asked for identification because they hoped that would help them separate the good guys from the bad guys.

Basically what's going on there is that the individual cop has to deal with large numbers of people he doesn't know anything about, and so asking for identification allows him to assess whether the individual confronted exhibits unusual hesitation or other odd behavior -and they have to ask people obviously not guilty of anything because not doing so gives people who are selected for questioning both an excuse not to co-operate and a defence if caught out.

If we set aside the ethical issues so we can concentrate on the technological ones we can see that what's wanted is a kind of social memory: an electronic prostheses making up for the fact that we live in a big world in which the cop probably didn't grow up with all the people he comes in contact with and therefore doesn't know them. In this context the identification document acts as an index to a life history access to which is intended to give the cop a fair chance of knowing enough about the people he's dealing with to separate the good guys from the bad guys.

Notice that this is contextual: you can be the worst kind of street scum or corporate criminal and still have every right to use public transit or get a hamburger at an airport kiosk. In the United States at least, the police can't wander around randomly accosting people on the street to arrest those with unpaid parking tickets or other public malfeasence on their records.

It's the elision (cutting out) of this contextual component in the issue of identification that's at the heart of the design mistakes governments everywhere are making as they embark on national id card schemes. Basically, they're asking everyone to carry an identification card that can be used, on demand, as an index to a life history when all they really need, and all they should get, is a token that lets the cop on the street make the good guy / bad guy call in context and provides no other information.

Nobody's proposing anything like this, and the reason is clear: the bureaucrats know with certainty that they need identification -because that's the only thing they've ever had, and no-one's told them that alternatives exist. The big consulting companies, people like Accenture, EDS, and IBM, are trapped too: they can only respond to an RFI (request for information) on national identification systems with proposals on national identification systems.

In other words this is a closed loop that repeats its mistakes until change is forced on it from outside. That force has to come from the politicians: who have to sell this stuff to the public: show them that sensible alternatives exist, let internal presure for change build from a few expensive failures, and change might have a chance.

The failure process is well underway already. Every major western government has embarked on a national identity card scheme of some kind - and the same people who brought us Canada's two billion dollar gun registery, who can't get the IRS into the ninties, and who blew a few hundred million pounds on the latest failed child welfare information system in the UK, are profitably deploying their usual expertise to take these solutions to new heights.

Meanwhile, of course, Ms. Davis was absolutely right and by the time governments get their national ID cards issued, you can expect her right to refuse to be widely supported in case law - at least in the United States and possibly in the UK.

So what's coming is a collision between an immoveable object (government's tendency to demand identification) and an irresistible force: human rights, into which it should be possible to slip a perceptional change about what's really needed and so get an alternative accepted.

Starting tomorrow I want to talk about how that could be made to work; meanwhile consider that we're the guys caught in the middle - the IT grunts about to receive impossible, and objectionable, marching orders we'll be expected to dog trot around a very large pile of taxpayer money and human rights issues.

National ID - tokens and processes (Dec 13/05)

A national id system that met legitimate law enforcement and defence objectives without compromising human rights would have to have three parts:

1. a "good guy" indicator or token together with a reader technology.

2. a separately verifiable authentication mechanism for the token itself - is it, not the information it conveys, legitimate and is the person holding it the person to whom it was issued?

3. a trustable backend, including issuance and updating processes, for the information conveyed by the token.

Ethical issues aside, making this happen is mostly about process and perception - and only a little bit about technology.

Such a token would have to be small -initially perhaps configured as a card, later possibly as a jewelry or watch component, and finally perhaps as a subcutaneous implant.

The token would have to respond to queries with a simple "Yes/No" response conveying no information beyond contextual legitimacy. Is this person a licensed driver? prohibited within 100 feet of playgrounds? known to be a non criminal citizen of Canada? Authorized to charge some amount to a particular Visa account?

I'm not aware that good candidate token technologies exist yet, but the foundations are certainly there. Nearly eight years ago "Safetyjet" needed iron-clad identification for crew members -and got that by combining a process based on having crew members vouch for each other with one based on a java card that only worked when held by the person it was issued to. That card used a fingerprint and the supplier failed to deliver the body temperture sensor they promised with it, but the basic card is now commercially available and one based on DNA matching isn't that far off.

A card that responds differently to different queries using either infrared or one of the near field methods doesn't exist yet either, but only because no-one's asked for it. The basic Unix ports technology is a natural fit for this kind of multi-layer with access for people with publically mandated information needs - whether bartenders or police officers, they would get the information they need, and nothing more.

YOu'd expect multi-port query gear to appear, of course, but official use can be controlled through well understood legal and organizational processes and there will be little or no value to unofficial use.

Token authentication is needed, but can be managed via something like RSA digital signatures - not impossible to forge, but so difficult as to be fundamentally out of reach for the bad guys, even if they are governments.

Basically the token has to answer three questions: is the token itself real? is the person offering it the person to whom it applies? and, is the person a good guy or a possible bad guy in the present context?

The technologies needed for the first two don't really exist yet, but obvious predecessors do, so how about the backend?

Envision updates to the token happening as "endorsements" and you don't need significant change in existing organizational structures for data management. The passport office, for example, would issue passport equivelency endorsements, motor vehicle departments and courts would handle endorsements for driving related purposes, and so on.

Compared to the national ID schemes being proposed, that's minor change with the only new organizational elements needed those involved in issuing and controlling the tokens themselves and a big potential payoff in cost reduction eleswhere in government as identification cards are made obsolete.

In the intervening five years:

1. No government has rethought the issue

2. Every major government effort to develop a unified citizen ID card has failed - and every such failure has been rooted, not in citizen or judicial pushback, but in data processing failure. Basically government's inability to make the system work has created the delays, the costs, and the weaknesses that have allowed those opposed to implementation to claim partial victories in terms of program cancellations, program delays, delayed or altered program rebirths, and weakened political support.

3. the security problems these efforts were supposed to address have gotten worse; and,

4. more easily implemented (read: non IT) solutions have proven more expensive, more intrusive, and less effective, than expected.

And, of course, everything that was marginally do-able in terms of making a simple good guy card work in 2005 is much more easily do-able today.

In many ways what's happened is a kind of good news - bad news scenario: on the positive side having bureaucrats spending billions trying to use early twentieth century methods to implement nineteenth century solutions has nicely prevented progress in the wrong direction - but money has momentum, and what seems most likely to come out of the present TSA brohaha is more billion dollar spending on whatever intrusive ID card projects various bureaucracies are selling the political level as sure to work, guaranteed, nothing to it, just write the check already.

What's going on is a confluence of stupid: what the data processing community has learnt from fifty years of failure is how to make money from it, the senior bureaucracy has no idea alternatives exist, politicians equate spending with positive action, and no one's publically making the case that a simple good guy card would be both cheap and effective while preserving basic human rights and freedoms.

All of which leads to a prediction: as payment, membership, and ID come together in multiple wireless technologies we'll see the good guy card idea evolve on its own - with government left behind as it spends both money and individual freedom on the laughably out of date and out of touch.

The one thing I was able to point out to him, and that I now want to spread a bit more widely, is the perception that cryptology is becoming significantly more important -and that Oracle's Sun CMT gear has some serious advantages over its competition, including the more traditional SPARC and Power gear, in this area.

Sun blogger Joerg Moellenkamp offers a clear summary on how Intel's approach to hardware cryptographic support differs from Sun's:

Intel

The AES-NI stuff is an extension to the x86 instruction set, that implements some of the important steps in hardware needed by AES ... and it just accelerates AES. Those instructions are an extension to the instructions not unlike SSE for example. So they are part of the normal flow of instructions in the pipeline. It's not a cryptographic coprocessor, it's the usual approach in x86 to extend the instruction set as needed and to use the normal cores for this tasks. It doesn't accelerate hashing and it doesn't accelerate public key cryptography. It's really just for the symmetric ciphers in the AES realm.

SPARC T3

The T3 implements cryptography in the form of cryptographic coprocessors. Each core provides one coprocessor. So a T3 has 16 cryptographic units. This accelerator is controlled by control words written into memory, it takes data from memory and writes it to another location - encrypted or decrypted depending on the direction you took. From the main processors perspective controlling the crypto unit is nothing more than some store instructions. From that point the crypto accelerators work in parallel at the clock speed of the processor. The core can work on something else while the crypto coprocessor is doing its work. That's why marketing has called this zero-cost cryptography - not only because the crypto accelerators are part of the CPU, but because they are integrated in a lightweight way working without using resources of the residual core.

In a footnote he provides, furthermore, a a particularly valuable reference and link to a 2009 Hotchips presentation on the "rainbow falls" cryptology co-processors done by Lawrence Spracklen that's well worth reading - and, if you want to see how Spracklen's predictions worked out in the hardware the Sun performance reporting blog compares cryptology throughput between the T2+ and T3 lines.

Unfortunately what that particular report illustrates rather better than the effects of the hardware change, is the lag between hardware change and matching software/skills change - and this is something you have to watch out for too. Hardware isn't magic: hardware can enable, but without the skills and software needed, your expensive new tools won't be magical, they'll just be expensive.

Oddly, there's another very recent report on the performance blog where this is a bit clearer: one trumpeting the joys of using SPARC to replace Lintel. Here's their summary:

One of Oracle's SPARC T3-2 servers was able to consolidate the database workloads off of thirty older x86 servers in a secure virtualized environment.

Thus their goal seems to have been to show people looking at racks of two and three year old servers that alternatives exist to just ordering replacement PCs - unfortunately they had to run the lintels at 10% utilization to get the result they wanted and that makes the story rather less than compelling for people who can divide 30 by 10.

I think the reason this happened to them, and thus the reason they couldn't max out those 30 lintels on I/O to make the case for real, was that they wanted to show a 1:1 mapping from lintel servers to Solaris containers - and because that falls afoul of the rule that the stronger you make the virtualization boundaries the less efficient the machine gets, they initially maxed out at somewhere around 5% utilization and then doubled that by using limited processor pools to cheat a little bit.

In effect they crippled their own demonstration by assuming that the customer would rather do something stupid than change - and, really, that's what Intel is doing with their 7 AES instructions too: assuming that customer intellectual inertia will force sales despite the disadvantages of doing things the 80s way.

But as we move into a world in which storage cryptology becomes an audit checkmark and https becomes "de rigueur" for just about everything web, more and more larger IT customers are going to have internal voices whispering about the advantages of ZFS, on board cryptology co-processors, and the use of Solaris to avoid PC style virtualization.

Basically, the cost of refusing to adopt better technologies is about to go up again - so my bottom line advice to the guy I don't know from the company I don't know was simple: bet on the world getting smarter, and consider the role cryptology seems likely to play in your life before today's new boxes hit retirement age.

As regular readers know I'm a big fan of the tea party and deeply concerned that the people in control of the Democratic party prior to the recent election hate everything good America has stood for over the years. Now, things are looking up: Pelosi is out; Obama arguably headed for impeachment and removal; there's a sane majority in the house committed to curbing the worst excesses; enough balance in the senate to prevent more hyperpartisan judicial appointments and anti-science adventures like carbon taxes; and the Obamacon's net neutrality proposals are never going to make it through the house.

Basically, the American constitutional system of checks and balances has been restored, sane democrats have a chance to take their party back, and only things holding back recovery are the debt and policy hangovers from four years of Pelosi -two of them unchecked in the Senate or Whitehouse.

These are huge problems requiring principled and courageous solutions - but if the new majority in Washington gives the Federal Reserve enough cover from Whitehouse pressure to stop the QE2 attack on the currency, we should see confidence recover and the recent minor jobs recovery, now fueled by holiday retailing and electoral anticipation, turn into something much more real and lasting.

If this happens I'm predicting a kind of bull whip effect on private sector IT employment - specifically

1. that, outside state and local agencies where cutbacks will drive rapid change, we'll see an explosion in obsolete technology hiring as many employers hit the limits of what existing staff can do with the technology they've maintained during the recession. Basically, what these guys are going to do is respond to the uncertainty still present in the political scene by hiring people they can easily lay off if prospects for 2012 start to dim.

    

2. but that growing confidence and a few examples of public sector success in doing more with less, will gradually lead to a boom in replacement technology buying - all of it needing need fewer, but better qualified, IT people per revenue dollar.

Now if this happens, and of course nothing in politics is ever a sure thing, the newly rehired will be at a natural disadvantage in terms of keeping their jobs during the rethinking and re-architecting stage that has to follow.

Hence this bit of advice: watch the American political scene and their national economic numbers: if you see the bull whip cracking, don't just take advantage of the new dollars coming your way to buy a new car or 3D TV: invest heavily in personal growth. Become an expert in whatever your users care about; dig deep into any non buzzy technology - particularly HTML5, Unix, Appliance/Smart display computing, and large scale bundled applications - you find interesting; and, above all, use your job to push your own boundaries on taking responsibility for user service.

Basically the bottom line on the bull whip is the usual one: many people hired in response to an incomplete economic signal, followed - either way - by a rapid winnowing process: one in which the winners will be the people best prepared to meet the new opportunities half way.

Not liking that idea/concept at all to be frank....

Not big on "Cloud" either. What both concepts seem to make a computer device as little more than a dumb terminal and all the real power is in the hands of some other enterprise in some unknown location. To big brother for me and destroys the whole "personal" empowering part of owning a computer. It's basically the return of the pre PC day where all the power was in IBM's hand and all you had in front of you was a terminal to the main frame. In the end what's to stop these companies from treating us and charging us like the cable companies do today? We give them control they will use it over us.

To which I responded,

Control issue

I agree with you about the control (and implicitly the security issues) association with cloud computing -and also about one of the key problems with data processing: centralized control.

However, Unix enables enterprises to build systems that are centrally run, but locally managed - not something that's practical in either the zOS or Wintel worlds.

As I've said many times, Unix makes it possible to do IT right or wrong - most people choose wrong, largely because that's what data processing and wintel have taught them to do, but you don't have to do things their way.

and he said:

Maybe practical for the "enterprise" but NOT for the

individual which is my point. PC's are suppose to empower the individual not place them under the clouds thumb.

To which I responded:

That's an interesting question

Does the PC empower individuals?

I'd argue that it clearly does not at work where the DP mindset rules and users have no ability to influence what's on their PCs or how they're used.

For most (non programmer/hobbyists) I could argue that the home PC means:

1- no choice on network connectivity
2 -no choice on who to buy software from
3 -no choice on what the hw looks like (differs in brand name and minor details only: all made by the same people in the same places using the same parts)
4 -no choice on whether to buy upgrades (some minor choice on when)
5 -only one or two choices only for search, archiving, cloud services, other software

Doesn't sound too empowering to me.. ?

It is an interesting question. Obviously there are edge cases - even corporate PC use has produced some genuine personal success stories - but in the main I'd argue that the corporate PC has empowered some of the people selling it, but only at great cost to the people and businesses buying it.

The problem here, of course, is a lack of solid evidence: to my knowledge no one has seriously compared the organizational impact of multiple IT architectures and even just assessing the productivity consequences of user device choices has been taboo since the early ninties - when multiple journolist inspired consultancies declared user productivity questions uninteresting while chorusing in leg tingling excitement over NT's ability to outsell the Mac.

But we've had the PC for more than twenty years now and exactly none of the really empowering technology breakthroughs, from handhelds to web servers and open source, have come from the wintel community - so where's the evidence for PC empowerment?

Clearly, the wintel PC has been a huge financial success for a few sellers, but the overwhelming majority of corporate users will, if asked outside the boss's hearing, give it no more than a lukewarm endorsement as probably better than 70s alternatives like the System 34 or 327X terminal systems, but then characterize it as an unreliable, expensive, intrusive, and unwelcome mechanism for the exertion of management control over users.

At the same time, however, every larger business I've seen has at least a few people who enthusiastically embrace the PC - and will fight you to the death if you try to reduce the control the PC gives them over their jobs. These people seem to feel empowered by the PC - and some, I assume, legitimately so, but most, at least in my experience, are self deluded. What I see, in fact, is that the pretend geek in accounting who's spent much of his professional life defending some unauditable lotus or dbase contraption from IT and the aging but amiable support drone who's progressed from doing reboots and reloads to ordering reboots and reloads, have both embraced the Wintel tarbaby and become victims - losing life, change, and opportunities for personal growth to the PC in just the same way the people we addict to drugs or welfare do.

But maybe the PC has been kinder to the home user? Remember the Marlboro man ads? I imagine that somebody really did once ride off into the golden glow of a Shenandoah valley sunset while smoking one of those things, but a rather larger number have died coughing their lungs out. For many home users, that's the PC experience - scratch the average home user and you'll get an apology for having a PC that's failing, falling behind, or messed up. Why? because people generally believe this stuff works for others and so blame themselves for problems arising from poor design, poor execution, and an unrelenting upgrade cycle aimed at extracting maximum revenues from the customer.

For most people the bottom line on home PC use is that it's conventionally necessary, but the disjunct between the public hype on the wonderfulness of it all and the reality of a machine requiring continual attention, and always more money, to mostly do most of what it's supposed to most of the time doesn't leave many feeling empowered; it leaves them feeling trapped, insecure, and inadequate.

And then, of course, there's the empowering world of DIY wintel: "build your own box! save money while learning" - that's the cry, but it's as delusional as the idea that the FBI, NASA, and DoD can't keep their PCs updated and secure but joe average home user can. Thus the reality on DIY wintel is simple: what you can learn from plugging PC components together is how to plug them together - and what you can learn from the fact that a $39.95 blender from Walmart contains over $300 worth of parts is that you shouldn't believe websites offering Intel's W3540 processor for $59.95, including shipping and handling, are really sending you the same product Intel sells assemblers at $562,000 per thousand.

The usual counter to all this is that the PC is ubiquitous and usage therefore empowering because home PC use is essential to both career and academic success.

Logically, of course, something that's ubiquitous can't confer individual competitive advantage but this is, in reality, just a bullying tactic no different in kind from any other form of group pressure aimed at enforcing compliance with a perceived majority position - and correspondingly transparent to anyone willing to see the emperor naked.

Consider, for example, how this has played out over the last twenty-five or so years: all those 80s and 90s kids who struggled with MS-DOS, Windows 3.X, and then Windows 95 instead of BSD, SunView, and MacOS because PC skills were going to be foundational to their future success? are now trying to puzzle out smart phones and iPads running Unix based OSes, GUIs, and applications descended from BSD, SunView, and MacOS.

Today's MS-DOS sells as Windows 7, but it's just just more of the same: there's no long term advantage to working with any of this stuff at home or in school unless your competitors are forever restricted to Vista. Think of it this way: 7 is surely better than XP, but the enthusiastic response the people who keep Cuba's fleet of pre 59 Chevys going would surely give a 63 Belair is no reason to think it the right choice for winter commuting in Minnesota.

So what's the bottom line on PC empowerment? In an absolute sense it may be better than nothing, but the only part of the sales pitch surviving even the most cursory investigation is the idea that you can use it as an educational tool - either as the most expensive and least reliable "cloud client" there is, or by replacing Windows with a BSD or Linux so you can learn how OS and applications code really can and does work.

Right Jim?

The headline lessons he sees as learnt from the pilot are:

1. People want the iPad 3G cellular version

2. Coding for the iPad's fairly easy (compared with the iPhone)

3. It's about marketing, and sharing in the Apple glow

4. People want to close the deal: Signatures

5. People want to print from the iPad

6. People don't need a keyboard

7. This is only the start

but to understand them in context you'll need to read his full article.

Implicit in most IT pilot projects of this kind is the assumption that if you hand the user something new and useful, that user will find ways to make it work within, or around, the rest of the infrastructure - and the usual unstated corollary is that the less proprietary and restrictive your infrastructure, the greater the flexibility it offers users in doing this and so the less disruptive the change process is to the IT organization.

Thus the most interesting thing I see in Murphy's report is that the reason the iPad amounts to a disruptive, rather than additive, technology for this company is that its flexibility contradicts assumptions built into their existing backend applications and processes. Specifically, focusing the pilot around a single, and quite narrow, application suggests that the company's IT thinking and architecture is tightly silo-ed -and therefore that both the limitations on the pilot and the changes they had to make in the pilot application reflect the constraints their view of how IT works put on the company's ability to benefit from user focused innovation.

Consider, for example, their discovery that it wasn't hard to make an application written for IE work with Safari - sounds good, right? well, except that had the application environment been any competent variation on LAMP/SAMP no adaptation would have been necessary and comments like this (quoting from the story):

The company can't yet track whether salespeople are accessing MB Advantage via PC or iPad; it expects to have that capability by November.

would be exceedingly difficult to explain.

More subtly, the story points at the conflict between user and IT views of what's good for the company - even linking to another story quoting Steve Jobs as saying:

What I love about the consumer market that I always hated about the enterprise market is that we come up with a product, we try to tell everybody about it, and every person votes for themselves. They go yes or no. And if enough of them say yes, we get to come to work tomorrow. You know? That's how it works. It's really simple. That's why in the enterprise market it's not so simple. The people that use the products don't decide for themselves. And the people that make those decisions sometimes are confused. We love just trying to make the best product in the world for people, and having them tell us by how they vote with their wallets whether we're on track or not.

Job's use of "confused" here, reflects, I think, his audience and context - less constrained usage would feature terms like "arrogant", "self-interested", "closed minded", "luddite" and "uninformed" to reflect user frustration with IT decisions made on value to IT, not value to users.

Look closely, for example, at this bit from the discussion of lesson "7: This is only the start"

The company isn't sure what its next step in mobility will be, but dealers are likely to push the iPad's use, now that they have it in hand. Already, one Mercedes dealer uses a remote-access app to let a salesperson access his or her desktop via the iPad. It's easy to see how salespeople might use a tool for checking vehicle inventory while on the lot, for example. "This is the start of looking into what [dealers] could do with the tablet PC," Kanzleiter says.

What I see here is classic blinkered IT thinking: in reality, the iPad isn't a tablet PC and every MB sales person getting one is going to want the applications they use moved to the servers - and that desktop PC sent to the landfill.

As Murphy says, iDevices are coming to the enterprise whether IT wants them to or not, but what he doesn't say - presumably in deference to his advertisers - is that what's coming with them is the end of the client-server era as users push IT to adopt the Sun/NCD network computing model in which the display is just a front end for data and applications across the network.

So what's the bottom line? simple really: iDevices are facing enterprise IT management with the same choice the tea parties have set for American Republicans: get on board, or get run over.

It now appears likely that the coming American mid term elections will hand control of both houses of Congress to people who are strongly motivated to reverse policies whose effects they see as creating and extending the current depression while weakening and degrading the American idea. What is less obvious is that the effect the changes they make have on the economy depends a lot on the degree to which they're able to convince the smaller players whose collective decisions determine American prosperity that the change in direction is stable, longer term, and "for real" - what they'll have to do to really succeed, in other words, is get people to believe that the 2012 election results will uphold and extend the renewed commitment to democracy, the rule of law, and American exceptionalism represented by tea party candidates today.

I'm sure, Mr. Ellison, that you have many opportunities, both as an individual and as the leader of your company, to contribute to your country; but I'd cheerfully bet thousands of my own dollars that none exceed in scope and significance the opportunities you have in helping clean up voting fraud and the consequent electoral and economic uncertainties across your country and around the world.

Patriotism, not party loyalty, counts here

I'm Canadian; but if I were American, I'd be a Republican and a tea partier - so of course I write from that viewpoint. In this case, however, it shouldn't matter: Republicans believe that Democrats cheat, and Democrats reflexively accuse Republicans of it - but this blog isn't about who cheats most: it's about using Oracle's technology to reduce the cost of elections while ensuring that all legitimate voters are fairly and accurately represented in the outcomes.

There's a hidden message here too: IT management is not about technology - it's about what you can do with it and for whom.

Obviously the actual processes of getting the solutions sold and then making them all work across thousands of affected governing bodies - at the state, territory, agency, municipal, county, and school levels - are going to be seriously non trivial; but the core ideas are almost trivial in their simplicity and straightforwardness.

The goal is a single system - parts of which can be used independently at any time to handle voting on state or local issues but which, in operation during national elections, uses an Apache/DB style application presented via Sun Rays installed in schools and offices to collect the vote at local, state, and national levels: all in near real time, all with clear auditability, and all at a few percent of today's cost of running elections at similar scales.

Sun Ray is not a client -thin or otherwise

This idea stands on two techno-facts: Sun Ray is not a client. There is no program execution on the Sun Ray and so no opportunity to falsify its operation. An expert called into court to testify on the security of any locally programmable voting device, no matter how cleverly designed, has to say "Yes" when asked whether it is theoretically possible to make the thing cheat - and "no" when asked the same question about a Sun Ray. Basically, electoral officials have to secure a few servers in controlled environments, not thousands of voting devices spread across hundreds of polling stations and managed by people who break them out of warehouses for a few days once every two years. the server based nature of the voting application breaks the link between voter and polling place. Thus most absentee/advance voting will disappear, and someone posted to outer timbucktoo can vote at the local PX in the same time frame, on the same ballot, and with the same convenience as his mother votes at her local school.

The selling strategy is to leverage concern at all levels over the risk of voter fraud in the 2012 elections to gain support for the concept; leverage state, county, and school board cost and privacy concerns along with existing Oracle software to get the Sun Rays installed, supported, and in daily use in schools and offices; leverage national process support to work with local and state level officials to get voter registration issues resolved; and then use state and local votes to debug the voting and vote management processes needed.

With Al Franken smugly in the senate to serve as an exempla horribilis and Dino Rossi quite possibly in the chamber with him, national political support for anything offering a smart, integrated, solution that increases confidence in voting outcomes while reducing cost and risk is as close as politics gets to a gimme - and not a single conservative is going to forget that every apparatchik tactic there is, from fake polls, ACORN registrations, and voter intimidation to the more traditional kinds of manipulation and messaging exemplified in the headlines listed below, will be deployed against the right in 2012.

Illinois Soldiers Wait for Ballots. Prisoners Get Hand Delivery. Cincinnati Public Schools accused of voter bribery Michelle Obama Illegally Campaigns INSIDE Polling Place

At the local level, and particularly at the county and school board levels where you most need support to get these systems into place, your salespeople should meet an eager audience - and for two main reasons:

1. for these people, costs count - a lot. Once they understand that the people advising them not to do the deal are the people who benefit most from keeping the wintel gear in place, all your people will have to do is make the five year combined cost and security case -and that's an easy case to make.

2. for many of these jurisdictions, the people making this decision will have personally experienced the horrendous pressure the democratic national policy of suing everybody remotely in sight on close losses puts on electoral officials - and because you'll be offering them an option that sidesteps much of the mess, any sales program offering the excuse and comfort of national action will have them stampeding to sign up.

The bottom line, Mr. Ellison, is that people like Catherine Engelbrecht and her friends need your help - and helping them reduce the uncertainties introduced by the expectation of voting fraud in 2012 will be good for the country, good for your company, and good for you.

There's a new phenomenon on campus: an easy majority of students have abandoned laptops and now carry only a smartphone. I imagine that many still use wintel or macs in labs, libraries, or at home to do things like writing term papers - but the new symbol of coolness is an iDevice or clone, not a Dell, or other PC.

In business the handheld is morphing - it's been at least 25 years since companies like Fed Ex pioneered the dedicated, radio based, handheld (and, yes, I know the US DOD had cart mounted "handhelds" in the 60s, but this is about the true handheld: small enough, light enough, and useful enough for a floor walker's use at Walmart). Specifically, it's becoming more flexible and more ubiquitous as better back office software combines with things like replaceable keyboards and downloadable customer specific code and configuration capabilities to bring this technology to much smaller operations.

Meanwhile what are the big IT suppliers doing? Oracle is building the appliance backend to all this - and the smartphone is creating huge new campus opportunities for Sun Ray- but they're about the only big player with a clear strategic direction.

Great Debate

Will Google Glass face adoption challenges due to privacy concerns?

Everyone seems to have an opinion about Google's ground-breaking product.

• Read more

Microsoft has its new Office and Windows 7 out - and the latter's both a decent successor to XP and a big success, but sales seem almost entirely limited to people who already had MS commitments: people in their 30s and 40s, not people in universities or just entering the workforce. Worse, they're repeated their own earlier mistake by hanging Windows 7 branding on their iClone and then guaranteeing that incompatibilities will develop by not sticking to Intel.

Meanwhile, Dell is apparently sitting things out while hoping its numbers will magically improve; HP has this weird dance going on with SAP - supplier of the software whose implementation nearly killed HP - and is so distracted by board level feuds, claims, and counter-claims that it couldn't line up behind a new product direction even if it could find one; and IBM, having beaten Sun via the financial markets, is waiting for the next Vax before transitioning to cell - and may be surprised when Oracle's Sun division provides one in rather less than the eight years it took last time.

Basically where we're at seems pretty simple: IBM is betting on the clock staying stopped; Dell and HP are on auto-pilot, Microsoft thinks the past predicts the future - and should soon be shipping Grecian Formula with its products :) - Apple's consumer focused strategy is working well and driving business adoption of its own down market competitors; google's commitment to free software and open standards is driving Android to early dominance among low end products; and the whole field of back-end to handheld integration for small to mid range business seems set to explode.

Forget the brand names and think big picture, big structure, and we've seen this situation before: at the beginning of the Reagan era when Unix reigned and IBM launched the PC as its forward line of defense for the mainframe. Back then, Apple and Unix lost; this time? IBM doesn't have the clout; the PC is passe; the new stuff, everything from hardware to OS and storage advances, is nearly all Unix; and November's American elections could trigger the end of the Pelosi recession -thus unleashing tremendous new demand for cheap, effective, IT infrastructure.

So what's the bottom line on all this? Blind, glowing, optimism because significant political change in the U.S. should drive an immediate jump in demand for more of whatever people have installed - and then trigger the kind of system wide infrastructure overhaul we saw in the eighties and nineties.

We see that same phenomenon all the time in IT: almost everyone outside IBM's data processing markets wants to focus on cost, but price shopping across architectures implies a value equivelance that does not exist.

The most obvious reason for the cost focus in IT is that it's easy to attach credibility to costs measured as the sum of checks written, and very difficult to attach credibility to benefits estimated on the basis of airy fairy stuff like user seconds saved per transaction. The more subtle reason, incidently, is that senior management's responses to IT are conditioned by data processing expectations in which hardware costs millions and leasing makes it a pretty good proxy for operating costs.

Underlying the errors this produces is, I believe, a mistake most of us make: assuming that the factors driving personal decision making apply equally to decisions in larger organizations. My favorite political example of this involves brick recycling: because if you have a use for some bricks and your neighbor is throwing some out, then it's just stupid not to use those -but when cities extend this logic to forcing developers to recycle bricks from building demolition, the cost burdens imposed generally produce the opposite effect: largely shutting down inner city redevelopment in favor of greenfield work in the suburbs.

In the IT version we see lots of real people believing that the unit cost of a PC as advertised in a drug store flyer says something about the cost of a PC used in business - and one of the saddest stories I know illustrating the stupidity this produces features a senior government guy blowing a few million taxpayer dollars. The situation was that his agency wanted to issue a time and materials development contract covering about 120 people for an estimated eight months - but government wide PC purchasing preferences meant that the approved purchasing process for the workstations needed would bring in product from a vendor he didn't like - and possibly raise questions about the application development contract too. Faced with this, the preferred vendor offered to provide 120 older workstations for the project duration without mentioning this in the paperwork; and the ADM, who noted during the meeting that both his teenagers used two year old laptops surplused by his department, happily agreed to what he thought was a bargain - with the result that about 120 hourly contract developers got to spend nearly two years using 32MB/600Mhz PII gear for code compiles and testing in an era during which the PC transitioned from the 128MB/Ghz P3 to the P4.

People will tell you that if you can't tell the difference between two products or choices, then there is no difference, but that's just wrong - it's a celebration of ignorance, not a justification for failing to do your homework. However, there's an unfortunate consequence to this: because once people stop seeing differences in the product, they seek differences in pricing and so drive a race to the bottom - a race that drives suppliers to distinguish themselves more in their advertising than their products. Today's major PC companies, for example, all deliver the same products, made by the same people, from the same parts, and loaded with the same software -while selling the public on the belief that their product is the same as the other guy's but magically also better and cheaper.

In reality, of course, this is ridiculous - but if you've ever wondered why today's 3Ghz, four core, Windows 7 PC doesn't do much more than an early 90s Mac AV, this is the answer: price competition coupled with marketing differentiation on indistinguishable products makes it cheaper and more effective to add cores and wait states than to increase memory throughput or change the software in any fundamental way.

Where all this comes together is in business adoption of the iPhone and iPad clones now being rushed to market by the same companies that decried the Apple products as useless consumer ornamentation - because what we're seeing there is exactly the same ignorance driven rush to the bottom, albeit this time with Unix variants (Android, Linux, Qnx, etc) in the MS-DOS role, that we saw with the PC.

This is a frightening prospect - and it's not helped by remembering that Microsoft's first OS product was actually a Unix clone. The saving graces, however, could be that this time around IBM's closed community isn't driving purchasing and Apple's consumer market share is well enough established to ameliorate IT's drive to the bottom by ensuring that at least some people continue to be able to tell the difference.

In the mid nineties he accepted a better offer - from Hitachi, and five years later found himself selling DASD and tape automation for StorageTek.

By late 2004 Sun was headed for deep trouble: on the positive side its products were four times faster, and an order of magnitude per cycle cheaper, than IBM's - but IBM's account control combined with the after effects of the NT bubble meant that their stuff sold where Sun's didn't.

Part of the response was to buy StorageTek - because Sun's board knew their own products were genuinely superior, had been led to see the problem as one of getting Sun sales people in through IBM data centers doors, and saw the StorageTek people, people like Joe, as already inside.

Confronted with new bosses, new marching orders, new products, and enough careerism in IBM's mainframe marketing group to block his return, Joe smiled through his pain and called on his old customers to sell them stuff he understood: x86, tape, some Hitachi disk - and because his managers judged him on revenue rather than margin contribution, even some third party disk into an HP SAN installation.

What he didn't do was sell SPARC, learn about Solaris, or buy into the user centricity of the Unix idea - indeed his overall reaction to the SPARC/Solaris combination was similar to that of the stereotype illegal meeting his first Walmart super center: baffled disbelief, total rejection, and a desperate scramble for the old certainties, the old perceptions, and the absolute social certainties underlying the comfortable gossip, and deep contempt for everything Unix, he shared with his friends and contacts.

Unfortunately for Sun, Joe is a personable guy with real selling skills and he didn't exactly hang out a sign saying: "I'm an idiot, shoot me" around his bosses - many of whom, of course, shared his bewilderment at being expected to shill for the enemy of all they believed in. As a result some joes moved up the ladder where they found each other in the chameleon culture of selling what's selling - and now? Well, "Sun is the brand and Oracle is the company".

Was it really that simple? Not entirely, but the underlying mistake: believing that people bought in from an opposing culture won't try to continue their old ways while undermining yours is dead common - history abounds with empires or royal houses which fell to the idea that barbarians hired to fight barbarians will miraculously change their ways. It doesn't happen: in reality a barbarian who interacts with barbarians stays a barbarian - and in the four bitter years Joe spent with Sun he took a few small SPARC orders (which he discounted to the limits of his authority) but he never initiated a sale, never mentioned Sun Ray to a customer, never learned what the company was about, and is still today as loyal to what he learnt in the 80s as he ever was.

More good news was hidden among the hype: Victoria Falls servers now, Solaris 11 in preview, Red Hat sidelined, stronger competitive positioning vis-a-vis both HP and IBM, new emphasis on operational simplicity and reliability (e.g. bringing networking and storage back into the box), and the working out of the Fujitsu relationship.

More subtly, I think there were back channel hints about yet another license simplification effort and, more importantly, clear indications that at least a few marketing people have figured out the obvious: IT may argue about price and throughput but users really only care about system response - so the T3's whomping of both x86 and Power7 on throughput and cost is much less important in the appliance market than its advantages in providing consistent sub-second response for application users.

To the extent that there was bad news it came from the Java people - where direction setting seems almost as confused as the environment itself, and not a single Oracle employee came anywhere close to admitting that the decision to use Java for the Fusion apps made sense before Oracle bought Sun, but doesn't now.

And of course there was lots of interesting minutiae, most of it positive - but some of it also amounting to a depressing commentary on the inadequacies of Sun's marketing people in the face of concerted media attacks. Some of Oracle's sales people have discovered, for example, that the cryptology processors embedded in CMT make sense and should be mentioned to customers - as in duh! and only four years late.

So what elephant in the room didn't get named? Growth: Ellison has said Oracle should grow, over the next five years, into something roughly IBM's size in revenue terms, but while the entire conference was about this, nobody spoke directly to the challenges involved in quadrupling revenues for an already large company.

At the grossest level the answer is, of course, obvious: they plan to sell the existing customer base whatever that base wants while betting the company on growing their applications market through appliance computing - thus the new OLTP appliances support SQLnet, a kludge embarked on when Microsoft omitted TCP/IP in Windows 3.

Most analysts answer the growth question by assuming failure: by assuming, that is, that management can't grow the company enough internally and will therefore have to make a couple of Sun sized or larger acquisitions. I think that's pessimistic: the growth opportunities in appliance computing are enormous and while it might make sense to grab a few good people or high potential technologies (like an advanced, non Intel, handheld) through acquisitions, buying into dying businesses like SAN storage or Global IT Services is a game for losers.

(One caveat: if Hurd gets both halves of Novell, he'll give Ellison the opportunity to go after IBM in the courts and the press - and that might be worth the money.)

Unfortunately the major sales challenge is the same one Sun faced: the absence of an adequate, customer side, fifth column - unlike Apple, Oracle doesn't sell directly to the end user and there are just aren't enough people with strong pro-Sun/Oracle prejudices in buying positions around the world to give Oracle the market growth it needs.

Basically the problem is that the mid size businesses that would benefit most from throwing out the Wintel/DP environments they have in favor of the appliance computing packages Oracle wants to sell, don't have enough people in place who know what these are, how they might work, or why their employers need them - on the contrary, the decision influencers in place generally have their careers tied to older and less effective technologies to the point that they'll willfully ignore more modern alternatives while lying to both themselves and their employers to protect the beliefs their jobs depend on.

This is the problem disruptive technologies always face - and, of course, dissonance theory predicts that commitment to failing technologies produces howling mobs desperate for disinformation; or, in this case, a market for the journolists working from the same talking points, quoting the same press releases, and spouting garbage like this:

Their appearance came as a surprise to many observers who did not expect the T3 processors and resultant systems to see the light of day following Oracle's takeover of Sun.

to denigrate everything Oracle at every opportunity.

Sun's marketing people tried appeasement, and failed - of course. So what would work? Obviously better marketing - and along those lines I have a suggestion for Ellison et al that might help: add a formal HR placement function to your certification processes, and deliver that service through an arms-length placement agency whose recruiters use appliance computing, can spell both lynnix and Solaris correctly, and at least split their sales effort between user management and IT.

The corporate goal would be to see this agency establish small franchisees in each major market and use them, in conjunction with existing local Oracle sales coverage and training programs, first to add work experience to certification, second to place evangelists in customer organizations, and third to provide a highly visible, Windows document focused, reference site for Sun Ray, Oracle Office, and appliance computing.

The bottom line on this idea is that implementation would be good for everyone - and not mainly because the placement business can be highly profitable, but mainly because it puts the right people with the right skills in the right places to drive the customer decisions shaping Oracle's growth.

From a long term perspective CIO stability and willingness to do as little as possible are the critical managerial success factors because the system as a whole is very much like Unix itself: something that works until brought down by an idiot with root access -or in the organizational context, a senior executive with hiring control over the CIO role.

At the day to day working level, however, the CIO job consists of keeping the outside forces seeking to destroy the system at bay while ensuring that his own people have the skills, authority, and resources needed to evolve the system as user needs and technology change.

This sounds simple enough, but you'll face three long term issues in actually doing this:

1. auditors are trained to Wintel/DP expectations - today's CoBIT requirements are functionally identical to the 1920s data center operational standards they're derived from, and correspondingly counter-productive when applied to science based computing.

   In the Unix organization, for example, you have to empower your user side people to make software changes as needed by their users, but because you don't want accumulating changes leading to chaos you have to ensure that these decision makers have the judgment needed to know where the limits on individual action are and thus both when to say no, and when to invoke organization or division wide co-ordination and/or rethinking. As a CIO you achieve that first by hiring good people but organizationally by cross training them through job rotation, by encouraging them to form ad-hoc teams as they wish, and by assigning every staffer one or more long term personal responsibilities while allowing them to trade execution on those responsibilities among themselves.

   In doing this you violate every IT audit expectation on role separation, on formal planning and execution processes, on change documentation, on data and application ownership, on reporting hierarchies, and so on and so on.

   Functionally, almost nothing you do right as a Unix CIO will pass a traditional IT audit because the auditor's expectations are based on something close to the opposite of what you do -basically, an auditor trained to see short swords and machine guns as indistinguishable weapons and then sent out to review the Legion isn't going to sign off on a ranger team.

   In theory you should be able to have your senior management address this with the audit partner, but in practice it's often easier, if seriously less honest, to recognize that data processing audits are driven entirely from paper records, never reality - so showing them the paperwork they expect to see: things like your SLA, your DRP, and your unique staff assignment and certifications file, works. You'll need to brief your CEO and senior management team in to get the paperwork in place, but the bottom line is that you're dealing with audit juniors who have few clues, no judgment role, and no career path based on exercising judgment - so a simple mouse click certifying that your application librarian maintains a prioritized license recovery plan trumps any amount of demonstration or logic even if all of the ideas and assumptions involved are completely foreign to your environment.

2. a properly implemented and run Unix/Smart display system has near zero visibility in the enterprise. The thing works - and therefore there are no IT crisis meetings facilitating face time with senior management, there's no continual user pressure on technology change, and that whole smarter-than-you separation between IT and users you get with PC support simply isn't there. Instead you're like the guy who fixes the phones: nobody knows who he is or appreciates what he does because phones, of course, run on centralized Unix switches and nearly always work.

   If we had a metric based on positive interactions between IT and non IT people, the Unix architecture organization would come out far ahead - but those interactions are mostly with users and user group level managers: not the senior people who vet your budget or hire your successors, and so two bad things come out of this:

   • you, your people, and your budget become safe targets for newly arriving senior managers eager to make bones with their colleagues - and because the Unix users won't care about systems while the Wintel/DP bigots never stop whining the resentments you build in beating these back will eventually force you to move on; and,

   • when you or one of your staff want to move on, it's the size of your organization and budget, not it's successes or effectiveness, that will dominate other people's perceptions of the resume. Basically head hunters and others will automatically consider a guy spending five million a year to achieve squat superior to the guy spending a million a year to give a comparably sized organization a major competitive advantage.

   Personally I've never found a way to beat this.

3. and, number three, finding, training, and keeping good staff can be very difficult.

   The basic problem here is that you need people who can take on every role in the IT organization - including yours - and then motivate them to stay long enough to truly contribute value to the organization. Unfortunately the smart ones are both the ones you want to keep and the ones most likely to move-on once they know the job and understand their own value to other employers.

   Strategies that generally seem to work include telling them right up front that they'll get a much wider range of experience much faster with you than with traditional IT employers and should therefore plan on taking over somewhere else in about five years; sponsoring some open source projects; paying for additional education; rotating IT staff through practicums as user managers; and, giving them paid leave to teach at local colleges and universities.

   Strategies that sometimes work (but often backfire) include setting formal IT performance and satisfaction metrics with senior management and tying IT bonus monies to the achievement of those goals; keeping a couple of training FTE slots on the organizational chart; and, simply trying to out bid the other guy to retain particularly valued staffers.

   And, of course, strategies that are sure to fail include accepting mediocrity in exchange for stability, creating team rivalries, and trying to keep people in the dark about the value of the skills they learn in your organization.

So what's really the bottom line on the CIO job? You need to set a clear direction, motivate your people, train most of them to take over your job, and then generally underplay the role to do as little as possible while maintaining some kind of positive profile with senior managers - most of whom think IT trivial and you a mere geek from the wrong side of the social divide.

Nothing to it. Really.

Many of the comments, both those written to the blog and those received privately, came from people who clearly think of the Sun Ray as a thin client. It is not - and Sun marketing's willingness to cater to this market misperception was, I think, diagnostic for its wider failure to move leading edge product.

A few years ago one of the wintel companies offered a PC architecture in which the graphics board was connected to the motherboard by cable. This enabled the customer to put the PC in a data center rack for easy access while putting the graphics controller, keyboard, mouse, and monitor on the user's desktop.

Notice that the remote graphics board for the PC can't be considered a "client" in a client-server sense because it does no application processing and is really just the normal display management component from the PC with the local motherboard connection stretched out as a cable.

Think of Sun Ray as the multi-user, multi-host version of this and you'll understand the key to its simplicity of operation.

Thin clients, in contrast, attempt to do at least some local processing and run some local OS - even if, like Sun's mid eighties diskless workstations, that OS is downloaded from the server at boot time. That can make them harder to abuse, but a client is a client and the complications arise from the architecture, not the nature of the client - thus both PC style thin clients and Linux desktops offer some benefits relative to the traditional wintel approach, but neither offers dramatic change and neither choice ultimately affects organizational structure and behavior.

As usual there's history to the distinction: back in the eighties when Unix vendors like Sun and Apollo experimented with thin clients their actions were mostly motivated by the cost of local disk - then over $1,000 for 30MB devices - and ended when disk prices fell much faster than progress was made in reducing the operational complexity of the set-up.

In the alternative approach the Plan 9 people at AT&T invented the Gnot as the first real network display, Sun developed NeWS, and NCD started its first line of X-terminals. Gnot never went commercial and NeWS fell to Adobe's licensing demands on PostScript, but NCD succeeded both technically and commercially until it eventually fell victim to a VP with a Microsoft driven NT infatuation and started making cheap thin clients instead of high end smart displays.

Specifically the original NCD network computer offered only an X-server that handled user interaction and absolutely nothing else - providing 24 bit color at 1600 x 1200 on 21" screens at a time when the PC press was erupting enthusiasm over 13 inch greyscale screens at 640 x 480 - and despite the fundementally brain damaged nature of X, some NCD HMX terminals are still in use today.

In contrast NCD's initial venture into the thin client world, software for an x-terminal capable of connecting to NT and running the Mosaic browser locally, ultimately led to what is now Citrix and various licensed thin client products, but also signalled the end of the company's commitment to technical leadership, network computing - and profitability.

At Sun meanwhile, Bill Joy's MAJC chip design was intended to power a new generation of super terminals but his ability to get the CPU made didn't extend to getting a corporate commitment to the new desktop, and so we got the ill conceived and ill fated Java Station -a seriously overweight and under powered "thin" client- instead.

The Java Station was both a technical and a commercial disaster - and would have faded quietly into history if a few recidivist engineers hadn't modified the Solaris X/Postscript display software for download, hung a Java Station with all the client code stripped out at the end of it, and called the result a Sun Ray.

To repeat: what they'd done was take a thin client and turn it into a smart display by taking out its ability to run anything locally. That's what makes a smart display smart: lots of graphics power, no local code - basically a recreation of the NCD network computer but latterly with faster hardware, better software, better branding, and a more focussed security agenda.

Although Sun "sales" still calls the thing a thin client and there are always people trying to impose some local processing on it, the current Sun Ray 3 and its matching software is still very much like that early device: no local processing ensuring both no local hassles and complete portability, while better hardware and server software mean it can display almost anything - from real time Unix/HPC imagery to Wintel and MacOS applications.

Notice that the bottom line here is simplicity and the freedoms and reliability you get from that: no local processing means no ambiguity (and therefore no help desk), no software limits, and no desktop product churn: just load up the applications and trust Unix to run them, whether you have one user or thousands.

Similarly there are DP people who'll tell you that a single free Linux license at $40K per year will support thousands of instances on one IFL - serving 2,400 desktops entirely on freeware.

And, of course, everyone knows that a Unix server costs a couple of million bucks to put in - and then fails all the time despite the hundreds of thousands it eats in annual consulting and support fees.

Such views are delusory - in reality, fixed infrastructure costs for Unix and Windows favor Unix (no surprise given that several free Unix systems run on Wintel hardware), while getting vaguely comparable performance on zOS/IFL costs at least an order of magnitude more.

The most surprising thing about this, however, isn't the nonsense many managers believe but that the cost differences we consider important at the personal level and within IT, really don't matter much for larger organizations: what counts at the enterprise level are the operating costs, risks, and limitations imposed by whatever infrastructure is used - not the start-up cost of that infrastructure.

Thus the mistake that matters when people believe obvious nonsense on Wintel/DP costs has little to do with the specific errors they're making and nearly everything to do with the hidden assumption that systems architecture is an IT issue with no significant consequences for the organization - basically the problem is the belief that a computer is a computer is a computer, and therefore that the choices between them may entertain the IT troops, but are of little strategic relevance in the boardroom.

Imagine, for example, that we have a 2,400 user government organization in which:

1. about 30 people in the financial review unit think they absolutely must have the very latest Microsoft Office desktops;

2. about 20 people regularly use Adobe publishing and pre-print tools;

3. about 240 need regular access to highly customized PeopleSoft financial and HR tools;

4. about 1400 have some need for basic WP/Spreadsheet and presentation software;

5. about 2,200 need daily access to a custom tracking and scheduling application;

6. about 2,400 claim to need browser access and email;

7. there are about 70 other applications, many of them locally grown spreadsheet, BASIC, or SQL-Server applications with the usual lack of documentation, backup, or auditability. On average each of these is thought to have about eight users, one of whom has largely rebuilt his or her job around servicing it;

8. there are an estimated 15 to 25 data transfer and/or remote identification "applications" (many are scripts) that are uniformly said to be mission critical but are documented only with respect to their original forms - not as they are today; and,

9. there are an unknown number of third party applications running on various servers really known only to those directly involved with them - and many of those people detest IT and will neither willingly report what they're doing nor participate in a change management program.

Right now no user manager, however senior, can make more than truly minor procedural or program changes without working through a formal IT assessment, technology change management, and (often) budget management process first.

The actual cost of the infrastructure used to meet these needs with wintel/DP is largely unknown - the book values are pure fiction. The outsourcer managing the desktop evergreen program values each desktop at about $1,400 inclusive of core desktop licensing and first level support; but exclusive of server infrastructure and custom applications, including Peoplesoft. There are about 160 physical servers in data center racks with recently purchased units averaging nearly $9,400 - much of it in licensing. There's an external shared data pool with its own servers - and nobody in the data center seems to know how many network controller racks and/or devices exist because these are administered by yet another third party. Bottom line? the senior IT people give $3,000 per user as a working estimate (about $7 million in total) and while that seems a little high for current replacement cost given government wide licensing for some Microsoft and other products, it's probably in the ballpark.

If I were to imagine replacing all this with a Solaris/SPARC system I'd probably think in terms of four identical units -largely because the organization is about evenly spread across contiguous floors in two nearly adjacent buildings and the idea of putting systems into opposing top and bottom corners in both buildings appeals to me. Each would have four T5440 servers with a 7410 (dual controllers, Flash, 40TB, 4 x x86, 128GB) data store in a rack with a UPS, highspeed router, and some 64GB, 4 processor, x86 Wintel server - and each would list at a bit under $600K for a net 20TB of fully mirrored data storage, 144 network channels, and 1024 virtual 1.4Ghz processors accessing 512GB of RAM.

Users would get 22" Sun Ray3 displays - at about $2.7 million in total including smart cards and software.

All the existing networking gear, including cabling, would go - to be replaced by an all optical system with no more than three devices in the path to the user: about $300K.

About 30 users would get their own little PC network - about $70K inclusive (about half in licensing). Another 20 would get Macs - about $80K inclusive (about two thirds in licensing). In both cases the "outside" backup processor would be in the nearest data center rack and double as the primary processor for other users needing occasional access to PC or Mac software.

The primary application was first developed using COBOL/IDMS in the 70s, converted first to a Vax running C/Forms in 1991, and then immediately to Adabas/Natural on the government's outsourced data center, is currently running as a windows client application accessing SQL-Server, and has been the subject of numerous successful redesign and redevelopment projects - none of which reached production. Today it looks almost trivial to do as a web application: about thirty data entry screens, perhaps 200 embedded functions, a dozen or so reports, and no known live interfaces to other applications.

In moving this to Solaris/Sun Ray I'd probably get two independent teams to convert it to PHP with MySQL - say $60K each - and then quietly start a re-examination of what the thing is really supposed to do and how it does it, preparatory to looking for a commercial or open source replacement (Although, of course, if I were doing this for real, I'd make porting it with guarantees and no nominal cost a condition of the deal with the Solaris/Sun Ray vendor.)

Each of the hidden applications would have to be found, documented, and evaluated during the conversion. In practice most are trivial and conversion, while possibly traumatic for those most closely dependent on control of them, fairly easy. Accommodations can, however be made if warranted - remember each rack will contain an x86 server able to provide Wintel support if and where needed.

Most of the other software is free and the Peoplesoft stuff is expected to transfer essentially unchanged despite the extensive customization effort ten years ago. As a result, and allowing about another quarter million for "surprise" software licensing and adaptation requirements, the whole mess should come in at a bit under six million - very roughly in the same ballpark they are now.

So where are the differences if they're not in capital cost? They're all in how using these two systems drives organizational behavior.

With Solaris/SPARC and Sun Ray:

• users get bigger, clearer, faster, displays - that make nearly no noise, produce nearly no heat, very rarely fail, and only get replaced about every ten years.

• users get access to more software - it's actually possible to run Unix, Mac, and PC applications on the same screen at the same time (although I believe cut and paste only works between two at a time - not sure if that's changed recently.)

• users get much faster and more predictable system response; more storage; almost total reliability, near total freedom from data theft, loss, or leakage risks; and the ability to access their personal desktop from just about anywhere at just about any time.

  Two notes on this:

  1. In the real organization this is very loosely based on, roaming access is considered critically important by many users, but is not allowed -nominally for security reasons. With the imagined Unix architecture providing secure access via iPads and/or iPhones to key data is trivial; and,

  2. if you time only the PC, the PC is usually a bit faster than the Sun Ray simply because 3GHz is faster than 1.4Ghz; -but if you time the system, the Sun Ray user wins because the system as a whole is far simpler and unbottlenecked. The classic example here is email: with Sun Ray, 2,400 users hitting their email at 8:16am would see no significant degradation, where today, the 30 or so exchange servers combine with network limitations to produce long delays during the first twenty minutes or so of every working day.

• users are freed from operational responsibility for their desktop computers - including complete freedom to ignore the entire panoply of PC style "security" threats.

  This is a much more important issue than it may seem. At present PC users everywhere are subjected to daily doses of paranoia on "security" issues - and some in this imaginary organization we're dealing with here are concerned that data leaks embarrassing to the government will be traced to their PCs while others worry that perceived enemies could do things like install porn on "their" desktops.

  The Sun Ray is not a client - there is no desktop OS to interact with the application or on which variant applications can run; and the user card plus password, not the user's machine, identifies the user. As a result most of the disasters people imagine befalling them through desktop abuse simply can't happen.

• users get complete clarity on software issues -because, with no local OS and/or PC networking to muddy the waters, any and all failures encountered running software are unambiguously due to that software.

  The key consequence of this that a particularly invidious PC usage effect is avoided: specifically companies installing enterprise class client-server applications generally find that each new generation of users is trained by its predecessors in both workarounds and magical thinking - with the result that each new generation uses fewer of the available features, and is less willing to experiment with the software, than their predecessors.

  With Sun Rays, however, you get the opposite effect: because people learn that they can customize their own environments and that experimenting with key software carries no penalty, organizations can expect their people to get better and better, rather than more and more constrained, with respect to the effectiveness with which they use the application.

• change hassles essentially disappear as user or senior management issues. Users can make minor changes to their own environments as they wish and user management can change most processes and procedures with little or no consideration of IT issues - the sysadmin assigned to them can generally either make, or co-ordinate making, any required changes more or less on the fly.

  Similarly, IT management can test and then roll out global change (usually updates) with no risk and no complexity while additional or alternative strategic software can be added without worrying much about destroying existing data, infrastructure, or relationship values -and without significant impact on continuing usage of existing software.

Although these kinds of differences drive organizational value they're hard to measure but luckily there's a general rule that applies here: the simpler and more effective an engineering solution is, the lower its long term cost - and so when you go from the complexities of Wintel/DP's variation on the Rube Goldberg machine to the simple elegance of Unix with smart displays, you get measurable savings in IT operating expense.

• the help desk disappears. In this particular organization that's a thirty FTE outsourced contract gone.

  (The biggest effect of disappearing the help desk, however, has nothing to do with the help desk: it's a behavioral artifact that arises because desktop users cannot easily tell application software failures from personal, desktop, or network delivery failures and so come to rely on the help desk to sort out a lot of application how-tos. Since the applications tend to support professional or quasi-professional activities and help desk staff rarely know the ins and outs of those activities, this tends to force regression to the simplest, and least effective, use of the applications.

  With Sun Rays, however, there's never any ambiguity about this, so lead users, generally people who are knowledgeable and enthusiastic about the application, provide application usage assistance to newbies - with the result that the value of the organization's IT investment rises even as its costs go down.)

• Most of the day to day operational activities in the wintel data center disappear - along with the data center floor space, about 50 IT staff cubicles or offices, and about 200 watts per desktop per hour in user spaces.

  Instead the organization will need a total of about 1200 square feet of cooled (and sound isolated) rack space for the four linked centers and about five people, with offices, to run the whole thing, including over 2,300 Sun Rays.

  In addition they will need a CIO and some sysadmin/DBA skilled user interface people posted in user groups - 16 (plus a wintel person in the PC center) in our imaginary case here.

  The user posted sysadmin/DBAs have both the most difficult and the most rewarding IT jobs here because their job is to understand user needs and meet those needs using the infrastructure in place.

  Thus the hardest part of the CIO job in this environment is to recognize the obvious: these people need to be treated as craftsmen, not as technicians - and so must be empowered to make, and act on, systems decisions affecting their users. (Remember: the goal is to provide centralized processing as a service, while decentralizing control of that processing to user groups - effectively creating many local IT departments all of which share both the infrastructure and a kind of team standard. Next week's blog entry: Job descriptions in the Unix Enterprise, expands on this.

  Given cross training, fill in, and special projects requirements the bottom line is that staffing drops from around 80FTEs plus the evergreen contract to no more than 30, inclusive -and for that your users get what they don't have now: someone who works with them every day, understands their concerns, evangelizes the system, and is empowered to make changes on a day to day basis.

• You're well advised to pay for full hardware support (including software upgrades) but total costs for that are about those for the wintel infrastructure - except that the cost of the desktop evergreen program disappears and that's 1,100 new PCs a year you don't pay for.

  The big difference here isn't in the dollars saved: it's in the simplicity of a change process affecting a few $80K machines per year instead of two or three $3K machines each week - and five or so $1000 machines every day.

Look at the whole thing on net, and the tangible savings from dropping client-server in favor of Unix with smart displays come mainly from staffing reductions, with some bonus monies coming from savings in annual software licensing and upgrades - but this is just the ginzu knives effect: the real value here is in the intangibles: in increased user productivity, in decreasing turn-over, in the elimination of most forms of software security risks, and in the near total elimination of system failures.

Thus the bottom line here is simple: the Unix system costs about the same as Wintel client-server to put in, but costs a lot less to run - and works significantly better on all the parameters users care about.

No, the hands down winner for tragi-comedy was this, from "civikminded":

RE: Forces of nature
@Roger Ramjet

You can run Windoze through DumbRays.

Sure.. what do you need on the back end? VMWare ESX. Wait.. or VirtualBox (I'll go on with this post when the laughter dies down)

All your 'Autonomics' can be achieved on Windows with Virtual Desktop Broker apps that have been available for 5-6 years. In fact with VMWare View, I can serve out thousands of desktops from a single OS image. No, not thousands of copies of a single OS image. 1 single OS image.

Here's a person whose response to the proposition that DP and Wintel have effectively merged to perpetuate the worst of both as the new standard, is to argue that: "I can serve out thousands of desktops from a single OS image. No, not thousands of copies of a single OS image. 1 single OS image. "

Notice the use of "I" in his claim? He can run thousands of virtual PCs from ONE OS image - provided the servers silently boot Unix to run Windows OSes as applications, the clients are PCs running Windows OSes, only some specially certified applications are allowed; and users? They get to put up and shut up.

I don't think he could have done better had he intended to demonstrate that today's Windows data centers tend to reproduce the worst features of IBM's 1970s mainframe world - and had he wanted to show that the people defending this nonsense often understand neither their own technology nor anyone else's; well, I doubt he could have improved on this either.

So what's going on? As regular readers know I think Festinger made a lot of sense, and what he'd say in this situation is clear: the more arrogant and absurd responses like these get, the clearer it should be that the people involved know they're wrong but are desperately hoping that enough shouting will, like the proverbial trillion monkeys typing out King Lear, eventually reveal something justifying what they're doing to their users and employers.

Convinced of my ignorance yet again..

Aside from the play by play, could you provide an example of how the DP method differs from Unix, as a theoretical. I don't understand how the user could be in more control by using a centrally controlled system where IT is involved (I have to assume re-writing or modifying) someone's program to suit, rather than installing (and letting the user configure) a program they already know. On the client side (the user) has a long road to re-learning or learning software in the first place.

I could cite a program like photoshop, and it's linux counterpart Gimp. there's no way the two are the same. (I will admit I'm getting better at using the Gimp, but just not the same in terms of ease of use and functionality) In a creative environment, there is not a real replacement for photoshop, or Autocad in it's many incarnations.

So you are left to virtualize, spend on licensing for the whole business etc. How could a centrally controlled entity make this any better?

Here's my summary response:

In brief: wintel, like DP, forces centralization of both processing and control. Unix allows (but doesn't force) people to separate these: centralizing processing while decentralizing control. Do that, and running IT (i.e. the gear etc) becomes a part time job, while IT people working inside user communities work for those users in making things (i.e. software) happen.

But, of course, there's more to it - specifically, things got to be as they are through the processes of history.

About the time data processing was getting started, organizational design people were enthralled by one Frederick Taylor, a popular exponent of "scientific management" whose view of the worker as an undifferentiated, and thus easily replaced, cog in the corporate machine:

Under our system a worker is told just what to do and how to do it. Any improvement upon the orders given him is fatal to his success.

applies reasonably well to the kind of unskilled labor he studied, but becomes increasingly counter-productive as both task and organizational complexity increase.

In his own context, directing highly repetitive activities like shoveling coal into furnaces, Taylor's ideas worked; but what really sold them into social prominence was the implied moral and social distance between those directing activity and those who carried it out. In the crudest terms: he sold management on the idea that the managerial class was so much smarter and more capable than the workers that they had both a right and a moral obligation to direct every detail of the worker's lives.

The reality, of course, is that Taylor over generalized from observations at the lowest end of the work complexity scale: basically the simpler and more organizationally isolated the task, the more applicable Taylor's liberal-fascism becomes - but the more complex and organizationally inter-linked a task gets, the more counter-productive attempts to apply it become. Thus Henry Ford usefully applied Taylor's ideas to individual work stations on the assembly line, but no five year economic plan produced by an economic dictatorship anywhere in the world has ever come anywhere close to reality.

You can see how Taylor's ideas were attractive to the men running Finance departments after world war I: they bought IBM's machines, hired clerks to execute the individual steps in data processing, and hired Taylorites to make sure that those clerks did their jobs, and nothing but their jobs, in wholly predictable ways optimized with respect to the most expensive resource: the machines.

Forty to fifty years later, people who made their bones in that system faced an organizational transition to virtual machines: from physical card sorters controlled by switch settings to card image sorting controlled by JCL - and just continued doing what they knew how to do.

The biggest external enablers for this continuity were cost and ignorance - the latter because then, as now, finance people simply didn't want to know what went on the black box labeled "data processing", and the former because cost continuity reinforces expectation continuity. Thus in the 1920s a line capable of end to end records processing for AR, AP, and GL cost about the equivalent of four hundred clerks hired for a year- and in 1964 so did the first 360 installations, while the typical $30 million zOS data center today is not far off that same 400+ full time equivalent cost.

In the 1920s that cost drove the focus on utilization, the role in Finance drove isolation and arrogance, and the combination of Taylorism with the after the fact nature of data processing both reinforced the other factors and enabled regimentation - both inside data processing and in its relationships with users. None of that has changed since: a DP manager magically transported from the 1920s could absorb the new terminology and carry on in most big data centers today without changing a single operational or behavioral assumption.

When Wintel started, things were very different: there was a booming personal computer industry, Sun was inventing the workstation, Apple was making the Lisa, science ran on BSD Unix, traditional research ideas about open source and data were widely established in academia, and thousands of large organizations were in the throes of conflict between traditional data processing management and user managers successfully wielding computing appliances from companies like Wang, Honeywell, DG, DEC, and many others to do things like document processing, job scheduling, and inventory management.

When the PC/AT came out user managers facing ever increasing corporate barriers to the purchase of appliance computing leveraged data processing's IBM loyalties to buy millions of them - only to then discover that there was little useful software for the things. That then created the markets and contradictions allowing Microsoft to succeed - and led directly to the 90s PC server population explosion with all its consequences for IT cost, security, and performance.

Those costs and consequent failures forced centralization: first of control and then of processing; until, today, most data processing wears a Windows face but is behaviorably indistinguishable from what it was in the 1920s - and the software, course, has evolved in parallel to make locking down the corporate PC to imitate a 327X terminal the least cost, lowest risk, approach to corporate "client-server" management.

Thus the bottom line on the merger of the DP and Wintel traditions in larger organizations is that any move away from centralized processing (whether implemented on zOS or wintel racks) adds both costs and failures while any move to decentralize control (letting users, for example, manage their own software) does the same.

None of this applies to the evolution of the Unix ideas: from the beginning science based computing has been about using the computer to extend, not limit and control, human communication and human abilities. Thus users are perceived, not as data sources for reports to the higher ups, but as members of a community of equals - and it's that perception of the role of the computer as a community knowledge repository and switch that ultimately drove the evolution of open source, large scale SMP Unix, and network displays like the NCD-X terminal then and the Sun Ray today.

There are both cost and control consequences to this for commercial use of Unix: the organizational data center that takes a zOS machine or several hundred PC servers to do the DP way, takes two or four SMP machines and costs an order of magnitude less to do with Unix. Neither the us vs them mentality from data processing nor the software functional differentiation that gets pushed all the back to the hardware in the Windows/DP world, exist in Unix - and open source ideas limit both licensing and development commitments. As a result processing centralization both minimizes system cost and maximizes the resources available to users without requiring control centralization.

It is possible (and common), of course, to be stupid: insisting on the right to run Unix in DP mode by doing things like restricting staff roles, tightly controlling user access, customizing licensed code, or paying for software to chop that big machine into many smaller ones. Thus the people running the organization I've been talking about over the last few weeks would, I'm sure, respond to an externally forced march to Unix by combining virtualization with both processor and job resource management to increase the negative impact of the limits and problems they face with Windows. Right now, for example, the 2,000 or so users who check their email between about 8:16 and 8:30 each morning completely stall out the 20 or so dedicated Exchange Servers and much of the network -and while none of this need happen with Unix, the unhappy reality is that everything these people know about running IT would lead them to spend money making things worse than they are now.

The point, of course, isn't that poor managers can't implement DP ideas with Unix, it's that good ones know they don't have to. The cost and risk forces that drove the adoption of DP ideas among wintel people simply don't apply: so giving IT staff posted within user groups the authority to act immediately on user requests falling within some global IT strategy offers significant corporate benefit without incurring the costs or risks this would entail with a wintel/DP architecture.

Note:

Sparkle farkle mentions two specific pieces of Wintel software, PhotoShop and AutoCad, as forcing wintel adoption. In some situations he'd be right: if, for example, you had 2000 users and 1900 of them routinely required autocad, then you'd probably find the Unix smart display architecture a poor solution - but if you have the more normal thing: 2000 users, 30 of whom routinely use autocad, then you need to remember that you're there to serve users, not to create and enforce computing standards - and so you give them what they need: a local wintel (or Mac, if it's photoshop) ecosystem all their own, complete with embedded support working directly for group management.

On the positive side, most of the costs of wintel, particularly those associated with staff regimentation, security, and software churn, rise super linearly with scale - so putting a bunch of "foreign" system islands into your Unix smart display architecture ultimately adds relatively little to the corporate IT bill - and remember too that users who only need occasional access to monopoly products like Autocad can be given that on their regular smart displays at no more than the same server and license cost the wintel people face.

And, finally, he also suggests that a Unix system requires a lot of code customization. This is not generally true: outside of research organizations most large Unix systems run unmodified commercial or open source applications - most original code does start on Unix (particularly Linux and MacOS X these days) but that's because it's a natural development environment. In non research use code development and customization expense is almost always associated with the Wintel/DP mentality and rarely found in Unix budgets put together by Unix people.

One consequence of this is that the wintel youth cult is not in evidence - most of those with more than personal responsibilities along with the outsourcer's on site staff are in their forties or fifties, and even the on site juniors pretending to the help desk probably average out in the high thirties.

Another is that the people involved know that their jobs depend on community approval - meaning approval among their IT peers and seniors, not their users or departmental management. As a result the generic Wintel cultural tendency to see users as lusers gets exaggerated with many users complaining that IT people patronize them - and, in particular, that IT's tendency to do things either not at all or without explanation both expresses their contempt for users and is intended to keep those users dependent.

Sometimes the situation throws up results that almost make me feel sympathetic: for example a senior official's request for help using old Norse in his password apparently caused a major panic in IT before it was realized that a government-wide Peoplesoft standards committee could be invoked to deny the request. (In reality, they use something derived from Peoplesoft's 1998 core financials but have put so much money into customization that "recent" client-server environment updates like AL32UTF8 absolutely have to be kept outside the bubble.)

Less amusingly, ordinary users asking ordinary kinds of things face significant organizational and personal barriers to resolution. Thus a user asking for an aphabetization change on a report was directed to an authorization and approval process worthy of a decision to invade Saskatchewan; while another, who asked for connection help with the client on a Windows 7 laptop with a misconfigured firewall, was treated to visible disbelief and public contempt before repetition coupled with repeated appeals to higher authority led IT to re-install the core Windows OS and authorized applications.

Now, it's pretty obvious what this organization has to do - but because I don't believe it will happen any time soon, and certainly not with the current players in place, my view is that the top people should just out-source the whole mess and then start rebuilding internal IT on a more user oriented basis as opportunities to do that come up.

But the experience raises, I think a more general question: since people who really are competent and enthused about their jobs tend not to be arrogant about it, and yet Wintel help desk people generally look down on "lusers", it follows that there's something about the job that either selects for pretenders or imposes a significant moral hazard on otherwise decent people.

I don't know what that is, and certainly the DP influence on Wintel management has a significant role here; but in watching some of these guys do help demonstrations by clicking through screens like a ten year old setting up to play Raymond's Raving Rabbits - thus leaving users no opportunity to orient themselves to any of it - I begin to wonder: is it possible that Wintel technology itself has evolved to be far too much like a poorly thought through video game and not enough like a knowledge based enterprise?

Look at them in terms of industry norms, and they look pretty good: professionally run, significant system wide redundancy; active PC security group; near parallel off site backups; solid evergreen, communication, and usage policies in place; and even some decent third party career management services for IT employees.

The history here is that this organization launched, in about 1985, an effort to update its systems (then built around the 327X/3096 architecture), experimented briefly with both WANG and DEC as suppliers, and had, by the time the 91/92 fiscal year rolled around, settled on the client-server architecture recommended by their current out-sourced services supplier. Since then they've gone from 11 IT staff to about 80, from betting on OS2 to Windows 7, from megabytes to terabytes, and from rigidly limited systems and data access to a claimed information ubiquity.

In reality, however, the IT implementation has changed from 327X/3096 to Wintel client-server but the organizational structure, access controls and underlying work processes have survived with little, if any, significant change since the 1960s. Thus information is still rigidly compartmentalized: clerks entering one kind of data cannot see other relevant data; the front line people cannot get access to either the detailed institution reports or the operational cockpit data available to a handful of senior people; the people screening applications exchange paper with the people doing enforcement monitoring; and so on.

I'm told that IT people working with senior management have tried to address some or all of this at various times through initiatives like a MOM project and an organization wide Notes implementation, but the claim is that work to rule responses from middle management effectively gutted the amazing technical success each such project achieves on the resumes of those involved.

Thus the bottom line here is, I think, that what they have now is a high cost implementation of the 327X/3096 architecture they sought to replace in 1985 - and that raises the question: had they lived in some alternative universe and gone to SunOS with NCD X-terms and some Apple laptops in 1988 or 89 where would they be now?

The answer, I think, is that they'd now have evolved to Solaris, Sun Rays, and iDevices; they'd still have about 11 staff and no out-sourcer; and their history in between would included far easier access to more software with fewer failures and security risks -meaning that the impact of IT limitations, costs, and assumptions on their organizational evolution would have been both vastly smaller in absolute terms and generally more positive than negative.

How those differences would be expressed is obviously a matter for speculation since the only organization I'm familiar with that actually made that choice more than twenty years ago is a high security operation subject to radically different organizational pressures - but I believe the direction and rough extent of those differences can be assessed by asking one question: where in the 20+ years of system evolution between that 1989/90 choice and today is the client-server advantage to the organization? What, in other words, does or did the existing choice make possible that otherwise would not have been?

The most important place it's not is in the devolution of IT control to user management: in more than twenty years it not only hasn't happened, but centralized control has actually been strengthened over the period with the reaction to server growth and document loss during the NT years having led to centralized document management, centralized standards enforcement, and a complete loss of communications autonomy by unit management.

In contrast, the benefits to IT are obvious: more staff, more money, and the ability to play to common perceptions about wintel to absolve themselves of responsibility for performance, security, and continuity.

So what, bottom line, did the organization get for making the client-server decision? I'd argue that they got more IT costs, more leaks, tighter central control, less user accessible software, reduced performance, and a long detour to nowhere.

Like all DP organizational artifacts the SLA has a long history - going back, in this case, to 1920s job descriptions for data processing management requiring incumbents to guarantee things like the on time delivery of the printed AR reports.

In today's context, however, the SLA is mostly used as a get out of jail free card: as a limitation on service expectations by DP people; as a critical element in getting an easy ride from the auditors by both DP executives and the senior people they report to; and, as barrier keeping DP people in a distant and clearly subordinate role by executive management.

Basically the problem is that an SLA commits DP to meeting specified expectations - and thus both relieves DP of any need to exceed those expectations and acts as a barrier separating those on each side of the agreement. As a result its existence in an organization testifies to that organization's ability to resist change by passing costs on its customers - meaning that its existence is characteristic of government and monopoly, or near monopoly, organizations; including industry level IT monopolies in which the employers compete but all use the same, essentially interchangeable, IT people, tools, and methods.

When confronted with an organization that relies actively on SLA enforcement through some kind of DP management committee but is now facing genuine cost pressure - say an American state or municipal agency facing sharply falling tax revenues- there aren't a lot of good choices.

One is to take advantage of the nature of the SLA process itself to recommend and strongly support out-sourcing all IT work. You do this nominally because outsourcers always promise quick savings and because use of the existing SLA as the basis for the contract means that no significant organizational change will be needed - but really because out-sourcing under cost pressure is a bad idea whose eventual reversal should - assuming cost pressures continue - lead to the kind of IT change the organization needs but is not yet ready to undertake.

The more dangerous alternative is to go after real change now - but that's extremely hard to do largely because you've got to pull off two miracles at once: change senior management perceptions, and change the way IT is run.

At the senior management level you'll be dealing with people who mostly don't want to hear it: and getting them to first internalize the reality that IT provides the organization's "nervous system" and isn't an arms length expense center at all, and then accept that DP's relatively poor performance, organizational isolation, and freedom to escalate project costs have historically been due to the SLA centric management processes in place, is usually more of a challenge than most of us can handle.

At the IT management level you'll be replacing bodies because what you need is an outward, service oriented, focus to replace the inward, utilization oriented, focus in place - and you're just not going to get it with people promoted under the existing system.

And the complication? it's been my experience that senior executive commitment to change seldom lasts long - so once you get them on side, you typically have between four and six months to get your IT changes set in stone because otherwise the little picture players in the organization will gut your efforts and leave the organization worse off than it was before.