William Vambenepe's blog

The New York Times published an article describing a plan to partially replicate the city of Lyon in Dubai. I wasn’t born in Lyon but I grew up there. At the cost of another off-topic post, I will take this opportunity to tell my American friends, whose itineraries in France tend to take them from Paris straight to the French Riviera, that they are missing out on a great city located half-way between these two spots.

The Lyon apartment building I lived in stands on what used to be a trading post for Gauls and Romans. Napoleon Bonaparte presided over the earth breaking ceremony for this building. A couple of windows in the apartment were later blocked with bricks because of a 19th century tax that was assessed based on the number and size of windows in your home (*). Through the remaining windows, the view from the apartment is over place Bellecour on which you can see a statue of king Louis XIV that was melted during the French revolution to make cannons and replaced during the Restauration period. There was also a guillotine in action there during the revolution. During WW2, the Gestapo took over the building (my elderly same-floor neighbor told me about being evicted by them - he came back after the war). And Antoine de Saint Exupery was born next door. That’s a lot of history for just one apartment building. Good luck replicating that in the desert.

Of course that’s not necessary and there is a lot you can be inspired by in Lyon without emulating its past (I don’t recommend cutting a few heads in public just to “capture the feel” of Lyon’s revolutionary history). The Times article lists a few challenges. The importance of pork and wine in the local cuisine is manageable. Once you accept that you’re not going to get a carbon copy, the challenge of Lyon-inspired cooking without these ingredients is one chefs could rise to (a generic prohibition on heavy sauces would be more problematic). The role of the rivers in the “feel” of the city seems more challenging to me. I lived in the peninsula formed by the meeting of the Rhone and Saone rivers. The rivers and the wide walking areas by their sides make for great (sometimes windy) walks during which you can see nice bridges and historic buildings (universities, a hospital, a courthouse and many Renaissance apartment buildings). And even if they manage to create an equivalent body of water in Dubai, the strong flow of the water coming down from the Alps is likely to be missing. There is a reason why the picture that illustrates the Times article shows a pedestrian bridge (looks like Passerelle Saint Vincent over the Saone river).

I am not sure what it really means to replicate an old city but there certainly is a lot to learned about urban life from Lyon’s long evolution. I am sure the people of Lyon don’t mind the money but even more they probably love being told that they represent a model to emulate. And it must feel good to steal the limelight from Paris just once. I don’t have millions to invest in the city like Dubai does, but I too am happy to speak highly of Lyon and encourage people to visit. Feel free to contact me if you plan such a visit and would like recommendations.

(*) the number of doors was also part of the tax calculations. The goal was to achieve some degree of proportionality in taxation since rich people presumably had more doors and windows in their homes. It wasn’t a new idea, Julius Caesar imposed similar taxes (called ostiarium and columnarium) on the numbers of doors and columns respectively. Looks like he didn’t care for McMansions either. Maybe it’s time to resuscitate the columnarium in US suburbia.

This is very much off-topic for this blog but if I read another article (like this one) that draws conclusions about the mind based on what areas of the brain light up under MRI, I am going to bang my head against the wall until my “anterior insula” switches places with my “ventromedial prefrontal cortex”. That should nicely mess up their models if I ever get in the MRI machine.

Brain science is in its early stages and there’s nothing wrong with that. Of course scientists need to progress step by step and for now MRI images might be the best we have. Go ahead and use the tool. But can we be spared statements about what area of the brain processes “soft-drink preferences”? These stories are so 19th century.

As far as I can tell, Flash is an advertising delivery platform for the Web. This is why I have not installed the Flash player in my Firefox browser. It saves me (especially when combined with the Adblock Plus Firefox add-on) from a lot of obnoxious animations. And a few security vulnerabilities too, (this latest one is what prompted me to write this quick entry to help readers protect themselves while retaining the option to use Flash).

Despite all the hype about Flash, I very rarely run into a page that requires it for something useful. A few sites are Flash-only (mostly restaurant web sites from my experience, apparently restaurant owners are easy preys for incompetent Web site designers) and when I find one I usually take that as a sign that I am saving myself a lot of frustration by taking my business elsewhere.

Still, once a while I need to view a Flash applet. Ideally, I would like to have Flash installed but disabled, such that I can enable it for a given page with a single click. This doesn’t seem to be possible (my guess is that Adobe knows very well that Flash is mostly used in ways that are not welcomed by users and that they would likely disable it most of the time if given the option). So here is a convenient way to achieve the same effect:

While I have not installed the Flash player in Firefox, I have installed it in IE. I have also installed the IE Tab Firefox add-on which allows one to switch from the Firefox rendering engine to the IE rendering engine within a given Firefox tab. It can be configured to place a small icon in the status bar. Clicking on that icon switches the rendering engine, which means that suddenly the Flash player is enabled for the page you are looking at. One-click enable/disable as requested!

You can also configure IE Tab to automatically switch to IE rendering for some pre-configured sites. So if there are Flash-dependent sites that you use on a regular basis, just enter them there and the IE rendering engine will automatically be used whenever you are on those sites. Again, this all happens inside your Firefox tab, it doesn’t start a separate IE browser. Enjoy.

[UPDATED on 2007/12/24: I wrote this entry to try to help readers and it turns out I am the one who's getting helped after all. Many commenters pointed to the Flashblock firefox add-on which is designed specifically to do what I get done in a round-about way with IE Tab. I looked for such an add-on some time ago and didn't find it, which is why I devised the work-around. Thank you all for the info.]

[UPDATED 2008/5/14: Another reason to keep Flash turned off: Crossdomain.xml Invites Cross-site Mayhem.]

[UPDATED 2008/6/9: Looks like Flashblock can be circumvented (in a way that my more basic FF vs IE setup cannot). BTW, I closed comments on this entry because for some reason it was attracting a lot more comment spam than all the others combined. Email me (see about page) if you want to post a comment here.]

What happens when a society gets hold of a new territory or a new technology? It usually starts by decimating the easy preys in that territory or by running wild with the technology. Using abundant resources (food, fuel or other) with abandonment, dumping waste everywhere. Then there is a crisis directly tied to this lack of restraint. Maybe an epidemic. Or starvation from the sudden disappearance of easy-to-get food (or fuel). Lack of clean water. Landslides from deforestation. Something is done to address that crisis and its direct causes. It starts with random acts of what is not yet called ecology. And then the best practices gets more widely adopted. But another crisis appears. Other changes need to be made. Eventually people start to look beyond fighting individual fires and towards managing the environment as a whole, in a way that aligns with the desired quality of life. Models are developed to better understand relationships and predict consequences. Comprehensive environmental studies appear. People take a lifecycle approach to managing the environmental aspects of development. Processes, policies and rules get defined. And of course, companies and consultants appear to help with these tasks.

This is a (widely) simplified description of how ecology appears out of necessity in developing societies and how its development is a gating factor for sustained economic development. Of course, this is the happy view, the one where the society is able to correct its course before collapsing.

Doesn’t this sound very similar to the way IT management appeared and is developing in enterprises?

When enterprises got hold of computing as a business tool, individual departments deployed applications with little planning and coordination, just to grab the low-hanging fruits of increased productivity. Then comes the crisis, a key system goes down and no-one knows what to do. Business suffers. Some early, localized, monitoring functionality is created to fix the problem. A random act of management that addresses a tactical issue. But more problems happen, the system gets more complex than niche management tools can address. Eventually people start to look at IT management more globally, to think of it as a way to align IT with business objectives. Models are developed to better understand relationships and predict consequences. People take a lifecycle approach to managing changes to the IT environment. Best practices, processes and even rules and compliance mandates get defined. And of course, companies and consultants appear to help with these tasks.

Does this parallel reveal any opportunity for one side to learn from the other? Will you hire Greenpeace to run your data center?

I am now an Oracle employee. My last day at HP was last Friday. I have a lot of excellent memories of my almost nine years there. And the company is (finally) very serious about software and investing a lot in it. HP Software is a very good place to be. But so is Oracle and the very interesting position I was offered convinced me that now was the time to go. So I am now in the Enterprise Manager group with the title of Architect. More specifically, I am in the part of EM that manages Middleware and Applications. Which also means that I’ll get to interact with the ex-Bluestone people who were my colleagues at HP Middleware and later joined Oracle’s application server team (like Greg). And I just learned today that David Chappell (with whom I collaborated on several specs) recently joined that group too. This is a happening place.

Another off-topic entry to add to the CrazyStats category. Today’s NPR’s “All Things Considered” included a report called “States Fret at Easing of Border Security Plan” which talked about “Operation Jump Start”, so described:

“For about a year, National Guard troops have been rotating in and out of outposts along the [US-Mexico] border. Soldiers stayed visible under blue tents right on the border to deter illegal crossers while scanning the landscape, reporting anyone who did cross.”

It then goes on:

“The deterrent worked. The number of crossers apprehended by the Border Patrol since last October is down by about one-third, while drug seizures are up.”

The implication seems to be that would-be illegal immigrants were deterred by the presence of the troops and that drug traffickers were not deterred but were more often caught thanks to the help of the troops (who presumably either directly caught drug carriers or freed up Border Patrol resources to go after them). Success! But what if the result had been the exact opposite? More crossers apprehended and fewer drug seizures. Couldn’t that just as easily be interpreted to mean that the troops helped in catching more crossers while providing reinforcements that deterred drug traffickers? When opposite results can be interpreted to both mean success the test is suspicious.

Since I am on a roll with off-topic posts…

I accidentally ran into some Web pages and scripts I wrote between 1994 and 1996. Mostly experiments with Web technologies that were emerging at the time. Some have pretty much disappeared (VRML), some are still pretty useful but slowly on their way out (CGI) but many of them are very prominent now. I found a bunch of Python scripts I wrote back then, some Java apps and applets and even a Minesweeper game written in JavaScript. And the impressive thing is that even though those were all pretty early technologies at the time, these programs seem to run just fine today with the latest virtual machines and interpreters for their respective languages. Kuddos to the people who have been growing these technologies while maintaining backward compatibility. Speaking of technologies that were emerging at the time and have made it big since then, all these were served from a Linux server and the Python stuff was developed on a Linux desktop (Slackware was the distribution of choice).

… because the issue has been mixed up with the whole terrorism/DHS hysteria. Game over. So now we have “Real ID” which won’t stop any terrorist but somehow is marketed as an anti-terrorist measure. I don’t like this law because it is too focused on physical identification (ID card) and not virtual identification. Trying to impersonate someone in person is difficult, dangerous (you risk being arrested on the spot or at least having your face captured by a security camera) and doesn’t scale. Doing it virtually is easy, safe and scales (you can even do it from anywhere in the world, including places where labor is cheap and the FBI doesn’t reach much). So this is where the focus should be. Also, this law is not respectful of privacy (the “unencrypted bar code” issue, even though if someone really wanted to systematically capture name and address from ID cards today they could take a picture of the ID and OCR it, the Real ID-mandated bar code would only make things a little easier).

On the other hand, I also can’t go along with the detractors of this law when they go beyond pointing out its shortcomings and start ranting about this creating a national ID card. While it’s true that this is what it effectively does, someone needs to explain to me why this is bad and why this would make the US a “police state”. If really such IDs are so damaging to liberties, why is it ok for every state to have them? What makes a national ID more dangerous than a state ID?

I agree that the Real ID effort is a bad cost/benefit trade off in terms of protection against terrorism. But leaving terrorism aside, we do need a robust (not necessarily perfect) way to authenticate people to access bank accounts and other similar transactions. In that respect, something like Real ID is needed. And in that context, the cost/benefit trade-off can be hugely positive if you think of how much impersonation costs and how much friction it creates in the country’s economy.

As long as we live in denial about what a Social Security number represents and as long as we can’t think sanely about terrorism, there can’t be an answer to the authentication problem.

An article in today’s New York Times reports that “the Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database”.

Almost there folks! But tens of thousands is not enough, we need to cover everyone. The simplest effective way to dent the “identity-theft” (or more exactly “impersonation”) wave is to go beyond this first step and publish on a publicly accessible web site all social security numbers ever issued and the associated names. And get rid once and for all of the hypocritical assumption that SSN have any authentication value. We need a reliable authentication infrastructure (either publicly-run as a government service or privately-run, that’s a topic for another day) and this SSN-based comedy is preventing its emergence by giving credit issuers (and others) a cheap and easy way to pretend that they have authenticated their customers.

Over the last couple of years, I have received two alerts that my SSN and other data have been “compromised” (one when Fidelity lost a laptop containing data about everyone enrolled in HP’s retirement plan and one from a university) and my wife has received three. Doesn’t this sound like a bad joke going on for too long (and I should know about bad jokes going on for too long, they are my specialty)? And of course this doesn’t count the thousands of employees at dentist, medical offices, and many other businesses that have at some point had access to my data (and anybody else’s).

So, to the IT people at the Census Bureau I say “keep going”! But of course that’s not the reaction they had. The rest of the NY Times articles goes on with the usual hypocritical (or uninformed) lamentations about putting people’s identities at risk. “We took swift action when this was brought to our attention, and took the information down.” says an Agriculture Department spokeswoman. And of course there is the usual “credit report monitoring” offer (allowing the credit report agencies to benefit from both sides of the SSN-for-authentication debacle). Oblivious to the reality even though it manifests itself further down in the article: “The database [...] is used by many federal and state agencies, by researchers, by journalists and by other private citizens to track government spending. Thousands of copies of the database exist.”

Another quote from the article: “Federal agencies are under strict obligations to limit the use of Social Security numbers as an identifier”. The SSN is a fine identifier. It’s using it as a mean of authentication that’s the problem.

[UPDATE] This is now a Slashdot thread. The comments are pouring in. Some get it (like here, and here). This one seems to get it too but then goes on to advocate dismantling the social security system which at this point is only connected by name to the issue at hand.

[UPDATED 2008/7/2: Sigh, sigh and more sigh while reading this article. The cat is so far out of the bag that a colony of mice has taken residency in it. The goal shouldn't be to try to make the SSN hard to get, it should be to make it useless to criminals. That approach isn't even mentioned in the article.]

The National Security Archive is not a government organization even though its name may sound like one, but a research institute hosted by The George Washington University. The Archive published today a copy of “CentCom PowerPoint Slides Briefed to White House and Rumsfeld in 2002, Obtained by National Security Archive through Freedom of Information Act“. A very interesting read, but commenting on the meat of this is way off-topic for this blog (I have a “off-topic” category, but not a “way off-topic” one). One side aspect is only a little bit off-topic though, so I’ll indulge myself: it’s about this reflection on the use of PowerPoint, by Lt. Gen. McKiernan as quoted in Thomas Ricks’ book Fiasco:

“It’s quite frustrating the way this works, but the way we do things nowadays is combatant commanders brief their products in PowerPoint up in Washington to OSD and Secretary of Defense… In lieu of an order, or a frag [fragmentary] order, or plan, you get a set of PowerPoint slides… [T]hat is frustrating, because nobody wants to plan against PowerPoint slides.”

It’s an old debate whether PowerPoint is a mostly good tool for presentations (that is often misused) or basically a crappy tool for presentations (if you’re in the Bay Area I can lend you the Tufte essay). I generally tend to fall towards the former view. But what should not be a matter of debate is whether a PowerPoint document is a good communication vehicle on its own (rather than as support for a presentation). I very much agree with Lt. Gen. McKiernan that it is definitely not. And by only changing a few words I could turn his quote into one that describes some interactions in several software companies I know of, including my employer. And I would guess non-software companies too, there is no reason why this would be limited to the software industry and the military.

Must…resist…killer-app…pun…

Too late.