
March 27th, 2008

The worst software failures are successes

Posted by Paul Murphy @ 4:15 am

Categories: Development, Enterprise Policy

Tags: Software, Information Technology, Failure, Paul Murphy

In the movies you know what’s coming when the team leader suggests the group separate and some red shirt gets sent off to investigate a dark cellar by herself - and oddly enough IT project failure reviews are often exactly like going to that kind of movie.

Basically what happens as you go through the files and talk to the people is that the standard markers of doom - things like methodologists in controlling roles; strong separation between designers, developers, and users; or simply too many people pushing too many agendas - give you the same sense of impending doom you get from watching the pretty girl march down those steps by herself.

You’d think experienced IT people would know better, and many do - but if you’re a developer or project manager just yelling “don’t go there” when these warning signs pop up is a lot like yelling it in the movie theatre: you get in trouble with everyone else around, but nothing changes.

In response I generally try to get non-IT management to learn from the on-going disaster so that they’ll understand what they’re seeing the next time something suicidally stupid, like separating the players in the interests of saving time, shows up in someone’s IT project management strategy.

Unfortunately role separation is as basic to data processing as the waterfall model - and telling people that their entire methodological focus for project delivery is at the root of their failure to deliver projects usually produces a lot of hostility and the rather huffy assertion that most of their projects succeed just fine, thank you very much.

Unfortunately, I don’t think it’s true: on the contrary I believe that essentially all significant projects developed using rigid phase, and therefore role, separation fail the business - but in saying that I claim that there are two very different kinds of failures. There are the obvious hard failures in which the project is cancelled, abandoned, or declared hugely successful but never heard from again - and then there are the really expensive ones: soft failures in which the project becomes an albatross hanging on user necks to impede them.

In other words, I’m prepared to argue that the worst software project failures from a business perspective are often considered successes by IT.

In this view, the worst of the worst are the ones that succeed at brilliantly doing the wrong thing.

Alberta Health, for example, went through at least three separate attempts to redevelop their original claims and registration systems, finally producing an outstanding success in the mid nineties - and locking the entire organization into an eighties style management structure that I’m guessing now costs the taxpayer well over a billion a year.

All of which leads me to propose a fundamental observation about software development: specifically, that there’s an inherent parallelism between the rigidity of the development process and the effect the application will have in use: i.e. the tighter the controls imposed during development, the more of a strangulation effect a successful release will have on downstream organizational flexibility and productivity.

March 26th, 2008

I’m not against Windows; Unix just works better

Posted by Paul Murphy @ 4:45 am

Categories: General, Linux, Enterprise Policy, Media bias/incompetence, Sun, Productivity

Tags: Linux, Red Hat Inc., Sun Microsystems Inc., Unix, Sun Solaris, Me, PC, Beer Money, Paul Murphy

I’m biased in favor of Unix and against Windows - everybody knows that except me; my perception is that I like things that work and Unix works better.

Potential client: “Look, you’ve got a rep and we’re concerned you’re just going to recommend Solaris on SPARC - the way you did at XXX two years ago.”

Me: “Yep: and then they went with HP. Now they’re a couple of million down with nothing actually working - so we will never know if I was right, but it’s pretty obvious they were wrong.

But you know, so what? You have to think about what you’re doing - not what someone else did. You’re planning, what? You said about 400 x86 8 core machines to start with and enough float, in square footage, power, and air, to quadruple throughput over two years? So am I going to recommend Sun for that? It depends on what apps these things are supposed to run - but I’ll tell you up front that with requirements in that range the job isn’t going to be to show why you should bet on Sun’s stuff, it’ll be to find reasons not to - and all of those would have to be application based because their current T2 line would, for most business apps, give you your start-up throughput with maybe 60 to 80 machines - that’s four racks, half empty - and with the “Victory Falls” stuff that’s quietly being shipped already they’ll have you down to two racks for the processors and maybe another two for storage.

If your apps let you go Sun, you probably won’t even build a data center at all - just sound proof the hell out of a couple of rooms you can get networking, power, and cooling into, split your rack count two ways for redundancy, and call it done.

March 25th, 2008

Security metrics and issues

Posted by Paul Murphy @ 7:15 am

Categories: Wintel vs Lintel

Tags: Wintel, Security, Performance, Integrity Failure, Paul Murphy

One of the questions coming out of last week’s wintel vs lintel discussions asked which one is generally more secure. As it turns out that’s an easy question to answer - unless, of course, you want to demonstrate that your answer is correct, because then it turns out that virtually nothing is definitively known about either the question or the answer.

So let’s start by stating the question in terms appropriate to the kind of practical decision making IT administrators face with every new acquisition or significant change opportunity: “which choice will best support efforts to establish and maintain a reasonable compromise between security and usability?”.

Next let’s define “security” in terms of cost minimization; specifically in terms of the expected value of losses associated with system integrity failures such as data destruction, loss of processing productivity, unauthorized use of (or just access to) data, and so on.

What that leads to is an imaginary three part security metric made up as:

  1. a list of possible systems integrity failures; Note that this cannot be a listing of discrete events but must, instead, incorporate some kind of “liquid measure” classification to reflect event durations and scale.
  2. the estimated cost to the organization associated with each item on the list of possible failures; and,
  3. the estimated probability for each failure under different security policies (including OS choices) applied in each computing environment of interest.

Although there is no known practical way to generate the first two of these with any generality, this doesn’t matter because, except with respect to settlement of legal actions undertaken in response to systems integrity failures, neither affects the lintel vs wintel question. Basically we can over-simplify a little bit and assert that the wintel/lintel decision affects only the probability of each event - not its cost and not its nature.

In other words what we want to compare for a broad sample of events is the conditional probability that the cost associated with the event will be incurred given Lintel versus the conditional probability that the cost associated with the event will be incurred given Wintel. (To be technical we want to compare the two distributions, choosing the one with the smaller integral.)

As far as I know no one has tried to do this, but it’s obvious how a research project along these lines would proceed: simply record, across a large number of machines used in a significant variety of roles, how often events occur and with what effect. Doing this for even a few thousand machines in each group over a period of a few months should produce a definitive general answer which users could then review in light of their own applications.
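A sketch of the bookkeeping such a study would involve, as an added example that is not from the original post: it turns incident records into an observed cost per machine-month for each platform, then checks whether the difference in event rates is larger than sampling noise, which goes slightly beyond the text. The records, cost figures, platform labels and function names are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample records, not measurements. One row per observed
# integrity failure: (platform, failure class, duration in hours).
# Duration is the "liquid measure" the metric asks for.
INCIDENTS = [
    ("platform_a", "service_outage", 2.0),
    ("platform_a", "service_outage", 0.5),
    ("platform_a", "data_exposure", 1.0),
    ("platform_b", "service_outage", 4.0),
    ("platform_b", "service_outage", 1.5),
    ("platform_b", "service_outage", 3.0),
    ("platform_b", "data_destruction", 6.0),
]

# Observation window per platform, in machine-months (constructed).
MACHINE_MONTHS = {"platform_a": 1000.0, "platform_b": 1000.0}

# Cost per hour of each failure class (constructed). Following the post's
# simplification, cost depends on the event, not on the platform.
COST_PER_HOUR = {
    "service_outage": 500.0,
    "data_exposure": 4000.0,
    "data_destruction": 2500.0,
}


def expected_loss(platform):
    """Observed cost per machine-month: sum(duration * hourly cost) / exposure."""
    total = sum(
        hours * COST_PER_HOUR[kind]
        for name, kind, hours in INCIDENTS
        if name == platform
    )
    return total / MACHINE_MONTHS[platform]


def rate_ratio(a, b, z=1.96):
    """Event-rate ratio a/b with an approximate 95% interval.

    Uses the usual log-scale normal approximation for a ratio of two
    Poisson rates: se(log ratio) = sqrt(1/events_a + 1/events_b).
    """
    counts = Counter(name for name, _, _ in INCIDENTS)
    if counts[a] == 0 or counts[b] == 0:
        raise ValueError("need at least one event on each platform")
    ratio = (counts[a] / MACHINE_MONTHS[a]) / (counts[b] / MACHINE_MONTHS[b])
    se = math.sqrt(1 / counts[a] + 1 / counts[b])
    return ratio, ratio * math.exp(-z * se), ratio * math.exp(z * se)


def verdict(a, b):
    """Say which platform has the lower event rate, if the data can tell."""
    _, low, high = rate_ratio(a, b)
    if high < 1:
        return f"{a} has the lower event rate"
    if low > 1:
        return f"{b} has the lower event rate"
    return "no definitive difference at this sample size"


if __name__ == "__main__":
    for platform in MACHINE_MONTHS:
        print(platform, "cost per machine-month:", expected_loss(platform))
    print("rate ratio a/b with interval:", rate_ratio("platform_a", "platform_b"))
    print(verdict("platform_a", "platform_b"))
```

With only a handful of events per platform the interval straddles 1, so the point estimates differ while the comparison remains undecided.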

There may, however, be a proxy data set that would serve: Netcraft’s web server uptime and performance data. You have to pay for access to the actual data, but some of their regularly published reports, including the monthly hosting provider uptime and performance reports, are derived from it.

This data is of course far too narrow in scope to be remotely considered definitive - but it is probably reasonably indicative, and certainly pleasing to the Unix crowd because Solaris and the BSDs top the reliability listings while the Linux/x86 variant routinely occupies five or more of the top ten slots in the monthly hosting provider reports.

So what’s the bottom line answer? We know how to answer the lintel vs wintel question with respect to security in the PC community sense of that word, but we don’t have the data to do it. The very limited data we do have, however, leans heavily toward lintel over wintel.

March 24th, 2008

Security: Lintel vs Wintel

Posted by Paul Murphy @ 5:15 am

Categories: General, Linux, Enterprise Policy, Wintel vs Lintel

Tags: Wintel, Attacker, Vulnerability, Flaw, Here, National Vulnerability Database, Petreley, Here, He, Paul Murphy

In the PC community “security” just means defending against attacks aimed at destroying or misusing all or part of a computer system. In that context most of the complexities associated with trying to decide whether wintel or lintel will expose you to less security risk arise from the absence of suitable metrics.

I’ll suggest something tomorrow, but today I want to look at two efforts to establish something effective. The first of these is represented by CERT’s Common Vulnerability Scoring System; the other is from a 2004 article by Nicholas Petreley.

CERT first. Here’s part of how they describe their metric:

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritization of vulnerability remediation activities and in calculating the severity of vulnerabilities discovered on one’s systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

Look further, and you can get a look at the underlying equations. Two excerpts:

Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
Exploitability = 20*AccessComplexity*Authentication*AccessVector
f(Impact) = 0 if Impact=0; 1.176 otherwise

ConfImpact = case ConfidentialityImpact of
none: 0
partial: 0.275
complete: 0.660

Now, I don’t know about you but whenever I see something like that definition my instant assumption is that the methodologists have wrestled control away from the practitioners - and with the usual results. In this case that first impression seems to be warranted: as nearly as I can make out the entire model seems to be based on the belief that guesses can be elevated to fact merely through the application of double precision arithmetic.
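To show what the quoted excerpts compute, the following added example (not from the original post or from the CVSS authors) scores a CVSS v2 vector string with those equations and then re-scores it with each input judgement changed one step at a time. The function names are assumptions of this example; the weights other than ConfImpact and the final base-score equation come from the CVSS v2 guide rather than from the excerpts above.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 guide. The post quotes only the
# ConfImpact row; the other rows come from the same specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # AccessVector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # AccessComplexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # ConfImpact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # IntegImpact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # AvailImpact
}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {'AV': 'N', ...}; reject bad input."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        key, sep, value = part.partition(":")
        if not sep or key not in WEIGHTS or value not in WEIGHTS[key]:
            raise ValueError(f"unknown metric or value: {part!r}")
        if key in metrics:
            raise ValueError(f"metric given twice: {key}")
        metrics[key] = value
    missing = [k for k in WEIGHTS if k not in metrics]
    if missing:
        raise ValueError("missing metrics: " + ", ".join(missing))
    return metrics


def round1(x):
    """Round half up to one decimal place, as the CVSS v2 equations require."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def score_metrics(metrics):
    """Return (Impact, Exploitability, BaseScore) for parsed metrics."""
    w = {key: WEIGHTS[key][value] for key, value in metrics.items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AC"] * w["Au"] * w["AV"]
    f_impact = 0 if impact == 0 else 1.176
    base = round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)
    return impact, exploitability, base


def base_score(vector):
    """Score a CVSS v2 base vector string."""
    return score_metrics(parse_vector(vector))


def one_step_changes(vector):
    """Re-score the vector with each single metric set to each alternative value.

    Shows how far one changed judgement call moves the published number.
    """
    metrics = parse_vector(vector)
    results = []
    for key, options in WEIGHTS.items():
        for value in options:
            if value != metrics[key]:
                changed = dict(metrics)
                changed[key] = value
                results.append((key, value, score_metrics(changed)[2]))
    return results


if __name__ == "__main__":
    vector = "AV:N/AC:L/Au:N/C:P/I:P/A:P"  # constructed sample input
    impact, exploitability, base = base_score(vector)
    print(f"{vector}: impact={impact:.2f} "
          f"exploitability={exploitability:.2f} base={base}")
    for key, value, score in one_step_changes(vector):
        print(f"  {key} -> {value}: base={score}")
```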

Petreley’s 2004 report comparing Windows and Linux security suggests eight sub-categories for each of three major sources of “security” risk and provides a guide for applying these to your own situation.

Here’s his summary:

Elements of an Overall Severity Metric

Damage potential of any given discovered security vulnerability is a measurement of the potential harm done. A vulnerability that exposes all your administrator passwords has a high damage potential. A flaw that makes your screen flicker would have a much lower damage potential, raised only if that particular damage is difficult to repair.

Exploitation potential describes how easy or difficult it is to exploit the vulnerability. Does it require expert programming skills to exploit this flaw, or can almost anyone with rudimentary computer experience use it for mischief?

Exposure potential describes the amount of access necessary to exploit a given vulnerability. If any hotshot hacker (commonly referred to as “script kiddies”) on the Internet can exploit a flaw on a server you have protected by a firewall, that flaw has a very high exposure potential. If it is only possible to exploit the flaw if you are an employee within the company with a valid login ID, using a computer inside the company building, the exposure potential of that flaw is significantly less severe.

He provides eight categories of risk in each group - a sample, this one for the “Damage potential” element:

Damage Potential

This metric is the most difficult to quantify. It requires at least two separate sets of categories. First, it takes into account how much damage potential a flaw presents to an application or the computer system. Second, the damage potential must be measured in terms of “what it means” to the company affected. For example, there is a single metric where a flaw allows an attacker to read unpublished web pages. That flaw is relatively minor if no sensitive information is present in the system. However, if an unpublished web page contains sensitive information such as credit card numbers, the overall damage potential is quite high even though the technical damage potential is minimal. Here are the most important factors in estimating technical damage potential for any given flaw, in order of severity from least to worst:

1. The flaw affects only the performance of another computer, but not significantly enough to make the computer stop responding.

2. The flaw only affects the attacker’s own programs or files, but not the files or programs of other users.

3. The flaw exposes the information in co-worker’s files, but not information from the administrator account or information in any system files.

4. The flaw allows an attacker to examine, change or delete a user’s files. It does not allow the attacker to examine, change or delete administrator or system files.

5. The flaw allows an attacker to view sensitive information, whether by examining network traffic or by getting read-only access to administrator or system files.

6. The flaw allows an attacker to gain some but not all administrator-level privileges, perhaps within a restricted environment.

7. The flaw allows an attacker to either crash the system or otherwise cause the system to stop responding to normal requests. This is typically a Denial Of Service (DoS) attack. However, the attacker cannot actually gain control of the computer aside from stopping it from responding.

8. The flaw allows an attacker to change or delete all privileged files and information. The attacker can gain complete control of the target system and do virtually any amount of damage that a fully authorized system administrator can do.

In the body of the report he recognizes, at least as I understand him, that this framework can be applied to fully contextualized decisions but cannot reasonably be generalized to form a simple yes/no decision guide for everyone.

Instead, he suggests that the more general route to a conclusion starts by looking at the operating systems under consideration - and that this will always favor Lintel over Wintel because Linux is Unix and shares its traditional separation between privileged and unprivileged operations, while Windows is a brand name used to sell a wide range of products all of which are characterized by a separation-defeating need to maintain backwards compatibility.

And that’s his bottom line: on average people applying Mr. Petreley’s metric to their own decisions will find that Lintel rates lower on the exposure part of the risk scale - making it generally the better bet.

March 21st, 2008

Discussing talkback formats

Posted by Paul Murphy @ 1:34 pm

Categories: What users care about

Tags: Blogger, Blogging, Internet, Paul Murphy

Just this morning a discussion erupted among zdnet bloggers concerned about talkback formats. Three issues seem to dominate the conversation:

  1. The wall - the complexities or otherwise of getting a login and using it;
  2. Idiots - whether bloggers should have the right and/or responsibility to remove/edit offending comments or even deny perennial offenders the right to comment; and,
  3. Layouts, formats, and limits - things like thread views, the missing “Preview” button, and the limits on responses to responses.

No one else has raised it, but I’d also like to see comments about zdnet system performance - how fast, and how well, pages format on your screens.

In truth I don’t see any of this stuff as really my business - but you’re the users and it’s very clearly your business - so, comment to the editor time: what do you think about these issues and what suggestions do you have?

March 21st, 2008

Leadership vs. Management

Posted by Paul Murphy @ 7:04 am

Categories: Defenestration

Tags: CIO, Leadership, Information Technology, Strategy, Management, Paul Murphy

This is the tenth excerpt from the first book in the Defen series: The Board Member’s IT Brief.

Note that this is a draft for a new bit to be inserted before the extract published last week - a response to the many comments received based on my perception that a lot of them derived from my failure to properly frame the hiring decision before discussing technology alignment.

Basically I think that discussion raised some very difficult issues - and that by itself justifies my decision to ask for help with the book (many thanks!) - and I’m quite sure I’ll be re-writing this section at least once more before it’s finished.

In that same vein I’ve also added a new second paragraph to section 3.2, which now starts:

In choosing a CIO, the cardinal rule is to pick someone whose skills align with the technology you have or want. Management processes form a critical piece of your information architecture and are not the same across all technologies - expertise with respect to one is usually counter-productive when applied to another.

Notice, however, that real world IT, especially in larger and older organizations, is often characterized by a virtual dog’s breakfast of competing technologies. What you want to do is pick a mainstream, not the only one, but the one you have or want to get to as the primary driver for IT behavior and use in your organization.

3.1 the CIO and IT role

The most important thing you can do before reviewing resumes or interviewing candidates for senior IT management positions is to think long and hard about how you want IT to work in your organization - because you should expect that the guy you’re hiring is going to play a big role in making that happen, or not happen.

Be aware, however, that quite a lot of CIOs have no actual role in systems operations but act, instead, merely as figureheads interfacing the real IT head to other senior managers. Thus if you find that your other senior people are really looking for someone just like them who happens to speak a little geek, your biggest problem isn’t choosing a new CIO - you have one in place - it’s what to do about the other players participating in the charade.

Very broadly speaking, systems operations present themselves as either cost sinks or revenue generators - but be careful because a lot of cost sinks like to pretend to be revenue generators and you may have to look closely at the typical fence straddler to see which side the majority of the operation actually falls on.

Despite the sales appeal that goes with a revenue focus, however, you’ll find that most CIO candidates present themselves as cost minimizers - typically telling resume readers how they’ve saved their more recent employers just enormous chunks of change — but if you read carefully and maybe make a few calls to references, what you’ll find is that the hallmark of IT career success is having your share of the overall corporate budget increase every year.

Part of what’s going on with that is that head hunters make their decisions on which resumes to present based on perceived majority expectations, and therefore usually won’t present an IT guy who has consistently cut his own budget and span of control.

What you normally get, therefore, are lots of candidates who claim to be cost minimizers, but actually increased overhead expenditures in every management job they’ve ever held - and what that means as a corollary is that if you want someone who really will cut IT costs while shifting control to users, you’ll almost always have to rely on the grapevine instead of the head hunters.

Review enough resumes and you’ll see that there are three main ways CIOs achieve claimable savings while increasing budgets. The first, and easiest, is to rely on the operation of Moore’s law to bring down capital costs each year: “Reduced IT capital budgets from $16 million (annualized) to only $9 million - achieving a 77% saving!” - and simply not report on the resume that staffing, consulting, and software costs increased significantly more.

The second, and most objectionable, method is to institute or expand user department billbacks for IT services and recognize consequent reductions in the annual budget requisition as savings - while, in reality, of course, IT costs are sky-rocketing along with user resentment and rebel IT.

The third, and sadly most common, strategy derives claimable company wide savings from the fact that the combination of IT control centralization with IT efforts to find and sell new and more efficient user work processes often demoralizes users, turning the control shift into an avalanche and letting IT assert ownership of an ever larger chunk of user resources while justifying each step on short term savings.

What’s going on with these kinds of strategies is that the candidates involved see IT as inward facing, as a vehicle for personal and career growth; that view is fundamentally a consequence of IT’s original organizational posture as a function brought in to cut transaction costs in Finance.

In general, however, people hired as revenue generators tend to be better at it than people hired as IT administrators, so most of the time IT parasitism is accompanied by decreases in corporate productivity per overhead dollar - but be aware that most of the time is not all the time, and you have to think carefully about what you want IT to do in your organization and correspondingly how you want to manage it before embarking on your CIO quest.

Some notes:

  1. These excerpts don’t include footnotes and most illustrations have been dropped as simply too hard to insert correctly. (The WordPress html “editor” as used here enables a limited html subset and is implemented to force frustrations like the CPM line delimiters from MS-DOS).
  2. The feedback I’m looking for is what you guys do best: call me on mistakes, add thoughts/corrections on stuff I’ve missed or gotten wrong, and generally help make the thing better.
  3. When I make changes suggested in the comments, I make those changes only in the original, not in the excerpts reproduced here.

March 20th, 2008

As others see us

Posted by Paul Murphy @ 12:15 am

Categories: General, Linux, Enterprise Policy, Apple, Productivity

Tags: Linux, Wal-Mart Stores Inc., It, Paul Murphy

Last week’s Walmart announcement about dropping the Linux PC from store shelves drew a lot of comments. One of those, by the Forbes editor who writes the fake Steve Jobs blog, is worth a closer look for two reasons: a nice sentence summarizing a lot of outsider reaction to the whole Lintel vs. Wintel argument, and an apparently gratuitous attack on groklaw.

The report, under the title “Wal-Mart yanks Linux PC, cites lack of childlike wonder”, is dressed up as a comment on a March 11/08 Information Week piece by Serdar Yegulalp discussing Walmart’s failure to make money selling a $199 Linux desktop and concludes with this bit:

Nonetheless freetard hack boy says, “I don’t think this is the end of the road for retail Linux PCs — not by a long shot,” though he concedes that “selling Linux to the masses is going to require more than just a low price tag — since, when you get down to it, Linux already has that.”

Um, yeah. Put it this way. When you’re giving something away free, and people still don’t want it, and in fact would rather spend money on something else, you’ve got a problem.

As insights go, that one’s hard to argue with - although what caused the failure was packaging rather than Linux: a no-brand, monitor-less box aimed at selling Linux to pretend and wannabe geeks just isn’t going to find love among “Wal-Tards” - as fake Steve calls Walmart’s customers. In contrast a Lintel box dressed like an iMac and aimed at people who just want an email and web access appliance would, I believe, sell quite well to those same Walmart customers because that’s what they want.

The attack on groklaw is more interesting. Here it is:

Nonetheless, I expect that soon the extreme freetards at Groklaw will suggest a Microsoft conspiracy. Like, um, after doing some heavy-duty investigative work it turns out that some mid-level executive who joined Wal-Mart last month is the same guy who back in the 1980s worked at an investment bank that managed money for a prince from Saudi Arabia and strangely enough records show that in 2003 Bill Gates visited Saudi Arabia and met with a cousin of that very same prince and they talked about creating a company to bring more tech to the Middle East. Pretty easy to connect the dots, right? Soon, Steven J. Vaughan-Cut-and-Paste of eWeek will pick up the meme and after repeating it once or twice will shorten it to “the well-known close ties between Microsoft and Wal-Mart, which led to Wal-Mart removing all Linux machines from its stores.”

On the surface what’s wrong with this parody is that the Forbes editor writing it missed groklaw’s signature “So there’s Waldo” schtick, but what made it interesting to me was the thought that this probably represents a majority opinion among Forbes readers - including many of our bosses.

It’s easy when you’re inside something to lose track of its relative importance in the greater whole - and what this suggests is that while groklaw looms large for the general Linux community, outsiders tend to see it with something akin to amused contempt.

It’s that same inability to see ourselves as others see us that really underlies the gPC’s failure to sell at Walmart - it wasn’t a bad box and the price was right, but the focus on selling Linux by wrapping it in a cheap computer was fundamentally out of step with a market which clearly did not want that - and may, I think, really be looking for something that’s simple, cheap, and complete enough to just work.

March 19th, 2008

Who benefits from data center centralization?

Posted by Paul Murphy @ 5:15 am

Categories: Enterprise Policy

Tags: Centralization, Security, Data Center, Information Technology, Benefit, Server, Here, It, Larry Dusanic, Paul Murphy

I read an Information Week article recently on data center best practices praising various data center centralization efforts. Here’s the opening bit:

There are data centers, and then there are data centers. The first kind ranges from the overheated, wire-tangled, cramped closets that sometimes also host cleaning supplies to the more standard glass-house variety of years past. The second kind–and the topic of this article–cool with winter air, run on solar power, automatically provision servers without human involvement, and can’t be infiltrated even if the attacker is driving a Mack truck full-throttle through the front gate.

These “badass” data centers–energy efficient, automated, hypersecure–are held up as models of innovation today, but their technologies and methodologies could become standard fare tomorrow.

Rhode Island’s Bryant University sees its fair share of snow and cold weather. And all that cold outside air is perfect to chill the liquid that cools the university’s new server room in the basement of the John H. Chafee Center for International Business. It’s just one way that Bryant’s IT department is saving 20% to 30% on power consumption compared with just a year ago. “We’ve come from the dark ages to the forefront,” says Art Gloster, Bryant’s VP of IT for the last five years.

Before a massive overhaul completed in April, the university had four “data centers” scattered across campus, including server racks stuffed into closets with little concern for backup and no thought to efficiency. Now Bryant’s consolidated, virtualized, reconfigured, blade-based, and heavily automated data center is one of the first examples of IBM’s young green data center initiative.

On a word count basis the first half of this article is mostly devoted to adding an energy savings/environmental sizzle to selling the centralization agenda - thus this bit, a mid article return to the Bryant University example, pretty much wraps that up:

Consolidation was one of the main goals of Bryant’s data center upgrade. The initial strategy was to get everything in one place so the university could deliver on a backup strategy during outages. Little thought was given to going green. However, as Bryant worked with IBM and APC engineers on the data center, going through four designs before settling on this one, saving energy emerged as a value proposition.

The final location was the right size, near an electrical substation at the back of the campus, in a lightly traveled area, which was good for the data center’s physical security. Proximity to an electrical substation was key. “The farther away the power supply, the less efficient the data center,” Bertone says. Microsoft and Equinix both have data centers with their own substation.

The next page or so focuses mainly on physical security - a return to the opening paragraph comment that some data centers are built so well they’re proof against a Mack attack. A sample:

For Terremark, too, security is part of its value proposition. It recently built several 50,000-square-foot buildings on a new 30-acre campus in Culpepper, Va., using a tiered physical security approach that takes into consideration every layer from outside the fences to the machines inside.

For its most sensitive systems, there are seven tiers of physical security a person must pass before physically touching the machines. Those include berms of dirt along the perimeter of the property, gates, fences, identity cards, guards, and biometrics.

Among Terremark’s high-tech physical security measures are machines that measure hand geometry against a database of credentialed employees and an IP camera system that acts as an electronic tripwire. If the cordon is breached, the camera that caught the breach immediately pops up on a bank of security monitors. That system is designed to recognize faces, but Terremark hasn’t yet unlocked that capability.

Some of what Terremark says are its best security measures are the lowest tech. “Just by putting a gutter or a gully in front of a berm, that doesn’t cost anything, but it’s extremely effective,” says Ben Stewart, Terremark’s senior VP for facility engineering. After the ditches and hills, there are gates and fencing rated at K-4 strength, strong enough to stop a truck moving at 35 mph.

The last part of the article advocates data center automation - here’s a bit:

“Our data centers are pretty dark,” says Larry Dusanic, the company’s director of IT. The insurer doesn’t even have a full-time engineer working in its main data center in southern Nevada. Run-book automation is “the tool to glue everything together,” from SQL Server, MySQL, and Oracle to Internet Information Server and Apache, he says.

Though Dusanic’s organization uses run-book automation to integrate its systems and automate processes, the company still relies on experienced engineers to write scripts to make it all happen. “You need to take the time up front to really look at something,” he says. Common processes might involve 30 interdependent tasks, and it can take weeks to create a proper automated script.

One of the more interesting scenarios Dusanic has been able to accomplish fixes a problem Citrix Systems has with printing large files. The insurance company prints thousands of pages periodically as part of its loss accounting, and the application that deals with them is distributed via Citrix. However, large print jobs run from Citrix can kill print servers, printers, and the application itself.

Now, whenever a print job of more than 20 pages is executed from Citrix, a text file is created to say who requested the job, where it’s being printed, and what’s being printed. The text file is placed in a file share that Opalis monitors. Opalis then inputs the information into a database and load balances the job across printers. Once the task is complete, a notification is sent to the print operator and the user who requested the job. Dusanic says the company could easily make it so that if CPU utilization on the print server gets to a certain threshold, the job would be moved to another server automatically. “If we had a custom solution to do this, it probably would have cost $100,000 end to end,” he says.

Put all the pieces together and what you get is an innocent sounding question with an immediate corollary: how does today’s “badass” data center differ from the 1970s glass house?

The answer, I think, is that it doesn’t: from physical design to controls imposed on users, this is the 1970s all over again - and that’s what brings up the corollary question: all of this stuff is discussed and presented, both in the article and in the real world, from an IT management perspective - so who represents the users and what role do they have in any of it?

The answer to that, I think, is that the users weren’t considered except as sources of processor demand and budget - and that everything reported in this article, from the glass house isolation achieved at Bryant to the obvious pride taken in the user tracking component for the ludicrous printing “solution” at Dusanic’s company, reflects an internal IT focus placing enormous managerial barriers between users and IT.

Think about that a bit and I’m sure you’ll agree that all of this brings up the most difficult question of all: assume, as I do, that the analyses undertaken before these organizations committed to the increased controls and centralization praised in the article showed them to produce significant savings to IT, and then ask how it netted out organizationally after the impact on users is accounted for?

My guess is first that the question is never seriously considered by the people proposing or executing this type of IT power grab; and second that the answer will be expressed, in the longer term, as the organizational cost of rebel and personal IT. In other words, when some professor spends an extra dollar on a laptop so he can work independently of the network, spends an extra hour trying to make his own backups work, or relies on his home machine to serve course PDFs to his students, he’s functioning as a largely untrained, $100,000 per year or more, sysadmin and thus incurring enormous organizational costs that should be charged against those centralization projects - but almost certainly were not.

And from that I get my bottom line on this: a pithy new rule for executives reviewing data processing proposals from mainframers and their Wintel colleagues: the more money organizations save by centralizing IT control and processing, the more it costs them.

March 18th, 2008

When Lintel beats Wintel

Posted by Paul Murphy @ 5:00 am

Categories: General, Enterprise Policy, Wintel vs Lintel

Tags: Wintel, Linux, Open Source, Lintel, Here, It, Paul Murphy

Here’s the full text of something by frequent contributor Anton Philidor during last week’s discussion of various approaches to Lintel/Wintel TCO comparisons:

“Linux is more expensive than Windows.”

You agreed.

Quoting:

By mid 2004, however, enough people had bought into Red Hat’s non license licensing to make Linux arguably more expensive to license than Windows…

[End quote.]

There was a time when Linux was considered free software instead of the commercial product of two companies.

Because one of those companies was Novell, which competes with Sun to produce the least financial gain from estimable products, Red Hat was well on its way to a monopoly.

So Microsoft decided to sell Novell’s Linux, and proved to be the best sales staff the software ever had. But that has ended.

IBM helped Novell buy SuSE while carefully evading liability for open source IP violations, and then ignored the company when it was in difficulty. Perhaps because IBM treats Linux as a way to reduce costs or as part of a bait-and-switch scheme rather than software to be sold.

So now there are one-and-one-half Linux distributions (SuSE being the half and inevitably fading away) in the commercial market, the only one that produces enough money in sales to matter. The remaining Linux distributions are for enthusiasts.

It’s reasonable, then, to simplify: Linux is Red Hat.

Given this reality, how is it possible for Linux ever to be substantially less expensive than Windows? (Over the typical corporate time period.)

I don’t share Anton’s view of reality - and in particular I hope I don’t usually argue that assuming something proves its truth - but he does ask an intriguing question: “how is it possible for Linux ever to be substantially less expensive than Windows?”

As asked that’s a no-brainer: if you’re not dumb enough to pay someone like Red Hat to impose a license on you, Linux really is free - meaning that it’s always possible to get Linux for less than Windows.

To extend that simple argument over the lifetime of the system you need to make a lot of assumptions - but reasonable assumptions produce reasonable results: i.e. if you’re fair about the assumptions, Wintel falls further and further behind Lintel as you extend the time frame simply because the cost of acquiring, installing, and supporting Linux applications is always less than that for Wintel applications.

(Note that the Wintel people frequently argue that it takes about as much time to administer a Lintel system as a Wintel one and that Lintel skills cost more - thus giving Wintel a long term cost of support advantage. In reality, however, a properly configured Lintel machine will typically require no further support until the hardware fails or something changes - and as the average MCSE ages his expectations about salary, benefits, and working conditions rise to the point that the new grads being hired to run Linux now cost most organizations considerably less than their more senior Wintel colleagues.)

It’s at this point in the analysis that you hit, however, the limitations built into the question as Anton asks it. Specifically, “how is it possible for Linux ever to be substantially less expensive than Windows?” focuses on cost when really we ought to be talking about expected benefits net of costs. Try to do that across a range of Lintel/Wintel usage scenarios and you’ll discover that you simply can’t make a case for Microsoft on most server applications but can make one for Microsoft on most desktop applications.

Notice that I said “most server” and “most desktop” applications because these generalizations don’t apply across the board. What does seem to produce a somewhat more general differentiation is whether Microsoft or open source leads with respect to the core application in a bundle.

That leadership can be expressed in two ways: through market dominance and through what the product does.

As far as I know the office suites offer the clearest example of this effect with respect to leadership achieved through market dominance. What happens there is that there’s no objective difference in benefits obtainable through use of either StarOffice/OpenOffice or Microsoft Office, but there is a consistent difference in the cost of ownership because open source users are forced to incur the costs of being different - providing additional training, re-assuring users unhappy about being held out of the perceived office automation mainstream, and converting third party documents to and from Microsoft’s proprietary formats.

Look, however, at the product areas where Microsoft routinely struggles to catch up to the open source competitor - essentially all server applications from the OS up - and you see that technical leadership can have the same effect: forcing someone doing a long term TCO study to add the costs of following - in these cases often expressed as foregone benefits - for those not choosing the industry’s leading applications.

So what’s the bottom line reality here? Simple: Lintel is always cheaper than Wintel to get into, but it usually only wins on long term TCO where the applications, like Apache and Firefox, lead Microsoft’s and, conversely, it loses on long term TCO where the applications, like StarOffice and Gnome, follow Microsoft’s lead.

March 17th, 2008

The tyranny of the majority

Posted by Paul Murphy @ 6:00 am

Categories: Linux, Enterprise Policy, Media bias/incompetence, Wintel vs Lintel

Tags: Paul Murphy, Mob, There, Paul Murphy

Most people find it extremely difficult to go against perceived majority opinion.

You can see one aspect of this for yourself by trying a simple social experiment: go somewhere a lot of people are partying and get at least ten to loudly and repeatedly urge another person to do something that’s really stupid - about eight times out of ten they’ll do it. In fact, if you’re like most people, you’ll have let some group con you into doing something obviously wrong or stupid at some point in your life and never afterward been able to really understand why you did it.

The reason is simple: mobs have emotional effects: it’s kind of a regression to the monkey thing that also underlies much of the appeal of pro-sports - because the vast majority of fans are there far more for the emotional high they get from being part of a roaring crowd than for the event itself.

One major problem with being part of a mob, however, is that repetition leads to belief: most sports fans think they care about the sport. More tragically, in large parts of the world today you either hate who they tell you to hate, or they kill you - and when that goes on for a couple of generations you get children who not only truly believe they hate, but believe that hate to be justified by historical or religious fact.

Mob psychology is part of being human: part of the fundamental us against them thing that makes us what we are. Look back a few hundred years and you see scholars willing to accept the orthodoxy of the day prospering while those arguing the rather obvious reality that the earth orbits the local star were being burnt alive - and more recently Canada’s leading enviro-fascist suggested global warming “deniers” should be jailed while numerous gorolites have demanded professional decertification and media silencing for weather professionals brave enough to doubt their nonsense in public.

Since mob appeal is basically just a human behavioral weakness it can, like most weaknesses, be exploited against you - and when the Wintel apologist community claims a 90% worldwide market share they’re just making up a number in the justified expectation that a lot of weaker people will find this a compelling argument for joining their mob.

In reality, however, a million blondes can be wrong: majority belief can lead to decisions and actions with real consequences, but has no effect on whether those actions are right or wrong, smart or stupid - moral relativism to the contrary.

There’s an IT bottom line to this: whether Wintel or Lintel makes more sense for some organization isn’t up for majority vote - it’s a horses for courses situation with a mob on one side and reason on the other, in which the decision maker has to look honestly and carefully at the factors going into his choices.

Paul Murphy (a pseudonym) is an IT consultant specializing in Unix and related technologies. See his full profile and disclosure of his industry affiliations.
