Bret Piatt

Many people seem to think “cloud” is just off-premise “virtualization”.  Cloud comes in a few flavors and I’ll argue that you can have “private cloud” either hosted off-premise in a provider’s facility or in your own.  The fundamental difference between cloud and virtualization is the goal of cloud is to automate provisioning (this applies to IaaS, PaaS, and SaaS) and the goal of virtualization is resource utilization optimization.  You can (and many providers do) use virtualization as the basis for building a cloud but it is not required.

If we take a look at the Reductive Labs presentation from OpsCamp slide 3 illustrates the primary benefit of cloud.  Cloud helps companies even if their minimum unit of work is larger than a single host machine where virtualization just adds overhead in that case.  The difference between “cloud” and “grid computing” or HPC is that grid/HPC process jobs in a batch manner rather than serve interactive applications.  You can build a compute grid on top of a cloud but not vice versa.

Other folks are saying “private clouds can’t exist because you can’t have rapid elasticity and pay for what you use”.  For a small company you may not be able to have a private cloud but for a large enterprise with many business units you certainly can.  An IT infrastructure BU can provide other organizations in the company all of the requirements of a cloud.

For public cloud to succeed they need to provide all three

Depending on the current utilization across an enterprises infrastructure they may be able to defer spending for a number of years by moving to a fully cloud enabled business.  Right now many departments cling to servers they don’t need because they’re afraid if they release it they’ll never get it back.  With cloud removing that fear resource hoarding ends and many enterprises will have a significant increase in available computing power.

Over the long term if the public computing clouds continue to grow, increase their transparency, and optimize their delivery models it will no longer make financial sense for enterprises to build their own infrastructure.  Public cloud providers will need to prove over the next decade they can deliver on all three corners of the “impossible triangle”.

I’ll come right out and give my theory up front and then explain why… We need to stop teaching young children “facts” and we need to start teaching them how to learn.  The only reason we teach young children “facts” is to shape their world view into what we want it to be while their minds are easily influenced because they haven’t learned logic, critical/deductive reasoning, and other associated fundamentals required to think independently.

Elementary education in the US is typically half “learning to learn” and half “learning facts”.  You can search and look through many online class schedules across the country and see this.  The “learning to learn” — reading, music, math, art make up part of the day.  The rest of the day — spelling, science, social studies, history is filled with teaching children “facts” and shaping their world view.  Even a fundamental like reading is focused on content over skills to increase speed and comprehension.  Almost none of the public schools offer foreign language even though a number of studies show significant benefits.

Is standardized testing to blame?  Perhaps as it is hard to test for the ability to learn especially in a multiple choice format.  Tests make sure you know “facts”.  Because of these tests and constant measuring we’re afraid to spend time building a foundation so children can learn faster as they age.  Linear progression is “safe” and teaching the ability to answer a question (often through memorization) is favored over teaching the understanding of how to figure out the answer.  Laws like the No Child Left Behind Act focus dollars on ensuring everyone can reach “average” rather than allowing most of the class to move at an accelerated pace (if the effort is spent on getting students below SD -1 to average 80%+ of the students in the class are effectively held back).

My call to action — get social studies and fact memorization science out of elementary schools.  Use social studies to stimulate debate allowing children to discuss issues and form their own opinions.  Use science as a chance to teach critical thinking and problem solving skills.  Resist the temptation to tell children what to believe — make them understand how to formulate an opinion.  This applies to math as well as social studies.  We typically wait until the second hear of high school to teach proofs in geometry.  One example is instead of having children memorize their times tables with no understanding as to why have them figure out multiplication as a better way to do some addition problems.

At some point it is important to learn facts — history, geography, etc. — but by waiting to teach these facts they can be learned in a fraction of the time.  You could spend an hour a day teaching a middle school child all of the facts they’d learn in 5 years of elementary school.  Stop wasting an hour a day on spelling, teach latin and children will learn to spell naturally.

Imagine the following schedule for your child instead of what they have today…

7:50-8:25: Arrival – Pledge, announcements, and a critical thinking logic problem we’ll discuss as a group.

8:25-9:00: Latin – Replace spelling memorization with fundamentals that enable good spelling and a foreign language

9:00-9:40: Math – Teach problem solving, proofs, word problems

9:40-10:50: Reading – Teach concepts to increase speed and comprehension

10:50-11:20: Lunch

11:30-12:00: Recess

12:10-12:40: Music  (M, W, F) / Art (Tu, Th) – Encourage creativity and original thinking

12:40-1:20: Science (M, W, F) / Social Studies (Tu, Th) – Lessons focused on problem solving and critical thinking

1:25-1:55: P.E. (M, W, F) / Library (Tu, Th) – Focus on teamwork and leadership skills

2:00: Dismissal

Our education system isn’t an abysmal train wreck like some people will scream.  It does a good job but it could be better.  Like compound interest builds wealth over time a 10% increase annually in the amount of learning a child does  more than doubles the amount they learn by the time they graduate from high school.  Also by continuing to teach kids how to learn you’ll lower drop out rates — at some point when a child falls too far behind in memorizing facts they give up or start to cheat to fake their way until they reach 16 (or 18, whatever the minimum age in your state) and can stop going.

I’m going to break this post up into two sections, the first will discuss public clouds and their features focused on advanced networking as an example.  The second portion will look at the future of cloud computing hardware — both networking and computing.

Public Clouds and Feature Selection

A discussion started on Twitter today after Werner Vogels (@Werner) tweeted about the future of networking through a blog post by James Hamilton entitled, “Networking: The Last Bastion of Mainframe Computing”.  Christopher Hoff hasn’t been thrilled (understatement of 2009) with the networking features provided by cloud computing platforms both public and private.  Unless I misunderstood his tweet he’d love to hear public cloud providers commit to a flexible API driven networking layer using technology such as OpenFlow.

I tossed back a question asking, “Are customers willing to pay for complex network customization in a cloud? If so, what percentage of them? Thoughts?” and he replied, “In terms of paying for parity in what I can do in even a basic enterprise today? No thanks. That’s on you as a provider in long term”.  I threw this question out because here-in lies the problem… Public clouds will only end up with the features that a broad market will pay for or a small market will pay a very significant premium for.  The reason behind this is when a cloud adds a core feature, it adds it everywhere.  This leads providers to only invest in new features that a enough of their customers are interested in to offset the cost of deployment and still yield a satisfactory return on capital.

Today at Rackspace customers that want advanced networking configurations are directed to our Private Cloud platform (I say our because I’m employed by Rackspace — the opinions expressed here however are mine alone).  They can then create security zones, use IPS/IDS, and enable enhanced DDoS defense services all behind dedicated firewalls and load balancers.  The private cloud environment can have bridged network segments that connect to a public Rackspace Cloud Servers(tm) configuration for workloads that do not require advanced networking.  The current addressable market interested in both public cloud as a primary platform and advanced networking is small.  The early adopter group of start-ups and SMBs doesn’t typically need or is not willing to pay for advanced networking and the enterprises that are willing generally aren’t first movers on new technology.

As the public cloud market matures the addressable market will grow and you’ll start to see public cloud providers adding advanced networking capabilities though the cloud definition of “advanced” won’t ever be truly “cutting edge” on a mass market cloud.  I expect we’ll see niche clouds emerge that will cater to specific application use cases that will have advanced features for their target customer.  Early examples of this are Force.com or the OpSource Cloud.

The Future of Cloud Computing Hardware

I’m now going to loop back to James’s post that kicked this whole thing off where he compared the current network device situation to mainframe and the vertical scale centralized systems.  He asserted that we’ll see a commoditization of the networking layer similar to what we’ve seen in the storage layer through technologies like RAID and through servers with x86.  The reason RAID and x86 have been successful is they are multi-purpose with the capabilities to serve a broad range of applications well with proper configuration.

Networking gear is very different because the workloads are all uniform and when you have a uniform workload an ASIC (Application Specific Integrated Circuit) or a FPGA (Field Programmable Gate Array) that has is tailored to a specific type of workload will enable better performance per dollar.  The second core difference between the server/storage markets and networking is once you step into the “carrier/cloud class” networking equipment only a few hundred potential customers exist — markets with fewer stronger customers tend to be more consolidated.  Networking gear has also been “cloud like” for over a decade now.  Lets look at the NIST requirements for a cloud:

On-demand self-service - This requirement is for a cloud to user relationship.  I’ll translate this to a network cloud to network engineer relationship.  For them, all carrier class networking gear supports SNMP along with other potential programmable configuration methods through management systems with APIs such as the Cisco Configuration Engine [PDF].

Rapid elasticity – This dates back to frame-relay where the concepts of a CIR (Committed Information Rate) was introduced.  The space has continually evolved with QoS being introduced on ATM up through the advanced dynamic algorithmic traffic routing today over IP/MPLS networks.

Resource pooling - Doing this for computing is new outside of the HPC market — telecommunication networks have been multi-tenant since the point the 3rd phone was hooked up over 100 years ago.

Measured Service – Networking has been doing this for years as well, down to the minute or byte of data instead of the hour or GB (the smallest unit of measure any public cloud compute or storage platform bills in).

Sun Oracle Database Machine

Broad network access – Service provider IP networks are the ultimate in heterogeneous access through standards based communication.  They support connectivity over a number of layer 1 physical mediums using quite a few layer 2 communication protocols.

Cloud computing may actually end up bringing the server market closer to the current networking market than vice versa.  An IBM Z-series is capable of very efficiently Linux instances.  It also supports I/O virtualization for both networking and storage with granular controls — features we still don’t have at the same quality level from x86 virtualization solutions.  The Oracle Exadata V2 is another example, it supports 1 million I/O per second for non-sequential workloads on databases up to 140TB in size.  How many commodity x86 servers does it take to match either of those configurations and how do they compare in capex and TCO (Total Cost of Ownership) to the IBM or Oracle specialized platforms?  We see even specialized x86 platforms being developed and deployed by a number of players.  Some examples are the Cisco UCS, SGI Ice Cube, and the Sun Modular Datacenter.  These platforms are all designed to optimize spend for virtualization/cloud computing workloads and while they may be made up of x86 sub-components they are designed to function as a complete “mainframe” functional unit.

Conclusions

We’re still very early in the technology transition to a full utility style computing grid.  As the transition progresses we’ll see more use cases served by a broader range of features.  For the small verticals with complex configuration needs and a low willingness to pay a premium we’ll see niche providers.

Networking hardware has been cloud like for more than a decade and a few major players dominate the market because of the small number of strong buyers.  Technologies such as OpenFlow in combination with Moore’s law has the potential to disrupt the market but this isn’t a guarantee.  The current clouds being built using a massive number of commodity x86 systems is also not guaranteed to be the future — specialized computing platforms have the potential to deliver better unit economics and in a commodity business it will come down to the financials in the end.

The OSI model is a great way to learn to layered design so components can be refactored or replaced without a complete system redesign.   This will also allow for a project to be broken up into separate teams in the future as they’ll have a clear understanding of their upstream and downstream requirements.  Beyond being able to divide a project up you also gain the ability for a new hire to jump in and really start contributing.

The OSI model visualized

This doesn’t mean you should “use the OSI model” in each project, it means you should use the principles behind it when designing the project.  Lets take the OSI model concepts to a basic web application.

Application: Your web front-end that users of the site see.  This should talk to a clear presentation layer API to generate any dynamic content.

Presentation: This generates the dynamic content of the site, handles encoding / decoding of data formats.  You should use a standard interface to connect to your data storage (ODBC/JDBC, OS/file system abstracted file I/O).

Session: This layer should be handled by your application server (ex. Apache, Jetty, Tomcat, etc.)  This can handle communicating with the networking layer of your operating system.

Layers 1-4: Most web applications don’t redesign anything here.  If you’re writing an infrastructure application you may need to consider segmenting at these levels.

We’ve now gone through a single purpose, single module web application architecture.  When you add a second service/module to your application ensure that communication occurs at the proper layers.  Having an application layer service of module A talking directly to a session layer service of module B may sound efficient but you’ll quickly end up weaving a web that will cause long term problems down the road.  All communications between modules should occur at the same layer, i.e. A:5 to B:5 to pass session data to another service.

I’d like to write more on this topic with examples so I’m going to cut it short tonight with a plan to continue in a series on this that includes an example application.

Earlier today a conversation on Twitter with Christopher Hoff (@Beaker), James Watters (@wattersjames), George Reese (@georgereese), Benjamin Black (@benjaminblack), and Shlomo Swidler (@ShlomoSwidler) discussed how many people seem to assume that because clouds can scale and rapidly provision servers that they’re always available and that because of this availability doesn’t have to be a fundamental design concept anymore.  It kicked off with @Beaker’s tweet about BitBucket, “Cloudifornication: 20+ hour outage due to EC2/EBS on BitBucket http://bit.ly/A8vCy” BitBucket ran into a problem with EC2/EBS that made their site unavailable for 20+ hours (I’m linking to the comments discussing it on Hacker News since the main BitBucket page is back to normal now, no longer the explanation since the problem is fixed). [UPDATE: Adding BitBucket blog post on the outage.]

The purpose of this post isn’t to analyze the BitBucket situation, it is to help people understand how to design an available architecture while still keeping it efficient in terms of expense.  Given an unlimited budget (or nearly unlimited) most IT architects will be able to build a “bullet proof” configuration.  Most of us don’t function in that world though so compromises are made.  Here I hope to outline how you can compromise effectively by thinking about availability early and often in the design process.  The design recommendations I’m going to outline are general in nature and depending on your specific business and operational model may not fit.  I enjoy discussing specific use cases and designs so if you’d like analysis directly related to your situation comment on the post and lets discuss it.

With that disclaimer here goes…a step by step guide to building a web application that will be available “almost all the time”… [Second disclaimer, I work for Rackspace Hosting, we have a cloud (The Rackspace Cloud), the recommendations here are my opinions, not those of my employer.]

1. Start with DNS — This is overlooked quite a bit and is the easiest thing you can do to ensure availability.  Get a reliable DNS provider that hosts their DNS servers in multiple data centers that each have multiple peering arrangements with documentation on their BGP convergence times.  This DNS provider should let you set the TTL (time to live) on your A records down to a maximum of 5 minutes (some will let you go as low as 1 minute).  Now you have the ability to redirect www.yoursite.com to a new IP address in 1-5 minutes.  While this may not let you recover your site completely, the worst case is in 5 minutes you can have a simplified version of your site up and running “somewhere” in 5 minutes.  Being able to give your customers a “We’re experiencing issues” message with a phone number or other information is invaiuable.  When customers believe you are working on recovering your site and/or have things under control they’re willing to trust you much more than if they get a 404 or 503 error page from their browser — if they are a new visitor and not a customer a 404 most likely means they never come back.

2. Design your application with portability in mind. Using a technology only available from a single provider may sound like a good idea but it locks you into that provider.  While we all believe our hosting provider will be in business forever 5 years ago we all thought we’d never see GM go bankrupt or Lehman Brothers cease to exist.  Cloud computing makes this much easier to test and implement than it used to be.  Part of going from idea to launch should include deploying your application to a minimum of two providers to ensure if something does happen to your provider you’ll be able to continue to run your business.  I don’t recommend trying to run your application on multiple providers as it’ll generally add expense you shouldn’t need — however I do recommend having your code and data with mutiple providers.  This requirement means you should try to avoid customizing at the OS/kernel/filesystem level.  Those are the main items I see causing difficulty in portability.  Next, if you want a hosting provider to support your application infrastructure stack (i.e. the HTTP server [Apache, IIS, etc], database server [Oracle, MySQL, MS SQL, Postgres, etc]) pick standard versions or plan on hiring staff to support your customizations.  While a single provider may agree to support your (or their) modifications others probably won’t.  If your provider has their own special versions of the appliation platform they may be trying to lock you in — beware!

3. Spend some time on BCP/DR (Business Continuity Planning/Disaster Recovery). You’ve spent months (or years) going from idea to application — if you spend a day or two you’ll have a fair BCP/DR plan — if you have somebody with a background in this you can have a good plan in a day or two.  After putting the plan together –TEST IT!  I’ve helped a number of businesses put together a plan and after we’re done they check the box, put it in a filing cabinet and then pray they never have to get it out.  That mindset is like a football team having a “2 minute drill” playbook but never practicing the plays hoping that they’ll never need to use it.  When it comes down the having to do it, if you haven’t practiced how well do you expect it to go with the added stress of an outage? “But Bret, I can’t test it, we can’t take our site offline for a test!” — You don’t have to go all the way to taking your main infrastructure offline (see #1 DNS).  You can bring up the replacement site without ever impacting your real site by modifying the DNS on your test machines (either point them to a BCP system test DNS server or modify the local host files).

Backup your data, backup your data, backup your data.

4. Backup your data, backup your data, backup your data. Customers will deal with service outages.  They won’t put up with you losing their data.  You use time capsule, Jungle Disk, Mozy, Dropbox, or any other number of personal backup programs for your personal files.  If your house burned down you’d still have all of your own stuff.  What would happen to your web site if the data center your servers are in burned to the ground?  Is the data gone? If it isn’t gone how long will it take you to restore?  Is that timeframe acceptable to you and your users?  A couple of concepts to familiarize yourself with are RPO (recovery point objective) and RTO (recovery time objective).  RPO means how much data will be lost — if you do a daily backup you have a 24 hour RPO, if you run a transaction replicated database (such as Oracle with Data Guard) with the databases in separate geographic locations your RPO may be under a second. On RTO if you’re restoring from a backup medium like tape you’ll be able to recover ~10-40GB/hr (depending on the tape technology and compression ratio of the backup) — if you have a 400GB database you have a RTO of 10+ hours even if with cloud computing you can instantly have a new database server available to put the data on.  With a live database in a second geographic location your RTO is also potentially under a second (for restoring data, since you don’t have a restore — this doesn’t mean your whole site is automatically online in that same time).  I won’t go into detail here since we’re talking availability and not integrity but having a multi-geographic location replicated database doesn’t insure integrity — you still need snapshots or transaction logs or another way to go back to various points in time if you end up with bad or erased data (see my favoriate XKCD, “Exploits of a Mom”).

So now that we’ve taken all of this into account — what do we do?  My recommendations…

1. Make a “gold build” of each of the server types in your application and understand how long it takes you to have your necessary quantity of each server type online at various providers — cloud makes this much easier, in the dedicated world you’re looking at days typically to provision a new environment.

2. If your business relies on a fully functional web site as a primary revenue stream have a live database at a secondary location with the ability to launch web and app servers to bring your environment online quickly in the event of a primary provider failure.  If you can continue to service your customers via phone and/or e-mail have a static version of your web site running that you can switch to using DNS in the event of a primary provider issue.

3. Keep your source code in multiple locations with the ability for multiple employees to be able to deploy the site in the event of an issue.  I’m a huge fan of collaborative code repositories like GitHub and Beanstalk but if your code is only one one of them and they’re down (or in maintenance window) when you need to have that code to bring up a backup environment you’re stuck — it costs next to nothing to keep that code in multiple places.

I understand that nowhere in this post do I mention HA (high availability) nor do I mention things people generally think of when they hear HA.  Having redundant switches, firewalls, routers, and servers all in a single location (what people generally think of when they hear HA) will ensure that location stays online and you should certainly be doing that but it puts all of your eggs into that basket if you aren’t looking at HA beyond the single infrastructure.  Now that I’ve mentioned it if you want to learn more about HA design in a single location the Internet is full of good information on the topic.

I’ve also focused the discussion on architectures relevant to “most folks”.  If you’re Facebook, eBay, or Google (the search engine) you don’t want to rely on DNS to deal with outages at a specific location.  You’ll want to pair DNS with GLB (global load balancing) and BGP so you can have near real-time re-routing of users and potentially even sessions.  My availability recommendations certainly aren’t free to implement but they also don’t double your expenses.  It is very possible to add between 5-25% to your hosting expense to significantly increase your availability (and decrease your RPO/RTO).

I’m going to also note that I didn’t mention systems management or monitoring here really.  Those are both key items to understand to have an available environment but aren’t directly tied to designing an available architecture.  You’ll need to have proper systems management tools and policies (or you’ll cause outages yourself) and you’ll need monitoring so you know when to implement your BCP/DR plan.

The local paper is coming to an end...

The Internet and the plethora of news sources it contains gives you better and more timely information than reading your local paper.  “The paper” still had a chance when we could only use “The Internet” on big fixed location desktop computers.  Now that I can read the WSJ content on a mobile application on my BlackBerry I no longer need to have “a paper” if I’m out and want access to news.  It isn’t just about the better content on the Internet, it is about ease of consumption of that content as well.  What we all see happening right now to the newspapers will hit radio next.

This is where Pandora comes in to threaten local FM music radio.  I’ve recently acquired a new car that happens to have an AUX jack.  With that AUX jack I can hook up my  BlackBerry Bold with Pandora and play music, music relevant to me, music without commercials (I’m sure this will change over time), and it is easy to use.  As smartphones continue their proliferation and cars with AUX jacks (thank you Apple for the iPod success and it pushing automakers to add AUX jacks) do the same we’ll see more and more people doing what I’m doing now — listening to Internet streamed radio in their car for free.

This not only kills off local radio, it nukes satellite radio long before the local radio dies.  My new car came with a free 6 month Sirius/XM subscription and I’m not even going to activate it.  I’m a fan of the concept and I was actually an early subscriber to XM during my days commuting in the Bay Area during “the bubble”.  Sirius/XM is doing the right thing in coming out with smartphone based applications to consume their service.  This not only lowers their customer acquisition costs (I suspect they had to subsidize the hardware deployment in autos) but increases the ease in which I can use their offering.  They need to get all of their content over to the smartphone version yesterday and they need to start pushing this as their primary marketing effort.

Clear Channel, owner of over 1,200 local radio stations, is another player in the mix — and probably the player with the most to lose.  They’re experimenting in the smartphone space with iheartradio that currently supports both BlackBerry and iPhone with content from over 350 of their stations.  I haven’t tried this out yet personally so after I do I’ll come back and add more detailed thoughts.

August 13th, 2009 the Olympics made their best decision so far this century, adding golf as a sport in 2016.  The PGA Tour needs to work with the IOC so golf can go for two full weeks of the games, here’s why….

We watch the players week in and week out play in stroke play tournaments.  Sometimes they play match play now thanks to the WGC, and every once in a while they have a team event with the President’s Cup and Ryder Cups.  The Olympics has the opportunity to outshine all of these.

Here is my proposed schedule which I’ll follow by event descriptions:

Don't just have another stroke play tournament

Day 1 – Skill games qualifying round

Day 2 – Match play event practice round

Day 3 – Match play event seeding round

Day 4-7  – Match play medal tournament

Day 8 – Rest day

Day 9 – Skill games medal round

Day 10 – Stroke play event practice round

Day 11-14 – Stroke play medal tournament

For the skill games this will allow a much more wide variety of people to participate.  The qualifying rounds will be used to narrow the field down to the top 16 so you can make a good hour long TV event from the medal round of each.  Skill events descriptions:

Long Drive: This is pretty clear, many of you have probably seen the Long Drivers of America on ESPN, under the lights — with a gold medal on the line the finals will be epic.

Putting Challenge: We’ve all done this with our buddies out on the practice green, play “18 holes” of par 2.  Cities build huge stadiums for the Olympics, the golf course they’re holding it at can build “the best practice green ever” with plateaus, ridges, bowls, and more.

Sand Saves: Tee off from 18 different bunkers around a green, up to 60 yards out, play each as a par 3 which should lead to very low scores (if you did it as a par 2 the scores would be high and that isn’t as good for the viewership).  You can use the tournament course for this as each hole should have a fitting bunker.

Pin Seeker: Varied approach shots into flags on the driving range up to ~220 yards out.  The score for this event is measured in total feet from the pin to where the first shot comes to rest.

For the match play tournament you play a seeding round of stroke play where the top 16 qualify to play in the match play tournament.  This will be a high drama day even though a medal isn’t on the line — much like tournament week leading up to March Madness.  With the cut to 16 you can have 4 days of 18 holes going 16->8, 8->4, 4->2, and then on the final day 1 vs. 2 and 3 vs. 4.

For the stroke play tournament let all of the players from each country participate, cut the field in half (or within 10 strokes of the lead) after two rounds are complete.  This can have some added drama because we’ll also have “overall team medals” so we’ll need a point system for finishing positions in each event and with the stroke play tournament going last even if a player isn’t in position to medal in it, they may be in position to score enough points giving their team an overall medal.

To promote diversity each country should only be able to enter 3 players per event.  Yes, some countries will be leaving better players at home than others will enter but if those other countries don’t get to have an Olympic golfer how will that country ever get the “golf bug”?  This already happens in spots like swimming where each country can only enter their top 2 per event even if their 3rd player is the 3rd fastest in the world.

If they add golf, invite the normal field, play a normal stroke play event I won’t be watching.  Not because it doesn’t have the potential to be a great event but because it won’t have a chance of being what they could make it.

“So much to do, so little time”, was once said by the very intelligent Willy Wonka.  Each day we wake up and have to prioritize what we do — life throws a nearly infinite set of options at us.  Because of this many people spend some of their time exercising so they can “have more time” by living longer to have the opportunity to do the things they’ve always wanted to do.

We all have to spend some time sleeping and eating — average of around 9 hours each day.  This takes our 168 hour long week and cuts it down to 105.  Now we have to commute to work taking away another 4 hours leaving 101.  The BLS breaks down a number of things we spend time on, working, leisure activites, childcare, etc.  Now that we’ve gone to work, taken care of our kids, and picked up around the house we have gone through another 57 hours of our week leaving 44.

Now we’re down to 44 hours on average, if you commute more than 46 minutes a day or work more than 7.9 hours you’ll have less — if you don’t have kids or you have some help to pickup around the house you’ll have more.  I’ll continue to talk about the averages.  Those 44 hours have to fit all of your leisure activities — any hobbies, reading the newspaper or your favorite blog, watching television, or exercising.

This could be you...

Fourty-four hours may sound like a lot but it goes quickly and here is where the exercise comes in.  I’m suggesting you figure out how to do it in 15-30 minutes a day including the “start and stop” time of going to the gym and cleaning up afterwards — this means you probably need to figure out a way to workout at home.  If you’re going to workout five days a week packing a gym bag, going to a gym, changing, taking a class (spin, step, yoga, pilates, etc.) doing weights, showering, changing, and heading home this can easily take 2 hours if not more.

Those 10 hours are 23% of your “flex” time.  Unless exercise is a hobby that you get enjoyment from you’re committing too much time “just trying to live longer”.  I understand that “quality of life” is important and having a moderate level of fitness can help that as well.  With regard to length, most studies show that ones you reach the “healthy” zone of fitness your life isn’t significantly extended by being in “perfect” shape.  The “healthy” level can be achieved in an hour a week, only 2.3% of your “flex time” by working out at home

Those exercise hours add up, over a 40 year period at 10 hours a week you’ll spend 20,800 hours exercising, that is 2.4 years of time so even if that exercise extends your life by 3 years (a number that seems to come up in many studies) you’re really only gaining a few months of “flex time” and you’re getting those at the end at the cost of having them available throughtout your life.

Now that I have a somewhat decent amount of content I’m fiddling around with getting the site indexed by more sources. Right now almost all of my traffic comes from Twitter through the initial posts of the topics.

So Technorati I’m claiming this blog: 3s4h7akv62

Now we’ll see if you bring any visitors! I’ll share updates after a month or two of trying to find new ways to bring traffic to the site.

A common security technique is to classify attackers by IP addresses or reverse DNS lookup and blacklist the bad ones.  This technique has been falling in popularity with the increased usage of DHCP and NAT for Internet access and cloud computing will be its death knell.

Cloud computing allows attackers to rapidly switch IP addresses for as low as $0.015 per switch or per hour of using the address.  Right now only a few clouds exist so it isn’t quite the wild west yet but over the next 2-5 years we’ll see the thousands of dedicated hosting providers all switching to offer cloud services.

So what this means to the IT security world is you have some time to think about this and get it right using the few clouds out there now.  “Getting it right” may require more than just individual enterprises coming up with a way to solve it for them.  We really need to get together as an Internet community and discuss this in the broader scope of entity identification.  I use the term “entity” because we need a way to identify systems and individual users.

We're going to digital ID, the train is leaving the station

Identity and access management has always been viewed as an enterprise or site specific issue — this needs to change.  The recent Twitter hack is an example of how out of control identity and access management has become.  Understanding and documenting all of the application interactions around identity management in an enterprise is something few if any have a firm grasp on.  We’ve finally reached the point that implementing an Internet wide “digital identity” with a centralized identity and access management architecture similar to the domain registration/SSL certificate heirarchy.

OAuth and OpenID are a good place to start the discussion as they have the proper frameworks but they lack a centrally managed authority or list of authorities to manage identification and authentication.  Major “trust” providers on the Internet need to get together and solve this: VeriSign, Google, Microsoft, Ebay/Paypal, Banks, and major Internet Service Providers (AT&T, Verizon, Comcast, Cox, Time Warner, etc.).

Major Web 2.0 players have large directories of people but they don’t have a real trust relationship — just because you have a Myspace/Facebook/Twitter account doesn’t mean I should trust the e-mail you send me but if Chase Bank says you have a bank account with them and you’re sending me an e-mail I’m much more likely to trust it.  With the appropriate identity management if you’re sending spam I can flag that and Chase will tie it to your “digital identity” which is tied to your “real identiy” provided when you created that bank account.  It will be much more difficult to create new identities than it is today and we’ll see a significant decrease in “wild wild west” type behavior on the Internet.

The secondary benefit is consumers will also start to take security more seriously as they won’t want to waste time getting the “spammer” flag removed from their digital identity because their system was hacked (similar to disputing things on your credit report if the system works out properly).  They’ll also prioritize security in their buying decisions forcing system vendors to take it more seriously.

A tertiary benefit will be a reduction in misleading activities that lead to horrible events like the Myspace teen suicide because people won’t create fake identities to hide behind.  Some may say this is part of the “fun” of the Internet as it allows them to escape from their day to day lives.  That type of fun isn’t good for both parties involved — typically part of the fun is misleading other people such as the recent case of the lady that pretended to be a 15 year old kid with cancer.  “Fake identity” activities like this should be restricted to a place like Second Life where everyone knows people are pretending.

As private industry and a world society I hope we can take care of this ourselves before it gets so out of control Congress tries to figure out how to do it and we end up with some horrible mess of a “National ID and Digital Identity Act” that looks at it only from the perspective of the USA and makes it very difficult for non-US citizens to do anything online (as most of the major Internet properties are US based) creating a whole new barrier for 3rd world citizens to overcome.