January 30, 2010

Unconfirmed technologies

Sometimes you see a technology which looks like magic. It happens all the time in security, more often in IT, and not so often in the real world.

Steorn, for instance, has just demonstrated Orbo, its new "free energy" technology, which would violate one of the core principles of (not so) modern science. However, the demo itself is not what's worth noting. It's the tiny, small line at the end: "next week, come and try: measure with your own equipment".

The trick is not showing some magic; it's having people actually use it. It's one of the oldest techniques in the world, and it made fortunes in IT (remember shareware?). Any product has to learn from that: lower the barrier, release "easy to try at home" versions, let people see for themselves. A video won't do it, nor will a live demo. Open source developers (including me) should learn it.

January 13, 2010

You get what you pay for

As you might know, since the news made its way to Slashdot, Moscow's city cameras streamed fake footage for a while.

Quoting the article:

According to the contract with StroyMontageService, the Moscow government only paid for working cameras. Dumalkina said the company unreasonably received around one million dollars for the northeastern district alone.

This is a very well-known problem (Goodhart's law, in short): once you measure the performance of a given service, and pay according to that measurement, the way you choose to measure changes the service itself. If you measure the number of outgoing calls from a call center, agents will make a lot of very short and probably useless calls... and so on.

This becomes very interesting when applied to modern IT services. What are you going to measure? Availability of the application? Sure, a cloud (to cite an interesting new topic) will give you more of that. But how are you measuring the security you trade away for it?
When you outsource, are you taking into account the know-how your administrators are no longer building for themselves?

You get what you pay for: if all you pay for is your machines being 100% available on a remote cloud, that's exactly what you get, and nothing more. The fuzzier, or "cloudier", your infrastructure gets, the less you know about it. The less you measure, the less you get (and hopefully the less you pay, but that's not the point).

But hey, I can hear you thinking, weren't you an advocate of virtualization and cloud-based stuff? Sure I am, but I really do think we have to understand what we're doing. We have not yet built any meaningful measure of virtual/cloud/fuzzy efficiency: what we do have, if we're lucky, is some vendor-biased, vendor-driven accounting methodology.

Think about what you're asking for, what you're stating and what you're giving up when you consider outsourcing. Maybe even virtualizing your hardware is a form of outsourcing it...