This is my personal blog and anything I write here in no way reflects the opinion of Cisco Systems, my employer. If it does, it is only by pure coincidence :) Nothing here constitutes investment advice either, so you can't sue me.
1 comment(s)
It seems like every couple of months a new Web desktop comes along and somehow grabs a whole bunch of press and blog activity (guess I'm not helping in that respect). This week it's YouOS, developed by several MIT grads. The difference between YouOS and the rest, it seems, is that they have more of the traditional desktop functionality such as installers, APIs, settings, program groups, etc.
When Web desktops first came out, I thought they were kind of cool, and I played with a few, although I didn't really like any. I basically just wanted a fancy RSS aggregator, and a place to look at my Gmail. I've since given up on that idea and have gone back to Google homepage and reader.
That being said, why am I starting to hate Web desktops?
- Why? What's the point? I already have several desktops that work just fine. They meet no need I currently have.
- They complicate instead of simplify. Just looking at my screen right now there are about 50 icons staring at me. Do I really need 50 more on top of that?
- It's yet another fragmentation of my online identity. I posted about this a while back, and it's just getting worse.
- They're currently very buggy, slow, and generally not ready for prime time. This is fixable but it's a big problem.
- What am I supposed to do when it goes down? As I mentioned before, I have no guarantees that the developers know how to construct a scalable application. It's great that these guys are from MIT, but what have they done before?
- How am I supposed to use one of these on a mobile device?
- I don't WANT to deal with installing things, managing configurations, or muck with anything that comes between me and what I'm trying to accomplish when I get on the Internet. About the most sophisticated the average Internet user gets is saving something to their Favorites, or if they're really tech-savvy, to Delicious (screw the dots I refuse to type 'em).
- As Jon Udell writes, "the desktop metaphor — with its cluttered surface and overlapping resizable windows — is at best a distraction and at worst an impediment". A desktop in a browser just isn't that useful to me. TDavid said it well: "The YouOS concept at first is amusing to play around with and look at but quickly frustrates... overcoming the sardine-like limitations inside a browser window will be too great for most people."
- The Windows software model is broken and outdated; this is just an attempt to re-create it on the Web. Windows will undoubtedly be the last proprietary starting point any of us ever use. If they open-source this it might be different, but the other points still apply. They will never make money selling them. Maybe Google or Microsoft could make money showing ads on them, but they're probably the only ones big enough to pull it off. At least one out there is open source, eyeOS, although I haven't played with it.
Here's the real deal-killer for me: I don't want anyone else owning my data, let alone my entire desktop. If someone is going to hold my data, they'd better be able to give me assurances that they meet some basic security requirements and let me know how to get the data out if they ever go belly-up.
This all looks like technology for technology's sake to me. Just because you can doesn't mean you should.
1 comment(s)
This is kind of funny and sad at the same time. I generally check out my trackback links to make sure they're real sites; if they're not, I delete them. One thing I've noticed happening in the past month or so is that there are made-for-AdSense sites tracking back that seem to be completely generated text. And they kind of form complete sentences, although trying to read them hurts my head. But they have actually gotten to the point where I have to spend a few seconds scanning the page to figure out if it's a spam page or just a terrible writer. For example, here's the first paragraph from one I just had to delete this morning (no link, for obvious reasons):
"Until this date, access to HESSI data will remain restricted. Farm Business and Household Survey DataData Archive: Level 0 data files The data archive will be closed until February 27th, 2002. Profiles of America . The past participle of "to give" has been used for millennia, in the sense of a statementThis site features GIS mapping software, map Web services, online mapping and GIS training, demos, data, product and service information, support, user scripts, and much more.Food Consumption Database."
Clear as mud, huh? It almost looks like somebody wrote a program to go grab random sentences from around the Web and munge them into one post. If they spent some time refining this and running it off of a focused search result, it could be near impossible to tell the difference between an automated post and a terrible writer. I think it's going to get more difficult to combat this stuff unless we start moving towards a decentralized blacklist.
1 comment(s)
Every so often, a brand new idea comes along in technology. This post is not about one of those ideas. This post is actually about an idea from 1997: Push. You see, push has suffered from the Technology Whiplash Effect for the past 9 years, and I think it's primed for a comeback.
First let me explain the Technology Whiplash Effect: I just made it up. It's just a way for me to describe what I have observed when a new idea in computer software comes along. When a new idea comes along, a predictable cycle seems to follow. First, somebody dreams up a fantastic, world-changing software idea and scribbles it on a bar napkin. If it's a good idea, people get excited when they think about it. Then it picks up steam, the possibilities are endless, it's the beginning of a revolution, everyone will make millions, etc, etc. It makes the front page of Wired. And then every software company in the world is scrambling to band-aid it onto their product so they can issue press releases about it. A few new startups are born around it. Everyone knows that the technology promises really cool stuff and they don't want to get left behind, so they try to adopt it before they really know what it's for. And inevitably, a process without a plan is going to fail miserably. And so it does, and then everybody thinks the technology wasn't able to deliver on any of its incredible promises. The people who dreamt it up originally probably would be hesitant to bring that fact up in conversation. It's technology taking off too fast.
Fast-forward five years or so, and somebody is in the process of addressing a real-world problem... but they find that they can't deliver it with the technology toolset they have available to them. So they go back and dust off one of the old ideas, or arrive at it again by re-inventing it. Of course either way they give it a different name, and release it as something new. A few geeks recognize it as a repacking of old ideas, but not many people are listening and even fewer care--the technology actually works and solves problems. The original idea is now solving real-world problems, and all of a sudden it's big news again, under a different name. THIS time, because people can actually apply it to something and wrap their heads around it, people start working with it, and addressing real-world problems with it, and it's great, and bubbles inflate around it (again). Oh, and it makes the cover of Wired again.
The cycle seems to have been pretty reliable in the last decade; it's happened to rich Web clients (AJAX is DHTML's second coming), e-commerce (large individual sites have taken over while online malls have died), personal web presences (MySpace succeeded where GeoCities failed), and software as a service (online software has been in the news a bit for the past couple of years, long after Pets.com passed on). Now, I predict, the same is going to happen with Push.
The difference this time around is that Push is being used properly, which is to say that it's being used for messaging rather than content delivery. The first time around, everybody tried to push content to users, most (in)famously with PointCast and Microsoft with its channels built into Internet Explorer. I've heard some people say that RSS and Atom are equivalent to modern-day Push, but they're wrong. Those technologies simply give people a way to find out what's out there and pick it up if they want it. An RSS feed doesn't push content to users any more than a vending machine pushes a pack of gum to a person. It's a polling (pulling?) mechanism.
Real bona fide Push, on the other hand, actively goes out and tries to deliver something to a user, and it's on the verge of a comeback. This time what we'll be pushing isn't content itself, but update notifications and pointers to the actual content. As it always is, the best solution is a combination/compromise of two ideas--PUSH the notification telling somebody that there's new content, but let them decide if they want to go PULL it to pick it up. The bandwidth problems that killed PointCast would not have been an issue if they had used the technology to push notifications instead of actual content. M. David Peterson, Russ Miles, and several others have done a great job creating a specification called LLUP (PULL spelled backwards) around these principles.
The possibilities once this ball really gets rolling are pretty wild. See my post about sharing rich data if you're interested in the kinds of things I personally am trying to do but can't with current technology.
Mark Cuban had a really great blog post the other day about the Internet in general, and he summed it up well by saying "There is nothing 'oh my god' unique that has happened on the net in forever". He's right, it's probably why I find Tech.Meme so boring these days. I think it's about time for something new (or old, as the case may be). And I personally am at a place where I need to revisit push in order to do what I need to do. Thankfully, other people are seeing the same things that I am and have already started working on doing it right the second time around. So although this sounds really weird, and I'm sure at least some people will laugh out loud at this, I'm working on new projects with push as a core tool.
3 comment(s)
Vinnie Mirchandani has been running an interesting series of articles on Sarbanes-Oxley and how much he hates it. I agree. HOWEVER, I think SOX is just a bad implementation of a good idea. We need a replacement for IT, and here's why.
SOX is far too broad. I think it works ok for finance, which is what it was originally intended for. However, what the drafters DIDN'T intend (I think) is the unexpected repercussions that it's had throughout the rest of the enterprise. The language is so vague that SOX becomes whatever the consultant wants it to be. I remember trying to implement SOX and it got to the point where we had to hire people to walk the floors looking for scraps of paper that need to be shredded, and had to make people sign in and out of certain parts of the building. All well and good, I suppose, if you're handling extremely sensitive information, but this was most certainly not. It was just customer-related, and the consultant interpreted that as meaning sensitive.
The biggest victim of SOX has been IT in my opinion. There's really no reason for SOX to touch IT if IT is functioning properly. If the IT department is functioning properly and has proper controls and guidance from the top, SOX would be a non-issue. Customer data in the IT realm should be secure anyway. If you're curious what kind of requirements SOX places on the IT department, you may want to check out the SOX-IT checklist I put together a while back based on my own experiences with SOX.
Now, here's where I'm a little torn. It's just so darn easy to slap together an application these days that you can churn one out in a day and not worry about security. I've begun thinking twice lately about using Web 2.0-style apps because I have absolutely no confidence that the data I put into them is secure. Heck, I can't even get answers about whether my password is stored in hashed form instead of in plain text. The post I wrote about Web 2.0 scalability touches on this a bit.
Obviously, some kind of formalized IT-centric certification or assurance is needed. One that isn't a bastard child of a finance-focused directive. I don't know who would come up with such a thing or audit the applications, but I do know that something along those lines is going to be a necessity if the Software as a Service industry is ever planning to creep into the enterprise. I know I wouldn't trust MY company's data to some Joe Schmoe who just wrote a wiki yesterday unless I had some assurance that it was safe.
I can imagine that some kind of baseline security check could be done over the Web using an automated program. A basic encryption/password hash/cookie check application could give you some approximation of how secure an application is and how well it's written. However, it wouldn't have the ability to peek up the application's skirt to analyze the back end. (What a dirty sounding metaphor :P) I'm not sure how that piece should be handled; anyone else have any ideas?
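A sketch of the outside-in baseline check described above, as an added example rather than code from this blog: it inspects one captured login response for transport, password-form and cookie-flag problems, and always reports that password storage cannot be observed from outside. The host name, cookie names, finding labels and both sample captures are constructed for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed captures (URL, response headers, body) for a hypothetical app.
WEAK = (
    "http://app.example.test/login",
    [("Set-Cookie", "session=abc123; Path=/"),
     ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly")],
    '<form action="/do_login" method="get">'
    '<input name="user"><input type="password" name="pw"></form>',
)
HARDENED = (
    "https://app.example.test/login",
    [("Strict-Transport-Security", "max-age=31536000"),
     ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")],
    '<form action="/do_login" method="post">'
    '<input name="user"><input type="password" name="pw"></form>',
)


class PasswordForms(HTMLParser):
    """Collect the action and method of every <form> holding a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action") or "",
                          "method": (attrs.get("method") or "get").lower(),
                          "has_password": False}
        elif tag == "input" and self._open is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            if self._open["has_password"]:
                self.forms.append(self._open)
            self._open = None


def baseline_check(page_url, headers, body):
    """Return the findings visible from outside for one captured response."""
    findings = []
    header_names = {name.lower() for name, _ in headers}
    if urlsplit(page_url).scheme != "https":
        findings.append("page-served-without-tls")
    elif "strict-transport-security" not in header_names:
        findings.append("no-hsts-header")

    parser = PasswordForms()
    parser.feed(body)
    for form in parser.forms:
        # A relative action inherits the scheme of the page that served it.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append("password-form-posts-in-cleartext")
        if form["method"] != "post":
            findings.append("password-sent-in-url")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            # Coarse baseline: every cookie is expected to carry both flags.
            if not morsel["secure"]:
                findings.append(f"cookie-without-secure:{cookie_name}")
            if not morsel["httponly"]:
                findings.append(f"cookie-without-httponly:{cookie_name}")

    # How passwords are stored server-side never shows up in a response.
    findings.append("password-storage-not-observable")
    return findings


if __name__ == "__main__":
    for label, capture in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, baseline_check(*capture))
```

The last finding is emitted for every application on purpose: it marks the back-end piece that an external scan cannot answer and that still needs an audit or a vendor statement.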
3 comment(s)
Here I thought I was going to be clever and figure out a way to encrypt browser input going to the server using a fancy-schmancy JavaScript public-key encryption mechanism. I would really like to be rid of SSL if at all possible. However, after wasting far too much time on it, I have given up and resigned myself to using SSL again.
The biggest problem with JavaScript public key encryption is STORING the key. I thought maybe I'd be able to use Dojo's Flash-based storage mechanism, but that thing is so undocumented and so hard to use that I couldn't figure it out and I finally gave up. The other hard part is generating a keypair on the client that will work on the server as well, which is not quite as easy as I thought it would be. This guy got it working in one direction, but he had to use the server to generate the private key, which means you have to somehow send it to the client securely, which is easier said than done. The only way I could think of to do it was to provide it via an SSL-secured connection, at which point why not just go ahead and make the entire app SSL-secured and not bother with it.
Anyway, after wasting too much time on this I am surrendering to SSL and moving on. Someday I'll attack this problem from my rocking chair in the retirement home or something.
Oh yeah by the way, has anyone else realized that the only pages that are typically ever secured on Web-based applications are the pages where you input your credit card to pay for it? Did you know that something as simple as the Compose Email form in Gmail sends everything you input in plain text? How does this kind of security still fly in this day and age?
1 comment(s)
This is a disturbing trend. Although I've hoped that it would self-correct as these companies have gotten older, a LOT of Web 2.0 companies are NOT scaling well at all. In fact the reverse is true; they seem to be totally overwhelmed and underprepared in dealing with any amount of customers.
Let me rattle off a few examples:
- TypePad was down all day yesterday, and it is STILL not working properly for me. EVERYTHING SHOULD BE REDUNDANT, SIX APART!!! They lost data, even! Ugh, I need to stop thinking about this, it's still pissing me off.
- Digg's new interface sucks. Nothing works right.
- None of the Web Dashboards that I actually liked could tell me if my email passwords were secure.
- A lot of the blogs I read look terrible in Explorer; the designers obviously only looked at them in Firefox. Yeah, I still use primarily Explorer, so sue me. So does 67% of the rest of the world.
- GMail periodically goes down for hours at a time.
- Any app that makes it to the front page of Digg automatically goes down. Are they only expecting 20 or 100 customers? Do they just want to cover their DSL connection cost or something?
- UPDATED. Now WetPaint is freaking out on me and not accepting my changes. There must be a full moon or something.
- UPDATED. MySpace went completely down for quite a while, supposedly due to power outages. Guess a few million just won't stretch far enough to buy some decent generators for the old datacenter.
- UPDATED. YouTube went down.
- UPDATED. Flickr went down too.
You want to know why Web 2.0 hasn't taken off in the enterprise yet? That's why. It hasn't proven itself yet, and businesses need 99.99% uptime.
And on the security end of things, it's pretty obvious we need some kind of test or standard that we can apply to these companies to make sure our data isn't naked to the world. Especially with mashups, our data is going everywhere now. A checklist of some kind (probably something similar to my Sarbanes-Oxley checklist) would definitely put my mind at ease. Or at least SOME kind of statement about security. I mean, is everyone else ok with putting valuable data in the hands of a complete stranger who might have been homeless on the street yesterday before being data center manager today?
2 comment(s)
Dear Six Apart,
You are skating on thin ice with me. TypePad, and my blog, was down for most of the day yesterday, and my domain name jasonkolb.com still doesn't work to access my blog. If you expect to have any kind of significant lifespan as a Software as a Service business, you had better get your act together. I have been involved in data centers for a long time now, and the explanation you posted was completely unsatisfactory. As a paying customer, I want to know what you are doing right now to prevent this kind of outage in the future. If you had a RAID failure, I want to know what kind of SAN you are buying. If you had a network failure, I want to know where you are putting a redundant point of presence. If someone hacked your database, I want to know what you are doing to shore up security. Simply saying that you were down and you're sorry doesn't cut it when I'm paying you a monthly fee to be available. An apology instills no confidence in me that this won't happen again.
This kind of event puts a black eye on the hosted business model, which is a shame, because there are many responsible companies out there that maintain SLAs, run tight data centers, and give their customers relevant information when they have problems. The way you handled this incident was unprofessional and amateurish.
If you don't take steps to rectify this situation you will be losing me as a customer very shortly.
Sincerely,
Jason Kolb
2 comment(s)
I don't know about everyone else out there, but I have been less than impressed with Tech.Meme lately. When it first started (as Tech.Memeorandum) it featured posts and memes that were very interesting, timely, and actually meant something to me. As time goes on, however, I've noticed that the original "memes" (ideas) have disappeared and it's basically turned into a technology industry news magazine. I still find the occasional nugget of interesting blogging going on there, but for the most part it feels like CNBC for the Web.
Let's take a quick look at what's going on there right now: there are a TON of posts about Dell starting a corporate blog (yawn), MySpace is the most popular site on the Internet (didn't see that coming from a mile away), Google Maps has an updated zoom feature (stop the presses!), Microsoft plans to continue its CRM line of products (ok), and Time Warner is considering offering free AOL service to some of its customers (I'll be sure to alert the one person I know who uses it).
This is news? These are IDEAS???? This is not the blogosphere, this is a new avenue for press releases and a holy grail for link mongers. Do we really need another technology news site? I think Wired, Digg, and Slashdot do a swell job of that. Or has blog content really become this blasé? Is there anywhere I can go to see what people with ORIGINAL ideas are writing about?
2 comment(s)
I would love a utility that connects Outlook to Amazon S3 so that I can push a button combo in Outlook and send the email to S3 where I can search the emails saved there at a later time, a la Gmail. It would keep my inbox clean and provide an online repository for emails I might want later, which is the one reason I keep using Gmail. Searching Outlook and backing up PST files, or cleaning out my inbox when using Exchange, just blows; it feels like I have to crank-start my car when keyed ignitions are plentiful and common.
If somebody would like to write such a thing I would be forever grateful :)
0 comment(s)
It makes me a happy boy to see dialogue occurring on the best way to share and syndicate rich data publicly on the Internet. I truly believe that when this bridge is crossed it will enable the next wave of Internet technology evolution/revolution, and I'm glad people are thinking in this direction so this happens sooner rather than later. I also think Live Clipboard will be a nice catalyst for the whole idea because it empowers microformats in such a dramatic way. All of this technology is still in its infancy, of course, but these are the types of conversations that need to happen between early adopters, developers, and entrepreneurs before it can go mainstream.
One thing that seems to keep coming up, and understandably so, is the idea of securing syndicated data. For example, if I wish to publish certain parts of my contact information such as my email address, but keep other parts private and secure, such as my mobile number, I can't very well publish a vcard out to the Internet. Even hiding certain chunks of it with stylesheets won't hide the content from aggregators, search engines, and people who know how to "View Source". It's simply not an effective security mechanism.
Related to this is the sticky question of whether the data should be embedded directly in the content (or page) itself, or if the content should simply contain a pointer to the data (in the form of a URI). The first approach is demonstrated in my little Microcontent Viewer example from a few weeks back; the second approach is demonstrated by i-Tags.
The concept of embedding data in content and how to secure it is a tough one, and I struggled with it for a long time. I wondered if the URI-only approach was correct so that it could actually be an application at the other end of the URI which would be able to ask the reader who he was and provide the appropriate subset of data. However, that raises all kinds of problems with user authentication and firewalls. For example, if I publish a blog post that contains a vcard which points to a URI inside the firewall, that vcard becomes useless to anyone on the outside, so what's the point?
Personally, I finally decided a few months back that a hybrid approach was needed: I would embed only the public data that anyone should be able to see into the content itself, but also provide a URI that can be used to retrieve the full set of data (or the subset that the reader has been allowed to see). It could also be used by the reader to refresh the embedded data when the URI endpoint is available and online. This is exactly the approach taken by my Microcontent Viewer example, although the refresh piece isn't hooked up.
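The difference between hiding fields with a stylesheet and the hybrid approach, as an added example that is not the Microcontent Viewer's code: a parser standing in for an aggregator or "View Source" recovers the CSS-hidden mobile number, while the hybrid page never contains it and the endpoint filters by reader. The contact record, trust levels, endpoint URI and function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed contact record: each field carries the lowest trust level
# allowed to read it (the level names are assumptions of this example).
PUBLIC, TRUSTED = 0, 1
CONTACT = {
    "fn": ("Pat Example", PUBLIC),
    "email": ("pat@example.test", PUBLIC),
    "tel": ("+1-555-0100", TRUSTED),
}
ENDPOINT = "https://contacts.example.test/pat"  # hypothetical URI endpoint


def render_css_hidden(contact):
    """Anti-pattern: embed every field and hide the private ones with CSS."""
    spans = []
    for name, (value, level) in contact.items():
        style = ' style="display:none"' if level > PUBLIC else ""
        spans.append(f'<span class="{name}"{style}>{escape(value)}</span>')
    return '<div class="vcard">' + "".join(spans) + "</div>"


def render_hybrid(contact, endpoint):
    """Hybrid: embed only PUBLIC fields plus a pointer to the full record."""
    spans = [f'<span class="{name}">{escape(value)}</span>'
             for name, (value, level) in contact.items() if level == PUBLIC]
    spans.append(f'<a class="url" href="{escape(endpoint)}">full card</a>')
    return '<div class="vcard">' + "".join(spans) + "</div>"


def endpoint_view(contact, reader_level):
    """What the endpoint returns once it has settled the reader's trust level."""
    return {name: value for name, (value, level) in contact.items()
            if level <= reader_level}


class FieldScraper(HTMLParser):
    """Reads the text of every classed <span>; it never evaluates CSS."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._name = None

    def handle_starttag(self, tag, attrs):
        if tag == "span":
            self._name = dict(attrs).get("class")

    def handle_data(self, data):
        if self._name:
            self.fields[self._name] = data

    def handle_endtag(self, tag):
        if tag == "span":
            self._name = None


def scrape(html_text):
    """Return the fields an aggregator would extract from the markup."""
    scraper = FieldScraper()
    scraper.feed(html_text)
    return scraper.fields


if __name__ == "__main__":
    print("css-hidden page leaks:", scrape(render_css_hidden(CONTACT)))
    print("hybrid page exposes: ", scrape(render_hybrid(CONTACT, ENDPOINT)))
    print("endpoint, trusted:   ", endpoint_view(CONTACT, TRUSTED))
```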
I'm still pretty convinced that embedding public data in content is a good way to go. After I published my test post Technorati picked up the embedded microcontent and I was able to find it using their microformat search, and get pictures and all. See the results here. It actually added value to the content, which was very cool. Progress!
The URI endpoint part of this is much trickier, but is also much more interesting. It's the secret sauce that's going to really kickstart some wild revolutions in online technology. I believe that an open source application is needed to share, provision, and publish content at URI endpoints, and that application is currently and secretly in the works but won't be released until it's ready. For securing data, it uses an ingenious solution thought up by M. David Peterson to securely publish URI endpoints; see his post here for the technical details.
The beauty of this hybrid solution is that you can have your cake and eat it too. Users who you don't even know exist can use the subset of your data that you make public, and public applications have data to work with but only that which you want the entire world to be able to see. The embedded microcontent portion enables applications like the Technorati microformat search to pick up and use it. However, if somebody wants to get to know you better, they can send you a request in the form of an LLUP message and you're then able to personally decide if you want to allow more information out to that individual or not, and at what level.
There are so many more goodies that this will enable in addition to fresh data. You get to maintain an actual list of "trusted subscribers", and actually TELL them when you update or create content instead of waiting for them or their feed readers to find it. You'll be able to tell EXACTLY what people are doing with your data. You'll even have the ability to let THEM edit it, and tell you about it, at which point you'll be able to determine if you want to accept their changes or not. (I can't wait for the day when somebody I trust can update their contact info from one of my blog posts and it will update all of my other blog posts as well as Outlook, Gmail, and my Blackberry.) All the promises of push will be fulfilled when this domino falls.
Dion Hinchcliffe, a great writer and one of the few bloggers I make it a point to read on a regular basis, has done a wonderful job of outlining one of the primary barriers in front of this technology, which is the lack of a decentralized identity system. A decentralized identity system is vital before we can even think about securely sharing data. And while I certainly respect the efforts that are out there such as OpenID and SXIP, I think that the misguided efforts by companies like Microsoft and Google are going to derail any attempts to unify identity in the short term. I think the catalyst for change is going to be the point in time when people can see actual tangible benefits from a decentralized identity system, in the form of new capabilities that such a system baked into core software can bring.
I've got some great big surprises in store in this area in the very near future, but I won't release anything until it's polished and ready. First impressions are pretty important, ya know ;)