Thursday, December 20, 2007

Food For Thought: What Do You Think of My Idea?

Chris Lyman, the CEO/Janitor of Fonality, made an insightful post on his blog regarding entrepreneurs and aspiring entrepreneurs here. I don't have much to add -- I thought it was good food for thought and wanted to file it somewhere, so what better place than on my blog.

I think it's a good idea to fill your thoughts constantly with lots of inputs from all over. Just don't take any one of them too seriously. Consider everything and then decide where you want to go, on your own.

Here's an excerpt from Chris's post:

For 10 years now people have approached me with business ideas, and asked: "What do you think of my idea?"

And I have always taken their "What do you think of my idea?" very seriously. After all, asking for an opinion on something that you have labored over is difficult - it's a moment of vulnerability as you open yourself up to a potential battery of cerebral criticism and intellectual pugilism. It's not easy ...and I know this.

Thus, I listen to their pitches, I read their business plans, and opine. I try to give thoughtful advice on the "what-ifs" and the "how-tos" and I introspectively incant my "lessons learned."

But, it never sits right with me. And, slowly I have come to hate this question. And, finally I know why.

The entire act of questioning before leaping is fundamentally opposed to the true spirit of entrepreneurialism. Being an entrepreneur is about doing something NEW that has NEVER been done before, or doing something old in a totally NEW way. You just don't build a bad-ass business by being a me-too. In short, you gotta bring the NEW to outdo the OLD and the NEW can never be known because it hasn't happened yet and therefore ANY attempt to discuss the new as if you know what the hell you are talking about is an ego-trip and I don't want a ticket to that ride.

Let me illustrate my own idiocy at predicting the future:

In my last company, I had a Director of Sales named Jon Venverloh. One day, in late 1998, he showed up to work and said he was moving up north to take a sales job at Google. I laughed at him and asked him why the heck he would go to a company with no revenue and no revenue model. Remember this is 1998. He said: "I like Northern California better and I can ride my bike." Believing he was making a lousy career move, I wished him luck. Well, I just googled (hehe) Jon and he is currently listed as an Executive in charge of Federal Sales for Google, Inc.

Go figure. Nobody knows who is going to be the next Google. Least of all me. And the mere fact that you are asking means that you are doubting yourself and doubt is what you CANNOT have as you strive to create the NEW. Don't let the opining and the opinionated slow you down.


Asterisk Mashes Up Politics

I ran across this application today, called, which makes it easier for (U.S.) folks to contact their representatives. It's a nifty example of the type of applications that become possible when some imagination gets combined with lowered barriers to entry. This is what mashups are all about. Taking information that is out there on the Internet and combining it in ways that make it more useful, accessible, relevant, visible, etc.

This particular one uses Asterisk for the telephony, a database built from information on the Internet, and a custom AGI to interact with the user input, look up things in the database, make the calls, and get post-call rating feedback. AGIs are the equivalent of HTTP world CGIs (yes, the Asterisk world is progressing quite fast but the Web did get a big head start on it so it's still a little behind; CGIs, or AGIs, are pretty 1997 but you have to start somewhere).

Just wait until all the old school web developers that are used to coding in PHP, Ruby (Adhearsion), C, Perl (Asterisk::AGI), etc. discover they can write Asterisk telephony applications just as easily and in the same languages. (The Adhearsion page, even if you're not a Ruby programmer, has a good overview and example applications if you're curious).

is a site that allows one person to target an entire congressional committee over the phone. The web application utilizes the open source Asterisk PBX system to connect you to every senator or house member on a particular committee. No more digging around the 'net entering zip-codes to retrieve phone numbers of representatives. automates the tedium of finding and dialing your favorite politicians.

Select a committee, enter in your phone number and click "Put me in touch with democracy!" and you'll be called by our system and sequentially patched through to the front office of each member on that committee. You can even rate how each call went; information that will enable us to rank representatives on how accountable and responsive they are to their constituents.

Once connected Committee Caller will tell you which representative you are calling, who their legislative director or chief of staff is, and what district they represent. At any point you can use the * to hang up the call and move on to the next one. Remember not to hang up after each call as you will have the opportunity to rate how your call went.
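The AGI exchange described above (environment header on stdin, commands on stdout, a database lookup driven by caller input), as an added example that is not Committee Caller's code. The prompt name `enter-committee`, the table layout and the sample rows are assumptions; the point is that caller ID and keyed digits arrive from the phone network and are validated before they reach the database.

```python
import re
import sqlite3
import sys

# "200 result=<value>" optionally followed by "(timeout)" or "endpos=<n>".
AGI_REPLY = re.compile(r"^200 result=(\S*)(?:\s+(.*))?$")


def read_agi_env(stdin):
    """Read the 'agi_name: value' header Asterisk sends before any command."""
    env = {}
    while True:
        line = stdin.readline()
        if line.strip() == "":          # blank line (or EOF) ends the header
            break
        name, sep, value = line.partition(":")
        if sep and name.startswith("agi_"):
            env[name] = value.strip()
    return env


def agi_command(command, stdin, stdout):
    """Send one AGI command and return (result, extra) from the reply line."""
    stdout.write(command + "\n")
    stdout.flush()
    reply = stdin.readline().strip()
    match = AGI_REPLY.match(reply)
    if match is None:                   # 510/520 errors or a hung-up channel
        raise RuntimeError("AGI command failed: %r" % reply)
    return match.group(1), match.group(2)


def safe_caller_id(env):
    """Caller ID is supplied by the far end; accept digits only, else None."""
    value = env.get("agi_callerid", "")
    return value if re.fullmatch(r"\+?[0-9]{3,15}", value) else None


def lookup_committee(db, digits):
    """Allowlist the keyed digits, then use a bound parameter for the query."""
    if not re.fullmatch(r"[0-9]{1,4}", digits):
        return []
    rows = db.execute(
        "SELECT member, phone FROM members WHERE committee_id = ? ORDER BY member",
        (int(digits),),
    )
    return rows.fetchall()


def build_sample_db():
    """Constructed sample data (hypothetical schema, fictional 555-01xx numbers)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (committee_id INTEGER, member TEXT, phone TEXT)")
    db.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [
            (12, "Rep. Example A", "2025550101"),
            (12, "Sen. Example B", "2025550102"),
            (7, "Rep. Example C", "2025550103"),
        ],
    )
    return db


def handle_call(stdin, stdout, db):
    """One AGI session: read header, ask for a committee number, look it up."""
    env = read_agi_env(stdin)
    caller = safe_caller_id(env)
    # GET DATA <prompt> <timeout ms> <max digits>; prompt name is hypothetical.
    digits, _ = agi_command("GET DATA enter-committee 5000 4", stdin, stdout)
    members = lookup_committee(db, digits)
    if not members:
        agi_command('STREAM FILE invalid ""', stdin, stdout)
        return caller, []
    agi_command("SET VARIABLE MEMBER_COUNT %d" % len(members), stdin, stdout)
    return caller, members


if __name__ == "__main__":
    handle_call(sys.stdin, sys.stdout, build_sample_db())
```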


Monday, December 10, 2007

Cordless VOIP Phones, Well, Stink

Michael Graves, over at the VOIP Users Conference, has a nice summary of the common frustrations he's had with cordless VOIP (SIP) phones. Michael plays with a lot of hardware, is a real user, and isn't selling anything related. His opinions are worth a read.


Friday, December 7, 2007

My New Home Asterisk PBX Embedded Box

[ The first two are photos of the actual unit, pulled from the eBay auction. The last two photos are not mine but stolen from a friendly Flickr source. Hoping Santa will bring the family a new camera.. ;-) ]

On Friday my HP Thin Client arrived. Only I'm not going to use it as a thin client. Instead I'm going to install Linux (or FreeBSD, see below) along with Asterisk, the open source telephony platform, onto it. This particular unit is an HP T5700.

It cost me <$100 on eBay. Low power (<20w), Ghz (Transmeta Crusoe) based with 256MB RAM, and 256MB Flash. I may add a 2.5" laptop drive (has IDE and USB too).

The lack of noise and the tiny form factor is a huge driver since this is going into our apartment and the low power is for our savings accounts and the environment. :) The flexibility and ease of use gained by keeping it x86 based is a big plus for saving time (no cross compiling, no searching out funky code patches for less mainstream architectures) and maintaining compatibility with the maximum amount of things I may want to do with it.

I nearly bought an IP04, or one of the variations based on it like uCpbx. These are Blackfin based embedded systems designed to run Asterisk, specifically the Astfin distro. These are very cost effective looking solutions for SMB type environments. They are also very very similar to Digium's Asterisk Appliance 50 (AA50), which is also Blackfin based. In fact, they are nearly the same thing if you don't count formal Digium backing and support. (I recently got some experience with an AA50, in an installation for a client with Snom 320 phones, and intend to post some about that at a future date).

I'm looking forward to getting this box on-line as our full-time home phone system. If all goes well I'll probably pick up another one (or several) for lab use. This should free up some space in the apartment and not require me to keep shutting my dev box down to eliminate ambient noise and power consumption. Now if only the power supply would get here quick. :)

Typically I install Debian or Ubuntu then plop in Asterisk. This time, this is meant to be more of a true "appliance" than a server. So I'm going to evaluate some other options before I settle on anything. This will give me the opportunity to get experience with and thus cross out some items on my "To Evaluate/Learn" list.

I'm going to try out Askozia which looks promising. It'll be a new one for me and it's actually FreeBSD, rather than Linux, based (it's based on m0n0wall). Askozia also has a built-in web GUI which I'm looking forward to contrasting with Digium's own GUI (which is in AsteriskNOW). AstLinux is another option I'll check out. Unfortunately out-of-the-box it's Asterisk 1.2.x not 1.4.x based (though there's a dev version that is 1.4.x).

I do miss having a lot of tools anytime I've worked with embedded distros. And I like having extensive logging available -- even if the device is supposedly an "appliance" that just sits there. Tough to troubleshoot an appliance when there ain't no logs. :-)

Ultimately I may roll my own stripped down something or other. Or, grab a more generic already stripped down distro and put Asterisk plus the Digium Asterisk GUI on top. Having the option to add a laptop drive gives me comfort I can go with this route, even as far as installing Debian or Ubuntu stock if need be, while remaining low-power.

I also intend to experiment with the various Bluetooth integration options for Asterisk. Namely chan_mobile for headset and cell phone integration.

We'll see what else. :) The nice thing is that, besides really enjoying Asterisk, I can justify more than one solution, since whatever I don't actually use as the house system will still be rewarding in the lab for self-education and evaluating the options out there for my clients.


Friday, November 30, 2007

The Modem Free Generation

Wow, how time does fly. We now have, at least in the US and elsewhere, our first generation of Internet users that have no idea what a real modem sounds like. For these folks, this is the closest they'll ever get to one.

While I'm not as old as the photo above by any means, my first modem was an external U.S. Robotics 2400 bps (generously loaned to me by a friend's father whom I later bought a more affordable Gould 1200 bps modem from), so I suppose, in a way, even I was late to the game.

Sure, with Caller ID we still have modems in our phones (at least until end-to-end SIP can do away with all that) and xDSL is still really a glorified analog modem but they are stealthy. Poll a random nine year old on the street with a modem carrier audio sample or ask if they've ever cursed when they forgot and set ATM2 instead of ATM0 or ATM1 and you'll get a blank look (and probably a scream for mommy to come and take them away from the scary crazy guy though a few smart top-of-their-class nine year olds, just starting their introduction classes to CCIE certification of course, might think I'm talking about this which is at least in the right vein).

I've yet to see an xDSL modem that has a speaker (let alone supports the AT command set) and rarely do I hear the caller ID carrier unless I'm on a really cheap phone and pick up the phone fast enough.

Maybe we can bring it back in vogue by customizing our mobile phone ring tone to sound like the good old days. And demanding that xDSL modem vendors add speakers. On the other hand, there aren't too many of these around anymore either. And, man, were those things slow.



Wednesday, November 28, 2007

Improving the Snom IP Phone Retrieve Button Functionality

(Otherwise entitled "Getting the Snom Retrieve Button To Work Even When There Are Only Old Messages to Retrieve")

If you use Snom IP phones, you may have discovered, as I recently did, that the Retrieve button doesn't work, at least by default, unless there are new messages in the mailbox. If the user wants to listen to a saved voicemail, they are out of luck and have to dial the special voicemail extension directly. The Retrieve button just sits there and does nada.

This created some confusion in a recent installation since folks learned to use the Retrieve button to access voicemail and then later, after a day or so of use, wanted to listen to voicemails they had saved. :-) Sure, I had set-up an extension to dial the voicemail system directly (intended for when people were out of the office) but it was pretty silly to have two different ways for users to get used to accessing their voicemail, depending only on whether they had new messages or not.

I poked around a bit and the fix was very simple... In the web management interface go to Setup -> Identity X -> Mailbox and set it to your internal mailbox extension.

(As an aside: I am overall pretty happy with the Snom 320 IP phones. Be careful what firmware revisions you are running -- stay away from 7.x unless you know what you are doing and keep things consistent across your installation).

Monday, November 19, 2007

Another Submarine Telecommunications Cable Coming to San Luis Obispo

Over the years I've tried to keep an eye on the in-region activities related to submarine communications cables (and cool map here). So it's with some interest that I've watched announcements and rumors during the last 18 months or so about several new cable projects. I've been waiting to see official filings to see if any would be added to the pile of cables that already come into San Luis Obispo county. It looks like we've got our first new addition to the area...

A recent California State Lands Commission filing seems to confirm that the backers of the Asia America Gateway Cable Network are serious about proceeding. They have pooled over $500M to build the network and plan to have it live sometime between Q4 2008 and Q1 2009.

The AAG will land in eight Southeast Asian countries before landing at the existing US West Coast AT&T landing station at Montana De Oro, in unincorporated Los Osos (approximately 15 miles outside of San Luis Obispo city). San Luis Obispo county already hosts other Trans-Pacific cable landings, at the same AT&T landing station as well as at the Pacific Crossing station in Grover Beach (there are a total of at least six active submarine cables in the area; others are now dormant or very old and used solely for research purposes; a bit more info here).

The eight countries, other than the US, where the AAG will have landing points are Malaysia, Singapore, Thailand, Brunei Darussalam, Vietnam, Hong Kong, the Philippines, and Guam. Besides the US West Coast the cable will also make a stop in Hawaii. In total it will span over 20,000 km (approximately 12,400 miles).

While other cables already go to Northern Asia, this will be the first direct submarine cable network between Southeast Asia and the United States. It also is coming online in time for the apparent retirement of two first generation Asia-Pacific cable systems, the APCN and TPC-5 (reference in press releases for the AAG but haven't found a direct source to verify this).

"The AAG is intended to provide an alternative and a more secure link for traffic from the region to the USA. This low risk route was designed to avoid the volatile and hazardous Pacific Ring, thus mitigating the effects from natural disasters like earthquakes and tsunamis, which have previously damaged submarine cable systems, resulting in major disruptions to international Internet links."

AAG appears to be, at first glance, a point-to-point design, rather than a (redundant) ring. Though, from the sounds of it, the intention is that existing paths (Northern) on other cable networks will be used to complete the ring for carriers that desire redundancy.

Recently, other near-by Pacific submarine cable networks have also announced upgrades:

Sunday, November 11, 2007

VOIP Troubleshooting With (the free) Wireshark Packet Analyzer

Wireshark is a network protocol analyzer. Some may recognize it by its former name, Ethereal. It's free (and open source), runs on multiple platforms (including Windows and Linux), and is actively developed. For those doing VOIP installations or troubleshooting existing installations, the latest release has some very handy VOIP specific support.

It will create visuals representing captured SIP and associated RTP connections. You can drill down by clicking on specific spots on the graph to pull up the associated packet(s). You can generate reports on (as well as graph) jitter, bandwidth usage, etc. There are various ways of displaying the data to get a better idea of what's really going on.

The screen captures at the beginning of this post are from Wireshark. They show a graph of a VOIP (SIP) call (and a half) between two Snom SIP phones attached to an Asterisk-based PBX (the green/blue/purple image) and an analysis of the associated RTP session (including packet loss, jitter, delay). Wireshark can even play back captured VOIP calls (at least if using PCM/G.711/ulaw).


PCI: It's Alright to Question the Auditors

A bit back a (then prospective) client came to me while going through a PCI audit. They'd been informed by their auditor (VeriSign in this case) that they needed to segregate off a group of servers. Fair enough. The catch was they were also being told that this needed to be done using a second firewall, in order to be compliant, even though their existing firewall had more than enough interfaces to configure additional distinct security zones. The proposed second firewall would be under the same administrative control and offer no greater granularity in security policy enforcement. In short, it wasn't a terrible idea but it didn't seem very value enhancing either.

The client had an inkling that this shouldn't be necessary. They had further discussions with the auditor to no avail. In the interest of time and manpower, they went ahead and bought another firewall. I was called in later to integrate this and some other changes into their network. One of my first questions was "Why are we doing this?". After hearing a bit more of the background I still felt firm in my conviction that either (a) we weren't getting the entire story and thus even with a second firewall I wasn't sure we were meeting the requirements or (b) there really wasn't sufficient grounds to add a second firewall when the isolation could be done completely adequately on their existing firewall by shifting around the topology a bit to utilize available interfaces and adding some new access rules.

My view was that the assessor had a specific ideal model in mind and wasn't really listening to the arguments given thus far. This was even though those arguments weren't against the server isolation being suggested. The only disagreement was over how to get the end result.

In the interest of time I proceeded with preliminary integration plan development that included the second firewall while recommending a continued push that the auditor needed to justify their recommendation more specifically. Over the course of the next several days, after the client had gotten input from myself including points to bring up and gained additional confidence in their original inkling that the extra firewall was unnecessary, the auditor shifted gears and said implementing the requested isolation on a single firewall was acceptable.

At this point I'd only spent several hours on this project. There was no longer justification for the purchase of a second firewall and the changes required to isolate the servers were far simpler. Even though my client had already purchased the second firewall prior to my involvement, they could now return it, sell it off, re-deploy it elsewhere, use it as a spare, etc. The expense of engineering and labor for a more complex integration effort was avoided (plus the long-term costs of having another piece of equipment to maintain, an added failure point, and a more complex topology to troubleshoot).

There are something like one hundred or so assessors that work with the PCI Council to do audits. Each has their own strengths, weaknesses, and agendas. Some are relatively pure-play professional services providers while others sell their own security software and hardware (and, yes, often related to assisting you in gaining PCI compliance). Assessors are allowed to recommend their own services and products as solutions to problems that come up during audits (though they are not supposed to require their use in order to pass). The PCI DSS standard isn't specific -- which is actually a good thing since every environment is different -- so there's much open to interpretation at both the end-user and the auditor level. Finally, all auditors are human and make mistakes as well.

Bottom line: it's alright to question your PCI auditor. This isn't about getting out of doing things that really should be done. It's about making sure you aren't unnecessarily wasting money, period. Ask them to justify their findings and recommendations. And seek a second opinion (from another auditor or a security expert) if need be.


Thursday, November 8, 2007

PCI Revisions, Adding Application Software Requirements

The PCI Security Standards Council announced another building block to its set of payment industry security standards. This one covers applications -- specifically those developed and then distributed to third parties -- that handle credit card data. A draft has been released (not publicly) for review. Final release is expected in a few months (Q1 2008). Official press release here. The official FAQ is here.

The new standard (called PA-DSS) is based on Visa's existing best practices for applications which can be found here (scroll down to the bottom and you'll find a link to the document or just click here). Thus, even though the new standard isn't released, one can get a preview by reading through that document.

Some more coverage here and here.

Key Points:

  • Does not apply to internally developed applications by merchants (but these are subject to PCI DSS still)
  • Based on existing Visa "Payment Application Best Practices"
  • Will be publicly released in Q1 2008

(I would also anticipate that a future revision of this standard, or a similar counterpart, will come out covering in-house applications).


Tuesday, November 6, 2007

177 Megawatt Solar Project in SLO County Announced

PG&E and Ausra just announced a 177 megawatt solar thermal power plant in San Luis Obispo County. It will cover one square mile (640 acres) near the Carrizo Plain. Nifty!

The local paper has a good article here. It will be built on private land. Other coverage here, and elsewhere.

Ausra projects that the power plant will create over 350 skilled jobs on-site during construction, and an additional 100 permanent jobs in the area. The plant will burn no fuel, use minimal water, and have no air or water emissions.

The CPUC application and related documents are here and here.

It sounds like the deciding factor as to the location was similar to what comes up when deciding where to build a data center. You can build one in all sorts of places, but proximity to {major fiber routes, transmission lines} can be a deciding factor because it determines whether the project will have a reasonable cost and ultimately be a success.

John O’Donnell, executive vice president of Ausra, said the site identified for the plant, north of Highway 58, is ideal for the project.

“In developing large solar power plants, the biggest problem is not finding the sun or the land, but finding a place where you can transmit the power,’’ O’Donnell said. “And one of the real shaping things in serving PG&E is looking at the California electric grid and for places where we could put power into the grid. The Carrizo Plain is a major transmission line. That was one of the biggest drivers.’’


Although these agreements dwarf the deal with Ausra, New Energy Finance analyst Nathaniel Bullard said that Ausra is well-positioned.

Other solar thermal energy projects such as Solel’s Mojave Solar Park, to be constructed in California’s Mojave Desert, will be far away from populated areas and the electric grid. Ausra’s plant, to be located about ten miles north of Carrizo Plain National Monument, may get less sun than the Mojave Desert, but it will be directly under a PG&E transmission line, O’Donnell said.

Ausra’s proposed plant will only need “850 feet to connect,” said Bullard. They’ll be able to “tap right into the electric grid. It’s a lot less expensive and it speeds up the process.”

The high cost of the feeder and trunk lines required to connect to the grid from a long distance are often well outside of a smaller developer’s range.


Monday, November 5, 2007

Thinking In Percentages Not Absolutes (Investing)

Question: Which hurts your investment portfolio value the most?

  • You own $10,000 worth of a mutual fund representing the Nasdaq Composite index. The Nasdaq Composite, which opened at 2,795, drops by 200 points by the time the market closes today. Headlines scream about a large market loss.
  • You own $10,000 worth of stock in a company, which opened at $8.00/share and falls to $7.20/share by the time the market closes today.

Choose your answer. In the next day or so I'll post my answer, an explanation, and why I highlighted this scenario.

Friday, November 2, 2007

Web Form Silliness and Inefficiency

Why o' why do I continue to come across web forms that ask for my phone number, in a free form field, that then error out if I enter dashes ("805-555-1212") because they require re-input without any dashes ("8055551212")? Isn't this the age of computers? Can't we be bothered to write the extra line of code to let humans input the data in the way most familiar to them? Can't we store the data generically and process it as appropriate for input/display? Aren't computers supposed to make data management easier? Wouldn't allowing the human to enter the data in a more familiar way reduce typos and errors?

The latest culprit was

Do any of YOUR web forms do this? Check now before you say no. :)

P.S. And, while I'm on the topic, why do we even bother asking for the state if we've already got the zip code? Heck, ask for the zip first and auto fill-in the city field too (I realize zip code to city mapping is sometimes erroneous, that's why I suggested just auto-filling the field, so the user still has the ability to edit it, on that one). Can't this all be looked up automatically? There are database downloads, web services, and CD-ROMs that make this information available, right? Why make it harder for people to do business with you? Why increase the chance of data errors?
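The "extra line of code" for the phone field, as an added example (not code from any site mentioned here): accept the formats people actually type, store one canonical form, and format it again for display. It assumes 10-digit US (NANP) numbers and strips only a short list of known separators, so anything else in the field is rejected instead of being silently deleted.

```python
import re

MAX_RAW_LEN = 32  # bound the work done on oversized or hostile input

# Separators people commonly type. Everything else must be a digit or a
# leading "+", otherwise the value is rejected.
_SEPARATORS = re.compile(r"[ \t().\-]")

# Optional country code 1, then area code and exchange that start with 2-9.
# [0-9] is used on purpose: in Python 3, \d also matches non-ASCII digits.
_NANP = re.compile(r"(?:\+?1)?([2-9][0-9]{2})([2-9][0-9]{2})([0-9]{4})")


def normalize_us_phone(raw):
    """Return the canonical 10-digit form of a user-typed US phone number.

    Raises ValueError when the input is not a plausible NANP number.
    """
    if not isinstance(raw, str) or len(raw) > MAX_RAW_LEN:
        raise ValueError("phone number is missing or too long")
    compact = _SEPARATORS.sub("", raw.strip())
    match = _NANP.fullmatch(compact)
    if match is None:
        raise ValueError("enter a 10-digit US phone number")
    return "".join(match.groups())


def format_us_phone(canonical):
    """Format the stored canonical value for display."""
    if not re.fullmatch(r"[0-9]{10}", canonical):
        raise ValueError("stored value is not canonical")
    return "%s-%s-%s" % (canonical[:3], canonical[3:6], canonical[6:])


def parse_phone_field(raw):
    """Form-handler wrapper: (canonical, None) on success, (None, message) on error."""
    try:
        return normalize_us_phone(raw), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs covering accepted and rejected forms.
    for sample in ["805-555-1212", "(805) 555-1212", "+1 805.555.1212",
                   "8055551212", "805-555-121", "805-555-1212; DROP TABLE x"]:
        print(repr(sample), "->", parse_phone_field(sample))
```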


Thursday, October 25, 2007

(Better) Invoicing & Time Tracking for Contractors/Consultants

UPDATE (12/23/2008): More than a year after posting the below, I'm still a happy user of FreshBooks. Gets the job done, is nice & simple, and gets out of my way.

When I set out on my own again, especially once the consulting gigs started to really pick up, I needed a solution to handle invoicing, time tracking, and accounts receivable management. In the past, I'd known myself to procrastinate (gasp!) generating invoices.

The procrastination was really the symptom of something else: I'd never really taken the time to automate the process. I'd started off on the wrong foot to begin with. I was tracking minutes in text files, adding them up manually, etc. Further, even if I'd used a fancy system to track and generate the invoices, I have this apparent aversion to addressing, stamping, and walking to the mailbox. Guess I'm just lazy.

So, a bit back, I spent a few hours seeing what was out there these days. Ultimately I settled on three (hosted Web 2.0-ish, if you will) solutions as the major candidates that met my needs:

After getting test accounts with each of them I ultimately went with FreshBooks. The main thing that did it for me was that FreshBooks allowed me to send paper invoices without actually touching a stamp, envelope, or printing anything. Yep, they mail it for me and even include the return envelope with my address!

I do actually send all of my clients e-mail invoices -- since that has become much more acceptable these days -- avoiding hard copy whenever possible. However I like having the option and it can also be handy when someone is taking their time paying.

Technically, FreshBooks doesn't e-mail the invoices but sends out an e-mail with a URL that contains the invoice. While others include the invoice in the actual e-mail, I have found it nifty that FreshBooks' approach allows me to see who has viewed their invoice (and they even provide an RSS activity feed to track client invoice reads!).

Since going with FreshBooks, all three billing solutions have added plenty of functionality. And Cashboard, which was in beta when I first looked at it, is now out of beta. I may re-look at each of them at a later date, but I really am pretty satisfied with FreshBooks for the moment.

If you suspect you spend too much time on invoicing, take a look at what's out there these days!


Sunday, October 21, 2007

(Still) Seeking Good Ethiopian Coffee

My brother (and his former employer) introduced me to Ethiopian coffee a bit back. The drinkable kind, not to be confused with the really well named Ethiopian soccer (football) team. :) Both fortunately and unfortunately, wine, beer, and coffee have a lot in common.... There are endless origins, variances from lot to lot, different year crops, etc. And the capabilities of the roaster and the way it is handled from the vine to the cup all matter a LOT. The best and most distinct tasting coffees can usually only be found at smaller coffee roasters (Larger roasters and chain coffeehouses can't scale the more unique coffees due to their volume requirements).

Anyhow I'm pretty certain I was spoiled and introduced to a really good sample during a very very good year. Lately, I've tried to replicate that flavor with newer lots both from self-roasted coffee (from Sweet Maria's) and various coffeehouses. I've been drastically disappointed.

One common attribute often cited with Ethiopian coffee is a "blueberry" flavor element. I'm not talking about an artificially flavored coffee here, this is a natural characteristic. Well, there's none of that -- or at least nothing like what I got from the Ethiopian coffee from 2DogsCoffee (where my brother used to work) a year or more ago.

The good news is that Sweet Maria's just got in two new Ethiopians:

That's good because the last three I bought a month or two back weren't doing my memory justice (note: part of it may be my self-roasting not being up to par -- I'm an amateur roaster).

Looks like I'll be placing another order for some samples soon!

For those curious about self-roasting: It's easy! If you can pop corn then you can roast coffee. I've been known to roast my own coffee from time to time. First with a regular old popcorn air popper and now with a Fresh Roast Plus, which is still really just a glorified popcorn popper. Takes about five minutes. Sweet Maria's (where I buy my raw unroasted green coffee beans) has a resource if you want to read more about roasting your coffee.

Wednesday, October 17, 2007

Sanitize All Possible Inputs

If you write applications, well, it's not just public web form input that needs to be sanitized...



Tuesday, October 9, 2007

California and SLO County School Connectivity (and Ideas!)

According to this data posted by K12HSN, 17% of schools state-wide are connected to the Internet (and, in turn, Internet2) at 100 Mbit/s or higher. What I found nifty is, upon zooming into the local schools here in San Luis Obispo County, that number jumps to 67% (fifty seven out of eighty four). You can see other data for SLO here. (You can zoom in on other areas of California there as well). With this foundation, some intriguing possibilities now exist.

Quick background: K12HSN is a state program funded by the California Department of Education, providing Network/Internet connectivity and related services to K-12. Through K12HSN, schools get access to CENIC/CalREN and, as a result, Internet2 as well as, of course, the Internet. CalREN, the California Research and Education Network, is specially designed to meet the unique requirements of these communities, and the majority of the state's K-20 educational institutions are connected to it. CENIC oversees CalREN and coordinates other related services for California public educational institutions. Internet2 is an R&D platform, for various research institutions both public and private (and, if you're under the impression that Internet2 is just about high speed connectivity, a bunch of network geeks, and some talk about tele-medicine, look here as well as some of the following links to see how it's being used in the performing arts).

With this as a backdrop, interesting possibilities have emerged for local K-12 students. Here are some ideas:

  • The SLO County Office of Education could host an Internet2 Day where research projects and applications are demonstrated to promote awareness and spur ideas in the minds of researchers (read: students, teachers). Projects/applications discussed and demo'd might include collaboration, health sciences, arts & humanities, and science & engineering. It would reach across all disciplines.
  • The "economies of scale" necessary to have live expert guest lecturers teaching students statewide via video conferencing (and here). I'm talking about having the top professors, researchers, artists, politicians, etc. speak live to students across the state and have the capacity to take real-time Q&A from students. Sure beats watching a passive recorded video on television! And it's sure to intrigue students who might easily overlook great thinkers sitting still on a textbook page in front of them. You get the benefits of serendipity, live action, interaction, and young minds all rolled into one. This same infrastructure could be used to publicize to the larger student body things like state-wide competitions, which, at least traditionally, only the local and regional winners of contests have been able to visit when they head off to compete at the higher level. Why not spread the inspiration around?
  • Got more ideas? Post 'em!
How about it?

Monday, October 8, 2007

Can Technology Geeks Be (Good) Managers?

If you are a technology geek currently serving as a manager, you better figure out how to become a business manager, if you intend to lead a successful IT department, group, team, or project. You owe it to yourself, your direct reports, whomever you report to, your colleagues in other departments, and your company. You will get a bigger budget, better compensation, more respect from all of your constituents and stakeholders, greater cooperation for your projects to help them be more successful, and greater satisfaction from your career.

It's not all bad for the technology geek turned manager though. If you can grasp the business side, by taking a bit of initiative to learn it, and combine that with technology savvy (even if you let your direct reports worry about the deep down details) you can have the best of both worlds. The last thing technology geeks want are clueless managers. It doesn't matter whether they are clueless about business or about technology -- they are still going to make things more difficult, albeit unintentionally, for their employees.

IT managers should know how to write business plans, prepare budgets, use financial concepts competently (such as the difference between cash flow and profit, and present and future value calculations), tie projects to business objectives, communicate and be held accountable in business terms, systematically assess and explain risk and uncertainty in ways that relate to the overall business, and communicate with non-technology management about strategy.

This doesn't mean you need an MBA. If you don't understand all of these concepts there are options:

  • Take a basic accounting course (or two) at your local community college
  • Sit down with your CFO, controller, or accountant and ask for some tutorial sessions
  • Buy some books. Ask your CFO, controller, or accountant for some recommendations (and get them to promise to answer your questions if you take the initiative by reading the books they suggest).
  • Ask your CEO if you can peek at the organization's overall business plan. Afterwards consider and discuss how your department, group, or project fits into the bigger picture. Ask if there are ways you might better consider and communicate your group's vision, goals, successes (and, yes, failures too) as part of the bigger picture.
  • I'll also try to highlight, in a future post, some specific resources that have helped me out.

Sunday, October 7, 2007

Relationship Management for Non-Profits (Software)

This software package, CiviCRM, looks promising. It is an implementation of a "Customer Relationship Management" solution, but for organizations that don't really have customers in a commercial sense but still have plenty of relationships to manage. It's a bit like SugarCRM or but designed for not-for-profit type entities.

If you are involved in a non-profit agency that takes donations or has volunteers, this software may help you optimize your relationships, boost your effectiveness, and provide some dashboard like functionality for managing your organization. Well, that's the theory anyhow. :-)

It appears to have an active community and developers. And a good amount of documentation, a FAQ, a blog, and user forums. All signs that bode well for a sustainable open source project, since many applications die off without achieving critical mass.

I have not used it. I ran across it while researching some other software. Since I know folks involved in managing several non-profits, I wanted to give them a heads up to explore further. If anyone takes a closer look please let me know how it goes!

CiviCRM: A Free and Open Source eCRM Solution

CiviCRM is the first open source and freely downloadable constituent relationship management solution. CiviCRM is web-based, open source, internationalized, and designed specifically to meet the needs of advocacy, non-profit and non-governmental groups.

CiviCRM is a powerful contact, fundraising and eCRM system that allows you to record and manage information about your various constituents including volunteers, activists, donors, employees, clients, vendors, etc. Track and execute donations, transactions, conversations, events or any type of correspondence with each constituent and store it all in one, easily accessible and manageable source.

CiviCRM is created by an open source community coordinated by CiviCRM LLC, and the 501c3 non-profit Social Source Foundation.

There is an (amateur but it'll give you an idea) Introduction to CiviCRM video and some others here.

Wednesday, October 3, 2007

Local company, Shopatron, gets $6m in Additional Funding

Congratulations to the folks over at Shopatron, a nifty San Luis Obispo (California) based company. Until relatively recently, they were called Firepoppy while Shopatron was the name of their primary product. They have picked up some additional capital and continue to be working hard on solving problems in their niche.

Shopatron solves problems for manufacturers that don't or cannot sell their products directly, namely connecting their customers (say, visiting their web site) with their retailer/distributor network. They do it in a way that is conducive to the customer's desire to "buy now", with fewer hops to jump through, and make it a win-win all around (win-win-win, uh, win, really).

It's one of those niches that makes a lot of sense once you hear about it and they've been working hard at perfecting it for a number of years now. And, since they are so focused on solving one particular problem space (and it's a real one at that, as best as I can tell), rather than solve every interesting opportunity that they run across haphazardly, they are sure to be successful.

Congrats Ed, Sean, Dave, and the rest of the crew over there.


Digium (Asterisk) Is Sending Busy Signals

Digium, the commercial company behind the open-source Asterisk IP PBX, has been ultra busy of late. They came out with a self-contained hardware based Asterisk appliance targeted at developers, telephony carriers, etc. to build custom IP PBXes for their customer bases. They followed this with a full blown out-of-the-box installable hardware IP PBX appliance (the AA50) intended for the mass market. They bought SwitchVox, a leading IP PBX appliance vendor with some nice innovative user interface and functionality features, then announced a deal with 3Com who will be OEM'ing their appliance as the foundation of their IP PBX offering.

Digium has been selling components, such as cards to interface with the traditional phone network, development and support services for Asterisk, and commercial licenses for vendors OEM'ing Asterisk code into their own PBXes and other telephony applications for several years now. Now, it's time to get serious I guess.


Tuesday, October 2, 2007

A Promising New Book: The Pragmatic CSO (Chief Security Officer)

Last week I ran across a book I had not seen before. From the looks of things it reasonably could have been entitled "The Pragmatic CIO/CTO/IT Director/IT Engineer/IT Consultant". It is actually called The Pragmatic CSO. CSO stands for Chief Security Officer. Even if your organization doesn't actually have a CSO, there is a de facto one -- whoever is in charge of IT.

Since anyone within the IT group involved in spec'ing solutions needs to have a connection to the underlying business drivers in order to get buy-in from management for their project to proceed, this book ought to be useful to IT manager and geek alike. At least those that want to see their budget requests approved. :-)

This appears to be a promising resource with some good food for thought and practical approaches all collected together in one place. And, to boot, the approaches that look to be discussed should be readily applicable beyond IT security, to any IT project. No IT project proposal will get very far without a business case.

The book's web site is It is available as a regular book or electronically. You can get a sample section e-mailed to you from the web site. Or you can d/l the introduction chapter directly here:

I have only read through the Table of Contents and Introduction and poked around at a few reviews at security blogs I monitor. If anyone else gets a copy and reads through more of it before me, please share your comments.


Friday, September 28, 2007

Running MacOS X on a Generic (non-Apple) x86 PC

Uh, nifty. Of course, no one reading this entry would ever do this because it violates Apple's EULA (even if you bought a Mac, deleted its copy of MacOS X, and installed from its media onto your, uh, alternative hardware). Nah, none of you would ever do that. Nope, won't happen.

Sunday, September 23, 2007

Dying 47-Year-Old Professor, Randy Pausch, Gives Exuberant ‘Last Lecture’

I just finished watching an all around nifty guy, Randy Pausch's, well, probably last lecture. :-( He is currently a professor at CMU. His specialty is human-computer interaction, such as virtual reality. He has done work with Disney and EA. Among other accomplishments, his most recent is Alice, which is an innovative and pragmatic educational programming language[1]. He was recently diagnosed with a dire case of cancer. This lecture was about achieving your childhood dreams -- and helping others achieve theirs. For a guy that knows he is about to die, he's got a great attitude about his life -- and life in general. Certainly, if we're looking for people to draw clues from in living our own lives, he's up there.

His wikipedia entry already has a brief overview and link to the video of the full lecture (1h:45m or so) so no reason for me to re-invent the wheel:

Professor Randy Pausch delivered his "Last Public Lecture", entitled "Really Achieving Your Childhood Dreams" at Carnegie Mellon University on September 18, 2007 [5] (the full version of which is viewable at

During this lecture, Randy Pausch was very upbeat and humorous, rapidly switching between standup comedy, insights on computer science and engineering education, advice on building multi-disciplinary collaborations, working in groups and interacting with other people, offering inspirational life lessons, and doing one-handed push-ups on stage.

This talk was modeled after an existing series of lectures where top academics were asked to think deeply about what matters to them, and then give a hypothetical "final talk", i.e., "what wisdom would you try to impart to the world if you knew it was your last chance?" And in Randy's case, this was more than an academic exercise.

Before he even started speaking, Randy got a long standing ovation from a large crowd of over 400 colleagues and students. When he motioned them to sit down, saying "make me earn it", some in the audience shouted back "you already did!".

Andries van Dam (a professor from Brown University) followed Randy with a tearful and impassioned speech praising Randy for his courage and leadership, calling him a role model and "a Mensch" (which in Yiddish means "someone to admire and emulate, of noble character").

Electronic Arts Inc. (maker of the popular "Sims" family of computer games with over 100 million copies sold) is now commercializing Randy's Alice system (, and pledged to create in Randy's honor a memorial scholarship for women in computer science, in recognition of Randy's staunch support and mentoring of women in CS and engineering.

The president of CMU (Jared Cohon) spoke emotionally of Randy's humanity, and called Randy's contributions to CMU and to education "remarkable and stunning". He then announced that CMU will celebrate Randy's impact on the world by building and naming after Randy a raised pedestrian bridge that will connect CMU's new Computer Science building with their Center for the Arts, symbolizing the way Randy linked those two disciplines. It will be called the "Randy Pausch Memorial Footbridge".

Professor Pausch was named "Person of the Week" on ABC's World News with Charles Gibson on September 21. His last lecture has also attracted wide attention from the national media.

[1] Alice is designed to appeal to specific subpopulations not normally exposed to computer programming, such as middle school girls, by encouraging storytelling through a simple drag-and-drop interface.

Thursday, September 20, 2007

Who Surveys the Surveyors?

(Questions That Every Survey Should Ask)

Four out of five times I'll just toss out those surveys that get printed on the receipts from retailers, restaurants, coffeehouses, etc. If I'm looking for a distraction (or remember that I stashed one in my wallet the next time I'm there while I'm standing around in line anyhow) and the freebie I get for doing it entices me, I'll do one.

It's pretty frustrating to be willing to provide feedback only to discover the survey is your main gripe about the establishment. Based on my survey experiences, one of the following queries should be appended to every survey any company ever does. They basically all boil down to: "Did this survey suck?"

Q: On a scale of 1 to 5, how would you rate the friendliness of this survey?

Q: On a scale of 1 to 5, how would you rate the length of this survey?

Q: On a scale of 1 to 5, how would you rate the clarity of this survey?

Q: On a scale of 1 to 5, would you be likely to take a survey like this ever again under the same pretenses?

If it's a written, online, or in-person survey (difficult to do with an automated phone survey) they might even ask something like: Do you have any ideas about how we might make this survey better?

If I had a great experience otherwise, well, we can all spell i-r-o-n-y, right?


Wednesday, September 19, 2007

Verifying Your Financial Advisor's Advice - Service provides watchdog for investors

See article @

This is an interesting idea (follow article link above or see excerpts below). I think there might be some other ways of implementing this that could be even more useful but I certainly agree with the sentiment. And, for the price, it's a cheap second look at things to make sure you are not entirely getting simply "told a line" by your broker, financial advisor, financial planner, etc. while still being more formal than getting your friend "Bob" to take a quick look at your portfolio. Mostly what caught my eye was seeing another way for more folks to easily get a second set of eyes looking at their portfolio, ideally in a quasi-independent and professional manner, especially without the hired trying to take a big bite out of it themselves.

While it's not stated outright, it sounds like he's doing Monte Carlo simulations, so he's contrasting one's existing portfolio with a group of model portfolios of various supposed styles that have been back tested with historical data to supposedly ascertain their "risk". (The more mysterious part, at least to me, is just how to ascertain an individual's "risk" tolerance, which can be taken to mean many different things -- and whether that is even as relevant as the size of their portfolio relative to their overall net worth and their timeline for needing the principal back, but that's a digression for another day).

To compare this with another industry, this service is a bit like the automated security scans from the likes of ScanAlert (with the green "Hacker Safe" shield logo) that IT folks responsible for e-commerce sites have grown accustomed to. The results can be useful, sometimes annoying, but they also just might not mean anything. You still need to know their basis and how to interpret them for your particular environment.

Anyhow, it's not a perfect method but it's a start.


David Donaldson plans to revolutionize the investment industry by bringing accountability to financial advisers.

“I just can’t stand when I see people who are individual investors who get taken advantage of,” Donaldson said. “My goal is to be kind of a watch dog to make sure financial advisers are doing their job.”

On Aug. 27, he announced the launch of Advisor Check, a service that analyzes investment portfolios so that individual investors can see whether their financial advisers and asset managers are addressing their personal investment goals. Donaldson is the managing director and senior portfolio analyst for Advisor Check.


“It turns out what we found is a majority of people really want someone to give them a second look at their portfolio, but are afraid that if they go to someone else like a financial adviser, they’ll just be told what they want to hear,” Donaldson said, adding that he rushed to launch the service officially because of the current volatility of the market.


“I would say that about 79 percent of the portfolios we look at are improperly allocated and expose clients to more risk than they actually need to be taking,” Donaldson said.

Donaldson offers his clients an unbiased, third-party analysis. In order to avoid any conflict-of-interest, he does not offer advice or sell any services beyond a comprehensive portfolio analysis.

“If anything, it gives [investors] the ability to ask the right questions” of their advisers, he said.

“It gives financial advisers – if they do a good job – a lot of kudos for what they do, but if not, it’s a good reality check for them,” Donaldson said.


Monday, September 3, 2007

Musings About Office Space

I've been seriously considering getting some office (or at least desk) space lately. The problems are: (1) I'm cognizant of some folks who have bitten off more than they can chew too soon (2) I'm a bit of a cheapskate (3) I'd like to have more income coming in first.

On the other hand (1) I'm a firm believer in investing when the benefits are identifiable. There is a difference between being cheap and being prudent. (2) I've got several business venture ideas that I'd like to get more serious about (3) I'll always want a bit more income (4) There is reason to believe having dedicated space would allow for more income in and of itself.

For the last ten months or so, I've been working out of my home and a variety of local coffeehouses with wireless Internet. Until recently this has been a Good Thing. No (extra) rent, no commute, and no dress code. Since most of my work during this time period has revolved around one or more of the following this has made a fair amount of sense:

  • freelance technology consulting
  • research
  • business analysis and planning
  • investing
  • reading
  • thinking
  • drinking coffee
I've been teetering on the edge of late though. I'm coming to the realization that it may be starting to be more costly to not have a distinct working environment. Besides the clearer work/home boundary I expect I'd get the following benefits:
  • Greater focus and comfort
  • The ability to yell across the room back and forth with associates/partners
  • In-person brainstorming sessions and greater in-person serendipity
  • A white board
  • Freeing up space at and removing clutter from home
  • The ability to leave what I'm in the middle of working on spread out, on my desk, so that I can jump right back in next time I'm back at my desk
  • And, in a very real sense, a nice constructive kick in the ass to get moving forward (due to the monthly mortgage/rent payment and other obligations related to having the desk/office space)
Ultimately some other benefits will accrue:
  • I'm also nearing a point where I may be involved in several different ventures at once.
    • With others potentially involved, and some resource sharing between the businesses, it would be convenient to have all this together in a single place.
    • The ability to rapidly test out new ideas, which may require some physical space for various reasons
  • Room to build a lab environment
  • Room to have ad-hoc private uninterrupted meetings, including with outside folks
  • Our own espresso and bean roasting machines so we can ensure high quality sustenance
  • Wall space to hang up useful stuff
    • reference material
    • motivational / success related quotes
    • posters of hot chicks (I meant pictures of my wife, of course) :-)
And, having entirely my own office space, would allow for some other interesting opportunities to be experimented with:
  • Hosting co-working environments
    • "Coworking is a movement to create a community of cafe-like collaboration spaces for developers, writers and independents."
    • Technology and Media Geeks and other independents/freelancers; Entrepreneurs; Small one to four person start-up launch pad, etc.
    • Accelerating serendipity
    • Networking - business, personal, funding, brainstorming, clients, partners, advice, assistance, support
  • Hosting/supporting interesting social/community events
    • Movies, taco nights, demos, video viewings, book releases, art showings, customer/client parties, coding parties, design parties, etc.
    • Local non-profit and industry events (e.g. Softec)
    • Fundraising events for interesting causes (e.g., SLO Food Bank)


Friday, August 24, 2007

Getting a Network Lab on the Cheap

A network lab is useful for all sorts of things. Unfortunately really good labs can be expensive to put together. Over the years I've developed some alternatives that have worked well for many situations. This is still in informal draft format but I don't know when I'll next get a chance to clean it up. I think some folks may find it useful as is so I'm going ahead and posting it now.

Here are my strategies:

  • Emulators
    • There are Cisco hardware emulators that allow you to run IOS and PIX/ASA images. This has also been known to be possible with other vendors from time to time, sometimes officially offered by the vendor and sometimes not. I suggest a Google search for something like "vendor emulator".
      • Dynamips (Cisco hardware emulator that runs your provided IOS images for the 3800, 7200 and other platforms).
      • PEMU (Cisco 525 PIX hardware emulator that runs your provided PIX OS image)
      • Versions for Linux and Windows of the above
    • These emulators often run in their own VMs so, for example, it's possible to set up an entire lab of Cisco devices on a single laptop or desktop and have the emulated devices all "connected" to each other purely in software. e.g.
      • 2 x Cisco PIX 525 + 2 x 7200 NPE-400
      • ....on a 1.4Ghz Celeron laptop
    • Don't expect to do performance testing with emulators, but they are often fully functional (the Cisco emulators run actual IOS and PIX images, whichever ones you provide), so you can build testbeds that closely resemble your actual network, including testing actual config changes, etc.
  • Vendor and reseller online accessible demo environments
    • These are nice for poking around and following along as you read through their manuals. Sometimes you can't change things but you can usually get as far as saving your changes -- which is good enough for many situations.
    • Can also be useful to see what newer versions of firmware look like, before you upgrade, since vendors usually keep their demo units up to date
    • Do Google searches for "myvendor demo", "myvendor demonstration", etc. e.g.
  • Quasi-Public looking glasses
    • Telnet reachable looking glasses / route servers / traceroute servers
    • Web-based
    • usually Cisco, Juniper, and some Zebra-based Linux/BSD boxes
    • Not as useful as other methods but sometimes can view live info you might not be able to simulate elsewhere such as large BGP tables
  • Rack rentals -- rented remote network lab racks (most often rented in 4-6 hour chunks, designed for folks studying for certifications such as CCIE)
    • as cheap as $10 for a 4 hour block (!!!)
    • check eBay for low cost rentals
    • check Google for others -- there are many so prices are pretty competitive
    • search for "CCIE rental" for Cisco rentals. Similar ones exist for Juniper and other vendors with certification programs.
    • since folks studying for higher end certifications, such as the CCIE, require pretty elaborate labs these "rack rentals" give you access to some incredibly large and higher-end equipment
  • Quasi-public environments (left open by accident? Sometimes folks leave their mgmt interfaces open intentionally, accidentally, or, hopefully, just the read-only modes)
    • When evaluating Axis cameras a while back, I did some Google searches and turned up a bunch of cameras left open to the public.
    • Hint: For web-based GUIs, figure out a unique portion of the text string that is usually in the HTML title and search for it using Google's "intitle:" command.
  • Try and Buy promotions
    • Many vendors, especially the smaller and more aggressive ones, are pretty open about letting folks try their products out for a month or so. Many times you can even talk 'em into holding onto them a little longer if you keep in touch with them, let them know you are evaluating for future purchase, etc.
    • Helps to have a business entity, be a "consultant" (state outright that you regularly recommend equipment to clients, if that's the case, since that piques the interest of most sales folks). Even better is a tax reseller ID I suppose (I don't resell hardware so haven't taken advantage of this last bit before but I've been asked by sales folks when evaluating hardware who I imagine like to encourage new potential sales channels).
  • Purchasing standby spares
    • Spares bought to have for on-site swap-ins in the event of hardware failures can be used (carefully!) for lab work. Just be careful not to break, lose, or otherwise leave your spares in a state that hurts their real function.
  • Purchasing, borrowing, decommissioning lower-end but current enough models
    • Older models, that may or may not be end of sales status by the vendor, may be available cheaply. It's all about eBay.
    • Upgrading production devices and retaining the older models that get pulled for the lab (previously sunk cost, easier to justify over spending more $$$ on lab equipment)
    • A maintenance window for a non-critical office/PoP or during a time window (e.g., after 5pm, or 2am-6am or whatever) that is acceptable in your environment. Then temporarily doing the testing/evaluation/learning with this equipment before returning it back to production state. This isn't ideal but works better than "learning" on a more important part of your network at the same time you are intending to go live with the changes.
  • Out of date models that people are giving away
    • For some needs, "free" equipment is enough, especially when first learning about a new device when just getting the basic look and feel of the command line or GUI is the focus. Spend money only when you get a bit farther along -- after all many times projects get delayed mid-stream anyhow so why buy new lab equipment only to have it sit and collect dust for the next few months until you get around to working with it (and probably frustrating your boss who you convinced to spend money on it now rather than later).
  • Borrow from a colleague
    • Call your colleagues at other organizations. Often they've got some extra hardware sitting around that they are willing to lend.
    • If you break anything make sure you tell them upfront and replace it (been there done that, with an awful hardware problem in a modular router that, best as we could tell, took out one of the test chassis in addition to the problematic one due to some weird short on a removable module we pulled from the busted chassis to test in the known good chassis).
  • Borrowing under vendor hardware replacement and support contracts
    • If you have a current hardware replacement or support contract with your vendor, you can explain your particular situation and sometimes have them do you the favor of lending you equipment temporarily.
    • In a near-emergency, if you have an advanced hardware replacement contract, you can consider having a "failure" then sending the advanced sent hardware back when you're done with it. Don't abuse this too much. Might be acceptable under some circumstances. Make your own judgment.
  • Hosted x86 Virtual Machines
    • usually VMWare or Xen based (not that it matters much to the end-user)
    • can boot up various OSes on-demand, cheaply
    • some hosting companies will let you rent on short-term basis (e.g. Amazon EC2 Xen-based VMs charge by the hour and don't charge you while your VM is "shutdown/turned off")
    • Good for adding hosts to your test lab (nobody ever said a useful lab had to be physical)
    • Combined with network device emulators, discussed previously, makes it possible to do some crazy stuff
      • Want to simulate a 50 router nationwide network of Cisco 7200 class routers? Get a usage-based VM hosting account and install Dynamips.... It'll cost you something like $20 to get access to 50 VMs for four running hours via Amazon EC2
    • If you've got some real equipment you want combined with your virtualized equipment, remotely hosted x86 VMs, etc., then build a VPN overlay to connect things up the way you want. The VPN can be an invisible transport layer for your lab network if you want or it can be part of the lab network itself.

Wednesday, August 22, 2007

Routers, Switches, and Firewalls: Marketing Benchmark Numbers versus Reality

A consistent problem when reading datasheets for networking devices (routers, switches, firewalls) is that the throughput numbers offered by the vendor are not useful without context and are coming from a biased source. Today I happen to be reading through a SonicWALL firewall datasheet and I notice a reference to RFC 2544 in the fine print:

**Testing Methodologies: Maximum performance based on RFC 2544 (for firewall). Actual performance may vary depending on network conditions and activated services
***VPN throughput measured using UDP traffic at 1280 byte packet size adhering to RFC 2544
****Throughput measured using HTTP throughput test
Well, RFC 2544 has apparently been around since 1999. It suggests a framework for a standardized methodology for benchmarking networking devices. I'm not sure why I've never come across it before. (Note: I haven't read through it yet so I'm not endorsing it).
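To show why the packet size in that fine print matters, here is an added example (not from the datasheet or the original post). It rescales a throughput figure quoted at one frame size to the other Ethernet frame sizes RFC 2544 asks testers to report. It assumes the device is limited by packets per second rather than bits per second, treats the quoted size as an Ethernet frame size, and uses a constructed 75 Mbit/s figure.

```python
# Ethernet frame sizes RFC 2544 asks testers to report (bytes, including FCS).
RFC2544_FRAME_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)

# Bytes each frame occupies on the wire beyond the frame itself:
# 8 bytes of preamble/start-of-frame delimiter plus a 12-byte inter-frame gap.
WIRE_OVERHEAD = 20


def line_rate_fps(link_bps, frame_bytes):
    """Theoretical maximum frames per second on an Ethernet link."""
    return link_bps / ((frame_bytes + WIRE_OVERHEAD) * 8)


def implied_pps(datasheet_mbps, frame_bytes):
    """Packets per second a device must forward to reach the quoted figure."""
    return datasheet_mbps * 1e6 / (frame_bytes * 8)


def rescale(datasheet_mbps, quoted_frame_bytes, link_bps):
    """Estimate throughput in Mbit/s at every RFC 2544 frame size.

    Assumption (not from any vendor): forwarding cost is per packet, so the
    packet rate implied by the quoted figure is the ceiling at every size,
    further capped by what the link itself can carry.
    """
    pps = implied_pps(datasheet_mbps, quoted_frame_bytes)
    table = {}
    for size in RFC2544_FRAME_SIZES:
        fps = min(pps, line_rate_fps(link_bps, size))
        table[size] = fps * size * 8 / 1e6
    return table


if __name__ == "__main__":
    # Constructed datasheet figure: "75 Mbit/s at 1280-byte packets" on Fast Ethernet.
    quoted_mbps, quoted_size, link = 75, 1280, 100e6
    print("implied packet rate: %.0f pps" % implied_pps(quoted_mbps, quoted_size))
    for size, mbps in rescale(quoted_mbps, quoted_size, link).items():
        print("%5d-byte frames: %7.2f Mbit/s (link max %6.0f fps)"
              % (size, mbps, line_rate_fps(link, size)))
```

Under that assumption the same device that earns the headline number at 1280 bytes moves only a small fraction of it at 64-byte frames, which is why a single throughput figure without its frame size says little.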

Thursday, August 16, 2007

I Don't Know. Really.

Sometimes we don't really know the answer but pretend we do. In fact, sometimes may be an understatement. Not knowing the answers -- or having enough data to have an informed opinion -- but pretending we do is not the foundation upon which to have a discussion to help yourself or someone else arrive at a more informed opinion.

This is particularly important with complex worldly issues (say, geopolitical problems that have the potential to create wars). Few of these types of issues have truly black and white answers. The "truth", such as it is in these cases, often lies within carefully selected -- yet still meaningful -- nuances that can only be honed after significant study and analysis.

Best case, we come off silly. Worst case, we, well, kill a few people. Thankfully we're all adaptable and like to better ourselves. So we can get better at all of this.

Get out there and vote but become truly informed first -- don't just sound informed to those that already agree with you. Be able to have an honest opinionated discussion with folks that don't agree with you and still walk away with an understanding of where they are coming from. If you can't do that, you probably don't know what you're talking about -- and should get back to reading, researching, and thinking before opening your mouth.

Anyhow, the excerpt (along with watching lots of West Wing episodes) that inspired this post (even though it was talking about managing software projects) is below:

True Factors

Next time someone tries to pin you down for an exact answer to an unknowable question — whether it's for a deadline date, a final project cost, or the volume of milk that would fit in the Grand Canyon — just start by taking the air out of the room: say "I don't know."

Far from damaging your credibility, this demonstrates the care you bring to your decision-making. You're not going to just say words to sound smart. It also levels the playing field by reframing the question as a collaborative conversation. By learning how exact your estimate needs to be (and why), you can work together to develop a shared understanding about the true factors behind the numbers.

—Merlin Mann, creator and editor of

Tuesday, August 14, 2007

More To Lose, Priceless Lessons

....and Why Wealth Is Best Acquired Neither Easily nor Difficultly
....and Personal Financial Literacy

I manage my own investment portfolio. For the most part, other than experimentation for educational purposes, I keep things pretty simple. I don't short stocks. I ignore options. My interest in the performance of the major indexes (e.g. Dow Jones Industrial, NASDAQ Composite, S&P 500) is mostly for entertainment purposes. I rarely consider fixed income securities (e.g. bonds, treasuries, etc), except during unusual situations when, effectively, due to the thesis of the investment in question, it really isn't a fixed income investment I'm making. I take long-only, and usually long-term oriented, positions in publicly traded stocks. Fractional interests in real businesses. Plain and simple.

My present approach, and seemingly most likely to remain permanent (though it will continue to go through maturity spurts as all good conclusions should), is based on quantitative fundamentals (i.e. the numbers on the balance sheets, cash flow, and income statements) combined with deep qualitative analysis. Purchase and sale price determination is based on a value-driven approach somewhat akin to Benjamin Graham, Warren Buffett, Third Avenue, Longleaf, Sequoia, Mohnish Pabrai, and others. The math is not rocket science. In fact, if it wasn't for the surrounding analysis, my eight year old could probably be taught how to do it. If I have to whip out spreadsheets and make lots of assumptions it's probably not the investment for me.

Call me old fashioned, but I invest to make money and that also means doing so as efficiently and effectively as possible. I see no reason to look at higher branches when there are inevitably enough low hanging fruit around (which also happen to be where I'm less likely to break my neck if I slip and fall). I enjoy investing but I also have plenty of other things I enjoy spending my time on.

With varying degrees of success I've been doing this for the last decade. Unfortunately it wasn't until the last two to three years that I finally really had enough of the pieces together to be able to deliberately and confidently make transactions in which I could be more certain that the outcome was due to my careful analysis over simple dumb luck. So my lessons have been both highly profitable and, alas, combined with others, highly expensive. i.e. I'm not (economically) wealthy yet. :-)

I wouldn't take any of it back though for anything. Not even a million dollars. Why? Glad you asked. :-) Two main reasons, more to lose and priceless lessons, which are sort of just opposite sides of the same coin. You see, if I'd started with a million dollars the lessons would have been proportionally that much more expensive. Investing is a cumulative learning activity where you can learn a lot from your mistakes and where constant reading, honest reflection, and careful analysis are necessary. It's also useful to have a long-term perspective and understand that short-term performance is not something that can actually be extrapolated from in estimating long-term performance. (Side note: Rarely do things go quite as planned, especially so in the short term. In the longer term, things are usually closer to plan. So, uh, plan accordingly?).

If I had started with a million bucks I'd not only be much poorer than I once was (relatively speaking) but I'd also have spent even more on those priceless lessons I've learned along the way. Worse, I might have been just too risk-averse to even learn some of the lessons I have -- after all there would have been more to lose. The lessons may have been priceless but it's still much easier to earn a few thousand (or tens of thousands) back than a million or two when you have to start all over from zero again.

Another thing I like about this path is that extreme wealth, without having great and painful lessons along the way to achieving it, can often make one too conservative and controlling and naive for their own long-term economic good. For example, having all your capital tied up in fixed income securities forever won't do much for increasing your buying power. (Or, I suppose, not being controlling enough is also a problem if you are a spendthrift partier which is really the exact same problem manifest in a different form).

Even if one has painful -- but useful -- lessons one may still not reflect upon them properly and/or for some reason or another not behave economically rationally when the rubber actually meets the road. Unfortunately the same is true for most of us who have never truly achieved significant wealth. We usually have incorrect or irrational attitudes about money and wealth, managing it, saving it, growing it, etc. We are just as bad as many of the folks that inherit their money without good parental financial teachings or, at least, innate (rare) financial intuition. We just aren't quite as first-hand knowledgeable that we're pissing all our wealth away. i.e. We don't have the historical memories of seeing all the zeroes in our bank account balances and thus we are even less convinced we even have the potential to have larger bank accounts ever -- let alone again. We're more ignorant of our potential because we didn't have it once then lose it (yet). :-)

While you can't deposit potential in the bank, having it and not capitalizing on it (oh, a pun, heh) is just as awful as already having lots of wealth and pissing it all away. And, if you really stop to think about it, it probably hurts just as bad too.

I suppose the conclusion is that becoming wealthy should not be too hard nor too easy and it's important to pay attention to the hard learned lessons along the way without getting too down on oneself. At least if your goal is to achieve wealth and "keep" it.

Unfortunately, probably much to the chagrin of economists, we humans are not economically rational beasts as a rule. We're so full of exceptions, biases, heuristics, assumptions, etc, at least if my own experience is of any commonality, that I couldn't even begin to comprehend what rules we all do operate by. Collectively we're fairly economically rational but individually we're not so much. In some ways, that explains why wealth, at least great wealth, tends to collect in fewer hands rather than being broadly dispersed. This seems true not only within wealthy societies but geopolitically as well, as best as I can tell.

So, anyhow, this brings me to the one investment, wealth, and personal finance related topic that I have been struggling with. You see, I get freaked out a lot these days when I talk to friends, family, and various other folks about their investment portfolios. Not because I think I'm super smart investor guy whose feet everyone else should bow to. Feel free, however. j/k :-). I just happen to have already learned the hard way (and, because I discovered a deep interest, and tried to take it up a notch as well, I'm ultra-aware of this problem domain).

Let's get more specific. It's not uncommon to hear that someone has bought some stock for their portfolio and their reasoning -- and it's usually the extent of it -- is that it's a "cool company", "someone I know told me about them and I trust their judgement", "growing lots", "in the news all the time", "safe bet that can't lose", etc. etc. Yeah, that's great but what's the investment thesis? How can one be sure the price paid was realistic? How will one know when it has reached or exceeded fair value (at what price shall it be sold)?

Oh, yeah, that. Buying a security without an idea of what it's worth is like saying you'll consider yourself happy when you're successful. We can all understand the words in this proclamation, their individual meaning is straightforward enough, but the sentence is too vague to be beneficial to anyone including the person stating it. Define success my friend before you attempt to achieve it. Keyword being before.

Just because, and even if you are "right", the stock of a company you bought goes up in price after you buy it doesn't mean it'll go to any particular price. Buying stocks is not as simple as saying "I'll just buy and sell when it goes up". Goes up to what exactly? Oh, double what you paid for it? Well, any idea if the company is even remotely, even under the most optimistic valuation, worth that much? One in this circular situation may be relying more on hope than prudence. Worse, they are guaranteed to not be able to remove emotion from what should be an entirely business-like transaction. It's hard to remove emotion from the transaction when the initial purchase reasoning was hardly a step beyond that.

Another metaphor at the risk of beating a dead horse: Committing to a project, without confirming the project is even worthwhile, and stating at the same time that we'll consider it complete when it's done. We'd probably define "done" somewhere. Perhaps we'd use a metric of some type or at least some outcome that is a bit more readily identifiable and tangible. Oh, and we'd probably not want to spend our time on the project if it's not worthwhile (e.g. overpriced or just not the optimal return for the risk or, worst case, pure hype) so we'd make sure to evaluate that before we jump in too.

It's not that any of these people are stupid. Mostly they are in different businesses of their own, they are busy enough with enjoying their lives, they just have no time regardless of interest level in understanding this stuff, they don't know any better and take too many clueless folks or conventional wisdom articles at face value, they have zero interest in understanding this stuff (nothing wrong with that), they think hiring outside assistance is too expensive, etc. None of them is stupid at all. They just have other things going on.

So a goal I have is to figure out how to help improve the overall personal financial literacy of the populace. After all, we're all in this together and zero-sum game or not (depending on your view), there's plenty to go around for us all to be more than well off.


Friday, August 10, 2007

SCO Loses Linux Battle and Personal Investing Update

Linux is Legal (Still)!

Today SCO (the idiotic falling over themselves almost to the point that I almost felt sorry for them but decided to simply laugh at 'em instead company that has claimed broad intellectual property rights over the Linux kernel and has lawsuits pending against Novell, Red Hat, and IBM) received a big blow in the three-year-old court battle with Novell over whether or not SCO even owns and controls the IP they claim to (they bought/licensed/borrowed? so-called original UNIX from Novell in 1995).

Short answer: Nope, nada. Read more elsewhere on the web or take a look at which has followed the whole thing since the beginning. Sorry, Darl, but your claims have never made any sense. On the upside, SCO is now a household name (again) within the Linux and IT communities. Too bad it's got sh*t all over it too now. Maybe Darl is really a super secret undercover marketing researcher mad scientist who was just out to prove wrong the cliché that "there is no such thing as bad publicity".

Investing and Temptations

A couple months ago, in order to ensure I would not make any foolish decisions and to stay focused on near-term cash flow sources (such as my consulting business), I stuck most of our uninvested cash into government securities. You see, a serious hobby has become analyzing public companies and investing in them when a (rare) gem at a good (or, more rarely, great) price pops up on my radar. The plan was (is) to leave things alone for six months or so. It had nothing to do with believing it was the best place for our cash -- I just didn't want to have too many distractions keeping me from focusing on what should be my near-term priorities. And, knowing I had other things to be worrying about, I didn't want to risk half-assing my investment analyses.

Well, then the market had to spin a bit. Most folks are looking at their holdings being down the last few weeks. A few of the stocks on my On Deck and Watch lists have dropped into more attractive price ranges. I really shouldn't be spending time on this right now, I have a consulting business to build, but damn it -- some of these look to be pretty attractive transactions to step into now and let play out over the next one to five years. Doh!

(And, no, SCO's most definitely not on the candidate list).