January 31, 2003
@ 07:19 PM

Fighting Windmills. Yesterday, Brussels was another stop of the ongoing Microsoft EMEA Architect's tour. Going through the customer feedback on my "Service Oriented Architectures" talk I once again realized that there's a lot more work to do in terms of educating people about the significance of XML. One of the core messages of my talk is that the XML InfoSet is the focus of integration.

The comment that caught my attention stated that I was completely missing the point about interoperability because "XML is just a data format".

Excuse me, Sir, but it's not. XML is a very broad and deep infrastructure for data that has moved very much beyond being a "data format". The "data format" perception of XML may have been accurate in 1998, but by now, the focus has entirely shifted towards the XML Information Set (Infoset).

Focusing on the Infoset and not on angle brackets allows you to serialize to and import from virtually any binary or text format (including XML 1.0 with angle brackets) and always have a central anchor point that is indeed independent of your choice of serialization format. If you look (just to name one example) at Microsoft's BizTalk Server, you will see that it's common practice to have a parser that reads EDIFACT and produces an Infoset, performs various operations on the Infoset and serializes the result back out as EDIFACT (or X.12 or some custom text format) again. The fact that BizTalk will indeed serialize that Infoset as XML 1.0 as it passes through its internal pipeline stages is an internal implementation detail of BizTalk.

I am sorry to say that, but if today you still believe and insist that XML is just another data format, the train may already have left the station for you.


Patch Your SQL Servers!. As John has already reminded people, don't forget to patch your SQL Servers, particularly on laptops! As long as programmers still create buffer overruns, it's important to apply all patches (well, it's important to keep current with all OS patches). The security fix is rolled up in the SQL Server 2000 SP3, which you should install if you have SQL Server 2000. Otherwise, read about and install these patches. [Sam Gentile's Weblog]

January 25, 2003
@ 11:52 PM

January 25, 2003
@ 05:34 PM

A morning for reliable messaging. I got online this morning and close to nothing worked. I don't know whether today is "international router config day" (it's "unpatched SQL Server exploit fest") or something, but there are suspiciously many IP destinations I can't reach from where I am, and tracert shows loops or broken routes at random places outside the Deutsche Telekom network (that's where my DSL is hooked up). So, at first sight, it doesn't seem to be an immediate problem of my carrier. Sometimes a route comes back and then it breaks again. Very bad. So, whatever the problem is, time and hordes of technicians will eventually, hopefully solve it.

I am very happy that I don't have to make any business critical Web service calls via plain HTTP and without a reliable messaging protocol layer today. I'd be screwed. On mornings like these, "HTTP is the one and only protocol" purism makes handsome gunwounds in both of your feet. 


Microsoft's (!) Services for UNIX 3.0 raked in the "Open Source Product Excellence Award" in the "Best System Integration Software" category at LinuxWorld. Ok, again: Microsoft wins an award at LinuxWorld!

January 24, 2003
@ 04:44 AM

Radio discipline! I am in a "heavy coding" phase with about 5 projects (some serious, some play) going on concurrently. So, reminder to self, I shouldn't blog. My favorite "play" project is a pretty radical extension for Enterprise Services and COM+ - it's actually more a "new feature set" than a tool or wrapper. The last time I wrote code based on analyzing hex-dumps was about 8 years ago; and now again. The only reason that I state this here is to force myself to actually get it done and make a binary drop available so that people can play with it - once there is a solution found for why it breaks Everett's GC.


January 23, 2003
@ 09:44 PM

Master Key Copying Revealed

A security researcher has revealed a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building. [...] After testing the technique repeatedly against the hardware from major lock companies, Mr. Blaze wrote, "it required only a few minutes to carry out, even when using a file to cut the keys." [nytimes.com -- free sign-up required]

Here comes the most expensive security vulnerability patch, ever.

Update: Slashdotted.


January 21, 2003
@ 10:09 PM

Welcome Christian!

Germany has a new Microsoft Regional Director. Christian Weyer is by far the #1 speaker on Web services in Germany -- he speaks a lot more about the topic in Germany than I do and does so in a very entertaining way (and lacks political correctness just as much as I do) -- and we, the other German RDs, Bernd Marquardt, Ralf Westphal, Marcellus Buchheit and myself are very happy that he is joining our small group. Next step: Convince him to start a weblog ;)


January 20, 2003
@ 07:02 PM

Transactions. I spent a good deal of the weekend reading two dozen research papers (CiteSeer is a great launch pad to dig into that space) on agreements, consensus, trust, and various forms of blocking and non-blocking atomic commitment models. All that of course motivated by the desperate search for a solution for the Web services space that preserves the simplicity of the programming model for 2-phase commit. Making stuff compensation-based is just a small step for a technology framework person, but it's a giant leap for someone who has to design compensation into the application logic.

Some special problems for Web services as we see them developing:

  • How to establish trust between parties? Think about the implications for dynamic service discovery and invocation using UDDI. Think about the fact that ACID transactions, unlike other services, have a direct impact on the behavior of an entire system due to isolation rules and therefore locking requirements. Think about the potential for creating damage by simply spoofing votes on transaction outcome and think about the potential for DDoS attacks by deliberate blocking.
  • How does proximity affect trust in this context? Is a transaction participant from my own company and for which I have full control of all implementation aspects, but which is running halfway around the planet as trustworthy as the machine next door? After all, a man-in-the-middle attack that targets blocking will only need to intercept and simply block all further traffic between participants.
  • How to deal with connectionless, multi-hop, asynchronous messages? Think about the fact that even these types of message exchanges may require ACID rules to be fully enforced, even if the message exchange isn't synchronous (in the sense of RPC). For optimization reasons, a transactional message conversation may go from Düsseldorf to Dubai, from Dubai to Singapore, from Singapore to Los Angeles and from Los Angeles back to Düsseldorf - so, rather routed once around the planet instead of being communicated in a star-shaped form -- in order to beat the limits of E=mc^2. (One of the reasons why I like things like WS-Routing and WS-Security's capability to variably encrypt select portions of messages).

That's a lot of problems already and just the tip of the iceberg.  I've got some scribbles that address a couple of these issues and one of the key workarounds is the introduction of rules around deadlines for when transactions expire even if participants are in a "prepared" state. However, to efficiently limit blocking, this brings up another hard problem: trustworthy and precise (<50ms) time-synchronization between all parties. Tough stuff.
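To make the deadline rule and the vote-spoofing concern concrete, here is an added sketch (not code from this weblog or from any product): votes are authenticated with an HMAC, and a prepared participant expires only once the deadline has passed by more than the clock-skew bound. The per-participant pre-shared keys, the 50 ms constant and all names (Participant, decide, vote_mac, demo_votes) are assumptions made for the illustration.

```python
import hashlib
import hmac

MAX_SKEW_MS = 50  # assumed bound on clock error between parties (the post's <50 ms)


def vote_mac(key, txid, sender, vote):
    """MAC binding a vote to one transaction and one sender."""
    msg = "|".join((txid, sender, vote)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Participant:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.state, self.deadline_ms = "active", None

    def prepare(self, txid, deadline_ms, now_ms):
        # Do not take locks for a transaction whose deadline may already have passed.
        if now_ms + MAX_SKEW_MS >= deadline_ms:
            self.state, vote = "aborted", "abort"
        else:
            self.state, self.deadline_ms, vote = "prepared", deadline_ms, "commit"
        return {"txid": txid, "from": self.name, "vote": vote,
                "mac": vote_mac(self.key, txid, self.name, vote)}

    def tick(self, now_ms):
        # Expire the prepared state only when the deadline has passed on every
        # clock within the skew bound, then release locks instead of blocking.
        if self.state == "prepared" and now_ms - MAX_SKEW_MS > self.deadline_ms:
            self.state = "aborted"
        return self.state


def decide(keys, txid, votes, deadline_ms, now_ms):
    """Coordinator: commit needs an authentic commit vote from every enrolled
    participant, early enough that no honest participant can have expired."""
    committed = set()
    for v in votes:
        key = keys.get(v.get("from"))
        if key is None or v.get("txid") != txid:
            continue  # unknown sender or a vote for another transaction
        expected = vote_mac(key, txid, v["from"], str(v.get("vote")))
        if not hmac.compare_digest(expected.encode(), str(v.get("mac")).encode()):
            continue  # spoofed or altered vote: ignored, never counted
        if v["vote"] != "commit":
            return "abort"
        committed.add(v["from"])
    if committed == set(keys) and now_ms + MAX_SKEW_MS < deadline_ms:
        return "commit"
    return "abort"  # missing votes, or too close to the deadline to be safe


def demo_votes():
    keys = {"A": b"constructed-key-A", "B": b"constructed-key-B"}  # constructed
    a, b = Participant("A", keys["A"]), Participant("B", keys["B"])
    txid, deadline = "tx-1", 105_000
    va, vb = a.prepare(txid, deadline, 100_000), b.prepare(txid, deadline, 100_010)
    forged = {"txid": txid, "from": "B", "vote": "commit", "mac": "00" * 32}
    return {
        "forged_vote": decide(keys, txid, [va, forged], deadline, 100_020),
        "genuine": decide(keys, txid, [va, vb], deadline, 100_020),
        "too_late": decide(keys, txid, [va, vb], deadline, 104_960),
        "within_skew": a.tick(105_030),
        "expired": a.tick(105_060),
    }
```

The deadline bounds how long a participant can be held in the prepared state; it does not by itself restore atomicity, because a commit decision that reaches a participant after it has expired still has to be reconciled.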


January 20, 2003
@ 06:04 PM

It's a LinuxWorld, after all. Linux advocates will convene at a trade show in New York this week to promote their wares, tout customers, swap business cards and make their case that the operating system is growing up. [CNET News.com]

So, I am thinking how much the word "trade show" is indeed applicable for LinuxWorld?


January 20, 2003
@ 01:03 AM
To my complete surprise, I am the #1 Clemens on Google.

January 19, 2003
@ 03:51 AM

"I believe that this nation should commit itself to achieving the goal before this decade is out of landing a man on the moon and returning him safely to the Earth."  -- John F. Kennedy

The Guardian reports (/.) that Bush may announce in his State of the Union address that the U.S. plans to put astronauts on Mars by 2010. If that happens, it'd be a very bold challenge, because, in all reality, the United States space technology for human spaceflight seems to be locked in low orbit. To boot, there is no launch vehicle that would even get near the capacity of the Saturn V and no other manned space vehicles but Apollo 11-17 have ever left Earth orbit. A new launch vehicle, a new spacecraft, several (dozen) exploratory missions with unmanned probes and all that until 2010? Hard to believe.

Do it.

Coincidentally, I am currently reading "Before this decade is out: Personal Reflections on the Apollo Program" and "First On the Moon" in tandem. Reading both of these books at the same time lets you look at Apollo 11 from both angles -- in the spaceship and on the ground. I was born 12 days after Neil Armstrong and Buzz Aldrin set foot on the moon (with Michael Collins taking care of the ship for the voyage home).


January 18, 2003
@ 09:00 AM

Clemens also came to Norway to do the .NET Extravaganza on April 9th last year, the day Germany invaded Norway in 1940... [Andreas Eide's Weblog]

I did 5 (!) sessions in a row at that event, with 700 people listening. That was a trip.

In contrast to 1940, the German left after just one day, though, and didn't cause any major damage except to his own health.


January 17, 2003
@ 10:19 PM

Ted Neward writes about garbage collection, motivated by Jason Whittington's reference to my lamenting about GC problems:

You need to know how it works. [...] So knowing the details of your managed environment's underlying resource allocation/deallocation implementation can be crucial to getting decent performance out of your enterprise system, just as knowing when you had to take control of C++'s default memory allocation algorithms (by overloading new and delete) was crucial for the same reasons. 95% of us out there will never have to do it 95% of the time, granted, but when that situation arises, you have to be able to know this stuff. [The Mountain of Worthless Information]

I agree. Just as being able to read x86 assembly is extremely important for a Win32 developer although (s)he may never ever touch MASM (again), it's very important to familiarize yourself with the essential knowledge about the internals of any environment you're working with. It remains important to be able to at least assess whether a bug is your fault or someone else's fault.  Your fault or their fault -- in the end, it's your problem.


January 17, 2003
@ 06:54 PM

What's a Regional Director you ask??
RDs are 130 partners in 50 countries.  Microsoft Regional Directors are independent developers and architects, volunteers chosen for their leadership in their local technology circles, whose primary purpose is to share information about Microsoft technologies with their developer communities and to provide feedback from developers to Microsoft. Regional Directors are not Microsoft employees, but instead are industry experts who choose Microsoft technology in order to help their customers reach business goals and objectives.

[Scott Hanselman's Weblog]

The above is a summary of the Regional Director mission from a Microsoft perspective, but it's worth explaining this a bit more. Microsoft set up this program several years ago. Local Microsoft offices (either those in the U.S. states or international subsidiaries) get to nominate one or multiple Regional Directors that shall be enrolled in the program. This sounds a lot like the Microsoft MVP program, but it's quite a bit different. MVPs are typically nominated based on their participation in online newsforums and are (well recognized) "domain experts", while RDs are typically architects, technology consultants, educators and even people in CEO/CTO/CIO-equivalent positions, who have a broader perspective on technology. Another qualification shared by the RDs is that we're absolutely able and willing to wear a tie (when absolutely necessary), are not shy to get up on stage in front of 500 people to share our experiences (and do that very well) and are likewise not shy to give Microsoft more brutally honest feedback than they sometimes wish for -- and we do that quite often before you need to deal with things.

So, why should you talk to your local "Microsoft Regional Director"?

  • We are typically quite well informed about what's coming from Redmond. While there's quite a few things we are not able to tell you, we can certainly tell you what makes sense for you to do strategically and where you should probably make technology choices or take architecture approaches that allow your stuff to become a bit more resilient against future change.
  • Customers of companies lucky enough to have one of the few Regional Directors (it's a personal thing, not a company thing) on board, have a very good chance to become nominated for early-adopter programs and get their hands on bits before anybody else does and even influence the product direction.
  • We're pretty well connected to the product groups and therefore we can help quite well with hard problems.
  • We admit that we may be biased towards Microsoft products (because our knowledge of their stuff pays for our family breakfast), but we haven't sold our souls to them (and we get no pay). That means: If you ask for an honest opinion about product XYZ, you will very likely get it and it may be an answer that would surprise you. You'd probably be surprised how many of the RDs know their NDS, Oracle, Linux, Solaris and Java stuff very well.
  • You need someone who gives you advice on whether or not to pick a certain technology. Again, because we're neither Microsoft marketing nor sales people, there is no automatic answer like "take Microsoft This'N'That 200x", but it may also be "don't use Microsoft This'N'That 200x in this case".

The benefit for Microsoft is that they have a community of people who they can ask for ideas and feedback on certain issues, who they can ask to present at own or third party events and we, in turn, get good access to information and help that we use to make our customers happier. 

I should add an explanatory word on the "customers" term: Every RD I know is more than happy to answer the one or the other quick question directly or relay them to your local Microsoft office, or depending on what you are asking for, even to Redmond. That's mostly independent of whether you are a customer of the RD's company or not. So if you don't get any help asking around in newsgroups, it's a good idea to look up your local RD or any RD with the expertise you are looking for and drop them a line. There's no guarantee that you'll get a satisfactory answer, but quite often you will at least get a pointer to information to look at. However, we are not a replacement for Microsoft's support and therefore we may even point you to go and talk to them. The seemingly paradoxical rule of thumb is: the more challenging a problem is, the more likely your RD will look at it. We're curious people. Also, if you work in a, say, financial software company and your RD works for a similar, possibly competing firm and you are afraid of asking because you feel that you may be giving away trade secrets -- just ask another RD.

How do I find my local Microsoft Regional Director?

There is a lookup tool on http://www.microsoft.com/rd where you can find an RD in your region. Some RDs work regionally, some of them work throughout the Americas or Europe and some of them are doing business world-wide. So, for instance, if you want to talk to someone about your problem in Norwegian, try talking to Andreas (everybody in Norway knows this already ;)  In the very unlikely event that he doesn't know the answer, he can and probably will ask around in the RD community and someone will likely know.


January 17, 2003
@ 07:36 AM

From yucky to yummy! Dear fellow frequent travellers, senators, 100K platinum red carpet frequence plus members and all you other people that spend too much time in narrow steel tubes that struggle with gravity riding on tons of flammable liquids through overcrowded skies: This is our website. Airline food. Photographed. From none to bad to good to stunning. (Yesterday, something like this was about all I got)


January 17, 2003
@ 07:13 AM

More WS-Reliability issues....

Werner Vogels lists more points that are problematic in WS-Reliability and I absolutely agree. As he points out, this specification is full of the type of problems that he and myself are pointing out and his and my list combined are probably just the ones that can be easily spotted within the first 10 minutes of cross-reading the document.


January 17, 2003
@ 06:38 AM
I finally bought an anti-spam tool today. The noise to signal ratio on my email account went from 1:5 to 10:1 within the last 3-4 months and I really had to do something about it. $20 for Spam Inspector is certainly not too much and the tool works very well with Outlook -- it's catching about 95% of all spam and didn't throw out any "good" mail, yet.

January 17, 2003
@ 01:43 AM

"It's an ugly planet, a bug planet." (Starship Troopers)  -- one of my projects is stuck at what I've isolated to be a problem that I am having with .NET 1.1's garbage collector. I am doing some very, very dirty things in that particular (lab-) project, which is supposed to provide some nice, new extensibility points for Enterprise Services components. While everything was working quite well in 1.0, the updated garbage collector doesn't seem to be as forgiving as the previous one. What's ugly about provoking such bugs and heap corruption in a "concurrent GC" environment is that the application continues to run fine until the GC starts running at some point and the GC thread just tanks with a fatal error (for which I can't blame it) and tears down the whole application domain. I sort of expected such problems to pop up and that's why I haven't written or talked about it or have shown this at any presentation, yet.  The extension set is indeed pretty close to what Ingo wished to see a couple of weeks ago (and he has already seen it). Imagine AOP for serviced components - that sort of thing.


January 16, 2003
@ 06:10 PM

And we're doing it again: 5 days, 4 nights, more than 50 hours of .NET "hands-on": TornadoCamp.NET. March 31, 2003 - April 4, 2003 in the Frankfurt area. Starting in June, right before Microsoft TechEd, comes "TornadoCamp.NET Advanced" with a focus on XML Web Services, Enterprise Services and architecture for secure, scalable and robust systems: For everyone who has already been there and still can't get enough ;)


January 16, 2003
@ 05:48 PM
Yet another European Microsoft Regional Director is blogging: Andreas Eide from Norway. Andreas runs one of the most active .NET user-groups in Europe (the Norwegian .NET User Group), is co-author of a couple of books, a fabulous person to listen to, talk to, work with and work for (according to my own experience and all that I've heard on my tours through Norway), and .... find out yourself: RSS, Radio, Blog.

January 16, 2003
@ 05:32 PM
I installed Greg's "News Gator" RSS aggregation plug-in for Outlook yesterday for the first time and it absolutely rocks. If you use Outlook, read weblogs and still haven't heard about this tool, yet: go get it. 

January 15, 2003
@ 08:33 AM

Fujitsu, along with Sun, NEC, Oracle and Sonic Software published a proposal for reliable messaging with SOAP. I assume this has been reported all over blogland already, but I am a bit "connection challenged" right now since I've been on the road, so I couldn't really do much blog reading. I've had time to look at this spec offline, though, and I think it is indeed interesting -- because it is so familiar.

Comparing WS-Reliability to the 2 year old BizTalk Framework 2.0, which first defined the reliability mechanism also known as SRMP -- SOAP Reliable Messaging Protocol, shows that there's unfortunately very little new to see in WS-Reliability, with the notable exception of ordered delivery of message sequences through the use of unique message identifiers. What's also interesting -- and doesn't really make me happy -- is that we're seeing the invention of yet another message header with message-id. WS-Routing, for instance, already defines one and I don't get why there needs to be yet another header to establish message identity with WS-Routing being around for such a long time already. I would think that reliable messaging is something that doesn't really work without a solid understanding of where to send a message, so it certainly could and probably should pick up that header instead of defining its own.

A bigger problem is, though, that WS-Reliability carries forward quite a few shortcomings of the BizTalk Framework and introduces a whole set of new problems due to the spec's choice of language.

  • Because WS-Reliability is unaware of and not integrated with WS-Routing, it is only useful as a point to point mechanism. While routing from the sender to the receiver will likely be possible, the "ReplyTo" to send the acknowledgement message to does specify a plain URL and doesn't allow integration with a reverse path as per WS-Routing. This means that unless the ACK message can be piggybacked on a synchronous response (the luckiest of all circumstances), the spec requires either direct connectivity from the receiver back to the sender, which may be impossible due to firewalls and NAT, or requires some form of acknowledgement message dispatcher gateway at the sender's site, which requires some form of central service deployment as well. In short: This doesn't really work for a desktop PC wishing to reliably deliver a message to an external service from within the corporate firewall.
  • There's quite a few problems to be solved with regards to simple sequence numbers and resends of an unaltered, carbon-copy (2.2.2) of the original message considering the accuracy of message timestamps, digital signatures, context coordination and techniques to avoid replay attacks. Sending the exact same message may be entirely impossible, even if it couldn't be delivered properly and therefore the "MUST" requirement of 2.2.2 cannot be fulfilled. Also, in 2.2.2 there's a reference to a "specified number of resend attempts" -- who specifies them?
  • The spec rightfully calls for persistent storage of messages (2.2.3), but doesn't spell out rules for when messages must be written to persistent storage in the process (it should obviously be before sending and after receiving, but before acknowledgement and forward).

What I find also very noteworthy is that the authors say that they have yet to address synchronization between sender and receiver and establishing a common understanding by sender and receiver about whether the message was properly delivered (meaning that the send/ack cycle was fully completed). I assume that once they do so, they'll throw the synchronous, piggybacked reply on top of HTTP out of the window, because this creates an in-doubt situation for the acknowledging party.
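The resend and storage-ordering points above, as an added sketch (not taken from WS-Reliability, the BizTalk Framework or this weblog): a receiver that stores a message before acknowledging it, answers a duplicate id with a repeated ACK, and applies a timestamp freshness check as replay protection. The HMAC standing in for a digital signature, the 300-second window, the in-memory SQLite store and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import sqlite3

FRESH_S = 300  # assumed replay window: accept timestamps at most this old (seconds)


def seal(key, msg_id, ts, body):
    """Build a message whose MAC covers id, timestamp and body."""
    mac = hmac.new(key, f"{msg_id}|{ts}|{body}".encode(), hashlib.sha256).hexdigest()
    return {"id": msg_id, "ts": ts, "body": body, "mac": mac}


class Receiver:
    def __init__(self, key):
        self.key = key
        self.db = sqlite3.connect(":memory:")  # stands in for durable storage
        self.db.execute("CREATE TABLE inbox (id TEXT PRIMARY KEY, body TEXT)")
        self.delivered = []

    def receive(self, msg, now):
        good = seal(self.key, msg["id"], msg["ts"], msg["body"])["mac"]
        if not hmac.compare_digest(good.encode(), msg["mac"].encode()):
            return "reject:bad-mac"
        # 1. Known id: the ACK for an earlier copy was lost. Re-ACK, do not redeliver.
        if self.db.execute("SELECT 1 FROM inbox WHERE id=?", (msg["id"],)).fetchone():
            return "ack:duplicate"
        # 2. An unknown id with an old timestamp cannot be told apart from a replay.
        if now - msg["ts"] > FRESH_S:
            return "reject:stale"
        # 3. Write to storage first, then forward to the application, then ACK.
        with self.db:
            self.db.execute("INSERT INTO inbox VALUES (?, ?)", (msg["id"], msg["body"]))
        self.delivered.append(msg["body"])
        return "ack:stored"


def demo_resend():
    key = b"constructed-shared-key"  # constructed sample key
    m1 = seal(key, "msg-1", 1000, "order 17")  # constructed sample messages
    m2 = seal(key, "msg-2", 1000, "order 18")
    rx = Receiver(key)
    out = {"first": rx.receive(m1, now=1001)}
    # Carbon copy resent after the ACK was lost: recognised by its id.
    out["resend_after_lost_ack"] = rx.receive(m1, now=1600)
    # Carbon copy of a message that never arrived: its timestamp is now stale.
    out["resend_after_lost_msg"] = rx.receive(m2, now=1600)
    # Same id and body, fresh timestamp and MAC: no longer an unaltered copy.
    out["resend_resealed"] = rx.receive(seal(key, "msg-2", 1600, "order 18"), now=1601)
    out["delivered"] = list(rx.delivered)
    return out
```

The third case is the conflict with the carbon-copy requirement of 2.2.2: once the freshness window has passed, only a resend with a new timestamp and a new MAC gets through, and that is no longer the unaltered original.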


A modular application without well-defined extensibility points is not modular.

January 6, 2003
@ 11:20 PM
I still can't believe that I stayed up until 2am to see the Giants throw away their game like that in the 4Q.

January 6, 2003
@ 10:23 PM
The recurring New Year's Resolution: "Keeping up with technology." Sigh!

January 6, 2003
@ 09:57 PM

Happy New Year. Patricia and I spent New Year's in New York this time. Observations: The city changed a lot and then again it didn't. There are definitely more "new parents" to be seen now, the Times Square area is no longer a place to be scared of, quite a few subway lines and stations got a makeover ... still, it doesn't feel that much different from back in '96 when I moved back to Germany (I've been back to NY only twice since then and not at all after 9/11/01).

Restaurant favorites this time around: Sushi Hana, 466 Amsterdam Ave - great sushi, excellent sake list; El Quijote, 226 W 23rd St - a long-time classic and easily the best value place for lobster lovers (If you are really hungry get the Paella with Lobster -- I am a big boy and I have no chance finishing it); EJ's Luncheonette, 445 Amsterdam Ave - The west-side standard for breakfast.

And this was definitely the last time I flew Delta Airlines across the Atlantic. Charging for booze on a trans-Atlantic flight is ridiculous. On top of that, our baggage is MIA for the third day now.