Transcript of BriefingsDirect[TM] podcast with Dana Gardner, recorded July 6, 2006. Podcast sponsor: Eclipse Foundation.
Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions and you’re listening to BriefingsDirect. Today’s sponsored podcast is a discussion around the “Eclipse Effect” on small businesses, growing businesses, generally looking at the business benefits of Eclipse for those that are taking advantage of the open source approach. Joining us are Damion Heredia, director of product management at Lombardi Software. Welcome to the show, Damion.
Damion Heredia: Thank you.
Gardner: Also joining us is Maher Masri, the president and co-founder of Genuitec, a developer of Java- and Eclipse-based tools. Welcome, Maher.
Maher Masri: Thank you.
Gardner: First let’s go to Damion. Tell us a little bit about Lombardi. You are a business process management suite producer, and you also do support. You have developed a software product. What is it that you do with Eclipse and why?
Heredia: First, business process management, or what we'll call BPM, is focused on solving a problem that exists in the large- and medium-sized corporations, where a lot of applications are built by feature and function and siloed. In reality, the business runs in a process, and that process needs to be managed and have visibility into how well it’s doing -- where it needs to be improved, what are the bottlenecks, who is involved, etc.
So, Lombardi produces a software product that we call TeamWorks Enterprise Edition, which helps development shops and IT shops, along with business analysts, collaborate on the development and deployment of processes in the organization. This involves automation, managing business roles, developing user interfaces, and a lot of all-around capturing of metrics and displaying scoreboards of how well your business is doing around these processes.
Gardner: So you are a classic ISV: fast-growth, working into an area that’s fairly new and growing. So, go-to-market, and speed-to-market, and reducing cost of development are essential, I assume?
Heredia: Absolutely. In the last three or four years the BPM market has just exploded. We’ve done very well in having one of the top products in this space in about three years. To tell how we got into Eclipse, we have a strong engineering culture here that’s responsible for monitoring the new technologies that are emerging, seeing how we can apply those to business problems that we have among our customers.
Just as I am responsible for understanding the market needs, they are responsible for the technical needs. They had been using Eclipse for a little while as a development platform, and as soon as it was spun out of IBM, it became very appealing to us. We saw the community gathering around it and saw an opportunity for us to leverage it as our standard platform for delivering user interfaces to both developers and business analyst end-users.
Gardner: Okay. Let’s move over to Maher at Genuitec. You are also an ISV, but in a little different characterization. You are producing tools and development suites to then help other ISVs. Can you tell us more about your company? How you came about, and why Eclipse is so important to you?
Masri: Certainly, Dana. Genuitec, the parent company behind the product MyEclipse Enterprise Workbench, really has been involved in the Eclipse space for quite some time -- since the very early days of Eclipse, in 2001. We used to be a consulting company, and the genesis of the company was in 1997, consulting in the J2EE space, helping companies build enterprise applications, large-scale applications.
And necessity being the mother of all inventions, we found in Eclipse unique capabilities to allow our developers and consultants help our customers build solutions faster. We also realized that Eclipse did not have the capabilities to provide enterprise solutions at that time, so we began building small plug-ins that gave rise ultimately in 2003 to the genesis of MyEclipse Enterprise Workbench, which today has become the leading integrated development environment (IDE) for building enterprise work applications.
It's a large-scale set of development tools for all purposes [and] is used by well over 9,000 enterprises … around the world. Our user population is right now growing 10 percent, month-to-month, and is roughly about 270,000 users around the globe. We owe a debt of gratitude, to be honest with you, to the Eclipse framework itself.
Genuitec, in that sense, is truly a Cinderella story in that we owe our ability to become the lead enterprise IDE today to our decision to adopt Eclipse as a base platform. Eclipse offered us an incredibly unique product platform geared for rapid and incremental delivery and allowed us to grow the product and features set over time, becoming probably the most comprehensive IDE you can find in the market. And we’re very glad and blessed to reach that point at this time.
Gardner: Now, you had some other choices back then, and Eclipse wasn’t as prominent as it is now. So [choosing Eclipse] was a bit of a gamble for you. What made you go to Eclipse rather than some of the other environments?
Masri: You have asked the key question that we ask internally. When one of our developers came to us in 2000, and said, “Hey, look at this wonderful IDE that’s available now. It's great,” we asked why should we care -- yet another IDE, yet another framework, that’s available out there.
And, it dawned on us at that point that we are indeed looking at a truly disruptive concept, very analogous to the innovation that followed the PC market in the early '80s with the introduction of the open standard for the PC motherboard. In that sense it became very clear to us that Eclipse has a significant opportunity to become the motherboard for applications of all types. And, it can truly usher in innovations beyond our ability to comprehend. And so, yes, it was a gamble at that time, but was a strong selling point for us and an opportunity we could not miss.
Gardner: And is there anything beyond the technology, in terms of methodology and community, that you think is an accelerant here? What are the politics of it that seems to work?
Masri: We're back again to the key word: "community." The old joke is that if a tree falls in the forest, does anybody hear it? And the point really is that it’s a moot point, because does anybody care? You have to have enough people around something for it to matter. And that’s why Eclipse matters, because it has a significant following; it has a significant community. They are willing to use it, support it, build around it. And over time, as we followed the Eclipse space, it became clear that other companies are willing to put significant amounts of investments in this platform, and we would be remiss not to do the same on our end.
Gardner: So, I suppose it's a real viral adoption pattern -- the chicken and the egg -- which comes first, and how do you get the volume that creates the power that then begets more volume. Is there anything about this Eclipse approach that you think was unique in getting that whole process jump-started, or was it really sort of luck?
Masri: Well you've got to rely on some luck, right? But not all the time. And again, I go back to the motherboard for the personal computer. If you look back to the '80s, it was very clear who was the market leader in the personal computer space -- and it wasn’t IBM or the personal computer itself.
It was necessary for a new disruption to be introduced in the market to create an entirely new market. No one could see what it would become today. And that’s really what we are talking about here in Eclipse, it’s much more than the technology, it’s much more than just a simple IDE. It’s much more than the underlying companies that are following it.
The future for Eclipse is probably 10 times what it is today, and the future for Eclipse is really in the application space -- in the rich-client application space. Genuitec was the company that was the author of the concept in 2001. We saw Eclipse going well beyond IDE.
Gardner: You mentioned the rich client, and we can refer to that as RCP, the Rich Client Platform, in our discussion. I want to take it back to Damion at Lombardi. What does this rich client aspect bring to the table for you as an ISV in terms of getting your product out to market? Is it cost saving? Is it the simplicity factor? What is it about RCP that’s appealing to you?
Heredia: For us it’s really about what it's going to add in terms of value to our end customers, as well as how fast we can get out to market. RCP itself is the primary platform for our customers in IT shops.
You walk into any IT shop and they will have Eclipse developers somewhere in that organization. As an ISV delivering software into those IT shops, we need to be a good fit into the tools that they use every day. So it was a clear winner for us to build plug-ins for TeamWorks to be dropped into the developer’s tools that they already have. You don’t have to learn yet another IDE or another development environment. The TeamWorks’ plug-ins, the process modules, the simulator, the optimizer on it can be dropped into an existing Eclipse environment.
Now that’s a benefit to our customer as all-in-one environment to be focused on when developing applications. For us internally, we came from previously using Swing as our primary development platform. What Eclipse does for us is just allow us to focus on the things that actually add value to our customers. Rather than spending time on designing menus and custom controls and views, widgets, managing the undo and redo situations. Eclipse provides us the framework to build on top of.
Gardner: So, you are focusing on your business logic and your value-add to your customer?
Heredia: That’s right.
Gardner: Is there any other benefit in terms of the size of the market that appeals to you? That is to say the community -- getting back to that chicken-and-egg thing?
Heredia: Sure. As a smaller company -- smaller than IBM, SAP, and BEA -- we have the opportunity to leverage the work of larger vendors and incorporate commoditized functionality, such as Web service integration. We have a WTP project, GMF [Graphical Modeling Project], the GEF projects, even BIRT for business intelligence. Leveraging and incorporating those pieces of functionality into our product, we don’t have to spend engineering resources to build them. So for us the community offers us a jump-start on commoditized functionality, and then allows us to focus on the innovative features and functions, and on solving the problems of our customers.
Gardner: And I suppose that also encourages you to give back to the community, so that this benefit keeps going.
Heredia: Absolutely! We were the first BPM vendor to join the Eclipse Foundation and big supporters of the process and business model. But the community aspect of contributing back to the community what we’ve learned, what we’ve changed, etc. betters the overall products at home.
Gardner: Let's bounce back to Maher at Genuitec. What is it about some of the newer technologies in RCP that has a business benefit for your company? I am thinking about Eclipse 3.2.
Masri: Let me just step back for a moment and give you a little bit more context on what really gets us excited. What you see in the adoption level are the 130 to 140 companies that are member companies of the Eclipse Foundation today. They are building hundreds of solutions on top of the Eclipse platform, and as Lombardi mentioned, allowing companies to stand on the shoulders of giants to build, to innovate, and deliver more convenience to the end user.
But, what you don’t see are the thousands of companies that are building rich-client applications and are out there realizing the same benefit that the Eclipse platform offers them from life-cycle management, from an ability to provide common framework tools, getting tools from somewhere else, and conveniences from somewhere else. Those thousands are truly turning into millions.
That’s what really excites all of us in terms of the potential growth for Eclipse itself. As we have developed the MyEclipse Enterprise Workbench we also offered consulting services around Eclipse as a platform. The revenue that we had in the early years predominantly came through the consulting services. We had the opportunity to see quite a bit of innovation in people applying the platform to building desktop applications, team applications, and applications that would have cost them an order -- multiple orders -- of magnitude [more money] to start from scratch.
They were able to do it in half the time at one-tenth the cost to build that solution. That kind of virus is going to catch on -- the features are available in Eclipse 3.2 right now -- and it is going to afford these customers and these companies the opportunity to do this faster and cheaper. So, you are going to see a rapid adoption.
The key here is going to be education, making sure that the population at-large, the people that are considering such solutions, have the opportunity to evaluate Eclipse in addition to, or in lieu of, other technologies. That would give them the right answer to the problems they are trying to solve.
Gardner: Let me ask you another question that comes up a lot, and that is: What about Microsoft? What about the power it has in the marketplace in all of those desktops, in all of those Microsoft shops, in all those enterprises that have developers who have been doing Visual Basic and Visual Studio activities? And what about the benefit of having many languages and then one runtime, and the monolithic power within that automation function?
Do you think that the Eclipse approach is separate and distinct, [compared] with what Microsoft has done in the market? And how do you view the large market presence that Microsoft has? Is it an opportunity, or is it a threat?
Masri: Let me take a crack at the answer. The view of Microsoft environmental development tools or technologies versus Eclipse is often viewed as diametrically polar opposites, which we don’t necessarily agree with.
Yes, Microsoft offers development tools; yes, they offer frameworks for building applications; but both could certainly benefit from a framework that allows the community at-large to build faster, better solutions and to benefit and to commercialize those capabilities. I suspect Microsoft is going to view it as a competitive solution. I think over time that view will change as the market grows to adopt more and more of the [Eclipse] framework. That view and the patterns of behavior will change over time to a more collaborative model rather than the competitive model.
Gardner: Damion, over at Lombardi, you must have faced this thought process. All that Microsoft brings to table for an ISV -- and then this other approach. Do you think that they are diametrically opposed? Or is there some way of having the best of both?
Heredia: We are pretty pragmatic about it. We are a Java shop in the back-end. So, our engines are a platform for delivering authoring interfaces through Eclipse, all based on Java. Our front-end is based on Microsoft Office, Internet Explorer, etc., so it is .NET on the front-end, if you will.
But, to be pragmatic about it, when we walk into a customer, I rarely now see a customer that is 100 percent .NET-Visual Studio. In large enterprises, there are heterogeneous environments. They have a Java app server farm purchased from an app vendor or ERP vendor, or they have some applications that have been brought up onto a JBoss application server they have apps on. Their skill sets are hybrid: both .NET and Java.
And for us, the Eclipse platform is the delivery mechanism into this. That makes it feel like a Windows environment, in the sense of it’s not Swing, and it feels natural. But, ultimately for the short-term, I do see some developers going between Visual Studio and their Eclipse environments. What I have seen a little more of is the .NET-Visual Studio, which is focused on building services and is a Service Oriented Architecture. You know, it exposes some back-end functionality as a service, exposes a Web service, and then [you] come into the Lombardi TeamWorks and it builds the process and integrates with those services. So, you can segment off the functionality within IT.
Masri: Just to add to that, we maintain a fairly thorough understanding of our customer base and population use. The majority of our customers still use the Windows environment for their design side, as most tools -- 90 percent of tools are run on the Windows platform. We are seeing about five percent using Linux, and a growing minority of Apple users that are two to three percent grown over time.
So, I re-emphasize it: There are synergies and it is a heterogeneous environment, and it is going to continue to be such. Things don’t really change overnight, and we've got a way to benefit, from our perspective as a tools provider, because our customers are asking us to provide both Java and .NET solutions at the same time.
Gardner: In terms of cost benefits, have either of you been able to put dollars-and-cents value on what Eclipse means? And this might be more relevant for Damion of Lombardi.
Heredia: Let me talk about a few areas that we really take advantage of. One is in prototyping. Some of the challenges around innovation always lead to how you get the idea from the white board to what we put in the hands of the users in the market. With Swing, in our previous development environments, it would take two to three weeks to develop a prototype of that innovation. Whereas with Eclipse it would take me two or three days, especially with Eclipse 3.2 and the GMF project.
With the Graphical Modeling Project we've been able to have tools at our disposal that we can extend and build around. Getting the function out of these graphical modeling tools is greatly increasing our ability to deliver something to market. Like you said, it's just a substantial reduction of time to the prototype phase, which ultimately means that I am going to deliver the right solution faster. At the same time, we then take that extra time to put it in the hands of the users and iterate with them more quickly, especially with our beta sponsors and other design sponsors. So, the idea is fresh, and we come with the best solution possible.
Gardner: I want to poke at that modeling issue a little bit. A lot of organizations recognized in the long-term that modeling makes a lot of sense. It's sort of like for your own health, you've got to eat well and exercise a lot, but sometimes you just never get to it. Is there any thing about Eclipse that helps you move toward modeling? Is there an Eclipse accelerant to modeling that is somehow part-and-parcel with the adoption of it, or is it just a path you were going to take anyway?
Heredia: Eclipse, both the EMF framework and now with GMF, which came down with Eclipse 3.2, played very well with our internal approach to TeamWorks as a whole. We’ve taken a shared model approach.
So, we want our customers to model the process, the business process and not to write code or scripts or worry about maintaining assets of code, but to worry [instead] about the model itself, and then during runtime interpret that for the actual business process. So, when we moved to Eclipse, that paradigm holds well.
Now, with Eclipse 3.2 we’re taking that to a whole new level -- 3.2 with the GMF is going to allow us to have our customers extend a meta model in a way that it’s scalable, it’s maintainable, and it fits well with the developers’ skill sets. So, it allows them to add attributes and new components and extend the meta model, using graphical tools that are delivered from Eclipse projects.
Gardner: So, better requirements process, reuse of modeling, faster time to market, and more agility to react to markets. How about back to that question about money or at least a percentage of effort. Do you have any kind of metric that you would say Eclipse is doing "blank" for us?
Heredia: I wouldn’t disclose any monetary amounts, but I think the example I gave holds pretty well, in the sense of something that will take two to three weeks in Swing takes me two to three days in Eclipse. That's powerful, especially for developers who do not like doing the monotonous, tedious work of designing the infrastructure of a user interface. They want to focus on the function that’s going to add value.
Gardner: How about you, Maher? Do you have any sense of a return on investment here; do you have any metrics you can apply to what Eclipse allows for you and your customers?
Masri: I can give you a very simple metric from our perspective. When MyEclipse was launched in January 2003, we had less than 10 developers allocated to the project. And then, in less than three years, we emerged to be one of the leaders in the tools space, competing on features with companies an order or two orders of magnitude larger than we are.
You could not find a better metric than that. The platform allowed us the ability to, as I said, innovate and incrementally build solutions and add features over time in a rapid manner. We rely on the reliability and the quality of the underlying platforms, such that we exude confidence that the end users are adopting solutions of equal, if not better, value than what they can find somewhere else.
Gardner: I suppose the bottom line here is just far better developer productivity.
Masri: Absolutely. And again, it’s much more than the technology itself. It’s the ability to incrementally deliver solutions over time without having to wait the traditional two years that are required in a soup-to-nuts implementation of a new solution.
In the past, for every solution that you delivered, you had to wait anywhere between 12 and 24 months to deliver a new IDE and new product, because you had to reinvent everything inside that framework. Contrast that to a breadboard that allows you to add functionalities and features without modifying that breadboard over time. Or better yet, let somebody else worry about that over time. It gives you a leg up on the competition that don’t choose that path.
Gardner: And so, I suppose, there's benefit of adoption, a benefit over time, and then sort of a tax or penalty for those who don’t get that community benefit and reduced time-to-market that will accelerate and keep building.
Masri: Add to that the gravity of the critical mass on the commerce side. As this was described by us at Lombardi: The more people that use it, they find it more convenient to adopt the same technology. The pull that happens as a part of the larger community of users is dragging everybody in this direction. It certainly helps people like us all who want faster adoption from the commerce side.
Gardner: It’s almost like there is, in effect, here -- where Eclipse is making you an offer you can’t refuse -- but it’s doing it in a way that’s a community-based way, rather than a top-down or lock-in way.
Masri: That's a lesson we learned early on in delivering our business solution, and that’s how we were able to innovate -- by removing any friction from the end user adoption, and allowing them to adopt the solution, because it was literally a no-brainer at that point in time.
Gardner: I know you are both active in the Eclipse community, and you probably make your wish list known that way. But for the benefit of our audience: Looking forward, what would you like to see brought to the Eclipse community that would help you in your business -- that is to say, have a direct business benefit to you? Why don’t we start with Damion, what’s on your wish list for the future?
Heredia: Yeah, one of the things is what came in Eclipse 3.2 is the GMF, but I think what we are looking to see in the market going forward with Eclipse is commoditization of other technologies. I think integration is a big area that Eclipse can take advantage of and commoditize; a lot of integration work done in IT organizations, especially around Web services with the WTP project, and possibly even legacy integration.
Each vendor has its own flavor of doing it, but in reality it’s a pretty standard thing to do and straight-forward if you have the right tools. In addition to what Eclipse 3.2 brought to the table -- and we’ll see more of the tools that allow developers to model their logic, their business logic, their intent of what the application should do graphically -- I think we’ll see a move away from just writing code and more about maintaining the model. It represents what your application is supposed to do, and then whether it's interpreting or generating code at the back end, letting that model derive the functionality of the app.
Gardner: How about Maher? With you at Genuitec, what’s on your wish list for Eclipse?
Masri: It’s truly a simple wish -- and we’re seeing traction toward that end. It’s simply to see the visible adoption for industry protocols of the platform. We’re certainly well subscribed in terms of the tools market, well represented in terms of the commoditization or normalization is taking place around the technology itself. There is quite a bit of need out there in the manufacturing world -- pharmaceuticals, for example -- that would greatly benefit from adopting the rich-client platform as part of their desktop or their application delivery life-cycle that will benefit everyone in the long term.
I suppose there is also an opportunity for community to develop right within that vertical industry for specifics that have to do with logic and issues and taxonomy and schema and all these other things that are very granular and specific but that again can benefit from a community process.
Gardner: Well, I want to thank you both for sharing. I think it’s been a good discussion. It really helped me better understand why Eclipse has taken off so quickly. It’s clear from you folks who are benefiting from it that you see some passion and a long-term process here.
Well, joining us for this discussion on some of the business benefits of Eclipse, an ISV, Lombardi Software, and representing the company is Damion Heredia, the director of product management. Thanks very much, Damion.
Heredia: Thank you for having me.
Gardner: And also on a tools side, an Eclipse-based tools maker, Genuitec. And representing that is the CEO Maher Masri. Thanks for joining.
Masri: Thank you, Dana.
Gardner: This is Dana Gardner, principal analyst at Interarbor Solutions. You’ve been listening to BriefingsDirect and an Eclipse Foundation-sponsored discussion about the business benefits of Eclipse. Thanks for listening.
Transcript of Dana Gardner’s BriefingsDirect podcast on the impact of Eclipse on ISVs. Copyright Interarbor Solutions, LLC, 2005-2006. All rights reserved.
Thursday, July 20, 2006
Saturday, July 15, 2006
Full Transcript of Dana Gardner’s BriefingsDirect Podcast on the 20th Anniversary of High-Tech PR Firm Lois Paul & Partners
Thursday, June 29, 2006
Full Transcript of Dana Gardner's BriefingsDirect Podcast on Akamai and Cyber Security
Transcript of Akamai-sponsored BriefingsDirect podcast with Dana Gardner, recorded June 2, 2006.
Dana Gardner: Hi, this is Dana Gardner, Principal Analyst of Interarbor Solutions, and you’re listening to BriefingsDirect[TM]. Today, a sponsored podcast and an important issue facing many nations around the world: cyber security and vulnerability.
With us is Professor Tom Leighton, Co-founder and Chief Scientist at Akamai Technologies. He’s also professor of Applied Mathematics at MIT and -- especially in the context of this discussion -- the former chairman of the Cyber Security Sub-Committee of the President’s IT Advisory Committee (PITAC). Welcome back to the show, Professor Leighton.
Tom Leighton: Thank you very much, Dana.
Gardner: We’ve talked in the past about the role of the Internet, how it’s important and particularly how its performance is important. I wanted to start our discussion by trying to understand the role of the Internet for society in Western culture. Increasingly across the globe, we seem to be more dependent on wide area networks, and networks like the Internet, or what we know as the Internet. How deep is this dependency, how intrinsic is it to our lifestyle and our security, and do you think this is only the beginning or is it a mature depth of dependency that we’re into now?
Leighton: I think we're critically dependent on the Internet today, and the depth of that dependence is constantly increasing. Aside from the obvious media and entertainment use of the Internet, from which we derive pleasure, the Internet is now central for communications, for commerce, for government, and for defense and utility industries. Pretty much all sectors of our society today have embraced the Internet and are now critically dependent on it -- and this will only increase going forward.
Gardner: So, if there were some disruption of this system we would see a significant negative impact across the economy, in politics, lifestyle, as well as the business of many companies. Are there any areas that you can think of that aren’t deeply impacted by the Internet?
Leighton: No, you are absolutely right. In fact we are already seeing some of the problems today that result from the lack of security in the Internet, through phishing and pharming, and cyber crimes -- personal identity theft -- that’s already happening today. We haven't seen large examples of cyber terrorism, or warfare on the Internet, or the takeover or loss of control of key utility facilities, although that's within the realm of possibility.
Gardner: We are seeing an increase in news about lists of important data being mislaid or misappropriated. We have heard about cyber extortion, as well as pharming and phishing, as you say, which are various forms of misidentifying or taking over seemingly secure communications. Does this really mean that our IT infrastructure is fundamentally insecure?
Leighton: That’s precisely what it means. Today we have evolved to a state where software is ubiquitous. Millions and millions of users have the same kind of software. That software is full of vulnerabilities, and it’s connected ubiquitously through networks that ultimately connect into the Internet. This enables cyber criminals great flexibility and power in launching attacks to exploit the vulnerabilities.
Gardner: Do you expect that there will be a sort of spy-versus-spy situation going back and forth, with remediation, patching, and band aids on one hand, and then more sophisticated nefarious activities on the other? How do I know that what I'm clicking on is getting to the right server?
Leighton: You really have no way of knowing that today, and I think we're pretty far from a state from where you will have an idea. If you're using SSL, and you're doing everything to verify what keys are being used in the SSL you’re using and who you're talking to, you can have some confidence. But it is very easy for the bad guys today to spoof you into thinking you are running an SSL connection when you are not -- or spoof you into thinking you are running an SSL connection with a trusted party, say a bank, when in fact you are running an SSL connection with a bad guy.
Today, you really have no idea -- at least 99 percent of Americans really have no way of telling who you're communicating with, and where your packets are going on the Internet. This is what makes pharming attacks so successful. The person who is being victimized has no idea what’s happening.
Gardner: I have to say even though my email is filtered rigorously, I still get plenty of emails from folks claiming to be my bank, the people who do my stock trading, and my retirement account oversight, asking me to go in and re-affirm my password. I'm savvy enough not to do that, but they are pretty clever and very convincing.
Leighton: Those are examples of phishing attacks, and there are millions and millions of those a day. According to the statistics, about one percent of Americans fall victim to phishing attacks annually. What are much more difficult to spot are pharming attacks. In a pharming attack, the end result is the same: you lose your personal information. But in pharming attacks, you don’t have to do anything wrong. You don’t have to click a URL that was sent to you by a phishing email. You just enter your bank’s URL as you normally would in your browser -- only you don’t end up at the bank. You end up at the bad guy’s site, and he delivers to you the normal signing page. Everything looks normal to you. You did nothing unusual. You sign in, and now he has your personal information.
There are a lot of ways he can make that happen. The basic protocols of the Internet don’t have any security. For example, consider the BGP, the Border Gateway Protocol. That’s the protocol that directs the path your packets take as they traverse the Internet. It’s easy for a bad guy to inject false information into the BGP protocol to send those packets to him. One way he can do this is to simply tell an ISP that he owns the IP address of the bank, and he will set the parameters so that that information doesn’t spread more broadly than the particular ISP that he is attacking. And then, anyone in that ISP who dials up or gets broadband connectivity to that ISP will go to the bad guy, when they think they are going to the bank -- just because BGP doesn’t think to check whether the bad guy is really the owner of that IP address.
Another protocol that is now being exploited is DNS, or the Domain Name Server. DNS is like the 411 service of the Internet. When you type the bank’s name into your browser, the first thing your browser does is translate that name into an IP address. Just as when you make a phone call, you key in a phone number. You don’t type in a person’s name. The Internet uses DNS to do that conversion between a name and an IP address. There is a technique now that’s being widely exploited called “DNS cache poisoning” in which the bad guy goes into the DNS tables and changes the resolution for the bank -- or for any website -- to his IP address. When your browser tries to look up the IP address for the bank, it gets the bad guy’s IP address instead, and transparently goes there, without you having any knowledge that this took place.
Gardner: Now, is this a case of a double-edged sword? In an open and free society we are always going to have some vulnerability that we can do nothing about. Is this something we need to live with in order to enjoy the full functionality and openness of the Internet?
Leighton: No, that’s not the case. It should be possible to develop enough technology to preserve the openness that we cherish in our society, without leaving ourselves exposed to the criminals.
Gardner: I suppose part of the reason this goes on, this vulnerability, is that the risk seems to be acceptable, or the price seems to be acceptable. You would think that banks and retail and e-commerce organizations would be on the forefront of trying to stanch any risks, but e-commerce goes on, more and more people are on the Internet using it actively, and application activities are more robust. Do you think that we will soon reach a point where the risks become unacceptable -- and would that be a gradual type of event or some kind of a cataclysmic event?
Leighton: That’s an interesting question, and there are a lot of factors in play today that drive the answer. First, the banks, e-commerce players, and the commerce players that moved to e-commerce have already made the switch. There is no easy way to go back. The call centers are gone. The traditional methods of doing business aren't supported anymore at the levels they used to be in the past. The switch was made because the Internet offers tremendous economies. It’s much cheaper to handle the transactions over the Internet than it is by the traditional methods.
So, it’s not easy for them to go back. At the same time, the banks and financial institutions are very concerned about the level of fraud and cyber crime, and their exposure to it, yet they don’t have an incentive to be screaming about it publicly. In fact it’s just the reverse.
They don’t want to instill fear in the population, and the industries that have moved to e-commerce are in the same situation. They are successful, if people aren’t fearful to use e-commerce. If people would become afraid to use it, it wouldn’t be beneficial to business. Today, the financial institutions are backstopping the billions of dollars in losses. I think the statistics show that 80 to 90 percent of the losses are being covered by the financial institutions and not by the person who’s been victimized. But, there have been some well-publicized events recently where the person at home was left to pay. As that happens more, I think you’ll see an increased chance of a backlash against using the Internet. So, it is a double-edged sword. As criminals become more successful in exploiting the Internet, the costs go up, the need to get a solution increases, and the pressure increases there.
Gardner: So, this really is a case of an elephant in the room -- only the room is really the whole globe. I alluded in your introduction to your being chair of the cyber security subcommittee of PITAC or the President’s IT Advisory Committee. A number of findings were derived from that, and you delivered some testimony before Congress, the U.S. House of Representatives, in particular. You argued, I read in the transcript, that government funding needs to play an increased role, if not the lion’s share, in solving this. Yet DARPA, the defense research funding organization – which, by the way, helped Akamai to get its start in some basic research – doesn’t seem to be aware of this elephant in the room. Can you fill us in a little bit on what the issues are vis-à-vis research and development in order to try to ameliorate this before it becomes a crisis?
Leighton: DARPA is certainly aware of the problem. In fact, if you talk to officials of DARPA they will tell you that what keeps them up most at night is our vulnerability in the cyber infrastructure that the defense department and armed forces rely on. At the same time, DARPA is now interpreting its mission to be one of a short-term nature to deliver products to the armed forces based on the research that’s funded by others. As a result, DARPA has dramatically cut its basic research program, for example, in universities. This has been felt particularly hard in the area of cyber security research.
In addition, much of this research has now been classified, which makes it impossible for the vast majority of researchers to work on the problem. It also makes technology transfer virtually impossible. Even if they were to discover something, it becomes classified, making it very hard to get it into the commercial sector.
So, DARPA, which historically has had a wonderful role in supporting basic research that’s led to all sorts of major advances including the Internet itself, is withdrawing from this area. At the same time, DHS, the U.S. Department of Homeland Security, which is tasked with the nation’s civilian infrastructure defense, is very focused on weapons of mass destruction -- and rightly so -- but to the point of having very little funding for basic research and cyber security. I think of their two billion dollar S&T budget, less than two million dollars goes to basic research and cyber security. And this leaves only NSF, which is way over-subscribed.
Gardner: And that’s the National Science Foundation.
Leighton: That’s correct, and the number of proposals they are seeing is overwhelming them. They can't begin to fund everything that needs to be funded to make advances in cyber security.
Gardner: So, we’ve established the stakes are high. DARPA doesn't seem to have a quibble with that. Investment is low relative to the risk, and yet there are so many proposals for research that the organizations that are in a position to fund can't keep up with the demand. Does that summarize the situation?
Leighton: Yes.
Gardner: Well, tell me a little bit about what the private sector can do. Obviously businesses have a lot of stake here. Akamai sponsored this podcast, so obviously there's some story here about what Akamai brings to the table. What do you expect that Akamai can do in the short term, and what do you as a businessman, educator, and a scientist think needs to happen beyond the short-term remediation?
Leighton: There really are two questions there. The first is what can businesses do, and one thing that they can do is work with the government to help encourage the government to do its job to fund basic research in this area and foster the development of new technologies which the commercial sector can implement and productize.
In the area of cyber security, the government is in a unique position to fund long-term and to even play a leadership role in adoption of better security practices, as well as to help standardize and adopt those security practices. I think industry, of course, has an important role to play, but we are at a point where we really need government leadership.
Now, in terms of what Akamai can do, we obviously can't solve the problem ourselves. This is a problem that took decades to make. We can help in certain areas in terms of a company’s Web infrastructure and application infrastructure. We can help shelter that infrastructure from cyber attack and we can help them by off-loading their public-facing material and getting it out of their critical infrastructure. Today there are many corporations and government agencies that poke holes in their firewall to let the world come in to access their websites and their applications.
In fact, if you go to any military base today, you will discover there are hundreds of websites sitting on the critical infrastructure, and there are all sorts of holes poked in the firewall to let the whole world come in. And, when you let the whole world come in beyond the firewall to your military infrastructure, that's not a good thing, because the bad guys can come in, too.
The software is so vulnerable that once they can come in, they can attack the infrastructure. Once they have done that, they can get across the local area network to critical infrastructure. And, then, very bad things can happen.
Gardner: It seems part of the issue, at least in the short term -- before we can get to the point of having research to go to a new generation of Internet infrastructure, protocols and security -- that this is managing permeability at its essence. What does Akamai bring to the table in terms of managing the permeability of the world, as you put it, getting into these important sites?
Leighton: We offer a solution wherein the public-facing website and the public-facing applications can be off-loaded onto our infrastructure. Then, it's possible to close up the firewalls and not let the public come in any more. Akamai may need to come in, or may need to come to a staging point to get the content the first time or to get the applications, but we can be authenticated. So, it greatly improves the effectiveness of intrusion-detection systems and intrusion-prevention systems, because you are not by default inviting the world in. Then, Akamai will, through its platform, deliver the content in the applications and do the interface with the world at large. At the same time, we put a lot of effort into making that infrastructure withstand denial of service attacks and various criminal attacks, such as theft of traffic. So, generally we can do a much better job of delivering that content securely.
Gardner: But as we pointed out, this is fairly short-term. The real solution here is to come up with new science and put it in place. And as part of that, the committee we referred to earlier, the President’s IT Advisory Committee (PITAC), almost a year and a half ago had four recommendations for how to solve some of these issues. Do you have a sense of what the status is of these changes? What sort of progress has been made?
Leighton: Unfortunately, the progress is not as good as we might have hoped for. Of the four recommendations, the first recommendation had to do with funding and for basic research. The funding at NSF has improved but not to the measure that we requested and recommended. The situation at DARPA has not changed, nor has the situation at DHS. The recommendations to do with the size, increasing the size of the cyber security research community, and the tech transfer from the research community into the commercial community; there hasn’t been real progress there. On the last recommendation, dealing with coordination and oversight of federal cyber security R&D, there has been progress there, and that recommendation seems to have been adopted. We’re hopeful that the committee that has undertaken the charge to try and get an idea of what’s going on with cyber security funding will make some progress in that regard.
Gardner: Clearly, this is an international issue. There have been some reports in the media about other countries asking the United States for it to relinquish some of its control and influence over Internet infrastructure. That's coming at a time when, as you describe it, not enough is being done to address long-term basic research issues. Should it be the United States government, DARPA, and the National Science Foundation (NSF) that are the leaders in this drive for advancement? Or is this something that has to be brought into an international organization or at least some sort of federation?
Leighton: The United States does not control the Internet, so that's probably a misconception. There are clearly large companies here and, because of our economic power, we exert influence over the Internet.
In terms of fixing the problems, which will take a long time to do, that is a global problem. Fixing the problems of the Internet and to develop new protocols will ultimately require global agreement to really get to a much better state. That said, I think the U.S. government can play a leading role. Agencies like DHS, NIST [National Institute of Standards and Technology], or DARPA can play a leadership role, just as they have for example in IPv6 in saying that they want that protocol supported by contractors who do business with the government. DHS could fund the development of improved protocols for DNS, for example, that are more secure. Then, they could implement those protocols in government networks. They could then provide a leadership role where industry could say: “Yes, I want to have that protection, and I am going to implement that.” And before you know it, it becomes a de-facto standard.
Standards bodies themselves have not been particularly effective in the last one to two decades in improving the situation. There is a protocol called DNSSEC, which is a protocol that is meant to make DNS be more secure. It solved some of the problems, but not all the problems. That's been debated in the standards agencies for probably 15 years now, with no outcome. So, they have not proven themselves to be effective in changing the way the Internet works.
Gardner: Well, governments, both in the United States and elsewhere, seem to be responsive to the call of industry and the special interests that often represent them, and they also respond to the calls of the citizenry, particularly in election periods. What, from your perspective, should individuals and businesses do to try to increase the emphasis and understanding of this problem, and not let it sit on the back burner until it becomes, as we pointed out, a crisis?
Leighton: That's a complicated challenge. If industry were more outspoken about it, that would be helpful. You know as part of PITAC, we spoke with leading figures at several financial institutions. Behind closed doors and off the record they would tell you stories that made your hair stand on end about the problems we are facing and that they are facing today, but none of them would speak on the record.
I think if these officials would speak on the record and speak with Congress, that could be helpful. If they could speak with the Bush Administration, that would be helpful. There is an education process that needs to happen. There are a lot of folks in the day-to-day battle with cyber crime that are all-too-aware of the vulnerabilities we face, but in many cases the most senior officials in Washington and in corporations don’t understand that. They think by and large their systems are secure and they don’t fully understand the vulnerabilities they are facing.
So, I think education can also be helpful, and then once the people at the highest levels understand the vulnerabilities, there is a greater chance that the right prioritizations will be made and actions taken. The folks at home are stuck -- stuck until the problems get fixed. There is only so much they can do.
One report I remember said that if only mom and dad at home would keep their firewall up-to-date and their anti-virus software up-to-date, we wouldn’t have a problem. And that's a really naive statement, especially when you look at the biggest financial institutions and the Fortune 100 companies. Virtually all of them are routinely penetrated. They are buying every kind of cyber defense that exists in the marketplace today and they can’t keep themselves from being vulnerable, and being infected. So, how are mom and dad at home going to figure it out? It’s just not reasonable to say that that's the main problem.
Gardner: Is it reasonable to expect that content and application delivery providers like Akamai can deploy services in order to keep this problem at bay, or do you think that eventually the bad guys, as you refer to them, will get the upper hand at some point?
Leighton: It’s a combination. Akamai is certainly a part of the solution. We can provide solutions to some of the problems. We can make corporations be more secure with their infrastructure by the steps that we have talked about earlier. That said, it’s not the entire solution, and we need to fix the underlying vulnerabilities in the infrastructure. That needs to be addressed. Today, the bad guys do have a big upper hand. There are a few companies like Akamai that help, but the vulnerabilities are severe. We have built the Internet over the last 30 years without really thinking about security at all, and core protocols we use are fully vulnerable today.
Gardner: Well, some sobering thoughts, but educational nonetheless. We are about out of time. I want to thank you for sponsoring the podcast and joining me here today, Professor Tom Leighton, the Co-founder and Chief Scientist of Akamai Technologies. This is Dana Gardner, Principal Analyst at Interarbor Solutions. You have been listening to BriefingsDirect. Thank you very much, professor.
Leighton: Thank you.
Listen to the podcast here.
Transcript of Akamai-sponsored BriefingsDirect podcast, recorded June 2, 2006. Copyright Interarbor Solutions, LLC, 2006. All rights reserved.
Listen to the podcast here.
Dana Gardner: Hi, this is Dana Gardner, Principal Analyst of Interarbor Solutions, and you’re listening to BriefingsDirect[TM]. Today, a sponsored podcast and an important issue facing many nations around the world: cyber security and vulnerability.
With us is Professor Tom Leighton, Co-founder and Chief Scientist at Akamai Technologies. He’s also professor of Applied Mathematics at MIT and -- especially in the context of this discussion -- the former chairman of the Cyber Security Sub-Committee of the President’s IT Advisory Committee (PITAC). Welcome back to the show, Professor Leighton.
Tom Leighton: Thank you very much, Dana.
Gardner: We’ve talked in the past about the role of the Internet, how it’s important and particularly how its performance is important. I wanted to start our discussion by trying to understand the role of the Internet for society in Western culture. Increasingly across the globe, we seem to be more dependent on wide area networks, and networks like the Internet, or what we know as the Internet. How deep is this dependency, how intrinsic is it to our lifestyle and our security, and do you think this is only the beginning or is it a mature depth of dependency that we’re into now?
Leighton: I think we're critically dependent on the Internet today, and the depth of that dependence is constantly increasing. Aside from the obvious media and entertainment use of the Internet, from which we derive pleasure, the Internet is now central for communications, for commerce, for government, and for defense and utility industries. Pretty much all sectors of our society today have embraced the Internet and are now critically dependent on it -- and this will only increase going forward.
Gardner: So, if there were some disruption of this system we would see a significant negative impact across the economy, in politics, lifestyle, as well as the business of many companies. Are there any areas that you can think of that aren’t deeply impacted by the Internet?
Leighton: No, you are absolutely right. In fact we are already seeing some of the problems today that result from the lack of security in the Internet, through phishing and pharming, and cyber crimes -- personal identity theft -- that’s already happening today. We haven't seen large examples of cyber terrorism, or warfare on the Internet, or the takeover or loss of control of key utility facilities, although that's within the realm of possibility.
The software is so vulnerable that once they can come in, they can attack the infrastructure. Once they have done that, they can get across the local area network to critical infrastructure. And, then, very bad things can happen.
Gardner: It seems part of the issue, at least in the short term -- before we can get to the point of having research to go to a new generation of Internet infrastructure, protocols and security -- that this is managing permeability at its essence. What does Akamai bring to the table in terms of managing the permeability of the world, as you put it, getting into these important sites?
Leighton: We offer a solution wherein the public-facing website and the public-facing applications can be off-loaded onto our infrastructure. Then, it's possible to close up the firewalls and not let the public come in any more. Akamai may need to come in, or may need to come to a staging point to get the content the first time or to get the applications, but we can be authenticated. So, it greatly improves the effectiveness of intrusion-detection systems and intrusion-prevention systems, because you are not by default inviting the world in. Then, Akamai will, through its platform, deliver the content in the applications and do the interface with the world at large. At the same time, we put a lot of effort into making that infrastructure withstand denial of service attacks and various criminal attacks, such as theft of traffic. So, generally we can do a much better job of delivering that content securely.
Gardner: But as we pointed out, this is fairly short-term. The real solution here is to come up with new science and put it in place. And as part of that, the committee we referred to earlier, the President’s IT Advisory Committee (PITAC), almost a year and a half ago had four recommendations for how to solve some of these issues. Do you have a sense of what the status is of these changes? What sort of progress has been made?
Leighton: Unfortunately, the progress is not as good as we might have hoped for. Of the four recommendations, the first recommendation had to do with funding and for basic research. The funding at NSF has improved but not to the measure that we requested and recommended. The situation at DARPA has not changed, nor has the situation at DHS. The recommendations to do with the size, increasing the size of the cyber security research community, and the tech transfer from the research community into the commercial community; there hasn’t been real progress there. On the last recommendation, dealing with coordination and oversight of federal cyber security R&D, there has been progress there, and that recommendation seems to have been adopted. We’re hopeful that the committee that has undertaken the charge to try and get an idea of what’s going on with cyber security funding will make some progress in that regard.
Gardner: Clearly, this is an international issue. There have been some reports in the media about other countries asking the United States for it to relinquish some of its control and influence over Internet infrastructure. That's coming at a time, as you describe it, not enough is being done to address long-term basic research issues. Should it be the United States government, DARPA, and the National Science Foundation (NSF) that are the leaders in this drive for advancement? Or is this something that has to be brought into an international organization or at least some sort of federation?
Leighton: The United States does not control the Internet, so that's probably a misconception. There are clearly large companies here and, because of our economic power, we exert influence over the Internet.
In terms of fixing the problems, which will take a long time to do, that is a global problem. Fixing the problems of the Internet and to develop new protocols will ultimately require global agreement to really get to a much better state. That said, I think the U.S. government can play a leading role. Agencies like DHS, NIST [National Institute of Standards and Technology], or DARPA can play a leadership role, just as they have for example in IPv6 in saying that they want that protocol supported by contractors who do business with the government. DHS could fund the development of improved protocols for DNS, for example, that are more secure. Then, they could implement those protocols in government networks. They could then provide a leadership role where industry could say: “Yes, I want to have that protection, and I am going to implement that.” And before you know it, it becomes a de facto standard.
Standards bodies themselves have not been particularly effective in the last one to two decades in improving the situation. There is a protocol called DNSSEC, which is a protocol that is meant to make DNS be more secure. It solved some of the problems, but not all the problems. That's been debated in the standards agencies for probably 15 years now, with no outcome. So, they have not proven themselves to be effective in changing the way the Internet works.
Gardner: Well, governments, both in the United States and elsewhere, seem to be responsive to the call of industry and the special interests that often represent them, and they also respond to the calls of the citizenry, particularly in election periods. What, from your perspective, should individuals and businesses do to try to increase the emphasis and understanding of this problem, and not let it sit on the back burner until it becomes, as we pointed out, a crisis?
Leighton: That's a complicated challenge. If industry were more outspoken about it, that would be helpful. You know, as part of PITAC, we spoke with leading figures at several financial institutions. Behind closed doors and off the record they would tell you stories that made your hair stand on end about the problems we are facing and that they are facing today, but none of them would speak on the record.
I think if these officials would speak on the record and speak with Congress, that could be helpful. If they could speak with the Bush Administration, that would be helpful. There is an education process that needs to happen. There are a lot of folks in the day-to-day battle with cyber crime that are all-too-aware of the vulnerabilities we face, but in many cases the most senior officials in Washington and in corporations don’t understand that. They think by and large their systems are secure and they don’t fully understand the vulnerabilities they are facing.
So, I think education can also be helpful, and then once the people at the highest levels understand the vulnerabilities, there is a greater chance that the right prioritizations will be made and actions taken. The folks at home are stuck -- stuck until the problems get fixed. There is only so much they can do.
One report I remember said that if only mom and dad at home would keep their firewall up-to-date and their anti-virus software up-to-date, we wouldn’t have a problem. And that's a really naive statement, especially when you look at the biggest financial institutions and the Fortune 100 companies. Virtually all of them are routinely penetrated. They are buying every kind of cyber defense that exists in the marketplace today and they can’t keep themselves from being vulnerable, and being infected. So, how are mom and dad at home going to figure it out? It’s just not reasonable to say that that's the main problem.
Gardner: Is it reasonable to expect that content and application delivery providers like Akamai can deploy services in order to keep this problem at bay, or do you think that eventually the bad guys, as you refer to them, will get the upper hand at some point?
Leighton: It’s a combination. Akamai is certainly a part of the solution. We can provide solutions to some of the problems. We can make corporations be more secure with their infrastructure by the steps that we have talked about earlier. That said, it’s not the entire solution, and we need to fix the underlying vulnerabilities in the infrastructure. That needs to be addressed. Today, the bad guys do have a big upper hand. There are a few companies like Akamai that help, but the vulnerabilities are severe. We have built the Internet over the last 30 years without really thinking about security at all, and core protocols we use are fully vulnerable today.
Gardner: Well, some sobering thoughts, but educational nonetheless. We are about out of time. I want to thank you for sponsoring the podcast and joining me here today, Professor Tom Leighton, the Co-founder and Chief Scientist of Akamai Technologies. This is Dana Gardner, Principal Analyst at Interarbor Solutions. You have been listening to BriefingsDirect. Thank you very much, professor.
Leighton: Thank you.
Listen to the podcast here.
Transcript of Akamai-sponsored BriefingsDirect podcast, recorded June 2, 2006. Copyright Interarbor Solutions, LLC, 2006. All rights reserved.
Monday, June 26, 2006
Transcript of BriefingsDirect Podcast with Product Managers from BEA and Wind River on the ‘Eclipse Effect’ on Large-Scale Software Development
This is a transcript of an Eclipse Foundation-sponsored BriefingsDirect podcast with Dana Gardner, recorded June 13, 2006.
Listen to the podcast here.
Dana Gardner: Hi, this is Dana Gardner, principal analyst of Interarbor Solutions, and you’re listening to BriefingsDirect[TM]. Today, a discussion about the impact of Eclipse on the development market; taking a look at ISVs, those large vendors that are using Eclipse.
From industry reports, Eclipse these days is being used by two-thirds of Java shops. It’s really taken this market by storm over the last two years. And here to talk about their experiences in that are representatives from two major software vendors. First, from BEA Systems, Bill Roth, the vice president of the BEA Workshop Business Unit. Welcome to the show, Bill.
Bill Roth: Thank you.
Gardner: And also from Wind River, Steve Heintz, the director of product management for developer technologies. Welcome, Steve.
Steve Heintz: Good morning, Dana.
Gardner: As I mentioned, the ramp-up in the use of Eclipse as an [integrated development environment] IDE commonality for developers in both enterprises as well as [independent software vendors] ISVs, has been remarkable. Can you tell us, Bill, a little bit about how BEA became involved with Eclipse?
Roth: Sure. It helps to go back through a little bit of history. As many people know, we had our own IDE and were doing our own investment in IDE technologies throughout the early part of 2000 up until 2003.
It became clear as we moved into 2004 that Eclipse was taking developers in our target market, the Fortune 2000, by storm. It was in every account that we went into. As a result of that, we made the decision to move into Eclipse for two reasons … three reasons, actually.
First was that it clearly had a market presence. Second, it allowed us to leverage open source while contributing the important things that we thought needed to be added. And third, we finally became convinced that the foundation was independent enough from IBM that we could have some legitimate sway. Those were the things that helped move our decision to becoming a strategic member and a board member of the Eclipse Foundation.
Gardner: Has this experience worked out, in your estimation, according to what you expected?
Roth: Absolutely. In fact, it has exceeded our expectations in some regards. The governance processes, for example, are fair and balanced. Open source is generally a meritocracy. And so, we’ve been given our fair shot both in the [Eclipse Web Tools Platform] WTP project, where we have a number of committers, but also at the board level, where we actually have elected a committer representative to the board. That’s Tim Wagner.
Our ability to make valuable contributions in both the JDT, the Java Development Tools Project, as well as the Web Tools Project, says that it met or exceeded our initial expectations.
Gardner: Has Eclipse Foundation actually had a business benefit in terms of reducing your costs of development, simplifying through some integration and extension points what you would have had to have done, perhaps, on your own?
Roth: Yes. There have been a number of business benefits from my perspective. As someone who oversees the sales, production, and operations around our tooling business, the business benefits are several-fold.
Number one, there’s a bunch of people who were building an IDE that I can now retarget to build features to make developers’ lives easier. The joke I always use is, Eclipse is how BEA makes the most of IBM’s research dollar. Now, that’s a bit of a joke.
Gardner: This isn’t your first time, right?
Roth: Of course not. The second benefit is that it gives us access to a much broader market, and the last numbers I saw is that in the Java Developer Tools market, Eclipse or Eclipse derivatives have a 58% market share.
In any kind of open-source industry where you’ve got multiple vendors, it’s almost unheard of. And the other benefits include our ability to deliver software more rapidly. The Eclipse update model, which is really one of the under-discussed pieces, allows me to -- rather than be on an enterprise software cycle, where I’m delivering every 12 to 18 months -- deliver software every day if I have to. Those are really the three business benefits that I see from my position.
Gardner: BEA is a provider of development and deployment strategies and runtimes and solutions for large enterprises -- high-performance, high-complexity applications -- and so it’s clear that Eclipse is giving some benefits there.
Perhaps in a different direction, segueing over to Wind River, where their platform and tools target embedded development, a whole different marketplace. Steve, what’s been the Eclipse impact or the Eclipse Effect, if you will, in terms of how Wind River has adjusted to this marketplace?
Heintz: Well, when I take a look at our market, we’re dealing with a different language than Bill’s [BEA] customers. We’re dealing with customers that are developing C and C++ projects, usually using Linux on a target-embedded device or a real-time operating system, like the VxWorks on a target-embedded device.
Our customers are in the aerospace and defense segment, the consumer-device segment, or networking equipment. Most of those customers demand not only tools from us, but very specialized tools specific to the type of product that they’re building from various partners out there.
For us as a single company to go and make all of those partner relationships and all of those integrations, it was too time-consuming. It was actually impossible for us to manage all those integrations ourselves. That’s one of the best things that Eclipse brings to the table for us. There’s an open API model, and there are a lot of partners in our investor segment who already have the integrations done. So we get to take advantage of a much larger part of an ecosystem than we could develop and mature on our own.
Gardner: Now, this notion of faster time to market, that’s a big factor in Device Software Optimization (DSO). In your marketplace, can you give us some examples of how your clients and/or you have been able to get to the market quicker with a product as a result of using and supporting, or gaining the support of, Eclipse?
Heintz: Absolutely. DSO, or Device Software Optimization, is something that not only Wind River, but most of the companies in the traditional embedded market, are now embracing. It takes a little bit of a different model and different look towards operating systems and development tools than a lot of our customers took in the past.
Before, operating systems and tool vendors all had their own proprietary ecosystems. So if you were going to build an iPod based on a specific ARM processor, you'd look to the market, and there was usually only one IDE that you had available to you as a choice and one operating system that was ported to that particular processor.
We got together with the other companies in our industry to say, “Let’s embrace Eclipse. Let’s embrace some more pluggable models.” You can choose the appropriate debugger technology on the backend.
In the device-software development world, there are a lot of different ways to debug an embedded system. You can connect to it with a hardware probe; you could attach to it over Ethernet; you could attach to it over USB. It's a very different debug model.
All the tools are very specialized, based on what you’re building. Time-to-market is something that is demanded by our customers, especially in the consumer-device market. They’re trying to release products on a six-month time window or less. So, they want to choose tools, they want to ramp up the speed, they want to plug into a common environment, and put their product out the door in a very quick period of time.
Gardner: One of the things that we’ve seen is this rapid ramp-up and, as Bill mentioned, a large market share. That’s very powerful. That brings a large community together. So, even with the technical benefits of Eclipse at hand and acknowledged, that community brings a marketplace to vendors like yourself. And that marketplace is, in fact, developers.
As we know from the history of IT, attracting developers is extremely important for a number of business-model reasons. Can you give us a sense from your business model what this community means, and what can you do moving forward to perhaps better take advantage of the community around Eclipse?
Heintz: Because we’re dealing with customers in the C and C++ world, we’re at an earlier stage in the Eclipse-adoption cycle than the Java developers. We’re trying to take an active role with Eclipse to help promote Eclipse as a platform for C and C++ developers. Bill talked about the 58% market share that he gets to enjoy on the Java side. We're in a much, much earlier stage on the C++ side. We see the benefits, but we’re really at the stage of helping promote that to ISVs, to some of the partners in the C/C++ ISV community right now.
Gardner: Okay, Bill, on this same notion of extending the benefits and leveraging the community, where would you like to see Eclipse go, and how as a vendor in the Java community would you like to steer this as a beneficial and productive community development process?
Roth: The development of the extension or the plug-in market would be one thing that would be valuable. We’ve actually benefited from some of the existing plug-ins. Our initial Spring support was from a great project, SpringIDE.org. Continued development and hopefully a business model behind it that let us offer plug-ins that offer more value to our customers from third parties would be excellent.
How we want the market to develop from a vendor perspective is that there are a number of important projects that are coming online right now that need to be adopted, and one of them, of course, is the Web Tools Project.
By the end of June, Web Tools Project Version 1.5 should be out, and this represents a major improvement in stability and functionality. The Web Tools Project and project model provide some fundamental technology for people that are doing Enterprise Java and server-side Java development. That model for building the applications is one of the things that’s our core focus -- making sure that that gets adopted.
Gardner: There’s another benefit from Eclipse here for those who are in a mergers-and-acquisitions mode. If you’re acquiring or being acquired and you’re Eclipse-based and the other company’s Eclipse-based, that offers some opportunity for getting to market more quickly and with less headaches in terms of integration. You’ve had an experience with this, Bill, at BEA. Can you give us the story?
Roth: We made the decision to take our current product line, which was called WebLogic Workshop, to Eclipse toward the end of 2004. It was important for us -- and it’s a substantial rewrite -- but we wanted to get into the Eclipse tooling market a lot faster.
The leading company of the independent Eclipse IDE vendors was a company out of Cupertino, [Calif.] called M7, started by some engineers from the former Symantec. For those in the Java community, you remember Symantec Visual Café. The chief architect and many of the engineers were from that particular project. They had a great product with some really interesting inspection software called AppXray, which really gave people the ability to see all of the aspects of a web application in one place.
It became clear to us toward the middle of 2005 that we needed to get into this market and get to market as soon as possible, because of all of the energy that was around open-source frameworks. We knew many of our customers were using open-source frameworks on WebLogic’s server. As a result, it became a natural acquisition. We bought M7.
We’ve integrated them, they’re now part of my group -- the Workshop group -- and their technology is really at the core of our offering. So right now, we’re in the process of taking our mainline technology, which will support folks from WebLogic Gate 1, and then merging it with the M7 line of code, which has been renamed BEA Workshop Studio, and we hope to produce a merged product by the end of the year.
Gardner: Steve, over at Wind River I know you can’t talk as a public company to a great extent about future plans around acquisitions. You’ve done several in the past few years. How does the Eclipse Foundation factor into a decision process around merger and acquisitions?
Heintz: Well, I can tell you that acquisitions are actually what originally drove our decision to adopt Eclipse. As you said, Wind River acquired a number of companies over the last several years. And about three years ago, we had acquired, I think, four different companies that had their own proprietary IDEs.
Back in the old embedded approach to software development, everybody thought that their tool was the center of the universe, whether they were providing a simple editor or whether they were providing a test and diagnostic tool. We had these four IDEs that came into our product portfolio. We needed to decide which foundation we were going to use to build our single product line, and that’s when we took a look outside -- where Eclipse was at, where the Eclipse Foundation was at -- and decided to become a top-level contributor in the [Eclipse Device Software Development Platform Project] that we helped found.
This [DSDP Project] is helping move Eclipse to the C/C++ development world and helping move it to the specific needs of device software developers. Now, going forward, I can tell you that the first question that I ask of potential partners when we sit down at the table is “Is your product an Eclipse plug-in, or do you have a roadmap to take it to be an Eclipse plug-in?” because that substantially accelerates our ability to work together as a partner. So it’s absolutely one of the first requirements we look to for partners or further relationships.
Gardner: One of the questions I have been wrestling with on a philosophical level is the notion of whether Eclipse is an exception or whether Eclipse is a harbinger of what we can expect in terms of development, where a commonality or a federated mentality up to a certain point works very well. … What are your thoughts on this, Bill? Is Eclipse a model we should look at for the future in terms of a number of hybrids of development -- being open source and commercial? Or is this really just a one-hit wonder?
Roth: In some respects, Eclipse is unique; but in some respects, it gives us patterns that we can follow. I have a distributed team. I have engineers in San Jose, San Francisco, Seattle, Boulder, New Hampshire, Portland -- you know, they’re all over.
So that’s much like Eclipse. You got a bunch of people in Ottawa, and then you got people here, and then you got people all over the world. So, as a collaborative development model and a governance model it’s actually doing quite well, because, you know, [Bill] Joy’s Law: Most of the smart people don’t work for you. There’s Roth’s corollary to Joy’s Law, which is, most of the smart people don’t live in San Jose. I know that’s hard to believe.
Gardner: It is.
Roth: The fact of the matter is that this is the way that development really will be done in the future. That’s really one of the lessons that Eclipse has to offer. One of the interesting things is that IBM had sort of the germination of this project.
That is most significant -- and what’s going to allow for the building of a broader community -- the extensibility architecture and the fact that they chose things like [Open Services Gateway Initiative (OSGi)] to be the basis for this. It actually ties way, way back into some of the academic literature around System R and System R Star or the [IBM] Starburst Database Project to build an extensible database.
That’s sort of structured everything about how we view a base technology that can provide value, but yet still allow innovation, and a lot of innovation at that. In essence, it is somewhat unique, but we’re going to see more and more of the Eclipse model take hold across a number of projects that are going to be successful.
Gardner: Can you offer a couple of prophecies in terms of what types of projects, what types of technologies, you think would be ripe for this model next?
Roth: Well, that’s a really good question. There are a number of interesting things that are percolating. If you look at enterprise service bus [ESB] and some of the new category around service infrastructure, that sort of support, a SOA or a service network -- those types of things are where we’ll see the next model like this.
For example, in our service bus, we support not only mainframe connectivity, but Tuxedo connectivity, web-service connectivity, file connectivity, and all those things are plug-in-based and can be extended. Some of the high-order software, like service bus, are probably the next hit for this.
Gardner: How about on your side, Steve? Philosophically, do you agree that this is not a one-hit wonder, what the Eclipse Foundation has done, and if it is a pattern to be repeated, where would you like to see it head next?
Heintz: The way that the Eclipse Foundation is set up, the ability for member companies and contributing ISVs to influence the project on a regular basis, is very powerful.
From the Wind River perspective, Eclipse is not the only open-source project that we deal with. We actually sell a commercial Linux distribution as well to our customers. Our customers are putting Linux in routers or consumer devices, and I can tell you when I talk to my peers on the Linux management team or engineering team, on the Eclipse side of things, we really get to influence the project on a much more regular basis and get the extension points that we need in the software a lot more regularly.
So they really envy the model that is set up around Eclipse, as opposed to what they have to deal with influencing the Linux kernel or the Linux projects.
Going forward, Eclipse is going to be a great forum for some of the major challenges that face our industry and our customers in the future. We look at semiconductor companies coming out with most of their chips now being multi-core chips in the embedded market and the device market.
And, as Bill talked about there, new languages are being talked about, new methodologies for debugging and analysis and visualization of systems that run multiple cores, multiple processors, sometimes even multiple OSes in a single cell phone that you might get delivered in the future, or a digital TV, or a set-top box.
So these are some big programming challenges that our customers haven’t faced before, and we’re looking to some of our ISV partners, we’re looking to the academic community, we’re looking even to our own R&D teams to come up with new proposals and new ways to do this type of multi-core development, diagnostics, and debugging in the future.
Roth: Dana, Steve calls up one important thing, which is that … well, he’s got C++; I’ve got Java. We have a multi-language future in front of us. What we’ll see are developers building more and more technology in multiple languages.
There was recently a study by one of the market data firms that saw that, in general, Java developers -- my community -- use more languages when they develop than Microsoft developers. So, we’re heading into a phase where there’s multi-language development going on, and I can’t see how the people with proprietary IDE technology -- like Borland, like Oracle, for example -- are going to be able to adapt to that and have any real usability experience. Whereas companies like Wind River and ourselves are able to adapt -- because it’s fairly easy to mix the two languages. This is one of the untold stories.
Heintz: That’s a perfect example, Bill. When I take a look at some of our largest customers, customers in the telecommunication space that have thousands of developers, some of them are doing Java development, some of them are doing C/C++ development, some of them are doing mainframe development or scripting.
We went into one particular customer where they had 250 different development tools across a 5,000-developer organization -- nightmare to manage. These customers are making the decision on their own. They want to go to one common development framework.
Unfortunately -- well, fortunately for us -- [Microsoft] Visual Studio is not an option. Microsoft is never going to support Linux development in Visual Studio, nor are they going to support Java development in Visual Studio very well. And so, these customers are choosing Eclipse as their base foundation.
Luckily, we were ahead of the curve. Now, we get the benefit from these customers coming to us and saying, “We only want to talk to you if you can plug into our standardized Eclipse Desktop that we’ve deployed to these software developers.”
Another great example is a very large military project, which is part of a future combat-systems initiative in the recent [U.S. Department of Defense] program by Boeing. They looked at all of the development tools available to them in the market, and they chose Eclipse -- specifically, they chose Wind River Workbench -- as their standardized development tool for all the subcontractors in the project, because everybody could write their plug-ins to a published, open set of APIs and standards.
Gardner: I think from the vantage point of 20/20 hindsight, one of the lessons to take away from Eclipse is it accelerated into the market rapidly, because it satisfied reduction of risk from both the user perspective, as well as the ISV and provider perspective.
And by that, I mean the contingency on a platform-level of risk for the user has been removed, or at least reduced, by the commonality of the Eclipse Foundation. The risk around tools and the choice of tools and the long-term implications of that has been reduced.
And whenever you get a situation where you’ve got a risk reduction, which means, you know, financial benefits on both ends of a virtuous cycle. It’s hard to beat. Do you agree with that, and do you think that’s what’s going to keep this spinning for some time?
Roth: Oh, most definitely.
Gardner: And you don’t see any real curtain-call on Eclipse. This was not a period for a consolidation -- and then we move on. This is something that’s got legs to it?
Roth: It’s partially because the notion of this history of extensibility. What that really means is a kind of scaffolding. If your question is, do things like the core Eclipse -- do they continue to develop and develop and develop -- I don’t know.
I think at some point in IDE, you get to the limits of what you’re able to provide, and the core of Eclipse architecture will be just fine. That’s a good thing. It forces the innovation for companies like Wind River and ourselves [at BEA] to basically innovate at higher levels and provide more and different value.
At some point, Eclipse may be just like oxygen. It may be part of the atmosphere; but it will be at the hub of everything we do for rich client tooling for software.
Gardner: Steve, the curtain call. Do you see a timeline on Eclipse, or how do you view this for the long term?
Heintz: For the foreseeable future. There are still some big challenges and big, big steps of innovation that are yet to be seen in our world, especially around C/C++; like I said, around multi-core programming and development, around multi-OS programming and multi-language development.
There’s going to be some time before we reach that point of Eclipse being the finished framework. And that’s fine. That’s exciting to us. We want to continue to contribute to that evolution and that change. But I don’t see this train stopping any time soon. Like I said, our major customers are deploying this across thousands and thousands of developers. Developers like it, our customers like it. It makes sense. It saves them time, money and increases their productivity. This is going to keep going.
Gardner: Great. Well, I think this has been a very educational and interesting discussion. I want to thank you both.
We’ve been discussing the impact of Eclipse among ISVs and in the market at large with representatives from two large software vendors. At BEA Systems, Bill Roth, vice president of the Workshop Business Unit, and also from Wind River Systems, Steve Heintz, director of product management for developer technologies there. Guys, thanks a lot for your time.
Heintz: Thank you, Dana.
Roth: Thank you!
Transcript of Dana Gardner's BriefingsDirect podcast with product managers from BEA and Wind River on the ‘Eclipse Effect.’ Copyright Interarbor Solutions, LLC, 2006. All rights reserved.
Dana Gardner: Hi, this is Dana Gardner, principal analyst of Interarbor Solutions, and you’re listening to BriefingsDirect[TM]. Today, a discussion about the impact of Eclipse on the development market; taking a look at ISVs, those large vendors that are using Eclipse.
From industry reports, Eclipse these days is being used by two-thirds of Java shops. It’s really taken this market by storm over the last two years. And here to talk about their experiences in that are representatives from two major software vendors. First, from BEA Systems, Bill Roth, the vice president of the BEA Workshop Business Unit. Welcome to the show, Bill.
Bill Roth: Thank you.
Gardner: And also from Wind River, Steve Heintz, the director of product management for developer technologies. Welcome, Steve.
Steve Heintz: Good morning, Dana.
Gardner: As I mentioned, the ramp-up in the use of Eclipse as an [integrated development environment] IDE commonality for developers in both enterprises as well as [independent software vendors] ISVs, has been remarkable. Can you tell us, Bill, a little bit about how BEA became involved with Eclipse?
Roth: Sure. It helps to go back through a little bit of history. As many people know, we had our own IDE and were doing our own investment in IDE technologies throughout the early part of 2000 up until 2003.
It became clear as we moved into 2004 that Eclipse was taking developers in our target market, the Fortune 2000, by storm. It was in every account that we went into. As a result of that, we made the decision to move into Eclipse for two reasons … three reasons, actually.
First was that it clearly had a market presence. Second, it allowed us to leverage open source while contributing the important things that we thought needed to be added. And third, we finally became convinced that the foundation was independent enough from IBM that we could have some legitimate sway. Those were the things that helped move our decision to becoming a strategic member and a board member of the Eclipse Foundation.
Gardner: Has this experience worked out, in your estimation, according to what you expected?
Roth: Absolutely. In fact, it has exceeded our expectations in some regards. The governance processes, for example, are fair and balanced. Open source is generally a meritocracy. And so, we’ve been given our fair shot both in the [Eclipse Web Tools Platform] WTP project, where we have a number of committers, but also at the board level, where we actually have elected a committer representative to the board. That’s Tim Wagner.
Our ability to make valuable contributions in both the JDT, the Java Development Tools Project, as well as the Web Tools Project, says that it met or exceeded our initial expectations.
Gardner: Has Eclipse Foundation actually had a business benefit in terms of reducing your costs of development, simplifying through some integration and extension points what you would have had to have done, perhaps, on your own?
Roth: Yes. There have been a number of business benefits from my perspective. As someone who oversees the sales, production, and operations around our tooling business, the business benefits are several-fold.
Number one, there’s a bunch of people who were building an IDE that I can now retarget to build features to make developers’ lives easier. The joke I always use is, Eclipse is how BEA makes the most of IBM’s research dollar. Now, that’s a bit of a joke.
Gardner: This isn’t your first time, right?
Roth: Of course not. The second benefit is that it gives us access to a much broader market, and the last numbers I saw is that in the Java Developer Tools market, Eclipse or Eclipse derivatives have a 58% market share.
In any kind of open-source industry where you’ve got multiple vendors, it’s almost unheard of. And the other benefits include our ability to deliver software more rapidly. The Eclipse update model, which is really one of the under-discussed pieces, allows me to -- rather than be on an enterprise software cycle, where I’m delivering every 12 to 18 months -- deliver software every day if I have to. Those are really the three business benefits that I see from my position.
Gardner: BEA is a provider of development and deployment strategies and runtimes and solutions for large enterprises -- high-performance, high-complexity applications -- and so it’s clear that Eclipse is giving some benefits there.
Perhaps in a different direction, segueing over to Wind River, where their platform and tools target embedded development, a whole different marketplace. Steve, what’s been the Eclipse impact or the Eclipse Effect, if you will, in terms of how Wind River has adjusted to this marketplace?
Heintz: Well, when I take a look at our market, we’re dealing with a different language than Bill’s [BEA] customers. We’re dealing with customers that are developing C and C++ projects, usually using Linux on a target-embedded device or a real-time operating system, like the VxWorks on a target-embedded device.
Our customers are in the aerospace and defense segment, the consumer-device segment, or networking equipment. Most of those customers demand not only tools from us, but very specialized tools specific to the type of product that they’re building from various partners out there.
For us as a single company to go and make all of those partner relationships and all of those integrations it was too time-consuming. It was actually impossible for us to manage all those integrations ourselves. That’s one of the best things that Eclipse brings to the table for us. There’s an open API model, and there are a lot of partners in our investor segment who already have the integrations done. So we get to take advantage of a much larger part of an ecosystem than we could develop and mature on our own.
Gardner: Now, this notion of faster time to market, that’s a big factor in Device Software Optimization (DSO). In your marketplace, can you give us some examples of how your clients and/or you have been able to get to the market quicker with a product as a result of using and supporting, or gaining the support of, Eclipse?
Heintz: Absolutely. DSO, or Device Software Optimization, is something that not only Wind River, but most of the companies in the traditional embedded market, are now embracing. It takes a little bit of a different model and different look towards operating systems and development tools than a lot of our customers took in the past.
Before, operating systems and tool vendors all had their own proprietary ecosystems. So if you were going to build an iPod based on a specific ARM processor, you'd look to the market, and there was usually only one IDE that you had available to you as a choice and one operating system that was ported to that particular processor.
We got together with the other companies in our industry to say, “Let’s embrace Eclipse. Let’s embrace some more pluggable models.” You can choose the appropriate debugger technology on the backend.
In the device-software development world, there are a lot of different ways to debug an embedded system. You can connect to it with a hardware probe; you could attach to it over Ethernet; you could attach to it over USB. It's a very different debug model.
All the tools are very specialized, based on what you’re building. Time-to-market is something that is demanded by our customers, especially in the consumer-device market. They’re trying to release products on a six-month time window or less. So, they want to choose tools, they want to ramp up the speed, they want to plug into a common environment, and put their product out the door in a very quick period of time.
Gardner: One of the things that we’ve seen is this rapid ramp-up and, as Bill mentioned, a large market share. That’s very powerful. That brings a large community together. So, even with the technical benefits of Eclipse at hand and acknowledged, that community brings a marketplace to vendors like yourself. And that marketplace is, in fact, developers.
As we know from the history of IT, attracting developers is extremely important for a number of business-model reasons. Can you give us a sense from your business model what this community means, and what can you do moving forward to perhaps better take advantage of the community around Eclipse?
Heintz: Because we’re dealing with customers in the C and C++ world, we’re at an earlier stage in the Eclipse-adoption cycle than the Java developers. We’re trying to take an active role with Eclipse to help promote Eclipse as a platform for C and C++ developers. Bill talked about the 58% market share that he gets to enjoy on the Java side. We're in a much, much earlier stage on the C++ side. We see the benefits, but we’re really at the stage of helping promote that to ISVs, to some of the partners in the C/C++ ISV community right now.
Gardner: Okay, Bill, on this same notion of extending the benefits and leveraging the community, where would you like to see Eclipse go, and how as a vendor in the Java community would you like to steer this as a beneficial and productive community development process?
Roth: The development of the extension or the plug-in market would be one thing that would be valuable. We’ve actually benefited from some of the existing plug-ins. Our initial Spring support was from a great project, SpringIDE.org. Continued development and hopefully a business model behind it that let us offer plug-ins that offer more value to our customers from third parties would be excellent.
How we want the market to develop from a vendor perspective is that there are a number of important projects that are coming online right now that need to be adopted, and one of them, of course, is the Web Tools Project.
By the end of June, Web Tools Project Version 1.5 should be out, and this represents a major improvement in stability and functionality. The Web Tools Project and project model provide some fundamental technology for people that are doing Enterprise Java and server-side Java development. That model for building the applications is one of the things that’s our core focus -- making sure that that gets adopted.
Gardner: There’s another benefit from Eclipse here for those who are in a mergers-and-acquisitions mode. If you’re acquiring or being acquired and you’re Eclipse-based and the other company’s Eclipse-based, that offers some opportunity for getting to market more quickly and with less headaches in terms of integration. You’ve had an experience with this, Bill, at BEA. Can you give us the story?
Roth: We made the decision to take our current product line, which was called WebLogic Workshop, to Eclipse toward the end of 2004. It was important for us -- and it’s a substantial rewrite -- but we wanted to get into the Eclipse tooling market a lot faster.
The leading company of the independent Eclipse IDE vendors was a company out of Cupertino, [Calif.] called M7, started by some engineers from the former Symantec. For those in the Java community, you remember Symantec Visual Café. The chief architect and many of the engineers were from that particular project. They had a great product with some really interesting inspection software called AppXray, which really gave people the ability to see all of the aspects of a web application in one place.
It became clear to us toward the middle of 2005 that we needed to get into this market and get to market as soon as possible, because of all of the energy that was around open-source frameworks. We knew many of our customers were using open-source frameworks on WebLogic’s server. As a result, it became a natural acquisition. We bought M7.
We’ve integrated them, they’re now part of my group -- the Workshop group -- and their technology is really at the core of our offering. So right now, we’re in the process of taking our mainline technology, which will support folks from WebLogic Gate 1, and then merging it with the M7 line of code, which has been renamed BEA Workshop Studio, and we hope to produce a merged product by the end of the year.
Gardner: Steve, over at Wind River I know you can’t talk as a public company to a great extent about future plans around acquisitions. You’ve done several in the past few years. How does the Eclipse Foundation factor into a decision process around merger and acquisitions?
Heintz: Well, I can tell you that acquisitions are actually what originally drove our decision to adopt Eclipse. As you said, Wind River acquired a number of companies over the last several years. And about three years ago, we had acquired, I think, four different companies that had their own proprietary IDEs.
Back in the old embedded approach to software development, everybody thought that their tool was the center of the universe, whether they were providing a simple editor or whether they were providing a test and diagnostic tool. We had these four IDEs that came into our product portfolio. We needed to decide which foundation we were going to use to build our single product line, and that’s when we took a look outside -- where Eclipse was at, where the Eclipse Foundation was at -- and decided to become a top-level contributor in the [Eclipse Device Software Development Platform Project] that we helped found.
This [DSDP Project] is helping move Eclipse to the C/C++ development world and helping move it to the specific needs of device software developers. Now, going forward, I can tell you that the first question that I ask of potential partners when we sit down at the table is “Is your product an Eclipse plug-in, or do you have a roadmap to take it to be an Eclipse plug-in?” because that substantially accelerates our ability to work together as a partner. So it’s absolutely one of the first requirements we look to for partners or further relationships.
Gardner: One of the questions I have been wrestling with on a philosophical level is the notion of whether Eclipse is an exception or whether Eclipse is a harbinger of what we can expect in terms of development, where a commonality or a federated mentality up to a certain point works very well. … What are your thoughts on this, Bill? Is Eclipse a model we should look at for the future in terms of a number of hybrids of development -- being open source and commercial? Or is this really just a one-hit wonder?
Roth: In some respects, Eclipse is unique; but in some respects, it gives us patterns that we can follow. I have a distributed team. I have engineers in San Jose, San Francisco, Seattle, Boulder, New Hampshire, Portland -- you know, they’re all over.
So that’s much like Eclipse. You got a bunch of people in Ottawa, and then you got people here, and then you got people all over the world. So, as a collaborative development model and a governance model it’s actually doing quite well, because, you know, [Bill] Joy’s Law: Most of the smart people don’t work for you. There’s Roth’s corollary to Joy’s Law, which is, most of the smart people don’t live in San Jose. I know that’s hard to believe.
Gardner: It is.
Roth: The fact of the matter is that this is the way that development really will be done in the future. That’s really one of the lessons that Eclipse has to offer. One of the interesting things is that IBM had sort of the germination of this project.
That is most significant -- and what’s going to allow for the building of a broader community -- the extensibility architecture and the fact that they chose things like [Open Services Gateway Initiative (OSGi)] to be the basis for this. It actually ties way, way back into some of the academic literature around System R and System R Star or the [IBM] Starburst Database Project to build an extensible database.
That’s sort of structured everything about how we view a base technology that can provide value, but yet still allow innovation, and a lot of innovation at that. In essence, it is somewhat unique, but we’re going to see more and more of the Eclipse model take hold across a number of projects that are going to be successful.
Gardner: Can you offer a couple of prophecies in terms of what types of projects, what types of technologies, you think would be ripe for this model next?
Roth: Well, that’s a really good question. There are a number of interesting things that are percolating. If you look at enterprise service bus [ESB] and some of the new category around service infrastructure, that sort of support, a SOA or a service network -- those types of things are where we’ll see the next model like this.
For example, in our service bus, we support not only mainframe connectivity, but Tuxedo connectivity, web-service connectivity, file connectivity, and all those things are plug-in-based and can be extended. Some of the high-order software, like service bus, are probably the next hit for this.
Gardner: How about on your side, Steve? Philosophically, do you agree that this is not a one-hit wonder, what the Eclipse Foundation has done, and if it is a pattern to be repeated, where would you like to see it head next?
Heintz: The way that the Eclipse Foundation is set up, the ability for member companies and contributing ISVs to influence the project on a regular basis, is very powerful.
From the Wind River perspective, Eclipse is not the only open-source project that we deal with. We actually sell a commercial Linux distribution as well to our customers. Our customers are putting Linux in routers or consumer devices, and I can tell you when I talk to my peers on the Linux management team or engineering team, on the Eclipse side of things, we really get to influence the project on a much more regular basis and get the extension points that we need in the software a lot more regularly.
So they really envy the model that is set up around Eclipse, as opposed to what they have to deal with influencing the Linux kernel or the Linux projects.
Going forward, Eclipse is going to be a great forum for some of the major challenges that face our industry and our customers in the future. We look at semiconductor companies coming out with most of their chips now being multi-core chips in the embedded market and the device market.
And, as Bill talked about there, new languages are being talked about, new methodologies for debugging and analysis and visualization of systems that run multiple cores, multiple processors, sometimes even multiple OSes in a single cell phone that you might get delivered in the future, or a digital TV, or a set-top box.
So these are some big programming challenges that our customers haven’t faced before, and we’re looking to some of our ISV partners, we’re looking to the academic community, we’re looking even to our own R&D teams to come up with new proposals and new ways to do this type of multi-core development, diagnostics, and debugging in the future.
Roth: Dana, Steve calls up one important thing, which is that … well, he’s got C++; I’ve got Java. We have a multi-language future in front of us. What we’ll see are developers building more and more technology in multiple languages.
There was recently a study by one of the market data firms that saw that, in general, Java developers -- my community -- use more languages when they develop than Microsoft developers. So, we’re heading into a phase where there’s multi-language development going on, and I can’t see how the people with proprietary IDE technology -- like Borland, like Oracle, for example -- are going to be able to adapt to that and have any real usability experience. Whereas companies like Wind River and ourselves are able to adapt -- because it’s fairly easy to mix the two languages. This is one of the untold stories.
Heintz: That’s a perfect example, Bill. When I take a look at some of our largest customers, customers in the telecommunication space that have thousands of developers, some of them are doing Java development, some of them are doing C/C++ development, some of them are doing mainframe development or scripting.
We went into one particular customer where they had 250 different development tools across a 5,000-developer organization -- nightmare to manage. These customers are making the decision on their own. They want to go to one common development framework.
Unfortunately -- well, fortunately for us -- [Microsoft] Visual Studio is not an option. Microsoft is never going to support Linux development in Visual Studio, nor are they going to support Java development in Visual Studio very well. And so, these customers are choosing Eclipse as their base foundation.
Luckily, we were ahead of the curve. Now, we get the benefit from these customers coming to us and saying, “We only want to talk to you if you can plug into our standardized Eclipse Desktop that we’ve deployed to these software developers.”
Another great example is a very large military project, which is part of a future combat-systems initiative in the recent [U.S. Department of Defense] program by Boeing. They looked at all of the development tools available to them in the market, and they chose Eclipse -- specifically, they chose Wind River Workbench -- as their standardized development tool for all the subcontractors in the project, because everybody could write their plug-ins to a published, open set of APIs and standards.
Gardner: I think from the vantage point of 20/20 hindsight, one of the lessons to take away from Eclipse is it accelerated into the market rapidly, because it satisfied reduction of risk from both the user perspective, as well as the ISV and provider perspective.
And by that, I mean the contingency on a platform-level of risk for the user has been removed, or at least reduced, by the commonality of the Eclipse Foundation. The risk around tools and the choice of tools and the long-term implications of that has been reduced.
And whenever you get a situation where you’ve got a risk reduction, which means, you know, financial benefits on both ends of a virtuous cycle. It’s hard to beat. Do you agree with that, and do you think that’s what’s going to keep this spinning for some time?
Roth: Oh, most definitely.
Gardner: And you don’t see any real curtain-call on Eclipse. This was not a period for a consolidation -- and then we move on. This is something that’s got legs to it?
Roth: It’s partially because the notion of this history of extensibility. What that really means is a kind of scaffolding. If your question is, do things like the core Eclipse -- do they continue to develop and develop and develop -- I don’t know.
I think at some point in IDE, you get to the limits of what you’re able to provide, and the core of Eclipse architecture will be just fine. That’s a good thing. It forces the innovation for companies like Wind River and ourselves [at BEA] to basically innovate at higher levels and provide more and different value.
At some point, Eclipse may be just like oxygen. It may be part of the atmosphere; but it will be at the hub of everything we do for rich client tooling for software.
Gardner: Steve, the curtain call. Do you see a timeline on Eclipse, or how do you view this for the long term?
Heintz: For the foreseeable future. There are still some big challenges and big, big steps of innovation that are yet to be seen in our world, especially around C/C++; like I said, around multi-core programming and development, around multi-OS programming and multi-language development.
There’s going to be some time before we reach that point of Eclipse being the finished framework. And that’s fine. That’s exciting to us. We want to continue to contribute to that evolution and that change. But I don’t see this train stopping any time soon. Like I said, our major customers are deploying this across thousands and thousands of developers. Developers like it, our customers like it. It makes sense. It saves them time, money and increases their productivity. This is going to keep going.
Gardner: Great. Well, I think this has been a very educational and interesting discussion. I want to thank you both.
We’ve been discussing the impact of Eclipse among ISVs and in the market at large with representatives from two large software vendors. At BEA Systems, Bill Roth, vice president of the Workshop Business Unit, and also from Wind River Systems, Steve Heintz, director of product management for developer technologies there. Guys, thanks a lot for your time.
Heintz: Thank you, Dana.
Roth: Thank you!
Transcript of Dana Gardner's BriefingsDirect podcast with product managers from BEA and Wind River on the ‘Eclipse Effect.’ Copyright Interarbor Solutions, LLC, 2006. All rights reserved.