Away Mission: 2008 in Review - part 3
April is another Mad Month with competing tech events. Besides the events reviewed here, there are Black Hat Europe 2009, April 14-17, in Amsterdam, and the USENIX LEET (Large-Scale Exploits and Emergent Threats) conference in Boston, April 21-24.
This year will feature a new major event - the Linux Collaboration Summit, organized by the Linux Foundation. The 3rd Annual Collaboration Summit will be co-located with the CELF Embedded Linux Conference and the Linux Storage and Filesystem Workshop. It occurs April 8-10 in San Francisco. More information is here: https://events.linuxfoundation.org/events/collaboration-summit/
Web 2.0 Expo and Velocity
Over the years, the Web 2.0 event has split into the Expo, for Web production people; and the Web 2.0 Summit, for the leaders (which operates by invitation only). More recently, the Web 2.0 Expo has become a forum for social networking and Web designers.
The better bet for sysadmins and Linux hackers is the O'Reilly Velocity Conference in June, which was spun off from the Web 2.0 Expo last year by presenters from the tech tracks who wanted a dedicated event. It was very successful, even though the tech community was given barely 3 months notice. If you have to choose only one or two conferences this year, and you build or maintain data centers, Velocity should definitely be on your short list.
For starters, all the good tech presentations were repeated at Velocity. Many of those were expanded, and the networking opportunities are different. Web 2.0 Expo is about the nexus of art, Web tech, and - to some extent - marketing. Velocity is about getting things to work at Web scale and Web velocity. It's fundamentally nerdier.
Since social networking was a big piece of the show, there was a social networking site for Web 2.0 Expo San Francisco, used to find and connect with people at the conference and for general opinion mongering. See what people said: https://webexsf2008.crowdvine.com/
Another social networking site connected to the Web 2.0 Expo is https://socialtext.net/web20sf.
Praise: there is breakfast every AM - fruit, bagels, cream cheese, juice... which stayed out through the mid-morning break.
No praise: the coffee and tea disappeared after the AM break, and returned only for the short mid-afternoon break. Moral? Get caffeine early.
Conference attendees get a box lunch, each day. There were special requests, but a lot of those got lost the first day. They also tried to limit the number of vegetarian lunches, saying they were out temporarily. A long line waited against the wall on Wednesday, and seemed rather unhappy. (That seems to have been fixed on Thursday with a full table, one of four. That's only fair, as carnivores can eat vegetarian lunches, but vegetarians can't eat carnivore lunches.)
The sense I got from the panoply of 50-minute breakout sessions is that more people are using open source, and using it in more sophisticated ways for cutting-edge Web sites. There was some buzz around OpenID and OAuth, and also around open platforms such as the Google APIs and Google App Engine, the new Yahoo Social APIs, and lots of wiki and community hosting sites like Vox and Movable Type.
Although mashups and social networking are "so 2007", there are also lots of new platforms and frameworks to make it easier to roll your own site and (attempt to) bring these technologies into the business enterprise. Another emerging trend is the increasing interest corporate IT is showing in these technologies.
Some session presenters, mostly from platform companies or custom software houses, reported several large IT organizations experimenting with Web 2.0 and letting the business execs bring in (with some control and reservations) SaaS versions of the tools they want to use. The demand is getting to be too big to wait another year. However, those IT shops are trying to identify the data that needs serious protection, and trying to quarantine just that, as enterprises become porous and more vulnerable to penetration.
Everyone is talking about making the huge amount of data from social networks both easier to leverage and more protected for user privacy. That means increased use of Open Social and similar APIs and identity federation management frameworks. The work never seems to end.
There aren't really tracks for presentations at Web 2.0, but three rooms are set aside for "sponsored presentations". That often means a bit of marchitecture in those presentations, but most were hardly any different from the main presentations, except that the presenters were from bigger companies.
The sponsor session with Adobe's Duane Nuetall was actually a very technical discussion on folksonomies and ontologies, and did not mention any Adobe products because they aren't in the ontology business. Rather, much like the rest of us, they are interested in using semantic technology as it matures. The Microsoft-sponsored presentation, however, was on their new Mesh product, and it was heavy on the marketing side.
Other praise-worthy details: The keynotes and breakout sessions have no power taps or extension cords for users, except those built into the fixed walls (and in very, very few rooms). I have been bringing a 15-foot extension cord of my own to allow sitting at some distance from the outlet if necessary, and sharing one plug with up to 3 users. I don't know if I've inspired folks or if it's just the zeitgeist, but I am seeing others now emulating my actions, sometimes with only a 3-way tap. On Thursday, I saw some one with a full 6-tap power-strip! Bless that person.
On the last day, there was a block of sysadmin-oriented sessions, two of them in the same room. (There it is, again, another room scheduling issue.) As it turns out, all were to be technical presenters at the new and upcoming O'Reilly Velocity conference in June. That conference and these sessions took a bead on performance and capacity issues for the operations crowd. Seems that the O'Reilly folks understand that the interactive Web requires more than design artists and AJAX.
Steve Souders' presentation at Web 2.0 Expo 2007 was rated #2, which isn't that surprising since he also worked on YSlow extension for Firefox. Formerly the head performance guy at Yahoo, and now doing a similar job at Google, he is focused on the the client side or front end of Web transactions. He already has a recent O'Reilly book out on "Web Site Performance" that provided part of his talk at the 2007 Web 2.0 conference, and is now preparing a second book, which covers the user side of the equation.
His "Even Faster Web Sites" presentation was a gem, as was its follow-up at Velocity, a few months later. I'll distill a little of it here. Souders' research shows that most major sites spend 80-95% of their net time on front-end processing and browser issues. It's gotten to this state due to the ubiquity of JavaScript and the proliferation of scattered, individual scripts.
Even a 50% improvement on back-end performance yields only 5-10% gain for the user. However, simple changes in a few lines of source code can work wonders. According to Souders, you can easily get a 25% advantage in page load times by applying 14 performance rules. Just pick a few appropriate ones to get a fair gain. Here are a few:
- Make fewer HTTP requests, or bundle them up for less network delay.
- Use a CDN (content distribution network - use edge delivery as Akamai does).
- Add an Expires header, especially with a CDN.
- gzip components.
- Use YSlow and Firebug to test the load times and performance of individual items.
- Since scripts block other content downloading - move 'em to the end of the page code.
- Use multiple content domains for even faster downloads.
The last three points were subjects for the second half of the presentation. There are multiple JavaScript-Fu techniques to break up the monolithic script payloads. One of these calls for making scripts individual elements in the DOM (used at MSN.com.) Others use separate script payloads in different Iframes, or XHR injection (which may be best for the same domain) and no ordering of the scripts. Another option is to move some scripts to an external script, which can allow parallel downloads. Souders also suggests ordering the scripts so they can be executed in the order they're received.
See slide 31 from his presentation, showing the effect of script loading and execution on a Wikipedia page here: misc/dyckoff/Script-Load-Wikipedia.otp
For the full description of these techniques with code samples and a decision tree for selection of the most suitable in your environment, check out his presentation here: https://assets.en.oreilly.com/1/event/3/Even%20Faster%20Web%20Sites%20Presentation.pdf
Jesse Robbins and Artur Bergman of O'Reilly Radar presented an entertaining and informative review of major failures, disasters, and painful lessons learned in the past year. Check it out here: Failure Happens: What Broke Since Last Year (and What We Learned from It)
The conference party was an outside event... literally. It was a pub crawl through the restaurants and bars of the artsy, techy San Francisco South Park area - a brilliant stroke for pleasing the 30-something and 20-something crowd. The crawl had some sprawl and also was over 5 blocks from the Convention Center on a cold, foggy night. With a bag on each shoulder - a laptop bag and a tote with mags and swag - I opted for an early night and the faster subway ride home. That may have been the better choice, since many pub crawlers missed the earlier Friday AM sessions.
If Web design or social networking sites are your bag, then this is a must-attend event. However, if you are working the infrastructure and biting the scaling bullet, you might take a shine to the Velocity conference. Some people attend both.
RSA for Security Trends
Still one of the first-tier security events, RSA 2009 returns to San Francisco the same week as the MySQL conference in Santa Clara. Both are excellent, and have different audiences.
Alert: Last year (and 2009 as well), both TCG (Trusted Computing Group) and several identity communities under the auspices of the Liberty Alliance and Concordia Project held separate semi-public sessions on the first day of the RSA conference. The identity event includes representatives from major initiatives in the global identity sector, and is focused on how the identity industry can deliver new benefits to users of enterprise and Web 2.0 identity-enabled applications and services.
These sessions are open to all registrants, which should include expo pass holders. Since that day was (and continues to be) committed to tutorials, this is effectively a free extension to the conference. However, pre-registration is a requirement.
For 2008, the identity management workshop was titled, "Identity Federation & Web Services: Happening Today - Enabling Tomorrow". Materials from that event are here: https://projectconcordia.org/index.php/Concordia_workshop_RSA_2008_notes and the actual slide deck is here: https://projectconcordia.org/images/7/76/Concordia-Apr2008-wiki.pdf
For 2009, the event is longer - 8 am to 5 pm - and is titled, "Harnessing the Power of Digital Identity: 2009 and the Promising Road Ahead". It is supposed to be open to the public. A detailed workshop agenda and registration information is available at https://projectconcordia.org/index.php/April_20_pre-conference_workshop
At the separate TCG session, the room was broken up into a main area and four mini-classrooms where network and data security presentations could be given hourly. I believe they also provided box lunches and a USB drive with some of the presentation materials. The slide deck for the TCG 2008 presentation is here: https://www.trustedcomputinggroup.org/news/events/rsa_2008/.
I heard that the attendance was up for RSA 2008, after 2 or 3 years of modest decline. Pre-conference, the number was projected to be 17,000 - quite respectable. I hope they don't suffer a significant decline in this extreme recession.
I found the conference very well organized, with things to do for both full attendees and expo-only types. There was a hacker smack-down contest setup in the main corridor, and adjacent to it was a Jeopardy-like contest during day hours.
There was also the "crypto commons" lounge with plenty of space to sit down and charge up that laptop between conference sessions. Rows of tables allowed more focused work, and there were Ethernet drops too.
Most of the tracks were exclusively in single rooms, which minimized travel for attendees focused on a single area. Besides the two concurrent Hacker Tracks, there was an ID Management track, a very popular developer security track, a business track, a sponsor track for items that didn't rate a keynote, and also a new legal track. Of course, similar content might appear in different tracks, like presentations on XACML by Oasis Members.
One highlight of RSA 2008 was the Cyber Security Town Hall meeting, open to expo attendees as well. For 2008, this featured a presentation by Greg Garcia, the Department of Homeland Security Assistant Secretary for Cybersecurity and Telecommunications (who also spoke in 2007). Garcia spoke on the then recent Cyberstorm II exercise results. Unlike Cyberstorm I, which was more like a board game, this was a real-time cyber-attack scenario. The exercise planning began in 2007 and culminated in March of 2008, involving 40 companies, 9 states, and 5 countries (Canada, Australia, New Zealand, the US, and the UK). One thing DHS learned from the effort, Garcia said, was just how important critical vendors and support staff are in an international emergency. This sentiment was echoed by reps from EMC and Microsoft at a participant panel after Garcia's talk. Collect business cards from your peers at events like RSA, and be prepared for cyber-disruption, they advised.
Presentations and other conference materials for RSA 2008 are locked up, but many presenters post their own presentations on-line. So, looking up the presenter and the presentation title may turn up a presentation you want. This link offers several presentations from RSA conferences here and in Europe, including "Darwin and Security: What Evolution Tells Us About the Past and Future of Security: https://www.cryptography.com/research/presentations.html
The RSA conference archives have articles and podcasts that are public. See it here: https://365.rsaconference.com/community/rsaconference_archives
Also see this link: Podcast Series: RSA Conference 2008 https://365.rsaconference.com/blogs/podcast_series_rsa_conference_2008
I'd also recommend Bryan Sullivan's highly rated presentation from RSA Conference 2008 on "AJAX Security". This is an update of the RSA 2008 talk which was called: "AJAX applications: A blueprint for Disaster" due to the greatly expanded attack surface.
I do have some quibbles about the once spectacular "Cryptographers Bash", the night before the last day. I don't know if the ballrooms at the Marriott Hotel were collectively smaller than the Treasure Island venue, but the crowd seemed much smaller and the food stations had only a few variations repeated in all the ballrooms. It seemed like a step or two down from previous bashes.
While the variety of food and entertainment was already much more limited, some crazy person thought it best to hold back the desserts until after 9 pm, long after a sizable chunk of party-goers had departed to sleep off alcoholic and carnivorous excesses. Perhaps this reflected some new-felt economy measures, but for the folks who had eaten something before, it was an excessive wait. Many of us just left before they rolled out the sweets.
End day end-game: 3 track sessions without a break in the AM, and 2 keynotes in the afternoon. The first keynote featured Hugh Thompson in his techno-celebrity incarnation. He had also closed out RSA 2007.
The real closing honor went to Al Gore and his Green Energy message. Unfortunately, Gore's keynote was contractually a non-Press event. That meant all bloggers, tech writers, and local news hacks were escorted out before he spoke - by security staff. And that included this lowly Linux Gazette reporter. Of course, some press people had obtained separate expo passes, and snuck in anyway.
That event was not recorded or posted publicly, but Gore also spoke at the Web 2.0 Summit last November, and that video is in the conference archive. Check it out here: https://www.web2summit.com/web2008/public/schedule/detail/5068
MySQL - No Disappointments
The MySQL user conference never disappoints, and is usually tightly scheduled and well-organized. It features keynotes by technologists and researchers, and presentations by the MySQL development team and key partners. With nearly 2,000 attendees, this is the probably the world's largest community event for open source database developers and users.
Last year's event followed soon after Sun's purchase of MySQL, but the conference was substantially unchanged. Former CEO Marten Mickos addressed concerns and anxieties during and after his keynote, noting that Sun provided the resources that MySQL needed at that stage of its growth.
Mickos had tripped off concern in the blogosphere and on Slashdot that MySQL was moving in a proprietary direction by mentioning that "commercial extensions" planned for 6.0 would only be available to subscribers to the enterprise edition of MySQL 6. However, these management additions are really an outgrowth of the MySQL Network subscription for enterprise users, and have little impact on the user community.
Rick Falkvinge, of Swedish Pirate Party, gave a challenging keynote on "Copyright Regime vs. Civil Liberties" on the second day. He and his party consider modern copyrights and their legal regime a threat to civil liberties, taken from a very long historical viewpoint.
Recounting the battles between the medieval church and printing press, and later the exclusive charter to London printing guild by Henry VIII, Falkvinge described our rules of intellectual property as protections almost entirely for the publishers, not the creators. So, it seems not that much has changed in over 300 years.
Originally, copyrights were about public use and public performances of copyrighted materials. Now, IP owners like record companies are arguing against messenger immunity, an idea going back to the Roman Empire. They are also arguing for the right to inspect private e-mail and to pierce postal secrets and common carrier privacy. He argued that this undermines whistle-blowers and freedom of press, which need privacy to protect these "private" communications.
Some presentations at the user conference dealt with performance improvements and tuning in the then-new 5.1 release of MySQL, and other sessions discussed planning for a future 6.0 release, probably after 2010. That will probably be a major discussion point at the 2009 MySQL user conference. Here is the schedule for the upcoming 2009 conference: https://en.oreilly.com/mysql2009/public/schedule/grid
One potentially interesting session for 2009 talks is on "Drizzle", a fork of the MySQL server targeted at Web development and cloud computing. Monty Taylor, a very senior MySQL/Sun engineer, is working on it full time. Drizzle is also discussed at a panel session discussing the MySQL roadmap. Check out the keynotes and presentations at the O'Reilly archives. (See below.)
For on-line O'Reilly Conference archives, visit this link: https://conferences.oreillynet.com/archive.csp
I do have to give a nod to O'Reilly on this: They put up event archives quickly, and these are publicly accessible.
Talkback: Discuss this article with The Answer Gang
Howard Dyckoff is a long term IT professional with primary experience at
Fortune 100 and 200 firms. Before his IT career, he worked for Aviation
Week and Space Technology magazine and before that used to edit SkyCom, a
newsletter for astronomers and rocketeers. He hails from the Republic of
Brooklyn [and Polytechnic Institute] and now, after several trips to
Himalayan mountain tops, resides in the SF Bay Area with a large book
collection and several pet rocks.
Howard maintains the Technology-Events blog at
blogspot.com from which he contributes the Events listing for Linux
Gazette. Visit the blog to preview some of the next month's NewsBytes
Events.