Slashdot Mirror


User: Zeinfeld

Zeinfeld's activity in the archive.

Stories
0
Comments
3,931
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 3,931

  1. Re:Hello? on Palladium Changes Name · · Score: 2, Interesting
    They do not cost millions. Not even close. I can have an international search run by my IP attorney for a few thousand dollars. Microsoft has them internally.

    If you want to exclude all possibility of collision you do. Trademarks are complex, you can have different companies using the same trademark on different categories of product.

    Microsoft probably did do a cheapie thousand dollar job, I would not expect that type of search to preclude any possibility of a claim.

    I doubt the case gets too far however since Microsoft never sold anything under the Palladium brand. Attempting to trademark an element name is difficult in any case. Kind of like trying to enforce a trademark on windows...

  2. Re:Hello? on Palladium Changes Name · · Score: 4, Informative
    Why is it that a $300 billion some company isn't able to hire someone who checks with the trademark office to see if any of the crap they are using is already trademarked?

    It was a code name, they were not using it in trade.

    An international trademark search costs millions so companies use code names while they do trademark searches.

    Palladium was simply one of a list of metals that they had used for secure O/S projects.

    Microsoft was never going to market under the name Palladium any more than it would use Yukon or Longhorn.

  3. Re:CRAP! (If it's not Scottish, it's...) on Cross-Site-TRACE · · Score: 2, Insightful
    This report is just nonsense. TRACE causes the web server to send a reply containing a 'body' part consisting of the request headers.

    There can be no security vulnerability in HTTP that is due to cross site scripting PERIOD.

    This is because support for scripting was never considered in the design of HTTP. Scripting has known security problems. The onus for solving those problems rested and rests today on the idiots who introduced scripting. It has nothing to do with the protocol layer.

    TRACE was in the HTTP specs long long before Javascript was cobbled together in two weeks at Netscape. Netscape could not even be bothered to ask for advice from the HTTP community before unleashing their abomination, so why is this supposed to be my fault eh?

    JavaScript sucks, always has, always will. It was yet another of those hacks Netscape put in to please the advertisers or whichever customer they were going after that week. As a result we have pop-under ads and sites can screw up the navigation buttons. Oh yes and sites keep coming up 'javascript error class not found'.

    None of the uses javascript is necessary for could not have been better supported through extensions to HTML. But the Netscape guys didn't want to do that because they wanted to try to control the standards by simply throwing whatever crap they wrote over the wall and faxing the 'specification' to W3C so they could say that it had been submitted in their press release.
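
Added example (not part of Zeinfeld's comment or of the Slashdot story): what the TRACE echo he describes looks like on the wire, and a probe for it. Two hypothetical Python handlers stand in for a server with TRACE enabled and one with it refused; the marker header, its token and the cookie value are constructed for the probe. The probe sends TRACE carrying a marker header and a Cookie header and reports whether the response body reflects them, which is the reflection the cross-site tracing report's concern rested on.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Hypothetical server with TRACE enabled: the response body is the request
    line and headers it received, as message/http (the behaviour the post describes)."""

    def do_TRACE(self):
        body = self.raw_requestline
        for name, value in self.headers.items():
            body += f"{name}: {value}\r\n".encode("iso-8859-1", "replace")
        body += b"\r\n"
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class DisabledTraceHandler(BaseHTTPRequestHandler):
    """Hypothetical server with TRACE refused: nothing from the request is echoed."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def trace_reflects_request(host, port, cookie="session=constructed-secret"):
    """Send TRACE with a marker header and a cookie (both constructed values) and
    report whether the server reflected them in the response body."""
    marker, token = "X-Trace-Probe", "probe-7f3a9c"
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={marker: token, "Cookie": cookie})
        resp = conn.getresponse()
        body = resp.read().decode("iso-8859-1", "replace")
    finally:
        conn.close()
    reflected = resp.status == 200 and token in body and cookie in body
    return {"status": resp.status, "reflects_headers": reflected}


def probe_handler(handler_cls):
    """Start handler_cls on an ephemeral loopback port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return trace_reflects_request(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("TRACE enabled :", probe_handler(EchoingTraceHandler))
    print("TRACE disabled:", probe_handler(DisabledTraceHandler))
```

Against a real host, replace the loopback server with the target's address; a 200 whose body contains the token you sent is the positive result, and a 405 or 501 (the default when no TRACE handler exists) means nothing is being reflected.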

  4. Re:Xbox on TWIRL: Are 1024-bit RSA Keys Unsafe? · · Score: 2, Insightful
    The TWIRL paper describes all that. They propose using a mesh-routing algorithm for doing the matrix job, as described in the paper "Analysis of Bernstein's factorization circuit" by Lenstra, Shamir, Tomlinson and Tromer, which they estimate can be built to solve a matrix for a 1024 bit GNFS factorization for only $5000.

    Yeah, just got to that bit, I am surprised that that paper had not received more comment since that is the step that has been limiting.

    I still think that Adi significantly underestimates the costs. The thing that made Deep Crack practical was that it completed the run in a pretty short length of time (days). So the system did not require a lot of extra engineering to cope with unreliable processors etc.

    I don't think we are going to see this built for at least five years or so. Of course others might build it and not let on. And even then Deep Crack was built to prove a political point, not just for the cryptographic fun of it.

    Even so, there is no particular reason to insist on continuing to use 1024 bit keys at this stage. The 2048 bit roots have been distributed for some time. Most computer systems are now sufficiently fast that the longer keys can be used without unacceptable delays.

  5. Re:Xbox on TWIRL: Are 1024-bit RSA Keys Unsafe? · · Score: 5, Informative
    the NFS sieving step for 1024-bit RSA keys can be completed in less than a year by a $10M device

    The NFS sieve step is only half the problem, you still have to invert a huge matrix and that requires a closely coupled machine.

    Adi has been describing machines of this type for years, he proposed TWINKLE a while back. The big problem is that only one half of the problem has a trivial parallelism.

    OK there is a tradeoff between the sieve stage and the matrix stage. But it is not that helpful. Basically to halve your work at the matrix stage you have to increase your sieving at least four-fold. This does not get you too far since the sieve stage is still pretty stiff.

    Wow. Looks like somebody's winning the $200k after all

    Not likely since the XBox key is 2048 bits, as are most of the major keys in use. The competent CAs plan about 10 years in advance. There are 2048 bit roots embedded in the browsers that can be used as soon as there is a need.

  6. Re:As I said in a previous post... on MS SQL Server Worm Wreaking Havoc · · Score: 3, Interesting
    One of the best thing you can do with a firewall is something it's hard to do with a desktop machine...LOG.

    The problem with logging is that it is useless unless you actually review the logs. This rarely happens until after a site has been compromised.

    Much more useful is to have the firewall connected up to a 24x7 monitoring or, better, management service like Counterpane, VeriSign or whatever.

    Over time I expect the cost of high end firewalls to drop significantly. I have two firewalls at home, neither cost more than $200 and they are both pretty adequate for my needs. So why does an enterprise setup cost $80K rather than $4K or so?

  7. Re:As I said in a previous post... on MS SQL Server Worm Wreaking Havoc · · Score: 5, Interesting
    Firewalls promote softer security.

    I have argued for many years that people tend to get the idea that a firewall is some kind of +8 amulet of protection they just strap on which will protect them from pretty much anything.

    However there are real benefits to using firewalls and NAT boxes. Unfortunately there are some members of the IESG who are confused on this point but that's because they are blinkered by the end-to-end dogma. I'll note here that Steve Bellovin, the new security AD, knows a thing or two about firewalls.

    There are actually two end-to-end principles. Applied to networking it meant put the intelligence at the ends, not in the middle of a communication. This was applied to security to mean the same thing.

    End-to-end is appropriate to the design of network protocols, it is inappropriate as a guide to operational security. Many protocols are not designed securely, most protocol implementations have flaws.

    Another dogma that is inappropriate to operational security is the 'security through obscurity' trope. A design that relies on security through obscurity is broken. This does not mean that operators should divulge all the details of their operations to attackers in the hope this will improve security, it will not. Argument of this type was used to block the introduction of shadow passwords on UNIX for years after the vulnerability to dictionary attacks was widely known and being exploited by attackers.

    A firewall and NAT box provides a significant degree of security at low cost. NAT provides a means of concealing the internal structure of the network. This does not eliminate the possibility of attack but raises the bar significantly. If you are running a site that is considered attractive to hackers a technology that weeds out the knob turners and dimmer script kiddies has value.

    What we need to move to is security in depth, recognizing that design security and operational security are different and that both are important.

  8. Re:Well, what are/aren't they using it for? on .org TLD Now Runs on PostgreSQL · · Score: 4, Informative
    Actually, this is a good question. What is the database used for?

    The database is a buffer between the requests coming in from the registrars and the DNS resolvers. So you get a bunch of requests coming in once a day saying stuff like 'change asm.org DNS to 10.2.3.243' and the registry has to decide what to do with them. To do that they need to have a bunch of info stating what registrar owns the account at the time and so on. And yes it is not unknown for registrars to attempt to do things they should not.

    The DNS infrastructure that is queried by your DNS server is completely separate. Every hour or so the SQL database will do a dump which will then be checked and if it passes will be sent to the production DNS infrastructure which is essentially a read only affair.

    So no, this does not mean that every DNS lookup in .org is going to result in a mySQL transaction. Nor can you say anything about whether this deployment proves mySQL is ready for primetime, at least not yet you can't. You probably want to wait to see how the zone holds up over the next few months before drawing any judgements.

    BTW the technical name for Oracle features is 'complications'.
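
Added example (not part of Zeinfeld's comment or of the .org registry's actual tooling): the "checked before it goes to production" gate he describes, as a Python function that compares a new dump against the previous one and refuses to publish on any problem. The export format, the zone contents (including a glue change for asm.org to the 10.2.3.243 address quoted in the post) and the particular checks are constructed assumptions chosen to show the idea, not the registry's real checks.

```python
import re

ZONE = "org."
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")

# Constructed sample dumps in a hypothetical "name ttl IN type rdata" export format.
PREVIOUS_DUMP = """\
org. 86400 IN SOA ns0.registry.example. hostmaster.registry.example. 2003010100 1800 900 604800 86400
example.org. 86400 IN NS ns1.example.org.
example.org. 86400 IN NS ns2.example.org.
ns1.example.org. 86400 IN A 192.0.2.1
ns2.example.org. 86400 IN A 192.0.2.2
asm.org. 86400 IN NS ns.asm.org.
ns.asm.org. 86400 IN A 192.0.2.10
"""

# Good hourly dump: serial advanced, registrar's requested glue change applied.
GOOD_DUMP = PREVIOUS_DUMP.replace("2003010100", "2003010101").replace("192.0.2.10", "10.2.3.243")

# Bad dump: serial unchanged, a delegation lost, glue missing, a foreign name slipped in.
BAD_DUMP = """\
org. 86400 IN SOA ns0.registry.example. hostmaster.registry.example. 2003010100 1800 900 604800 86400
asm.org. 86400 IN NS ns.asm.org.
www.example.com. 86400 IN A 192.0.2.9
"""


def parse_dump(text):
    """Return (owner, ttl, type, rdata) tuples; owners lower-cased, comments skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((name.lower(), int(ttl), rtype.upper(), rdata))
    return records


def check_dump(previous_text, new_text, zone=ZONE, max_shrink=0.10):
    """Return a list of problems; an empty list means the dump may be published."""
    prev, new = parse_dump(previous_text), parse_dump(new_text)
    problems = []

    # 1. Exactly one SOA at the apex, and its serial must move forward.
    soa = [r for r in new if r[2] == "SOA" and r[0] == zone]
    if len(soa) != 1:
        problems.append("apex must have exactly one SOA")
    else:
        prev_soa = [r for r in prev if r[2] == "SOA" and r[0] == zone]
        serial = int(soa[0][3].split()[2])
        if prev_soa and serial <= int(prev_soa[0][3].split()[2]):
            problems.append(f"SOA serial {serial} did not advance")

    # 2. Every owner must be inside the zone; every A record must be a valid IPv4.
    for name, _ttl, rtype, rdata in new:
        if not (name == zone or name.endswith("." + zone)):
            problems.append(f"{name} is outside {zone}")
        if rtype == "A" and not IPV4.match(rdata):
            problems.append(f"{name}: bad IPv4 {rdata}")

    # 3. In-zone name servers need glue, or the delegation is unreachable.
    glue = {name for name, _ttl, rtype, _rdata in new if rtype == "A"}
    for name, _ttl, rtype, rdata in new:
        target = rdata.lower()
        if rtype == "NS" and target.endswith("." + zone) and target not in glue:
            problems.append(f"{name}: NS {target} is in-zone but has no glue A record")

    # 4. A truncated dump shows up as a sharp drop in the number of delegations.
    prev_deleg = {r[0] for r in prev if r[2] == "NS"}
    new_deleg = {r[0] for r in new if r[2] == "NS"}
    if prev_deleg and len(new_deleg) < len(prev_deleg) * (1 - max_shrink):
        problems.append(f"delegations fell from {len(prev_deleg)} to {len(new_deleg)}")
    return problems


if __name__ == "__main__":
    print("good:", check_dump(PREVIOUS_DUMP, GOOD_DUMP))   # []
    print("bad: ", check_dump(PREVIOUS_DUMP, BAD_DUMP))    # four problems, publish refused
```

The point of the gate is to fail closed: a dump that loses ten percent of its delegations is far more likely to be a broken export than a real mass deletion, and it is cheaper to skip one hourly push than to serve an empty TLD.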

  9. Re:Highlight... on 98% of DNS Queries at the Root Level are Unnecessary · · Score: 2, Informative
    Well, that's the theory. In practice, however, there are millions of servers out there that do not cache NXDOMAIN at all,

    That is hardly surprising since a lot of servers don't even cache the positive hits.

    The report said 70% of the hits were repeated requests. Again this is not too surprising, the root zone caches really well. There are less than 200 domains after all and only 20 of those have a significant degree of activity. The TLD configurations change so infrequently that the TTL could be set at a month without inconveniencing anyone.

    So the 'necessary' traffic for the root servers is negligible. Even with a million odd DNS servers out there each root need see no more than a few tens of thousands of hits an hour.

    It makes no real difference since the roots have to be scaled to be able to survive a sustained DDoS attack for at least as long as it takes remediation measures to kick in. Get rid of all the bozo queries and you still need the same size box because of the script kiddies.

    There are a bunch of changes that could be put in place that would reduce the DDoS problem. First we could follow the proposals of Mark Kosters and Paul Vixie to start using anycast (this looks like it is going ahead).

    Another thing we could do is to change the DNS logic so that servers keep records in their cache beyond the TTL and use those as backup if the root or TLD is unavailable. Then even a DDoS that succeeded would have only marginal effect.

  10. Re:Highlight... on 98% of DNS Queries at the Root Level are Unnecessary · · Score: 4, Informative
    Though I wonder how the 'search from address bar'-feature has affected the number of non-existent queries.

    A way to tell would be to see how many of the queries were looking for mx records.

    I suspect that people using dummy email addresses like 'a@b.c' for subscriptions are another major cause of the misfires.

    The browsers doing search from the address bar probably reduces the number of misfires. A modern browser will only go to DNS if it sees something like foo.bar. If it just sees foo it will typically try foo.com and then go bang a search engine.

    Another reason I suspect spam is a major issue in the misfires is that lots of spam filters do lookup on sender addresses and those frequently point to non existent domains. Also the spam senders rarely do the most basic filtering on their lists - you can tell that since every now and again you get a spam with a full sender list at the top and you can see the broken addresses right there.

  11. Re:Highlight... on 98% of DNS Queries at the Root Level are Unnecessary · · Score: 5, Informative
    About 12 percent of the queries received by the root server on Oct. 4, were for nonexistent top-level domains, such as ".elvis"

    If the authors actually thought about how the DNS works they would realise the reason for this. A DNS server that gets a request for .com will consult the root the first time and then cache the result. So even though the server might then get a million hits in .com it won't ask the root again.

    If the server tries to query for a non existent domain it will get back a 'non-existent' response. Now it will cache that response for some time but the chances of getting a cache hit is actually pretty low.

    So if you have a properly configured DNS with a bunch of web surfers that view 1 million pages in 20 TLDs and 1,000 bogus ones they will generate 20 hits they would classify as genuine and 1,000 that were 'unnecessary'.

    That is how the system is meant to work.

    The 70% of repeated requests are likely to include outright attacks as well as misconfigured DNS systems.

    The problem dealing with these issues is that a DNS query is pretty cheap to handle, cheaper in fact than most of the proposed defenses. It is probably more expensive for a DNS server to check IPs against a blacklist than to just return the damn data...
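
Added example (not part of Zeinfeld's comments): a small Python model of a recursive resolver's cache of root answers, used to reproduce the arithmetic in comment 11 (a million pages across 20 TLDs plus 1,000 bogus TLDs gives 20 'genuine' and 1,000 'unnecessary' root queries) and the proposal in comment 9 to keep records past their TTL as a fallback when the root is unreachable. The TTL values, the TLD list and the bogus names are assumptions chosen for the model; this is not code from any real resolver.

```python
from collections import Counter

# Assumed TTLs for the model: the root's delegation TTL is taken as 2 days,
# the negative-cache TTL for NXDOMAIN as 1 hour.
DELEGATION_TTL = 2 * 24 * 3600
NXDOMAIN_TTL = 3600

# Twenty real TLDs, the "20 with a significant degree of activity" in the post.
REAL_TLDS = ["com", "net", "org", "edu", "gov", "mil", "uk", "de", "jp", "fr",
             "ca", "au", "nl", "it", "se", "ch", "es", "br", "kr", "nz"]


class RootCache:
    """Hypothetical model of a recursive resolver's cache of root-zone answers,
    one entry per TLD: a delegation or an NXDOMAIN, each with an expiry time."""

    def __init__(self, real_tlds, serve_stale=False):
        self.real = set(real_tlds)
        self.serve_stale = serve_stale   # keep expired entries as a fallback (comment 9)
        self.cache = {}                  # tld -> (answer, expires_at)
        self.now = 0
        self.root_reachable = True
        self.root_queries = Counter()    # "positive" (delegation) / "negative" (NXDOMAIN)

    def lookup(self, qname):
        tld = qname.rstrip(".").rsplit(".", 1)[-1].lower()
        cached = self.cache.get(tld)
        if cached and cached[1] > self.now:
            return cached[0]                      # cache hit: the root is not consulted
        if not self.root_reachable:
            if self.serve_stale and cached:
                return cached[0]                  # expired, but better than failing
            return "SERVFAIL"
        if tld in self.real:
            answer, ttl, kind = "DELEGATION", DELEGATION_TTL, "positive"
        else:
            answer, ttl, kind = "NXDOMAIN", NXDOMAIN_TTL, "negative"
        self.root_queries[kind] += 1              # one real query to the root
        self.cache[tld] = (answer, self.now + ttl)
        return answer


def root_load(pages=1_000_000, bogus=1_000, real_tlds=REAL_TLDS):
    """Comment 11's arithmetic: pages spread over the real TLDs plus `bogus`
    lookups each in a distinct nonexistent TLD, all inside the TTL window."""
    cache = RootCache(real_tlds)
    for i in range(pages):
        cache.lookup(f"www{i}.example.{real_tlds[i % len(real_tlds)]}")
    for i in range(bogus):
        cache.lookup(f"www.elvis{i}")            # constructed bogus TLDs in the ".elvis" style
    return dict(cache.root_queries)


def during_root_outage(serve_stale):
    """Populate the cache, let the delegation expire, then take the root away."""
    cache = RootCache(REAL_TLDS, serve_stale=serve_stale)
    cache.lookup("www.example.org")
    cache.now += DELEGATION_TTL + 1
    cache.root_reachable = False
    return cache.lookup("mail.example.org")


if __name__ == "__main__":
    print(root_load())                 # {'positive': 20, 'negative': 1000}
    print(during_root_outage(False))   # SERVFAIL
    print(during_root_outage(True))    # DELEGATION
```

The model makes the post's point visible: the positive side of the cache saturates after one query per TLD no matter how much traffic follows, while every distinct bogus TLD is a guaranteed miss, so counting NXDOMAIN answers at the root says nothing about whether the resolvers sending them are misconfigured.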

  12. Re:its getting cheaper on How Much Does it Cost to Produce a Recording? · · Score: 3, Informative
    In all, we spent $600, but the total equipment value came out to somewhere around $4,000

    The real costs of any effort of that type are going to be people costs. So it costs $600 for a recording for a church band, maybe $1000 if you had to hire more of the equipment.

    On the other hand a top act such as U2 or the like are likely to want to spend several days in a fancy studio with a full crew of sound technicians, personal assistants, caterers and the like. It is pretty easy to end up spending $10K a day that way - even if you own the actual studio and all the equipment.

    After that there is the cost of making music videos and the payola required to get airplay. Those costs have gone up quite a lot since Queen spent $500 to make the Bohemian Rhapsody video.

    Clearly the industry can't spend $500K+ on the low budget albums that form the bulk of new releases. But even so few of those low budget efforts are going to have a chance to get anywhere near the top 40.

  13. Re:DTDs are broken on DTD vs. XML Schema · · Score: 1
    Last time I looked at it in detail (1.0?), UML had an extension mechanism

    Yeah but will there be any point?

    UML is already bodged, further extensions are not going to help much.

    I never saw the value of graphical methods until I became a consultant. Now I understand that the difference between a $500 a day consultant and a $5,000 a day consultant is the ability to use PowerPoint and Visio to confuse and confound.

    They say a picture is worth a thousand words. If you are the customer, running code, debugged or not, is worth a thousand stupid pictures in any graphical programming methodology you choose.

  14. Re:Don't forget the Houston story on Slashback: Tableturkey, Stromlo, Mandrake · · Score: 5, Informative
    According to a USA Today today, it went like this:

    Houston looks at upgrading their systems.

    If you read the OIG inspectors report into the deal you will see that USA Today got it wrong from the very start. The deal had nothing to do with upgrading existing systems. The plan was to 'bridge the digital divide' by somehow giving Houston residents free access to the hosted desktop applications via public libraries. The whole scheme was a boondoggle from the start.

    The bit about 'upgrading the systems' was not actually mentioned in the RFP. That only came in later when it was asserted that the software would save the City $1.6 million. Unfortunately Piper gave absolutely no indication as to how the figure was arrived at. None of the departments that might make use of the software were actually consulted so it is not very likely that they will be using the system.

    Microsoft threatens legal charges for rigged bidding.

    Again the chronology is wrong. The questions started after Piper, the CIO who had set the deal up, left for another job weeks after the contract went through. The complaints about the rigged bidding came from a Houston councilor, Bruce Tatro, who thought the scheme looked like a boondoggle. The actual investigation was started by a complaint from Brenda Flores after a Houston Chronicle article.

    The investigation was instigated by Tatro, not Microsoft. The only connection Microsoft had to the investigation was that the investigators interviewed the Microsoft salesman. Incidentally the investigation found that the Microsoft sales person had been misled but found the charge of lying 'not sustained' as they claimed it could not be proved that the misleading was deliberate.

    If you read the other vendors comments in the report you will find statements like 'why is the city spending $9.5 million to replace an existing exchange implementation with an untried product nobody has ever heard of'. The Microsoft salesperson pointed out that Yahoo and Hotmail provide hosted services for email and instant messaging for free.

    Houston says, "You made up our minds for us," and went with Linux

    The deal had nothing to do with Linux. The services are hosted on Microsoft Windows 2000 Datacenter edition. The deal was about using 'open source' as smoke to cover a scam that might well end up costing the city of Enron's residents $9.5 million. The politicians bought into the scam because they were conned into believing it would be 'a political win for your mayor' to quote correspondence between the conspirators.

    Piper is currently facing fraud charges over the alleged theft of $294,000 from a previous employer.

  15. Don't forget the Houston story on Slashback: Tableturkey, Stromlo, Mandrake · · Score: 4, Insightful
    If we are doing slashback let's not forget that yesterday's triumph of the foes of Microsoft in Houston has turned out to be a sordid little story of a $9.5 million contract going to a local firm after a rigged bidding process.

    Slashdot got the sequence of events wrong. It was not Microsoft lost contract, complained. The real sequence was only one company bid on the contract. People asked why the city was spending so much money on a product nobody had ever heard of to be installed in public libraries. Then there was an investigation in which all the bidders thought that the bid had been rigged so that only IAT could win.

    So really the story has nothing to do with Microsoft. It is simply business as usual for Enron city.

  16. Re:DTDs are broken on DTD vs. XML Schema · · Score: 1
    The problem seems to be that neither you nor your "UML people" are all that familiar with UML.

    Since the individual concerned was working for OMG I very much doubt it. I have had ten years experience of UML and its antecedents such as OMT.

    I saw the proposals OMG made, they simply do not understand the data model of XML Schema.

    Even if they did UML has become a grotesque caricature. It is even more of a committee spec than XML Schema. You have a bit of object-orientedness and a bit of entity-relationalness and a hodge-podge of finite state theories and then the use cases stuff thrown in on top. That's hardly surprising since it's just the earlier work of Booch, Rumbaugh and co smashed together for the benefit of the company selling the graphical design tool.

    I put together a graphical notation for XML Schema I used in some of the SAML meetings that seemed to help discussions. But that notation was very carefully chosen to illustrate a few carefully chosen aspects of the schema.

    The big mistake with graphical languages is attempting to use them as substitutes for code. By the time the notation has enough decorations for that it has become so complex that it is unreadable.

    The involvement of OMG group does not impress me in the least. Those are the same turkeys who gave us CORBA and took more than ten years to realise that maybe it might not be taking on as fast because the idea people would rip out their legacy systems and migrate them all to an ORB was fundamentally clueless.

  17. DTDs are broken on DTD vs. XML Schema · · Score: 3, Interesting
    DTDs are a hangover from SGML that will eventually go away. The big problem with DTDs is that they only define syntax, there is no data model. The syntax model isn't all that hot either, SGML was designed by a lawyer who hadn't heard of finite state machines, let alone Chomsky grammars.

    XML Schema is also kinda whacked. It shows all the signs of being a committee specification.

    The big problem with schema is that you actually have two type systems going. Element definitions are types for elements. Type definitions are actually types for types for elements. I saw a hopelessly confused attempt by some UML people to express XML schema in UML, they simply could not understand that there was no way it could ever work. UML has completely different semantics.

    There are a bunch of schema proposals that folk have said good things about. Eve keeps telling me I should look at Relax. But for the time being XML schema is going to be the basis for standards in W3C and OASIS.

    There might be an opportunity to do a clean up job on XML schema in 4 or 5 years but that will only happen if it is causing real problems.

  18. Re:A duck on The Future of Java? · · Score: 1
    Well guess what it is not. C# base classes are open. But base classes is not what you use to build applications. Base classes are good for demos.

    You appear to be unable to distinguish between the language and the platform.

    Windows is not an open platform, it is however a very rich platform with a lot of features. If you want to make use of those features you can use C#. You can also use Java but only by using methods that Sun has deliberately made unpleasant.

    As for base classes being good only for demos, well a lot of people would say the same of the Java classes. If you are on a Windows machine or a Mac the Java classes look really yucky.

    If you want to write high quality code for a proprietary platform you are going to want the power of access to the native libraries of that platform. I don't want my PC application to look like a piece of trash. I certainly don't want my Mac applications looking like anything other than a Mac.

    I don't consider a language open if it can only be used with one platform. Java is closed because Sun have set themselves up as the absolute arbiters of what will be permitted with the language.

    I consider C# open because I can do whatever I like with it and Microsoft don't have the right to sic lawyers onto me. They gave up that right when they made the ECMA submissions.

    Thanks to Sun I can't use Java to develop Windows applications. As a result I have zero interest in Java now. I am only interested in a language that will allow me to support any platform I choose. I write in C# because at the moment Windows is the largest platform. I can also be confident that over time C# compilers will be available for Mac and Linux. I can be equally confident thanks to Sun's lawyers that Java will never be useful as a Windows development environment. Sun seems to consider that some sort of victory, Pyrrhic would be the term.

  19. Re:A duck on The Future of Java? · · Score: 2, Flamebait
    These arguments that .NET allows "other" languages, is pure BS. Does .NET allow IL like C++? NOPE! But so long as the language behaves like C# everything possible. Well gee DUH! The same goes in the Java world.

    That is pure bullshit, C++ is sufficiently screwed up that nobody can get it to run in managed code. However Microsoft have got pretty much every other language - Basic, Python, Eiffel, Cobol, Perl, Scheme etc. to run. So the claim that .NET is language neutral is not disproved by choosing the single contrary data point that Microsoft themselves make no effort to hide. The only major languages that don't run are Common Lisp and C++, both of which have multiple inheritance which language design has been backing off from for years.

    As for C# 'copying' single inheritance from Java, COM had single inheritance from the get go. I would be very surprised if Microsoft didn't have coding rules that prohibit using multiple inheritance and compiler flags to disable it for internal use. Every large software house that tried C++ in the early days discovered that multiple inheritance led to disaster. The programs could only be understood by their original authors.

    C# borrows some stuff from Java but it borrows rather more from Objective-C. It also has meta-data tagging which if you know how to use it is massively useful.

    Sure C# could have been an evolution of Java in the same way that Java was an evolution of C. The only reason it wasn't was Sun's decision to insist on full control of Java and siccing lawyers on Microsoft for wanting to use it to do other things.

    Sun has repeatedly promised to make Java open and every time it has reneged. The Java Community Process was created to ensure that Sun kept control of Java, it is not an open standards process in any meaningful sense of the term. Sun retain effective control over every aspect of Java language design. The JCP is independent in the same way Vichy France was independent of Germany.

    What Microsoft wanted to do was to use Java as a replacement for C++. To do that they had to have a bunch of stuff that Java didn't have so they added it. That is how every language prior to Java has evolved. For years the standard for Fortran was VAX Fortran.

    Sun's hardware business is collapsing under pressure from low cost Linux on Intel boxes. They have failed to make any money from Java, except by using it to drive sales of their hardware boxes to dotcoms when those still existed. If you think the SCO/Unix situation is bad just wait a few years until Sun has gone the way of SGI and their lawyers are looking to extract whatever value they can from their 'Intellectual Property'.

  20. Re:Amazing = the real story on Microsoft Loses Showdown in Houston · · Score: 1
    Still, it tickled me to see in the article the headline: Microsoft says it was misled

    This misrepresents the chronology. The scandal predates the Microsoft statement which was in fact made to the OIG inspector who was interviewing all the people who attended the pre-bid meeting.

    The slashdot story is completely off-base, Microsoft was not the source of the complaint and did not trigger the investigation. The source of the complaint and the inquiry was Bruce Tatro, an assembly member who thought that the $9.5 million contract was highly suspicious and has uncovered a large amount of proof to back his case.

    The point is that it was not only Microsoft that thought that the RFP had been deliberately written so that only IAT could bid on the contract. Furthermore if you read what the project was meant to do it is clear that the $9.5 million was in any case being flushed down the toilet.

  21. Re:Funny enough, this will be good for MS users to on Microsoft Loses Showdown in Houston · · Score: 1
    However, straw men aside, it's really irrelevant anyway. What Piper may or may not have done is quite a separate issue from his project of moving Houston away from Microsoft's Office product.

    That is not what the project was about. It was about providing free access to software applications through the Houston public libraries. The city bought 15,000 seats at a cost of $9.5 million - or $650 a seat so it was hardly a bargain.

    It is a fairly common political tactic to attack the character of an opponent in order to discredit a project that he has undertaken. Some people will be distracted by this and not realize that the project is not "guilty by association."

    That is an ad-hominem attack, or argument to the man. Ad-hominem is actually perfectly valid when the question centers on questions of individual honesty as in this case.

    For example it is perfectly legitimate to question the current 'Trust us' argument being used to justify invading Iraq on the grounds that the people making it have repeatedly lied to get their tax cut proposals passed. The fact that Piper is facing charges over a $294,000 theft is very relevant to the question of whether Piper's claimed motives for the contract can be believed.

    The OIG report did actually find that the Microsoft sales rep had been misled by Piper but claimed that it had not been proven that this was intentional. If you read the actual report you will see that this was not simply an isolated issue.

    This whole slashdot thread has the chronology wrong. The sequence was not Microsoft loses contract, complains, investigation is started. The actual chronology was:

    • contract was awarded for $9.5 million,
    • Piper resigns,
    • questions are asked as to whether the contract was suspect by Tatro and others
    • emails were uncovered suggesting that Piper may have had an amorous relationship with one of the parties involved in the IAT bid
    • formal investigation started by OIG
    • OIG question Microsoft
    • Whitewash report issued
    This story has almost nothing to do with Microsoft. It is the story of a very very smelly contract being awarded under very very smelly circumstances.

  22. Re:How long on MonsterHut Jammed for Spam · · Score: 5, Interesting
    Before all these spam companies just move off-shore to avoid litigation ?

    Have you been to Grand Cayman? Would you want to actually live there?

    Moving the data center operations of a spamhaus offshore does not prevent prosecutors charging owners living in the US. If the criminal activity takes place in the US they can prosecute in the US.

    It is quite likely that the offshore havens can and will prosecute also. Hosting SPAM senders does not bring anywhere near the amount of revenue that the traditional offshore industries of banking and shipping do. Any country that is in the offshore game is anxious to ensure that it does not draw unwanted attention to its current scams by allowing high profile criminal activity. You don't get much more high profile than businesses that annoy millions of people an hour.

    Offshore havens are not by and large lawless, in fact the Cayman Islands sells itself on the fact that as a result of its British administration it has a government and banking system that have very high integrity. Cayman is not going to do anything to threaten that reputation and its existing business. So that leaves the spam senders with places like Congo, Nigeria and Afghanistan where the civil government has collapsed (though few 'libertarians' seem to want to live in those countries).

    Moving data centers offshore is in any case a high cost and would be a significant barrier to entry for new spam senders. If you have to move to a jurisdiction where the civil government is corrupt costs are going to rapidly spiral out of control.

    The 'regulatory arbitrage' stuff is all about ideological commitment rather than analysis.

  23. Re:Amazing = the real story on Microsoft Loses Showdown in Houston · · Score: 2, Informative
    Interesting... any support for this statement? I'm sure we can find people who say the opposite, why should we believe you?

    Oh, plenty, see some of my other posts in this thread. Unfortunately I started from what I thought was the clincher, the fact that Piper, the procurement guy behind the bid, is currently behind bars on charges he embezzled $200,000. (actually it was $294,000 but who's counting?)

    It was only after I started digging that I discovered that the inspector general's report that 'exonerates' Piper and the contract in fact does the exact opposite if you read the facts themselves rather than the whitewash conclusions drawn from them.

    If you read the report you will find that this was not a Microsoft vs IAT contest at all. IAT was given the inside track against all the other bidders. Basically the contract was written in such a way that IAT was the only possible bidder for the $9.5 million contract.

    One reason you can tell the deal stinks is that the whole point of adopting an outsourced model is that it allows you to scale your resources to your exact needs. If you need an extra 1000 seats you simply call up the vendor and send them a check. There is simply no rational justification for committing to purchase 15,000 seats in advance before you know what the demand is going to be. What you would do is to write a contract that allows you to purchase from 1000 to 15,000 seats in increments of 500 seats as required.

    I have been involved in outsourcing procurement deals of this type for a very long time. Deals of this type are known as 'sweetheart deals'; you know what they are as soon as you read the RFP. If you are not the favored bidder you can be absolutely certain that the only result of making a protest will be a whitewash investigation and your company being blacklisted in all future contracts.

    This is not a party matter: the Mayor of Houston is a Democrat posing as an Independent, but Republicans have pulled far larger scams in that city. The biggest scam of all being the billions Enron and its accomplices ripped off California with the active help of Bush and Cheney.

    Take a read of the comments in the OIG report, in particular the comments of the BMC and Advarion guys. The conclusions are pure whitewash but it's much harder to hide the actual facts.

    The contract was clearly a boondoggle from start to finish and Piper gave IAT the inside track to win it. It was not only Microsoft that was frozen out, it was also IBM.Lotus (heard of them) and anyone else who could have provided the same functionality.

  24. Re:Funny enough, this will be good for MS users to on Microsoft Loses Showdown in Houston · · Score: 2, Funny
    I have to ask, why was Tatro SOOO against this move? So much so that Piper was investigated for rigging the bid but later nothing was found.

    Well you could read the report. It is basically a whitewash job to save the Mayor's butt, but it can't do the job. As for whether Tatro has a hidden agenda, quite possibly but it seems rather more likely that his agenda is party politics than carrying water for Microsoft.

    The report is actually pretty damning. The contract amount was $9.5 million, yet the report states that "Mr Piper did not understand the contract development and negotiation process and the time it would take".

    If you have had any experience at all of city politics you know that a statement of that type is horsepucky. You do not get to be CIO of a city the size of Houston without understanding the difference between an RFP and a contract negotiation. The story that he came from private industry does not wash either, anyone involved in corporate procurement knows what an RFP is.

    When you see a statement like that in an inspector's report it means precisely one thing, namely the inspector is pretty sure that something fishy went on but lacks the evidence to prove it.

    The description of the bidding process demonstrates pretty clearly that the RFP was deliberately written to ensure that only one party could bid. It was written so narrowly that only IAT's application fitted. It was not only the Microsoft sales guy who was frozen out. The IBM sales rep would have bid if allowed additional time - which IAT did not need because they had known about the RFP two months before it was issued and in any case it described their product.

    It's not just the Microsoft guy who thought the deal was stinky, the BMC guy also wondered why the city would replace an existing Exchange installation that was fully functional with 'an untested product for $9 million'.

    The Advarion guy also had some pretty good points, the contract was massively inflated from the start, the number of users was overstated, the number of simultaneous users was overstated. It was also plain wrong about a lot of technical issues. Why specify a 5Tb file storage device when it is easy to add extra capacity? "Many requirements do not state a problem to be solved but include required equipment, resources and programming design. Most of the time the City is concerned with solving a City problem, not a programming problem. The RFP includes software architecture and virtually useless features as requirements. This does not encourage proposal submittal but confuses software companies and discourages proposal submittal."

    Piper himself admits that the contract price grew by $4.5 million because they had underestimated the cost of bandwidth.

    The inspector's report does not actually clear Piper of all charges; the dispute over what was said to Microsoft is 'Not Sustained' rather than 'No'. It is interesting however to read the actual text used to justify these conclusions.

    The RFP process is found to have been 'fair' because the vendors who were frozen out failed to complain about the process at the time. The fact that IBM and Centrix 'indicated that they could have entered a bid'. This is pure whitewash: IBM stated they did not enter a bid because the city did not allow enough time, and Centrix did not enter a bid because they did not know from the RFP what the City actually wanted.

    The inspector's report only considers the issue of whether the process was unfair to the bidders. The real scandal is that the whole project from start to finish was a colossal boondoggle that was a colossal waste of public money. It is typical of dotcom era and Enron thinking rather than practical realities. $9.5 million has been spent on an IT infrastructure that we can confidently predict will never be used.

  25. Houston Chronicle thinks this is stinky: on Microsoft Loses Showdown in Houston · · Score: 1
    The Houston Chronicle has a story on this contract. It appears to bear more than a passing resemblance to the California Oracle contract.

    Basically IAT was awarded a contract for $9.5 million. There are several problems with this contract:

    One of the big question marks about the whole deal involves Piper's spending of 42,000 of our public bucks for a PR plan for the new IAT system, and doing this more than a month before the deadline for companies to present proposals. Amazing. With so much time remaining for bids to come in, how could Piper possibly be so certain about which company would win?

    Denny Piper, the city's chief information officer who resigned right after the contract was awarded, had claimed SimHouston would save the city $1.6 million this year. Tatro said Piper didn't support that with any documentation, but he told the councilman that "I feel" that would be the savings. Tatro said he suggested council members pray about the contract because "if feelings get us $1.6 million, prayer ought to get us $3 million."

    Call me a skeptic, but when organizations start throwing around $9.5 million contracts to companies that nobody has ever heard of for a product that nobody has ever heard of against a legacy product that can be bought in units of $500 a piece, I tend to think there is something odd.

    There might be a case for going for the other vendor, but I would want to see rather more of a track record with the city before I voted for spending $9.5 million on an untried product. Like doing a trial of 100 seats or so over an extended period.

    The premise behind the contract appears to be that the CIO office will spend $9.5 million making a central purchase of desktop application software and this will save money because the departments won't have to buy Office. The problem with this argument is that the departments that have already deployed Office are not going to switch to a different platform just because the CIO office tells them to, particularly if the order appears to be to facilitate some scam.