It's not quite the end of January, but there's already alot of "new" in my new year.  There's a  new car, some new gadgets, and on the work front a new project and a new team.

As you may have heard, Charles Fitzgerald, left Microsoft to head to a startup. Charles was the GM that my old team, platform incubation, reported into. Charles set the mission for that team, and was the major stakeholder for Tafiti and several other internal facing projects that I worked on. Charles was a great GM, and while this is a loss for MS, I'm confident we haven't heard the last of him.

With Charles' departure, Scott and I will be moving to different roles in the company. I am happy to report that I am now officially part of Simon Guest's team.   

One of the few negatives about my last role in incubation was that it was inherently secretive, as parts of the work could be patented. As a result, after delivering my book on CardSpace I mostly dropped off the public scene, save for promoting Tafiti. With Simon's team having a key focus on talking about architecture with the broader community, this is something that will change, and you'll see me engaging more publicly on architecture related subjects. Simon's team has a big focus on Software+Services, which if you've read the blog for awhile know is something I've been looking at for some time in and outside of Microsoft. Expect to see me blogging more, podcasting/screencasting more, and writing the odd article or two. (No more books for awhile, though. Having written or co-written 3 books in 2 years, I've committed to my wife not to start another one until 2009)

I also mentioned there's a new project. I'll be carrying over a project with me from incubation to Simon's team as well. Nothing I can share at the moment, other than it will be public focused and it's going to be a key focus for me for a good portion of 2008.

While this project is big, there's another project I'll be working on that's even bigger.  This is a longer term project, estimated to last decades with a budget estimated to be in the seven figures. Oh, and it has nothing to do with software. My wife and I are expected our first child, a son, to literally arrive any day now. While there's alot of great 'new's in 2008 already, this will surely be the best.

Here's hoping your 2008 is going well, and I look forward to engaging with the community more broadly once again.  If there's anything you'd like to see me engage on - be it in blog, article, or podcast, let me know. As always, I can be reached at mmercuri@microsoft.com

Being on an incubation team, many of the projects I'm attached to are not discussed with the public. Today, however, is a great exception to that rule.

I'd like to introduce you to Tafiti.

Tafiti, which means "do research" in Swahili, is an experimental search front-end from Microsoft, designed to help people use the Web for research projects that span multiple search queries and sessions by helping visualize, store, and share research results. Tafiti uses both Microsoft Silverlight and Live Search to explore the intersection of richer experiences on the Web and the increasing specialization of search.

You can try Tafiti following these steps:

·         Go to http://www.tafiti.com

·         Enter a search query

·         Drag interesting results to the shelf on the right.  Each box on the shelf can be used to save a related set of results.  Shelf contents can be saved and shared. 

·         Use the carousel at the bottom left to do different types of searches (image, blog, etc.)

·         Visualize your results using the Tafiti Tree View.

I did a video interview with Channel 10 on this that has just been posted here.

http://www.on10.net/Blogs/larry/first-look-microsoft-tafiti/

I also did a standalone walkthrough you can get to here:

http://www.tafiti.com/walkthru.html

More to come as the week progresses....

No, not the DaVinci Code, but his Codices.  Leonardo DaVinci's two notebooks, the Codex Arundel and the Codex Leicester, are being brought together digitally. This is the first time that the two parts have been together since DaVinci's death in 1519.

The British Library owned the former, Bill Gates owned the latter, and they've brought them together in an WPF Browser AP.

You can experience “Turning the Pages” 2.0 here www.bl.uk , following the link with take you to http://ttpdownload.bl.uk/browserapp.xbap

Mercuri's "Services SLA Paradox"

Paid services haven't taken off because there aren't SLAs from Service Providers.
There aren't SLAs from Service Providers because people aren't paying for services.

-----------------------

When someone gives you something for free, they have no obligation to you and you have no recourse if something goes wrong. When I was a student, if I was moving to a new apartment, my friends would would help me pack up my old place, load the truck, and unload it at my new apartment.  Sometimes people would show up late, sometimes things would get broken, but hey, they were doing me a favor, so I had no room to complain.

When I move now, I hire a moving company. Why? Because my time is more valuable to me than it was 15 years ago, and I also have much more expensive stuff.  If I was scheduled to move out of a house on the 31st, and the mover's truck broke down, I'd want to make sure the company could swap in another truck from their lot. If my $4,000 television is dropped, I want someone who's insured and who's going to make it right.

Today, we have a number of people giving away services - Google, Yahoo, Flickr, Amazon, StrikeIron, etc.  While there are exceptions like Amazon and StrikeIron that are doing some good work in the utility services space, where they're doing metered usage, I've had a hard time finding SLAs anywhere else. People are doing interesting mash-ups with 'free stuff', but is anyone willing to put free stuff in their application for any key piece of functionality? If you do, and you don't have SLAs, you're a gambler, and for your sake, I hope you're very lucky.

At the Web Builder 2.0 conference held earlier in the month, Day 1's keynote had a speaker who talked about Ajax and mashups, using his company's product as an example.  At the end of the presentation, he opened up the floor for Q&A, at which point I asked him two questions - "what about SLAs" and "what about federated identity".  The answers? 

SLAs: These services are free, so there are no SLAs.

Identity: These services (Yahoo) are free, so that's not an issue.

I find it amazing that people don't pro-actively address the SLA and Identity issues, and I find it borderline irresponsible that 'experts' ignore or wave off these questions when raised. The need for SLAs should not be such a surprise, people who've spent time looking at the space at this have written about it, myself having done so back in 2001  ("14 Best Practices for Selecting a Web Service Provider", 2001, .NET Magazine, Fawcette) Yes, it's cool to include maps, search, and images in my application but if the service code go down - or disappear entirely - at any time, for many scenarios they're a non-option.

If you want to use services for anything real - and by real I mean something you'd use in a key area of an Enterprise or Commercial Software/WebSite - you need to have a Service Level Agreement. Using a service effectively moves a third party from being a vendor to being a business partner. The service provider controls the hardware, the bandwidth, the support, etc. but the service interactions are exposed through your application, with your brand, and your reputation attached to it.

With today's lack of SLAs, if the service goes down for an hour on Thursday, it goes down for an hour on Thursday. Moreover, there's no guarantee that the service is going to be around for a week, a month, a year, etc.  Google just announced (http://news.com.com/2061-10812_3-6145053.html) that they're no longer taking on new customers for the SOAP API they'd been offering. They're moving new customers to an AJAX API. If you were evaluating this and building this functionality into a spec for a smart client application you were developing, and now it's gone, sorry charlie. What were you expecting? You're not paying for it, so you can't complain. Without an SLA, no promises are ever made  made by the provider, so there are no promises to break.

My argument is that SLAs are late to the game, because people aren't paying for services and people aren't paying for services because there are no SLA's. Something I've shamelessly named 'Mercuri's Services SLA Paradox'.  There are some positive movements in the right direction - Amazon and StrikeIron come to mind - but they are definately the exception and not the rule.

If you're like me, you'd like to be able to leverage and mashup services that you can depend on. If we collectively don't stand up and insist on these, we're stifling innovation. I challenge you to ask the providers - at conferences, in forums, online and in person - "What is your SLA for your services and what will it take/cost for you to offer me this service in a dependable fashion?"

Consistency in tags is something that's a pre-requisite for the opportunity to do something meaningul with context, affinity, and trust for the next generation web. 

There's a blogger from Australia who had run across the DotNetRocks podcast, and had some questions about what InfoCenter is and what InfoCenter isn't.   Quite frankly, I've been amazed at the response, considering the CTP isn't yet evailable.

At any rate, one of the questions that came up was around the value and/or role of the aggregator of feeds  - not just software, but the humans who inject domain expertise and experience in putting together an aggregated blog. People who involve software and people to bring together a noise-free, targeted feed.

For this, I look to the last letter in RSS? That S stands for Syndication.  Effectively, the way I see the world is that every blogger is a production company, generating syndicated content. While we can broadcast our own content via our blogs, there's also interest in repackaging our content and leveraging it in other places.

Just like in television, people generate revenue by hiring program directors / editors that compile a group of syndicated content into a product or programming schedule and sell ads based on viewership.

While the underlying value is in the content, there's tremendous value in the aggregation of particular content by people we trust and who we hold up as experts in a particular area.

We all have the opportunity to become program directors of RSS content, what needs to be figured out is how the revenue stream works back for the creator of the content.  In the syndicated television world, you buy rights to a show for a particular period, for a particular market. The payment, as I understand it, is established up front.

On the web, it would seem this would be more fluid, and as a result there needs to be a way for either the syndicator to specify ads to be shown in conjunction with their content, or for networks/program directors to provide incremental revenue back to the networks/program directors.

Awhile back, I wrote about how Wikis and community sites would be our new memorials (Wiki as memorial? http://www.marcmercuri.com/PermaLink.aspx?guid=0f22d71f-8eed-4f32-a1da-7ced952bc97f).  In that piece I commented on how Wikis and community sites like MySpace and space.msn.com would become the memorials of the digital age

“If you look at spaces.msn.com and myspace.com, you're starting to see the dawn of things happening.  What is 'cool' for todays teens will become institutionalized, and we'll start to see people taking technology in interesting places to build these interactive histories and memorials.”

I ran across an interesting article this morning on the Associated Press wire “MySpace generation preserves memories online“(http://www.msnbc.msn.com/id/13526522/).

It looks like it's starting...

As long as I'm blogging about cool stuff, have you seen RoboCast yet?

http://www.francisshanahan.com/robocast/

Francis Shanahan has put something together that's pretty cool.  It will take your blog entries, “read them” using the Speech APIs, and record the audio as MP3s. Effectively taking written content and making it a podcast, no human voice work required.

When I first saw it, I thought - pretty cool. When I thought about it a bit more, I realized it opened up the option of podcasting to individuals who may not have the opportunity otherwise due to certain disabilities. That takes it from pretty cool to very cool for me.

Ok - this has nothing to do with WCF or WF, but I've got tell you about this great piece of software I'm using called Orb.  As you may have gathered from my blog, I travel.  Alot.

Even though I have a MediaCenter PC, a TiVo, and a ComCast DVR, up until recently I haven't had remote access to my recorded content.

While on my last trip (Las Vegas, Notes2.NET Conference), I picked up a Slingbox for use on this conference (FinServDevCon) While the slingbox is cool, there was more that I was looking for. Orb gave it to me - and it was free and installed in <5 minutes.  I'm currently working on this entry while watching a recorded show on my home machine from Comedy Central streaming to my laptop over the hotel internet connection. Now I work at Microsoft, and I've had friends who had streaming video to their phones 2 years ago - but this is something anyone can set up and get going in minutes.

If you travel alot and you've got a media center, you should definately check out Orb (www.orb.com). 

Over the weekend, John Vlissides, one of the 'Gang of Four' passed away. In an interesting use of wiki, a memorial has been put up where people are placing anecdotes.  http://www.c2.com/cgi/wiki?JohnVlissides

In a connected world where we regularly interact electronically with people beyond the borders of our respective geographies, the traditional ability to mourn and share rememberances as a physically congregated group becomes less realistic.  The need to mourn and share remembrance remains, however, and it will be interesting to see how the same technology that facilitates the connections is re-mixed to facilitate handling disconnections.

I found the Wiki As Memorial interesting, and thought back to the funerals and wakes I've attended in the past. The major focus was on celebrating the life that had been lived. While written anecdotes and stories will always have their place, when I looked back what I remembered most about those events was the stories, the facial expressions, and the tid bits of family history that would leak out.  Those small stories that may not be long enough or meaty enough to warrant writing down, but trigger a succession of smaller stories that define an individual,  a significant event, or a shared understanding. All of which is lost in words alone. 

If you look at spaces.msn.com and myspace.com, you're starting to see the dawn of things happening.  What is 'cool' for todays teens will become institutionalized, and we'll start to see people taking technology in interesting places to build these interactive histories and memorials.

Digitized media - and the rapidly decreasing costs to create and share it - mixed with third party content is how I think we'll handle it. Recording our stories, storing them in a shared media driven Wiki/RSS hybrid, linking them to information in third party stores and sharing them out to a set of individuals be they friends, families, or the world. 

There are certain stories that only come out at events like weddings and funerals, and are relayed so much better by the people who lived them and/or were impacted by them. Imagine a personalized Encarta for your family, with pervasive digital media story telling from events like these, with links to relevant information (i.e. information on where the individual came from in Italy), with links to similiar sites of their friends. Imagine taking the evolution of the spaces concept forward 10,20,50 years and the rich media historical tapestry you end up with.

I've had an interesting day today. Checked into the airport this afternoon, and had a debate with the woman at the counter about my reservation. I received my ticket and was surprised to see I wasn't sitting in business class.

The funny thing is, I had an itinerary and record locator that indicated that I was in business class, but our check in clerk claimed I didn't.

A quick call to her supervisor came back with a confirmation that I did not have a business class seat. The options - take a business class seat for another $200 Euros or take a seat in coach. There was some additional discussion on my part, but I was amazed at how uninterested and unhelpful this particular individual was.

Before leaving the desk, I requested that she use my air miles card from a partner airline. Her response, which struck me as a bit odd, was that there was no need, as I was a gold member.

I begrudgingly took the coach seat and made my way to security. While in line I was thinking about her comment about my being a gold member. While I'm gold on other airlines, this (and the partner) weren't one of them.

I rechecked my ticket.  Not sure who Vincent Mercier is, but he sounds a bit more French than this guy who grew up in Tewskbury, MA and knows just enough French to be either polite or offensive. I returned to the desk, pointed out the mistake and  had my business class ticket in hand.

When sitting in the airport lounge a bit later, I thought about what had just transpired.  Air France has asked initially for my passport, to check claims of identity. That claim wasn't used successfully by the requestor, and a secondary claim - my reservation locator - was provided. Again, this wasn't used. Without success, the workflow required an escalation to another service - the supervisor - and again there was a failure. Here it was based on the information provided by the initial requestor.

It stresses the potential for a breakdown in an identity valdation scenario which involves a human component. The difference between Vincent Mercier and Marc Mercuri is fairly  obvious, but the check-in cleark may have done some faulty pattern recognition based on seeing MERC in both.

Had this been a machine driven interaction, this would likely have gone flawlessly. A selection of destination city would have been used to limit the number of potential name matches and from that subset, the name would have been valdated either 1:1 or possibly with something along the lines of a Soundex).

What makes this breakdown of 'the system' incredibly alarming is that there was no validation of claims from that point forward - once ticket was in hand, I had free access to the system, boarded the plane, disembarked in Paris and am now in my hotel. 

Sure, I provided the token assigned by the airline (a boarding pass) at security - but there was no requirement/check of my passport.  If I had continued through with my initial, erroneously issued token (the ticket in someone elses name), I would surely still be in Paris eating the French interpretation of Cajun Chicken wings.

In this specific context, an identity breakdown has horrific potential. Suppose the mistaken identity had occured not with a guy less interested in connecting systems as disrupting them -  a terrorist.

There were no further checks for identity (intra-EU flights do not have passport control), so someone who slipped through the system could now be freely traversing France.  Given the political climate here in Paris this week (for those unaware, there have been riots and indivduals setting fire to cars in France), it's even more alarming.

With the recent move to self-service kiosks for check in, the mechanisms I mentioned earlier are helping avoid this issue. Introducing some of the technology used there in the human interaction piece (i.e. scanning of passports and system retrieval of information) would help solve the issue, surely.

But that answer begs different questions. We do quality assurance of the software systems, but how do we and how much time do we do testing of the human components in connected systems? And once you've established your test plan, and you go to 'rtm' of the process/workflow, how do your federated users report bugs? In this particular instance we're not talkng about a situation that results in some bizarre behavior in an IDE,  we're talking about international security in the heart of Europe. The clerk surely isn't going to tell her manager, as it points out big mis-step on her part.  There's no contact information on the boarding pass or airline timetable. Going to the Air France web site, I went to the link to their corporate office, which is entirely in French.  I'm on a hotel internet connection at 90 cents per minute, chances are I'm not going to spend an hour navigating their site to let them know about the issue, resulting in an open loophole in a frequently used workflow with potential for failure far, far worse than any blue screen.

In this particular scenario, the issuance of a false token was an 'honest mistake', but suppose that it wasn't.  Imagine if a terrorist cell had someone working behind the ticket counter, what checks are in place to prohibit <i>intentional</i> bad issuance or trust violations?

This isn't just with transportation companies, it spans verticals. For example, if John Smith is caught owing $200,000 in taxes, and the workflow for resolving this dispute is handled by Bill Jones who makes $20,000 per year, John paying $50,000 to Bill Jones to make this whole matter disappear happens. Depending on the country, it happens alot.

These example involved a relatively simple workflow, this obviously gets more complex when dealing with interactons that run multiple partners/parties deep.

If you have a business with a high volume of transactions or high value transactions with consumers or areas with complex workflows , how do you / would you handle these situations? What types of SLAs and legal terms do you have in place to handle scenarios where a human taints the system with a manual violation of trust in a federated scenario?Feel free to speak in the third person and without corporate identities, I'm curious how/if this is being addressed.