Friday, November 25, 2005

New Altien Document Manager screencasts

We have updated the demos section on our website with a new batch of screencasts which show a bit more of what ADM has to offer. The topics covered are:
  1. Introduction to ADM
  2. Accelerate to FileNet P8
  3. BPM Integration
  4. ADM Application Integration
  5. ADM Sync
  6. Versioning & Workshare
  7. Advanced Property Management
All feedback is welcome.

Security flaws and public web betas

Following up on my previous post, events of the past week have shown a much more obvious reason for the missing security model in Google Base - it isn't secure even in its present state. Jim Ley first pointed out a cross-site scripting flaw last Wednesday: More Google security failures. CNET reported another error which allowed the sea of porn already uploaded to Google Base to bypass the Google SafeSearch filter (see Google fixes glitch that unleashed flood of porn). Apparently, both these issues were fixed quickly but I don't expect this to be the end of it and the publicity can only attract more hackers.

Jim Ley also made a very prescient post ten days before the Google Base launch (Public betas risk all our data) in which he wrote:

There’s been a big increase in making all your website projects beta in public, however most companies seem to have decided this means they can avoid actually testing their product before they release it. It wouldn’t matter much if it was Joe’s random web application, but it’s not; these beta products share the same domains as existing heavily used sites. This means domains are trusted by users, but people are expecting something different, this means that both compromised site phishing attacks like I described when I demonstrated the Google flaw last year, and attacks on user data stored on the same domain become very easy for an attacker. I’m not a security consultant, I’ve no idea how to hack sites, I don’t go looking, but it’s trivial to find cross-site scripting (XSS) flaws in these betas, it’s almost too difficult to miss them, which is why I believe the public betas are getting so little testing that there are bound to be more.

There has undoubtedly been a big increase in public web betas, and also an increase in the duration of these betas (Gmail is still in beta almost 20 months after its launch). My first thought is that this must be a reaction to litigation risk, but looking at the Google Base terms of service I think they have this well covered! Nevertheless, flagging a service as beta should warn potential users of its weaknesses and help mitigate PR risk. If an unwitting user were to suffer because confidential data were exposed through using one of these beta services then public reaction is likely to say "it's a beta - you should have known what you were letting yourself in for".

I think this does raise a problem for the many Web 2.0 startups that should be emerging from their beta phases quite soon, unless they have deeper pockets than I imagine. Particularly in the web-based office space, once people start to pay for a service I expect they will want to use it to create content that is not public. I expect most of these companies will follow Google's Limitation of Liability clause:
YOU EXPRESSLY UNDERSTAND AND AGREE THAT GOOGLE SHALL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES.....RESULTING FROM.... (iii) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA

It remains to be seen whether concerns over security and consequent liability will hinder the development of these businesses and it probably won't until something really bad happens. However, it does reinforce my view that if you have developed a brilliant Ajax application which is attractive to businesses (rather than individuals) you will probably see a faster return if you offer an intranet deployable version as well as a hosted service version. Before its acquisition by Yahoo, Oddpost was pursuing both routes to market, although I have no idea if they had any success with the corporate deployable version. But this is a topic for another day.

Friday, November 18, 2005

Google Base has got us all guessing

The covers have finally been taken off Google Base and there seems to be little consensus in the blogosphere on its likely impact. Some quite strong negative reaction (see Techcrunch Google Base Launched. Yuck.) but mostly a wave of speculation.

Michael Parekh hits the nail on the head regarding the implications for Google's Search business and also neatly summarizes the way in which most commentators on GBase have reflected their own particular fixations:
To put in mainstream terms, Google Base is a Lego set for users to submit and categorize any kind of content that's important to them.

This makes Google Base kind of the elephant being described by blind-folded folks:
1. "It's Online Classifieds" and will go after Craigslist.
2. "It's Online shopping" and will go after eBay and Amazon.
4. "It's an Online repository for photos, music and videos" and will go after Flickr, iTunes and others.
5. "It's a way to tag content" and will go after del.icio.us and others.
6. "It's a way to put resumes online" and will go after Monster, Indeed and others.
7. "It's a way to do online photos, music, videos, etc." and will go after Flickr, iTunes, and others.
8. "It's a way to back into online databases, potentially word processors and spreadsheets", and so go after Microsoft.

I'm not sure what happened to item 3, and 4 and 7 are the same, but it's number 8 that I think is significant (but then that's the closest to my particular fixation). Google Base looks to me like the beginnings of a general purpose content management platform. As Phil Windley and others point out, what is missing is a simple, flexible API. Charlene Li at Forrester puts it well and looks to the longer-term implications:
But as comments to my original blog post on Google Base point out, just having the data isn't enough - you've got to be able to DO something with the data and no, just being able to search the information isn't nearly enough. And this is where I think Google is on to something very big. At its core, Google Base is just one very big database of highly structured information. I can't believe Google will just let it sit there, and instead, will develop APIs on which developers can build applications, in much the same way it allows them to create mash-ups around Google Maps. So rather than have to figure out, build, and maintain lots of different applications, Google will allow developers to access the information, on the condition that the applications be "Base enabled".

Does this sound familiar? Microsoft's Windows Live and Office Live are built on a similar premise (albeit sans database -- at least for now) where Microsoft supplies the backend infrastructure and hosting, some tools and data, and a place where developers can market their applications to users.


And in her conclusion she points to the issue that has been bugging me the most - why is there no security model in Google Base?
One last thought on Google Base - right now, anything I post to Base is public, but I may want to keep something private, or accessible to a specific social network. At some point, Google is going to have to allow users to set up these permissions, which adds a layer of complexity to searching. If I'm doing a search for a particular recipe, and I have permission to look at my extended family members' Base content, Google would have to parse out that information in real time. Not an easy feat, at least on the surface.

So why build a content management system with a rich(ish) metadata model but no security model? It seems like a really strange decision because these have always been the two fundamental components of content management. Sure, building an ECM-style, role-based, hierarchical security model that works at an item and container level might have been a bridge too far, but basic private/public flagging and a simple "invite to share" mechanism must be in their kitbag.

I think this omission is very deliberate. Part of the decision may come from the general restriction of functionality in this first release. This in itself is pretty cunning - put out a tool with limited functionality and little explanation and see what the market says you should do next. Given the 60,000+ blog entries generated so far they should have plenty of ideas!

I also feel the lack of security is somehow connected to Google's slant towards personal rather than enterprise applications because without controlled sharing, GBase is pretty useless for companies. However, it is OK for sole-traders to post their wares on GBase and this is one of the use cases suggested by Google themselves (and the root of the eBay killer palaver). So this could simply be another reflection of Google's rather hypocritical "Robin Hood" positioning.

The other thought that occurs to me (and which I feel is more probable) is that the launch of GBase has been carefully calculated. Google's stated aim is to "organize the world's information". If they had added the security model, GBase could have been presented as a ubiquitous and infinitely scalable store for all the unstructured content (private, shared & public) generated by individuals and enterprises. Because it has a metadata model, the content can actually be "organized" rather than simply found.

But what would the public reaction have been? Would you trust Google to look after the entire contents of your hard disk or company shared file servers? I'm sure plenty would but paranoia about Google's ultimate potential power is growing. Maybe a softly-softly approach is just what Google needs at present.

So what does GBase actually do today? My first impressions are that the interface is pretty clunky (although given that Altien's entire focus is on making user-interaction with content management systems as efficient as possible I admit to strong bias). For my first use case I tried to add the latest Altien Document Manager Brochure. I created a new Item Type "Brochure" and started adding attributes: Company, Product, Version etc. I added some "Labels" (what's wrong with tags?) and the URL to the PDF on our website. I then tried to Publish it but my content was "Disapproved" because "Altien" is a misspelling. We had this same problem when we started with Adwords. Obviously those dictionary extensions are not in GBase yet. So I appealed for review (pointing out that Altien is our company name and trademark). More than 24 hours later it is still "disapproved".

Not to be deterred I thought I'd follow one of the suggested use cases and add a "Product" entry. Unfortunately the only products I have that are not Altien branded are my children so I entered the details for my two year old daughter and this time I passed the thought police first time. So far no one has reported this as a bad item nor have I had any offers. Others have pointed out that GBase will be chock full of spam in no time. Maybe then we'll see the security model implemented.

Thursday, November 17, 2005

Back from Vegas

Just about recovered from last week in Vegas. I'd like to send a big thank you to everyone we met with - it was a great event and your feedback on ADM has given us a lot of confidence. Some of the Altiens liked Vegas so much they tried to disguise themselves in the hope I would let them stay.

Tuesday I gave a presentation at a UK government sponsored trade & industry event on IT SMEs exporting to the US. My main conclusion, which I doubt helped many there, was that you need to find an active, focused, relatively-small community you can connect with regularly (even if you have a decent marketing budget). That's what we found in the FileNet UserNet and we've met most of our US customers through the event in one way or another.

Tuesday, November 01, 2005

Launch of Altien Document Manager

Today we made a major announcement - the launch of the Altien Document Manager suite. This includes significant enhancements to our existing products and some important new ones as well. This is the culmination of a year of hard work by everyone at Altien and it is an exciting time for the company. We will be giving presentations and demos of the new products at the FileNet UserNet conference in Las Vegas next week.

The other rather obvious piece of news is that we've started a blog. Please post a comment - it will make us feel loved.