All posts by phynds

Management, Software Dev

Who decides the roadmap for commercial software

Most of the people I know feel uniquely qualified to say how a particular commercial software product should work based on their experiences of using it. It doesn’t matter which product you pick, it is always the same. The problem with this is that it is almost impossible for an individual to be objective about whether their use of a product is mainstream or even typical. The consequence is that listening to the advice of all your customers is a good idea, but you have to pick and choose which suggestions you actually implement as part of your roadmap.


Ultimately it is the vendor that decides what they will offer. The customer often gets confused about who is steering the boat. So I respect and completely understand the position that a commercial software vendor has the right to decide that some complained about aspect of the product is “as designed” if they believe it is not important to their plans for the product. The other side of this coin is that it is your customers that decide if you have run the boat onto the rocks or not. And they tend to vote with their feet.


The best course is to always get as much feedback from your user community as possible and pick through that information objectively. One great question is whether the customer would pay more for the product if it had their proposed feature, character or ability. If the answer is no then that should tell you something.

Management, security

Virus Prevention Advice and Policy

3 Comments

I sent the following email out to our entire company today and afterwards thought it would be interesting to post if for no other reason than to compare notes with others who grapple with these same issues (i.e. everyone). If you have a company of any size at all I would highly recommend sending out semi annual reminders like this one. It helps alot to remind people of the dangers and sets the tone for new employees who have joined since the last reminder. Above all you will note that the message is maturity and responsibility.


The subject of the email was the same as this post (Virus Prevention Advice and Policy) and below is the text:


It is that time again and we are starting to see warnings about worms and viruses passed along by friends and family so I wanted to take this opportunity to remind everyone of how we keep our own network safe and free of these destructive monsters.


Some rules of the road for using company email and company computers:


1. If you did not expect it then don’t click on anything in it. This general rule will help you deal correctly with most emails and web pages. If you go to a site expecting to download something be sure that you are on the correct site (many common typos of URLs host malicous copies of the popular site). If your brother sends you a message called, “Kids latest pictures” and it was not something you expected, do not click on links or attachments until you have verified that it was indeed sent by him. Our last major virus here at the company was the result of just such a message being clicked on by an employee who did in fact get pictures from her brother quite often, but this time it was a virus that was sent by her brother’s computer instead. It took us 2 days to clean up the mess. A better policy is to only open personal email attachments at home while you are not connected to our network.


2. Be paranoid, but try not to be crazy. If you get an email from yourself that is some form of spam then welcome to the club. We can’t stop the spammer in Asia from using your email address to send the world spam and if you use the address long enough it will certainly happen that you and others you know will get spam that looks like you sent it. It will pass, but we can’t fix it. See rule #1 as this fact should also make you more cautious of anything you get that you didn’t expect even if you converse with the user often.


3. A great many viruses and malware are picked up by browsing the web. Visiting site like Youtube.com and MySpace.com is often a bad idea unless you know exactly what you are doing, why and accept the consequences if the result is 2 days of lost time to the company.


4. There is a reason you can’t install things on your computer. We limit what the average user can install on their computer so that if a mistake is made, it is less likely to have a lasting effect on our network. In most cases, if it isn’t already installed on your computer you don’t need it. There are exceptions, but be sure you have a cogent argument for why you need Software X on your work PC. We also use specific version of MS Office products as a hedge against system outages. We do pay attention to the newest versions and will upgrade when the time is right, but no sooner. If there are business reasons why you need a specific version of something please let me know and we can make a business decision.


5. Keep up the good work. We have an amazing track record here for having staff that do the right thing. Most companies get hit by a virus once a quarter or more and we are typcially only seeing an event every other year. This is in spite of the fact that we do not block sites or regularly check browsing logs to police what people are doing. My only caution on this point is that while we all enjoy this open environment it is dependent on our continued vigilence.


If you have any questions please feel free to contact me or anyone else on the technical staff and we will be happy to help you navigate the mean streets of the Internet.


Thanks
Patrick

Development

Stealing Jobs: from offshoring to robots

1 Comment

I noticed an article on Wired about robots stealing jobs and got to thinking about outsourcing, this down economy and all the conversations I have had (calm and otherwise) about jobs moving offshore.


Ultimately I don’t see any reasonable way to stop jobs from following a well established lifecycle that ends in automation. If you take any task that is currently done by a robot you can probably look far enough into the past to find a point in time when it was cutting edge technology and either a skilled technician or fine artisan performed the function for premium pay (Dot Com boom html programmers for our purposes). As time goes on the task or job becomes well understood, well documented and even taught in all the schools around the world and since the task is still highly paid (that has eroded by now) it attracts alot of people who want that job. Then the task moves toward commodity and the formerly highly paid technicians and artisans have chosen from exactly two courses of action. They have either moved on to the new cutting edge thing or they are moaning about the erosion of their value in the marketplace (blaming the marketplace of course and never themselves). Then it gets worse for this latter group since eventually (and eventually comes quick in the 21st century we have found) the commodity task is recognized to be cheaper to be done offshore. For high tech India and Egypt are hot along with many other locals (I just have most of my experience with offshore teams in these countries). The formerly high end task is drone work now and can be done by a bright student from any continent so the work flows to where it can be done most inexpensively. This is the point of maximum complaint by those who remember making $100 an hour for doing this task. They then stop paying attention just in time for that task to be automated by a program, system or abstraction layer so that no one would ever pay for it to be done by hand ever again. At this point you could probably hear people in the offshore tech districts complaining. This is progress. It is painful, but it is also inexorable, you cannot stop it and you shouldn’t try to slow it down. Instead you should be like the other group of highly skilled technicians and artisans and find the next big thing and constantly hone your skills. This is absolutely doable in our high tech field.


I know this post will come off as callous to some and I am sorry if I am too blunt for some, but especially in times like these we have to stop looking back wistfully at the past and grab our books and browsers and dig in to invent and shape the next revolution. I personally think that energy and the technology that helps with conservation is the next big thing, but there is still lots of room elsewhere. If you view the lifecycle of a job as a good thing you see that it has freed us from farming our own food, making our own clothes and has allowed so many of the things that are best in our civilization. Embrace it or be marginalized.


Finally my apologies to those stock boys out there who have had their hopes and dreams shattered by R2D2.

Development, Web Hosting

Has the Open Cloud Manifesto jumped the gun?

2 Comments

In my business we deal with companies that are by their very nature risk averse and hence I only play with the newest tech for our internal projects, the occasional customer emergency and in my free time. Even so I have watched Microsoft’s Azure pretty closely and while I am confident that eventually we will take cloud computer for granted as we do dynamic web technologies now, I am also pretty sure that we still don’t know exactly what and how the real impact will take shape. Without clear SLAs and Pricing I just can’t gauge how reasonable it will be for a customer of size X with application of type Y to opt for Azure or any other cloud computing platform. That belief also drives me to think that the Open Cloud Manifesto is at best irrelevent and at worst a major impediment to getting where we want to go. If we don’t know what the best end state will be because we have yet to really evolve the technology in the real world then how can a group of people (any group) really hope to lay out the rules of the road. There isn’t a road built yet after all.


It has been proposed that guidance is needed to ensure that solutions are “open”. I can only assume that this means that they want code deployed on vendor A’s platform can be moved to vendor B’s platform unchanged (the classic case of wanting to not gamble on vendor lock in). While that is not specifically stated, I just don’t see any other interpretation that makes sense.

Time will tell, but I suspect we are several years of market testing and evolution from a point where we can even begin to have this conversation intelligently.


To read more on this topic I will point you to blog posts by Chris Auld and Michelle Bustamante. I must say that I agree with them for the most part.

Management, Software Dev, Speaking

NH Code Camp Presentations

4 Comments

I promised to upload my presentations from last month’s New Hampshire Code Camp so here they are…

I delivered the keynote address for the event covering how to survive as a developer in this depressed economy.

NH Code Camp Feb 2009 Keynote.ppt (592.5 KB)

I also got to debut a new session on How to prevent project failure and a follow on called Project Specification for Survival and Profit. The reviews on that second session have caused me to combine them a bit and create what I think is a single, better session that I am going to be presenting at the Boston Code Camp tomorrow.

How to prevent project failure v1.ppt (559.5 KB)

Project Specification for Survival and Profit v1.ppt (464 KB)

Sorry for the delay in posting, lots of travel lately, but that is not unusual for me…

security

A suggestion for replacing UAC

11 Comments

I am here at the PDC in Los Angeles this week and have heard quite a bit of grumblings about UAC. The MS employees on stage and elsewhere are basically saying that UAC is a necessary evil so that clients do not become vulnerable due to unauthorized software install (and other admin level actions). The developer side of this argument is that UAC is a blunt instrument like a security guard in your house that keeps asking you for your passport. You can’t argue that this guard will make your house safer, but he is also going to drive you crazy until you decide to fire him altogether. That is what we are seeing in the field with so many people simply shutting off UAC.

Now that Windows 7 is in sight it might be too late for my suggestion of how we might get the best of both worlds relative to secure software install. My idea is that when you go to install software you should be presented with a Capcha style challenge which ensure a real person is at the helm. Once that Capcha dialog is completed successfully the OS should track that this install is authorized and therefore exempt from future challenges since we know this is not malware (or at least not secretly installed malware).

Since this idea just came up this morning I am guessing I am missing some aspects to this approach that are problematic, but on first look I think this approach could help make things more secure while not destroying user productivity.

If you agree then bring this suggestion up to the people you know at MS. That is what I am going to try to do later today.

Development, Software Dev

Code Optimization when speed is not the only goal…

9 Comments

I have worked on many software development projects, both commercial and line of business and every single time I talk about optimization to a developer they always jump to the same conclusion. They think I mean speed of execution. I grant that the majority of the time when people talk about optimization that is what they mean, but it is not 100% of the time correct. Often I care more about the maintainability of an application especially if I know it is destined (or doomed) to morph quite a bit over the next year or so. In these case it is often an application that will be used by employees and many of the standard assumptions do not apply.
Take our Intranet for instance. It is only used by employees and our closest contractors. We use it for tracking customers and projects, for forecasting sales and even timesheets. I don’t care if it is 5% slower, I want it to be adaptable since we are an agile company. I don’t mess with the code every week or even every quarter, but the code is written in such a way that I or any other developer on staff can go in and very quickly add a field or add other features very quickly. We didn’t sacrifice security (that would be unacceptable), but we did forgo the multi tier architechure and stored procedures for parameterized queries. This is a sin in many circles, but if the application’s backend is single use (only one application) then there is much less advantage to all the abstraction. I am sure the arguments will flow down on me now, but I see the same drive for complexity without purpose (real advantage I mean) in the Java world where code portability is everything and yet almost no one ever avails themselves of that costly feature.

The next time someone asks you to optimize something ask them if they mean for performance or maintainability and let the funny stares begin…

Uncategorized

Technical Consulting

Life changes pretty fast sometimes when you aren’t watching. I woke up today and realized that much more of my work is involved in keeping projects on the straight and narrow and much less is spent making database fields show up in the right place and with the right user access set. For that reason I am changing gears and will leave most of the technical details of our projects to

Uncategorized

EDC 2008 Session on Index Optimization and Performance Tuning

3 Comments

I have recently finished my last presentation here in Cairo at the EDC 2008 and wanted to start getting my presentations uploaded for all those who were asking about them. To make things run faster I am uploading them each in their own post especially since the AJAX example hasn’t been packaged yet.

I covered Indexing in SQL Server including what works and what does not work. I was very happy that my friend Mohammed Meshref from the Microsoft SQL Server team was on hand to both help and to be picked on ;)

Thanks
Patrick


EDC08 SQL Indexing and Perf Draft 2.ppt (546.5 KB)

security

Security Mindset

6 Comments

I have often thought about the mindset required to be good at the security game. I hang out with Duane Laflotte alot and he has the whole hacker mindset which lends itself nicely to security even when you aren’t trolling on the dark side.
But it was an article that got picked up on Slashdot today about Bruce Schneier’s thoughts on this subject that revived the thread for me.
I have what I think is an interesting twist on this perspective in that I believe that the only way to teach what Bruce is holding out as unteachable is what I believe taught me to think this way. When I grew up I didn’t think the way Bruce Schneier thinks. But I do now. The reason I believe is the military. When the Army trains infantry leaders it teaches them how to defend while looking always for ways to attack. The mild mannered programmer is taught to build, but if part of that training put in their mind that to be successful they had to tear down the abilities and infrastructure of the hackers then we might get a different result.
There is nothing to make you think like a hacker than to stand on a hill and realize that you are defending it at dawn and if you fail you and all your soldiers die. It also makes you want to get that unfair advantage and lay traps for the enemy. During a major training exercise in Germany I put soldiers in foxholes with signal mirrors and had them flash the enemy armor to draw fire while our vehicles flanked and destroyed them.
So I think if you want to be a hacker and you don’t think like one I think the Army recruiter would be happy to help get you trained…