All posts by awgibbs

Irresponsible And Grasping

I have to hand it to the Data Scientists: after a quarter century the Internet is finally serving me ads for products and services that I end up buying.

But that is only tangential to this post which is actually about protecting your credentials and encouraging responsible behavior.

Phishing remains a potent vector for initiating exploitation workflows, and the first line of defense is Internet user education and hygiene.  Worrisomely, we see powerful actors encouraging sloppy security practices in this realm for the sake of workflow expediency and intelligence gathering.

Consider a model that has become common within the FaceBook iPhone app that starts with an inline ad that includes a “Shop Now” button.

Clicking that button launches not the default web browser but rather an In-App Browser.

As I prepare to check out I am steered toward PayPal as an option.

And then I am asked to put my PayPal login credentials into this sub-window.

Let’s stop and reflect on that…  I am inside the FaceBook app, nested in which is an in-app browser that says I have a secure connection to a third party merchant, and I’m supposed to feel good about entering the password to a third party financial account.  We are in a world where Phishing Countermeasures 101 is “Don’t Click Links In Emails” and we have a consumer-facing Big Tech company with a billion users of widely varying sophistication training people to enter sensitive credentials into unverifiable places.

Shame.

My workaround: Leave the FaceBook app and go directly to the merchant’s web site.  And if I am going to use PayPal then I will log into it via a discrete tab in my for-realz browser so that I know the connection is secure and my PayPal credentials are only going to PayPal.

This had been bugging me for a while but now let’s get to the even more egregious example that goaded me into writing this morning when I attempted to link a bank account to Expensify.

Alright, let me plug in my bank routing and account numbers…

[Screenshot: e1.png]

Er…  Log into my bank account?

[Screenshot: e2.png]

Plaid…  Um, ok…

[Screenshot: e3_2.png]

Whoah.  Fuck.  You.  NO!  I have no idea what is happening to my bank password in this workflow.  And even if I did I don’t want anybody but me to have it!

[Screenshot: e4_2.png]

Wow.  As I back out from their credential harvester app I discover that the more responsible workflow is available as an Easter egg!

[Screenshot: e5.png]

Yay!  I can get reimbursed without doing something that feels excessively dirty.

[Screenshot: e6.png]

But, again, what are we training Internet users to do by subjecting them to workflows like this?

Or, to ask another question: Why are we desensitizing Internet users to engaging in highly risky security practices?

Two answers: to retain attention and to harvest intelligence

In the case of the FaceBook app it all comes down to keeping you in-app and clicking.  Having you divert to an external browser risks disruption to your social media flow state which affects FaceBook’s bottom line.

In the case of Expensify and Plaid it appears even more nefarious.  A perusal of Plaid’s privacy policy makes it seem like they have bigger designs on your account credentials than just performing systems integration.

It starts off sounding warm and fuzzy…

[Screenshot: p1.png]

But breezing past the marketing and getting down to brass tacks it reads a lot more scarily…

[Screenshot: p2.png]

Gross!  All I wanted to do was configure Expensify to push payments to my bank and Plaid is trying to get in the middle and hoover up EVERYTHING.

On a personal level this feels manipulative and violating.  On a societal level this feels like an externalization of costs, a form of cyber pollution in which certain commercial entities are acting in narrow self-interest in a fashion that harms the overall security of the Internet and its users.

Do not fall prey to this manner of thing.  Practice defensive surfing to keep your credentials safe.

Surviving Telework

The benefits of SCIF-life tend to exclude telework.  And you’ll count yourself lucky if your phone does not fry in the parking lot come summertime.  Nonetheless in the underlying restrictions one finds a wealth of under-appreciated inducements to stay focused and productive.  As we roll into this new socially distanced phase I am thankful to have had a few years of post-government life to practice operating in an increasingly fluid and virtualized modality.  I can imagine the shock others may be experiencing as they go full-remote for the first time with no preparation.

To avoid both personal and professional misery I suggest pondering three areas:

  1. Habit / Environment
  2. Ergonomics
  3. Communication

Habit / Environment

With the breakdown of natural boundaries between personal and professional reality, sustaining habits and protecting focus become crucial.  You must cultivate environmental cues to get into the zone and erect barriers both physical and virtual to protect it.  Failure to do so will leave you sluggish, distracted, frustrated, and ineffectual.

If at all possible do NOT attempt to work in a setup that your brain associates with leisure.  I recall, shortly after leaving the government, my first unexpected telework day at Bridgewater being borderline wasted.  I did not intend it to be, but I had flopped unshowered onto a beanbag chair in front of my wide screen TV, thereby adopting a context and posture that my brain associated with computer gaming on a Saturday morning.  FAIL.

Instead start by grounding yourself in a boot sequence that runs independent of where your work day will be.  For me that is coffee, breakfast, hygiene, and clothing, followed by getting to a standing desk with a proper keyboard, mouse, and monitor.  Your approach can be different but you need something to provide the cue to get into the zone.  You may also wish to take a walk that simulates your morning commute (though maybe not right now).

And then you must stay in the zone. Visually and acoustically isolate your home office setup from other household goings on.  If possible get yourself in a room with a door that you can shut.  Leverage headphones and a noise generator to enhance that isolating effect.  Negotiate and maintain clear boundaries and protocols with your cohabitants (pets and humans alike).

Ergonomics

Do not get hurt.  Suffering repetitive strain injuries in a proper office environment is all too easy.  In working at home unmindful of such things one courts disaster.

Get yourself an adjustable desk and spend as much time standing as you can manage.  Ensure that your monitor is at a height that your neck and spine can maintain a neutral posture.  If you must sit, the most important thing is having enough padding to prevent pressure points, not the “support” that fosters a weak core and ultimately a range of musculoskeletal injuries.  And when you are standing, do so on an anti-fatigue mat, avoid extended static positions, and continually stretch as a matter of course.  Consider getting a fidget bar.  Maybe keep yourself honest with an Upright GO.

Avoid working directly on a laptop for any serious amount of time.  Certainly you can use a laptop, but do not interact with it directly.  This device, for all its wondrousness, is an ergonomic disaster.  The reason comes from your need to independently adjust your input and output devices’ relative locations.  This in turn stems from the simultaneous requirements of viewing your monitor at a height such that your neck and spine can remain neutral while keyboarding with your shoulders back, your upper arm segments perpendicular to the floor, your lower arm segments parallel to the floor, and your wrists aligned with your lower arms in a neutral posture.

While there may be many options that suit your purposes, I personally fell in love with the Comfort Keyboard ~15 years ago when my government agency’s ergonomics folks introduced me to it at a time when I was scared that carpal tunnel syndrome was going to derail my nascent career as a software engineer.  This keyboard in particular exemplifies the idea of having multiple independently adjustable axes.  I’ve never used another keyboard since discovering this one and the terrifying pain that drove me to find it has never returned.

Also beware the multi-monitor trap and arrange your desktop windows mindfully.  You do not want to be spending any significant amount of time with your neck twisted or tilted.  Whatever tasks are consuming your focus for substantial periods ought be front-and-center.  Position windows to avoid having applications continually drag your focus off-center.  And if you have multiple monitors, ensure that one sits directly in front of you and others are leveraged only for peripheral awareness and/or very brief tasks.  For most folks a single massive monitor proves a superior option to multiple smaller ones.

Lastly, take breaks deliberately and switch up modalities even if just briefly to prevent rigor mortis.  Stand, sit, lie down, walk, and stretch.  Don’t eat lunch at your desk.  Take a break for some leisure items and chores (but time box them and only start them once you’ve fully flushed your latest work context).

Communication

Communicating in a quality way can prove difficult under the best of circumstances.  And having an entire company doing remote work, especially when transitioning to that modality en masse and without warning, is far from the best of circumstances.  Worse still, the high-bandwidth and serendipity-driven nature of in-office life often serve as crutches that form and harden bad practices.

In everything you communicate, remain aware of how your engagement style and choice of medium either fosters or undermines effective knowledge transfer.  When transmitting, aim to be precise, concise, transparent, and transactable.  When receiving, assume noble intent and ask for clarification.  Think carefully about the urgency of your requests and strive for asynchronous messaging and batch-mode operation to preserve the focus and efficiency of others.  But also recognize when a problem requires a high-bandwidth and low-latency interaction and elevate your communication to the appropriate medium.

Consider the full range of your communication tools and how each one of them presents an opportunity to empower or hinder your co-workers in a way amplified by remoteness.

Stand Ups — Your organization likely consists of very different people when it comes to their skill profiles, social patterns, communication style, self-sufficiency, and comfort raising problems.  Your daily stand-up meeting represents the one opportunity to cut through all of those challenges and keep people happy and delivering.  It can also prove a quagmire without good protocols and enforcement.  Keep it simple — What did you do yesterday, what are you doing today, what promised deliverables are at risk, and how do you need help?  Everybody should be able to cover this in about a minute.  Maintain a “parking lot” for follow-up items so that you get around the room quickly instead of rabbit-holing.  And then be damned sure that all of the requisite follow-on conversations happen to get people the help they need and re-examine at risk deliverables.

Instant Messaging — Prefer posts to public channels over DMs to foster awareness and crowd source solutions serendipitously.  Leverage threading to ensure that channels remain skim-friendly and searchable while individual messages have the necessary context.  Refrain from flaring individuals or channels unless you have an urgent need to preserve focus.

Email — Be inclusive to ensure adequate transparency, clear about how you view different recipients, and mindful of wasting bandwidth.  Use the “To” line to indicate the people from whom you need something, the “CC” line to provide transparency while indicating optionality, the “BCC” line to let someone know you’re on the task while eliminating future chatter, and the “Subject” line to make inbox skimming efficient.  Leverage distribution lists to assist in adequate dissemination of information.

Issue Logs — Don’t wait until sprint retro day to dredge up things from your tired brain.  Document problems as you run into them.  Simply record the concrete bad outcome in an open-minded way.  Save diagnosis and design for later when the pain signal warrants, the frustration of the moment has bled off, and you can leverage others’ insights to get to root causes and iterate on systems to make them more resilient.

Ticketing Systems — First and foremost, just write it down, for all values of “it”.  Always.  Facing the headwind of tech debt, document it in the backlog for triage.  Having tripped over a bug, write a really clear description and include system output, screen shots, or videos to make it easy to reproduce.  Planning a sprint, write really clear user stories such that a ticket can stand on its own for a developer to know they are done and a tester to believe or refute that claim.  And, most crucially, continually update your evolving understanding of the goals or problems in the ticket instead of relying on out-of-band renegotiations.  Few things are more contentious than what “done” means when you don’t have a written agreement.  Treat your ticketing system as the system of record where your latest synthesized understanding lives.

Version Control Systems — Your VCS is not just where you push code to get reviews, maintain deltas, and trigger system deploys.  Done well this is your opportunity to have an assortment of out-of-band conversations with a variety of individuals wrangling different situations.  Technical leaders looking for patterns and problem areas, team leads trying to keep things on track, individual contributors looking for inspiration, and bug hunters seeking root causes will all thank you for taking your commit messages seriously.  Write a pithy summary line that captures the essence of the “What?” and fits inside summary line length constraints of your tooling.  Embellish in prose form within the message to summarize the “How?” and “Why?” if it won’t be evident from reading the diff.  Squash your branch to a single commit before merging and clean out your in-progress junk comments like “whoops”, “damn it”, “adding debug statement”.

Automation — Automate processes not just to improve efficiency and repeatability but also to tell a story of how things are supposed to work.  Structure code repositories the way a librarian would to foster discoverability.  Lay out the source code in projects the way an author of a book would to afford comprehensibility at multiple levels of zoom.  Craft logging and exception handling to be equally useful to humans and computers alike.  Think carefully about how you decompose logic into units and put serious effort into giving them meaningful names that communicate their purpose.  Or, if that’s too many things to remember, just remind yourself to always code as if the person who ends up maintaining your code is a violent psychopath who knows where you live.

Parting Advice

Wash your hands, stop touching your face, find a way to exercise, resolve to stay calm, support your medical professionals, and if at all possible #staythefuckhome.


Three Options

Over a lifetime of wrangling projects and relationships one repeatedly encounters a decision point with three options around managing sub-optimal outcomes.  These options exist in all contexts and carry similar costs, benefits, and risks.  Maintaining awareness of them and choosing deliberately between them makes all the difference.  These options are:

  1. Renovate
  2. Tolerate
  3. Separate

I imagine that many of my most expensive mistakes in life stem from losing sight of this or failing to prioritize making such a hard decision.

In my time at Bridgewater Associates I had many opportunities to reflect on this meta-challenge, perhaps provoked in substantial measure by staring at the Dot Collector (jump to 9:00) and thinking on the oft thin line between “Problems – Not Tolerating Them”, “Determination”, and “Practical Thinking” in many contexts, a realm where “Seeing Multiple Possibilities” and “Dealing With Ambiguity” hold central importance.  A high tolerance for pain is a powerful but dangerous personality trait.  One must take great care to separate “can” from “should” here.

For the sake of brevity I will focus on the application of this thinking to Software Engineering in a highly entrepreneurial context, a domain with which I have wrestled for most of my career at many different kinds of employers.

The key elements where one will have investments and opportunities include:

  1. People
  2. Product
  3. Process
  4. Technology
  5. Market

Wisdom involves constantly making an explicit decision between renovation, toleration, or separation for matters in each of these realms.  Meanwhile the criteria by which one ought reason about ongoing approaches include:

  1. Present Value
  2. Future Value
  3. Support Cost
  4. Opportunity Cost
  5. Risk Profile

As a Maker who takes pride in one’s work, therein resides a strong desire for continual and unending improvement, but the optimal capture of value generally comes from an implementation that falls far short of perfection.  As a Dreamer who can imagine the applicability of one’s work to many problems, therein resides a tendency to keep fighting for one’s envisioned utopia, but there is no validation of your ideas quite like users, funding, and revenue.  As an Entrepreneur one needs to be both of these things, but within reason, tempered by humility, practicality, and data-driven analysis that underpin ruthless prioritization, fanatical focus, and judicious risk management.

Dijkstra perhaps nails a central problem in insisting that ‘we should not regard [lines of code] as “lines produced” but as “lines spent”’.  With every line of code we produce we create a maintenance burden, increase the cognitive load to add other new features, forgo countless other opportunities, decrease the system’s reliability, and add complexities and risk around security.  Sometimes Good Enough is truly Good Enough.  Use that third-party tool that gives you 90% of what you need and move on.  Maybe tolerate that annoying but rare bug with a frustrating but bearable manual remediation approach.  Or, which is a much harder pill to swallow, but sometimes the right choice: Burn it down.

Letting go of things is hard.  Firing people, abandoning products, scrapping processes, ditching technologies, and leaving markets HURTS.  But being willing to do so is key in being able to innovate.

If you want to win, then you have to be agile.  If you want to be agile, then you have to be able to pivot quickly _and_ progress rapidly.  This entails a combination of:

  1. Continually making the right foundational investments
  2. Maturing processes in sync with value realization
  3. Aggressively pruning fruitless approaches to free resources

Tech has gotten incredibly complicated, most problems have multiple acceptable solutions, and having your engineers slog through duplicative, non-differentiating, infrastructure-level sludge as you progress through a series of application-layer pivots is horrifically expensive, so some foundational investments in DevOps and Data Engineering are critical.  Bias toward continual renovation here, but don’t prematurely optimize and don’t be afraid to give up on tech that isn’t working.

Change control and automated testing are wonderful things for maintaining agility but treat them as a double-edged sword.  They are wonderful for being able to move fast _without_ breaking things when you’ve gotten proven value creation whose disruption would be seriously damaging to client relations.  They can prove a pointless encumbrance when you don’t even know what you ought be building and nobody cares about it yet.  Unless you find yourself subject to undue risk or drag then be prepared to tolerate shortcomings in these realms.

When wrangling application-layer development: fail fast, fail often, and do so in a highly informed way.  In the short-term, leverage usage telemetry and analytics to understand how people are employing your system and where their engagement breaks down.  In the medium-term, gauge interest by a willingness to become a paying customer. In the long-term, customer retention and market capitalization tell the story.

Give people what they want enough to pay to have.  Time-box your bets on things where you can’t seem to get that signal.  Focus and prioritize your efforts as if those were your most important tasks because they are.  Always remember all of your options.  Steer clear of the Sunk Costs Fallacy.  Be willing to set fire to what is not working and use its light to guide your way.

Layered Convergence

Enormous benefits follow when software engineers share a tech stack.  Thus upon finding a fragmented ecosystem a newly arrived technical leader will experience great temptation to rush convergence.  A gentle touch and an iterative approach, however, will likely yield the best results with the least resistance.

Instead of attempting to fast-forward to the desired end-state, consider layering in convergence with these stages:

  1. Shared component technology
  2. Shared implementation patterns
  3. Shared software libraries
  4. Shared managed services

Taking this iterative approach, one more evolutionary than revolutionary, not only allows incremental value capture along the journey, but also yields a groundswell of support and a multitude of use cases while minimizing risk and speculation at the earlier stages.

Consider the benefits that begin to accrue and subsequently compound:

  1. Local technical guilds
  2. Key-man risk reduction
  3. Employee/project mobility
  4. Operations support sharing
  5. Burn-out risk reduction
  6. Tool chain maturity
  7. Application feature focus
  8. Feature delivery acceleration
  9. Compliance burden reductions
  10. Disaster recovery robustness

Why not capture as many of these benefits as soon as possible?  Continually enlist the help of others and you will be perpetually delighted at how fast your vision becomes reality.  Accelerate that recruitment by showing people a better way and encouraging their willing participation.

Channeling

My cats abhor my new Dyson vacuum cleaner

[Screenshot: Screen Shot 2019-08-10 at 11.45.30 AM]

I need but pick it up to trigger fierce hissing and scurrying.  I, however, keep finding reasons to love it.

With every use it reminds me of the need and attendant procedures of cleaning its filter. Pop it open, carry it to the sink, and there again one finds embedded language agnostic instructions.

This represents subtle genius.  Users lose paper instruction manuals.  Online documentation is out-of-sight and out-of-mind.  Put it in plain sight, however, and you channel users toward the desired behavior.  Customer satisfaction goes up.  Support costs go down.  Everybody wins.

A few months ago I found myself overhauling the DevOps pipeline at Finite State.  To that end I crafted a DSL against which a code generator runs that stamps out the CloudFormation to instantiate a CodePipeline in AWS with everything you need either to generate a production system, a test system, or a fully realistic dev-int environment.

Usage is fairly simple, and yet when a new engineer shows up things like this can prove quite mysterious.  What to do?  Exactly what an enterprising colleague of mine did totally reflexively without being asked: he created and homed detailed instructions in the README.md of our GitHub mono-repo so it’s the first thing any developer will bump into when arriving at our system.

Make it impossible for your users to be confused and do the wrong thing.  The dividends you will reap are enormous.

Don’t Make Me Think

Consider the following two user interfaces…

2019 Dodge Grand Caravan:

[Image: dodge_grand_caravan_2019]

2019 Subaru WRX:

[Image: subaru]

The Caravan I just employed as an Enterprise rental from Stamford to Columbus.  Its fold-down seats are kind of awesome, allowing it to transform effortlessly from minivan to cargo van.  It proved perfect for transporting a mix of precious belongings and my feline companions, the latter of which I wanted sharing a climate controlled space with me.

The WRX I enjoy as my everyday car.  I acquired it last fall when, heartbreakingly, I lost my beloved Audi S4 in a flood.  The WRX remains one of a vanishingly small number of cars one can acquire in the US market that offer both AWD and a fully manual transmission.

But these are not the features under consideration today.

Imagine that you find yourself on the road in your rented Caravan just shy of Columbus and suddenly in an epic downpour.  The 18-wheeler in front of you brakes hard and engages its hazard lights.  You likewise brake hard and reach to engage your own hazard lights when…  fuck, where the hell is the button?  You look up and in your mirrors see another 18-wheeler barreling toward you, oblivious to the emergent conditions.  In desperation you slam on the gas and veer rightward into the breakdown lane.  The following 18-wheeler belatedly realizes the crisis it has created and veers leftward.  The two of you collaborate to thread the needle, catastrophe avoided by the narrowest of margins.

Suppose you find yourself in such a moment while driving the WRX and wish to engage your hazard lights.  Your right hand’s fingers relax, your triceps contracts, your hand finishes opening, and your palm mashes the giant red button that inhabits a space all its own.  DONE.  Crisis (hopefully) averted.

Consider, now, the same situation, but you are piloting instead the Caravan, as I was.  You look for the hazard light button in the conventional region but it is nowhere to be found.  It is hiding.  Its red matches the color that indicates heat for the climate control system.  Its size measures less than half of the adjacent buttons of purpose far less desperate.  Its location is well below the plane of where one’s eyes naturally travel and requires that your arm first drop and then thrust and furthermore poke with a single finger.

Which UX would you prefer in an emergency while piloting an unfamiliar vehicle?

How many lives have the UX designers of Dodge cost with the careless placement of a single button?

Your choices as an engineer can yield weighty consequences even if you never get to see them directly.  Have empathy for both the novice and the expert, the casual user and the crisis-beset operator…  Your efforts to mind the details may make all the difference.

Time Well Spent

Facebook continues to improve its ad targeting on me.  I’m not sure how to feel about that, but Timeular is nonetheless interesting.

I imagine Timeular would exhibit a strong Observer Effect.  That may or may not be a good thing.  Depending on the kind of work you are instrumenting, it may squeeze out wasteful time, and it may serve as harassment that prevents attainment of Flow.  For many folks, passive analysis of digital exhaust streams may prove more effective.

I recently read Silence: In The Age Of Noise by Erling Kagge after a Lunch With The FT article piqued my curiosity.  Memorable among the stories was an interview with a Space-X manager who noted that the only times he could perform deep thinking were in the toilet, in the shower, on his commute, etc.  It made me reflect on my evolving work patterns through time and their implications.

For the majority of my career, up until ~2.5 years ago, I did the bulk of my work physically located in a SCIF and digitally located on networks that were ruthlessly segmented.  With the benefit of hindsight, I look back on this arrangement as wonderful. While security concerns drove the arrangement, the benefits to knowledge work proved substantial.

You could not bring cell phones into the building.  You could not connect to the Internet from your primary work station.  Want to use your cell phone?  Walk out to your car.  Want to use the Internet?  Use a physically distinct work station.  This probably sounds crazy if you have not lived it, but actually it is kind of awesome in its own quirky way.  By imposing a transaction cost on this context switching the environment discouraged flitting between work modalities in a way that destroys focus.

I remember telling people during this time of my life that I did some of my best work sitting in the toilet at the office.  I might wander there in a trance like state, having loaded a complex problem into my head but not yet worked out a solution, and sit in a sensory deprivation chamber while I cogitated.  Now, thanks to the technology of Apple and Facebook, as well as the reduced paranoia of a non-governmental employer, I can use my toilet time to watch cat videos or read about North Korea’s nuclear ambitions.  Using that time as I perhaps ought takes a conscious effort and serious discipline.

For many years I took for granted the cognitive boundaries that my employer engineered for me.  Now I must engineer them myself.