We’ve all heard the phrase, “What gets measured gets done” but what happens when there’s nothing to measure? Recently, I was involved in a project where there was noticeable delay in getting the numbers behind various performance indicators. As it turns out, the stall was due to the fact that there was so little activity to report, people were concerned that showing “no measurements” equated to showing “no work,” which I suspect was never the intention of the Management By Objectives (MBO) process.
Poorly written code creates exceptions. Bad deployment extends service outages. SLA violated due to extreme acts of nature. Let’s face it, bad things happen as part of life, and also because people are human and mistakes are made along the way. An analogy may be made about going to restaurant and ordering some food, the entire dinner/experience depends on a chain of events starting from freshness of ingredients, to expertise in the kitchen, to something as simple as hospitality and greetings. When something goes awry at the restaurant… someone on the staff will take ownership and assume responsibility. Often with that, comes an apology and some immediate offer of amelioration. We’ve come to expect that as part of customer service. The same analogy quickly breaks down when applied to the technology industry. Ironically, when things go badly, we tend to blame the technology.
NFC [ Near Field Communication ] is a clever outgrowth from RFID. This group of short-range wireless communication standards will enable all kinds of conveniences previously un-attainable with our so-called mobile devices. Mostly phones, but practically any un-wired NFC-capable device, eventually, will be able to communicate witho other NFC-capable devices, giving the consumers a wide range of features for commerce, information exchange and ad-hoc authentication. Unfortunately, NFC continues in the trend where design for security came in as an after-thought, rather than a primary focus, going in. Perhaps it’s not fair to place the security burden on NFC, after all, it’s merely a low-level transport mechanism. What’s the worst that could happen?
I have been fortunate enough to work with highly competent people, most of my professional life. Whether they were software engineers, system administrators, project managers, business analysts or executives. Each has been smart, savvy, extremely skilled in their craft and very often, great leaders. In cases where they were my peers, they were great partners in accomplishing whatever challenging tasks at hand. That a group of people were successful and continued to be successful can be attributed to the fact that we trusted one another to do the right thing, and provide the feedback, understanding and support when needed. Trust is the hallmark and the foundation of a great team.
At a glance, it may not be immediately be clear how ops engineers and software engineer would see eye-to-eye on very many things. For the sake of uptime, ops tend to dislike change, while developers create and enhance, by continuously introducing refinements ( “change” ) — two seemingly opposing ends of the spectrum. However, the part that cause one group to resemble the other is the inconsistency of people. When it comes to being human, one type of engineer may be indistinguishable from the other. The reliance on people to “do the right thing” repeatedly, ironically, is the greatest threat in most organizations when it comes to productivity and efficiency. It is the people that’s most likely to break down. You, the people, are the weakest link.
It’s a simple to envision scenario. As a perspective shopper crosses the brick-and-mortar threshold, between embedded RFID and NFC, what’s inside of my wallet is quickly scanned. This isn’t your grandparents’ era of business analytics based on years and years of historic data warehouses, this is near-real time data gathering and heuristic algorithmic triggers that may sample the cologne I’m wearing, track my line of sight eye movements between the aisles and possibly even processing bits of my DNA left behind. Am I describing some scene from Minority Report? Hardly. This is active pursuits by some of the top mobile consumer technologies company currently. Remember last holiday season’s attempts to track supposedly anonymized GPS signals inside of malls?
In 1995, there were approximately 5 million mobile connections. A short 15 years later, that number is closer to 5 billion a number that’s rapidly approaching and will handily surpass the actual population of the planet. Look around, and look on your person, it’s likely you’ll find a smart phone, maybe a tablet or even an older MP3 player. This isn’t even counting such antiquated computing resource like a laptop, and it’s easy to see why the calculation is going to average over four such devices per person. To say there will be growth in mobile is a bit of an understatement, once you consider all the other “widgets” yet to come — from embedding into appliances to health-related devices, like glucose meters, heart monitors or even plain old thermometers. My point is, lots of mobile (platforms) invites for lots of mobile apps. Seems like daily, that I hear about someone becoming a mobile application developer.
With every new job, there is a short but finite honeymoon period — it’s called that, because similar to marriage, there is an initial rush of adrenalin and endorphins and obviously, the promise of the new opportunities — if there was not promise, why bother leaving one position for another? — and everyone bask in that glow. In time, those feelings might change, and reality will gradually come back into focus. Familiarity will erode the novelty and the real challenges of the role will become apparent. Some employees already recognize this, but many are not fully aware/cognizant… your first ninety days on the job holds the greatest indicator of nearly all your future success in that role.
I love information technology. I’ve been fortunate, in that I’ve always known what I wanted to do [professionally] and then be able to pursue that with vigor and passion. Over time, as I move up and through my career ladder, I’ve deliberately aligned myself with people who’ve garnered my respect, and conversely, people who recognize my values. As such, I’ve worked for a series of companies fitting a certain profile. Until recently… with some changes in my [personal] life, I suddenly find myself craving something different, something outside of what I’ve known. Making career changes is not the simplest of tasks and required that I exercise some skills I’ve not used in some time.
This week, an incident happened with Knight Capital when their “trading algorithms” allegedly cost the firm hundreds of millions of dollars. Within hours of the story, various camps have been quick to denounce the algorithms and the automation that was supposed to save the day. Of course, the problem is in automation, because automation is supposed to reduce errors and prevent outages and boost security and mitigate risks and improve the bottom line and make ice cream sundaes with a cherry on top. Except when it doesn’t, and now this latest mishap only adds to the argument against such automated practices.
Mobile is changing our lives. We now have nearly un-dreamt amount of computing resources in our pockets, and it has deeply enriched our day to day experiences, especially for the current consumption-centric life styles we lead. But, companies seem to be resistant in adopting the same outlook, and are in fact, not embracing the BYOD movement. MP3 players were OK, but corporate IT seems so resistant about hooking up your Samsung Galaxy Nexus for Email, or adding you to the WiFi network. Don’t they get the value? That’s just the business being slow and monolithic and missing out on the wonderful opportunities, right? Not so fast.
The sphere is lit up with the latest tale of woe, which has befallen a prominent writer in the technology space. It is a terrible event, to experience this particular invasion in one’s life, and not to mention the loss of not just the sense security but the actual loss of invaluable data, especially pictures of children that cannot be replaced/retaken. While I empathize with the plight to reconstruct his life, and appreciate the journalistic approach toward soliciting insight from the alleged hackers… I’m not entirely in agreement with the finger-pointing to Amazon and Apple. At least not in the same way that’s being discussed. Yes, two-factor authentication is desirable. Yes, it’s a good lesson for security vs. ease-of-use. Yes, entrusting information to others expose oneself to risks, when the other party isn’t demonstrating the same diligence at managing your information. However, the failure somewhat overlooked, once again, is that social engineering was the attack vector — similar to the CloudFire incident from a few months ago — and no amount of technology will solve this no-tech grandfather challenge.
Yesterday morning, along with hundreds of thousands others online, I watched the live HD video feed of the Mars Science Laboratory Curiosity successfully touch down at Gale Crater as planned/designed. It is a significant milestone, and quite the hallmark of success for a complicated mission. I couldn’t help but think about the dichotomy that is NASA — the rare mix of size, bureaucracy and performance. Over the years, we’ve witnessed their triumphs and their failures, as well as some epic recoveries from disastrous missteps that plague the largest of enterprises. One observation became clear to me, as I listened to the debriefing panel: if you’re not making something better than you’re not relevant.
I’ve already proposed an approach that will encourage Ops to avoid doing more work. Now, I’m going to expand on that less-effort trajectory, and share the following fortune-cookie wisdom: “Doing nothing is better than doing something…” although, you have to add “…stupid” to the end of that, to truly gleam this particular gem. Let’s face it, if the smartest and brightest people were always at the helms, there’d be a real dearth of topics for discussion here at feyn.com. Because there are under-qualified decision makers in the mix, who often measure performance with misapplied KPI or othere misguided metrics, there is a constant push to demonstrate value by doing something. That is probably the worst combination when it comes to operational soundness and security — doing something for the sake of doing, especially when there is an unlikelihood of doing something smart.
It still amazes me, sometimes, that SQL Injection ever came into vogue, becoming one of the poster children of web application vulnerability. It’s outright jaw-dropping that in 2012, an iconic web company would fall victim to this technique. I could go on and on, about the number of things that went awry and/or should’ve been done. But this appears to be a chronic failure, with each generation of software engineering re-inventing the same bug all over again, like an endless nightmare of unlearned remedial lessons. SQL injection attack is a variation on one of the oldest secure computing tenet no-no’s, and that is the implicit granting of permissions.
I started out titling this as The Challenge With Mobile, but the thoughts that keep me awake and go bump in the night are really troubling. I wonder and worry if people even recognize this brave new, slightly dystopian, world of technology we have created for ourselves — one which the phone is never off. An always-on and always-connected digital frontier, full of irresponsible citizens who fail to exercise their civic responsibilities on minding their own perimeter defense… thus as a result, endangering my co-existence within that space. If the initial wave of personal computers joining the Web unleashed a wave of malice and destruction, you ain’t seen nothing yet.
As I watch the flight attendant go through the pre-flight safety speech, I cannot help but wonder how many people are paying attention, and more importantly, in a “real” emergency, if people will actually find their nearest exits. That’s not just a problem plaguing airline passengers. I routinely observe managers, developers and engineers ignore smart practices and safety procedures, and head blindly into tasks without proper planning, ill-informed, or worse yet… motivated by fear. It’s not wonder they, along with their code and systems, end up in a prison of their own creation — the kind of legacy scenario we retell like ghost stories, nonetheless, people continue to not heed this information. Knowing where the exits are will help you to avoid getting trapped in your burning jail cell.
Since I’ve already started the fire for more Agile in operations, it makes sense to actually discuss what exactly is involved in doing just that. After all, this isn’t just envy of my fellow software development brethren– then again, who wouldn’t want to be a hip and Agile developer? — these are real methodologies and enlightenment gleamed through blood, sweat and tears and savvy Ops should outright
borrow steal those tough-earned wisdom from the software teams. If nothing else, only to avoid doing any real work so that we may continue to be grumpy and misanthropic stonewalls that system administrators are known for. And play StarCraft.
Management loves, and loves to tout about, training. Management distrusts training, because it highlights broken people, systems and processes. How can you love and distrust something at the same time? The dichotomy is a simple reflection that as it is designed today, many if not most training programs are ineffective and are nothing short of last-ditch efforts at salvaging un-qualified employees. This is especially true within the technology sector, a group of professionals that may benefit the most from training yet reaps the least as a result of mandate, motivation and momentum associated with training. There has to be a better way.
Go to a developer-oriented gathering and you’ll hear this: “I have no interest in learning <xyz>” where <xyz> represent some kind of operational tasks or knowledge. Why should they? System administration is not really essential to software engineering, and conversely, ops teams have similar disinterest in writing code. Or they would be doing each other’s job already. That doesn’t mean there aren’t lessons to be learned from one another. In fact, the emergence of devops reflect just that recognition. It’s time for operations to adopt and apply the same discipline and knowledge that their brethren in the software camp have gradually refined over the years. It’s time for agile operations.
As problem solvers, we dream of a positive vision of the future, based upon the belief that the challenges and problems we face are solved by good design. OK, stop the playback. Back in the real world, the dominoes occasionally get knocked down in sequences un-imagined and worse, in ways where our complex and richly-integrated systems cannot address. Some of it will be act-of-god happenstance, some will be introduced by the ever fallible humans, while others are just malicious intent. It’s a harsh reality, but that is and have always been the Internet in spite of funny cat GIFs. When you are creating a solution — from authentication to authorization — make sure the design takes some consideration for all intents, not just the ones derived from planned and expected user stories.
It’s not the easiest pill to swallow, and more importantly, imagine trying to convince the management team to not only implement an external security review program, but to provide incentives for the resulting discoveries — that’s right, we’re going to pay others for our mistakes. Yikes! Let’s face it, there will be bugs in software, despite development process, review and QA. Items will get missed, and unintended feature or behavior will creep into the code base. The systems have become complex. The interactions are not always planned or even manageable with 3rd parties. Likely, only non-developers won’t acquiesce to that simple truth. It’s an understandable sentiment by the business stakeholders, as their focus isn’t on design or implementation of complex application logic. However, there should be one common ground within any organization, and that is the need to be diligent stewards of their customers, and by extension, their customers’ information. Security is the bedrock of excellent customer service.
The constant and rapid pace of technological innovations creates easy opportunities for advancement. In this era of fast adoption and, occasionally, fast expiration, it’s not easy to slow down and examine how the changes have affected our lives. While I love the utility available to me in this inter-connected world, I am not a fan of the dichotomy of providing free service and requiring business profitability that has emerged as the default playbook for achieving and measure success as a company. Consumers have become increasingly naïve in their willingness to give up the power of purchase, and in turn, companies see the individual not as a customer, but simply another addition to the user base collection. When there is no price to pay, you are not a customer; you are just a product being sold.
A lot has been written about execution. Yet it clearly remains a challenge and an elusive goal to both individuals and teams. I could start espousing my own theories of execution, but I have no desire to add to the stream of management mumbo-jumbo regarding roles, responsibilities, metrics and results. Make no mistake, it is precisely the desire for results — the point B, in going from point A to point B — that leads us to examine and question execution. Too often, even capable people [and teams] focus on making history, when the focus should be on making impact.
Work in software development long enough, and one day, you too will hear this phrase uttered by someone, “I used to code.” While the intention may be one of empathy or solicitation, as the identification of the supposed, shared, past is meant to build bonds. Inevitably, this utterance almost always forms a divisive line between those who write software and those who’ve stopped writing software to perform another role. The simple observation is this: developers seem to not respect careers paths past the immediate creation of code, while management — be it project, or product, or even executive — usually resort to this declaration, as some form of critique on effort, resourcefulness and most likely, timeliness of delivery.
Sleek UI design and smooth user experience have become the norm, and a whole generation of users have grown up without knowing and understanding the risks of being online. Who could blame them? Being conscious and aware takes effort, and the marketing machines routinely churn out the chorus of “let us take care of it for you.” I mean, who would want to be concerned with virus/malware, that’s so… “PC” in this post-Apple world. A sea of [Mac] users have been groomed for the easy, hands-off, existence. Their complacency is to be expected. And ripe for exploitation.
True operation mavens know that downtime is inevitable. It’s going to happen, despite your best efforts. A blip, a stumble, some cable will get cut. Increasing the “nines” carries quite the price tag, and may not be the best way to maximize ROI. The plans for disaster recovery needs to be balanced, so that focus isn’t solely on the prevention of catastrophes. Equally important, is the rapid recovery for business continuance. Because that is the true goal of uptime — to serve pages, apps and data, to provide for the customers, and continue the revenue stream. This is no longer an insurmountable task, given the resources and knowledge at hand.
As much as I value and protect my own privacy, when the roles are reversed, I like to be Big Brother at every step of the way. Perhaps, that is why I go to some extremes when it comes to protecting my personal information, because I’m very aware the kind of “Big Data” collection and what will yield from data mining the habits of people on every aspect of their lives. As it turns out, defending the one is not sufficient, because you cannot police the entire [social] network.
The security wires are still buzzing about the LinkedIn compromise. Again, as I’ve stated recently, a good post-mortem takes time and it’s best to ignore all the hype and speculation until most — if not all — of the facts can be established. What is surprising, is how much coverage there is about LinkedIn’s problem, as compared to the near-complete silence on Verisign’s management not being made aware of breaches dating back to 2010 that only came to light in 2012. That news is scary. This story is just irritating because of the number of opportunities for LinkedIn to have performed this upgrade without the hand being forced.
All the software and audit and compliance in the world is useless, when a single person opens the door for the Big Bad Wolf to waltz in. Yes, code review is important. Absolutely, audit is essential. And without a question, process can save lives. None of that matters if the person entrusted with the key is readily duped by conversation. Social Engineering, it’s a grand-daddy when it comes to security risks. Sadly, technology has yet to come up with the panacea for stupidity. Just look at what happened to CloudFlare.
Successful organizations thrive by their talents [people], and it’s mostly a losing battle because so many hiring decisions are simply… bad. Over the years, pundits and experts offer up many theories and philosophies on how to recruit, and then retain, superior personnel. It really comes down to just three things — Proficiency, Passion and Personality. That’s the secret. No more. No less. Interviews, tests and profiles are but the tools to establish how a candidate measure up under each areas.
The question is simple — do I trust the entity behind a particular website? The answer is less so, unfortunately. Misguided efforts at [micro]managing cookies, User Agent IDs and IP proxies betray the simple fact that I cannot hide from being myself. This was a slightly painful realization, once I had a glimpse behind the curtains and saw that the Wizard is not only great and powerful, He is everywhere, and rightly so. In a world of constant vigilance, even the ones casting no shadows are as visible as the endless tweeting of teeth brushers.