Security Club

Sony has been getting repeatedly hacked. We’ve seen it before with the TJX incident, and many others, most of which never get reported, much less disclosed, or even discovered. In some of these cases, only email addresses are taken, or maybe passwords. In others, names and addresses are exposed, as well as medical conditions, social security numbers, and other very sensitive information. It seems to me that this is happening more often, and I think it’s for a few reasons.

Bigger Targets

The first reason is that targets are getting bigger and the rewards go up with size. Nobody is going to waste their time getting into a system with a few thousand random users when you can get tens of millions for the same effort. As more people use more sites, it’s only natural that there are going to be more million-user sites out there. This reason isn’t a big deal, it’s just the way things are.

Better Rewards

The second reason is that more companies are collecting more data about their users. This data is valuable, possibly the most valuable asset some of these companies has. Facebook and Google make much of their money from knowing about you, what you do online, the types of things you’re interested in, different ways to contact you.

Large companies like Sony can afford to take whatever information you give them and cross-reference it against various databases to get even more information about you. This lets them focus marketing efforts, tailor campaigns to you, shape product development and so on. This also lets them make the site more easy to use with pre-filled information, to increase sales and conversions.

We don’t even really question when a site asks us for our name any more. What’s the harm, right? Sure, I’ll give them my ZIP code too, and maybe even my phone number, they probably won’t call me anyways, right? Now ask yourself, why do you need to give your name, mailing address and phone number to a company to play a game where you are a pseudonymous elf?

The real answer is that they don’t. They might need it for billing purposes, but billing databases are kept much more secure for reasons I’ll explain later. They ask for this information because it’s free, and because you’ll give it to them, and because it’s valuable to them. It’s probably not protected very well, and when it gets stolen everyone shrugs, changes the password on the database, emails the FBI to make it look like they care, and gets back to more important business like social media strategies.

No Penalties

The companies involved are embarrassed and probably suffer some losses as a result, but these are mostly minor injuries. The news stories spin it to make the intruders the sole criminals, and lose interest. The only people who really pay for these incidents are the people whose data has been stolen. There are no requirements on what companies have to do to protect this information, no requirements on what they need to do if it is compromised, no penalties for being ignorant or reckless. Someone might figure out that it’s going to cost them some sales, and they put some money in the PR budget to mitigate that.

This is the reason why billing information is better secured. The credit card companies take steps to make sure you’re being at least a little responsible with this information. And in the event it leaks, the company who failed to protect it pays a real cost in terms of higher fees or even losing the ability to accept cards at all. These numbers make sense to CEOs and MBAs, so spending money to avoid them also makes sense.

How to Stop It

There are obviously a large number of technological measures that can be put in place to improve security, but there’s one that is far simpler and much more foolproof. But first, let’s look at banks. Banks as we know it have been around for a few hundred years. I’d bet that you could prove that in every single year, banks got more secure. Massive vaults, bullet-proof windows, armed guards, motion detectors, security cameras, silent alarms, behavioral analysis, biometric monitors, the list goes on and on, and all of these things actually work very well. But banks still get robbed. All the time. When was the last time you heard of a bank robber getting caught on their first attempt? They are always linked to dozens of other robberies when they do get caught. Why?

Because they’re full of money.

They can make it harder to rob them. They can make it easier to catch the people who did it. But the odds don’t always matter to someone who sees a pile of money sitting there for them to take if they can bypass these tricks.

People break into networks for many reasons, but the user data is often the pile of gold that they seek. So the most effective way to stop someone from breaking in and stealing it is to not have it in the first place. This advice works in 2011, it will work in 2020. It works on Windows, OS X and Linux. It works online and offline, mobile or laptop, and so on.

“The first rule of security club is you try not to join security club: minimize the amount of user data you store.” – Ben Adida

So if you’re in a situation where you need to figure out if your data is secure enough, or how to secure it, start with this question: Do you need it in the first place? Usability people say they want it. Marketing people say they need it. If you’re an engineer, it’s a losing battle to argue those points, because they’re right. Stop convincing people why you shouldn’t do it, and put a cost on it so they have to convince each other that it’s worth it.

Anyone who went to business school knows the cost/value balance of inventory. It’s pretty straightforward to discuss whether a warehouse should be kept opened or expanded or closed. Nobody wants to store anything for too long, or make too much product or have too many materials. But ask them about how much user data you should be storing and the response will be something like “all of it, why wouldn’t we?”.

So make sure that the conversion bump from using full names asking age and gender and doing geo-targeting covers the cost of the security measures required to protect that data. Make it clear that those costs are actually avoidable, they are not sunk. They are also not a one-time investment. They should show up every quarter on the bottom line of anyone who uses that data. And if nobody wants to pay for it, well, you’ve just solved a major part of your security problem, haven’t you?

Update 10/18/2011: “FTC Privacy Czar To Entrepreneurs: “If You Don’t Want To See Us, Don’t Collect Data You Don’t Need

Ideas are like rabbits

I’m not an advocate or follower of any particular productivity framework, or even that you should have one, but I’ve recently rediscovered a fragment of one that has been very significant. The short version is that writing down ideas makes room for more, the long version follows.

As hinted at in my previous post, I’ve been experiencing a bit of overwhelming intellectual stimulation lately. I credit this to my new freelancing ways. I can spend an hour, or a day following a thought, where before, I had to run it alongside my work responsibilities. Not to say I have no responsibilities to my clients, but I think I’ve set expectations to the point where I can balance things better.

Last week I was feeling a bit overwhelmed with tasks, and went back to a GTD technique which is to essentially write down everything you need to do. There is a cathartic aspect to this, as well as the feeling of “oh, well that’s no so bad” once you see the list. In the past, my list was 20, 30 maybe as many as 50 items. This time, I railed off over 200 in a row, and many more in the following couple of days. This did NOT instill a feeling of “oh, well that’s no so bad”.

Once my brain was sufficiently debriefed, I looked at the list. I noticed that most of the things were my own projects. Research this, test that, learn that, add feature X to library Y, and so on. It turns out that many of my todos were more idea-related than work-related. And almost everytime I looked at one, others would pop up. I guess this makes it more like mitosis than rabbits, but you get the idea, and rabbits are cuter anyways. Regardless, it was, and is, out of control, and it’s great.

This is not a new invention, it’s basically brainstorming, and there are other people doing it too. I think the part of it that’s new for me is that I’m not drawing any distinction between ideas and tasks, and I’m not seeing any value to doing so. I’m not getting overwhelmed by tasks I haven’t started because in fact, I have started them, by logging ideas related to them. For software at least, expressing ideas is not far removed from doing the actual work, so I’m almost tricking myself into being productive.

There are two problems, however. The first is that my list is scaling poorly, and there are no tools that work for me. I’ve tried mind-mapping in the past, and might try it here, but am not especially hopeful. The second problem is that I simply don’t have enough time to do it all, and I’m afraid no program will ever help there.

Freelancing vs. Contracting vs. Employment

I’ve been freelancing for a little over two months now, and already it has been an exciting, rewarding experience. I figured I would share a few observations.

What do I mean by “freelancing” as opposed to contracting. I admit there is no official differentiation of the two, this is strictly my own, and I apply it narrowly to software/knowledge work.

I see freelancing as the extreme end of transient employment. They may be hired on a per project basis, or a per day basis. There isn’t any implicit availability, they’re booked (and paid) or you’re not. They don’t go to meetings that aren’t very relevant, or get unwillingly reassigned. If there are no projects where you can offer expertise, you’re done. If a company tightens it’s belt, freelancers are the very first to go, with no notice, no severance.

I see contracting as provisional employees. They aren’t vested in the company, but they essentially perform like an employee. They probably go to company-wide meetings, fit into the normal reporting structure, etc. After the freelancers go, the contractors are next in line. Usually contractors are given time to “wrap things up” or have a planned end date.

Employees are, well, employees. They work for the company, and only for the company. Hopefully if the company makes a lot of money, the employees benefit, where the previous types don’t. Many people think employment offers job security, but short of official agreements like tenure or unions, I disagree. I define job security as the ability to get a job, not to keep one. I’m not cynical about fatcat CEOs laying people off for fun, I’m just realistic in terms of what employment actually provides.

The reason I choose freelancing is that I want to be intellectually promiscuous, at least for now, and I want that arrangement to be very clear to clients. I have a self-imposed 20 hour per client per week cap. This may sound silly to you, and it certainly hasn’t been popular with clients. It’s a tough sell, and it has cost me some otherwise good opportunities. I admit I haven’t really mastered it yet, but I think I’m getting better at it, and am grateful that my clients have been accommodating. On the other hand, I don’t think that I’d be nearly as stimulated as I am now, but that’s a topic for another post.

Earlier to Bed, Earlier to Rise

About 6 months ago I shifted my schedule by 4 hours, literally overnight. Whatever I was up against, whether it was insomnia, sleep addiction, Delayed Sleep Phase Syndrome, or just being a night-owl, it was getting worse. Also, the summer was coming, I had a shiny new grill, and I wanted to get home early enough that I wasn’t using it in the dark. Much to my surprise, it actually wasn’t very difficult. Here’s how I did it:

  • Consistency – Probably the most important part. Go to bed at the same time every night, no matter how tired or wired you are. Lay there for hours if need be, in a few days you’ll be asleep earlier. Get up at the same time, no matter what, even on weekends. I had a few nights where I got 3 or 4 hours of sleep and needed energy drinks to get me through the day, but that changed fairly quickly. I was able to ease up on the schedule after a while, but I try not to deviate by more than an hour or two.
  • Don’t do it alone – I’m not sure I could have pulled this off by myself. Reeny didn’t even really have to do much, other than some encouragement and being an early-riser herself.
  • Get up first – I try to get out of bed first. Some mornings this aspect is what gets me moving. If she can get up, why can’t I?
  • Measure success daily – The point of this is to get up early, not to become an early riser. Even after 6 solid months, I know that I’d slip back to my old schedule within a matter of days on my own if I allowed it. But that’s OK.

Also, I changed my schedule a month or so before I changed my work schedule. I think this helped alot, because I didn’t have that additional stress.

The 3 Ingredients Necessary to Make a Really Good Developer

I’ve been doing development long enough that I can now look back and have some perspective on the art/craft/profession. I’ve been asked many times “how do you become a developer?” and I now have a decent partial answer. They are not being “super smart” or “good with computers” or things like that. I think those are artifacts of these other attributes. I’d also guess that these apply to engineering in general, but I’ll limit myself to my own turf.


Good developers have a compulsion to understand how things work. they open files with text editors to see if its just xml or a zip file with a different extension. They run benchmarks against things that don’t seem to matter. They add query parameters like debug=true to websites. They try to break stuff. And not just software, they probably know how an internal combustion engine or an air conditioner works. They probably can tell you a bit about how the minimum wage affects inflation. My grandmother used to give me old radios and gadgets strictly so I could disassemble them.

This attribute is probably the one that separates the wheat from the chaff the most. There are lots of people who can code, or manage a system, but the ones that excel will need to understand how things work, and know that every juicy answer yields even more delicious questions.


The ability/requirement to focus is the subject of many other blog posts, but I view focus in a slightly different way. Focus is not eliminating distractions or even maintaining “flow”, focus is the ability to keep a problem in your head until you’ve solved it. Distractions can hamper this, so can multitasking or other external factors, but good developers can work on something, go to lunch, or go home for the evening, and pick up right where they left off.

Hard Work/Genuine Interest

I think there is a certain amount of innate aptitude, but I don’t think development is an exception to the 10,000 hour rule Malcolm Gladwell popularized. Luckily, its a trade where we can log those thousands of hours at an early age and make it look like we’re goofing off. I started with LOGO in the second or third grade, moving onto translating my piano music into BASIC, learning that a coda is just like a GOTO. On to writing databases to track fantasy baseball status with MS Works, and so on. Sure, we spent many college nights taking over IRC channels with bots, and crashing MUDs with scripts and floods, and that may have looked like simple nerd mayhem, but those experiences have tremendous value in the “real world”.

You can know all the buzzwords and put on a good show, but you can’t really fake the level of interest that side projects demonstrate. There are plenty of good-enough developers out there who punch in and out, and there are even jobs where you do cool enough stuff that you don’t feel compelled to break out of the rut (we try to be this way), but if you still need to hack on your own, you’ve got potential.

Fortune smiles on those who smile back

I’ve always considered myself a pretty lucky person, whether it’s spotting opportunities, avoiding bad ones, getting good jobs, etc. This article claims that you actually do make your own luck, and the way that happens jives with how I go about things. Some snippets:

  • Lucky people tend to respect hunches
  • Lucky people try to introduce variety into their lives
  • Lucky people tend to see the positive side of their ill fortune

So, if you’re feeling unlucky, take a deep breath and try something new.

Buying a car

I won’t say I’m some kind of genius buyer or that I have a bulletproof system, but I think I’ve done pretty well when I’ve gone shopping for a car, and this article backs up some of my ideas. I don’t think any tricks or deceptions are really going to help you, your opponent in this game is likely to be much more experienced than you. My rules:

  1. Make it clear to the dealer that under no circumstances, no matter what, will you be making any decision today, and that you need real numbers, in writing. This is not a trick, you really do need to walk away and sleep on it. The pressure will mount when he realizes you’re serious, and it’s hard to resist, but it’s well worth it. You’ll have real numbers to review, show someone else, fit in your budget. If you get the “I can’t hold this car for you for any longer” line, ignore it. Either he’s bluffing or he’s going to sell the car to someone else. Either way it’s no big loss for you, there are always other ones out there.
  2. Say as little as possible (not difficult for me). The article mentions not talking about credit or how you’re going to pay for your car, which seems obvious to me. Don’t talk about trade-in (if pressed, be indecisive, “my sister might buy it off me”) or how long you’ve waited for this model to come out, or anything like that, until you get the numbers from #1. Do your research, but don’t go in with a bunch of stuff you found online about invoice cost and think you’re going to get the guy to sell the car and not make a profit, you’re not.

Other tips: If you’re leasing, buy early in the model year. If you’re buying, buy later. And try to take something off the lot, you lose alot of wiggle room when you need to order it.

Gift Cards

Firstly, happy thanksgiving everyone.

Tomorrow is the biggest shopping day of the year, and all I ask is that you consider not giving gift cards. Over $8 billion per year in gift cards are given, and not used. If cards offered some kind of built-in discount ($45 for a $50 card) then they might be excusable, but they are essentially a crippled form of cash. Think about it, would you give someone stamps?

To me, gift cards say the following to your recipient:

“I’d like to give you money but I’m afraid you’ll spend it on drugs”

“I don’t know you well enough to even attempt to pick something out, but I’m absolutely sure what store you’d like to go to”

“I’m too lazy to go through the store and actually find something for you”

“I forgot about getting you a gift, so just be glad I had to stop for gas”

“You have bad taste and shop a crappy stores, so I’m forcing you to shop at a good one”

If you’re happy saying those things (sometimes I am), then gift cards are perfect. Otherwise, take a moment to try and think of something original, or just go with good old-fashioned cash.

The Apple … Store?

What do I do with this pretty green paper?The Natick Mall was a big mall, and now it’s a really big mall (and called the Natick Collection). One of the new stores is an Apple Store. I’ve been in Apple stores before, but not since they added the “Genius Bar” which is where the checkout lines used to be. When I went to pick up my new keyboard, I found it easily enough, the store is small and has an open layout. The first part of my mision complete, I looked around for where I’m supposed to pay for my item.

I wandered to the middle of the store, and saw another man looking around with an iPod box in his hand. It was obvious we were both trying, and failing, to do the same thing, which was to give someone money. I then walked to the back of the store, where there was a line of people, and waited in line. When my turn came I presented the product I wished to purchase, as well as my credit card. The “Genius” told me that the “Bar” was only for help and not for sales. “Who will take my money?,” I asked. “Anyone else,” said the Genius. Everyone else that had a nametag and a black shirt, Genius or not, was busy.

I was very tempted to place the keyboard in the middle of the floor and leave, go home, and order it online. However, I did really want it, so I waited for someone to finish explaining that all the software the person assumed was on the $2000 laptop they were about to buy (Word, Excel, and Photoshop) was extra, but “don’t worry, all the cool stuff is free,” quoth the Genius. After a few more minutes hovering behind the tentative victim, who reconsidered and left the store, I was able to get the black-shirted employee’s attention and he sold me my device from a handheld contraption.

Much like bad engineering is often identified by excessive cleverness, bad design, whether it’s a website or the layout of your store, is often identified by being excessively reductive. If you have a store, and want people to buy stuff, don’t feel offended that you need to stoop to having a sign that says “Pay Here”.