Friday, December 13, 2013

Effective meetings begin with a focus on purpose

I'm all for eliminating meetings... but focusing overmuch on eliminating meetings is just as harmful as the mindless meeting culture. Meetings have their uses. I contend that if we focus on having purposeful, effective meetings, the number and frequency of meetings will automatically be reduced.
There are really only three kinds of meetings, because there are only three reasons to have a meeting:
  • Conveying information
  • Making decisions
  • Solving problems through collaboration
If you're clear on what the purpose of your meeting is, and there isn't a better way to accomplish that goal, then have that meeting. The very exercise will result in fewer, better meetings.

Meetings that convey information

Status meetings are by far the most common meeting in this class. Stop that. The only useful status meeting is a Standup, and then only if it's run properly. The vast majority of status is much more effectively communicated through text or images that can be explored and referenced at people's own pace. Status meetings typically occur when people are bad at contributing to a status document or database of some kind—but using a meeting for accountability is harmful in the extreme. There are other management tools available to hold people accountable for communicating status.
Announcements are valid things to hold meetings for, but only if it's important that the vast majority of affected parties receive the information at the same time, or if a Q&A session will be profitable. For example, announcing particularly good or bad news is probably best done in a meeting. However, announcement meetings are way over-used. Everyone thinks their announcement is important, but most of them aren't that big a deal: send an email instead.
Ramp-ups are essentially unstructured classes that are designed to quickly familiarize a small group of people with deep or complex information. Most such meetings are best turned into either training or quality documentation, because these are much more repeatable. However, there are cases where new people need to be quickly brought up to speed on a problem or requirement, and a ramp-up meeting can be appropriate. Good ramp-up meetings are focused and generally precede some kind of problem-solving work.
Note the absence of meetings to "discuss" anything. Discussion meetings are absolutely pointless and should be terminated with prejudice.

Meetings to make decisions

Effective decision-making meetings should exclude explanation of the problems at play. Documenting the problem space and possible solutions should occur before the meeting, with sufficient time for attendees to review before the meeting begins. If the decision is urgent, allow a few minutes at the start of the meeting for people to read the documents.  If you're explaining the problem in a decision-making meeting, you have failed.
The meeting should be very narrowly focused. Give attendees as much information as possible beforehand, and be clear about what decision needs to be reached at the meeting's end. If you leave the meeting without a decision made, it usually means there was insufficient preparation on the host's part.

Meetings to solve problems through collaboration

Sometimes it can be very useful to sit in a room (real or virtual) with a bunch of invested people and work through a problem. This is, in my opinion, the best sort of meeting. These work best if the problem is well-defined ahead of time, and if the meeting is kept relatively informal but on-task. Leading a collaboration meeting means being willing to kill "rat holes" (unproductive digressions), table—and note for later—interesting discussions that are off-task, and generally herd cats. 
However, far too many of this type of meeting get called. Collaboration meetings should only occur when the real-time interactionamong the entire group has significant merit. Many collaboration meetings are better done through exchanging messages, use of revision systems, or judicious parcelling of work. 

Tuesday, June 25, 2013

Tech is neutral, evil lurks in the hearts of men

What do nuclear power, "big data" mining, and strong cryptography have in common? All three are technologies that have been blamed for great ills. The thing is, technology itself is neutral. Even technology that is developed for evil purposes is, of itself, neutral --it is the people using it that are good or evil or in-between.

Consider nuclear power. Nuclear research was undertaken with the express purpose of creating a devastating weapon of mass destruction; from this, many concluded that nuclear science was inherently evil, and because of it's potential for death and destruction, should be banned. And nuclear war turns out to be very deadly indeed: the bombings of Nagasaki and Hiroshima may have killed close to 250,000 people.

And yet the very same research has led to medical technology that benefits upward of 20 million people a year in the United States alone. And power systems that operate where none other can. And potential for interstellar travel. And a better understanding of our universe.

And so the story goes with other things. For years the US effectively prohibited the export of strong cryptography, on the basis that it could be used by foreign powers to protect secrets. The FBI regularly proposes schemes to let them listen in on encrypted communications by neutering effective crypto, on the basis that criminals can use cryptographic techniques to hide from law enforcement. And the NSA continues to hold the position that encrypting your data makes you a suspicious person.

Yet at the same time, the NIST has worked closely with the intelligence community to ensure that there are standards for strong cryptography, like AES, because they know that using good crypto protects businesses and domestic interests.

Both of these examples illustrates something very important: the technology itself isn't good or bad, but it can be used for good or bad purposes. Evil isn't embodied in technology, evil lurks in the hearts of men.

And thus we come to data mining and "big data" technologies. The ability to store vast quantities of simple data, including the sort of metadata storage and analysis the NSA has recently been caught out for, and perform fast, deep queries to find patterns is extremely powerful. If the British had the techniques -- not even the technology, just the math -- during the American Revolution, Paul Revere would have been in a world of hurt

These "big data" systems have significant privacy implications. Facebook knows you're gay. Target knows your teenage daughter is pregnant.That's scary. And the fear of those capabilities is leading to calls to stop data mining.  Once again, the technology is being blamed for the bad acts of people.

The same data-mining technologies that can erode our privacy can be used to diagnose cancer and predict the prognosis for patients (PDF), or to make sense of the huge number of inputs from a pediatric ICU.

What we need is not a ban on the technology of data mining, but a social and legal framework for preventing bad uses of technology. Put another way: it's the people, stupid.

Monday, May 27, 2013

Casual -ism doesn't make you evil. But still.

An -ism is a bias against someone based on their membership in a group they didn't choose to belong to. Sexism is a bias against someone because of their sex (because of the way our society developed, the majority of sexism is bias against females). Racism is a bias against someone because of their race. Classism is a bias against someone because of the socio-economic class they were born into (or were put into due to circumstances outside their control). And so on.

There is, sadly, still some pretty horrible and deliberate -ism in our society. The KKK still exists. There are people who think women shouldn't be allowed to work outside the home. There are people who think if you're gay you should be killed.

Fortunately, though, we've mostly moved beyond such overt bigotry. What largely remains are two things -- systemic or structural -isms, and casual -isms.

Systemic or structural -isms are biases that were long ago "built into" how certain components of our society works. In most cases, they aren't deliberately being perpetuated; rather, change is hard and slow and requires significant effort by people who care strongly about equality. By way of example, there are drastically fewer women in technology fields, not because there are a large number of people trying to keep them out, but because our social and educational systems tend to be built in a way that discourages girls and women from developing and pursuing the interest. And a host of other reasons, too.

For another example, there still are fewer people of color graduating from college than you'd expect based on the proportion of the general population that are people of color. A big part of this is that people of color are far more likely not to have access to the resources that encourage them to attend and prepare them to be successful in college, in part because the 50 years after the Civil Rights Movement isn't long enough to fix the historical disadvantages (e.g. people of color are more likely to be poor, because the most common way to be wealthy is to inherit some significant portion of your wealth -- it's a vicious circle).

These kinds of -isms are typically vestiges of more overt bigotry in the past, that haven't yet been eliminated. That doesn't make them "ok" or "not a big deal"; being on the short end of systemic -isms sucks. But part of why such -isms take so long to dismantle is the other kind of subtle -ism.

Casual -isms are unconscious biases, often fed by the structural and systemic -isms that still exist in our society. (This sort of feedback loop, where systemic bias feeds casual bias feeds systemic bias, is why both are so difficult to solve.) Most people will perpetuate some casual -ism at some point; it doesn't make you a bad person, it isn't deliberate.  But it's still hurtful.

For example, when a company lists an engineering position and says of the qualified applicant "he will be able to think on his feet", the author and approvers of that language reveal an unconscious belief that engineering candidates -- at least the good ones -- will be male. Now, if you ask the author, he or she will almost certainly say "no, that's not what I meant at all! Of course a woman can be a good engineer, and we would hire a qualified woman if she was the best candidate."  And he or she will really believe that! They aren't a bad person at all!

But it's still sexism. It reveals that there is a bias. Whoever wrote that tends to think that engineers are men. Given our social history, it's not an unreasonable bias. It doesn't make you a bad person if your default mental image of an engineer is a man.  But it does make you an unwitting accomplice to the very systemic sexism that gave you that casual bias in the first place.

And of course, other -isms operate on similar principles.

So while letting slip a casual -ism doesn't make you a bad person, it's still something you did that was harmful in some small way. It's still something you did to contribute to the problem, in much the same way accidentally dropping a candy wrapper and not realizing it contributes to a litter problem. But I'd hope that you take steps to try to avoid dropping wrappers. And I'd certainly expect that if someone calls your attention to it your reaction would be "whoops, sorry about that!" rather than outrage.

And that's really all I'm asking of people who get called out on casual -isms -- acknowledge that you made a mistake, and work to correct it.

Monday, May 20, 2013

What using a Chromebook has taught me

I bought a lovely Samsung ARM-based Chromebook about a month ago, and I've been using it every chance I get.  Here's a few things using it extensively has taught me:

"Disposability" is amazingly freeing. This thing is $250, which isn't cheap enough to not care about it, but cheap enough that loss or permanent damage is more of an annoyance than a serious problem. This combined with knowing that everything I do on it is pretty much instantly synced online means that I just don't stress much about losing or breaking it. That's caused me to bring my Chromebook along in a lot of circumstances where I'd have worried about bringing a valuable object -- and that's meant that I write and "work" more. I like that.

Real keyboards are nice. I used to carry a Bluetooth keyboard with me when I thought I might want to take notes or write on my iPhone or iPad. But they technically don't allow those on planes, and it's annoyingly difficult to use the keyboard+mobile-device combo without a solid surface. And let's face it, the iOS keyboard is just really not great for anything long-form (crazy outliers like Patrick Rhone notwithstanding).  Having a "real computer" of sorts that I can comfortably balance on a knee while I type is surprisingly enjoyable.

Most of the time, I need less computer than I think I do. Web apps have gotten amazingly good; but that doesn't help much when you're disconnected. Or if you need to do "serious" work.

If you do any serious computing, a Chromebook doesn't replace a traditional computer. There are some things that there just aren't good web apps for -- and so I found myself using SSH and some form of Remote Desktop or other on a fairly regular basis. In some ways, this was great: working on high-end machines using the Chromebook as a sort of "window" to my real computing resources was the best of both worlds. Until the WiFi got sketchy. Or there was any sort of connectivity problem.

It's amazing how many places have free or cheap WiFi.

But the major thing I've learned from using a Chromebook as much as possible is that tools can spoil you. 

I wrote several pieces of analysis software for my current client using my Chromebook. There are not good development environments on the web yet (though Koding is both interesting and promising), so I did this via SSH. Which means I used vim and tmux to write and debug on a remote machine. And you know what? After an intial "this is weird" adjustment period, I got a lot more done.

Sure, the first pass went a little more slowly without the neat IDE features... but I was closer to my code. I knew it better. I had fewer distractions in the full-screen terminal session (which was required thanks to the tiny monitor). I read docs using command-line tools, which meant I was less likely to get side-tracked by some interesting add or notification.  I got more done.

I didn't have any games locally installed. Sure, there are plenty of time-wasters on the web, but somehow they're not as appealing as a handy shooter. If I wanted to play anything more than a casual game, I had to switch contexts -- I had to pull out my phone or my Vita. And with that, I was more aware. Hey, I'm not working right now. The games were more relaxing, and less of a distraction.

When network connectivity got poor or disappeared entirely, I didn't have a lot of options. I could write, thanks to Google Docs' offline support. And without anything on the machine to provide easy distraction, I wrote. I wrote more. I wrote more clearly.

The end result of this, though, was not to give up my tools -- and certainly not to give up my beloved MacBook Pro. Rather, it was to much more carefully consider what having a tool (or a toy) will actually do for me. To install only things which will meaningfully improve my ability to do those things I want to do -- to get work done (even if "work" means hobby-work).

And so I rebuilt my MacBook Pro today with these lessons in mind. And whereas I'd previously been frustrated at trying to keep my 128GB SSD free of anything that didn't need to be fast, and make sure I carefully managed my 500GB pack of spinning rust so it wouldn't run out of space... now my entire footprint is less than 20GB.

Monday, May 13, 2013

PowerPoint (and friends) for the novice presenter

Don't. Just.... put down the mouse. People are there to hear you and your ideas. They aren't coming to look at your slides. For the vast majority of presentations, you'll be much better off not producing any at all, and just being prepared to talk to people.

If there's detailed data for your audience to see and digest, make a handout. You'll convey more information, do it more accurately and completely, and save yourself a ton of distraction.

Advanced use

Visual aids, used wisely, can enhance a presentation. Some things are easier to show than to tell. When there's a specific concept or idea that people need to see, then using a PowerPoint or similar "slide" can be useful.  Learning to do this well takes a long time, and I can't teach you in a blog post.

But here are some rules of thumb:
  1. Slides are not your presentation. They are only a tiny part of it.
  2. Slides should add to, never repeat what you're saying or distract from it
  3. If you use a bullet, you're probably doing it wrong
  4. A data-presentation slide is, at best, an overview of the data. Details belong in handouts, not on a screen
  5. If you only had a whiteboard, would you draw this during your presentation? If not, don't put it on a slide either
  6. If your presentation involves moving from slide to slide, you probably are using way too many slides. Spend most of your time with the projector "blacked out", and bring up relevant slides only when necessary
  7. If you're not sure whether a slide is needed, it probably isn't
Think of more? Tell me on Twitter @DarrenPMeyer.

Tuesday, April 16, 2013

I don't care what you believe

I want to make one thing perfectly, crystalline clear: I don't care what you believe.

If you want to believe that the entire universe was created 500 years ago when a magical purple manatee shat it out while swimming through the Æther, fantastic. You go ahead. I hope it brings you much happiness.

Here's what I actually care about:

  1. You accept that your individual successes and failures are strongly related to the communities in which you live, work, and play
  2. You take tangible action to help those in need
  3. You use whatever privilege you have (earned or unearned) to help those less fortunate than yourself
  4. You make an effort to adopt and follow a rational code of ethics
  5. You respect and value a diversity of being, ideas, backgrounds, and cultures
If your love for the magical purple manatee motivates you to do the above, yay for you. I'm glad you found a way of processing the world that helps make you a good person. But the moment your love for the magical purple manatee becomes more important than being a good person who does good things, you fail humanity.

So, again: I don't care what you believe, but dammit, I care what you do with it.

Thursday, April 11, 2013

UserID-based salts are insufficient

When storing "inbound" passwords -- passwords your application will use to authenticate people and other applications to it -- there are a handful of options:

  1. Clear-text in some "secured" data store. Bad idea because if it's compromised, 100% of your accounts are breached.
  2. Encrypted. Bad idea because it relies on the discovery of a single secret (the private key); again, if breached, 100% of your accounts are breached.
  3. Hashed. Not too bad, assuming a modern hash function. But vulnerable to Rainbow Table attacks, so not exactly "good" either.
  4. Hashed with a "salt" (a.k.a. a "nonce"). If you do this correctly -- one salt per password stored, using a modern hash algorithm -- considered best practice.
As with most security things, the devil is in the details. Many developers I've spoken with worry about generating unique salt values for performance reasons. A solution I've seen in more and more code is to use the User ID (often an e-mail address) as the salt. The logic is that the salt is already stored, so there's no overhead to generate it and no database engineering work to accommodate salt storage.

Unfortunately, using a UserID -- especially if it's an email address -- is simply not good enough.

The goal of using a salt is to make it computationally unfeasible to generate rainbow tables. Rainbow table attacks work on "unsalted" hashes because you only need to hash every possible password once, after which you can simply look up the hash. Salting the hash means that you have to generate a complete rainbow table for every possible salt value -- a task that is orders of magnitude harder (computationally) than generating a single rainbow table.

However, generating a single rainbow table for SHA-256 8-character passwords on a commodity GPU only takes a bit over 90 days. If I'm attacking an individual, that's worth it. And if people are using the UserID as a salt, then I only have to do this once to build a rainbow table that will attack every such hash the user has. In other words, if multiple services use UserID for a hash, then with one rainbow table, I can attack a given user's account on all of those services.


Firstly, generate a unique, long, cryptographically-sufficient salt every time a new password is set. Not per-user.  It really doesn't take that much of a performance hit -- and if every bit counts, pre-generating a pool of salts from which to pull is a possibility.

Secondly, increase the hash work factor. After selecting a salt, do:

hash = sha256( salt + password );
for (i=1..work_factor) {
    hash = sha256( salt + hash );

This means that the time to brute-force is multiplied by "work_factor"; this hurts the attacker far more than the provider. Setting the work_factor to 10,000 or more should stymie all but the most determined attackers while having negligible performance impact on your application (remember you only have to do this when the password is set or checked, it isn't being done with every request or every operation).

Wednesday, March 27, 2013

Why do conservatives oppose same-sex marriage?

Maybe I just don't completely understand modern conservatives. I'd like to. My understanding of conservative values is:

  1. The Constitution is highly valuable, and we should interpret it in line with the intentions of the Founding Fathers
  2. Government should be only large enough to do that which private concerns cannot or should not
  3. The Federal government should not impinge the rights of the States
  4. Personal liberty should be protected, especially when it's a liberty enumerated in the Constitution
So let's look at same-sex marriage bans, and particularly the extremely-poorly-named "Defense of Marriage Act" (DOMA):

  1. The Fifth Amendment requirement for due process, and the Fourteenth Amendment's "equal protection" clause (no state shall ... deny to any person within its jurisdiction the equal protection of the laws), seem to require that State's not create classes of people for whom the laws or their implementation are different. Isn't telling someone they can't marry the person they love as the result of their sexual orientation a problem here?
  2. The First Amendment guarantees freedom of religion, which means that the government shouldn't be passing laws that serve only to enforce anyone's religious belief. Since the majority of the objections to same-sex marriage are religious – and since there are religions that permit same-sex marriage – isn't the government interfering in free exercise of religion if it tells a church that it will only recognize some of that church's marriages?
  3. Some States have decided to ban same-sex marriages, and others to formally recognize them. DOMA says that even if a State decides to recognize a same-sex marriage, the Federal government won't.  Isn't this the Federal government interfering in States' rights? Why does the Fed get to tell the States it won't recognize their marriages?
  4. The idea of personal liberty is that individuals should be free to do as they please as long as it doesn't harm anyone else (by impinging on others' rights). If the gay couple next door wants to be married, how does that harm anyone else? What justification does a conservative have for butting into their personal lives and deciding what they're allowed to do?
To me, any one of those should be sufficient reason for conservatives to oppose any effort to restrict same-sex marriage.

Is the moral outrage that the religious conservatives feel so overpowering that they're willing to compromise their other principles to ensure that no one can offend their delicate sensibilities on this topic?  I really don't get it.

Tuesday, March 26, 2013

How not to do a live technology demo

  • Use a tiny font that you chose for its ability to fit lots of data on your laptop screen
  • Make sure your theme is a low-contrast theme with a lot of dark colors
  • Prepare your demo on a high-resolution screen, and don't use the native resolution of the projector
  • Switch quickly between various windows and input/output sources. The audience will understand what's going on, they don't need any visual cues about what you're changing from and to
  • Make sure you use a cool-looking window theme. It won't distract from your demo, especially if your audience doesn't think it's as cool as you think it is
  • When your demo doesn't go exactly to plan, make a predictable joke about how hard technology demos are
  • Under no circumstances have a screen capture or other form of video to use in case there are difficulties with your live demo. Your audience will enjoy watching your troubleshooting skills

Monday, March 25, 2013

Well, pretty much all blogging software sucks

All I really wanted was a simple system. Something where I can easily -- that is, with little friction -- share things I find interesting as well as longer-form writing.  Something that allows me to focus on writing (for example, supports Markdown syntax). Something that doesn't require hours of time every month to patch and keep updated because it's been written to support all kinds of inherently risky technologies and is popular enough to be targeted by, well, everyone (Wordpress, I'm looking at you).

Of course, I wanted the basic things that make a blog a blog -- a syndication feed in Atom or RSS, a chronological archive, and a front page that shows the several most recent posts. Categories and tags aren't necessary for what I do, but if they're there, I will use them.

Oh, and if I need to switch off of the platform, then I want an easy export or access to the raw data of my posts, primarily in the format in which I wrote them (plain HTML or Markdown).

Every. Single. Platform. Seems to have either pushed to the "super-lightweight-static-site-generator" end of the spectrum, or "heres-a-rich-CMS-you-can-use-it-to-blog-I-guess" end. Blogger was, sadly, the closest thing. So here I am. Enjoy, I guess?