The art of building software

Tuesday, May 27, 2014

Netflix Company party from 1999

I just found this vintage video I shot at a Netflix party last century back when they were just renting DVDs.  Thought I'd share.  So much has changed at Netflix since then.   I got a clip of Netflix CEO Reed Hastings predicting the future right at the end - do you think he was right?

Friday, December 20, 2013

If you find you are riding a dead horse, the best strategy is to dismount

One of the themes I think is transferable across all parts of life, including software development, is the question of when do you keep pursuing some goal, and when do you realize you need to change your course (or "pivot") and give up?  Here's a series of interviews I produced and edited into a podcast format on this topic.

Interestingly, all three people I interviewed interpreted this as an example of when they persevered.  I should do another series of interviews on when people decided to quit.  Maybe splice the two together.  That would be interesting.  I'll update this posting when I conduct more interviews.

Wednesday, January 25, 2012

The importance of factoring large numbers

Here's a simple math question for you: What two integers do you have to multiply to get 15, other than 1 and 15?
Prime Numbers, from Nerdy Baby
Most people get that the answer is 3 and 5, because 3 x 5 = 15.  That one's pretty easy to figure out.  Of particular note: The numbers 3 and 5 are prime numbers, meaning that 3 and 5 can not be divided evenly by any other integers other than 1 and themselves.  Numbers like 15 are called semiprime numbers, because they can be factored into exactly two prime numbers.  This cool chart teaches babies about the first few prime numbers.

Here's a harder one for you.  What two prime numbers do you have to multiply to get the following semiprime number?
Yeah, that's a pretty big number - it has 617 digits in it.  I don't know the answer, and I believe no one alive knows the answer.  Until just a few years ago, the RSA corporation who originally asked this question offered a $100,000 prize to the first person to come up with the answer to that question.  They called this the RSA Challenge.  They multiplied two large prime numbers together to get the monster above, and then threw out the piece of paper on which they had recorded which two prime numbers they multiplied together - so no one alive has the answer.

How long would it take a typical computer to figure out the answer to RSA's challenge?  According to Digicert, one of RSA's competitors, it would take 6,400 trillion years using a standard desktop computer, and using the fastest method known (called the general number field sieve) for coming up with the answer.  Using the fastest supercomputers today might drop that number down to only a few trillion years.  You could further improve that by using several other techniques, but still, we're talking about a much longer time than the human lifespan.  Here's a cool video from Digicert that is fun to watch and puts this into perspective:

Though it's impossible to figure out the answer using today's technology, it's easy to check whether someone has the right answer by taking two numbers and multiplying them together to see if that equals the number above.

Since I mentioned two Internet security companies - RSA and Digicert - I would be remiss of I did not mention the name of the company that originally invented this stuff.  That company was Netscape, which was once a high flying Internet company but crashed and burned and ended up getting bought by AOL for 4.2 billion dollars.

The reason this is so important is that our Internet security relies on the fact that it's currently impossible for anyone to figure out the two prime factors that are multiplied together to get numbers as big as the example shown above.  RSA is one of the leading vendors of Internet security products based on this simple mathematical exercise, and they wanted to prove to themselves and the rest of the world that our Internet is secure.  Every time you access your online banking or use your credit card or login to some web site, you use a security technology which at its core relies on the impossibility of factoring large numbers.

I think RSA has made their point, at least for now: hackers generally don't try to solve this problem but instead rely on numerous other types of attacks.  Here's why.  Let's say you're a bank robber trying to break into the bank's vault.  You're not going to try to break into the front door of the vault by brute force, say with a bomb.  Instead, you might get your own safety deposit box in the vault and just walk right in as if you're going to your own safety deposit box, and then pull out your gun and demand that a bank executive empty out other people's safety deposit boxes for you.  Similarly, hackers don't try to break the secure semiprime key by finding out what two prime numbers need to be multiplied together.  Instead, they attack weaker parts of the security protocols having nothing to do with factoring large, semiprime numbers.

It may surprise most people to learn that the latest Internet security protocols can easily be cracked by hackers in seconds, using techniques such as ARP spoofing or ARP poisoning, and then doing what's called a "Man in the middle" attack.  You are most at risk if you are using a public WIFI connection, even if you are using secure Internet protocols such as SSL.  These attacks have nothing to do with factoring these large semiprime numbers, and will go right through your anti-virus software and firewall software.  Other techniques let you discover any passwords saved in a user's browser, or crack your Facebook password.  You are also vulnerable in your own home.  If you don't set up your own strong, WIFI router password (something you actually have to explicitly do), then you are vulnerable.  I'm not going to link out to this information, but if you're really interested, you should be able to easily find detailed How-To videos if you look around.  Once you know this, you may never want to use a public WIFI connection again!

Most people don't know how vulnerable they are when they are connected to a public WIFI connection.  Let's say you're carrying your iPhone or Android in your pocket, and you walk into your local coffee shop and connect to the free WIFI there.  Once you've done that, a hacker could easily steal your passwords, even if you never take your phone out of your pocket.  Scary, huh?  These hackers are not attacking the semiprime numbers in the security protocol.  Instead, they are acting like the bank robbers, and attacking other parts of the protocol that really are weak.

It's possible to defend yourself against these types of attacks, but as of today, you have to know what you're doing if you want to protect your computers and cell phones, especially if you're connected to a public WIFI.  I believe that our computers and devices will get smarter over the coming years so that they will not be vulnerable to these attacks. However, at the heart of it all, are still these large semiprime numbers.  If someone figures out a way to crack them, there's no easy way to fix this.

If someone could answer the RSA Challenge, they could crack the large semiprime numbers at the heart of the security protocol - it would be like having a way to walk right through the bank vault door even if it were closed and locked.  While no one possess anywhere near sufficient computing power to answer RSA's challenge, if someone magically came up with the answer, anyone could quickly verify that they had the right answer because it would be super fast to multiply the two numbers together to see if that equaled the number above.  Fundamentally, the fact that it's too time consuming to calculate the answer but trivial to check the correctness of the answer, is what secures the network connection between your computer and all servers on the Internet.  If you could answer RSA's challenge, our Internet security would vanish in an instant.

In the 1990's our government used to consider this type of computer security to be equivalent to possessing a nuclear weapon - it was classified as an armament.  They have since changed this stance, but their former stance shows you how important this kind of security is to our nation, and to nearly everyone who uses the Internet.  I think we're fortunate that the government changed their view on this before the 9/11 attacks.

Hypothetical intel Quantum
computer chip
But the day is coming when quantum computers will be able to break into any secured Internet connection, because unlike the computers of today, quantum computers will be able to solve the RSA challenge in a reasonably short amount of time.  And when this happens, our government could well classify these new computers as equivalent to nuclear weapons again because they would destroy all privacy and security on the Internet.  How soon this will happen is a matter of debate, but I believe some time this century we will have the technology, perhaps as soon as a few decades from now.  And then it's only a matter of time before the cost of these devices comes down and then that's it - we need to change the fundamental security architecture of the Internet that we've relied on since the dawn of the Internet.

Knowing that this day is coming, some people formed the PQCrypto conference to pool together great minds to prevent this from happening - but they haven't yet figured out a solution.  Assuming they or someone else does eventually come up with a counter measure, fixing this problem will be a project equivalent or worse in risk and size to the Y2K problem that we were all worried would bring down the Internet, and that cost over $300 billion dollars to fix according to the BBC.

Tuesday, May 31, 2011

Software Development Tribal Culture

Often overlooked and underappreciated, among the most important factors in determining the success of every software development tribe is its culture.  I'm using the word 'tribe' rather than the more traditional word 'team' to reference the anthropological roots of culture, because I think the elements of culture that make modern software development teams successful can trace their origins to primitive tribal societies.

There's a difference between your tribe's culture and its processes.  Processes are usually documented in some form and represent the ideal of what you're supposed to do.  You can most likely read about your "development process" somewhere, and you might read words about Agile development or waterfall methodology.  At a more detailed level, you might also find the documentation for your check-in process, or the bug fixing process.  These are all processes.

In contrast to processes which might represent a sort of ideal of what you're supposed to do, culture represents the reality of what you're actually doing, and consists of memes that are communicated amongst tribal members.  Do you remember your first day, when you joined your software development tribe?  Remember that "drinking from the fire hose" feeling where your brain was in overload mode because it was taking in so much new information?  You were integrating and melding with your new tribe, drinking in its culture and grokking its memes.  It doesn't matter if your new tribe works in a bank and wears suits every day, or if they dress in kilts and boots and have a dog named Blue who likes to hang out in the kitchen, or if they wear leaves around their genitals and carry spears and hunt big game (or dogs named Blue).  You have to do more than form relationships with the key people in your tribe and find out where the rest rooms and gazelle are: you have to meld with your new tribe's culture.

On the other hand, if you are the person starting a new tribe as opposed to joining an existing one, you should be very conscious of the kind of culture you want to create.  The first people in a tribe usually play the greatest role in creating its culture.  Cultures are a fluid thing and are usually not under the direct control of any individual even though all individuals may contribute to the culture.  Past experience can be especially useful when forming new cultures.

Culture exists at multiple levels within larger organizations.  You may have a divisional culture that is broader than your development tribe's culture, and a company-wide culture as well.  In larger organizations, you sometimes see cultural wars between competing tribes, even as they cooperate on some levels as well.

For purposes of understanding software development tribal culture, I'm going to break down culture into these elements:

  • Symbols and language, which often take the form of neologisms and new meanings for existing words, but they also appear in visual and auditory form as well
  • Rules that govern interactions among tribal members and with the world at large
  • Values - what you spend time and money on
  • Knowledge that allows you to control various elements of the world, cyber and physical
  • Wisdom and vision that encourages you to pursue the "right" goals

These elements of tribal culture are not just limited to software development tribes, but can be found in all sorts of teams such as sports teams, schools, companies, and indeed at any level of social organization up to nation states and beyond.  These elements of culture are often only partly documented in online or printed forms, and to a large extent must be learned via personal interactions, whether in the flesh or virtual.  That takes time.

I find it fascinating to ponder where this magical culture actually exists.  If all the electricity went out and there was no Internet, your culture would still survive.  It also survives the departure of any individual of the tribe as it is spread amongst all the tribal members.  I once wondered whether culture can survive the death of all of the members of the underlying society.

Let's take a look at how these things manifest in your software development tribe.

Symbols.  You know those acronyms you throw around now?  You had to learn each of those.  At the high end, cultures like Microsoft create thousands of acronyms.  Here's one public list of 451.  Then there are all the software module names, machine names, names for conference rooms, product names - the list goes on and on.  You have a corporate brand identity, product logos, and maybe even a sonic brand.  Your brain needs to understand the meaning of all these new symbols.

If your tribe uses a lot of symbols, or at least if you find yourself feeling like you're listening to a foreign language more often than you'd like, you may want to start your own dictionary.

Rules. Rules can be expressed in many different ways.  As software developers, we're familiar with the pattern for a rule consisting of a condition and an action.  While your tribe's rules could be expressed in that format, since these rules are executed by wetware and not software, I find it more convenient to express these as questions.  Rules can answer these sorts of questions which are found in most software development tribes:
  • When you sit down in front of your computer to work, how do you know what to do?
  • To what extent can you integrate your personal (family & friends) life with your business life?
  • If you would like someone else to do something, how do you do that?
  • When is it really OK to work from home?
  • How much time off do you get?
  • If someone comes to you and asks you to make a change to your code, is it OK to make that change?
  • What kind of testing should you do before you check in your code?
Values.  Values are what you spend time and money on.  Here are some examples of values:
  • Does your tribe maintain thorough unit tests and automated functional tests?  If so, then it values long term quality.  Some times you don't need long term quality because the code will have a short life time, and in that case, it could be entirely appropriate not to value such testing.
  • Do developers have multiple monitors and screaming-fast development machines?  If so then the art of software development is most likely valued by your employer (i.e., you have a higher salary).
  • How much time and money do you invest in your build, test, and release process?
  • Do you get paid to invest time in staying current in the art of programming by getting to attend trade shows or classes to learn new things?
Knowledge.  Knowledge bases capture some of your tribe's cultural knowledge in a written form, while the remainder exists as tribal knowledge.  For example, you need to know your tribe's system architecture in order to extend its code base in a good way.  So you might start by reviewing system architecture documents.  Most likely the actual architecture is different from the documented architecture and you may well have questions about the architecture that you can best answer by asking someone and drinking in some tribal knowledge.

Knowledge can also be thought of as answering these sorts of questions:
  • How do I set up my development machine?
  • How do I check in my code?
  • How do I log a bug?

Wisdom.  Sometimes ordinary knowledge is insufficient to make the big decisions.   I once recounted the story of when I was once part of a massive development team with many dozens of staff-years of effort invested in a very large product, and the CEO of the company decided to kill the project.  How did he know that this project was a dead end and that he needed to pull the plug?  It was wisdom.

Dakota tribal wisdom says that when you discover you are riding a dead horse, the best strategy is to dismount.  This is one of the most beautiful metaphors I've heard.  How do you just "discover" that you are riding a dead horse?  And how can the simple act of dismounting a horse turn into a strategy?  It turns out this metaphor shows itself all the time in various parts of our lives.  How do you discover when it's time to leave a job, a relationship, or change a habit that's no longer working?  And then how do you form a strategy to address your new discovery?  It's a bit of a magical process, usually accompanied by insight, inspiration, some trepidation, and a feeling of reaching a turning point.

Wisdom also guides our software development.  How do you know when your code design isn't working out and you need to redo it?  What about if you're just stuck on a bug and your existing approaches at fixing it aren't working?  How do you know whether to build or buy some technology?  Should you write your server code in Ruby or Java?  And when you're interviewing, how do you decide which person to invite to join your team?  Even harder, how do you know when it's time to let a team member go?

Putting it all together.  Frank Addante starts off his article Start-up Step 1: A Culture Plan for Inc. by saying "Great culture doesn't just happen - you need to make it happen."  I hope that by breaking out culture into these individual elements and giving examples of how they manifest in software development teams, you can be more aware of the role that culture plays in modern software development teams.  With such awareness, team founders and team members can more consciously and carefully choose or at least guide the culture that best suites them, rather than letting it evolve more haphazardly.

Friday, May 13, 2011

Online Social Fetishes

A Zuni Fetish
A fetish happens when someone ascribes more value to an object or concept than it intrinsicly has.  As I researched fetishes for this article, I found them to be a surprisingly deep area of inquiry with multiple meanings and applications.  As usual, Wikipedia has a number of excellent articles on the topic that will most likely give you (as it did me) a much deeper understanding of fetishes, and in this article I will use the word "fetish" as described in Wikipedia.

In the online world, we have a "social fetish" when we ascribe more value to an online social experience than it intrinsicly has.  Some examples to give you an idea of what I mean:
  • You need a Facebook account to stay well connected with your friends and family
  • You need a LinkedIn account to find a job
  • You need a dating web site  to find a better mate
  • You need a mobile device to survive and thrive in this modern world

I'm going to get uncharacteristically personal for a moment and let you in on a little secret that I suppose will no longer be a secret now.  After leaving a Principal Development Manager role at the mobile phone division of a major software company, I spent about a year without owning or using a mobile phone.  It was quite an eye opener for me.  I certainly noticed the large number of broken, decaying pay phones scattered around our country.  People suddenly didn't know how to meet me somewhere on time.  And I would get on a train and see nearly everyone interacting with their mobile devices.  I think this experience served to make me more sensitive to online social fetishes.
Advertising encourages the fetish-izing of the product or service being promoted by associating things we already take as valuable - for example healthy, sexy looking people - with the thing they're advertising.  How else, for example, could we Americans be convinced to pay up to 10,000 times more for a gallon of bottled water than we pay for a gallon of tap water?  How many of us have taken the time to see whether bottled water is actually any cleaner than tap water?  Most people don't know about this study that found bottled water often exceeded the U.S. Environmental Protection Agency's level for heavy metals, or this study which showed that bacterial contaminants in bottled water exceeded that found in tap water, or this study which found no difference in water quality between tap and bottled.  The online social world is no exception.

We've been convinced we need to invest time and money in using online social tools in order to be successful in our personal or business lives.  But how many of us that have used dating sites have actually checked the statistics to see if getting matched on a dating site works out any better (or worse!) in the end than getting matched not-on-line?  (Update in February 2012: Online dating survey suggests it's no better than meeting at a bar.)  [Update in February 2013: Online Dating Study Determines Users Have Only .03% Chance of Finding Lasting Love]  Good hard data is surprisingly hard to find, and you would think that sites like eHarmony would feature such data front and center on their web site if they had it, but they don't - try to find it on their web site.  Disclaimer: I could have spent more time trying to find this data so it may well be out there, I just couldn't find it.  If you find it, post a comment here and let me know!

Interestingly enough, with the advent of viral marketing techniques, we now do the advertising for social web sites when we bring new people into our network.  LinkedIn doesn't need to show you an ad during the Superbowl because their users are actively recruiting new users into the nework while the superbowl is actually going on!

The reason we're worth so much to Facebook is that while we're sitting for 11.5 minutes per day in front of Facebook interacting with our network, Facebook is pushing ads to us based on all the personal stuff we've entered into Facebook, and enough of us are clicking through on those ads that Facebook is making many hundreds of millions of dollars in advertising revenue per year.

Another way to look at the fetishizing of social web sites is to look at the market value of companies like LinkedIn.  LinkedIn is valued at approximately $3B.  With approximately 100M users, that means each user is worth about $30, even though the net revenue per user per year is only $2.40.  Facebook is worth $50B divided by 500M active users makes each user worth about $100, and again the net revenue per user per year is much lower.  The reason these companies are valued at such a multiple of their earnings or revenue, is that those of us valuating online social businesses also have an online social fetish.

I'll give an example to show how all these levels of fetishes work together.  Think back to the first time you registered with Facebook or LinkedIn.  Did someone invite you?  If so, that was viral marketing.  Did someone tell you about it?  If so, that was word of mouth marketing.  Read about it online?  That would be online marketing.  Now that you suspect that there's value there, you invest time and perhaps some money in building your profile, network, and content, and you begin to believe that you need this magical social account in order to stay connected with your network.  Enter your online social fetish, and then perhaps even add some level of addiction for some of us.  Then you spend your 11.5 minutes per day in front of facebook, and while you're doing that, you occasionally click on an ad, and ka-ching Facebook's coffers fill up.  All the people in the finance world and wall street who put the official value on companies are using Facebook themselves, and so they too are caught up in the same personal fetish.  So they attribute a significant value to Facebook far in excess of its earnings.

Karl Marx
Some argue that one of the reasons Karl Marx used the word "fetish" when he coined the phrase "Commodity fetishism" is that he was trying to show that the same force that drives so-called "primitive" cultures to, for example, believe in the power of voodoo dolls, also drives so-called "civilized" cultures to believe that, for example, a $100 bill is actually worth $100 when in reality it is a nearly worthless piece of paper, or that an online dating web site can actually improve your chances of having a successful relationship even though there is no data to that effect.  I'm making a similar comparison here.  Look for hard data before and after all these social tools, in each domain which they claim dominance: Family, friends, jobs, dating, etc.  Is the quality of relationships we're seeing now better than it was before these tools were around?  If so, where's the data?  If not, why do we invest so much time and money in these online social services?  Is it an online social fetish?

Wednesday, May 4, 2011

Famous LinkedIn Profiles - Social Media vs. Social Networking

Seems like everyone has "social media" in their profile these days, or at least about 600,000 on LinkedIn do at the time I am writing this (search for social media on LinkedIn to see).  That number is growing by almost 1,000 new people per day, so you will see a higher number if you click on that link now. This got me wondering about the difference between two terms we all use a lot to describe Internet-based applications: Social Media and Social Networking; what is the difference?  Social media allows anyone to broadcast content that others can discover, share, and comment on, while social networking allows people to connect around shared interests.  Both types of software are used as part of broader marketing campaigns and both generally rely on viral marketing to bring in new users and so can grow at exponential rates.

The latest trend in advertising is to tie celebrities and authoritative voices into interactive advertising campaigns, although arguably this isn't all that new since advertisers have been using celebrities to market their products for years, known as the "celebrity endorsement". describes a case study where they recruited influential bloggers to lead as ambassadors as part of a large scale marketing campaign.  Say Media took this one step further when they acquired the Typepad blogging platform last year.  This is social media.

There is a special case of social networking I'd like to zero in on for this blog posting: What happens when famous people use social networking tools?  In some cases such as the examples I give below, I think these people are trying to use social networking platforms as if they were social media platforms, and in my opinion, this usually fails spectacularly.  Barack's campaign (read more below) is one notable exception, but that was unique because his campaign invented a new way to use social networking tools, and I'd hesitate to call this either social networking or social media.  I think we need a new term for this.  Any ideas?

I recently discovered that a number of famous people appear to have their own LinkedIn profiles.  At least I'm assuming these are real as I expect they would have been torn down if they were fake.  (If anyone thinks any of these are fake, please let me know!)  Here are my personal favorite examples of celebrities trying to use LinkedIn as if it were a social media platform.  I've just requested a direct connection with all of them.  If I get any responses, I'll come back and edit this blog posting and let you know who let me in!

Sarah Palin's profile is just downright funny to read - her summary ends with such badly written English, you have to wonder how this could still be here online, but there it is:
"My fellow Americans, come join our cause. Join our cause and help our country to elect a great man the next president of the United States. And I thank you, and I -- God bless you, I say, and God bless America. Thank you."

Bill Gate's profile is awesome in it's conciseness.  With only 38 connections it's pretty clear Bill is not using LinkedIn for its social networking capabilities.  I'm guessing he wanted to try it out at some point and just abandoned his account.  Maybe he thought his profile description would be a good way to describe himself to the LinkedIn community.
The man does not need to say much in his profile.  He calls the Gates Foundation, the largest foundation in the world, "A humble initiative", and Microsoft, one of the most dominant software forces in history, "A small monument".  A bit of false modesty?  He never finished college though, so I don't know.  One of his public recommendations appears to be this comment which probably wasn't meant to be public so I am a bit surprised that he'd post this:
"Great job on your promotions. Please contact executive assistants at MAP92112 @ to work out details of future promotions."

Like Gates, this guy doesn't need to say much.  His job description for being President simply says, "I am serving as the 44th President of the United States of America."  This is the complete opposite of Bill's profile: millions of connections - over three million on facebook alone.  This is not social networking in the sense that most people think of when they think of LinkedIn, yet at the same time, he never posted anything new on his LinkedIn profile so there could not have been much social media going on either.  I think this was something else, neither social media nor social networking; it was a badge his fans could put on their profile to show their support to their own network.

Talk about not needing to say much, Britney has the shortest profile of the group.  This is the entire profile:
It's Britney Bitch!
Dancing and singing

With only 23 connections and not being open to accepting new connections, I'm guessing she's not using LinkedIn.  I think the only reason she has a profile there is to provide a link to her real fan site.

Wednesday, April 27, 2011

Ruby and the Three P's versus Java and the Argonauts

There's a cultural war going on between developers that use late bound languages to build web applications and services, and those that use early bound languages.  This job trends graph from hiring site may help explain what is going on.  You can see the trend for the early bound languages has continued to grow as a group (with C++ dragging down the pack).  A look at Ruby and Python will show that these are growing at much faster rates than the early bound languages, but the absolute number of jobs available for these languages is only a fraction of those available for the early bound crowd.  In order to grow, the Ruby and Python movements need to get programmers from the top three languages on the graph, which are all early bound languages: Java, C++, and C#.  They also need to recruit younger developers.  This cultural war is one technique the late bound crowd is using to get a developer audience.

This video is pretty funny, and the whole series is quite effective at capturing this cultural war.

Another interesting data point is a comparison of Ruby and Java salaries (see below).  This salary data from shows that entry level Ruby programmers make almost 20% more than their Java counterparts.  What accounts for this?  I don't know - if you have any thoughts please let me know!

This advantage disappears as the programmer gets older though.  I think this reflects something else I've noticed about this cultural war: Late bound adherents tend to be younger than their early bound peers.  I think this is because the late bound crowd needs to recruit "new" people to the fold, which will generally be younger people.

Ruby on Rails Median Salary (U.S.)
By total years of professional experience
Java Media Salary (U.S.)
By total years of professional experience