Archive for May, 2006


Northern Yearly Meeting

I spent the weekend with Friends in the woods at Northern Yearly Meeting. Kiara’s the Quaker in the family; I just tag along for the good parties. Since my beliefs and values are very much in line with the Quakers, I’d attend Twin Cities Friends Meeting with Kiara were my time in meeting not overwhelmed by a voice in my head screaming “THIS IS WRONG THIS IS WRONG GET OUT GET OUT NOW!” I take that as a message that I shouldn’t be there. :-) But I do go to NYM with her and the kids.

I value this weekend as a rare opportunity to enjoy long stretches of contemplative silence — among those who do not question the value of silence.

This year NYM was again at the Wisconsin Lions Camp, in a quiet, wooded area northeast of Stevens Point. Attendees have the option of sharing a cabin, which we did last year, or tenting in the woods, our choice this year. We arrived after dark, stumbling through the woods to find somewhere to pitch our tent, vainly trying to hush Owen so as not to wake others around us. Pretty comical in retrospect. We set up the tent a ways back in the woods from the camp, only to discover in the morning that we’d walked right past the main tent area. Still, we liked being in the woods: it was quieter, and I liked seeing the night sky through swaying pine trees. The boys slept well in the tent, not even waking up during the violent thunderstorm that swept through and sent many of the other tenters scurrying inside.

I don’t say this to brag. Were we not camped away from the others, we would have been alerted to golf-ball-sized hail as well, and sought shelter on the graciously volunteered cabin floors.

Owen spent his mornings in child care, playing with other kids his age. It tuckered him out so he would sleep soundly if we could get him to nap. On Sunday, he wouldn’t nap so I took him for a walk around the lake. He made it halfway around before asking me to carry him, and fell asleep in my arms 5 minutes later. Let’s just say I got my workout this weekend, although not one that my chiropractor would approve of.

Kiara wasn’t able to attend much of the business meetings (Meetings for Worship with Attention to Business; the Quaker decision-making process is fascinating) because she had Alec in the infant/toddler care, but we’re working on a way to change that next year. And she did discover that she likes sacred harp and shape note singing (not sure if there’s a difference).

And me? When I wasn’t establishing that no, we hadn’t lost the keys, they were locked in the car, I was either in the woods on a walk around the lake, or playing with Owen. It was a good weekend.


New OWASP site

It looks like OWASP is running on new software, MediaWiki by all appearances. Hopefully that will work better than whatever they were using before. I know that getting the local chapter pages updated has been an ordeal.


Web App Security talk notes (incomplete)

I gave a talk about web application security testing last year and started to write up my notes, but somehow I never quite finished them. I’m unlikely to do so in this format but thought I’d at least post the notes as they stand. Things have changed in the past year: I have a better handle on threat modeling (and Microsoft has released a couple new iterations), we’ve seen great new tools like Firebug released, the Build Security In portal was released (although I still think it’s of more interest to developers than architects, which is an okay thing), there’s been more work published on abuse/misuse cases, a new OWASP Guide was unleashed…

So on the off chance they are of value, here they are: notes for Web Application Security Testing talk.


Cultural Literacy

Kiara just told me that she was talking with some kids who regularly watch Smallville, and had no idea that Clark Kent becomes Superman.

Just had to share.

PHP, Ruby

Sure it’s got warts, but it does the job.

What a damning title for this post.

Peter Williams has started working with PHP. He comments mostly about the syntax and with the understanding that he’s writing about PHP 4. Some of that has been improved upon in PHP 5: exceptions, for instance, to which Matt Zandstra has written a good introduction. I agree with a lot of what Peter says. DHH has a point: PHP is not pretty to look at, and sometimes it’s ugly to use. Using -> as a method invocation operator is unpleasant (Perl does the same thing, but in Perl 6 it’s a .). It’s a small thing, but small things add up. I don’t like to use PHP because I like the syntax of the language or because it’s a joy to write PHP code. I like to use PHP because it gets the job done, sometimes quite powerfully. And it’s a helluva lot better in PHP 5.

It is a joy to write Ruby code. Just want to say that. Coming from Ruby to PHP, that’s gotta be hard.

At first I thought Peter was being a bit over the top complaining about PHP’s requiring explicit statement terminators. Then I thought back to how much time I’ve spent tracking down bugs that turned out to be a misplaced or missing semicolon. He’s got a point.


Smarter and Faster, Part II

So I should explain the Hughtrain cartoons. Just so we’re clear, I’m not quite as bitter as you’re about to think I am.

I work in IT for a large public higher education system. Not long ago I had a revelation that almost all the technology innovation I see at work isn’t happening in IT. Instead I see it coming from a few people in particular within Academic and Student Affairs who push for tech innovation to support the educational mission of the system, often introducing technology themselves because IT is out of touch. I realize that some of this is because ITS at MnSCU has been pathetically underfunded and can barely manage skeleton support and subsistence. And I’m not being entirely unfair to my IT colleagues: I said almost all technology innovation. But still.

You might have picked up on it here if you’ve been reading along the last couple years, but I’m more than a wee bit frustrated with a development process that strongly favors multi-layer committee approval of every damn little thing, and careful planning of work months in advance. See, we operate at the intersection of higher education and state government. This tends to slow things down a tad and quash any chance of doing anything even remotely cool or even useful.

There. I came out and pegged myself as a developer: I want to build cool shit. But it’s not really that simple. I keep thinking that we’re operating in a post-Cluetrain world, that the lessons have been absorbed and that people are clued into what’s been happening with web development the last few years [1], and reality keeps smacking me down. I am consistently disappointed by the caliber of the web apps we’re slowly churning out. Top-down, faceless, human-less “enterprise” development. Our intranet is stagnant, except it’s brand-new and public-facing. Unless we break free of what is pretty damn close to a waterfall method, we’re screwed. I believe that we’re committed to doing a good job, I just don’t think that many of us are all that interested in doing a totally fucking amazing job.

But hey, that’s me.

I still have hope of sneaking something in. I’m finding ways to push the confines of narrowly defined use cases that still meet the specs and that make the apps better. And at least I’ve started telling my coworkers that I think it’s our job to write kick-ass apps — or rather, apps that help users feel like they kick ass. I’ve obviously been brainwashed by Kathy Sierra. Thing is, she’s right.

Pity no one liked my idea of running the student housing application as a first-person shooter. Just as well, I don’t think that the oughta-be-Quaker in me would be comfortable with the violence. I wonder if anyone will bite at running registration like fantasy football? :)

There. Now I’ve pegged myself as a developer and completely loony.

[1] – i.e. Web 2.0 — yes, I use the term willingly. Now you know I’m loony.


McGraw is right.

I am so pleased to be working with people who are clued in enough so I can have conversations like this:

Me: John, I’m glad that we’ve finally got Board policy addressing data security and privacy, and we’re putting in place practices and training to address network security, wireless security, and so on, but—

Him: But Gary McGraw is right.

Me: Yes, exactly.

Here’s the thing. We have paid far too much attention to network security and not nearly enough to application security. That’s what Gary McGraw has been saying, and thankfully our security guy knows it. Software security is the new frontier. Or really, it’s been the frontier all along, we just haven’t acknowledged it.

So what do I do? I’m going to have a very busy summer, jump-starting our secure development process and trying to get policy to match what our process should be, so practice can flow from policy. This is nothing official to my job, it’s just something that I care a lot about and am going to do. It’s a start.


Books I’m Reading

I was in a boring meeting and killed time by jotting down a list of books that I’m either reading now or plan to read in the next couple weeks.

  • Ruby for Rails by David Black. You can’t get far in Rails development without knowing Ruby well. This is a good introductory Ruby book that goes into more detail than you’d expect and still comes off enjoyably readable. Glenn Vanderburg talks about the notion of using Rails not as a framework or domain specific language for web applications in general, but as a DSL for your web application. If you understand Ruby well, and you understand how Rails ticks, you’re on the way to doing this.
  • A Little Ruby, A Lot of Objects. I’ve mentioned this before. A good way to grok OOP, Ruby style.
  • Programming Ruby. The PickAxe is the standard with good reason.
  • Best of Ruby Quiz. A language’s syntax is the easy part. To become proficient, I need to use a language to solve real problems, feel my way around the idioms.
  • PHP 5 Objects, Patterns, and Practice. I’ve been itching to get back into PHP programming, and I immensely enjoyed this book’s practicality and clear-headedness. I don’t think anyone does a better job writing about PHP than Matt Zandstra. If you want to understand OOP in PHP, both from a mechanical/syntactic perspective as well as design philosophy, this is a very good place to begin.
  • Facts and Fallacies of Software Engineering. My introduction to Robert Glass’s work, I return to this book periodically as a touchstone. Grounded in years of research and practice, Glass discusses what ought to be common knowledge but often isn’t. We keep making the same mistakes and we need to be reminded of that so we can do better.
  • Software Conflict 2.0, again by Robert Glass. A collection of essays from 1990, still very much relevant.
  • Rising Stars, vols. 1-3. J. Michael Straczynski wrote a comic book series? It is marvellous, as you would expect from the man who brought us Babylon 5. (Actually, he’s written more than one comic, but I really like this one.)
  • How to Break Web Software. This is aimed more at software testers than I expected, which was a foolish assumption on my part. A good book. Oh, which reminds me, I need to reread the OWASP Guide 2.0.
  • Software Security, Gary McGraw’s latest, focusing on building in security throughout the development lifecycle. I’ve come to a point where I need to start suggesting policy and practice. There aren’t many better places to start than Gary McGraw. I am also eagerly awaiting Michael Howard and Steve Lipner’s upcoming book about the Microsoft SDLC: The Security Development Lifecycle.
  • Getting Real. Nothing new if you’re familiar with 37signals and their philosophy, but an engaging and exciting read. I find myself listening to Jason Fried over and over again.
  • In the Company of the Courtesan. I heard an interview with the author and got sucked in.
  • Shooting the Thorn Tree. Kiara’s Masters thesis. Well, one of them.
  • Designing Interfaces. Yes, I am the user interface guy on our team.
  • My Job Went to India. I’m not afraid of my job being outsourced, but I have been too complacent in driving my career. Time to take control.
  • The Career Programmer: Guerilla Tactics for an Imperfect World. Cuz man, things get nuts.
  • Beyond Code. See above.
  • Spies Among Us. The local OWASP chapter discussed this last month but I couldn’t attend the meeting.
  • Digital Identity. Phil Windley’s high-level discussion of identity management. I really, really need to wrap my head around what’s happening in this space.
  • The Great Transformation: The Beginning of Our Religious Traditions. Karen Armstrong’s latest.
  • Garth Nix’s Abhorsen trilogy. Have I mentioned that I’m a sucker for teen fiction?

Okay, got to get cracking.


Another Scene From My Life With Owen

The other day Owen sat down to a snack of crackers and cheese: a round of camembert and French raw sheep milk cheese whose name escapes me. It was the first time he had ever had either one. Owen bit into a cracker and his face lit up.

“I love camembert. Camembert is my favorite cheese in the whole world!”

We are warping the poor kid.


Rails, Ajax, and Al Essa: MnSCU IT Conference Redux

My presentations at the MnSCU IT conference a couple weeks ago were mixed.

The Ruby on Rails talk did not go well. I decided to start with a demo to give some flavor of what Rails development is like and how very little code it takes to get up and running. I had trouble with the demo so ended up behind schedule and didn’t get to talk enough about what I really think is important. I like Rails well enough, but about a month ago I realized that I wasn’t all that interested in talking about it. To my mind, it’s a bit over the top to claim that it’s the future of web development, although its release did mark the emergence of energetic activity in the web app framework space that embraces DRY and convention over configuration. Less code. Rails is interesting and downright fun, but so are the similar frameworks that came out at about the same time: Django, TurboGears, Symfony, CakePHP… I wanted to focus not on Rails but on the ideas it represents, but I didn’t leave enough time. I had hoped, too, to talk about shared-nothing architectures and spend a little more time plugging dynamic languages. But it’s over, and that’s just fine. I don’t think I’ll be doing many live demos in the near future, and I might stay away from Big Idea talks — or at least structure them differently.

The Ajax presentation, which I did in collaboration with Dave Kruse, webmaster at South Central Technical College, was much better. Planning for it, Dave and I struggled with how to address the fact that the audience would have all sorts of skill levels ranging from knowing nothing about Ajax or even JavaScript, to understanding XMLHttpRequest at a really deep level. We opted to avoid lots of technical explanation and code examples. Instead of focusing on the technical, we talked more about the ways in which Ajax is changing how people experience web apps, what they expect from them, and how to ensure that using Ajax improves the user experience. Because that’s what it’s all about.

Would like to have had more handouts, but time got the better of me and flu got the better of Dave, so that didn’t happen.

During breakfast before the session, I threw together some code examples using Prototype, which I did end up showing since we had some time left. Also at breakfast, Dave worked on some Flash animation illustrating the difference between traditional web application interaction and Ajax-style asynchronous requests. He dismissed them as hopelessly cheesy, but despite the lack of polish I think they do a better job of visually representing Ajax at work than anything else I’ve seen. I’ll try to get Dave’s permission to post them here.

MP3s will be available at some point.

The best part of the conference was the conversation, connecting with my colleagues on the campuses. Face-to-face is a Good Thing. Getting to work with the amazingly talented people at our colleges and universities is one of my favorite aspects of my job.

The next best thing was the introduction of Al Essa, who started working with us a few weeks back as Associate Vice Chancellor / Deputy CIO, and from what I saw at the conference people are impressed. As they should be. I’m downright giddy about Al joining us. This Educause interview with him should make it clear why: he’s thoughtful, articulate, and apparently values many of the same things I do: open source, Web 2.0 (yeah, yeah), dynamic languages… Even in his first weeks here, sounding out the territory, I get the sense that he has Ideas.

And he blogs. Check. I’m pretty sure I ended up at his blog via Stephen O’Grady, which is another good sign.