afongen

Jon Udell shares a sadly amusing anecdote about the sort of thing that gives PR flacks a bad name.

I share this not only because it’s sad and funny, but because it means Jon’s likely to write about GData. I’m looking forward to that, because I have a hunch that GData will be important. Stephen O’Grady explains why in far more detail than I have time for, so just go read that. Or since they’re having problems with their web host, read a cached version. Fundamentally, a relational database isn’t always the best solution for storing and manipulating data, and as Adam Bosworth has argued, we need new ways to access/manage our data in its various stores. GData, an Atom-based format, is a step in that direction.

I’m taking a more active role in the direction of my career, moving it in new directions, and I think it’s time for a retrospective.

Until a few years ago, I worked on a team that supported primarily department web sites (for the Office of the Chancellor at Minnesota State Colleges and Universities). I thought of myself as mostly a backend guy: PHP and mod_perl web development, Apache and MySQL administration. The others on my team did more direct support of department users. Or so I told myself. In retrospect, I did a lot more user support and was more closely connected to the front end than I believed. I was (am!) still the web standards advocate leading the way in CSS adoption. I was (and am) the accessibility guy, leading accessibility instruction for our college & university webfolk and even faculty. I don’t say this to toot my own horn, but rather to highlight that even though I thought of myself as a backend developer, I was very closely tied to the user experience. Certainly my Java programming colleagues on the other web team in the office knew this, but they readily admitted to hating HTML, CSS, and JavaScript, so were eager to find someone who gave a rat’s ass about that side of the work.

Not much has changed, come to think of it.

When my position got shifted in a reorg and I got moved onto the Java team working on enterprise web apps, I became the UI guy. On a team of Java programmers, most of whom were new to web development, this made sense and it’s a role I readily took up. Our web apps look like crap. They could use some updating. The team structure was a mistake: hiring began before our supervisor was brought in to weigh in on skillsets that we needed for web development, so we ended up with a team who all think of themselves as Java programmers instead of web developers. Sure, they’re smart people and decent programmers, and maybe web development isn’t rocket science, and I mean no disrespect to my coworkers, but geez it makes a difference in the quality of apps you produce. But I’ve already written about that and will write more.

My role right now is primarily defining the user experience. I work with business analysts and stakeholder groups to spec out the user interface and application flow, and help the developers work out the annoying details like how to do something with JavaScript or CSS. It’s fun work. The past year or so I haven’t been too involved in much coding — and that’s okay, since I’m not a huge one for JSP and my feelings about Java as a web development platform are known and not favorable. :)

Another part of my role that I’ve been trying to expand is web application security. So far there aren’t a whole lot of people pushing very hard to make it part of my job, but that situation is improving.

What’s missing is a connection to education. No student contact, although I’ve been working on software for student services. I don’t feel a connection to online learning, to educational technology … I’m privileged to be a part of an educational system: I grew up wanting to teach and still want to be involved in education, but really I’m not. Organizationally we’re divided sharply between academic and administrative systems, and I’m on the admin side. I hope that distinction will blur, that we can put development resources more directly toward educational goals, but we’ll see.

A recent meeting also made me realize that I feel out of touch with open source software. I’ve taken it for granted. Almost everything I work with is open source — web frameworks, JBoss, Eclipse, LAMP —. Some of that has been a struggle, and and it’s easy to forget the struggle and overlook when open source isn’t even on the table in places where it makes sense: data warehousing, content management systems. (Actually, I didn’t overlook open source in the CMS question, I threw up my hands in disgusted exasperation after six years of inaction.) Anyway, open source is making inroads into our colleges and universities, and I want to find a way to be a part of that.

I feel like I did in college, when I spent an ungodly amount of time wrestingly to unify courses of study in French, historical sociolinguistics, religion, and medieval history. I want to bring together web standards/user interface/user experience, dynamic languages, agile software development, open source, educational technology, and security, all while still trying to do the day-to-day work necessary to get software out the door.

Which we barely do, but that’s another story.

Sometime in the last few months, it struck me that I haven’t been taking active charge of my career, I’ve just been going wherever events have taken me. That’s not entirely true, of course, since I did get the hell out of my HR job when I realized that it was being pushed in a direction I didn’t like. I don’t want to just float along anymore.

I have decided that if I need a focus in my career, it won’t be user interface. It will be security. Through everything I’ve done, that’s been a common thread. As I mentioned here a short while ago, software security is a big problem, the elephant in the room that is partly responsible for what Noam Eppel describes as The Complete, Unquestionable, And Total Failure of Information Security. At MnSCU, we’re taking steps in the right direction toward improving software security, but we can always do more. I’m running up against a wall in what I can do as a single developer to infuse security into our software development life cycle. I can work from the bottom up, but I’m realizing that we also need to work from the top down. Secure development should flow from and be traceable to policy, to help identify standards and establish metrics. But all the policy and best practices in the world won’t help if the developers don’t know how to write secure software, and the architects don’t know how to, well, architect with security principles in mind. We need to approach the problem from both directions to be successful.

My secret goal over the next few months is to lay the foundation for more of that top-down software security work, while continuing to push more aggressively up from the bottom.

And in terms of professional development, I may well pursue more schooling. I have a lot to learn.

So expect a lot more writing about security here. Along with everything else, of course. Plus ça change…

Bill de hÓra, Using IM for grid computing:

When I look at the OGSA stack I’m fairly sure XMPP is to Grid and JINI as HTTP was to WS and CORBA. Give it a few years – instant messaging is where real commodity grid action will take place.

Yes. I’ve been poking at Jabber for four or five years now, drawn not only by the idea of open source and open standards for instant messaging, but also what the idea of presence might mean to software. Grid computing is a fascinating problem space, one for which I feel I have an insufficient computer science background to completely grok right now. But from what little I understand (not much more than you get from Tim Bray’s explanation), XMPP and something like the Jabber XCP would be a good fit.

From a comment by James Governor on Bill’s post, I see that Coté discussed what presence might mean for systems management, well worth reading. I wonder if the Open Management Consortium people are thinking about this. He also gives an example of how presence might be used to facilitate messaging at a transaction or business object level in application programming. That’s the sort of thing I’ve been thinking about on and off over the years. A platform like Java’s may have its own messaging framework or three, but cross-platform messaging using something other than SOAP and HTTP would be nice. Coté touched on this, too, with his comments about the web services monoarchitecture. Seems we’ve been here before… Presence just adds a whole new interesting wrinkle.

Bill also points to ejabberd. Why? Because it’s written in Erlang, a language that was designed for distributed, concurrent programming, which seems obviously useful for grid computing. Erlang may well be my next language. I’ve been thinking that it might be Smalltalk, or Lisp, or Haskell (the latter because I want to work with more and different examples of functional languages) but Erlang is a contender. The problem is that as I have not needed to solve many concurrent programming problems, I may not be ready for Erlang until i’ve got a few more years programming under my belt, or a really nasty project to work on that fits nicely in its problem space. Like, say, a large, distributed IM and presence messaging network for which I want to use ejabberd.

After just a year of benign neglect, the grass in our front yard has given up and died. If it happens that easily, it tells me that we’re dealing with a non-native grass. I’m not one to obsess over my lawn, so I’m not about to fertilize the hell out of it every year for the sake of a grass that doesn’t even belong here. No, now we’re on a mission to turn our front yard into a native prairie.

Perhaps that’s a bit extravagant. (Are prairies extravagant?) It’s a small lot; I don’t know that it will count as a prairie. But they will be prairie plants.

Over the next several years, we’re replacing our front lawn — such as it is — with grasses and flowers that are native to this area, that thrive in medium-dry soil and lots of sun, that will require less maintenance and be better for the environment. We started by going out to Landscape Alternatives, a nursery that specializes in just this sort of project. They’re great people who really know their stuff. I heartily recommend them.

We’re starting this year by tackling the 4-5 foot hill going down to the sidewalk. We’ll lay down six or more layers of newspaper covered with wood chips, to kill the grass and weeds that are there now. Then we’ll put in the plants, one every square foot, water it a bit, and carefully weed over the next year or so. After that, the plants should come back happily on their own, and suppress most weed growth on their own.

Over the next few years, we’ll move back toward the house bit by bit. We’ll have a stone path, a bench, even a hammock and a koi pond! Maybe not the pond. Neither of us is a gardener, so even this year’s small step is an ambitious project. But I’m very much looking forward to it.

I spent the weekend with Friends in the woods at Northern Yearly Meeting. Kiara’s the Quaker in the family; I just tag along for the good parties. Since my beliefs and values are very much in line with the Quakers, I’d attend Twin Cities Friends Meeting with Kiara were my time in meeting not overwhelmed by a voice in my head screaming “THIS IS WRONG THIS IS WRONG GET OUT GET OUT NOW!” I take that as a message that I shouldn’t be there. :-) But I do go to NYM with her and the kids.

I value this weekend as a rare opportunity to enjoy long stretches of contemplative silence — among those who do not question the value of silence.

This year NYM was again at the Wisconsin Lions Camp, in a quiet, wooded area northeast of Stevens Point. Attendees have the option of sharing a cabin, which we did last year, or tenting in the woods, our choice this year. We arrived after dark, stumbling through the woods to find somewhere to pitch our tent, vainly trying to hush Owen so as not to wake others around us. Pretty comical in retrospect. We set up the tent a ways back in the woods from the camp, only to discover in the morning that we’d walked right past the main tent area. Still, we liked being in the woods: it was quieter, and I liked seeing the night sky through swaying pine trees. The boys slept well in the tent, not even waking up during the violent thunderstorm that swept through and sent many of the other tenters scurrying inside.

I don’t say this to brag. Were we not camped away from the others, we would have been alerted to golf-ball-sized hail as well, and sought shelter on the graciously volunteered cabin floors.

Owen spent his mornings in child care, playing with other kids his age. It tuckered him out so he would sleep soundly if we could get him too nap. On Sunday, he wouldn’t nap so I took him for a walk around the lake. He made it halfway around before asking me to carry him, and fell asleep in my arms 5 minutes later. Let’s just say I got my workout this weekend, although not one that my chiropractor would approve.

Kiara wasn’t able to attend much of the business meetings (Meetings for Worship with Attention to Business; the Quaker decision-making process is fascinating) because she had Alec in the infant/toddler care, but we’re working on a way to change that next year. And she did discover that she likes sacred harp and shape note singing (not sure if there’s a difference).

And me? When I wasn’t establishing that no, we hadn’t lost the keys, they were locked in the car, I was either in the woods on a walk around the lake, or playing with Owen. It was a good weekend.

It looks like OWASP is running on new software, MediaWiki by all appearances. Hopefully that will work better than whatever they were using before. I know that getting the local chapter pages updated has been an ordeal.

I gave a talk about web application security testing last year and started to write up my notes, but somehow I never quite finished them. I’m unlikely to do so in this format but thought I’d at least post the notes as they stand. Things have changed in the past year: I have a better handle on threat modeling (and Microsoft has released a couple new iterations), we’ve seen great new tools like Firebug released, the Build Security In portal was released (although I still think it’s of more interest to developers than architects, which is an okay thing), there’s been more work published on abuse/misuse cases, a new OWASP Guide was unleashed…

So on the off chance they are of value, here they are: notes for Web Application Security Testing talk.

Kiara just told me that she was talking with some kids who regularly watch Smallville, and had no idea that Clark Kent becomes Superman.

Just had to share.

What a damning title for this post.

Peter Williams has started working with PHP. He comments mostly about the syntax and with the understanding that he’s writing about PHP 4. Some of that has been improved upon in PHP 5: exceptions, for instance, to which Matt Zandstra has written a good introduction. I agree with a lot of what Peter says. DHH has a point: PHP is not pretty to look at, and sometimes it’s ugly to use. Using -> as a method invocation operator is unpleasant (Perl does the same thing, but in Perl 6 it’s a .). It’s a small thing, but small things add up. I don’t like to use PHP because I like the syntax of the language or because it’s a joy to write PHP code. I like to use PHP because it gets the job done, sometimes quite powerfully. And it’s a helluva lot better in PHP 5.

It is a joy to write Ruby code. Just want to say that. Coming from Ruby to PHP, that’s gotta be hard.

At first I thought Peter was being a bit over the top complaining about PHP’s requiring explicit statement terminators. Then I thought back to how much time I’ve spent tracking down bugs that turned out to be a misplaced or missing semicolon. He’s got a point.

So I should explain the Hughtrain cartoons. Just so we’re clear, I’m not quite as bitter as you’re about to think I am.

I work in IT for a large public higher education system.Not long ago I had a revelation that almost all the technology innovation I see at work isn’t happening in IT. Instead I see it coming from a few people in particular within Academic and Student Affairs who push for tech innovation to support the educational mission of the system, often introducing technology themselves because IT is out of touch. I realize that some of this is because ITS at MnSCU has been pathetically underfunded and can barely manage skeleton support and subsistence. And I’m not being entirely unfair to my IT colleagues: I said almost all technology innovation. But still.

You might picked up on it here if you’ve been reading along the last couple years, but I’m more than a wee bit frustrated with a development process that strongly favors multi-layer committee approval of every damn little thing, and careful planning of work months in advance. See, we operate at the intersection of higher education and state government. This tends to slow things down a tad and quash any chance of doing anything even remotely cool or even useful.

There. I came out and pegged myself as a developer: I want to build cool shit. But it’s not really that simple. I keep thinking that we’re operating in a post-Cluetrain world, that the lessons have been absorbed and that people are clued into what’s happening with what’s been happening with web development the last few years [1], and reality keeps smacking me down. I am consistently disappointed by the caliber of the web apps we’re slowly churning out. Top-down, faceless, human-less “enterprise” development. Our intranet is stagnant, except it’s brand-new and public-facing. Unless we break free of what is pretty damn close to a waterfall method, we’re screwed. I believe that we’re committed to doing a good job, I just don’t think that many of us are all that interested in doing a totally fucking amazing job.

But hey, that’s me.

I still have hope of sneaking something in. I’m finding ways to push the confines of narrowly defined use cases that still meet the specs and that make the apps better. And at least I’ve started telling my coworkers that I think it’s our job to write kick-ass apps — or rather, apps that help users feel like they kick ass. I’ve obviously been brainwashed by Kathy Sierra. Thing is, she’s right.

Pity no one liked my idea of running the student housing application as a first-person shooter. Just as well, I don’t think that the oughta-be-Quaker in me would be comfortable with the violence. I wonder if anyone will bite at running registration like fantasy football? :)

There. Now I’ve pegged myself as a developer and completely loony.

[1] – i.e. Web 2.0 — yes, I use the term willingly. Now you know I’m loony.