Safety First: A New Mantra for America

I don’t ever watch the news on TV.  Maybe once a month, generally while sitting in a waiting room of some sort where you can’t help but listen to the TV blaring away in the corner.

A few months ago I was in that situation, and listened to Mayor Bloomberg utter the now all too common refrain that “safety of residents was his top priority.”  I don’t want to focus in on the specific situation he was referring to or anything along those lines, I just want to comment briefly on a once-bedrock notion that seems to have been lost permanently from the American Psyche: safety or security is not an ideal in and of itself.

Let me explain.

If you hang around geeks long enough, you’ll hear them discuss the security and safety of their computers.  There’s lot of things to secure (and thus talk about) too: their code, their servers, even security of non-computery things and other physical devices.  At some point, you’ll hear a version of this statement: “The only secure computer is one that’s turned off, unconnected to anything, encased in a block of concrete, sitting in the bottom of the ocean…and even that’s not going to be completely secure!”

What’s really being said here is that security is not a binary function of yes/no but a continuum between two mutually exclusive goals: utility and security.  In other words, security is a process during which intelligent and thoughtful trade-offs have to be made just to get stuff done.  This is why you will find nerds, geeks, and other computer professionals disproportionately critical of many modern security measures, processes, and other “security theater” institutions like the TSA.  Computer people already have a wealth of experience trading perfect security for reasonable security in order to achieve things, and we’ve done so without coercion or legislation or massive cost to the user.  The technology security analyst’s job is literally right on the pain point between these two opposing priorities and it’s often not pleasant, but that’s their job.

Back to America and our newfound obsession with safety and security.  Ben Franklin has an iconic quote (often paraphrased) which we seem to have lost sight of:

Those Who Sacrifice Liberty For Security Deserve Neither.”  

It’s as clear a signal from the framers of the United States as to what kind of country we were to be.   There’s an even more powerful quote which I’ll discuss in just a moment.

I’m not a George W. Bush fan, but I eagerly bought his book “Decision Points” when it came out and very much enjoyed reading it.  It clearly wasn’t ghost written, which was refreshing.  He plays fast and loose with the facts in a few places, and revises history in others, but the first chapter is genuinely inspiring as he documents his battle with alcoholism.

I found myself respecting him more after reading the book and I also gained a lot of insight into his thought processes.  Over and over again he justifies his, uhh, decision points by claiming that his primary duty was to keep Americans safe.  If you listen to talk radio even just a little this is a refrain you’ll hear over and over again.  We have to keep Americans and America safe.  We have to keep our allies safe.  It’s mentioned by commentators, newscasters, senators, congressmen, presidents, and people. Safe. Safe. Safe.

Except Bush, talk radio personalities, and anyone else who believes that safety is our ultimate priority are all wrong.  The founding fathers knew what they were doing when they designed the oath of the office of the President of the United States:

I, <name>, do solemnly swear (or affirm) that I will faithfully execute the Office of President of the United States, and will to the best of my ability, preserve, protect and defend the Constitution of the United States.

Presidents and Congress are to protect our Constitution, not Americans, and in doing so they protect America.  Pure safety is unatainable, and to get as close as we can to pure security means totalitarianism, and no happiness, life or liberty.  Just like with the almost-safe computer sitting in the bottom of the ocean, a purely safe life means being locked in a room in the bottom of the ocean where nobody can harm you.

We need to stop pursuing this idea that the end goal of America and Americans is safety.  I don’t want to live a safe life.  I want to live a fulfilling life, one that’s full of adventure and creation and freedom.  

We need do a better job at educating ourselves about the true risks in life.  The reality is that it’s much more dangerous to drive and pickup a pizza than to fly.  I’m more likely to get hit by lightning than be a victim of terrorism.  

There are dozens and dozens of examples that document how we’re living in an age of extreme safety and relative security, and none of this is due to security checks or military spending or increased wiretapping.  I’d encourage you to do the research and see if you come to the same conclusion.  

Back to the American oath of office.  Think of how natural it would have been to make the chief goal of our President be the security of his people.  Swearing an oath to the constitution was no accident.  Think of how easy it is to make bad decisions if all you care about is safety.

We have a higher calling in life than to be safe.  Most of history’s meaningful changes have been very unsafe affairs.  We should expect our leaders to understand this and we shouldn’t accept safety as our prime directive or even as a goal in and of itself.

Moneyball and Software Development

I really enjoyed the book Moneyball.  I didn’t enjoy the movie as much.  The pacing seemed off and Brad Pitt seemed like a bad choice for the lead.  There also seemed to be this intense desire to inject drama and controversy into the film’s plot which was ironic when the point of the book is exploring a purely rational approach to a very subjectively emotional game.

Read the book, watch the movie.  The question that many will ask following experiencing either is “How could economic theory apply to my profession?”  I’d like to spend a few minutes thinking through some Moneyball implications with regards to Software Development.

fashion driven

Talent vs Grit

hired at enty level

flame out

amazing programmers start their own companies or are never heard from

Maybe more than any other profession, software development is impossible to “game”.  In other words, good programmers really are good, and you don’t see guys who don’t do a good job churning out software that works.  Yes, it is possible to have some sort of awful application made by crappy programmers, but eventually you’re going to have to pay the piper and address the technical debt you’ve been accumulating. 

Privacy on the Web

The last couple of weeks have been quite eventful regarding Privacy issues on the web, although, it’s unclear to me how much of this has been noticed by the general consumer.

  • Facebook has released updates to its platform, which bring about two privacy-impacting changes: your life’s “timeline”, and the inability to logout from Facebook as they’ll continue to track you across the web.
  • Amazon’s new Kindle Fire tablet, with it’s “all new but not really” cloud powered browser, Amazon Silk.

As a stockholder, I love Amazon’s new tablet offerings.  For the Fire, the price is great, the physical seems good, the OS looks good in the screenshots.  The only real disapointment to me on the Fire was the pretty miserable battery life (only 8 hours?).  The release of these devices is perfectly in line with Amazon’s true mission statement as being the World’s Best Fulfillment company.  Whether they’re delivering books, baby formula, computing power or movies, they’re the ones fulfilling it, and the Kindle line of products continues to be a digital extension of Amazon’s famous, highly efficient warehouses.

As an armchair privacy advocate (hey, I donate to the EFF and Software freedom!  And I use Tor!) I’m reasonably troubled by the Amazon’s cloud browser.  Unlike what millions of nerds thought when they watched the video, this is not new.  Opera’s been providing this service on their mobile browser for years.  This is how many high latency (read: Satellite) providers implemented their browsing experience.  This is how Blackberry used to provide their browsing experience.  It works by keeping a persistent connection open to Amazon’s cloud and heavily cache content saving DNS lookups, connection initiations, and on being able to prefetch common navigation paths.  Amazon does get points for telling us they’re going to track our browsing habits in the Terms of Service, but this is yet another one of those small but troubling erosions of privacy that I believe the normal consumer is simply unable to rationally comprehend. 

Except this IS different from Opera/Blackberry/Others, because Amazon has a much higher incentive to use this data in initially innocuous but eerily invasive and potentially damaging ways.  Remember, as a shopper and a stockholder of Amazon, one of my favorite assets of theirs is their incredible recommendation engine, which is now being bolstered by information on what websites you visit, in what succession, and how long you spend there.

We need a Privacy Nutrition Facts.  It doesn’t need to be regulated, but it should be voluntary, easy to read, and prevalent.  Just like how Firefox and Chrome solved the Phishing problem by warning you when you’re on a risky domain (combination of crowd sourcing and URL parsing looking for those password strings), we need a way of accurately conveying risk to the consumer. 

Are we all sure that we want to be offered books about marriage counseling due to a few Google searches?  Do we want ads about relocation options and moving supplies appearing on my work browser because I visited a job board last week?

Don’t we at least want the option of making the above decisions without needing to have a Computer Science degree or reading in-depth technical blogs or reviews of every major new product?  I do.  Just like Apple removed a lot of maintenance work from my life with their products, at some point it’d be great to not have to spend time on security due diligence with every gadget or service my extended family purchases.

And as for Facebook – they’ve long been almost blatant about how little they care about privacy.  The new flap over them tracking you around the web even after explicitly logging out is crazy and was defended by some as an “oversight” or part of the new strategy of “frictionless sharing.”  I’d go so far as to say they’re now actively endangering users on the web, and it’s their “aww shucks” attitude fronting for their true corporate priority of privacy non-priority that makes it particularly infuriating.  But at least in my opinion, most of the “Aww shucks” is coming from new/young/sniped-from-Google-or-elsewhere employees of Facebook who desperately need to justify the mental model they have of Facebook as a company who cares about its users.  I don’t think there’s any confusion over the true corporate intentions, which are evidenced by action after privacy eroding action.  

Lets just say that I’ve added rules to Adblock to torch all Facebook cookies ( see here , there are also some plugins that do this for you now as well).  It does seem that they’ve tweaked their disingenuous logout procedure some in response to the controversy, but how many of their 500 million users are even aware that this every happened?  And they still track you, just “not as much”.  In healthcare we’ve learned that deidentification of large data sets is almost impossible, and AOL’s CIO got fired for not learning this when he release de-identified search results – when will we learn this with social networking as well?

To sum up – privacy is really important, and in many ways it has become an even more urgent problem with the variety of broadcast style mechanisms we have out there that are learning our habits and likes and dislikes, increasingly with an eye towards monetization.  Maybe it’s the next great must-have plugin – a crowd sourced privacy grade for sites and application.


PHP Sucks!

Software development is a remarkably fashion driven industry.  I’m definitely guilty of the default “newer is better” mindset that many technologists have, but one of the more bizarre fashion statements I hear constantly nowadays is “Oh, I mean, you know how PHP sucks.”

I hear it at conferences, from developers old and young, in companies large and small.  Modern languages like Python and Ruby are better designed, maybe have cleaner syntax, have a few features that PHP does not, maybe even better library support, and they’ve got Rails and Django.   It’s natural to conclude that PHP Sucks!

A few years ago when we started incorporating Ruby into our platform, this gospel was so well ingrained that when we found that long-running scripts chewed up a lot of memory we blamed PHP.  Because it sucked!  People were actually rewriting scripts into Ruby because they could run for a day without running memory, until someone noticed that there was a leak in our internally built database abstraction layer (wich Ruby didn’t use), fixed it, and made PHP suddenly so much better.

But when I talk to developers and hear that statement, I like to drill in on why they think PHP sucks and here are the common reasons, in no particular order:

  • We use PHP it at work and there’s so much legacy garbage code.
  • PHP encourages bad programming.
  • PHP doesn’t have the developer mindshare that Ruby enjoys.
  • All the best companies use Python/Ruby.

PHP is older.  It has a good 5-6 years on Python and Ruby and that includes an incredible amount of growth for the web.  It was heavily used prior to frameworks and Ajax and Web2.0 and standards around TDD for the web.  Legacy garbage code is not the fault of the language, it’s the fault of the developer.

PHP does not encourage bad programming.  Bad programmers or bad organizations encourage bad porgramming.  Blaming PHP for our lack of discipline is setting everyone up for failure the second time around with a different language.  I’ve seen just as much bad Ruby code as PHP, it’s just there’s usually less of it because there’s only been a few years for the Ruby stuff to accumulate.

PHP doesn’t have the same developer mindshare on the cutting edge, at least as far as I can tell, and there is some merit to the idea of using what is being progressed, but there are good PHP alternatives to a lot of the key cutting edge Ruby or Python projects.  Looking for a good framework?  Check out Symfony2.  Behavior Driven Design guys should check out Behat.  Heroku and several others now support PHP.  My guess is that “new car smell” of a new framework and new project is what people are really after.  Spin up a new project on PHP and use some of its modern conveniences and see if you agree.

Many good companies use Ruby or Python, many use PHP.  Here’s a company defending its use of PHP a year ago.  There are still more lines of PHP code out there in some really great products written in PHP.

Bottom line: PHP doesn’t suck.  Guns don’t kill people and neither does PHP.  I’m not saying that Ruby and Python and PHP are all equivalent, but I am saying lets put down the fashion statements and really say what we mean.  Without truly understanding our reasons behind language choice, we’re doomed to make really stupid mistakes like the anecdote above, and faulty decision making processes that hide true requirements produce bad decisions.

I also like trying new things.  My last two projects were a Rails and Django project.  But when asked why I was using them, I said “to learn” not “PHP Sucks!”  


Lack of 301 Redirects with Posterous is Really Dumb

Posterous’ lack of any kind of 301 redirect for imported URLs is really really dumb.  For the life of me I can’t figure out how their so-called migration process could be considered finished and ready for use without this, especially since the default WordPress URL scheme is different from theirs.  Even worse, as far as I can tell, there’s no way to customize the 404 to even point users to the fact that they could go to the main domain and search for what they were looking for.


Goodbye WordPress (For Now) ran on flat files for the first year or so, then I built a custom blog engine (this was before WordPress or really even blogging had been coined).  Then from about 2003 until today I’ve used WordPress.  The problem is that WordPress has become really time consuming to manage.  You need a server, which needs to be upgraded, and there are new updates coming out all the time.  These updates can break your theme, will break your plugins, and generally require a lot of fiddling.

I need this to be as simple as possible, so I made the switch to Posterous, and we’ll see how it goes.


  • Comments are gone, sorry.  Maybe one day I’ll fish them out of the wordpress XML, but I doubt it.
  • Formatting is a little messed up on some posts.  I’ll probably fix the more popular ones at some point.
  • Links are broken – this one is actually really annoying and is something Posterous should address.  If they don’t want to support your old URL scheme, they should offer to redirect them sanely.  Or at least provide you guidance on their 404 page to click through to the blog you’re trying to hit.

Oh well – the advantages of less maintenance and less friction overall are worth it for now.

Web Development on Mac OS X (Lion)

Others have written about this before,  but I’ll underscore the sentiment that managing a local development environment on OS X where that environment requires Open Source Software is a royal pain.  At the companies I’ve been involved with, we generally eschewed local development environments and instead gave everyone access to a development server that included the requisite databases and web servers and vhost entries.  It worked OK, but there are some significant drawbacks.  Namely, unit testing, environment experimentation, single point of failure if the dev environment goes down, and the needs of a developer to refresh their own copy of a dev database or make other similar changes tend to suffer.As a hobbyist with a simpler environment, or as a developer that’s deploying to Heroku or other cloud platform, local development is the way to go, and here is where Mac OS X makes life difficult.  There are several package management systems out there that tend to step on each others’ toes (and it seems language and framework ecosystems always prefer the one that you’re not using).  Mac OS X also tends to haphazardly ship versions of Python or Ruby or whatever that are a couple of versions behind, then not upgrade them until they do an OS refresh.  That refresh (cough, Lion) will fail to mention it’s upending your world until you try to use your environment that’s always worked.Here’s my solution: just use VirtualBox.  Deploy an Ubuntu or Debian server, link that server to your local development directory and you’re done.  Then use the excellent package management that Linux affords to setup your environment in about ten seconds.  This has another advantage in that you can also use all your deployment hooks (Chef or Puppet) that you’re using on your production servers.Once you’re up and running, here’s how I work: I edit and run git from outside the virtual machine, and run the environment and web browser from within the machine.  Still todo: see if I can use my OS X browser to hit the virtual machine’s private IP so that all my tools are running externally (a little easier for workflow) so the virtual machine is just acting like an external server.Now you have a fully fledged (free, and always available) server, and you can still retain your Mac toolchain when and where you want it without worrying about Apple and OS X pulling the rug out from under you.  Remember: encapsulation of a work environment is just as important as encapsulation of code.