Wednesday, December 21, 2016

The bug of security theater


It seems like the Internet and web-based services have been around forever and work well – from anywhere, just open up a browser on any device that supports Internet browsers. Well, at the end of 2016, there is a new bug going around, preventing many different services from serving. The bug of security theater.

After many a security breach, billions of records exposed or stolen, millions of people affected in some serious or minuscule or unknown ways, the providers have learned that security matters. However, security breaches are still relatively rare, unsystematic, and often caused by an ‘oops’ – some singular event that wasn’t supposed to happen, like operator error. In many cases, there is simply not enough information on how to prevent the break-ins and unwanted exposure or loss of data. In other cases, providers may be able to do somewhat better – but at the great expense of re-training staff, updating and enforcing stricter policies, and re-working technical systems.

Still, there is something that is relatively cheap and easy to do, and improves security – at least in the eyes of users and media. Security theater is commonly showcased in the user interface. Many-factor authentication, secure codes sent by email or text message or by audio in a phone call, highly sophisticated personal and public questions going back many years for the users to answer – all for the privilege of accessing the same old web-based email account.

Many providers are requesting a smartphone number to authenticate against, which is good for them – more data, but bad for us – more advertising phone calls. Many providers require a live exchange of data over the phone or email before allowing access, which is hardly good for them, and definitely bad for us – the wait times are often unreasonable. Still others insist on following up online communication with a phone call – which is bad for everybody, because if we wanted to communicate by phone, we would not bother with online access at all.


Security is different from security theater. Security is hard, and should enable us to do more business. Security theater is cheap, generates a false sense of being protected (and very real frustrations), and prevents us from doing things we want to do.


Monday, December 12, 2016

Conversations on diversity


I want to share a few interesting conversations with or about women in the technology industry:

A young white American male, on attending Grace Hopper Celebration - a conference by and for women in computing
- It felt really weird to be part of the small minority of men there. I usually feel like I belong when I go to technology events, but this was different. 



A different young white American male, works in a heavily male-dominated office
- So, as a member of the majority, what can I do to welcome more women to participate in tech?
Another young white American male, same workplace
- But we welcome women! We are a total meritocracy.  Women just do not apply.



Mid-career software professional, female, working in the public sector
- Yesterday, I suggested researching a way to automatically add new users to "AR" group. I said it three times. It was ignored and dismissed. By the end of the meeting, Garry said the exact same thing. Adolfo carefully recorded it in his plan of action.
Experienced white male, in response to the woman’s comment above
- Sad that it upset you so much. How much easier would your work be if you just shrug and ignore, or even better, do not notice these little injustices. The credit, that little bit of authorship honor, was stolen from you. The whole incident was a waste of time and emotions.



Another professional woman
- I get a flood of emotion when I realize that consistently in our staff meetings one of my male coworkers echoes my comments or objections loudly for the whole group, either in agreement or augmenting them with his own thoughts in legitimate discussion. This is the first time in my career that I feel consistently heard, even with the many female coworkers I've had. And he is raising a daughter.




Saturday, October 29, 2016

Brilliant hare?



We called him Tortoise because he taught us. - Lewis Carroll




In a conversation about work, a colleague mentioned a person who was perceived as absolutely brilliant by everybody who knew him. People believed he was brilliant, because he was always coming up with answers for every complicated technical problem or question very quickly.

Being quick is important for success. ‘Quickly’ is one of the more popular words in LinkedIn recommendations. Speed-reading, speed-listening, and occasionally even fast typing, are considered good and important skills for technology workers.

Yet, quick can be an enemy of good. Quickly pushing out code typically leads to bugs, technical debt, and poor architecture. Quick decisions often turn out to be poor – or maybe not, but only if they happened to be lucky, rather than well thought through. The engineer everyone’s raving about for quickly fixing bugs is quietly introducing dozens of new ones.

“Thinking, Fast and Slow” by Daniel Kahneman talks about the different ways people are wired to think: one by applying simple rules and pre-existing biases, the other by consciously considering all available information. The ‘quick thinking’ leads to stereotyping and to emotional, subconscious choices. The slow option is the opposite – calculating, conscious and effortful.


It may be time to rethink what it takes to be brilliant. Slowly.