Talk About Quality

Tom Harris

Security: Small is Beautiful

with 2 comments

A Story

Imagine a new procedure for your next group event. First, I tell you that you have too much stuff, so leave all your bags — backpacks, jackets, etc. — on the sidewalk outside. Then I round up some friendly volunteers off the street, and pay them minimum wage to watch your belongings. Finally, I gather some more volunteers and send one to each of your homes to browse around while you’re not there.

With Too Much Personal Data, Security Is Broken

Sounds crazy, but this is the current situation with information security. With Moore’s Law to thank, we all have much more personal data — mostly photos and videos — than we can store and protect ourselves. So we put them “In The Cloud” on some provider’s remote server. Other personal information such as financial, medical, and government records, are stored at bank, hospital, and government data centers that don’t always do the greatest job of protecting them. (Think store credit card breaches.) Meanwhile, on the most common computer we all operate — the smartphone — we run apps written by strangers that ask permission to do just about anything on our phone. And we grant that permission.

Self-Securing to the Rescue

Is there any hope? I think there is — there has to be — but it’s not in more network firewalls or PC antivirus programs. (Still, better keep those running until better alternatives are available!)

Here’s what I see as trends for a 3+1 solution:

  1. Firewalls not per network, but per application: protecting itself against virus infiltration and data theft
  2. Every task individually sandboxed, so that no task can be hijacked to do hackers’ bidding
  3. All data encrypted so even if it’s stolen or intercepted, it’s not useful or public

All these methods are available, some even with operating system support and commercial products.

The “+1”: Authentication

With every application and file locked down from the wrong people, the rightful owners still need access. So we need reliable, personal, easy-to-use authentication as well. Biometrics seems to be the way to go, but it has to be distributed back to the owners — each of us — otherwise we’re just creating another central database waiting to be stolen.


While these technologies are on the way, there are still challenges from competing interests and behaviors.

One is governments — even the ones trying to protect us. The first encrypted e-mail service shut down rather than submit to government surveillance, and a second one followed soon after, even without any immediate legal threats.

The other is us — businesses and clients not ready to do our part for personal information security. I could mention easy-to-guess passwords, but here’s a better example. The other day I received a personal file by e-mail from an insurance company. The file was attached, encrypted. Sounds fine, right? Except the insurance company’s software generates the e-mails with (a) the encrypted file attached; (b) the text of the unencrypted e-mail saying that the password is my id number and (c) my id number in the subject of the e-mail!

My Prediction

It’s going to take a while, and more denial of service events and data breaches, but the current situation is untenable. Governments and the information security industry, including big players and startups, will work together to develop and deploy standards, and easy-to-use systems, that delegate security to each application and file, and authentication to each legitimate user.

Until then, go outside to the sidewalk and see if your stuff is still there where you left it.

I presented these thoughts at the recent CyberJLM #3 in a 5-minute, no-slides, lightning talk format.

Written by Tom Harris

December 28, 2014 at 11:37 pm

Posted in Cybersecurity

Agile Revolution Breaks Into Business and Life

with one comment

Agile has been transforming software organizations one by one since the turn of the millenium.

Quadrupling productivity while making people and teams happier.

Modern work and life is knowledge-oriented, fast, and ever-changing. That’s what Agile addresses.

Why doesn’t anyone outside of software development adopt it?

Steve Denning, in a 2012 Forbes Magazine article, called it The Best-Kept Management Secret On The Planet.

It’s still pretty secret, but it shouldn’t be. The word “software” appears only once in the four statements of the Agile Manifesto. Three times in the Principles of Agile. Just replace “software” with “anything”.

Need confirmation? Try Ana Willem’s Should Non-technical Organizations model Agile principles? (no brainer).

So who’s doing it? Who is being Agile in their business or their life?

Here are the very few examples I’ve found so far:

Can you share more?

Written by Tom Harris

December 18, 2014 at 9:34 pm

Posted in Agile

Agile Travel — Does it Pay?

leave a comment »

Can you get quality and on-time performance at less cost, based on discipline, openness, and prioritization by value to the customer? Agile says you can. I decided to put it to the test even while traveling to an Agile conference in London (RallyON Europe 2014), by traveling a no-frills airline into Luton, UK. You guessed it, it’s EasyJet, the airline where the only thing that’s free is the orange color scheme that makes everything from the check-in area to the seat headrests look like a children’s playground.

My no-frills experience started while packing. Several readings (or viewings — they have a video too) of the EasyJet cabin baggage policy. One carry-on bag allowed. ONE. They make every effort to be “open and upfront” about that. And two size limits: a normal one that they might still check (for free) if the flight is crowded, or a really small one — 50cm x 40cm x 20cm — that they guarantee you’ll be able to take on the plane.

So I got that into my head. Flying a no-frills airline is easier if you’re prepared. Pack light. Pack only the one bag. Make sure it meets the guaranteed carry-on requirements. (Tip: While EasyJet allows online checkin for all flights up to 30 days in advance, don’t check in until you’ve made up your mind about bags and seats, because after that, at check-in, the prices are higher.)

I measured all the carry-on bags we had in the house, then put them aside and chose a medium-sized day pack instead. Packed minimally and measured. It just fit the guaranteed carry on baggage size as long as not filled too fat. Nice clothes for 3 days, a laptop, a few other small essentials. True, I’ll have to repack carefully each night so I’ll be ready for the return flight. Trading that discipline for the convenience of just throwing everything in to a large suitcase at the end of the trip. Added benefit is that I’ll be able to walk or metro easily wherever I need to get to, hands free. Just the light backpack. Less is more.

Trip to the airport. I was traveling from a warm climate to a colder, rainier London, so I was a bit warm wearing my layered sweater and rain jacket. I took them off when safely seated on the shuttle bus, and to be sure to remember them, I repeated the mantra: “You have 3 items: jacket, sweater, backpack”. The sweater would actually prove useful later — over a short-sleeve polo it kept me comfortable on the air-conditioned flight. No need for one of those airline blankets. Which EasyJet does not supply.

At the aiport. On arrival, I discovered that EasyJet departed from an old terminal rather than the new one I was used to, so I jumped off there and asked my way around. Separate terminal for check-in but I realize now I probably didn’t have to go there. My boarding pass did say that I could have gone directly to security, passport control, and gate at the main terminal. But everything was smooth and not crowded at the EasyJet security and passport areas and shuttle back to main terminal was quick too. Let me out straight into duty free as a transit passenger.

Onboard. The phrase that comes to mind is “nickel and diming“: EasyJet charges extra for everything. But I changed my mindset — can’t think about it that way. Instead, I used the significant savings on the main ticket price to feel better about adding on any extras. EasyJet believes their system is better for the customer: I pay only for what has value to me.

One extra I found worth it for peace of mind was to choose seats beforehand. That way I didn’t have to wonder what seat I would get and how cramped it might be. I probably should have paid even a bit more to get the extra legroom seats because for someone with long legs, the seat spacing was tight enough to hit my knees unless I sat up really straight the whole time. Not that that was so difficult: the obligatory announcement on take-off to “put your seat backs in their upright position” is superfluous on EasyJet as the seats do not recline. Just as well, because if they did, nobody would have any space at all!

The “speedy boarding” extra charge  might have been worth it too, to board sooner, but I made up for it by being first in line for the general boarding. I stood (rather than sat) at the gate for the 10 minutes it took to board the “speedy boarding” people first. In essence, I got to be the last speedy boarder without paying the fee. I guess that’s called advanced flow control … or just gaming the queue.

What about the infamous 50 cm x 40 cm x 20 cm x 1 bag rule? I had never seen it in person so I even brought along a measuring tape to make sure and prove it if I had to. But the EasyJet metal sizer stand was mostly there as a prop to support the gate staff’s emphasis of the 1 bag part. Nobody’s bag was actually tested in the sizer. The tally: two or three cases of, “That’s not one bag, sir, that’s three — please arrange it as one bag and return to the gate when you have done so.” A few got, “That purse, it’s not duty free — you’ll have to put it inside your carry-on suitcase.” Which they actually did, with minimal complaint. One or two people slid by with a regulation carry-on but also another bag.

The real challenge to on-time take-off was when people boarded the plane. Since I had been on the first shuttle bus, and thus already seated by the time most people boarded, and I had a row 8 aisle seat, I had a good view. There wasn’t any pushing or shoving — people were relatively polite and quiet. But to board a 180-seat, one-aisle plane where everyone has the maximum-size carry-on took quite some time as people worked to fit their bags into the overhead compartments. And then, remembering what they would want during the flight, standing in the aisle blocking progress while they got it out. Echoing the recorded announcement, one or two passengers assertively and vocally encouraged people within earshot to please sit down in their seats so we wouldn’t miss our turn at takeoff. I admit that I was one of the two. But in the end, all were seated, only the very last few people boarding had to use their precious under-seat footroom to stow a bag, and we took off 20 minutes late. Since that was followed by the flight staff’s announcement that we would nevertheless be landing on time, I gather that EasyJet includes the slow boarding process as part of their scheduled flight time.

The flight itself. Cramped legroom but survivable, especially if you get up and walk around every so often, which is a good idea on any flight. There is food service, and you pay even for a cup of tea. But if you want one, you can afford it: you saved 80 cups of tea by flying EasyJet instead of the non-budget competitor. They actually came through twice during a 5-hour evening flight, and still had a reasonable selection of hot and cold foods. If you buy more than GBP 5, you can even use a credit card to pay. Otherwise, cash on the barrel — well, on the trolley.

I didn’t buy any food on the plane. I had used my cheap gold card (i.e. not American Express which is great but costs money) to get into the cheap airport lounge, and I ate there instead. But if I had been more hungry, the egg salad sandwich would have been fine.

Newspapers cost money too. I brought my laptop to read from instead. (Essential Scrum by Kenneth S. Rubin.)

During the flight, there was also some kind of duty free service. It’s for people who must have an overpriced, underfed Paddington Bear. To be fair, I don’t really know if they were overpriced, because I didn’t even ask.

They are efficient on the food service. For example, my neighbor’s selection (twice!) was “tea, 3 milks, 2 sugars”. It was only by the second time that I realized how they served that. No pouring here. Instead, a large paper hot cup, filled and covered, and a second paper cup with cigar-sized packs of sugar and dehydrated milk. Worked for my neighbor, and the flight staff came by promptly after each time with a bag to collect trash. Now that I think about it, the food service was much cleaner, quicker, and more comfortable than on full-service flights. No sitting for a half hour waiting for your food while the rest of a 300-seat plane is served, and then another half hour with the leftovers on your tray table, preventing you from resting, working, or even getting up to walk around. People who wanted to eat got to, and yet air was fresh and aisles were clear pretty much the whole flight. Approaching the end of the flight, they came through a third time with food and gifts, and announced they even sell bus tickets!

Cramped? (I was.) Hungry (I wasn’t). But those were my choices. Next time I’ll know to buy extra legroom.

In summary, an agile experience: EasyJet has a system which requires discipline from staff and customers. In return, they provide a quiet, clean, on-time flight for half the price.

Tomorrow morning, EasyJet’s orange cousin, EasyBus!

Written by Tom Harris

November 11, 2014 at 3:09 am

Posted in Agile

Tagged with

Agile Why and How

with one comment

Ask about “Agile” and everyone will start with the Agile Manifesto. It serves us well, seems short — only 4 sentences. But then there are 12 principles as well, so I guess 4 sentences weren’t enough.

After trying, and learning, and delivering some good software, we’re also getting the message clearer.

Why Agile?

To put working code in front of the customer quickly, so they discover better what they want, and tell you.

How to do that?

Reduce batch size, and limit work in progress.

Today’s thanks go to Rex MorrowDele SikuadeKen Clyne, and another coach who’s known me all my life.


Written by Tom Harris

October 23, 2014 at 8:50 am

Posted in Agile

Whole code awareness

leave a comment »

Busy software developers tend to think of refactoring as a luxury activity, and separate from writing new code or fixing defects. At first glance, the latter two activities clearly contribute to why we write software — to get new, working functionality from hardware — while refactoring, by definition, doesn’t change the software’s behavior at all.

But if we recognize that every code change or addition may affect both the dynamic behavior (what the software does), and the static behavior (how easy it is for the developer to modify it as desired), then all three code-change activities come together. Every code change, whether it’s refactoring, new code for new feature, or changes to fix a defect — and no matter how small a change — is a change to the entire codebase with the purpose of increasing its value.

This mindset is what motivates code quality engineering practices such as in-person design and code review, static analysis, and automated whole-system regression testing (including load testing and robustness testing). As well as, of course, refactoring!

And while time and resources for these activities can be planned as part of any software development methodology, it seems easier in Agile. Include all these activities regularly in sprint tasks per user story, evaluate them all in planning based on their size (cost) and their benefit (value), and get them done regularly. Apply this whole-code awareness, and watch defects decrease and velocity (and enjoyment) increase!

Thanks to Will McKinley for the post Code Refactoring – Dealing with Legacy Code that made me ask myself what are the differences, and similarities, between refactoring and other types of code changes.

Written by Tom Harris

April 26, 2014 at 9:42 pm

Posted in Agile

Tagged with ,

I’m in Software

with one comment

When somebody asks me what I do and I say, “I’m in software”, or “I’m in computers”, they usually give me a “Oh, that’s nice,” but it’s clear they aren’t any wiser than before they asked. Why is that such a conversation-stopper? If you’re a lawyer or a doctor, people think they know, and jump right in.

Maybe that’s because lawyers deal with people and justice, or at least arguing, which sounds familiar. And doctors — well, everyone’s been to the doctor. The drama of dealing with people is what gets lawyer and doctor shows on TV, and I’ll be the first to admit that my picture of what they do comes straight from there. Really that means I have no clue.

After a bit of thought, I realize that software is more like art, if that helps.

(Right — saying you’re an artist is like saying you’re in software, only poorer.)

But really, it can help.

The solution to explaining what “I’m in software” means is to realize that software, and software development, is really three very different things. To the software developer, it is code — lists of instructions to make a generic machine behave in a specific way. To people in general, it is invisible: as mobile phone users, airplane travelers, or just people turning on the faucet and getting water, the world is full of things made of plastic and metal that behave or respond more actively than a cup or a pair of scissors. And finally, software development, the activity that goes on in a hi-tech software office, includes a good deal of accounting, scheduling, and event planning.

This triple personality parallels art. When someone tells you they’re an artist, do you think of paints, chemicals, brushes, and canvas? Or paintings on the wall? Or the business of running an art gallery?

I’m pretty sure most people hear “artist” and think of paintings. But the “what the artist does all day”, whether it’s looking, thinking, or carefully mixing paints, is invisible in the painting. We see the painting and know nothing about the work life of the artist.

So being in software, like being an artist, means doing something unseen to materials and creating interactive things that everybody then takes for granted.

Probably the only way forward for more people to understand what’s “in software” is to take them into the studio — the hi-tech office — and let them try their own hand at coding a mobile phone app. Or on the other hand, attending a project meeting.

Say, why aren’t those kinds of experiences available at the local computer or science museum — not playing with the things, but making them come alive?

John Hollar and Grady Booch, are you listening?

Written by Tom Harris

October 29, 2012 at 8:35 pm

Posted in Technology and Society, Work

Tagged with

Error-Proofing Made Simple

leave a comment »

Error-proofing is preventing errors rather than just warning about them.

With compiler warnings, that means setting warnings-asCannot throw away fast-food tray by mistake says Mark Graban-errors in your compiler so you cannot complete your build. Yes, you also need tests that can fail and a source control system that refuses promotion of versions that fail test. And code review to ensure that code changes to address compiler warnings only improve the code. But the key is warnings-as-errors.

While error-proofing is simpler with fast-food trays, the idea is the same. Read “Simple, Brilliant, Error Proofing at the Amazing In-N-Out Burger” (Mark Graban  |  04/11/2011  Quality Digest) and look for where else you can error-proof your process.

Written by Tom Harris

May 2, 2011 at 1:19 pm

Posted in Prevention

Tagged with ,