Sunday, June 26, 2011

#DevTO - You don't just write code

#DevTO started out with @kevinkvs and @jonezy thinking about the need to have a regular meet up for developers in Toronto to share and learn from each other. I first heard of this idea on Twitter from Chris and was immediately intrigued and offered to help out. @clickflickca also joined in later on the fun and brings his experience organizing and running other events around Toronto.

A big part of our jobs involves learning, both from yourself and from those around you. The challenges you encounter are as varied as the job titles. The other big part of the job is showing off how you solved that problem and what you have learned.

Some of us are lucky to have a team of awesome developers to work with every day: people to learn from, bounce ideas off and show off the end result to. Some of us might not have that daily. How do you convince your boss that the database needs optimization? How can you cut your build time in half? Need to know about common pitfalls when building mobile sites? Got some IE6 horror stories and the scars to prove them? This is where #DevTO comes in.

No matter what technologies you have used, are currently using or are thinking of learning, #DevTO is for you. The broader the audience the better. This event is not limited to developers. Kevin, co-founder and Community Cobra Commander of #DevTO, said it best:


If you are liking the sound of this so far then make sure you RSVP to our second event tomorrow night:



Thursday, June 16, 2011

All developers are not created equal - hence not interchangeable

Yesterday I came across this article in the New York Times: Thieves Found Citigroup Site an Easy Entry. At first I thought, "Man, another big site had their customer data compromised", but as I kept reading it became clear that this incident is a little bit different, especially in the nature of the attack described in the article. The marketing and PR departments for these brands - and in this case Citigroup - need to be a little more careful about the kind of technical information that gets released when shit hits the fan.
Think of it as a mansion with a high-tech security system — but the front door wasn’t locked tight.
After reading through the article and seeing how trivial the attack was, you can't think of it as a mansion with a high-tech security system; not even close. Some context on this attack:

In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers. Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data. The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
So all these thieves needed to do was log in with their own (or even someone else's) Citigroup account, and lo and behold, the account number was right there in the address bar after login. Changing it gave them access to someone else's account, because the server never checked that the logged-in user actually owned the account it was asked to display. A little script repeated this for thousands of accounts and scraped the details.
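To make the failure concrete, here is an added example (it is not code from the article or from Citigroup's systems; the account data, session ids and log lines are constructed): a lookup that trusts the account number in the URL, the same lookup with the missing ownership check added, and a server-side log check that flags a session cycling through many account numbers, which is what a repeated script looks like from the defender's side.

```python
from collections import defaultdict

# Constructed sample data: a tiny in-memory "bank" with three customers.
ACCOUNTS = {
    "4000001": {"owner": "alice", "balance": 120.00},
    "4000002": {"owner": "bob", "balance": 980.50},
    "4000003": {"owner": "carol", "balance": 15.25},
}


def get_account_vulnerable(session_user, account_number):
    """Trusts the account number taken from the URL.

    Any logged-in user who edits the number sees someone else's data,
    because ownership is never checked (the pattern described above).
    """
    return ACCOUNTS.get(account_number)


def get_account_fixed(session_user, account_number):
    """Looks the record up, then checks that it belongs to the logged-in user.

    Returns None for a missing *or* foreign account, so the response does
    not reveal which account numbers exist.
    """
    record = ACCOUNTS.get(account_number)
    if record is None or record["owner"] != session_user:
        return None
    return record


# Constructed access-log lines: session id, requested account, HTTP status.
# sess-b7 walks through several accounts, including ones that do not exist.
SAMPLE_LOG = """\
sess-a1 4000001 200
sess-a1 4000001 200
sess-b7 4000002 200
sess-b7 4000001 200
sess-b7 4000003 200
sess-b7 4000004 404
sess-b7 4000005 404
"""


def flag_enumerating_sessions(log_text, max_distinct_accounts=1):
    """Returns the sessions that requested more distinct accounts than allowed.

    A normal customer touches their own account(s); a session that walks
    through many account numbers is the pattern to alert on. The threshold
    is a tunable assumption, not a value from the article.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        session, account, _status = line.split()
        seen[session].add(account)
    return sorted(s for s, accts in seen.items() if len(accts) > max_distinct_accounts)


if __name__ == "__main__":
    # bob asks for alice's account: the unchecked lookup hands it over,
    # the fixed lookup refuses.
    print(get_account_vulnerable("bob", "4000001"))
    print(get_account_fixed("bob", "4000001"))
    print(flag_enumerating_sessions(SAMPLE_LOG))
```

The fix is a single comparison, but it has to live on the server for every request that names an account; hiding the number from the address bar or obfuscating it is not a substitute. The log check is the cheap detection counterpart: tens of thousands of requests from one session, each naming a different account, stand out long before the scrape finishes.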

This process was described by "security experts" as "especially ingenious". Really?!? This is the oldest trick in the book, i.e. mess around with the URL until you get somewhere. These "security experts" should get fired if this kind of attack surprised them.

The "what can we do, we got hacked" wagon has become extremely popular in recent years, especially this year, but this Citigroup incident is different. There is no excuse for being on the "we are retards, we got hacked" wagon. When your "high-tech security system" can be defeated by changing account numbers in URLs, what else would someone find if they looked harder?

How does one get to this position? I think at the root of the problem is the belief that people working in technology are interchangeable cogs in a giant machine. When you are building the pyramids, yes, you can get 40,000 slaves and have them drag giant slabs of rock into place and stack them with virtually no way for an error to occur. And yes, you can get another 40,000 slaves to replace the first 40,000 and they will still drag and stack the rocks as well as the previous 40,000 did. That mentality works when the tasks at hand are fairly simple and mechanical, such as building the pyramids or the production line at Ford. It is absolutely not valid in technology, yet there are many executives, project managers and software architects today who think it's possible.

The other part of the problem has to do with measuring expertise. The above assumption that developers, architects, designers, etc. are interchangeable also leads to the flawed assumption that a developer with 10 years of experience can replace any other developer with 10 years of experience. It is easy to get to that assumption when you think of these tasks as mechanical, such as building the pyramids or putting the wheels on a car. 10 years of development experience doesn't carry the same weight it did 30 years ago. Most developers today got into it while they were teenagers, so by the time they graduate from university they already have 10 years of experience building stuff. Also, there are far more technologies available for the average developer to experiment with today than there were 30 years ago. That is why building technology systems, and development in general, is a combination of science and art. The Sistine Chapel would have looked different if Leonardo da Vinci had painted it instead of Michelangelo, even if he had been given the same directions by the Pope. The pyramids would have looked the same regardless of where the 40,000 slaves came from.

So for an online application that deals with people's credit card accounts to fail at this level doesn't give me the warm fuzzy feeling I should be getting when I read "Citi has implemented enhanced procedures to prevent a recurrence of this type of event." - if I were a customer.

Where else did you not do the due diligence you owe your customers? What other skeletons are in the closet? The New York Times article should have started out like this:
Think of it as a tent with a zipper — but the zipper wasn’t closed.

Saturday, February 26, 2011

Rogers OnDemand Online Vs. Netflix

A week after the condo I'm renting suffered a bathroom flood fiasco, I sat down last night to watch some TV at home. My whole unit is a mess and the furniture has been moved around, so I couldn't really use my TV; instead I decided to use Rogers On Demand Online (RODO). I am also a Netflix customer, but for some reason I chose to try RODO first.

Rogers On Demand Online

I first signed up to RODO when it was in beta, after being invited via Twitter. Back then I actually liked it: the streaming was decent and I was impressed. That was the last time I used it until last night. Of course I forgot my password and needed to reset it. Strangely, the guys at RODO decided that I have to answer my hint question before they will e-mail the reset instructions to the address I signed up with. So off I go to the Rogers tech support page, which now seems to have a "24/7" online support chat. Yeah right. I downloaded the software they wanted and waited for someone to "be right with me" for quite some time - probably 10-15 minutes - before I gave up.

Next, I call the Rogers support team and tell them the problem; they reset my password and ask me to try again. However, RODO still shows my profile as locked and tells me I need to reset the password. The support lady resets it again, and I still can't get in. Then *drum roll* ... dropped call.

I'm getting a little agitated at this point, and I still can't log in. Then I get an e-mail on my phone saying my Rogers portal password was reset. Great, so she ended up resetting the password for the billing portal. Isn't it bad enough that we have all these different passwords to remember? Now we need to remember different passwords for the same company?

So I call them again; this time the wait time is "greater than 5 minutes". What does that mean? Am I going to celebrate my 28th birthday before someone helps me? 20 minutes later someone gets to me, and they reset the password for the right service. Awesome, now let's watch a movie.

I log in to RODO, everything seems okay, so I start browsing the shows and movies. I don't know what the logic was behind some of these movies and shows, but it's almost like different channels get a different presentation. The stuff I would normally watch via Rogers On Demand on my TV looks great on the site: I see a picture, a description and ratings. However, when I look at the stuff on TMN or another channel, it looks different. It's garbage.

Anyway, let's get on with it. I pick a movie and, to my horror, the quality was crap - pixelated, even - and it was lagging as well. Great, all this for nothing. OK, let me try a show; maybe it was just the movie. I wanted to catch up on Modern Family, so I started that. No. Same shit.

Okay, I'm out of here. I leave a comment regarding their service and say that I'm going to Netflix. (I'll leave the rant about the TV version of ROD for another post, but for now think about this: how come they still can't figure out how to display the full movie name? Is it really rocket science? If someone knows, please tell me. Seriously, please.)

Netflix

So, after my unsatisfactory experience with RODO, I go do what I should have done from the start: Netflix. Now, I signed up to that on my PS3, which I can't use right now due to the mess after the flooding, so I need to reset my password because who knows what I set it to when I created the account from the PS3. Anyway, I go to netflix.com and reset my password. Holy crap, I don't need to answer my hint question; the password reset got sent to my e-mail. Amazing! 45 seconds later I am logged into my Netflix account, and I even fixed my billing address, since I moved 2 months ago and Netflix hasn't been able to charge my credit card. I pick a movie (and yes, the selection is not as new as ROD's, but there are still some awesome shows, documentaries and classics there, some even delivered in HD).

Netflix has their streaming technology nailed. Awesome quality. Great streaming. You only need to wait a minute at the start while it sets the player up, decides on the quality it will send, and buffers the movie. So why is that? Why is it that Netflix can do such a better job at the whole customer experience thing than Rogers can?

The answer is on the Netflix Tech Blog.

Netflix is a technology firm that delivers media. Rogers is a media/communications firm using technology to deliver media. Similar to my post about Yahoo's culture vs. Google's culture, Netflix would definitely have a higher innovation ratio than Rogers because of this difference between the two companies. When technology is viewed as a cost center (as is most likely the case at Rogers), you end up with sub-par client-facing technology such as Rogers On Demand Online, and even the Rogers portal itself. This applies to most "corporate web applications" as well.

As we get more entrenched in an online world, the big corporate world needs to let go of the perception that "technology" is a cost center rather than a partner in delivering excellent and innovative customer experiences.