Sunday, July 17, 2011

What a product is

A product, they will tell you, is a set of features bundled inside the same package.

The problem is that it makes you believe your product is defined by only two things: features and packaging.

So you'll be tempted to add more features to make a better product.

Your product is also defined by everything you decided not to include.
As with packaging, less is more.

Friday, July 15, 2011

Investing in curiosity, not only in money

Investing is not about giving money and expecting to get more money back.
That is capitalist investment.

Investing is about giving a resource and expecting more back.

Time is the most precious resource you have.
Unfortunately, you can't expect to get more of it than what you are given.

Investing time for money is a smart move, until you earn more than what you need to live.
Investing more than what you need is what economists call waste.

So now that you have enough money, where should you invest your time?

In my case, I found that having the guts to try new things and leave the comfort zone without any fear of loss is something that makes every second of my time worthwhile and fun.

Investing in curiosity is definitely a good move.

Monday, July 11, 2011

Developers, who are you working for?

Two years ago, my boss or customer was just another layer in my code.
They were something I could abstract away and not think about.

My approach these days is different. All my work is justified from the point of view of personas. This observation seems obvious, but its implications for my work are big.

For example, as a developer, you were asked to make your code extensible. But can you tell me which persona wants extensibility?
Your boss? He's not a persona; he will not write extensions to your code.
You? Another developer?
In both cases, you need to treat them as a persona, and a persona has use cases.

In other words, you need to ask why they need extensibility.
"It's good practice" is not an answer.
"It saves time" is not a valid answer either.

You can only save a persona time by knowing why he needs you.
Because simplicity is about moving complexity to the right place for the right person.

So you had better know who you are dealing with and why.

I've found this approach has two advantages:

  • By asking your persona questions, most of the time you can remove useless features before wasting time on them.
  • By asking questions, you add constraints to your code, and constraints are what make your code easy to explain and understand. They improve your design without any extra layer.

I've used a developer's example, but any creative work is in the same situation.
When an entrepreneur doesn't know which persona will use his project, he refers to them as "people".

People is a persona too. But be careful...
People don't care about you.
People don't have money.
People know nothing about anything.
People are capricious.

By asking why people would care about you, you will see that in most cases, people are not someone you want to work for.

Sunday, July 3, 2011

Security is about accepting risks

Not long ago, Dropbox made a terrible mistake: they left the door open on the data of all of their users for 4 hours.

A friend of mine, along with thousands of other people, was screaming at Dropbox about how unacceptable and crazy it was to store data there.

I'm a developer, and in no way do I defend Dropbox for their mistake, but I want to put things into perspective: some of the worst security breaches are your own habits, and they are far more dangerous than Dropbox's mistake.

So the problem is: a developer on the Dropbox team made a mistake and removed authentication on the service for 4 hours. Everybody who knew the email address I use on Dropbox could access my data during that time span.

I have my bank account details and passwords stored inside Dropbox, so what are the chances of my money getting stolen?

  • A skilled hacker needs to become aware of the security breach within the 4-hour time span

  • He needs to write a program to dump all the files of all Dropbox accounts

  • He needs to know my email address and put it in his list (email addresses were not leaked)

  • He needs to find the file where I store my passwords (more than 100,000 files are stored in my account)

  • If he finds the file, he needs to work out which service each password belongs to.

A skilled hacker would earn more money by exploiting one of the worst security breaches in the world: coffee time.

It is far more likely that someone in your workplace will use your computer while you are away without having locked your session.
With access to your unlocked computer he can:

  • Read your emails, and reset your Gmail password so he can read them at home

  • Reset the passwords of every website you are logged into in your current session, and use them on your behalf

  • Install spyware

And what about the email/password you use on every website?
A little math here: imagine that you use the same password and email on every site (in fact, the same password is enough, because your other logins can always be found by searching Google for what you leave on the web: blog and forum posts, social websites).
Imagine that each site has a 1% chance of being hacked.
After registering on 20 different websites you have a 1 - 0.99^20 ≈ 18% chance that your password will be stolen. (Yes, maybe less if the site only stores a hash of your password in its database, but that is not often the case, and even when it is, cloud technologies let hackers buy considerable computing power to brute-force a lot of hashes cheaply, unless the site uses a slow, salted hash, which most did not.)

Your habits are the worst security breach: exploiting them takes no skill, and the target of the attack is precisely defined (it's you).

Good security is not about building a castle to protect your data.
Good security is about accepting risk, being aware of the biggest risks, and knowing how to fix them, or at least minimize them.