jump to navigation

Legislation needs to push privacy liability to the strongest party 2015/03/02

Posted by Angelo van der Sijpt in Uncategorized.
add a comment

Over the past five weeks, I’ve followed DelftX University‘s excellent Economics of Cybersecurity course, which is concluded with an essay on my opinion of a topic in this field. I’ve picked the incentives that relate to privacy, and how regulation is the only feasible way to bend the outcome to one in line with the common good.


 

Coming from a technical background, my main experience in security has been around security measures (known as “controls” in this course). I have noticed that technical measures rarely tell the whole story: there is no black and white in this matter, and decision makers don’t have a use for “this is just safer”-type arguments. This applies not in the least to privacy-related concerns: while it intuitively it seems obvious that privacy should be a concern, it can be complicated to construct it into a business decision.
The technology field has some uncommon incentives, most having to do with restricted friction that technology brings, that make it impossible for a market-driven situation to shake out such that the privacy concerns of the public are served best. I therefore believe that regulation is needed that pushes the liability to the party best suited to control privacy.

As a software professional, I am well aware of the non-intuitive relations within the world of technology. The lack of natural friction on transactions opens the door for extremes in either direction of market share: either a huge number of small players in a race to the bottom (e.g., the current state of health- and fitness-related products and software), which later progresses into a practical monopoly for the player who understands this game the best.
In both situations, either pre- or post-monopoly, market parties tend to make the choices that make best sense for their business goals. The winner-takes-all dynamics of this market means that the effects are amplified once one party reaches a practical monopoly situation. From my personal experience, I’ve seen that the direct business-incentives for user privacy are never those of the commons. This is exacerbated by (a) either unknowing or intentional company policy to make use of the wealth of information that many market parties are currently laying their hands on, and (b) the fact that most consumers currently willingly divulge information for marginal benefits, putting no pressure on market parties to change this situation.

The current situation—-customers don’t care, market parties are driven by business incentives—-is an unstable balance, waiting to break. On the one hand we see data abuses, breaches and security flaws running wild in various industries, such as insurance (Anthem), automotive (BMW) and appliances (Netatmo) which don’t get the backlash one might rationally expect. On the other, we see an unwitting movement towards trust no one (TNO) systems, such as Whatsapp’s inclusion of TextSecure’s end to end encryption, producing marginal security awareness in the public.

Some time in the near future, I expect these two trends to meet, likely in a large-scale breach whose effects will reverberate in the minds of the public. This can undermine public trust in all market parties that process private information, not just the bad apples of the industry, potentially halting technological progress as the public cannot distinguish good actors from bad ones, and turn their backs on both.
The situation outlined above shows that market pressures will not produce any of the desired effects. Privacy, in this sense, becomes a communal asset, which needs (minimal) legislation to shepherd it.
In situations of security, mainly banking, it has been shown that pushing liability to the party best suited to affect it, provides the proper results.
The European Union’s General Data Protection Regulation (GDPR), which is expected to be adopted by most EU member states in 2015, and will become enforceable starting 2017, provides just this framework for putting liability with the correct party.

 

Conversing Worlds column on Talent (Dutch) 2015/03/01

Posted by Angelo van der Sijpt in Uncategorized.
add a comment

For the February 2014 edition of Luminis’ Conversing Worlds magazine, I wrote a column on Talent.


Toen ik bij Luminis aan boord kwam, was één van de eerste dingen die mij geleerd werd dat “Luminis talent niet dun uitsmeert.” Dit in tegenstelling tot klassieke consultancy, waarin ernstig groene medewerkers onder leiding van een overwerkte senior uren verbranden. Dat model werkt vooralsnog prima, dus waarom moeten we weer tegendraads zijn?

“Vooralsnog” is het toverwoord. Het klassieke model is commodity, en lijdt onder dalende tarieven, outsourcing, en erger nog, het helpt onze klanten niet meer. Als het er écht toe doet, kiezen gerenommeerde partijen niet voor de vertrouwde supplier, maar voor een klein clubje uit het Oosten des Lands. Dat is het resultaat van reputatie, track record, en ja, talent. En daarom zijn we tegendraads.

Talent? Ik geloof niet in rock stars of ninjas: het ergste wat je kan overkomen is alles wat je doet je zonder moeite lukt, terwijl je omgeving je vertelt hoe goed je bent.

“The first rule of Imposter Syndrome Club is that you aren’t good enough to be in it,” las ik recent. Je kent het wel: je vindt dat je goed bezig bent, maar er knaagt een gevoel dat zegt “straks val je door de mand.” Dát is het soort onrust dat ik in gedachten heb.
Talent moet rijpen en groeien, en dat kan zeer doen. Je leert het meest van ervaringen waarin dingen niet gaan zoals je wil, waarin je onvrede voelt over je eigen handelen: je vraagt je af waarom je op een plateau zit, waarom het andere makkelijker af lijkt te gaan. Je kunt het groeiproces niet versnellen, maar je kunt het sturen.

Af en toe spring ik met een parachute uit een vliegtuig, en binnenkort doe ik mee met een obstakelrace met veel waterhindernissen, terwijl ik een hekel heb aan water. Ik doe die dingen niet omdat ik alles durf. Ik doe juist omdat ze eng zijn.
De comfort zone heet zo om een goede reden: je bent er op je plek. Maar met die knagende onrust, is ook je comfort zone niet zo comfortabel. Daar kun je gebruik van maken: deel die onrust, ga op zoek naar uitdagingen, en neem daar ook collegae en anderen in mee. Het kan eng zijn om je skills te etaleren, maar het ergste dat je kan overkomen, is dat je iets nieuws leert.

Genoeg over jou, wat betekent dit voor je organisatie? Malcolm Gladwell–ook bekend van de 10.000 uur oefening om expert te worden–spreekt wel over The Talent Myth. Hij stelt dat talent bestaat, maar dat dit slechts een kleine factor voor succes is. Organisaties die talent aantrekken omdat het talent is, komen op termijn bedrogen uit. Werkelijk succes, zegt Gladwell, zit ‘m in het vermogen om talent te laten groeien.
Het tweede wat ik geleerd heb in mijn Luminis-tijd is dat alles kan, maar je alles zelf moet doen. Dat geldt ook voor de ontwikkeling van je eigen talent. We zijn geen GE, waar voor talent een uitgestippeld pad met afgemeten uitdagingen klaarligt. In plaats daarvan zijn we een organisatie waarin iedereen zijn eigen uitdaging kan zoeken.

Talent trekt talent aan. Maar iedereen die wel eens met Clickets (plastic knikkertjes met een magneetje daarin) gespeeld heeft, weet dat zelfs magnetisme tegenhouden kan worden als de Clicket stil ligt. Op de vloerbedekking heeft-ie gewoon een zetje nodig.
Wij zullen zelf moeten zorgen voor die beweging. Luminis Arnhem heeft dan ook voor 2015 als overkoepelend thema in het businessplan “naar buiten!”

In welke fase van je carrière je je ook bevindt, de ontwikkeling van jouw en andermans talent is jouw taak. Wees niet bang, durf te delen, en maak er wat moois van!

Seven years of Luminis (Dutch) 2015/02/01

Posted by Angelo van der Sijpt in Uncategorized.
add a comment

In the October 2014 edition of Luminis’ Conversing Worlds magazine, the 12,5 year anniversary edition, I wrote up my thoughts on my personal history.


Meer dan de helft van Luminis’ bestaan heb ik meegemaakt: in 2007 binnengekomen bij wat toen nog Luminis iQ Products heette, en na wat omzwervingen nu als fellow aan de slag binnen Luminis Arnhem. Ik voel me daar het technisch geweten naast onze directeur, Jeroen. Het maakt mijn rol alleen maar uitdagender dat Jeroen ook een technische achtergrond heeft.

Als ik in de afgelopen jaren iets geleerd heb over Luminis, dan is het “alles kan, maar je moet het zelf doen.” Er is een minimum aan structuur, maar zodra het gaat over je eigen ontwikkeling, die van je kern, en hoe je de meeste waarde kunt creeëren voor ons en onze klanten, ben je op jezelf aangewezen. Je krijgt die vrijheid, maar ook die verantwoordelijkheid. Niet iedereen kan daarmee omgaan.

Wat deze organisatie uniek maakt is de mix van focus: zowel het écht begrijpen van de wereld van de klant, als het serieus nemen van software engineering als totaaldiscipline.

In zeven jaar Luminis heb ik meegewerkt aan het binnenhalen en zien verdwijnen van grote opdrachten, heb code geschreven waarop ik trots ben en code waarvoor ik me schaam, heb prachtige en volkomen foute designs gemaakt, en heb op het laatste moment demo’s gered en verpest. Wat mij het meest bijblijft is het gevoel van een bruisend team dat samen gaat voor het resultaat waar de klant écht wat aan heeft. Dáár krijg ik energie van!

Al twaalf-en-een-half jaar is Luminis in beweging. Voor mij is dat nu een verschuiving naar naar de “toegevoegde waarde.” Software maken is geen “kunstje;” als dat het wel is, kan iemand anders dat zeker goedkoper dan jij. De reden dat je als developer in dit rijke deel van de wereld mag werken, is omdat je de klik kunt maken: gebruik die rechter hersenhelft!

Mandatory Viewing 2014w34: “The SOLID Design Principles Deconstructed” 2014/08/22

Posted by Angelo van der Sijpt in Uncategorized.
add a comment

SOLID principles

In this December 2013 session at YOW in Melbourne, Kevlin Henny provides his claim that the SOLID principles are an open-ended set of guidelines, which aren’t as black-and-white as they seem. This talk works best when you have some experience applying (and maybe even explaining) the SOLID principles as they appear in code.

The best thing about this talk is how it shows that “it depends” is a real answer. It always depends, and there are no absolute truths; not in software engineering, not in life.

Are we all lost, then? Not really. Kevlin shows that there is value in the SOLID principles when used as a tool for learning, not as gospel.

Mandatory Viewing 2014w27: “Find the Right Abstraction Level for Your Tests” 2014/07/04

Posted by Angelo van der Sijpt in Uncategorized.
Tags:
add a comment

Finding the Right Abstraction Level for Your Tests

This week’s Mandatory Viewing is by Gerard Meszaros (the guy behind XUnit Test Patterns).

Gerard talks us through a topic most of us have run in to: you start out with a nice set of readable tests, and while your understanding of the system grows, you end up with lots of cruft in your test code. Your tests no longer describe what the system is doing, but how you need to use the components of your system to make something happen. Good as documentation, bad as specification.

Mandatory Viewing 2014w26: “Play by Play: Jim Weirich” 2014/06/27

Posted by Angelo van der Sijpt in Uncategorized.
Tags:
add a comment

Play by Play: Jim Weirich

This weeks Mandatory Viewing is Jim Weirich’s Play by Play. Pluralsight has put up this talk shortly after Jim passed away, as a tribute.

In this almost 90-minute session, you can watch Jim take a problem, and iterate through a vast number of API designs, trying to get a feel for how his designs influence the user’s happiness. Even if you don’t know Ruby, you can follow the process of someone who thinks in code, and isn’t afraid to say “let’s try this, and see what it does.”

The process of “trying out” what an API will look like before using it resonates well with me. I prefer to make my tests read as close as possible to the thinking process of an API user. Try to put yourself in the user’s IDE, and try to feel what he’s feeling while using your API; empathy with your user reduces the number of WTFs per minute drastically.

Notable quotes,

  • “The maturity of frameworks can be shown in how good their error messages are.”
  • “We’ve prove the basic technology works. We can write a proxy. Now is the task of finding the right API that works well… if it’s too complex to use, people won’t like it.”
  • “We explored a couple paths that proved unfruitful. I think that’s good in that you explore these things and you find that’s not really what I wanted.”

Software architecture as a wicked problem 2014/05/20

Posted by Angelo van der Sijpt in Uncategorized.
add a comment

While writing my master’s thesis, quite a few years ago, I wrote a trio of supporting papers to help me structure my thoughts. I recently came across them, and was surprised by how relevant they still are, even given what I’ve learned about software architecture in the past years. You might like them!

  • Software architecture as a wicked problem deals with what makes software architecture hard, and how this overlaps with planning problems.
  • An engineer is not a carpenter shows how software engineering is not a real engineering discipline. It contrasts software with other ‘materials’ we work with.
  • Architecting adaptive software is basically a readable shape of my master’ thesis. It deals with what adaptivity is, how you can’t design it into systems, and what factors you can use to make a system exhibit adaptive behavior.

Using XPath to match a key/value paired XML message 2013/03/15

Posted by Angelo van der Sijpt in Uncategorized.
Tags:
add a comment

In one of my current projects, we have an XML message that looks a little like this.

<envelope>
    <message>
    <message-id>1</message-id>
    <keys>first-name<keys>
    <keys>last-name<keys>
    ....
    <values>Angelo<values>
    <values>van der Sijpt<values>
    </message>
</envelope>

For testing purposes, I want to use XPath to get values from this, i.e. match first-name to Angelo.

After some fiddling, I wound up with this slightly ugly contraption. Might be useful for you one day, though I hope you can be spared…

//message/values[count(//message/keys[.="field-name"]/preceding-sibling::keys)+1]

Dealing with interruptions as a Scrum team member 2013/01/19

Posted by Angelo van der Sijpt in Uncategorized.
Tags: , ,
add a comment

For the last months, I have coached some engineering teams in a large software-intensive organization. Some are running fine, some need extra work. A topic that regularly pops up is “how do I handle all these interruptions during my day?”

I define an interruption as anything that makes you context-switch away from the work you’re doing for the team. So, questions from teammates are not interruptions. Neither is responding to email at the time of your choosing. Phone calls regarding different projects, or people showing up at your desk with unrelated questions are.

Scrum ask for a distraction-free environment, routing interruptions through the product owner. However, interruptions are a cultural phenomenon, not an organizational one. I will assume interruptions as a given of the current situation, channeling them in a productive manner, and slowly driving them out.

Company culture has its reasons for existence, and is hard to change. I believe there are three intertwined cultural components in interruptions,

  • “it has always worked like this”,
  • there is no pushback,
  • costs are hidden.

“It has always worked like this”

What and why

People have lost trust that goals and deadlines will be met. Especially with deadlines far into the future, there is a track record of slippage and work not getting done at all.

Managers have learned that anything not marked as urgent has a tendency to be left alone, and not get done. People get results by declaring emergency. And you know what? It works.

How to handle

This is ingrained into the organization, and hard to counter. Make commitments, and consistently meet them (“I’ll get back to you next Friday”). Make promises, and keep them, and people will learn to accept you deferring work. We will get back to this. I promise.

There is no pushback

What and why

As engineers, we are inherently nice. When faced with the choice to either shine in front of someone present, of diligently work on for someone that isn’t, we choose the former.

But, apart from an opportunity to please, is this work really that important?

How to handle

This is about personal choice and reputation: build up a track record of being dependable, and your pushback will be more gladly accepted.

Most interruptions are not that urgent at all, but our desire to please gets the better of us. To handle this well, we need to make a well-reasoned decision on the importance of the work before us.

Personal productivity methods provide some help in this. For instance, my personal favorite Getting Things Done forces you to make a choice for interruption over two minutes: Do, Delegate, Defer, Drop.

‘Defer’ can be part of your system, but is more effective as a team. If you decide to deal with your interruption demons, and to not be as available for the team as you could be, you’re hurting the sprint result.

There are many ways to handle this. For instance,

  • One of the teams has picked Tuesday as the ‘interruptions day’. For every interruption, they ask “can this wait until next Tuesday?”
  • The notion of core hours is written up best in chapter 10 of the Scrum Field Guide. In short, these are the hours every member is supposed to be available for the team. Outside of these hours your free to work the way you want, and any interruptions can be dealt with then.

About promises

Making promises and keeping them it not external behavior, it is part of who you are. Be dependable to both your clients, and to yourself.

If you make a promise to yourself to get some work done, treat it just the same as making a promise to someone else. If you need to break it, renegotiate. You can’t be dependable without being authentic.

Costs are hidden

What and why

We all know context switches are expensive, but just how expensive? How can you explain to the angry manager at your desk “ah, yes, well, you know, you bothering me will take roughly 22.6 minutes of productivity away. From another project.” Remember, as engineers we’re way too polite for that.

How to handle

Transparency. Don’t hide incoming work in some support process, taking away control from your product owner. Make it visible that incoming work hurts by keeping it on the same sprint board as the regular work, and show this pushes out planned work. Start counting interruptions, and show the correlation between interruptions and velocity.

I see interruptions as a part of the process, but we can make them exceptional. There are many ways to handle this, but picking just a few,

  • use short sprints, so this work can be planned in a regular fashion, or
  • spend time increasing product quality, so we end up with fewer emergencies.

So?

Well, what does that mean for you? What can you, as an engineer, do?

Always wonder “what is the most valuable thing I can do at this moment in time” by consciously making the Do/Delegate/Defer/Drop decision.

Build up a track record of dependability: make promises, and keep them. Real emergencies are rare.

With your new aura of dependability, use it to manage interruptions even further. Ask people’s input to be less disruptive: don’t call, email. Don’t visit your desk, create a well-written bug report. Use IRC if you must. This leaves you free to handle the interruptions regularly, but when you choose to.

Every interruption is a chance to shine. Shine only at your own terms.

Markdown in the browser, without additional tools 2012/11/28

Posted by Angelo van der Sijpt in Uncategorized.
Tags: , , , ,
add a comment

Today I ran into a typical documentation problem.

  • Organization uses mainly Word, but I don’t use word.
  • I want a solution that, while the documents are checked into subversion, is navigable in the browser.
  • So, HTML is probably good, but I’m not going to write HTML by hand.
  • I don’t want any server-side code, and I also don’t want to check in ‘compiled’ HTML.

So, I wanted to write Markdown, and needed some way of processing it in the browser. Enter: Showdown.

Showdown is a Markdown processor, written in Javascript. I ended up with documents that look roughly like this,

<div id="content">
<!-- This div contains all content in Markdown. -->

Showdown is

- legend...
- ...wait for it...
- ...dary!

<!-- End of div with markdown -->
</div>

 <!-- This script translates markdown to readable HTML -->
<script src="https://raw.github.com/coreyti/showdown/master/compressed/showdown.js" ></script>
<script>
var converter = new Showdown.converter();
var content = document.getElementById('content');
console.log(content);
content.innerHTML = converter.makeHtml(content.innerHTML);
</script>

which gives me a page that says the following,

Showdown is

  • legend…
  • …wait for it…
  • …dary!

Isn’t that an awesomely simple solution? Just type Markdown in the predefined div, save, commit, and enjoy.

Oh yeah, subversion

When using this solution in Subversion, remember to set the SVN mimetype to text/html, so the file can be viewed in the browser. You can do this using


svn propedit svn:mime-type <file>

Follow

Get every new post delivered to your Inbox.