Saturday, November 30, 2013

Work Life: Implementing Password Storage for a Login System

With work calmed down a bit, I have returned to refreshing some programming skills. At first, I was reading up on some Python, but then I had an idea that I wanted to start designing, so I went back to C#. Although I will be using C#, this post will primarily focus on the design implementation because I found it interesting. Each time I implement the login system, I always seem to learn a new little tidbit.

Most of the practices that I exercise do not completely stop serious hackers. The basic practices will prevent most common intruders and at least make it more difficult for serious hackers. There is little that can really be done against brute force if someone gains access to the password files. Since access to password files is more a network security matter, that won't be covered in this blog.

By implementing the following, basic users like developers and db admins should not be able to just read the password. This also means a non-technical user who "accidentally" gains access to the files would have difficulty reading the password. In other words, I should not be able to read the password just by logging into the database because I need to troubleshoot other issues, even though I have access to the files. In actuality, I wouldn't be able to reverse the password without going to extreme lengths even if I was the developer or db admin.

Encryption / Hashing Password

Because the password needs to be stored someplace, the password must at least be made unreadable. Today, this can be done very easily with most programming frameworks. Basically all that needs to be done is to use a hash algorithm.

A hash algorithm is asymmetric in the sense that it is one-way: it is extremely difficult to reverse the hash. In most cases, this is sufficient for the security implementation of a system. In some cases, you may want to be able to recover the original password. In those cases, you want to use normal encryption algorithms.

One example where you may choose to use an encryption algorithm is when you need to implement a solution that automatically connects to another system that requires a password. In other words, the password needs to be stored and then passed to another system. These could be used to access APIs, Web Services, screen-scraping, etc.

Although neither is perfect, anyone hacking into the system would require a certain level of knowledge, thus eliminating even basic developers and db admins. There are other layers that can be added to prevent external hackers, which I won't be expanding on here.

Salt

In conjunction with hashes, a salt should also be used with the password. This is extra "random" data appended to the password. The random data is still something that is based on certain information that needs to be stored. That data could also be encrypted.

In some cases, the user id could also be used as the salt. Although not random, it does make it more difficult for dictionary hackers by creating a different hashed password. This primarily protects users that have the same passwords.

I am not sure what the big advantage is to using a purely random salt. Even if the salt is known, this does not make the hashed password any easier to decrypt. Brute force is more likely to be used, which means that the hacker already has access. This means the hacker most likely has access to the salt values. It does add a level of complexity for the hacker, but it is unlikely to add orders of magnitude in difficulty.

To me the most important thing is to at least differentiate similar passwords. By doing this, a hacker could not just search the table for another user with the same password, which can be easily done by a developer or a db admin. Without a salt, all that needs to be done is to query the password database with the same hashed password.

Disable Bit

In the table, I like to also include a disable bit. In the off-chance that a password or all passwords have been compromised, all it would take is a simple update to force users to update their passwords. This of course requires that the code makes use of this bit. If it doesn't, this is quite a moot point.

If this is for a corporate, industry-level system, there should be policies behind enabling passwords if that is an option. It is important to make sure the identity of the person is verified to the company's satisfaction. For my site of lowest importance, I would force a password change. If I only enable the password, the hacker could just be trying to test to see if it was the same password. By changing the password (assuming that the requester is the hacker), the original user will not be able to sign in, thus triggering the user to either change the password again or inquire why it doesn't work. Hopefully by this point, the user should have received an email of the first password change. If not, likely the email has been compromised. Although I wrote that in a bit of a convoluted way, I am basically saying that it is more troublesome to the hacker when the password has a forced reset because he does not get anything out of it.
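
The salt and disable bit described above, sketched in C# as an added example (not the code behind this post). It assumes .NET 6 or later and swaps the single hash for PBKDF2, a deliberately slow salted hash, so that brute force against a stolen table costs more; LoginRecord, PasswordStore, LoginResult and the iteration count are hypothetical names and values.

```csharp
using System;
using System.Security.Cryptography;

// One row of the login table (hypothetical shape, not the post's schema).
public sealed class LoginRecord
{
    public string UserId { get; init; } = "";
    public byte[] Salt { get; init; } = Array.Empty<byte>();
    public byte[] Hash { get; init; } = Array.Empty<byte>();
    public bool Disabled { get; set; }   // the disable bit: set it to force a reset
}

public enum LoginResult { Success, WrongPassword, ResetRequired }

public static class PasswordStore
{
    const int Iterations = 200_000;   // assumed work factor; tune to your hardware
    const int SaltBytes = 16;
    const int HashBytes = 32;

    // A fresh random salt per user, so equal passwords give different hashes.
    public static LoginRecord Create(string userId, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        return new LoginRecord { UserId = userId, Salt = salt, Hash = Derive(password, salt) };
    }

    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);

    public static LoginResult Verify(LoginRecord rec, string attempt)
    {
        byte[] candidate = Derive(attempt, rec.Salt);
        // Constant-time comparison, so timing does not leak how many bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(candidate, rec.Hash))
            return LoginResult.WrongPassword;
        // The bit is only reported to someone who knows the current password;
        // the code path must honour it or the bit is a moot point.
        return rec.Disabled ? LoginResult.ResetRequired : LoginResult.Success;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample users sharing one password.
        LoginRecord alice = PasswordStore.Create("alice", "correct horse");
        LoginRecord bob = PasswordStore.Create("bob", "correct horse");

        // A query for "who has the same hash as alice" no longer finds bob.
        bool sameHash = Convert.ToHexString(alice.Hash) == Convert.ToHexString(bob.Hash);
        Console.WriteLine("Stored hashes equal: " + sameHash);

        Console.WriteLine(PasswordStore.Verify(alice, "correct horse"));
        Console.WriteLine(PasswordStore.Verify(alice, "wrong guess"));

        alice.Disabled = true;   // e.g. after a suspected compromise
        Console.WriteLine(PasswordStore.Verify(alice, "correct horse"));
    }
}
```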

Audit Log

On top of the above data structure, I like to keep an audit log of any activity, especially sign-ins. One great use is to find dictionary hackers or SQL injection hackers. With an audit log, you can find particular patterns in how data is entered.

If there have been several failed attempts by the same or similar users, there is a good chance that it is a dictionary hacker. Once identified, certain actions can take place. You can automatically blacklist the IP or user. If it is a user, you may want to warn the user that someone has failed to sign in a certain number of times (in the off-chance that it may actually be the user who forgot their password). I think 100 attempts within one sitting (~5-10 minutes) is a range to set an alert. Most people won't try more than 50 times (including frustration entries) before they quit or request a password change.
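
One way to run the failed-attempt check described above over an audit log, as an added C# example rather than the post's own code. It assumes .NET 6 or later; AuditEntry and FailedLoginDetector are hypothetical names, the log entries are constructed, and the threshold of 100 failures in 10 minutes follows the range suggested in the text.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// One row of the sign-in audit log (hypothetical shape).
public record AuditEntry(DateTime Time, string User, string Ip, bool Success);

public static class FailedLoginDetector
{
    // Returns every key (IP or user, chosen by keyOf) that has at least
    // `threshold` failed sign-ins inside any sliding window of length `window`.
    public static List<string> Flag(IEnumerable<AuditEntry> log,
        Func<AuditEntry, string> keyOf, int threshold, TimeSpan window)
    {
        var flagged = new List<string>();
        foreach (var group in log.Where(e => !e.Success).GroupBy(keyOf))
        {
            List<DateTime> times = group.Select(e => e.Time).OrderBy(t => t).ToList();
            int start = 0;
            for (int end = 0; end < times.Count; end++)
            {
                // Advance the left edge until the window spans at most `window`.
                while (times[end] - times[start] > window) start++;
                if (end - start + 1 >= threshold)
                {
                    flagged.Add(group.Key);
                    break;
                }
            }
        }
        return flagged;
    }
}

public static class Demo
{
    public static void Main()
    {
        var t0 = new DateTime(2013, 11, 30, 9, 0, 0, DateTimeKind.Utc);
        var log = new List<AuditEntry>();

        // Constructed data: one address guessing against five similar user
        // names, 120 failures spread over six minutes.
        for (int i = 0; i < 120; i++)
            log.Add(new AuditEntry(t0.AddSeconds(3 * i), "alice" + (i % 5), "203.0.113.7", false));

        // Constructed data: a real user who mistypes four times, then gets in.
        for (int i = 0; i < 4; i++)
            log.Add(new AuditEntry(t0.AddSeconds(20 * i), "bob", "198.51.100.20", false));
        log.Add(new AuditEntry(t0.AddSeconds(100), "bob", "198.51.100.20", true));

        TimeSpan window = TimeSpan.FromMinutes(10);
        List<string> byIp = FailedLoginDetector.Flag(log, e => e.Ip, 100, window);
        List<string> byUser = FailedLoginDetector.Flag(log, e => e.User, 100, window);

        Console.WriteLine("IPs to alert on:   " + string.Join(", ", byIp));
        Console.WriteLine("Users to alert on: " + string.Join(", ", byUser));
    }
}
```

Keyed on the user alone, the constructed attack stays under the threshold because its failures are spread over five similar names; keyed on the IP, it is flagged.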

If it is a SQL injection hacker, you can easily identify that someone is trying to compromise your system. Just remember to check for SQL injection before the encryption. There should not be a need to do an exception rejection of the password if using an encrypted/hashed password, because the SQL injection would also be encrypted/hashed, which would make it unreadable to the SQL engine. This check is primarily to identify potential threats.

Side idea: I think it would be a neat idea to have a client-side password encrypter or hasher. Basically whenever you enter into a password field, whatever you type in will be encrypted/hashed before sending to the server side. This would at least allow users to appear to have multiple passwords (by using different keys like site name into the algorithm). This would prevent multiple accounts from being compromised if a single system is compromised. 

MS SQL Insert

I did not find it intuitive how to insert a binary, so I figure this might help someone (i.e. my future self... why is he so forgetful?).
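using System.Data;
using System.Data.SqlClient;

// text is the byte[] (the hashed password) to store in the varbinary column
string s = "INSERT INTO LGN (UserPassword) VALUES (@binaryValue)";
string c = "data source=.\\XX;Initial Catalog=XXXX;Integrated Security=SSPI;";
using (SqlConnection conn = new SqlConnection(c))
using (SqlCommand cmd = new SqlCommand(s, conn))
{
    cmd.Parameters.Add("@binaryValue", SqlDbType.VarBinary, 500).Value = text;
    conn.Open();
    cmd.ExecuteNonQuery();
}   // both the command and the connection are disposed here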
Of course, use your normal try/catch/finally clauses. 

Cons

There is a disadvantage to hashing the password in that you cannot edit the password once it is set without having the user reset their password or log in again. A scenario where you want to edit the password is if you need to add salt or change your key.

There is a chance of collision in hashing the password, which is around 0.001%. This means that there is a very rare scenario where two passwords end up with the same hashed password. Although a possibility, the number of attempts should trigger other security measures that can still address this con.


Reference:
http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/index.htm
http://en.wikipedia.org/wiki/Salt_(cryptography)

Monday, November 25, 2013

Review: Google Webmaster Tools and Google Analytics on Blogger

I've used these tools before on regular websites that attempt to market their products. That was a while back and the tools have changed quite dramatically since I last played around with them. I was by no means a professional at these tools back then, much less now.

But to fulfill my curiosity, I implemented Google Analytics a while back and Google Webmaster about a week ago. There was some fascination with which posts are clicked on and which ones are visited. At the start of my use of analytics, there was some influence on which topics I was going to write next. There was a slight need to fill what my current audience was looking for. Although I was happy there was a large audience for a couple of the posts, the posts were not my primary interests. I went back to just writing whatever was on my mind at the time.

Google Analytics

This tool allows you to track the traffic that comes onto your site. It provides data primarily on the visitor, which means it tracks where they came from, search terms they used to get to your page, how long they were on the page, etc. There is a lot of information, but I found myself primarily just looking at the search terms used (Acquisition > Keywords > Organic) and location (Audience > Geo > Location) because I find it interesting how they are getting to my blog and where they are coming from.

One nice thing about Analytics is that the visitor count is closer to actual count, in my opinion. Blogger provides much larger numbers because it also includes all the sites that try to get your attention by crawling your site thus making you curious about who they are. About 90% of my traffic is from those visitors with no intentions of using or reading the content. I dare not provide examples as that would just feed into providing more free marketing for them.

I believe the reason for the actual count is that most crawlers will not execute the scripts and thus are not added to Analytics. If Analytics had a filter for that kind of traffic, I would hazard a guess that Blogger would have implemented the filter.

Analytics is more of a marketing tool. You can use this to determine which of your pages are popular, determine if your keywords are working, and drive your site accordingly. Since a lot of the data is oriented around the visitor, a company can make use of the data to focus on key solutions that are not performing or use the data to clean some solutions that are not getting any traction.

Also, Analytics can be useful for campaigns or promotions. If you market your pages on other sites like Google Ads or your industry pages, you can determine if the cost of the ad is worth the traffic generated from those sources.

Google Webmaster

I actually prefer Webmaster to Analytics because I am not marketing my website. For marketing, both tools are useful. What I like about this page is the actual number of impressions and click-through (CTR) on certain queries (i.e. search terms).

This fascination does not help me any bit for my blog, but it does fill a tiny bit of curiosity on how Google ranks their pages. Also there is an unfounded joy of seeing that some of my pages are ranked in the top 10 of certain searches. There is also a content keyword where it shows you how Google "ranks" certain keywords for your site. For example if I write a lot about software engineering, it would rank "software engineering" as a high relevance to the site. So it was no surprise to see life and interview on the list. Surprisingly, Google was ranked first which I do not have a lot of content on (I have no explanation for this).

For webmasters, there is a feature that allows you to find any dead links. This is extremely useful to identify those pages and should be addressed because it does hurt marketing if the pages are not coming up. 

One feature that I found fun was the Links to your site. I just received data today on it but hope to see more relevant sources.

Overall

Both tools are useful for companies for their websites if you do not mind the conspiracy theory behind Google's tracking of your site's data. If you are writing a blog to cater to your audience, this can also be useful. For those who just write whatever is on their mind with little care to who is visiting, then these tools are not needed. For those who are curious, these tools are free and easy to implement.

I have not explored all features. And some I have not quite figured out how to use yet.



Tuesday, November 19, 2013

Review: Open Lord Intrigue Card from Lords of Waterdeep

If a player is used to playing Lords of Waterdeep prior to the expansion, this card will initially appear to be extremely overpowered (OP). I've been a victim to this card twice and still do not quite have a solution to this. Both times it was played in the second round. Basically this card prevents players from using attacking intrigue cards on the wielder (OL - Open Lord).

After thinking over the game, I find that this card seems OP because it changes the dynamics of the game once it is played, because now everyone has to share in the responsibility of preventing the OL from taking too big of a lead. This is similar to the effects of IO or Wisp from DOTA, or playing against the score leader in Hearts, the card game. So preventing the OL from winning is very difficult if you are playing with selfish players or new players. Revealing the lord is not a huge drawback because around Round 3 or 4, you have a pretty good idea which lord each player has anyway.

Two Players

To me this card is extremely OP for two player games because I did not have another player to play with. This means that I cannot play the attack intrigue cards at all, which is a good percentage of the cards. That means that I will waste a lot of moves getting cards I cannot use. At the same time, because I cannot play them, I cannot use the Harbor which essentially gives you another half agent to an extra agent because you can replay him later. In two players, there is lots of open space and the intrigue cards give you the resources that you can attempt to block. At least with a third player, you can play the attack cards on someone else. This then leaves you with utility cards where half of them also benefit someone else, like two resources and give one to your opponent. Of course in two players, there is only one other opponent. I was completely crushed in this game. This was also the very first time I played this expansion so I did not know any of the new cards or mechanics.

Three Players

The second time we played with three players. We both still lost, but it was much closer in score, and it really required both of us to "gang up" on the OL. By ganging up, we just used utilities between the two of us and avoided using attack cards. We had the building that let you discard intrigue cards which also helped. What hurt me was that I was the building lord, so I had to spend half the game just getting the castle rook to have first dibs on the buildings, and of course the unfortunate luck of not getting quests that gave me buildings.

Conclusion

I feel this card is still overpowered but would like to play against it a few more times to get a better feel. But it definitely changes the game play once it is revealed. There are probably some lord combinations where it does not work very well like the building one.

On the rest of the expansion, I feel like there are a lot more intrigue cards that benefit the wielder without any penalties. At least in the original, the benefit was about an extra move like getting the same resources as if in another spot or take extra resource while giving something to someone else. There was one that just gives control of a building. Taking one that has a cost of 8 is basically stealing someone else's two turns for not even 1 turn... which basically means a 3 turn swing.

I am still split on the new mechanics. The corruption is interesting, and underworld quests cost a lot more (of course for more rewards).

Monday, November 18, 2013

Life: Detached Life, Attached Life, What Life Do I Want?

Do I want to rage in my life or observe from a detached point-of-view? Here I want to differentiate "I" from "us" because I want to be clearer that this is a choice that an individual cannot take both extremes. Most of us will fall in between the two, but we will likely lean more towards one than the other.

And as I ponder on this thought, my curiosity is more on what made me decide the path to take and what made you who you are. The more that I think on it, the harder it was to imagine that I made my choice without the world around me. It is like a void that I filled.

My life has taken me towards a path, while my talents have driven me towards a subset of those paths. Given all the choices I've made and the choices the people around me have made, my one single path is the one that I lived. My future may have infinite paths, but not all paths are available to me.

I will never know what it was like to be homeless or parent-less, and at the same time I will also not know what it is to be king or have wealth beyond my imagination. I can guess, but I'll never know. It is just life to me because there is nothing I can do about what is. This does not make me sad or happy.

By the same thought at the more extremes, do criminals exist because of the situation they were put into? I am not perfect. Assuming that everyone is imperfect, there are bound to be "cracks" in society that almost seem like it necessitates the existence of "evil" within our world.

So to solve our worldly issues, we cannot "not" care about the world around us. To me, the solution is to strive to be self sufficient and be able to help at least one other person so that my idea can survive. If I can help at least two other people, then I have at least made the world a better place. Eventually those two people can help at least one other person.

I can choose to be a more pro-active person or an indirect person. I believe both paths can solve our problems. To reach the point to safely guide someone else, we need to reach a point where we are comfortable with our existence. Whether you find your sufficiency through a god, multiple gods, no gods, science, nature, personal faith, or even questionable existence, I believe we all seek a greater truth and we can all reach there faster with everyone. For a Buddhist monk sees things that a pope does not see, and neither can truly see what you or I see. By sharing our vision, we can see a bigger picture... hopefully, we'll see that none of us are wrong. We just saw it differently.

Reference:
https://www.youtube.com/watch?v=Yb-OYmHVchQ
“Man is literally split in two: he has an awareness of his own splendid uniqueness in that he sticks out of nature with a towering majesty, and yet he goes back into the ground a few feet in order blindly and dumbly to rot and disappear forever.” -Ernest Becker

Review: Snagit - Screen Capture Application - My First 10 minutes

While trying to take screenshots of the search results of the HealthCare.gov site, I could not take a screenshot of the drop-down results. Each time I tried, the drop-down result would disappear because I clicked out of it. I tried using the Windows Snipping Tool, which I found rather useful for normal screenshot uses.

After trying again a few more times, I recalled using SnagIt with a previous company that was easy to use for this type of screenshots. Unfortunately, this is a new version and I am a little too poor (at the moment) to pay for the full version, so I used the trial version (full version is $50 pre-tax). Easy to download and install. The interface has changed a little since the last time I used it (about 4 years ago).

At first, I was excited because it worked just as I remember although the screen flickered for a moment. I did this by hitting the Print Scrn button. It immediately brings up the capture tool with the drop down still on-screen for capture. I noticed the results were not the same, so I tried it again on the home page.

This time it did not work... very odd. I went back to the other page and tried again, and did not work. No matter what I tried with mouse clicking or keyboard shortcuts, I could not get the results that I got the very first time I tried.

Fortunately, Snagit also has a feature to video capture the screen. I quickly enabled video capture and recorded 2-3 seconds of me entering in the search until I saw the drop-down then ended the video capture. This quickly brought up the snagit tool with the video. At this point it did take me a while to figure out a way to take an image of the video. It was actually in a simple location (right next to the video console with the play, rewind, forward button)... the Capture Frame button.

So I figured all that in about 10 minutes so the interface was relatively easy to use, although I was already somewhat familiar with the product. I saw some familiar features like quick editing of captured images which I completely missed when using Microsoft's Snipping Tool and the very basic Print Scrn feature. Perhaps I should focus on more screen capturing posts and videos for the remainder of the trial version :P

I totally recommend this product for screen capture if you can afford it. There are a bunch of other features that I haven't looked at yet either, but I liked all the features from its older version that I couldn't find elsewhere (not that I tried really hard to find other screen capture solutions).

Reference:
http://www.techsmith.com/snagit.html
http://download.cnet.com/Snagit/3000-2192_4-10004813.html

Work Life: HealthCare.gov - Search Returns SQL Query-like Results

I didn't think this would actually work after reading this on a blog. What you see as the results are some SQL queries. Although it looks kind of dangerous at first, these results are likely from other users entering these terms, likely trying to hack into the website. Or also very likely (and hopefully), these could also be from third-party vendors who do website security checks, because these are fairly common tables that you would try if you were going to guess at what the table names are.

Even if the attempts were legal, the results are very poor. I even tried one just to see if there were any results. After a few more times, I also noticed that the suggestion results changed. This may potentially just be other people trying the search terms after seeing the post thus skewing the results as well.

My interest in this is primarily on the software release and software testing side. After these spotlight issues, these are the type of things you would consider in a typical software test. I've learned my lessons in this same area over a decade ago. Even then, I've had preventions to these types of attacks. So although I cringe at the thought that something like this could come about, I am also somewhat relieved that this can be overlooked even at such a product with that level of scrutiny. 

In this case, the suggestion feature still works. The results are just not very good quality for your standard insurance seeking web visitor. Even as a software engineer, this probably wouldn't help me find what I want although it would be neat to customize my own search query. I could perhaps write something that would be specific to my needs instead of a common person's template.

But let us say that this does happen to your company, how do we prevent this from happening in the future? My quick take on this is that there is no good process to prevent something like this because it is a type of issue where once you've identified it, the issue will be fixed, thus it is highly unlikely this will reoccur. For regression testing, you would add this to your set of search terms to look out for. I am sure that they most likely have SQL injection prevention implemented in the back-end, but that does not necessarily mean that the search results would be ok. In the regression test, it would be important to make sure that the results are also good.

But how do you test result quality? At first glance, this does not appear to be something that can be automated because there are just too many ways a user could enter information. The search does not have a clear measurable method to evaluate what a good result is. These are things that search engineers battle every day and still try to improve. Even if you find the right formulas for the common users, you may find someone trying to exploit the algorithm, thus throwing the results off.

From what I can come up with at the moment, the best method is to investigate the more likely SQL injection queries and have exceptions to those searches. This would not prevent other poor searches, but at least it would prevent some bad publicity while the program team figures out a way to improve the algorithm.




Reference:
https://plus.google.com/111405772080232969785/posts/P1ZEXFo681C

Life: Violent/Negative Impacts of Video Games

One of the big topics in today's parenting is about violent video games on children. There is lots of research, articles, and opinions on this topic. I think this does not only impact children but anyone who plays violent video games of any age.

I think these games do not make me any more violent than if I did not play violent games. It is possible that some people may learn to use violence as a coping mechanism, but I think this is more a lack on society in teaching the person alternative ways to cope with certain feelings. The problem is even worse with video games because it also takes people away from society thus forcing more stress on parents or guardians to focus on this behavior. In the past with other media, there was still at least some interactions with other people. Watching tv, movies, and/or listening to the radio allows other people to also be in the same proximity. So, violent shows and movies have similar impact but some social norms are still expected. It would be interesting to see impacts on people who do the same activities but by themselves.

What I think video games do to me is desensitize me from the violence. By this I mean that it is less shocking when reality presents me a similar situation. For example, seeing guns is less shocking because I see them in all the games. Although I have been taught to be careful, there is still some fear to be around them but after so many games, movies, and even the news, there is also a curiosity or cool factor to them. I would not be surprised that people with different exposure levels could be less inclined to stay away from things that could be very fatal or sadly excited to test to see if it is real.

To borrow from another genre of horror games, some things are less scary now because I am more used to seeing creepy creatures, blood, and other creepy music. Although this can be seen as a pro, this also shows how my increased exposure to certain things made me immune to certain feelings. Thus with violence, many people are "losing" the natural protection from violence which was our fear to violence. Perhaps that was not the best way to protect ourselves as we see our world compared to the past.

There was an article stating that criminal violence has actually gone down during the growth of video games among the youth. Unfortunately, I am not familiar with what can make an individual take the leap to that level of violence. Possibly since they act out earlier, these issues can actually be addressed before they are stressed to commit a larger crime. Another possibility is game addiction which prevents them from physically going out to commit crimes. Or maybe they lack so much social experience that they can no longer simply mix in with the crowd, thus making them stand out more.

To me, the main problem is education which means parenting for many families. What makes education difficult is the changes in the way we educate others. Each generation faces different exposure and different values. I'm sure society thought the 80's families were more violent due to the exposures to violent tv shows and movies. Before that, possibly blamed radios. Today's education issue is probably more pronounced than before due to many combinations of improved communications primarily in marketing (internet) and our society values in placing economic values over social values (free market). This may not be technically better or worse, but definitely requires a different method to address different underlying issues although the underlying issues may share the same outcomes.

Education is not the sole responsibility of the parents although they are the core source for many children. It is all of our responsibilities to promote people around us, including friends, siblings, family, and even our parents. For parents, parenting shouldn't stop even after the kids leave to lead their own lives (hopefully at a lesser level than before). I may not understand everything my parents tell me, but I am still listening even if I retort that our world is not the same. Sometimes it just takes a lot of repetition for the lesson to hit home, and sometimes it really is a different world.


Reference:
http://videogames.procon.org/#pro_con
http://www.aacap.org/AACAP/Families_and_Youth/Facts_for_Families/Facts_for_Families_Pages/Children_and_Video_Games_Playing_with_Violence_91.aspx
http://www.drphil.com/articles/article/297
http://www.pamf.org/parenting-teens/general/media-web/videogames.html

Friday, November 15, 2013

Work Life: Working Remotely

I have worked in the office or at a client's site for most of my career. The experience is as normal wherever I worked. I have had the good chance to work remotely for over a year. Well, I work remotely most of the time because I technically still have an office that I go to once in a while. I just want to state that because it is not exactly the same as working remotely all the time.

I did not have a lot of problems transitioning to the new work-style. Overall, my work quality has improved and my time management probably is a little better. I do miss having some face-to-face conversations. I think one of the easy aspects of the transition is my seriousness to working professionally. Another factor is that the entire team is spread around the country with a handful in the other hemisphere, so we are all used to teleconferencing even when in the office.

In my line of work, I do a lot of teleconferencing with desktop sharing similar to GoToMeeting or WebEx. I work with a lot of people. I become more serious with formality the larger my meeting is. I will be a little more lax as there are fewer people. As a software release manager, my role entails a lot of meetings. I do not have to do a lot of active participation in most of the meetings, but still have my share of meetings where I am the host.

There are some annoyances working with some other remote users. Those with kids and dogs are particularly frustrating at times. Some users just cannot separate their personal lives from the background. When people cringe just by seeing you sign into the meeting before the voice is connected, that is a poor sign that something needs to be done. If their dog cannot stop barking, then the user needs to find another location to work. I am fine with people who had to stay home for an emergency or have some background sound due to other extraneous situations. I'll even let some construction or even just a bad day (or even two). But if you have loud background distractions practically all the time, then you need to find a different place.

Because I'm in meetings a lot, sometimes there is some downtime waiting for people to attend. During these times, I'd use the time to clean up my work area which also happens to be the same area for personal use. This frees up a lot of time outside of work. Other times, I would just move over to my exercise fitness ball and do a few crunches. Not only is it healthy for me, but it really helps give me energy to focus on my meetings. Because I am not far from other chores, I can also cook and/or do laundry during my lunch breaks. This also saves a lot of time outside of work and is healthier. All of these add up so by the end of the day, I can actually relax and not have to spend my time working on personal chores which are not difficult but time-consuming (like laundry which is two 5 minutes and most of the time is just waiting).

Because I can relax more effectively, I wake up more naturally and rarely have the afternoon burn out. I work more effectively which also helps me make more use of my time. So working from home is quite beneficial for my employer.

The part that I miss is the interactions with other people. I do not feel as emotionally invested with coworkers. Interactions are a bit more impersonal which in turn actually helps me run my meetings more effectively. Although beneficial for the employer, there is slightly less personal feel to it.

If I could change something, it would be nice to have video conferencing but the company's bandwidth is unlikely to hold up since we could have up to 30+ people in a meeting. Alternatively, maybe just a "white noise" video conference of your immediate team even if no one is talking. It will be virtually like being in an office except you can actually mute if you need silence or "peek" over at someone and see what they are working on or just listen in to their meetings without having to bug them about their schedule or for an invite.

Also, I think some people will have a little easier time empathizing with others. I've found that some people feel that they are singled out but do not realize that the other person is just that way with everyone. They just do not see it because you cannot see that sort of thing from a remote location. There have been several conversations with colleagues where I just say that they don't have to stress on it because the person is like that to everyone.

So there are some new social norms remote users have to be more aware of. Because I have lost the visual aid, I have to be more careful on how I deliver my messages. Too quiet and they think you are not confident in what you are saying. Interrupt too much and they think you do not respect them (there is a very slight lag time that most people do not realize but makes it easier for certain types of people to interrupt others). Talk too much and you will likely lose your audience without even knowing it. Multi-tasking is very common in remote users.

A good sign that your meeting is losing its focus is when more and more people respond with "sorry, can you repeat that?" There are all sorts of variations of the question but basically they are saying that they were not paying attention to the meeting and were working on something else. This is ok if the person is not an integral person to the meeting. Those people should not be a permanent member of the meeting though. But when your crucial participants say that more frequently, the agenda of the meeting is somehow lost and should be restructured.

Another problem with remote users is that it is now so easy to attend meetings that you do not need to be attending. I've been on meetings where there were 50+ people and only 10 people really needed to be on that call. Worst is when those 10 people go even further off-topic or extend the meeting longer than necessary. Personally, I think if only 20% of the people on the call are actively participating then the meeting needs to be restructured. Also on this topic, I always find it ridiculous when meetings have both the team's manager, team members, and both are inactive. If that were the case, the manager should kick off his team and have himself or another member stay on to later summarize key points for the team. There is no reason for the entire team to be wasting time listening to a lot of topics unrelated to them.

Financially, it saves both parties. The company saves on office space and utilities while employees save on gas (and probably eating out for the younger generation). There will be fewer complaints about working extra time here and there because they also save commute time (although employers/bosses should not expect this if they did not expect this in-office). Particularly for IT, this also makes it easier to transition to more flexible hours. Work four hours in the morning, then stay up really late for a late night install.

My opinion on working remotely is that it works for some people but not all people. In general, it works and should be considered as a solution but do not expect that everyone will thrive in such an environment even those you know who have good work ethics in the office.

Wednesday, November 13, 2013

Question: Max 90 days of audit logs?

In one of my meetings, one of the new requirements was to keep audit logs for only 90 days. Up to this point, the audit logs were kept for 1 year. This was according to a new mandate that I am not familiar with.

What is the reasoning behind mandating a shorter period of audit logs? I can understand if it was stated as keeping a minimum record, but not even allowing more logs seems odd to me.

Monday, November 11, 2013

Life: Designing Graphical Interfaces for Seniors and Understanding Their Obstacles

Although there were few lessons that my parents can teach each year, I still learn many things from them without them telling me their experience. One of those things is technology. While I'm in a world where we want things smaller, more portable, sleeker, cheaper, etc., my parents' generation complains more and more after each "upgrade" in their lives.

They eventually adopt but not because they really want to but more that they are forced to. At least with hardware, it is easier for them to see that things have changed. But with software moving more agilely, I am burdened more and more on explaining why certain things are happening. For some reason, it is harder to explain something that has changed in software. They are used to change, but sometimes the way software changes, changes.

For example, my mom just complained about the recent change in Yahoo! mail. To me it looks nice and a smooth interface. But to her, the problem was that she could not read the email as well as she used to. The font is thinner, the background color is a medium blue which made it more difficult for her to read. This was more difficult for me to understand because there were no problems for me to read what she was pointing at.

Surprisingly, I thought it would have been easy to change the colors but it did take me a few minutes to realize that there is no configuration to do that. The way you have to change it is to change the theme. There was also another option which is to return back to basic mode, but there is no way my parents would know to do that. I do not regularly use Yahoo! mail so it was difficult for me to know too since I did not really know what it used to look like.

Because the changes are agile, my mom had an earful from me on trying to figure what she did to make the changes. To my embarrassment, I did not consider that the software made the changes on their own (of course, I wish she could explain problems better than "it is harder to read now" then repeating it as if the tone can explain the problem better).

The hardest part is when they ask why? How do I answer that within five minutes to someone who has practically zero interest in programming except that her son gets paid doing it? Either way, I tried and she will likely forget by the next time we have this conversation but at least the result is better than just saying that she won't understand. Who knows... maybe one day all the conversations will just click together (my hopeful thinking).

While on this topic, this makes it more complex for designers to consider all the demographics. Of course, time to market will dictate that you target your main audience. But certain things like the Affordable Healthcare (Obamacare) website could be geared to be more friendly towards seniors and/or non-English speaking citizens. Although I like to see more things on the screen (which is usually accomplished by having smaller text), I can survive reading bigger fonts and scroll a little more.

Actually if there was an example to provide, the older generation seems to love those chain mails with power points: huge fonts, each slide is very brief, very simple instructions (if it exists), and easy to use. Even my mom understands the jokes (some of them I was surprised that she even understood). They do not even seem to mind that some of the decks are 20 to 50 slides (although I do not recommend the length, but if necessary they prefer more brief messages than a short blurb).

With that in mind, one of the features I really like is the browser's ability to zoom. This seems to solve a lot of problems even with older coworkers. Although when screen-sharing, this becomes a little dicier depending on who and how many people are on the bridge. A presentation changes quite dramatically when you are comparing different options on a single slide as opposed to multiple slides. I think this adds unnecessary stress on the presenter but one that cannot be avoided at this time especially when the higher up the ladder you go, the older they get (usually).

Fortunately, I have not (at least to my knowledge) had a "senior" moment yet. But someday, I will also be in the same boat and hopefully by that point software development would have grown to already consider these factors so that I wouldn't even realize that I am getting older (one dares to dream).

Sunday, November 10, 2013

Life: TD Bank Debit Card expired and Dormant Bank Accounts

I was just checking out some features on the TD Bank website and TD Bank mobile app and ran into some problems. So, I went to a branch and inquired about it. I didn't have to wait long probably because it was a mid afternoon Friday.

While the representative was looking into it, she also noticed that my debit card had expired because I haven't used it for a while. I found this odd because I thought they typically send a new card. Since I almost never use a debit card, I haven't actually bothered to check before.

At the same time, I have also learned that there is such a thing as dormant accounts where if the account is inactive for a period of time, the bank turns your money over to the state. I found a website where you can look for unclaimed money, missingmoney.com (link provided below). Some states may have their own site, so you may want to try that first. I found using the search term "Unclaimed Property" plus your state will find most states' sites.

At first, I thought this practice was odd but I could see some value to this although I cannot really find the real reason online yet. Although I find 1-3 years to be too short, it seems like the government has shortened this over a period of time. I am also not sure how long the funds can stay in the unclaimed funds for each state. One benefit is that it does protect you from the bank creating new policies that may "legally" take your money over a period of time since most banks have the open clause to change their policies at any time. I believe most policies take effect within a year. One of the policies could be to add fees due to inactivity. Then at some point additional fees below a minimum amount. If there was no minimum amount, the bank could also add a policy for that as well. Not great customer service policies but sounds legal. I'm not sure what other reason there could be.

If longer than that, the policy would also be good for long term inactivity. Perhaps your parents invested money in your account that you did not know about. Or you had an account that you forgot about because it had low funds. By turning the money to the state, you now have a centralized place to find your funds. Also I think this may also include retirement funds. So if you had a 401k from previous company and forgot to change your address, those funds may also go towards that (I am guessing at best).

Also, if the person has the bad fortune of getting into an accident with long term health problems, or death, or anything that prevents them from communicating their accounts, friends or family could see if the person had funds to be possibly used for bills or inheritance. I can see how the shortened period would help this case.

I'm not sure if this is true, but you may want to also check if CDs may fall under the inactivity rule. It sounds odd that CDs would fall under that but there was a site with complaints. I did not investigate further if this was legitimate or not because I have not owned any CDs.

All in all, the experience was very nice at TD Bank. I did get my services enabled. I was in a hurry and didn't ask what caused the problem (although I should have), but my guess is that it may have been flagged as dormant. I had a small fund account sitting there for a couple years because it was for some charity. I would definitely give TD Bank more consideration in the future. The rep even mentioned about mortgages but did not "sell" their service and was more conversational which I actually do appreciate. I had a poor experience with a branch with another bank in NYC that sells even another account every time I go in just to get a check. It was only that branch though because I did not have that problem in other states.


Reference
http://www.ehow.com/facts_5009248_what-happens-dormant-bank-accounts.html
http://www.whec.com/news/stories/s2964818.shtml
http://www.city-data.com/forum/new-jersey/21417-nj-will-confiscate-you-bank-accounts.html
In general - http://www.missingmoney.com
For California - https://ucpi.sco.ca.gov/UCP/Default.aspx

Friday, November 8, 2013

Life: Sleeping - Changed Beds

I switched from a standard innerspring bed to the box-spring. Fortunately, the box-spring is flat enough for me to sleep on. The reason I ended up sleeping on the box-spring is that my mom needed a mattress. The details of that are odd and not important for this post.

Historically, I have been able to sleep anywhere. I have no problems sleeping in a chair, on a plane, train, hardwood floor, on multiple chairs, and probably even standing up. I actually was a little uncomfortable for the first couple days on the box-spring. I did not have a lot of problems falling asleep, but was a little sore when waking up.

After a while, I did get used to sleeping on it. And what inspired me to write this post is that I actually feel a bit more refreshed than usual. It takes less time to "wake-up" and I am more focused on morning tasks. I am not exactly sure why that is.

Looking back, I want to say that I do have a tendency to feel better after changing where I sleep. Every so often, I would choose to sleep on the couch and would feel like I had "better sleep" but it would wear off. Then I would have better sleep when I switch back to my bed.

Sleeping or napping in a sitting position has never been as beneficial unless it is in a car. Even sleeping in the car does not compare to sleeping lying down. I've camped outside a couple times and do not recall being grumpy about it but then exercise (ie hiking) typically helps me out of the haze quickly.

Thursday, November 7, 2013

Interview: Talent Shortage or Poor Hiring?

Read another article by the Evil HR Lady on talent shortages. I believe there is a talent shortage but not in the same sense that the article discusses. Judging from my interviews, I can tell that most of my coworkers were qualified for the job but were they good? That is a different question. When they say talent, do they also mean that they are talented or have sufficient skills to do the bare minimum?

Sure they had the qualifications and some even had better qualifications, but they lack ability to adapt to many of the changes that occur in the technology field. I believe one of the entropy to company growth is the inability of some people to grow independently. I do not know how many hours I have wasted training people who just have no interest or will to learn something new.

I am one of the few people who is not part of the legacy employees who have been there for 20+ years. Initially, that sounds like they would have great wisdom but much of it has been obsolete for a long time. They were impressed by classic ASP solutions when ASP.NET has already been around for a decade. Agile has been around for a decent amount of time now, yet we have struggled with its adoption for a couple years now and it is still not fully implemented. I found that the problem is not because we did not have the talent, but that we also had poor talent. Because they were unable to adapt and change, technology and process was more difficult to adapt and change. Because we also live in a culture where our tools also have to be foolproof to the lowest denominator, solutions that we used to manage projects, time, and defects also must be adapted for the new process as well as people unable to adapt at the same speed.

While I'm kind of on the topic of poor hiring, I always found it amusing when I saw requirements for 10+ years of a certain technology when it has been around for less than 10 years. I recall around 2008-2009 that positions required 10+ years of ASP.NET experience when the initial release was around 2002. It was not programming in general as if it was grouped with C++ or Java. I have even confirmed that with recruiters.

All job positions require "excellent" communication skills and yet most people I work with do not have excellent communication skills and a good number with sub-par communication skills. So what do they mean by excellent communication skills? I consider mine to be rather poor yet my documents and decks are used, adopted, or made into templates. Many even going up several levels higher than I had intended for the documents to go. This is rather discouraging that even managers are not even at par with my work. Besides actual artifacts, very few people have empathy to fellow coworkers. Everyone has their own views and very stubborn with that state-of-mind, and I always seem to be the center of repairing inter-departmental relations or supporting good talents.

But I am not without my faults either. Unfortunately, one of my weakest abilities is regurgitating information. I cannot just list out items that do not occur on a regular basis. For example, I am not good at answering definitions of OOP, polymorphisms, encapsulations, etc. I know what they are and can write examples, but I cannot just spew out the formal definitions without preparing before an interview. So, I do not do well in traditional interviews especially with general recruiters. Fortunately, this "problem" helps me to stay consistent with documentation which I have learned is very important for audits. Sadly, most people come to me when there is an audit because I tend to have the information and also find them but distracts me from my value to the company.

So to end this post, I have made a mental note of a lot of people that I would hire if I had the chance to. Many of them do not look very impressive on paper but have the ability not only to learn but to excel at providing their value. Typically, their problem is that they are weak in presenting themselves or too humble. And those I believe are the real talents that companies should not only hire and retain, but also change business cultures around. Talents that do bare-minimum work that can be explained on paper, I do not consider them to be talents. But if the employment industry believes they are considered talents, then yes there are plenty of them but I wouldn't keep many of them long if I had my own company or team.

Reference:
http://www.inc.com/suzanne-lucas/theres-not-a-talent-shortage-you-just-stink-at-hiring.html

Wednesday, November 6, 2013

Complaint: Google Analytics - Demographics and Interest Reports - New Tracking Code

I was playing around with Google Analytics and stumbled across the Demographics and Interest Reports which seemed interesting at first but it brings me to a page to say that I need to make a change to the scripts to have this work.

Why didn't they just give me the proper scripts to begin with? I have the option already enabled. This is quite a hassle even though I know how to do the work. Then again, after trying to follow the instructions I could not find what they needed me to change.

The instructions are to change:
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
To:
ga.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'stats.g.doubleclick.net/dc.js'; 

And nowhere in the script do I have these lines. The code surrounding the lines is not supposed to change, but even that is not what was provided in the script by Google Analytics. What is provided to me is the following:
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-xxxxxxx-x', 'xxxxxxxxxxxx.blogspot.com');
  ga('send', 'pageview');
Figuring out what the changes are, I could deduce that I change google-analytics.com/ga.js to stats.g.doubleclick.net/dc.js. But then I checked the privacy policy and noticed that this also required me to update my privacy policy. At this point, this is just too much of a headache so I decided not to move forward with this change until I figure out what to do about the privacy policy part. Whatever the reason for not implementing the change, I find it odd that the instructions to update the script are not correct for me which I would expect from a company like Google.

Release Management

Whose responsibility was this issue? For my team, this would appear to be needed from our product team. It is also odd that no one has a checklist to make sure that documentation should be updated since the instructions appear to have been for an older version (here's an example to publish versions for those people who believe version numbers are practically obsolete due to new agile processes). None of the steps after product would really check on this change because it wouldn't exist in the requirements since it was missed. This wouldn't have a chance to be caught until much later in the process like User Acceptance Test (UAT)... possibly System Test (ST) if they did some free-style testing which I find unlikely since most corporations would have the team follow test scripts which would exist since there was no requirement. Also odd is that even after all that, a user like myself should have reported this by the time I got to this (although I am making a huge assumption that this feature has been out for a while). But Google typically had something like a "did you find this helpful" and of course, it does not exist for the one time I looked for it.

So even after all that, there is a chance that I have missed a step somewhere. I am not sure where I skipped a step and if it wasn't that intuitive then something at least needs to be improved.

Reference
Instructions to change - https://support.google.com/analytics/answer/2444872?hl=en&utm_id=ad
Policy requirements - https://support.google.com/analytics/answer/2700409
Google Analytics - https://www.google.com/analytics

Sunday, November 3, 2013

Cooking: Chicken Innards/Giblets and Cutting Chicken

I started to buy whole chickens to practice cutting them. To my surprise, there were some extra parts. The heart and liver were easy to identify. I had some trouble finding the joints to cut but eventually I had all the different parts.

The second time, I bought chicken from Costco. This time there were more giblets which I did not know what they were. There is this mushy looking thing where a part looks kind of like intestine. It is a lighter color than the dark brown/red color of the other gizzard. There was also a part that had a whitish color. This I found later was the gizzard. There's also a dark brownish color with something hard inside which I think is the neck but the color is kind of weird.

The links below helped identify a few things.

Reference:
http://www.thekitchn.com/what-are-giblets-65220
http://www.nytimes.com/video/dining/100000002155362/cutting-up-a-whole-chicken.html

Saturday, November 2, 2013

Cooking: Parsley vs Cilantro/Coriander - Visual Aid

So the other day I learned about parsley because I meant to buy cilantro. I just figured it was a different name like coriander since I bought it in an asian mart where they do not always use the proper names. Fortunately, I was splitting my vegetables with my mom since I cannot eat all the vegetables that come in bunches (parsley, green onion, spinach, napa). She was surprised that I bought parsley which I said I was going to use with guacamole or salsa, then she started laughing that I bought the wrong vegetable. Sigh... at least someone had a good time out of my misfortune. In retrospect, I'm surprised she knew what I was talking about since I've never seen her make salsa or guacamole.

Of course later, I went online to see the difference and to my newbie eyes... they still looked the same to me! After staring at it for a while, I thought I figured out the difference. A few days later, I went to buy cilantro because I still needed them with the avocados that I bought. Of course at the supermarket, they didn't organize the signs with the vegetables. It was like the world was testing me... and the world won.

I was staring... and staring. I thought parsley had slightly larger leaves. After some more staring and nervous now that someone might think that I was crazy staring at the two for so long, they started to look the same again. So I chose the one that appeared closest to the cilantro sign which smelled like cilantro... at least I thought that was the smell of cilantro. Then when I checked out, I noticed on the receipt that it said parsley. Oh no...

I still had some parsley leftover, and I am seriously blind to the differences. Then I checked again online, and I found this nice site on Better Recipes which gave a great tip that Parsley had pointy leaves while Cilantro had curvy leaves. So I had ended up buying the correct one (the second time around). Parsley went very well with my chicken soup which I think I am getting better at. I haven't quite figured what to do with the liver and heart they leave for you in the whole chickens.



Friday, November 1, 2013

Complaint: Curly Braces with Confluence v3.x (Jira) and SharePoint

There is an issue with Confluence when using curly braces in a URL. This should be easily replicated by typing in any URL with curly braces, like http://test.com/?param={test}. Another example is to copy the URLs in SharePoint into Confluence.

What happens is that Confluence attempts to convert the curly braces into macros. At the same time, it tries to convert them into clickable links. I was unable to find a way to disable this. I even tried to use the forward slash, '\', to disable it and display the curly brace. Since that did not work and I could not disable the conversion, I removed the http portion which helped display the link.

The workaround to fix this problem is to replace the left curly brace with %7B and the right curly brace with %7D. For example, http://test.com/?param={test} will become http://test.com/?param=%7Btest%7D. What I do not like about this workaround is having to listen to people complain about having to do an extra step, or even worse not pay attention and not change the braces because not making the change really messes up the page especially if they are embedded in tables.
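The workaround above can be checked and applied to a whole page of wiki text before it is pasted in. The script below is an added example, not part of the original post and not Confluence code: it lists URLs that still carry raw braces and encodes braces only inside URLs, leaving macros such as {info} alone. The sample page text, the sharepoint.example host, the function names and the choice of characters that end a URL are all assumptions made for the illustration.

```python
import re

# A bare URL runs until whitespace, a table-cell bar, link brackets,
# angle brackets or a quote (assumed delimiters for wiki text).
URL_RE = re.compile(r"https?://[^\s|\[\]<>\"']+")


def encode_braces(url):
    """Apply the workaround to one URL: { -> %7B, } -> %7D."""
    return url.replace("{", "%7B").replace("}", "%7D")


def find_unescaped(text):
    """Return (line_number, url) for every URL that still has a raw brace."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            if "{" in url or "}" in url:
                hits.append((line_no, url))
    return hits


def escape_urls(text):
    """Encode braces inside URLs only; macros outside URLs are untouched."""
    return URL_RE.sub(lambda m: encode_braces(m.group(0)), text)


# Constructed sample page: one macro, one inline URL, one table with a
# SharePoint-style URL and one URL that was already fixed by hand.
SAMPLE = """\
{info}Release links for this sprint{info}
See http://test.com/?param={test} for the test page.
||Name||Link||
|Build list|http://sharepoint.example/Lists/AllItems.aspx?View={3F2A-11}|
|Already fixed|http://test.com/?param=%7Btest%7D|
"""

if __name__ == "__main__":
    for line_no, url in find_unescaped(SAMPLE):
        print("line %d still has raw braces: %s" % (line_no, url))
    print(escape_urls(SAMPLE))
```

Running `find_unescaped` on a page before saving it catches the case where someone forgot the extra step, including URLs buried in table cells.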


I apologize that I do not know which version of Confluence is being used. I do not have access and couldn't find it before having to leave work.


Update 1/27/2014 - I have found that the latest this version is 3.x.

Reference

Work Life: Upgraded to Confluence 5.1.5