Recently I’ve received a handful of reports of a security issue in Factor.io. The attack goes something like this…
The “right” behavior is for the app to block access, since essentially the user is replaying cookies that should be invalid. This requires tracking all of the sessions on the server side.
I started doing some research into this issue. I learned a couple of things. First, this is an incredibly prevalent issue and likely one that the majority of websites have. And second, it is relatively low risk.
It is prevalent because in most cases the way sessions are handled is to store the session in the cookie without storing it server-side. So when you log out, it deletes the cookie but doesn’t do anything on the server/database. I suspect it is done this way because it improves performance (fewer calls to the database), and because this makes it possible to have multiple sessions (i.e. logged in to the same website from multiple locations) without having to track all those sessions server-side.
Under the hood we use Devise, which is the most popular system for AuthN/Z for Rails-based applications.
As potential white-hat hackers, it would be tremendously beneficial to the developer community if you provided a solution to Devise that handled multiple sessions in a performant way.
As such, we will not be fixing this issue. The reality is that the folks behind Devise do a much better job of building and testing their framework than we ever could. If I were to create a divergent implementation I would be at high risk of introducing other security vulnerabilities to the system.
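To make the trade-off above concrete, here is an added example (not Factor.io’s or Devise’s code) in plain Ruby. It puts the common cookie-only scheme the post describes beside a minimal server-side session registry: both issue HMAC-signed cookies, but only the second keeps a per-user table of live session ids, so logout can revoke one session while other devices stay logged in. The secret, user names and the `CookieOnlySessions`/`TrackedSessions` class names are constructed for the illustration.

```ruby
require 'openssl'
require 'securerandom'

# Constructed secret for the example; a real app loads this from configuration.
SECRET = 'example-secret-do-not-use'.freeze

# Signs and verifies cookie payloads. Both schemes below share this helper.
module CookieSigner
  def self.sign(payload)
    "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)}"
  end

  # Returns the payload if the signature is valid, nil otherwise.
  def self.verify(cookie)
    payload, sig = cookie.to_s.split('--', 2)
    return nil if payload.nil? || sig.nil?
    expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
    secure_equal?(sig, expected) ? payload : nil
  end

  # Constant-time comparison so signature checking does not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Scheme 1: the session lives only in the cookie; the server keeps no record.
class CookieOnlySessions
  def login(user_id)
    CookieSigner.sign("#{user_id}:#{SecureRandom.hex(16)}")
  end

  # Logout can only ask the client to drop the cookie; there is nothing server-side to update.
  def logout(_cookie)
    nil
  end

  # Any cookie with a valid signature is accepted, including one the user already logged out of.
  def authenticate(cookie)
    payload = CookieSigner.verify(cookie)
    payload && payload.split(':', 2).first
  end
end

# Scheme 2: server-side registry of live session ids per user. Several concurrent
# sessions are allowed; logout revokes exactly one, logout_all revokes every session.
class TrackedSessions
  def initialize
    @active = {} # user_id => { session_id => created_at }
  end

  def login(user_id)
    sid = SecureRandom.hex(16)
    (@active[user_id] ||= {})[sid] = Time.now
    CookieSigner.sign("#{user_id}:#{sid}")
  end

  # Returns true if a live session was revoked, false if the cookie was already dead or invalid.
  def logout(cookie)
    user_id, sid = parse(cookie)
    return false unless user_id
    !@active.fetch(user_id, {}).delete(sid).nil?
  end

  def logout_all(user_id)
    @active.delete(user_id)
    true
  end

  def active_count(user_id)
    @active.fetch(user_id, {}).size
  end

  # A cookie is accepted only if its signature is valid AND its session id is still registered.
  def authenticate(cookie)
    user_id, sid = parse(cookie)
    return nil unless user_id && @active.fetch(user_id, {}).key?(sid)
    user_id
  end

  private

  def parse(cookie)
    payload = CookieSigner.verify(cookie)
    return [nil, nil] unless payload
    payload.split(':', 2)
  end
end

# Walks both schemes through login, logout, and a later reuse of the old cookie.
def demo
  results = {}
  stateless = CookieOnlySessions.new
  c1 = stateless.login('alice')
  stateless.logout(c1)
  results[:stateless_reuse_after_logout] = stateless.authenticate(c1) # 'alice': still accepted

  tracked = TrackedSessions.new
  c2 = tracked.login('alice')
  c3 = tracked.login('alice') # same user on a second device
  tracked.logout(c2)
  results[:tracked_reuse_after_logout] = tracked.authenticate(c2)   # nil: rejected
  results[:tracked_other_device_still_ok] = tracked.authenticate(c3) # 'alice'
  results[:tampered] = tracked.authenticate(c3.sub('alice', 'admin')) # nil: signature fails
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The cost the post alludes to is visible in `TrackedSessions#authenticate`: every request does one lookup in the registry, which in production would be a database or cache hit, whereas `CookieOnlySessions` needs only an HMAC. In exchange, logout actually ends the session server-side, and `logout_all` gives the app a way to revoke everything for a user (for example after a password change) that the cookie-only scheme cannot offer at all.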
My grandma was born in Poland before World War II. She saw the German invasion, the Polish uprising, the Soviet invasion, followed by 44 years of Soviet occupation (economic depression), raised three kids, saw 5 grandchildren grow up and now has 7 great-grandchildren. She saw a lot, but computers weren’t one of them. She never learned to use a computer, and the most sophisticated technology she uses is the TV and radio.
I, on the other hand, grew up on the opposite end of the technology spectrum. I also grew up with a very international family. Over the past decade my family has been living in Germany, Norway, China, South Korea, and Michigan, all while I’ve spent most of my time in Seattle and Portland. Skype is our primary communication medium, as it is for so many other immigrant and international families.
I wanted to see my grandma when we talk. I also want her to see pictures of her children, grandchildren, and great-grandchildren as they grow up. How do I bring that capability to a person who’s never used a computer and lives across the world?
My first option was a computer. A Windows-based system is out of the question, even technologically competent people struggle using Windows. Mac might be a good option, but it is overkill and still too complex as there are too many things to screw up. Smart phones are much simpler, but the screen is too small. This leaves me with one obvious choice, the tablet.
I got a Samsung Galaxy 4 Tab for her. When I unboxed it I started stripping everything away. Any knob, button, configuration, choice, etc. is not a “feature”, it is a complication. When I had only a skeleton left, it was still too complicated. Apps, multiple screens, swipe gestures, numerous default apps, the web browser, etc. can be hard to learn and prone to error.
"I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail." - Abraham Maslow
As a developer, I think I can solve this with code.
Welcome to “Grandma OS” V1. I just started the mock-ups and some prototype code. My goal is to get this done in less than a week only working in the evenings. Here is how it works.
First, this is what’s known as a “Launcher” on the Android OS. It isn’t actually an OS in the traditional sense; it is more of a home screen. Each Android device has a “Home” button on it, and when you hit that button this is the screen you get. If you are in another application, you can always hit the home button and come back here. It’s your safe place.
Notice that there is no top menu with the time, battery status, etc. I made this app full-screen so that it cuts any other interactions out.
The top two sections include some basic information my grandma uses every time: the time (in Polish), and the weather. The weather just shows an icon for the current weather, the low/high, and the current temp (in Celsius). I may set it up so that clicking this will load more information like a carousel, so that she can click on it once to get the 5 day forecast, then the details of today like the humidity, etc., and then rotate back to this view.
The three pictures include my mom, sister, and me. By clicking our faces it will immediately start making a Skype call. Skype itself is complicated so this makes the interaction much easier. Once she’s done with a Skype call she can just press the home button to exit out of Skype.
Lastly, the bottom is a rotating photo gallery. It will show the latest photo taken by my family and extended family on Facebook. It will rotate through every 10 seconds, or by clicking on the picture.
It comes close to being the world’s simplest user interface to a computer.
I’ve managed teams as small as 4 and as large as 300, and I’ve been on dev teams in the 1,000s (Windows Server). Many of the features in popular PM tools may be useful for large (100+) dev teams, but most of those tools are used by teams much smaller (<50). If your team is less than 50 people your PM tool can become a distraction, not a utility.
This is a list of “features” in Jira which you should never use. I pick on Jira but these are applicable to a number of other tools.
Alternatives: There are only two tools I can recommend: Github Issues and Trello.
I needed some decor for my home office and my Factor.io HQ office. Across the street from Factor.io, there is a new antique store. After browsing around I came across a few really cool vintage boating/sailing maps of the Puget Sound dating back to the 1960s. They were pre-loved with some markings for sailing routes, markers, and wear-and-tear; making them look vintage. They were only $8 a piece so I purchased four. This was more than I cared for, so I wanted to sell them online, but also use this as a little business experiment.
As my engineering instinct told me, I should build a website for this. But the lean startup practitioner in me told me otherwise. I needed to run numerous experiments to validate the market for such a product. Starting with wasting a ton of time on an app was a terrible idea. So here is a path I took for scoping down my initial idea to the MVP.
Done! My initial idea was to build an app that would have taken me up to a week if not more. After scoping my idea down I was able to accomplish the same in about 5 minutes.
Years ago I was the Director of Product at AppFog, a platform-as-a-service company. We wanted to build a feature, but the cost was high and there were many unanswered questions. You can read the details in the article I published, “Lean Startup in practice at PHP Fog”, but here is just a snippet from the intro.
We are a PHP PaaS (“cloud-based PHP hosting service”) and customers host their sites on our service. Potential and existing (and lost) customers asked if they could use their own SSL certificates for their own domain name, a feature we called “custom SSL”. We needed to build this feature, we just didn’t know the details.
This was a highly uncertain feature. There were many things we didn’t know: (1) if people were willing to pay for this, (2) how much they were willing to pay, (3) whether they needed to update certificates, or creating/deleting was sufficient, (4) whether they needed them for root level domains (foo.com) or sub domains (bar.foo.com) or both. Asking these questions wouldn’t yield great results; we had to design experiments to test our hypotheses.
In order to implement the minimal viable feature, we built a form on the Rails-based front-end. Once the form was filled out and the information stored securely, an email was sent to Mike, our DevOps Engineer, letting him know he needed to get to work. We called this the “Mike API”.
All too often entrepreneurial engineers think about the implementation of their product. As a developer you know how to build stuff. So for you, product development is the least risky part; getting market validation is the hard part. When you are thinking about implementation, think how you can most heavily leverage your “Mike API”, so you can focus on traction, not implementation.
I have a 10 month old son, a busy wife, a house, and I am a startup CEO. I also find the time to learn to sail on the weekends, go hiking with my son, go to concerts/operas/plays, build a smoker, and cook. I was recently asked how it is that I manage to do all that. Here is a list of my productivity habits:
About 90% of my reading is business, 10% is leisure.
I will read that in time blocks. You will see “Read XYZ” on my to-do list as a task. I have a couch in my office with a coffee table which I reserve for reading at the office. Just like my other tasks, these readings align with something you will see on my quarterly plan.
Leisure reading usually happens on vacation flights (I read Inferno last week on my way to/from Cabo), or sometimes in bed.
Sometimes I am stuck with something mundane and passive like sitting at a red light, waiting in line for the bathroom, sitting on the toilet, or strolling from my car to the office. These are the times my phone comes out and I do one of four things: read Facebook, read Twitter, read blogs (via Digg Reader), or read Hacker News. I generally don’t read, I just skim, post a quick comment, or mark interesting things to read later via Pocket.
For everything I could be doing I try to find a special balance where I can get 80% of the value while only doing 20% of the work. I apply this to eating, working out, feature prioritization, marketing, etc.
The Pomodoro Technique is a time management tool which helps focus work for 20 minutes while eliminating distractions, eliminating burnout, and clearly defining scope of work. I have my own little variation of this technique: