Their creator has disavowed them. People cannot agree on what a story point even represents. The measure is different for every team that uses it. They sow confusion, create conflict and unreliable timelines, are easily gamed, and demotivate and degrade the performance of your team.
For everyone involved, this is a waste of time. Let's deep dive into why Story Points are so broken and how to avoid dealing with them ever again.
I recently had the opportunity to speak to DEF CON 864 about the multiple layers of security automation within Gitlab, the open source tools that drive them and how the findings are managed and resolved.
The Carolina Code Conference is a welcoming and community-driven “polyglot” conference that’s set to take place in beautiful downtown Greenville, SC on Saturday August 19th, 2023 in the Greenville ONE building. This conference, which returns for the first time since 2019, invites coders of all experience levels to attend, plug into the development community, share their experiences and have a great time as well.
It might sound strange to hear that Microsoft, a company who goes to great lengths to protect computers and networks, is one of the biggest contributors to phishing and fraud on the planet. It's true unfortunately.
They aren't actually committing the acts themselves of course, but they are enabling the problem by withdrawing support for standards designed to help stop it. Here's why this is such a big deal.
UPDATE 4/12/2023: After years, Microsoft is finally fixing this by honoring p=reject. This is a huge improvement and deserves to be applauded. The work isn't done though. We need aggregate reports to avoid blind spots during our implementation. Offering the reports for enterprises is a great step though.
Lately, I’ve been spending a lot of time enjoying the Darknet Diaries podcast and it’s compelled me to finally share the entire story of the most intense year of my 20 year professional career. I was the sole developer hired by a company going through a circus-like ownership transition while criminals actively worked to defraud the 300,000 users of this 14 year old, high end marketplace.
We experienced late nights, numerous technical challenges, worked with abuse response teams, learned a lot of lessons about phishing and fraud, high emotions, death threats and at least one person lost a business that depended on the site. Here’s the story from start to finish, including how to prevent many of these problems on your own site. Buckle up.
Continuing our series from 2012, when I accidentally ended up combating phishing and fraud for a year, we move on to the spam issue. Everything that happened that year was an exercise in triage. Problems were everywhere on the system and in the marketplace. The site I was working on was the leader in a niche space, but it wasn't just the phishers who tried to capitalize on the chaos; it was our competitors too.
Spam takes a time investment and every time investment is a business decision. If you can't stop it completely, you can at least dramatically increase their costs...and have fun doing it.
DMARC deployment projects in larger organizations come with their own variety of challenges. A great many more people are involved, so there will be more communication, more approvals and more politics. Others will object on the basis of size. "Our company is simply too large!" some will say.
In the final section of our DMARC guide, we will discuss these common concerns and how to address the challenges. If 74% of the US Federal government did this in about a year, you can too.
Too scary? Messing with the configuration on your domain email is scary, especially if you're already sending a lot of it. You have to worry that you're going to screw something up and break all of the email communications for the entire company.
That's what I was worried about when I first rolled this out and had no idea what I was doing. One of the reasons I'm such a big advocate for DMARC today is that it was painless, easy and involved no risk at all.
Email shouldn't feel like a dark art, but to a lot of people it does. Everyone should have DMARC set up by this point, but they don't. Here's the first piece of a 3 part guide covering why it works and how to set it up.
Since writing about how to reverse account takeovers last week I've decided to write a security series covering all the weird things I encountered back in 2012, when I accidentally ended up combating phishing and fraud for a year. In the last article, the first recommendation was to set up DMARC. So let's take a deeper look at why, how and what's involved in long term management once it's set up.
Today, Brian Krebs reported on account takeovers happening at Experian, one of the 3 major credit agencies. The first step after getting account access is to lock out the account owner, usually by swapping the email address. 10 years ago I dealt with this problem extensively, so I'd like to share how to solve it.
After 20 years in software development, my frustrations with watching organizations hurt themselves through bad practices finally boiled over in my article, Reality Driven Development. The response and discussion from Hacker News led me into the work of Donald Reinertsen, who laid out the math that validated everything I was experiencing. Much of the Scaled Agile Framework is based on his work, which led into my journey with SAFe 3 years ago. Join me on December 9th for my first class, Leading SAFe 5.1.
In the last 2-3 weeks, after seeing a lot of recommendations, I decided to read the Refactoring UI book and then dove into TailwindCSS. Design has always been a huge gap in my skillset. As frontend complexity increased over the last decade, it seemed less and less worth it to invest time to fill it. Then came TailwindCSS.
In May I had the opportunity to present at the Anti-Phishing Working Group (APWG) Conference after spending some time cross referencing the APWG's eCrime Exchange data with dmarcian's historic DMARC reports to see if we could identify consistent patterns among known bad actors, as well as potentially identifying a wider scope to the attacks that any single entity could see. The results were interesting!
Over the weekend I got the chance to speak at the inaugural Carolina Code Conf in Greenville, SC. It's the upstate polyglot conference where just about any relevant subject is welcome, so I submitted a talk on Elixir. I also gave a lightning talk on DMARC thanks to our wonderful sponsor, dmarcian.
Not a lot of people know this about me, but I've almost exited programming at three different times in my career...because I wanted to get into project management at a high level. Ever since my first project management class in grad school, it just made sense to me...but after about 15 years in software it doesn't anymore. Let me explain how to fix it.
Elixir and Go have both grown significantly in popularity over the past few years, and both are often reached for by developers looking for high concurrency solutions. The two languages follow many similar principles, but both have made some core tradeoffs that affect their potential use cases. Let’s compare the two by taking a look at their backgrounds, their programming styles, and how they deal with concurrency.
This past September I took vacation time and paid out of pocket to drive to Orlando and attend ElixirConf with a few other programmers from Greenville who did the same thing. We weren't the only ones. Here is a belated recap from our combined notes and experiences.
A dive into the highlights of Elixir that make it the ideal platform for the web...and how all these questions were figured out 30 years ago. Presented to Upstate Elixir in Greenville, SC on Nov 16.
Email might be one of the most often overlooked pieces of any web application. Usually the biggest discussion around it in a project begins and ends with “and we’ll send them an email when this happens…”.
A little thought and some minor adjustments can help us avoid some problems that will grow as your project does. Let’s talk about email as a microservice.
Functions within PostgreSQL can be set up to return rows and included in queries just like any other table. Continuing with our theme of trying to push Elixir and Phoenix a little on this site rebuild, we will move our site search inside of a database function and experiment with different ways to call it from Ecto.
I'm at the borderline of obsessed with Elixir and Phoenix lately. I've avoided writing about it so far because it feels a bit too good to be true. In an effort to test my own enthusiasm, I decided to rebuild this site with them in the most ridiculous way possible just to try to test some limits. Because I already have an unhealthy obsession with PostgreSQL, we're getting crazy with it too.
DISCLAIMER: This is not a "how to build a blog" article. If you do what I'm about to do, people will look at you funny (and probably should).
Containers are not a new thing, but implementing them was always a little more complicated than it needed to be. Docker made great leaps in simplification of containers and set the world on fire from there. Let’s look at why.
Bosun is a monitoring and alerting system developed by the good folks at Stack Exchange, then open sourced for the rest of us. It’s written in Go, meaning its monitoring agents can run anywhere that Go can drop a binary… which is just about everywhere. So what exactly does it do and how does it compare to the likes of New Relic, CloudWatch, Nagios, Splunk Cloud, Server Density, and other monitoring tools?
PostgreSQL has a great feature called Foreign Data Wrappers (FDW) that allows it to connect directly to outside systems. Although the setup can be a little complicated, once it’s available you can run queries with joins or subqueries against them, insert data, create views, etc. Heroku has dramatically simplified the process of using FDW with PostgreSQL and Redis thanks to Data Links. Let’s try it out.
As development teams push farther toward continuous delivery, deploying updates to an application without disruption to users is constantly becoming a more sought-after practice. Amazon’s EC2 Container Service helps to make that easier than ever with tight Elastic Load Balancer integration.
Backing up your data is one of the most critical activities for your application. Heroku PGBackups makes the entire experience pretty simple but comes with a lot of flexibility too, with a number of options for smooth restoration.
I read an article earlier today called The self-hating Web Developer that I found on Hacker News and it bothered me. It resonated with me as something that I professionally internalized over my career, but it bothered me because Joseph encountered personal financial difficulty for both himself and his family due to the struggle. For that reason (and insomnia), I feel compelled to write this as a reference for anybody else who may be struggling with the same thing.
Building an application with a microservice architecture is an excellent long-term decision if you can afford the increase in upfront time investment to do it properly. Heroku provides a platform that most developers know for simple deployment, but it also dramatically simplifies microservices architecture.
PostgreSQL is becoming the relational database of choice for web development for a whole host of good reasons. That means that development teams have to make a decision on whether to host their own or use a database as a service provider. The two biggest players in the world of PostgreSQL are Heroku PostgreSQL and Amazon RDS for PostgreSQL. Here's a detailed comparison.
At work earlier today I ran across an issue where one of our application queues got backed up and it got me to thinking about how queues are organized in general. The TLDR answer: use urgency and intensity.
Here are the slides from my recent presentation to UpstatePHP in Greenville, looking at Go (Golang) from a PHP Perspective.
In August I taught a course titled Ruby on Rails and PostgreSQL - Intro to Advanced in Greenville over the span of 3 weeks. Here is the compilation of slides from the class.
This presentation covers my experiences combatting phishing and fraud using DMARC and assorted other techniques in a large eBay-like platform for a niche market...when the site previously did everything over direct user email...for over a decade. Good times.
A couple of days ago, TechCrunch ran a column about Developaralysis that hit a little close to home. Developaralysis is defined as "the crippling sense that the software industry is evolving so fast that no one person can possibly keep up." This results in otherwise accomplished developers freezing up when trying to make decisions about the best language / framework / cloud platform to use for their project. There is a cure and it involves code. A code specifically.
SSH::Batch is a simple command line tool, written in Perl, that allows you to run shell commands over SSH across multiple servers. These days it seems most people turn to Puppet / Chef / Ansible for that type of thing, but sometimes your needs aren't that complicated. For that, SSH::Batch fills the gap nicely and it's really simple to get started.
Here's the video from the August UpstatePHP meeting in Greenville discussing SQL vs NoSQL and where they are useful for your development process. I represented SQL solutions (*cough* PostgreSQL *cough*) while Benjamin Young represented NoSQL. Ben has actively contributed to CouchDB, worked for Cloudant, Couchbase, organizes the REST Fest Unconference (happening again September 25-27th) and is the owner of Big Blue Hat. I am a gainfully employed programmer...so...there's that.
If you've spent any amount of time on this site you may have noticed that I'm fond of PostgreSQL...and Ruby on Rails...and that I dislike the general trend among Rails developers to ignore all of the amazing features in PostgreSQL that make your application better in favor of risking data integrity just so that all logic can remain in Rails. So here's my top collection of Rails gems to get at all that untapped power in PostgreSQL that you didn't know you had.
It's been about four years since we last took on a new project as a company. Work continued for existing clients for a long time after that, but the company itself was basically dead from that point. I was on vacation with my family last week and somewhat reflecting on exactly how I got there after ending up in a hospital bed in the middle of the night four years ago trying to keep it going. Here's how it happened.
NOTE: I still personally consult through Brightball.
I got a newsletter last night from Screenhero announcing version 1.0. The problem is that in the announcement, they also announced a change in pricing that will probably kill a lot of what they have going for them. And I hate that. I REALLY hate that. I've worked for companies where we had to invest a lot of time cleaning up bad decisions, so maybe it bothers me a little more. I really like Screenhero though, so I'm going to try to help. I wasn't doing a good job of explaining myself to them via Twitter, so this should hopefully be a better explanation of what I was trying to communicate.
Nearly a year ago I put together an hour long presentation on PostgreSQL to provide an overview of all of the benefits it provides you over other options in the database space. In hindsight, that wasn't nearly enough time because it has the capability to replace almost your entire application stack outside of the web server. In any case, here is an attempt to summarize all of the amazing functionality that you're cheating yourself out of by not choosing PostgreSQL.
Beginning August 18th I will be offering a three week evening class aimed at professional programmers who want to learn Ruby on Rails and PostgreSQL, with the goal of becoming proficient with both in a very short time.
Lightning talk introducing pair programming based on information gleaned from RailsConf 2014. The bulk of the credit for this presentation goes to Chuck Lauer Vose of New Relic and Joe Moore of Pivotal Labs.
An overview of Ruby, jRuby, Rails, Torquebox, and PostgreSQL that was presented as a 3 hour class to other programmers at The Ironyard in Greenville, SC in July of 2013. The Rails specific sections are mostly code samples that were explained during the session so the real focus of the slides is Ruby, "the rails way" / workflow / differentiators and PostgreSQL.
This is a presentation that I recently gave at UpstatePHP in Greenville evaluating the framework landscape in PHP. We discussed why there are so many, history, goals, benefits, concerns and ultimately a recommendation.
In a recent post I provided my initial impressions of Docker, which were glowing to put it mildly. After spending more time working with it, I've found that it does still have some additional drawbacks in certain situations, but just about every situation is covered thanks to Vagrant.
After getting an intense look at Docker last night, I firmly believe that it is going to be the most disruptive server technology that we've seen in the last few years. It fills a much needed hole that's currently managed by very expensive solutions and it's being actively funded by some of the biggest players in the market.
This is a presentation I recently gave to provide an overview of PostgreSQL and some of its excellent features, including full-text search, multiple built-in datatypes, data compression and extensions.
Also, Morgan Freeman is narrating. You're welcome.
I've always been a proponent of the "right tool for the job" approach to programming. Different languages are well suited for different situations. Over the past 2 years I've spent a great deal of time with Ruby on Rails after coming from a background of PHP, Java and Perl. Here's how I got started and some of the lessons I learned along the way.
Web frameworks are great, don't get me wrong here. They provide a structure and consistency across projects that will transcend developers over the life of a system while dramatically simplifying the code base amongst other wonderful side effects. But what's the downside?
I'm obsessed with performance tuning. It's an itch that can never fully be scratched. A sickness that can never be cured. Here's the story of how I caught the bug.
I had the opportunity to visit the class of one of my legendary former professors yesterday and got to share a classic story about him...the time he gave us an impossible assignment.
Asking people for payment for work is a touchy subject for everyone involved. We've had the luxury of experimenting a little bit over our first couple of years, and here's what we learned.
When we first started out, we listed the thorough quality assurance review as an optional piece of our estimates. We had this incredibly naive idea that if we gave people the option to save a little money up front that they'd fully understand if there was anything that needed to be tuned up, post-launch. We learned our lesson...hard.
Have you ever been working on a website and needed direct access to the database, but couldn't get access without using something like phpMyAdmin? SSH tunneling can solve this common problem and a whole lot more.
In the age of Twitter and Web 2.0, we've started to see a lot of websites drop the standard www from their domain names. This could simply be a product of people following trends or just trying to be a little different, but the real question is "What are the drawbacks?"
Cake has a wonderful shell script function built into it called extract that will run through your code and create a .po file full of all of the text contained within your __('My text here') calls. You can then pass these files on to translators to modify them for your languages. When you want to add variables though, you have to break it up into pieces, which may change the context of the phrase. Here's a way around that.
I couldn't find any resources on setting up WYSIWYGPro with Cake so I developed this helper along with instructions for total integration with your system. If you've never used WYSIWYGPro, you should check out the demos. I've tried every WYSIWYG editor out there and none of the other ones even come close as far as I'm concerned.
PublishableBehavior allows the use of datetime fields for start and end ranges on content. Included functionality allows for checking published status, toggling to published / unpublished status, and adding conditions to a find to properly filter those results.
While working with the date/time input fields in Cake I got tired of having to select 3/6 drop down boxes to choose all of the date/time information and specifically of having to select 3/6 drop down boxes if I decided to clear the date. A little bit of jQuery will clear this right up though.
If you've spent any time wanting to use ACL on your applications, you know how tedious it can be to manually enter your entire controller and action structure. This Task will handle finding and loading or updating all of those for you whenever you run it from the command line.