Category Archives: Trip Report

Scaling Cloud Applications – Birds of a Feather (“BOF”) Session at TechEd

Today at TechEd in Atlanta, I served as discussion leader for a Birds of a Feather (BOF) session on Scaling Cloud Applications. The session had around 20 people in the room, and an unknown number watching the live stream, some of whom actively participated over Twitter.

"Bird's Nest" Panel

Some of the topics discussed:

  • SaaS vs. PaaS vs. IaaS, including the blurring of the lines between them
  • Scale Up vs. Scale Out vs. Scale back down — elastic scale means you pay for what you use — just start (or stop) using the resources you need and the billing will reflect this usage
  • Scale has many dimensions, some of which are Geographic Distribution of and Number of Users, Amount of Data, and Needed Computation Power
  • Cloud applications are architected differently, often decoupling user-facing functionality from services – the front-end may communicate with the back-end using a reliable queue (such as offered by Windows Azure); see CQRS pattern
  • There are many application architecture concepts that are shared across applications built for most cloud vendors – for example, the loosely coupled front-end/queue/back-end scenario mentioned above can be implemented on Windows Azure (which provides Web Roles, reliable queues, and Worker Roles) or Amazon (which allows you to build and upload Virtual Machines for the front-end and back-end, plus offers a reliable queuing service), other cloud platforms, and even on-premise – the cloud services just make these more natural to implement
  • Improving latency for cloud applications might be facilitated through a Content Delivery Network (CDN), geographic load balancing (such as through Windows Azure Traffic Manager), and other techniques

Many thanks to all who participated, including:

The BOF events were very well run by the INETA team (Chris Pels and a few others).

If you want a more structured treatment of some of the same scalability concepts, feel free to check out my talk on Cloud Scalability Patterns coming on June 1/June 2 via the GITCA “24 Hours in the Cloud” event. Here is the generic event description – follow the link to find out when my talk is slotted in.

Come and get your Cloud geek on! On 1st June, 2011 GITCA and Microsoft are running an event called “24 Hours in the Cloud”. There will be 24 one hour sessions around the world covering a wide range of Cloud Computing topics. The presenters will be live on twitter to answer your questions. I will be one among them. There is something for everybody, developer, IT pro and SQL enthusiast. There is no question that Cloud Computing is here to stay and this is a unique opportunity to be educated and gain an insight as to where Cloud Computing is going. Stay tuned for more details, such as how to join the “Cloud 24 hour party”, as the event date approaches.

If you have more questions on the topic, feel free to put it on Twitter (@codingoutloud), comment on this blog post, or email me (coding out loud at gmail). And, finally, below you can find the Twitter stream from the live event – latest on top, earliest on bottom – (which I salvaged via

Scale on!

@techedbof2011 7 hrs ago
BOF12-DEV on Cloud Computing is now coming to an end. #bofdev #msteched

@techedbof2011 8 hrs ago
Mobile apps are a big area for growth in the cloud computing area. #bofdev #msteched

@techedbof2011 8 hrs ago
Talking about moving existing apps to the cloud as we near the session conclusion. #bofdev #msteched

@techedbof2011 8 hrs ago
When you scale you can select the instance size in Azure. #bofdev #msteched

@techedbof2011 8 hrs ago
Decoupling front end from back end processing is an important concept. #bofdev

@techedbof2011 8 hrs ago
For scaling, one experience is knowing how much work to do and how much an instance can process in an hour. #bofdev #msteched

@techedbof2011 8 hrs ago
Would be nice if the Azure platform would monitor and scale for you. #bofdev #msteched

@techedbof2011 8 hrs ago
@itagsubbu Great to have you join us. #bofdev #msteched

@itagsubbu 8 hrs ago
@techedbof2011 Thanks for asking my question. I am watching this live event. #bofdev #msteched

@techedbof2011 8 hrs ago
@itagsubbu Yes you can scale either on a scheduled basis or programmatically #bofdev #msteched

@itagsubbu 8 hrs ago
@techedbof2011 #bofdev #msteched Can we scale up for a certain period in a year?

@rileybeebs 8 hrs ago
RT @jmilgram: Getting ready to attend Bill Wilder @codingoutloud Designing Scalable Cloud Applications #bofdev session at TechEd #mstech ...

@techedbof2011 8 hrs ago
Gmail is an example of SaaS #bofdev #msteched

@techedbof2011 8 hrs ago
How do you get resources to the cloud platform? #bofdev #msteched

@techedbof2011 8 hrs ago
IaaS eliminates the infrastructure but you admin, for PaaS both roles are eliminated

@techedbof2011 8 hrs ago
As you scale out across geographically dispersed data centers what is the impact on SQL Azure costs? #bofdev

@jimoneil 8 hrs ago
blurring of IaaS and PaaS is something interesting as well... becoming less of a differentiator? #bofdev

@techedbof2011 9 hrs ago
Silverlight app has 50K updates/sec #bofdev

@techedbof2011 9 hrs ago
Silverlight app that was not designed for the cloud. What to do? #bofdev

@techedbof2011 9 hrs ago
Thoughts on WPF app w/ Azure backend? Are you doing that? #bofdev #msteched

@techedbof2011 9 hrs ago
BOF12-DEV on designing scalable cloud applications is getting started #bofdev #msteched

@TashasEv 9 hrs ago
RT @jmilgram: Getting ready to attend Bill Wilder @codingoutloud Designing Scalable Cloud Applications #bofdev session at TechEd #mstech

@TashasEv 9 hrs ago
@rileybeebs I haven't forgotten about you! just haven't been able to leave the #BOFDEV sessions at all yet!

@TashasEv 9 hrs ago
The next #MSTechEd #BOFDEV : Designing Scalable Cloud Applications led by

@techedbof2011 9 hrs ago
The next #MSTechEd #BOFDEV : Designing Scalable Cloud Applications led by @codingoutloud

@techedbof2011 9 hrs ago
RT @jimoneil: RT @codingoutloud my 1:30 TechEd session on Designing Scalable Cloud applications #msteched #bofdev << will be heckling from afar!

@jimoneil 9 hrs ago
RT @codingoutloud my 1:30 TechEd session on Designing Scalable Cloud applications #msteched #bofdev << will be heckling from afar!

New England Code Camp 15

I attended New England Code Camp 15 today and attended a bunch of interesting talks, and I also gave a couple of talks myself. (Links to my slide decks are included below.)

At my talks, I mentioned the Windows Azure Pass – a 30 day FREE pass for using Windows Azure Compute (IIS or Worker Roles), SQL Azure, Azure Blobs/Tables/Queues, etc. If you didn’t get a handout at the talk, no worries! – You can still access the offer: Go here and use Promo Code BILLONAZURE. Let me know if you have any questions or if you use the promotion.

Talks I attended:

  • Maura Wilder and Joan Wortman’s talk on the Ext JS JavaScript framework (which I learned has an incredibly rich widget library and robust programming model).
  • Richard’s talk on becoming a better developer.
  • Ben Day’s talk on 7 Lessons Learned during his first large Silverlight dev project. Find out more by reading Ben’s article on the same topic, starting here.
  • Steve Maier’s talk on using Azure-hosted WCF services to serve as your mobile application’s back-end.
  • Chris Bowen on HTML 5.

My presentations (including links to the PowerPoint slide decks):

Many thanks to Chris Pels, Chris Bowen, and especially Patrick Hynes for such a great event! Thanks also to Telerik and Wintellect for sponsoring our food!

Also enjoying hanging out afterwards at Uno’s with Maura, Joan, George Babey, John Garland, Jesse Liberty, Pat Tormey, Chris, Veronica and Shawn Robichaud, Ron, and several other folks I didn’t get to say hello to…

Boston Azure Firestarter Wrap Up

Boston Azure Firestarter a Success!

We had 60-something folks attend the Boston Azure Firestarter (more photos) on May 8, 2010 in Cambridge, MA. This event provided both talks about important Azure concepts and hands-on-roll-up-your-sleeves-and-write-some-code Labs. Yes, attendees brought laptops! Feedback was positive. Many thanks to all the folks who helped make this event possible. This was a Boston Azure cloud computing user group event, supported by and hosted at Microsoft.

Many Thanks!

Those who helped prepare for the event, work the sign-in desk, help with technical problems, and handle the pair-programmer matching service included Nazik Huq, Chander Khanna, Joan Linskey, and Maura Wilder. Jim O’Neil and Chris Bowen (our East Coast Microsoft Developer Evangelists) were also on hand for trouble-shooting and general support and help.


Here was our speaker lineup:

  1. David Aiken from Microsoft’s Windows Azure team came from the left-coast in Redmond to the right-coast in Boston to keynote the event. David gave many demos, a couple of which were My Azure Storage and his new URL shortening service. David’s keynote was followed by:
  2. Bill Wilder: Roles and Queues talk + lab
  3. Ben Day: Azure Storage + lab
  4. Andy Novick: SQL Azure + lab
  5. Jim O’Neil: Dallas and OData
  6. Panel Q&A (in the order shown in photo below): Mark Eisenberg (Microsoft), Bill Wilder, Ben Day, Jason Haley, and Jim O’Neil

After hours, a smaller group unwound at the sports bar over at the Marriott. This included Jim O’Neil, Maura Wilder, Joan Linskey, Bill Wilder, Sri from New Jersey, (okay, other names are vague!) …

Steve Krug on Rocket Surgery Made Easy from Dec 2010 BostonCHI Meeting

Rocket Surgery Made Easy

Steve Krug speaks at BostonCHI

Notes from 08-Dec-2009 meeting

  • Steve’s new book – Rocket Surgery Made Easy – due in bookstores in a couple of weeks – material from this talk will be in his book…
  • Passed a copy of his book around through the audience for quick peek
  • 150 or so people in attendance

Writing process

  1. writing process: collect years of notes
  2. need deadlines to force you to write (and finish)
  3. collect relevant articles for each chapter and post them all on a wall
  4. once you’ve begun to panic, start throwing things overboard
  5. Outline, write, iterate
  6. get help
  7. throw things overboard (save for next book?)
  8. FAQ at the end of every chapter – good idea
  9. Doing usability (vs How to Think About Usability)

Doing Usability

  1. A morning a month – that’s all we ask
  2. Run tests – with whole team – at our site – scheduled monthly and well ahead of time – and debrief immediately after over lunch
    1. maybe do right before iteration planning
    2. company-sponsored lunch
  3. Start earlier than you think makes sense
  4. The sooner you get information, the better use you can make of that information
  5. Don’t wait until the site is “finished” – test it as soon as it is testable
  6. Don’t worry that “you already know about the problems”
  7. If you have nothing built, test other people’s sites
  8. Are you working on the site? –> Yes ==> test now!
  9. Recruit loosely and grade on a curve
  10. Beware implied domain knowledge
  11. Some testing can be done w/o your target audience
  12. Usability testers say many things that are similar to what therapists say – “what did you expect to happen when you did that?”
  13. Keep yourself out of it! It is about the user and what the user being tested is thinking.
  14. Make it a spectator sport
  15. Get everyone to come and watch the test – frequently the observers suddenly just “get it” that they are not their users
  16. Have high quality snacks. Keep the sessions short and compact. Do them on site. Make it easy for everyone to join in, hard to have a good reason to skip it.
  17. Record sessions with Camtasia ($300). Get a good USB desktop microphone ($25). Don’t record user’s face (“useless and distracting”). Use a screen sharing service (like GotoMeeting, $40/month?) to control the UI. High quality audio is important, and should be channeled to the observation room via GotoMeeting or Skype.
  18. Focus ruthlessly on a small number of the most important problems
  19. Serious because everyone will come across them, or serious because those who do encounter them will be seriously impeded.
  20. Don’t feel you need to come up with the “perfect” fix
  21. Ask everyone in the observation room to write down the three most important issues they observed. These are raised at the debriefing session over lunch.
  22. When fixing problems, always do the least you can do ™
  23. Prioritize the list, then work your way down the list until you run out of time/resources
  24. Sometimes a tweak is better than a redesign – don’t get suckered into a redesign – the perfect is the enemy of the good!
  25. Focus on the smallest change we think we can make to address the problem we observed
  26. Q&A
  27. Remote Testing?
  28. Remote testing is handy – saves travel time, recruiting pool grows, … do over skype or GotoMeeting.
  29. How to get it off the ground? Try a group usability test of competitor’s site – everyone can get behind that. Do one and hope people get enthused about it. Make the cost of swinging by to watch the testing really small.
  30. Be very cautious about asking users how to fix the problems they’ve encountered. “Users are not designers.” “Hopefully you know a lot more than they do about design.” Listen to them, but be aware that their ideas may not be well thought out. The purpose of testing is to “inform your design intelligence”.

NEJUG ~ JSR-299 – 08-Oct-2009

Very rough notes on JSR-299 by Gavin King from NEJUG Meeting of 08-Oct-2009


  1. Will enable deployment with subset of JEE feature set – so can leave out parts you don’t use – thinner footprint, less complexity?

Theme = Loose Coupling

  1. decouple server and client via well-defined types and “qualifiers” (beyond Interfaces)
  2. decouple lifecycle of collaborating components via
    1. server-side lifecycle management by Container
    2. allow stateful components to interact like services via message-passing
  3. decouple orthogonal concerns via Interceptors
  4. decouple msg producer from consumer via Events

Theme = Strong Typing

  1. eliminate lookup using string-based names
    1. enables smarter auto-complete, more power in compiler type checking

What’s unique?

  1. implementations of a type may vary at deployment time – without need for central list of available implementations
    1. no need to explicitly list beans (e.g., Spring) or use a Java-based DSL (Guice)

What kinds of things can be injected and how?

  1. Most java classes
  2. EJB session beans
  3. Objects returned by producer methods
  4. Java EE resources (e.g., JMS topics/queues)
  5. Persistence contexts (JPA EntityManager)
  6. Web service references
  7. Remote EJB references
  8. anything else can be supported through SPI (flexible extensibility via metamodel)
  9. Can define business-sensible attributes to specify injection types (e.g., InformalGreeting extends Greeting class, then have an @Informal attribute)
  10. Can use an injected object in a JSF or JSP page – e.g., the container will instantiate the right objects (construct as needed, etc.) and pass it in, such as in: `<h:commandButton value="Say Hello" action="#{printer.greet}"/>`
  11. Beans may need to be stateful – this is supported too – handled as lifecycle attributes such as @RequestScoped for per-request or

Scopes and Contexts

  1. Extensible context model
  2. Dependent scope, @Dependent
  3. Built-in scopes
    1. @ApplicationScoped, @RequestScoped, for servlet we have @SessionScoped [e.g., Login state object may store username in a member variable], for JSF requests @ConversationScoped
  4. Custom scopes – third party frameworks can support via SPI
  5. KEY POINT: Client does NOT know anything about the lifecycle of the session-scoped object
  6. Conversation context is scoped INSIDE OF (DOES IT NEED TO BE WITHIN, or is it just defined as more granular a SCOPE than) a session – can have more than one Conversation that don’t know about each other – supports multiple tabs, wizards, AJAX and other multi-step sub-tasks
  7. Better abstracts some concepts – a set of mappings can be defined such that a class can loosely reference (my term), say, a value from another object (like the user’s first name, from the Login object), and the container will take care of all the heavy lifting and just insert that value – nicely separates lookup logic so your business logic code can stay cleaner and refer to (as in example above) their “first name”, not the Login object directly


Interceptors

  1. Perceived to be more flexible, more generally useful (there are very few uses for Aspects now – nothing new in 5-10 years!)
  2. Should be decoupled from implementation via semantic annotations
  3. Should be deployment-specific – e.g., can turn off my transaction support during testing
  4. Ordering of interceptors matters – so do this centrally so you can manage/understand it – don’t bind interceptors directly to components


Stereotypes

  1. Reuse patterns – not just Interceptor bindings!
  2. Capture roles of components using stereotypes
  3. A Stereotype packages up:
    1. a default scope
    2. a set of interceptor bindings
    3. the ability to specify that beans have names by default
    4. (more)
  4. Uses @Stereotype annotation


Events

  1. Can be injected – as in void Login(@Observes LoggedIn loggedin)…
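Pulling three of the notes above together (qualifier-based injection from “What kinds of things can be injected and how?”, a session-scoped bean from “Scopes and Contexts”, and an @Observes method from this Events item), here is an added Java example written for this post; it is not code from the meetup, from Gavin King, or from the JSR-299 specification. It uses the real JSR-299/JSR-330 APIs (javax.inject.Inject, javax.inject.Qualifier, javax.enterprise.context.SessionScoped and RequestScoped, javax.enterprise.event.Event and Observes); the type names follow the notes (Greeting, InformalGreeting, Printer, Login, LoggedIn), while the package name, the FormalGreeting default implementation and the audit message are assumptions. Each `// File:` marker starts a separate source file; the beans need a CDI container plus an empty WEB-INF/beans.xml, so there is no stand-alone main().

```java
// File: Greeting.java -- the type clients depend on; no string names anywhere
package example.cdi;   // package name is an assumption

public interface Greeting {
    String greet(String name);
}

// File: Informal.java -- a qualifier: a business-meaningful annotation the
// container uses to pick an implementation at deployment time (no central list)
package example.cdi;

import javax.inject.Qualifier;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Qualifier
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.FIELD, ElementType.METHOD, ElementType.PARAMETER})
public @interface Informal {}

// File: FormalGreeting.java -- default implementation (assumed); carries the
// implicit @Default qualifier, so plain "@Inject Greeting" resolves to it
package example.cdi;

public class FormalGreeting implements Greeting {
    public String greet(String name) { return "Good morning, " + name + "."; }
}

// File: InformalGreeting.java -- chosen only where the injection point says @Informal
package example.cdi;

@Informal
public class InformalGreeting implements Greeting {
    public String greet(String name) { return "Hi " + name + "!"; }
}

// File: LoggedIn.java -- event payload; observers depend only on this type
package example.cdi;

public class LoggedIn {
    private final String username;
    public LoggedIn(String username) { this.username = username; }
    public String getUsername() { return username; }
}

// File: Login.java -- session-scoped state (username lives for the HTTP session);
// the client never sees or manages this lifecycle, the container does
package example.cdi;

import javax.enterprise.context.SessionScoped;
import javax.enterprise.event.Event;
import javax.inject.Inject;
import javax.inject.Named;
import java.io.Serializable;

@SessionScoped @Named
public class Login implements Serializable {
    private String username;
    @Inject private Event<LoggedIn> loggedIn;   // typed event source, no topic strings

    public void login(String username) {
        this.username = username;
        loggedIn.fire(new LoggedIn(username));   // observers stay decoupled from Login
    }
    public String getUsername() { return username; }
}

// File: Printer.java -- the bean the JSF page refers to as #{printer}; the
// container wires the @Informal Greeting and the session's Login into each request
package example.cdi;

import javax.enterprise.context.RequestScoped;
import javax.enterprise.event.Observes;
import javax.inject.Inject;
import javax.inject.Named;

@RequestScoped @Named
public class Printer {
    @Inject @Informal private Greeting greeting;  // resolved by type + qualifier
    @Inject private Login login;                  // client proxy to the session bean
    private String message;

    public void greet() {                          // JSF action: #{printer.greet}
        message = greeting.greet(login.getUsername());
    }
    public String getMessage() { return message; } // rendered via #{printer.message}

    // Observer: called by the container whenever Login fires a LoggedIn event;
    // the audit line is an assumed example of a cross-cutting concern kept out of Login
    public void onLogin(@Observes LoggedIn event) {
        System.out.println("audit: login for " + event.getUsername());
    }
}
```

The `<h:commandButton value="Say Hello" action="#{printer.greet}"/>` from the notes resolves `#{printer}` to the @Named Printer bean; the container constructs it per request, injects the @Informal Greeting (by type plus qualifier, never a string lookup) and a proxy to the session’s Login, so Printer never handles session lifecycle itself. Firing LoggedIn lets the audit logging live in an observer rather than inside Login, which is the decoupling the “Theme = Loose Coupling” items describe.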

Proposed final draft of JSR-299:

Seam Framework reference implementation:

JBoss doc:



Value of more Type Safety in a world where Dynamic Languages are gaining traction

Debugging might be more challenging

Performance issues?

Complexity / tooling issues?

How is this different / better / worse than Spring?

Cure for Phantom Mouse Clicks on Acer Netbook Laptop Tablet from Microsoft PDC

If you attended the Microsoft PDC in 2009, you received what appeared to be an Acer Netbook, but in fact is technically an Acer Laptop (that’s what Acer support insists), though apparently it is also considered a Tablet – the Acer Aspire 1420P Convertible Tablet PC. But a Convertible Tablet at that…

Talk about an identity crisis. Maybe we should just call it, more simply, the PDC Netabletible Convertilizer? 

If yours has trouble with “phantom mouse clicks” – where you are typing away, and it seems that somehow the left mouse button was just clicked, but you know you didn’t click it – that can be fixed with the simple act of installing the Synaptics driver for this machine that, weirdly, will not ever show up in Windows Update. But since this is a pretty useful update, consider doing it the old fashioned way.

Or at least it worked for me. Though belated, this blog post may save someone the challenge of finding the cure, which I thought more difficult than it oughta be. 

The PDC Netabletible Convertilizer may not be the only one out there with this problem.

As an aside, my PDC Netabletible Convertilizer also became more usable once I recalibrated the touch screen. (How does one do that? Type into the search field in the Start menu “calibrate touch” for a link to the right part of Control Panel to make this happen…)

Intuit as a Service

My notes from Intuit talk at Boston Cloud Meetup on Nov 3, 2009.

Per Alex Barnett of Intuit – only 12% of 4m Small Businesses not willing to use hosted data with SaaS.

Webware 100 finalists… best software solutions.

How do cloud-based apps Integrate?

  • Finance system knows the project in Basecamp is done
  • Calendar knows about CRM

Simplify by mapping services to a COMMON DATA MODEL (this is a REALLY big deal, IMHO).

QuickBooks has 4m customers who have effectively agreed on a database schema… exposed an API to this data store. Nice…

The “Small Business Data Cloud” – available today from Intuit – as the Intuit Partner Platform.

native apps

  • Flex applications hold the logic
  • Server-side Java coming in development

federated apps

  • identity
  • data
  • billing
  • most of the action is over here (rather than native apps)

They expect to ship 1.7 m units of QB 10 over next 6-12 months – this will really launch the platform.

4 m users spending 4 b hours per year of screen time

25 million users within these Small Businesses

FAST TIME TO VALUE through SaaS solutions.

Intuit keeps 20% of the rate, rest goes to developers

Can have trial-periods, entitlements (monthly-charged extra features), more options coming next year.

Developers support the apps – Intuit supports everything else – some Open Source in here:

  • some code uses SAML
  • support Java, Python, Ruby, PHP, and .NET versions of code, such as SAML gateway

Intuit – SMB, 4m customers

Salesforce – Enterprises, 25k customers

Is it a per-user, or per-customer license? Intuit end-users don’t need a license.

Don’t need to license QuickBooks to use the overall platform – but there may be some synergies.

Intuit certifies apps for use in their marketplace. Federated apps go through a third-party security assessment – on Intuit’s dime today, though that may change in the future.

Top 10 Presentation Tips from Presentation Camp Boston

I attended Presentation Camp Boston, a bar-camp style conference, on 24-Oct-2009. There were many good ideas and presentation tips. Among them, these are my favorites.

Top 10 Presentation Tips

The top 10 presentation tips I took away from Presentation Camp Boston

From Kenny Raskin’s keynote:

1. “Have a Passionate Purpose”

When you are speaking, it is not only about the content. If you mean what you say – you really believe in it – (which I believe Dale Carnegie refers to as conviction) – then you are more likely to be successful at conveying your message and persuading your audience.

Kenny shared a quote which was something like the following:

Who you are being when you are saying what you are saying says more about what you are saying than what you are saying.

Not just sell it – it was believe it + sell it both at once. This tip resonates with me and is consistent with a lesson from studying and performing improv; one of my instructors, Erik Volkert, really got across the difference between acting it out and really committing – and the impact that has on stage.

2. “The presentation starts before you are even in the room”

  • Find out who the audience is and what you want to say to them. What do you want them to FEEL. (“Know your passionate purpose!”)
  • As you are preparing to enter as a speaker, take a breath. Focus. Clear your mind.
  • As you enter, look your audience in the eyes. Before you say a word. Greet the audience. Pause… and let them respond.

3. Genuine eye contact != scanning

Eye contact is important. Don’t scan the audience and think that’s eye contact – you need to pause and connect with individuals one at a time – this may be for the duration of a thought or statement – or just until you feel you’ve connected. Some of your eye contact moments will be during pauses and are your opportunity to re-energize by breathing.

From Diane Darling’s Talk about Networking:

Not about presenting to large groups, but focused on presenting to very small groups of one or a few other folks in a social / networking situation.

4. Business Cards from A-Z

Some wisdom on business cards:

  • You need business cards. And they don’t need to be plain and boring… Diane’s cards have a list of tips on one side – useful and “sticky”.
  • She advises to keep your business cards in one pocket, and the ones you collect in another pocket – just have a simple system to avoid fumbling.
  • Write on the business cards – you may forget later otherwise that this card is from someone you offered to send a link to an interesting paper, or perhaps they might be a future business partner. Handy, easy hack.
  • If you do give a talk to a group, be sure to have a stack of cards handy to share at the end.

5. “Own the room”

I am a highly functional introvert
~ Diane Darling, author of The Networking Survival Guide: Get the Success You Want By Tapping Into the People You Know

I love that quote! As a fellow introvert, that’s how I want to be. Diane builds a case for being highly functioning with a plethora of straight-forward tips on how to handle lots of business social situations. A couple of examples:

  • Prepare several generic ice breaker questions you can use when you meet someone new. A good format for such questions is “Tell me about ______.” You fill in the blank with “your job” or “how you got into this line of work” or “how you ended up at this conference” etc.
  • Wear your name tag close to your RIGHT shoulder (since that’s where the eye most naturally is directed during a hand-shake).
  • Don’t start with your name! Introduce yourself by saying something about yourself, and end with your name – it is easier to remember there.
  • Saturday Night “Live” != Saturday Night “Unrehearsed” — you will be more successful if you practice some of what you will say — like what is your brief introduction of yourself (your elevator pitch), ending with your name, of course!

6. Connect with the Gatekeepers

If you want to get access to key people who may be hard to get to, consider connecting with those people who control access – such as a personal assistant to the CEO.

From Edwin Guarin’s talk, The Killer Presentation:

Edwin is an Academic Evangelist for Microsoft. His talk was called The Killer Presentation – Getting to Point B.

7. Distributing Your PowerPoint Deck

Suppose you’ve given a talk, but now your audience wants a copy. Here’s how to do it, plus a couple of important benefits:

  • File > Save As… and choose either PDF or PowerPoint Show.
  • If you have Hidden slides – perhaps because you want “single source” for a slide deck that you use in multiple circumstances, but don’t want to maintain the bulk of the slides more than once – this will drop all those marked as hidden at the time you Save As.
  • If you have Notes, they are not included either. Sometimes your Notes are just speaking points, but perhaps they are not something you want everyone to see.

8. Spruce Up Your Talk with Images

You are preparing a deck, and you want to be memorable. You want that “just right” image or text effect.

  • Edwin recommends the use of royalty-free photos from  You need to create an account to access them, then are free to use them in your PowerPoint slides.
  • Note that you are not licensed to subsequently redistribute these images if they are embedded in your PowerPoint deck. I registered an account on the web site asking for clarification – and there was a tad bit of ambiguity around the licensing (the license text seemed to both suggest it was fine and also say it wasn’t) – so I sent in a specific question on this scenario. The response from support was that the PowerPoint cannot be posted for redistribution. I am not a lawyer. And I do not even play a lawyer on TV.
  • [In my talk, I advocate searching through Google Images advanced search and filtering by Usage Rights to only include images labeled for reuse (usually through Creative Commons).]
  • To embed an image that is too bright, overlay it with a rectangle – and set its transparency accordingly to fade it a bit so that text can be seen on top of it.
  • Use SmartArt to snazz up your text… transform a bullet list into a ring, or horizontal property or other eye-candy fanciness.

From Brainshark demo:

9. Sharing Your Presentation After the Fact

Brainshark has a cool way for you to post your slide-deck to their free hosted service: you can upload both the deck *and* an audio track.

This is way better than just distributing the PowerPoint deck, which may not be of any use for people who didn’t attend the talk. Of course, you do need to create (or record) an audio track.

I am not sure how the slides and the audio are sync’d – like when in the audio track should slide 7 pop in – but my guess is that you are expected to record your voice while delivering the talk – and some agent on your desktop keeps an eye on when you transition between slides. If so, I wonder if it can also capture screen shots of non-PowerPoint activities – like if I pop up a web browser, or use Visual Studio.

From Bill Wilder’s talk on Better Tech Talks:

Yes, I am recommending a tip from my own talk. 🙂

10. “It is a Talk, not a Read”

Don’t even think of reading your slides to your audience.

  • If you cram all the text for your talk into your deck, you will be guilty of promulgating support for Death By PowerPoint.
  • Your audience can read faster than you can talk anyway – they will be done before you. And they won’t be listening to you while they read; they can’t do both at once.
  • Your audience will resent being read to. As Jack Welch is reputed to have said to a presenter reading him the slides: if everything is on the slides, then we don’t need you.
  • There are better tools for a stand-alone document – like blog posts, or word-processors. PowerPoint is a poor substitute when writing a document that is being prepared for general reading.
  • If you do need to capture more info than belongs in the slides, consider putting it into the Notes section, and then using dual-monitor capabilities to have your laptop display different content than the projector, and configure PowerPoint to know about this via: Slide Show > Set Up Show > Multiple Monitors.

Cloud Security – A Business Tradeoff?

I took notes during the Boston Cloud Computing Group Meetup 23-Sept-2009 – the raw notes are below, but a couple of more noteworthy highlights appear first with some of my views interspersed.

Executive Summary – Key Take-Aways & Highlights

Notes from Javed Ikbal’s talk are in regular type. My editorial comments and thoughts are in italics or bold italics – so don’t blame these on Javed. 🙂

  • Key take-away – going to the Cloud is waaaay more about Business Tradeoffs than it is about Technology.
  • “There are 2 kinds of companies – those which have had a [data security] breach, and those which are going to have a [data security] breach” -Javed
  • Centralization of data makes insider threat a bigger risk -Javed
  • “On premise does not mean people are doing the right thing” –Javed – right on! I bet the majority of the fortune five-million (as 37 Signals refers to the medium and small business market) have insufficient IT – they just don’t know it. Any stats?
  • Someone from the audience stated there are more breaches in on-premise data centers than in the cloud. Therefore the cloud is safer. I don’t buy the logic. There could be so many more publicized breaches in on-premise systems simply because there are so many more on-premise data centers today. So this is easy to misinterpret. We can’t tell either way from the data. My personal prediction: today if there is a data breach for data stored in the cloud, people will not be able to believe you were reckless enough to store it in the cloud; 5 years from now, if there is a data breach for data stored on premise, people will not be able to believe you were reckless enough to store it locally instead of in the cloud, which everyone will then believe is the safest place.
  • Someone from audience commented that business value of losing data will be balanced against business cost of it being exposed. This comment did not account for the PROBABILITY of there being a breach – how do you calculate this risk? I bet it is easier to calculate this risk on the cloud than on premise (though *I* don’t know how to do this)
  • Comment from Stefan: We can’t expect all cloud services to be up all the time (we were chatting about Google and Amazon downtime, which has been well documented). I completely agree – And many businesses don’t have the data to fairly/accurately compare their own uptimes with those of the cloud vendors – and, further, if the cloud vendors did have 100% up-time, that may destroy the economies we are seeing on the cloud today (who cares if it is 100% reliable if it is 0% affordable – that’s too expensive to be interesting)
  • Off-premise security != in cloud – different security issues for different data – Javed. In other words, treat SSN and Credit Card data differently than which books I bought last year. But I can think of LOTS of data that is seemingly innocuous, but that SOME PEOPLE will balk at having it classified as “non-sensitive” – might be my bookmarks, movie rentals, books purchased, travel plans/history, many more… not just those that support identity theft and/or direct monetary loss (bank account hacks). I think it would be a fine idea for data hosts to publicly declare their data classification scheme – shouldn’t we all have a right to know?
  • I think IT generally – and The Cloud specifically – could benefit from the kind of thinking that went into

Raw Notes Follow

The rest of these notes are a bit rough – and may or may not make sense – but here they are anyway…


  • Pizza & drinks, some social (sat next to Stefan Schueller from TechDroid Systems and enjoyed chatting with him)
  • Went around the room introducing ourselves
  • People who were hiring / looking for work spoke up
  • Around 30 people in attendance
  • Meeting host: Aprigo – 460 Totten Pond rd, suite 660 – Waltham, MA  02451 – USA
  • Feisty audience! Lots of participation. This added to the meeting impact.

Twisted Storage talk

From Meetup description: Charles Wegrzyn – CTO at TwistedStorage Inc. (Check actually built an Open source cloud storage system back in ’05)

TwistedStorage is open source software that converts multiple storage repositories, legacy or green-field, into a single petabyte-scale cloud for unstructured data, digital media storage, and archiving. The Twisted Storage Enterprise Storage Cloud provides federated search, electronic data discovery with lock-down, and policy-driven file management including indexing, retention, security, encryption, format conversion, information lifecycle management, and automatic business continuity.

History of Building Storage Management software

  • Open Source
  • Been downloaded 75k times
  • Re-wrote – now version 4 – in Python

Common anti-pattern observed in real world:

  • Users storing “stuff” in Exchange since that was a convenient place to store it
  • Results in a LOT of email storage (and add’l capacity is easy to keep adding on)
  • Can’t find your data (too much to logically manage)
  • Backups inadequate
  • Complexity, complexity, complexity

The Twisted Storage Way

  • Federated storage silos w/ adaptors/agents
  • Provide enterprise capabilities spanning sites (access control, audits, search/indexing – including support for metadata, simplified administration and recovery)
  • Petabyte-scale
  • ILM = Information Lifecycle Management
  • Open Source
  • Work-flow (Python scripts, XML coming)
  • Policy-driven (“delete this after 2 years”, “encrypt me”) (Python scripts)
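The two policy bullets above (“delete this after 2 years”, “encrypt me”) and the earlier point that SSN and credit card data should be treated differently from which books I bought both come down to the same mechanism: a declared classification scheme plus policies evaluated against it. Here is an added Python example of that shape. It is not Twisted Storage’s code and assumes nothing about its real policy API; the classification labels, retention periods, file names and dates are all constructed for the example. One deliberate choice, following the “non-sensitive by default” worry above: an object whose label is not in the declared scheme fails closed to the strictest handling instead of silently becoming non-sensitive.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# A declared classification scheme of the kind a data host could publish.
# Labels and retention periods are constructed for this example.
CLASSIFICATION_SCHEME: Dict[str, dict] = {
    "identity":   {"encrypt": True,  "retention_days": 2 * 365},  # SSNs, government IDs
    "payment":    {"encrypt": True,  "retention_days": 7 * 365},  # card numbers
    "behavioral": {"encrypt": True,  "retention_days": 1 * 365},  # bookmarks, rentals, purchases
    "public":     {"encrypt": False, "retention_days": None},     # marketing copy
}
# Fail closed: an undeclared label gets the strictest handling rather than
# being treated as "non-sensitive" by omission.
STRICTEST = "identity"


@dataclass
class StoredObject:
    path: str
    classification: str
    ingested: date
    encrypted: bool = False


# A policy is a predicate over (object, rules, today) plus the action it
# demands, mirroring the "one Python script per policy" idea from the talk.
def needs_encryption(obj: StoredObject, rules: dict, today: date) -> bool:
    return rules["encrypt"] and not obj.encrypted


def past_retention(obj: StoredObject, rules: dict, today: date) -> bool:
    days = rules["retention_days"]
    return days is not None and obj.ingested + timedelta(days=days) <= today


POLICIES: List[Tuple[str, Callable[[StoredObject, dict, date], bool], str]] = [
    ("encrypt-me", needs_encryption, "encrypt"),
    ("delete-after-retention", past_retention, "delete"),
]


def rules_for(obj: StoredObject) -> Tuple[dict, Optional[str]]:
    """Look up the declared rules; unknown labels fail closed with a warning."""
    rules = CLASSIFICATION_SCHEME.get(obj.classification)
    if rules is not None:
        return rules, None
    warning = (f"{obj.path}: undeclared classification "
               f"{obj.classification!r}, handled as {STRICTEST!r}")
    return CLASSIFICATION_SCHEME[STRICTEST], warning


def evaluate(obj: StoredObject, today: date) -> Tuple[List[str], Optional[str]]:
    """Return the actions the policies demand for one object."""
    rules, warning = rules_for(obj)
    actions = [action for _, applies, action in POLICIES if applies(obj, rules, today)]
    # Deletion supersedes everything else: no point encrypting what is about to go.
    if "delete" in actions:
        actions = ["delete"]
    return actions, warning


def run(objects: List[StoredObject], today: date) -> Tuple[Dict[str, List[str]], List[str]]:
    """Evaluate an inventory; fail-closed warnings are returned separately so an
    audit log can show which objects were never properly classified."""
    plan: Dict[str, List[str]] = {}
    warnings: List[str] = []
    for obj in objects:
        actions, warning = evaluate(obj, today)
        plan[obj.path] = actions
        if warning:
            warnings.append(warning)
    return plan, warnings


# Constructed sample inventory (paths, labels and dates are made up).
SAMPLE = [
    StoredObject("hr/ssn.csv", "identity", date(2008, 1, 10)),
    StoredObject("billing/cards.db", "payment", date(2009, 3, 1), encrypted=True),
    StoredObject("users/bookmarks.json", "behavioral", date(2009, 6, 1)),
    StoredObject("logs/2006-visits.log", "behavioral", date(2006, 5, 1)),
    StoredObject("www/index.html", "public", date(2005, 1, 1)),
    StoredObject("misc/export.dat", "nonsensitive", date(2009, 9, 1)),  # label never declared
]

if __name__ == "__main__":
    plan, warnings = run(SAMPLE, date(2009, 10, 1))
    for path, actions in plan.items():
        print(path, actions)
    for w in warnings:
        print("WARNING:", w)
```

Run as-is and the 2006 visit log is scheduled for deletion even though it was never encrypted, the unencrypted SSN file and bookmarks file are scheduled for encryption, and `misc/export.dat` gets identity-level handling with a warning because “nonsensitive” was never declared in the scheme. The warning list is the part worth wiring into an audit trail: it is exactly the set of objects the hosting side has not classified.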

Twisted Storage Design Goals

  • Always available content (via replication)
  • No back-up or recovery needed (due to replication)
  • Linear scalability (scales out)
  • Able to trade off durability with performance
  • Supports old hardware
  • Minimal admin overhead
  • Support external storage systems and linkage
  • Portable – will run on Linux, Windows, (iPhone?) – due to portable Python implementation
  • Pricing: Enterprise Edition: $500 / TB up to 2 PB (annual), minimum $10k for first 20 TB (see web site for full story)
  • versus competition like Centera which charge $15k/Silo + Enterprise Edition

Info Security & Cloud Computing Talk

From Meetup description:  Javed Ikbal (principal and co-founder of zSquad LLC)- will talk about:   “Marketing, Uncertainty and Doubt: Information Security and Cloud Computing”

  • What is the minimum security due diligence that a company needs to do before putting its data in the cloud?
  • Since 2007, Amazon has been telling us they are “.. working with a public accounting firm to … attain certifications such as SAS70 Type II”  but these have not happened in 2+ years.
  • On one side of the cloud security issue we have the marketing people, who hype up the existing security and gloss over the non-existing. On the other side we have security services vendors, who hawk their wares by hyping up the lack of security. The truth is, there is a class of data for every cloud out there, and there is also someone who will suffer a data breach because they did not secure it properly.
  • We will look at Amazon’s EC2, risk tolerance, and how to secure the data in the cloud.
  • Javed is a principal and co-founder of zSquad LLC, a Boston-based information security consulting practice.

Javed is a Security Consultant

Also co-founded

Formerly worked in Fidelity (in security area)

Cloud Definition

  • Elastic – provision up/down on demand (technical)
  • Avail from anywhere (technical)
  • Pay-as-you-go (business model)

Cloud Challenges

  • Data stored in China – gov’t could get at it
  • We never have direct access
  • May be locked in? (for practical reasons)
  • March 7, 2009 from WSJ – Google disclosed that it exposed a “small number” of Google docs – users not supposed to be authorized were able to view them. Google estimated < 0.05% of all stored Google docs were impacted – BUT! – this is a LOT of documents.
  • Sept 18, 2009 from NYT – a recent bug in Google Apps allowed students at several colleges to read each other’s emails – this impacted only a “small handful” of colleges (like Brown University, for 3 days)
  • Google’s official policy for paid customers states “at your sole risk” and no guarantee it will be uninterrupted, timely, secure, or free from errors
  • Amazon states it is not responsible for “deletion, destruction, loss” etc.
  • Google will not allow customers to audit Google’s cloud storage claims
  • Amazon says PCI level 2 compliance is possible with AWS, level 1 not possible
  • SAS 70 Type II reports not meaningful unless you can see which controls were evaluated
  • “on premise does not mean people are doing the right thing” –Javed
  • Perception of more breaches in on-premise systems – but there are so many more of them, it is easy to misinterpret
  • Business value of losing data will be balanced against business cost of it being exposed – but this does not account for the PROBABILITY of there being a breach – how do you calculate this risk? I bet it is easier to calculate this risk on the cloud than on premise (though *I* don’t know how to do this)
  • We can’t expect all cloud services to be up all the time – right, and many businesses don’t have the data to fairly/accurately compare their own uptimes with those of the cloud vendors – and, further, if the cloud vendors did have 100% up-time, that may destroy the economies we are seeing on the cloud today (it may be 100% reliable, but too expensive to be interesting)
  • Off-premise security != in cloud – different security issues for different data
  • “There are 2 kinds of companies – those which have had a [data security]breach, and those which are going to have a [data security] breach” -Javed
  • Centralization of data makes insider threat a bigger risk
  • Customers should perform on-site inspections of cloud provider facilities (but rare?)
  • Ask SaaS vendor to see 3rd party audit reports – SalesForce has one, Amazon does not (Google neither? What about Microsoft – not yet?)
  • Providers need to be clear about what they will NOT support – e.g., Amazon took 2 years to provide an answer… Amazon/AWS disclaimers are excellent models
  • Providers need to understand they may be subject to legal/regulatory discovery due to something a customer did
  • Unisys has ISO 27001-certified data centers (high cost, effort)

Creating Secure Software

  • Devs care about deadlines and meeting the requirements
  • If security is not in the requirements, it will not get done
  • if devs don’t know how to code securely, it will not get done right (if at all)
  • Train your devs and archs: one day will help with 90% of issues!
  • Build security into your software dev life-cycle
  • Let security experts, not necessarily developers, write the security requirements
  • Secure Code Review can be expensive –  bake in an application security audit into your schedule, to be done before going live
  • Security responsibility shifts along the IaaS – PaaS – SaaS spectrum: IaaS = high customer extensibility + low provider security responsibility; SaaS = low customer extensibility + high provider security responsibility; PaaS sits in between

Jared Spool on what makes a UI Intuitive

Jared Spool spoke at a Refresh Boston user group meeting on Thu May 28 in Cambridge, MA. During his talk, which was titled What Makes a Design Seem Intuitive?, Spool delved into some common ways User Experience (UX) goes wrong and some ways to make sure this doesn’t happen to you. My personal notes/interpretations follow; if you think I got it wrong or want to offer alternative interpretations, feel free to comment.

Executive Summary

  • Understand your users and their levels of skill/knowledge 
  • Understand the skill level needed by users of your software
  • Identify any gaps between the actual and needed skills (see two points above)
  • Design the software to bridge these skill gaps (which may vary from one user to the next)
  • Test your assumptions with real users to make sure you did everything right (Yogi Berra was right when he said You Can Observe A Lot By Watching!)

How to Create Non-Intuitive User Interfaces

First, some counter-examples – easy paths to UX Failure – how to be Non-Intuitive:

  • Do the unexpected: Spool showed an example of a site that used * (asterisk) to indicate those fields “not required” which is opposite of popular convention. UX Fail.
  • Implement non-standard & substandard behaviour: Spool showed a beautifully designed (visually appealing) site with a custom scrollbar that didn’t work right (pretty but not functional). They had implemented their own scrollbar functionality to get the look they wanted – but a fully-functional scrollbar is really hard to do well – theirs was jerky and unpredictable. UX Fail. (Plus a bonus Form Follows Function Fail.)
  • Be non-intuitive: Spool showed “Hay Net” – a very simple site to help sellers and buyers of hay find each other. This site had two main choices on the front page – “have hay”, “want hay” – but user testing showed that about half the time “have hay” was chosen to find someone who has hay, and the rest of the time chosen when I am the one who has the hay. (This might qualify as what my old friend Julianne would call “Escher words” – where the meaning flips back and forth in your mind between alternative viable interpretations much like certain of M. C. Escher‘s artwork). Wording was not intuitive, even though it was very simple. UX Fail.
  • Add non-core features until your application is large and complex: The larger and more complex an app, the harder it is to keep it intuitive. This was a general comment from the Q&A, supported by examples in his talk [Wang dedicated word processors were very complex (requiring 1-2 weeks of training to use), supplanted by WordStar, supplanted in turn by simpler Word Perfect, later supplanted itself by simpler Word (after Word Perfect had grown more complex), and now Word is really complex – tens of toolbars, including one for editing 3D graphics]. But simple does not imply intuitive (see “Hay Net” example above). UX Fail, again and again.

Different Kinds of People

  • Key point: Intuitive is personal – maybe it works for me, not for you — it is unlikely that all possible users have identical knowledge
  • Prior experience of the user matters – where are they on the Knowledge Continuum?

What is this Knowledge Continuum you speak of? Imagine a continuum where the left-most end is “No knowledge” and the right-most end is “Full knowledge” and your UI is designed for users somewhere on that continuum. If the user’s current level of knowledge is less than the level to which you target your design, your software has a problem – there is a gap that needs to be overcome.

A design is intuitive if the Current Level of Knowledge = Target Level of Knowledge, or if the gap is small enough such that it can be bridged with good UI design. If the gap is too large, you may need training (whether online or in-person).

Two types of Knowledge

  • Tool Knowledge (for a specific tool – Word, Visual Studio, TurboTax)
  • Domain Knowledge (independent of this (or any specific) tool – writing, developing in C#, creating personal tax return with weak tax-code depth)

Techniques for Creating Intuitive Designs

  • Field Studies (watch your users in action)
  • Usability Studies
  • Personas
  • Patterns (reuse known good patterns)

Specific Examples for Creating Intuitive Designs

  • Bring Target closer to Current w/o resorting to training or help. This means your software needs to target the right knowledge level – find that target using the techniques listed above – remember: Developer/Designer does not have same knowledge level as User (at least mostly true).
  • Wizards can reduce target knowledge requirements (bridging that knowledge gap).
  • If your user base consists of very different Current Knowledge levels (e.g., home tax preparation vs. professional tax preparers) you can create two (or more?) specialized/targeted applications.
  • Every six weeks, every member of design team needs to watch users using the design for two hours.
  • Don’t hire an agency to design your experience. (Spool thought it was fine to have an agency implement your application, but you need to design it first if you want to be successful.)

Further Information

Here is an older article by Jared Spool on the same topic as this talk: (thanks Joan).

UIE Resources