I spend a lot of time working in software houses. One of the nastiest things that I see again and again and again, is developers attempting to roll their own security and authentication mechanisms.
Spend a moment and think about how many security incidents the big companies (Google, Apple, Microsoft, etc.) have had over the years. Now think about how much effort they've put into doing it right, yet they still have issues at times.
The scary part about trying to do this yourself is that you often don't even know how scary what you are doing is.
Apart from the ones who do a reasonable job of password hashing, etc. I also see a surprising number who still store plain text passwords, or think that applying some "special algorithm that they wrote" to "encrypt" passwords or other private information is acceptable.
I cringe every time I see someone who's written a algorithm that does obfuscation on a value before storing it. Worse is when they refer to it as "encryption" within the organization.
So my post today is just a simple plea:
Please don't do this.
The minute you find yourself writing "encryption algorithms" or authentication code, just stop. Just because you think you've got away with it for years, don't tell yourself that you don't have an issue.
I've seen the outcome at sites where this all goes wrong, and it's not pretty. You do not want to be anywhere near it when the finger-pointing starts. It all ends in tears.
One of the software houses that I've done some work for over the years has had a number of unexpected issues with their clients and had to shed quite a lot of their staff. This is always a concerning time and I'm seeing a lot of worried and unhappy people. Either they don't think their jobs will last, or they are upset at having been moved to roles that they don't want.
Many see no option but to try to stick it out, even if they hate what they're doing.
When I was young, the perceived wisdom was that it was best to get a job with a large company, as they have the stability for long term employment. I saw friends heading into banks, government departments, and Fortune 500 companies.
I'm sure there was a time long ago where this worked but I think the concept of stable employment at large companies is almost illusory nowadays. In so many organizations that I deal with, I see pretty regular churn, and whole teams of good people discarded, almost at a whim.
By comparison, my friends that have created their own jobs have had by far the most stable and satisfying careers. Many have built something up and are still doing it, even if the specifics have evolved over time. The other argument for larger companies has been that higher income can be achieved, yet many who have created their own jobs have now earned far more than if they'd joined a large company.
One of the beauties of being in these companies only on a part-time contract basis, is not being concerned when these seismic changes occur with organizations.
The way that I see the world evolving, I think it will be more important than ever to be in control of your own destiny. While it can be useful to get a good grounding in a business area from a larger company (to perhaps get a better understanding of the norms and professional standards of your industry), your future is likely to be brighter if you take care of it yourself, rather than outsourcing it to the whims of some company that you don't control.
You need to be prepared to also take on the responsibility of your own career development ie: get yourself trained on useful areas, keep across new technologies, learn new skills. Be prepared to invest in yourself, not be someone who is whinging because your company isn't developing your career the way you'd like.
And while you're at it, find something that you love to do.
Over time, I can see there being far less traditional 9-5 full-time job roles available, particularly at the lower-skilled end of the market. Don't be one of the "oh woe is me – who will give me a job now?" people.
Design your own job; take the initiative to make it happen. It may take a while but start today; invest in yourself, and take control of your own future.
I have many friends who would have checked the calendar when they first heard that Microsoft was buying Github. They would have guessed it was April 1st.
I think it’s another pretty bold strategic move by Satya Nadella.
It’s been interesting to see all the naysayers coming out of the woodwork to beat up on the idea of Microsoft owning Github, as though it was going to be the death of Github. Almost every single time I hear a justification though, it is based on their opinion of Microsoft or something they did often decades ago.
People outside the Microsoft camp seem genuinely unaware of the seismic changes that have happened within Microsoft in recent years. As someone who has worked with them and followed them closely for decades, I can tell you that it is a very, very different company now. If your opinion of them is based on anything more than a few years old, it’s time to re-evaluate your stance.
Microsoft is already a heavy user of Github, and is the largest contributor to open source software on the planet.
But more importantly, their acquisition puts Github into a solid financial position that it did not have before. Github was pretty much at a crossroads, had a few suitors, but in any rational evaluation, Microsoft was the best positioned for this.
From Microsoft’s point of view, I can see how it will beautifully mesh with many ongoing changes within the company, particularly as things like Azure Functions take hold. It also provides more certainty for existing Github enterprise customers, and will introduce a whole new raft of enterprise level customers to Github.
The one big concern that I have is around identity. This is an area that Microsoft hasn’t yet sorted out. There are still too many issues with Microsoft Accounts vs Organizational Accounts and so on. There needs to be a good plan to integrate the Github identity system.
The industry is clearly trending quite quickly towards Software as a Service (SaaS) applications. Rather than building monolithic chunks of code, new applications are often constructed by combining a variety of platform services, themselves usually delivered as Platform as a Service (PaaS) offerings.
Any application layers that you build above these services though, are only as good as the underlying services. And that's where things can go very, very wrong quite quickly.
I was at a software house recently where the management that I talked to said they couldn't ever be offline for more than about four hours. In fact, anything more than two hours would be a problem. The IT people at the same place told me that backups of their primary database were taking over eight hours, and that restores would be longer. I'm often left wondering if these groups of people within the same company even talk to each other. Clearly there was an expectation gap.
I was also recently working at another ISV (Independent Software Vendor) that was looking to provide a SaaS offering, and were offering their end customers an SLA (service level agreement) that said they'd always be back up and running within 4 hours. But the data centers that they were depending upon had an SLA showing that loss of a region could involve an outage of one full week. (And the customer data could not go to another region)
What makes this worse is the current trend for many of these services to be impenetrable by phone or for anything urgent.
One of our suppliers had a major outage last week because one of their own suppliers (NameCheap) had decided (incorrectly) to disable their DNS entry because of spam reports. So our supplier was offline, and could do nothing except email NameCheap's support team and hope they would respond soon. They told us that there was no way for them to call NameCheap.
But even if that's the case, NameCheap isn't alone on this. It's a common trend. If you are building any sort of SaaS offering though, you need to realize that you are only as good as your weakest link (or in this case, SLA).
For many years, I was blogging at sqlblog.com and I was a big fan of what Adam Machanic and Peter DeBetta had done there. Eventually though, community server was on its last legs, and WordPress seemed the obvious platform for a blog. Fellow MVP Adam Machanic made it really easy for me to migrate to a WordPress site with a tool that he had created.
I headed off to BlueHost with high hopes, but those hopes just haven't been fulfilled. I've had a number of times that things just stop; it's hard to get to the bottom of what's causing it; the support is really glacial at times (ever had a chat with someone who is having a conversation with 10 other people at the same time?); and it turned out that what's broken was something that apparently I was responsible for but didn't even know existed.
All I wanted for the blog was a managed service.
So today is the start of a new period. I've headed to Site Ground. Their reputation for service seems great; they claim to really have a managed WordPress service; and they seem pretty easy to deal with.
My initial sales and migration experiences have both been very positive. Prompt, courteous, and in clear English. Their offer to transfer the content for free was a major bonus. I worked out how long that was going to take me over our current Internet connection and figured it was better to let them do it. I have to say it was pretty seamless.
I have high hopes again, and I'll let you know later if those hopes were warranted.
I was using my iPhone and I chose to use the web option to connect. I'd say it must have flipped me across to using Skype for Business anyway. (It is installed on my phone).
I thought there would be a large number of people in the meeting, and that we'd be muted the whole time, so when it asked if it was OK for the app to use the microphone, I said "no". Clearly I should have just left myself muted instead of disabling microphone access.
Once, I got into the meeting though, I found it was a relatively small group of people on the call, so I set about trying to re-enable the microphone. Try as I might, I couldn't find any way within the app to do that. It showed me unmuted but still wouldn't let me speak.
I then presumed that it must be a setting in the iPhone that had been turned off. I looked in Settings, for the Skype for Business application, and didn't see it. I tried the settings for Skype and they had no effect. I even restarted the whole phone, and re-entered the meeting. Still nothing.
For the life of me, I couldn't work out how to re-enable microphone support in the app.
Turns out the reason is simple. I was looking in the right place. I had looked down the application list, but as they are shown alphabetically, I was looking down near "S".
This is where it was:
In the list, Skype for Business is just labelled "Business". I've got a lot of apps, and there's zero chance that I would have thought to look there.
One of the changes that has happened with Windows in recent years is the concept of forced updates. Basically, you're going to get updates from now on, like it or not. Generally that's a good thing. You can delay them for a little while but not for that long. In the Advanced options update Updates, you can see this:
So you aren't going to delay them for that long.
Now what does this have to do with tempdb I hear you ask?
Well, tempdb gets recreated each time SQL Server starts, and that's normally in two situations:
You shutdown and restart the computer that it's installed on
You restart the SQL Server service
Now Windows 10 out of the box changes that behavior. If you shut it down, and start it up again, you'll find that objects that you had in tempdb are still there. That's because a shutdown and power up are no longer the same as a restart. Choosing shutdown actually hibernates the computer and power up just brings it back from hibernation.
So SQL Server didn't get restarted.
I generally find this when I go to create a demo table in tempdb, just after restarting my machine, only to find the table is already there.
You can change that by this setting in the power options for Windows 10:
Note that I've chosen to not have fast start-up enabled. When you turn it off, shutting down actually does a shutdown.
OK, so we can see how this affects SQL Server, but what does it have to do with forced updates?
Well it's because after Microsoft applies a forced update, I keep finding settings like this "automagically" reset for me, back to the value that I didn't want. I really wish they would not do this.
There is an old saying about not reinventing the wheel yet this is something that I see happening at client sites every day. I see two main reasons why this happens:
There are so many tools and frameworks in this industry, that you can't be expected to know them all. I remember when I worked a lot with the .NET framework. I'd go into client sites and see them designing and building classes that were already in the framework. Worse, the framework classes were usually very well designed and tested.
The challenge was that with thousands and thousands of classes (at release I think .NET was over 6,000 classes), it's hard to know what's in there.
I see developers working with SQL Server and creating tables to hold queues. A table seems the natural way to store queue data but the problem is that it doesn't have many of the semantics that are needed for a great queue.
When I describe Service Broker, the developers are often very surprised to learn that SQL Server already contains a fully transactional queue, already there, right in the database. Often it has all the capabilities that they are trying to implement themselves.
More importantly, Service Broker includes support for things they hadn't even considered. Building a queue sounds simple, but it really isn't.
For example, if you take an entry off the queue, try to apply it, and the transaction rolls back, what happens next? Does your application just stop? Does it try to take the entry off the queue and apply it, only to go bang again?
The biggest problem I've seen with Service Broker is that Microsoft promoted it to database people, as it was part of the database. That's completely the wrong target market. It should have been promoted to developer leads and technical architects. I think the marketing for this was completely misdirected.
Not Invented Here
The other common reason that I come across is the "Not Invented Here" syndrome. There are clients who simply won't ever use code that someone else has created. They are usually concerned about one of these:
Takes too long to learn
Won't do exactly what I want
Don't want a dependency on it
I can't always dismiss this but I do note that the same people won't write their own database management systems or operating systems. (Although I think many of them would prefer to if they had time)
The problem with this is that the outcome for their own clients is usually substandard, and worse, their products are likely to become noncompetitive.
For example, you can write your own reporting system and/or dashboard system, but you'll probably get a better outcome if you use Reporting Services and/or Power BI. I've seen some of my own clients write their own reporting systems, but they are extremely low-functioning, and are generally unable to be integrated with any other tools that their customers use.
When you are starting to create new functionality, at least please consider that what you're after might already exist, and in a better form than you would ever have time or experience to create.