May
2014

Rescued from the ashes: I don’t hire unlucky people

categories: Developer Hell
1926 US advertisement for lucky jewelry . &quo...
“Why Be Unlucky?”. (Photo credit: Wikipedia)

Note: this was written by Raganwald on posterous.com, which unfortunately went belly-up April 2013. It is too important a lesson to let disappear, so I’m posting it here.

Bertram Wooster and Ernestine Anderson were staffing up their teams. Bertram was hiring trainees to work in the company’s retail stores, Ernestine was hiring software developers to build a new supply chain system for the company’s operations. “Bert,” Ernestine asked, “I have hundreds of resumés, how do I whittle them down to a handful of calls and a few interviews?”

Bertram smiled. He grabbed a pile of resumés from his desk, then started dealing the resumés out, first one back onto his desk, second into the recycle bin, third onto his desk, fourth into the recycle bin. When he was finished, he had thrown half of the resumés away. “It’s simple.” Bertram told Ernestine. “Just don’t hire anybody who’s unlucky.”

Ernestine tried that for a few weeks, throwing half the resumes out and the combing through the remainder looking for qualified applicants. She got nowhere, even if the people looked good on paper, when she talked to them on the phone it was quickly apparent that they weren’t capable of writing FizzBuzz. Meanwhile, Bertram was staffing up nicely.

Ernestine decided that the needed a new approach, so she went for coffee with Mark Fidrych to get his advice. Mark was the company’s CFO, and she worked closely with him on the company’s supply chain. Mark was also an angel investor on the side and he knew a little about the software industry. He nodded sympathetically when she explained that what was working for Bertram wasn’t working for her.

“Look,” he explained, “The essential difference between your situation and Bert’s is that Bert has a lot more qualified people applying for his positions. Sure, there are klunkers. But let’s say that half of the resumes he gets are decent. If he gets a hundred resumes and throws fifty away blindly, he’s still left with twenty-five decent ones on average. Essentially, Bert’s problem is how to organize his time, not how to find good people. When you asked for his advice, you described your problem in the same terms, so naturally he told you how he does it.”

“But you don’t really have a how-to-organize-your-time problem, you have a finding a needle in a haystack problem. There are way fewer qualified people applying for programming jobs. If you get one hundred resumes, you might have no qualified people, you might get one, if you get two or three in a hundred you’re doing well. If you have one good person in a hundred and you throw fifty away randomly, you now only have fifty resumés to sift through, but there’s a fifty-fifty chance you won’t find anyone worth interviewing, much less hiring.”

Ernestine nodded. “So,” she essayed, “I need to be a lot more selective about the resumés I discard because I have a much lower signal-to-noise ratio?” Mark stared at her blankly, then laughed as he caught her meaning. “Right!”

Ernestine stopped throwing half the resumés away and started treating her job as one of finding that elusive one good person in a hundred. It took time, and she found herself making a lot of adjustments.

two years later

Ernestine and Mark left to found a supply chain management company. Their startup grew quickly, and Ernestine found herself in a meeting with Oscar, an unkempt but talented team lead she had just promoted. Oscar was holding a stack of resumés and he wanted advice about hiring. Ernestine smiled and told him about her experience trying to implement Bertram’s advice, and how Mark’s advice turned things around for her.

Oscar seemed a little grouchy. “That’s a nice story,” he said, “but what specifically did you do?” Ernestine smiled, Oscar could be brusque. “Well,” she began.

“First, I stopped caring so much about little things like how ‘professionally’ a resume was formatted or whether the cover email had spelling mistakes. I realized that throwing people away because of a spelling mistakes was really another way of discarding half the resumés because you don’t want to work with unlucky people.”

“Wait,” said Oscar, “but surely all things being equal, the person who takes the time to get the email right is better than the person who doesn’t?”

“Sure,” agreed Ernestine, “But all other things aren’t equal. What if the email with the spelling mistake came from someone who’s really busy because they’re talented and have a lot to do in their current position?”

“No way,” argued Oscar, “If they want to work here, they’ll take the time to check their spelling.”

“That’s true,” agreed Ernestine, “And if I had fifty great people, I want to speak to the twenty-five who want to work here before I speak to the twenty-five who aren’t sure. But if I have a pile with ninety-nine duds and one good person, I’m more interested in finding that one good person first and deciding whether they want to work here second.”

“The problem with filtering people by spelling mistake is that we’re making up a little theory about whether a spelling mistake tells us something important about the candidate’s abilities. Which would be fine if we didn’t have anything else to go by, but we do have something else to go by, we have their resumé and their code samples and we can call them on the phone and talk to them. So I gnore the little theories and go with what really matters.”

Oscar considered this. “Ok,” he continued, “What else?”

“Well,” continued Ernestine, “I took the same thinking to everything I did when hiring. Every way of selecting or rejecting a person is either a direct measurement of their ability to do the job or an indirect measurement. Indirect measurements are things like computer science degrees. They—“

Oscar interrupted her. “Look,” he said, “University teaches you important things, things that are essential to doing your job. A degree is a requirement, and I don’t mean as a test of conformity.” Ernestine nodded. “Well, it’s true that nearly everyone we’ve hired has had a degree. But all the same, I didn’t sort resumes by degree or by school, I simply looked for relevant experience and reviewed the candidate’s code samples or portfolios when they had them to share. It turns out that almost everyone with the experience we wanted also had a University Degree.”

“But it’s dangerous to confuse correlation with causation. And especially dangerous to confuse correlation with necessity. If University is a great idea for a programmer, it will sort itself out when you look at their experience, look at their code, and interview them. I take the same approach to stuff like whether they blog or have hip hobbies like rock climbing. Most of our folks climb, mountain bike, or paddle, but I ignore that when looking at resumés.”

“After all, having the wrong hobby would be very unlucky. And I don’t throw unlucky resumés away.”

hiring programmers, not ascetics or rock stars

Oscar thought about that for a while. Ernestine continued. “Obviously, we don’t ask people to share their social media with us. But I try to resist the temptation to read anything personal about a candidate, even if it’s public. I don’t want to be subconsciously prejudiced for or against them. It’s a disaster if I miss the one in a hundred because they’re a friend-of-a-friend and I can see on their Facebook that they espouse political views I abhor. That’s not only illegal, it’s bad for business.”

“I also don’t want to be prejudiced in their favour because they seem to be a like-minded soul. If there’s only one in two hundred resumes worth considering, quite a few people are going to be really nice people that nevertheless aren’t right for us. The best thing is to avoid reviewing anything that isn’t pertinent to the task at hand, which means code or words about code.”

“They can spout all they want about politics and Freedom Zero on their blog, but if I’m considering them for a job, I don’t want to know what they think about stuff like that, and I stopped myself from reading anything off-topic when researching candidates. As far as hiring is concerned, having compatible opinions is a question of luck, not qualifications.”
Ernestine was warming to the subject. “Another thing I did was start advertising in plain English. We tried placing ads for ninjas, rock stars, and so on, but I discovered this was the cultural equivalent of advertising for white males who drink dry martinis. Not that white males who drink dry martinis can’t do the job, but there’s no real difference between advertising for a Ninja and throwing half your resumés away because you don’t like unlucky people. Either way, you end up with fewer resumés.”

Oscar spoke again. “But what if the Ninja ad attracts more qualified respondents than the plain ad?” Ernestine smiled. “When you’re programming, how do you know which code to optimize?”

Oscar smiled. “I measure. Premature optimization is the—Oh, I get it!”

“Right,” Ernestine continued, “I measure too. And you ought to. Advertising for people is no different than selling things online. You track everything and measure everything. You A/B test. You run analytics. And you don’t throw half of your market away.”

“But,” Oscar protested, “You say our problem is finding that one person in a hundred or one in two hundred. How does being so damn inclusive help? We still need to reject ninety-nine people.”

“Ah,” explained Ernestine, “What I do is raise the actual talent bar higher to make up for removing all the other hurdles between a candidate and an interview. You shouldn’t reject people because they don’t look or sound like the last good person you hired, but you can and should reject people who can’t do the job. I don’t give anyone a free pass. I don’t care if they say they have Lisp experience and I heard them speak at RubyFringe and they let it drop that they were talking to Brendan Eich at Christian Jaekl’s wedding. I grill them, hard, on actual programming and actual software development.”

Oscar nodded. “Thanks,” he said, then hesitated. “Hey,” he said, “I think I just realized why you hired me when so many other places wouldn’t even give me a phone screen. Thanks a lot.”

“No thanks necessary,” said Ernestine, “You’re a great programmer and you’re going to be an even better team lead. You belong here. We’ll do great things together.”

Enhanced by Zemanta

  • Comments Off on Rescued from the ashes: I don’t hire unlucky people

May
2014

Path technique: preventing duplicate directories

categories: tools

Forest PathWhat happens with the Path

The path is set via a myriad of config files. It is very easy to accidentally add the same directory to the path, and there is no built-in mechanism from preventing this situation.

While it has no impact on performance, it does make reading the path more difficult (for example, when trying to see if a particular directory is in the path).

Easy Fix

When you find your path cluttered up with duplicate directories, it is relatively easy to correct this. Simply use pathmunge to add directories instead of the typical

export PATH=/fizz/buzz:$PATH

Procedure

First, edit your /etc/bashrc (or equivalent) and add the following function:

pathmunge () {
  if ! [[ $PATH =~ (^|:)$1($|:) ]] ; then
    if [ "$2" = "after" ] ; then
      PATH=$PATH:$1
    else
      PATH=$1:$PATH
    fi
  fi
}

Now you can call this function in your ~/.bashrc, ~/.bash_profile, or wherever you need to add a directory to the path. There are two ways to do this.

Insert at the beginning of the path

Using

pathmunge /path/to/dir

is the functional equivalent of

export PATH=/path/to/dir:$PATH

Append to the end of the path

pathmunge /path/to/dir after

is the functional equivalent of

export PATH=$PATH:/path/to/dir

In either case, the directory won’t be added if it already is in the path, preventing duplicates.

Technique credit: Sam Halicke and Christopher Cashell at Serverfault.

Related articles
Enhanced by Zemanta

  • Comments Off on Path technique: preventing duplicate directories

Mar
2014

How to screw up estimates

categories: Developer Hell, web development
A historic black-and-white photo of a train wreck, illustrating the importance of accurate project estimates.
(Photo credit: Wikipedia)

“I need a time and cost estimate to develop a fizzbuzz mobile app on all minor mobile platforms (Windows/Blackberry/Symbian), and I need that estimate in 15 minutes.”

Enhanced by Zemanta

 

  • Comments Off on How to screw up estimates

May
2013

The law of Futility of Avoidance

categories: Developer Hell
Cisco Spaghetti
(Photo: Christopher Macsurak)

Given enough time, you will end up becoming responsible for supporting and maintaining the very system you’re the most desperate to avoid.

Day 43
(Photo: craig1black) 

  • Comments Off on The law of Futility of Avoidance

Feb
2013

Installing Internet Explorer on Mac

categories: tools

Edit (2014-07-11): Fixed URLs

When you need to develop/design a solution for the majority of corporate users, you will need to test it on Internet Explorer. If you have a Mac, setting this up on your machine is easy.

The original source for this information was OSXDaily. I cleaned it up and added additional information.

Intended Audience

TerminalIf you’re unfamiliar with using the terminal, these instructions will not help you. The point is to allow you to install Internet Explorer on Mac for the purposes of testing and developing web applications and sites. Ideally, you are one of the following:

  • Web Developer
  • Web Designer
  • QA Tester

If you plan on running Internet Explorer for other purposes (such as working with an IE-only site), then this is probably not the best solution for your needs.

Required software

  1. Oracle VirtualBox
  2. curl (from Mac Ports or other)

Procedure

Be aware, this process can take HOURS to do, may crash in the middle and cause you to start over, take up inordinate amounts of disk space, etc.

Install IE7 Only

curl -s https://raw.githubusercontent.com/xdissent/ievms/master/ievms.sh | env IEVMS_VERSIONS="7" bash

Install IE8 Only

curl -s https://raw.githubusercontent.com/xdissent/ievms/master/ievms.sh | env IEVMS_VERSIONS="8" bash

Install IE9 Only

curl -s https://raw.githubusercontent.com/xdissent/ievms/master/ievms.sh | env IEVMS_VERSIONS="9" bash

Install IE7, 8 and 9

curl -s https://raw.githubusercontent.com/xdissent/ievms/master/ievms.sh | bash

Notes

Once you have the virtual machines installed, fire them up, set up the Windows instance (install drivers, etc.), then take a snapshot. This is the one you will always use.

When you get a ‘you must activate’ notice, open a Windows cmd line and run

slmgr –rearm

You can rearm two times before it won’t work anymore. At that point, roll back to your snapshot and you can rearm again when you get the message. Obviously, when you roll back to your snapshot all changes will be discarded (that’s the point), so make sure you save any data on your host’s drive.

FAQ

Q. Where is the command line on my Mac?
A. It is not recommended that you use these instructions; instead try another solution such as Apple Boot Camp.

Q. How do I install/uninstall Oracle Virtual Box?
A. You can try looking for information on the Oracle Virtual Box website or contact the Genius Bar at your local Apple Store for assistance.

Q. Where are the windows snapshots stored?
A. In ~/.ievms/

Q. The download stalls or crashes.
A. If it stalls, check your internet connection; you may have to restart the install. In the event of a crash, examine the error message to determine the cause of the problem.

Q. Can you just install it for me?
A. Sorry, no.


  • Won Word

    To rearm XP, use: rundll32.exe syssetup,SetupOobeBnk

  • Comments Off on Installing Internet Explorer on Mac

Jan
2013

How NOT to ask for help

categories: Skills

When submitting  bug reports, it is a good idea to

A room full of computers all showing the BSOD

  1. Realize that you’re asking for help from people who (usually) have day jobs, and
  2. Expend at least some amount of effort to show you’re not expecting someone else to do all the work.

With that in mind, let me introduce to you the Best Bug Report Comment, Ever

First the bug report:

[snip]

I don’t have the exact errors to post because I deleted my compile log, but they are the same errors you get if you don’t have the bzip2 development libraries installed, which of course I do in /www

[snip]

Then someone helpful asks for more information.

Please recompile so that you can tell us te exact errors.

Derick

And then, GOLD:

The php developer who added/maintains bzip2 support will know what I am talking about. I am not going to compile when I know this! It would be a waste of my time.

Wow.

Now, not to worry; a few minutes later the submitter saw the error of his ways, compiled his code, posted the exact error message and got help.

Learning how to ask questions is a skill. Mastering this skill can only help, because everyone (even the Super-cool techno guru) has to ask for help at some point, so why not be as effective as possible?

Until I find another one. That place is GOLD!

Enhanced by Zemanta

  • Comments Off on How NOT to ask for help

Jan
2013

Do it correctly: decoupling presentation from content

categories: web development
Box model in CSS

Box model in CSS (credit: Wikipedia)

I recently ran across the anti-pattern of what I see as a common problem amongst designers and developers: coupled presentation and content. I’ve found that decoupling the presentation from the content makes things much easier to write, maintain and expand.

Here’s a simple example:

HTML

<section>
    <div class="margin-top-10">Lorem Ipsum</div>
</section>

CSS

.margin-top-10 { margin-top: 10px };
.margin-top-20 { margin-top: 20px };
(etc)

Take a look at what is going on here: we’re adding a 10px margin to the top of the div. DON’T DO THIS. You want your class names to be contextual, not descriptive of the style.

Rule of thumb

To change the layout, you should only have to edit the CSS, not the HTML.

Here’s where our anti-pattern falls down and will cause grief.

  1. You decide to adjust the positioning of the section. You can:
    • Edit the CSS, changing the class’s margin value and breaking every other element that uses that class.
    • Edit the HTML create a new class, then edit its CSS class definition. If you have to experiment with different margin values, you’ll need a LOT of classes. “Will 14px work or 15px? What about .25em? Argh!”
  2. You can’t have too many attributes in each class, because they will have unintended consequences for the other elements that are using them. Add a red border to one class because you need a border for a specific element, now you have red borders on ALL the elements that share that class. So, you’ll have to have many single- (or few-) attribute values, and include all of the necessary ones on the required HTML elements.
  3. The violent psychopath maintenance programmer (who knows where you live) will kill you in your sleep. You have made her job insanely hard by turning this:
<div class="margin5 blueborder mediumwidth floatingleft" ...

into this

<div style="margin:5px;border:3px blue outset;float:left;width:75%" ...

for no good reason.

The Cure

Think about the element in terms of content or a functional space. What is it and what does it do? In our example above, let’s assume it is the lede section of an article. Then we would do:

HTML

<section>
    <div class="lede">Lorem Ipsum</div>
</section>

CSS

.lede { 
  margin-top: 10px;
  border-bottom: 2px #9fe2f9 outset;
  float: right;
  position: relative;
  width: ...
};

By decoupling the content (div) from the presentation (style-dependent class), we are free  to adjust the style of that element by making whatever changes to the CSS and leaving the HTML alone.

“But,” you shriek, “I have common elements for everything! Rounded corners! Gradients! (except IE…) Et cetera!”

 

For this, we will turn to our trusty companions Less and/or Sass in a future post.

SASS: Style w/ Attitude

SASS: Style w/ Attitude

Related articles
Enhanced by Zemanta

  • Comments Off on Do it correctly: decoupling presentation from content

Dec
2012

Iterations in Less

categories: programming magic

Part of the beauty of Less and other CSS ‘compilers’ is to enable the author to automate tedious functions that normally must be coded by hand.

Cut Copy Paste

Cut Copy Paste (Photo credit: arthit)

Suppose you needed several classes that specified padding/margins:

.mRight50{margin-right:50px}
.mLeft50{margin-left:50px}
.pRight50{padding-right:50px}
.pLeft50{padding-left:50px}
.mRight25{margin-right:25px}
.mLeft25{margin-left:25px}
.pRight25{padding-right:25px}
.pLeft25{padding-left:25px}

No big deal, right? It wouldn’t take that long to type in; just cut and paste a bit.

Well, what if you needed them from 0-100 by 5s? (Never mind WHY you’d want to do this; this is a simple example.)

.mRight100{margin-right:100px}
.mLeft100{margin-left:100px}
.pRight100{padding-right:100px}
.pLeft100{padding-left:100px}
.mRight95{margin-right:95px}
.mLeft95{margin-left:95px}
.pRight95{padding-right:95px}
.pLeft95{padding-left:95px}
.mRight90{margin-right:90px}
.mLeft90{margin-left:90px}
.pRight90{padding-right:90px}
.pLeft90{padding-left:90px}
.mRight85{margin-right:85px}
.mLeft85{margin-left:85px}
.pRight85{padding-right:85px}
.pLeft85{padding-left:85px}
.mRight80{margin-right:80px}
.mLeft80{margin-left:80px}
.pRight80{padding-right:80px}
.pLeft80{padding-left:80px}
.mRight75{margin-right:75px}
.mLeft75{margin-left:75px}
.pRight75{padding-right:75px}
.pLeft75{padding-left:75px}
.mRight70{margin-right:70px}
.mLeft70{margin-left:70px}
.pRight70{padding-right:70px}
.pLeft70{padding-left:70px}
.mRight65{margin-right:65px}
.mLeft65{margin-left:65px}
.pRight65{padding-right:65px}
.pLeft65{padding-left:65px}
.mRight60{margin-right:60px}
.mLeft60{margin-left:60px}
.pRight60{padding-right:60px}
.pLeft60{padding-left:60px}
.mRight55{margin-right:55px}
.mLeft55{margin-left:55px}
.pRight55{padding-right:55px}
.pLeft55{padding-left:55px}
...

Ugh.

There’s a better way:

@steps: 100;

// Main Loop
.sidesX( @index ) when ( @index > 0 ) {
 (~".mRight@{index}") { .mRightX(@index); }
 (~".mLeft@{index}") { .mLeftX(@index); }
 (~".pRight@{index}") { .pRightX(@index); }
 (~".pLeft@{index}") { .pLeftX(@index); }

 .sidesX(@index - 5);
}

// End iteration at index zero
.sidesX( 0 ) {}<

// Individual class rendering
.mRightX( @offsetsize ) {
  margin-right: (~"@{offsetsize}px");
}
.mLeftX( @offsetsize ) {
 margin-left: (~"@{offsetsize}px");
}
.pRightX( @offsetsize ) {
 padding-right: (~"@{offsetsize}px");
}
.pLeftX( @offsetsize ) {
 padding-left: (~"@{offsetsize}px");
}

// Generate the CSS
.sidesX( @steps );
Enhanced by Zemanta

  • Comments Off on Iterations in Less

Oct
2012

Why Flash Intros are bad and you should feel bad for using them

categories: web development

Remember when flash introduction pages were all the rage? They were ‘cool’ from the web designer‘s standpoint, but utterly annoying and off-putting to the visitor. Fortunately, most people figured out that people visited their site for the content, not the snappy graphics (unless it was a gallery site), and certainly not for the mandatory intro pages.

Yet, some people still haven’t gotten the clue that the 80s called and they want their flash intros back.

xkcd: the seventies called

For those who remember with revulsion, here’s the old SkipIntro parody. The site is long gone, but it would be a shame to let it fade away!

SkipIntro

If you haven’t clicked on it, do it now! Relive the pain of the never-ending flash intro to the sound of weird Indian music and gunfire!

The OG SWF

For those who somehow can still play flash file (via a plugin or whatever), here is the original SWF:


Sep
2012

The Importance of Not “Designing” your own Security

categories: web development

Recently, at a client, I had the opportunity to review their security implementation on their website. I realized that it is very important to never try to design one’s own security, because of the Dunning Kruger effect. In a nutshell, folks who don’t know very much about security think they know “enough,” and folks who are very knowledgable (e.g., Bruce Schneier) realize they don’t know all that much.

So what does this mean? It means simply this:

Broken bike lock
Not so secure now, is it?

If you design your own security system, you’re going to get it wrong.

Here are some examples of how to get things wrong.

Storing passwords in plaintext so you can send the person the password if they forget.

When (not if) someone breaks into your database, they instantly own every single account. They can log in, view your user’s details and change them. Since most people reuse the same password for multiple systems, the attacker can try those passwords on other popular services, such as Facebook, GMail, LinkedIn, Twitter, etc.

Relying on application-level security to protect your data.

This is dangerous because it is hard to ensure 100% coverage. EVERY access point—of many—to your data must be secure. Failing to cover one point leaves the system wide open. A better solution is to apply security at the data-store level. Typically, this is done using triggers and stored procedures. Your RDBMS doesn’t support those (or weakly supports them)? Find another RDBMS.

Using the same salt for every password in the system.

You don’t understand what salts are for and how to use them properly.

Requiring “complex” (a number, upper- and lower-case letters and symbols but not very long) passwords.

Nope. Ineffective.

Relying on Two-Factor Authentication.

For now it is working, somewhat, but crackers are rapidly finding ways to circumvent this technique.

Relying on a “security question” in case the person forgets his/her password.

Oh, you’ll love this. You’re creating a weak password as a backup to a (hopefully) strong password. Fail.

Assuming by keeping the details of your implementation secret, you will be secure.

This is dangerous because you think you’re secure. In fact, you are less secure. Kerckhoffs’s Principle is always a good starting point for security implementation: if an attacker could see all of my code and had a copy of my database, could she/he break into my system?

Getting it right

The first step is admitting that you don’t know what you’re doing.

Now go find someone who does: there are plenty of security libraries out there for every language. Find one that is mature and widely used and implement it. Keep up to date on the library’s mailing list so you will receive alerts, and update whenever there’s a new version.

Security is hard to do. It is extremely hard to do correctly. Don’t fall into the trap of thinking you can get it right without years and years of study and experience.

Related articles

Edit (30 Jan 2026) – Formatting, fixed links, added missing image

  • Comments Off on The Importance of Not “Designing” your own Security