<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-3442944337117380119</id><updated>2012-03-05T01:27:01.438-08:00</updated><category term='Identity'/><category term='People'/><category term='Architecture'/><category term='Risk Management'/><category term='General'/><category term='Organization'/><category term='PayPal'/><category term='Photography'/><category term='eBay'/><category term='Strategy'/><category term='Security'/><category term='Fun'/><category term='Talks'/><category term='product'/><category term='Software Eng. Management'/><title type='text'>Software For All Seasons</title><subtitle type='html'>On Software, Systems and People who Build Them.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>60</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-4883798595833565697</id><published>2011-11-23T00:08:00.000-08:00</published><updated>2011-11-24T14:58:05.110-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><title type='text'>The Uncommon Security Common Sense</title><content type='html'>I cannot claim that I actually counted or classified all the reasons people cite for not taking security (or, for that matter, sound and well-thought-through system design) seriously from the start, but the following three lines seem to be the most common ones:&lt;br /&gt;&lt;br /&gt;1- The "it is too contained" line: So what is the big deal? At worst it may affect a very small percentage of my users.&lt;br /&gt;2- The "it is too early" line: Oh, my system/site/project is too small and we only have a few users; we really don't have time/resources for this.&lt;br /&gt;3- The "it is too small" line: My project is too small or too obscure for anyone to care.&lt;br /&gt;&lt;br /&gt;By the way, I have heard these lines or their equivalents not only when it comes to security engineering (or re-engineering) but also in designing business policies or risk management measures to prevent fraud or, in general, negative user experiences, as well as in general system design.&lt;br /&gt;&lt;br /&gt;Now, to be fair, these reasons all sound like "common sense". After all, why would you take on additional cost and time for your project, or accept the expense and risk of re-engineering your code, to fix an issue that may only affect 1% or 0.01% of your users? Or why should you spend two weeks fortifying a system that took you 3 days to design and is "just an experiment"? 
And finally, who really cares about a small project somewhere, with some obscure URLs, that takes an email address as one of its inputs and shows a helpful error message if the email is not registered? Does ANYONE really care?&lt;br /&gt;&lt;br /&gt;Well, as it turns out, security common sense (like many other forms of common sense) is actually quite uncommon! Let's look at this frequently cited common-sense logic a bit more closely.&lt;br /&gt;&lt;br /&gt;To demonstrate the fallacy behind the &lt;b&gt;first logic&lt;/b&gt; (it is too contained, it only affects 0.01% of users) I cannot think of any better illustration than the words of presidential candidate Herman Cain, who said that "for each woman who has accused him of harassment there are probably thousands who haven't", and he is 100% accurate and right! But does that make any difference? In all likelihood his presidential bid is all but over. Or could the Washington D.C. police chief during the &lt;a href="http://en.wikipedia.org/wiki/Beltway_sniper_attacks"&gt;"D.C. Sniper Attacks"&lt;/a&gt; have possibly argued that the whole thing was not a big deal because only 0.001% of the D.C. metro population were actually killed, and therefore there was no need for a massive mobilization of police, FBI, ATF and even the Secret Service!?&lt;br /&gt;&lt;br /&gt;The same math is true for security: it does not matter if only 1000 users out of 10MM become victims of a poorly secured or designed system. What matters is how many people hear and learn about it, and you can be sure that, at least in this day and age, that number is a few orders of magnitude larger than the actual number of victims. 
The sense of insecurity that this causes in the rest of the user community, and its economic cost, is the real math that matters, not the fact that only 1000/10MM = 0.01% of users were affected.&lt;br /&gt;&lt;br /&gt;The &lt;b&gt;second line&lt;/b&gt;, "it is too early", or its equivalent "we don't have enough time or resources", is the most common line not only in security matters but in system design and architecture as well. What is interesting here is that the exact premise cited for not focusing on security (or sound design, for that matter) is why security should be taken seriously, i.e. "I am too new to afford not to be secure": if you are releasing a new product (or brand or site) you REALLY DO NOT HAVE A SECOND CHANCE TO MAKE A FIRST IMPRESSION. If you are not secure, or if your first few users get taken advantage of (think of the AirBnB incident), you are doomed. To further demonstrate the risk in this argument I submit the following picture of one of the more famous car design mistakes: the 1998 Honda Odyssey.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://trialx.com/curetalk/wp-content/blogs.dir/7/files/2011/06/cars/1998_Honda_Odyssey-2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://trialx.com/curetalk/wp-content/blogs.dir/7/files/2011/06/cars/1998_Honda_Odyssey-2.jpg" alt="1998 Honda Odyssey" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Honda designed this in a hurry to get into the growing minivan market dominated by Dodge/Chrysler. They decided to differentiate by replacing the convenient power sliding door with a traditional door! Imagine what would have happened if this were a new no-name company without Honda's established brand. Of course Honda corrected the mistake in the 1999 model and beyond and went on to have one of the most successful minivans. 
But if you are not Honda, you had better spend time and money on designers and marketers to tell you, on the first try, that whoever buys a minivan *needs* a sliding door.&lt;br /&gt;&lt;br /&gt;Now we get to the &lt;b&gt;third line&lt;/b&gt;: "Who really cares about me?" I have to admit that I have the most sympathy with people who resort to this logic. After all, it is tough to imagine how capable and resourceful the modern fraudster/hacker community is without actually having a brush with them. I will not get into the details here; if you are interested you can briefly scan Rick Howard's excellent book &lt;a href="http://product.half.ebay.com/Cyber-Fraud-Tactics-Techniques-and-Procedures-by-Kellie-Bryan-and-Rick-Howard-2009-Hardcover/66819436&amp;amp;cpid=1388234078"&gt;"Cyber Fraud: Tactics, Techniques and Procedures"&lt;/a&gt;. For the purpose of this writing I'd suggest you assume the following is true:&lt;br /&gt;&lt;br /&gt;In the game of "Who wants to break into my system", your adversary is more motivated (financially or politically) than you are, more experienced than you are, more innovative than you are, more nimble than you are, wants it more than you do, and has a smaller cost base than you do (and therefore all he needs is 0.01%, or less, of your users). The ONLY advantage that you have is that you write the rules of the game. Do not give up that advantage easily. 
You WILL lose the game.&lt;br /&gt;&lt;br /&gt;By the way, the endpoint URL that takes an email and very nicely checks and displays an error if the email does not belong to a valid user was actually found (although it was a somewhat obscure URL, not linked to from anywhere) and used to extract valid company X user emails (cost $5000+) from a large list of unverified harvested emails (cost $50): a vital part of the phishing industry's value chain.</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/4883798595833565697/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/11/uncommon-security-common-senses.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4883798595833565697'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4883798595833565697'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/11/uncommon-security-common-senses.html' title='The Uncommon Security Common Sense'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-2984033521833955864</id><published>2011-11-06T19:18:00.000-08:00</published><updated>2011-11-06T19:18:31.883-08:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Talks'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>OIX Attribute Exchange Summit - Washington DC</title><content type='html'>Open Identity Exchange (OIX) is holding this year's &lt;a href="http://openidentityexchange.org/events/attribute-exchange-summit"&gt;Attribute Exchange Summit in Washington, DC&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Identity attributes are at the core of the concept of digital identity. As the federated identity ecosystem matures and adoption grows among more sophisticated RPs, with more consequential use cases such as government, health, education and commerce, so does the need for wider sets of attributes with more accurate and fresh values. This presents both tough challenges and opportunities for IDPs.&lt;br /&gt;&lt;br /&gt;The challenges center, as one may expect, around aggregating, correlating, transforming and maintaining fresh copies of attributes in a cost-effective manner and in a way that does not compromise the privacy (and other rights) of the principal owner. 
IDPs can differentiate based on the range of attributes they provide in this way, and therein lies the opportunity.&lt;br /&gt;&lt;br /&gt;I will be talking more about identity attributes, their life cycle, use cases and how they help establish and elevate trust among parties to commercial transactions (online and offline) as part of a panel with Don Thibeau, OIX/OIDF chairman, and Abbie Barbir, VP, BoA.&lt;br /&gt;&lt;br /&gt;If you are planning to attend, I'd be happy to hear from you.</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/2984033521833955864/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/11/oix-attribute-exchange-summit.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2984033521833955864'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2984033521833955864'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/11/oix-attribute-exchange-summit.html' title='OIX Attribute Exchange Summit - Washington DC'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-7372753782241830870</id><published>2011-10-17T22:58:00.000-07:00</published><updated>2011-10-17T22:58:44.340-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>OAuth vs. OpenID Connect ?</title><content type='html'>The OpenID Connect 1.0 spec is finally released (actually it was released back in August). Its release was accompanied by two predictable categories of questions/sentiments, one not very well informed and the other a legitimate question:&lt;br /&gt;&lt;br /&gt;- OpenID is dead&lt;br /&gt;- OpenID Connect is really OAuth, so why do we need a new protocol?&lt;br /&gt;&lt;br /&gt;Granted, this is normally coming from the software engineering and social application programmer community and not from the identity community, but I feel they are significant enough to be addressed, especially at a time when more and more entities are contemplating becoming identity providers and need to decide which protocol they should implement.&lt;br /&gt;&lt;br /&gt;First, on the demise of "OpenID": it is true that the earlier versions of OpenID (version 1 and version 2) are, for all intents and purposes, deprecated and will not gain a whole lot of traction. But the general idea of "open" standards for communicating between RPs and IDPs that enable users to provision fewer accounts and have a portable identity, while still maintaining control over their privacy and data, is alive and well and is actually even more vital than before.&lt;br /&gt;&lt;br /&gt;Second, on the relationship between OAuth and OpenID Connect: OAuth is a general protocol for authorizing an agent to access a resource on behalf of the resource's owner. OAuth does not assume any particular knowledge about the resource itself. What does this mean? Let's go back to the canonical OAuth use case of a user who would like to authorize a printing service to access her photos from a photo service provider. Now imagine that the photo service is slightly sophisticated and recognizes a few properties associated with photos, e.g. resolution, size, whether they are shots with no humans, and, if they are shots with humans, who appears in the photos. Basically, let's assume the resource served by the SP has more semantics than simple "access".&lt;br /&gt;&lt;br /&gt;Now imagine that the user wants to grant access to only JPEG photos of herself and not full access to all photos. How would the IDP encode these semantics in the authorization request and response? How would the SP know that it should only provide access to a subset of images?&lt;br /&gt;&lt;br /&gt;To be sure, this is doable using OAuth, but the implementer has to add additional parameters to the request and response, or possibly constrain the input values of some other parameters.&lt;br /&gt;&lt;br /&gt;A protocol that is built this way to access a specialized resource would be a photo access protocol built on top of OAuth.&lt;br /&gt;&lt;br /&gt;In essence this is exactly what OpenID Connect is: a protocol built on top of OAuth that supports features that are often desired and used when the resource being delegated is "identity" and attributes about an identity.&lt;br /&gt;&lt;br /&gt;To illustrate the point, here is what we, at eBay, had to do for an internal authentication protocol on top of OAuth:&lt;br /&gt;&lt;br /&gt;- &lt;b&gt;Force Authentication:&lt;/b&gt; adding parameters to the authorization request to force users to authenticate no matter what their authentication state with the IDP is&lt;br /&gt;- &lt;b&gt;Authorization Behavior:&lt;/b&gt; adding parameters to the authorization request to indicate to the IDP whether it should display the consent page and how to display the login page (overlay, full page)&lt;br /&gt;- &lt;b&gt;Standard Claim Set:&lt;/b&gt; defining the default set of attributes returned by the IDP&lt;br /&gt;- &lt;b&gt;Requested Attributes:&lt;/b&gt; adding a mechanism to allow RPs to ask for additional attributes, and annotating them to indicate whether explicit user consent is required&lt;br /&gt;- &lt;b&gt;Authentication Context:&lt;/b&gt; adding a fragment to the response to communicate the authentication context (single vs. multi-factor, PIN vs. password, number of retries, etc.)&lt;br /&gt;- &lt;b&gt;Protection:&lt;/b&gt; adding parameters to indicate how access tokens should be protected (encryption, signature and order of operations)&lt;br /&gt;- &lt;b&gt;Token Validation endpoint:&lt;/b&gt; adding an endpoint to introspect access tokens on demand&lt;br /&gt;&lt;br /&gt;These are all features and facets that OpenID Connect enables in a standard and interoperable fashion. In the absence of a standard such as OpenID Connect, though, any RP integrating with our IDP had to implement what was basically a proprietary protocol, albeit one on top of OAuth.&lt;br /&gt;&lt;br /&gt;The point is that if you want to operate an IDP and you want to use just OAuth, you have to add a few things to OAuth, depending on the depth of your requirements, to make it work for the "identity" resource. This is exactly what Facebook did with FB Connect, and they also did a good job of wrapping it with JavaScript plug-ins. The goal of OpenID Connect is to use OAuth as the basic access authorization protocol and add identity-specific features to it so that it becomes a standard "identity protocol" that can enable seamless interoperability.</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/7372753782241830870/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/10/oauth-vs-openid-connect.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7372753782241830870'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7372753782241830870'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/10/oauth-vs-openid-connect.html' title='OAuth vs. 
OpenID Connect ?'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-6967136798098214720</id><published>2011-10-12T22:15:00.000-07:00</published><updated>2011-10-12T22:20:29.875-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>PayPal Access &amp; Commercial Identity</title><content type='html'>Today eBay Inc. announced an identity and attribute provider product called PayPal Access. Some described it as a &lt;a href="http://www.zdnet.com/blog/btl/paypal-access-becomes-the-facebook-connect-for-online-payments/60550"&gt;"Facebook Connect for Commerce"&lt;/a&gt;, others &lt;a href="http://www.digitaltransactions.net/news/story/3236"&gt;described it as an easy registration tool for mobile sites&lt;/a&gt;. Today at the X.commerce Innovate Conference someone suggested to me that this is the first step for eBay Inc. to offer full cloud-based user management for e-commerce sites and merchants. You can also see the official press release from eBay Inc. &lt;a href="http://www.ebayinc.com/content/press_release/20111012006418"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Most of the press and coverage today focused on "Consumer Identity", or more accurately Consumer Commercial Identity, and the benefit of PayPal Access for consumers and the online merchants visited by those consumers. Consumer identity is indeed one facet of "Commercial Identity", but there is another side to commercial identity, a less understood (and arguably less sexy) side, and that is Merchant Identity. What do I mean by this? 
Let's look at a scenario:&lt;br /&gt;&lt;br /&gt;Merchants themselves are consumers of many online and offline services (think of them as B2B services). A company that sells on eBay, or any other online channel, has an eBay account, an account with a shipping company (FedEx), a Facebook account, perhaps another account with an email marketing service, a bank account, etc. Clearly merchants suffer from the same "account and password hell" that consumers do, but this hell is a lot deeper and hotter for merchants. Consider these facts:&lt;br /&gt;&lt;br /&gt;- Most merchants have employees/contractors who create these accounts on behalf of the merchant&lt;br /&gt;- A lot of these employees (for smaller merchants) are part-time or temps&lt;br /&gt;- Employee turnover is high&lt;br /&gt;&lt;br /&gt;Here, in addition to the usual forgetting of one's password (which for a merchant leads to loss of productivity and money), sometimes the person who created the account simply leaves. If you are lucky and s/he left on good terms, you end up having to chase the employee and restore your access; if not, you are exposed to unauthorized access by the employee or downright "account takeover".&lt;br /&gt;&lt;br /&gt;You might say: what is the difference between this and consumer identity? These employees are consumers too, and technically there is no difference. But look closer. Merchant use cases are fundamentally different. In consumer identity use cases, a consumer is a principal and gives consent on his/her own behalf to an agent (another site or application); the IDP itself recognizes that the consumer is the principal and allows her (and ONLY her) to change or revoke this access. In merchant cases, what appears to be the consumer is really not a principal bound to the merchant identity but an employee. 
In this case the IDP must recognize this "hierarchical relationship" and allow an "admin" employee of the merchant to monitor and manage the life cycle of the tokens (and identities) of employees.&lt;br /&gt;&lt;br /&gt;In the use case above, merchant X would not reveal its primary eBay user name and password to any employee; they would provision an account for each employee. The employee then logs into eBay using her own account, via PayPal Access, and all the while PayPal Access monitors and manages all the tokens issued to all employees of merchant X. Should an employee leave or change function, the token can be revoked by the merchant X admin regardless of the employee's decision.&lt;br /&gt;&lt;br /&gt;If this sounds like LDAP or Active Directory, that is because it really serves the same function: Enterprise Identity, where in this case the enterprise is really a merchant. This is not unexpected in a world where enterprise identity and consumer identity (a.k.a. social identity) are converging, and there is a need for cloud-based enterprise user management.&lt;br /&gt;&lt;br /&gt;Please note that this is NOT an announcement (or leak) of a PayPal Access cloud-based user directory. IT IS NOT, REALLY. 
I just wanted to point out that there are two sides to commercial identity: a sexy side (consumer) and a side that can make you money (merchants).&lt;br /&gt;&lt;br /&gt;In the next post, I will write a bit about Consumer Commercial Identity and how it may be different from social identity.</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/6967136798098214720/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/10/paypal-access-commercial-identity.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/6967136798098214720'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/6967136798098214720'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/10/paypal-access-commercial-identity.html' title='PayPal Access &amp; Commercial Identity'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-4934076363702620939</id><published>2011-10-08T22:36:00.000-07:00</published><updated>2011-10-08T22:36:12.868-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='People'/><title type='text'>Magician vs. Engineer</title><content type='html'>Steve Jobs, the man, died a few days ago. 
Steve Jobs the symbol and the icon in all likelihood lives on for a long time. In this status he is joined perhaps only by one other man: Bill Gates (whether people agree or disagree with his business tactics, or feel that MSFT produced low-quality or hard-to-use software... no one can deny the fact that he was one of the first few who realized that software would be the key to pervasive computing, co-founded the first real software company and put software engineering as a profession on the map).&lt;br /&gt;&lt;br /&gt;That is why I was so excited to watch them being interviewed on the same stage and at the same time @ D5 in 2007. When the news of Steve Jobs' passing came out, I went back and watched it again, and this time I found it simply &lt;b&gt;fascinating&lt;/b&gt;. The session is about 1.5 hours: an hour of interview and 30 minutes of Q&amp;amp;A.&lt;br /&gt;&lt;br /&gt;&lt;iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/zmInRZ2d-bI" width="420"&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;It is long, but it is well worth the time.&lt;br /&gt;&lt;br /&gt;After about 4.5 years, and with hindsight, it is so amazing to see Steve Jobs explaining his vision of the "Post-PC" era and the superiority of native applications, the merits of integrating hardware and software, and, in general, what we can only now recognize as a general description of the iPad (with the notable absence of any reference to the App Store).&lt;br /&gt;&lt;br /&gt;Interestingly, Bill Gates, in response to what he sees as the post-PC era, talks, spot on, about tablet computing, the significance of touch and the "convergence device". 
&amp;nbsp;Keep in mind that MSFT had been doing basic research in this field for a long time.&lt;br /&gt;&lt;br /&gt;In my view, both men shared the same overall knowledge of trends and technologies in 2007; both knew that a device that is basically touch-enabled and connected would dominate the future. Then why was Apple able to come up with the iPad while MSFT ended up with a few tablets from a bunch of manufacturers that only a few people ever saw live in action, let alone used?&lt;br /&gt;&lt;br /&gt;Amazingly, Bill Gates answers this question himself - in what I think is the most interesting exchange of the interview: a member of the audience (a woman @ about 1:22 into the video) asks both Jobs and Gates "...What did you learn about running your own business that you wished you had thought of sooner or first by watching the other guy". Bill Gates volunteers an answer first and says:&lt;br /&gt;&lt;br /&gt;"...he (Steve) has an&amp;nbsp;intuitive&amp;nbsp;taste for product and people, we sat in Mac product reviews and question would come up that I would view it as engineering&amp;nbsp;question&amp;nbsp;b/c that is how my mind works and I'd see Steve make a decision based on a sense of people and product that is even hard for me to explain, the way he does things are just different and I think it is magical and in that case WOW" (he never mentions what that case was)&lt;br /&gt;&lt;br /&gt;There, ladies and&amp;nbsp;gentlemen, you have it! This is why MSFT and Bill Gates, as great as he is, with all the knowledge of trends and technologies, could never quite come up with that "convergence device". They (or anyone else) did not have that magical "intuitive&amp;nbsp;taste for product and technology". 
As Bill Gates said, it is hard even for him to explain, let alone replicate, that&amp;nbsp;intuition.&lt;br /&gt;&lt;br /&gt;A lot of things have been said and written about Steve Jobs' greatness, but none captures and expresses the essence of what Jobs did better than the description given by the only other icon of modern computing, Bill Gates:&amp;nbsp;intuition&amp;nbsp;vs. solution, soul vs. mechanics,&amp;nbsp;empathy&amp;nbsp;vs. sympathy... Magic vs. Engineering.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-4934076363702620939?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/4934076363702620939/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/10/magician-vs-engineer.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4934076363702620939'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4934076363702620939'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/10/magician-vs-engineer.html' title='Magician vs. 
Engineer'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://img.youtube.com/vi/zmInRZ2d-bI/default.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-5094342764368829463</id><published>2011-09-22T22:02:00.000-07:00</published><updated>2011-09-25T23:51:45.637-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='eBay'/><category scheme='http://www.blogger.com/atom/ns#' term='Organization'/><title type='text'>Interviewing @ eBay Part V - Dir. and VP of Engineering</title><content type='html'>&lt;div class="MsoNormal"&gt;My baseline for interviewing senior engineering management is the following non-scientific, completely made-up definition:&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: blue;"&gt;The job of a manager is to develop &amp;amp; allocate resources and manage the execution of projects to satisfy time, budget and quality constraints and to minimize risks and promote efficiency (repeatability of the whole process). 
Leadership (as in the ability to inspire and influence change) is desirable, and indeed necessary the higher one goes in the management chain.&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="MsoNormal"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Based on this, there are five types of questions I’d normally ask:&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -.25in;"&gt;&lt;span style="font-family: Symbol;"&gt;·&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;General/ice breaker: One or two questions based on the resume, or general questions such as Why eBay? Why now?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -.25in;"&gt;&lt;span style="font-family: Symbol;"&gt;·&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Technical Management: Ability to manage large teams, projects, timelines, budgets and plans&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -.25in;"&gt;&lt;span style="font-family: Symbol;"&gt;·&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Leadership: ability to conceive, evangelize and cause positive change&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; 
mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -.25in;"&gt;&lt;span style="font-family: Symbol;"&gt;·&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Personal: I mean to assess personal integrity, awareness and reflection&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level1 lfo2; text-indent: -.25in;"&gt;&lt;span style="font-family: Symbol;"&gt;·&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Field Specific: Needless to say, a director of DB engineering gets specific DB questions, a director of commerce must know the details of order management and payment processing, a VP of personalization gets collaborative filtering and a VP of applications gets the “how would you build a large web app” question.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="margin-left: .5in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&amp;nbsp;Here is the current (and expanding) bank of questions I’d normally draw from; please email me or comment if you have other suggestions...&lt;o:p&gt;&lt;/o:p&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="mso-list: l1 level1 lfo1; text-indent: -.25in;"&gt;&amp;nbsp;-&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;General &lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" 
style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;First 90 days at eBay?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;Why eBay, Why Now?&lt;br /&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;Talk about the most defining event in your professional life.&amp;nbsp;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What are the 2 or 3 interesting and promising trends you see?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is leadership to you? 
What is management to you?&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;There are safe and conservative answers to these questions; however, answers that reflect&lt;br /&gt;measured risk-taking and authenticity are always preferable.&amp;nbsp;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -.25in;"&gt;-&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -.25in;"&gt;&amp;nbsp;-&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;Tech Management&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How would you structure an engineering org?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you measure the progress and success of a 
project?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you decide the allocation of engineering resources across multiple locations?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you manage the promotion process?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you allocate bonus budget among your team members?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you see your relationship with the product and architecture functions?&lt;b&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; 
&lt;/span&gt;&lt;/span&gt;How do you manage your hiring process? Who would you hire?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;A new technology for part of your stack is emerging (e.g. a new presentation technology or a better and open sourced database, new JVM or cache …); would you replace your existing technology stack with the new one, why or why not?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you make sure knowledge sharing is effective among your team members?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you ensure the quality of your delivery?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is the most important job of a technology manager (pick one!), why?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" 
style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you monitor the day-to-day tasks and assignments of your team?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is your view about innovation? How do you practically manage an “innovative” team?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you deal with the “NIH” – Not Invented Here – issue?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is your talent development philosophy?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you choose and prepare your 
successor?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Would you direct your team to execute on a course of action you do not support?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you increase productivity? How do you measure it?&lt;br /&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;How do you empower your team to do "the right thing"? 
even when there is no time or budget for it?&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -.25in;"&gt;-&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;Technology&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you manage development life cycle? What development life cycle do you use?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is the current technology stack you are using? What are the benefits? What are the drawbacks? Why it was chosen? 
(please don’t say “I don’t know, it was chosen before I joined”)&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you plan for migration from an old, stable, large system to a newer version of the same system?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you feel about redundant work? Is there an occasion when it may be useful?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;When do you use open source? What are the challenges? When do you use vendors?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is Agile to you? 
What are the benefits and challenges?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What 2 or 3 questions would you like to ask about eBay technology?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Explain the CAP theorem.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What are the measures/steps you take when your system is in operation?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -.25in;"&gt;&lt;b&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; The Person&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you stay current on the state of technology? 
What part of the stack are you interested in the most?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How have you improved over the years as a manager?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is your proudest moment as a manager? &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Tell me about your biggest mistake; how did you realize it was a mistake? 
What did you do afterwards?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is one criticism that your subordinates make about you?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How can Twitter be used to improve eBay?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you improve eBay? Now, I just told you to do something else, which you feel is not right; how do you react?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is your dream company to work for? 
Imagine now that you have an offer from that company, what should eBay do so that you work for eBay instead?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -.25in;"&gt;-&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -.25in;"&gt;&amp;nbsp; -&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;Leadership&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you deal with a “failing” project? 
Or a project in crisis?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Your plan requires the cooperation of another team, but that team has its own priorities and plans, how do you convince them to allocate time and resource to your project?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you influence and convince a group of people over whom you have no authority? Give an example &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&amp;nbsp;How do you mentor/coach your team member?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;You receive a call at 2am telling you that the entire search (or checkout) is down, what do you do?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; 
text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Two senior technical leaders (or teams) escalate a technical difference to you (MemCache v.s NoSQL or doing it now vs. doing it in the future …) how do you settle the matter?&lt;o:p&gt;&lt;/o:p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-5094342764368829463?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/5094342764368829463/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/09/interviewing-ebay-part-v-dir-and-vp-of.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5094342764368829463'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5094342764368829463'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/09/interviewing-ebay-part-v-dir-and-vp-of.html' title='Interviewing @ eBay Part V - Dir. 
and VP of Engineering'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-6382374996895282405</id><published>2011-09-11T21:13:00.000-07:00</published><updated>2011-09-11T22:18:58.738-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Talks'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>OpenID Tech Summit - Mountain view, CA - 9/12-13</title><content type='html'>I am attending the OpenID Tech summit tomorrow (Monday) and Tuesday at the MSFT Silicon Valley campus.&lt;br /&gt;&lt;br /&gt;There are two main topics: first, the official&amp;nbsp;announcement&amp;nbsp;of &amp;nbsp;&lt;a href="http://openid.net/connect/"&gt;OpenID Connect&lt;/a&gt; - a standard built on top of OAuth 2.0 that allows RPs to connect and obtain extensible profile information about an identity - &amp;nbsp;and second, the introduction of a concept called &lt;a href="http://accountchooser.com/"&gt;Account Chooser&lt;/a&gt;&amp;nbsp;- a UX pattern for federated login pages proposed based on the experience of Google in dealing with federated authentication scenarios.&lt;br /&gt;&lt;br /&gt;I am also part of a panel discussion on "&lt;span class="Apple-style-span" style="font-family: Calibri; font-size: 16px;"&gt;&lt;strong&gt;Identity Schizophrenia - How users want to apply their online identities" &lt;/strong&gt;moderated by Allen Tom, OIDF Board Member. It is scheduled for Tuesday September 13 @ 1:40pm. 
For a full schedule of the summit see &lt;a href="http://openid.net/tag/summit/"&gt;here&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri; font-size: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri; font-size: 16px;"&gt;It should be interesting ... If you are there tomorrow, please do stop by and say hi ...&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri; font-size: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Calibri; font-size: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-6382374996895282405?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/6382374996895282405/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/09/openid-tech-summit-mountain-view-ca-912.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/6382374996895282405'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/6382374996895282405'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/09/openid-tech-summit-mountain-view-ca-912.html' title='OpenID Tech Summit - Mountain view, CA - 9/12-13'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-141520262278683026</id><published>2011-09-10T18:36:00.000-07:00</published><updated>2011-09-10T18:36:56.460-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='People'/><category scheme='http://www.blogger.com/atom/ns#' term='product'/><category scheme='http://www.blogger.com/atom/ns#' term='eBay'/><title type='text'>Interviewing @ eBay Part IV - Product Management Interview</title><content type='html'>&lt;div class="MsoNormal"&gt;First let’s review, very briefly, what product managers are expected to do – I also highly recommend you read the following Q&amp;amp;A from Quora contributors:&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;b&gt;&lt;span style="color: #161f21; font-family: Helvetica, sans-serif; letter-spacing: -0.75pt; line-height: 115%;"&gt;&lt;a href="http://www.quora.com/Product-Management/What-are-your-top-3-5-books-or-resources-for-tech-product-managers?q=product+management+boo"&gt;What are your top 3-5 books or resources for tech product managers?&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;b&gt;&lt;span style="color: #161f21; font-family: Helvetica, sans-serif; letter-spacing: -0.75pt; line-height: 115%;"&gt;&lt;a href="http://www.quora.com/Product-Management/What-are-the-best-books-for-Product-Managers?q=product+managment+book"&gt;What are the best books for Product Managers&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;In my view the core of the product management role is to understand the firm’s resources and capabilities, existing products 
and markets, customer needs and wants, and existing and adjacent market dynamics and economics, and to use the intersection of these four factors to conceive of and design new products or improve and evolve the existing ones in a manner that is profitable for the firm - i.e. reduces costs or increases revenue.&amp;nbsp;&lt;/div&gt;&lt;div class="MsoNormal"&gt;That is indeed a tall order, and rarely can be performed by one person – it is a role – but an individual product manager should perform any part of this role.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;(Notice that we are not talking about the product marketing manager, project manager or program manager roles; the focus is only on product management as it is defined above.)&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;In addition to – or in order to accomplish – this core function, product managers at eBay work closely with the business to understand markets and trends, participate in the conception of ideas, communicate with and get buy-in from all stakeholders (formal, actual or both), help marshal resources, come up with execution plans, and ensure a successful roll-out as well as post-roll-out and operations activities. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;To me, the core traits of a product manager are clear and&amp;nbsp;analytical&amp;nbsp;thinking ability, communication and influence, and discipline (in capturing assumptions, solutions, exemptions, follow-ups, coordination as required by the breadth of activities above, etc.)&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;In a typical interview (45 min) you can expect 4-5 questions from the list below: &amp;nbsp;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;-&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;Technical questions: &lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle"&gt;Most eBay products are either technology-based or have a strong technology component to them, so you have to understand technology (as in software engineering, operations, statistics …); you also need to build credibility with engineers. For these two reasons expect a few technical questions. I don’t personally ask you to code, unless you volunteer to (a plus) or you state on your resume that you are “fluent in Java”; then I consider it fair game. By the way, if you are applying for a “Technical PM” position, please read the “architect” interview post. 
These two jobs are almost the same at eBay.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is the general architecture of a web application? How about a mobile application?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Your product has to use the service of a service provider – the service is available online – what is the list of questions you would like answered about this service provider?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;-&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;Analytical ability &lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is BMW’s revenue? (Do not look it up; I actually change the company randomly.)&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; 
text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;In a marketplace the actual incidence of fraud is decreasing, but the perception of fraud is increasing; what is going on?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What data/information would you like to know in order to estimate eBay’s revenue?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;-&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;Business and Strategy&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Typical management consultant questions on strategy, competition, profitability, new markets etc.&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you grow eBay revenue by 20% in one 
year?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What adjacent markets should eBay consider entering?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Should eBay expand into Japan?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Should eBay buy ETSY?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Should eBay buy Yelp?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;-&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;Product Design&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 
level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you improve the eBay buying experience? How about the selling experience?&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Should eBay accept Facebook Identity? If so, what are the considerations?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What do you think about “Social Commerce”: hype or real?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you incentivize excellent selling behavior on eBay? 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How would you plan the launch of a product? Say fashion vault in Germany, or integration of a new shipping carrier into the system.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How should eBay verify and confirm the identities of all sellers and buyers?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How best do you think eBay can combine e-commerce and offline commerce?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What are the risks an electronic marketplace faces? 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How should eBay implement a “calendar of events” feature for sellers?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you improve the eBay feedback system?&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;You are asked to improve eBay registration performance; what would you do?&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What set of metrics would you use to measure the health of a marketplace?&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;-&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;Awareness of markets and 
trends&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Which companies should eBay marketplaces acquire?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What are eBay’s main competitors and why?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What trends (technology, consumer, economic, social etc.) 
will impact eBay’s business, and how?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Describe the economics of the electronic payment industry.&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;What are your favorite products and why? (Please be prepared to mention something other than iPad or iPod.)&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1in; text-indent: -0.25in;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1in; text-indent: -0.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;What is the biggest product blunder in your mind, and why?&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1in; text-indent: -0.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;Which web sites do you visit regularly?&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: 
-.25in;"&gt;-&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;E-Commerce and Payment&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you design a multi-merchant shopping cart?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is the “e-commerce funnel” – how do you optimize it?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How should the “best match” algorithm be designed?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What are the risks an electronic marketplace faces? 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;You meet an eBay seller who complains about low sales volume; what would you recommend he do?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you measure the success of a shopping cart?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How can you use one's FB and Twitter accounts to improve searches on eBay?&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How would you design an effective refund experience, and how do you measure its&amp;nbsp;effectiveness?&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span class="Apple-style-span" style="font-size: 9px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" 
style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;-&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;b&gt;Personal qualities and fit &amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you influence people?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;What is leadership to you? 
Give me an example where you demonstrated leadership.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Tell me about the most interesting project you worked on in your career.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;Suppose a technical leader tells you that your product requirements are not implementable; what do you do?&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;span style="font-family: 'Courier New';"&gt;o&lt;span style="font: normal normal normal 7pt/normal 'Times New Roman';"&gt;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;How do you ensure that your product idea/project gets priority over competing ideas/products?&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"&gt;Of course, the list of questions changes from time to time and you may not get the exact same&lt;br /&gt;questions, but this&amp;nbsp;is the general flavor of your interview. 
Again, if you happen to see this post&lt;br /&gt;before you interview, please let me know.&lt;/div&gt;&lt;br /&gt;&lt;div class="MsoListParagraphCxSpLast" style="margin-left: 1in; text-align: left; text-indent: -0.25in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-141520262278683026?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/141520262278683026/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/09/interviewing-ebay-part-iv-product.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/141520262278683026'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/141520262278683026'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/09/interviewing-ebay-part-iv-product.html' title='Interviewing @ eBay Part IV - Product Management Interview'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-5525261566270655333</id><published>2011-09-09T22:18:00.000-07:00</published><updated>2011-09-09T22:18:13.522-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><category scheme='http://www.blogger.com/atom/ns#' term='Organization'/><title type='text'>Interviewing @ eBay Part III - Software Architecture 
Interview</title><content type='html'>&lt;div class="MsoNormal"&gt;I don’t know of any job title/role in technology that is more controversial, and evokes more emotional reaction, than that of an “architect”. Engineer, engineering manager, product manager, accountant, business developer etc. all have almost the same definition/responsibilities from company to company; &lt;span&gt;&amp;nbsp;&lt;/span&gt;the architect’s role, though, varies widely: in some firms one cannot do anything without an architect’s permission, and in some others the role is completely eliminated.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;You should first know that architecture is a role with a wide definition (TOGAF alone defines five types of architect - enterprise, business, data, application, IT). eBay architects play a combination of tech lead, internal evangelist, tech management and product management, and the role is often the agent of change for eBay’s technical direction, tech stack, technology choices, process and methodologies …&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Interviewing and selecting an architect is especially challenging. 
In addition to the core skills of a software engineer (yes, if you are interviewing for an architect position, you should be comfortable coding – no Java guru, but able to code), the main attributes I am looking for are:&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;- &lt;b&gt;Integrity&lt;/b&gt;: Change in technology often brings about change in organization and power structure; people currently in power know this and may not be enthusiastic about it. An architect should have the integrity and courage to call for change when it is not popular.&lt;/div&gt;&lt;div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;- &lt;b&gt;Leadership&lt;/b&gt;: integrity and courage are necessary but not sufficient; in this role you should have leadership, i.e. 
the ability to influence, inspire and induce change in direction (often major changes) in a way that people want to make the change, not forced to (you will have no formal power anyway).&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;- &lt;b&gt;Clarity&lt;/b&gt;: last but not least, architects MUST bring clarity to situations where goals are unclear, the definition of the problem is fuzzy, needs are uncertain, data is incomplete, assumptions are inaccurate, yet delivery is urgent and pressure is high … bringing clarity to all aspects of such situations is often the most important function of an architect at eBay.&lt;/div&gt;&lt;div class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;So for the interview, expect some of the core software engineering questions, with much more emphasis on modeling and problem solving, plus a few of the following:&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;When you are asked to “architect” a system – say a photo album app – what does that mean to you? What tasks do you perform? What would be your deliverables? 
How would you interact with engineers?&lt;/li&gt;&lt;li&gt;How do you ensure the delivered system conforms to your architecture?&lt;/li&gt;&lt;li&gt;Model and design eBay&lt;/li&gt;&lt;li&gt;From the time you type in www.ebay.com, to when you see the eBay home page, explain what happens under the hood, at all layers&lt;/li&gt;&lt;li&gt;How does Ajax-style interaction impact a traditional/classical page-oriented architecture? 
What are the changes it would force on the classic architecture?&lt;/li&gt;&lt;li&gt;How would the proliferation of mobile applications impact the classical web-based architecture?&lt;/li&gt;&lt;li&gt;Explain Map/Reduce in simple but reasonably accurate terms, in a way a marketing person can appreciate.&lt;/li&gt;&lt;li&gt;Describe challenges and best practices in developing a distributed system – such as an SOA-based system.&lt;/li&gt;&lt;li&gt;Describe the qualities of a well-designed API or service interface.&lt;/li&gt;&lt;li&gt;Describe your favorite application development framework or design, explain its benefits and shortcomings (e.g. 
Spring or Struts, or your own framework)&lt;/li&gt;&lt;li&gt;Compare and contrast SQL and NoSQL DBs; when do you use each?&lt;/li&gt;&lt;li&gt;How do you store a social graph like LinkedIn or Facebook?&lt;/li&gt;&lt;li&gt;How do you decide to buy or build a piece of technology?&lt;/li&gt;&lt;li&gt;eBay, like other online merchants and markets, has a policy against the sale of firearms; how do you design a system to enforce this policy?&lt;/li&gt;&lt;li&gt;How do you design an application – such as a cart or checkout flow – in a way that product and UI folks can experiment with and optimize different aspects of it?&lt;/li&gt;&lt;li&gt;At any given time, eBay supports a set of widely used browsers; for the rest, it displays a warning message and asks users to upgrade to 
another browser. How do you design this system?&lt;/li&gt;&lt;li&gt;In a large and distributed system, how do you ensure data consistency for critical functions such as authentication/login?&lt;/li&gt;&lt;li&gt;Discuss a few significant technology trends; why do you think they are important? How would you anticipate their impact on current architecture/systems?&lt;/li&gt;&lt;li&gt;What would you do in your first month of working for eBay?&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;If some of the questions sound vague, it is because they are! (By the way, they are a lot clearer than what you'd face in reality.) Remember that you need to ask questions, and seek and bring clarity to the problem definition before you jump into the solution.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Again, if you are interviewing for a particular specialty such as Security, I18N, Messaging, Operations etc. 
you should expect particular questions in those areas (I will post a list of questions for my security and identity architecture interview later), but for system and application architecture, be prepared for at least 3 or 4 questions from the list above.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-5525261566270655333?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/5525261566270655333/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/09/interviewing-ebay-part-iii-software.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5525261566270655333'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5525261566270655333'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/09/interviewing-ebay-part-iii-software.html' title='Interviewing @ eBay Part III - Software Architecture Interview'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-553948480096981780</id><published>2011-08-31T00:23:00.000-07:00</published><updated>2011-08-31T00:23:56.984-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Software Eng. 
Management'/><category scheme='http://www.blogger.com/atom/ns#' term='eBay'/><title type='text'>Interviewing @ eBay Part II - Software Engineering Interview</title><content type='html'>&lt;br /&gt;&lt;div class="MsoNormal"&gt;I am writing this hoping that candidates interviewing with eBay find this BEFORE their interview (if you did, please let me or your interviewer know), but if you are not interviewing with eBay you may still find it useful.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Be prepared for the following categories of questions:&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;- &lt;b&gt;Explain a project or a problem you worked on&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Be prepared to talk in some detail about an interesting, challenging, important or otherwise mentionable project in your career. Even if you are fresh out of school, there must have been some special class or final project. You should clearly talk about the problem, and describe how you arrived at the solution, your implementation and result … what you learned, where/if you failed, how you fixed it etc. The way you communicate, and what you choose to communicate, is almost as important as what the project actually was. So be direct, clear and to the point. Be prepared to defend your choices. 
Do not play it “safe” by saying “..well this was not my decision”, or “Oh..I didn’t like this approach, my boss asked me to do this” etc.&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;- &lt;b&gt;Data Structures and Algorithms&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Brush up on basic computer science, know your data structures. You will be asked a few questions about graphs, hash maps, trees and complexity. Familiarize yourself with how graphs are represented in memory and in persistent storage, how maps and hash maps are implemented, how to traverse trees – basic stuff. Please DO NOT trivialize the questions by saying “oh, there are APIs for this in Java, I never need this in real life”. This, in addition to demonstrating bad judgment and wrong situation assessment, does not get you off the hook! You should demonstrate that you are an engineer, not a technician. 
&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;- &lt;b&gt;Programming Language&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Well, you are applying for a software engineering position, so you must know one or more modern programming languages very well (at least much better than I do) – eBay is a Java shop, so knowing Java really helps. You should be proficient in the basics (variables, storage classes, access modifiers, memory management, basic object orientation) as well as advanced features such as multi-threading and concurrency, generics, network programming etc.&lt;/div&gt;&lt;div class="MsoNormal"&gt;You will be asked to write code or code snippets on the white board. I am amazed how many people are surprised when they are asked, for example, to write a simple singleton class on the board. It shows how comfortable you are with coding; syntax does not matter at all, so don’t be shy. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span&gt;&lt;span&gt;-&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;b&gt;Basic Modeling &lt;span&gt;&amp;nbsp;&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;You are expected to know how to model basic stuff for example a simple book store, or an email client. You should be able to break it up to basic entities and their relationships. Sometimes I ask candidates to model “eBay Marketplace”, do not be overwhelmed, you are not expected to model entire eBay, do as much as you can and do “out loud” thinking. You approach is as important as final design.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span&gt;&lt;span&gt;-&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;b&gt;Problem Solving &lt;o:p&gt;&lt;/o:p&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;We are engineers, we solve problems. So you have to be able to frame and analyze problems, recognize tradeoffs in different solution and pick one. 
So be prepared for questions such as “Estimate eBay marketplaces’ revenue” or “What happens if the minimum wage is raised to $100/hr” or “Are hybrid cars more economical or full electric cars?”, “how do you prevent a corrupt DBA from stealing eBay data”; it goes without saying that the actual answer is not really as important as how you think through the problem.&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;- “&lt;b&gt;Soft Stuff” - General attitude, fit, personal qualities&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;These may or may not be actual questions, but I’d like to see evidence of several personal qualities: for example that you have passion, that you care about the stuff you work on, that you are tenacious and don't give up easily, that you recognize your mistakes and learn from them, that you know what a reasonable compromise is and are willing to reach one, that you can deal with conflict in a constructive way – and for more senior candidates - that you can influence people around you, especially on why and what and not simply on how. 
Also I ask our candidates to tell me what they think a few major trends in technology are and why.&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;- &lt;b&gt;And finally, please know the company&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Last but not least, please familiarize yourself with eBay if you are not familiar with it; nothing gets you rejected faster than saying “eBay? Who uses eBay? I am really not familiar with it” – OK, this is an extreme case but hey, it is real. It is &lt;/div&gt;&lt;div class="MsoNormal"&gt;Of course if you are being interviewed for a particular area, e.g. security, Hadoop or Eclipse tools development, you should expect a few questions in addition to the above in each particular area; for example in security, you should be very comfortable with authentication protocols and practices (zero-knowledge proof, Diffie-Hellman algorithm, Kerberos etc.), authorization techniques, RBAC, ABAC, XACML, basic cryptography etc.&lt;/div&gt;&lt;div class="MsoNormal"&gt;You may ask, how about other stuff, such as JavaScript, CSS, SQL, Unit Test etc. etc. 
Yes, there are a lot of technologies and techniques used in building large internet apps, but my belief is that if you know the basics and possess the basic qualities, even if you don’t know the rest, you will be a successful, productive engineer.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-553948480096981780?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/553948480096981780/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/08/interviewing-ebay-part-ii-software.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/553948480096981780'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/553948480096981780'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/08/interviewing-ebay-part-ii-software.html' title='Interviewing @ eBay Part II - Software Engineering Interview'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-6348788235010494775</id><published>2011-08-26T23:07:00.000-07:00</published><updated>2011-08-31T00:25:07.461-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='People'/><category scheme='http://www.blogger.com/atom/ns#' term='eBay'/><category scheme='http://www.blogger.com/atom/ns#' term='Organization'/><title type='text'>Interviewing @ eBay, Part I - The basics</title><content type='html'>&lt;div class="MsoNormal"&gt;When someone interviews with eBay, s/he is given an interview schedule with the names and titles of all interviewers; the natural expectation (at least mine) is that s/he searches for the names of all those people as part of the pre-interview preparation. I view this as the minimum due diligence that a candidate should do 11 years into the 21&lt;sup&gt;st&lt;/sup&gt; century. So I hope whoever interviews with me at eBay finds and reads this post &lt;b&gt;(if you do, please let me know)&lt;/b&gt;.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Now that you have found this, I will give you a leg up over other candidates: in this series of four posts, I tell you what questions I would be asking in my interviews for four positions:&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Software engineer&lt;/li&gt;&lt;li&gt;Product Managers&lt;/li&gt;&lt;li&gt;Software Architects&lt;/li&gt;&lt;li&gt;Engineering Managers (Sr. Managers, Director, Sr. Director and VPs)&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;Before we start with specific positions, let me first cover the common questions and aspects for all interviews.&lt;/div&gt;&lt;div class="MsoNormal"&gt;I look for the following “necessary” – but not sufficient – qualities that make a candidate productive. In a nutshell, the person should be smart, know his/her field, be willing to work hard, be willing to compromise and get things done, and get along with people under a range of circumstances.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;Smart&lt;/b&gt;: I am not talking about a genius, or someone who can solve puzzles in 10 seconds, but someone who is generally sharp, can think on his/her feet and can solve problems. One of the clearest indications of it is whether someone listens to the question, asks follow-up questions to clarify what is being asked and then clearly and directly answers that question and then stops. 
No rambling, no answering other questions and no circular, perpendicular or random answers!&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;Knowledgeable&lt;/b&gt;: The candidate must have a proficient level of knowledge in his/her domain; this is separate from being smart, each field requires a certain level of experience and formal education – I expand on this with specific questions in each of the fields above.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;Work ethics&lt;/b&gt;: Regardless of how smart and knowledgeable one may be, s/he has to be focused and willing to work hard. Real engineering tasks are 10-20% about great ideas, and 80% about grunt work, boring details, dealing with plumbing, debugging, re-building, fine tuning etc. If you are not willing to do that, you won’t be successful.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;Pragmatic&lt;/b&gt;: You must be willing to compromise, change course, give up credit, change your familiar and favorite terminology etc. to get things done. All the smarts, knowledge and hard work are often wasted if you cannot get it done and out at the end. 
I ask what you are willing and what you are not willing to compromise on for a given project and why, and what you would do if you feel a wrong decision was made…&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;b&gt;Culture fit&lt;/b&gt;: The last of the “necessary qualities” is the ability to get along with others under all sorts of circumstances: uncertain and insufficient data, deadline pressures, failures, interpersonal and inter-group rivalries … under all those conditions, you should be able to maintain your relationships and get along with others. One of the greatest indicators of whether someone can do it, by the way, is a sense of humor.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Next post: my list of questions for Software Engineering positions.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-6348788235010494775?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/6348788235010494775/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/08/if-you-are-interviewing-with-me-ebay.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/6348788235010494775'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/6348788235010494775'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/08/if-you-are-interviewing-with-me-ebay.html' 
title='Interviewing @ eBay, Part I - The basics'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-1125903272003864602</id><published>2011-08-16T00:25:00.000-07:00</published><updated>2011-08-16T22:03:52.077-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Fun'/><title type='text'>On Bullshit...</title><content type='html'>As someone who&lt;br /&gt;&lt;br /&gt;1- Deals with his fair share of BS&lt;br /&gt;2- Needs to have definitions for everything&lt;br /&gt;&lt;br /&gt;I have been missing a formal definition of BS. Courtesy of philosopher Harry G. Frankfurt's book "&lt;a href="http://product.half.ebay.com/_W0QQprZ43543635"&gt;On Bullshit&lt;/a&gt;" - via &lt;a href="http://www.bogost.com/blog/gamification_is_bullshit.shtml"&gt;Ian Bogost's post&lt;/a&gt; - that issue has now been remedied.&lt;br /&gt;&lt;br /&gt;"&lt;span class="Apple-style-span" style="background-color: white; font-family: sans-serif; font-size: 13px; line-height: 19px;"&gt;It is impossible for someone to lie unless he thinks he knows the truth. Producing bullshit requires no such conviction. A person who lies is thereby responding to the truth, and he is to that extent respectful of it. When an honest man speaks, he says only what he believes to be true; and for the liar, it is correspondingly indispensable that he considers his statements to be false. For the bullshitter, however, all these bets are off: he is neither on the side of the true nor on the side of the false. 
His eye is not on the facts at all, as the eyes of the honest man and of the liar are, except insofar as they may be pertinent to his interest in getting away with what he says. He does not care whether the things he says describe reality correctly. He just picks them out, or makes them up, to suit his purpose."&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="background-color: white; font-family: sans-serif; font-size: 13px; line-height: 19px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="background-color: white; font-family: sans-serif; font-size: 13px; line-height: 19px;"&gt;WOW... didn't know there was so much academic work done on BS.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-1125903272003864602?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/1125903272003864602/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/08/on-bullshit.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/1125903272003864602'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/1125903272003864602'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/08/on-bullshit.html' title='On Bullshit...'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-4192717470306857423</id><published>2011-08-16T00:05:00.000-07:00</published><updated>2011-08-16T00:05:31.574-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Strategy'/><category scheme='http://www.blogger.com/atom/ns#' term='Fun'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Social Norms, Market Norms and IDPs</title><content type='html'>&lt;br /&gt;&lt;div class="MsoNormal"&gt;Last week LinkedIn caused a backlash and lost a lot of good will – including mine – by opting everyone into their social advertising program. Before that there was (and still is) a LOT of discussion – and disagreement – about Google+'s strict real name policy, and the words Facebook and privacy can almost be used as antonyms…&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;But why do users react so strongly to the use of their identity, relationships and data by these networks? After all, most people, I presume, understand that companies like Google, FB, LinkedIn etc. are for-profit firms with the goal of making money, and that is at the core of most of their policies (and&lt;a href="http://www.youtube.com/watch?v=GZPcGapl2dM"&gt; not that anything is wrong with that!&lt;/a&gt;). 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;As someone once said, “&lt;a href="http://techland.time.com/2010/10/15/facebook-youre-not-the-customer-youre-the-product/"&gt;if you are not paying them, you are not their customer, you are their product&lt;/a&gt;”, and, as harsh as it sounds, they do (and have to) sell their product one way or another.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I am not claiming that one unified theory explains the users’ strong reactions to them - and a possible solution - but Dan Ariely in “Predictably Irrational” may come close. If you have not read “Predictably Irrational” you should. It is an easy read and a very enlightening book – not to mention entertaining – by behavioral economist &lt;a href="http://danariely.com/"&gt;Dan Ariely&lt;/a&gt;. &lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Among the many interesting observations he makes is the notion of “Market and Social Norms”. It is basically a very simple and common sense notion: All of us live in two worlds simultaneously, a social world where exchanges of goods and services are regulated by social norms, the need to be part of a community and delayed reciprocity, and a market world where exchanges of goods and services are regulated by the cold, sharp-edged rules of the market: prices, interest rates, costs and benefits. Life is good as long as these worlds are kept separate (&lt;a href="http://www.youtube.com/watch?v=uPG3YMcSvzo&amp;amp;feature=related"&gt;as George Costanza famously pronounced&lt;/a&gt;) – but when you mix the two the real trouble starts and “it blows up”.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Ariely gives a few examples: You go to your mother-in-law's for Thanksgiving and offer to pay her a large sum for the sumptuous spread she put on the table for you … and next year you’d be sitting in front of your TV with a frozen dinner. 
Or, more vividly, the example of a guy who takes a girl out on three or four expensive dates and finally brings up the subject of money and how much the romance is costing him! …and of course suffers the dire consequences. Next time he will surely remember Woody Allen’s words of wisdom: “The most expensive sex is a free one”.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;“Social Networking” sites and identity seem to be a classic example of crossing social and market norms. The use of social networking sites is free and there is no other signal that the relationship between user and network operator is a market or commercial relationship. Users may feel/perceive that they are dealing with a “host”, one that allows them to interact with their friends and family and catch up on “social” stuff …you know, everyday life that is so outside the “market norms”. I don’t have data but I feel users do understand that these sites have to make money, and are OK with some ad popping up from time to time or being displayed alongside their content, but I doubt that most people understand how those ads relate to their data (posts, searches, conversations etc.). Every now and then someone (say the WSJ or some tech blog) reminds them of how their data is being shared with others – or why they need to “report” accurate names – and that is the moment when “worlds collide”.&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Maybe (and only maybe), if an identity provider (or social network) actually started an informed conversation with its users about data sharing and gave them meaningful control, it could bring the relationship into the “market world”. In that world users are not the network's “product”, but informed partners. 
For example, if an identity provider (or network operator) makes it clear to me that they can get me a good deal on a camera lens with free shipping if I give them my shipping address and consent for them to obtain the shipping history for that address from a few large merchants, then I may be happy to share my address – that is firmly a relationship in the market domain – and I am happy. But when I start to see ads from drunk-driving lawyers in the Denver area b/c I searched for “maximum legal blood alcohol level” - I was taking an online traffic school exam to clear a ticket – while attending a conference in the Denver area, that is crossing the line, and that is when I might have come close to understanding how that girl felt on the fourth date in Dan Ariely’s example!&lt;o:p&gt;&lt;/o:p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-4192717470306857423?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/4192717470306857423/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/08/social-norms-market-norms-and-idps.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4192717470306857423'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4192717470306857423'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/08/social-norms-market-norms-and-idps.html' title='Social Norms, Market Norms and IDPs'/><author><name>Farhang 
(@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-8118091296145422917</id><published>2011-07-20T22:34:00.000-07:00</published><updated>2011-07-25T00:36:46.302-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>BrowserID...and the search for perfect Identity Selector</title><content type='html'>This is a long post, and here is the gist of it:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;In general I think we, as an identity community, are still looking for a practical solution to a simple yet adequate "identity selector". CardSpace represents a solution on the rich and complex end and BrowserID represents a solution on the simple (but not rich) end; every solution is a valuable iteration toward the final solution of the perfect identity selector - I feel the iterations will continue.&lt;/blockquote&gt;&lt;br /&gt;Now, here it is for those of you who are interested in the details:&lt;br /&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;A few days ago Mozilla &lt;a href="http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in"&gt;announced the availability of BrowserID&lt;/a&gt;. Identity is a hot topic these days, so almost immediately the community (and my mail box) was buzzing with predictable questions such as:&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Is BrowserID the next generation of OpenID?&lt;/li&gt;&lt;li&gt;What are the differences between OpenID and BrowserID?&lt;/li&gt;&lt;li&gt;Will BrowserID be the answer to identity on the web? &lt;/li&gt;&lt;li&gt;Is BrowserID secure? 
&lt;/li&gt;&lt;li&gt;What is the relationship between BrowserID and OAuth or OpenID Connect?&lt;/li&gt;&lt;li&gt;Should I implement BrowserID now?&lt;/li&gt;&lt;/ul&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;All legitimate questions to be sure, but perhaps a few of them could have been clarified more easily if Mozilla had called this feature, say, &lt;b&gt;“Verified Email”&lt;/b&gt; – after the title of the specification BrowserID is based on (see &lt;a href="http://www.open-mike.org/entry/verified-email-protocol"&gt;A verified email protocol for the browser&lt;/a&gt;). I think that would have been a name that reflected the intent and use of this feature and helped answer these questions.&lt;br /&gt;&lt;br style="mso-special-character: line-break;" /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;In this post I write about where I think BrowserID would fit in the space and, as risky as it is, venture a guess as to whether it will be adopted by identity providers and relying parties (not wise I know…but hey, this is a personal blog) - if you want to read more about the implementation details of BrowserID see a very good writeup by Lloyd Hilaiel &lt;a href="http://lloyd.io/how-browserid-works"&gt;here&lt;/a&gt;, and I also recommend reading &lt;a href="http://dickhardt.org/2011/07/browserid/"&gt;Dick Hardt's notes on BrowserID&lt;/a&gt; as well.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;To start, let me summarize what BrowserID is. BrowserID is a protocol for&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;- Verifying users' email addresses (as many as a user wants) as reported by an email provider (or Identity Provider)&lt;/div&gt;&lt;div class="MsoNormal"&gt;- Storing them in the browser (Firefox as of now) safely - or one would hope so. 
&lt;/div&gt;&lt;div class="MsoNormal"&gt;- Transmitting an email address securely to a "relying party", that is, a site that requires an email address.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;It uses public key cryptography to ensure the integrity of the whole chain of claims. BrowserID involves two key pairs. The first is generated by the browser on the user's behalf; the IDP (email provider) authenticates the user and then signs a certificate stating that email x belongs to public key y. The second belongs to the IDP itself, and its public key is published by the email domain so that anyone can check that certificate. At sign-in, the browser uses its private key to sign an assertion naming the relying party (the audience) and a short expiry, and hands the certificate and the assertion together to the relying party (that is, your web site), which verifies the IDP's signature on the certificate, the browser's signature on the assertion, the audience and the expiry times. So it is reasonably safe, and it uses the subject confirmation method known as "Holder of Key": the IDP vouches for a key, and the browser proves it holds that key.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;So how should one use BrowserID? Is this OpenID? Is this a replacement for OAuth?&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I think the proper use of BrowserID, if it ever gets support from other browser vendors, is to replace the annoying "email verification dance". BrowserID is a fantastic lower-level solution to this problem. Is this a replacement for OpenID or OpenID Connect? I think not. Does it replace OAuth? Absolutely not; they are simply two different things. &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;BrowserID, in my view, really is not an ID - my definition of identity is something I can replace registration with, not just the login panel.&lt;/div&gt;&lt;div class="MsoNormal"&gt;An identity is more about attributes than about authenticating an identifier (such as an email address), 
and BrowserID is, by design, silent on that matter. In the words of Mike Hanson, the author of the Email Verification Protocol:&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;"&lt;span style="font-family: Calibri, sans-serif; font-size: 11pt;"&gt;The idea that led to the BrowserID work was not "how can we fix identity on the web", but "what is the smallest possible claim we could make to make progress on the browser as a claims agent?"&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;And&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;span style="font-family: Calibri, sans-serif; font-size: 11pt;"&gt;"...Attribute exchange is deliberately out of scope"&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Mike states the design goals clearly and the solution achieves its goals perfectly; the only thing that complicates the matter is the name BrowserID and the fact that identity means so many things to so many people.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Will BrowserID be adopted widely as a form of identity? Will it replace your login button? I have my doubts on both counts.&lt;br /&gt;&lt;br /&gt;First off, let me say that I would use BrowserID for email verification (if it is adopted by consumers); it is a very elegant solution for that. 
As for wider adoption as a form of identity, let's look at the three main actors in any identity ecosystem: RPs, IDPs and users/consumers.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;For a large number of relying parties, an identity provider that simply asserts one attribute (email address) is not valuable enough to dedicate the scarce real estate of the "login page" to (and add to their NASCAR complexity); RPs would opt for richer IDPs (Facebook, G+, Twitter etc.), that way they not only get an email address but a rich set of information about a user (you may ask, how about privacy? more on that later). &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;IDPs (for example email providers such as Gmail, Yahoo, MSN etc.) also do not have a clear-cut incentive to support BrowserID - maybe receiving fewer "confirmation emails"? Entities such as FB and Twitter are unlikely to support BrowserID (x@y.com does not have to be a real email address, it is simply an identifier, so FB could decide to support user@facebook.com) since they are strategically dedicated to having a presence on RPs' login pages and not to being inter-mediated by Mozilla's sign-in button.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;There are also a few questions on user adoption, prime among them what happens when a user switches browser or device (with most users today using more than one device/browser to access the internet)&lt;/div&gt;&lt;div class="MsoNormal"&gt;and to a lesser degree whether the general population of users will sufficiently understand the user experience.&lt;br /&gt;&lt;br /&gt;Finally I have to say I am impressed by one aspect of the implementation (which I assume was a lesson learned from CardSpace's lack of adoption) and that is the near dead simple implementation for RP sites.&lt;br /&gt;&lt;br /&gt;In general I think we, as 
an identity community, are still looking for a practical solution to a simple yet adequate "identity selector". CardSpace represents a solution on the rich and complex end and BrowserID represents a solution on the simple (but not rich) end; every solution is a valuable iteration toward the final solution of the perfect identity selector - I feel the iterations will continue.&lt;/div&gt;&lt;div 
class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-8118091296145422917?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/8118091296145422917/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/07/browseridand-search-for-perfect.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/8118091296145422917'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/8118091296145422917'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/07/browseridand-search-for-perfect.html' title='BrowserID...and the search for perfect Identity Selector'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-5475520841598609320</id><published>2011-07-19T21:05:00.000-07:00</published><updated>2011-07-19T21:09:17.829-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Talks'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Identity and E-Commerce: Talk @ Cloud Identity Summit 2011</title><content type='html'>I am attending Cloud Identity Summit in Keystone, CO. 
It is fast becoming THE identity conference of the year, where you can see the whole, albeit small, group of "identeratees".&lt;br /&gt;&lt;br /&gt;I am also giving a talk tomorrow (7/20/2011) @ 4:00pm titled "Role of Identity in E-Commerce" where we share our findings and observations over the past year while building an identity provider for e-commerce sites.&lt;br /&gt;&lt;br /&gt;You can see the presentation here:&lt;br /&gt;&lt;br /&gt;&lt;div id="__ss_8640465" style="width: 425px;"&gt;&lt;strong style="display: block; margin: 12px 0 4px;"&gt;&lt;a href="http://www.slideshare.net/farhangkassaei/identity-and-ecommerce" target="_blank" title="Identity and E-Commerce"&gt;Identity and E-Commerce&lt;/a&gt;&lt;/strong&gt; &lt;iframe frameborder="0" height="355" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/8640465" width="425"&gt;&lt;/iframe&gt; &lt;br /&gt;&lt;div style="padding: 5px 0 12px;"&gt;View more &lt;a href="http://www.slideshare.net/" target="_blank"&gt;presentations&lt;/a&gt; from &lt;a href="http://www.slideshare.net/farhangkassaei" target="_blank"&gt;Farhang Kassaei&lt;/a&gt; &lt;/div&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;The slides are not meant to be read but to support my talk, so they may feel a bit choppy when you read them.&lt;br /&gt;&lt;br /&gt;If I want to summarize it, it is&lt;br /&gt;&lt;br /&gt;"A viable commercial identity is a Super Identity, one that is not just an identifier but a complete, accurate and up-to-date federated profile composed of attributes from multiple trusted providers, obtained with users' consent and control in exchange for real value"&lt;br /&gt;&lt;br /&gt;If you attend the talk tomorrow, please stop by and say hi.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-5475520841598609320?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link 
rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/5475520841598609320/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/07/identity-and-e-commerce-talk-cloud.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5475520841598609320'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5475520841598609320'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/07/identity-and-e-commerce-talk-cloud.html' title='Identity and E-Commerce: Talk @ Cloud Identity Summit 2011'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-5409657265877290249</id><published>2011-07-12T10:25:00.000-07:00</published><updated>2011-07-12T10:25:23.269-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Talks'/><title type='text'>UMA - User Managed Access - Webinar , July 13 9 AM PST</title><content type='html'>UMA Working group is holding a Webinar tomorrow @ 9am PST. 
&lt;a href="http://kantarainitiative.org/confluence/display/uma/Home"&gt;See the UMA home page for full details.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you own/author public APIs, or if you write applications that access such APIs, chances are you have heard of or know about OAuth; UMA is the next thing you should know about.&lt;br /&gt;No, you don't need to implement this tomorrow, but it informs your opinion on a very important and emerging topic: where the right balance between access to an individual's information and enabling the individual to control that access should be. UMA aims to be the cornerstone of that enablement.&lt;br /&gt;&lt;br /&gt;Attend tomorrow's Webinar to learn more about UMA.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-5409657265877290249?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/5409657265877290249/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/07/uma-user-managed-access-webinar-july-13.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5409657265877290249'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5409657265877290249'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/07/uma-user-managed-access-webinar-july-13.html' title='UMA - User Managed Access - Webinar , July 13 9 AM PST'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-3203698424415527124</id><published>2011-07-12T10:13:00.000-07:00</published><updated>2011-07-12T10:13:33.889-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Power to the People - Data Sharing Power That is - UMA Draft Recommendation Released</title><content type='html'>After more than a year of hard work, the UMA WG (User Managed Access Working Group) announced the &lt;a href="http://kantarainitiative.org/wordpress/2011/07/announcing-user-managed-access-uma-gives-data-sharing-power-to-the-people/"&gt;draft recommendation for the UMA protocol&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;UMA is a communication protocol and is defined by its&lt;a href="http://kantarainitiative.org/confluence/display/uma/UMA+FAQ"&gt; formal FAQ&lt;/a&gt; as&lt;br /&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica,Arial,sans-serif; font-size: 15px; line-height: 17px;"&gt;User-Managed Access (UMA, pronounced "OOH-mah" like the given name) is a protocol designed to give a web user a unified control point for authorizing who and what can get access to their online personal data (such as identity attributes), content (such as photos), and services (such as viewing and creating status updates), no matter where all those things live on the web.&lt;/span&gt;&lt;/blockquote&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica,Arial,sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;Former colleague and current lead of the UMA WG at Kantara, Eve Maler, gave a very good presentation last year at Cloud Identity Summit that you can see &lt;a 
href="http://xmlgrrl.com/publications/CloudID-UMA-21Jul2010.pdf"&gt;here&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica,Arial,sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"&gt;. &lt;a href="http://kantarainitiative.org/confluence/display/uma/Home"&gt;There is also a Webinar on July 13.&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica,Arial,sans-serif; font-size: 15px; line-height: 17px;"&gt;To explain UMA and what it tries to do, I feel an example works best (the spec and the terminology are not the easiest way to understand UMA).&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica,Arial,sans-serif; font-size: 15px; line-height: 17px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica,Arial,sans-serif;"&gt;Alice is an in-demand speaker and celebrity chef; she travels a lot. 
She uses&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;A calendar application,&lt;/li&gt;&lt;li&gt;A general purpose social networking site,&lt;/li&gt;&lt;li&gt;A niche professional networking/community site for food enthusiasts,&lt;/li&gt;&lt;li&gt;A selling account with a popular marketplace for high-end kitchen gadgets and appliances.&lt;/li&gt;&lt;/ul&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica,Arial,sans-serif;"&gt;(All of the above services are called resources, and Alice is the resource owner.)&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica,Arial,sans-serif;"&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;She uses the services of several useful applications:&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Travelers Guide&lt;/b&gt;: An application that recommends restaurants and activities in all major cities based on Alice’s preferences and profile on the general purpose social network.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Chef Tracker&lt;/b&gt;: An application that notifies Alice’s professional connections and fans when she is coming to their town and where she is speaking.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Merchandise Lister&lt;/b&gt;: A web application that lists Alice’s autographed recipe books and limited edition appliances on multiple online channels, including the marketplace.&lt;/li&gt;&lt;/ul&gt;&lt;div class="MsoNormal"&gt;(All of the above are called consumers or requesters.)&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Alice can grant authorization to the three applications above using OAuth directly. 
In this case the four resource servers (social network, professional network, calendar server and marketplace) each maintain Alice’s authorization for the respective application(s).&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-SVz0lRLiTqg/Thv3cLhRw-I/AAAAAAAAZJU/KHAWoQTX7gU/s1600/UAM1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="218" src="http://3.bp.blogspot.com/-SVz0lRLiTqg/Thv3cLhRw-I/AAAAAAAAZJU/KHAWoQTX7gU/s320/UAM1.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;However, Alice (a busy professional) does not have a centralized and easy to access location where she can see all the authorizations she has granted to different applications. It is true that each resource server maintains a record of the authorizations Alice granted, but since each server displays them differently (and they are often buried in random places around the resource server), it is unlikely that Alice ever gets a clear view of how different applications are using her information.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Alternatively, Alice can go to one server, called the Authorization Manager (AM), and grant authorization to the three applications in one place. &lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-xpfD8ek8xus/Thv3h7iMyYI/AAAAAAAAZJY/WC87qnITXHg/s1600/UAM2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="269" src="http://4.bp.blogspot.com/-xpfD8ek8xus/Thv3h7iMyYI/AAAAAAAAZJY/WC87qnITXHg/s320/UAM2.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;The benefits are clear. Alice can literally see all the applications that access her information (and the extent of their access) in one place. For example, Alice can limit Travelers Guide’s access to the one week during which she travels.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;To understand why UMA is important and what UMA does, we should first understand some of the implicit assumptions (or, some may argue, simplifications) behind OAuth 2.0 authorization.&lt;/div&gt;&lt;div class="MsoNormal"&gt;OAuth 2.0 does require an authorization step, where the “resource owner” authorizes a consumer application to access a resource on his/her behalf. 
This authorization, however, requires and assumes:&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Authorization is performed at the time of resource access by the consumer&lt;/li&gt;&lt;li&gt;The resource owner must be present to grant authorization&lt;/li&gt;&lt;li&gt;Authorization assumes that future access to the resource is always made on behalf of the resource owner by the requester (consumer application), not on behalf of someone else (say, Alice’s assistant in the example above). This is a very important point and deserves its own post :-) OAuth scope does not cover this class of use cases at all.&lt;/li&gt;&lt;/ul&gt;&lt;div class="MsoNormal"&gt;And more importantly in my view (from the point of view of giving power back to people):&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The resource owner (user) has to keep track of the applications/consumers s/he has authorized to access various resources on his/her behalf (how many of you know how many applications you have authorized to access the collection of your online accounts? And exactly what type of privileges you granted to them? Think about it!)&lt;/li&gt;&lt;/ul&gt;&lt;div class="MsoNormal"&gt;Now, granted, this is not an OAuth problem, but it is the byproduct of individual consumers obtaining authorization to access a variety of resources individually.&lt;/div&gt;&lt;div class="MsoNormal"&gt;UMA sets out to address all of the above by introducing a central Authorization Manager (AM, in UMA terminology) and the protocols that connect the Resource Server and the Consumer to the AM.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;UMA is an ambitious undertaking (in my experience all authorization initiatives are!) primarily because its success depends on whether users (resource owners) can successfully express the policies that govern consumer access to the resources they own. This is the linchpin of any authorization project I have ever seen or been part of.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Whether UMA is adopted and implemented as a viable product remains to be seen, but the UMA protocol is a firm step in the right direction. 
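As an added example (my own toy model, not the UMA specification, the UMA WG's code or the post's own; the names come from the scenario above, while the data structures, scopes and the seven-day window are assumptions), the following Python sketches what a single Authorization Manager buys Alice: one dashboard of every live grant, a time-limited grant for Travelers Guide, revocation in one place, and a refusal when Chef Tracker asks on behalf of her assistant rather than on her behalf.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    """One authorization the resource owner recorded at the AM (assumed shape)."""
    resource: str          # e.g. "social-network/profile"
    requester: str         # consumer application, e.g. "Travelers Guide"
    on_behalf_of: str      # the requesting party; not necessarily the owner
    scopes: frozenset      # what the requester may do with the resource
    expires_at: datetime   # time-bounded grant, e.g. Alice's one travel week


def expired(grant, now):
    """True once the deadline is no later than 'now'."""
    return max(now, grant.expires_at) == now


class AuthorizationManager:
    """The single place where the owner sees and controls every grant."""

    def __init__(self, owner):
        self.owner = owner
        self.grants = []

    def grant(self, resource, requester, scopes, valid_for, now, on_behalf_of=None):
        """Record a grant; by default the requester acts on behalf of the owner."""
        g = Grant(resource, requester, on_behalf_of or self.owner,
                  frozenset(scopes), now + valid_for)
        self.grants.append(g)
        return g

    def revoke(self, requester):
        """Cut one application off everywhere at once; returns grants removed."""
        kept = [g for g in self.grants if g.requester != requester]
        removed = len(self.grants) - len(kept)
        self.grants = kept
        return removed

    def dashboard(self, now):
        """What Alice sees in one place: every live grant, per application."""
        return sorted((g.requester, g.resource, sorted(g.scopes))
                      for g in self.grants if not expired(g, now))

    def is_authorized(self, resource, requester, scope, now, on_behalf_of=None):
        """Policy decision: resource, requester, party and scope must all match."""
        party = on_behalf_of or self.owner
        return any(g.resource == resource and g.requester == requester
                   and g.on_behalf_of == party and scope in g.scopes
                   and not expired(g, now) for g in self.grants)


class ResourceServer:
    """Keeps no authorization records of its own; it asks the AM every time."""

    def __init__(self, name, am):
        self.name = name
        self.am = am
        self.audit = []   # (requester, resource, scope, decision) for review

    def access(self, resource, requester, scope, now, on_behalf_of=None):
        decision = self.am.is_authorized(resource, requester, scope, now, on_behalf_of)
        self.audit.append((requester, resource, scope, decision))
        return decision


def run_alice_scenario():
    """Replay the post's scenario; returns the decisions so they can be checked."""
    t0 = datetime(2011, 7, 12, 10, 0)          # constructed start time
    am = AuthorizationManager(owner="alice")
    social = ResourceServer("social-network", am)
    calendar = ResourceServer("calendar", am)

    # Alice limits Travelers Guide to the one week during which she travels.
    am.grant("social-network/profile", "Travelers Guide", {"read"},
             timedelta(days=7), t0)
    # Chef Tracker may read her calendar for a year.
    am.grant("calendar/events", "Chef Tracker", {"read"}, timedelta(days=365), t0)

    r = {}
    r["guide_day3"] = social.access("social-network/profile", "Travelers Guide",
                                    "read", t0 + timedelta(days=3))
    r["guide_day8"] = social.access("social-network/profile", "Travelers Guide",
                                    "read", t0 + timedelta(days=8))     # expired
    r["guide_write"] = social.access("social-network/profile", "Travelers Guide",
                                     "write", t0 + timedelta(days=3))   # no such scope
    r["tracker"] = calendar.access("calendar/events", "Chef Tracker", "read",
                                   t0 + timedelta(days=1))
    # Alice's assistant is a different requesting party: no grant covers her.
    r["assistant"] = calendar.access("calendar/events", "Chef Tracker", "read",
                                     t0 + timedelta(days=1), on_behalf_of="assistant")
    r["dashboard"] = am.dashboard(t0)
    r["revoked"] = am.revoke("Chef Tracker")
    r["tracker_after_revoke"] = calendar.access("calendar/events", "Chef Tracker",
                                                "read", t0 + timedelta(days=1))
    return r


if __name__ == "__main__":
    for key, value in run_alice_scenario().items():
        print(key, value)
```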
&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;In the next entry, I will focus on the UMA model and the associated communication protocol among its participants.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/3203698424415527124/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/07/power-to-people-data-sharing-power-that.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3203698424415527124'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3203698424415527124'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/07/power-to-people-data-sharing-power-that.html' title='Power to the People - Data Sharing Power That is - UMA Draft Recommendation Released'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-SVz0lRLiTqg/Thv3cLhRw-I/AAAAAAAAZJU/KHAWoQTX7gU/s72-c/UAM1.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-8010180103002848422</id><published>2011-06-20T23:16:00.000-07:00</published><updated>2011-06-20T23:16:29.395-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Software Eng. Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Organization'/><title type='text'>Decision Making Biases</title><content type='html'>We all make decisions, and I suspect we feel we make most of those decisions&amp;nbsp;objectively... or do we?&lt;br /&gt;&lt;br /&gt;Here is a great article from &lt;a href="http://hbr.org/2011/06/the-big-idea-before-you-make-that-big-decision/ar/1"&gt;HBR about decision making biases&lt;/a&gt;&amp;nbsp;(free access till July 4, 2011); the best part is the survey link at the start of the article. Once you answer the survey, it compares your answers to other respondents' answers and grades your decision making biases from low risk to high risk for the following biases:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Pattern Recognition Bias&lt;/b&gt; - The "Oh, I have seen this before. Here is what we are going to do ...."&lt;br /&gt;&lt;b&gt;Action Orientation Bias&lt;/b&gt; - The need and bias for action on the part of the decision maker&lt;br /&gt;&lt;b&gt;Stability Bias&lt;/b&gt; - The need to do as you have always done it&lt;br /&gt;&lt;b&gt;Social Harmony&lt;/b&gt; - The "group think", or "here is what everybody else thinks/says we should do ..."&lt;br /&gt;&lt;b&gt;Process Orientation Bias&lt;/b&gt; - Speaks for itself&lt;br /&gt;&lt;b&gt;Self-Interest Bias&lt;/b&gt; - Simply put, thinking that what is good for you is good for the firm, or that whoever suggests an option always makes it with the best interest of the firm in mind.&lt;br /&gt;&lt;br /&gt;The one that jumps out at me in particular is the "Social Harmony" bias, especially harmony with upper management. This is one bias I have seen predominate in almost all decision making, especially when upper management does not formally separate discussion from decision and simply voices a strong opinion in a debate. Expressing dissent after that becomes so risky that even if you don't have the bias, you are likely to adopt it temporarily!</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/8010180103002848422/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/06/decision-making-biases.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/8010180103002848422'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/8010180103002848422'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/06/decision-making-biases.html' title='Decision Making Biases'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-7946758199255711641</id><published>2011-06-20T22:54:00.000-07:00</published><updated>2011-06-20T22:54:36.559-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>W3C Workshop on Identity in the Browser</title><content type='html'>OK, it is a little old, 
but this was an interesting get-together of the identity community discussing the role the browser can play in managing users' identity and perhaps authentication. It did come up, though, that in an age when more and more people use embedded apps, any identity solution based on the assumption of a runtime environment called a browser may not be sufficient.&lt;br /&gt;&lt;br /&gt;What I feel was the most insightful comment, though, was in the last paragraph of Dick Hardt’s position paper titled &lt;a href="http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_46.pdf"&gt;"The Chicken, the Egg and the Rooster: Why Internet Identity is Still Unsolved"&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Identity is more than authentication. The success of Facebook et al. is driven by access to information about the user rather than just which user it is. A broadly adopted solution will enable the user to share profile information and delegate authorization.&lt;/blockquote&gt;This is the key point, one I sometimes refer to as "Pizza and Delivery": authentication and SSO are the delivery mechanism, but RPs are interested in "information about the user", i.e. attributes and profile, not in how it is delivered to them. Much like people who order pizza are interested in the pizza, not in how it is delivered.</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/7946758199255711641/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/06/w3c-workshop-on-identity-in-browser.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7946758199255711641'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7946758199255711641'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/06/w3c-workshop-on-identity-in-browser.html' title='W3C Workshop on Identity in the Browser'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-5065859216573956934</id><published>2011-05-25T22:39:00.000-07:00</published><updated>2011-05-25T22:39:24.286-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Photography'/><title type='text'>...on a mote of dust suspended in a sunbeam</title><content type='html'>The famous "&lt;a href="http://en.wikipedia.org/wiki/Pale_Blue_Dot"&gt;Pale Blue Dot&lt;/a&gt;" photo showing Earth as seen from the edge of the solar system:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; 
text-align: center;"&gt;&lt;a href="http://tecnoscience.squarespace.com/storage/paleblue_custom.jpg?__SQUARESPACE_CACHEVERSION=1298982804049" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://tecnoscience.squarespace.com/storage/paleblue_custom.jpg?__SQUARESPACE_CACHEVERSION=1298982804049" width="236" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;"&lt;span class="Apple-style-span" style="color: #323229; font-family: Georgia, 'Times New Roman', serif; font-size: 14px; line-height: 20px;"&gt;Look again at that dot. That’s here. That’s home. That’s us. On it everyone you love, everyone you know, everyone you ever heard of, every human being who ever was, lived out their lives. The aggregate of our joy and suffering, thousands of confident religions, ideologies, and economic doctrines, every hunter and forager, every hero and coward, every creator and destroyer of civilization, every king and peasant, every young couple in love, every mother and father, hopeful child, inventor and explorer, every teacher of morals, every corrupt politician, every ‘superstar,’ every ‘supreme leader,’ every saint and sinner in the history of our species lived there — &lt;b&gt;&lt;i&gt;on a mote of dust suspended in a sunbeam&lt;/i&gt;&lt;/b&gt;." Carl Sagan&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #323229; font-family: Georgia, 'Times New Roman', serif; font-size: 14px; line-height: 20px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #323229; font-family: Georgia, 'Times New Roman', serif;"&gt;&lt;span class="Apple-style-span" style="font-size: 14px; line-height: 20px;"&gt;Also illustrated by the photo is the&amp;nbsp;superiority&amp;nbsp;of imagination over knowledge ... 
knowledge sent the Voyager to the edge of the solar system and beyond, but imagination (by Sagan) turned its camera toward Earth to take this photo, perhaps one of the most impactful photos of all time.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: #323229; font-family: Georgia, 'Times New Roman', serif; font-size: 14px; line-height: 20px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: #323229; font-family: Georgia, 'Times New Roman', serif; font-size: 14px; line-height: 20px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/5065859216573956934/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/05/on-mote-of-dust-suspended-in-sunbeam.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5065859216573956934'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5065859216573956934'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/05/on-mote-of-dust-suspended-in-sunbeam.html' title='...on a mote of dust suspended in a sunbeam'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-8560127896129164489</id><published>2011-05-15T22:05:00.000-07:00</published><updated>2011-05-15T22:05:44.900-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><title type='text'>To OSGi or not to OSGi ... that is NOT the question</title><content type='html'>&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;&lt;br /&gt;The topic of OSGi is&amp;nbsp;attracting&amp;nbsp;some attention these days, at least in my neck of the woods. The short of it is that a lot of web application developers are asking whether they should use OSGi or not. My answer: this is not the question you should be asking!&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;Yes, I know that the popular narrative is that OSGi makes your system more modular, makes&amp;nbsp;dependency management a thing of the past, certainly solves all CLASSPATH issues, allows you to have multiple versions of the same bundle running at the same time, and enables you to start, stop, and deploy new bundles without restarting your framework (or server).&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;The reality, though, is that OSGi is a component technology (much like SOA or EJB) and a tool; it can perhaps make a well designed system easier to implement with fidelity to its original design, but it can NOT do anything for a poorly designed or organically grown system, and in fact makes it more complex. So the right question to ask is: what qualities does my system have to have so that OSGi can actually help me?&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;To me, the answer is the same as for an SOA system, or any&amp;nbsp;granularly&amp;nbsp;componentized system:&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;b&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;1- Granularity and boundaries of components:&lt;/span&gt;&lt;/b&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;&amp;nbsp;This is perhaps the most important aspect of a distributed system. The OSGi unit of componentization is a "bundle"; physically a bundle is a jar file, but logically it can be a single Java class or a full subsystem (such as Jetty or a large web application) or anything in between. OSGi does not offer any hint here, nor should it: the granularity of modules is an architectural matter. For an existing system, this (breaking the system apart into logical modules) is almost always the most difficult step toward any&amp;nbsp;modularization. If your system does not already have clear modules with defined&amp;nbsp;boundaries, and if it has grown organically, there is no easy or automated way to decide what the modules are; needless to say, simply creating one massive OSGi module does not help you at all and just adds one more layer of useless abstraction on top of everything else. Your best bet here is to use a dependency graph tool and try to isolate and bundle packages/jar files based on a topological sort of the graph. 
This often requires refactoring existing code to remove bad dependencies and transform the graph into the architectural layering you intend. This brings me to the second aspect of a well designed modular system.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;b&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;2- Layering and velocity:&lt;/span&gt;&lt;/b&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;&amp;nbsp;In order to define your logical modules correctly, you need to define some form of layering that informs your dependency management, i.e. a lowest layer (let's call it Kernel) with no dependencies but the standard runtime, and one layer above it (say Core) with a dependency on Kernel. Core is a layer and may include multiple logical modules (jars/packages); above it you may have Service and Application layers, etc. You need to decompose and map your entire code base onto your own pre-defined layers, and in addition decide a velocity (release cycle) for each layer, as well as whether a release of a lower layer will be forever backward compatible or will impact the higher layers (more on this in 4).&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;Again, OSGi does not offer help here, nor should it; it is simply a technology.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;b&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;3- Dependency Management:&lt;/span&gt;&lt;/b&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;&amp;nbsp;Defining layers does not&amp;nbsp;guarantee&amp;nbsp;that the dependency scheme will be enforced; you still need to manage it (preferably automatically, using tools) to make sure that, for example, your Kernel does not depend on your Core layer and that there are no cyclic dependencies among your logical modules. Trickier yet is the nature of the dependencies. If dependencies are not managed, you may notice that there is a very large module in, say, the Core layer with a large number of services and applications depending on it. At first glance it may look like a useful module! But the large size should make you suspicious: often the upper layers simply leak what should be located in the application or service layer down to a lower layer, through lack of engineering&amp;nbsp;discipline, knowledge, time, or all of the above.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;In this case, OSGi would help you capture and discover the dependencies, but it does not tell you that they should not be there to begin with.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;4- &lt;b&gt;Versioning policy:&lt;/b&gt;&amp;nbsp;As I said in (2), well designed systems have layers, from “lower” layers to “upper” layers, based on a topological sort of the dependency graph. Typically each layer has a version number visible to other layers (some may choose to have each module in a layer carry a version number visible to all modules in upper layers; this makes life a bit more difficult for modules in upper layers). One should decide how many versions of each layer (or module) are to be active at any given time. 
This, seemingly straightforward, decision have significant implications, options are&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;&lt;span style="mso-list: Ignore;"&gt;-&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;If at any given time you maintain only one version, everything is a bit easier, but you either have to maintain perpetual backward compatibility or force all the upper layer change at the same pace with lower layers.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level1 lfo1; text-indent: -.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;&lt;span style="mso-list: Ignore;"&gt;-&lt;span style="font: 7.0pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;If you maintain multiple version, you don’t need to be backward compatible and you may transition upper layer gradually – very desirable. 
But you have to deal with two versions at the same time (not only at runtime, but also in development branches, testing …).&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;For most web applications, people maintain one version and deal with the downsides – often in the form of backward compatible changes. OSGi can help with maintaining multiple versions at the same time - something that is certainly useful for client side applications; for web applications, most people I talked to are not planning to use this feature.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;5- &lt;b&gt;Testing strategy:&lt;/b&gt; Distributed systems are tough to test. A monolithic system is one large binary: you can build it, deploy it and test it. For a distributed system, a test environment has to be set up; you build only your own module, and the other modules you depend on must be ready (either as out-of-process services in SOA, or as bundles in OSGi) and have the right version. If you are using, say, five modules and each of them has two active versions, there are 32 possible combinations you need to test (to be exhaustive) – one reason having only one version at a time is often preferable. 
Again, OSGi does not help you with designing your test strategy; you should have one regardless of the technology you use to modularize your system.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;6- &lt;b&gt;Deployment&lt;/b&gt;: Last but not least is the deployment of your system/web application. You need to decide whether to deploy the OSGi framework as a web application under your Servlet container, or to deploy your servlet container as a bundle in your OSGi framework. If you are using SOA, you need to decide where to deploy each service and how to bundle service stubs with your application (if any stubs are needed), or you may use a combination by deciding that each service stub is an OSGi bundle. In any case, there should be a clear design for the correct deployment of a distributed/modular system.&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-bottom: .0001pt; margin: 0in;"&gt;&lt;span style="color: black; font-size: 13.5pt;"&gt;If you design a system in a way that takes these aspects into account, then OSGi probably helps you implement it more easily - although for web applications the issue of "two runtimes" is a bit too much for my taste - but then again, if all the above aspects are taken into account, you may not have an urgent need for OSGi anyway (banks offer credit to people with good credit, but they probably don't need it anyway....). 
Often, engineers and managers who work on poorly designed or organically grown systems, in an effort to reduce complexity and increase the productivity of the people working on them, stumble upon OSGi... If you fit into this category, my recommendation is to focus on fixing the underlying issues that make your system complex, interdependent and coupled. Until you do that, OSGi (or any other alphabet soup of technology) will not help you.&lt;/span&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/8560127896129164489/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/05/to-osgi-or-not-to-osgi-that-is-not.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/8560127896129164489'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/8560127896129164489'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/05/to-osgi-or-not-to-osgi-that-is-not.html' title='To OSGi or not to OSGi ... 
that is NOT the question'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-4958639790385644817</id><published>2011-03-07T23:28:00.000-08:00</published><updated>2011-03-07T23:28:34.126-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Talks'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>2011 OpenID Retail Summit - March 8 @ PayPal Offices</title><content type='html'>Our colleagues at PayPal are hosting the &lt;a href="http://wiki.openid.net/w/page/34000463/2011-OpenID-Retail-Summit"&gt;OpenID Retail Summit&lt;/a&gt; tomorrow from noon to 5:00pm. It sounds like it will be an interesting exchange of ideas between identity providers and retailers (as relying parties). &lt;a href="http://openid-retail-summit.eventbrite.com/"&gt;I will be presenting our experiences&lt;/a&gt; (and wishes) as a large relying party tomorrow @ 3:00pm.&lt;br /&gt;&lt;br /&gt;I will post the presentation and a short post tomorrow.</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/4958639790385644817/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/03/2011-openid-retail-summit-march-8.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4958639790385644817'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4958639790385644817'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/03/2011-openid-retail-summit-march-8.html' title='2011 OpenID Retail Summit - March 8 @ PayPal Offices'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-5753616620399018489</id><published>2011-03-07T23:20:00.000-08:00</published><updated>2011-03-07T23:20:02.748-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>CardSpace II : "Change of Authentication Behavior"</title><content type='html'>&lt;div style="line-height: 13.5pt; margin-top: 0in;"&gt;&lt;span style="color: #3f3f3f; font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 9.0pt;"&gt;After I wrote a short post on the announcement of the end of life for CardSpace, Kim Cameron (a great visionary in the field of digital identity and someone I learned a LOT from but never had the opportunity to meet) reflected on it &lt;a href="http://www.identityblog.com/?p=1166"&gt;here&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 13.5pt; margin-top: 0in;"&gt;&lt;span style="color: #3f3f3f; font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 9.0pt;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 13.5pt; margin-top: 0in;"&gt;&lt;span style="color: #3f3f3f; font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; 
font-size: 9.0pt;"&gt;A few people (independently) emailed me and asked me whether Kim is implying that Card Space's lack of adoption, at least partially, was “eBay’s fault”. &lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 13.5pt; margin-top: 0in;"&gt;&lt;span style="color: #3f3f3f; font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 9.0pt;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 13.5pt; margin-top: 0in;"&gt;&lt;span style="color: #3f3f3f; font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 9.0pt;"&gt;I read his post, partially quoted below, a few times, and although to me it sounds more like a reflection, I see how one may think that way. So, I decided to add a bit more detail to my original post on “change of behavior”.&lt;/span&gt;&lt;/div&gt;&lt;div style="line-height: 13.5pt; margin-top: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="line-height: 13.5pt; margin-top: 0in;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="color: #3f3f3f; font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 8.0pt; mso-bidi-font-size: 9.0pt;"&gt;“In the history of computing there have actually&amp;nbsp;been plenty of cases where users DID change their behavior - even though at first only a few people could understand or use the new alternatives.&amp;nbsp; But those “early adopters”&amp;nbsp;were able to&amp;nbsp;try&amp;nbsp;the new inventions&amp;nbsp;&lt;/span&gt;&lt;/i&gt;&lt;em&gt;&lt;span style="color: #3f3f3f; font-family: 
&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 8.0pt; font-style: normal; mso-bidi-font-size: 9.0pt; mso-bidi-font-style: italic;"&gt;on their own.&lt;/span&gt;&lt;/em&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="color: #3f3f3f; font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 8.0pt; mso-bidi-font-size: 9.0pt;"&gt;&amp;nbsp; They didn’t need anyone else to approve something or decide they would like it first.&amp;nbsp; Once convinced, they could show&amp;nbsp;the new&amp;nbsp;ideas&amp;nbsp;to others.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div style="line-height: 13.5pt; margin-top: 0in;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="color: #3f3f3f; font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 8.0pt; mso-bidi-font-size: 9.0pt;"&gt;When&amp;nbsp;Visicalc appeared, I don’t know how many people in IT would have bet that every accountant in the world would soon be throwing out his pencils and starting to&amp;nbsp;use spreadsheets for things no one can even now&amp;nbsp;believe&amp;nbsp;are possible!&amp;nbsp;&amp;nbsp;The same is true&amp;nbsp;for a thousand other&amp;nbsp;applications&amp;nbsp;people came to love.&amp;nbsp;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div style="line-height: 13.5pt; margin-top: 0in;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="color: #3f3f3f; font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 8.0pt; mso-bidi-font-size: 9.0pt;"&gt;But because authentication doesn’t stand on its own, users&amp;nbsp;never got&amp;nbsp;the chance&amp;nbsp;to start using Information Cards “just because they felt like it”.&amp;nbsp; They needed web sites to make&amp;nbsp;the same bet they did&amp;nbsp;by implementing Information Card support&amp;nbsp;as an 
option.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div style="line-height: 13.5pt; margin-top: 0in;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="color: #3f3f3f; font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 8.0pt; mso-bidi-font-size: 9.0pt;"&gt;Web sites didn’t want to bet.&amp;nbsp; They wanted to keep to “the matter at hand” and prevent their users from getting lost or distracted.&amp;nbsp;&amp;nbsp;The result:&amp;nbsp;a preemptive chill settled over the technology, and we never really got to see what users would make of it.&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div style="line-height: 13.5pt; margin-top: 0in;"&gt;&lt;i style="mso-bidi-font-style: normal;"&gt;&lt;span style="color: #3f3f3f; font-family: &amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; font-size: 8.0pt; mso-bidi-font-size: 9.0pt;"&gt;My conclusion:&amp;nbsp;&amp;nbsp;regardless of what new features they support, user centric identity solutions need to be built so they work with as many existing&amp;nbsp;web sites&amp;nbsp;as possible.&amp;nbsp;&amp;nbsp;They can’t require&amp;nbsp;buy-in from&amp;nbsp;all the big web sites&amp;nbsp;in order to be useful.”&amp;nbsp;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;div style="line-height: 13.5pt; margin-top: 0in;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;I agree that users, and people in general, do change their behavior, and sometimes relatively quickly – if there is a direct and tangible benefit for them to do so.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;In the case of CardSpace, our end users simply did not perceive 
the benefits; besides, they had to download a large binary and deal with an unfamiliar experience. &lt;a href="http://itickr.com/?p=82"&gt;Ashish Jain's post captures the sentiment&lt;/a&gt; around the time we were experimenting with CardSpace – 2008 - (one seller kept asking me why I was asking him to “do all this just to login”).&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;eBay is in the commerce business; we do take reasonable risks in changing people’s behavior around commerce related activities such as listing, classification, payment, feedback, finding, shipping, trust etc., but for login and authentication we rely largely on users' already learned behavior (or, as Andrew Nash refers to it, the established “steady state” of authentication).&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Perhaps one way to get a large number of users familiar with Card Space, and generate consumer demand for it, was full adoption within MSFT (including the Windows login panel). Microsoft owns one of the largest (if not the largest) user-facing authentication experiences in the world; if they had fully supported Card Space everywhere a login panel appears today, maybe the adoption story for Card Space would have been different. 
That would have made it much easier for a company like eBay to adopt it as well.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/5753616620399018489/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/03/cardspace-ii-change-of-authentication.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5753616620399018489'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5753616620399018489'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/03/cardspace-ii-change-of-authentication.html' title='CardSpace II : &quot;Change of Authentication Behavior&quot;'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-6145988891825991088</id><published>2011-02-21T15:06:00.000-08:00</published><updated>2011-02-21T15:06:04.023-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>It is Finally Official: The End of MSFT CardSpace</title><content type='html'>There were a few things I wanted to write about recently, ranging from all the discussion around OSGi in the 
Java community (and eBay) to what I would expect from an industrial grade Identity Provider (hint: it is not about which protocol it uses), and from when not to use NoSQL to the emergence of a little-known art and science called Entity Resolution, but let me resume my posts after a month with this: &lt;a href="http://blogs.msdn.com/b/card/archive/2011/02/15/beyond-windows-cardspace.aspx"&gt;Microsoft announced that it would not ship CardSpace 2.0.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Having worked on an authentication concept with MSFT for eBay sellers, I had mixed feelings about this. On one hand I was on the record &lt;b&gt;not&lt;/b&gt; supporting the use of CardSpace for eBay sellers (or buyers). On the other hand I am concerned that the technical community discounts the significance of Claim Based identity altogether and concludes that "Facebook Connect" is all we'll ever need.&lt;br /&gt;&lt;br /&gt;There is a good reflection (from an insider's point of view) on Card Space &lt;a href="http://self-issued.info/?p=458"&gt;here&lt;/a&gt; (courtesy of &lt;a href="http://1raindrop.typepad.com/"&gt;Gunnar Peterson&lt;/a&gt;). My personal view (and the reason I didn't support the adoption of Card Space at eBay), though, centers around the challenges of the "Change of Behavior" required by Card Space.&lt;br /&gt;&lt;br /&gt;Basically, CardSpace failed because it required users to change their behavior. See, the "User name and password" protocol (a simple challenge and response) IS a protocol, one in which a human being (a normal user) is a participant. It has taken about 20-30 years (depending on how you count) to train users what to do when they see a "login panel"; the "login panel" contract is so widely understood that, despite all of its shortcomings, it is the most viable remote authentication protocol we have today. It is flawed, it is costly, it is not secure, but it is widely understood by the users on the other end of the protocol. 
CardSpace, despite all its advantages, was not understood; it would (and did) confuse people, who did not know what to do when the CardSpace screen popped up ... a technology whose adoption depends on changing a strongly learned behavior is unlikely to succeed (or at least I didn't think eBay sellers - not early adopters of technology - would learn and accept it).&lt;br /&gt;&lt;br /&gt;It also didn't help that a lot of browsers didn't support it (installing a plug-in does not count), and that developers didn't know how to issue cards (or validate, update or revoke them). &lt;br /&gt;&lt;br /&gt;Having said that, I did like the idea of decentralized identity providers and not having any one identity provider be THE identity provider that everyone else had to rely on (putting users in control of their own identity). Compare this with a world where one identity provider (be it Facebook or Google or Twitter or anyone else) is the dominant identity provider because it is easy for RPs to embed a simple button and for users to click on it.</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/6145988891825991088/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/02/it-is-finally-official-end-of-msft.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/6145988891825991088'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/6145988891825991088'/><link rel='alternate' type='text/html' 
href='http://softwareforallseasons.blogspot.com/2011/02/it-is-finally-official-end-of-msft.html' title='It is Finally Official: The End of MSFT CardSpace'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-9032757473146115573</id><published>2011-01-02T21:50:00.000-08:00</published><updated>2011-01-02T21:53:21.780-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><category scheme='http://www.blogger.com/atom/ns#' term='General'/><title type='text'>Kingdom of Nouns ...</title><content type='html'>&lt;div style="font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;The other day I took advantage of a rare couple of hours of peace and decided to catch up on my blog reading, and I came across a nice post by Joel Spolsky of &lt;a href="http://www.joelonsoftware.com/"&gt;Joel on Software&lt;/a&gt; fame on Map/Reduce. The post is probably one of the clearest writings on the origin of Map/Reduce and what it does - if you haven't read it I &lt;a href="http://www.joelonsoftware.com/items/2006/08/01.html"&gt;highly recommend it,&lt;/a&gt; even if you are a Map/Reduce pro. In the course of explaining Map/Reduce he talks about how thinking in terms of functional languages made inventing Map/Reduce possible, implying that if one only thinks in terms of OO languages, where functions (or verbs) are not first class citizens, coming up with an abstraction such as a map() or reduce() function is tough. 
He includes a link to another interesting post titled &lt;a href="http://steve-yegge.blogspot.com/2006/03/execution-in-kingdom-of-nouns.html"&gt;"Execution in Kingdom of Nouns"&lt;/a&gt; that contends that Java is a kingdom of nouns, where verbs are "owned" by nouns. I like this post too, especially the witty narration. However, I disagree with the conclusion (or implication) that one cannot effectively or elegantly model certain classes of thoughts and abstractions with a statically typed language like Java.&lt;/div&gt;&lt;div style="font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;Look at any natural language; they ALL seem to be kingdoms of nouns. Look at how babies start to talk: they almost exclusively use nouns for a while and THEN add verbs to form sentences (or form thoughts). The core example of the post, for taking the garbage out, is copied here:&lt;/div&gt;&lt;br /&gt;&lt;pre&gt;&lt;i&gt;get&lt;/i&gt; the garbage bag from under the sink&lt;br /&gt;  &lt;i&gt;carry&lt;/i&gt; it out to the garage&lt;br /&gt;  &lt;i&gt;dump&lt;/i&gt; it in the garbage can&lt;br /&gt;  &lt;i&gt;walk&lt;/i&gt; back inside&lt;br /&gt;  &lt;i&gt;wash&lt;/i&gt; your hands&lt;br /&gt;  &lt;i&gt;plop&lt;/i&gt; back down on the couch&lt;br /&gt;  &lt;i&gt;resume&lt;/i&gt; playing your video game (or whatever you were doing)&lt;/pre&gt;&lt;div style="font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;(italic emphasis is from the original post)&lt;/div&gt;&lt;br /&gt;&lt;div style="font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;This example is there to show that a normal function is a sequence of verbs and can easily be expressed without needing a "noun", but the noun here is hidden: it is the "subject" that is actually doing it. In a functional language like JavaScript the replacement would be the "global" scope, or some form of function that the author would create, called "takeOutTheGarbage()", and call from different "context"s; those contexts would be the nouns.&lt;/div&gt;&lt;div style="font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Times,&amp;quot;Times New Roman&amp;quot;,serif;"&gt;I admit, I am not a language guy, I am more of a modeling guy, but I do think that type spaces formed around collaborating nouns (subjects, objects etc.) are capable of modeling and abstracting any concept/thought. I do agree that some folks in "Javaland" overuse classes and have too many factories and adapters, mediators, visitors etc., but this is more of a "fashion" issue than a basic OO modeling issue. I also agree (and have seen) that functional languages are better for certain tasks, but wishing to live in a "kingdom of verbs" is a bit extreme in my view; after all, verbs are all performed by somebody/something, unless you prefer to live in the land of the anonymous.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/9032757473146115573/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/01/kingdom-of-nouns.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/9032757473146115573'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/9032757473146115573'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2011/01/kingdom-of-nouns.html' title='Kingdom of Nouns ...'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' 
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-3487227597036746500</id><published>2010-12-26T16:07:00.000-08:00</published><updated>2010-12-26T16:07:14.726-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><title type='text'>Best description of what architecture is ... by Charles Darwin (yes, THE Charles Darwin)</title><content type='html'>Here is a quote attributed to Darwin:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;b&gt;&lt;span class="body"&gt;"It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the &lt;u&gt;most adaptable to change.&lt;/u&gt;&lt;/span&gt;"&lt;/b&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Right there, for me, is the best definition of software architecture I have seen. Software architecture is whatever you do that allows your system to be adaptable to whatever changes its environment throws at it (scale, hardware failure, legal changes, change of business model, new forms of distribution etc.). Better yet, Darwin goes on to say&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;b&gt;&lt;span class="body"&gt;"In the long history of humankind (and animal kind, too) those who learned to &lt;/span&gt;&lt;u&gt;&lt;span class="body"&gt;collaborate &lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;b&gt;&lt;span class="body"&gt;and &lt;u&gt;improvise &lt;/u&gt;most effectively have prevailed.&lt;/span&gt;"&lt;/b&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;So in his view the keys to adaptability are collaboration and improvisation, which I'd translate for modern systems as "Communication" and "Experimentation". Communication is THE key to collaboration, and a quality lacking in a large number of leading engineers/architects. 
The core communication skill here is not about communicating what one's particular solution to a problem is, but more a style that is about inquiry: a style that elicits input and views from all significant parties, synthesizes them into models and hypotheses, and communicates them back to form a common understanding (does your architect do that?)&lt;br /&gt;&lt;br /&gt;Experimentation is both a personal quality and something that must be built into any system as a first class architecture requirement. Experimentation is generally under-valued in architecture discussions. Systems in general have multiple views, the most popular being the 4+1 views; I would add an "Experimentation View", a view of the architecture that describes which sub-systems can be experimented with and in what ways, and how an experiment's success would be measured. More on the "Experiment View" later, but for now, I am even more convinced that analogies with and inspiration from biological systems are a worthy guide for designing software systems.</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/3487227597036746500/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/12/best-description-of-what-architecture.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3487227597036746500'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3487227597036746500'/><link rel='alternate' type='text/html' 
href='http://softwareforallseasons.blogspot.com/2010/12/best-description-of-what-architecture.html' title='Best description of what architecture is ... by Charles Darwin (yes, THE Charles Darwin)'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-9045207551837577552</id><published>2010-12-22T21:50:00.000-08:00</published><updated>2011-11-16T22:31:14.187-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Canonical Use Cases for a Relying Party</title><content type='html'>I have always felt that in the identity community we spend most of our time discussing identity providers and their concerns (such as token format, protocol etc.) and do not spend enough time and attention on relying parties. At eBay we play both roles, i.e. we are both an identity provider (we provide sellers' identity and attributes to 3rd party developers) and a relying party (accepting identities provisioned outside eBay marketplaces as eBay users). I can say that building an architecturally sound relying party is as challenging as building an identity provider. &lt;br /&gt;&lt;br /&gt;In this post I simply want to enumerate the major use cases that any major relying party (that is, anyone who for example plans to accept Facebook Connect) has to account for. 
I used the qualifier "major" to denote that these use cases are important if a given relying party has millions of users and many services and applications (much like eBay does).&lt;br /&gt;&lt;br /&gt;The list of use cases is:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;1-Sign-In and Out&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;2-Connect and Reception&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;3-Link/Unlink&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;4-Profile Access Extension&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;5-Role Elevation&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;6-Recovery&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;7-Disconnect&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;8-Force Authentication&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;9-Customer Support&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;10-Capturing Alternative/Second Secret&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;and here are the descriptions:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;1-Sign-In and Out:&lt;/b&gt; This includes changes to your standard sign-in page to make it a "federated sign-in" page. The challenge here is mostly user experience, i.e. 
how to design the UI correctly to achieve two goals:&lt;br /&gt;&amp;nbsp;&amp;nbsp; - Not confuse existing users who will not sign in with an external IDP&lt;br /&gt;&amp;nbsp;&amp;nbsp; - Communicate to users of an external IDP what they need to do (without creating the NASCAR problem)&lt;br /&gt;There are also techniques for detecting which IDPs a user may have an account with and showing a "smart" list of IDPs.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;2-Connect and Reception:&lt;/b&gt; Once the user clicks the "Connect" button (if you are using connect-style IDPs such as FB) or enters her OpenID URI (although this is unlikely to be adopted by users), the user is sent to the IDP to sign in and to consent to his/her information being sent to your site - let's refer to this process as Connect - and then the user is sent back to your site, to a page/application that we refer to as "Reception". This is the process that greets the user for the first time and provisions an account in the RP for him/her. I use the word "reception" to make it distinct from "registration", which is when provisioning is done based on data collected by the RP itself. The reception process is significant because it covers the gap between the data received from the IDP and what is needed for a user to be provisioned; it also assigns the roles for the new user. These roles are typically minimal since data coming from external IDPs is normally not trusted or verified. Also during reception the token received from the external IDP, together with its associated metadata, is stored in a central location accessible to the different functional units (applications) of the RP.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;3-Link/Unlink:&lt;/b&gt; Another use case (often part of reception) is to detect whether the user connecting to the RP is one who already has an account. 
The detection can be done by mapping the data received from the IDP to an existing account; the simplest form is to check whether the email address returned by the IDP already exists. Once an account is detected, the user has to prove s/he actually owns it (normally by providing the password) and the accounts are linked. The email asserted by the IDP is only a matching hint, not proof of ownership, so never link on the match alone. Since architecture hygiene calls for symmetric operations, you should also allow for unlinking of accounts.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;4-Profile Access Extension:&lt;/b&gt; The RP obtains a token during reception (such as the OAuth token that comes with FB Connect); this token carries a set of access permissions to user resources (perhaps hosted by the IDP). Any large RP has a set of applications that will use this token (for example the MyeBay application as well as the eBay Search application), and it is likely that one of these applications requires more information/access privileges than the user originally consented to. In these cases the RP should provide a central capability that conducts the process of requesting and receiving extended permissions from the user and updating the token metadata associated with the user.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;5-Role Elevation:&lt;/b&gt; The first time users connect to the RP they are granted a certain role (or roles); normally this is a basic role since data provided by most IDPs is not reliable (eBay as an IDP does provide verified, reliable data). At some point during the user's life cycle the user needs to perform an action that requires a higher role assignment; in these cases the RP should provide the capability to assign the user a higher role, which normally requires the user to enter more information or go through verification. This process produces more attributes that become part of the user's profile at the RP.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;6-Recovery:&lt;/b&gt; Every RP always has to establish a method for externally provisioned identities to authenticate WITHOUT the presence of the external IDP. What does this mean? 
Suppose you accept FB Connect and FB is down for 6 hours (an event that recently happened); further imagine that you operate a site where every minute of users not being able to log in means financial loss. What do you do in this scenario? You may say this is easy: ask users to enter a password during first-time reception. But wouldn't this defeat the whole purpose (or a big part of it) of users not having to remember many passwords?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;7-Disconnect:&lt;/b&gt; All RPs must provide the capability for a user to "disconnect", i.e. close the account that was created based on an identity provided by the external IDP. I personally believe that the user owns his/her data, and if the user wants to disconnect and remove all of his/her activities from the record, s/he should be able to (to the extent that is legal).&lt;br /&gt;&lt;br /&gt;&lt;b&gt;8-Force Authentication:&lt;/b&gt; This is actually a capability of the IDP, but RPs need to use it when they require the user to be authenticated regardless of the session's authentication state as seen by the IDP. 
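&lt;br /&gt;&lt;br /&gt;Here is an added illustration of how use cases 2, 3 and 8 fit together inside a relying party; it is example code written for this page, not the author's, eBay's or any IDP's. Reception either signs an already-linked identity in, provisions a fresh account with only the minimal role, or stops at "link required" when an RP account with the asserted email already exists; linking goes through only after the user proves ownership with the RP password; every IDP token lands in one central store that the RP's applications can share; and a per-operation freshness policy decides when the RP must go back to the IDP for forced authentication. The role name, the freshness policy, the fields on the assertion, the account-id scheme and the in-memory stores are all assumptions.&lt;br /&gt;&lt;br /&gt;

```python
"""Relying-party identity core for use cases 2, 3 and 8 above. Added illustration, not
eBay's code: the role name, freshness policy, assertion fields and stores are assumptions."""
import datetime as dt
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from operator import gt

BASIC_ROLE = "basic"  # assumed minimal role handed out at reception

FRESHNESS = {  # assumed policy: how recent the session's authentication must be, per operation
    "view_orders": None,                       # any valid session will do
    "change_payout": dt.timedelta(minutes=5),  # must have authenticated in the last 5 minutes
}

@dataclass
class Assertion:             # what the IDP hands back after Connect (constructed shape)
    idp: str
    subject: str             # IDP's stable identifier for the user
    email: str               # asserted by the IDP, not verified by the RP
    auth_instant: dt.datetime
    access_token: str
    scopes: frozenset

@dataclass
class Account:
    account_id: str
    email: str
    roles: set
    password_hash: str = ""  # empty for accounts born federated (cf. Recovery)

def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(stored, candidate):
    if not stored:
        return False  # no RP secret exists, so ownership cannot be proven this way
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(stored, hash_password(candidate, bytes.fromhex(salt_hex)))

class RelyingParty:
    def __init__(self):
        self.accounts = {}   # account_id to Account
        self.by_email = {}   # normalised email to account_id
        self.links = {}      # (idp, subject) to account_id
        self.tokens = {}     # account_id to {idp: Assertion}: the central token store

    def register(self, email, password):
        """Classic RP registration, so there is an account to link against."""
        acct_id = "acct-" + secrets.token_hex(4)
        self.accounts[acct_id] = Account(acct_id, email.lower(), {BASIC_ROLE}, hash_password(password))
        self.by_email[email.lower()] = acct_id
        return acct_id

    def receive(self, a):
        """Reception: returns (status, account_id), status in 'signed_in', 'link_required', 'provisioned'."""
        key = (a.idp, a.subject)
        if key in self.links:
            self._store_token(self.links[key], a)
            return ("signed_in", self.links[key])
        existing = self.by_email.get(a.email.lower())
        if existing is not None:
            # The asserted email is a matching hint, never proof of ownership; auto-linking
            # here would hand the account to anyone who gets an IDP to assert that address.
            return ("link_required", existing)
        acct_id = "acct-" + secrets.token_hex(4)
        self.accounts[acct_id] = Account(acct_id, a.email.lower(), {BASIC_ROLE})
        self.by_email[a.email.lower()] = acct_id
        self._link(acct_id, a)
        return ("provisioned", acct_id)

    def link(self, account_id, a, password):
        """Join an external identity to an existing account only after ownership is proven."""
        if not verify_password(self.accounts[account_id].password_hash, password):
            return False
        self._link(account_id, a)
        return True

    def unlink(self, account_id, idp):
        """Symmetric operation: drop the link and the stored token."""
        self.links = {k: v for k, v in self.links.items() if not (v == account_id and k[0] == idp)}
        self.tokens.get(account_id, {}).pop(idp, None)

    def _link(self, account_id, a):
        self.links[(a.idp, a.subject)] = account_id
        self._store_token(account_id, a)

    def _store_token(self, account_id, a):
        self.tokens.setdefault(account_id, {})[a.idp] = a

def needs_forced_authn(session_auth_instant, operation, now):
    """True when the RP must request ForceAuthn from the IDP before this operation."""
    max_age = FRESHNESS.get(operation)
    if max_age is None:
        return False
    return gt(now - session_auth_instant, max_age)  # operator.gt: session age exceeds max_age
```

The "link_required" branch is the one to get right: the IDP-asserted email only selects the candidate account, and nothing is linked until verify_password succeeds. An account born federated has an empty password_hash, so verify_password refuses it and that account cannot be taken over through the link path either; it needs a Recovery credential first (use case 6). needs_forced_authn compares the session's auth_instant, as reported by the IDP, against the policy and tells the RP when to set ForceAuthn on its next request instead of trusting the IDP's existing session.&lt;br /&gt;&lt;br /&gt;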
For certain operations RPs require a fresh session (or a session that started in the past N minutes); in these cases the RP should request a forced authentication (I am using SAML terminology here) from the IDP.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-9045207551837577552?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/9045207551837577552/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/12/cannonical-use-cases-for-relying-party.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/9045207551837577552'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/9045207551837577552'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/12/cannonical-use-cases-for-relying-party.html' title='Canonical Use Cases for a Relying Party'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-2895990135726473384</id><published>2010-12-06T22:16:00.000-08:00</published><updated>2010-12-06T22:16:47.128-08:00</updated><title type='text'>OAuth protocol and "Embedded Browser": Illustration of a simple security decision making framework</title><content type='html'>The discussion about whether to use an embedded browser or a full browser while performing the OAuth protocol, although 
passionate, is nothing new. Instead of expressing a position (I am for a full browser, for the record), I want to use this case to illustrate a simple framework I use to make security design/implementation decisions.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_9omyFnkXzaE/TP3MOa-wcGI/AAAAAAAAREc/8csJojZomBg/s1600/SecDecisionMaking.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="277" src="http://1.bp.blogspot.com/_9omyFnkXzaE/TP3MOa-wcGI/AAAAAAAAREc/8csJojZomBg/s320/SecDecisionMaking.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;For every question/decision we designate one engineer as the "good guy" and one engineer as the "bad guy", and we ask each how this decision helps or hurts them. I emphasize that it is critical to think about and view a decision from the bad guy's point of view. Most of us are basically not fraudsters and think in terms of "getting things done" and "being helpful"; we rarely look at a feature and think to ourselves "How can I abuse it?" (if you do, please contact me, I may have a job for you), so we assign an engineer just to do that.&lt;br /&gt;&lt;br /&gt;Of course we want all our decisions to be just as shown in the figure above: help good guys and hurt bad guys. But that is not always the case; take using the embedded browser (and not a full pop-up) to perform OAuth. 
This decision looks more like this:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_9omyFnkXzaE/TP3ON9F8dqI/AAAAAAAAREg/4Zkw4pDtIDM/s1600/SecDecisionMaking_2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="290" src="http://2.bp.blogspot.com/_9omyFnkXzaE/TP3ON9F8dqI/AAAAAAAAREg/4Zkw4pDtIDM/s320/SecDecisionMaking_2.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;It helps good guys (by not having every app render a login panel, perform authentication, deal with errors etc.), but it also helps bad guys (as illustrated nicely by my friend and colleague Yitao Yao &lt;a href="http://security-n-tech.blogspot.com/2010/11/serious-oauth-security-hole-in-facebook.html"&gt;here&lt;/a&gt; - Facebook is only one example) by making phishing easier: the host application controls the embedded browser, so the user has no trustworthy address bar or certificate indicator to tell a genuine IDP login page from one the app draws itself. (It is worth pointing out that having the application capture user secrets directly lies on the counter-diagonal of the matrix above: it hurts good guys and helps bad guys.)&lt;br /&gt;&lt;br /&gt;Does this mean you should never do this? I wish there were a simple and universal answer, but there is not.&lt;br /&gt;In general you should not use an embedded browser unless there is a good reason and, more importantly, the decision maker is fully aware of the risk (has at least seen the matrix above and knows the bad guys will benefit). 
Mitigating circumstances could be an unattractive economy of fraud (your application is not a prime target for fraudsters), a belief that fraudsters cannot effectively distribute their application to a large enough group of people, an exceptionally savvy user base (I envy you), or a mobile platform operator that has good control over the nature of applications and what they do (think Apple-like).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-2895990135726473384?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/2895990135726473384/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/12/oauth-protocol-and-emdedded-browser.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2895990135726473384'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2895990135726473384'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/12/oauth-protocol-and-emdedded-browser.html' title='OAuth protocol and &quot;Embedded Browser&quot;: Illustration of a simple security decision making framework'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_9omyFnkXzaE/TP3MOa-wcGI/AAAAAAAAREc/8csJojZomBg/s72-c/SecDecisionMaking.JPG' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-3495442476294909861</id><published>2010-12-05T21:51:00.000-08:00</published><updated>2010-12-05T21:51:52.451-08:00</updated><title type='text'>Kitchen Meeting</title><content type='html'>I started an experiment a few weeks back. Instead of scheduling and holding a meeting in one of eBay's formal meeting rooms, I tried to meet with people in the kitchen or cafe (or the Starbucks across the street from the Hamilton campus) - now this is partly because it is getting too tough to find a free room, but I also had a hypothesis that when people meet in an informal setting - especially a place that has to do with eating - they are more likely to collaborate.&lt;br /&gt;&lt;br /&gt;I have to say the results are mixed so far. On one hand it indeed does make a difference; people seem to be friendlier and more willing to see "the other side" of an issue - whatever it might be. However, I also noticed that they are more likely to "forget" or back off from agreements or conclusions that were reached.&lt;br /&gt;&lt;br /&gt;For now I keep doing this as much as I can; at least it gives me an incentive to keep the number of people in a meeting to 3 people max, and this alone helps increase the effectiveness of meetings.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-3495442476294909861?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/3495442476294909861/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/12/kitchen-meeting.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3495442476294909861'/><link 
rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3495442476294909861'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/12/kitchen-meeting.html' title='Kitchen Meeting'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-2425267001469118338</id><published>2010-10-27T22:45:00.000-07:00</published><updated>2010-10-27T22:45:33.819-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Talks'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>PayPal Identity Services Talk @ PayPal Innovate 2010</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:WordDocument&gt;   &lt;w:View&gt;Normal&lt;/w:View&gt;   &lt;w:Zoom&gt;0&lt;/w:Zoom&gt;   &lt;w:TrackMoves/&gt;   &lt;w:TrackFormatting/&gt;   &lt;w:PunctuationKerning/&gt;   &lt;w:ValidateAgainstSchemas/&gt;   &lt;w:SaveIfXMLInvalid&gt;false&lt;/w:SaveIfXMLInvalid&gt;   &lt;w:IgnoreMixedContent&gt;false&lt;/w:IgnoreMixedContent&gt;   &lt;w:AlwaysShowPlaceholderText&gt;false&lt;/w:AlwaysShowPlaceholderText&gt;   &lt;w:DoNotPromoteQF/&gt;   &lt;w:LidThemeOther&gt;EN-US&lt;/w:LidThemeOther&gt;   &lt;w:LidThemeAsian&gt;X-NONE&lt;/w:LidThemeAsian&gt;   &lt;w:LidThemeComplexScript&gt;X-NONE&lt;/w:LidThemeComplexScript&gt;   &lt;w:Compatibility&gt;    &lt;w:BreakWrappedTables/&gt;    &lt;w:SnapToGridInCell/&gt;    &lt;w:WrapTextWithPunct/&gt;    &lt;w:UseAsianBreakRules/&gt;    &lt;w:DontGrowAutofit/&gt;    &lt;w:SplitPgBreakAndParaMark/&gt;    &lt;w:DontVertAlignCellWithSp/&gt;    &lt;w:DontBreakConstrainedForcedTables/&gt;    
&lt;w:DontVertAlignInTxbx/&gt;    &lt;w:Word11KerningPairs/&gt;    &lt;w:CachedColBalance/&gt;   &lt;/w:Compatibility&gt;   &lt;w:BrowserLevel&gt;MicrosoftInternetExplorer4&lt;/w:BrowserLevel&gt;   &lt;m:mathPr&gt;    &lt;m:mathFont m:val="Cambria Math"/&gt;    &lt;m:brkBin m:val="before"/&gt;    &lt;m:brkBinSub m:val="&amp;#45;-"/&gt;    &lt;m:smallFrac m:val="off"/&gt;    &lt;m:dispDef/&gt;    &lt;m:lMargin m:val="0"/&gt;    &lt;m:rMargin m:val="0"/&gt;    &lt;m:defJc m:val="centerGroup"/&gt;    &lt;m:wrapIndent m:val="1440"/&gt;    &lt;m:intLim m:val="subSup"/&gt;    &lt;m:naryLim m:val="undOvr"/&gt;   &lt;/m:mathPr&gt;&lt;/w:WordDocument&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"  DefSemiHidden="true" DefQFormat="false" DefPriority="99"  LatentStyleCount="267"&gt;   &lt;w:LsdException Locked="false" Priority="0" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Normal"/&gt;   &lt;w:LsdException Locked="false" Priority="9" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="heading 1"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/&gt;   &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 1"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 2"/&gt;   &lt;w:LsdException Locked="false" 
Priority="39" Name="toc 3"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 4"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 5"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 6"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 7"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 8"/&gt;   &lt;w:LsdException Locked="false" Priority="39" Name="toc 9"/&gt;   &lt;w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/&gt;   &lt;w:LsdException Locked="false" Priority="10" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Title"/&gt;   &lt;w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/&gt;   &lt;w:LsdException Locked="false" Priority="11" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/&gt;   &lt;w:LsdException Locked="false" Priority="22" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Strong"/&gt;   &lt;w:LsdException Locked="false" Priority="20" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/&gt;   &lt;w:LsdException Locked="false" Priority="59" SemiHidden="false"   UnhideWhenUsed="false" Name="Table Grid"/&gt;   &lt;w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/&gt;   &lt;w:LsdException Locked="false" Priority="1" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/&gt;   &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading"/&gt;   &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List"/&gt;   &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1"/&gt;   &lt;w:LsdException Locked="false" Priority="64" 
SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1"/&gt;   &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2"/&gt;   &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1"/&gt;   &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2"/&gt;   &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3"/&gt;   &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List"/&gt;   &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading"/&gt;   &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List"/&gt;   &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid"/&gt;   &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/&gt;   &lt;w:LsdException Locked="false" UnhideWhenUsed="false" 
Name="Revision"/&gt;   &lt;w:LsdException Locked="false" Priority="34" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/&gt;   &lt;w:LsdException Locked="false" Priority="29" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Quote"/&gt;   &lt;w:LsdException Locked="false" Priority="30" SemiHidden="false"   UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/&gt;   &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/&gt;   &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/&gt;   &lt;w:LsdException Locked="false" 
Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"   UnhideWhenUsed="false" Name="Dark List Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful List Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"   UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/&gt;   &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Shading Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"   UnhideWhenUsed="false" Name="Light List Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"   UnhideWhenUsed="false" Name="Light Grid Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/&gt;   &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"   UnhideWhenUsed="false" 
&lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;br /&gt;&lt;div class="MsoNormal"&gt;Today at the &lt;a href="https://www.paypal-xinnovate.com/"&gt;PayPal Developers&lt;/a&gt; conference Ashish Jain, my friend and colleague and PayPal’s point man on all things identity, talked about PayPal’s vision of identity and the PayPal Identity Service in his presentation titled, not surprisingly, “PayPal Identity Services”.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;If you are involved in the world of the internet, as a developer or even an observer, or if you have attended any web related conference in the past 12-18 months (including our own DevCon), you must be familiar with the core identity problem: users have too many accounts and too many passwords, too often they forget them, it is too easy to phish passwords and too expensive for companies to support users who either forgot their passwords or have had their accounts taken over… Ashish talked about it in his presentation (as it is mandatory for these presentations, including mine, to recount the carnage first).&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;You may have guessed the next step: PayPal, among many others, offers to be an Identity Provider (IDP). The one and only account you will ever need (at least whenever you want to shop on the Internet).&amp;nbsp;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;You may think, so what? 
There are so many other identity providers (most notably Facebook) … but (as Lee Corso of ESPN says) “not so fast my friend”; there is actually a difference in this game of being an identity provider between PayPal and everyone else, what Ashish, modestly, calls “&lt;i&gt;&lt;b&gt;Qualified Data&lt;/b&gt;&lt;/i&gt;” (interestingly the second bullet point in his slide – why not the first? I have to ask him).&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;See, as it turns out, providing identity (as in what an IDP does) is not that hard: pick a protocol (OpenID, OAuth, SAML …) and transfer identity data (unique identifier, name, email, phone number etc.) from the IDP to the Relying Party (RP). You can do that in a few hours (literally). What turns out to be hard (and expensive and complex) is providing &lt;u&gt;&lt;i&gt;&lt;b&gt;“High Quality”&lt;/b&gt;&lt;/i&gt;&lt;/u&gt; identity, as in identity data that someone actually validates, making sure it is accurate and up to date and actually owned by the person who claims to own it. This is what Ashish means by “Qualified Data”. Now if you are a merchant, which identity would you rather rely on? An identity from a site that simply takes a user’s claims (about what her name is, where she lives etc.) and tosses them over to you, or one from PayPal where this set of data is verified and maintained and, by the way, you know that there is a valid financial/payment instrument attached to it?&amp;nbsp;&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;Too often people responsible for building an identity provider argue endlessly about the merits of protocols, compare OpenID to OAuth and talk about how complex SAML is. 
In the process they miss the much bigger point: what matters is the quality of the identity provided, not the means by which it is provided.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;This is what makes PayPal identity (regardless of whether they use OpenID or OAuth or anything else) potentially the most interesting and useful identity in my view.&lt;/div&gt;&lt;div class="MsoNormal"&gt;Ashish also showed a demo where the PayPal OpenID service is wrapped by the Gigya API. Gigya is an aggregator of identity providers: instead of learning multiple APIs from different IDPs, developers simply deal with the Gigya API. It is an interesting concept. &lt;a href="http://www.gigya.com/"&gt;Check them out here&lt;/a&gt;.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="MsoNormal"&gt;It would be interesting to see how far PayPal pushes their Identity Service (both in terms of end user adoption and merchant adoption) and whether or not they offer different classes of identity (based on data quality) and the respective financial assurance levels.&lt;/div&gt;&lt;div class="MsoNormal"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-2425267001469118338?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/2425267001469118338/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/10/paypal-identity-services-talk-paypal.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2425267001469118338'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2425267001469118338'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/10/paypal-identity-services-talk-paypal.html' title='PayPal Identity Services Talk @ PayPal Innovate 2010'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-7464575072691475118</id><published>2010-10-13T21:11:00.000-07:00</published><updated>2010-10-13T21:11:34.175-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PayPal'/><category scheme='http://www.blogger.com/atom/ns#' term='General'/><title type='text'>My old blog post on PayPal Platform</title><content type='html'>I found &lt;a href="http://ebaydeveloper.typepad.com/dev/2009/06/next-generation-paypal-platform.html"&gt;this old blog&lt;/a&gt; that I posted after the "Next Gen PayPal Platform" session at eBay DevCon 2009. 
I am adding it here for the record and also because the format of the session and the ideas that were generated were very interesting.&lt;br /&gt;&lt;br /&gt;Looking back, you can also track which ideas PayPal actually implemented ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-7464575072691475118?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/7464575072691475118/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/10/my-old-blog-post-on-paypal-platform.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7464575072691475118'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7464575072691475118'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/10/my-old-blog-post-on-paypal-platform.html' title='My old blog post on PayPal Platform'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-3951482079570315874</id><published>2010-10-07T00:48:00.000-07:00</published><updated>2010-10-07T00:48:17.291-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Fun'/><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><title type='text'>MongoDB is Web scale ...</title><content type='html'>This is a&lt;a 
href="http://nosql.mypopescu.com/post/1016320617/mongodb-is-web-scale"&gt; funny clip&lt;/a&gt; - produced with the &lt;a href="http://www.xtranormal.com/watch/6995033/"&gt;xtranormal&lt;/a&gt; technology - courtesy of my friend &lt;a href="http://1raindrop.typepad.com/"&gt;Gunnar Peterson&lt;/a&gt;. It pokes fun at people jumping on the NoSQL and MongoDB bandwagon. I have to say I can relate to the sentiment: NoSQL, KV storages etc. are suited for certain use cases and access patterns, but a vast majority of day to day use cases can be handled just fine with SQL. Even if you are a Mongo fan it is fun to watch this.&lt;br /&gt;&lt;br /&gt;- Warning: The clip uses adult language.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-3951482079570315874?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/3951482079570315874/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/10/mongodb-is-web-scale.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3951482079570315874'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3951482079570315874'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/10/mongodb-is-web-scale.html' title='MongoDB is Web scale ...'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-8455894593068365029</id><published>2010-09-22T23:28:00.000-07:00</published><updated>2010-09-22T23:28:40.548-07:00</updated><title type='text'>Login Failed, Try Again: 10 Best Practices for Authentication in the Cloud</title><content type='html'>Here is the deck for my presentation at JavaOne 2010. It summarizes our experience and learnings in creating an identity foundation for the eBay application platform (AP). In retrospect a lot of the lessons seem like "Motherhood and apple pie", but I suppose there is knowing and then there is understanding. Also, what I have seen is that in general there is not a deep understanding (or even awareness) of identity architecture as a first-class enterprise infrastructure among enterprise architects and software engineers.&lt;br /&gt;&lt;br /&gt;Anyway, the deck is designed to be talked over, so simply reading it may not be as interesting. 
&lt;br /&gt;&lt;br /&gt;&lt;div id="__ss_5264999" style="width: 425px;"&gt;&lt;b style="display: block; margin: 12px 0pt 4px;"&gt;&lt;a href="http://www.slideshare.net/farhangkassaei/login-failedtryagain-javaone2010" title="JavaOne 2010 - Distributed Identity Architecture"&gt;JavaOne 2010 - Distributed Identity Architecture&lt;/a&gt;&lt;/b&gt;&lt;br /&gt;&lt;div style="padding: 5px 0pt 12px;"&gt;View more &lt;a href="http://www.slideshare.net/"&gt;presentations&lt;/a&gt; from &lt;a href="http://www.slideshare.net/farhangkassaei"&gt;farhangkassaei&lt;/a&gt;.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-8455894593068365029?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/8455894593068365029/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/09/login-failed-try-again-10-best.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3442944337117380119/posts/default/8455894593068365029'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/8455894593068365029'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/09/login-failed-try-again-10-best.html' title='Login Failed, Try Again: 10 Best Practices for Authentication in the Cloud'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-4826497455701502406</id><published>2010-09-20T23:00:00.000-07:00</published><updated>2010-09-20T23:00:15.996-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Organization'/><category scheme='http://www.blogger.com/atom/ns#' term='General'/><title type='text'>LSE economist answers: "Why are terrorists often engineers?"</title><content type='html'>IEEE Spectrum has an interesting podcast titled &lt;a href="http://spectrum.ieee.org/podcast/at-work/tech-careers/why-are-terrorists-often-engineers/?utm_source=techalert&amp;amp;utm_medium=email&amp;amp;utm_campaign=091610"&gt;Why are terrorists often engineers&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Basically there are two hypotheses:&lt;br /&gt;&lt;br /&gt;- Engineers are smart, high-potential people, and when/if they don't find ample employment opportunities they become frustrated&lt;br /&gt;- Engineers have an orientation toward hierarchy and order that is also a common theme in fundamentalism.&lt;br /&gt;&lt;br /&gt;Also interesting (according to the LSE researchers): engineers are more religious and right-leaning compared to others - one wouldn't guess that living in the Bay Area.&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-4826497455701502406?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/4826497455701502406/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/09/lse-economist-answers-why-are.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4826497455701502406'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4826497455701502406'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/09/lse-economist-answers-why-are.html' title='LSE economist answers: &quot;Why are terrorists often engineers?&quot;'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-3321815051673250875</id><published>2010-09-19T21:28:00.000-07:00</published><updated>2010-09-19T21:28:01.404-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Talks'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>JavaOne 2010 Talk</title><content type='html'>Latest details I received from the conference organizers today (it is kind of late, isn't it?) 
about the time and location of my talk @ JavaOne:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;ID#&amp;nbsp;&amp;nbsp; : S314414 &lt;br /&gt;Title&amp;nbsp; : &lt;span style="background-color: blue; color: white;"&gt;Login Failed, Try Again: 10 Best Practices for Authentication in the Cloud &lt;/span&gt;&lt;/b&gt;&lt;b&gt;&lt;br /&gt;Track: &lt;span style="color: orange;"&gt;Enterprise Service Architectures and the Cloud &lt;/span&gt;&lt;br /&gt;Date&amp;nbsp; : &lt;span style="background-color: blue; color: white;"&gt;23-SEP-10&lt;/span&gt;&lt;br /&gt;Time&amp;nbsp; : &lt;span style="background-color: blue; color: white;"&gt;14:00 - 15:00 &lt;/span&gt;&lt;/b&gt;&lt;b&gt;&lt;br /&gt;Venue: &lt;span style="background-color: blue; color: white;"&gt;Parc 55&lt;/span&gt; &lt;br /&gt;Room : &lt;span style="background-color: blue; color: white;"&gt;Cyril Magnin I &lt;/span&gt;&lt;/b&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-3321815051673250875?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/3321815051673250875/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/09/javeone-2010-talk.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3321815051673250875'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3321815051673250875'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/09/javeone-2010-talk.html' title='JavaOne 2010 Talk'/><author><name>Farhang 
(@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-4864188099765246621</id><published>2010-09-19T21:22:00.000-07:00</published><updated>2010-09-19T21:22:36.319-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><title type='text'>what is a "Platform"?</title><content type='html'>Usually the answer to the question “What is X?”, at least in the context of software engineering, is given in two different ways:&lt;br /&gt;- What does X do, or what is X supposed to do.&lt;br /&gt;- How does X work.&lt;br /&gt;The former is more of a philosophical answer and the latter more of a pragmatic one. For example, “what is a service?” could be answered in one of the two ways:&lt;br /&gt;&lt;br /&gt;-&amp;nbsp; A unit of functionality that is exposed through a well defined interface and is loosely coupled to its consumers; it is autonomous, reusable, discoverable and stateless.&lt;br /&gt;&lt;br /&gt;Or it can be answered as&lt;br /&gt;&lt;br /&gt;-&amp;nbsp;&amp;nbsp;&amp;nbsp; It is a unit of code exposed through a WSDL and invoked using SOAP, and it is language neutral &lt;br /&gt;&lt;br /&gt;Those who know me know that I am more inclined toward philosophy. So when I attempt to answer “what is a platform?” – as I had to recently when we were building the eBay Application Platform – I opt for what it does.&lt;br /&gt;To me the answer is simple, at least in the realm of software engineering:&lt;br /&gt;A software platform is any set of functionality that increases developers’ productivity, plain and simple.&lt;br /&gt;Operating systems do that, languages do that, APIs do that, and so do IDEs such as Eclipse. So what is the difference between tools and platforms? 
Tools are not programmable, platforms are. In other words developers can “program” platforms to suit their needs: tools are used to accomplish one task, while platforms can be used (i.e. programmed) to perform different tasks. Some platforms start as tools (like Eclipse, Excel) but evolve into platforms.&lt;br /&gt;&lt;br /&gt;Why, besides philosophical clarity, is this important? It can be used to define a clear goal and metrics for the success of whatever is called a “Platform”.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-4864188099765246621?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/4864188099765246621/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/09/what-is-platform.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4864188099765246621'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4864188099765246621'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/09/what-is-platform.html' title='what is a &quot;Platform&quot;?'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-7470038323906095310</id><published>2010-09-07T22:03:00.000-07:00</published><updated>2010-09-07T22:03:35.786-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><title type='text'>Authorization: One Step At a Time</title><content type='html'>In my experience authorization (much like identity and authentication) is a topic poorly understood by most engineers, architects and product managers. The prevailing narrative about authorization is a magic box protecting a resource that knows every policy applicable to that resource and how to enforce them correctly, or at least knows who can access the resource and in what way.&lt;br /&gt;&lt;br /&gt;Both of these views are inaccurate (or only partially true) and often lead to the construction of single-layer systems that are complex to implement and impossible to manage. Authorization by nature is a hierarchical filtering mechanism; the operative keyword by far is hierarchical. Successful authorization systems are the ones that consist of several collaborating layers of authorization and filtering, where each layer controls one dimension of access. &lt;br /&gt;&lt;br /&gt;For example, imagine a company with a few departments: Executives, Marketing, Accounting, Sales and Product Development. Further imagine that each department has resources (data and services that operate on data) and applications (software users use to access services, view and manipulate data). In particular accounting has three applications: a data entry application, a reporting application and a full book management application (web based or native app does not matter here). Here are the logical authorization rules expressed as typical requirement statements:&lt;br /&gt;&lt;br /&gt;1. No person or application in marketing can access any resources in accounting&lt;br /&gt;2. The data entry application cannot access accounts payable, any payment services or reporting services&lt;br /&gt;3. Reporting applications cannot make any changes to (write, edit) data&lt;br /&gt;4. 
The Full Book Management application can perform any function&lt;br /&gt;5. Only the Accounting manager can pay an invoice greater than $1000&lt;br /&gt;6. Only the CFO can run quarterly profit and loss reports.&lt;br /&gt;&lt;br /&gt;Do you see the hierarchy here? Can you translate it to an AuthZ system hierarchy?&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_9omyFnkXzaE/TIcYpG3NCAI/AAAAAAAAPOI/meX-GiPgYEw/s1600/AuthZ-Levels.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_9omyFnkXzaE/TIcYpG3NCAI/AAAAAAAAPOI/meX-GiPgYEw/s320/AuthZ-Levels.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Rule (1) talks about a large granularity, the “department”; rules 2, 3 and 4 talk about applications, and rules 5 and 6 talk about roles within a particular application or set of apps.&lt;br /&gt;The first rule should be enforced through a router or a gateway that blocks access to any accounting application from the marketing department. That is an effective isolation mechanism to implement an authorization rule.&lt;br /&gt;The second set of rules (2, 3, 4) should be enforced via a system-level guard that operates only on request headers and the tokens bound to them. Examples of such systems are an ESB or pipeline-style authorization handlers.&lt;br /&gt;The last set of rules (5, 6) should be enforced with an application-level authorization system or guard that is aware of the different roles within an application and their privileges vis-à-vis resources.&lt;br /&gt;Now what happens if you collapse the three systems into one? 
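The three-layer split just described, as an added example that is not code from the post: each guard looks only at the dimension its layer owns (the source network, then the app_id header and the token bound to it, then role and payload), and the network prefixes, application ids and role names are constructed for this scenario, not taken from any real deployment.

```python
"""Layered authorization for the accounting scenario above.

Added example, not code from the post. Each guard inspects only the
dimension of the request its layer owns: the gateway sees the source
network (rule 1), the system guard sees headers and the token bound to
them (rules 2-4), the application guard sees roles and payload (rules 5-6).
Departments, network prefixes, application ids and roles are constructed
for the scenario, not taken from any real deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    source_ip: str       # layer 1 input: where the request originates
    app_id: str          # layer 2 input: header naming the calling application
    role: str            # layer 3 input: role carried in the token
    service: str         # "ledger", "accounts_payable", "payments", "reporting"
    operation: str       # "read" or "write"
    amount: int = 0      # payload parameter, relevant to rule 5
    report: str = ""     # payload parameter, relevant to rule 6


# Layer 1: router/gateway. Constructed mapping of network prefix to department.
SOURCE_DEPARTMENT = {"10.1.": "marketing", "10.2.": "accounting", "10.3.": "sales"}


def gateway_guard(req):
    """Rule 1: nothing from marketing reaches accounting. Fails closed on unknown networks."""
    dept = next((d for prefix, d in SOURCE_DEPARTMENT.items()
                 if req.source_ip.startswith(prefix)), None)
    if dept is None:
        return "deny: unknown source network"
    if dept == "marketing":
        return "deny: marketing is isolated from accounting"
    return None


# Layer 2: ESB / pipeline handler. Constructed per-application allow-lists.
APP_POLICY = {
    "data_entry": {"services": {"ledger"}, "operations": {"read", "write"}},
    "reporting": {"services": {"ledger", "accounts_payable", "reporting"},
                  "operations": {"read"}},
    "full_book": {"services": {"ledger", "accounts_payable", "payments", "reporting"},
                  "operations": {"read", "write"}},
}


def system_guard(req):
    """Rules 2-4: decided from the app_id header alone; the payload is never read."""
    policy = APP_POLICY.get(req.app_id)
    if policy is None:
        return "deny: unknown application"
    if req.service not in policy["services"]:
        return f"deny: {req.app_id} may not reach {req.service}"
    if req.operation not in policy["operations"]:
        return f"deny: {req.app_id} may not {req.operation}"
    return None


def application_guard(req):
    """Rules 5-6: the only layer that understands roles and business parameters."""
    if req.service == "payments" and req.amount > 1000 and req.role != "accounting_manager":
        return "deny: payments over $1000 require the accounting manager"
    if req.service == "reporting" and req.report == "quarterly_pnl" and req.role != "cfo":
        return "deny: quarterly profit and loss reports are CFO only"
    return None


LAYERS = (("gateway", gateway_guard), ("system", system_guard),
          ("application", application_guard))


def authorize(req):
    """Run the layers in order. Returns (allowed, deciding_layer, reason);
    the first layer that objects wins and later layers never see the request."""
    for name, guard in LAYERS:
        reason = guard(req)
        if reason is not None:
            return (False, name, reason)
    return (True, "application", "allowed")


if __name__ == "__main__":
    # Constructed requests, one per rule, showing which layer decides each.
    samples = [
        Request("10.1.4.4", "full_book", "cfo", "reporting", "read", report="quarterly_pnl"),
        Request("10.2.0.7", "data_entry", "clerk", "accounts_payable", "read"),
        Request("10.2.0.7", "reporting", "clerk", "ledger", "write"),
        Request("10.2.0.7", "full_book", "clerk", "payments", "write", amount=5000),
        Request("10.2.0.7", "full_book", "accounting_manager", "payments", "write", amount=5000),
        Request("10.2.0.7", "full_book", "cfo", "reporting", "read", report="quarterly_pnl"),
    ]
    for s in samples:
        allowed, layer, reason = authorize(s)
        print(f"{s.app_id:>10} {s.role:>18} {s.service:>16} -> {layer:>11}: {reason}")
```

Folding the three guards into one function that must know the network layout, every application id and the $1000 limit at once is the collapsed design the next paragraph describes.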
Well, in short, the authorization system becomes complex to implement and tough to manage, and three different layers with three different velocities of change become one constantly changing piece of code.&lt;br /&gt;&lt;br /&gt;The authorization system must scan everything in the request, from the originating IP address, to the headers identifying the calling application, to the payload determining the parameters of the operation. It has to understand a wide range of concerns, from deployment (which affects IP addresses) to business logic (the $1000 limit).&lt;br /&gt;&lt;br /&gt;Authorization is tough, but single-layer authorization systems like this are nightmares of manageability.&lt;br /&gt;&lt;br /&gt;Imagine what would happen if all the checks at the airport (from entry to the terminal until you sit in your seat inside the plane) were performed by the security officer up front who today only checks your driver’s license and matches it with your ticket. At the airport there are three different levels: the guys who check your driver’s license and ticket, the TSA guys who check your bags and the crew at the gate who check your ticket and make sure you don’t sit in first class.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-7470038323906095310?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/7470038323906095310/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/09/authorization-one-step-at-time.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7470038323906095310'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7470038323906095310'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/09/authorization-one-step-at-time.html' title='Authorization: One Step At a Time'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_9omyFnkXzaE/TIcYpG3NCAI/AAAAAAAAPOI/meX-GiPgYEw/s72-c/AuthZ-Levels.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-8425930514439974408</id><published>2010-08-08T14:31:00.000-07:00</published><updated>2010-08-08T14:31:36.408-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>CAP Theorem and Digital Identity</title><content type='html'>If you read this blog, chances are you are familiar with the &lt;a href="http://en.wikipedia.org/wiki/CAP_theorem"&gt;CAP theorem&lt;/a&gt;; it basically states that any distributed system operating at scale can choose at most two of the following three:&lt;br /&gt;- Consistency &lt;br /&gt;- Availability&lt;br /&gt;- Partition Tolerance &lt;br /&gt;&lt;br /&gt;Other examples of "pick any 2 out of 3" in life are:&lt;br /&gt;&lt;br /&gt;- The management rule of thumb: Good, Cheap, Fast&lt;br /&gt;- Graduate student dilemma: Fun, Grades, Sleep (replace fun with your own idea of it)&lt;br /&gt;- Investment advice: Low Risk, High Return, Legality - if you pick low risk and high return, chances are you are compromising legality :-)&lt;br /&gt;&lt;br /&gt;The way I look at all these "rules" is that the space of
each of these domains offers only two degrees of freedom, and once you choose two points (which effectively determine or fix your degrees of freedom), the third point is chosen for you.&lt;br /&gt;&lt;br /&gt;For example, in "Good, Cheap, Fast", your degrees of freedom are basically time and money; once you choose how much time and money you want to spend, all three qualities are determined. So now, if you choose time and money not directly but indirectly, via the choice of say good and fast, you have automatically also chosen "not cheap".&lt;br /&gt;&lt;br /&gt;Interestingly, digital identity offers the same 2 out of 3 dynamics among its three main attributes: &lt;br /&gt;&lt;br /&gt;- Quality of Identity &lt;br /&gt;- Usability &lt;br /&gt;- Cost &lt;br /&gt;&lt;br /&gt;"Quality of Identity" is a measure of how uniquely a set of data represents a real-world person and how strongly an IDP stands behind such an assertion (for example, whether the IDP guarantees damages up to a certain amount resulting from inaccurate data); usability is how easy it is for the IDP to provision such identities.&lt;br /&gt;&lt;br /&gt;It is clear that if an IDP chooses to provide high quality identity and also wants to make its provisioning easy to use (or scalable, for that matter), it has to spend a lot of money.&lt;br /&gt;&lt;br /&gt;In practice though, IDPs segment the user base and only provide high quality identity for users to whom maximum credit is extended (e.g.
users who can sell the most on eBay).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-8425930514439974408?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/8425930514439974408/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/08/cap-therom-and-digital-identity.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/8425930514439974408'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/8425930514439974408'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/08/cap-therom-and-digital-identity.html' title='CAP Theorem and Digital Identity'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-337804742961993152</id><published>2010-07-12T13:52:00.000-07:00</published><updated>2010-08-08T14:00:39.807-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Enole - A New Identity Linking Startup</title><content type='html'>The other day, via Venture Beat, I learned about a new start-up called Enole. Since the company is in the identity domain I was naturally interested and started looking around. The idea is as interesting as it is old: to unify all identities online and offline and to carry them with you on your cell phone.
(use your favorite search engine to look for products, ideas and patents on storing all sorts of identity information on cell phones, ranging from credit cards to login names and passwords to codes that unlock cars and doors, etc.)&lt;br /&gt;However, it is often not the novelty of an idea that sets a company apart but the strength of its execution and market strategy. So with a bit of healthy skepticism I looked at the site.&lt;br /&gt;There is the usual marketing and hype on the web site – which I completely understand. Beyond the hype, Enole is a service that allows a developer/application (identified by a pre-issued token) to link up a user and a device. A user simply means an identifier string (an email or any other string). So effectively there is a link among three entities: the application that creates the link, the user and the device. &lt;br /&gt;The rest of the API is about the basic create, update and query of links, users and devices. However, there are a few key questions that are not answered in the documentation:&lt;br /&gt;- Can an application that has not created a user or device query them?&lt;br /&gt;- How does the system deal with duplicate email addresses and identifiers across multiple applications?&lt;br /&gt;- If another application picks up my device's unique id, can they query the Enole DB? If they can and get my information, do I need to authorize (OAuth style) the information before the application can use it?&lt;br /&gt;- How would a user remove his/her account?&lt;br /&gt;- How are the "sign-up" tokens stored and what happens if they are compromised? &lt;br /&gt;&lt;br /&gt;In essence, the API document describes the CRUD operations of the user, device and link entities but does not describe a formal authentication protocol between users, devices etc. As such it cannot really be evaluated in detail.&lt;br /&gt;&lt;br /&gt;Additionally, it is not very clear how end users (not developers) are in control of their own identity and information.
This is really big for any company that has ambitions in the identity area.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Also, if you have been reading my blog regularly you know that I give a LOT of significance to the language and terminology one uses to describe either her problem or solution. The language used on the Enole site is not that of the identity, authentication or communication protocol domains. This, to me, is not the most positive sign.&lt;br /&gt;&lt;br /&gt;Having said that, I think Enole is an early stage start-up, and like any other early stage start-up their original idea will evolve. I will keep an eye on them to see how they evolve and how their technology will be used.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-337804742961993152?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/337804742961993152/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/07/enole-new-identity-linking-startup.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/337804742961993152'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/337804742961993152'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/07/enole-new-identity-linking-startup.html' title='Enole - A New Identity Linking Startup'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16'
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-2257432710641112097</id><published>2010-07-03T16:44:00.000-07:00</published><updated>2010-07-03T16:44:06.593-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>Recall and Precision: It is not how many bad guys you caught, it is how many good guys suffered</title><content type='html'>The measurement of "Recall and Precision" is front and center in all of our fraud prevention measures and algorithms. You can read a &lt;a href="http://en.wikipedia.org/wiki/Precision_and_recall"&gt;general description of this concept and the mathematical definition in Wikipedia&lt;/a&gt;, but I have had better luck explaining the concept with this example:&lt;br /&gt;&lt;br /&gt;Imagine there is a band of armed robbers (say 5 guys) in your town and you sent your best cops to round them up. After a day they come back having arrested a group of men. How do you know if they did a good job?&lt;br /&gt;&lt;br /&gt;The obvious answer is whether they have arrested ALL the gang members. So the measurement is "how many gang members have they arrested?" In this regard 5 is better than 4 and 4 is better than 3. Simple.&lt;br /&gt;&lt;br /&gt;But is that enough? Let's imagine three outcomes:&lt;br /&gt;&lt;br /&gt;1 - The cops came back having arrested 5 guys, all of them gang members. This is perfect: they arrested ALL the RIGHT people and ZERO WRONG people; recall = precision = 100%.&lt;br /&gt;&lt;br /&gt;2 - The cops came back having arrested 10 guys, 5 gang members and 5 random and innocent guys.
In this case recall = 100% but precision is 50% - which in this case is clearly not acceptable (even worse, they could have arrested all the men in the community; recall would still be 100% but precision would be near zero - that is called Carpet Bombing).&lt;br /&gt;&lt;br /&gt;3 - The cops came back with 3 guys, all gang members; no innocent guy was arrested. In this case recall = 60% but precision = 100% - this is called Proof Beyond Reasonable Doubt, i.e. a philosophy of design whereby it is better to let a bad guy go free than to harm a good guy.&lt;br /&gt;&lt;br /&gt;In modeling risk and fraud and designing algorithms to prevent them, we always have to measure the algorithms based on their recall and precision. Low precision methods typically cost a lot in terms of customer support and friction in the user experience; low recall algorithms and methods result in higher losses for the company. &lt;br /&gt;&lt;br /&gt;In designing a Risk Management strategy, I tend to side with lower recall rather than lower precision, and then manage the ratio of loss/revenue with the higher revenue generated by higher precision - or the right customers who were let in.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;What if the cops came back with 10 guys, 5 are gang members and 5 are innocent?
in this case they arrested all gang members (100% catch rate or 100% recall) but&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-2257432710641112097?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/2257432710641112097/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/07/recall-and-precision-it-is-not-how-many.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2257432710641112097'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2257432710641112097'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/07/recall-and-precision-it-is-not-how-many.html' title='Recall and Precision: It is not how many bad guys you caught, it is how many good guys suffered'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-602228493881178346</id><published>2010-06-25T23:19:00.000-07:00</published><updated>2010-06-25T23:19:53.233-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Organization'/><title type='text'>Special Forces, Regular Army and Start ups</title><content type='html'>From time to time I advise start ups on mostly technical matters, inevitably they ask me for referrals to hire engineers or help with editing their job postings.&lt;br 
/&gt;&lt;br /&gt;Typically they email me a very detailed and specific job description for a, say, Data Architect or Ajax messaging programmer or Java Engineer, complete with an obscure list of libraries and technologies that the candidate is expected to have mastered (probably those technologies were suggested to them by their VC in their last meeting).&lt;br /&gt;&lt;br /&gt;Start-ups should be built like special forces, with a few brave and smart generalists with a lot of heart and a "get it done" attitude, not by deep specialists in any certain area - I am talking about the first few engineers here - a statistical modeler with no programming skills or a Data Architect with a focus on data replication makes a fine contractor for a short time to advise your core engineering team, but should not be one of the first 5 engineers you hire.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-602228493881178346?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/602228493881178346/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/06/special-forces-regular-army-and-start.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/602228493881178346'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/602228493881178346'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/06/special-forces-regular-army-and-start.html' title='Special Forces, Regular Army and Start ups'/><author><name>Farhang
(@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-5113761237179787378</id><published>2010-06-25T22:54:00.000-07:00</published><updated>2010-06-25T22:54:50.449-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Strategy'/><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><title type='text'>Wanna Make Your Life Hard? There is an app for that, or maybe 100,000</title><content type='html'>These days it is not uncommon to find someone with 100+ apps installed on his/her phone (maybe you are one of those?). I imagine most of those apps are used once or twice and never again; the only time you see them (or their icon) is when you scroll past them to get to the 2 or 3 (or five) apps you actually use frequently.&lt;br /&gt;&lt;br /&gt;This app mania clutters UIs and wastes a lot of time, and I can't help but think "do we simply forget all the lessons and progress of the last 10-15 years simply because a device came along with attractive aesthetics?"&lt;br /&gt;&lt;br /&gt;What happened to "the browser is the operating system"? In the days when most desktop apps are moving to the cloud and being delivered through browsers, why is it that most (if not all) mobile apps are native code?
Yes, native apps still have certain capabilities that browsers do not offer YET, but with HTML 5 and WebKit (and maybe with a little bit of industry support to close the remaining gaps) browser-based apps would be sufficient for the large majority of mobile apps.&lt;br /&gt;&lt;br /&gt;Don't get me wrong, there will always be a need for native apps, but much like with the desktop, over time only a few apps will be privileged to be native; most others will and should be browser-based, standard, write once, run on any browser apps.&lt;br /&gt;&lt;br /&gt;This makes development of mobile apps simpler and more cost effective: instead of maintaining three apps for iPhone, Android and Blackberry, most developers only maintain one version, and you only install the few apps that truly need to be native.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-5113761237179787378?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/5113761237179787378/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/06/wanna-make-your-life-hard-there-is-app.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5113761237179787378'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5113761237179787378'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/06/wanna-make-your-life-hard-there-is-app.html' title='Wanna Make Your Life Hard?
There is an app for that, or maybe 100,000'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-4348712464260640117</id><published>2010-06-14T22:18:00.000-07:00</published><updated>2010-06-14T22:18:05.623-07:00</updated><title type='text'>"My Dad is 50 years old, weighs 30 lbs and is 40 ft tall...I like him b/c he is silly"</title><content type='html'>A very competent and respected colleague of mine, in his early 30s, 5’9” and reasonably proportional I might add, has the following, written by his 5 year old son, posted in his cube:&lt;br /&gt;&lt;br /&gt;“My dad is 50 years old, 30lbs and 40 feet tall and I like him because he is silly”&lt;br /&gt;&lt;br /&gt;Besides it being funny and making me think what my daughters really think about me, it reminds me of how our products can be perceived and used by other engineers: the way they see them, not the way “they are”.&lt;br /&gt;&lt;br /&gt;If you are developing systems, services and products for other developers, it is important to understand that your product will be used the way others understand it and not the way you planned it to be used. I have seen a session service used as a general purpose cache, an ESB riddled with use-case specific routing logic, an authentication service used as a data pre-fetch mechanism and presentation logic (in XSL) saddled with complex and critical business logic – of course in XSL.
All examples of how we all use tools to solve our problems regardless of whether or not the tool is meant for it (remember eating jelly with a knife?)&lt;br /&gt;&lt;br /&gt;The first solution of course is documentation, but here is what that documentation should include:&lt;br /&gt;&lt;br /&gt;- Real world, working and end-to-end examples of the right way to use the services/product&lt;br /&gt;&lt;br /&gt;- Examples should be cut-and-pasteable (to the extent possible)&lt;br /&gt;&lt;br /&gt;- Realistic examples of the wrong way of using the systems, updated periodically as new misuses surface&lt;br /&gt;&lt;br /&gt;- Directions and pointers for how to address the original need leading to the misuse.&lt;br /&gt;&lt;br /&gt;- Address of a user (or expert monitored) forum where users can get help&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-4348712464260640117?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/4348712464260640117/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/06/my-dad-is-50-years-old-weighs-30-lbs.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4348712464260640117'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/4348712464260640117'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/06/my-dad-is-50-years-old-weighs-30-lbs.html' title='&quot;My Dad is 50 years old, weighs 30 lbs and is 40 ft tall...I like him b/c he is silly&quot;'/><author><name>Farhang
(@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-3956498952567523884</id><published>2010-06-10T11:44:00.000-07:00</published><updated>2010-06-10T11:44:27.636-07:00</updated><title type='text'>Presentation for my eBay DevCon 2010 Talk</title><content type='html'>Here is the slide deck for my talk @ eBay DevCon 2010: &lt;a href="http://www.slideshare.net/farhangkassaei/the-userwhocameinfromthecloud-devcon2010v5"&gt;The User Who Came In From the Cloud&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;If you ever wanted to consume identity from external identity providers (Facebook, Google, Yahoo, PayPal etc.) you may want to check it out.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div id="__ss_4467245" style="width: 425px;"&gt;&lt;strong style="display: block; margin: 12px 0pt 4px;"&gt;&lt;a href="http://www.slideshare.net/farhangkassaei/the-userwhocameinfromthecloud-devcon2010v5" title="The userwhocameinfromthecloud devcon2010-v_5"&gt;The userwhocameinfromthecloud devcon2010-v_5&lt;/a&gt;&lt;/strong&gt;&lt;object height="355" id="__sse4467245" width="425"&gt;&lt;param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=theuserwhocameinfromthecloud-devcon2010v5-100610133828-phpapp01&amp;amp;stripped_title=the-userwhocameinfromthecloud-devcon2010v5" /&gt;&lt;param name="allowFullScreen" value="true"/&gt;&lt;param name="allowScriptAccess" value="always"/&gt;&lt;embed name="__sse4467245" src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=theuserwhocameinfromthecloud-devcon2010v5-100610133828-phpapp01&amp;amp;stripped_title=the-userwhocameinfromthecloud-devcon2010v5" type="application/x-shockwave-flash" allowscriptaccess="always"
allowfullscreen="true" width="425" height="355"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div style="padding: 5px 0pt 12px;"&gt;View more &lt;a href="http://www.slideshare.net/"&gt;presentations&lt;/a&gt; from &lt;a href="http://www.slideshare.net/farhangkassaei"&gt;farhangkassaei&lt;/a&gt;.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-3956498952567523884?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/3956498952567523884/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/06/presentation-for-my-ebay-devcon-2010.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3956498952567523884'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3956498952567523884'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/06/presentation-for-my-ebay-devcon-2010.html' title='Presentation for my eBay DevCon 2010 Talk'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-7634161704403784339</id><published>2010-06-04T22:12:00.000-07:00</published><updated>2010-06-04T22:12:41.995-07:00</updated><title type='text'>"Failure is not fatal, but failure to change might be" John Wooden</title><content type='html'>John Wooden, the Wizard of Westwood, passed
away today. I imagine most of the readers of my blog probably do not know him; you can read all about him by visiting &lt;a href="http://www.coachwooden.com/"&gt;his official web site.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;He was the embodiment of the word "coach": not only did he win 10 national championships (7 consecutive), he developed players and MEN.&lt;br /&gt;&lt;br /&gt;I am a Big Ten guy and never cared much about the Pac 10, but I learned about Wooden by learning about his amazing basketball dynasty at UCLA - anyone who has ever worked with young 20 year old programmers can appreciate what it takes to get them to focus on a goal and develop the discipline to achieve it - then I read his books and his favorite maxims. And only then did I truly appreciate why they call him "The Wizard".&lt;br /&gt;&lt;br /&gt;Of course he was not a software architect, but what he said about "...failure to change" should be on top of every architect's mind; he proved it by architecting a system that worked flawlessly in 12 different environments. How many of us can create a system that works in 12 different environments?
&lt;br /&gt;&lt;br /&gt;Yet again, this convinces me that the essence of architecture is changing gracefully.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-7634161704403784339?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/7634161704403784339/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/06/failure-is-not-fatal-but-failure-to.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7634161704403784339'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7634161704403784339'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/06/failure-is-not-fatal-but-failure-to.html' title='&quot;Failure is not fatal, but failure to change might be&quot; John Wooden'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-5592463605660394545</id><published>2010-05-29T11:46:00.000-07:00</published><updated>2010-05-29T12:01:36.410-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Talks'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>eBay DevCon 2010 Talk and The Spy Who Came in from the Cold</title><content type='html'>&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;div class="separator"
style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_9omyFnkXzaE/TAFkewif0dI/AAAAAAAAMCU/tEOc4KCV-TY/s1600/imgDevConLogo.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://2.bp.blogspot.com/_9omyFnkXzaE/TAFkewif0dI/AAAAAAAAMCU/tEOc4KCV-TY/s200/imgDevConLogo.gif" width="105" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;/td&gt; &lt;td&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_9omyFnkXzaE/TAFiOzeUR1I/AAAAAAAAMCM/UoeQCUwnSpM/s1600/spy-who-came-in-from-the-cold-the-xlarge.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="180" src="http://3.bp.blogspot.com/_9omyFnkXzaE/TAFiOzeUR1I/AAAAAAAAMCM/UoeQCUwnSpM/s320/spy-who-came-in-from-the-cold-the-xlarge.jpg" width="100" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/td&gt; &lt;/tr&gt;&lt;tr&gt; &lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;I will give a talk on federated identity and best practices for relying parties at this year's eBay Developers' Conference in San Jose. The talk starts at 1:30 pm on June 10th; the location is the San Jose Fairmont Hotel in San Jose's grossly underrated beautiful downtown.&lt;br /&gt;&lt;br /&gt;The title of the talk is "The User Who Came in From the Cloud".
It is a play on my favorite cold war spy novel of all time, &lt;a href="http://en.wikipedia.org/wiki/The_Spy_Who_Came_in_from_the_Cold"&gt;"The Spy Who Came in from the Cold"&lt;/a&gt;; if you are into spy novels or are a cold war buff, I recommend reading it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-5592463605660394545?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/5592463605660394545/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/05/ebay-devcon-2010-talk.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5592463605660394545'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5592463605660394545'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/05/ebay-devcon-2010-talk.html' title='eBay DevCon 2010 Talk and The Spy Who Came in from the Cold'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_9omyFnkXzaE/TAFkewif0dI/AAAAAAAAMCU/tEOc4KCV-TY/s72-c/imgDevConLogo.gif' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-2918387925698031479</id><published>2010-05-16T21:25:00.000-07:00</published><updated>2010-05-16T21:26:07.548-07:00</updated><title type='text'>LinkedIn
Recommendations Negatively Correlate to Performance?</title><content type='html'>I always wondered how true LinkedIn recommendations really are. It is a given that there is a strong positive bias in them; after all, you ask for those recommendations presumably from people who liked what you did. Still, I was curious to see whether they have a correlation with performance. Now, rather unscientifically, I am arriving at the conclusion that they do, but &lt;b&gt;negatively&lt;/b&gt;!&lt;br /&gt;&lt;br /&gt;I interview a lot of people, and due to the nature of my job I also know and work with a lot of people. These people range from junior engineers to mid-level managers to senior executives, and from smart, talented and competent to not very effective and sometimes downright "wrongly cast". For all my interviews, and recently for people I worked with who, in my view, fall into the extremes of performance, I looked them up on LinkedIn. The outcome was surprising: the competent people almost never had any recommendations and half the time not even a complete profile. On the other hand, the people on the less competent side of the spectrum often had glowing references from half a dozen folks. Why is that? I cannot be sure, but here is my guess:&lt;br /&gt;&lt;br /&gt;The less competent people know where they fit in the performance curve; they anticipate needing to look for a job sooner rather than later, so they make sure their affairs are in order. 
They ask for references more frequently and are likely to get them since, first, people are, or would like to be, nice and helpful, and second, they expect reciprocity.&lt;br /&gt;On the other hand, more competent folks either do not expect a job hunt or, if they need one, often get a job through their own network (they follow their bosses or other colleagues, who do whatever they can to get them to join their new gig).&lt;br /&gt;&lt;br /&gt;To be clear, I do not hold anyone's LinkedIn recommendations against them; I am just stating an observation over the past 18-24 months.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-2918387925698031479?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/2918387925698031479/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/05/linkedin-recommendations.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2918387925698031479'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2918387925698031479'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/05/linkedin-recommendations.html' title='LinkedIn Recommendations Negatively Correlate to Performance?'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-6575287405249130195</id><published>2010-04-29T23:35:00.000-07:00</published><updated>2010-04-29T23:35:06.778-07:00</updated><title type='text'>Appholes!</title><content type='html'>Jon Stewart is a communication genius, as evidenced by the title of this post, borrowed from him. He has somehow mastered the art of hiding behind a comedy shield and turning serious when he needs to make his point. He has become the nation's moral compass of sorts. But that is a different story.&lt;br /&gt;&lt;br /&gt;I read &lt;a href="http://www.apple.com/hotnews/thoughts-on-flash/"&gt;Jobs' Thoughts on Flash&lt;/a&gt;, where he describes Apple's reasons for banning Adobe's popular Flash technology from Apple products, all the while thinking to myself "you've got to be kidding me!".&lt;br /&gt;&lt;br /&gt;Where are all the MSFT bashers of the mid-90s and early 2000s? Half the countries in the world would have dragged MSFT to their highest court if it had ever done such a thing. After all, MSFT didn't ban Netscape's browser, it simply made its own the default.&lt;br /&gt;&lt;br /&gt;Back then, MSFT made the same claim as Apple does today:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;"Our motivation is simple – we want to provide the most advanced and innovative platform to our developers..."&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Why is there no outrage this time around in the tech world? Why the double standard?&lt;br /&gt;&lt;br /&gt;Now, banning Flash is only one example; Apple's reaction to Gizmodo is also something that makes you wonder. 
Listen to Stewart's version of it:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.thedailyshow.com/watch/wed-april-28-2010/appholes" target="_blank"&gt;The Daily Show With Jon Stewart: Appholes&lt;/a&gt; (&lt;a href="http://www.thedailyshow.com/" target="_blank"&gt;www.thedailyshow.com&lt;/a&gt;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-6575287405249130195?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/6575287405249130195/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/04/appholes.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3442944337117380119/posts/default/6575287405249130195'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/6575287405249130195'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/04/appholes.html' title='Appholes!'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-6028678087798759523</id><published>2010-04-21T23:24:00.000-07:00</published><updated>2010-09-07T22:06:14.358-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>xAuth: Second Tier IDP Club</title><content type='html'>I learned today that the toolbar company Meebo announced a proposed standard called &lt;a href="http://xauth.org/"&gt;xAuth&lt;/a&gt; to solve the so-called &lt;a href="http://factoryjoe.com/blog/2009/04/06/does-openid-need-to-be-hard/"&gt;NASCAR problem&lt;/a&gt; of OpenID.&lt;br /&gt;&lt;br /&gt;The essence of the solution is to create a centralized database (xauth.org) where users' preferred IDPs are listed. For example, if you use Google Friend Connect, then the xauth.org DB saves that preference for you. Now the publishers/RPs that you visit make a call to xauth.org (upon your visit), learn that you prefer to "log in" using GFC, and show only that logo to you instead of a dozen logos from FB, Twitter, Yahoo, AOL, Google, Microsoft, VeriSign and whoever else jumps on the federated ID bandwagon.&lt;br /&gt;&lt;br /&gt;My initial reaction (emphasis on initial) is "Are you serious?" 
and "Is it opt-in or opt-out?" (apparently it is opt-out).&lt;br /&gt;&lt;br /&gt;Two comments:&lt;br /&gt;1- Of course collecting all people's information in one central database makes a lot of things easier, smoother or more efficient, but there is a reason we don't do it (at least not yet), regardless of how noble the initial intent may be.&lt;br /&gt;&lt;br /&gt;2- And this is important: the identity provider business is one of those things that have a real &lt;a href="http://en.wikipedia.org/wiki/Network_effect"&gt;network effect&lt;/a&gt;. That means, by definition and nature, that in the IDP business there cannot be a dozen winners; it is a winner-take-all type of game (or a few winners, two or three, at most). The NASCAR problem exists because no one wants to admit that it will not be one of the winners. But time will take care of this. For now, support for xAuth seems to have become an admission of membership in the "Second Tier IDP Club"; after all, if you think you are going to be one of the winners, why would you want to remove your logo from the NASCAR race?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-6028678087798759523?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/6028678087798759523/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/04/xauth-second-tiere-idp-club.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/6028678087798759523'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/6028678087798759523'/><link rel='alternate' type='text/html' 
href='http://softwareforallseasons.blogspot.com/2010/04/xauth-second-tiere-idp-club.html' title='xAuth: Second Tier IDP Club'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-7326271828393593842</id><published>2010-04-19T10:46:00.000-07:00</published><updated>2010-04-19T10:51:35.421-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Talks'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity'/><title type='text'>Identity Assertion Framework Talk @ Stanford Presentation</title><content type='html'>Here is the presentation for my talk today @ &lt;a href="http://crypto.stanford.edu/seclab/sem-09-10/farhang.html"&gt;Stanford&lt;/a&gt;. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div id="__ss_3777089" style="width: 425px;"&gt;&lt;strong style="display: block; margin: 12px 0pt 4px;"&gt;&lt;a href="http://www.slideshare.net/farhangkassaei/ebay-identity-assertion-framework-iaf" title="eBay Identity Assertion Framework (IAF)"&gt;eBay Identity Assertion Framework (IAF)&lt;/a&gt;&lt;/strong&gt;&lt;object height="355" width="425"&gt;&lt;param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=iaf-stanfordsecurityseminar04192010-100419120018-phpapp01&amp;amp;stripped_title=ebay-identity-assertion-framework-iaf" /&gt;&lt;param name="allowFullScreen" value="true"/&gt;&lt;param name="allowScriptAccess" value="always"/&gt;&lt;embed src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=iaf-stanfordsecurityseminar04192010-100419120018-phpapp01&amp;amp;stripped_title=ebay-identity-assertion-framework-iaf" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="355"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div style="padding: 5px 0pt 12px;"&gt;View more &lt;a href="http://www.slideshare.net/"&gt;presentations&lt;/a&gt; from &lt;a href="http://www.slideshare.net/farhangkassaei"&gt;farhangkassaei&lt;/a&gt;.&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;You can &lt;a href="http://www.slideshare.net/farhangkassaei/ebay-identity-assertion-framework-iaf"&gt;download the presentation for eBay's Identity Assertion Framework&lt;/a&gt; now. 
The talk is today (April 19, 2010); &lt;a href="http://crypto.stanford.edu/seclab/sem-09-10/farhang.html"&gt;here is more information on time and place&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I have promised to write a bit more about IAF to a few people, and I intend to keep my promise.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-7326271828393593842?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/7326271828393593842/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/04/identity-assertion-framework-talk.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7326271828393593842'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7326271828393593842'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/04/identity-assertion-framework-talk.html' title='Identity Assertion Framework Talk @ Stanford Presentation'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-2668870932877301881</id><published>2010-04-07T22:59:00.000-07:00</published><updated>2010-04-07T22:59:42.769-07:00</updated><title type='text'>10 Decisions a Relying Party should make.</title><content type='html'>Open and federated identity schemes such as &lt;a 
href="http://www.openid.net/"&gt;OpenID&lt;/a&gt;, InfoCard, &lt;a href="http://developers.facebook.com/connect.php"&gt;FBConnect&lt;/a&gt;, &lt;a href="http://www.google.com/friendconnect/"&gt;GFC&lt;/a&gt; or sometimes even SAML are getting a lot of attention these days, with OpenID capturing the biggest mind share.&lt;br /&gt;&lt;br /&gt;A lot has been written (and standardized) about open identity protocols, transport bindings and token formats (things that are the primary concerns of IDPs, identity providers). However, I feel less attention has been paid to the changes that Relying Parties (RPs) have to make to their systems (user experience and design, identity and account structure, session management, etc.); after all, there is a big difference between provisioning your own identities and performing your own primary authentication vs. relying on someone else to do it for you.&lt;br /&gt;&lt;br /&gt;Here is a list of 10 things (you know it had to be 10!) that you need to think about and decide if you are planning to be a Relying Party:&lt;br /&gt;&lt;br /&gt;1.&amp;nbsp; &lt;b&gt;Decide which IDPs to accept&lt;/b&gt;: Not all IDPs are created equal, of course.&lt;br /&gt;2.&amp;nbsp; &lt;b&gt;The design of the sign-in and registration page&lt;/b&gt;: in a way that encourages the use of OpenID but does not confuse users who do not use OpenID or do not know what it is.&lt;br /&gt;3.&amp;nbsp; &lt;b&gt;Covering the "Information gap"&lt;/b&gt;: How to capture information that you need and that is not provided by the user's IDP during the initial session, and determining whether you can call the IDP (through a back channel) and ask for more (or updated) information about a user.&lt;br /&gt;4.&amp;nbsp; &lt;b&gt;Privileges:&lt;/b&gt; Decide whether an OpenID user of your site has all the privileges of a local user, or whether they need to create a local account before they can perform certain activities.&lt;br /&gt;5.&amp;nbsp; &lt;b&gt;Covering the "trust gap"&lt;/b&gt;: Do you need the IDP to provide some level of assurance (or verification) of the attributes it is providing you? For example, if the IDP provides the user's home address, do you need this address to be verified?&lt;br /&gt;6.&amp;nbsp; &lt;b&gt;Account Linking&lt;/b&gt;: decide whether you plan to become a true RP (i.e. no local account with a local user name and password) or whether, upon the initial OpenID session, you plan to ask the user to "register" with your site and create a local user name and password.&lt;br /&gt;7.&amp;nbsp; &lt;b&gt;Session Management&lt;/b&gt;: Do you plan to sync your local session with the IDP session length (or make it shorter or longer)? Regardless, will you "force re-authentication" for certain activities?&lt;br /&gt;8.&amp;nbsp; &lt;b&gt;Profile Change Management&lt;/b&gt;: How do you plan to deal with users who lose/forget their OpenID? Is it important for you that a user&amp;nbsp; &lt;br /&gt;9.&amp;nbsp; &lt;b&gt;Account Cardinality: &lt;/b&gt;How many local accounts will you allow to be associated with one OpenID identifier? Conversely, can one local account be associated with multiple OpenID identifiers?&lt;br /&gt;10.&amp;nbsp; &lt;b&gt;Logout: &lt;/b&gt;When an OpenID user logs out of your site, are you planning to report that to the IDP for federated logout?&lt;br /&gt;&lt;br /&gt;And if you are looking for controversy, consider the issue of "reporting adverse behavior": if an RP experiences adverse behavior from a user with an OpenID, should the RP report it to the IDP? If you consider IDPs equivalent to robots, then it seems the &lt;a href="http://en.wikipedia.org/wiki/Three_Laws_of_Robotics"&gt;Three Laws of Robotics&lt;/a&gt; say no, but if you think of IDPs more like credit bureaus (or evolving to become more like identity bureaus), then &lt;a href="http://en.wikipedia.org/wiki/ChexSystems"&gt;ChexSystems&lt;/a&gt; indicates otherwise....&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-2668870932877301881?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/2668870932877301881/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/04/10-decision-relying-party-should-make.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2668870932877301881'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2668870932877301881'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/04/10-decision-relying-party-should-make.html' title='10 Decisions a Relying Party should make.'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-7975668049375259991</id><published>2010-04-02T22:51:00.000-07:00</published><updated>2010-04-02T22:52:57.860-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><title type='text'>Key to Scalability: Distributed System Development</title><content type='html'>Today I came across this &lt;a href="http://www.cs.cornell.edu/projects/ladis2009/talks/dean-keynote-ladis2009.pdf"&gt;nice presentation about Google internal architecture practices&lt;/a&gt; by Jeff Dean. Plenty of valuable advice and common sense (the most uncommon of all senses). I just wanted to highlight one item that I feel is a bit under-appreciated: on page 20, when he talks about key attributes of distributed systems, there is one bullet point that reads:&lt;br /&gt;&lt;br /&gt;Development cycles largely decoupled&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; – lots of benefits: small teams can work independently&lt;br /&gt;&lt;br /&gt;On one hand this is so obvious! After all, they are "distributed" systems; how can they have a coupled life cycle? On the other hand, so many people complain about the lack of productivity and agility in large "distributed" systems. When you look closer, you find out that they had a fairly decoupled system initially and more or less got the boundaries right; however, &lt;b&gt;&lt;u&gt;they coupled the life cycles of all applications and services together&lt;/u&gt;&lt;/b&gt;!&lt;br /&gt;&lt;br /&gt;This means the whole organization releases with one giant push, the whole system all together. 
Everyone has to be on the same page; over time this unified "beat" brings down the boundaries and soon the "distributed" system becomes a monolith.&lt;br /&gt;&lt;br /&gt;I will write a few more entries about the basic principles that enable truly distributed (and autonomous) application development.&lt;br /&gt;&lt;br /&gt;By the way, &lt;a href="http://www.addsimplicity.com/downloads/eBaySDForum2006-11-29.pdf"&gt;here is eBay's version of scalability advice&lt;/a&gt; (a bit dated, but updating it is on my to-do list) by Dan Pritchett.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-7975668049375259991?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/7975668049375259991/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/04/key-to-scalability-distributed-system.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7975668049375259991'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/7975668049375259991'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/04/key-to-scalability-distributed-system.html' title='Key to Scalability: Distributed System Development'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-1250220737715002134</id><published>2010-04-02T22:27:00.000-07:00</published><updated>2010-04-02T22:27:42.914-07:00</updated><title type='text'>eBay Social Shopping w/ Google Friend Connect</title><content type='html'>Today, with &lt;a href="http://googlesocialweb.blogspot.com/2010/03/introducing-ebay-social-shopping-gadget.html"&gt;Jay Patel's post on the Google Social Web Blog&lt;/a&gt;, we released the alpha version of the eBay Social Shopping gadget. It is a cool little gadget that allows any site (that is registered with Google Friend Connect) to surface eBay inventory and mix it with social functions such as recommendations to friends, rankings, sharing eBay activities (bid, buy, watch, etc.) with friends, and so on.&lt;br /&gt;&lt;br /&gt;You can read more about it by visiting &lt;a href="http://ess.ebay.com/"&gt;ess.ebay.com&lt;/a&gt; and seeing our demos.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-1250220737715002134?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/1250220737715002134/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/04/ebay-social-shopping-w-google-friend.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/1250220737715002134'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/1250220737715002134'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/04/ebay-social-shopping-w-google-friend.html' 
title='eBay Social Shopping w/ Google Friend Connect'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-5965387520283905130</id><published>2010-03-31T22:37:00.000-07:00</published><updated>2010-03-31T22:37:23.652-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><category scheme='http://www.blogger.com/atom/ns#' term='Organization'/><title type='text'>Meetings kill  Loose Coupling</title><content type='html'>There is a brilliant, yet underutilized, sociological observation called the &lt;a href="http://www.melconway.com/research/committees.html"&gt;Conway’s Law&lt;/a&gt;. It was stated by Mel Conway in his 1968 paper. It states that:&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;b&gt;Any organization that designs a system will inevitably produce a design whose structure is a copy of the organization's communication structure.&lt;/b&gt;&lt;/div&gt;&lt;br /&gt;The key phrase is “communication structure”, that is roughly, but not always, equal to organization structure.&lt;br /&gt;You may have not heard of or read his paper, but I am sure you have seen the effect of his observation: &lt;br /&gt;&lt;br /&gt;If you have two teams called Application and Kernel, then chances are you end up with two deployment units called applications and kernel (jars or folders or zip files or any other form of bundling code), on the other hand if you engineering organization has two teams called Books and Games, then you end up with a book and a game application, if there is no other team/group, it is unlikely that you can see a kernel or core subsystem that encapsulate the common construct between the 
two.&lt;br /&gt;&lt;br /&gt;Now, we all know about the principle of loose coupling, and how it enables flexibility, efficiency, increased productivity etc. One very effective way of creating loose coupling between two systems (let’s call them consumer and producer) is to make sure that members of the producer team do not meet with members of the consumer team! You may convey requirements to them, but forbid meetings. If there is no communication, it is hard to build hard coupling. It is a bit strange and counter-intuitive, but we have used this with success in building key infrastructure services.&lt;br /&gt;&lt;br /&gt;I have found that a good early predictor of the level of coupling (or quality of interfaces in general) of a system is the list of invitees to its early design meetings. Whenever one or a few engineers from a future consumer are part of the meeting, there is a good indication that the systems will be somehow coupled (either through the types or domain values of parameters passed, the way errors are handled, the marshalling of the result, or even the terminology used) – This of course is a generalization: the team somehow has to collect requirements, share results and get early feedback, and this is all OK, but if your goal is to create a “loosely coupled” system, you should make sure your communication structures are loosely coupled as well.&lt;br /&gt;Take a service that verifies a credit card number to ensure validity and that a provided name indeed matches the credit card issuer's record. This service may have a method/operation in its interface:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;Result VerifyCreditCard(UserId id)&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;It assumes that somehow the service can obtain a credit card number from a supplied UserID. 
This is a very tightly coupled interface that shows the service provider has had too much knowledge about its consumer. &lt;br /&gt;Here is a less tightly coupled (better) example:&lt;br /&gt;&lt;br /&gt;&lt;b style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;Result VerifyCreditCard(CreditCard card, BuyerName buyerName)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;This is not too bad, but the choice of “BuyerName” indicates that the provider knows that the consumer (the one she probably met with) happens to deal with principals that are buyers.&lt;br /&gt;Consider a loosely coupled version that one would probably write if there is no additional knowledge of potential consumers:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;Result VerifyCreditCard(CreditCard card, Name name)&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Communication channels are very important in interface design. This means people in each design meeting should be selected carefully: if system A should not be dependent on system B, the best way to ensure it is to reduce communication between the developers of system A and system B.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-5965387520283905130?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/5965387520283905130/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/03/meetings-kill-loose-coupling.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5965387520283905130'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5965387520283905130'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/03/meetings-kill-loose-coupling.html' title='Meetings kill  Loose Coupling'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-3762336737078084945</id><published>2010-03-30T22:07:00.000-07:00</published><updated>2010-03-30T22:07:39.737-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><title type='text'>Evolving Gracefully - Example I</title><content type='html'>In my posts, "What is Architecture", &lt;a href="http://softwareforallseasons.blogspot.com/2010/03/what-is-software-architecture-part-i.html"&gt;Part I&lt;/a&gt; and &lt;a href="http://softwareforallseasons.blogspot.com/2010/03/what-is-software-architecture-part-ii.html"&gt;Part II&lt;/a&gt;, I argued that architecture is essentially what enables a system to evolve gracefully and traverse an optimal path in response to changes (requirements, assumptions, context, inputs etc.). In this post (and in a few more) I give examples of such changes and possible optimal/graceful (or non-optimal/disruptive) responses of a system.&lt;br /&gt;&lt;br /&gt;Take "Accessibility Requirement" as an example. Few software systems are designed with the explicit goal of accessibility as one of the main architecture and design goals. 
However, some systems at some point must comply with certain accessibility standards and guidelines (it is good usability practice, the right thing to do, good business and the law) - &lt;a href="http://www.webaim.org/intro/"&gt;see a very good introduction to accessibility from WebAIM.org here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Now, if someone came one morning and asked you to make sure every image in every single HTML page of your site has an alt attribute, what would be your response? Remember this may be 1000s of image tags in 10s or 100s of applications produced by developers across three continents.&lt;br /&gt;&lt;br /&gt;If your architecture (and the design and implementation of it) decoupled model construction from actual rendering, with a centralized rendering engine that takes a data structure (such as a DOM) and uses a rendering strategy to produce XHTML, then your architecture (and you) has no problem responding to this new requirement easily. You'd simply make sure that when the renderer visits an &lt;img /&gt; element, it finds an alt attribute. This is an optimal response to change. Although the system was not particularly designed with accessibility in mind, since it was built based on the right architecture, it can evolve to accommodate change.&lt;br /&gt;&lt;br /&gt;However, if the 1000s of HTML pages on your site are produced by 100s of JSP scripts, a few PHP scripts, some XSL, a few instances of dynamically created &lt;img /&gt; tags in JavaScript etc., you would have a nightmare on your hands. 
This is an example of architecture that can not evolve ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-3762336737078084945?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/3762336737078084945/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/03/evolving-gracefully-example-i.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3762336737078084945'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/3762336737078084945'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/03/evolving-gracefully-example-i.html' title='Evolving Gracefully - Example I'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-1158281421684066403</id><published>2010-03-29T20:47:00.000-07:00</published><updated>2010-03-29T20:47:43.432-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Talks'/><title type='text'>Identity Assertion Framework (IAF) Talk at Stanford</title><content type='html'>&amp;nbsp;I will give a &lt;a href="http://crypto.stanford.edu/seclab/sem-09-10/farhang.html"&gt;talk&lt;/a&gt; about eBay's framework for handling federation, federated token services and distributed 
authentication - called IAF - at Stanford on Monday April 19th, 2010. Here is a &lt;a href="http://crypto.stanford.edu/seclab/sem-09-10/farhang.html"&gt;brief description&lt;/a&gt;. The talk is part of the &lt;a href="http://crypto.stanford.edu/seclab/sem.html"&gt;Stanford Security Seminar&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;This is an area that is poorly understood by software developers and architects who are new to security or authentication. I will write more about the topic of "authentication" and eBay's framework for handling it in more detail. Look for it under the labels "Identity" and "Security".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-1158281421684066403?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/1158281421684066403/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/03/identity-assertion-framework-iaf-talk.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/1158281421684066403'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/1158281421684066403'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/03/identity-assertion-framework-iaf-talk.html' title='Identity Assertion Framework (IAF) Talk at Stanford'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-8595622780260827253</id><published>2010-03-26T21:12:00.000-07:00</published><updated>2010-03-26T21:12:10.217-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><title type='text'>What is Software Architecture - Part II</title><content type='html'>In part I, I offered my view of software architecture by illustrating what "architecture" does for you: it allows you to deal with change optimally. This is basically saying architecture is what allows a system to change without changing fundamentally what it is (forgetting about &lt;a href="http://en.wikipedia.org/wiki/Dialectic"&gt;Dialectics &lt;/a&gt;for a moment). In other words:&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;b&gt;&amp;nbsp; Architecture is what enables a system to evolve gracefully &lt;/b&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;You may ask, how else would a system change? How is &lt;a href="http://www.youtube.com/watch?v=h3K3kEDEAN4"&gt;this&lt;/a&gt; for an example? Don't let the glitz and glitter fool you. This is an example of an architecture that failed to evolve according to the changes in its context, and the accumulation of demands for change finally resulted in its destruction. However, I doubt that you will see an implosion of the &lt;a href="http://www.boncherry.com/blog/wp-content/uploads/2009/08/taj-mahal.jpg"&gt;Taj Mahal&lt;/a&gt; - architect &lt;a href="http://en.wikipedia.org/wiki/Ustad_Ahmad_Lahauri"&gt;&lt;b&gt;Ustad (Master) Ahmad Lahouri&lt;/b&gt; &lt;/a&gt;- any time soon.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;Now you may say, well these are buildings, what do they have to do with software? 
I don't want to overplay the building metaphor, but software systems act similarly. How many times have you seen a multi-million dollar investment in, say, a customer support system or CRM system or messaging infrastructure or authorization system etc., only to see it scrapped two or three years later in favor of another multi-million dollar system?&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;On the start-up side, often the first and only concern is to make it work and to survive, but when the time comes to scale, they often have to re-write from scratch; that is the software counterpart of a Vegas hotel implosion.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;In my next post, I will give you a few software and system examples of graceful evolution courtesy of good architecture practice and "implosion" for lack thereof. &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-8595622780260827253?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/8595622780260827253/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/03/what-is-software-architecture-part-ii.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/8595622780260827253'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/8595622780260827253'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/03/what-is-software-architecture-part-ii.html' title='What is Software Architecture - Part II'/><author><name>Farhang 
(@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-2324558775190550499</id><published>2010-03-25T21:51:00.000-07:00</published><updated>2010-03-26T22:11:26.090-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Architecture'/><title type='text'>What is Software Architecture - Part I</title><content type='html'>My job title carries the word “architect” - although my Mom never fails to point out that I am not a real architect like my brother is. In the software engineering community in general, and in Silicon Valley in particular, this title is almost always received as an incomplete description of what a person does. People always expect an additional clarification; they give you an inquiring look “… so what is it exactly that you do?”&lt;br /&gt;The title reminds me of the “food supplement” industry: unlike drugs, it is unregulated and anyone can claim anything, from a magical weight loss pill to a cure-for-emphysema powder. In our industry too, anyone can claim the title and define it as s/he sees fit.  The title also conjures up images of a two-class software society: a lower class of software engineers who actually code and a ruling, elite class of architects that do not code or even read and understand code – and inevitably over time lose touch with reality. Out of concern for the latter, some companies even eliminate the title altogether.&lt;br /&gt;But what exactly do architects do? &lt;br /&gt;I try to answer this question by answering the closely related question: What is Software Architecture? 
&lt;br /&gt;Let me get to the bottom line first and explain later:  I view architecture as a discipline that enables a system to deal with change optimally.&lt;br /&gt;There are two key terms in this definition, change and “optimally”. &lt;br /&gt;Let’s start with change.&lt;br /&gt;Non-trivial software is a system, and like any other system it is subject to change over time. The change happens in all aspects and along all dimensions: scale, cost, expectations, visibility, criticality, operating environment, competitive landscape, technology, economy, people, organization etc.&lt;br /&gt;One prominent and widely known example of “change” is rapid growth in demand from a software system, or what is commonly known as “scale”. Our general expectation of a well-architected system is that it handles scale gracefully and with no disruption. However, some systems crash and need to be fully re-designed for the new level of demand (remember the early days of Twitter?)&lt;br /&gt;To be precise, this type of scale is scalability to handle homogeneous users, i.e. all users of eBay were assumed to be individual buyers and sellers (no medium to large sellers), all Facebook users were assumed to be college students, or all users of an enterprise system could be assumed to be internal users.&lt;br /&gt;Another example of change is scale of operation or non-homogeneous user demand, i.e. the system does not necessarily experience a change in the volume of demand from one type of user, but has to handle demand from different types of users, for example eBay wanting to deal with large merchants, or Facebook wanting to open its platform to everyone (not just college students). &lt;br /&gt;These were only two examples of change in the form of scale. What differentiates a well-architected system from a “system that works” is how well it responds to those changes.&lt;br /&gt;The second key term in our definition was “optimally”. 
Optimally means the change can be absorbed and handled by the system with no (or minimum) disruption; in other words, the system is designed in a way that the scope of change is predetermined and the extent of it is contained: no crisis, no building the system from scratch, no revolution! The system simply evolves along a smooth path. That is the essence of architecture (at least the software kind).&lt;br /&gt;The pictures below depict the disruptive and the graceful response to change:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_9omyFnkXzaE/S6w8YQgPgfI/AAAAAAAAJv4/vX--V9WNao4/s1600/DisruptiveChange.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_9omyFnkXzaE/S6w8YQgPgfI/AAAAAAAAJv4/vX--V9WNao4/s320/DisruptiveChange.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;This one shows the same change scenario, but one where change is handled gracefully, presumably with a well-architected system.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_9omyFnkXzaE/S6w8l-5sjwI/AAAAAAAAJwA/jrJDvgAeOoU/s1600/gracefulChange.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/_9omyFnkXzaE/S6w8l-5sjwI/AAAAAAAAJwA/jrJDvgAeOoU/s320/gracefulChange.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;In the next post, I will give a few examples to make this view of what architecture is clearer.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-2324558775190550499?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/2324558775190550499/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://softwareforallseasons.blogspot.com/2010/03/what-is-software-architecture.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2324558775190550499'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/2324558775190550499'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2010/03/what-is-software-architecture.html' title='What is Software Architecture - Part I'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_9omyFnkXzaE/S6w8YQgPgfI/AAAAAAAAJv4/vX--V9WNao4/s72-c/DisruptiveChange.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-872157451414882254</id><published>2009-10-27T22:14:00.000-07:00</published><updated>2010-04-06T22:22:24.463-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Talks'/><title type='text'>SDForum Talk on Open eBay</title><content type='html'>I will be giving a talk at &lt;a href="http://www.sdforum.org/index.cfm"&gt;SD Forum&lt;/a&gt; about the architecture of "Open eBay", the platform for developers to deploy their application inside eBay.com.&amp;nbsp; You can find an &lt;a href="http://www.sdforum.org/index.cfm?fuseaction=Calendar.eventDetail&amp;amp;eventId=13536&amp;amp;nodeID=1"&gt;abstract and detailed information here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/3442944337117380119-872157451414882254?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/872157451414882254/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2009/10/sdforum-talk-on-open-ebay.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/872157451414882254'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/872157451414882254'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2009/10/sdforum-talk-on-open-ebay.html' title='SDForum Talk on Open eBay'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3442944337117380119.post-5503389555371714772</id><published>2009-03-31T22:12:00.000-07:00</published><updated>2010-03-29T20:56:19.557-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Talks'/><title type='text'>2009 Web 2.0 Talk @ SF</title><content type='html'>I will be giving a &lt;a href="http://www.web2expo.com/webexsf2009/public/schedule/detail/8677"&gt;talk @ SF, Web 2.0 introducing the new eBay Open Platform&lt;/a&gt;. 
This is a platform based on Gadget/OpenSocial and opens up eBay's Selling Manager to all 3rd party developers.&lt;br /&gt;&lt;br /&gt;Look for this platform to be used in wider scope at eBay to open up other areas of the site including buying flows to 3P apps.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3442944337117380119-5503389555371714772?l=softwareforallseasons.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://softwareforallseasons.blogspot.com/feeds/5503389555371714772/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://softwareforallseasons.blogspot.com/2009/03/2009-web-20-talk-sf.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5503389555371714772'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3442944337117380119/posts/default/5503389555371714772'/><link rel='alternate' type='text/html' href='http://softwareforallseasons.blogspot.com/2009/03/2009-web-20-talk-sf.html' title='2009 Web 2.0 Talk @ SF'/><author><name>Farhang (@farhangkassaei)</name><uri>http://www.blogger.com/profile/10216650661623100973</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
