Software For All Seasons: On Software, Systems and People who Build Them. Farhang (@farhangkassaei)<br />
<h3>
API vs. Service - Terminology Matters (2014-10-05)</h3>
<br />
Those who know me or have worked with me know that, in a technical context, I am a stickler for accurate terminology and non-ambiguous usage of words. I owe it to my high school algebra teacher, who tried valiantly to teach us (a group of 11th-grade geeks in <a href="http://en.wikipedia.org/wiki/Alborz_High_School" target="_blank">Alborz high</a> school in the mid 80s) <a href="http://en.wikipedia.org/wiki/Field_(mathematics)" target="_blank">Field Theory</a>. As is the classic methodology, he would spend so much time on setting up the problem, introducing terms, definitions, axioms, propositions, properties, lemmas... that by the time he got to the main theorem, he had lost most of us. When we objected, he would say<br />
<blockquote class="tr_bq">
If your words don't have accurate meanings, your sentences are ambiguous; when you utter ambiguous sentences, your arguments are confusing; and when arguments are confusing, you start a war. </blockquote>
We were way too young to understand the wisdom in these words then, but I am a believer now.<br />
<br />
In the past few years, I have very frequently seen the two terms API and Service used interchangeably. They are not the same! Granted, there is no official definition, but I would like to offer one that helps in all discussions regarding both APIs and Services.<br />
<br />
A Service is a software component with a well-defined contract and boundaries (both code and data); services are built by Service Providers (or Producers). Service orientation is a style of architecture for building distributed systems.<br />
<br />
An API, on the other hand, describes the consumer's view of the world. An API is what is exposed to consumers and determines the programming model by which consumers interact with producers.<br />
<br />
Services are often exposed as APIs. APIs MAY (or may not) be implemented by a service. The figure below illustrates this concept:<br />
<br />
API endpoints are denoted by eN. In this picture, API e1 is an aggregation of three operations, each belonging to a different service. API e2, on the other hand, is a simple delegation (or routing) to one operation of Service 1 (S1.O1).<br />
<br />
This picture defines clearly what an API and a Service are, and allows us to separate consumer concerns from producer concerns. For example, the API consumer (and the API type space) may include a definition of a User that includes a unique identifier, an email, a brand name and a reputation indicator. Consumers expect an endpoint to supply this type - they call this endpoint an API - however, no sane domain model would encapsulate and implement the notions of Identity, Branding and Reputation in one service. The User API endpoint aggregates (and transforms) the output of the three services, but more importantly it allows producers to build services with the right boundary and granularity, independent of how they need to be consumed.<br />
<br />
As a last point, I have to emphasize that our STRONG preference is to keep the API intermediation layer "dumb" and simple. Actually, we often encourage simple delegation, rarely aggregate or transform outputs, and almost never do anything remotely resembling business process orchestration or anything involving business logic (aggregation and transformation are strict mathematical operations, not business logic). All API ecosystems need to have an intermediation layer, but it has to be kept as dumb as possible (but not dumber).<br />
<br />
Now that I have defined APIs and Services, in my next post I will focus on a Portfolio of Services - a collection of coherent services that power APIs (usually at the scope of a company or a large domain). I will specifically list the lessons we learned from designing, implementing and operating CommerceOS.<br />
<br />
<br />
<br />
<br />
<h3>
CommerceOS Part V - Processes, Metrics and Measurement (2014-09-14)</h3>
<br />
Part I of this series of posts described what CommerceOS is, Part II explained the structure and overview, and in Part III we focused on the standards that make a microservice portfolio work. Part IV was an overview of Shared Services; in this post (the last part) I write about processes and metrics.<br />
<br />
<h3>
Processes</h3>
Platforms at their core are abstractions of capabilities. Their value comes from encapsulating frequently and commonly used capabilities, normalizing their variations and exposing them for use - freeing up applications/consumers to focus on less common (and therefore more value-adding) capabilities.<br />
<br />
Platforms are built based on standards, and maintained and enhanced via processes - without processes, platforms simply deteriorate over time. This is akin to the second law of thermodynamics - the entropy of a system always increases UNLESS you spend energy - and energy in this context translates to processes. It is very unlikely that a portfolio of services, especially one with higher level business domain abstractions and their nuances, survives for a long time without some form of process. The key, though, is to have meaningful processes. We have three criteria for designing "meaningful" processes:<br />
<br />
- A process should have a clear and measurable goal.<br />
- A process should be transparent, with a clear decision-making procedure.<br />
- A process should have an SLA (be time-bounded).<br />
<br />
CommerceOS defines only three processes, all at the portfolio level. They are:<br />
- The process for adding a new service to the portfolio<br />
- The process for adding a new standard to the portfolio<br />
- The process for cross-domain, portfolio-wide decision making<br />
<br />
1- Service Life Cycle: Ensures the following:<br />
<ul>
<li>A given service is neither duplicating (doing the same thing with a different name) nor diluting (doing a different thing with the same name) existing capabilities. If Order/Cancel and Order/Refund do "the same thing", we have a duplication. It leads to confusion and more than likely major bugs - after all, they intend to do the same thing, but over time the functionality diverges and, depending on which API is called, the Order is either not properly canceled or not properly refunded. If User/Order and /Order return types that are drastically different (especially semantically), that is an example of "dilution" - in this case of the Order type.</li>
<li>Extracting potential new types for the common type space</li>
<li>Ensuring an audit opportunity for security, legal and regulatory functions.</li>
<li>Automated assessment of a service (once implemented) against a set of standards</li>
</ul>
<br />
2- Portfolio Standards and Type Space: This process controls the adoption of a proposal for standardizing some aspect of the system. The standards process ensures that:<br />
<br />
<ul>
<li><b>The standard is really needed</b> - Since all service providers and consumers must comply with standards (and they are implemented in the service and application run time), the bar for adopting a standard is high. The goal is to standardize only what must be standardized - no more.</li>
<li><b>The standard defines behavior, not implementation choices:</b> We also try to limit the standards to aspects of interaction between services and applications, or between services and operational tools/systems, and not service implementation. This is an important distinction. We have no standard on language, technology stack, data technology, etc.</li>
<li><b>The standard is automatically testable</b> - Otherwise it is not scalable to test all services for standard behavior manually.</li>
<li><b>The standard is properly documented and implemented</b> - For all standards we build support in services, the application run time and libraries, or in portfolio tools.</li>
</ul>
<br />
<br />
3- Decision Making (Huddle): Service and application teams are autonomous; they own all the decisions made regarding the code and systems they own (and the accountability that comes with it). However, there are always decisions at the portfolio level, i.e. decisions that impact multiple teams. These decisions are often tactical and made in the context of large projects (strategic decisions are framed in the form of standards), and they often relate either to the orchestration of complex business processes or to migration-related decisions that impact other services or applications. The decision-making process calls for:<br />
- Clear documentation of the question(s) at hand<br />
- Clear documentation of options and proposals<br />
- Identification of the decision maker<br />
<br />
Debate and transparency are encouraged; the discussions are time-bounded and produce one of four outcomes:<br />
<br />
<ul>
<li><b>Agree, Implement</b>: Everyone implements the decision.</li>
<li><b>Agree, do not implement</b>: Tech debt is captured for the team(s) that don't implement the decision.</li>
<li><b>Disagree, Implement</b>: The dissenting view is acknowledged and recorded.</li>
<li><b>Disagree, do not implement</b>: One-time escalation to a team of 3 senior technologists to make a final decision.</li>
</ul>
<br />
<br />
<br />
<h3>
Measurement </h3>
In general, there are <a href="http://softwareforallseasons.blogspot.com/2012/09/primary-goals-and-strategic-metrics-vs.html" target="_blank">two types of metrics</a>: strategic metrics and operational metrics. In this context, strategic goals are the main reasons a platform is built (a car is built to transport people), while operational metrics show the platform's health (a car engine's temperature must be within a certain range).<br />
<br />
CommerceOS has the following primary goal:<br />
<br />
- Improving the productivity of application developers who develop apps to facilitate all forms of commerce, using any technology stack, on any device/screen or platform, globally.<br />
<br />
Of course, to achieve this goal there are plenty of operational goals; the major groups of operational metrics are:<br />
<br />
<ol>
<li><b>Service Production Metrics:</b> Encapsulating all eBay Marketplace capabilities in the form of RESTful services</li>
<li><b>Service Consumption and Adoption Metrics:</b> Exposing capabilities to all marketplace participants on all devices, platforms and geographies</li>
<li><b>Non-functional Aspects:</b> Improving all non-functional aspects such as scale, quality, availability, security, cost, etc.</li>
</ol>
<br />
<br />
The primary goal is not easy to measure. One way we are experimenting with measuring it is by application developer NPS, assuming that a diverse and wide range of application developers are included.<br />
<br />
The operational metric categories above are measured by a large set of metrics, such as:<br />
- Coverage (% of resources/nouns and verbs in the marketplace dictionary that are exposed as services)<br />
- Adoption (% of traffic enabled by services)<br />
- Uniformity (% of device/mobile and web traffic using THE SAME set of services)<br />
- Security (a wide range of metrics here, which requires its own post - but primarily the # of security issues reported per period)<br />
- Availability (a large set of metrics here, per service)<br />
- Quality: number of P1/P2 bugs reported for a service<br />
- Compliance: number of standards each service is compliant with (with a core set as mandatory)<br />
<br />
<br />
<h3>
What is CommerceOS - Part IV - Foundations and Shared Services (2014-09-13)</h3>
Part I of this series of posts described what CommerceOS is, Part II explained the structure and overview, and in Part III we focused on the standards that make a microservice portfolio work. In this post I will focus on shared services. Let's start with the natural question:<br />
<br />
<h3>
What is a Shared Service?</h3>
<br />
Of course, most services are written to be re-usable and to be "shared" among multiple applications and services. But naturally the scope of use varies for each service. At the lower levels of any dependency graph, in any service portfolio, there are services with a much wider scope of use: a lot more services depend on them, and their function is less domain-specific and more generic and "platformy".<br />
<br />
Although there are no fast, easy, mathematical rules to define a "shared service", we have defined a few criteria:<br />
<ul>
<li>A shared service cannot depend on any business service (basic sanity of the dependency graph).</li>
<li>Shared services are deployed and accessible to all other services - they are part of the services runtime.</li>
<li>Shared services have more stable interfaces and a slower release cycle - this is normally the case since the functionality is not business-specific, so it does not change with business requirements.</li>
<li>A shared service is, conceptually, something that is useful/applicable to any company (not just the eBay marketplace), so at least in theory it can be either open sourced or made available to a different business/company.</li>
</ul>
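The first criterion above is mechanically checkable once the portfolio registry records each service's tier and its dependencies. The following is an added example (not CommerceOS tooling) of that check in Python: it walks a constructed registry (all service names and tiers are hypothetical), flags any shared service that depends on a business service, reports unregistered dependencies, and runs a cycle check as the "basic sanity of the dependency graph" the criterion refers to. The tier names "shared" and "business" and the registry shape are assumptions.<br />

```python
"""Checks the shared-service criteria over a service dependency graph.

Added example, not CommerceOS code. Assumes a registry that records, for
each service, a tier ('shared' or 'business') and the services it calls.
Rule enforced (from the post): a shared service may not depend on any
business service. A cycle check covers the dependency-graph sanity point.
"""
from collections import deque

# Constructed sample registry (hypothetical names, not eBay's real portfolio).
REGISTRY = {
    "identity":  {"tier": "shared",   "depends_on": ["config", "crypto"]},
    "crypto":    {"tier": "shared",   "depends_on": []},
    "config":    {"tier": "shared",   "depends_on": []},
    "billing":   {"tier": "shared",   "depends_on": ["identity", "messaging"]},
    "messaging": {"tier": "shared",   "depends_on": ["config"]},
    "checkout":  {"tier": "business", "depends_on": ["identity", "billing", "cart"]},
    "cart":      {"tier": "business", "depends_on": ["identity", "config"]},
    # Deliberately broken entries for the checker to flag:
    "logging":   {"tier": "shared",   "depends_on": ["checkout"]},   # shared -> business
    "order":     {"tier": "business", "depends_on": ["fulfil"]},
    "fulfil":    {"tier": "business", "depends_on": ["order"]},      # cycle
}


def shared_to_business_violations(registry):
    """Return (shared_service, business_dependency) pairs that break the rule."""
    violations = []
    for name, entry in registry.items():
        if entry["tier"] != "shared":
            continue
        for dep in entry["depends_on"]:
            if registry.get(dep, {}).get("tier") == "business":
                violations.append((name, dep))
    return sorted(violations)


def unknown_dependencies(registry):
    """Dependencies that are not registered at all (a registration gap)."""
    return sorted(
        (name, dep)
        for name, entry in registry.items()
        for dep in entry["depends_on"]
        if dep not in registry
    )


def find_cycle(registry):
    """Return one dependency cycle as a list of names, or [] if the graph is a DAG."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {name: WHITE for name in registry}
    stack = []

    def visit(node):
        color[node] = GREY
        stack.append(node)
        for dep in registry[node]["depends_on"]:
            if dep not in registry:
                continue
            if color[dep] == GREY:           # back edge: dep is on the current path
                return stack[stack.index(dep):] + [dep]
            if color[dep] == WHITE:
                found = visit(dep)
                if found:
                    return found
        stack.pop()
        color[node] = BLACK
        return []

    for name in registry:
        if color[name] == WHITE:
            cycle = visit(name)
            if cycle:
                return cycle
    return []


def transitive_closure(registry, name):
    """Every service reachable from `name` (the blast radius of its dependency tree)."""
    seen, queue = set(), deque([name])
    while queue:
        cur = queue.popleft()
        for dep in registry.get(cur, {}).get("depends_on", []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


if __name__ == "__main__":
    print("shared->business:", shared_to_business_violations(REGISTRY))
    print("unknown deps:", unknown_dependencies(REGISTRY))
    print("cycle:", find_cycle(REGISTRY))
    print("checkout closure:", sorted(transitive_closure(REGISTRY, "checkout")))
```

Running this against the constructed registry flags the `logging` entry and the `order`/`fulfil` cycle; wiring the same check into the service life cycle process makes the first criterion an automated gate rather than a review-time convention.<br />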
The following services make up the CommerceOS list of shared services (at the time of this writing):<br />
<br />
<ol>
<li><b>Identity and Access Management:</b> Provisioning identity for all apps and services, plus an OpenID Connect based authentication protocol and SAML based and JWT based security token services.</li>
<li><b>Billing</b>: Multi-tenant billing and invoicing based on a billing event stream.</li>
<li><b>Messaging</b>: A few internal message buses; the primary message bus is an internally developed, light-weight and highly scalable Business Event Stream (BES) - it is a publish-subscribe only messaging system. Transitioning to an AMQP based messaging system to support a wider set of messaging semantics - some use of Kafka.</li>
<li><b>Logging:</b> Distributed logging; uses TIBCO message buses, stores in HBase and is integrated with Hadoop.</li>
<li><b>Monitoring:</b> A real-time version of Map-Reduce (Red Lemur), similar to Apache Storm.</li>
<li><b>Tracking:</b> Tracking of API calls and user activity events. Custom event API, types and structure, over TIBCO buses.</li>
<li><b>Config and Metadata:</b> Custom key/value pair service, transitioning to ZooKeeper based config management.</li>
<li><b>Content Management:</b> A template language for defining content and its variations, a translation workflow and a run-time distributed content repository backed by MongoDB and managed by ZooKeeper.</li>
<li><b>Discovery and Registry:</b> A build-time registry tool based on Google Discovery Doc (GDD) and backed by a Cassandra cluster.</li>
<li><b>Routing and Intermediation:</b> WSO2 based ESB, kept simple. It only provides routing and location transparency. Most composition and transformation of lower services is done by higher level application services; the intermediary layer is kept "dumb" as much as possible.</li>
<li><b>Crypto Services:</b> HSM based hashing and encryption service, based on each tenant's security policy.</li>
<li><b>Object Storage:</b> HBase-based storage for images (or any BLOB).</li>
<li><b>Caching:</b> Memcached based API/protocol, implemented by Couchbase.</li>
</ol>
<div>
<br /></div>
<div>
Shared services are <b>multi-tenant</b>, and can be consumed either as a service (the majority of cases) or as a separate private instance (a few cases). Shared services comply with the rest of the CommerceOS standards. Access to shared services is controlled by tokens provisioned by the CommerceOS STS (secure token service), based on the provisioning rules for each application or service.<br />
<br />
<br /></div>
<h3>
What is CommerceOS Part III - Standards (2014-09-11)</h3>
In the first part of this series I described the goal and motivation of the eBay CommerceOS initiative, and that CommerceOS is eBay's version of Microservices. In the second part I described the five major components of CommerceOS (technology, processes and org). In this post, I will focus on one of those components: the standards and patterns.<br />
<br />
Let me start with an example: service/API authentication.<br />
<br />
Most eBay applications use between 20 and 50 services, many of which require the application's as well as the user's identity (for security and functional reasons). Imagine if each service (or domain of services) accepted a different type of token with a different issuer, different syntax and validation semantics, and a different binding of that token to the protocol (in the body, in a header with different names, combined with other headers, etc.). An application would have to learn, and then write a lot of boilerplate code to obtain tokens, store them and submit them via requests to different services; then it would have to parse and learn the error semantics for all types of authentication done by each service. All these activities make the code more complex to write, test and operate, and they do not add any value to the main function of the app. Now extend this across all types of horizontal concerns and you get an idea why standardization backed by run-time libraries is a must for any service portfolio at scale.<br />
<br />
CommerceOS defines a set of standards and implements them in our framework for developing services (called Raptor). This does not mean that eBay MP does not allow, or discourages, services built using any other technology stack; but if a service is built using the standard libraries and run-time, it gets the support of all standards.<br />
<br />
Patterns and standards include about 30 different aspects of service design, including:<br />
<br />
<ol>
<li> Identity & Access Management, </li>
<li> Base Request & Response standard and extended headers</li>
<li>Compact Header Encoding (more efficient use of headers)</li>
<li> Tracking </li>
<li> Internationalization </li>
<li> Error Handling </li>
<li> Version Management </li>
<li> Service Descriptor </li>
<li> Service Life Cycle, Registry and Discovery </li>
<li> Addressing and End Points</li>
<li> Sorting, Pagination, Filters and Views </li>
<li> Instrumentation of Services</li>
<li> Messaging and Events</li>
<li>Security</li>
<li>Migration </li>
<li>Fail-over and Recovery </li>
<li>Multi-tenancy </li>
<li>Integration (with 2nd and 3rd parties)</li>
<li>Configuration and Metadata Management </li>
<li>Content and Translation </li>
<li>Persistent Storage, Replication</li>
<li>Failure and Recovery </li>
<li>Service Modeling & Interface Development Model (IDM)</li>
<li>Multi-Tenancy </li>
<li>Base-API Operation (operations that all APIs must answer)</li>
<li>Escape Response </li>
<li>Asynchronous Service Design </li>
</ol>
<br />
One significant CommerceOS activity stream centers around the design, and then implementation, of patterns and standards. We focus a lot on correct and accurate documentation <b><u>followed by</u></b> implementation in run-time libraries and/or as shared services. CommerceOS also defines a process for developing and adopting a new standard. This process is modeled after, and is very similar to, the Internet standards development process (working groups, open discussions, editors), with the exception that it has a solid timeline to time-bound the process. This way all service providers and application developers can participate and/or comment on and influence the standard.<br />
<br />
In the rest of this series of posts, I will go into a bit more detail on some of the more significant or interesting standards (if you want to know more about any standard I didn't explain, just contact me). In the next post (part III) I will focus on the two sets of principles/patterns that formed our thinking around portfolio design and individual service design, and on how we measure goals and operational metrics.<br />
<br />
<b>Service Descriptor and Interface Contract</b><br />
<br />
CommerceOS emphasizes a formal contract. We use the Google Discovery Document (GDD) as the basis of our service descriptor, and we extend it to include the aspects of the service contract we need to manage the service life cycle during build time or run-time. In a Java environment, service interfaces are annotated using a standard annotation library; our discovery tool then generates a JSON based discovery document that is used for interoperability with the rest of our tool set, used by application teams, product managers in other product teams, tech writers, etc.<br />
A COS service contract has four main parts:<br />
<br />
<ol>
<li>Service metadata: this includes the basic metadata as well as attributes for financial, regulatory and legal needs, such as whether a service handles financial data (and what types), whether a service handles personal data, the location of personal data, etc.</li>
<li>Service interface and types, as described in Google Discovery Documents</li>
<li>Service instrumentation contract - this is the contract the service has with its operational environment; it defines the events the service generates and consumes (including events required for technical and business health monitoring)</li>
<li>Service admin contract - a loosely JMX based API for administrators to set or get certain attributes and influence service behaviors</li>
</ol>
<br />
Service teams own the contract and its maintenance, but syntax and semantics are standardized.<br />
<br />
<b>Service Versioning</b><br />
<br />
CommerceOS services must be versioned; we use the Major.Minor.Maintenance format. Service teams need to declare/decide how many back versions they support. No team is allowed to support zero back versions and break backward compatibility, since this forces all applications to migrate.<br />
We allow multiple versions to be alive at the same time; the API Router will ensure a given request goes to the right end point. Data and entities are designed to be backward compatible.<br />
Services are not allowed to be perpetually backward compatible, since this practice erodes code quality and accumulates significant "dead code", which leads to a drop in agility and increased complexity of testing. <br />
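To make the versioning rules concrete, here is an added example in Python (not the CommerceOS API Router) of the routing decision such a router has to make. It assumes a per-service policy listing the live Major.Minor.Maintenance versions with their endpoints and the number of back major versions the team supports; the policy refuses the "zero back versions" configuration the text forbids, retires majors older than the supported window, and within a supported major picks the newest live version not newer than the request (minor/maintenance bumps being backward compatible). The `X-Service-Version` request header and the endpoint URLs are hypothetical.<br />

```python
"""Version-aware routing in the Major.Minor.Maintenance scheme.

Added example, not the CommerceOS API Router. Assumptions: the consumer
names the version it wants in a hypothetical 'X-Service-Version' header;
a team publishes its live versions and how many back major versions it
supports; the policy rejects the 'zero back versions' configuration.
"""
import re
from dataclasses import dataclass, field

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'2.3.1' -> (2, 3, 1); raises ValueError on anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(g) for g in m.groups())


@dataclass
class ServiceVersionPolicy:
    """Live versions of one service plus how many back major versions it supports."""
    name: str
    live: dict = field(default_factory=dict)   # (major, minor, maint) -> endpoint URL
    back_versions: int = 1

    def __post_init__(self):
        if self.back_versions < 1:
            raise ValueError(f"{self.name}: at least one back version must be supported")

    @property
    def current_major(self):
        return max(v[0] for v in self.live)

    def supported_majors(self):
        lo = self.current_major - self.back_versions
        return {v[0] for v in self.live if v[0] >= lo}

    def route(self, requested):
        """Pick the endpoint for a requested Major.Minor.Maintenance string.

        Within a supported major, the newest live version that is not newer
        than the request is chosen; minor/maintenance bumps are treated as
        backward compatible, as the post requires of data and entities.
        """
        want = parse_version(requested)
        if want[0] not in self.supported_majors():
            raise LookupError(f"{self.name}: major {want[0]} is no longer supported")
        candidates = [v for v in self.live if v[0] == want[0] and v <= want]
        if not candidates:
            raise LookupError(f"{self.name}: no live version at or below {requested}")
        return self.live[max(candidates)]


# Constructed sample policy (hypothetical endpoints).
ORDER = ServiceVersionPolicy(
    name="order",
    live={
        (1, 4, 2): "http://order-v1.internal/",
        (2, 0, 0): "http://order-v2.internal/",
        (2, 1, 0): "http://order-v2-1.internal/",
        (3, 0, 0): "http://order-v3.internal/",
    },
    back_versions=1,  # majors 3 and 2 are served; major 1 is retired
)


def route_request(policy, headers):
    """Route on the hypothetical 'X-Service-Version' header; default to the newest."""
    requested = headers.get("X-Service-Version")
    if requested is None:
        return policy.live[max(policy.live)]
    return policy.route(requested)


if __name__ == "__main__":
    print(route_request(ORDER, {"X-Service-Version": "2.1.0"}))
    print(route_request(ORDER, {}))
```

A request for 1.4.2 against this policy is rejected even though the endpoint still exists in the table, which is the point of an explicit back-version window: retirement is a declared decision, not an accident of whatever is still deployed.<br />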
<br />
<br />
<b>Service Life Cycle and Registry</b><br />
<br />
One of the most significant decisions for CommerceOS was to standardize and establish a widely understood set of milestones (called the life cycle) for service development. This may sound like the dreaded "G" word (Central Governance), but in practice a large org cannot plan an optimal and rapid release cycle without it.<br />
<br />
Before the life cycle standardization, the only de facto milestone for a service team was "live to site", i.e. when the service end points were available and functional in production. Application developers (web and mobile) would then start their serious development, effectively serializing the timeline, i.e. Delivery time = Max(Services Delivery) + App Delivery.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNRVvL6KBVvJF84cThut2K4BftHdJylsEZcKDw-OuW5JAc1AT_2mpXiNVPgDsifSvwJQfN8GCctgwPlbmpMVGbTnBwI2N9tdUz-rzq8G0YgvPMP9GVi53rwvwQHjWA0x4UhSjYbjkfwEs/s1600/LifeCycle.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNRVvL6KBVvJF84cThut2K4BftHdJylsEZcKDw-OuW5JAc1AT_2mpXiNVPgDsifSvwJQfN8GCctgwPlbmpMVGbTnBwI2N9tdUz-rzq8G0YgvPMP9GVi53rwvwQHjWA0x4UhSjYbjkfwEs/s1600/LifeCycle.jpg" height="320" width="400" /></a></div>
<br />
Without widely understood and supported milestones, service teams often change their service implementation and interface till the very end of a project timeline, forcing application developers to wait till the "dust settles". CommerceOS establishes a set of milestones, the first of which is "interface published": this means the service descriptor is ready, and an end point is exposed that can respond based on the service descriptor. This end point is, in concept, similar to the Java Proxy API, in that it can produce a "fake" response to the request based on the contract - no real implementation required. Application development can practically start at this point, to a large degree decoupling app development time from service development time.<br />
<br />
Service teams can change the interface, but often the thought and consideration that went into interface design leads to more or less stable interfaces; the implementation can change freely at any time. This aligns with one of our portfolio principles: "Stable interface, agile implementation".<br />
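The "interface published" end point described above is essentially a contract-driven stub. The following is an added example in Python (not CommerceOS's discovery tooling) of how such a stub can be derived from the descriptor alone: a constructed, simplified document in the spirit of a Google Discovery Document (a `schemas` map of JSON-schema-like types and a `methods` map naming a response type; the real GDD carries more fields) is walked to synthesize a response that matches the declared types, and a companion `conforms` check verifies that a later, real response still honors the published contract. The `X-Service-Version` and `X-Stub` headers and all descriptor content are assumptions.<br />

```python
"""A contract-driven stub endpoint for the 'interface published' milestone.

Added example, not CommerceOS code. DESCRIPTOR is a constructed, simplified
GDD-like document; fake_value/fake_response synthesize a response that
conforms to it, and conforms() checks a real response against the contract.
"""
import json

DESCRIPTOR = {  # constructed; not a real eBay service descriptor
    "name": "order",
    "version": "2.1.0",
    "schemas": {
        "Money": {"type": "object", "properties": {
            "amount": {"type": "number"},
            "currency": {"type": "string", "enum": ["USD", "EUR"]}}},
        "Order": {"type": "object", "properties": {
            "id": {"type": "string"},
            "total": {"$ref": "Money"},
            "items": {"type": "array", "items": {"$ref": "OrderItem"}},
            "paid": {"type": "boolean"}}},
        "OrderItem": {"type": "object", "properties": {
            "sku": {"type": "string"}, "quantity": {"type": "integer"}}},
    },
    "methods": {
        "order.get": {"httpMethod": "GET", "path": "orders/{id}", "response": {"$ref": "Order"}},
    },
}

SAMPLE = {"string": "string", "number": 0.0, "integer": 0, "boolean": False}


def fake_value(schema, schemas, depth=0):
    """Produce a value conforming to `schema`, resolving $ref through `schemas`."""
    if depth > 8:  # guard against recursive type definitions
        return None
    if "$ref" in schema:
        return fake_value(schemas[schema["$ref"]], schemas, depth + 1)
    if "enum" in schema:
        return schema["enum"][0]
    t = schema.get("type")
    if t == "object":
        return {k: fake_value(v, schemas, depth + 1)
                for k, v in schema.get("properties", {}).items()}
    if t == "array":
        return [fake_value(schema.get("items", {}), schemas, depth + 1)]
    if t in SAMPLE:
        return SAMPLE[t]
    raise ValueError(f"unsupported schema: {schema}")


def fake_response(descriptor, method_name):
    """Status, headers and JSON body the stub returns for `method_name`."""
    method = descriptor["methods"].get(method_name)
    if method is None:
        return 404, {}, json.dumps({"error": f"unknown method {method_name}"})
    body = fake_value(method["response"], descriptor["schemas"])
    headers = {"Content-Type": "application/json",
               "X-Service-Version": descriptor["version"],  # hypothetical header
               "X-Stub": "true"}                           # hypothetical: marks fake data
    return 200, headers, json.dumps(body)


def conforms(value, schema, schemas):
    """Check that a (possibly real) response still matches the published contract."""
    if "$ref" in schema:
        return conforms(value, schemas[schema["$ref"]], schemas)
    if "enum" in schema:
        return value in schema["enum"]
    t = schema.get("type")
    if t == "object":
        return isinstance(value, dict) and all(
            k in value and conforms(value[k], s, schemas)
            for k, s in schema["properties"].items())
    if t == "array":
        return isinstance(value, list) and all(
            conforms(v, schema["items"], schemas) for v in value)
    if t == "boolean":
        return isinstance(value, bool)
    if t == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if t == "number":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if t == "string":
        return isinstance(value, str)
    return False


if __name__ == "__main__":
    print(fake_response(DESCRIPTOR, "order.get"))
```

Flagging stub output with an explicit header is deliberate: an application that accidentally ships against the stub should be able to detect it, and the same `conforms` check run in the life cycle's automated assessment catches an implementation that drifts from the contract it published.<br />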
<br />
<b>Base Request and Response</b><br />
<br />
CommerceOS services and applications talk over HTTP, but the exchange has to happen in a common dialect, i.e. certain semantics have to be expressed and bound to the underlying HTTP transport in a common way. This saves individual service providers and app teams the time to re-invent the wheel, and also prevents a lot of bugs and issues. Base request and response define a set of common headers and encodings that all COS services and apps understand. A few examples are:<br />
the syntax to express compact headers, authorization headers, identification of the request and request chain, serialization and encoding of request and response, session identification, the binding of location, locale and cultural preferences to the protocol, the proper use of HTTP headers vs. body, and alternative bindings to the HTTP body.<br />
<br />
<br />
<b>Migration</b><br />
<b><br /></b>
One of the practical and most important aspects of establishing a service or microservice architecture for large companies with "legacy" code is migration. By migration, I specifically mean migrating either monolithic applications with direct data access, or applications that use older, legacy services, to applications that consume contract based microservices. We have established a pattern, called <b>"Bay Bridge"</b>, for service migration. It has four major steps:<br />
<b><br /></b>
<b>- Smoke Test: </b>Turn on the new service (with new data storage), use it only for a very small amount of traffic from a few consumers, and dual write into (and read from) both the new service/storage and the old/legacy storage. The primary source of truth is still the legacy.<br />
<b>- Load/Sync: </b>Copy/transform data from the legacy storage to the new service storage as appropriate. This phase itself may include smaller phases depending on the data. The longer lasting the data/entity is, the more critical this phase is, e.g. a User is a very long lasting entity, while an Auction listing may last only 7 days and a session may be stored for only a few hours. The main goal of this phase is to bring the new and legacy storage to parity.<br />
<b>- Fly with Safety Net: </b>Dual read/write continues, but the primary is now the new storage/service.<br />
<b>- Clean up: </b>Old storage is cleaned up and deprecated.<br />
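The four steps above can be expressed as a single storage shim whose behavior is a function of the current phase. The following is an added example in Python (not eBay's migration tooling): it models the phases as an enum and a wrapper that decides, per phase, which stores are written, which store is read as the source of truth, whether the other store is consulted as a safety net, and which keys the smoke-test canary slice covers. It also records keys where a dual read found the two stores disagreeing, which is the signal that Load/Sync has not reached parity. Store shapes, the canary predicate and all sample records are constructed.<br />

```python
"""The four Bay Bridge phases as a storage shim.

Added example, not eBay's migration tooling. Stores are plain dicts; the
canary predicate (which keys the smoke test sends to the new store) and
all sample records are constructed.
"""
from enum import Enum


class Phase(Enum):
    SMOKE_TEST = 1     # dual write, read legacy; only canary keys touch the new store
    LOAD_SYNC = 2      # backfill legacy -> new, dual write continues, read legacy
    FLY_WITH_NET = 3   # dual write, new store is primary; legacy is the safety net
    CLEAN_UP = 4       # new store only; legacy deprecated


class BayBridgeStore:
    def __init__(self, legacy, new, phase=Phase.SMOKE_TEST, canary=lambda key: False):
        self.legacy, self.new, self.phase, self.canary = legacy, new, phase, canary
        self.mismatches = []   # keys where a dual read found the stores disagreeing

    def _in_scope(self, key):
        # During the smoke test only canary traffic touches the new store.
        return self.phase != Phase.SMOKE_TEST or self.canary(key)

    def write(self, key, value):
        if self.phase == Phase.CLEAN_UP:
            self.new[key] = value
            return
        self.legacy[key] = value
        if self._in_scope(key):
            self.new[key] = value

    def read(self, key):
        if self.phase == Phase.CLEAN_UP:
            return self.new.get(key)
        primary, secondary = (
            (self.new, self.legacy) if self.phase == Phase.FLY_WITH_NET
            else (self.legacy, self.new)
        )
        value = primary.get(key)
        if self._in_scope(key) and secondary.get(key) != value:
            self.mismatches.append(key)
            # Safety net: a miss in the new primary falls back to legacy.
            if self.phase == Phase.FLY_WITH_NET and value is None:
                return secondary.get(key)
        return value

    def load_sync(self):
        """Backfill: copy every legacy record the new store lacks (Load/Sync)."""
        copied = 0
        for key, value in self.legacy.items():
            if key not in self.new:
                self.new[key] = value
                copied += 1
        return copied


def demo():
    """Walk one constructed data set through all four phases."""
    legacy = {"user:1": "alice", "user:2": "bob"}   # constructed legacy data
    new = {}
    store = BayBridgeStore(legacy, new, Phase.SMOKE_TEST, canary=lambda k: k.endswith(":3"))
    store.write("user:3", "carol")     # canary key: lands in both stores
    store.write("user:4", "dave")      # non-canary: legacy only
    store.phase = Phase.LOAD_SYNC
    copied = store.load_sync()         # brings the new store to parity
    store.phase = Phase.FLY_WITH_NET
    store.write("user:5", "eve")       # still dual written, new store is primary
    store.phase = Phase.CLEAN_UP
    return {"copied": copied, "new_keys": sorted(new), "legacy_keys": sorted(legacy),
            "read5": store.read("user:5"), "mismatches": store.mismatches}


if __name__ == "__main__":
    print(demo())
```

The `mismatches` list is the operational check for the Load/Sync phase: the phase should not be advanced to Fly with Safety Net while dual reads are still reporting disagreements, since at that point the new store becomes the source of truth.<br />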
<br />
<br />
<b><br /></b>
<br />
<b>Persistence</b><br />
CommerceOS allows services to choose their own persistence storage and technology. Depending on the types of data a service handles (preferences vs. financial data, or blog posts vs. passwords and credentials), there are patterns for whether systems should prefer CA (financial) or PA (most anything else).<br />
<br />
From a logical point of view, service teams are required to have isolated storage, i.e. no other service or application should read/write directly from the primary database of another service. Sometimes (especially with bulk data) it is not efficient to consume a classic service interface (serializing and deserializing is too much overhead); in these cases the service must expose a push-style "data feed", and still should not allow other services to read its primary storage directly.<br />
<br />
Services are required to register their database and the structure of the logical entities stored (there is no "governance" of such entities, just registration for the discovery process).<br />
<br />
<b>Fail Over and Recovery </b><br />
<b><br /></b>
There are two types of fail over and recovery in CommerceOS: Transparent and Degraded.<br />
<br />
Transparent failures are the failures of stateless application servers/services or database hosts. Application servers all run behind load balancers with virtual IPs (and sometimes load balancing is done using run-time discovery, ZooKeeper style); database failures are handled by partitioning data and replication (Cassandra style). The typical failures of services and databases are handled without the service code realizing the failure; the system continues to operate with no impact.<br />
<br />
The other type of fail-over is "degraded". In this case the failure is not transparent to a service: for example, when a Pricing service (that calculates the total order price) calls an Incentive calculation and receives a failure - say due to yet another system failure in the Incentive subsystem that could not be handled (e.g. it uses a non-partitioned, non-replicated DB that failed) - the Pricing service now has to "degrade" its function in a way that it still calculates the total order price. This is a higher level and more domain-specific handling of failure, yet a few aspects of it can be abstracted and implemented in the run-time. In particular, we define a light-weight processing framework. It is a pipeline based programming model: each pipeline has a series of phases, and phases can be assembled dynamically at run-time. Each pipeline is executed by an Executor, which is the main run time for pipelines. Each phase can be annotated as required, optional or alternative. Each phase has a few life cycle states; the two most important ones are up and down. If a required phase is down and no alternative is designated, the pipeline fails; if an optional phase fails, the executor executes an alternative as designated, and if no alternative is designated the process continues.<br />
This simple framework provides an abstraction for degraded functionality.<br />
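The executor rules just described are small enough to show in full. The following is an added example in Python (not the CommerceOS run-time) of a minimal executor: each phase is a function plus a role (required or optional), an up/down state and an optional alternative; a required phase that is down or fails ends the pipeline unless an alternative is designated, and an optional one runs its alternative if it has one and is otherwise skipped. The pricing scenario, the cached-incentive fallback and all numbers are constructed.<br />

```python
"""A minimal executor for the 'degraded functionality' pipeline.

Added example, not the CommerceOS run-time. Phases, roles, up/down state
and alternatives follow the rules in the post; the pricing scenario,
the cached-incentive fallback and all numbers are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

REQUIRED, OPTIONAL = "required", "optional"


@dataclass
class Phase:
    name: str
    run: Callable[[dict], dict]        # takes the pipeline context, returns updates
    role: str = REQUIRED
    up: bool = True                    # life cycle state: up or down
    alternative: Optional["Phase"] = None


class PipelineFailed(Exception):
    pass


class Executor:
    def __init__(self, phases):
        self.phases = phases
        self.trace = []                # what actually ran, for monitoring

    def _attempt(self, phase, ctx):
        """Run a phase, falling through its alternative chain. True if output was produced."""
        if phase.up:
            try:
                ctx.update(phase.run(ctx))
                self.trace.append(phase.name)
                return True
            except Exception as exc:   # a phase that raises is treated as failed
                self.trace.append(f"{phase.name}:error:{type(exc).__name__}")
        else:
            self.trace.append(f"{phase.name}:down")
        if phase.alternative is not None:
            return self._attempt(phase.alternative, ctx)
        return False

    def execute(self, ctx):
        for phase in self.phases:
            ok = self._attempt(phase, ctx)
            if not ok and phase.role == REQUIRED:
                raise PipelineFailed(f"required phase '{phase.name}' unavailable")
            if not ok:
                self.trace.append(f"{phase.name}:skipped")
        return ctx


# --- Constructed pricing scenario -------------------------------------------

def base_price(ctx):
    return {"total": sum(ctx["items"])}


def incentives(ctx):
    # Stands in for the call to the Incentive subsystem; flipped to 'down' in the demo.
    return {"total": ctx["total"] - ctx.get("promo", 0)}


def cached_incentives(ctx):
    # Alternative: a conservative cached discount so pricing still completes.
    return {"total": ctx["total"] - ctx.get("cached_promo", 0), "degraded": True}


def tax(ctx):
    return {"total": round(ctx["total"] * 1.1, 2)}


def price_order(items, incentive_up=True, with_alternative=True, promo=5, cached_promo=2):
    """Return (total, degraded_flag, trace) for one order under the given conditions."""
    alt = Phase("cached_incentives", cached_incentives, OPTIONAL) if with_alternative else None
    pipeline = [
        Phase("base_price", base_price, REQUIRED),
        Phase("incentives", incentives, OPTIONAL, up=incentive_up, alternative=alt),
        Phase("tax", tax, REQUIRED),
    ]
    ex = Executor(pipeline)
    ctx = ex.execute({"items": items, "promo": promo, "cached_promo": cached_promo})
    return ctx["total"], ctx.get("degraded", False), ex.trace


if __name__ == "__main__":
    print(price_order([10, 20]))
    print(price_order([10, 20], incentive_up=False))
    print(price_order([10, 20], incentive_up=False, with_alternative=False))
```

Two things worth noticing: the `degraded` flag in the context lets the caller (and the instrumentation contract) record that a reduced-fidelity answer was served, and the trace makes the choice of path auditable after the fact, which matters when a degraded path such as a cached discount has a financial effect.<br />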
<br />
<h3>
Escape Response</h3>
<br />
Escape response is a small, yet important, aspect that illustrates the need for standards in a given portfolio. An example illustrates the concept: imagine that due to a security breach, you need all users to change their passwords. You can't change 100s of applications to message the user for a password change. What do you do?<br />
<br />
Applications make service calls all the time; a particular response header is called the "Escape Response", and it includes an end point and a unique number. All applications know (and it is implemented in the service invocation library as well) that if they see the escape header, they must redirect (in a device and platform specific way) the user to the given end point. This "escape" path allows the system to take over from any compliant service using a standard syntax, semantics and protocol binding.<br />
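Because the escape header turns any service response into an instruction to redirect the user, the invocation library that honors it is a natural place for two defensive checks. The following is an added example in Python (not the CommerceOS invocation library) of client-side handling: it parses the header into an end point and unique number, accepts the end point only if it is on a trusted origin (so a spoofed or injected header cannot send users to an arbitrary site), acts on each unique number only once, and hands the actual redirect to a platform-specific callback. The header name, its `endpoint; id=N` encoding, the allow-list and the sample responses are all assumptions; the text only says the header carries an end point and a unique number.<br />

```python
"""Client-side handling of an 'Escape Response' header.

Added example, not the CommerceOS invocation library. The header name, its
'endpoint; id=<number>' encoding, the allow-list of trusted origins and the
sample responses are assumptions. Defensive additions: the end point must be
on a trusted origin, and each escape id is acted on once.
"""
from urllib.parse import urlsplit

ESCAPE_HEADER = "x-escape-response"                      # hypothetical header name
TRUSTED_ORIGINS = {"https://accounts.example.com"}       # constructed allow-list


def parse_escape_header(value):
    """'https://host/path; id=123' -> (url, 123). Returns None if malformed."""
    parts = [p.strip() for p in value.split(";")]
    if len(parts) != 2 or not parts[1].startswith("id="):
        return None
    url, id_text = parts[0], parts[1][3:]
    if not id_text.isdigit():
        return None
    return url, int(id_text)


def is_trusted(url, trusted=TRUSTED_ORIGINS):
    """Only https end points on an allow-listed origin qualify for a redirect."""
    u = urlsplit(url)
    if u.scheme != "https" or not u.netloc:
        return False
    return f"{u.scheme}://{u.netloc}" in trusted


class EscapeAwareClient:
    """Wraps a service call; the redirect itself is delegated to a platform callback."""

    def __init__(self, transport, redirect, trusted=TRUSTED_ORIGINS):
        self.transport = transport      # callable(request) -> (status, headers, body)
        self.redirect = redirect        # callable(url): device/platform-specific redirect
        self.trusted = trusted
        self.seen_ids = set()

    def call(self, request):
        """Return (status, body, action) where action records what was done with the header."""
        status, headers, body = self.transport(request)
        lowered = {k.lower(): v for k, v in headers.items()}
        raw = lowered.get(ESCAPE_HEADER)
        if raw is None:
            return status, body, None
        parsed = parse_escape_header(raw)
        if parsed is None:
            return status, body, "malformed"
        url, escape_id = parsed
        if not is_trusted(url, self.trusted):
            return status, body, "untrusted"
        if escape_id in self.seen_ids:
            return status, body, "duplicate"
        self.seen_ids.add(escape_id)
        self.redirect(url)
        return status, body, "redirected"


def demo():
    """Drive the client over constructed responses; returns (actions, redirected_urls)."""
    redirects = []
    responses = {  # constructed service responses keyed by request path
        "/orders": (200, {"Content-Type": "application/json"}, '{"orders": []}'),
        "/cart": (200, {"X-Escape-Response": "https://accounts.example.com/reset; id=42"}, ""),
        "/watch": (200, {"X-Escape-Response": "https://other.example.net/notice; id=43"}, ""),
    }
    client = EscapeAwareClient(lambda req: responses[req], redirects.append)
    actions = [client.call(p)[2] for p in ("/orders", "/cart", "/cart", "/watch")]
    return actions, redirects


if __name__ == "__main__":
    print(demo())
```

Rejected and malformed headers are worth logging on the client side: a header pointing at an origin outside the allow-list is either a misconfigured service or something tampering with the response path, and either deserves attention from whoever operates the portfolio.<br />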
<br />
<br />
<b><br /></b>
<br />
<h3>
What is CommerceOS - Part II - Basic Structure (2014-09-11)</h3>
In the <a href="http://softwareforallseasons.blogspot.com/2014/09/what-is-commerceos-part-i.html" target="_blank">first post of this series</a>, I described the motivations and goals of CommerceOS. I stated that CommerceOS is eBay MP's version of Micro Services: it is a portfolio of services (RESTful and deployed in the cloud) that enable developers to build applications that facilitate commerce among people and/or entities, on any device, in any language, rapidly, economically and securely.<br />
<br />
In this post I will start describing some technical details, best practices and what we learned from building a service portfolio at scale.<br />
<br />
The easiest way to start describing CommerceOS is with this basic picture illustrating the over all topology of the system<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9KT8-iPFED-SK7eQMRDbRv2fYBA461Br7cl17f-4XEy12rpuJqedZAz9xYqIfvP480xO4QMF1_7bGBRtI_-i1Ak59ee9TH3NgbCZaoXLf7YMnIL0RqLpu3B_mqcN3KV9REZgVhyphenhyphenPQdoo/s1600/COS1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9KT8-iPFED-SK7eQMRDbRv2fYBA461Br7cl17f-4XEy12rpuJqedZAz9xYqIfvP480xO4QMF1_7bGBRtI_-i1Ak59ee9TH3NgbCZaoXLf7YMnIL0RqLpu3B_mqcN3KV9REZgVhyphenhyphenPQdoo/s1600/COS1.jpg" height="328" width="400" /></a></div>
<br />
<br />
<br />
This diagram shows a high level logical architecture of the ecosystem and its main components<br />
<br />
- <b>Applications</b>: this includes applications on mobile and all other devices, web apps, as well as 3rd party applications, merchant and partner back ends, etc. Basically, all consumers of the CommerceOS portfolio. The number of applications using CommerceOS services is in the range of 10s of thousands, and those include eBay applications (1st party) as well as partner and 3rd party apps.<br />
<br />
- <b>Services Portfolio</b>: These are services and business capabilities that enable marketplace operations, as well as commerce primitives used to build any commercial app. Examples are Listing, Checkout, Order Management, Listing Details, Watch List, Cart etc. These services are often (but not always) multi-tenant. The collection of these services is called "The Portfolio". The number of services in the CommerceOS portfolio is in the range of 100s, built by teams across the globe.<br />
<br />
- <b>Shared Services:</b> core platform capabilities such as Identity & AM, Security Token Services, Session, Tracking, Messaging (of all types) etc.<br />
<br />
- <b>API Middle Tier</b>: Part of "shared services" is a middle tier that mainly functions as a simple router connecting API requests to the internal services implementing them.<br />
<br />
<br />
CommerceOS is structured into five major activity streams (and a similar organization structure), each essential to building and operating a Microservice ecosystem at scale. The tracks are:<br />
<br />
1- Standard and Patterns<br />
2- Services Portfolio<br />
3- Foundations and Shared Services<br />
4- Evangelism and Advocacy<br />
5- Governance, Metrics and Measurements<br />
<br />
<h3>
<b>Standards and Patterns</b></h3>
The first observation about an ecosystem with 1000s of apps and 100s of services is that if key aspects of service interface and implementation (such as error handling, tracking, identity, internationalization, version policy, monitoring, billing etc.) are left to each service team to decide, developing an application that consumes on average 20-50 services will be an extremely difficult and unproductive task. This approach may also create legal liability (when dealing with financial or personal data). A decision we made early on was to formally define (and carefully document) the standards that make all components work together. This may not be what you expect from a Micro service portfolio, but we learned that formally documenting standards (and versioning them) is extremely valuable, both for the system developers who implement those standards in the form of run-time libraries and shared services, and for service and application developers learning about the portfolio in general. See part III for more detail on standards.<br />
<br />
<h3>
Foundations and Shared Services</h3>
A portfolio of services requires three major foundation pieces:<br />
- <b>Run time libraries</b> for services (in supported tech stacks)<br />
- <b>Shared Services</b> that are used by the entire portfolio (and you really don't want replication of any of their functionality): services such as Identity and Access Management, Caching, Messaging, Crypto Services, config, registry and discovery, content management.<br />
- <b>Productivity Tools</b>: Vital for the operation of the portfolio are tools (and dashboards) for monitoring, recovery, synchronization, life cycle management, learning and exploration etc.<br />
<br />
See part IV for more information<br />
<br />
<br />
<h3>
Service Portfolio </h3>
<br />
This is the actual portfolio of business capabilities. The services are designed and built by de-centralized (and global) service teams; they are often between 3 and 10 people, and they are free to use any technology stack they see fit. Of course, if they use the eBay standard Java/Spring based framework (called Raptor) they get a lot of functionality for free, but they don't have to. Services must publish their descriptor formally, and some elements of their type spaces (such as User, Listing, Order, Cart, Claim, Product etc.) are standardized (i.e. they are part of a Common Type Space). Services also need to declare the events they produce.<br />
<br />
<br />
<h3>
Evangelism and Advocacy (E&A)</h3>
<div>
This may be one of the most significant, yet poorly understood, areas of any service portfolio management. People often view this as a "soft skill" area. However, these activities are vital to BOTH adoption and evolution of the service portfolio. Let's see what they are.</div>
<div>
<br /></div>
<div>
- Evangelism: The main goal is to make sure the application developer community (especially the internal one) knows all the capabilities in the portfolio and how to use them. It includes documentation, sample code, sample request sets (especially for edge and error cases), as well as the basic performance characteristics of a service. Without proper evangelism, developers will not know what capabilities exist and how to use them properly; as a result, they will re-build the same capability (often with a slightly different name, semantics and implementation).</div>
<div>
<br /></div>
<div>
- Advocacy: This can be thought of as the reverse of evangelism; its primary goal is to make sure services cover all the right capabilities application developers need. Through advocacy (and collecting requirements) we learn whether we need to introduce (or promote) a new type into our common type space, or whether we need a new service (such as integration with a certain data provider, for example a phone IMEI or business address provider). </div>
<div>
<br /></div>
<div>
Both E&A are critical to re-use at scale. Re-use (especially at the domain capability layer) is not developers' natural reaction, and the higher you are on the stack, the tougher re-use becomes. It is unlikely that a team (or engineers) will rebuild a JVM or a messaging protocol, but business abstractions such as Identity, Cart, Order, Search Result, Listing, Invoice etc., as well as the processes that operate on them, are duplicated all the time. E&A is the key to getting some level of re-use in the business domain.</div>
<br />
<br />
<h3>
Governance, Metrics and Measurements</h3>
<div>
The last major area of activity for CommerceOS is Governance, Metrics and Measurements. A lot of people believe that no governance should be required in developing a Micro service portfolio; this only leads to chaos, particularly for application developers, who often consume a large number of services. A more sensible suggestion is "decentralized governance". This sounds like a good idea, but the devil is in the details. CommerceOS adopted a light, but well defined, governance model and the processes that enable it. I fully realize that this may not be a popular concept in today's environment, driven by buzzwords such as "autonomy" and "agility"; however, my personal experience is that:</div>
<div>
- The right level of governance makes everyone's job much faster and less painful</div>
<div>
- Process has to be transparent, objective and driven by an explicit and measured SLA - what people hate is arbitrary process run by "people who think they know more than you do".</div>
<div>
<br /></div>
<div>
Having said that, CommerceOS defines processes to govern three aspects</div>
<div>
<br /></div>
<div>
<ol>
<li>Adding a service into CommerceOS portfolio (or deprecating of a service)</li>
<li>CommerceOS Common Type Space</li>
<li>Adoption of a standard or pattern into CommerceOS</li>
</ol>
</div>
<div>
Each process is well defined and has largely objective criteria.</div>
<div>
<br /></div>
<div>
See part V for more details.</div>
<br />
In part III, I will go over the standards and patterns that make all services and apps interoperate successfully; Part IV focuses on Foundations and Core Services, and part V talks a bit about processes and measurements.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />What is CommerceOS - Part I - Introduction (2014-09-01)<br />
I am often asked what CommerceOS is; equally as often, I answer based on what a successful end state for CommerceOS looks like: it is a set of capabilities, exposed largely as RESTful APIs, that allows anyone to rapidly, cost effectively and securely develop applications that facilitate commerce between or among real or legal entities, on any platform, device or language, globally.<br />
<br />
This means that if you want to develop an application for a consignment store to sell its merchandise online (on or off eBay), CommerceOS makes it easy for you. If you work for a large multi-national corporation and want to list your products on eBay and on your own site, then let local, regional and international buyers purchase your products, CommerceOS is your API. If you want to write a pop-up app on iPhone and Android that showcases adventure riding gear and products by mashing up content and pictures with commerce and community, CommerceOS should make your job easier and cheaper. And of course, if you are an eBay mobile developer, CommerceOS APIs enable you to build your applications... and countless other scenarios like these; you get the picture.<br />
<br />
This answer, although accurate from a utility and usage point of view, does not describe CommerceOS from a technical and architectural point of view. A casual observer may not appreciate the technical, process and organizational complexities that must be overcome to achieve the CommerceOS vision. In this series of posts I try to explain CommerceOS from the technical aspect.<br />
<br />
The rest of this post dives a bit deeper into motivations and problem definitions; in the <a href="http://softwareforallseasons.blogspot.com/2014/09/what-is-commerceos-part-ii.html" target="_blank">second part</a>, I will focus on how we have approached the problem and the architectural details of CommerceOS. <a href="http://softwareforallseasons.blogspot.com/2014/09/what-is-commerceos-part-iii-standards.html" target="_blank">Part III</a> explains the set of technical standards and patterns used by all CommerceOS services and consumers, which are the basis of interoperability for the entire system. <a href="http://softwareforallseasons.blogspot.com/2014/09/what-is-commerceos-part-iv-foundations.html" target="_blank">Part IV </a>is a review of a few core services of CommerceOS called "Shared Services". Finally, <a href="http://softwareforallseasons.blogspot.com/2014/09/commerceos-part-v-processes-metrics-and.html" target="_blank">Part V </a>deals with the processes we use to maintain and enhance the platform.<br />
<br />
First, a bit of context. Back in the 2009-2010 timeframe (when the CommerceOS transformation started) eBay had a global engineering workforce in the range of thousands (as it does today). The collective job of this engineering team was to work on an essentially web-based architecture (like so many other web-era companies). This architecture assumed (perhaps more implicitly than explicitly) that:<br />
<br />
<ul>
<li>Buyers interacted with the marketplace largely via a web browser, running on a desktop/laptop.</li>
<li>Sellers were small(er) and interacted either via the web UI or via APIs designed to replicate the web UI; essentially, APIs were designed for sellers.</li>
<li>The API code base and the business logic powering the web UI were largely two independent code bases.</li>
<li>Data and tables were shared among all applications and services. Systems were single tenant and monolithic from an identity and tenancy point of view. </li>
<li>Both data and code for all subsystems/capabilities (such as Identity, Checkout or Payment services, Search) were hard to isolate and package independently.</li>
<li>Operations technology was fixed capacity, manually provisioned and under-utilized.</li>
</ul>
<br />
<br />
The platform was stable and scalable (albeit with the scale-cost characteristics of the then-current state of technology: fixed capacity, built for burst), with its own set of processes that made it possible for global teams to get their job done. However, in 2009-2010, it was very clear that we were a few years into the development of trends that would re-shape (or ram through, depending on your point of view) traditional web-based architecture and require different scale-cost and productivity trajectories. These trends were:<br />
<br />
1- The ever-present mandate for efficiency and cost control, driven by the need to expand or at least preserve margins or reallocate resources. This is a natural trend for any market and segment as it becomes more mature and scales.<br />
2- The mobile and connected device revolution, which was shifting more and more traffic to non-web, non-PC devices.<br />
3- The advances in cloud computing that drove operating cost down, but demanded that functionality be packaged cleanly and independently so it could be deployed wherever capacity was available.<br />
4- The shift of the eBay merchant mix from smaller, more casual, lower-volume sellers/merchants to larger, more architecturally and operationally formal, higher-volume sellers.<br />
<br />
(I will talk about how technologies known as Big Data changed and impacted eBay architecture in a different post)<br />
<br />
It was very clear that the forces of the four factors above required a different architectural approach from the then-current web-oriented architecture. We needed to bring down the cost of both infrastructure and operations, as well as increase the productivity of our developers, to address #1 above.<br />
<br />
To address the multi-screen revolution (#2), we needed more than just a set of APIs (which eBay has had since 2003): eBay marketplaces needed all screens (including desktop) to consume one set of APIs, not two sets of code bases, one powering the "main" web UI and the other powering all APIs/devices. This is a much harder problem than simply developing APIs. Additionally, we needed all APIs, regardless of which one of nearly 100 teams across the globe develops them, to look like a coherent portfolio of APIs (given the laws of thermodynamics, you can guess how tough this is).<br />
<br />
To take advantage of the promises of cloud computing (elasticity of capacity, better resource utilization, related cost savings etc.) we needed our business logic and data to be encapsulated in well-defined and isolated modules, with clear dependencies, that lend themselves to packaging suitable for a cloud environment. Refactoring code to isolate systems and services is tough enough, but separating shared data and isolating storage and tables is an order of magnitude more challenging.<br />
<br />
And finally, the larger and more sophisticated our merchants and partners became, the more we needed to use formal integration methodologies and feed-based interactions built on de-facto industry-standard models of Order, Product, Inventory, Cart and Returns, and less on auction-centered models such as Item, Transaction etc. This represented a deep change in entity and domain models, a re-architecture of code and, perhaps more importantly, a migration from old models to new models.<br />
<br />
Given where we were and where we wanted to evolve the marketplace architecture, we came up with a definition of a vision for CommerceOS as the basis for alignment and execution, knowing full well that no one paragraph accurately covers all aspects of this initiative. Having said that, here is the definition we came up with:<br />
<br />
<span style="background-color: #f3f3f3;"><span style="color: blue;">CommerceOS is the eBay MP initiative to transform its architecture in such a way that the large majority of its platform capabilities and business processes are exposed as RESTful APIs in the cloud, in such a way that all marketplace participants can consume them uniformly, securely, effectively and with high quality.</span></span><br />
<br />
This may sound a bit abstract, but let me parse it:<br />
<br />
The primary goal is to <b>"transform architecture"</b>: this means both the technology stack (for services and applications) and processes, not just technology (it never works that way).<br />
<div style="text-align: justify;">
<br /></div>
<b>Platform capabilities and business processes</b>: That basically means everything that MP does, from identity, verification of attributes and caching to listing, pricing, order management and search, needs to be re-designed as RESTful services and exposed to the correct consumers. The modifier "<b>Majority</b>" indicates that some interactions are not strictly RESTful because of legacy or integration requirements. We are pragmatic about it.<br />
<br />
Our services are <b>RESTful</b>; it is a de-facto standard, and we developed a few internal specs to uniformly cover aspects such as the use of non-HTTP verbs, security, tracking, internationalization, filtering, constraints etc.<br />
<br />
The deployment target for services is the "<b>Cloud</b>". This is not a feel-good or casual term; it strictly means that a service must be produced in a way that it can be packaged fully isolated from other services, with well-known dependencies and a clear version number. This allows us to deal with a unit of capability as a building block and use technologies such as Docker effectively (we had a few detours here with OSGi but course corrected).<br />
<br />
<b>"All participants"</b> indicates that the consumers will be applications written not only for buyers and small sellers who interact with the marketplace via a browser, but for everyone else <b>on all devices</b>, including large sellers who never interact via ebay.com, CS and their internal tools, partners such as logistics service providers, as well as internal eBay staff and, of course, eBay applications on all devices.<br />
<br />
Then there is a set of non-functional requirements, each key to how APIs are built. They include:<br />
<br />
<b>Uniform</b>: basically one code base supporting all consumers, with no "primary" web consumer.<br />
<b>Secure</b>: self-explanatory; the platform MUST be secure, with well-defined identity, access management and auditing. Secure also includes availability.<br />
<b>Efficient</b>: APIs must be efficient to consume, i.e. application developers must spend a minimal amount of time and effort to consume them (docs, samples and sandboxes); APIs should also be cost effective to operate (see the cloud requirement).<br />
<b>High Quality</b>: An umbrella term covering functional quality (no bugs) as well as performance.<br />
<br />
CommerceOS started with this vision definition and context. In the next post, I will describe the architecture and structure of CommerceOS, both as a technology platform and from an organization/process point of view.<br />
<br />
<br />
<br />Via Quora: How has eBay's review system evolved in the past few years? (2012-11-24)<br />
<br />
The feedback system and "feedback score" are among the first things associated with eBay (maybe second only to auctions). The main purpose of any feedback system is to harness the "signals" community members send to a "feedback processor" in order to encourage and "enforce" desirable behavior. Anyone who has ever thought about or designed a rating or feedback system knows that the task is not as easy as it may first seem. And the first step is to understand what the different attributes of a feedback system are.<br />
<br />
A member of the Quora community asked me to answer the question "<a href="http://www.quora.com/eBay/How-has-eBays-review-system-evolved-in-the-past-few-years">How has eBay's review system evolved in the past few years?</a>". The question provided me with an opportunity (and a little push) to talk about six attributes of any feedback system. See <a href="http://www.quora.com/eBay/How-has-eBays-review-system-evolved-in-the-past-few-years">here for the full answer</a>, and if you are not using Quora, I strongly recommend you consider using it. It is addictive. <br />
<br />
Primary Goals and Strategic Metrics vs. Operational Metrics (2012-09-14)<br />
<br />
Measurement is key to any successful engineering effort; the key is which metrics you choose to measure and how you interpret the measurement. In general there are two types of metrics, associated with two different types of goals:<br />
<br />
- Primary (or strategic) goals and related metrics<br />
- Operational Goals and related operational metrics<br />
<br />
When goals are defined, it is very important to define which category a goal belongs to, so that progress (or lack thereof) can be measured accurately.<br />
<br />
An example makes the difference between the two types of metrics clear. Imagine you want to drive from San Francisco to Los Angeles. Your goal is very clear, getting to L.A., and the metric associated with it is also clear: how far you are from L.A. (or how far you have traveled so far). You drive a car, so you measure your car's engine temperature and fuel level; these are your operational metrics.<br />
<br />
You can keep your engine temperature within a reasonable range and maintain a proper fuel level, but these are not the goals of your trip. If you are happy simply because your engine does not overheat, and you are not concerned with how far from L.A. you are, you are not measuring the right metrics.<br />
<br />
The distinction between primary goals and operational goals is not always as easy to spot. Imagine you are designing an Order Management service (or any other service). It is easy, maybe even common, to measure the number of calls to the service per hour, day etc. and assume that the goal is being achieved. However, if your service can only be called by one type of client (because it is the only one that can supply a certain input parameter, for example), are you really achieving one of the most important (and common) goals of service design, which is re-use of a capability by all consumers? Here, the number of calls is an operational metric; it has to be measured, and it may be necessary, but it is not sufficient. To measure the primary goal, you need to measure the diversity of consumers (across languages, devices and platforms).<br />
<br />
For another example, assume you deploy a distributed cache service. The goal of any cache service is to improve performance (and scalability). Again, it is easy to measure metrics such as the number of calls to the service, or even more specific metrics such as "hit rate", but the primary goal here is to measure, from the consumer's point of view, the performance and scale improvement.<br />
<br />
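As an added example (not from the post; the log lines, service names and numbers are constructed), the script below computes the operational metric from the Order Management example, calls per service, alongside a primary metric for the re-use goal: how many distinct consumers, platforms and languages each service actually serves, summarised with an evenness score. It goes slightly beyond the post by picking a concrete diversity measure (normalised Shannon entropy of calls per consumer); that choice is an assumption, and other measures would serve as well.<br />

```python
"""Operational metric (call count) vs. primary metric (consumer diversity).

Added example, not from the post or eBay. The log format and every number
below are constructed; the evenness score is one choice of diversity measure.
"""
import math
from collections import Counter
from typing import Dict, List

# Constructed access-log sample: timestamp, service, then key=value fields.
SAMPLE_LOG = """\
2012-09-14T10:00:01Z order-mgmt consumer=web-checkout platform=web lang=java
2012-09-14T10:00:02Z order-mgmt consumer=web-checkout platform=web lang=java
2012-09-14T10:00:03Z order-mgmt consumer=web-checkout platform=web lang=java
2012-09-14T10:00:04Z order-mgmt consumer=web-checkout platform=web lang=java
2012-09-14T10:00:05Z order-mgmt consumer=web-checkout platform=web lang=java
2012-09-14T10:00:06Z order-mgmt consumer=web-checkout platform=web lang=java
2012-09-14T10:00:07Z listing-details consumer=ios-app platform=ios lang=objc
2012-09-14T10:00:08Z listing-details consumer=android-app platform=android lang=java
2012-09-14T10:00:09Z listing-details consumer=web-checkout platform=web lang=java
2012-09-14T10:00:10Z listing-details consumer=partner-feed platform=server lang=python
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log format into one dict per line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, *fields = line.split()
        rec = {"ts": ts, "service": service}
        rec.update(f.split("=", 1) for f in fields)
        records.append(rec)
    return records


def operational_metrics(records) -> Dict[str, int]:
    """Calls per service: easy to measure, but says nothing about re-use."""
    return dict(Counter(r["service"] for r in records))


def consumer_diversity(records, service) -> dict:
    """Primary metric for a re-use goal: distinct consumers, platforms and
    languages, plus an evenness score in [0, 1] (Shannon entropy of calls per
    consumer, normalised by log(#consumers)). 1.0 means calls are spread
    evenly across consumers; 0.0 means a single consumer accounts for all."""
    mine = [r for r in records if r["service"] == service]
    per_consumer = Counter(r["consumer"] for r in mine)
    total = sum(per_consumer.values())
    n = len(per_consumer)
    if n <= 1:
        evenness = 0.0
    else:
        entropy = -sum((c / total) * math.log(c / total) for c in per_consumer.values())
        evenness = entropy / math.log(n)
    return {
        "calls": total,
        "consumers": n,
        "platforms": sorted({r["platform"] for r in mine}),
        "languages": sorted({r["lang"] for r in mine}),
        "evenness": round(evenness, 3),
    }


def metrics_report(text: str = SAMPLE_LOG) -> dict:
    """Both views side by side, keyed by service."""
    records = parse_log(text)
    ops = operational_metrics(records)
    return {"operational": ops,
            "primary": {svc: consumer_diversity(records, svc) for svc in ops}}
```

On the sample, order-mgmt "wins" on the operational metric (6 calls against 4) but has a single consumer on a single platform, while listing-details is called by four different consumers on four platforms in three languages: exactly the case the paragraph above warns about.<br />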
One main reason operational metrics are often measured, and used for decision making, instead of primary-goal or strategic metrics is that they are generally easier to measure. It is certainly easier to measure the "number of calls" to a service than whether a service increases its consumers' productivity. <a href="http://www.howtomeasureanything.com/" target="_blank">"How to Measure Anything"</a>, by Douglas Hubbard, is a great resource for techniques to measure hard-to-quantify goals and metrics.<br />
<br />What really is this "Managed Market Place" anyway? (2012-03-14)<br />
I work for a division within eBay Inc. called "Managed Market Places". The name is a bit curious. I have been asked, more than once and by a range of people, what a "managed marketplace" really is. Is it a new type of marketplace by eBay (no, it is not!)? Is it a vertical/niche marketplace within eBay (no, it is not!)? Someone on Quora even interpreted it as meaning that eBay simply "manages" the marketplace as opposed to growing it! (If this were the case, why would eBay announce it to the whole world by labeling it as such?)<br />
<br />
So then what exactly is MMP (as it is known internally) and why is it important?<br />
<br />
The nature of the Internet lends itself perfectly to the basic concept of a "marketplace": a mechanism for buyers and sellers to find each other. Marketplaces were, and still are, an important and growing part of the Internet. The growing list of niche marketplaces includes etsy, zaarly, odesk, airbnb, taskrabbit, yardsellr, zimride and many, many more (not to mention marketplaces from facebook, google, yahoo and other major players).<br />
<br />
At first glance, it looks simple enough: create a site that brings the parties to a transaction together (from the buyer and seller of an antique to two people who want to share a ride or a room), and either take a cut of the transaction or make money by advertising. This is indeed the basic concept behind a marketplace, or rather an unmanaged marketplace. The marketplace itself is not a party to any transaction. Buyer and seller deal with each other directly and take the risk (or the bulk of the risk) of a direct transaction. eBay operated, more or less, as an un-managed marketplace for a while too.<br />
<br />
In a managed marketplace, on the other hand, neither party to a transaction takes a risk; in other words, the marketplace guarantees the success of the transaction, with no risk (at least ideally). Of course, a managed marketplace can "manage" other aspects of the interaction as well, such as inventory, quantity, price, promotions etc., but for now we only focus on risk, as it is the focus of eBay MMP as well.<br />
<br />
The evolution of simple Internet marketplaces into managed marketplaces is an important trend, as Internet users become more sophisticated and demand more from the services they use online. The <a href="http://travel.usatoday.com/destinations/dispatches/post/2011/07/plot-thickens-airbnb-renter-horror-story/179250/1">AirBnB incident</a> back in July of 2011 is a perfect illustration of how "unmanaged" marketplaces will be forced to offer a higher level of assurance/risk mitigation and become managed marketplaces.<br />
<br />
What does it mean from a systems and architecture point of view? Here are five main aspects that are particularly different when dealing with managed marketplaces:<br />
<br />
1- The first significant change is that of people's mindset: you have to see yourself as being in the risk management business, or at least assume that risk management is a major part of your operations. What this changes, first and foremost, is that you now have to identify, assess, prioritize, mitigate (or plan to) and measure risk. In all likelihood all of these activities (and the tools and systems you need to perform them) are new to you if you have been dealing with a simple/un-managed marketplace.<br />
2- Central to any consumer risk management scheme is "Identity", and I don't mean OpenID or OAuth or SSO... I mean attributes, assurances, verification, accuracy, uniqueness, or mapping a real-world entity to a digital identity (Entity Resolution).<br />
3- Data is the core of efficient risk management, and big data and your ability to collect and analyze it become central to your ability to operate the marketplace at a reasonable cost (minimum losses).<br />
4- Coherent architecture becomes even more important, simply because your systems become more complex and more integrated. A simple marketplace is just that, a marketplace site/application. A managed marketplace would include identity provisioning and verification; risk definition, measurement and management at the user and at the transaction level; a system for filing claims and disputes; systems dealing with the ever-changing legal and business landscape that dictates what you can and cannot do with the data you collect; and finally integrating all these systems in a productive way (seamless but without coupling them).<br />
5- Event Driven and Complex Event Processing: This already has a big role in distributed systems, but it plays a more and more important role in distributed risk management. Real-time assessment of risk becomes critical and, due to the cost/performance of risk assessment, incremental assessment of risk based on primitive and complex events generated over an entire session (or even the lifetime of a user) will be the only practical solution.<br />
<br />The Uncommon Security Common Sense (2011-11-23)<br />
I cannot claim that I have actually counted or classified all the reasons people cite for not taking security (or, for that matter, sound and well-thought-through system design) seriously from the start, but the three following lines seem to be the most common ones:<br />
<br />
1- The "it is too contained" line: So what is the big deal? At worst it may affect a very small percentage of my users.<br />
2- The "it is too early" line: Oh my system/site/project is too small and we only have a few users, we really don't have time/resources for this.<br />
3- The "it is too small" line: My project is too small or too obscure for anyone to care.<br />
<br />
By the way, I have heard these lines or their equivalents not only when it comes to security engineering (or re-engineering) but also in designing business policies or risk management measures to prevent fraud, or negative user experiences in general, as well as in general system design.<br />
<br />
Now, to be fair, these reasons all sound like "common sense". After all, why would you take on additional cost and time for your project, or accept the expense and risk of re-engineering your code, to fix an issue that may only affect 1% or 0.01% of your users? Why should you spend two weeks fortifying a system that took you 3 days to design and is "just an experiment"? And finally, who really cares about a small project somewhere with some obscure URLs that takes an email address as one of its inputs and shows a useful error message if the email is not registered? Does ANYONE really care?<br />
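The last question above deserves a concrete answer from a defender's view. A lookup whose error message (or whose response time) differs depending on whether an address is registered discloses which addresses are accounts, which is exactly the information a password-reset or login endpoint should not give away, however obscure its URL. The following is an added example, not code from the post; the user store, the messages and the function names are constructed. It shows the enumerable form of a reset lookup and of a login check beside the uniform form of each.<br />

```python
"""Account lookup responses: enumerable form vs. uniform form.

Added example, not from the post. The user store, salt, messages and
function names are constructed for illustration only.
"""
import hashlib
import hmac

_SALT = b"example-salt"   # constructed; a real store uses a per-user random salt and a slow KDF


def _hash_password(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


_USERS = {"alice@example.com": _hash_password("correct horse")}   # constructed user store
_DUMMY_HASH = _hash_password("dummy")   # compared against when the email is unknown

GENERIC_RESET = "If an account exists for this address, a reset link has been sent."
GENERIC_LOGIN = "Invalid email or password."

_sent = []   # constructed stand-in for the outgoing mail queue


def reset_enumerable(email: str) -> str:
    """The 'useful' message: its text reveals whether the email is registered."""
    if email not in _USERS:
        return "No account is registered for this email address."
    _sent.append(email)
    return "A password reset link has been sent."


def reset_uniform(email: str) -> str:
    """Same message either way; only the mailbox owner learns the real outcome,
    because the reset mail is sent only when the account exists."""
    if email in _USERS:
        _sent.append(email)
    return GENERIC_RESET


def login_enumerable(email: str, password: str):
    """Two leaks: a distinct message for unknown users, and no hashing work for
    them, so the unknown-user path also answers measurably faster."""
    if email not in _USERS:
        return False, "Unknown email address."
    if not hmac.compare_digest(_USERS[email], _hash_password(password)):
        return False, "Wrong password."
    return True, "Welcome."


def login_uniform(email: str, password: str):
    """One generic message, and an unknown email still costs one hash plus one
    constant-time comparison, so both failure paths look alike."""
    stored = _USERS.get(email, _DUMMY_HASH)
    ok = email in _USERS and hmac.compare_digest(stored, _hash_password(password))
    return (ok, "Welcome.") if ok else (False, GENERIC_LOGIN)
```

Rate limiting per source and per target address belongs on top of this; the uniform response removes the disclosure, it does not by itself stop someone from hammering the endpoint.<br />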
<br />
Well, as it turns out, security common sense (like many other forms of common sense) is actually quite uncommon! Let's look at this frequently cited common-sense logic a bit more closely.<br />
<br />
To demonstrate the fallacy behind the <b>first logic</b> (it is too contained, it only affects 0.01% of users) I cannot think of any better illustration than the words of presidential candidate Herman Cain, who said that "for each woman who has accused him of harassment there are probably thousands who haven't", and he is 100% accurate and right! But does that make any difference? In all likelihood his presidential bid is all but over. Or could the Washington D.C. police chief during the <a href="http://en.wikipedia.org/wiki/Beltway_sniper_attacks">"D.C. Sniper Attacks"</a> possibly have argued that the whole thing was not a big deal because only 0.001% of the D.C. metro population were actually killed, and therefore there was no need for a massive mobilization of police, FBI, ATF and even the Secret Service!?<br />
<br />
The same math is true for security: it does not matter if only 1000 users out of 10MM become victims of a poorly secured or poorly designed system. What matters is how many people hear and learn about it, and you can be sure that, at least in this day and age, that number is a few orders of magnitude larger than the actual number of victims. The sense of insecurity this causes in the rest of the user community, and its economic cost, is the real math that matters, not the fact that only 1000/10MM = 0.01% of users were affected.<br />
<br />
The <b>second line</b>, "it is too early", or its equivalents "we don't have enough time or resources", is the most common line, not only in security matters but in system design and architecture as well. What is interesting here is that the exact premise cited for not focusing on security (or sound design, for that matter) is why security should be taken seriously, i.e. "I am too new to afford not to be secure". If you are releasing a new product (or brand, or site) you REALLY DO NOT HAVE A SECOND CHANCE TO MAKE A FIRST IMPRESSION. If you are not secure, or if your first few users get taken advantage of (think of the AirBnB incident), you are doomed. To further demonstrate the risk in this argument I submit the following picture of one of the more famous car design mistakes: the 1998 Honda Odyssey.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://trialx.com/curetalk/wp-content/blogs.dir/7/files/2011/06/cars/1998_Honda_Odyssey-2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://trialx.com/curetalk/wp-content/blogs.dir/7/files/2011/06/cars/1998_Honda_Odyssey-2.jpg" /></a></div><br />
<br />
Honda designed this in a hurry to get into the growing minivan market dominated by Dodge/Chrysler. They decided to differentiate by replacing the convenient power sliding door with a traditional door! Imagine what would have happened if this had been a new no-name company without Honda's established brand. Of course Honda corrected the mistake in the 1999 model and beyond and went on to have one of the most successful minivans. But if you are not Honda, you had better spend time and money on designers and marketers to tell you, on the first try, that whoever buys a minivan *needs* a sliding door.<br />
<br />
Now we get to the <b>third line</b>, "Who really cares about me?" I have to admit that I have the most sympathy for people who resort to this logic. After all, it is tough to imagine how capable and resourceful the modern fraudster/hacker community is without actually having had a brush with them. I will not get into the details here (if you are interested you can skim Rick Howard's excellent book <a href="http://product.half.ebay.com/Cyber-Fraud-Tactics-Techniques-and-Procedures-by-Kellie-Bryan-and-Rick-Howard-2009-Hardcover/66819436&cpid=1388234078">"Cyber Fraud: Tactics, Techniques and Procedures"</a>); for the purpose of this writing I'd suggest you assume the following is true:<br />
<br />
In the game of "Who wants to break into my system", your adversary is more motivated (financially or politically) than you are, more experienced than you are, more innovative than you are, more nimble than you are, wants it more than you do, has a smaller cost base than you do and (therefore) needs only 0.01% (or fewer) of your users. The ONLY advantage you have is that you write the rules of the game. Do not give up that advantage easily; without it, you WILL lose the game.<br />
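The obscure email-check endpoint from the "too small" line above is a textbook account-enumeration oracle. The following is an added example, not code from this post: the registered-user set and the "harvested" address list are constructed for illustration. It shows the oracle the helpful error message creates, the attacker's filter that turns a cheap unverified list into a verified one, a hardened handler whose response does not depend on whether the address exists, and the regression check that keeps it that way.

```python
"""Account enumeration through an email-check endpoint (added example).

REGISTERED and HARVESTED are constructed sample data, not real accounts."""
from collections import defaultdict

# Constructed data: accounts that exist at "company X".
REGISTERED = {"alice@example.com", "bob@example.com", "carol@example.com"}
# Constructed "harvested" list: cheap, mostly junk, a few real accounts.
HARVESTED = ["alice@example.com", "nobody@example.com", "bob@example.com",
             "junk1@example.net", "carol@example.com", "junk2@example.org"]

OUTBOX = []  # stand-in for the mail system: the one channel that may differ


def lookup_vulnerable(email: str) -> dict:
    """The 'helpful' endpoint from the post: a different status and message
    for unknown addresses turns password reset into a membership oracle."""
    if email in REGISTERED:
        OUTBOX.append(email)
        return {"status": 200, "message": "Reset link sent."}
    return {"status": 404, "message": "This email is not registered."}


def harvest(oracle, candidates: list) -> list:
    """What an attacker does with the oracle: keep every address the service
    confirms, one request per entry. The $50 list becomes the $5000 list."""
    return [e for e in candidates if oracle(e)["status"] == 200]


_requests = defaultdict(int)   # per-source counter; window expiry omitted
RATE_LIMIT = 5                 # requests per source per window (assumed)


def lookup_hardened(email: str, source: str) -> dict:
    """Identical status, message and shape whether or not the address exists;
    the only observable difference is the email that (maybe) goes out, which
    the attacker cannot see. A per-source rate limit makes bulk probing
    expensive even if some residual side channel (e.g. timing) remains."""
    _requests[source] += 1
    if _requests[source] > RATE_LIMIT:
        return {"status": 429, "message": "Too many requests."}
    if email in REGISTERED:
        OUTBOX.append(email)   # side effect invisible to the caller
    return {"status": 200,
            "message": "If that address is registered, a reset link has been sent."}


def responses_differ(handler) -> bool:
    """Regression check worth keeping in a test suite: a registered and an
    unregistered address must produce byte-identical responses."""
    return handler("alice@example.com") != handler("zzz-not-a-user@example.com")


if __name__ == "__main__":
    print("leaked by the oracle:", harvest(lookup_vulnerable, HARVESTED))
    print("learned from hardened:",
          harvest(lambda e: lookup_hardened(e, "198.51.100.7"), HARVESTED))
```

The same oracle usually exists in registration ("email already in use") and login ("unknown user" vs. "wrong password") paths, so the uniform-response check should cover all three. Timing is the residual channel: do the same amount of work on both branches and queue the outbound mail asynchronously rather than sending it inline.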
<br />
By the way, the endpoint URL that takes an email and very nicely checks and displays an error if the email does not belong to a valid user was actually found (even though it was an obscure URL not linked to from anywhere) and used to extract valid company X user emails (cost $5000+) from a large list of unverified harvested emails (cost $50): a vital part of the phishing industry's value chain.<br />
Farhang (@farhangkassaei)<br />
<br />
<b>OIX Attribute Exchange Summit - Washington DC</b> (2011-11-06)<br />
Open Identity Exchange (OIX) is holding this year's <a href="http://openidentityexchange.org/events/attribute-exchange-summit">Attribute Exchange Summit in Washington, DC</a>.<br />
<br />
Identity attributes are at the core of the concept of digital identity. As the federated identity ecosystem matures and adoption grows among more sophisticated RPs, with more consequential use cases such as government, health, education and commerce, so does the need for wider sets of attributes with more accurate and fresher values. This presents both tough challenges and opportunities for IDPs.<br />
<br />
The challenges center, as one might expect, on aggregating, correlating, transforming and maintaining fresh copies of attributes in a cost-effective manner, and in a way that does not compromise the privacy (and other rights) of the principal who owns them. IDPs can differentiate themselves by the range of attributes they can provide in this way, and therein lies the opportunity.<br />
<br />
I will be talking more about identity attributes, their life cycle, use cases and how they help establish and elevate trust among parties to commercial transactions (online and offline) as part of a panel with Don Thibeau, OIX/OIDF chairman, and Abbie Barbir, VP, BoA.<br />
<br />
If you are planning to attend, I'd be happy to hear from you.<br />
Farhang (@farhangkassaei)<br />
<br />
<b>OAuth vs. OpenID Connect?</b> (2011-10-17)<div class="MsoNormal">The OpenID Connect 1.0 spec is finally released (actually it was released back in August). Its release was accompanied by two predictable categories of questions/sentiments, one not very well informed and the other a legitimate question:</div><div class="MsoNormal"><br />
</div><div class="MsoListParagraphCxSpFirst" style="margin-left: .75in; text-indent: -.25in;">- OpenID is dead</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: .75in; text-indent: -.25in;">- OpenID Connect is really OAuth, so why do we need a new protocol?</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: .75in; text-indent: -.25in;"><br />
</div><div class="MsoNormal">Granted, these normally come from the software engineering and social application programmer community and not from the identity community, but I feel they are significant enough to be addressed, especially at a time when more and more entities are contemplating becoming identity providers and need to decide which protocol they should implement.</div><div class="MsoNormal">First, on the demise of “OpenID”: it is true that the earlier versions of OpenID (version 1 and version 2) are, for all intents and purposes, deprecated and will not gain a whole lot of traction. But the general idea of “open” standards for communicating between RPs and IDPs, which enable users to provision fewer accounts and have a portable identity while still maintaining control over their privacy and data, is alive and well, and is actually even more vital than before.</div><div class="MsoNormal">Second, on the relationship between OAuth and OpenID Connect: OAuth is a general protocol for authorizing an agent to access a resource on behalf of the resource’s owner. OAuth does not assume any particular knowledge about the resource itself. What does this mean? Let’s go back to the canonical OAuth use case of a user who would like to authorize a printing service to access her photos from a photo service provider. Now imagine that the photo service is slightly more sophisticated and recognizes a few properties associated with photos, e.g. resolution, size, whether they are shots with no humans, and if they are shots with humans, who appears in them; basically, let’s assume the resource served by the SP has more semantics than simple “access”.</div><div class="MsoNormal">Now imagine that the user wants to grant access only to JPEG photos of herself and not full access to all photos. How would the IDP encode these semantics in the authorization request and response? How would the SP know that it should only provide access to a subset of images?</div><div class="MsoNormal">To be sure, this is doable using OAuth, but the implementer has to add additional parameters to the request and response, or possibly constrain the input values of some other parameters.</div><div class="MsoNormal">A protocol built this way to access a specialized resource would be a photo access protocol built on top of OAuth.</div><div class="MsoNormal">In essence this is exactly what OpenID Connect is: a protocol built on top of OAuth that supports features that are often desired and used when the resource being delegated is “identity” and attributes about an identity.</div><div class="MsoNormal">To illustrate the point, here is what we, at eBay, had to do for an internal authentication protocol on top of OAuth:</div><div class="MsoListParagraphCxSpFirst" style="text-indent: -.25in;">- <b>Force Authentication:</b> adding parameters to the authorization request to force users to authenticate no matter what their authentication state with the IDP is</div><div class="MsoListParagraphCxSpMiddle" style="text-indent: -.25in;">- <b>Authorization Behavior:</b> adding parameters to the authorization request to indicate to the IDP whether it should display the consent page and how to display the login page (overlay, full page)</div><div class="MsoListParagraphCxSpMiddle" style="text-indent: -.25in;">- <b>Standard Claim Set:</b> defining the default set of attributes returned by the IDP</div><div class="MsoListParagraphCxSpMiddle" style="text-indent: -.25in;">- <b>Requested Attributes:</b> adding a mechanism to allow RPs to ask for additional attributes, and annotating them to indicate whether explicit user consent is required</div><div class="MsoListParagraphCxSpMiddle" style="text-indent: -.25in;">- <b>Authentication Context:</b> adding a fragment to the response to communicate the authentication context (single vs. multi-factor, PIN vs. password, number of retries, etc.)</div><div class="MsoListParagraphCxSpMiddle" style="text-indent: -.25in;">- <b>Protection:</b> adding parameters to indicate how access tokens should be protected (encryption, signature and order of operations)</div><div class="MsoListParagraphCxSpLast" style="text-indent: -.25in;">- <b>Token Validation endpoint:</b> adding an endpoint to introspect access tokens on demand</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">These are all features and facets that OpenID Connect enables in a standard and interoperable fashion. In the absence of a standard such as OpenID Connect, any RP integrating with our IDP had to implement what was essentially a proprietary protocol, albeit one on top of OAuth.</div><div class="MsoNormal">The point is that if you want to operate an IDP and you want to use just OAuth, you have to add a few things to OAuth, depending on the depth of your requirements, to make it work for the “identity” resource. One of those things matters more than the rest: an OAuth access token is opaque to the client and says nothing about who is logged in or which client it was minted for, so an RP that treats “I obtained a token” as “this user authenticated to me” can be fooled with a token issued to some other client. A signed assertion with an audience and a nonce, which is what the OpenID Connect ID token is, is what closes that gap. This is exactly what Facebook did with Facebook Connect, and they also did a good job of wrapping it with JavaScript plug-ins. The goal of OpenID Connect is to use OAuth as the basic access authorization protocol and add identity-specific features to it so that it becomes a standard “identity protocol” that enables seamless interoperability.</div><div class="MsoNormal"><br />
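The following is an added example, not eBay's internal protocol and not code from this post. It puts the two authorization requests side by side, showing where the knobs listed above (force authentication, display behaviour, standard claim set, requested attributes, authentication context) land as standard OpenID Connect parameters, and then has the IDP mint an ID token and the RP validate it. The issuer, client id, redirect URI and secret are made up; HS256 with the client secret as key is used so that it runs offline (OpenID Connect permits this, though RS256 with published keys is the norm).

```python
"""OAuth 2.0 vs. OpenID Connect on the wire (added example).

ISSUER, CLIENT_ID, REDIRECT and CLIENT_SECRET are assumed values."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

ISSUER = "https://idp.example"            # assumed
CLIENT_ID = "rp-printing-service"          # assumed
REDIRECT = "https://rp.example/cb"         # assumed
CLIENT_SECRET = b"shared-secret-for-demo"  # assumed; HS256 key


def oauth_authz_request(state: str) -> str:
    """Plain OAuth 2.0: access to a resource on the user's behalf, nothing more."""
    return urlencode({"response_type": "code", "client_id": CLIENT_ID,
                      "redirect_uri": REDIRECT, "scope": "photos.read",
                      "state": state})


def oidc_authz_request(state: str, nonce: str) -> str:
    """OpenID Connect adds, as standard parameters, what the post bolted on:
    scope=openid (standard claim set), prompt and max_age (force
    authentication, consent behaviour), display (how to show the login UI),
    claims (requested attributes) and nonce (binds the ID token to this
    request)."""
    return urlencode({"response_type": "code", "client_id": CLIENT_ID,
                      "redirect_uri": REDIRECT, "scope": "openid profile email",
                      "state": state, "nonce": nonce, "prompt": "login",
                      "max_age": "300", "display": "popup",
                      "claims": json.dumps({"id_token": {"acr": {"essential": True}},
                                            "userinfo": {"phone_number": None}})})


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub: str, nonce: str, auth_time: int, now: int,
                   aud: str = CLIENT_ID, acr: str = "urn:idp:mfa") -> str:
    """IDP side: a JWS (HS256) ID token carrying the authentication context
    (acr, amr, auth_time) the post's proprietary fragment had to convey."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now, "exp": now + 600,
              "nonce": nonce, "auth_time": auth_time, "acr": acr, "amr": ["pwd", "otp"]}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, max_age: int, now: int):
    """RP side, per OIDC Core 3.1.3.7. Returns (claims, None) or (None, reason).
    Pin the algorithm before verifying so the token cannot pick 'none'; check
    iss, aud, exp and nonce; and because max_age was requested, require a
    recent auth_time. A bare OAuth access token offers none of these checks."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None, "unexpected alg"
        expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None, "bad signature"
        claims = json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None, "undecodable token"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    if CLIENT_ID not in aud:
        return None, "token issued to a different client"
    if now >= claims.get("exp", 0):
        return None, "expired"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch (replayed token?)"
    if "auth_time" not in claims or now - claims["auth_time"] > max_age:
        return None, "authentication too old for max_age"
    return claims, None
```

The "token issued to a different client" branch is the one the plain-OAuth design lacks: with only an access token, the RP has no audience to compare against, which is why an introspection endpoint (the last bullet above) ends up being added by hand. In production, replace the shared secret with the IDP's published signing keys and check `iat` and clock skew as well.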
</div>Farhang (@farhangkassaei)<br />
<br />
<b>PayPal Access & Commercial Identity</b> (2011-10-12)<br />
Today eBay Inc. announced an identity and attribute provider product called PayPal Access. Some described it as a <a href="http://www.zdnet.com/blog/btl/paypal-access-becomes-the-facebook-connect-for-online-payments/60550">"Facebook Connect for Commerce"</a>, others <a href="http://www.digitaltransactions.net/news/story/3236">described it as an easy registration tool for mobile sites</a>. Today at the X.commerce Innovate Conference someone suggested to me that this is the first step for eBay Inc. to offer full cloud-based user management for e-commerce sites and merchants. You can also see the official press release from eBay Inc. <a href="http://www.ebayinc.com/content/press_release/20111012006418">here</a>.<br />
<br />
Most of the press and coverage today focused on "Consumer Identity", or more accurately Consumer Commercial Identity, and the benefits of PayPal Access for consumers and the online merchants they visit. Consumer identity is indeed one facet of "commercial identity", but there is another side to commercial identity, a less understood (and arguably less sexy) side, and that is Merchant Identity. What do I mean by this? Let's look at a scenario:<br />
<br />
Merchants themselves are consumers of many online and offline services (think of them as B2B services): a company that sells on eBay, or any other online channel, has an eBay account, an account with a shipping company (FedEx), a Facebook account, perhaps another account with an email marketing service, a bank account, etc. Clearly merchants suffer from the same "account and password hell" that consumers do, but this hell is a lot deeper and hotter for merchants. Consider these facts:<br />
<br />
- Most merchants have employees/contractors who create these accounts on behalf of the merchant<br />
- A lot of these employees (for smaller merchants) are part-time or temps<br />
- Employee turnover is high<br />
<br />
Here, in addition to the usual forgetting of one's password (which for a merchant leads to a loss of productivity and money), sometimes the person who created the account simply leaves. If you are lucky and s/he left on good terms, you end up having to chase the former employee to restore your access; if not, you are exposed to unauthorized access by that employee, or to outright account takeover.<br />
<br />
You might say, what is the difference between this and consumer identity? These employees are consumers too, and technically there is no difference. But look closer. Merchant use cases are fundamentally different. In consumer identity use cases, a consumer is a principal and gives consent on his/her own behalf to an agent (another site or application); the IDP itself recognizes the consumer as the principal and allows her (and ONLY her) to change or revoke this access. In merchant cases, what appears to be the consumer is really not a principal bound to the merchant identity but an employee. In this case the IDP must recognize this "hierarchical relationship" and allow an "admin" employee of the merchant to monitor and manage the life cycle of the tokens (and identities) of the other employees.<br />
<br />
In the use case above, merchant X would not reveal its primary eBay user name and password to any employee; it would provision an account for each employee. The employee then logs into eBay using her own account, via PayPal Access, while PayPal Access monitors and manages all the tokens issued to all employees of merchant X. Should an employee leave or change function, the token can be revoked by merchant X's admin regardless of the employee's decision.<br />
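The following is an added example of the revocation policy just described; it is not PayPal Access code and its data model is made up. A consumer is her own principal and may revoke only her own grants; tokens issued to a merchant's employees belong to the merchant, so an admin of that merchant may list and revoke them, including after the employee is gone, while an admin of a different merchant, or anyone at all for a consumer's own token, may not.

```python
"""Delegated tokens in a merchant hierarchy (added example).

Principal, Token and TokenStore are an assumed model, not a real IDP's API."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Principal:
    id: str
    org: Optional[str] = None       # None: a consumer acting for herself
    admin: bool = False             # admin of `org`


@dataclass
class Token:
    id: str
    subject: str                    # who authenticated
    org: Optional[str]              # merchant the subject acted for, if any
    client: str                     # RP the token was issued to
    revoked: bool = False


def can_revoke(actor: Principal, token: Token) -> bool:
    """Self-service always; otherwise only an admin of the token's own org.
    Consumer tokens (org None) have no admin above them."""
    if actor.id == token.subject:
        return True
    return token.org is not None and actor.org == token.org and actor.admin


class TokenStore:
    def __init__(self) -> None:
        self.tokens: Dict[str, Token] = {}

    def issue(self, subject: Principal, client: str, token_id: str) -> Token:
        """The org is recorded at issue time from the login used, so a token
        minted under a merchant login stays under the merchant's control."""
        tok = Token(token_id, subject.id, subject.org, client)
        self.tokens[token_id] = tok
        return tok

    def revoke(self, actor: Principal, token_id: str) -> bool:
        """Returns True only if a live token was revoked by someone entitled to."""
        tok = self.tokens.get(token_id)
        if tok is None or tok.revoked or not can_revoke(actor, tok):
            return False
        tok.revoked = True
        return True

    def active(self, org: Optional[str]) -> List[str]:
        """What the merchant admin's dashboard shows: live tokens for the org."""
        return sorted(t.id for t in self.tokens.values()
                      if t.org == org and not t.revoked)

    def offboard(self, actor: Principal, employee_id: str) -> int:
        """Employee leaves: revoke everything issued under her merchant login.
        Returns how many tokens were revoked; 0 if the actor lacks the right."""
        return sum(self.revoke(actor, t.id) for t in list(self.tokens.values())
                   if t.subject == employee_id)
```

The check that matters is in `can_revoke`: the right to revoke follows the organisation the token was issued under, not the person who happened to click "allow", which is exactly the relationship a consumer-only IDP cannot express.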
<br />
If this sounds like LDAP or Active Directory, it is because it really serves the same function: enterprise identity, where in this case the enterprise is a merchant. This is not unexpected in a world where enterprise identity and consumer identity (a.k.a. social identity) are converging, and there is a need for cloud-based enterprise user management.<br />
<br />
Please note that this is NOT an announcement (or leak) of a PayPal Access cloud-based user directory. IT IS NOT, REALLY. I just wanted to point out that there are two sides to commercial identity: a sexy side (consumers) and a side that can make you money (merchants).<br />
<br />
In the next post, I will write a bit about Consumer Commercial Identity and how it may differ from social identity.<br />
Farhang (@farhangkassaei)<br />
<br />
<b>Magician vs. Engineer</b> (2011-10-08)<br />
Steve Jobs, the man, died a few days ago. Steve Jobs the symbol and the icon, in all likelihood, lives on for a long time. In this status he is joined perhaps only by one other man: Bill Gates (whether people agree or disagree with his business tactics, or feel that MSFT produced low-quality or hard-to-use software, no one can deny that he was one of the first few who realized that software would be the key to pervasive computing, co-founded the first real software company and put software engineering as a profession on the map).<br />
<br />
That is why I was so excited to watch them being interviewed on the same stage at the same time @ D5 in 2007. When the news of Steve Jobs' passing came out, I went back and watched it again, and this time I found it simply <b>fascinating</b>. The session is about 1.5 hours: an hour of interview and 30 minutes of Q&A.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/zmInRZ2d-bI" width="420"></iframe><br />
<br />
It is long, but it is well worth the time.<br />
<br />
After about 4.5 years, and with hindsight, it is amazing to see Steve Jobs explaining his vision of the "post-PC" era, the superiority of native applications, the merits of integrating hardware and software and, in general, what we can only now recognize as a description of the iPad (with the notable absence of any reference to the App Store).<br />
<br />
Interestingly, Bill Gates, in response to what he sees as the post-PC era, talks, spot on, about tablet computing, the significance of touch and the "convergence device". Keep in mind that MSFT had been doing basic research in this field for a long time.<br />
<br />
In my view, both men shared the same overall knowledge of trends and technologies in 2007; both knew that a device that is basically touch-enabled and connected would dominate the future. Then why was Apple able to come up with the iPad while MSFT ended up with a few tablets from a bunch of manufacturers that only a few people ever saw live in action, let alone used?<br />
<br />
Amazingly, Bill Gates answers this question himself, in what I think is the most interesting exchange of the interview: a member of the audience (a woman, at about 1:22 into the video) asks both Jobs and Gates "...What did you learn about running your own business that you wished you had thought of sooner, or first, by watching the other guy?" Bill Gates volunteers an answer first and says:<br />
<br />
"...he (Steve) has an intuitive taste for product and people. We sat in Mac product reviews and a question would come up that I would view as an engineering question, because that is how my mind works, and I'd see Steve make a decision based on a sense of people and product that is even hard for me to explain. The way he does things is just different and I think it is magical, and in that case WOW" (he never mentions what that case was)<br />
<br />
There, ladies and gentlemen, you have it! This is why MSFT and Bill Gates, as great as he is, with all their knowledge of trends and technologies, could never quite come up with that "convergence device". They (or anyone else) did not have that magical "intuitive taste for product and people". As Bill Gates said, it is hard even for him to explain, let alone replicate, that intuition.<br />
<br />
A lot has been said and written about Steve Jobs' greatness, but none of it captures and expresses the essence of what Jobs did better than the description given by the only other icon of modern computing, Bill Gates: intuition vs. solution, soul vs. mechanics, empathy vs. sympathy... magic vs. engineering.<br />
Farhang (@farhangkassaei)<br />
<br />
<b>Interviewing @ eBay Part V - Dir. and VP of Engineering</b> (2011-09-22)<div class="MsoNormal">My baseline for interviewing senior engineering management is the following non-scientific, completely made-up definition:</div><div class="MsoNormal"><br />
</div><blockquote><span class="Apple-style-span" style="color: blue;">The job of a manager is to develop and allocate resources and to manage the execution of projects so as to satisfy time, budget and quality constraints, minimize risk and promote efficiency (repeatability of the whole process). Leadership (as in the ability to inspire and influence change) is desirable, and indeed necessary, the higher one goes in the management chain.</span></blockquote><div class="MsoNormal"><br />
</div><div class="MsoNormal">Based on this, there are five types of questions I’d normally ask:</div><div class="MsoNormal"><br />
</div><div class="MsoListParagraphCxSpFirst" style="margin-left: 1.0in; text-indent: -.25in;">· General/ice breaker: one or two questions based on the resume, or general questions such as "Why eBay? Why now?"</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; text-indent: -.25in;">· Technical Management: ability to manage large teams, projects, timelines, budgets and plans</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; text-indent: -.25in;">· Leadership: ability to conceive, evangelize and cause positive change</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; text-indent: -.25in;">· Personal: meant to assess personal integrity, awareness and reflection</div><div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; text-indent: -.25in;">· Field Specific: needless to say, a director of DB engineering gets specific DB questions, a director of commerce must know the details of order management and payment processing, a VP of personalization gets collaborative filtering and a VP of applications gets the “how do you build a large web app” question.</div><div class="MsoNormal" style="margin-left: .5in;"><br />
</div><div class="MsoNormal"> Here are the current (and expanding) bank of question I’d normally draw from, please email me or comment if you have other suggestions...<o:p></o:p><br />
<br />
</div><div class="MsoListParagraphCxSpFirst" style="mso-list: l1 level1 lfo1; text-indent: -.25in;"> -<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b>General <o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';"><br />
</span></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>First 90 days at eBay?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Why eBay, Why Now?<br />
<span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Talk about the most defining event in your professional life. </div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What are the 2,3 interesting and promising trend you see?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is leadership to you? What is management to you?</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><br />
</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;">There are safe and conservative answers for these questions, however answers that reflect<br />
measured risk taking and authenticity are always preferable. </div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -.25in;">-<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b><o:p> </o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -.25in;"> -<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b>Tech Management<o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How would you structure an engineering org?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you measure the progress and success of a project?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you decide the allocation of engineering resources in multiple locations?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you manage promotion process?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier 
New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you allocate bonus budget among your team members?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you see your relationship with product and architecture function?<b><o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you manage your hiring process? Who would you hire?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>A new technology for part of your stack is emerging (e.g. 
a new presentation technology or a better and open sourced database, new JVM or cache …) would you replace your existing technology stack with the new one, why or why not?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do make sure knowledge sharing is effective among your team members?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you ensure the quality of your delivery?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is the most important job of a technology manager (pick one!), why?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you monitor the day to day tasks and assignment of your team?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is your view about innovation? 
How do you practically manage an “innovative” team?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you deal with the “NIH” – Not Invented Here – issue?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is your talent development philosophy?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you choose and prepare your successor?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Would you direct your team to execute on a course of action you do not support?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you increase productivity? How do you measure it?<br />
<span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you empower your team to do "the right thing", even when there is no time or budget for it?</div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -.25in;">-<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b>Technology<o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you manage the development life cycle? Which development life cycle do you use?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is the current technology stack you are using? What are the benefits? What are the drawbacks? Why was it chosen? 
(please don’t say “I don’t know, it was chosen before I joined”)<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you plan for migration from an old, stable, large system to a newer version of the same system?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you feel about redundant work? Is there an occasion where it may be useful?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>When do you use open source? What are the challenges? When do you use vendors?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is Agile to you? 
What are the benefits and challenges?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What 2-3 questions would you like to ask about eBay technology?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Explain the CAP theorem.<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What measures/steps do you take when your system is in operation?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -.25in;">-<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b>The Person<o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you stay current on the state of technology? 
What part of the stack are you most interested in?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How have you improved over the years as a manager?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is your proudest moment as a manager?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Tell me about your biggest mistake. How did you realize it was a mistake? What did you do afterwards?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is one criticism that your subordinates make about you? 
<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How can Twitter be used to improve eBay?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you improve eBay? Now, I have just told you to do something else, something you feel is not right. How do you react?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is your dream company to work for? Imagine now that you have an offer from that company. What should eBay do so that you work for eBay instead?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -.25in;">-<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b>Leadership<o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you deal with a “failing” project? 
Or a project in crisis?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Your plan requires the cooperation of another team, but that team has its own priorities and plans. How do you convince them to allocate time and resources to your project?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you influence and convince a group of people over whom you have no authority? Give an example.<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you mentor/coach your team members?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>You receive a call at 2am telling you that the entire search (or checkout) is down. What do you do?<o:p></o:p></div><div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l1 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Two senior technical leaders (or teams) escalate a technical difference to you (Memcache vs. NoSQL, or doing it now vs. 
doing it in the future …) how do you settle the matter?<o:p></o:p><br />
<br />
<br />
</div>Farhang (@farhangkassaei)http://www.blogger.com/profile/10216650661623100973noreply@blogger.com1tag:blogger.com,1999:blog-3442944337117380119.post-63823749968952824052011-09-11T21:13:00.000-07:002011-09-11T22:18:58.738-07:00OpenID Tech Summit - Mountain view, CA - 9/12-13I am attending the OpenID Tech summit tomorrow (Monday) and Tuesday at the MSFT Silicon Valley campus.<br />
<br />
There are two main topics: first, the official announcement of <a href="http://openid.net/connect/">OpenID Connect</a> - a standard built on top of OAuth 2.0 that allows RPs (relying parties) to obtain extensible profile information about an identity - and second, the introduction of a concept called <a href="http://accountchooser.com/">Account Chooser</a> - a UX pattern for federated login pages proposed based on Google's experience with federated authentication scenarios.<br />
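The identity an RP gets from OpenID Connect arrives as a signed ID token, and the value of the protocol depends on the RP actually checking it. The following is an added example, not code from the original post or from any OpenID Foundation project: the validation an RP performs on an ID token (signature, <code>iss</code>, <code>aud</code>/<code>azp</code>, <code>exp</code>/<code>iat</code>, <code>nonce</code>, <code>sub</code>), with the token constructed locally and signed with HMAC-SHA256 so it runs offline. The issuer URL, client id, shared secret and nonce are made-up values; a real deployment would normally verify RS256/ES256 signatures against the provider's published JWKS with a JOSE library, but the claim checks are the same.<br />

```python
"""
Added example, not from the original post: the checks a Relying Party (RP)
has to perform on an OpenID Connect ID token before trusting the identity
it carries. The token is constructed locally and signed with HMAC-SHA256 so
the example runs offline; production deployments normally use RS256/ES256
keys published by the provider (JWKS) via a JOSE library. The issuer,
client_id, secret and nonce below are made-up values.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example.com"         # assumed OpenID Provider issuer URL
CLIENT_ID = "rp-client-123"               # assumed RP client_id
SHARED_SECRET = b"example-client-secret"  # assumed HS256 key (the client_secret)
CLOCK_SKEW = 60                           # seconds of clock drift tolerated


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, key=SHARED_SECRET):
    """Build a compact JWS (header.payload.signature) signed with HS256.
    Exists only so the example has tokens to validate."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token, expected_nonce, now=None, key=SHARED_SECRET):
    """Verify the signature and the claims OIDC Core 3.1.3.7 requires the RP
    to check. Raises ValueError on failure, returns the claims on success."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the RP side; never let the token choose it
    # (blocks alg=none and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(key, (header_b64 + "." + payload_b64).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")                # a string or a list of strings
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not intended for this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp missing or mismatched for multi-audience token")
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        raise ValueError("token expired")
    if claims.get("iat", 0) - CLOCK_SKEW > now:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def demo():
    """Validate one good token and several tampered ones; return the outcome
    per case so the behaviour can be checked without reading printed output."""
    now = 1315800000          # fixed 'current time' so results are reproducible
    nonce = "n-0S6_WzA2Mj"    # value the RP generated and stored in its session
    good = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
            "exp": now + 300, "iat": now, "nonce": nonce}
    cases = {
        "valid": (good, SHARED_SECRET, nonce),
        "wrong_aud": (dict(good, aud="other-client"), SHARED_SECRET, nonce),
        "expired": (dict(good, exp=now - 600), SHARED_SECRET, nonce),
        "replayed": (good, SHARED_SECRET, "some-other-nonce"),
        "forged": (good, b"attacker-key", nonce),
    }
    results = {}
    for name, (claims, key, expect_nonce) in cases.items():
        try:
            results[name] = "accepted sub=" + validate_id_token(
                make_id_token(claims, key), expect_nonce, now)["sub"]
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-10s %s" % (case, outcome))
```

The nonce check is the one RPs most often skip: the RP generates the nonce per login attempt, keeps it in its own session, and rejects any ID token whose <code>nonce</code> claim does not match, which is what stops a captured token from being replayed into a different session.<br />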
<br />
I am also part of a panel discussion on "<span class="Apple-style-span" style="font-family: Calibri; font-size: 16px;"><strong>Identity Schizophrenia - How users want to apply their online identities" </strong>moderated by Allen Tom, OIDF Board Member. It is scheduled for Tuesday September 13 @ 1:40pm. For a full schedule of the summit see <a href="http://openid.net/tag/summit/">here</a>.</span><br />
<span class="Apple-style-span" style="font-family: Calibri; font-size: 16px;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Calibri; font-size: 16px;">It should be interesting ... If you are there tomorrow, please do stop by and say hi ...</span><br />
<span class="Apple-style-span" style="font-family: Calibri; font-size: 16px;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Calibri; font-size: 16px;"><br />
</span>Farhang (@farhangkassaei)http://www.blogger.com/profile/10216650661623100973noreply@blogger.com0tag:blogger.com,1999:blog-3442944337117380119.post-1415202622786830262011-09-10T18:36:00.000-07:002011-09-10T18:36:56.460-07:00Interviewing @ eBay Part IV - Product Management Interview<div class="MsoNormal">First let’s review, very briefly, what product managers are expected to do – I also highly recommend you read the following Q&A from Quora contributors:<o:p></o:p></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span class="apple-style-span"><b><span style="color: #161f21; font-family: Helvetica, sans-serif; letter-spacing: -0.75pt; line-height: 115%;"><a href="http://www.quora.com/Product-Management/What-are-your-top-3-5-books-or-resources-for-tech-product-managers?q=product+management+boo">What are your top 3-5 books or resources for tech product managers?</a></span></b></span><o:p></o:p></div><br />
<div class="MsoNormal"><span class="apple-style-span"><b><span style="color: #161f21; font-family: Helvetica, sans-serif; letter-spacing: -0.75pt; line-height: 115%;"><a href="http://www.quora.com/Product-Management/What-are-the-best-books-for-Product-Managers?q=product+managment+book">What are the best books for Product Managers</a></span></b></span><o:p></o:p></div><div class="MsoNormal"><br />
</div><div class="MsoNormal">In my view, the core of the product management role is to understand the firm’s resources and capabilities, its existing products and markets, customer needs and wants, and existing and adjacent market dynamics and economics, and to use the intersection of these four factors to conceive of and design new products, or improve and evolve existing ones, in a manner that is profitable for the firm - i.e. reduces costs or increases revenue. </div><div class="MsoNormal">That is indeed a tall order, and can rarely be performed by one person – it is a role – but an individual product manager should be able to perform any part of this role.<o:p></o:p></div><div class="MsoNormal"><br />
</div><div class="MsoNormal">(Notice that we are not talking about product marketing manager, project manager or program manager, the focus is only product management as it is defined above)<o:p></o:p></div><div class="MsoNormal"><br />
</div><div class="MsoNormal">In addition to – or in order to accomplish – this core function, product managers at eBay work closely with the business to understand markets and trends, participate in the conception of ideas, communicate and get buy-in from all stakeholders (formal, actual or both), help marshal resources, come up with execution plans and ensure a successful roll-out – as well as post-roll-out and operations activities. <o:p></o:p></div><div class="MsoNormal"><br />
</div><div class="MsoNormal">To me, the core traits of a product manager are clear, analytical thinking; communication and influence; and discipline (in capturing assumptions, solutions, exemptions, follow-ups, coordination, etc., as required by the breadth of activities above).<o:p></o:p></div><div class="MsoNormal"><br />
</div><div class="MsoNormal">In a typical interview (45 min) you can expect 4-5 questions from the list below: </div><div class="MsoNormal"><br />
</div><div class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">-<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b>Technical questions: <o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle">Most eBay products are either technology-based or have a strong technology component to them, so you have to understand technology (as in software engineering, operations, statistics …). You also need to build credibility with engineers. For these two reasons, expect a few technical questions. I don’t personally ask you to code unless you volunteer to (a plus) or you state on your resume that you are “fluent in Java”; then I consider it fair game. By the way, if you are applying for a “Technical PM” role, please read the “architect” interview post; these two jobs are almost the same at eBay.<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle"><br />
</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is the general architecture of a web application? How about a mobile application?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Your product has to use the service of a service provider – the service is available online – what questions would you want answered about this service provider?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">-<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b>Analytical ability <o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is BMW’s revenue? (Do not look it up; I actually change the company randomly.)<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>In a marketplace the actual instance of fraud is decreasing, but the perception of fraud is increasing. What is going on?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What data/information would you like to know in order to estimate eBay’s revenue?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">-<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b>Business and Strategy<o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Typical management consultant questions on strategy, competition, profitability, new markets etc.<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you grow eBay revenue by 20% in one year?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What adjacent markets should eBay consider entering?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Should eBay expand into Japan?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> 
</span></span>Should eBay buy Etsy?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Should eBay buy Yelp?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">-<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b>Product Design<o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you improve the eBay buying experience? How about the selling experience?</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Should eBay accept Facebook identity? If so, what are the considerations?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What do you think about “Social Commerce”, hype or real?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you incentivize excellent selling behavior on eBay?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How would you plan the launch of a product? Say Fashion Vault in Germany, or the integration of a new shipping carrier into the system.<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How should eBay verify and confirm the identities of all sellers and buyers?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you think eBay can best combine e-commerce and offline commerce?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What are the risks an electronic marketplace faces? 
<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How should eBay implement a “calendar of events” feature for sellers?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you improve the eBay feedback system?</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>You are asked to improve eBay registration performance. What would you do?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What set of metrics would you use to measure the health of a marketplace?</div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">-<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b>Awareness of markets and trends <o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Which companies should eBay Marketplaces acquire?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What are eBay’s main competitors, and why?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What trends (technology, consumer, economic, social etc.) will impact eBay’s business, and how?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Describe the economics of the electronic payment industry.<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What are your favorite products, and why? (Please be prepared to mention something other than iPad or iPod.)</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1in; text-indent: -0.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is the biggest product blunder in your mind, and why?</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1in; text-indent: -0.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Which web sites do you visit regularly?</div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">-<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b>E-Commerce and Payment<o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you design a multi-merchant shopping cart?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is the “e-commerce funnel”? How do you optimize it?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How should the “best match” algorithm be designed?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>You meet an eBay seller who complains about low sales volume. What would you recommend he do?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you measure the success of a shopping cart?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How can you use one's FB and Twitter accounts to improve searches on eBay?</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How would you design an effective refund experience? How do you measure its effectiveness?</div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span class="Apple-style-span" style="font-size: 9px;"><br />
</span></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">-<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span><b>Personal qualities and fit <o:p></o:p></b></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you influence people?<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>What is leadership to you? Give me an example where you demonstrated leadership<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Tell me about the most interesting project you worked on in your career<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>Suppose a technical leader is telling you that your product requirements is not implementable, what do you do?<o:p></o:p></div><div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><span style="font-family: 'Courier New';">o<span style="font: normal normal normal 7pt/normal 'Times New Roman';"> </span></span>How do you ensure that your product idea/project get priority over competing 
ideas/products?</div><div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;"><br />
</div><div class="MsoListParagraphCxSpLast" style="margin-left: 1.0in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;">Of course, the list of question changes from time to time and you may not get the same exact<br />
question, but this is the general flavor of your interview. Again, if you happen to see this post<br />
before you interview, please let me know.</div><br />
<div class="MsoListParagraphCxSpLast" style="margin-left: 1in; text-align: left; text-indent: -0.25in;"><br />
</div>Farhang (@farhangkassaei)http://www.blogger.com/profile/10216650661623100973noreply@blogger.com8tag:blogger.com,1999:blog-3442944337117380119.post-55252615662706553332011-09-09T22:18:00.000-07:002011-09-09T22:18:13.522-07:00Interviewing @ eBay Part III - Software Architecture Interview<div class="MsoNormal">I don’t know of any job title or role in technology that is more controversial, and evokes more emotional reaction, than that of an “architect”. Engineer, engineering manager, product manager, accountant, business developer etc. all have almost the same definition and responsibilities from company to company; the architect's role, though, varies widely: in some firms one cannot do anything without an architect's permission, and in others the role is eliminated entirely.</div><div class="MsoNormal">
</div><div class="MsoNormal">You should first know that architecture is a role with a wide definition (TOGAF alone defines five types of architect - enterprise, business, data, application, IT). EBay architects play a combination of tech lead, internal evangelist, tech management and product management, and role is often the agent of change for eBay technical direction, tech stack, technology choices, process and methodologies …<o:p></o:p></div><div class="MsoNormal">Interviewing and selecting an architect is especially challenging. In addition to core skills of a software engineer (yes if you are interviewing for an architect position, you should be comfortable coding – no Java guru, but be able to code), the main attributes I am looking for are:<o:p></o:p></div><div class="MsoNormal"><br />
</div><div class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><!--[if !supportLists]--><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]--><b>Integrity</b>: Change in technology often brings about change in organization and power structure, people currently in power know this and may not be enthusiastic about<span> </span>it, architect should have the integrity and courage to call for change when <span> </span>it is not popular.<o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><!--[if !supportLists]--><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]--><b>Leadership</b>: integrity and courage is necessary but not sufficient, in this role you should have leadership i.e. the ability to influence, inspire and induce change in direction (often major changes) in a way that people want to make the change, not forced to (you will have no formal power anyway) <o:p></o:p></div><div class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><!--[if !supportLists]--><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]--><b>Clarity</b> : last but not least, architects MUST bring clarity to situations where goals are unclear, definition of problem is fuzzy, needs are uncertain, data is incomplete, assumptions are inaccurate, yet delivery is urgent and pressure is high …bringing clarity to all aspects of such situations are often the most important function of an architect at eBay.<o:p></o:p></div><div class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><br />
</div><div class="MsoNormal">So for interview, expect some of the core software engineering questions, with much more emphasis on modeling and problem solving plus few of the followings:<o:p></o:p></div><div class="MsoNormal"><br />
</div><div class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"></div><ul><li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>When you are asked to “architect” a system – say photo album app – what does that mean to you? What tasks do you perform? What would be your deliverables? How would you interact with engineers?</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>How do you ensure the delivered system conforms to your architecture?</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>Model and Design eBay</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>From the time you type in www.ebay.com , to when you see eBay home page, explain what happens under the hood, at all layers</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>How does Ajax-style interaction impact a traditional/classical page-oriented architecture? What are the changes it would force to the classic architecture.</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>How would proliferation of Mobile application impact the classical web based architecture?</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>Explain Map/Reduce in simple but reasonably accurate term, in a way a marketing person can appreciate it.</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>Describe challenges and best practices in developing a distributed system – such as SOA based system.</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>Describe the qualities of a well-designed API or service interface .</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>Describe your favorite application development framework or design, explain its benefits and shortcomings <span> </span>(e.g. Spring or Struts, or your own framework)</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>Compare and contrast SQL and NoSQL DBs, when do you use each?</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>How do you store a social graph like LinkedIn or Facebook?</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>How do you decide to buy or build a piece of technology?</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>eBay, as other online merchants and markets, has a policy against sale of fire arms, how do you design a system to enforce this policy?</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>How do you design an application – such as a cart or check out flow - in a way that product and UI folks can experiment with and optimized different aspect of it?</li>
<li><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span>At any given time, eBay support a set of widely used browsers, for the rest, it display a warning message and asks users to upgrade to another browser. How so you design this system?</li>
<li>In a large and distributed system, how do you ensure data-consistency for critical functions such as authentication/login </li>
<li>Discuss a few significant technology trends, why do you think they are important? How would you anticipate their impact on current architecture/system?</li>
<li>What would you do in your first month of working for eBay</li>
</ul><!--[if !supportLists]--><o:p></o:p><br />
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><o:p></o:p></div><div class="MsoNormal">If some of the questions sound vague, it is because they are! (btw, they are a lot clearer than what you'd face with in reality). Remember that you need ask questions, seek and bring clarity to the problem definition before you jump into the solution.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Again if you are interviewing for a particular specialty such as Security, I18N, Messaging, Operations etc. you should expect particular question in those areas (I will post a list of question for my security and identity architecture interview later), but for system and application architecture, be prepared for at least 3 or 4 questions from the list above. </div><div class="MsoNormal"><o:p></o:p></div>Farhang (@farhangkassaei)http://www.blogger.com/profile/10216650661623100973noreply@blogger.com0tag:blogger.com,1999:blog-3442944337117380119.post-5539484800969817802011-08-31T00:23:00.000-07:002011-08-31T00:23:56.984-07:00Interviewing @ eBay Part II - Software Engineering Interview<br />
<div class="MsoNormal">I am writing this hoping that candidate interviewing with eBay find this BEFORE their interview (if you did please let me or your interviewer know), but if you are not interviewing with eBay you may still find it useful.<o:p></o:p></div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Be prepared for the following category of questions:<o:p></o:p></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><!--[if !supportLists]--><span><span>-</span></span><span><span><span style="font: 7.0pt "Times New Roman";"> </span></span></span></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><!--[endif]--><b>Explain a project or a problem you worked on<o:p></o:p></b></div><div class="MsoNormal">Be prepared to talk in some detail about an interesting, or challenging, important and otherwise mentionable project in your career. Even if you are fresh out of school, there must have been some special class or final project. You should clearly talk about the problem, and describe how you arrived at the solution, your implementation and result …what you learned, where/if you failed, how you fixed it etc. The way you communicate, what you choose to communicate is almost as important as what the project actually was. So be direct, clear and to the point. Be prepared to defend your choices. Do not play it “safe” by saying “..well this was not my decision”, or “Oh..I didn’t like this approach, my boss asked me to do this” etc. <o:p></o:p></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><span><span><br />
</span></span></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><!--[if !supportLists]--><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]--><b>Data Structure and Algorithm <o:p></o:p></b></div><div class="MsoNormal">Brush up on basic computer science, know data structure. You will be asked a few questions about graphs, hash maps, trees and complexity. Familiarize yourself with how graphs are represented in memory and in persistent storage, how maps and hash maps are implemented, how to traverse trees – basic stuff. Please DO NOT trivialize the questions by saying “oh, there is APIs for this in Java, I never need this in real life”. This, in addition to demonstrating bad judgment and wrong situation assessment, does not get you off the hook!<span> </span>You should demonstrate that you are an engineer not a technician. <span> </span><o:p></o:p></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><span><span><br />
</span></span></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><!--[if !supportLists]--><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]--><b>Programming Language<o:p></o:p></b></div><div class="MsoNormal">Well, you are applying for a software engineering position, so you must know one or more modern programming languages very well (at least much better than I do) – eBay is a Java shop, so knowing Java really helps. <span> </span>You should be proficient in basics (variables storage classes, access modifiers, memory management, basic object orientation) as well as advanced features such as multi-threading and concurrency, generics, network programming etc.<o:p></o:p></div><div class="MsoNormal">You will be asked to write code or code snippets on the white board. I am amazed how many people are surprised when they are asked, for example, to write a simple singleton class on the board. It shows how comfortable you are with coding, syntax does not matter at all, so don’t be shy. <o:p></o:p></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><span><span><br />
</span></span></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><!--[if !supportLists]--><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]--><b>Basic Modeling <span> </span><o:p></o:p></b></div><div class="MsoNormal">You are expected to know how to model basic stuff for example a simple book store, or an email client. You should be able to break it up to basic entities and their relationships. Sometimes I ask candidates to model “eBay Marketplace”, do not be overwhelmed, you are not expected to model entire eBay, do as much as you can and do “out loud” thinking. You approach is as important as final design.<o:p></o:p></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><span><span><br />
</span></span></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><!--[if !supportLists]--><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]--><b>Problem Solving <o:p></o:p></b></div><div class="MsoNormal">We are engineers, we solve problems. So you have to be able to frame and analyze problems, recognize tradeoffs in different solution and pick one. So prepared for questions such as “Estimate eBay marketplaces revenue” or “What happens if minimum wage is raised to $100/hr” or “Is hybrid cars more economical or full electric cars?”, “how do you prevent a corrupt DBA from stealing eBay data”, it goes without saying that the actual answer is not really as important as how you think thru the problem.<o:p></o:p></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><span><span><br />
</span></span></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><!--[if !supportLists]--><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]-->“<b>Soft Stuff” - General attitude, fit, personal qualities</b> <o:p></o:p></div><div class="MsoNormal">These may or may not be actual questions, but I’d like to see evidence of several personal qualities for example that you have passion, you care about the stuff that you are tenacious and don't give up easily, that you recognize your mistake you learn from it, that you know what a reasonable compromise is and are willing to reach one, that you can deal with conflict in a constructive way – and for more senior candidate - that you can influence people around you especially on why and what and not simply on how. Also I ask our candidates to tell me what they think a few major trends in technology are and why <o:p></o:p></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><span><span><br />
</span></span></div><div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;"><!--[if !supportLists]--><span><span>-<span style="font: 7.0pt "Times New Roman";"> </span></span></span><!--[endif]--><b>And finally, please know the company<o:p></o:p></b></div><div class="MsoNormal">Last but not least, please familiarize yourself with eBay if you are not familiar with it, nothing gets your rejected faster than saying “eBay? Who uses eBay? I am really not familiar with it” – OK, this is an extreme case but hey it is real. It is <span> </span><o:p></o:p></div><div class="MsoNormal">Of course if you are being interviewed for a particular area, e.g. security, Hadoop or Eclipse tools development, you should expect a few questions in addition to the above in each particular areas, for example in security, you should be very comfortable with authentication protocols and practices (zero proof, Diffie-Hellman algorithm, Kerberos etc.) authorization techniques, RBAC, ABAC, XACML , basic cryptography etc. <o:p></o:p></div><div class="MsoNormal">You may ask, how about other stuff, such as JavaScript, CSS, SQL, Unit Test etc. etc. Yes there are a lot of technologies and techniques used in building large internet apps, but my beleife is that if you know the basics and possess the basic qualities, even if you don’t know the rest, you will be a successful productive engineer.<o:p></o:p></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><br />
</div>Farhang (@farhangkassaei)http://www.blogger.com/profile/10216650661623100973noreply@blogger.com5tag:blogger.com,1999:blog-3442944337117380119.post-63487882350104947752011-08-26T23:07:00.000-07:002011-08-31T00:25:07.461-07:00Interviewing @ eBay, Part I - The basics<div class="MsoNormal">When someone interviews with eBay, s/he is given an interview schedule with the names and titles of all interviewers; the natural expectation (at least mine) is that s/he searches for the names of all those people as part of the pre-interview preparation. I view this as the minimum due diligence that a candidate should do 11 years into the 21<sup>st</sup> century. So I hope whoever interviews with me at eBay finds and reads this post <b>(if you do, please let me know)</b>.</div><div class="MsoNormal"><b>
</b></div><div class="MsoNormal">Now that you have found this, I will give you a leg up over other candidates: in a series of four posts, I tell you what questions I would be asking in my interviews for four positions:</div><ul><li>Software Engineers</li>
<li>Product Managers</li>
<li>Software Architects</li>
<li>Engineering Managers (Sr. Managers, Directors, Sr. Directors and VPs)</li>
</ul>
<div class="MsoNormal">Before we start with specific positions, let me first cover the common questions and aspects for all interviews.</div>
<div class="MsoNormal">I look for the following “necessary” – but not sufficient – qualities that make a candidate productive. In a nutshell, a person should be smart, know his or her field, be willing to work hard, be willing to compromise and get things done, and get along with people under a range of circumstances.</div>
<div class="MsoNormal">
</div><div class="MsoNormal"><b>Smart</b>: I am not talking about genius, or someone that can solve puzzles in 10 seconds, but some one that is generally sharp, can think on his/her feet and is solve problems. One of the clearest indication of it is whether someone listens to question, asks follow up questions to clarify what is being asked and then clearly and directly answers that question and then stop. No rambling, no answering other questions and no circular, perpendicular or random answers!<o:p></o:p></div><div class="MsoNormal"><b><br />
</b></div><div class="MsoNormal"><b>Knowledgeable</b>: Candidate must have proficient level of knowledge in his/her domain, this is separate from being smart, each field requires certain level of experience and formal education – I expand on this with specific question in each of the fields above.<o:p></o:p></div><div class="MsoNormal"><b><br />
</b></div><div class="MsoNormal"><b>Work ethics</b>: Regardless of how smart and knowledgeable one may be, s/he has to be focused and will to work hard. Real engineering tasks are 10-20% about great ideas, and 80% about grunt work, boring details, dealing with plumbing, debug, re-build, fine tune etc. If you are not willing to do that, you won’t be successful.<o:p></o:p></div><div class="MsoNormal"><b><br />
</b></div><div class="MsoNormal"><b>Pragmatic</b>: You must be willing to compromise, change course, give up credit, change your familiar and favorite terminology etc. to get things done. All the smarts, knowledge, hard work often is wasted if you cannot get it done and out at the end. I ask what you are willing and what you are not willing to compromise on for a given project and why, what you would do if you feel a wrong decision was made…<o:p></o:p></div><div class="MsoNormal"><b><br />
</b></div><div class="MsoNormal"><b>Culture fit</b>: The last of the “necessary qualities” is the ability to get along with others under all sorts of circumstances: uncertain and insufficient data, deadline pressures, failures, inter personal and inter group rivalries … under all those conditions, you should be able to maintain your relationships and get along with others. One of the greatest indicators of whether someone can do it by the way, is sense of humor. <o:p></o:p></div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Next post: my list of questions for Software Engineering positions.<o:p></o:p></div><div class="MsoNormal"><br />
</div>Farhang (@farhangkassaei)http://www.blogger.com/profile/10216650661623100973noreply@blogger.com0tag:blogger.com,1999:blog-3442944337117380119.post-11259032720038646022011-08-16T00:25:00.000-07:002011-08-16T22:03:52.077-07:00On Bullshit...As someone who<br />
<br />
1- Deals with his fair share of BS<br />
2- Needs to have definitions for everything<br />
<br />
I have been missing a formal definition for BS. Courtesy of philosopher Harry G. Frankfurt's book "<a href="http://product.half.ebay.com/_W0QQprZ43543635">On Bullshit</a>" - via <a href="http://www.bogost.com/blog/gamification_is_bullshit.shtml">Ian Bogost's post</a> - that issue has now been remedied.<br />
<br />
<blockquote>It is impossible for someone to lie unless he thinks he knows the truth. Producing bullshit requires no such conviction. A person who lies is thereby responding to the truth, and he is to that extent respectful of it. When an honest man speaks, he says only what he believes to be true; and for the liar, it is correspondingly indispensable that he considers his statements to be false. For the bullshitter, however, all these bets are off: he is neither on the side of the true nor on the side of the false. His eye is not on the facts at all, as the eyes of the honest man and of the liar are, except insofar as they may be pertinent to his interest in getting away with what he says. He does not care whether the things he says describe reality correctly. He just picks them out, or makes them up, to suit his purpose.</blockquote>
<br />
WOW... didn't know there was so much academic work done on BS.Farhang (@farhangkassaei)http://www.blogger.com/profile/10216650661623100973noreply@blogger.com0tag:blogger.com,1999:blog-3442944337117380119.post-41927174703068574232011-08-16T00:05:00.000-07:002011-08-16T00:05:31.574-07:00Social Norms, Market Norms and IDPs<br />
<div class="MsoNormal">Last week LinkedIn caused a backlash and lost a lot of good will – including mine – by opting everyone into their social advertising program. Before that there was (and still is) a LOT of discussion – and disagreement – about Google+ strict real name policy and the words facebook and privacy can almost be used as antonyms…<o:p></o:p></div><div class="MsoNormal"><br />
</div><div class="MsoNormal">But why users react so strongly to use of their identity, relationship and data by these networks, after all most people, I presume, understand that companies like Google, FB, LinkedIn etc. are for profit firms with the goal to make money, and that is a the core of most of their policies (and<a href="http://www.youtube.com/watch?v=GZPcGapl2dM"> not that anything is wrong with that!</a>). <o:p></o:p></div><div class="MsoNormal">As someone once said “<a href="http://techland.time.com/2010/10/15/facebook-youre-not-the-customer-youre-the-product/">if you are not paying them, you are not their customer, you are their product</a>”, and, as harsh as it sounds, they do (and have to) sell their product one way or another.<o:p></o:p></div><div class="MsoNormal">I am not claiming that one unified theory explains the users’ strong reactions to them - and possible solution - but Dan Airely in “Predictable irrationality” may come close. If you have not read “Predictable irrationality” you should. It is an easy read and a very enlightening book – not to mention entertaining – by behavioral economist <a href="http://danariely.com/">Dan Airely</a>. <o:p></o:p></div><div class="MsoNormal">Among many interesting observations he makes is the notion of “Market and Social Norms”. It is basically a very simple and common sense notion: All of us live in two worlds simultaneously, a social world where exchanges of good and services are regulated by social norms, the need for being part of a community and a delayed- reciprocity, and a market world where exchange of goods and services are regulated by a cold, sharp edge rules of the market, prices, interest rates, cost and benefits. 
Life is good as long as these world are kept separated (<a href="http://www.youtube.com/watch?v=uPG3YMcSvzo&feature=related">as George Costonza famously pronounced</a>) – but when you mix the two the real trouble starts and “it blows up”.<o:p></o:p></div><div class="MsoNormal">Airely gives a few examples: You go to your mother-in-law for thanksgiving and offer to pay her a large sum for the sumptuous spread she put on the table for you … and next year you’d be sitting in front your TV with a frozen dinner. Or more vividly, the example of a guy who takes out a girl to three or four expensive dates and finally brings up the subject of money and how much the romance is costing him! …and of course suffers the dire consequences. Next time he will sure remember Woody Allen’s word of wisdom: “The most expensive sex is a free one”.<o:p></o:p></div><div class="MsoNormal">The “Social Networking” sites and identity seems to be a classic example of crossing social and market norms. The use of social networking sites is free and there is no other signal that the relationship between user and network operator is a market or commercial relationship. Users may feel/perceive that they are dealing with a “host” one that allows them to interact with their friends, family and catch up on “social” stuff …you know, everyday life that is so outside the “market norms”. I don’t have data but I feel users do understand that these sites have to make money, and are OK with some ad poping up from time to time or being displayed alongside their content, but I doubt that most people understand how those ads relates to their data (posts, searches, conversations etc.) . 
Every now and then someone (say WSJ or some tech blog) reminds them of how their data is being shared with others – or why the need to “report” accurate names – and that is the moment where “worlds collide”.<o:p></o:p></div><div class="MsoNormal">Maybe (and only maybe), if an identity provider (or social network) actually started an informed conversation with its users about the data sharing and gave them meaningful control, can it bring the relationship to the “market world”. In that world users are not the network “product”, but informed partners. For example, if an identity provider (or network operator) makes it clear to me that they can get me a good deal on a camera lens with free shipping if I give them my shipping address and the consent for them to obtain the shipping history to that address from a few large merchants, then I may be happy to share my address – that is firmly a relationship in market domain – and I am happy, but when I start to see ads from drunk-driving lawyers in Denver area b/c I searched for “maximum legal blood alcohol level” <span> </span>- I was taking an online traffic school exam to clear a ticket – while attending a conference in Denver area, that is crossing<span> </span>the line, and that is when I might have come close to understanding how that girl felt on the fourth date in Dan Airely’s example!<o:p></o:p></div>Farhang (@farhangkassaei)http://www.blogger.com/profile/10216650661623100973noreply@blogger.com1tag:blogger.com,1999:blog-3442944337117380119.post-81180912961454229172011-07-20T22:34:00.000-07:002011-07-25T00:36:46.302-07:00BrowserID...and the search for perfect Identity SelectorThis is a long post, and here is the gist of it:<br />
<br />
<blockquote>In general I think we, as an identity community, are still looking for a practical solution to a simple yet adequate "identity selector". CardSpace represents a solution on the rich and complex end and BrowserID represents a solution on the simple (but not rich) end; every solution is a valuable iteration toward the final solution of the perfect identity selector - I feel the iterations will continue.</blockquote><br />
Now, here it is for those of you who are interested in the details:<br />
<br />
<div class="MsoNormal">A few days ago Mozilla <a href="http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in">announced the availability of BrowserID</a>. Identity is a hot topic these days, so almost immediately the community (and my mailbox) was buzzing with predictable questions such as:</div><ul><li>Is BrowserID the next generation of OpenID?</li>
<li>What are the differences between OpenID and BrowserID?</li>
<li>Is BrowserID the answer to Identity on the web?</li>
<li>Is BrowserID secure? </li>
<li>What is the relationship between BrowserID and OAuth or OpenID Connect?</li>
<li>Should I implement BrowserID now?</li>
</ul><div class="MsoNormal"><br />
</div><div class="MsoNormal">All legitimate questions to be sure, but perhaps a few of them could have been clarified more easily if Mozilla had called this feature, say, <b>“Verified Email”</b> – after the title of the specification BrowserID is based on (see <a href="http://www.open-mike.org/entry/verified-email-protocol">A verified email protocol for the browser</a>). I think that would have been a name that reflected the intent and use of this feature and helped answer these questions.<br />
<br style="mso-special-character: line-break;" /></div><div class="MsoNormal">In this post I write about where I think BrowserID would fit in the space and, as risky as it is, venture a guess as to whether it will be adopted by identity providers and relying parties (not wise, I know… but hey, this is a personal blog). If you want to read more about the implementation details of BrowserID, see a very good write-up by Lloyd Hilaiel <a href="http://lloyd.io/how-browserid-works">here</a>, and I also recommend reading <a href="http://dickhardt.org/2011/07/browserid/">Dick Hardt's notes on BrowserID</a> as well.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">To start, let me summarize what BrowserID is. BrowserID is a protocol for:</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">- Verifying a user's email addresses (as many as a user wants) as reported by an email provider (or Identity Provider)</div><div class="MsoNormal">- Storing them in the browser (Firefox as of now) safely - or one would hope so.</div><div class="MsoNormal">- Transmitting the email address securely to a "relying party", that is, a site that requires a verified email address.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">It uses public-key (PK) cryptography to ensure the integrity of all communications. BrowserID requires two key pairs: one generated by the IDP (email provider) to sign the assertion (email x belongs to subject y), and another generated later by the browser to sign the (subject + email + IDP public key) token and pass it on to the relying party (that is, your web site). So it is reasonably safe and uses a subject confirmation method known as "Holder of Key".</div><div class="MsoNormal"><br />
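The two-key-pair, holder-of-key flow described above, modelled as an added example in Go. This is not Mozilla's BrowserID code and not its wire format; it is a constructed simplification: the IDP signs a certificate binding an email address to the browser's public key, the browser signs a short-lived assertion scoped to one relying party, and the RP checks both signatures together with issuer, audience and expiry. The names (`IssueCertificate`, `MakeBundle`, `VerifyBundle`, `GenerateKeyPair`), the JSON layout and the choice of Ed25519 are this example's own assumptions. The check that the issuer's domain matches the email's domain is included because without it any IDP the RP trusts could vouch for addresses it does not control.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed, simplified model of the verified-email flow (not BrowserID's real format).

// Certificate is the IDP-signed claim "Email belongs to whoever holds SubjectPK".
type Certificate struct {
	Email     string `json:"email"`
	SubjectPK []byte `json:"subject_pk"` // browser's public key (holder of key)
	Issuer    string `json:"iss"`        // IDP domain vouching for the email
	Exp       int64  `json:"exp"`        // unix seconds
}

// Assertion is the browser-signed token that presents the certificate to one RP.
type Assertion struct {
	Audience string `json:"aud"` // RP origin the assertion is meant for
	Exp      int64  `json:"exp"`
}

// Bundle is what the browser hands to the relying party.
type Bundle struct {
	CertPayload   []byte // JSON Certificate
	CertSig       []byte // Ed25519 signature by the IDP key (key pair #1)
	AssertPayload []byte // JSON Assertion
	AssertSig     []byte // Ed25519 signature by the key named in the certificate (key pair #2)
}

// GenerateKeyPair wraps ed25519 key generation; used by both the IDP and the browser.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueCertificate is the IDP step: its key signs the email-to-key binding.
func IssueCertificate(idpPriv ed25519.PrivateKey, issuer, email string, subjectPK ed25519.PublicKey, exp time.Time) ([]byte, []byte, error) {
	payload, err := json.Marshal(Certificate{Email: email, SubjectPK: subjectPK, Issuer: issuer, Exp: exp.Unix()})
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(idpPriv, payload), nil
}

// MakeBundle is the browser step: its key signs an audience-bound assertion. The signature
// covers the certificate bytes too, so an assertion cannot be re-paired with another certificate.
func MakeBundle(browserPriv ed25519.PrivateKey, certPayload, certSig []byte, audience string, exp time.Time) (Bundle, error) {
	ap, err := json.Marshal(Assertion{Audience: audience, Exp: exp.Unix()})
	if err != nil {
		return Bundle{}, err
	}
	msg := append(append([]byte{}, certPayload...), ap...)
	return Bundle{CertPayload: certPayload, CertSig: certSig, AssertPayload: ap, AssertSig: ed25519.Sign(browserPriv, msg)}, nil
}

// VerifyBundle is the RP step. It returns the verified email address or an error.
func VerifyBundle(b Bundle, trustedIDPs map[string]ed25519.PublicKey, audience string, now time.Time) (string, error) {
	var cert Certificate
	if err := json.Unmarshal(b.CertPayload, &cert); err != nil {
		return "", err
	}
	// 1. The certificate must be signed by an IDP this RP trusts.
	idpPK, ok := trustedIDPs[cert.Issuer]
	if !ok {
		return "", fmt.Errorf("untrusted issuer %q", cert.Issuer)
	}
	if !ed25519.Verify(idpPK, b.CertPayload, b.CertSig) {
		return "", errors.New("certificate signature does not verify under the issuer's key")
	}
	// 2. That IDP must be authoritative for the address it vouches for.
	if !strings.HasSuffix(strings.ToLower(cert.Email), "@"+strings.ToLower(cert.Issuer)) {
		return "", fmt.Errorf("issuer %q is not authoritative for %q", cert.Issuer, cert.Email)
	}
	if now.Unix() >= cert.Exp {
		return "", errors.New("certificate expired")
	}
	if len(cert.SubjectPK) != ed25519.PublicKeySize {
		return "", errors.New("malformed subject key in certificate")
	}
	// 3. Holder of key: the assertion must be signed by the key the certificate names.
	var a Assertion
	if err := json.Unmarshal(b.AssertPayload, &a); err != nil {
		return "", err
	}
	msg := append(append([]byte{}, b.CertPayload...), b.AssertPayload...)
	if !ed25519.Verify(ed25519.PublicKey(cert.SubjectPK), msg, b.AssertSig) {
		return "", errors.New("assertion not signed by the certificate's subject key")
	}
	// 4. Audience and lifetime keep an assertion captured at one RP from being replayed elsewhere or later.
	if a.Audience != audience {
		return "", fmt.Errorf("assertion audience %q does not match this RP %q", a.Audience, audience)
	}
	if now.Unix() >= a.Exp {
		return "", errors.New("assertion expired")
	}
	return cert.Email, nil
}

func main() {
	idpPub, idpPriv := GenerateKeyPair()         // key pair #1 (IDP)
	browserPub, browserPriv := GenerateKeyPair() // key pair #2 (browser)
	now := time.Now()
	cp, cs, _ := IssueCertificate(idpPriv, "example.com", "alice@example.com", browserPub, now.Add(24*time.Hour))
	b, _ := MakeBundle(browserPriv, cp, cs, "https://rp.example.net", now.Add(2*time.Minute))
	email, err := VerifyBundle(b, map[string]ed25519.PublicKey{"example.com": idpPub}, "https://rp.example.net", now)
	fmt.Println(email, err) // alice@example.com <nil>
}
```

The RP-side function is where the "near dead simple" promise to relying parties has to be paid for: each of the four checks closes a distinct failure (untrusted or non-authoritative issuer, stolen certificate presented without the matching private key, replay at a different audience, replay after expiry), and dropping any one of them turns a verified email into an unverified string.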
</div><div class="MsoNormal">So how should one use BrowserID? Is this OpenID? Is this a replacement for OAuth?</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">I think the proper use of BrowserID, if it ever gets support from other browser vendors, is to replace the annoying "email verification dance". BrowserID is a fantastic lower-level solution for this problem. Is this a replacement for OpenID or OpenID Connect? I think not! Does it replace OAuth? Absolutely not; they are simply two different things.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">BrowserID, in my view, really is not an ID - my definition of identity is something I can replace registration with, not just the login panel.</div><div class="MsoNormal">An identity is more about attributes than about authenticating an identifier (such as an email address), and BrowserID is, by design, silent on that matter. In the words of Mike Hanson, the author of the Email Verification Protocol:</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">"<span style="font-family: Calibri, sans-serif; font-size: 11pt;">The idea that led to the BrowserID work was not "how can we fix identity on the web", but "what is the smallest possible claim we could make to make progress on the browser as a claims agent?"</span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"></span>And</div><div class="MsoNormal"><span style="font-family: Calibri, sans-serif; font-size: 11pt;"> </span></div><div class="MsoNormal"><span style="font-family: Calibri, sans-serif; font-size: 11pt;">"...</span><span style="font-family: Calibri, sans-serif; font-size: 11pt;">Attribute exchange is deliberately out of scope"</span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Mike states the design goals clearly and the solution achieves its goals perfectly; the only thing that complicates the matter is the name BrowserID and the fact that identity means so many things to so many people.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Will BrowserID be adopted widely as a form of identity? Will it replace your login button? I have my doubts on both counts.<br />
<br />
First off, let me say that I would use BrowserID for email verification (if it is adopted by consumers); it is a very elegant solution for that. As for wider adoption as a form of identity, let's look at the three main actors in any identity ecosystem: RPs, IDPs and Users/Consumers.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">For a large number of relying parties, an identity provider that simply asserts one attribute (email address) is not valuable enough to dedicate the scarce real estate of the "login page" to (and add to their NASCAR complexity); RPs would opt for richer IDPs (Facebook, G+, Twitter etc.), so that they get not only an email address but a rich set of information about a user (you may ask: what about privacy? more on that later).</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">IDPs (for example email providers such as Gmail, Yahoo, MSN etc.) also do not have a clear-cut incentive to support BrowserID - maybe receiving fewer "confirmation emails"? Entities such as FB and Twitter are unlikely to support BrowserID (x@y.com does not have to be a real email address, it is simply an identifier, so FB could decide to support user@facebook.com) since they are strategically dedicated to having a presence on RPs' login pages and not to being inter-mediated by Mozilla's sign-in button.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">There are also a few questions on user adoption, chief among them what happens when a user switches browser or device (with most users today using more than one device/browser to access the internet)</div><div class="MsoNormal">and, to a lesser degree, whether the general population of users will sufficiently understand the user experience.<br />
<br />
Finally I have to say I am impressed by one aspect of the implementation (which I assume was a lesson learned from CardSpace's lack of adoption) and that is the near dead-simple implementation for RP sites.<br />
<br />
In general I think we, as an identity community, are still looking for a practical solution to a simple yet adequate "identity selector". CardSpace represents a solution on the rich and complex end and BrowserID represents a solution on the simple (but not rich) end; every solution is a valuable iteration toward the final solution of the perfect identity selector - I feel the iterations will continue.</div><div class="MsoNormal"><br />
</div>Farhang (@farhangkassaei) http://www.blogger.com/profile/10216650661623100973 noreply@blogger.com 0
tag:blogger.com,1999:blog-3442944337117380119.post-5475520841598609320 2011-07-19T21:05:00.000-07:00 2011-07-19T21:09:17.829-07:00
Identity and E-Commerce: Talk @ Cloud Identity Summit 2011
I am attending the Cloud Identity Summit in Keystone, CO. It is fast becoming THE identity conference of the year, where you can see all, be it a small group of, "identeratees".<br />
<br />
I am also giving a talk tomorrow (7/20/2011) @ 4:00pm titled "Role of Identity in E-Commerce", where we share our findings and observations over the past year while building an identity provider for e-commerce sites.<br />
<br />
You can see the presentation here:<br />
<br />
<br />
<div id="__ss_8640465" style="width: 425px;"><strong style="display: block; margin: 12px 0 4px;"><a href="http://www.slideshare.net/farhangkassaei/identity-and-ecommerce" target="_blank" title="Identity and E-Commerce">Identity and E-Commerce</a></strong> <br />
<div style="padding: 5px 0 12px;">View more <a href="http://www.slideshare.net/" target="_blank">presentations</a> from <a href="http://www.slideshare.net/farhangkassaei" target="_blank">Farhang Kassaei</a> </div></div><br />
<br />
The slides are not meant to be read but to support my talk, so they may feel a bit choppy when you read them.<br />
<br />
If I want to summarize it, it is:<br />
<br />
"A viable commercial identity is a Super Identity, one that is not just an identifier but a complete, accurate and up-to-date federated profile composed of attributes from multiple trusted providers, obtained with users' consent and control in exchange for real value"<br />
<br />
If you attend the talk tomorrow, please stop by and say hi.
Farhang (@farhangkassaei) http://www.blogger.com/profile/10216650661623100973 noreply@blogger.com 0
tag:blogger.com,1999:blog-3442944337117380119.post-5409657265877290249 2011-07-12T10:25:00.000-07:00 2011-07-12T10:25:23.269-07:00
UMA - User Managed Access - Webinar, July 13, 9 AM PST
The UMA Working Group is holding a webinar tomorrow @ 9am PST. <a href="http://kantarainitiative.org/confluence/display/uma/Home">See the UMA home page for full details.</a><br />
<br />
If you own/author public APIs, or if you write applications that access such APIs, chances are you have heard of or know about OAuth; UMA is the next thing you should know about.<br />
No, you don't need to implement this tomorrow, but it informs your opinion about a very important and emerging topic: where the right intersection between access to an individual's information and enabling individuals to control that access should be. UMA aims to be the cornerstone of that enablement.<br />
<br />
Attend tomorrow's webinar to learn more about UMA.
Farhang (@farhangkassaei) http://www.blogger.com/profile/10216650661623100973 noreply@blogger.com 0