My apologies for the flood of posts today, but I haven’t updated the external blog in a long time, whereas the internal email was still being distributed daily. I will try to do better in the future.

Orientation day

OK, it’s probably pretty obvious that I have been pushing education a lot recently.  Well, today my daughter is attending an orientation day at her new Junior High.  When I think back to when I was her age (yes, the world was black and white back then) going to Junior High was a big change.  Instead of staying in one classroom for most of the day I switched from one room to another and even the people I was with changed throughout the day.

I no longer had the advantage of staying with one teacher a little bit longer and picking up on a concept I missed.  I was now responsible for learning it on my own and, in the event I still couldn’t get it, only then was I going to talk to the teacher.  This was a big change in how my world operated up until then and it was really scary.  So, I empathize with my daughter.  I know what she is going to be going through and I will do my best to support her.

This orientation day my daughter is attending is going to go a long way towards making her feel comfortable in her new school and comfortable with the process.

Now, fast forward ten years.  She’s graduated from school and has her degree/diploma and has come to work for your project.  What do you have in place as orientation material?  What do you have that will help her get over the initial fear of a new experience?  What processes are in place to help her become as productive as possible in as short a time as possible?  If you’re like most of us, the answer is probably “not much”.  We all know the need is there, but filling that need just never seems to be a high priority.

The next time you’ve got a few minutes, think of my daughter, think of other people’s children, joining your project this year, next year or the year after.  What needs to be in place?  What can you do to help?

Part of the Same Team

“We’re all part of the same team, right guys?”

A Project Manager sometimes says this to his team when they’ve made a decision without consulting him and the decision has some repercussions elsewhere in the project:  money, time, or credibility.

A developer might say this to the management team of the project when the Project Manager or Team Lead has committed to a date that the developer knows is unrealistic, unattainable, or even unjustifiable.

The business area may say this to the project team when the team seems reluctant to embrace the total vision of the project and seems to be cautious, nervous, or even afraid of the impact.

It doesn’t matter the perspective, nor does it matter the person who says it, when this statement is said there is an almost instant “us vs. them” mental image that pops into everyone’s head.  Well, maybe not everyone.  Some people, some teams, actually work well together.  They understand the impact of their decisions and, if there are far-ranging impacts, they discuss them with the required people in advance of agreeing to them.  They understand that even though a request seems simple, they should talk it over with the rest of the team in case something is actually much harder than originally thought.  They understand that being part of a team is a good thing and that teamwork can overcome many obstacles.

Each of us has the ability to shape our team.  Each of us has the ability to help guide the team.  This isn’t about being a Project Manager directing the team, it is about people being part of a team and committing to the common goals.

Five people working on the same project is not a team.  Five people, sharing the same vision and goals and working together, is a team. 


SQL Injection

Security of the data is important to every application.  Ensuring that only properly authenticated users receive access and that only properly authorized users view the data is critical to the success of an application.  Unfortunately, there are many ways to get access to an application and some of them are amazingly simple.  For this note, we’re going to talk about “SQL Injection” attacks.

Much like the name implies, a SQL Injection attack is the insertion of SQL code into an existing call in order to compromise security.  Essentially what happens is that the application fails to validate the data coming into it, which allows people to insert SQL code into an existing SQL call to the database.  For details of how this is done, Steve Friedl of UnixWiz.net has an interesting example.

Is this information hard to come by?  No, it’s not.  The link above was actually the top one on the list that Google provided to me.  It gives detailed, step-by-step instructions on how to break into a poorly secured web site, and the information is so easy to follow that even my daughters can try this out at home.  Many organizations have put standards in place to address this issue.  However, standards are only effective if they are followed and they aren’t necessarily going to be followed if the person doing the work doesn’t understand the reason why.

Essentially, this comes down to education.  Educate yourself on how to break into your system so that you can prevent others from doing so.  This doesn’t mean that you need to be a security specialist, but what it does mean is that you should be conscious of the techniques that people use so that you can stop them from being used against you.  Information is the key.  Let’s hope that this key is locking things up instead of opening the lock.
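To make the mechanism concrete, here is an added example (not from the original post or from the UnixWiz.net article) that runs the same inputs through a query built by string concatenation and through a parameterized query. The table, the function names and the sample values are constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3

def make_db():
    """Build an in-memory users table (constructed sample data;
    plain-text passwords only to keep the sample short)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2"), ("o'brien", "pw")],
    )
    return db

def login_concatenated(db, name, password):
    """Weak form: input is pasted into the SQL text, so it can change the query."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def login_parameterized(db, name, password):
    """Hardened form: the SQL text is fixed and input is bound as data only."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]

# Constructed input: a quote character followed by SQL syntax.
CRAFTED = "x' OR '1'='1"

def compare(db):
    """Run the same inputs through both forms and collect the results."""
    results = {
        "weak_crafted": login_concatenated(db, "alice", CRAFTED),
        "safe_crafted": login_parameterized(db, "alice", CRAFTED),
        "safe_apostrophe": login_parameterized(db, "o'brien", "pw"),
    }
    try:
        # A legitimate name containing an apostrophe breaks the weak form too.
        results["weak_apostrophe"] = login_concatenated(db, "o'brien", "pw")
    except sqlite3.OperationalError as exc:
        results["weak_apostrophe"] = "SQL error: " + str(exc)
    return results

if __name__ == "__main__":
    for label, outcome in compare(make_db()).items():
        print(label, "->", outcome)
```

The concatenated form returns every row for the crafted password and fails outright on a legitimate name containing an apostrophe, while the parameterized form treats both as plain data.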


Do you ever have a few minutes to kill and you’re not sure what to do?  Get certified. 

OK, getting certified in something may take longer than a few minutes, but doing a test is an easy way to tell how close you are to the final goal.  For instance, there is a company called Brainbench that lets you write tests to “certify” yourself in various areas.   While many of these exams do cost money, I prefer looking up the “Free” exams.  Through this route I have taken an exam on Shorthand (I passed, but barely), Internet Security, Writing English, Typing, and others.

I’ve done these exams for a number of reasons, not the least of which is that I want to test myself to see if I actually know a topic.  I’ve been talking a lot about Education, recently, and how it is important to keep yourself informed about a topic.  The Brainbench site has a number of FREE exams right now on topics like .NET Framework 2.0, RDBMS concepts, Programming Concepts and Software Testing.  While I am not advocating this particular site, I am advocating education.

If you are more serious about your education you can try for any one of a number of Microsoft certifications.  There are a lot of sites that help you out with studying for these exams, with Transcender being one of the oldest companies in the business.  Or, for those who prefer studying at their own pace with a solid reference, most of the Microsoft exams have associated books.  (Imagine that, they charge for the exam and they charge for the book for studying.  What a racket!!!!)

It doesn’t really matter which route you choose, just go out and learn.

Side Benefits

In a recent note we talked about moving historical records out of the main table into a history table or, depending upon the purpose of the historical records, an audit table.  One of the comments that I got back was that this had a number of additional benefits:

  1. Easier to write code to retrieve data – no fancy date handling required
  2. Easier to use ad hoc reporting tools – same reason
  3. Better performance due to simplified date handling and smaller table sizes (as only most current record kept)
  4. Can control access to current vs historical data easily by restricting access to the various tables
  5. Easier to archive, as you only need to worry about the history table

(Thanks Rob)

It’s easy to miss amongst the glitz and glamour of coming up with solutions that everything we do, every decision we make, has multiple ramifications.  What we may do to “simplify” something may cause severe repercussions in other areas, totally negating the positive benefits.  Sometimes we come across a solution that has both positive and negative impacts, but the positive impacts so far outweigh the negative that there doesn’t seem to be a reason not to adopt the new approach.

Coming up with alternatives can be quite difficult, which is where “peer review” comes in really handy.  Grab a friend or two, someone who has done some design work before, and show them your design.  Help them understand the problems and the solutions that you’ve come up with.  Peer reviews are tremendous tools in that they help to validate approaches and ensure that other possibilities have been considered.  (Don’t go overboard on documenting your design until after you’ve had a peer review, however, as the more time you invest in your solution the less likely you are to consider other options.)

Error Messages

Error messages are vitally important to being able to debug an application that is having troubles.  One thing I should mention, though, is that the error message and subsequent call for action need to make sense.  For instance, the following error messages, or the actions they suggest, just don’t make sense or don’t help to debug the problem:

  • Keyboard not found.  Press F1 to continue.  (I last saw this on an IBM PS/2 model 55SX.  I paid $6000 for a machine which I felt like throwing out the window.)
  • An unexpected error has occurred.  (I last saw this on a number of different production applications in our own shop.  This doesn’t help.  Honest.  Any shred of additional detail would be appreciated.)
  • This is impossible.  (Last seen in one of our production applications.  You know, if I’ve seen it in an error message, it’s obviously not impossible.  BTW, I saw 20 occurrences of this.)
  • Invalid effective end data.  (Too bad there are about a dozen effective dates used at this point in the application.  No idea what date is being used or what table is being accessed.  Quick, call for a DBA!!!)

Sometimes we try to hold our client’s hand and we use the excuse “Well, we want to make the error message friendly to the user”.  Fine, make it friendly, but you can still add more information.  For instance, on the effective date error if you added what date was incorrect you would not only make it more user friendly, you might actually allow the user to solve the problem themselves!!!  The “unexpected error has occurred” message is sometimes a catchall, but you can still add valuable information.

No, none of these are perfect solutions, but you need to understand that while you might be covering up the sins of the application to the end user, the support personnel have no data to go on in order to fix the problem.  This prolongs the issue and makes the application actually look worse in the long run.  You might want to consider a two part error message:  first part user friendly, second part techie.  You could add “Report the error to the appropriate support personnel and give them the following data:  blah blah blah”.  Give the user both parts, but tell him to pass on the second part.  They will appreciate it, as will I.
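One way to build the two part message for the effective date case, as an added example that is not code from any of the applications mentioned above. The class name, the table names, the field names and the sample rows are all hypothetical.

```python
from datetime import date

class TwoPartError(Exception):
    """An error with a user-friendly part and a technical part for support."""
    def __init__(self, user_part, support_part):
        super().__init__(user_part)
        self.user_part = user_part
        self.support_part = support_part

    def render(self):
        return (self.user_part + "\n"
                "Report the error to the appropriate support personnel "
                "and give them the following data:\n" + self.support_part)

def check_effective_dates(records):
    """Return one TwoPartError per record whose end date precedes its start.

    Each record is (table, key, start, end); the names are hypothetical.
    """
    errors = []
    for table, key, start, end in records:
        if end < start:
            errors.append(TwoPartError(
                user_part=(f"The effective end date {end.isoformat()} is before "
                           f"the effective start date {start.isoformat()}. "
                           "Please correct the end date."),
                support_part=(f"table={table} key={key} field=effective_end "
                              f"value={end.isoformat()} "
                              f"start={start.isoformat()} rule=end>=start"),
            ))
    return errors

# Constructed sample rows; only the second one is invalid.
SAMPLE = [
    ("policy", 101, date(2007, 1, 1), date(2007, 12, 31)),
    ("coverage", 202, date(2007, 6, 1), date(2007, 5, 31)),
]

if __name__ == "__main__":
    for err in check_effective_dates(SAMPLE):
        print(err.render())
```

The support part names the table, key, field and value, so it identifies which of the many effective dates failed without exposing anything beyond what the user already entered.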

Virtualization Technology

I was reading an article recently about virtualization that actually surprised me.  The Collier County School District in Florida is a very big proponent of virtualization technology.  Their technology plan calls for the replacement of traditional desktops with thin clients.  Users would essentially log into a virtualized desktop located at the District’s central computing center.  By loading up blade servers with lots of RAM they are trying to get 30 or more desktops per server.

Wow!  Thirty virtual machines per physical host!  We have not been nearly so aggressive, with our biggest servers handling 15 or 16 virtual machines.  Many of our servers are much smaller and we have a correspondingly smaller number of virtual machines.  Right now we have in excess of 190 virtual machines, some of these being used as desktops, while others are used as servers, both in a Development capacity and a Production capacity. 

With the upcoming release of Windows Server 2008, however, we plan to take even more advantage of virtualization technology.  Comments from Microsoft about the software being able to handle 512 virtual machines per physical machine notwithstanding, we don’t plan on hitting that number any time soon.  What we do plan on doing is implementing features that will allow virtual machines to consume more CPU on the box on which they are hosted, features that will allow us to move a virtual machine from one server to another with no interruption to service, features that will allow us to create new virtual machines in minutes, in some cases in an automated fashion to handle heavier workloads.

Virtualization is a proven technology; just talk to any mainframe guy and he can tell you that multiple “operating systems” are run on an IBM mainframe every day.  Great strides are being made in this area every day and when they are ready to use we will be there.

DataSets vs. DataReaders

I am stepping into heretical territory here, so you will have to pardon my trepidation.  I am going to discuss something over which wars have been fought, reputations destroyed and lives ruined.  Yes, you guessed it, I am going to discuss DataSets vs. DataReaders.

There has been much discussion of this topic behind closed doors and even the occasional directive stating that if you are passing large amounts of data from one tier to another, use a DataSet.  DataSets are indeed convenient mechanisms for transporting around a lot of information that can be stored in a table/row manner.  What happens, though, if you are retrieving a single value?  What if you are going to be retrieving data until a specific event occurs (time or data initiated) and then stop processing?  My contention is that these items may be better suited to a DataReader as opposed to a DataSet.

A DataReader is much lighter weight and is actually the underpinnings upon which the DataSet is built.  When you issue the Fill command to a DataSet it uses a DataReader to retrieve all of the data which it then passes back to you.  If you don’t need all of the data, however, you just chewed up a lot of processing cycles, processing memory, and your client’s time, retrieving data that you are going to throw away.  If you are in a memory constrained situation or a time constrained situation it may be more appropriate to use a DataReader instead as that will give you more control.  Is it difficult to use?  Heck, no.

So, what is it that I am advocating?  Education.  Learn the differences between a DataSet and a DataReader and when each is the most appropriate alternative.  Understand the weaknesses of each, not just the strengths.  Then, only then, make an intelligent, informed decision about the right tool to use.

Single Point of Failure

Single Point of Failure.

There are probably a lot of really nice definitions out there, but I’d like to use my own.  In my world, a single point of failure is:

… a component, hardware or software based, which when it fails will cause the entire system, or an entire subsystem, to become unavailable to the users …

So, let’s give some examples:

  • An application that only runs on a single web server has the web server as a single point of failure.
  • An application which uses only a single database server (non-clustered) has the database server as a single point of failure.
  • An application that relies on the Internet, but only has a single connection has their ISP connection as a single point of failure.

While we try to cover many of these different aspects when we design applications and infrastructures, sometimes things still don’t work.  For instance, in Production we’ve got clustered web servers, clustered database servers, multiple Ethernet connections, redundant DNS servers, RAID disk storage and dozens of other redundant systems.  Sometimes, though, things just go south really fast and in a really bad way.  Recently we had an air conditioning problem with our server room.  We have redundant units that have multiple air conditioners in each unit.  Through a sad set of circumstances we ended up with only 1 of 4 units working.

No matter what anyone does, there is no such thing as a foolproof system.  There will always be some avenue whereby a single point of failure exists.  The target is to identify those areas and work on putting in redundancy, one step at a time.  It is a long process, but nothing worthwhile is ever accomplished quickly.