Innovation is Saying “No” to 1000 Things

People think focus means saying “yes” to the thing you’ve got to focus on. But that’s not what it means at all. It means saying “no” to the hundred other good ideas that there are. You have to pick carefully. I’m actually as proud of the things we haven’t done as the things I have done. Innovation is saying “no” to a thousand things.

Steve Jobs as attributed by Nassim Nicholas Taleb in Antifragile: Things That Gain from Disorder. 11h 26m 15s

By the way, as you can see I’m making progress on Taleb’s book and loving it.  Some of it is a bit dense for listening to at 3x so I have to slow it down and re-listen. Very well-reasoned and thought-provoking ideas.

Ironically this quote isn’t one of his own ideas but support for his ideas. I might have to listen to it a second time in order to pull out small quotes that really represent the whole. Kinda feels like swimming in deep waters right now.

I will say that Taleb talks a bit about ADHD and formal education. As a parent with at least one young child with ADHD these strike close to home. (ADHD runs in my family like the Force does in the Skywalkers.)

The tension between what fits the mold and what fits the child — the possible systematic harm from having a mold. Good questions.

Google’s foobar is Clever Recruiting

I just finished up the second day of Google IO Extended Utah.


During the conference my friends and I noticed that little slips of paper with cryptic messages were in our goody bags.

Playing with the information on the slips we found a code challenge system called foobar.

Looks like it is by invitation only. When you beat level 2 you are given a single use link for referring others into the system.

When I finished level three the system printed out this message:

[#1] The code is strong with this one. Share solutions with a Google recruiter? 
[Y]es [N]o [A]sk me later:


As a hiring manager I think this is genius! I’ve used code challenges during the hiring process and reading someone’s code is very illustrative.  What’s more, the time limits in the challenge system are very generous and allow the applicant to really shine.

My employer puts on a large conference every year and I’ve wondered why we don’t do more to use it for low-key recruiting like this.

If this technique is over-played then people may become wary of sending their people to conferences since it gives them even more exposure to the competition’s recruiters.

In this case what Google is doing is very classy and low-key. If you went to IO and overlooked those slips then give it another shot. If you know someone that went, see if you can get them to refer you. The challenges are fun!

Will EJS Escape Save Me From XSS? Sorta

If you’ve never had your website reported for cross-site scripting (XSS) vulnerabilities then you’re missing out. Of course, it’s great to get it right the first time. But it’s hard to beat that sense that you’re wide open for attack, it’s your fault, and everyone knows it thanks to some white-hat hacker.

This raises the question of how to protect against XSS in general. Of course, there are a lot of ways to screw up. Here’s one of them.

Here’s Your Broken Code

You have a value on the server (like locale) that you want accessible on the client. You realize that you’re building the whole page in EJS anyway so why not plop a script tag on the page and pop a var into it? So, we render it right into some JavaScript like this:

var lang = "<%- locale %>";

Here’s the problem: what if locale's value is en"; doEvil(); "throw away string literal? Then we render the following code into a JavaScript execution context:

var lang = "en"; doEvil(); "throw away string literal";

Which is valid AND EVIL code.

Does <%= Do the Necessary Escaping? Erm…

What if we use the escaping capability of EJS? Are we safe? Sorta.

Let’s bust out the REPL.

$ node
> var ejs = require('ejs')
> var locale = 'en"; doEvil(); "throw away string literal'
> ejs.render('var lang = "<%- locale %>";')
'var lang = "en"; doEvil(); "throw away string literal";'
> ejs.render('var lang = "<%= locale %>";')
'var lang = "en&#34;; doEvil(); &#34;throw away string literal";'

You see that using the back fat arrow (<%=) does prevent the evil from running in this case. But it isn’t really a safe technique in general.

What if you had a number instead of a string? What if you wanted to do the same thing to it? Continuing in the REPL the sample attack would look like this:

> var onServer = '6; doEvil();'
> ejs.render('var count = <%= onServer %>')
'var count = 6; doEvil();'

Notice that the escaping doesn’t help because there are no quotes in the attack string; an HTML escape only touches characters that are special in HTML, and a semicolon isn’t one of them. In order for escaping to really work here it would have to escape semicolons, too.

So, you’re kinda safe as long as you are using strings OR at least match the untrusted string with a RegEx like /[^;'"]*/ and use the matched text instead of the full text.

My Tools Have Betrayed Me!?

Why is EJS so broken? Why doesn’t escaping help you escape?

It isn’t broken. The problem is that back fat arrow is an HTML escape and you are rendering text into a JavaScript execution context.

For escaping to be reliable you have to match data context with escaping algorithm.

In this case the context is JavaScript and the algorithm is HTML. Close. But missed it by that much.

What’s the Right Way?

The Right Way™ to do this is to render it into a meta tag like this:

<meta name="lang" content="<%= lang %>">

Notice that here the escaping algorithm (HTML) matches the data context (HTML).

Then you get the value using code like this:

var metas = document.getElementsByTagName('meta');
var i, l = metas.length, lang;

for (i = 0; i < l; ++i) {
  if (metas[i].getAttribute('name') == 'lang') {
    lang = metas[i].getAttribute('content');
    break; // take the first matching meta tag
  }
}

Looking at the Right Way™ it’s no wonder that we take shortcuts.

But seriously, the Right Way™ is much less XSS error prone.

For other ideas on how to get meta data from the DOM using JavaScript you can always Stack Overflow.

Are You Being Wooed?

An interesting and short article went over the predictable labor shortage caused by the difference between the sizes of the Baby Boomer and Gen X population groups. It talked about Employment Branding.

The technical term is “Employment Branding,” and it’s how companies woo top talent. They showcase their company culture, values, benefits, perks, executive team, staff members, business mission, and anything else that will make a great candidate want to work for them instead of their competitor.

… Google, Zappos, Amazon, and Facebook aren’t the only hot employers on our planet. They’re just the ones that embraced Employment Branding when others didn’t. But soon, we’ll be seeing companies of all shapes and sizes strutting their stuff in hopes of catching our eyes. It’s going to be a great year!

Has this been true for you? I know I talk up our unique workplace — especially for top candidates. How prominently has “Employment Branding” featured in your recent job interviews?

Happy Memorial Day

Just finished putting up flags around my neighborhood with my two oldest sons. (It’s a Cub Scout fundraiser.)  I hope you have a meaningful day.

You might try out for finding out more about your ancestors today.  I admit I’m biased. I’ve written code there.

(My words are my own and no-one else’s. They are particularly not my employer’s or the BSA’s.)

An Irritable Programmer Calls 911

Operator: Please state the nature of your emergency.

Programmer: I need immediate assistance.

Operator: Are you injured?

Programmer: Look lady, I don’t want to turn this into a status meeting.

Status is Not Stupid

I’ve noticed people saying the word “status” with scorn: “Now, instead of getting work done we’re just reporting on status.”

In fact, I’ve heard people use the s-word to complain about stand-up meetings that had team mates reporting to each other on what they got done and what they were going to work on.

Teamwork: It’s Better Together

I’ve particularly noticed this sort of dislike on teams that are really more like bundles of developers: I work on my thing, you work on yours, and each has nothing to do with the other.

However you describe it, the daily stand-up (or scrum) meeting is for the team to understand where they are, see what needs working on, and make a plan for the next day of work.

I’ve found that a team really shines when teammates work on related things together rather than independent things apart.

If you find yourself dreading stand-up then maybe your team is in a rut. In late 2011 I felt like my team’s stand-up had lost its edge.

It seemed that people felt an obligation to talk for a certain amount of time just to justify what they did yesterday. I also felt like we were spending time in the meeting doing bookkeeping that could have been done beforehand.

I was the scrum master at the time so I wrote up this guide to shake things up for a few days.

Stand-up For Today

Don’t Do This:

  1. What I did yesterday.
  2. What I’m doing today.
  3. How I am blocked.

Do Do This:

  1. What did I do or learn that will probably affect others?
  2. What will I do that affects others?
  3. What is impeding me?
  4. How can I help others today?

Assumptions That Make This OK

  • Everyone is working their hardest.
  • We’re all keeping the scrum board up to date.

Insist on Fast Paced Status

You can absolutely have a productive stand-up using the traditional questions (The ones I struck out above.) I just found we were in a rut. We were talking about ourselves individually in a group setting instead of focusing on the team aspect.

Merge Pull Requests Like a Legendary Project Maintainer

If you haven’t written code on GitHub then stop what you’re doing and make something out there. (You really should have a portfolio on GitHub.)

When you’re working all by your lonesome it doesn’t come up much, but add another person to the mix and pull requests can get stressful and laggy real fast. If you’re ready to upgrade your workflow then read about the better way to merge pull requests.

If you don’t learn how to use the hub command line tool then you’ll often find yourself having to decide how bad the request has to be before you’ll throw it back for polish.

Git OCD types will be particularly gratified now they can easily tweak pull requests before merging them. Now you can fix little problems here and there while still giving proper props.

Thanks to Jamis Charles for posting this link.

Embrace The Right Stress

An excellent article in a recent Wall Street Journal lays out a better way to deal with performance anxiety. Though most of us (91%) think of calming down as the proper response to stage jitters the proven better alternative is to welcome the anxiety as a performance enhancer.

In other words, it’s better to tell yourself, “I am excited,” than to give the aspirational lie, “I am calm.”

Not only does your audience rate you better, and your performance on objective criteria rises, but you will find the event less taxing.

According to the article this simple trick of stress-mindset may even be effective at avoiding burnout.

The article doesn’t mention this, but it seems wise to see that there is a difference between the stress that accompanies a moment of high-performance, and the chronic stress of worry.

I’m sure you should still find times in the day and week to unplug and seek a lower level of energy. But in the moment when performance is necessary it is clearly better to be truthful about your emotions, accept them, and have faith that they will elevate your performance.

Column Mode versus Slow Mo’

Sublime Text’s column mode makes it really easy to create multiple cursors and make repetitive edits. This comes in handy all the time. 

On Mac, Sublime Text’s default key-binding for entering column mode conflicts with the system’s default key bindings for the “slow-mo” version of mission control.

I like mission control. I hate slow mo. Apparently you can’t have one bound to ctrl-up without the other bound to ctrl-shift-up.

Luckily it’s pretty easy to modify the Sublime Text shortcut from ctrl-shift-up (and down) to ctrl-alt-up (and down).

Just add the following bindings to your user key-bindings:

{ "keys": ["ctrl+alt+up"], "command": "select_lines", "args": {"forward": false} },
{ "keys": ["ctrl+alt+down"], "command": "select_lines", "args": {"forward": true} }

Of course, take care to get the line-ending-commas right if you already have bindings in that file.

I hope that helps you.