# Monday, 04 December 2006

My recent post of a joke about a priest and a politician highlights a privacy issue: sometimes any sufficiently specific information can become identifying information. If the priest had referred to "one of the first confessions" instead of "my very first confession" nobody would have learned anything when the late-arriving politician told the crowd he was the very first to give confession to the then-new priest. Similarly when a CIA operative was identified in the USA, at one point the person who identified her took refuge in pointing out he hadn't named her, hadn't said "X Y is an operative", but instead had named her husband, "A B is married to an operative." Of course that was equivalent to naming her.

Similarly, when you're worrying about privacy in an application, it's not as simple as naming some fields you shouldn't include in the system. That's a good first step, for sure: why does this application have a field for Social Insurance Number, what do we use it for? Why do we need to keep it after that? But it's not the whole story. For example, we may need everyone's home phone numbers, but do we need them on the main screen or would it be better to make people click to see the more private information. Can we use role based security to show private information only to managers? This takes some thought.

Microsoft is offering a 49 page Privacy Guidelines whitepaper you may find helpful. The introduction says:

The purpose of this document is to propose a baseline for establishing this higher bar.  It offers guidance for creating notice and consent experiences, providing sufficient data security, maintaining data integrity, offering customer access, and supplying controls when developing software products and Web sites.  These guidelines are based on the core concepts of the Organisation for Economic Co-operation and Development (OECD) Fair Information Practices and privacy laws such as the EU Data Protection Directive, the U.S. Children’s Online Privacy Protection Act of 1998 (COPPA), and the U.S. Computer Fraud and Abuse Act (as amended 1994 and 1996).  In the interest of developing a common set of industry best practices for privacy, we invite the community and other interested parties to participate in an open dialogue. 

It discusses categories of information, retention, consent, notice, and a few things that are web-specific like cookies. A good place to start your thought process.

Kate

Monday, 04 December 2006 15:16:45 (Eastern Standard Time, UTC-05:00)  #    
# Sunday, 03 December 2006

Technology Review has an interview with the father of C++. Some notable quotes:

  • There has to be languages for those experts to use--and C++ is one of those languages.
  • I want elegant and efficient code. Sometimes I get it. These dichotomies (between efficiency versus correctness, efficiency versus programmer time, efficiency versus high-level, et cetera.) are bogus.
  • There are just two kinds of languages: the ones everybody complains about and the ones nobody uses.
  • The main reason for C++'s success is simply that it meets its limited design aims: it can express a huge range of ideas directly and efficiently. C++ was not designed to do just one thing really well or to prevent people doing things considered "bad." Instead, I concentrated on generality and performance.

Read the whole thing!

Kate

Sunday, 03 December 2006 15:03:02 (Eastern Standard Time, UTC-05:00)  #    
# Saturday, 02 December 2006

UAC got you all confused? Do you think the best thing to do is turn it off? Maybe this article on TechNet will help a little. It's quite long, and not entirely developer focused, but it's a good place to start understanding what UAC is for and why it would be best not to turn it off.

Kate

Saturday, 02 December 2006 08:26:32 (Eastern Standard Time, UTC-05:00)  #    
# Friday, 01 December 2006

From Beyond Code, this made me smile:

Sorry for the delay
A priest was being honored at his retirement dinner after 25 years in the parish. A leading local politician and member of the congregation was chosen to make the presentation and give a little speech at the dinner. He was delayed, so the priest decided to say his own few words while they waited.

"I got my first impression of the parish from the first confession I heard here. I thought I had been assigned to a terrible place. The very first person who entered my confessional told me he had stolen a television set and, when questioned by the police, was able to lie his way out of it. He had stolen money from his parents, embezzled from his employer, had an affair with his boss's wife and taken illegal drugs. I was appalled. But as the days went on I knew that my people were not all like that and I had, indeed, come to a fine parish full of good and loving people.".....

Just as the priest finished his talk, the politician arrived full of apologies at being late. He immediately began to make the presentation and gave his talk. "I'll never forget the first day our parish priest arrived," said the politician. "In fact, I had the honor of being the first one to go to him in confession."

Moral: Being late can be (very) costly.

Kate

Friday, 01 December 2006 08:13:25 (Eastern Standard Time, UTC-05:00)  #    
# Thursday, 30 November 2006

Like Dilbert, this list of top 20 excuses developers give to testers is only funny because it's true. I'll tell you that the answer listed as #1 there is banned in our offices -- and we have quite a bit of process in place to make sure deployments are complete, for just that reason. Personally, I find #8 the funniest - and again, only because I have in fact heard it... mostly from former employees :-). Number one winner in the comments: Billy Hollis - "We're not shipping your machine."

Kate

Thursday, 30 November 2006 09:02:24 (Eastern Standard Time, UTC-05:00)  #    
# Wednesday, 29 November 2006

To follow up on my post about pinning pointers, let me ask one of those tricky questions that someone asked me. If I have an array of things, how do I pin the whole thing? If I ask for a pinning pointer based on element #3 of the array, can I use pointer arithmetic from that pinned pointer to reach elements #4 through #11? Do I have to pin each element one at a time?

The answer is that pinning any element of an array pins the whole array, and that once you have a pinned pointer to one element of the array you can do the usual pointer things. This includes not only incrementing it to move through the array, but if it's a char* you can pass it to things that expect strings and those things will never know the difference. Here's an example from MSDN:

array<Byte>^ arr = gcnew array<Byte>(4);
arr[0] = 'C';
arr[1] = '+';
arr[2] = '+';
arr[3] = '\0';
pin_ptr<Byte> p = &arr[1];   // entire array is now pinned
unsigned char * cp = p;
printf_s("%s\n", cp); // bytes pointed at by cp will not move during call

This sample prints out ++.

Kate

Wednesday, 29 November 2006 08:42:29 (Eastern Standard Time, UTC-05:00)  #    
# Tuesday, 28 November 2006

As I mentioned earlier, I recorded a DNR episode while at Tech Ed Developers in Barcelona. A bunch of us got together to talk about Agile development. As I said at the time, at Gregcons we're not "formally Agile" (stop laughing) but we do a lot of things that fall under the Agile umbrella, because they just plain make sense.

I haven't had a chance to listen to the recording yet, but Scott Bellware has, and he liked it. Among other things, he says:

Kate Gregory nailed a quintessential a-ha moment in agile adoption: "You go through this phase of saying, that's way too extreme; I would never do that; what kind of weirdo does that?.  And then a year later, you're doing that."

Agile practices go deep and often work at subtle levels.  The very practice of agile development puts the sharpness in your perspective that you'll need before you can see the difference between pre-agile development and agile development.  Kate's statement perfectly captures this experience of the agile practice paradigm shift.

Happy to help, Scott. Thanks for listening!

Kate

Tuesday, 28 November 2006 07:34:03 (Eastern Standard Time, UTC-05:00)  #    
# Monday, 27 November 2006

I use search engines for a variety of reasons. Sometimes I want to find out how to do something. Other times, I want to find the official page about something so I can link to it here or send it to someone. Since most of the things I want to learn are related to things I already know, and since I blog about a lot of what I know, I have a bit of an occupational hazard:

One of my mentoring clients complained about this to me. "I decide to search the Internet instead of calling you to ask and what do I find? A bunch of stuff you wrote!". Believe me, it's worse when all I can find is a bunch of stuff I wrote. And Peter Near, a fellow MVP, Flyertalker, and Ontarian, has the same problem.

I would get in the habit of excluding gregcons.com from my search results if not for two things: first, a lot of my stuff is published on other sites, and second, from time to time my old words help me remember something I'd forgotten. So I guess I'm stuck with it.

Kate

Monday, 27 November 2006 07:25:06 (Eastern Standard Time, UTC-05:00)  #