So if people with Web 3.0 minds are seeing the same things that I am seeing, it would be neat. Things are evolving so that the at sign precedes an entity (person or other) and it seems to me that machines can understand this and already do. They can then understand that “@person is a thief” is a triple where @person and thief have a relationship. The @person was first an email convention (if it was not something before that as well) that required a domain. Now with Twitter, there is no domain. You can message @person just by using @person. And now social media platforms outside of Twitter are laying the foundation for a heck of a lot of good data regarding people and entities.

I just thought it was interesting. Someone smart could do something smart with this. Today, that isn’t me.
Happy Thanksgiving.
Josh ( @joshuamilane )
The UX/UI experience in Agile projects is always fun, and the below is very sage, I think, when dealing with custom development… but what about implementing a platform? How does this approach fail? It does, in some cases, for good reason. Where do the skill sets of UX/UI people need to overlap and merge with development in these cases? Or do we act truly Agile and just talk? Not working ahead, but alongside…?
UX: The Gatekeeper Role
The two main recommendations for ensuring good usability in Agile projects remain the same as in our original research: Separate design and development, and have the user interface team progress one step ahead of the implementation team. That way, when it comes time to build something, it’s already been designed and tested. And yes, you can do both in a week or two by using paper prototypes and discount user testing. Maintain a coherent vision of the user interface architecture.
Create the initial vision during a “sprint zero” period — before any implementation has started — and maintain it through annual or semi-annual design vision sprints. You can’t just design individual features; they have to fit together into a coherent whole — a whole that must be designed as well. Bottom-up user interface design equals a confused total user experience (the Linux syndrome).
From: Agile User Experience Projects (Jakob Nielsen’s Alertbox).
I need to see a demo of this thing, because MOSS for external facing sites has, in my experience, been a pretty ridiculous undertaking.
Microsoft has huge plans for SharePoint to break down the silos between the enterprise and the web (which includes the cloud). That’s right, even though their original intention for SharePoint was not for externally based websites, they have now embraced the Internet and are offering SharePoint 2010 as a single platform for your Intranet and Internet needs.
To help, they have added two new SKUs to SharePoint 2010:
* SharePoint for Internet Sites Standard: Rizzo told us that Microsoft was astounded by the adoption of SharePoint for Internet websites. They believed they had a great solution for high-end websites but at a price point that SMBs could take on. SharePoint for Internet Sites Standard is the standard on premise version.
* SharePoint Online for the Web: This is similar to SharePoint Online that exists today, but it’s for internet websites. It will have both dedicated and SaaS versions, with an emphasis on shared hosting to keep costs down for SMBs.
via SharePoint 2010 Breaks Down Silos Between Enterprise and the Web.
Meanwhile, MOSS was supposed to do that to begin with, no?
You’ll notice the lack of “Office” in the name of the product. That is not accidental or casual. I guess the Office Team at MS wasn’t that good at managing server software. Either that, or it’s just a paradigm shift for the Product Owners (how many must there be?).
SharePoint 2010 is supposed to be the real deal, as is Windows 7, but I have yet to be convinced or see enough to know if this is not just more of the same.
I am looking forward to my first SharePoint 2010 implementation. I really want to like that product but just cannot get behind MOSS and root for the likes of Alfresco. If all goes according to plan, I hope to be involved in implementing SharePoint 2010 in Q1 of 2010. Kinda early, but let’s see… I don’t know enough about it to assess that risk.
Josh
“Unlike other memory applications, Smart.fm takes a social approach, letting users share their lists and add comments to other lists. And in the future, Lewis says, there will be more ways to pull information into the system. The company is working on integrating with Freebase, a site that collects user-generated databases. Once the effort is complete, Smart.fm users who are interested in a particular topic should be able to access information about it from Freebase automatically.”
Look into this. The tiny quote I pulled doesn’t scratch the surface of what is really going on here. The implications are obvious and stunningly powerful. While it is not quite like sitting in the chair on the Matrix and getting Kung Fu downloaded directly into your head, the fact that smart.fm has partnered with Freebase is wicked cool, and for some reason (I should probably figure out what this reason is before I post this, but I am in kind of a rush) I think this will be good for the Berners-Lee Semantic Web (as opposed to the Google Semantic Web). Psyched.
Josh
Compliance is not just a pain in the tushy. While it can be difficult to achieve, the standards for compliance have a sort of soft interpretation. For 508 compliance, there are elements that can be interpreted. Ultimately, a human being or group of human beings has to assert that a site is 508 compliant. Unless that person has the authority to officially dub a site compliant, it is compliance-minded. That’s all. Sometimes that is enough and the compliance police do not come looking.
I have written a bit about 508 compliance and W3C accessibility standards. I am not a fan of standards that can be interpreted. That is not really a standard. PCI compliance is a bit nicer in that regard, so I will talk about it a bit today. Hang onto your hats. This is about as sexy as it gets.
There are 12 points (requirements, really) that must be satisfied for a site or site collection or System to be PCI compliant.
First, what is the motivation behind this? Your safety as an online consumer, ostensibly. If you read my blog on any kind of regular basis, however, I tend to think there are other forces at play. Just like SOX Compliance, PCI compliance keeps a lot of companies in business. PCI Compliance experts. But they are not the genesis of this requirement. The credit card companies are. It limits their liability. It puts the onus on the site owner. I do not know if that is a good thing or a bad thing, but as with most things, I would bet the answer is “a little of both”.
So how do items like #6 become proven true or false? The Payment Card Industry Data Security Standards (PCI DSS) Information Security Policy & Procedures Manual sets forth these measures (requirements, really). And the reason I keep saying (requirements, really) is that requirements can be interpreted until UAT takes place. Sure, you can go Agile and you can go JIT, but it does not make sense to here. This is one occasion where your developers, stakeholders, phone support staff, and anyone who has anything to do with a transaction will be relevant in a very real and direct manner. You are better off, in my experience, joining forces with one of the organizations capable of dubbing you compliant early. That is in contrast to building, engaging, and changing/adapting. Ultimately, it will be up to your qualified PCI Compliance Agent if your application was designed with security best practices in mind, or if your application is secure. The way they determine this is up to them, although there is more detail behind these requirements – as you would expect with any project… a purely Agile approach would tend to leave people saying “that’s not really what I meant, so let’s iterate.” Why iterate when the deliverables are monitored by those who accept them and who know what they mean?
Point 6 “means”:
These are not litmus test deliverables. They are required. The flaw is that we have requirements with detailed discovery yet the requirements are not positive assertions of anything but a hypothesis not proven true or false. They are pointers. Specific documents make up the larger requirement. This is fairly well defined, but still, there is that final UAT (that is indeed stretching it a bit but hopefully my intent is clear) where the dubbing agency says “Yes, PASS”. They are usually very willing to help you fulfill these requirements and create these deliverables.
To protect cardholders and personal information, organizations must not only employ best practices, but they must also pay to have themselves audited. This seems fair, I suppose. I also respect that this is not a rigid set of requirements, but a yielding and forgiving one. It makes sense to temper things with a bit of reality. Still, it is not a standard, in my mind.
If a platform is ever able to say it is PCI compliant (or more likely, a framework), it would be very interesting. To build a framework so that departure from these guidelines is impossible would seem an attractive project for someone.
I am all for compliance, and I am all for standards, but I simply do not believe that PCI Compliance is a gauge against a standard. Advice: get audited by a PCI Consultant early. Let them tell you what they need. It may be less than you would do on your own and the money you spend on them will be money you save internally (lower project TCO). And as always, best practices in your SDLC and intelligent (common sense) design and architecture will be more valuable than whatever cute name you give your process.
AJ Ayer called something that could not be proven true or false “nonsensical”, but I think this is a little different than that. PCI Consultants need to be honest and earnest or they will have no authority. The intent, and the discipline, is valuable here, and I dig that very much.
Thank you,
Josh