Tell Me About Yourself–Engineering Leader Edition

The following tweet starts an excellent thread of questions that I’m taking as a starting point for this post looking back over the past 5 years with my current company:

When was the last time you promoted someone on your team?  How did it happen? My organization works in a way that promotion decisions are actually approved (or rejected) at a much higher level than mine.  But I’ve advocated successfully for promotion for two of my direct reports, both during the pandemic.

The first was a recent college graduate who spent the 18 months of his professional career on my team.  While I wasn’t his manager for the entirety of that time, I encouraged him to work on communication across various channels (Slack, email, documentation, pull request comments, etc).  I did what I could to put opportunities in front of him to grow and showcase his skills.  What he did on his own (in addition to pursuing a master’s degree in computer science on the side) was earn AWS certifications.  He passed 4(!) in a single calendar year.  So when it came time to year-end reviews, there were a lot of accomplishments to point to as well as positive feedback from people outside our team from their experiences of working with him.  He was the first direct report I had who earned the highest possible year-end rating: exceptional, and the first promotion (to senior engineer).  He’s still with the company today, and received another promotion (to principal engineer) in the same cycle I received a promotion to senior manager.

The second promotion was for someone who had been with the company longer than I had.  From what I was told she had been submitted for promotion once or twice before but had not been selected for promotion.  She was (and is) one of those engineers who leads much more by example than by talking.  Having observed over the years that the review process tends to overindex on software engineers that present well, I became the person in meetings who consistently pushed people to consider written communication as well as presentations in judging the quality of an engineer’s communication.  I also recommended she take the technical writing courses offered by Google.  These steps, plus highlighting her numerous critical contributions to the team’s success during another year-end review cycle, appear to have been enough to get her promoted to principal engineer.

Why did the last person in this role leave?  It’s been long enough that I don’t actually recall why the previous leader of the team moved on.  I presume they found an opportunity with another company.

How do you nurture psychological safety in your team?  Regular one-on-ones (I follow a weekly cadence for these) have been important to nurturing psychological safety.  Because I joined the team to lead it after work-from-home began, Zoom meetings were really the only avenue available to build the rapport necessary for my team to trust me.  I also started a technical book club with the team, with the intention of giving my team exposure to software design and implementation principles outside the scope of our current work, along with providing opportunities for each member of the team to lead discussions and explore ideas.  It seems to have had the additional benefit of building everyone’s comfort level with, and trust in, each other along with all the other things I’d intended it for (including ideas originating from book club showing up as production enhancements to our software).

When was the last time you supported a direct report’s growth, even if it meant leaving your team or company?  In my previous department, I had staffing responsibilities for two teams for a while: one composed entirely of contractors in addition to my own team.  In helping a scrum master friend of mine diagnose the causes of the contractor team struggling to be productive, I concluded that the main issue wasn’t technical expertise but the lack of a leader to help remove impediments and connect them with others in the organization who could help their tasks move forward.  I proposed this as a leadership opportunity for one of my direct reports and got buy-in from higher-level management.  He was so successful in the stretch opportunity I created, he got promoted after leaving my team.  Not long after that, he left our organization to join Amazon as an engineering team lead in Seattle.  He’s currently a principal software engineering manager with Microsoft in Atlanta.

Can I speak to some women on the team to hear more about their experience?  Two of the engineers on my current team are women.  If all goes well, another one of them will be promoted to principal engineer by virtue of her performance over the past 18 months.  While it will likely mean losing her to another team, her getting promoted and gaining new opportunities that my team’s scope doesn’t provide is more important to me.  I see it as another opportunity to build up another engineer in her place.

2FA/MFA Revisited

Seven(!) years ago, I wrote a bit about security breaches and how two-factor authentication mitigates that risk. Today is as good a day as any to revisit the subject because of this:

The results of Elon Musk and friends turning off one of the microservices responsible for two-factor authentication for accessing your Twitter account.

In the years since I wrote that post, the availability of multi-factor authentication as an option for securing access to websites and other online systems has only grown. Face ID came out with the iPhone X and expanded to other parts of Apple’s hardware lineup, and YubiKeys have become far more prevalent in usage. The previous iteration of this blog didn’t have MFA protecting admin access, but the current one does. The websites that give me access to my brokerage account and various retirement accounts are now all protected by some form of MFA. The issue highlighted in the tweet above is specific to using SMS as the second factor for gaining access to your Twitter account. The service responsible for sending the code you type in to verify that you’re the legitimate accountholder was turned off. So for those users who only had Text message as their Two-factor authentication option, they might not have been able to get back into their account as a result.

In my case, I wasn’t impacted because I’d actually turned Text message off as a second factor in favor of two other options: Authentication app, and Security key. Authentication app options include Google Authenticator, Microsoft Authenticator, Authy, Symantec VIP, and many others. Once installed on your mobile phone, they all work in a similar way: they generate a random sequence of 6-8 numbers every 30 seconds. If you’ve set up an online account to require such a number for access, you must provide it (along with your username and password) before the 30 seconds expires to gain access. Security key eliminates the stand-alone app requirement in favor of plugging a physical key (like the YubiKey 5Ci which I use) into whatever laptop or mobile phone where you’re trying to access an account and touching it to generate a code that gives you access.

MFA options in descending order of difficulty for hackers to breach:

  1. Security key
  2. Authentication app
  3. SMS

To be clear–SMS as a second factor is much better than nothing. But if you don’t also secure the account you have with your cellphone provider with MFA and/or a PIN, a determined attacker could take over your account and redirect the SMS message to a device they control. An authentication app is much more secure, but as I discovered to my chagrin when researching this post, not impenetrable. The security key option is the only one of the three that requires physical access to you (and/or your stuff) in order to steal the thing necessary to get access to your accounts. For that reason, I’ve been switching my online accounts to use the security key option wherever it’s available.

The advice from seven years ago to use a password manager still holds. 1Password remains my preferred option for this. They’ve added support for MFA to their product, which is an option worth considering for less-technical users who don’t want to use a stand-alone authentication app or a security key.

The most detailed piece on the potential consequences of not using MFA remains this Wired piece from a decade or so ago. This is the sort of thing that what I’ve shared in the previous paragraphs is intended to help more people avoid.

Your Mastodon Experience May Vary–And Not Always in a Good Way

While my own experience on Mastodon has been a positive one so far, my experience is by no means universal.  As more prominent accounts from Twitter have joined, particularly those of black folks (and especially black women) I’ve followed there for a while, they’ve begun to share details of consistently negative experiences on Mastodon.

Her experience has been difficult enough that the Mastodon post sharing that she was taking a break from that platform linked to the tweet above.  It’s hard to imagine a more damning indictment of how a platform treats people from marginalized communities than posting that criticism on Twitter, a site that has done far less policing of slurs against black people in the wake of Elon Musk’s purchase.  Trying to summarize her thread wouldn’t do it justice, but if there is any common thread between her negative experience and that of other black people on Mastodon it is around the content warning feature (abbreviated CW as shown below).

Mastodon posting window with CW button circled in red

Dr. Prescod-Weinstein’s objection to the name of the feature is a function of being a rape survivor.  The other pushback I’ve seen most often is around the use of the feature for posts regarding racism.  Elon James White, who I first started following during his coverage of Ferguson in the wake of the protests of Michael Brown’s shooting death by police officer Darren Wilson, refuses to use it for discussions of racism.  Mekka Okereke, director of engineering for the Google Play online store, has a more nuanced viewpoint, which separates whether or not white people want to hear about racism from what is effectively a mislabeling of the feature.  He summarized his feelings on this as follows:

Feels very very much like “Ban teaching civil rights, so white kids don’t feel bad.”

When I did a bit of searching to try and learn more about content warnings and trigger warnings in their original context, it seems that the original scope of such terminology was limited to things that could cause someone to recall a traumatic experience they had.  My primary takeaway from one piece in particular was that broader, more casual use of the term “triggered” ended up both being conflated with people being “too sensitive” and conflating trauma with mere discomfort.  “Conflating trauma with mere discomfort” ends up being a great summation of the way far too many white people still respond to black people merely describing the racism they’ve survived.

Mastodon (and the Fediverse)’s turn in the spotlight, and the negative experiences of at least a few black people on it I follow make it a microcosm of both the best and the worst aspects of tech more broadly.  A few of the best aspects: software a young man named Eugen Rochko first started writing in 2016 has held up rather well, all things considered, against a significant increase in usage and attention.  It’s open source, so not only can you see how it works, you can suggest changes, or even make a copy of it and make changes yourself if you have the time and expertise.  It uses a decentralized social networking protocol that doesn’t just interoperate with other Mastodon servers, but with other social networking applications that use the same protocol.  Despite the good–which is significant–Mastodon is just as susceptible to some of the negative aspects of the for-profit tech industry it intends to be an alternative to.  The most obvious negative aspect is the gatekeeping.  Despite beginning my professional career just a few years after the founder of Mastodon was born, it would take over 15 years of that career before I would find an employer where there was more than one other person who looked like me writing software for a living.  Software engineers who are Hispanic or Latino aren’t that much less rare than black software engineers.  Today, the percentage of women in technical roles is projected to be around 25% by the end of this year.  But the history of computing predates the machines that do it today, and a much higher percentage of those literal human computers were women.  Those women who do persevere through the gatekeeping that would prevent them from entering the industry ultimately end up leaving at unfortunately high rates because of the hostility to women that still persists in too many work environments.

Tim Bray (co-author of the XML spec and contributor to numerous web standards), shared this piece as one of his first posts on Mastodon.  I have no doubt that he meant well, and that the author of the piece meant well, but when you title a piece “Home invasion” when talking about new users of a platform you’re used to, that comes across as incredibly hostile.  The same author that talks about trans and queer feminists building the tools, protocols, and culture of the fediverse makes not a single mention of people of color in his piece–not unlike the commercial tech companies in general, and Twitter in particular that are among the targets of his critique.  The entire piece is worth reading in full to understand the author’s perspective, but I will pull quote and highlight one paragraph that seems most emblematic of the blind spot that some veteran Mastodon users appear to have:

This attitude has moved with the new influx. Loudly proclaiming that content warnings are censorship, that functionality that has been deliberately unimplemented due to community safety concerns are “missing” or “broken”, and that volunteer-run servers maintaining control over who they allow and under what conditions are “exclusionary”. No consideration is given to why the norms and affordances of Mastodon and the broader fediverse exist, and whether the actor they are designed to protect against might be you. The Twitter people believe in the same fantasy of a “public square” as the person they are allegedly fleeing. Like fourteenth century Europeans, they bring the contagion with them as they flee.

To see yourself (as a new user of Mastodon and a long-time user of Twitter) be described as someone bringing contagion hits a lot differently when you’ve endured racism in real life as well as online, and when you’ve had to overcome–and are still overcoming–so many barriers in both places merely to be included, much less respected.  And were the author to be called on this huge blindspot publicly, I have no doubt that he would respond with the same sort of defensiveness that Dr. Prescod-Weinstein described, and that Timnit Gebru, another recent joiner of Mastodon has also described.

As I said at the start of this piece, my own experience with Mastodon has been a positive one so far.  Some of it is a function of having participated in online communities for decades (as far back as the Usenet newsgroups days), and even becoming a private beta tester of one of the newer ones (StackOverflow.com) before it went public.  But those communities too had their gatekeepers, mansplainers, and jerks.  Certain open source projects are unfortunately no different in that regard either.  There’s something to be said for understanding the pre-existing culture of a place–even if it is virtual.  That said, the idea that culture is static–and should remain so–is a perspective that it seems some Mastodon veterans would do well to change.  Otherwise, they risk perpetuating the same harms as commercial social media–just without the financial rewards.

Exploring Mastodon Continued: Timelines and Federation

While checking out the Mastonaut desktop client for Mastodon, I came across the following diagram explaining the visibility of a toot:

The Visibility of a Toot

Still reading? I appreciate your patience. I don’t blame any of the folks who noped out of this post after seeing that diagram. It’s a consequence of the servers thing I mentioned in my previous post on exploring Mastodon. It’s one of many features that highlight who the target audience for Mastodon really is (people like me who used to write software for a living, or still do).

Even for me, the Home timeline is the only relevant one because it will display toots from people I follow–regardless of what server they’re on–toots those people boost, and your replies. The Local timeline shows toots from people on the same server where you registered whether you follow them or not. The Public or Federated timeline appears to show toots from people across all the Mastodon servers (again, whether you follow them or not). We’ll see if more time on Mastodon confirms or changes my understanding of the timelines.

Exploring Mastodon Continued: Verification

As I mentioned at the end of my first post on Mastodon, I’ve been following Martin Fowler’s notes on his own journey.  His November 1 memo on verification interested me, especially in light of Twitter’s recent update to charge $8 for the blue check mark.

As Fowler explained it, Mastodon being decentralized (unlike Twitter) means verification is up to each server.  Whoever runs it can verify members however they wish–or not at all.  The approach to verification he describes and implements is what he calls cross-association.  By adding a <link> element to the <head> of his personal website with an href attribute for his corporate Mastodon profile, Mastodon “sees” the link and marks it as verified.

I followed Fowler’s example to do the same thing with my Mastodon profile.  I updated the header.php of the WordPress theme I’m using this way:

<head>
<meta charset="<?php bloginfo( 'charset' ); ?>">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="profile" href="//gmpg.org/xfn/11">
<link rel="me" href="https://mastodon.cloud/@genxjamerican">
<?php wp_head(); ?>
</head>

With that change made, my Mastodon profile now looks like this:
Mastodon profile with verified metadata for a website

This way, people who follow me on Mastodon know that I control this website as well.
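The check behind this kind of cross-association, as an added example that is neither Mastodon's code nor part of the original post: it parses a page's HTML and reports whether a rel="me" link points back at the profile. The function names and the exact HTTPS match on scheme, host and path are assumptions of this example; the second sample shows that markup pasted with typographic quotes is not recognized as a rel="me" link.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

PROFILE = "https://mastodon.cloud/@genxjamerican"  # profile URL from the post

# Constructed samples: the same <link> with straight and with curly quotes.
STRAIGHT = '<head><link rel="me" href="https://mastodon.cloud/@genxjamerican"></head>'
CURLY = ("<head><link rel=\u201dme\u201d "
         "href=\u201dhttps://mastodon.cloud/@genxjamerican\u201d></head>")


class RelMeCollector(HTMLParser):
    """Collect href values of <a> and <link> tags whose rel list contains 'me'."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        # rel is a space-separated token list, e.g. rel="me noopener"
        rels = (attr.get("rel") or "").lower().split()
        if "me" in rels and attr.get("href"):
            self.links.append(attr["href"].strip())


def normalize(url: str):
    """Compare on scheme, host and path only; ignore case of scheme and host."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/"))


def links_back(page_html: str, profile_url: str) -> bool:
    """True if the page carries a rel="me" link to exactly this profile."""
    collector = RelMeCollector()
    collector.feed(page_html)
    want = normalize(profile_url)
    # Assumption of this example: only an https profile URL counts.
    return want[0] == "https" and any(
        normalize(href) == want for href in collector.links
    )


if __name__ == "__main__":
    print("straight quotes:", links_back(STRAIGHT, PROFILE))
    print("curly quotes:   ", links_back(CURLY, PROFILE))
```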

Navigating the Latest Social Media Shakeup: Exploring Mastodon

In the wake of Elon Musk closing a deal to buy Twitter (after trying and failing to back out due to buyer’s remorse), the scramble to explore alternatives reminds me a little bit of the very early days of social media.  I’m old enough to remember social networking sites like Friendster and Orkut, and there were plenty of others I’ve forgotten who never gained critical mass and flamed out.  I joined Twitter in 2009, and over the past 13 years it has grown to become the social media platform I find the most valuable.  Having heard people mention Mastodon in the past as an open source Twitter alternative (Trump Social even tried to use the codebase without attribution), I created an account—@genxjamerican@mastodon.cloud—to see how Mastodon compared for myself.

TL;DR

I’ve only been on Mastodon a week, but if I were to try and distill my advice on getting started into just a few points they would be:

  1. Follow @joinmastodon on Twitter first to start learning more
  2. Use a mobile app to smooth out (some) of the rough edges of the experience (including account creation)
  3. See if people you already follow on Twitter are cross-posting on Mastodon and follow them first

Signing Up

I don’t recall why I chose mastodon.cloud as the server to sign up with, but creating an account was straightforward enough.  It appears to be one of the largest Mastodon servers, along with mastodon.social, the original one operated by the German non-profit of the same name.  Using the official Mastodon mobile app, or one of the third-party apps makes the process a little slicker.  Stick with one of the largest servers unless you come across a particular server/community that really interests you.

Following People

I started by following people I know from Twitter who signed up for Mastodon and still post on Twitter.  The Fedi.Directory is where to look for interesting accounts to follow.  Their account (@FediFollows@mastodon.online) has been a good one to follow for someone like me just starting out.

Unfollowing, muting, blocking, and reporting all appear to work similarly to the way they do on Twitter (though I’ve had no need to do any of those things after so short a period of time).

Enough Lurking, Time To Post

A post (or a reply to a post) in Mastodon is called a toot, and they can be up to 500 characters long.  Sharing the post of someone you follow is called a boost.  You can favourite posts as well, though that only puts the toot in a list of your favourites (instead of sharing that fact with whoever follows you).  You can add content warnings (CWs) to your posts, so someone has to click through to see the content.

Posts can include pictures, but it doesn’t look like you can post videos. I follow @AmiW@mastdon.online and she posts pictures of street art from all over the world.

You can also send direct messages to people–if their accounts allow it.

There does not appear to be any such thing as quote-“tooting”.

What’s Next?

For me, spending more time on Mastodon exploring the features and looking for bigger and better guides to and explorations of Mastodon by others.

Martin Fowler is writing a whole series of posts on his exploration of Mastodon that I’ll be following with great interest.