“Everything you need is here”


A co-worker of mine just got back from the Webmaster Jam Session and relayed this metaphor for Sharepoint, Microsoft’s CMS/Portal/EBTKS-ware, which we have been evaluating:

Implementing Sharepoint is a lot like building a house. It’s like a friend of yours says, ‘I know exactly what to do.’ And, he drives you to a Home Depot, drops you off at the front door and says, ‘Everything you need is here.’

Paraphrased from Jared Spool

* This post was originally published on September 26, 2007 at

Gmail auto-aliasing, or yet another reason to sign up for Gmail


I’ve been slowly updating all of my online accounts to use my new Gmail account. There are many things to love about Gmail (ease of use, labels, ginormous storage limits), but one of my favorite features is auto-aliasing.


Auto-aliasing for Dummies

First, some background. An e-mail alias is just another name for an existing e-mail account. It’s handy in situations where you want to have a bunch of different e-mail addresses, perhaps for business’ sake, but you don’t want to have to deal with the hassle of logging into or maintaining multiple e-mail accounts. So for instance, you might have a personal e-mail account like, but then have a bunch of other e-mail addresses like and, both of which you set up to be aliases of the first. All three are valid, deliverable addresses as far as your e-mail server is concerned, but all three go to the same mailbox, and thus mail to any of the three addresses can be picked up under the single “” inbox.

(Note to SMTP nerds: I realize that this is probably not a completely accurate technical description, but it will do for our purposes here.)

Ye Olde E-mail Aliasing Task

On most mail services that I’ve used in the past, setting up an alias is a time-consuming process that must be done in advance. For me, it would usually involve logging into my hosting provider’s control panel, selecting the domain I want to manage, clicking the link to manage all of the domain’s e-mail accounts, clicking the link to manage the e-mail account I want to create the alias on, and finally entering the new alias. This usually took somewhere in the realm of 10-15 minutes depending on how slow the control panel was responding. Considering this, I usually avoided creating e-mail aliases.

Aliasing Made Easy with Gmail

Gmail’s auto-aliasing feature lets you create aliases just by specifying an alternate form of your address. For instance, if your Gmail address is usually, you could create an auto-alias just by using instead. (The technical term for this type of aliasing is plus-addressing.) Gmail will ignore anything after the plus sign for delivery of e-mail, but you can still use the extra alias information to create filters, run searches, or, as I do, to find out what web services are selling your e-mail address to marketing agencies!

Alias Your Way to a Spam Free Inbox

Yup, now every time I enter my e-mail address into an online form I’ll use an auto-alias to help me identify the site that I used it on. Typically I’ll just use the web site name as the alias, such as If I start seeing a ton of spam to that address (which come to think of it is unlikely anyway given Gmail’s awesome spam filter) I can create a new filter to automatically delete any mail addressed to that alias, as well as cancel my account with the offending site, or at the very least write them a scathing passive aggressive note.

Web Developers Take Heed!

I’m about to get technical, so skip over this if you have no idea what a regular expression is…

One unfortunate obstacle to using Gmail’s auto-aliasing feature is that many web sites use e-mail address validation filters that mistakenly report addresses containing a plus sign as invalid. This is a side effect of the fact that most e-mail validation schemes rely on a basic regular expression pattern which can’t possibly test for all valid permutations of an e-mail address. If you’re going to use a filter to test for a valid e-mail address, all you can really do is make sure that there is an @ symbol, followed by a domain name of at least two characters, followed by a “dot”, and ending with a TLD of at least two characters. Other than that, the only real way to test for a valid, deliverable e-mail address is to send it an e-mail and wait for a response.
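The difference between the two kinds of filter, and the plus-tag lookup from the earlier sections, as an added example that is not code from the original post. The `STRICT` pattern is a constructed stand-in for validators that reject the plus sign, and the addresses and function names are made up for illustration.

```python
import re

# Constructed stand-in for an over-strict validator: the local part allows
# letters, digits, dot, underscore and hyphen, but not "+".
STRICT = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# The minimal shape check the post describes: anything before one "@", then a
# domain name of at least two characters, a dot, and a TLD of at least two.
MINIMAL = re.compile(r"[^@\s]+@(?:[^@\s.]+\.)*[^@\s.]{2,}\.[^@\s.]{2,}")


def strict_ok(address):
    return STRICT.fullmatch(address) is not None


def minimal_ok(address):
    # fullmatch, not match with "$": "$" also matches before a trailing
    # newline, which would let "user@example.com\n" through the filter.
    return MINIMAL.fullmatch(address) is not None


def split_plus_tag(address):
    """Return (delivery_address, tag); tag is None without a plus sign."""
    local, _, domain = address.rpartition("@")
    base, plus, tag = local.partition("+")
    return f"{base}@{domain}", (tag if plus else None)


# Constructed sample input.
SAMPLES = [
    "jane.doe@example.com",
    "jane.doe+shopname@example.com",
    "jane.doe@example",
    "jane.doe@example.com\n",
]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(repr(addr), strict_ok(addr), minimal_ok(addr), split_plus_tag(addr))
```

Passing the shape check says nothing about deliverability; the confirmation e-mail is still the real test.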

A layperson’s conclusion

So, if you’re not using Gmail by now – why aren’t you? It’s free; It’s web-based so it’s available anywhere you have access to a browser; It’s secure (you can use an SSL connection for even more security); It has a great built-in zero-configuration spam filter (7715 spam messages caught to date with only a handful of false-positives); You can apply multiple labels to e-mail conversations to make it easy to find things later; It’s got a great search tool (it is a Google application after all); You can import mail from any other account that supports POP3 (which is most accounts, Hotmail excluded); and now you know all about how to use auto-aliasing for fun and profit!

As an added bonus

Oh, and if you use a Blackberry or other mobile phone+EBTKS device, you can download Gmail for your phone! Woot for checking Gmail from the road!

* This post was originally published on September 26, 2007 at

A Few Things Worth Noting from the Web 2.0 Expo


I spent the majority of this past week attending the Web 2.0 Expo and Conference in San Francisco. The sessions were amazing and I had a really good time. I have an entire notebook full of notes that I need to transcribe, but here are a few of the more memorable things.

Application Delivery Systems – The CTO of Citrix talked about so-called ADS hardware components that can do everything from rules-based data filtering, data compression, TCP multi-plexing, dynamic caching, DDoS protection, and plenty more (price dependent of course). Some usage examples and results were provided by one of the guys from Foldera.

RSSBus – turn just about any data source into an RSS feed, including activity in a file directory, Excel spreadsheet changes, database query, etc. Installable on a network or via localhost. Runs as a small server using .NET framework. RSS feeds can be secured using standard NTLM methods. Single-point administration (no user-defined reports if using in multiple user environment). Reports can also be coded using just about any programming language: PHP, Python, etc. Project generally based on Python.

mod_ndb – Apache module that allows querying a MySQL Cluster using HTTP 1.1 methods (get, post, delete). Cuts out the middle man (MySQL Server). Realizes most benefit when combined with a scripting language (such as cURL through PHP). Configured through Apache httpd.conf directives (no mention of support for htaccess). Delivered with several output formats (JSON, raw); a future release will support user-defined output formats. No built-in security, but could use other Apache auth mods (like mod_auth_mysql). Note that MySQL Cluster has many limitations of its own, and this is only relevant when using a multi-app-server/multi-Cluster setup. Interesting concept though. The slides will be online after next week’s MySQL conference.

Wesabe – The two founders gave an interesting talk on securing web applications. They detailed the concept of a Privacy Wall, which as one of them outlines on their blog means “don’t have any direct links in your database between your users’ ‘public’ data and their private data. Instead of linking tables directly via a foreign key, use a cryptographic hash that is based on at least one piece of data that only the user knows—such as their password. The user’s private data can be looked up when the user logs in, but otherwise it is completely anonymous.” See blog link for an example. (Note also Wesabe’s Data Bill of Rights, which states that a user’s data is theirs to do with as they please, including downloading it or removing it entirely.)
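A minimal sketch of the Privacy Wall idea quoted above, added here as an example; it is not code from the talk or from the blog it quotes. The class and function names, the in-memory dictionaries standing in for two database tables, and the choice of PBKDF2 with this iteration count are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive(password, salt, purpose):
    # The purpose label separates the two uses of the password: the stored
    # login verifier must never double as the key of the private row, or
    # anyone holding the users table could join the two tables directly.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt + purpose, ITERATIONS
    ).hex()


class PrivacyWall:
    def __init__(self):
        self.users = {}    # public side: username -> salt and login verifier
        self.private = {}  # private side: link hash -> data, no username

    def register(self, username, password, private_data):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "verifier": derive(password, salt, b"login"),
        }
        # The link exists only while the password is in memory; it is not
        # written anywhere on the public side.
        self.private[derive(password, salt, b"link")] = private_data

    def login(self, username, password):
        row = self.users.get(username)
        if row is None:
            return None
        candidate = derive(password, row["salt"], b"login")
        if not hmac.compare_digest(row["verifier"], candidate):
            return None
        return self.private.get(derive(password, row["salt"], b"link"))

    def change_password(self, username, old, new):
        # The link depends on the password, so the private row has to be
        # re-keyed whenever the password changes.
        data = self.login(username, old)
        if data is None:
            return False
        del self.private[derive(old, self.users[username]["salt"], b"link")]
        self.register(username, new, data)
        return True
```

Someone holding both tables can still guess weak passwords offline and recompute the link, so the wall is only as strong as the password and the work factor.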

Vulnerabilities 2.0 – Alex Stamos from iSec (white-hat security firm) gave a talk about the new vulnerabilities in web 2.0 applications (namely those using AJAX). Of special note, XSS attacks now include JavaScript injection, since many Ajax-enabled applications evaluate JS code directly. (Another session suggested using parse instead of eval, especially with JSON-like return structures.) Also, no current Ajax framework is secure out of the box. Also, make sure to physically scan any code output from a client-side JS proxy interface (i.e. anything that transforms server-side code to client-side code) to be sure no administrative functions are being exposed. Don’t allow Ajax calls that change state using the same parameters for every user (e.g. “makeAdmin()” with no user id or other parameter).

The author of The 4-Hour Work Week gave a very short and very interesting talk (video link) about focusing on the few critical tasks rather than the trivial many. He also talked about outsourcing your personal life or anything else that would cost 50% or less of what it would cost you to do on your own. For example, if laundry takes you 4 hours a week to do and your time is worth A (total income/10k/2), then finding someone who can do it for B (A*4/2) each week is worth while. He applied this not just to personal tasks like laundry, but to menial business tasks such as writing reports, updating spreadsheets, etc.

I have plenty more notes, including from a few usability, design and mobility (“placelessness”) sessions. If you are interested in anything in particular, let me know. Otherwise I’ll keep posting excerpts from my notes once I’ve had a chance to transcribe them.

Oh, and in case you were wondering, “Web 2.0” is still very much undefined. To illustrate that, conference attendees got t-shirts saying “Web 2.0 is _______” with a spot to write in your own definition. Mine’s still blank. If it’s possible to define it after-the-fact based on the overall conference theme, Web 2.0 is about harnessing collective intelligence and the switch from surfing -> services, pages -> rich interactions, sites -> content experiences, and web masters -> everyone.

* This post was originally published on April 22, 2007 at

How To Remove Phantom Unread Events From Outlook After Importing iCal File


Originally posted to microsoft.public.outlook.calendaring Usenet group, April 10th, 2007

I just spent about 4 hours between yesterday afternoon and this morning trying to import an iCal file into Outlook 2003. No errors occurred during the numerous importing attempts, but afterwards the events did not appear on the days that they should have. Yet the number of unread/upcoming events next to the calendar name increased every time I tried to import.

I tried searching for the missing items using the Advanced Find dialog, but they would never appear in the results. I even tried exporting the whole calendar as an Excel file using a very wide date range (all events from 1970 through 2038), but the events were not listed in the export either.

Finally, I tried applying the predefined “By Category” filter to the standard Calendar view (available in the Advanced toolbar group). There were all of my phantom events – they included no information whatsoever and were in fact listed as email items rather than calendar items. I was able to delete them from that view and return my item count back to normal.

Now I just had to get around the importing problem. After searching various resources for an explanation, the best that I could come up with is that Outlook doesn’t like some Timezone data that tends to get included in iCal files that originate from a Mac client. No other information was included on what in particular Outlook didn’t like or if there was a direct workaround, so I did some experimentation on my own. The solution is actually easier than you might expect. First, I imported the offending iCal file into a new Google calendar. Then, I downloaded Google’s rendition of the file from the Private iCal link under the Manage Calendars panel. Finally, I imported this new iCal file into Outlook using the normal Import/Export dialog. Now the events appear as expected.

If you’re interested in trying this all yourself, you can find the original iCal file at – Import the file as-is into Outlook, then apply the “By Category” filter to see where they went to.

* This post was originally published on April 10, 2007 at

Assumptions And Requirements – Tips on avoiding scope creep


If you’re old enough, you might recall the old facsimile that used to adorn at least one wall of every office, back when facsimiles were in fashion, which compared the process of product design to a tire swing. You know the one. (Or perhaps you prefer the “Tire 2.0” version?)

I’ve recently been working on a project that has managed to creep wildly out of scope. About 300% out of scope, really. And I think the old tire-swing adage just about covers the reasons behind the scope creep:

  • The customer already had A
  • The customer asked for B, an update & rewrite of A
  • I understood it as C
  • I built it as D, adding in a few extra features that I thought were “cool”
  • When I demo’d the final version to the customer they discovered what they really wanted was E, which was a lot like A

Now that I’m almost finished building E, I have a few thoughts in mind for making sure this doesn’t happen with future projects.

  1. Save the analysis for later

    I have a bad habit of starting to analyze how to go about transforming something to a digital process while I’m still in the middle of discovery. I’ve always assumed that this pre-analysis would help me identify gaps or other obstacles while I was still with the client, thus leading me to ask more questions before leaving. In essence, I was trying to complete the discovery phase in a single meeting, something that is completely unrealistic as well as careless. Another problem with this approach is that it means that while I’m busy analyzing in the back of my mind, I’m only partially focusing on the client’s description of what they want. If I instead wait to start the analysis until after the initial meeting and accept that it may take several additional meetings before the discovery phase is complete, then I can focus all of my attention on getting the details of what the client is asking for. Any questions that come out later during the analysis phase can be addressed then.

  2. Discover the client’s assumptions

    It’s not enough for me to just listen to what the client is asking for. Oftentimes there will be details that have gone unmentioned. Perhaps the client feels intimidated by what they perceive as my technological superiority. Perhaps they feel that a certain question is “stupid”. Perhaps they assume that something is already a given. Or, perhaps they just forget that they have inside knowledge about their organization that I don’t. For these reasons, it’s important to try to uncover these assumptions during discovery. The easiest way to get at these is to ask questions about the current process, about the organization, and about the intended solution. Another method would be to ask for a list of measurable goals that will define the success of the project once it is complete. Basically, I need to keep asking questions until I’m out of paper or the client is out of time.

  3. Analyze the process, not the request

    Perhaps the foremost change I need to make when scoping out a project is to stop making the mistake of taking the project description from the customer as the be-all, end-all. The customer may be describing what they want, but is it really what they need? By taking the time to understand not just what they are asking for, but rather what they are trying to accomplish I will be better poised to deliver what they truly need.

  4. Understand my role(s)

    I may label myself and advertise my services as a web application developer, but most of the time it’s assumed that I’m acting as a consultant at the initial meeting. It’s only later, once the project is approved, that I start acting as a developer too. In my consultant role, it’s my job to make sure the client isn’t overlooking some process that is already in place that can be used as-is or with little modification. In some cases it might be my job to inform the client that they don’t really need my services because their problem is either already solved by an existing application, or doesn’t need to be or won’t benefit from being automated. In any case, my only task during discovery should be to understand what the client needs to accomplish and to guide them through the discovery process. That’s it. The “developer” can kick in later and pick apart the process during analysis. Until then, I must concentrate on solving the client’s problem.

  5. Shadow the users

    Chances are that the client hasn’t had a chance to work out all of the gaps or consider other alternatives when drafting their request. In order to help them discover these missing pieces it is essential that I understand how the process currently works. Job shadowing is great for this. Once I identify the key people who are doing the work I can make arrangements to follow them for all or part of a day, watching their daily activities and observing the important parts of the process. It doesn’t need to be an interview; in fact I may not need to ask many questions at all. The important thing is that I observe what happens now, so I can translate that into an automated process later. I may even be able to find pieces of the process that can be eliminated or streamlined, perhaps by interfacing with other already automated processes. It may also give me insight into any restrictions that must be worked into the automated work flow. For instance, it may be discovered that a touch-screen interface is required at some access point due to environmental or physical constraints. These on-the-job observations will also help me understand not just what the project must accomplish, but how it will affect the greater organization.

Putting all of these into practice is sure to elongate the discovery phase, but I think that’s a good thing. Much of it will still be billable since much of the discovery occurs after the initial proposal. It may be difficult getting clients to see it that way (most of the time they want to know “how much and how long” at the end of the initial meeting), but I think I will be able to justify it knowing now what the alternative may result in.

Do you have trouble with scope creep? Got any other tips for keeping it under control? Please share in the comments section below!

* This post was originally published on April 4, 2007 at
