
Deviation From Expected

Someone sitting at a distance asks for the water bottle near me. I pick up the bottle and throw it to them. Unexpectedly, the cap is not screwed on tight, and water splashes everywhere. When a bottle has its cap on, we expect it to be screwed tight. When something deviates from the expected, and nothing signals that deviation, it creates trouble and confusion.


The same principle applies to systems and application design. For example, say you have a development server on which someone is running a production cron job. Since it is a development server, someone else might take it down for experimentation. No one expects the unavailability of a development server to have untoward consequences, yet here it silently breaks production.

Whenever you deviate from the expected, make sure you shout it from the rooftops so that it is not missed. Documentation, common conventions and the right processes are some of the ways to mitigate this. Best of all is not to deviate at all. Whatever you are doing, it always helps to ask: is this a deviation from the expected? If I were not part of the inner circle, would I expect it to be like this?


New Feature Efficacy

You have an established product and you introduce a radically new/different feature. You are very enthusiastic but the metrics show users are hardly using the feature.

There could be two reasons:
1. Users do not see a value.
2. Users are not incentivized enough to try.



In order to decide whether to put in more effort, it is important to work out which of the two is at play. If it is indeed resistance to newness, there are many ways to gently nudge users towards the feature.

One simple way to figure this out is to measure the stickiness of the feature. Of the small percentage of users who do interact with the feature, how many come back to it subsequently, i.e. once people are acquainted with the feature, do they return to it later? If you see stickiness in this cohort, it is a good indicator that the feature is of value but you are doing a bad job of educating your users and leading them to it. If not, it is time to cull the feature and invest that time and energy in something else.

Resolving Disagreements

When you disagree with something, it is either because you think your idea is better or because you want to keep your ego intact. Let us ignore the latter and focus on the former, where the intention is to let the best idea win. When a group of people sit down to resolve a disagreement, many a time it goes nowhere. Sometimes you get the strange feeling of going around in a circle. This is due to whataboutery and shifting goalposts. You start with an objective; as the discussion progresses, statements lead to counter statements, and at the end no one knows what they are trying to resolve.


One simple hack to keep discussions on track is to write things down. Project a shared document in which you note the objective and the point of contention. Whenever matters go awry, point people back to the shared document. This helps everyone involved stay focused and not shift the goalposts as the discussion progresses.

Irrespective of how rational and mature one is, when someone disagrees with something one believes to be true, one tends to become defensive and shift the goalposts without being aware of it. Writing things down makes one aware of this and helps course correct.

My View

I was looking at Jimi wallets online. Someone peeked at my laptop and asked what it was. I explained that it is a rugged, waterproof wallet. The other person's immediate reaction was: why would anyone need this? This person has never faced the fury of rain while cycling.


Whenever I explain startups spending marketing dollars to acquire users even when they are not generating any profit, I get a dazed look from people coming from a traditional business background. It is difficult for them to grasp the concept of betting on explosive future growth at the expense of today.

Phil Knight, in his book Shoe Dog, writes a lot about how his bank was asking him to preserve capital when all he wanted to do was grow Nike at all costs during its fledgling years.

Many prominent US commentators opined that Trump had no chance at the US presidency. The same goes for Brexit.

What is common to all these situations is the difficulty of viewing the world through a lens not coloured by our own experiences. Even if you want to do this, it is extremely difficult because you do not know where to draw the line. Tomorrow, if someone tells you that she has invented a perpetual motion machine, what do you do? Do you dismiss it outright, or merely stay skeptical of her claim?

In all these scenarios you have to suspend your rational mind and view things from a radically incongruent perspective. It is easy to write this but extremely difficult to do.


Zoho’s domain was inaccessible for a while. This is an embarrassing event for a software organization.

Whenever I hear of events like this, I am reminded of a couple of pages in “The Black Swan“. Taleb calls it “A new kind of ingratitude”.

The idea presented by Taleb essentially boils down to a person who takes steps to prevent something catastrophic from happening. Since that person has taken steps to prevent the catastrophe, the catastrophe never occurs. Thus the person never gets his due and dies a silent hero.


This is a very fascinating thought that keeps repeating in all aspects of life. Whenever it floods, we make a big deal of politicians who fold their sleeves and get into action. What about that politician who took the necessary steps to prevent flooding?

Whenever there is a production issue at work and a team goes out of their way to put out the fire, that team is lauded. What about those teams that took steps to prevent something like this from occurring in the first place?

Software security is one big area that falls into this category. If you have a great security team, nothing happens and life hums along silently. You need the right tech leadership to recognize that the absence of incidents is the result, otherwise the team lands squarely in the ingratitude category.

This is a very obvious thought but Taleb has done a great job of giving structure to this idea. If you keep your eyes open, you see this happening around you all the time.

Micro Versus Macro Solutions

Imagine a person who walks from her home to office. Frequently she is late to work as she takes time to cover the distance. She wants to improve her pace. She goes to a walking expert to get tips on increasing her walking speed.


One solution to the problem is to use some other means of transportation instead of walking. If you go to a walking expert, you are going to get tips on improving your walking speed. The expert is not going to ask you to forego walking and use a different mode of transportation. Also, if you are deeply attached to the idea of walking, you might not think of a solution beyond walking. Improving your walking speed is a micro solution whereas using some other means of transportation is a macro solution.

The above is a contrived example but something we come across in our professional and personal lives, both as solution givers as well as ones facing a problem. Programmers sometimes try to optimize the hell out of a piece of code while the right approach might be to chuck the code and use something else. Organisations try to nail down a process to the last mile while a sensible solution might be to completely do away with the process.

We lean towards micro solutions when we are either deeply entwined in a problem or are the domain expert in that particular area. In these situations, we tend to think within the bounds of a problem and not outside.

When you come up with a solution, bracket it as micro or macro. Being aware is the first step towards becoming better at anything. Also, outside view helps. Find someone who is not an expert in the domain or one who is not acutely aware of the problem. Run your solution through them. They might lead you to a macro solution or make you aware that what you have is a micro solution. Taking time and mind off a problem helps too like how Archimedes had his eureka moment.

Last but not the least, take a walk.

Ode To Queues

If you have a producer with an uneven rate of production and a consumer which cannot keep pace with the producer at its peak, use a queue.

If you have a workload which need not be addressed synchronously, use a queue.

If your customer-facing application is riddled with workloads which can be deferred, move these to a queue thus making the customer-facing application lean and mean.


Think of a queue as a shock absorber.

There are workloads which need to be processed immediately with sub-millisecond latency and then there are ones where you have the luxury of taking time. It is advisable not to mix these in an application. The second kind of workload can be addressed by moving it to a queue and having a consumer process them.

For example, consider a scenario where you are consuming messages and persisting them in a data store. These messages are coming in at a variable rate and at its peak, the data store cannot handle the load. You have two options. Scale the data store to meet the peak load or slap a queue in between to absorb the shock. Queue solves this problem in a KISS manner.

Queues give applications room to manoeuvre while staying highly available. As long as the queue itself is highly available and durable, and consumers acknowledge a message only after they have finished processing it, the chance of message loss is very small. That durability also means you need not perfect your consumer's high availability: if a consumer dies mid-way, its unacknowledged messages are simply redelivered. The flip side is that the consumer will then see some messages twice, so it has to be idempotent.
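The shock-absorber scenario above (bursty producer, a data store with a fixed write budget) as an added, self-contained simulation; this is example code written for this page, not code from the original post. The arrival pattern and the per-tick write budget are constructed, and the deque stands in for a durable broker. It also goes one step beyond the text by simulating a consumer that crashes after writing but before acknowledging, to show why a queue consumer has to be idempotent.

```python
from collections import deque

# Constructed, deterministic arrival pattern: messages produced per tick.
# Two bursts far above the store's write budget, separated by quiet periods.
ARRIVALS = [1, 1, 12, 9, 0, 0, 1, 15, 2, 0, 0, 0]
STORE_CAPACITY_PER_TICK = 4  # hypothetical write budget of the data store


class DataStore:
    """Toy data store with a fixed per-tick write budget.  Rows are keyed by
    message id, so writing the same message twice is a harmless upsert."""

    def __init__(self, capacity_per_tick):
        self.capacity = capacity_per_tick
        self.rows = {}
        self.rejected = 0

    def write_batch(self, messages):
        accepted = 0
        for msg_id, payload in messages:
            if accepted >= self.capacity:
                self.rejected += 1       # over budget: the write is lost
                continue
            self.rows[msg_id] = payload  # idempotent upsert
            accepted += 1
        return accepted


def run_without_queue(arrivals, capacity):
    """Producer writes straight to the store; anything above budget is lost."""
    store = DataStore(capacity)
    next_id = 0
    for n in arrivals:
        batch = [(next_id + i, f"m{next_id + i}") for i in range(n)]
        next_id += n
        store.write_batch(batch)
    return {"stored": len(store.rows), "lost": store.rejected}


def run_with_queue(arrivals, capacity, crash_on_msg=None):
    """Producer enqueues; a consumer drains up to `capacity` messages per tick
    and acknowledges them only after the store confirms the write.  If
    `crash_on_msg` is set, the consumer dies once, after writing the batch
    containing that id but before acking it, so the broker redelivers that
    batch on the next tick (at-least-once delivery)."""
    store = DataStore(capacity)
    queue = deque()          # stands in for a durable broker
    in_flight = []           # dequeued but not yet acknowledged
    next_id, tick, max_depth, redeliveries, crashed = 0, 0, 0, 0, False
    while tick < len(arrivals) or queue or in_flight:
        n = arrivals[tick] if tick < len(arrivals) else 0
        for i in range(n):
            queue.append((next_id + i, f"m{next_id + i}"))
        next_id += n
        if in_flight:                     # unacked after a crash: redeliver
            redeliveries += len(in_flight)
            queue.extendleft(reversed(in_flight))
            in_flight = []
        max_depth = max(max_depth, len(queue))
        batch = [queue.popleft() for _ in range(min(capacity, len(queue)))]
        store.write_batch(batch)
        if crash_on_msg is not None and not crashed and any(
            mid == crash_on_msg for mid, _ in batch
        ):
            crashed = True
            in_flight = batch             # written, but the ack never happened
        tick += 1
    return {
        "stored": len(store.rows), "lost": store.rejected,
        "max_depth": max_depth, "redeliveries": redeliveries, "ticks": tick,
    }


if __name__ == "__main__":
    print("direct writes:", run_without_queue(ARRIVALS, STORE_CAPACITY_PER_TICK))
    print("via queue:    ", run_with_queue(ARRIVALS, STORE_CAPACITY_PER_TICK))
    print("crash + redeliver:",
          run_with_queue(ARRIVALS, STORE_CAPACITY_PER_TICK, crash_on_msg=5))
```

Writing directly, the two bursts overflow the store's budget and 24 of the 41 messages are lost. With the queue in between nothing is lost; the cost is a queue that peaks at 17 messages deep and a few extra ticks of lag, which is exactly the trade the text describes. In the crash run, the four unacknowledged messages are redelivered and written a second time, and only the id-keyed upsert keeps the row count at 41; a consumer that appended rows instead would have produced duplicates.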

With applications embracing microservices paradigm, there is a lot of API back and forth. Not all API consumption has to be in real-time. Whatever can be deferred should use a queue as the transport mechanism.

Queue introduces a bit more complexity into an application but the advantage it brings to the table makes it a worthwhile investment.

Process Introduction

Whenever a new process is introduced, there is always going to be some discomfort. The cause can be categorized into:
1. Uneasiness due to newness.
2. There is a problem with the process itself.


Category one is due to human nature. Deviation from an established routine causes queasiness and a yearning for the old way. It takes over-communication, repetition and sometimes “just giving it time” to tide over this initial phase. This is usually a short-lived phenomenon.

Category two is the troublesome one. When someone complains about a newly introduced process, it is extremely important to get to the source of this discomfort. Prod as to whether the reason for disapproval falls into category one or two.

A good process has to roughly follow the libertarian paternalism idea popularised by the behavioural economist Richard Thaler. The process should be a nudge towards better behaviour rather than a dictatorial dictum. A process whose intention is to police people does not end well.

A new process introduces some amount of friction but this friction has to be local, not global. This friction should not slow down the task at a global level, instead, it should aid speed, agility, and stability.

Take the checklist process as an example. It nudges people towards being more aware and aids better behavior. It does introduce friction at the local level but on the whole, globally, the task speeds up with a much better result on an average.

It always helps to think along these lines to figure out whether a new process is worth its salt. Instead of introducing a new process and then reneging, put in the effort to evaluate the efficacy of a process beforehand.


Checklists have been in vogue for quite some time now. Probably Atul Gawande's book The Checklist Manifesto kickstarted this. I have been late to the party but once I arrived, I never left. A checklist is an amazing tool for organizing personal as well as professional life.



Hospitals have found that by following simple checklists they can reduce surgical mortality by a large percentage. The airline industry, which is the epitome of the highest possible standard in safety and training, relies on checklists for fail-safeness.

Who does not forget daily chores? Who has not kicked themselves for being late on bill payments? A to-do list solves this problem. There are tons of to-do apps out there, just pick one to start with. Apart from solving daily trivial problems, a checklist is a great way to keep track of long-term goals too, be it saving more, losing weight or adopting a healthier lifestyle.

Professional life requires one to regularly follow-up. A checklist is a great way to list down the follow-ups needed. On the flip side, no one likes doing follow-ups. If you want to be one of those rare people who respond without requiring to follow up, use a timebound to-do app to keep track.

Checklist brings efficiency to project management. Having a checklist of all the tasks to be accomplished before taking a project live leaves little room for ambiguity, misses and last minute scurrying.

A short-term or throw away project may not justify the time spent in automating disparate tasks related to the project. In this scenario, a checklist is a great substitute.


All organizations have an onboarding process. Make a checklist out of it and hand it over to employees on the day of joining. All software projects have some common alerts and metrics needed. Checklist them. Once you do this, you do not have to bother about this for every new project. View checklist as a temporary substitute while you scout for software to automate these.

In short, a checklist can be used as a Swiss Army knife to organize and automate life. A checklist institutes repeatability, eliminates ambiguity and improves efficiency.

PS: Link for the above comic from XKCD.

Software Security

Some disparate thoughts on security in no particular order.

Many security bugs can be avoided by making a clear distinction between authentication and authorization. When one logs into Facebook, one uses a username and password. Facebook lets you in only once it is sure you are the owner of the account, by verifying your password. This is authentication. Once you are logged in, you still cannot view all your friends' photos. You can only view those photos which your friends have authorized you to view. This is authorization. There is a whole class of security bugs that arise because developers have not made this distinction: the typical shape is an endpoint that checks only that the caller is logged in and then hands back whatever object it is asked for by id, so any authenticated user can walk through other people's data.


A lot of security is knowing what not to do. Security by obscurity and hand-rolling security algorithms and protocols are the two things that immediately come to mind. For example, when storing passwords, instead of coming up with an elaborate custom scheme, use a purpose-built, salted, deliberately slow password hash such as the industry-standard bcrypt.
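The two points above, password verification as authentication and a per-object ownership check as authorization, in one added example (written for this page; not code from the original post or from any product it mentions). The users, photos and passwords are constructed fixtures. Standard-library `pbkdf2_hmac` stands in for bcrypt only so that the block runs without third-party packages; in a real system use bcrypt, scrypt or argon2 as the text recommends. The vulnerable `get_photo_vulnerable` and the fixed `get_photo` sit side by side so the missing check is visible.

```python
import hashlib
import hmac
import os

# Constructed fixtures for this example (not from the original page).
USERS = {}   # username -> (salt, derived key)
PHOTOS = {}  # photo_id -> {"owner": str, "shared_with": set, "data": str}

# pbkdf2_hmac is used here only because it ships with the standard library;
# prefer bcrypt (as the text recommends), scrypt or argon2 in real code.
PBKDF2_ROUNDS = 200_000
DUMMY_SALT, DUMMY_KEY = b"\x00" * 16, b"\x00" * 32  # for unknown usernames


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username, password):
    """Store a salted, slow hash of the password, never the password itself."""
    salt = os.urandom(16)
    USERS[username] = (salt, _derive(password, salt))


def authenticate(username, password):
    """Authentication: prove the caller controls the account.
    Returns the username on success, None otherwise.  An unknown username
    still costs one hash computation so the timing does not reveal which
    accounts exist, and compare_digest avoids a byte-by-byte timing leak."""
    salt, key = USERS.get(username, (DUMMY_SALT, DUMMY_KEY))
    candidate = _derive(password, salt)
    if hmac.compare_digest(candidate, key) and username in USERS:
        return username
    return None


def add_photo(photo_id, owner, data, shared_with=()):
    PHOTOS[photo_id] = {"owner": owner, "shared_with": set(shared_with), "data": data}


def get_photo_vulnerable(session_user, photo_id):
    """The bug the text describes: checks only that *someone* is logged in
    (authentication) and then serves whatever id was asked for.  Any
    authenticated user can iterate photo ids and read all of them."""
    if session_user is None:
        raise PermissionError("login required")
    return PHOTOS[photo_id]["data"]


def get_photo(session_user, photo_id):
    """Authorization: the object itself decides whether this caller may see it."""
    if session_user is None:
        raise PermissionError("login required")
    photo = PHOTOS.get(photo_id)
    allowed = photo is not None and (
        photo["owner"] == session_user or session_user in photo["shared_with"]
    )
    if not allowed:
        # Same error for "does not exist" and "not yours", so the response
        # cannot be used to learn which ids are in use.
        raise PermissionError("not found")
    return photo["data"]


def can_view(session_user, photo_id):
    """True if the hardened endpoint would serve this photo to this user."""
    try:
        get_photo(session_user, photo_id)
        return True
    except PermissionError:
        return False


def seed():
    register("alice", "correct horse battery staple")
    register("bob", "hunter2")
    register("mallory", "letmein")
    add_photo(1, "alice", "beach.jpg", shared_with={"bob"})
    add_photo(2, "alice", "passport-scan.jpg")   # private to alice


seed()

if __name__ == "__main__":
    user = authenticate("mallory", "letmein")          # authenticated, fine
    print("vulnerable:", get_photo_vulnerable(user, 2))  # leaks alice's photo
    print("hardened:  ", can_view(user, 2))              # False
```

The only difference between the two endpoints is the ownership check; the login check is identical. That is the whole distinction the text draws, and it has to be made per object, not once per session.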

There is a school of thought that you get better security by piling on access control. One manifestation of this is restricting SSH access to production boxes. Unless you have invested heavily in tooling, this slows teams down drastically. In today's world, where speed is paramount, it does not work: under pressure to deliver, teams find ingenious ways to circumvent the controls, and you end up with less visibility than before. Strict access control only works in organizations that are fine with moving slowly, and even there it stifles productivity and leaves a bevy of frustrated developers. The way around this is to keep only the controls that are truly necessary and take care of the rest through tooling. Netflix, for example, built tooling (its open-source BLESS SSH certificate authority) that lets developers SSH into production boxes with short-lived credentials, without compromising security.

Security implemented naively goes against the human tendency to accomplish tasks in the least restrictive way possible. If you do not invest in tooling, security always ends up in the way of getting things done.

A less intrusive way of doing security is to configure systems with sane defaults. For example, when you provision a server, make sure it is hardened by default. If you are using external tools, configure them with secure defaults: if you are using Slack, configure it so that only people with your organization's email domain can sign up. Carry out periodic audits of your systems. This could be anything from scanning SSH access logs to auditing repositories to make sure secrets and passwords have not been committed.

No write-up on security can be complete without touching on compliance. There are tons of regimes, PCI, HIPAA, SOX and so on, and each comes with its own baggage. One simple way to keep this manageable is to first understand which parts of your application actually fall under the scope of the compliance requirement. For example, if you have an e-commerce application that takes credit card information, you have to be PCI compliant. But this does not mean your entire application has to be in scope for the PCI audit. You can deliberately bifurcate the application into the parts that handle payment data and the parts that do not. Once this is done, only the payment-handling parts have to be in PCI scope.

A final note: security is a never-ending concern, and there is no such thing as enough security. Where you draw the line is up to you.

Here is a hilarious comic by XKCD on teaching a lesson to people who do not follow security practices.