Phase.org

Posts by tag: conference

Security: Yesterday, Today & Tomorrow: ACCU Conference at Bletchley Park, November 7th 2009

2009-11-07 22:33:00
ACCU (http://accu.org/) is "an organisation of programmers who care about professionalism in programming and are dedicated to raising the standard of programming". Bletchley Park (http://www.bletchleypark.org.uk/) was the wartime home of the British Code and Cipher school, where the Axis' Enigma military codes were broken.

The conference was organised by ACCU as a benefit for Bletchley Park, which, despite being one of the most important sites both in the history of Computing and the Second World War, is continually starved for funds and struggles to remain open and intact.

Bletchley Park is well worth a visit even when there's no special event on, but this conference was exceptional. I've been to three conferences in the last few weeks (they all came at once this year), and they were fairly different from each other - FOWA (http://phase.org/blog/31336) was a big conference that mixed business and tech, Stack Overflow a slightly smaller one that was purely programming with tasters of various languages and systems, and this one was, for me, a bit of a wildcard. The focus was on security and cryptography, neither of which are particularly areas of expertise for me, although they're definitely interests. I'm also somewhat fascinated by the history of the Second World War, and of Bletchley Park and Enigma in particular.

So, I didn't particularly know what to expect, except that some big names would be speaking on topics that should be interesting; and that it would benefit Bletchley. Oh, and that it meant getting up early on a Saturday to get to Bletchley by 9:30.

When I got there, it was a distinctly chilly autumn morning, but bright sun meant that the park and Mansion looked stunning in the morning. The mansion, if you've never seen it, is a unique building; it's not even the same as itself, in that no two parts of it seem to share the same architectural style:



I managed to grab a quick coffee and danish before Tony Sale started his talk. Tony is, quite deservedly, something of a legend at Bletchley; not only did he help start the National Museum of Computing and Bletchley Park Trust, he's also an authority on Enigma and led the rebuilding of Colossus (the world's first electronic computer) from absurdly little evidence.

He's also, I discovered, an excellent presenter. His energy and passion while explaining 'How the Germans gave away their "unbreakable" codes' by human error was incredible, and not only is he an expert on the Enigma machines and Lorenz SZ encrypted teletype system, but he can also present that material in a way that's simultaneously easy to understand, technically complete and entertaining. His resounding cry of "DURRRRRR" when describing a particularly foolish operator error is something I'll remember fondly for a long time. The talk was obviously widely enjoyed and led to one of the most heartfelt rounds of applause I've heard at a technical presentation.

Video of Tony talking on some of these subjects, and a mass of information on Colossus, Enigma and the Lorenz system can be found on Tony's site at http://www.codesandciphers.org.uk/

After Q&A from Tony, and coffees, we were given a guided tour of the National Museum of Computing, featuring the Lorenz intercept and decoding station, the replica Colossus 2, and some (marginally) more modern exhibits such as the Witch computer, early mainframes and desktops. It was great to see the Colossus actually running and explained by Tony. We also got an explanation of the replica Bombe - all elements visible on the standard public tours at Bletchley Park, but given today at a more involved and technical level for a much more technical audience.

Colossus:



The Bombe:




After that, lunch (a mass of buffet sandwiches, hardly Cordon Bleu but pretty edible) and then Phil Zimmermann.

Phil, of course, is the creator of Pretty Good Privacy, a project based on Public Key Cryptography that sought (as Phil put it) to give political groups such as the American peace movement, and similar groups worldwide, the privacy to operate without government surveillance and interference.

For his pains, and his attempts to export this cryptographic system (classified as a munition) worldwide, he spent years under federal investigation. While he still seems to feel he did the right thing, his new project takes a very different angle.

PGP, as Phil puts it, was "a reaction to government attitudes to cryptography that were born, in part, at Bletchley Park"; that is that cryptographic security and research had to be the preserve of governments and military, tightly controlled and under the utmost security.

Phil's new project is ZRTP, a secure but open-source telephony protocol which he classifies not as a political project to protect citizens from overzealous governments, but as a necessary technological project to protect all of us - including governments and the military - from global organised crime. He cites the increasing risk of interception of voice communications as they move off relatively secure PSTN networks onto inherently public IP networks, populated by packet sniffers and zombie desktops, and thereby open to interception by crime syndicates which may use the information for blackmail, insider trading or aggression. This technology is used, for example, by police in the south-west of the USA working against Mexican drug smugglers, who would otherwise have the capability to intercept these communications.

As well as ensuring an encrypted channel for voice communications, the ZRTP protocol has an impressive range of measures to prevent interception by man-in-the-middle attacks, which I didn't quite understand well enough to explain here...

Phil also had a very long Q&A session and a lot of technical detail, which I won't cover in much depth, but I'll drop in a few quotes (which I hope are accurate if slightly paraphrased - none of this was recorded, sadly) which give the tone:

"You can make a case that ... the harm from governments losing the ability to wiretap their citizens ... is much less than the harm that would result from criminals wiretapping us".

"Our protocol ... will affect organised crime more than governments ... as criminals tend to be more interested in the content of messages (for blackmail, interception etc) whereas governments tend to have to rely on traffic analysis against criminals using codes and codephrases".

In a response to a question on how his product differed from Skype: "Skype... won't release source code, or even say how their security works. How can I trust that?"

"The UK and China - the two greatest observation infrastructures in the world... How do you guys put up with it?"

After a fairly involved - but fascinating - discussion of key exchange, entropy and crime with Phil, we changed tone again with a talk from Simon Singh, starting with Stairway from Heaven - played backwards.

The first time you hear this extract, even if you're told there's a voice in it, you won't hear much. Then, when you're told what the message is (Simon ran this through a karaoke-style word highlighter), it's so clear you can't believe it's the same recording.

However, all this proves is just how far the human mind will go to find patterns and messages where none exist.

Then, an example of the importance of code security, in Mary Queen of Scots' intercepted plot to overthrow Elizabeth the First, easily decrypted even back in the 16th century, which led to her execution.

Simon's main talk was about the Cypher Challenge which featured in his Code book, and how it was solved. This featured substitution cyphers and frequency analysis, book ciphers - and the importance of finding the right book, Enigma machines, and how to accidentally turn a triple-DES challenge into a single-DES one. The talk included a demo of Simon's very own original Enigma machine - which of course obeyed the universal law of demonstrations by refusing to encypher symmetrically. However, Phil Zimmermann was almost entranced by it, a reaction I can thoroughly relate to!



Finally, back to the human ability to treat coincidence as revelation, courtesy of "The Bible Code", which claims that hundreds of prophecies are hidden within the Bible. However, the Bible is a vast corpus of text, and once you give yourself loose enough rules, you can "find" messages all over it. You can also find remarkably similar messages in Moby Dick using those rules.

Simon's summary of a range of historical ciphers and code-breaking rounded the day off well, and was followed by a few words from Simon Greenish, Director of Bletchley Park. He recounted that, while Bletchley Park is one of the most important historical sites in the UK, at least in terms of technological and military history, it has existed on a shoestring. "It has often bumped along the bottom financially... and very nearly didn't make it on more than one occasion". Fortunately it's now in slightly less dire straits, but still needs more funds to do more than just survive - there are now vast amounts of repair and restoration to do, before fulfilling the plans that will make the site a truly outstanding museum.

Fortunately, the day raised around £7000 towards these efforts. It was an excellent day, and I'll be delighted to return if, as planned, it's repeated next year.

FoWA 2009

2009-10-05 10:48:00
This year's conference was on a smaller scale than the last couple of years, and had a little more emphasis on marketing. It had relocated to Kensington Town Hall, and become a single-track affair with more, shorter talks.

With this in mind, there was a certain lack of optimism as to the quality of talks we could expect. The conference also suffered, as it does every year, from the ability of (in this case) 800 geeks to crash every electronic communications network (WiFi, 3G, Edge) within a half-mile radius. Even the mains electricity browned out for a while.

Ryan Carson's introduction was as energetic as ever, but went into far more detail than anyone could ever care about on their "Hello App", which had been built as a way to help attendees find and meet each other, by allowing them to tag, via twitter, their locations & interests on a map of the auditorium. It would have worked far better if 1) it hadn't been feature-creeped to hell, 2) the wifi was remotely stable and 3) the Hello App server didn't keep crashing.

While the Hello App proved later in the conference to work pretty well, this undertested & overhyped start set a low tone for the conference to begin.

However, the first presenter was Kevin Rose (@kevinrose), a highly-respected and reasonably energetic speaker, who opened with "Taking your Site from One to One Million Users". While last year's conference talked a lot about the technical aspects of scalability, this year, and this talk, focussed more on the social and marketing requirements for achieving growth. This had a strong theme of "making the site rewarding for the user"; it's now taken as a given that users can find pretty much any site they want to, so a site will need to be genuinely compelling and useful to keep a user's interest.

Reward can come in various forms, including:
1) Saving the user time
2) Saving the user money
3) Enhancing the user's standing and reputation (even ego)
4) Providing an enjoyable experience

For example, in the case of Digg, the site aims to help the user find interesting stories (1,4) while involving them in a community (4) where they can grow a reputation (3) by finding and posting the most interesting stories. Digg's model on this has been mainly stable for a few years, but they still add tweaks such as giving more prominence in a story to the user who submitted it, to enhance (3) above.

Kevin also spoke about http://wefollow.com/ , a directory service for twitter where users can add and categorise themselves. The service encourages users to advertise the service by sending a tweet listing the categories they've adopted when they join up. Rather than just sending a plug for the site, which contains no user interest, this aims to at least give the user some involvement in the message being sent on their behalf. This wasn't taken as completely convincing by the audience (it's not obvious that you can sign up without tweeting this ad) but it's still noteworthy that they're trying to draw a boundary between useful advertising and spam.

This contrasts with another talk by Chris Abad (@chrisabad), director of a company that took a lot of flak for the volume of tweets that their Spymaster (http://playspymaster.com/) game sent on players' twitter accounts; in-game events triggered tagged messages on a user's behalf, and the volume of this was high enough to irritate people for a while.

Chris defended himself and his company on the basis that none of these messages were compulsory, and very few of them were even enabled by default. The problem was that each (of about 20 types) of message would add 1% to a user's score for game events; some highly competitive users turned all of them on while playing intensively, which caused massive twitter traffic. The volume was also increased by the unexpected speed at which the game "went viral" and spread worldwide.

Part of the problem with sending tweets on a user's behalf (or providing offers or competition access for retweeting a message) is that twitter, and particularly the commercial adoption of twitter, is far too new for anyone to have really worked out what the rules are. Therefore, anyone who wants to use twitter to promote a product treads a very thin line between acceptable use and spamming.

The second talk of the day was very much marketing focussed and didn't really grab the audience's interest; the key idea in it was of evaluating the success of promotional techniques by making sure that the source of every account signup (free and paid) is recorded as part of the user's record. This enables later evaluation of the sources, and ROI, of "good users". The message was "this is important, do it from Day One".

Another theme that arose in this talk, and was prevalent throughout the conference, was that "Freemium works". This is the practice of giving users basic (but fully functional) access to a site or application for free, but giving them the option to upgrade to various levels of paid service. In fact, for pretty much any sort of paid web application, freemium is seen as "the right model". Off the top of my head I can think of numerous sites & apps for which this works; Spotify, Travian, Live Journal, WeeWar and Flickr to name a few. The trick is to strike a balance which makes the free service genuinely useful, and the paid level(s) worth the incremental cost.

Talk Three was barely worth mentioning. Badly prepared slides, a very lame running joke, and a list of "Javascript frameworks I do/don't like".

Session Four was also fairly dismal; designed as a plug for lead sponsors Microsoft, a panel discussion on the Hello App system which was still virtually unusable at this point in the day. The theme was little more than "we used ASP.Net MVC 'cos we wanted to try something new". The talk was far from compelling.

Session Five appears to have also left an indelible blank on my mind, but fortunately, after that, the talks improved greatly and the conference woke up.

Francisco Tolmasky (@tolmasky) of http://280north.com/ pulled out some stunning online & desktop apps. Essentially they've ported / copied Apple's interface builder (for iPhone and OSX apps) to a web format to produce incredibly fluid and effective HTML/JS/CSS interfaces for web or desktop use. As this was a product demo there's not really much point my trying to describe it, so take a look at http://280north.com/blog/2009/02/announcing-atlas/ , http://280slides.com/ and http://objective-j.org/

It's not often product demos, especially for coding tools, get spontaneous applause, but these did.

These apps, together with Vodafone's JIL widgets platform (http://www.jil.org/) as demonstrated on their stand, also pointed to another theme of the conference - the use of web technologies on the desktop and as applets on mobile devices. 280's Cappuccino apps join Adobe Air, OSX and Vista desktop widgets, as well as the Titanium and Fluid platforms.

After that, David Prager (@dlprager) spoke more on the theme of drawing in an audience to a site; his focus was on finding a real niche and then making life better for users in that niche. His examples included http://www.skimble.com/ and http://tv.winelibrary.com/ , and his premise was:

1) Find a real, defined niche (rather than a vague online group or community)
2) Provide a core feature that's genuinely useful to that group (that "makes life better"), and build it well
3) Only once you've developed that feature thoroughly should you start adding further features, or expanding into related fields.
4) Truly targeted niche sites are a gift for advertisers who want to reach a specific audience

Paypal's talk on their advanced payments API can be best described by sending you to the videos at https://www.paypal-changehowwepay.com/ and the Paypal X blog at https://www.x.com/blog/

Likewise, Facebook's Cat Lee appeared to be running purely from a prepared script, so see http://developers.facebook.com/ , particularly http://developers.facebook.com/connect and http://www.facebook.com/facebook-widgets/ (this latter is a fairly new integration tool for other sites)
Both Facebook and Paypal's new tools are interesting, but better described in their own words.

The next talk worth mentioning was Bruce Lawson's (@brucel) on HTML5, which backs off from the XHTML format in favour of specifying only as strictly as browsers require, but adds genuinely useful semantic markup and functionality such as headers, navigation and footers, directly embedded video, and multiple enhancements to forms, particularly in terms of front-end validation without Javascript. Again, trying to report a demo is of limited use, but suffice to say that this was very powerful stuff, very well received, and take a look at http://my.opera.com/ODIN/blog/2009/10/05/future-of-web-apps-london-html5

Bruce also came back for a second session on day 2, and was saved from the death of his laptop by quick assistance from the Microsoft team at the event, so it's a pity that his attempt to show IE's HTML5 capabilities quickly failed to a blank screen after the required hacks failed.

Chris Thorpe (@Jaggeree) of The Guardian gave one of the highlight talks of the conference on "How The Guardian is using APIs, Frameworks and Tools to Build a 'Mutualised' Newspaper" (slides here). This was an engaging talk with a lot of content, in contrast with Lynne D Johnson's rather shallow and unconvincing talk on "The Future of Print" the next day. The Newspaper industry is undergoing massive change at the moment, in large part due to the influence of the internet, and many papers are in extreme difficulty. The Guardian is trying to buck the trend by embracing the new technology and by becoming a platform that interacts with (and solicits leads, content and evidence from) its readers. They're also looking at becoming news custodians or brokers, adding value to information by supporting it with their investigations and reputation.

NB: Channel 4 news are also reaching out to viewers a lot at the moment; any time a big story breaks they'll be seeking views and feedback (and indeed photos and video) on twitter as @channel4news

Day 2



Day Two started off with Aza Raskin (@azaaza) from Mozilla, who talked about the future of the browser and of integrated data; the possibilities inherent in a "you-centric" browser and internet which would know where it was, who was using it, their friends and trust relationships from multiple social networks, and their tastes in (for example) music, news, books, leisure activities. Such a browser could gather appropriate advice and recommendations for its user in their current context and act as an "intelligent agent" for the user.

Then came the Twitter Front End Engineering talk; the main thing I can recall from that was that Britt Selvitelle (@bs) announced Twitter Labs. He didn't however mention what it was or when it'd launch. He also covered optimisation; mainly in the sense of "don't". Specifically, don't waste time prematurely optimising (or future-proofing); you should have unit tests around code that will protect any refactorings required when the time comes. Britt also underscored the important point that you should empower users to do what they want rather than forcing them to use a site or app "your way"; successful sites are the ones that meet the user's requirements, not the ones where they are forced to meet yours.

Then came Simon Wardley (@swardley); always rather an impressive speaker, this time with about 260 slides, which he reckoned would "cause permanent damage to the audience". Fortunately Simon's unique style is to use photographs as (frequently comic) backgrounds to his points rather than bullet-pointing every single thing he says, and it works. His topic this year was "The Future of The Cloud", and started with the essential (yet generally unanswerable) question of "What is the cloud anyway?".

The answer was a continuation of the trends which could be observed at the last two years' FOWAs; the trend from rarity and novelty to commoditisation and ubiquity that happens for pretty much any technology. In this case it's the transition of software and hosting from bespoke items, to stock items, to "stuff-as-a-service" (aka Xaas) to white-label commodity. Particularly, the construction of application or service stacks on top of multiple services, which leads to an implicit risk when the user at the top of the stack doesn't know who's providing the services at the bottom of the stack, and has no business relationship with them. Simon made the point that almost no clouds or stacks are entirely private, and so transparency - both in terms of who's relying on what, and in the standards used to connect between them - is essential. Any cloud that relies on a single provider or closed interface at any point becomes as vulnerable as that weakest link, so open and interoperable layers are definitely to be preferred.

However, the cloud is very much here to stay, and even with inevitable collapses and failures, the risks of not using the cloud will greatly outweigh the risks of using it.

Next up: Yehuda Katz (@Wycats) talking on agile development as related (particularly) to development of, or in Ruby and Rails. I really need to get hold of the slides for this one to dig out the details, but the core theme was "just get stuck in, and don't get hung up on side issues, optimisations and future-proofing".

Vodafone's talk was fairly missable; it turned into a truncated live-coding demo for on-phone apps; I'm not quite sure what was planned but it didn't seem to happen. More info, competition and free dev environment can be found at http://widget.developer.vodafone.com/appstar

I also skipped the accessibility talk, as I'd seen it (or something very similar) twice before, in favour of talking to Yahoo and Vodafone about their services and dev platforms, and browsing the remaining stands. Audioboo's API also seems worth a look, but there's a deficit of data right now; start at http://twitter.com/Audiobooapi

Alex Hunter (@cubedweller) got very animated in his talk on the importance of your brand. The core seemed to be "giving a damn" about your brand; about yourself, about the service you provide your users. You need to truly define what your brand's about, not in "Miss World" terms of world peace, but in real concrete values that mean something to you. You need to both take pride in your reputation and be prepared to put it on the line. And you need to let your users connect with the people behind the brand - all of them - because "they can't connect with a building".

After a rather lacklustre and US-centric presentation on "the future of print", we got a unique (and very enjoyable) musical interlude from http://www.petergregson.co.uk/ , which was somewhat messed up by the failure of the speaker's network connection; for reasons I simply cannot understand, the podium didn't have a wired connection but was sharing the open-use, flaky wifi network.

Post-lunch, prize for worst graphic design (but a very good talk) went to Dave McClure (@davemcclure)'s "Startup Metrics for Pirates: AARRR!"; again I can best describe this by pointing you to the slides at http://www.slideshare.net/dmc500hats/startup-metrics-for-pirates-fowa-london-oct-2009 and telling you to turn the brightness on your screen down. It's actually a pretty good presentation on the importance of balancing features, user acquisition & retention, and making money.

Chris Lea (@chrislea) of Virb also gave a very good talk on "Practical Advice for Managing the Growth of your Web App", which focussed on the difference between scalability and efficiency, two concepts that are often confused. Basically, scalability consists of the architectural decisions behind the coupling and componentisation of your app, which determine whether it can be moved to multiple servers and services. Efficiency, which is less important (because it leads to costs, rather than impossibilities) determines how many of those servers you need, and how long you can survive on existing infrastructure.

Recommended reading from this included the High Performance Web Sites book (http://oreilly.com/catalog/9780596529307) and the video versions at http://www.youtube.com/watch?v=QRUqVyP27Hw and http://www.youtube.com/watch?v=BTHvs3V8DBA

A quick Startups session called "Launch" then showcased @awaremonitoring, @gotestit and @broadersheet. Of these, http://GoTest.it was by far the most interesting (to me, anyway) as a very impressive, easy to use browser-based site test system; think Selenium but commercial, smoother and easier to use, and with automated multi-browser testing.

The final real talk was a slightly truncated but very impassioned one by Gary Vaynerchuk (@garyvee) which really focussed on "give a damn" and "just get on and do it", although again my memory's a bit short on detail right now. http://garyvaynerchuk.com/post/107300929/crush-it-why-now-is-the-time-to-cash-in-on-your should provide suitable background.

PHP UK Conference 2009 Call For Papers

2008-10-30 08:20:00
PHP London are pleased to announce their 4th annual UK PHP conference, building on the success of previous events and accommodating the continual growth of the PHP community and PHP development industry.

The event will take place on Friday February 27th 2009 at Olympia Conference Centre, London. Registration will commence in December 2008 and those interested in attending can create an account on the PHP UK Conference website at http://www.phpconference.co.uk/user/register and sign-up for notifications of updates to the website. Important announcements will also be made to the PHP London announcement mailing list:
http://lists.phplondon.org/cgi-bin/mailman/listinfo/phplondon-announce

The Call For Papers is now open and finishes at the end of November 2008. Speakers interested in talking at the event can submit their details at http://www.phpconference.co.uk/call-for-papers whilst potential sponsors can contact the conference committee using the form at
http://www.phpconference.co.uk/contact

All known information about the conference so far is available at http://www.phpconference.co.uk. We hope to see you at the event next year!

(I'm the treasurer of PHP London and on the organising committee of the conference)

FoWA summary

2008-10-11 19:14:00
After last year's FoWA, I summarised the show as having four main topics:

- Interoperability & APIs
- Identity & privacy
- XaaS (Xtuff as a service)
- Taking the web offline

This year, the primary themes were of scalability and social information exchange. This incorporated the first two points above, but the attitude towards them has changed; with the increasing maturity of the "Open Stack", interoperability is not a question of "how?" but "when?" (with an answer of "now, or very soon") and standardised APIs rather than custom ones. Even Facebook, known as a non-adopter of the Open Stack, expect to support it in the future. The tone is "Interoperability is here, we're cleaning up the details".

One of the key details raised is identification/authorisation. The "password antipattern", and sites requiring it, take a particular hammering. Sites need to interoperate and share data, and if you fail to provide API methods to do so, expect to be shunned.

Xaas featured less visibly, with the exception of SalesForce who, as a major sponsor, used both their slots as raw sales pitches for their product. This was clumsy on their part; geeks don't like sales pitches, especially when they've been promised a technology talk. Web office apps are considered almost as commodities and were not particularly visible; there was no SlideShare or Huddle (or similar) stand or talk this year.

The "offline web" is still seen in large part as the territory of Google Gears (still a beta), AIR apps and iPhone apps; connectivity is widely seen as more critical than offline access, or it may just be that connectivity is more prevalent than even last year.

Another noticeable aspect of this year's show was the reduced number of startup stalls; there was a definite air of "business as usual".

There was one more background theme; that of economic recession, but there was, albeit with due caution, the feeling that the web industry was large enough, flexible enough and robust enough to handle the situation reasonably well.

Scalability was the other large issue; there are a lot of web apps out there that have reached significant size, and all new ones should be prepared (if not prematurely optimised) to get big. Elaine Wherry of meebo put it well; "Scalability is a nice problem to have - until you have it".

Scaling is generally independent of the language used; almost all well-coded apps will be I/O-bound, not CPU- or memory-bound, and so it's the application architecture that matters. That architecture should minimise its coupling and interdependence, both to eliminate single points of failure and to improve the "plugability" of scaling. Work should only be done synchronously when that's inevitable; don't keep the user waiting, and don't make every page a heavy load; if you have to do hard work for every page hit (rather than asynchronously) you can't back off when you need to.

Once more it's worth noting that good modularity and strong encapsulation are a good design decision for many reasons; not just for scalability but also for testability, development and maintenance.

The final key issue could be described as "human scalability", or "Drinking from the information firehose". There's frankly too much data out there for humans to absorb (FoWA itself was a microcosm of this), so it needs to be filtered and managed. Both Digg and Fav.or.it covered this, in terms of "finding relevance" and of presenting data; how to identify material of interest to each specific user; not merely the relevance of topics, but of supplier, format, tone, complexity and the viewpoint taken.

One problem raised with this was "If you filter data that precisely per user, don't you risk telling them only what they want to hear? Aren't you narrowing their horizons?" This is, as yet, a question without a solid answer; filtering isn't quite good enough for it to be critical yet. There's also the question as to whether apps should seek to "improve" their users, or merely give them the tools to do so.

FOWA day 2

2008-10-10 10:12:00

Fear and Coding

aka Getting through the tough times


The future's dark (good times for Ninjas?)

Yes, we're talking finance again.

"Running on several times the amount of money that actually exists".

Between the hurricane and the flood.

How to get through it?

Work


Work even harder - not a good time for workers or employers to fail.

No large capital expenditures.

Avoid waterfalls! Can't guarantee long-term projects; we need NOW.
Get with Agile.
Prioritise features; code flexibly.

Avoid expensive licences (Oracle?) - Use OSS.

Get in the cloud. (but is it ready yet? What level should we be using? API, Host, App?)
'Ware Lock-In!

Become part of the conversation - IM will fracture; create your own and track what's being said.

Opportunities


What's needed?

Regulatory Technology (Banks may need new tech to handle inevitable new govt reg'ns).

Think about essentials - cost-saving sites on basics. Trade sites?

Legacy servicing (if re-builds aren't getting the OK)

Telecoms: we're all hooked on our phones, we won't be getting rid of them.
Micropayments.

iPhone: Cheap apps * 10 Million users= turnover!
(better go read that book)

http://steve-yegge.blogspot.com/2008/08/business-requirements-are-bullshit.html

Build something for you - it's easiest to evaluate your results & satisfy the market!

(spend project looking promising)

Fear venture capitalists!
Terms and need for cash will get tougher

You


Avoid technology religion - spread skills.
Be designer *and* developer.

"If you're a designer and don't think you can code, you're wrong".

Uh, I beg to differ. Most developers who think they can code, can't

"Learn PHP from the WordPress code". Please, no-one do this, that code's terrible.

Contribute to OSS - it's a great networking / credibility move.

Publish! (for the same reason)

Be findable on google!

(I should probably put my name on this blog then...)

IE, hire people who are community active. Tim, I always try to, but frankly there aren't enough if you're not in a big-name company.


NB: All of the above also apply even without a depression.


PS: Network, Network, Network!

Cloud Computing / Salesforce


Hosted / shared system.

It's another sales presentation. Glad I missed it last night.
Dynamic app modification.

"Cloud computing: I don't have to worry about scaling." Uh, WHAT?
This might be useful for Sales and HR guys, but it's boring the arse off the devs & designers.

OAuth


OpenID doesn't work so well on the desktop.

Username / password (twitter model, email) ain't a good plan.

GMail account == google health, google checkout.

Password antipattern (passwords are not confetti)

Check video for sequence

Central access control - revoke access per-site. Yay!

Friendfeed (again): Uses API key similar to EVE: Revoke is revoke-all.


OAuth is Authorisation, not Authentication.

XRDS is updated form of YADIS.

Services (as defined by Yadis) are swappable.

Portable Contacts: provides open standard for contact sharing. Supported by Plaxo.

Adoption


IP issues?

http://wiki.oauth.net/ServiceProviders

See: OnePassword for iPhone

Friendfeed


200 million blogs - 200 million views.

Twitter gives astounding reactions (certainly does!)

Firehose of content: Friends are the filter.

ASIDE: We face a firehose of content in our daily lives too. Definite tone of "how to cope" at this fowa. See also new Fav.or.it beta work.
Risk: hear only what you want to hear, Narrowing of experience.

Filters can still flood.

How do we define relevance? Interest to all, interest to those I know, importance to 1 person (personal)?

Topic clustering; comments, 'I like this'; Global importance.
recommend by 2 or more friends - increase accuracy.

Realtime Friend Feed coming soon.

Scalability - Can't really change schema on multi-million row tables.
memcached to MySQL, stateless, replicated DBs

The comment problem - comment where and to whom?

API for getting comments *from* FF - but you still have to hunt & pull, and I'm sure it's not an open API.



"It's interesting that so many talks at #fowa end up being about collaborative filtering, recommendations and basically social science - robertgaal (Robert Gaal)"

Mapping


I can't blog this, if I tried to keep up with Andrew my pingers would combust.

Meebo


"Scaling is a nice problem to have" - until you have it!

"Solving Sandy's Problem" - target audience is self - known audience.

Scaling reactively = ARGH!

"We're synchronous. That's hard."

Page persistence time: 2.5 hours.

*no* site content.

"We didn't have a DB server - we still don't need what we do have".

Start simple - use OSS tech, don't try and write it all yourself/at once.
Based on GAIM, but extracting /replacing the UI layer.

Turn on; 597 Diggs, servers melt.
Didn't scale before it was needed (known risk). You're probably guessing the wrong ones.

Effectively running 100's to 1000's of gaim instances.

Bottleneck: Not CPU, not memory: tools (Strace, gdb etc) showed gaim bug (double-free).

Don't prematurely optimise.

FOWA

2008-10-09 12:00:00
I'm at the Future Of Web Apps at Excel London. The whole world is twittering it. We seem to have just about swamped WiFi, 3G, GPRS and Twitter. Evidently, geeks don't scale.

Rather than join the twitter flood with every comment on the talks, I'll post them here and update this post.

Languages don't scale


Scaling == IO - else ur doin it rong. Should never be CPU-bound.
Therefore language is irrelevant to scaling.

- Don't share: Bottlenecks & SPOF!
- You should be able to *lose* a part of your cluster without your customers noticing.
- Keep your coders happy. They code faster & better.

Flickr hate testing? Flickr are muppets then!

Indexing matters!

Split the work into smaller chunks (don't try and do it all in the DB?)

Unix load cascades (yeah, we'd spotted that), so you don't get a nice failover warning.

Cache - and use memcache to do it. Digg(?) uses 1TB of memcache.

Cleaning up the cache (keeping it current) is hard work.

Can achieve 200-400% scaling by using *smart* caches.

Herd effect - Cache key expires, all webservers pounce on that at once and try and rebuild it - a type of race condition.

Use "expiration jittering" (cf TCP fallback?)
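A small simulation of the herd effect and of jittering, added here as an illustration and not taken from the talk: it assumes "expiration jittering" means each web server refreshes the shared key at a random point shortly before its expiry. The server count, TTL, jitter windows and rebuild time are made-up values.

```php
<?php
declare(strict_types=1);

// Added example: server count, TTL, jitter window and rebuild time are constructed.

/**
 * Each web server picks the second (counted from when the key was stored) at
 * which it will treat the shared key as stale. With $jitter = 0 every server
 * uses the hard TTL; otherwise each one refreshes up to $jitter seconds
 * early, chosen at random.
 */
function refreshDeadlines(int $servers, int $ttl, int $jitter): array
{
    $deadlines = [];
    for ($i = 0; $i < $servers; $i++) {
        $deadlines[] = $ttl - ($jitter > 0 ? mt_rand(0, $jitter) : 0);
    }
    return $deadlines;
}

/**
 * Count the servers that start a rebuild. The first server to reach its
 * deadline rebuilds and re-stores the key $rebuildSeconds later, which resets
 * the clock for everyone. Any server whose deadline falls before that moment
 * still sees stale data and starts its own rebuild as well.
 */
function concurrentRebuilds(array $deadlines, int $rebuildSeconds): int
{
    $first = min($deadlines);
    $count = 0;
    foreach ($deadlines as $deadline) {
        if ($deadline < $first + $rebuildSeconds) {
            $count++;
        }
    }
    return $count;
}

mt_srand(2008);  // fixed seed so the run is repeatable

$servers = 50;   // web servers sharing one cache key
$ttl     = 300;  // seconds the key is considered fresh
$rebuild = 2;    // seconds the expensive rebuild query takes

// Jitter of 0 reproduces the herd: every server rebuilds in the same instant.
foreach ([0, 30, 120] as $jitter) {
    $n = concurrentRebuilds(refreshDeadlines($servers, $ttl, $jitter), $rebuild);
    printf("jitter=%3ds  servers rebuilding at once: %d of %d\n", $jitter, $n, $servers);
}
```

The wider the jitter window is relative to the rebuild time, the fewer servers hit the backend together; jitter narrows the race but does not remove it.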

Use queues! ("starling" at twitter; "gearman"? at digg). All large sites use it!

Partition data (again, share nothing). Compare horizontal / vertical partitioning (vrt more common).

Again, refer memcacheDB.

Summary: Scaling is in the architecture, not the language.

-- Questions:

Ops and Dev can't work independently of each other to scale!

Dopplr; Made of messages



Massive backend integration: asynchronous.

Only do essential work up front; queue the rest.

Read: (highly recommended): Enterprise Integration Patterns (Hohpe, Woolf et al)

Use polling to get progress state from queued systems - share the %age in shared memcache.

Result - no single path of control.


Message queueing lends itself to cloud scaling.

ActiveMQ (apache)

Mobile Future



We got us a live one here...

The future of mobile is about mobility, about computing anywhere (ubiquitous computing).
The device is secondary; it doesn't have to be one you carry around with you, it needs to be something you can use where you are.

Presence and location; devices can adapt to where you are. States and events are a part of presence.

See: tonchidot video - crowdsourcing.

Interoperability and open standards are essential.

Internet TV



It's got to be easy - internet TV needs to reach the same devices & quality as other formats.

Needs to be compelling and interactive.

(This is more a "how to sell your digital TV channel" thing than a tech one, and I'm also trying to fix some very old blog sync code that this is running on at the same time, hence the reduction in detail!)

Blowing up the social web


Socialweb.tv

All sites seem to ask for the argh-too-many questions on signup. This is a barrier to entry.

"Invite your friends! Give us your email password!" Really not a good plan. Need APIs and open standards.

Problem is of "finding people you know and sharing with them".

It's the interoperability, st00pid!

Too many services / social network is not scalable!

We need "distributed social networks": Very true, but it's not a trivial problem.


Side thought - not many small and unconvincing startup stalls here this year.


See: pinax


We now have "the open stack" (last year's fowa was definitely looking at early experiments, starting to come together more now).


[ Identity & Profile (OpenID, hoard)
[ Discovery (XRDS-Simple)

ref: Plurk talk - adaptive UIs

[ Auth layer - Open Auth (eg let flickr post to my blog)
[ Relationships / Contacts - XFN, Poco
[ "Activities" - Atom etc??
[ Widget platform - Open Social

Still "Small pieces loosely joined" - pretty much last year's motto.

OpenID

Now accepted by > 25000 sites

Microformats
XFN: link rel="me"

Note: you're making yourself infinitely discoverable - once more the fascinating issue of data openness and privacy, requiring a new concept of privacy and acceptance.

(Banks are *really* going to have to stop using semi-public data for "security")

Link OpenID to namecards?

OAuth

"Valet key for the web"

(very american phrase...)

Also "who can know what?" eg FireEagle, level of detail. (again, FE new last year)
eg Google, who can ask for address data?
Flickr can get address data from google via API - might want to use this.


Activities
"I've... posted a photo, blogged, flown to London..."

(Data aggregation from the cloud)



Stack (open social) users: MySpace, Y!, Google, Plaxo... but not FB!

Salesforce (BT)


Just caught the tail end of this - "Communification of web apps".
All communication, including voice, is data - full comms contact management / integration app inc voicemail transcribing.

Dragons


Phonefromhere.com - in-browser skype. Not great.

Raffle.it - ebay by raffle!?!

iPlatform - appears to be the iFrame for 2008 - could be a useful social platform share tool

Diary.com: It's not a social network or a blog, it's an online diary.
How is it not a social network or blog?

eRepublik: MMORTSG: Hasn't seen Travian? You don't get points for trying to out-speak the timer. Or is it Eve corps in a browser game?
It's Trivial Pursuit Risk!

FoWA show report - the talks

2007-10-05 13:01:00
For references to sites mentioned below, visit http://del.icio.us/wechsler/seenAtFowa

Over the last couple days I've been at the Future of Web Apps expo, held in Excel, London. This proved to be an extremely interesting and rewarding experience, if exhausting.

The show was structured as multiple tracks alongside an expo floor of (probably) about 20 stands. I spent most of my time in the 'Developer' track talks, in a room with a capacity of about 1200. The speakers I saw were universally of high quality and were generally world-class 'names' or experts in their field.

One thing that was striking in the talks (and in many of the stalls, I think I spoke to about 90% of them) was the strength of certain common threads:

- Interoperability & APIs
- Identity & privacy
- XaaS (Xtuff as a service)
- Taking the web offline

The core philosophy of the modern web has been described as "Small pieces, loosely coupled". In fact, the size of the pieces seems comparatively unimportant, but the coupling or interoperability is critical - web sites and services can no longer operate as islands.

For most people, the web serves primarily as a platform for interpersonal contact - not merely in the form of email, but in the newer technologies of blogging and instant messaging (and their hybrids of microblogging and moblogging) and in community sites such as facebook.

Supporting this, the assertion was also made that every site should have a community element - something that gives people a sense of belonging, a reason to stick around, and a personal investment in the site or product. Otherwise sites can be little more than posters on the wall, providing sterile information and nothing more. Even the 'online office tools' (such as Google Documents and Calendar, Zoho and Slideshare) which might seem to provide a counterpart to this assertion exist not merely as an alternative to desktop apps, but primarily to share documents and collaborate in their creation. This is taken a level further by direct collaboration apps such as Huddle, Webex, Thinkfold and yuuguu.

The primary goal then of these contact and community applications is information sharing. The critical question for each application is then what information to share with whom. An added level of complexity is then found in the problem of identifying users without requiring them to have a login on each individual site.

For example, when it comes to IM, a user may have an account on Skype, Yahoo! IM, Gtalk, ICQ, Jabber, AIM, Pownce, Jaiku, MSN messenger, Gadu-Gadu, MySpace IM, Groupwise, and Zephyr, to name but a sample of the more focussed IM products. Then you can add SMS, Email, Twitter, Pathable, Second Life in-world messaging, MySay, and internal messaging systems on any number of non-interoperable websites - without even getting into various forms of blogging which are often used as a group notification system.

(It may be appropriate here to stop and explain microblogging and moblogging. Microblogging consists of systems that are designed not for screeds of content such as this, but for short, transient messages which may be low-content, low value and/or have a limited lifetime of relevance. Moblogging is any form of blogging from a mobile, but tends to mainly be, due to device limitations, microblogging).

One solution to part of this is that provided by meecard or {mental blank here} - services which combine many (but rarely all) of your IMs and/or IM identities in one place. Another is desktop clients such as Adium or Trillian which support (with greater or lesser tolerance by system operators) multiple IM protocols. However, these systems are essentially a domain-specific hack and do not solve the multiple password / multiple identity issue.

The management of inter-system message transmission can be provided by common APIs or microformat data interactions, but this rapidly runs into the larger problem of multiple identity and remote authorisation. As ever, there are numerous (non-interoperable) solutions including OpenID, OAuth, BBAuth (from Yahoo) and Google Account Authorisation, which generally serve to remove the multiple password problem by asking one (central) web site to confirm a site visitor's identity; the user will generally then have to be logged into that central site.

The problem of authorisation is distinct from identity but often closely coupled; for the moment it is probably enough to define it as 'enabling one system to understand from another whether the user of the first system wishes to allow a user of the second system to access or modify information related to the first user, by means of identifying the second user in some way meaningful to the first system and then mapping permissions onto that second user'. Which is admittedly one hell of a mouthful, but far simpler than sinking into the minutiae.

One of the most evident cases where remote authorisation is critical lies with geolocation apps such as Plazes, Dopplr and Yahoo!'s FireEagle (and possibly twitter). These serve to integrate a person's current location as a factor in service provision to provide services such as 'find a local shop' or 'find nearby friends'. Sharing with the world, for example, the fact that you've just travelled from your home to an airport, is unsafe. These data can easily be used for criminal purposes, so it is critical to be able to use a trusted location broker service which can then identify who you want to share this information with.

Leaving aside the identity issue, geodata also provides a clear use-case for cross-site data gathering, colloquially known as 'mashups'. Imagine you've an account with the FireEagle location brokerage service, and you want a map to the local non-corporate coffee house. This is generally one of those over-excited future predictions that never seem to come true, but it is actually now possible in certain situations. The method might be as follows:

Your cellphone notifies FireEagle directly of the cell ID it has just entered. Plazes corroborates this with the registered location of an open wireless network it has just passed through. You ask your mashup server for the route; it then authenticates with FireEagle for permission to know your location, possibly converting to a postcode via a third party. This data is then exchanged with a site such as delocator, which provides the locations of possible destinations. The source and destination data can then be sent to, for example, google maps, which then returns a graphical representation of your route to your smartphone.

As a possible extension, Plazes also notices that one of your friends is near to one of the cafes, by authenticating your identity and theirs, and then verifying that you each allow the other to know your position; it then informs you of this to help you make your choice. For extra points, it allows you to invite all your friends in a mile radius to join you.

This is clearly a complex operation, and relies on a number of other companies providing information and services far better and more cheaply than you could do yourself, and therefore involves much use of XaaS - Stuff as a Service, where Stuff may be authentication, identity ownership, information, location, or the hosting or software used by all parties involved. Delocator probably don't run and host their own servers. Plazes don't go out and make maps. Yahoo! didn't write the webservers they use. Each party in the pattern uses the others, and some not considered, as services, to make use of their expertise and economies of scale.

The remaining factor is that of 'taking the web offline'. With current technology, the above web app/mashup will only work while the smartphone's browser is connected to the web - once the user goes offline, even past searches and information will be lost. Two (at least) new technologies can tackle this, by allowing the service to work (albeit without new data) while the device cannot connect to the network, by providing local data storage and processing. A more evident application of this would be a webmail client which continues to work with downloaded emails while disconnected, allowing the user to read and reply to all existing mails, and can synchronise incoming and outgoing messages once the connection is returned. These technologies are Google Gears, which works inside the browser to provide local processing and storage, and adobe AIR, which allows html/css/js bundles to run as stand-alone apps.

Where are we going?

2007-10-04 12:14:00
Several directions and common themes are very clear at FOWA:

- Interoperability & APIs
- Identity & privacy
- XaaS - making best use of what other people do for you, cheaply

There is also an undercurrent that even startups will be so common as to become a commodity, and that the unit of hiring may now be the startup rather than the individual.

IoN, Simon Wardley may be the only speaker where you can hear the hyperlinks.

PHP Conference UK, 2006

2006-02-11 11:00:00

Yesterday I attended the UK's first PHP conference at LSBU. This was a low-cost, volunteer-run affair organised by the local PHP user group - and it was admittedly a little rough around the edges. However it was competently run and, taking it as an enthusiast's conference rather than a professional one, very much satisfactory. The conference was sponsored by O'Reilly, City Safe, Packt Publishing, Word Tracker and Propel Recruitment.

The conference took the form of a day of talks held in a university lecture theatre, with coffee and lunch breaks, but no lunch provided (something which the organisers may not have planned on, although there were adequate food sources nearby). Further, there were a number of technical hitches during the day when the venue's equipment either failed or wouldn't integrate with the speakers' equipment (which admittedly threw a couple of faults of its own). Fortunately, these were not overly disruptive (with enough geeks, all bugs are shallow) and the venue was modern and comfortable with excellent acoustics and high-speed WiFi.

Being an enthusiast's conference, with WiFi, the audience was well-equipped with laptops and were thus able to take notes and explore websites linked from the talks; I'm sure many notes were taken and blogs posted. As is common at PHP-London meetings, most of the laptops were Apple Macs; the combination of functional desktop and unix architecture seems to be a popular one among PHP developers.

The first talk was given by Derick Rethans on "ez Components" - a PHP toolkit providing useful base functionality such as configuration reading and management, caching, cli and mail tools (among others). To me, this talk was useful on the basis of the development and coding techniques used, as well as in bringing me up to speed on a few PHP5 developments I'd not caught up with. The use of function namespacing (as in this site's codebase, but sadly missing from PHP itself) was of interest as I was wondering if this was just some weird idea that only I used.

Besides technical discussion of such things as SQL connection pooling, the actual subject matter - the component library - was interesting (and something I could conceivably use in future). The tools themselves (although not fully described) seem distinctly useful, and the knowledge of the coding techniques used gave me confidence in the quality of the library.

Unfortunately the talk over-ran (I presume Derick is not a particularly practised presenter) and we didn't get the full material before the break, but I certainly learned something from the talk and would suggest that anyone needing a component library take a good look at this one, which seems to fit the open source requirements of high code quality and active development.

After a belated break (it having been pointed out to the organisers that the sponsors would not appreciate being deprived of face-time with the participants) we moved onto the second talk, and the most visibly nervous presenter, Pavel Kozlowski with a talk on "Pico and Dependency Injection". Now, before this talk I'd heard a fair bit about "dependency injection" from Marcus (from whom I suspect I've learned a great deal) but never really understood what it was; the word "injection" for me having very negative connotations of SQL and code injection attacks.

In fact that's not the issue. Dependency Injection is, if I may make a stab at a definition, the problem of providing code elements with their functional dependencies closely enough to be effective, but loosely enough to make unit testing and isolated development practical. Methods of providing such dependencies vary from calling 'new' within the dependent object, through use of a DAO registry to a fully-fledged DI container such as Pico.

I won't go into much technical detail, as these concepts are still fairly new to me, beyond saying that Pico essentially acts as a dependency "broker" which accepts registrations by classes (in part) according to the interfaces they provide or the requirements of their constructors. I'll leave the rest to the Pico site itself.

Unfortunately this talk also ran out of time, although it was probably fortunate that the organisers were keeping on top of time by now; I'd have liked to hear more but at least have a useful start point.

Lunch was a "seek and ye shall find" affair; I found a Nando's (Portuguese spiced chicken chain) and had a very pleasant meal in the company of a Swiss delegate, but found that Nando's idea of "medium" is rather hotter than my own. The lunchbreak also gave me a chance to get to the O'Reilly stand and feed my tech-book habit; I walked out with the SQL cookbook, PHP Hacks, a Podcasting pocket guide and (given to me for free later) a book on PHPUnit. Something of a haul, but 30% off for show prices helped. I also notice O'Reilly are releasing a "Head-First" series with a much lighter "voice"; personally I didn't think the cartoony elements were for me but I'm told they've been well received. Certainly the presentation of "Design Patterns" as "Why make your own mistakes when you can learn from others" is an interesting approach...

After lunch, Matt Zandstra - Author, Yahoo! senior developer and, to be frank, rather disappointing speaker. Matt's material on "The Template Path" was at best tangentially related to PHP and the presentation showed every sign of being an in-house training presentation. It didn't map well to the audience, who weren't generally interested in code specifics of in-house material they were unlikely ever to use. Yahoo! were actually recruiting at the event and I have to say I think Matt sold them short. I've got a copy of his book at the moment and will withhold judgement until I've at least taken a look at it, but I really couldn't find much beyond a simple but interesting design pattern to take away from the presentation.

Update: Evidently Matt can write pretty well; the Zend.com PHP5 exceptions article is extremely clear and readable. I suspect that if he'd billed his talk as "stuff you can do at Yahoo! if we hire you" and it had been one of alternative tracks, the talk would have worked much better.

Following that, however, a much more interesting presentation by Christopher Kunz: "I've been told to scare you awake". Well it wasn't quite that terrifying (as I'd already been studying PHP security recently) but it did make the point that "there's always going to be one more vulnerability". Some wince-inducing examples of "wild code" were shown but I was already familiar with the issues presented (not that I'm entirely immune to them in my own code yet). There were also some valid points on vulnerability disclosure and responsibility.

The focus of the talk, however, was the PHP Hardening patch, designed for and by ISP administrators to protect themselves and their users from internal and external attacks. It's not a complete solution to security - it doesn't claim to be - but it's a good start, and seems to be compatible with most well-written code (at least my own apps still work when I recompiled PHP after adding it on this server). I'll let the patch speak for itself, but I strongly advise that you take a look at it, and also at Christopher's book (at least, once it gets an English translation - any volunteers?), at which I was able to get a quick look after the conference.

The final talk of the day was something of an oddball - Harry Fuecks of SitePoint basically talking about why AJAX was overhyped and tricky to use effectively (and often misused) (talk resources here). Harry, this isn't news! Any technology can suffer from these issues and it's down to the developer to work around them. Had this been a presentation on how to work around them it might have been more interesting, but in the end I wasn't told anything I didn't know (in fact I'd already solved some of the issues mentioned in my own implementations) and the negative topic was unsatisfying. It might have served better on a multi-track conference where there were alternative topics.

That said, Harry's actually a pretty good speaker, and with a better topic (and he's certainly got the material) I could have really enjoyed his presentation; certainly his site's extremely useful (if slightly over-commercial, to my mind).

After Harry's talk there was the gathering of the feedback forms and then the Closing (which I imagine the organisers didn't gather much feedback on...) which involved a number of book giveaways and the traditional "Thanks to all". Following this, a number of us repaired to Living Space for free beer (courtesy of CitySafe, who are hiring) and general chat and (nominally) blogging; it was at this point that I installed the Hardening patch on this server (and *then* discovered an XSS attack on one of the sites had recently succeeded - I think I know why, though).

All in all, a good event; certainly worth the time and money, and a very promising first event. Congratulations and thanks to the organisers, and thanks also to all sponsors and speakers.

Update: It occurs to me that, while not all the talks were "great", no-one can really expect every single topic at a conference to excite them and that this is really just an artefact of a single-track conference. It'd be interesting to see if next year's can be made multi-track.

Disclaimer: I am a member of PHP-London but was not involved in the organisation of the conference. Hopefully I will be able to help out next year if the group decide to repeat the exercise.

Still watching?

2005-10-10 17:59:00
Well, that last-but-one post proved to be rather more prophetic than I'd intended. Rest assured that, like 99.999% of London's population, I survived July without getting blown up. In fact, it's been another case of "too busy doing to document":

I've launched another site off this codebase: http://www.londongamelist.org/

Calendar: there's a graphical calendar view in place now, which can synchronise from iCal (and thus, indirectly, from most PDAs).

Filestore: Improvements to the upload system - in particular fixes to handle the fact that MSIE uses some very strange mimetype declarations on file upload (image/x-png and image/pjpeg in place of image/png and image/jpeg, for example) and the ability to set icons manually (as they can't generate for Really Big images).

PHP code quality: I've turned on E_NOTICE and E_STRICT error levels on several sites using this codebase, which means I've had a fairly major task of updating code to the strict PHP5 way of doing things, and made sure all variables are pre-declared. A long task, but it should cut down on future debugging. (there are probably a few stray notices floating around this site - do let me know!)

AJAX: Many AJAX tutorials advise you to use text rather than XML as your AJAX page format, but also advise that you use the line
http_request.overrideMimeType('text/xml');
to force the behaviour of your XMLHttpRequest object. The new Firefox 1.5 betas throw errors on this in the (now misnamed) JavaScript Console (it now serves as a fully-fledged error console), which I've explained in updates to this page on DevMo:
http://developer.mozilla.org/en/docs/AJAX:Getting_Started
These errors can be pretty tricky to debug, particularly when they appear as JS errors...

XSS: Nasty stuff. Cross-site scripting occurs when you accidentally let a user manipulate the content of your website, either by submitted content or URL manipulation. This codebase caught most of those tricks, but at a recent talk by Rasmus Lerdorf at PHP London I discovered one that I'd completely missed: PHP_SELF. Needless to say I've done quite a few bugfixes on that one now!
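How the PHP_SELF hole arises and two ways to close it, as an added example that is not code from this site's codebase: PHP appends any path text that follows the script name in the URL to PHP_SELF, so echoing it unescaped reflects client-controlled text into the page. The request values, file name, sample source lines and function names below are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: all request values and source lines below are constructed.

/** The pattern at fault: PHP_SELF written into markup as-is. */
function formTagUnescaped(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

/** Hardened: encode for an HTML attribute before output. */
function formTagEscaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

/** Alternative: SCRIPT_NAME omits the client-supplied PATH_INFO suffix. */
function formTagScriptName(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

/** True if the output holds markup beyond the single <form ...> tag. */
function hasInjectedMarkup(string $html): bool
{
    return substr_count($html, '<') > 1;
}

/**
 * Heuristic audit: return the 1-based numbers of source lines that mention
 * PHP_SELF without an encoding call on the same line. It is line-based, so
 * every hit still needs a manual look.
 */
function auditPhpSelf(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (strpos($line, 'PHP_SELF') !== false
            && !preg_match('/htmlspecialchars|htmlentities/', $line)) {
            $hits[] = $n + 1;
        }
    }
    return $hits;
}

// Constructed request for /contact.php with extra path text after the script
// name. PHP appends that text (PATH_INFO) to PHP_SELF but not to SCRIPT_NAME.
$server = [
    'SCRIPT_NAME' => '/contact.php',
    'PHP_SELF'    => '/contact.php/"><b>marker</b>',
];

foreach (['formTagUnescaped', 'formTagEscaped', 'formTagScriptName'] as $fn) {
    $html = $fn($server);
    printf("%-18s injected=%-3s %s\n", $fn, hasInjectedMarkup($html) ? 'yes' : 'no', $html);
}

// Constructed template lines to audit.
$source = [
    '<form action="<?php echo $_SERVER[\'PHP_SELF\']; ?>">',
    '<form action="<?php echo htmlspecialchars($_SERVER[\'PHP_SELF\'], ENT_QUOTES); ?>">',
    '<a href="<?= $_SERVER["PHP_SELF"] ?>?page=2">next</a>',
];
echo 'Lines to review: ' . implode(', ', auditPhpSelf($source)) . "\n";
```

The same encoding applies wherever PHP_SELF or REQUEST_URI ends up in output, including links and hidden form fields.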

MySociety: I've recently joined the MySociety group (http://www.mysociety.org/), and submitted a few code fragments - this is probably going to be a focus of my coding efforts from here, although I'll still be working on this site's codebase, particularly if there's user interest. For a start, there's a couple of external libraries that I can now jettison, due to PHP5 improvements.

I've also been to Linux World Expo, looked at picking up some LPI and MySQL certs, bought an iPod Nano (yes, they *do* scratch far too easily, Apple!) and started listening to Podcasts. Busy life.
