Recently, I assisted our audit team to performed a technical audit on a public listed company in Malaysia. While the details of the audit are confidential, I would like to share my experience since this was the first time that I did such an audit before. Needless to say, it was quite interesting.

On our first visit, we got there early and I was promptly introduced to the director and development team as the newest member in our audit team. I said my greetings to everyone and took a seat in the centre of the meeting table since nobody else took it.

Water was then brought in by the tea lady. She brought in a number of glasses and two jugs of water. Unfortunately, we weren’t served the water and since I was rather thirsty, I got up and served everyone a glass of water. My audit team members remarked that I was really sweet in doing so – I was just doing it because the tea-lady placed it all on the table and left.

Since this was my first time exposed to this project, I asked for a quick briefing on the product that they have developed. Before this, I already knew their main objectives but I was still curious as to how they would go about achieving them. As they explained things to me, I began to probe their system and their understanding of the issues involved.

The development team was fairly nice to me and explained things that I had difficulty understanding to me. For example, I couldn’t understand why they had chosen certain cryptographic ciphers and used them in a certain way, which resulted in reduced security. I let them dig their own grave.

In fact, the rest of my audit team remarked that I was extremely nice to them because I did not go on the attack. There was no need to come out guns blazing when they were doing such a good job of cornering themselves. During the product demo, I asked them to run the thing a certain way – and the thing crashed, which demonstrated a lack of robustness.

So, we were quite disappointed that it didn’t work. As the audit team, we try not to fail anyone and personally, I try my best to pass other people. So, we told them to fix things and to arrange for another session. We’ll give them another chance.

On our second meeting, I got to meet the CEO of the company who decided that it was important enough to grace us with his presence. This time around, the tea-lady brought in the water and placed it on the table without serving too. However, the director got up and served me a cup of water instead.

The treatment this time was totally different. It was “Dr. Shawn” this and that from the development team, “Dr.” this and that from the director and “Doc” this and that from the CEO (it got shorter as we went up the hierarchy). However, as the CEO tried to drag some wool over our eyes with his charisma, I was forced to take out my pistols and shoot down some of his points.

In the end, they tried to do a proper demo but even that did not pass satisfactorily. I spoke to the development team and we were all in agreement that the system did not perform as it was supposed to. In fact, their external consultant and team lead privately told me that they would need another few months to finish the product.

After the poor showing, the CEO was visibly furious and started to bark at his people. Our audit team were quite sympathetic with the development team because we knew that they were all going to kena after we left. It is sad, but they were not able to deliver what they promised to.

On a more personal note, I could appreciate the problem that they were trying to solve. In fact, I even told them that there was clear value in certain parts of their product. However, I do not have the confidence that they would be able to solve it since they failed to demonstrate sufficient technical competency. There was also sufficient inconsistency in their speech versus the actual product that they developed to further weaken my confidence.

Anyway, I have a couple more companies to audit after Raya and I am looking forward to more excitement!

Don’t let your mouth write checks your ass can’t cash

I had better make a note of this while the memory is still fresh in my head.

I was brought into a meeting by my boss today, to explain why it is that it is so difficult to deliver the system that we needed to deliver by a set deadline. On one side, my boss has been making promises of delivery without checking to see if the thing can be done. On the other side, I just cannot deliver the thing that they need within the time-frame that they want it by. So, I said this during the meeting with my CTO present. He asked me why and so I gave him the reasons.

Firstly, I said that I will not be around for a couple of weeks next month because I need to go back to Cambridge (some other people would also be going for their Umrah next month). My CTO threatened to cancel my leave application and that I have my priorities wrong. He asked if I agreed with him that my priorities were the wrong way around and I totally agreed with him that my personal priorities should be myself first.

Secondly, I said that the machines that we got arrived very late. In fact, we ordered the machines in Oct 2009 but due to various fiascos we only got the machine in Mar 2010. He said that this was not his problem and I told him that it was not my problem either. The problem started because our vendor refused to process our purchase due to substantial outstanding payments that our organisation had with them.

Thirdly, I said that I needed time to make things work because I do not have expertise in this area, which is true. My area of interests and expertise is in computer architecture and chip design. I am not interested at all with writing web applications or doing systems administration work. I am most certainly not an expert in these areas as I only do these things in a limited way for my own purposes at home.

It was right after I mentioned the first point that he advised me to leave. He said that I had my priorities the wrong way around and that he did not need people like me around. I totally agreed with him on that too – I am most certainly not needed by the organisation, which is the reason why I was put to work in a totally alien field to me.

What my boss needs to do is to hire more people, which was what I told my boss last week. If he gave me six people to do the work, I might be able to deliver it on time. I am single-handedly doing the work that another department has more than twenty people doing. While it is not that difficult, there is only so much that ten fingers on a keyboard can do at a time.

Furthermore, my colleague helping me out with this work is already leaving at the end of this month. So far, she has been handling the Windows portions and documentation work. I do not know anything about Windows and the documentation is all written in Word. I would not touch any MS stuff after she leaves.

Anyway, at least I finally got some face time with my CTO and got to put a few words across. Goodness knows that I have been trying for months to schedule an appointment to see him, months ago, to no avail and I have already given up. He probably did not think that I was his problem to handle either.

On another note, another manager said that I am an easy person to manage – which is true. I am honest, rational and logical. If something can be done, and I can do it, I will say that I can do it. If something cannot be done or I cannot do it, I will say that I cannot do it. I won’t weasel around and promise to deliver a system that I cannot. That’s all.

PS: Today, I turned down the invitation to have breakfast with my CEO tomorrow. He likes to touch base with the staff to get some ‘honest’ feedback. Unfortunately, since I did not think that I would have anything positive to say, I decided that it was best for me to stay away. However, I like this idea and I think that I will adopt it in the future – but less formally. If I had been invited a year ago, I would probably have gone but now, I kind of doubt that it would be a good idea to go.

I was asked to help conduct a job-interview last week. The candidate claimed to have some direct experience in embedded software programming. Unfortunately, the candidate met me. I only focused on asking the candidate questions about things that the candidate had direct experience working in.

Firstly, the candidate claimed to have written software for a variety of processors – almost a dozen of them. However, what the candidate failed to mention was that they all belonged to the same architecture – ARM. This is a slight-of-hand trick. Unless the interviewer knew his stuff, he would not know the variety in the ARM eco-system. But this stretching of the truth is fine with me – because at least the candidate had some experience writing software for one of the world’s most popular processor.

However, what I could not forgive was that the candidate did not know the thing that sets the ARM7TDMI processor apart from its predecessors – the introduction of the Thumb instruction set. The candidate claimed to have worked closely with the ARM7TDMI. Since the candidate failed to know the architecture, this limits the ability of the candidate to do embedded software programming. In order to do embedded programming well, the programmer needs to know the quirks of the hardware architecture and exploit it to their advantage.

Secondly, the candidate claimed to have helped solve some problem with their current project, dealing with null pointers. So, I asked the candidate how they found out the problem was the problem. Turns out that the candidate used the technique that I dub – random bandaging – trying random things until something works and then claim that the problem is solved, without understanding the under-lying cause. That is a problem that I have with my apprentice as well, but it is fine because we can always ask for proof and train our staff to investigate things.

However, what I couldn’t forgive was that the candidate – when asked what a null pointer was – looked at us incredulously and claimed that a null pointer was a pointer to a random memory location! Sigh. I thought that the name of the pointer should be a dead give-away. If the candidate had mentioned that it was a pointer to the null or zero memory address, I would have given half a mark. If the candidate could tell me that it is architecture specific and is just defined as an invalid memory address location, I would have given full marks. But it most certainly does not point to a random location – and that is a failed understanding of what a pointer is.

Thirdly, I wanted to test that the candidate could actually write code and understand how the code works. So, I got the candidate to write a simple for-loop that counts from 0-99. Thankfully, the candidate got this right. Then, I asked the candidate what would happen if I compiled the code as it is. The candidate didn’t know what would happen – the code block would be optimised away by the compiler because it does not do anything. That was still fine. Then, I asked the candidate to output the numbers on screen. The candidate used printf to do it.

So, I asked the candidate when is printf not supposed to be used. Surprisingly, the candidate said that it should not be used in interrupt routines. I was seriously impressed! Then, I pressed the candidate for why it should not be used and the candidate said that it was slow. Again I was impressed! Finally, I asked the candidate to think of any reason – even one – why it was slow but the candidate could not think of even one. Then, the candidate confessed to have only read the information online and did not actually know the reason why. Fair enough.

To me, at the very least, the candidate had a bit of working knowledge but I would still classify the candidate as quite a noob when it comes to embedded programming. Experienced nonetheless though – but still a noob.

Let me add – knowing the right answers to the questions is easy. Knowing why is the difficult part.

I learned something interesting today – if you have to choose between transferring files between two machines via a flash drive or a gigabit network, choose the latter. The transfer speeds are blazingly fast on a gigabit network. I managed to move a bunch of DVD isos across the network at speeds of about 250Mbps. Flash drives generally transfer at a tenth of the speed.

Oh yes, I’m playing with a bunch of servers at work these days – ones that cost the price of a car and sound like jet planes taking off whenever they are powered up. Vrroooom!

I was recently asked to talk about my project at work to a bunch of guys who were going to use it. During part of this presentation, I mentioned that we can use a temporary unique identifier to identify something. I suggested using a UUID. Only one of the audience, a certain Dr from a certain national body of higher education, asked me for an example of UUIDs. So, I told him that they are random numbers, usually 128-bits in length.

Then, he asked me for an example of a 128-bit random number…

I think that I must have given him ‘the look’ as another member of the audience, a certain contractor who works with us, stepped in and mentioned that they need not use UUIDs but can use anything they want including any sort of random number. I looked at him, smiled and said that he was correct.

Seriously, this certain Dr has been giving me a lot of doubts about his credentials recently. However, I decided to give him the benefit of the doubt as I did not know his background. He could be a PhD in English Literature for all I know. Even if he was a PhD in IT, it could still be something random like e-commerce instead of something technical like security.

As a result, I decided to check him out using my dear friend, Google. Turns out that he was doing a PhD in computer graphics and such, more than a decade ago. So, this person should have easily understood the meaning of a 128-bit random number and not ask me for examples of what UUIDs are.

So, it makes me wonder what this person is trying to do. He asked me not to be so negative the other day and I corrected him. I am not the one who is negative. I am absolutely positive even if I may be on a short fuse. He can ask me to relax a bit and not so stressed up but I am most certainly not negative.

I guess that he is not an English major after all.

I came out of a 2-hour meeting today, thoroughly exhausted. The reason being that I was doing the talking for most of the two hours non-stop. I was told to give a short half-hour presentation thing, the same one that I have been giving to a number of other groups. It usually involves me talking for about 5-15 minutes and then a short discussion for about 15-30 minutes or so. I have done this a number of times and it is not an issue.

However, I have also done this talk with this group of people for a number of times – each round dragging on longer than the last.This 2-hour meeting must be a record somewhere. Even our CTO commented that their budget meetings dealing with billions, do not take as long as our little problem. The problem is that some people are either too dumb or too lazy to do their work. I sincerely hope that it is the latter.

After about 90 minutes, I was seriously exhausted. So, I told everyone in the room and apologised because I may start blabbering away since my brains were already mush. But the meeting wasn’t a whole waste. I ended up drawing three fairly nice diagrams. I really liked one of them.

I have spent more than 12 years of my life teaching. I have taught all kinds of students including some really bad apples. Many hundreds of students have passed through my hands. However, this is the first time that I have had to face this brand of stupidity.

I have always said – I do not suffer fools.

I have just recently been informed that as part of the cost-cutting efforts at work, I will no longer be entitled to business cards.

!!!

Well, it is not that I have a great need for business cards. However, I do sometimes wonder how the management goes about selecting things to cut. A set of business cards do not cost very much. Let us say that two boxes cost about RM30 at normal prices. If we factor in a 100% markup in order to support our affirmative action policies, let us say that it costs RM60 for each person.

Now, let us say that there are about 500 people who are affected by this decision (I’m not sure of the numbers but our company is under 1000). That means that our company would be able to save about RM 30,000 but the question is how is this money spread out.

The thing is, the bottom feeders like me are unlikely to give out many business cards because we do not normally meet lots of customers or vendors. That is probably the logic driving the decision to cut this cost because it does not apply to our senior management who are free to print as many cards as they want (talk about leading by example).

Let us say that us bottom feeders give out a card each week. So, two boxes of name cards would last us about four years each. So, that’s a savings of about RM 7,500 per annum. Wonderful, I can hear our finance department screaming in ecstasy now. I wonder which bright spark came up with such a brilliant idea to save the few thousand each year.

As the saying goes – “Penny wise, pound foolish” – let us shave off a few pennies here and there while the pounds continue to leak out various pipelines.

Moral of the story is: just be glad that they’re not cutting jobs… yet!

PS: I think that we spend more than that on toilet paper. I wonder if they would be cutting that too.

You know what, I did not realise that anything untoward was happening within our opposition coalition. In fact, even after everyone started making a big fuss about MPs quitting and aligning themselves with the ruling coalition, I still did not feel like anything special was happening. Then it dawned on me – I have become politically numb with all the random sandiwara that happens and am no longer able to respond as expected towards political news.

On one side, people are painting the picture of a crumbling opposition coalition – fraying at the edges after being attacked for so long by so many people. However, I see the very same thing happening with our ruling coalition as well, also fraying at its edges after being worn for so long by so many people. So to me, crumbling political coalitions seem to be the norm in Malaysia.

On the other side, people are screaming like victims – victims of their own devices. They sowed the seeds of political expediency and are now reaping the harvest. I have often harped that our people do not have much of a choice when it comes to electing their representatives. That is why I have been trying to drum into people’s heads that there are four possible outcomes on a ballot sheet with two boxes.

Personally, I see these games as all part of a war of attrition, that all sides will lose in the end.

On a more exciting note, I had to fill up my personal evaluation form today. It was fun filling it up because I got to rate my own performance, which was naturally exemplary. However, I found it vexing that I could not rate my boss. I believe that performance evaluations should go both ways. Otherwise, the bosses would never know if they were a good boss because the people under them have no voice. Any honest evaluation, that is.

According to Wikipedia:

Wayang Kulit is a very unique form of theatre employing the principle of light and shadow. The puppets are crafted from buffalo hide and mounted on bamboo sticks. When held up behind a piece of white cloth, with an electric bulb or an oil lamp as the light source, shadows are cast on the screen.

Wayang Kulit plays are invariably based on romantic tales, especially adaptations of the classic Indian epics, “The Mahabarata” and “The Ramayana”. Some of the plays are also based on local happenings (current issues) or other local secular stories. It is up to the conductor or “Tok Dalang” to decide his direction.

The Dalang is the genius behind the entire performance. It is he who sits behind the screen and narrates the story. With a traditional orchestra in the background to provide a resonant melody and its conventional rhythm, the Dalang modulates his voice to create suspense thus heightening the drama. Invariably, the play climaxes with the triumph of good over evil.

The modern wayang kulit is actually quite elaborate, but it still sticks to its historical roots. It is still a form of theatre and a platform for story-telling. The electric bulb or oil lamp has been replaced with the technology of rear-projection screens like that used in the Smart Board 3000i. Instead of having a shadow play, we now have Powerpoint slides and Flash animation. Instead of having puppets made of skin, we now have life-sized skin puppets on a string.

However, the Dalang is still the genius behind the entire performance and his job is to sell vapourware hopes and dreams.

I’m writing this blog entry to let others know what to do if they are ever annoyed by the red-tinted address bar that you get in IE8 when you try to visit a secure SSL website using a self-signed certificate. This is quite common in development environments. The straightforward thing to do, that every developer knows, is to import the certificate into a trusted store, but for some unfathomable reason this is not so simple with IE8. Maybe it is not so unfathomable – Windows sucks as a development environment and assumes that all its users are idiots.

The catch in IE8 is that you cannot let IE8 decide where to store the certificate. You need to manually tell IE8, during the certificate import process, to put the certificate into the Trusted Root Certificate Authority Store. Once you do this, you will be able to see the certificate in the correct store – the annoying red-tinted address bar will disappear and a nice lock will appear instead.

But the most important thing is to never develop a browser specific application that cannot run in any other browser other than IE. If you do that your application is already broken even before it is ever used. There is no reason to stick with IE only because that just demonstrates your lack of insight into web development.

Frak it – idiocy is indiscriminate.

PS: I do not understand why I need to make infrastructural changes in order to support a wayang kulit – changes that will end up breaking a lot of things and require a lot of time to verify and then more time to undo.