I was called out by Dan Rigsby to do this, so here she goes:

1. How old were you when you started programming?

   I believe I was 12 or 13.

2. How did you get started in programming?

   I remember learning some BASIC in school in either 6th or 7th grade. Ya know, you draw a blocky gun and make it fire a one pixel bullet across the screen. I remember that being pretty fun. Also, right around the same time I started playing with QBASIC at home.

3. What was your first language?

   BASIC/QBASIC

4. What was the first real program you wrote?

   Not counting school, the first real program I wrote was a spaghetti code version (chock full of GOTO’s) of a Choose Your Own Adventure book.

5. What languages have you used since you started programming?

   BASIC, QBASIC, C, C++, MIPS Assembly Language, VB, ADA, Java, C#, ASP.NET, Javascript

6. What was your first professional programming gig?

   I was a lab TA for the CS101 Java course at Purdue, so that was my first job involving programming, but my first job actually programming was at Raytheon. I worked there for six years before coming to Interactive Intelligence in 2006. At Raytheon, I worked on various project for the Army and Navy involving mortar aiming applications, handheld applications, route planning applications for helicopters and many other things. If I tell you anymore I’d have to kill you.

7. If you knew then what you know now, would you have started programming?

   Definitely. Whenever I get asked what my dream job would be I always reply that it would be doing what I’m doing now (programming) or touring in a band. I deeply enjoy them both. But I must admit that programming for myself and writing whatever I want to write at the time would definitely be better than the maintenance programming I sometimes still have to do.

8. If there is one thing you learned along the way that you would tell new developers, what would it be?

   Don’t waste time. I can think of numerous times in college and after college that I just screwed around and did other things when I could have been honing my skills more and keeping myself up to date. I’m trying to get myself back up to date now and it would have been easier if I had just spent the time after college to do so.

9. What’s the most fun you’ve ever had … programming?

   I love programming for fun. Right now, my extracurricular programming activity is writing Bitter a Twitter/social networking client. In my spare time, I’ve also written a chat program, an email application, an account/password manager, an RSS aggregator and several Pocket PC applications including a file explorer, an RSS aggregator, a network scanner, and various other tools. I just find it a great way to learn and to me it’s extremely fun.

10. Who are you calling out?

    I want to call some fellow bloggers and non-bloggers alike (to see if they’ll actually start):

    • Aaron Lerch
    • Scott Bauer
    • Jeff Moser
    • Kyle Brown
    • Jake Robinson
    • Evan Byl
    • Brian McGreer
    • Todd Zerbe

I conducted an initial test run of a card sort today for my Twitter client Bitter. A card sort is a usability technique in which you hold sessions with potential users of your application and you, well, have them sort cards. Each card will contain a label used in your application. In an open card sort, the users will create groupings of cards themselves and name each grouping. In a closed card sort, the users will group the cards into the group names you provide them.

If your application is a web site, a card sort could help you organize the pages and links that belong under each section for your site’s navigation. If your application is a traditional desktop app, a card sort could help you organize the menu items under a top level menu. For my card sort, I used the labels from my options dialog (and even some potential future labels I plan to add) and had the user sort them.

I expected to end the card sort session with several groupings and have a better idea of how others may view the labels. I did indeed end up with that, but discovered several other things in the process that I didn’t expect. There were a couple assumptions I had made about how the options were to be used with the currently logged in user and the card sort showed me that those assumptions may not necessarily be made by other users.

Another thing I found was that you need to carefully think about and decide what to put on your cards. You have the choice of simply putting the label on the card, or you can put the label and a description of the label on each card. If you put just the label, then you’ll likely have the same problem as me of context-sensitive labels. For example, I have some labels named “New Tweets”, “New Replies” and “Sent Direct Message” among others. By themselves, you aren’t quite sure what they refer to, but once you see them grouped under the “Sounds” section it becomes more obvious. So should the cards stay pure and say precisely what the label will say in the application or should you muck with your independent variables and change the cards to include context like “New Tweets Sound“? That’s something you need to weigh the pros and cons of and determine for yourself and also probably consider when analyzing the results of the card sort.

Also, let your participant talk during the session. Let them ask questions. All this is valuable information. You can then ask yourself why the participant said this or that or why they asked what a certain card meant. You may think the answer is obvious, but maybe it’s not. But if they do ask you what a specific card means, ask them what they think it means. That’s yet more valuable information.

It’s also a good idea to video record the whole thing. It’s impossible to take notes and get everything during the session. Also sometimes you’ll see things on the recording that you didn’t see during the session. Just make sure you get permission first.

Overall, even though this was just an initial test run of a card sort, I can already see the benefits. I did this run through to see what works and what doesn’t work and now have a pretty good idea. If you are writing an application whether in your own free time or professionally, a card sort is a good idea. It doesn’t even have to be formal. Asking a coworker to take a few minutes and come over to your office for a quick card sort would work fine. Often times we just get so close to our applications, that we lost perspective. We get tunnel vision on how it’ll be used and how things will be used and interpreted. A card sort is simply a tool to get other perspectives and to rid yourself of tunnel vision.

Do have you a blog? Do you like word clouds? Do you wear shirts? Well then do I have a web site for you!

Just follow these three easy steps:

1) Go to SnapShirts.com, click "Custom" and enter your blog address:

2) Generate your word cloud:

3) Order your shirt:

It’s just that easy!

So what’s got two thumbs and loves his blog word cloud T-shirt?

Scott has been receiving emails from Sprint for several months now. The emails are kind and courteous and they thank him for his payment. They’re in plain text, no links. It’s not spam. It’s a real email from Sprint. The problem is that it’s not for Scott’s account. The emails are intended for another Sprint customer, but are for some reason being sent to Scott. Scott emailed Sprint’s customer service about the situation, but armed with only Scott’s email address that they had been sending payment receipt emails to, they just couldn’t figure out who should actually be getting the emails.

So Scott and I decided to set out and see what we could find out from just the email address. First, we went on to Sprint’s site and saw the login area of the webpage:

The "forgot username" link looked inviting, so we clicked there. Now all we have to do is enter the email address:

Email address entered and sent. Shortly afterward we received an email with the username. Success! But wait, what’s this? The email conveniently contained a link to the forgot password page:

Ok, Sprint, now you’re just making this too easy. We entered the email address and username and then received another email with a customized link to set a new password. Yes, that’s all it took. We now have full access to this guy’s account and all because he put in the wrong email address. We’re nice guys and all, so we logged out and sent an email to Sprint with the username to see if they would finally rectify the situation.

So here’s the question of the day: Is Sprint’s site truly secure? Should an email address really be treated as the key to the kingdom and allow anyone with access to the email address access to everything else? Shouldn’t at least one security question (no matter how secure (or insecure) they actually are) have been asked somewhere in this process? The concept of security and usability being at odds has been floated around a lot. Making something more secure tends to make it less user friendly and vice versa and while everyone wants their web site and application and product to be as easy to use as possible, security simply shouldn’t take a back seat.

In a world where multi-factor authentication is readily available, something like this just shouldn’t happen. There are plenty of different one time security tokens (some with screens and some that act as virtual keyboards), finger print scanners, and many other solutions that are orders of magnitude more secure than a password (especially passwords with an email address backdoor).

So when you’re designing your next web site, or web application, or regular desktop application, stop and think through all the different avenues that deal with authentication and security. Think about what can be done if an attacker has only one authentication factor, or if an attacker gains control of the email address associated to a user’s account, or if an attacker figures out one or more answers to your security questions. Are you comfortable with what the attacker can or cannot access? Is a little loss in usability and ease of use worth the extra security to prevent these sorts of attacks?

What scares me is that had Scott and I been not so nice of guys, we could have signed this poor sap up for Sprint’s Family Locator service and tracked him and his family right on their web site:

Now tell me how secure that is…

I’ve been thinking about how to do this recently with Bitter. When you have an update for your application that you want your users to have, how should you push it down? I see four distinct levels of updating:

Manual Check and Web Page Download

You can require the user to manually go the web page, check for a new version, download it and copy it over the old application. This is obviously the worse way to go from a usability perspective, but also requires little to no work for the developer (other than packaging up the new version). This is probably ok for applications that are seldom used, not popular, or maybe only for a select group of users, but not ok for anything other than that.

Automatic Check and Web Page Download

In this scenario, the application would automatically check for updates and alert the user of such, but would still require the user to actively download and “reinstall” the application. This only requires the application to download a file stored on the file that contains the currently released version number and compare it against it own. The developer would also need to manage the version number file and update it accordingly. Not difficult to accomplish and it gives you a little more bang for your buck.

Automatic Check and Automatic Download

With this version, the application would both check and compare the versions and then would automatically download the new version of the application with the user’s approval. It may also even copy the application in place over itself and restart the application. This is what I’ve currently done with Bitter as I document in this post. This is still not that hard to accomplish. In .NET, I showed that doing this is only about 10 lines of code of any real meat (not counting exception handling, logging and message boxing).

Automatic Check and Automatic Install

Here the application automatically checks for updates and automatically installs updates. No user intervention required or possible.

So what’s the best way to go? With Automatic Check and Automatic Download, the user still has to tell the application to download and install the updates. It’s up to the user. In Automatic Check and Automatic Install, the user has no choice. He is going to get the update or he ain’t running the application.

One of my new favorite applications Digsby, uses the Automatic Check and Automatic Install approach. When you login, it will check for updates and automatically install them. You don’t have a choice. This is good because the user doesn’t have to do anything special. They will always be up to date. This is good for the developer too, since the developer knows that if you are running the application you will have the latest version (or at least the next time you start). But what if you don’t want the update? It’s not uncommon for developers to introduce new features as well as new bugs into an application in an update. If you know about the new bug introduced in the next version, but need to login, what are you going to do? You don’t have a choice but to accept the update, get the bug, and hope another update with the bug fixed will be coming soon (and hope that no other additional bugs will be introduced as well).

On the other hand, if you don’t force updates, your user base could become this heterogeneous mixture of versions that you have to support and that your website has to support. If version 1.0 is checking for updates in a certain path, but the current version is checking for updates in another path, you either need to support both paths for an indeterminate amount of time or just let v1.0 break. Not only that, but users running older versions might request features that are already fixed and they have no real obligation or motivation to move to the next version. They could stay there using v1.0 until our insect overlords come and take over. Is that ok (the versioning thing not the insect thing)?

One more facet to consider with support is that businesses typically want to test Windows updates before deploying them across their organization. This often means that organizations and the multitudes of computers behind them can be several versions behind the current one in whichever OS they are using. If this describes the situation of your application, then the decision is already made for you. No auto updating otherwise your application will be passed up for another that does allow less-automatic update installation. However, most of us (thankfully?) aren’t in that category.

Arguably one of the best if not the best free Photoshop-like applications out there, Paint.NET, does not force you to update. It shows you that an update is available when you start up the application and you can check for updates through the menu, but you aren’t forced to update. And you know where it’s gotten them? I’m running version 3.10 on both of my home computers even though the current version is 3.31. I’ve seen the update dialog for months now and still haven’t installed the update. I’ve not intentionally not installed the application, it’s just that the version I have seems to work fine and I really don’t know how much trouble it will be or how long it will take to install the new version even though I’ve never tried. I simply don’t want to be bothered with it.

Where does that leave us?

The Automatic Check and Automatic Download method gives the user more control and keeps the user in the loop, but… it keeps the user in the loop. Most users don’t care about versions, they always want the latest. That may mean that we should use the Automatic Check and Automatic Install method, right? But doing that will piss off the 1% of users that actually want to control their versions let alone the business users. And what’s worse is that this method is all or nothing. You can’t let most users automatically update and then let other users choose which version they want. If that’s the case, then you’re automatically back in the Automatic Check and Automatic Download way of things with the support troubles and versioning nightmare.

So what’s it going be? Should you just cater to the common case or do you want to attempt to make all your users happy?

In my quest to make my Twitter client Bitter as easy to use as possible, one upgrade I had considered was making it auto-updateable. You click a button, it updates. Done.

As most things in .NET, it turned out to be relatively simple. You download the file, you move it on top of the running app, you restart… all neat and tidy. So without further ado, here’s the code:

private void UpdateApplication(string applicationDownloadURL)
{
    string downloadedFilePath = System.IO.Path.Combine(System.IO.Path.GetTempPath(), “bitter.exe”);

    // download the exe
    bool shouldContinue = true;
    try
    {
        WebClient wc = new WebClient();
        wc.DownloadFile(applicationDownloadURL, downloadedFilePath);
    }
    catch (Exception ex)
    {
        shouldContinue = false;
    }

    if (shouldContinue)
    {
        // get running app path
        string appPath = Application.ExecutablePath;

        // copy over running app
        try
        {
            // create archive’s app path
            string archiveAppPath = appPath + “.old”;

            // delete any old archived apps, archive the current app
            // and move the downloaded app in place
            System.IO.File.Delete(archiveAppPath);
            System.IO.File.Move(appPath, archiveAppPath);
            System.IO.File.Move(downloadedFilePath, appPath);
        }
        catch (Exception ex)
        {
            shouldContinue = false;
        }

        // restart the app
        if (shouldContinue)
        {
            Application.Restart();
        }
    }
}

Of course you should add logging and user feedback where appropriate. This is just skeleton code that gets the job done. Enjoy!

On Friday, I finally released version 1.0 of my Twitter client Bitter. Bitter is a .NET application with a tabbed interface similar to multi-tabbed web browsers (which should be all of them by now). I usability tested it with a team of twelve people for the whole week before and received lots of good feedback. With almost only minors issues being reported, I finally released it to the public on Friday. So far I’ve received only compliments and feature requests… so don’t be the first jerk out there to break that streak!

Anyway, if you’d like to give Bitter a try just download it from the site. And definitely let me know what you think and what you’d like changed.

On one side we have Subversion and on the other we have Live Mesh. With the former we have a solid, proven, and somewhat aging version control system. With the latter, we have Microsoft’s brand new (but actually not) Internet-friendly synchronization masterpiece.

With Subversion, you can easily commit changes, view different versions, and generally maintain your source code. Several different clients can all get updates from and commit changes back to the server in the typical client server model:

With Mesh, multiple computers (including an optional virtual desktop call "Live Desktop") are automatically kept in sync. Any number of clients can be added to the user’s Mesh network:

This is great and all, but each technology by itself is limiting. With vanilla Subversion, a user can work on a set of files at each client, but if he wants to continue working elsewhere on the changes that he was previously working on at his desktop, he simply can’t. With pure Mesh, a folder can be synchronized between multiple computers so that sets of working files are always and immediately available. However, in this case there’s no versioning. There’s no source control. The current version is the only version. So how could these two technologies be mashed up? There’s a couple potential ways…

The Gateway Method

Each Subversion client is an entry into the user’s Mesh network. The dual purpose machine acts a gateway between the two logical networks:

The gateway would sync the source from Subversion and that source would be synchronized across all Mesh nodes. The working set would always be available. So everyone’s happy, right? Well, not quite. The only way to commit the working files back into Subversion is through the gateway, since it’s the one computer that is both a Subversion client and a Mesh node. The other Mesh nodes have no direct access to Subversion other than through the gateway. This also means that the downloading of any other files the user might need could only be done on the gateway as well. Doesn’t sound like we got it yet.

The Full Synchronization Method

The other way is to force each and every Subversion client to be a Mesh node:

In this manner, the working set of files would always be available and the user can commit from whichever computer he’s on. An update in Subversion to grab the latest source would then be replicated across all Mesh nodes. Everyone’s happy now, right?

For starters, you have a chicken and egg problem here. If you set up Live Mesh synchronization first, then Mesh will download the files into the synchronized folder. But then when you set up the Subversion client, the first update will fail because the files and folders already exist. You can’t just delete the files, because Mesh will automatically delete them throughout your Mesh network. Not good. However, this is easily fixable by just signing out of Mesh temporarily, updating Subversion, and then signing back in to Mesh.

Making any changes on any of your Mesh computers will automatically be synched to the other computers. This makes updating Subversion obsolete. The updating is constant and automatic. You still have to (or at least you still should) check in your changes so that subversion can version the files correctly and so that others can see your check-ins, but if your source code repository only has a single user (you), you really aren’t forced to commit your changes.

And all this would be true in a perfect world where software works correctly and bug free all the time. Unfortunately, we don’t live in that world. After performing the Mesh and Subversion client installs on two computers, Mesh seems to be an in infinite loop. Mesh is continuously deleting and resynchronizing the files I deleted while offline from Mesh so that I could synchronized them through Subversion.

Switching to "work offline" didn’t stop the loop. The only way I could terminate it was to delete the problem files one by one… all of them. The unresolved conflict loop then stopped, however my files were no more. What to do now? How about updating via subversion a second time? Unfortunately, that leaves us with the same unresolved conflicts loop.

While this all seems like it should work perfectly well, it doesn’t. At the end of my testing, I have two computers using Live Mesh and working as Subversion clients. One of the computers is synchronized with my Live Mesh Desktop, but the other computer is actively  not synchronized. This seems to be a bug with Mesh since Mesh should synchronize all changes no matter how they’re made. Maybe this process would have worked with modified or rearranged steps. I don’t know.

So what have we learned here today? Well, the full synchronization method is too error prone and problematic. The gateway method would probably work fine for most people, although I proved that Mesh still has some synchronization bugs, so it may not be ready for prime time just yet. Either way, if you go about attempting to set this up, tread carefully, do your Subversion updates with care, and watch for Live Mesh synchronization issues. And don’t cry when your files mysteriously vanish. You’ve been warned…

I’ve developing my Twitter client Bitter for some time now. A small group of close friends have been alpha testing it for me for quite some time, reporting bugs and enhancements along the way. I’ve been tweaking things for quite a while now and feel like it’s time to go on to the next stage. Things eventually come to a point where enough is enough and you’ve got to release! Well, I’m not quite there yet…

Today begins the extended usability testing of Bitter in the form of user diaries. A user diary is basically a stream of thoughts that the user has as they are using the application. It’s a list of their real-time, unfiltered thoughts, impressions, suggestions, enhancements, weird experiences, bugs, and even feelings they have while using the application. The entries can be as big and descriptive or as short and small as the user wants. There’s no real format. Just a straight brain dump onto paper.

So what exactly is happening today? Today I sent out the release candidate of Bitter to my volunteer group of usability testers. I tried to get some old, some young, some experienced Twitter users, some noobs, some developers and some not-so-technical users. A wide variety of testers is best especially in usability testing. Not everyone has had the same experiences using software and so everyone comes in with a slightly different (or maybe even vastly different) viewpoints on how things should work. I’ve already seen a few issues while helping a less technical person sign up for Twitter and start using Bitter.

Anyway, I’ll post the outcome of all this in the near future and some lessons learned with my user diary process. Stay tuned…

I know you’ve probably heard this before, but it bears repeating: set the default options for your application how most users will want them. Do not expect your users to go into the options and tweak them. They won’t do it. And don’t think that normal users won’t care, but advanced users will go in there and change them. They probably won’t either. Just think of all the applications you use and think of how many times you’ve tweaked the options. I know I very rarely do. Just a couple in Firefox, one or two in Visual Studio. That may speak to how well their default options are, how I simply didn’t know that I could change that option or how I just don’t know where to look. In the sea of tabs, combo boxes, and check boxes, how are most users (let alone most users’ mothers) supposed to know where to look to make cookies work or change the default formatting when replying to emails or keep iTunes on top of all windows?

I experienced this first hand tonight. My brother-in-law recently bought a new Toshiba laptop, all nice and lightweight and filled with memory that’ll never get used. Since he bought it last week he hasn’t been able to login to various sites including eBay, his bank and some other sites. Interesting isn’t it? A new computer shouldn’t have any problems like that. So we went over to their house tonight and I take a look. We open it up, I bring up eBay and the homepage shows fine. “Wait til I login” he says. Name, password, submit…

Sounds simple enough, right? I need to mess with the cookie settings. Ok, cookies, cookies… where were those again?

Lucky for me, I know that the privacy tab configures how the browser handles cookies, but my brother-in-law didn’t. He’s a pretty average user: definitely not as ignorant as my grandma, but he’s no developer either. He very well might have known where to look, but in this case he didn’t. He’s never needed to before.

Would you have known? Have you ever customized your privacy options? I always tell myself I should, but I never have. What’s there works and I’ve never had any problems… famous last words, huh? His computer for whatever reason came with all cookies being blocked by default. Sure it’s more secure, but it’s by no means usable and would never be fully usable by him until he got it reconfigured.

So why did it come so locked down? Did the OEM fall into the trap of thinking that users always customize their apps? I don’t know. But you should know better than to think this. As Jeff Atwood said:

For most users, the default value is the only value.

So always install your applications thinking that the options will never be touched again… because they probably won’t.