DEV Community: Mackenly Jones

The Cumulative Advantage

Mackenly Jones — Thu, 19 Sep 2024 16:46:06 +0000

In the early days of Google, a well-known test occurred dubbed Google's 41 Shade of Blue. This test arose out of a disagreement between design and product. Design preferred a "bluer" blue, while product preferred a "greener" blue. What to do? Google employee #20, Marissa Mayer, who was known as the gatekeeper of Google's home page and a big believer in quantitative decision-making, decided to A/B test 41 different shades of blue. Whichever color performed best would win.

It's been claimed that this color choice resulted in an increase of $200,000,000 in advertising revenue.

It would be easy to read that story and think, "Wow, the colors I choose have a really big impact on my business, so I should probably A/B test colors like Google did." After all, there are many such stories where small changes resulted in claims of large rewards. But that would ignore the fact that you're not Google.

What is it that makes such seemingly simple decisions or ideas result in big impacts?

Something I often see on X/Twitter is large build-in-public style influencers who say things like:

"All you have to do is launch!"
"Presells are the way to go! You can validate and sell before you build."
"The most important thing is to ship!"

And for them, and others like them, that might be great advice, but when every day people try to take those "easy" steps, it often doesn't result in the instant success that those giving it experience time after time.

So, can anyone really do it?

Photo generated with DALL-E

Strategic Advantages

The traditional thought process behind why some succeed and others do not is the possession of "true" strategic advantages. I put emphasis on true, because if something doesn't work out, all that has to be argued is that it wasn't a "true" advantage. These advantages are formally identified through a SWOT analysis matrix:

Strengths

Strong brand recognition
Innovative product line
Experienced management team

Weaknesses

Limited market presence
High production costs
Dependence on key suppliers

Opportunities

Expanding into new markets
Developing strategic partnerships
Leveraging new technologies

Threats

Increasing competition
Changing consumer preferences
Economic uncertainties

You look at your business and try to determine the strengths, weaknesses, opportunities, and threats—a good exercise for becoming more self-aware—then you should be able to identify some strategic advantages that are unique to your firm.

In theory, if a firm mitigates its threats, leverages opportunities, fixes weaknesses, and uses strengths it will be successful. That may be true, but it doesn't really explain why some founders and firms can take small actions and receive big rewards. There's something more to it.

The Cumulative Advantage

This term was coined in the 80s as a part of cumulative disadvantage theory The general idea is that our actions and experiences and consequently our failures and successes do not occur in a vacuum or sterile environment.

In programming, we might think of it like this: If our life were a class, it wouldn't get re-instantiated every time we call a method; instead, the state persists until we go out of scope.

Things happen to us personally and professionally and to our business ventures that impact the future successes and failures of our efforts. As a result, it matters where and when we apply our effort.

Application to Founders

Now, we're getting to the main thought behind this post. It matters when you do something and what you've done in the past:

Effort spent with no cumulative advantage won't have a big impact. Sorry, but changing the color of the button on your $1m gross ecommerce store is not going to turn it into a $201m store.
Starting a product and posting about it on X/Twitter when you have 160 followers (like me) won't be enough to validate your idea or generate significant sales.
Making a $200m mistake won't be the end of the world for Google, but it would be for most businesses.
You get the point.

It's easy to see stories from those who have built up a significant amount of cumulative advantage and be tempted to copy or do the same thing that works for them. When you're the underdog, that's just not how it works. Having or building a competitive advantage is useless if you haven't built up enough cumulative advantage to truly leverage it.

For a competitive advantage to be useful, it has to have some momentum behind it. It's not as simple as working nights and weekends, making a design adjustment, or sharing on social media. Advantages are relative and can only be used successfully if they are the right thing at the right time. There's truly some luck involved, but that luck is only useful when you've put in the work in the past to build up the foundation upon which you can put your effort.

It's important not to let this concept become discouraging. The path to entrepreneurial success is rarely linear, and even those who seem to have overnight success started somewhere, even if they didn't document it or share it with the world. While the concept of cumulative advantage is real, it doesn't mean that you don't have control. The key is to start, stay committed, and continuously build upon each step forward. Shortcuts and get-rich tricks likely won't work, but persistent, incremental wins will.

If you're curious, it turned out that the greener blue was the one that performed best. But please don't take that as a reason to go change all your links and button colors. :-)

Cool Tools for Google Tag Manager

Mackenly Jones — Thu, 20 Jun 2024 01:23:03 +0000

In this post, I share a few tools I've been using lately for data analytics, tracking, and marketing, specifically looking at tools related to Google Tag Manager. As a software engineer, I've encountered a need to work with analytics tools quite frequently. I would much rather be coding than "button clicking" and thanks to these tools I can spend less time navigating dashboard menus and more time making sure the data I need is sent to the right place.

I hope that this article, or at least the links attached, find their way into your favorites bar and save you some time, as they have for me.

Request Map Generator

https://requestmap.webperf.tools/

This tool allows you to quickly scan a website and visualize its requests. This is valuable for determining what is loading on a website.

Critiques:

There's little in terms of analysis beyond requests and their timing data.
I would love to see a better visualization of how the requests affect load time (sorta like a flame graph).

Overall, great tool with helpful export features. Keep up the good work Simon Hearne.

For example, in the screenshot below, I'm loading Plausible Analytics, Adobe Typekit, and Google Fonts.

Request Map for Tricities Media Group's site

Tag Stack

tagstack.io - tracking stack from any website

Tag Stack is unique among the tools in this list in that 1. it has paid tiers and 2. also integrates lead prospecting. Rather than just a container analysis tool, Tag Stack allows you to scan a website and reverse engineer the container's config. This allows you to scan sites you don't have access to (without needing to download/copy the container config) and, in the Enterprise tier, even download the GTM JSON, potentially allowing you to clone a container if you lose access to the container in GTM. Pretty nice!

In addition to the scan functionality, Tag Stack also includes a lead search engine. Accoridng to the site, it has over 1.4 million containers scanned and searchable. This makes the service a valuable prospecting tool since users can query based on not using modern standards or based on technology (if, for example, you specialize in tagging Acme Social pixels). You can think of it as Shodan.io but for analytics data.

Critiques:

The lowest paid tier for the service starts at € 225 or about $240 per month. This makes this tool somewhat prohibitive due to the cost for casual or freelance users. I'm personally on the free tier, which includes 10 scans and 10 lookups per month. This has been enough for my relatively casual usage, but if I regularly needed it, I'd quickly run into the limits. I'd love to see a more affordable scan-only tier for users who do not need the prospecting features.
It hasn't picked up the container on a few sites I've tried (I'm not sure what the cause might be).
I'd love to see a mapping style feature like GTM Utility and a report generation tool with data similar to GTM Visualizer.

Shoutout to Lucas Kosta, the creator!

Walk Through

After completing a scan, the user is shown a page reminiscent of GTM's previewer, except with the addition of an audit and more detail on containers without needing access.

Tag Stack Scan Results

Notice how it shows the various features the container has and lets me dive into the individual tags and triggers:

Tag Stack Scan Containers

When clicking a tag, you can see more details, including parameters and connected triggers.

Tag Stack Scan Tag Details

GTM Visualizer

https://yuhui.github.io/gtmvisualizer/

This tool allows you to paste in your config and then see it broken down, illustrating which relationships are present throughout your container. Viewing these details is helpful since it let's you, at a glance, understand where and how various tags and triggers are used. Yes, you can find similar information in the GTM console, but this format is much easier to digest.

Critiques:

The UI design is a bit dated, but that's fine.
It would be nice to be able to click on a trigger/tag/variable's name and view it in its relevant list. Instead, the list is static (though the colors are a helpful touch).

As an added benefit, this tool is open-source (though not maintained), which is reassuring since it requires you to paste in your config or sign in. Big thanks to yuhui/gtmvisualizer on GitHub.

Using the tool is super easy. Just paste in a GTM JSON or Sign In with your Google Account (I didn't try the latter).

Screenshot of GTM Visualizer

GTM Utility

Visualize Google Tag Manager Container

I really like how it shows everything in a graph network. This view helps to visualize how the different Tags, Triggers, and Variables interact.

Critiques:

You can't drag around the canvas, instead relying on scroll bars.
Because of how the scroll bars are setup you can't use a full page screenshot tool.
There's no export option. Ideally, it should allow saving as a image, PDF, and/or interactive HTML file. If you trying saving as a HTML file, the functionality breaks.
When you select a node it shows only the relationships connected to that node. This is nice! But I would also like to see a side bar appear with more details about the node rather than just the name.

Overall, it's a great tool and a great price (free)! Kudos to Igor Smirnov 🔥

Using the tool is very similar to GTM Visualizer. Paste in your GTM JSON or Sign in with Google.

Screenshot of GTM Utility

At the risk of sounding like Buggs Bunny, that's all folks. If you're looking for help with your data and analytics, I'd love to chat. I am a certified Zaraz developer, which is a Cloudflare owned GTM alternative that takes the heavy lifting off of user browsers and onto the edge, with benefits including speed, interactivity, and privacy control. To get in touch, send over an email or directly book a paid 1-hour call where I'll try to work through your problem and/or give suggestions: https://tricitiesmediagroup.com/contact

I realize this is a departure from the more technical content I typically post on this blog, but rest assured, my drafts are piling up with content covering my approach to testing, an article on building a faster version of dig for name server lookups, and a deep dive from keyboard to cloud.

Functional vs. Dysfunctional Conflict in a Project

Mackenly Jones — Fri, 05 Apr 2024 20:49:07 +0000

As developers, we often work on projects with teams of people. Believe it or not, people do not always get along. Developers might not agree with UI, ops might not agree with developers, and developers might not agree with one another! Understanding how to frame conflict within a project can make you a better developer and teammate. In this short post, I look at the two types of conflict and how they can be used to increase project effectiveness.

On the surface, conflict within a project team sounds like a bad thing. However, in some cases, conflict can lead to a more effective project and better outcome. If a conflict leads to furthering the objectives of a project without damaging future productivity capabilities, it can be classified as functional.

In essence, conflict is okay when it results in better project outcomes but not when it inhibits team members’ ability to work together effectively.

The level and style of conflict that falls within the dysfunctional category can depend on the culture and maturity of the team members. In some cultures, using profanity generously is the norm, while in other cultures or in other companies, that would be considered unprofessional and offensive. Alternatively, one team member might not respond well to feedback, or another member might not be good at giving constructive feedback. Either way leads to dysfunctional conflict.

Project managers can encourage functional conflict by designating a team member as the devil’s advocate and protecting contrarians. Having a devil’s advocate ensures that even if the team is in total agreement, contrasting viewpoints will be considered. Functional conflict is valuable because it enables everyone’s viewpoints to be considered and evaluated. If everyone agrees, the project will suffer from a lack of diverse viewpoints. A devil’s advocate can help fix this issue by highlighting “the other side” of every problem.

Going further, in project teams, a phenomenon known as groupthink may occur when, either through peer pressure or the curse of knowledge, a team becomes too cohesive. Designating a devil's advocate ensures that someone brings to the table a variety of options to consider when making a decision, encouraging functional conflict and overall team growth.

That's all for now!

Cloudflare Magic Linker: Chrome Extension Project

Mackenly Jones — Sat, 30 Dec 2023 23:43:42 +0000

Beginning as a personal project, over Christmas, I decided to create a Chrome extension to make copying deep or magic links from the Cloudflare dashboard easier. In this post, I discuss the need for this tool, my process of building it, and how to install it yourself.

What Are "Magic" Links?

The Cloudflare dashboard supports several deep link variables (affectionately known as magic links by the community) to make sharing links into the dashboard easier. These links work by replacing various IDs found within the dashboard's URLs with variables that are intercepted by the deep linker. When a user visits a link like in the example found below, they're shown a selection screen to choose the Cloudflare account they would like to use, then directed to select the zone they'd like to use.

💡 Read all about Accounts vs. Zones vs. Profiles here.

After making both selections, they're redirected, in this case, to the Zaraz tools configuration page.

https://dash.cloudflare.com/?to=/:account/:zone/zaraz/tools-config/tools

...converts into...

https://dash.cloudflare.com/1234567890poiuytrewq/bogus.studio/zaraz/tools-config/tools

This feature of the dashboard is extremely useful for sharing links in blog posts like this, helping others in GitHub issues or forums, or sharing links with coworkers. But before now, the only way to create them was to manually replace the values or to use a bot within the Cloudflare Discord community.

Building the Extension

I've built several extensions before (mostly for removing ads on random sites and other random customizations that Arc could probably replace), but never have I published one of the Chrome Webstore. The process itself isn't hard; you mostly just have to pay $5 to create a developer account and fill out some paperwork saying you're not loading remote code and that you're not doing anything sketchy with user data.

Still, the documentation leaves much to be desired. The manifest v3 migration, which I have heard lots of rumors suggesting is designed to make tools like adblockers less effective, seems to have caused a bit of chaos as far as documentation goes. The documentation is there, but it's hard to tell what version it's for; I found several broken links within Google's own help docs, and the general process feels chaotic. Thankfully, the actual functionality of my extension is relatively basic, with a simple manifest, a small bit of HTML+ CSS, and straightforward JavaScript.

{
    "manifest_version": 3,
    "name": "Cloudflare Magic Linker",
    "version": "1.0.0",
    "description": "Create magic deep links for the Cloudflare dashboard.",
    "icons": {
        "128": "src/images/icon128.png"
    },
    "action": {
        "default_popup": "src/popup.html"
    },
    "host_permissions": [
        "https://dash.cloudflare.com/*",
        "https://one.dash.cloudflare.com/*"
    ]
}

I think the most challenging part was creating the extension's icon, but ChatGPT was able to come to the rescue and, on the first try, generated an icon that looked exactly as I wanted.

ChatGPT Generating Icon

Community Feedback and Collaboration

One of the most valuable parts of Cloudflare as a company is its community of users. After creating a quick MVP of the extension, I decided to make it public and ask the community for feedback and if anyone was aware of any more deep link variables that could be used (I don't think they're documented anywhere, at least publically). Within the community Discord, I created a post asking for feedback where several community members quickly added helpful comments and suggestions. A big shoutout to James, Chaika, and Erisa for bringing up the :pages-deployment variable and that Zero Trust supports :account.

Using the Extension

To try out the extension yourself, you can either install it from the Chrome Webstore like a normal Chrome extension or load it unpacked from the source using developer mode by cloning the repository to your local machine. The source code is licensed under the GPL-3.0 license and is open to issues and PRs.

Once installed, simply go to a page within the Cloudflare dashboard or Zero Trust dashboard, click on the extension, and copy the link. I would recommend testing the link first. At the time of writing, support for magic links in Zero Trust isn't complete, and some pages in the regular dashboard, like Workers, don't have full support for deep links. I hope to update the extension in the future, if wider support is added to the magic link system by the Cloudflare team.

Using the Extension to Copy and Link

If you've found this post or extension valuable, I'd love it if you gave it a star, and subscribed to my blog. In addition, you can sponsor me on GitHub, or get in touch about career opportunities on my personal site. Thank you for reading this far, and happy coding! 🔥

Review of Uptime Kuma Self-hosted Status Monitoring Tool

Mackenly Jones — Sat, 11 Nov 2023 06:20:34 +0000

Monitoring uptime statuses can be a complicated task, and SaaS services typically target enterprise users and have enterprise pricing. For small team and personal projects, uptime monitoring is often overlooked. Observability

Still, uptime monitoring is a valuable tool for incident response and tracking problems. If your servers go down at 2:00 AM on Saturday morning, it might be hard to catch unless you're a night owl like me. By the time you find out your critical service isn't functioning, it may be Monday or whenever customers or clients start sending support requests. That's no fun for anyone and makes it harder to gain visibility into what is broken.

That's where uptime monitoring tools come into play. A health check is run every few seconds or minutes to see if the server or endpoint is behaving as expected. The history of these checks and metrics on response speed is logged in a database for future review. If there's a problem, alarms or notifications can be triggered to ensure the right people know there's a problem as soon as it happens.

Tricities Media Group, my consultancy, is currently a single-person business, so I don't have a large team (or large budget) to configure enterprise monitoring solutions. But my client and my personal projects can still benefit from a comprehensive status monitoring system.

My Solution

I decided upon a tool called Uptime Kuma, which is an open-source self-hosted monitoring tool that can be run with Docker. I'm using Portainer on my Synology NAS to host the container and Cloudflare Zero Trust's Tunnels tool to securely expose it to the internet. This combo works great by using existing hardware that I already have running and allows for easy administration and maintenance.

Overall, I'm super happy with how it's working and plan to expand my use of this tool in the future. This tool is open-source, MIT-licensed, and community-supported, so while there are a few potential cons, they are opportunities for improvement rather than complaints.

💡This tutorial by Marius Hosting is an excellent resource for installing Uptime Kuma on Synologys.

Pros of Uptime Kuma

So. many. notification. options. This screenshot only shows about a quarter of the options. From Discord and Slack to Twilio and PagerTree, there are few notification tools that I can think of that don't exist. If, for some odd reason, the one you use isn't there, it also supports Webhooks with a custom body and headers, letting you send a request pretty much anywhere.

There are lots of options for customizing health check requests. You can change the HTTP method, encoding, body, headers, and specify authentication (basic auth, OAuth2, NTLM, and mTLS). With that many options, there's few things you can't do. You could even use it for HTTP CRONs.
A variety of check types. In addition to standard HTTP request and ping checks, there's also support for TCP, DNS, and other Docker containers. Many of these options support response validation to check if expected results are returned. One handy feature is a push URL that your application calls every x seconds. On top of that, there's support for a variety of database and server types, such as Postgres, MySQL, Radius, and MQTT.
The biggest feature for me is integration with Cloudflare Tunnels for reverse proxy. It's as easy as pasting in the tunnel token.
Status pages let you create custom statuses with groups of services you select. This allows for creating a status page for each client, for each application, or one for all of your applications. The sky is the limit. In addition, you can pin custom error or warning messages to highlight incident statuses as you correct any issues.
Custom domains for status pages. You can create custom domains for your status pages allowing for a single instance of Uptime Kuma to handle a variety of products and services.
If you run the tool on-prem like I'm doing in your home or office you can setup checks for systems on your local network. This let's you ping computers, security cameras, or anything really to see if they're running and awake. This opens a lot of options and the potential for using statuses as triggers for automation. For example, if all of the office computers are offline and it's after hours, schedule the lights to turn off in 5 minutes. Or if the smart refrigerator stops responding to health checks it may be worth checking in on. Just an idea. 🤔

Cons of Uptime Kuma

The base page of the app directs to login rather than a status page. For example, when a user visits status.example.com you would expect to be taken to a status page, but instead, you're taken to the status page admin login. A great change would be the ability to set a default status page to live at the app's base. A potential workaround for this is to host your app at a different URL and use custom domains for your status pages. This one might just be user error, but I'd appreciate the option either way.
Creating an incident isn't intuitive, especially at first. To create an incident message/update, you have to go to the status page's editor as if you were changing the page's title or style. A dedicated page within the main dashboard would be more intuitive and feel like a more seamless solution.
Lack of REST HTTP API. An API would superpower the capabilities of this project and make things like incidents much more programmable. Being able to send updates directly from an incident management system or form would help make automation much more seamless.
Automation integrations. This is probably something held back by not having an API, but it would be great to see integrations with tools like n8n or Zapier to trigger automation outside of the existing notification destinations. This can kinda be done using the webhooks feature, but still, there's an opportunity to let automation tools do things like set maintenance windows and incident messages.

Resiliency and Disaster Readiness

To wrap up, I have to add a quick note about resiliency. Many companies have made the mistake of hosting their uptime monitoring and error visibility tooling with the same infrastructure dependencies as the services they monitor. It's easy to see how this can go wrong. If there's a major problem and your systems go down, it's likely your uptime monitor will go down as well, making it useless.

For my purposes, I'm self-hosting it locally and using Cloudflare as the tunneling service. I, of course, do not host any of my services or sites locally, so as far as ISP, server, power, and network resiliency go, I should be fairly good. But I do use Cloudflare extensively. If Cloudflare's DNS or Tunneling went down, my entire infrastructure would be taken out. There are always going to be risks, but it's important to identify those risks and consider them when planning a solution. For my purposes, that's within my acceptable tolerance of risk, so I'm not going to spend the resources required to go a different route. If you're a large company or a dependency in your infrastructure is less reliable or more critical, I would suggest getting as much separation as possible between your core application services and your uptime solution. (read: Host on a different continent, use a different DNS, a different domain name registrar, and use an alternative payment method to pay for it)

If you enjoyed this post or want to chat directly, let's connect on LinkedIn, X/Twitter, or contact me about business opportunities at tricitiesmediagroup.com/contact.

Hacktoberfest 2023 👕

Mackenly Jones — Wed, 18 Oct 2023 00:06:01 +0000

Intro

Hi, my name is Mackenly and this was my fourth year participating in Hacktoberfest. I'm a full-stack developer mostly focused on web front and backend development.

This year I focused my contributions on three projects:

Link Shortener: A new project building a Cloudflare Workers based link-shortening application. https://github.com/mackenly/link-shortener
Cloudflare Documentation Improvements: I worked on improving the Cloudflare developer docs by fixing some errors and visual bugs.
Meetup Scrapper: My local developer meetup hosted a Hacktoberfest event where I worked on a project to scrap the latest meeting from meetup.com. This was also Cloudflare Workers based and will eventually be used as a part of the meetup's web page at tricities.dev

Highs and Lows

My biggest disappointment was the lack of Hacktoberfest t-shirts this year. Hacktoberfest certainly doesn't feel the same and it has lost much of the fun that previous years had. Still, it wasn't all bad. Getting to work with others at a dedicated event was great and I look forward to future events like that.

Thank you to all the maintainers, contributors, event organizers, and sponsors!

The Ethics of Hourly Billing

Mackenly Jones — Thu, 24 Aug 2023 02:33:49 +0000

One of the most obvious but often overlooked ethical conflicts within the workplace is workers who are paid hourly. By definition, those who are paid hourly get paid based on how many hours they work. (Indeed, 2023) It seems like a simple concept. But as information technology professionals, most of what we do involves making systems and processes more efficient.

But what does that mean if we're paid hourly?

Even if it might not seem that way, there is a finite amount of IT work that an organization can realistically need. So, by creating more efficient systems and processes, we're effectively reducing our earning potential even though we're adding value to the organization.

There are downsides to being salaried as well, where a reduction of overall headcount may occur instead of a reduction of hours.

Diving deeper, hourly billing is rooted in the Labor Theory of Value, a foundation of Marxism, where the value of labor is emphasized in the production process and ideal distribution of wealth. (Taylor, 1996) The idea that a worker's time is valuable is popularized by workers who argue they should be compensated based on how much time they spend working rather than the value they provide. This is where the concepts of minimum wages and pay ceilings come from. An example would be saying, "Workers who work 60 hours per week should make more per year than those who work 40 hours because the 60-hour worker works harder."

Photo by Hans Eiskonen / Unsplash

By being a truly effective IT professional by providing the maximum value to your employer or client, you're optimizing yourself out of a job. So what's the alternative? Make things more complicated? Here are a few approaches that are taken:

Put effort into developing complex and hard-to-understand policies, procedures, and guidelines to ensure that bureaucracy slows down the organization and increases the amount of required labor.
Increase the barrier of entry by requiring additional qualifications, certifications, government-mandated licenses, and other means to reduce and limit the talent pool.
Avoid tools that make us more efficient, such as modern IDEs (integrated development environments) and GitHub Copilot (AI code autocomplete).
Unionize to pressure employers to let us increase the amount of time we spend by limiting change and innovation to protect union member jobs while increasing benefits and compensation.

via imgflip

All of those options are commonly taken (not just in IT), but are they ethical? That question is answered based on your personal opinions and economic ideas. An alternative could be to incentivize employees to create value in a way that attempts to minimize the disincentivizing nature of increased efficiency and automation, but there are few mainstream examples of that within IT.

So that brings us to the title of this article: The Ethics of Hourly Billing

If employees aren't incentivized to be good at their jobs, that raises the question of how employees can behave ethically. I'm of the persuasion that people never behave counter to their incentives, so to create an ethical workforce, hourly compensation can't be the sole motivator.

A few types of employees may include:

Employees who see it as their moral duty to society to do their best at their jobs.
Those who simply do not consider the true economic incentives associated with their job.

Most people probably fall within these two categories rather than maliciously sabotaging their workplace but likely do participate in activities that ensure their job security without even realizing it.

The traditional solution to this problem in the tech startup world is stock options mirroring the long-standing practice of incentivizing executives by getting stock and/or full equity. When employees can earn favorable stock options, restricted stock, phantom stock, etc. they're given an opportunity to invest in their efforts and hopefully benefit from the profits of the company. But this doesn't necessarily make sense for every company (especially for small companies and those owned privately).

💰

Startups are often messy. Sometimes the incentive to build a company up enough to be able to get an exit payday results in a sacrifice in quality control and security that ultimately hurts the startup's growth. Just giving employees stock probably isn't the answer either because that just incentivizes employees to work towards raising the company's valuation, which doesn't necessarily equal true business success.

So, what's the best solution to this ethical dilemma? I don't know. It's clear that employees whose roles are to minimize inefficiencies and to effectively automate their own jobs (and the jobs of others) aren't incentivized to act in the best interest of their company causing an ethics conflict. But it's not clear the best way to universally fix this issue. And complex hard-to-understand questions like this are why economists have job security. 😉😂

If you'd like to read more on this topic, I wrote another post on hourly billing and labor theories over on The Church Factory, where I take a look at the similarities between traditional hourly billing and value-based pricing. Surprisingly, there are similarities, but also big differences.

If you’re a freelancer or independent consultant pricing your services based on value is essential. However, there is a common theme among value pricing advocates that suggests hourly workers don’t value price, which simply isn’t true.

The Ethics of Hourly Billing on The Church Factory

References

Indeed. (2023). What Is an Hourly Employee and How Do Employers Pay Them? Www.indeed.com; Indeed. https://www.indeed.com/career-advice/career-development/hourly-employee

Taylor, K. S. (1996). Human Society and the Global Economy. www.d.umn.edu; University of Minnesota. https://www.d.umn.edu/cla/faculty/jhamlin/4111/2111-home/value.htm

How to add users to a Cloudflare account

Mackenly Jones — Tue, 15 Aug 2023 01:22:26 +0000

A break from this site's usual higher-level tech posts, this post walks through the process of adding users to a Cloudflare account ad briefly covers a few account-related terms.

As a prerequisite, let's take a quick moment to look at three different Cloudflare terms that will be important: Zones, Profiles, and Accounts. If someone asks for access to your Cloudflare account, they're not asking for your username and password, instead, they're asking you to create a profile for them within your account.

Zones

A zone is most closely related to a domain but not to be confused with a website. Your Zones can be found within the homepage of the Cloudflare dashboard and serve as the hub for everything related to a domain using Cloudflare.

I disagree.

Websites have been called zones in the APIs and other places for as long as I remember so relabeling in the dashboard lowers confusion.

In addition a zone in cloudflare doesn't represent a website. Multiple websites can be under the same zone (subdomains, different…

— Mackenly Jones (@mackenlyjones) July 31, 2023

An X of Me Tweeting

Profiles

If you're reading this post, you're probably looking to add a profile to your account. Profiles are individual user logins attached to a single person and should never be shared between team members. A user's profile is tied directly to them and their email address. Profiles have a one-to-many relationship with accounts because a single profile can have access to multiple Cloudflare accounts, which in turn can give a profile access to many different zones.

Chart Showing a "User Profile" from Cloudflare Docs

Accounts

Accounts serve as a container for all of your organization's Cloudflare resources. Accounts hold all your Zones, Workers, Page, D1 databases, etc. One account can have many different profile members, each with their own roles and permissions.

Chart Showing an "Account" from Cloudflare Docs

Step 1: Members Page

First, log into your Cloudflare account. Then from the Cloudflare home dashboard, navigate to the side panel and select “Members” from within the “Manage Account” sub-menu.

Manage Account Sub-Menu

Step 2: Invite a New Member

From the manage account "Members" page, press the invite button or edit an existing member.

If you haven't already, now it a great time to enable "Member 2FA enforcement" to ensure that all of your users have a 2FA method enabled.

Manage Account Members Page

Step 3: Configure Account Privileges

From the invite page, first, enter the email address for your new user(s). Then within the scope section, select either "include" or "exclude" for your scope rule operator. Next, under "Type", select between:

All domains: Gives the user access to all domains (aka zones) on the account. This option is required to give the user access to account-level resources such as R2, Pages, Workers, Images, etc.
A specific domain: Select a single domain (or zone) to give the user access to. (You can add multiple zones by adding a rule for each).
Domain group: Select a predefined group of domains (zones).

💡

What is a zone?

In Cloudflare, a DNS Zone is a single domain name.

These would be in the same zone: example.com, blog.example.com, and example.com/about
These would be in separate zones: example.com, example.co, example.co.uk

After selecting the scope for the user, you can now configure the domain-scoped rules. These permissions allow you to control the new user's access level. For example, you may want only to grant read access. Always follow the principle of least privilege when assigning access. Once permissions are selected, press “Continue to summary.” Confirm the options are correct, and finally send the invite.

Now your new user will receive an invite email allowing them to join your Cloudflare account. If you ever need to change privileges or remove users, you can return to the "Members" submenu item under "Manage Account."

Design Systems

Mackenly Jones — Sun, 06 Aug 2023 04:21:49 +0000

What are design systems?

According to UX research firm Neilson Norman, "A design system is a complete set of standards intended to manage design at scale using reusable components and patterns." (Fessenden, 2021) To summarize, design systems are style guides, component libraries, color swatches, typography selections, etc., which together form a system of design. As a whole, a design system enables users throughout an organization to create applications, creatives, and other design elements in a way that matches and feels cohesive.

Well-Known Design Systems

Several well-known design systems include:

Fluent:

Developed by Microsoft, Fluent is the design system used by Windows 11 and other Microsoft apps like Word. https://fluent2.microsoft.design/

Material:

Developed by Google, Material is found all across Google products and services, plus used by many Android apps. https://m3.material.io/

Human Interface Guidelines:

Developed by Apple and found across many Mac and iOS devices, apps, and services. https://developer.apple.com/design/human-interface-guidelines/

SDLC Benefits

Design systems are about more than which colors and fonts to use. Design systems enable apps to become a part of an ecosystem. If your organization has a design system or follows another company's design system, it will be easy for users of your system to pick up your app's interface quickly. When components and layouts look the same across systems, users can bring their familiarity with them even when they've never used your new application.

Spillover Benefits

In addition to useability advantages, design systems also simplify the app design process, make building wireframes a breeze, and streamline the development process. Developers following a design system only have to implement components once. They can use your organization's component library across various apps, reducing repeated UI code and speeding up the development process.

Photo by Mario Gogh / Unsplash

References

Fessenden, T. (2021, April 11). Design Systems 101. Nielsen Norman Group. https://www.nngroup.com/articles/design-systems-101/

Social Engineering

Mackenly Jones — Sun, 09 Jul 2023 05:51:01 +0000

What is social engineering?

Social engineering is one of the oldest forms of malicious or unethical hacking. Scammers and con artists have used social engineering long before computers and the internet were ever created. The first social engineering attack comes from the story or legend of the Trojan Horse. According to legend, the Greeks hid inside a wooden horse and tricked the Trojans into letting them into the gated city.

Photo by Tayla Kohler / Unsplash

Another example of social engineering is the well-known Nigerian Prince email scam. You may think that the seemingly obvious scam is a new invention that came about because of low-cost email sending (cast a wide net, eh?), but that isn't the case. The Nigerian Prince scam traces its roots as far back as the 1800s when it was known as the Spanish Prisoner scam.

All throughout history, humans have been trying to trick, manipulate, and take advantage of one another. The recent phenomena of internet-based social engineering attacks is merely a chapter in social engineering's long history. As ethical hackers, our role is not to trick people maliciously but to educate and train our coworkers and clients to identify malicious actors who use their psychological knowledge to further their own interests.

Scammers, hackers, and con artists have used social engineering for millennia, and the general idea hasn't changed much, but the actual implementations of the attacks are always evolving to take advantage of emerging technologies and to outpace the public's awareness of tactics. Here are two current examples of age-old attacks that are being updated with modern tech:

New Phishing Domain Names

The #1 type of social engineering attack is phishing. Phishing comes in many forms (such as spam emails), but a recent threat has emerged that will likely be a headache for cyber security professionals who try to educate their coworkers on identifying phishing attacks. This new threat is the creation of the .zip and .mov TLD (top-level domains) by Google, which means anyone can register domain names using this extension. I share SwiftOnSecurity, a popular cyber security Twitter commentator's, sentiment in calling this move "dumb."

Let's look at an example of how this could be exploited in this infographic from Twitter user @hnasr:

What is the difference between the two urls?

one has an @ and one doesn't.

But also the first downloads version 15 of postgres from GitHub and the second one resolves to v15 dot zip domain which can also downloads a zip file that sure doesn't have postgres in it.

You see,… pic.twitter.com/muGU1ruYdD

— Hussein Nasser (@hnasr) May 17, 2023

These new domains will make it even easier to hackers to create realistic-looking phishing URLs.

Vishing

Vishing is a term assigned to phishing-style attacks conducted on the phone using the attacker's voice.

Most people are fairly alert when it comes to random spam calls; however, when combined with information gained from reconnaissance, sophisticated attackers can be very believable. When used in combination with another attack adding a phone call into the mix can add credibility to an otherwise suspicious attack by making it seem more genuine rather than just a bot.

If you've been keeping up with tech news as of late, you've probably seen demos where a clip of someone speaking is fed into an AI-powered tool, and the user gets a custom text-to-speech tool. This is great for attackers. With enough digging, you can find a video of most people (especially well-known business people) on social media. If you want to go full James Bond, you could even directly obtain audio recordings. All you've got to do is get audio clips (doesn't matter how), and you can create a fake voice that sounds exactly like an authority figure which you could use to manipulate a subordinate into transferring money or other action via a vishing call. This kind of thing used to only live in the imaginations of movie and TV writers, but it's now a reality.

An interesting report published by the US HHS's Office of Information Security claims a form of vishing called "hybrid vishing" increased by 625% in Q2 of 2022. A hybrid vishing attack is typically characterized by a multistage vishing process where the attacker calls back or introduces other stages to their attack.

One common variation is where the attacker sends a phishing email that instructs the victim to call a number. Adding a phone call increases the perceived legitimacy of the email, making victims feel more comfortable with the attacker. From my own personal experiences, I know I've seen many companies say that they will never ask for passwords over the phone, but they obviously do ask for them through websites. If I get a call asking me to verify by opening a link sent to my email and to check my spam, I might feel comfortable enough to do it since that's an authentication method deployed by many legitimate companies.

Summary

Think of it like this. Both malicious hackers and ethical hackers follow a similar strategy for successfully meeting their objectives. To defend a system, cyber security professionals rely on a concept called "layered defense," where multiple security controls or defenses are layered on top of each other so that even if one fails or is breached, the overall system isn't completely exposed. Attackers can utilize the same concept by implementing a "layered attack" where multiple steps are combined to increase the chances of success. Just sending a phishing email or just making a vishing call isn't likely to succeed. But when combined into a hybrid vishing attack, the attacker has a much greater chance of success.

Just like a single attack is more likely to fail, so is a single defense. Defense strategies with single points of failure (while sometimes hard to avoid) are likely to eventually be breached. As information technology professionals, it's our job to identify weak points in the systems we design and develop so that we can add multiple layers of security between our protected assets and attack surfaces.

Social engineering attacks are as old as dirt, but that doesn't mean they're unstoppable. Using multiple layers of defenses and ensuring accountability is maintained helps mitigate the threat of social engineering to an organization. Like all cyber security threats, your organization will never be 100% safe, but investing resources and training into improving your odds could mean the difference between disaster and identifying an attack before it succeeds.

The Wayback Machine

Mackenly Jones — Sun, 09 Jul 2023 05:26:32 +0000

In an ever-evolving digital world, websites come and go, often taking valuable information with them. The Wayback Machine, a digital web page archive created by the Internet Archive, seeks to preserve these moments in time for future generations to get a snapshot into the past.

Regularly used by journalists, researchers, and even web developers (to see the history of pages), the Wayback Machine has become an increasingly valuable tool for time traveling through the internet.

The Wayback Machine works by crawling websites, following links, and saving the content the crawler finds. The site boasts of having over 805 billion web pages archived.

The data archived by the Wayback Machine can be very useful for cyber security professionals, black hat hackers, and Open Source Intelligence (OSINT) gatherers. As a developer, there are several potential dangers of your website being achieved:

Comments in the code revealing sensitive data could expose your company to attack
Contact information on the site could be used in phishing attacks
Blog posts or other public content could reveal sensitive information about your organization's policies and procedures

Even though the Wayback Machine does present a security challenge, the Internet Archive's important mission of preserving the web for future generations benefits everyone. It's important to be aware of the fact that anything posted to the internet is probably archived somewhere. Cyber security specialists can help educate and inform their community, employers, and clients of the importance of not sharing potentially compromising information publicly on the web by knowing about and understanding tools like the Wayback Machine.

How can developers utilize the Wayback Machine?

If you work with clients or are on a dysfunctional team you may be familiar with stories like this... "Our website is down because our hosting server got deleted and we don't have backups!" This issue could be caused by someone not paying the bill, a malicious threat actor, or an incompetent employee. Either way, it's your responsibility to fix it.

Without a live website to restore or access the actual data on the servers, your options are limited. You might have never even visited the website you're trying to recover. This is where Wayback comes in. Using the Wayback Machine you can look back in time and see archived versions of the site, hopefully enabling you to rebuild the site. Not a great resolution, but without Wayback you would have had to start 100% from scratch.

Another common use case for Wayback is Always Online tools. Cloudflare in particular, has a feature powered by the Wayback Machine that enables their customers to opt into an Always Online feature. When your site's server is offline or otherwise unreachable, an archived version of your site is shown to your users with a little banner that lets them know this is an archived version. This feature is invaluable during downtime or other cases where your server may be offline. This is all thanks to the efforts of the Internet Archive and the contributors to the Wayback Machine.

How can I protect myself from the potential security vulnerabilities associated with the Wayback Machine?

Wayback in and of itself isn't a malicious or otherwise harmful service. In fact, as the previous section discussed, Wayback can be valuable to developers and IT professionals. The issues arise when site owners carelessly expose sensitive information that could be used by malicious threat actors to build out a target profile or as clues to conduct better-informed attacks.

Information security is paramount when it comes to the internet because any number of actors are constantly scraping the internet and saving what they find. Search engines like Google do this to provide better search results, the Wayback Machine does this to compile an internet library, and well-funded malicious actors such as nation-states and organized crime groups may be scraping the internet to gather intelligence and leverage. Because of these reasons, it must not be forgotten that anything you post on the internet might as well be published on the front page of every newspaper in the world and memorialized in lights on every billboard from Time Square in New York to Moscow, Russia and everywhere in between.

What policies can my organization implement to minimize the threat of scrapping archives?

Every organization's information security policies should dictate the importance of ensuring confidential data stays confidential. A few helpful ideas include:

Utilize secret scanning tools like GitHub's code scanning features with push protection: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
Don't publically expose internal documentation and resources/tooling.
Require peer code reviews and ensure that secure programming practices are followed.
Avoid disclosure of confidential information or specific technologies in job postings. Rather than saying we use WordPress version 2.0 and MySQL say we use CMSs like WordPress, Sanity, Druple, and Contentful along with database technologies like MongoDB, MySQL, and PostgreSQL.
Never put personal employee contact details on your website.
Restrict employees from disclosing confidential information about the internals of your systems in interviews, podcasts, engineering articles, etc.
Utilize a tool or build step that removes comments from your code. It's a great practice to write descriptive comments in your code, but it's not a great practice to share those comments with an attacker attempting to reverse engineer your site.

Choosing the Right Java Data Types

Mackenly Jones — Sun, 09 Jul 2023 04:33:25 +0000

There are several reasons for Java having different data types. Java has eight primitive data types:

byte
short
int
long
float
double
char
boolean

Of those eight, six are used to represent numbers. Byte, short, int, and long are all used to represent integers, while float and double are used to represent floating-point numbers.

You may be asking, "Why do we need to memorize six different data types just to store numbers?" Well, here are a few reasons:

Size / Performance

Primitive data types store their values directly in the memory location that's allocated for them. As a result, primitive data types have a fixed memory size. An int will always and only take up 4 bytes (32 bits) regardless of its value. The number 7 can be represented in the smallest Java data type, which is a byte (8 bits), or it can be represented as an int which is 4 bytes (32 bits).

Seven as a byte: 00000111
Seven as an int: 00000000000000000000000000000111

On most modern computers with hefty amounts of RAM, most programmers might not think they have to worry about how much memory their programs consume. After all, unless you're doing embedded systems programming where memory is limited, storing someone's age as an int rather than byte or short isn't going to cause your program to crash. But if your program is storing or processing a billion people's age, that's a different story. I've heard many stories where developers choose the wrong data type, resulting in unnecessary costs or performance issues for their applications. At scale, consuming four times the necessary memory or storage has real performance implications and can cost your organization millions of dollars. This is the key reason for needing so many data types. Only using what you need means there's less data for the computer to process and less data being stored in memory, files, and databases.

Precision

The other major reason is precision. This is inherently a side effect of saving space by selecting smaller data types. If you use a data type that's smaller, by definition, it can hold less data. This can become an issue when accuracy and precision are important when you don't know ahead of time how large of a value you need to store. According to our textbook, Doubles can hold up to 14 or 15 significant digits, while Float holds up to 6 or 7 significant digits. If you attempt to assign the value 3.1415926535 to a float, you're going to be out of luck. Java will truncate the value to 3.1415927 and your IDE will scream at you. Java gives us multiple data types so that we can select the best type for the data we're storing, but it's up to us as programmers to know what each type can hold and which will work best for our use case.

Type Capacity (Bonus)

Different data types can, of course, hold different maximum and minimum values. But one additional thing to consider is why can a short hold -32,768 to 32,767 rather than -32,768 to 32,768? Since data is stored in binary (which is a base-two number system), it would seem to make sense that the max number would be divisible by two. But that doesn't take into account zero.

Two bytes (the size of a short) contains 16 bits. With signed binary, that means there's a total of 15 bits that can be used to represent numbers (one is used to switch positive/negative). A total of 32,768 values are being stored within those 15 bits, whether positive or negative. However, there's one less positive number because with a positive number, all zeros mean zero; with a negative number, all zeros mean the lowest possible number. Positive numbers have to give up one value to be able to represent zero.

With any length of bits, the maximum number of values that can be represented is always divisible by two, but that doesn't mean what the values represent always will be since zero must be counted as a possible value.

Here's an illustration from my IDE's debugger showing the binary values of each variable: