Tuesday, August 20, 2013

Getting things out of your head

Most task management methodologies share some way to deal with getting information out of someone's head and into a persistent form as quickly as possible without evaluating it. Some methodologies use some notebook or tool that you carry around everywhere and you just write things down in them; others simply have you write things on a whole sheet of paper and throw it into an inbox. These actions are intended to relieve you of the mental burden of keeping track of stuff. When you write something down and you know you can find it again later when you need it, it stops filling the space in the back of your brain. A great deal of research has shown that the more thought that has to go into categorizing or figuring out where something has to go at the moment when you need to capture it, the more likely it is that it will be lost (due to interruptions, indecision, etc.).

Unfortunately, most PIMs require you to know exactly what you are going to do with the data before you ever capture it. And when you capture it, if you need to change it into something else, it can be a real pain that requires cut-and-paste.

The scenarios below deal with capturing information as well as evaluating and transforming it later.

Scenario: A parent is heading out the door when their son reminds them that he needs to be at the newly scheduled soccer practice on Saturday. When the parent jumps in the car they open the PIM application on their cell phone and simply speak "Trent has a soccer practice next Saturday at 4 PM". The PIM generates a note and automatically puts it into a list to be triaged.

That evening when the parent opens the PIM on their desktop or tablet it notes that there are several items to be triaged. When the parent looks at the note they use a finger gesture or mouse gesture to transform it to an event. The event is generated with the subject "Trent has a soccer practice", and a date of next Saturday at a time of 4 PM.

Scenario: An entrepreneur is on the road and uses a digital voice recorder to record a bunch of brilliant ideas that they absolutely don't want to forget. When they come to rest they open up their laptop, open the PIM and import the various sound files from the voice recorder. A note gets created for each sound file with the sound file attached. They automatically go into the triage queue and the entrepreneur can use voice recognition to extract the text or simply use the attached voice file as is.

Scenario: A vice president of a small company wants her engineering team to stay on top of the latest development technologies and subscribes to the newsfeeds of several training and development companies. She has set things up so that whenever something new is available it automatically gets put into her morning to do list as a task that says "Evaluate: New and Cool Course" where "New and Cool Course" was the subject of the newsfeed entry.

The VP evaluates a bunch of new courses and decides that 3 of them look interesting and then uses a mouse gesture or a click to transform all three of those into "Shared Votes" that are visible to the engineering team. The engineering team members each give a thumbs up or thumbs down to the particular course and at the end "New and Cool Course" has three thumbs up.

The VP then uses a mouse gesture or a click to turn the "Shared Vote" into a task "Schedule New and Cool Course for the engineering team".

Scenario: A security consultant has been asked to step in and have a conversation with a general consultant's client about their security needs. He enters this into the PIM as a note "Call so-and-so about security for whats-his-name". That night he tells the PIM that this note is now both an event (which is not yet scheduled) AND a promise. These are not two separate entities. The single item is both an event and a promise. The event does not yet have a hard and fast date so it needs to be scheduled. And when it is complete, and the consultant notes that it is complete, an email goes out to the general consultant to let them know that it's complete.

And the security consultant can even share the event with the general consultant so that the general consultant can see when the event has actually been scheduled.

One size does not fit all

Here are some scenarios pertaining to personalizing your PIM.

Scenario: A divorced parent is creating an event in their PIM for one of their kids' birthdays. When they create the event they include associated actions and events such as an email to be sent out two months ahead to check which parent is going to be throwing the party, a reminder a month ahead to make sure that both parents have the kid's "birthday list", a time to be scheduled a week or two ahead to do the shopping for the gift, and a time and checklist for the kid to write thank you notes afterwards.

After they have created that event, they can simply tell the PIM that this is a new type of event called "My Kid's Birthday" and the next time they schedule an event with that type it will include all of those associated actions and events and reminders.

Some of the follow-up videos include entering the "Birthday List" and automatically sharing it with the other family members and parents of kids who have been invited to the event. It is then visible as a checklist (somewhat like a wedding registry) that others can view and click off on.

Scenario: Someone using the PIM for the first time who is already an avid user of some methodology such as GTD (Getting Things Done) or Mission Control or Steve Covey... simply picks their choice of  methodology and their PIM is populated with the typical types used by that methodology. So a user of GTD would have types that included "Ticklers" and monthly reviews. A user of Mission Control would have the "Not Doing Now" and "Never Doing Now" lists.

And the user would still be able to add types of actions and events that are either associated with or derived from the types in the methodology.

Scenario: A teacher using the PIM had previously scheduled and taught a new course. The teacher had set up the classrooms in such a way that they included actions that automatically sent out the homework for that classroom the next day as well as a homework reminder to the students two days before each classroom reminding them that the homework was due as well as including the homework for that classroom.

The school asks the teacher to teach that course again and the teacher simply goes back into the PIM, selects all of the events from the previous course and then tells the PIM that the entire course is the new type "Really Cool Course". When the course gets scheduled the teacher goes into the PIM and  schedules a new course using the type "Really Cool Course" and substituting in the new dates. All of the actions and reminders and checklists and agendas from the previous course are included.

Scenario: A consultant makes a promise to a client to let them know when they have finished some research and to set up a new time to talk when that is complete. The consultant already has a type "Research promise and follow-up" in their PIM. The consultant creates a new promise from that type and types in the subject of the research and selects the client to be notified. The consultant clicks on the promise and notes that it's complete. The PIM generates an email notifying the client that the task is complete, puts it into the email queue to be edited and then sent out. The email contains a link to the consultant's favorite scheduling system (Timetrade, Doodle, etc.) that allows the client to schedule their follow-up.

In order to make these scenarios a reality the PIM needs to support

  1. The ability for users to create their own types.
  2. The ability for users to create types from existing events, tasks, and actions.
  3. The ability for types to include information that must be entered when a new instance of that type is created (such as the dates in the teacher's course, or the client used in the consultant's promise).

I am not hallucinating but...

I have, in the past, had problems with company vision statements. I could never see how any of the actions of most of the companies that I was dealing with were connected to the vision statement.

When I think about a vision I think of it as someone crawling their way through the desert and hallucinating about the oasis. And the oasis is truly beautiful; it shimmers. It is like a vision of the promised land (Cue heavenly choir).

As this vision starts to take shape it is mostly coming to me as pictures of what I would like to see in the world. Somewhat like visual "User Stories". In some cases they are simple images and in other cases they are mental videos.

But all of them are about what it would look like for a user to manage their life with tools that are built to fit their life.

In the next few posts I'm going to be describing the scenarios that make up my vision (this is the moment when I really regret a lack of artistic talent) and what I think is required to make the vision a reality.

The scenarios of these visions come from real life needs. Some come from my real life as a divorced parent who has created a really effective collaboration with my ex-spouse so that we are in a partnership to raise our children that includes our current spouses and involves being aware of and working with all of the parents' and kids' schedules. Some come from my life as someone who devotes a great deal of time to coaching people and working with other people's schedules. Some come from the people I have talked to over the years regarding their challenges in managing a busy distributed life while maintaining connections with people.

The one thing that all of these visions have in common is that the model that they are based on is much richer in connections, data types, and metadata than the typical models we see in use in most existing PIMs. To make this happen, one of the requirements will be that this data model and servers that support this data model will have to be ubiquitous. I have prototyped and experimented and I have confirmed that I can go back and forth between a rich and hierarchical model of events to something that can be represented in an iCal format but the rich nature of the hierarchical model would be lost.

So the first underpinning of this vision is that there is a rich model that is ubiquitous.

And so it begins...

In the last 14 days I've had over 60 conversations with people about what it will take to kick this project off and have it be successful.

I have talked to people about what they want out of a PIM, who they know that might be an expert on something, who they know that might be willing to contribute money to making this happen, and what would be the market for it.

And a path forward has started to emerge.

Along the way I have discovered that I have a lot of opinions that could get in the way of what I want to create. When I started this I was thinking purely in terms of producing an open source project and finding a way to fund it so that I could produce something that will shift the way people deal with their communities, their schedules and to do lists.

What I have discovered is that for many people an open source project alone is not going to provide what they want and need. With everyone I talked to, many of whom are open source boosters, I kept bumping into people's interest in the commercial availability of these tools.

A lot of startup owners, consultants and small business owners are definitely interested in having SaaS providers of these services so that they don't have to install and manage the software. Everywhere I went I kept bumping into that if I want to make the kind of difference I am looking at I will be dealing with people that want to deal with businesses that provide services.

I find myself resisting the very feedback I had gone looking for. That's like doing a marketing survey and then ignoring the results. I did not want to get involved in any activity that looks like a business. I really had to confront that my opinions about businesses and business owners were getting in the way.

All of my opinions boil down to: When you start selling something you start going down the slippery slope towards lying and losing what little integrity you might have. And of course, I have lots of evidence to support this opinion. I have been in many startups and other companies dealing with sales and marketing people who have "Sold the Sizzle" when the functionality hasn't even been put in the project plan. And I have dealt with executives in marketing or sales who have outright lied and directed their salespeople to lie. And I know many software engineers who can say the same. And when I have encountered single salespeople or even whole sales organizations that have integrity I have discounted them as exceptions rather than the rule.

I have a commitment to creating tools that make a difference in how people deal with life. In order to do that I can see that I am going to have to constantly examine my opinions and where they get in the way of that commitment.

Tuesday, August 6, 2013

Taking on something radical

Declaring something.

For years now I've been (playing with the design of, thinking about, contemplating, prototyping) a personal information manager and now I am taking it on.

What's happening right now

Currently, PIMs have hit a "semi-sweet" spot. Good enough to do the job but not "rock your world" great. They are capable and with some poking, effort, technical savvy, and working within their limits you can manage your life. 
Many people find a rough, workable set of tools and settle on it because no cleaner path presents itself. I know a very highly effective executive coach who constantly deals with breakdowns in synchronization between her different tools. And she is not alone. Everyone from small business owners to teachers to parents and students working in a more complex, fast moving world with more and varied commitments and opportunities for collaboration wrestles with the inevitable friction of getting the tools to do what they need them to do. The busier the person the more the friction is felt.

As more and more things need to be managed with increasing speed and accuracy the friction becomes more apparent until the user feels like they are swimming upstream. 

The right PIM is not "The Answer". But as people figure out ways to manage their lives powerfully the right PIM will empower them in using those methods. It will make the difference between feeling like you are swimming upstream or swimming with the current.

So for the people who want to manage their contacts and relationships with people, who have multiple accountabilities and calendars to juggle, and who need to track lots of tasks and the state of conversations, the less they have to deal with the tool the freer they are to do what they intend to do. Another consultant I know summed it up quite effectively: "How successful I am in life and business is a function of how many conversations I can effectively manage."

What the future predictably holds.

There is a lot of inertia in this area. Getting to the point that we can reliably exchange calendar events and contact information has taken awhile and most people have gotten used to tools that don't do everything they want. There is some friction but it is not so uncomfortable that most of us feel it strongly enough or often enough to do more than get wistful about something better.

The "good enough, not too painful" place the users are in doesn't call for powerful innovation.

The commercial products are limited by existing standards. Some of the key standards in the area of calendaring and exchanging contacts and tasks date from the 90s and interoperability has been poor. Calconnect, the Calendaring and Scheduling Consortium, was formed in 2004 and one of its major victories was clarifying the iCalendar standard and making it possible to test how well various products allow us to exchange meeting or event information. Some of the biggest players (Google, Microsoft, Apple) in the scheduling space really have no need to do more than provide some fairly basic, fairly usable exchange of calendar information via iCalendar. And there doesn't appear to be a lot of urgent and visible market needs that typically drive innovation.

So predictably we will see a series of incremental improvements with no radical changes over the short haul.

But the market is changing quietly but rapidly. The world has shifted to a very loose and collaborative footing. Personal communications, projects and collaboration are now routinely spanning countries, time zones, and languages. Sharing calendars, events and tasks become important collaborative processes even in families. The use of online services to find, locate, purchase, retrieve and use products and services that weren't available 10 years ago. School age kids have daytimers to help them manage their schedules. Schools have online homework and grade reporting. Hair salons, banks and retail outlets allow you to schedule appointments online. Online schools allow you to take courses and do homework online and schedule calls with advisors you have never met. Some businesses are composed of coworkers working at home collaborating with people they have never met.

Our existing PIMs and the standards they rest upon are insufficient to support us in that type of world and now is the moment for something new to come into being.

What is possible

Capturing things quickly. 

I envision a PIM that allows you to capture information quickly. You start typing and it creates a note. You can triage the note later or turn it into a task or event immediately. The intention is that you be able to get the information out of your head and into the system for dealing with at your leisure.

Personalizing life 

One size does not fit all. How we take on life colors how we describe the things in our life and how we track those things. Some of us have specific actions and events that others don't. I have "Calls", "Coaching Calls", "Sales Calls", "Calls to generate leads", etc. and each has its own agenda or checklist. Some people have "Promises" rather than just tasks. We all have specialized events like "Family Reunions", "Training Weekends", "Tax Audits", "Employee Reviews", etc.
The incident "Kickoff call with Carl" may be both an event with a start time and date and duration, as well as a task to be completed as part of another task or project. A given type of meeting may have an agenda, a separate checklist, and action items generated by the meeting. And each of those actions may or may not be themselves scheduled in time. When you are looking at the meeting, you want to be able to get access to the agendas and checklists easily. A birthday party usually includes actions like buying birthday cards, buying a gift, etc. And things change over time: a meeting or appointment may become a conference call or an email exchange.

Life has depth.  

When you schedule a class and it has 16 sessions, if you cancel the class you should be able to cancel the class as a whole, not each session individually. Each course may have classes which contain multiple sections each with their own agendas and checklists. Tasks often include multiple tasks which may include other tasks. Communities generally have a  hierarchical relationship. An organization such as a company may have specific departments within it and the departments themselves may have other included groupings. There may be more than one set of such hierarchies. The corporation may have a hierarchy for departments, a hierarchy for roles within all departments, and a hierarchy for current projects that spans across the departments.

Life is fuzzy.  

You may say to someone, I will do it next week but I don't yet know exactly when. Putting it in the calendar at an exact time is misleading. Not putting it into the calendar until you know when could lead to something else taking up the needed time. Some things are fuzzy in people's heads but need to be remembered until they can be clarified. The PIM should allow you to declare the fuzziness so that you are clear on what needs to be clarified.

Life is repetitive.  

Many of the most complex actions we take on in life are repetitive. I lead courses which have the same structure (the same number of sessions, many of the same checklists to be used each time, etc.). To schedule the course typically requires re-creating the actions by hand or reimporting the data with modified dates. Ideally, sets of actions and/or events should be something that you could create a template for and then use whenever you are going to schedule those actions or tasks. Ideally you would be able to simply plunk down something like "the course starts at this date, put all the standard actions, preparation tasks and events into existence and notify me of any conflicts".
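The template idea in this paragraph, combined with the three requirements listed in the "One size does not fit all" post on this page (user-defined types, types created from existing items, and fields that must be entered for each new instance), can be sketched as follows. This is an added example, not the author's design or code; `Item`, `ItemType`, `conflicts`, the `term` field and all sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

EVENT = frozenset({"event"})
REMINDER = frozenset({"task", "reminder"})


@dataclass(frozen=True)
class Item:
    subject: str
    start: datetime
    duration: timedelta = timedelta(0)
    kinds: frozenset = EVENT  # one item can be several kinds, e.g. event AND promise

    @property
    def end(self):
        return self.start + self.duration


@dataclass
class ItemType:
    name: str
    entries: list    # (offset from first item, duration, subject pattern, kinds)
    required: tuple  # fields that must be supplied for every new instance

    @classmethod
    def from_items(cls, name, items, parameters):
        """Build a type from existing items. `parameters` maps a field name to
        the concrete value it had in those items, which becomes a placeholder."""
        ordered = sorted(items, key=lambda i: i.start)
        anchor = ordered[0].start
        entries = []
        for item in ordered:
            pattern = item.subject
            for field_name, old_value in parameters.items():
                pattern = pattern.replace(old_value, "{" + field_name + "}")
            entries.append((item.start - anchor, item.duration, pattern, item.kinds))
        return cls(name, entries, tuple(parameters))

    def instantiate(self, start, **values):
        """Create a new set of items anchored at `start`."""
        missing = [f for f in self.required if f not in values]
        if missing:
            raise ValueError("missing required fields: " + ", ".join(missing))
        created = []
        for offset, duration, pattern, kinds in self.entries:
            subject = pattern
            for field_name in self.required:
                subject = subject.replace("{" + field_name + "}", values[field_name])
            created.append(Item(subject, start + offset, duration, kinds))
        return created


def conflicts(new_items, calendar):
    """Pairs of (new subject, existing subject) whose event times overlap."""
    return [(n.subject, e.subject)
            for n in new_items for e in calendar
            if "event" in n.kinds and "event" in e.kinds
            and n.start < e.end and e.start < n.end]


# Constructed sample data: last term's course and one existing appointment.
FALL_COURSE = [
    Item("Really Cool Course (Fall 2013): session 1", datetime(2013, 9, 3, 18), timedelta(hours=2)),
    Item("Homework due reminder (Fall 2013)", datetime(2013, 9, 8, 9), kinds=REMINDER),
    Item("Really Cool Course (Fall 2013): session 2", datetime(2013, 9, 10, 18), timedelta(hours=2)),
]
CALENDAR = [Item("Dentist", datetime(2014, 1, 14, 19), timedelta(hours=1))]


def demo():
    course_type = ItemType.from_items("Really Cool Course", FALL_COURSE, {"term": "Fall 2013"})
    spring = course_type.instantiate(datetime(2014, 1, 7, 18), term="Spring 2014")
    return spring, conflicts(spring, CALENDAR)


if __name__ == "__main__":
    items, clashes = demo()
    for item in items:
        print(item.start, item.subject, sorted(item.kinds))
    print("conflicts:", clashes)
```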

Life involves collaboration. 

Most activities in life involve collaboration. You may schedule a call and want an email or SMS reminder to go out to the other participants 15 minutes ahead of time. You may make a promise to complete an action and report it back to the person you made the promise to. The PIM could email or text that person when you completed that action. You may make a request via email and want to track who replied and who said yes and who said no. You may also want to share certain events or actions with others.

Memories are not infinite. 

If you are a teacher you may want to remember key details of your students or your interactions with them years later. If you are a consultant you may want to remember details about the client that you may not want in your CRM system but make it easier for you to have a conversation with them. If you are coaching someone you may want to track the ongoing promises they make to you so you can check with them at the next call.

What you see is what you need.  

People can only keep (GROK) a limited number (5-7) of items (or groupings of items) in their brain at a time. How well the PIM presents the data governs the usefulness and ease of use. The user must be able to tailor their display to fit how they work.

Context is decisive.  

Having the application be sensitive to whether you are home and online or home and off-line or at work and online etc. is key to determining what actions can be performed in a given situation. So eventually the application will be able to use the fact that you are in your home office to determine that you have resources such as phone, computer, Internet, etc. available to you.

What is next

In the next few weeks I will be blogging about my vision, my actions in creating the funding to take this on as well as technical topics centered around it.

Wednesday, February 6, 2013

Changing over to two factor hardware authentication.

Over the past two years I have become very concerned about security.

First of all a disclaimer. I know just enough about security to be worried. I am not a security expert but I do understand enough to understand some Bruce Schneier articles which is probably enough to qualify me to play a security expert on TV.

I was one of the people whose Dropbox accounts were hacked and attempts were made on several of my Gmail accounts as well as my bank account immediately afterwards. Luckily I do not use even vaguely similar passwords on the different systems.
In addition, I am seeing a huge increase in attempts on my home system through the firewall. My personal development server at home is accessible only through the SSH port and that port has shown a 173% increase in attempts in the last year alone.
On that server are several hundred gigabytes of scans of various documents and photographs on the family document management system. Of course all of this is backed up to the cloud but I would rather deal with disaster prevention than disaster recovery.
At work I am dealing with how to manage a large number (on the close order of 100) of username/password/SSH key/PGP combinations for various servers (development, testing, and production) in a way that allows me 24/7 access in case of emergencies without compromising security.

When it comes to security I have become as nervous as one of our forebears on the African savanna hearing a rustle in the tall grasses. I know that it may just be the breeze and it may mean nothing, but our ancestors have already demonstrated the value of panicking early and often. The ones that did lived to contribute to the gene pool. In this area, false positives are a survival feature.
As a result I have settled upon setting up two factor authentication based on something known (a password) and something possessed (a hardware key).

Any convenient hardware key alone will typically be subject to man-in-the-middle attacks, so to make that more difficult I was looking for something time-based like an RSA SecurID or something that generated a one-time password (OTP).


The first part of my solution is LastPass. LastPass is an online service that stores user names and passwords (along with other secure pieces of data). The data is stored in their servers as a single encrypted block and that block of data is kept in sync as a block with your local system. In other words it is never encrypted or decrypted except on your local machine. Your passwords don't pass over the wire. They don't have the password, you do. All encryption and decryption is done locally (usually via a browser plugin or a mobile application).
This has allowed me to change over to using automatically generated passwords that are very large and impossible for me to remember. By using LastPass I have drastically decreased the cognitive burden of keeping track of passwords. Though, of course, I still have to enter them into LastPass, but the browser plug-in makes that very doable. In addition, I don't have access to them when the Internet is down. Of course, if it is, most of the systems I need to connect with are inaccessible anyway.

On the plus side it has mobile apps for both the Android and iPad, and the cost for the premium package is $12 a year.
The key downside to this is that it puts a premium on protecting the single password for LastPass. And it is still only one-factor authentication (i.e. you only need the password).

Enter the Yubikey. 

It is sold by Yubico and is a hardware key that provides two factor authentication. It is significantly slimmer (2mm) than a standard USB thumb drive and acts as a USB keyboard. It is used by inserting the key into a USB port and then pressing a button on the key that causes it to generate a one-time password (OTP) that can then be validated against the Yubico security servers.
The standard keys are $25.00 apiece and can be purchased in larger numbers such as 10 for $200 or 50 for $750.
There are more advanced keys that do cooler things. More about the various "coolnesses" in a moment.
LastPass has built-in support for Yubikeys and you can register up to 5 Yubikeys with your LastPass account. That means that if for some reason you lose one of the keys, you can simply deregister it from your LastPass account and use your backup. In addition you can configure what types of systems require the Yubikey (mobile and desktop and so on) versus those that you don't want to use it on.
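Because the key types its OTP as keyboard input and several keys can be registered or deregistered per account, a relying service has to tie each OTP to a key it knows before trusting a "valid" answer from the validation server. The sketch below shows that binding check; it is an added example, not LastPass or Yubico code. It assumes the common 44-character Yubico OTP layout (a 12-character ModHex public ID followed by a 32-character encrypted token); the `Account` class is hypothetical and the sample OTPs are constructed, not output from a real key.

```python
MODHEX = "cbdefghijklnrtuv"  # ModHex digit at index i stands for hex digit i
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
PUBLIC_ID_CHARS = 12         # assumed default public ID length
TOKEN_CHARS = 32             # 16 encrypted bytes at the end of the OTP
MAX_KEYS = 5                 # per-account limit quoted in the post


def modhex_decode(text):
    """Decode ModHex to bytes; raise ValueError on any other character."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not ModHex")
    return bytes.fromhex(text.translate(_TO_HEX))


def split_otp(otp):
    """Return (public_id, encrypted_token) or raise ValueError."""
    otp = otp.strip().lower()
    if len(otp) != PUBLIC_ID_CHARS + TOKEN_CHARS:
        raise ValueError("unexpected length")
    modhex_decode(otp)  # rejects passwords or wrong-layout keystrokes typed here
    return otp[:PUBLIC_ID_CHARS], otp[PUBLIC_ID_CHARS:]


class Account:
    """Hypothetical per-user record kept by the relying service."""

    def __init__(self):
        self.registered = set()  # public IDs of keys bound to this user
        self.seen = set()        # OTPs already presented (local extra; the
                                 # validation server does the real replay check)

    def register(self, otp):
        # A real service would also validate this OTP with the server first.
        public_id, _ = split_otp(otp)
        if public_id not in self.registered and len(self.registered) >= MAX_KEYS:
            raise ValueError("key limit reached")
        self.registered.add(public_id)
        return public_id

    def deregister(self, public_id):
        self.registered.discard(public_id)

    def precheck(self, otp):
        """Decide whether an OTP is worth sending to the validation server."""
        try:
            public_id, _ = split_otp(otp)
        except ValueError as exc:
            return False, "malformed: %s" % exc
        if public_id not in self.registered:
            # Without this, a genuine OTP from anyone's key would be accepted.
            return False, "key not registered to this account"
        normalized = otp.strip().lower()
        if normalized in self.seen:
            return False, "OTP already presented"
        self.seen.add(normalized)
        return True, "forward to validation server"


# Constructed sample OTPs (random ModHex, not from real keys).
KEY_A_OTP = "ccccccdefghi" + "bcdefghijklnrtuv" * 2
KEY_A_OTP_2 = "ccccccdefghi" + "vutrnlkjihgfedcb" * 2
KEY_B_OTP = "ccccccjklnrt" + "bcdefghijklnrtuv" * 2

if __name__ == "__main__":
    account = Account()
    key_a = account.register(KEY_A_OTP)
    for sample in (KEY_A_OTP, KEY_A_OTP, KEY_B_OTP, "hunter2"):
        print(account.precheck(sample))
    account.deregister(key_a)  # the lost-key case described above
    print(account.precheck(KEY_A_OTP_2))
```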

I am currently using a Yubikey on my Android phone and all desktop systems, but not my venerable original iPad.
Using it is simple. I log into the LastPass account on my system using the browser plug-in (available for Chrome, Firefox, Safari, and IE).

After the browser plug-in has validated my local password it then asks me to enter the Yubikey one-time password.

I put the key into the USB port and press a button. And I am now authenticated until my LastPass authentication expires normally (I have it set differently on different systems).

For using it with my Android phone I use the NEO NFC (Near Field Communication) feature to simply hold the key to the back of my phone and it automatically brings up LastPass and asks me for my password and logs me in.

I have purchased 2 NEOs and a standard key and after two weeks I am very happy with the result. The biggest con to all of this is building the habit of always carrying my hardware key with me. But that is a small price to pay to drastically decrease my exposure to security breaches.

More on the Yubikey coolness 

The Yubikey comes in several different forms: Standard, NEO, Nano, VIP

A quick summary of what they're good for is below:

  • Standard - One-time password support and an additional "slot" for multiple configurations such as OATH. 
  • NEO - Same as the Standard with the addition of NFC to allow authentication to those mobile devices that support it. Also has other cool features that I don't yet understand.
  • Nano - Same as the Standard but ultra-tiny with additional support for the newer iPad camera docking station (This appears to be the only way to use the key with the iPad)
  • VIP - Same as Standard with additional features that allow it to be used with Symantec VIP and PayPal.

As far as software support is concerned there are login authentication solutions for Windows and Linux (I have done nothing to test the Apple based OSes). In addition they provide an API for writing clients that connect to their services.

As a special treat for me, they publish notes on how to use the Linux PAM (Pluggable Authentication Module) with SSH so that the hardware key is required in order to SSH into servers.

I'm going to be trying to set that up next week.

General usability

The LastPass browser plug-ins and integration with Yubikeys is very usable.

The only place where I have bumped up against usability is really in the documentation for the additional Yubikey integrations (such as the Linux PAM and SSH integration). They do seem intent on making it easy for third-party applications to support Yubikey authentication so I expect that will shift over time.

Next comes the real challenge: enrolling my wife and boys into using hardware keys.