Weeks are better than months

If I say to you “let’s meet in a month” you probably won’t know exactly when we are meeting again. It’s an approximation at best. Do I mean 30 days? Do I mean the exact same day number but on the next month? What if that month doesn’t have that day, like February 30th? What if we are in a business setting and 30-days-later or same-number-of-the-month falls on a Saturday? As you see, months, as a measure of time, can be pretty useless, especially when talking about small numbers, like 1 or 2.

There’s a better unit. The week. How long is the week? 7 days. All weeks are 7 days, no exceptions. If I say “let’s meet in a week” you know what I mean. Add seven days to today and that’s when we are meeting. If it’s a Monday, in a week, it’s also a Monday. Also, weeks are smaller, more granular, which is useful for little projects. If I ask “When is X going to be done?” I’d rather hear it expressed in weeks rather than months.

We normally use months because they allow us to set up a time in the year. We can say “July” and know when it’s that. Weeks can do that too actually.

Did you know that the weeks of the year are numbered? It is called “ISO week date”, where ISO stands for International Organization for Standardization. Since a year doesn’t start on the same day of the week every year and also has a variable number of days, years may have 52 or 53 weeks. This allows us to say week 5 or week 30 and refer to a specific week of the year. There’s even a format: 2015-W5-1. That refers to Monday of week 5 of 2015.
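The week-date arithmetic described above, as an added example that is not part of the original post (Python; the function names are this example's own). It accepts the unpadded form 2015-W5-1 used in the text as well as the zero-padded 2015-W05-1 that ISO 8601 specifies, and it covers the year-boundary case where 1 January belongs to the last week of the previous year.

```python
"""ISO 8601 week dates: parse, format, and count the weeks in a year."""
import re
from datetime import date, timedelta

# ISO 8601 writes the week with two digits (2015-W05-1). Accepting the
# unpadded form used in the text (2015-W5-1) is a choice of this example.
_WEEK_DATE = re.compile(r"(\d{4})-W(\d{1,2})-([1-7])")


def weeks_in_year(iso_year: int) -> int:
    """Return 52 or 53, the number of ISO weeks in the given year."""
    # Week 1 is the week containing 4 January, so 28 December always
    # falls in the last ISO week of its own year.
    return date(iso_year, 12, 28).isocalendar()[1]


def parse_week_date(text: str) -> date:
    """Convert a week date such as '2015-W05-1' to a calendar date."""
    match = _WEEK_DATE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not a week date: {text!r}")
    iso_year, week, weekday = (int(group) for group in match.groups())
    if not 1 <= week <= weeks_in_year(iso_year):
        raise ValueError(f"{iso_year} has no week {week}")
    return date.fromisocalendar(iso_year, week, weekday)


def format_week_date(day: date) -> str:
    """Convert a calendar date to its zero-padded ISO week date."""
    # The ISO year can differ from day.year in the first and last days
    # of a calendar year, so always take it from isocalendar().
    iso_year, week, weekday = day.isocalendar()
    return f"{iso_year}-W{week:02d}-{weekday}"


def in_weeks(start: date, count: int) -> date:
    """'Let's meet in N weeks': same weekday, N * 7 days later."""
    return start + timedelta(weeks=count)


if __name__ == "__main__":
    monday = parse_week_date("2015-W5-1")
    print("2015-W5-1 is", monday.isoformat())
    print("one week later:", in_weeks(monday, 1).isoformat())
    for year in (2015, 2016, 2020):
        print(year, "has", weeks_in_year(year), "weeks")
    # Year-boundary case: 1 January 2016 is still in week 53 of 2015.
    print("2016-01-01 is", format_week_date(date(2016, 1, 1)))
```
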

If you are using Google calendar, you can add the week numbers to it following this procedure:

  1. Click on “Other calendars”
  2. Click on “Browse Interesting Calendars”
  3. Click on “More”
  4. Next to “Week Numbers” click on “Subscribe”

From now on, in your week view, you’ll see a small rectangle with the week number, in this case, week 6:

Using Week Numbers in Google Calendar - Week 6

It also appears on your list of other calendars, so you can change the color and enable or disable it:

Using Week Numbers in Google Calendar - Other calendars

The most organized businesses I came in contact with made extensive use of calendar numbers, and I intend to do the same and recommend it to other people. I think the first obstacle to overcome is making the number ubiquitous so that when you use it, saying “week 6” for example, people know intuitively what you are talking about.

Let’s do it.

Picture by Yandle.

Happy New Year

Happy New Year! Up to now, Marty McFly has shown us what to expect, but from now on, we are in uncharted territory. It’s time to start making our own future, our own decisions. We can now focus on things more important than hoverboards. Just kidding, hoverboards are cool.

More than four years ago I co-founded Carousel Apps and since then I’ve been the CTO and now I am the CEO. I, like many geeks and entrepreneurs, can super focus on one thing and ignore all others. This can be very productive, but it can isolate you.

For example, I forgot how much I enjoy sitting down with someone and being the bounce board for their ideas or providing my technical expertise on how to execute those ideas. I ended up doing just this recently, which was a reminder, and now I want to do it more often. During 2016, I want to do it once a week.

I’ve been coding for 25 years, I used around 17 different languages in many different operating systems and countless frameworks. I worked for Google. I co-founded two startups (or more, depending on how you count). I had production systems in both Linux and Windows. I use a Mac and I used Linux as my desktop. I’m the CEO of a distributed company. If any of these things or the many others I’ve done make it sound like it would be useful for us to sit down for an evening and talk about your startup, let’s do it!

During 2016 I want to spend one evening a week helping a different entrepreneur each time, especially non-technical ones, with their issues, especially the technical ones. I want to do this for free, just because it’s fun. I’m located in London and I want to divide my time roughly equally between face-to-face meetings in London and remote ones with people from all over the world. By the end of 2016, I hope to have helped 26 London-based entrepreneurs and 26 from other places.

If this is something that you want, fire an email to pupeno@pupeno.com and tell me a bit about yourself and what you want to talk about.

Happy New Year!

How to legally submit an app to Apple’s App Store when it uses encryption (or how to obtain an ERN)

Disclaimer: I am not a lawyer, this is not legal advice. 


Shameless plug: I am available for hire doing Ruby, Clojure, Python or many of my other skills including managing developers.


There’s a lot of conflicting information out there about whether you need an ERN or not to publish an app in the App Store. I spoke to Apple representatives as well as various employees of a couple of US agencies. As painful as it is, if your app is capable of the simplest, most standard, of encryptions such as SSL/HTTPS then you need to answer your export compliance questions like this:

Mac App Store questions and answers about encryption

The conclusion from selecting the above answers:

To make your app available on the App Store, you must submit a copy of your U.S. Encryption Registration (ERN) approval from the U.S. Bureau of Industry (BIS).

In some places, you’ll see CCATS instead of ERN. I’m not 100% sure, but it seems CCATS was a previous more bureaucratic version of the ERN. Right now, what you need is an ERN and this is our journey to get it. We are publishing as much detail as possible so that you can replicate it for your own application. There are some other blog posts that explain how to do it, but we found that over the years, some of the steps changed and we had to find a new path. Since this is going to happen again, we are adding as much information as possible so that should your path be slightly different, you won’t have much trouble finding your way through it.

Starting at the beginning

After being utterly confused by both Apple’s as well as BIS’ FAQ and how-to pages, I decided to go to the homepage for the Bureau of Industry and Security and see where it took me:

Homepage for the Bureau of Industry and Security

At this point I knew SNAP-R was relevant to my needs. I was almost under the impression of needing one, even though I didn’t know what it was. Going through that page I found this:

BIS Would you like to

Yes! I’d like to submit an application (SNAP-R) – fourth item in the list. That takes you to this page: http://www.bis.doc.gov/index.php/licensing/simplified-network-application-process-redesign-snap-r, which defines what a SNAP-R is. It stands for Simplified Network Application Process – Redesign. I think a SNAP-R is sort of an account with the BIS. There’s no mention of ERN in that page, but it says:

You must have a Company Identification Number (CIN) and an active user account to access SNAP-R. The procedures and requirements for obtaining a CIN and user account are set forth below.

You need to obtain a CIN before you can proceed. If you scroll all the way to the bottom of the page, you’ll see:

BIS Obtaining a CIN for a SNAP-R for an ERN

And that link, ladies and gentlemen, is the most promising I’ve seen so far. It takes you to https://snapr.bis.doc.gov/registration/Register.do which looks like this:

BIS SNAP-R Company Registration for an ERN

The SNAP-R Company Registration process

After completing and submitting that form you’ll get an email to confirm your email address. I recommend limiting yourself to ASCII characters here, as the é and á in my name got mangled. That email took only a few minutes to arrive but the confirmation page claims the next step might take up to five days:

BIS SNAP-R Email confirmation

Some people claim to have been finished in 30 minutes or even less. I suppose it depends where you or your company is located. In my case, the five days elapsed so I sent them an email and two days later I got a reply telling me to call their support number: +1-202-482-2227 (later on I learned that another phone number that might help is +1-202-482-0707). When I talked to a representative, he said that I should have received the activation email already and just re-triggered it. Maybe calling them after a couple of days would have been a good approach to speed things up. Shortly after my call I got this email:

BIS SNAP-R Account Invitation email - for ERN

That link takes you to a page to set up your log in and password:

BIS SNAP-R Login ID and Password Setup

After entering those details, voila! you have an account:

BIS SNAP-R Login ID and Password Setup - account created

You may now log in:

BIS SNAP-R login in - for ERN

After logging in, you are now in your SNAP-R Home page:

Creating a new work item within your SNAP-R account

The next step is to create a new work item, which you can do from the sidebar. That takes you to a page that looks like this:

BIS SNAP-R Create Work Item

The type of work item that you want, to be able to distribute apps with encryption, is an Encryption Registration:

BIS SNAP-R Create Work Item Type Encryption Registration

Now, about the Reference Number, the question mark next to it sends you to https://snapr.bis.doc.gov/snapr/docs/fieldHelp.html#NewWrkItem1 where it says:

Enter a valid reference number for the Work Item. Reference numbers must be in the format “AAA1111”.

which didn’t really answer what a reference number is. I decided to call them again and when I asked the question they put me on hold for 25 minutes. I hung up, called them again and I was speaking with someone else in less than 3 minutes and she answered. The reference number is just something you make up, for yourself. It’s not something you obtain and it seems as long as you follow their convention, it’s fine:

BIS SNAP-R - Create Work Item - Encryption Registration and reference number

After creating the work item, you are invited to edit it. It starts partially populated and it’s straightforward:

BIS SNAP-R Edit Work Item Encryption Registration

Well, it’s straightforward until the last part: Documents. You need to attach the Encryption Registration Supplement No. 5 to Part 742.

Creating the Encryption Registration Supplement

Creating the supplement, thankfully, is easier than it looks; that is, when you know what you have to do. There’s a document number 742 that you can download from https://www.bis.doc.gov/index.php/forms-documents/doc_download/1208-742 and on page 60 it has the Supplement No. 5: Encryption Registration. These are the contents of that page:

SUPPLEMENT NO. 5 TO PART 742 – ENCRYPTION REGISTRATION

Certain classification requests and self-classification reports for encryption items must be supported by an encryption registration, i.e., the information as described in this Supplement, submitted as a support documentation attachment to an application in accordance with the procedures described in §§ 740.17(b), 740.17(d), 742.15(b), 748.1, 748.3 and Supplement No. 2 to part 748 of the EAR.

(1) Point of Contact Information

(a) Contact Person

(b) Telephone Number

(c) Fax Number

(d) E-mail address

(e) Mailing Address

(2) Company Overview (approximately 100 words).

(3) Identify which of the following categories apply to your company’s technology/families of products:

(a) Wireless

(i) 3G cellular

(ii) 4G cellular/WiMax/LTE

(iii) Short-range wireless / WLAN

(iv) Satellite

(v) Radios

(vi) Mobile communications, n.e.s.

(b) Mobile applications

(c) Computing platforms

(d) Multimedia over IP

(e) Trusted computing

(f) Network infrastructure

(g) Link layer encryption

(h) Smartcards or other identity management

(i) Computer or network forensics

(j) Software

(i) Operating systems

(ii) Applications

(k) Toolkits / ASICs / components

(l) Information security including secure storage

(m) Gaming

(n) Cryptanalytic tools

(o) “Open cryptographic interface” (or other support for user-supplied or non-standard cryptography)

(p) Other (identify any not listed above)

(q) Not Applicable (Not a producer of encryption or information technology items)

(4) Describe whether the products incorporate or use proprietary, unpublished or non-standard cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body. (If unsure, please explain)

(5) Will your company be exporting “encryption source code”?

(6) Do the products incorporate encryption components produced or furnished by non-U.S. sources or vendors? (If unsure, please explain)

(7) With respect to your company’s encryption products, are any of them manufactured outside the United States? If yes, provide manufacturing locations. (Insert “not applicable”, if you are not the principal producer of encryption products)

All you have to do is create a PDF file answering these questions for your application and upload it. I couldn’t find this information anywhere so I called them once again and that’s how I learned that all matters related to encryption were handled by the department… never mind the name, the phone number is +1-202-482-0707. Next time I’m calling them directly – there was no wait, no menu, just a person picking up the phone.

I created a document for my case saying:

Screensaver Ninja Encryption Registration Supplement No. 5 to Part 742

(1) Point of Contact Information

(a) José Pablo Fernández Silva

(b) +44XXXXXXXX

(c)

(d) pupeno@carouselapps.com

(e) 20-22 Wenlock Road, London, N1 7GU, United Kingdom

(2) Carousel Apps is a small London based company producing software apps such as Screensaver Ninja. Our main use of encryption (and so far all of it) is the standard SSL (https), OpenSSH, etc. You can learn more about us at https://CarouselApps.com

(3) We produce

(j) Software

(ii) Applications

(4) Our products use standard off the shelf encryption libraries and tools, such as https (SSL). We don’t develop or intend to develop any proprietary encryption mechanisms

(5) We don’t plan on exporting “encryption source code”.

(6) Screensaver Ninja uses Apple’s Safari component that allows https encrypted communication. This is provided by Apple. I understand that Apple uses OpenSSL which is an open source project and thus may have contributions from all around the world.

(7) We produce software, so, no manufacturing processes are involved. All our software is produced outside the United States. The reason for this application is to distribute an app through Apple’s App store.

I cannot vouch for this content, I’m not sure this is the appropriate file to submit, this is only what I did. The next step is to click on “View and Manage Supporting Documents” which will take you to a page that looks like this:

BIS SNAP-R Document Management Encryption Registration Supplement No. 5 to Part 742

There, click “Upload Supporting Document” and you’ll be greeted by this form:

BIS SNAP-R Upload document for Encryption Registration Supplement No. 5 to Part 742

I just came up with a title and keywords, entered the current date and my name as author. I think the only really important field is the document type:

BIS SNAP-R Upload document for Encryption Registration Supplement No. 5 to Part 742 f

Submitting the ERN

With that document in place and attached, we seem to have passed some sort of automatic verification procedure.

BIS SNAP-R Encryption Registration All party addresses have passed verification

I clicked on “Preview Work Item to Submit” and I was given a last chance to look at the application and verify its correctness:

BIS SNAP-R ERN Application with document

The submission process, triggered by the “Submit” button of course, asks you for your name, in a special format, one more time:

BIS SNAP-R Encryption Registration Submit Work Item

And when you click “Submit Work Item” you are done:

BIS SNAP-R Encryption Registration Submitted - Thank you

Uploading Encryption Registration to Apple

I almost immediately got a message in the SNAP-R website:

Screen Shot 2015-11-19 at 10.36.00

And the message was the acceptance of the application including the ERN code (blacked out):

BIS SNAP-R Encryption Registration Accepted

That is the document you need to upload to Apple. Take a screenshot of that page and save it for your records. Back at Apple’s iTunes Connect, when you answer the questions stating that you use encryption, you get an upload box for the document:

iTunes Connect Encryption upload ERN

If the upload button doesn’t appear, this is what an Apple representative suggested: “If you do not see the prompt, there could be a glitch in the website. One possible workaround is to change the answer to question 4 to “Yes”. By doing this the upload field should appear.”

Once you upload it, the “Submit” button will become enabled and you are ready to rock. Click it and your app will be on its way to fame and fortune. Well… that is… after they review your export compliance. For now, your app will be “Waiting for Export Compliance”:

iTunes Connect - Waiting for Export Compliance

From Apple’s version statuses, that means: “Your app is reviewed and ready for sale, but your CCATS file is in review with Export Compliance.” CCATS seems to be an older or bigger version of the ERN and in some places we can still find CCATS instead of ERN. Don’t worry, an ERN is all you need if your situation is similar to mine. When the status reaches “Waiting for Review”:

mac app waiting for review

Congratulations! Your ERN was accepted. You are done with this bit of bureaucracy.

If this blog post was useful or you find differences in the process, please, let us know in the comment section.

Picture by Yuri Samoilov

A browser in your screensaver is a square peg in a round hole

This blog post was originally published in Screensaver Ninja’s blog.

We were recently challenged by someone who asked what was so special about adding websites into a screensaver. Perhaps, at first, this doesn’t seem like a tough task but after months of challenging work, I can confirm it is. I realized I never shared exactly why yet, so here it is. Putting a browser into your screensaver is like putting a square peg in a round hole.

Chromium on Mac

Screensaver Ninja for Mac is already out there. It’s working and it’s robust, but getting there wasn’t without its pains. Initially, we wanted the Mac and Windows versions to have the exact same rendering engine and thus, we went for Chrome’s WebKit, packaged as Chromium Embedded Framework, or CEF for short.

Chromium, the open source version of Chrome, follows the same structure as Chrome to handle page isolation: by running it in different processes. On Mac, applications are distributed as bundles which you may know as .app files. They are actually directories and you can inspect the contents by right‐clicking or control‐clicking on it and then choosing Show Package Contents. (Warning: if you change anything the app will likely not work anymore.) When you use CEF, you end up with a secondary bundle application inside your application. This is sort‐of supported, but weird and not without issues.

In Mac OS X, screensavers are dynamic libraries that are loaded by a special screensaver program. When you make a screensaver, you are not in control of the running program, you just have a few entry points to start doing your animation. The Mac OS X screensaver framework doesn’t like it at all when you have a secondary app bundle that you trigger from your library.

During this research, we found a bunch of issues, many of which were not clear‐cut as solving it for us might break it for other people. We still needed those issues solved so we wrote scripts that would pre-process CEF and solve them for us. Ultimately we ended up dropping CEF; more on that later.

Swift

We decided to use Swift for our project. It’s the new way and we prefer higher level languages whenever possible. Swift saves us a bit of pain with memory management, syntax and other things. But we inadvertently caused ourselves quite a bit of pain. The Mac screensaver framework is still an Objective-C application and since we are not building an app, but a library, we need to write and compile Swift with Objective-C binary compatibility. This is not commonly done so it took us quite a bit of bumping our head against a brick wall to figure it out. Furthermore, not being in control of the program loading our library made getting error messages tricky at best.

Apple’s WebKit

When we dropped CEF, our alternative was Apple’s WebKit, which was so much easier to integrate and have running, despite the fact that there are two of them: one that works out of the box, but it’s deprecated, called WebView, and a new one that’s not so well supported, called WKWebView. We played a lot with both and both had the same problem: cookies shared with Safari.

Apple decided that all users of a web view must share cookies with Safari. This was not acceptable for us because we want to have separate independent sessions and in the future we are even planning on having separate cookie jars per site so that you can, for example, be logged into two different Twitter accounts at the same time. We contacted Apple about it, paying our tech support fee, and the answer was a resounding “can’t be done, we’ll add it to the list of things that we’ll consider in the future”.

Challenge accepted Mr Apple! We embarked on a quest to achieve this anyway that took us into the dark innards of the Cookie Jar, debugging it at the assembly level to understand its interface and workings:

debugging-the-cookie-jar

I have to admit it, that was fun. After understanding Apple’s cookie jar’s implementation, we wrote a test suite that was exercising it all, as far as we know, including bits that we believe are abandoned. After that we wrote our own implementation that stored the cookies separately and used the same test suite to make sure our implementation was equivalent to Apple’s. This code had to be done in a mix of C and Objective-C. Then we used method swizzling to replace Apple’s with our own and ta-da! Cookie separation.

Windows events

The Windows version of Screensaver Ninja is of course not done yet, but we’ve already started working on it and we are partly there. One interesting problem that we ran into is that Windows doesn’t help you at all with the workflow of a screensaver. It is of paramount importance to us that while the screensaver is running, nobody should be able to interact with those websites. We don’t want any keystrokes, mouse moves, mouse clicks, etc. to reach the pages, otherwise it would be a breach of our security approach to dashboards.

Windows has a long history all the way back to Windows 1.0 that ran as a little program on top of MS-DOS. Awww, good old days. Through the decades, ways to code Windows applications have changed radically and thus the way events travel through applications also did. That means that there are a lot of different ways for an app to get keystrokes, mouse events, etc. Finding them all and plugging all those holes was not trivial and since we are talking about security this required a lot of testing.

I’m sure that as we go along, we are going to find many more issues like those in the Windows environment, and we are going to solve them and we are going to strive for elegant, stable, robust code.

Finally happy with the creation of a web site

In the past, I never managed to build a web site and feel happy with the process. Every time I finished building a web site I would have a list of things to never do again. Until now! So, I thought I’d share.

First, by web site I mean content, like watuapp.com or screensaver.ninja, I don’t mean a web app. I’m happy with how I build web apps although I’m constantly improving and learning and trying new things. When it comes to content, you have to balance some opposing forces:

  • It should look amazing.
  • It should be flexible.

It should look amazing because it’s going to be compared to the ones produced by expert teams of designers at tech companies and if your web site is not indistinguishable from those, your web site will be perceived as unprofessional and as a result, so will you and your product.

I had web sites that looked very good. A graphic designer was hired to produce a pretty illustration of the web site and then a coder turned that picture into HTML and CSS. New pages were created by hand-coding them in HTML. The process of setting up the web site initially was ok, but after that, the workflow was horrendous.

Changes to the web site would come from non-coders, like the CEO, people in marketing or sales, copywriters, and they would be given to a developer to execute. Then we would have to prioritize between improving our web site or improving our product. Almost always product wins… only when the web site got to the point of being embarrassingly out-of-date or broken would we consider doing something about it. This situation is annoying and frustrating for both developers and content generators.

The way to solve it is with a Content Management System, where things get flexible. With a CMS suddenly anyone with a browser and the right access can edit the site, add new pages, correct typos, add a FAQ, change a title, write a new blog post, etc. It’s as easy as Microsoft Word and the output is as generic, boring and bland as that of your average Word document. It might be ok for text files, but on the web, that screams unprofessional.

The problem is a tricky one. You might think there’s a nice separation between design and content but that isn’t true. A content writer might decide to have only one column of text instead of two because there’s not enough copy. But the difference between one and two columns is a big one when it comes to design. The content might call for a picture or even worse, a drawing. The design establishes the palette and style of that drawing.

A screenshot of Screensaver Ninja’s web site at the time of this writing.

I just finished rebuilding the web site for Screensaver Ninja and for the first time I’m happy with the result. Not only how it looks, but the amount of work and funds required as well as the flexibility and workflow going forward.

The CMS we are using is WordPress and we host it at wpengine, which I really recommend. Not the cheapest, but if you care about your web site and you can afford it, you should go there.

One potential approach to having a beautiful site would be to go to 99designs and run a contest for a WordPress theme. My hesitation is around the flexibility of the result. Will the new design be completely hard-coded or will I be able to change the copy? What about changing more involved aspects like the number of columns or images? I’m not sure and asking around did not reach any useful answers. If you have taken this approach, would you mind sharing how it works with me?

The approach we took was to use a very flexible and advanced WordPress theme called X. We chose one of their many templates for a page that we felt would match our current branding and the message we wanted to communicate. We proceeded to fill it up with our own copy following these tenets:

  • Change as little as possible.
  • Ignore all images, just leave them blank.

Once copy was done, we hired a designer through a freelancing marketplace and asked her to produce images to fill in the blanks. We showed her our web site with the blank images as well as the original template with sample images and asked her to keep the style and palette. We provided some ideas for the images and she came up with some as well. After a couple of iterations we had all the needed images.

And that’s it. That’s how we produced that site. Yes, it’s possible that out there there are other sites that look exactly the same, but it’s not a big issue. It’s like worrying that somewhere out there there’s someone with the same t-shirt as you. The chances of you two being seen by the same person in a short period of time are small and even if that happens, whether the t-shirt fits you or not is more important. Nobody will care about your originality of clothing if they look horrible and the same goes for your web site.

Next time I have to build a web site for a product, I’ll do this exercise again and I recommend it to all entrepreneurs that are working in a small company and need to be efficient.

The danger of the wide product

Working at Watu I came up with the categorization of products by width. There are products that are wide and products that are narrow. They have different traits and understanding those traits is important. Watu is a wide product. Twitter is a narrow product while Facebook is wider. This is not a matter of complexity or size but a matter of how many modules or independent parts a product has. An example of a narrow but complex product is Apple’s Siri.

GitHub used to be a narrow product: git repositories. Now it is a wider product: git repositories plus issue tracker, plus wiki for documentation, plus public pages. You can think of more features that GitHub could add to make it a wider product: product management, customer management, etc. Adding those features make GitHub a wider product, while adding pull requests handling doesn’t.

The advantage of wider products is that they are the all-in-one solution for more people than narrow products. That’s because people tend to have a wide variety of needs. If your social need is just sending short messages, Twitter is the all-in-one, but if you also share pics, organize events, form groups, etc., then Twitter is no longer the all-in-one product and you need a wider solution, like Facebook.

The advantage of being the all-in-one product is that if your users are not looking outside your product they are less likely to jump to the competition. They are also more likely to put up with an inferior solution in one or several aspects because the other aspects make up for it and the seamless interconnection of the different parts of the product is in itself a big plus.

For example, if Facebook implements a Doodle-like module, it doesn’t have to be as good as Doodle to make me switch to it, because I’m already inside Facebook for socializing and event handling, so also using it for deciding when an event happens is very convenient (Facebook, please, don’t kill Doodle… just buy them if you have to).

But, there are some dangers to building wide products. One is that it’s harder to keep focus because you need to constantly jump between modules. If I was to develop Twitter by myself I would be much more effective than if I was to develop Facebook, because I would have less context switching. I believe this point is not true when you have more people than modules so each person or team can keep focus. But when you are a small three-person startup, this is something worth considering.

Another danger of having a wide product is that, even as a developer, it’s scary to jump outside. At Watu we saw several opportunities to build different products where a customer came with a need that didn’t match Watu perfectly. Every time we discarded it because building a new product and making it as wide as Watu was too much work and modifying Watu was undesirable. The truth is that maybe those products didn’t need to be as wide, they didn’t need all these modules and features, but that fact was very hard to see when we were living and breathing Watu every day.