A Day at Ground Control Conference 2017

Last Friday I was lucky enough to spend a day at Ground Control Conference in London. This was a conference for anyone leading digital projects. Talks revolved around project management, product management, Agile and leadership topics.

Coincidentally it was also Turing Day in our team. So this conference’s themes perfectly fit our aim to sharpen the saw and learn new things.

So here are a few of my key insights.

Yvette Pegues: Digital Diversity – Leading multi-sensory & multi-ability audiences

When designing (IT) systems, check their P.O.U.R. criteria:

  • Perceivable
  • Operable
  • Understandable
  • Robust (can this be interpreted on a different platform)

If you create content consider these practices:

  • Text alternatives
  • Search engines
  • Labeled images
  • Font enlargement, color contrast
  • Captured video
  • Short time-out windows
  • Meaningful links

Generally, follow WCAG standards.

Sam Barnes: It’s all about the little things

It is our job to look after people, and make them feel valued. It is about the little things. These include:

  • Manage your own workload: have your house in order
  • Always be present on communication channels
  • Get back to people on time
  • Unlock radical candor
  • Out of hours comms: make sure you are not expecting a timely reply
  • Assume people mean well
  • Trust is often the issue: Break work into smaller pieces to build up trust
  • Use regret to make decisions: “Will I regret it if I say no?”

  • Professional doesn’t mean being dull: Accept who you are, be comfortable and be yourself at work
  • Be nice, be polite and watch the outcome.

Adrian Howard: Failure Swapshop

Adrian was the guy who made me aware of this conference as we are both members of the BalancedTeam Slack. His workshop focused on failure:

  • Failure is hard to hear and hard to say
  • If you can’t admit to a failure you are not allowed to learn
  • Celebrate failure (don’t be afraid to fail) and you will have a better life

One way out of the not-allowed-to-fail hole is to run a Failure Swapshop:

  1. Hi, my name is ___ and I failed
  2. EVERYBODY CHEERS
  3. Explain your failure
  4. Share the lessons learned

Carson Pierce: Your brain hates project management

This was a great session on cognitive biases in project management.

To get past some of these biases:

  1. Slow down decision making, explore other ideas, analyze the information we get
  2. Unpack it, break the problem down into smaller pieces
  3. Go outside, find an external source to help look at things more objectively, reference class forecasting
  4. Flip it, consider the opposite of the problem, pre-mortems
  5. Be sad, avoid optimism bias
  6. Externalize, because memory is so bad: “Never memorize something you can look up.” (Albert Einstein) With meeting minutes, Jira tickets and Google docs, you never have to rely on your own information

Meri Williams: Modern management – Creating space to be awesome

Yet another awesome talk. Meri extends Daniel Pink’s Drive with a dimension on inclusion.

Space to be awesome =
+ Purpose (do I believe in why)
+ Autonomy (do I get a say in what)
+ Mastery (do I choose how)
+ Inclusion (do I belong here)

Cultivate inclusion, show that “someone like me can be successful here”. In order to do so, craft inclusive environments, answering these questions:

  1. Am I expected here?
  2. Am I respected here?
  3. Can I be myself and be successful here?

Michael Lopp: The impossible job

The day was wrapped up by Michael Lopp’s talk on Leadership, the impossible job. Michael presented 16 of his leadership practices/traits/hacks/qualities … Very worth it.

There is never enough time: As a manager you are exposed to more things.

#1 Two minutes early for everything. Show up two minutes early for everything. As a leader we set the tone.

#2 Office hours. As a leader there is more of them than you. It is not effective to meet them all. But you must be available. Schedule “office hours”. This encourages serendipity.

#3 Move the clock towards you. Empathy is a super power. Move the clock towards you to avoid devaluing the moment when looking at the clock.

You are greatly outnumbered by chaotic beautiful snowflakes.

#4 The most important meeting. One on one meetings with all direct reports. 30 minutes, every week, no matter what. If you have to reschedule, tell your people why this happens. Value people’s time.

#5 Learn everyone’s first name. As a leader you acknowledge the connection with other humans.

#6 Three questions before any meeting.  Prepare for any meeting and find three questions. 1:1s and staff meetings are for topics of substance, they are not status meetings. Talk about the things that matter to humans on the team. Value people’s time.

#7 Compliment frequently. Compliments are free and amazing leadership coins. Show acknowledgement and talk about the things we are doing well. Give compliments of substance to recognize the value of what others are doing.

There is too much to do and too much to know.

#8 Continually fix small things. Pay down a little bit of debt.  File bugs, pay attention to small things.

#9 Know the most important numbers. What are the three to five most important numbers in your business. Know where they are coming from and why they actually matter.

#10 Share profusely. Share meeting minutes. The more eyeballs see an idea, the better it gets.

Their expectations are unattainable. Their expectation is that you are the best version of them.

#11 Think before you speak. Everything you say as a leader is judged. Speak clearly, speak slowly. Get some speaker training.

#12 Admit and explain failures. Can you admit failure and explain it?

#13 Seek diversity. This is also about social justice. Ideas get better with diverse eyeballs. Pull in diverse ideas to build products for humans. This is really hard, this is a 100 year problem.

#14 Weaponize rumor crushing. As a leader crush rumors. Talk about gossip, rumors and lies in every staff meeting. Put truth/signal back into the system.

#15 Smile as the sky falls. As a leader smile when the sky falls. We want to understand how to fix it. The smile will calm people down so they can fix it. Set a positive tone.

#16 Pick one thing.
For @rands this is to be unfailingly kind.

Conclusion

The ROTI for this conference was a clear 5 (out of 5), i.e. it was an excellent use of time. I already signed up for the 2018 mailing list of Ground Control Conference.

IAM/CoSS Work Week – JAN 2017

Last week people from various Mozilla teams got together in Berlin for a work week on Identity and Access Management (IAM) as well as Community Support Software (CoSS).

<TL;DR>

Following up on work done throughout 2016, we

  • updated project visions,
  • populated backlogs,
  • resolved technical integration questions,
  • created roadmaps,
  • and defined integration milestones.

Lastly, we came out of the week with broad and deep shared understanding on these two projects and their envisioned impact on Mozilla’s mission.

Day 1

As people had to travel from many places in Europe and Northern America to the work week we used day one to get to know each other, set expectations and introduce project metaphors.

IAM Metaphor

Access management is strongly related to “levels of trust” of people involved in an initiative. In the past, this was usually modeled by relying on the “onion model” of Mozilla Communities. Moving forward, we believe that trust is better modeled using a Community Garden metaphor.

IAM Community Garden Metaphor.png

Some of the base principles driving this metaphor are:

  • Each contributor is a plant in the community garden
  • Mozilla is the environment providing resources that make plants grow (water, soil, rain)
  • The gardeners are the onboarding program members
  • Each group has a different level of maturity, like the plants
  • Levels of trust are represented by the depth of roots

CoSS Metaphor

Diving into Community Support Software, a Utilities metaphor closely resembles our project goals. Right now various Community Support websites are like cabins in the woods: from the outside they all look a bit different, but at the core they have a lot of similar needs. Taking a holistic approach to these products will allow us to develop robust technologies to service all. So instead of living as if we were all cabins in the woods, we will set up “public utilities” (sewage pipes, power, heating) that can serve the community. And we’ll make sure all the utilities (identity, event management, content management, etc.) can work together, can scale, and support openness.

CoSS Icon 2.png

Participants evaluated the Day 1 Return-On-Time-Invested (ROTI) at 4.7 (on a scale of 1 to 5).

Day 2

During the second day we split into two streams:

  1. Identity & Access
  2. Community Software

The Identity & Access stream created a very rough story map for the work to be done during the coming months. The Community Software stream identified, refined, and shaped a shared language among program managers, product managers and software engineers.

Together we agreed on various communication and collaboration processes and expressed our intent to run the projects in a Scrum-like development approach, allowing us to inspect and adapt as we go. This set us up to co-create a strategic vision for the two projects.

IAM Vision

Mozilla’s Identity and Access Management (IAM) project builds a secure, easy to manage, and appropriate authentication and identification service for all of Mozilla and its community, which enables seamless communication & collaboration between staff and volunteers.

It is an integral element of the Community Support Software project and an essential building block to Mozilla’s goal of making radical participation a strategic advantage.

This will be achieved by

  • providing an easy, safe, and consistent user experience
  • allowing for services to be expanded and focused based on level of trust or role
  • using the same IAM platform and tools
  • establishing organization-wide data consistency
  • reducing IAM management tasks

In 2017 IAM will expand the unified sign-up/login experience to all users and provide a common platform linking identity & access management for employees and volunteers.

CoSS Vision

The Community Support Software, CoSS for short (previously VMS or MozNet), provides the tools needed for people to contribute to the issues [could be tech or mission] they care about through Mozilla. A simple, transparent, guided and personalized User Experience ensures that work is surfaced, strategic, and done with clear accountability. It will have a near seamless experience with other Mozilla communication and collaboration tools.

Additionally, the CoSS facilitates and enhances the staff/volunteer relationship, allowing for staff or Volunteer Leaders to identify, recognize, and support people at a variety of levels and contribution types.

In 2017, we will create the start of a solution through iterative prototyping with local clubs, with the goal of building key functionality to solve programmatic needs in a way that is scalable for other teams.

Participants evaluated the Day 2 Return-On-Time-Invested (ROTI) at 3.6.

Day 3

By now we switched from “going broad” to “going deep”. This resulted in various break-out sessions, cross-pollination between the work streams, and continued refinement of the overall picture.

In the early afternoon we spent time on a real-life user experience journey, showing a Mozilla Club Captain’s journey from a Tweet to the website to his/her email inbox and all the back and forths happening in between. This was a fun and enlightening exercise.

The picture below shows Gene (the Club applicant) talking to Lucy (the website). Not pictured is Julia (the email inbox). The blue flag Alan is holding up signals confusion at this particular interaction step.

UX Journey.png

Participants evaluated the Day 3 Return-On-Time-Invested (ROTI) at 3.8.

Day 4

Throughout the day we continued to answer the hard questions. This included refinement of story maps, identification of personas, prototyping and stating product assumptions.

We also used the afternoon to check in with some of the core stakeholders: CRM/lifecycle marketing, MoFo leadership, IT leadership, Open Innovation leadership. Future stakeholder meetings are planned with the People team and others.

Participants evaluated the Day 4 Return-On-Time-Invested (ROTI) at 4.0.

Day 5

The final work week day. This is where our roadmaps came together. The pictures below are rough and should provide a high level overview. Work for the coming weeks will be based on these roadmaps.

Concluding the work week we are excited to be at the start of this implementation journey!

IAM Roadmap

public_iam

CoSS Roadmap

coss-roadmap

Participants evaluated the full week Return-On-Time-Invested (ROTI) at 4.8.

Closing Remarks

A huge thank you to the work week participants, sponsors and organizing committee. It was great to see that 23 people were able to set aside an entire week of their busy schedules and join us in-person. The many “Aha!” moments and actionable outcomes speak for the week’s success.

Now it’s time to switch into delivery mode and ship value. We aim to get as much done as possible in the remainder of Q1 and until we all meet again at the next All Hands. Onwards!

Work Week team.png

PS: If you want to continue the conversation, please join us on Discourse at the Participation Systems Program category.

HTTP 400 (Bad Request) on Mozilla’s Auth0 Passwordless Login

As previously mentioned, Mozilla decommissioned Persona and moved to Auth0 as authentication provider. During the past days, we received reports that users were returned HTTP 400 (Bad Request) upon login. With KaiRo’s help we tracked down an issue in Auth0’s plain text URL encoding. Awesome find! Big kudos to KaiRo!

For full details, please read on.

Steps to reproduce

  • Open reps.mozilla.org
  • In the top right, select Login
  • On Mozilla’s Auth0 Log in page, select Log in with Email
  • Enter your email address
  • Press Send Email
  • In your mail open the message from Mozilla SSO and view source
    • In Gmail: Options > Show original
    • In Thunderbird: View > Message Source (or ⌘U)
  • Take the login URL from section “Content-Type: text/plain” and paste it into your browser
  • A web page displaying “Oops!, something went wrong” is loaded

User-facing error message

Upon clicking the login URL from the text/plain content, the browser:

  • Opens a URL starting with https://auth.mozilla.auth0.com/passwordless/verify_redirect
  • The web page says “Oops!, something went wrong”
  • Clicking on TECHNICAL DETAILS > See details for this error shows: invalid_request: missing client_id parameter

Auth0 HTTP 400.png

Root cause analysis

The passwordless authentication email full message looks like this (simplified content):

Content-Type: multipart/alternative;
 boundary="----sinikael-?=_1-14816452544280.8165679203812033"
From: Mozilla SSO <noreply@sso.mozilla.com>
Subject: Welcome to reps.mozilla.org
X-Mailer: nodemailer (2.3.0; +http://nodemailer.com/; SES/1.3.0)
Date: Tue, 13 Dec 2016 16:07:34 +0000


------sinikael-?=_1-14816452544280.8165679203812033
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Welcome to reps.mozilla.org!

Click and confirm that you want to sign in to=
 reps.mozilla.org. This link will expire in five minutes:

https://auth.mozilla.auth0.com/passwordless/verify_redirect?=
scope=3Dopenid&amp;response_type=3Dcode&amp;redirect_uri=3Dhttps%3A%2F%2Fre=
ps.mozilla.org%2Foidc%2Fcallback%2F [other parameters removed for privacy]

If you are having any issues with your =
account, please don't hesitate to contact us by replying to this mail.

Thanks!
reps.mozilla.org

------sinikael-?=_1-14816452544280.8165679203812033
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.=
w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=3D"http://www.w3=
.org/1999/xhtml">

[Content removed for sake of readability.]
</html>
------sinikael-?=_1-14816452544280.8165679203812033--

The relevant part is the text/plain section. The URL parameters are encoded incorrectly. Instead of a simple & (ampersand), the parameters are concatenated via an HTML-encoded ampersand (&amp;). HTML entities are not decoded in a text/plain part, so the literal &amp; ends up in the URL. This breaks the URL, resulting in the HTTP 400 (Bad Request).
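The failure can be reproduced offline. The following is an added example, not code from the original post or from Auth0: it decodes the quoted-printable text/plain part of a constructed message modelled on the one above (the client_id value is a placeholder) and parses the query string the way a standard parser that splits on & would, which is an assumption about the server side. The parameter names come out as amp;client_id and so on, which matches the reported "missing client_id parameter" error.

```python
import html
import re
from email import message_from_string, policy
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the message shown above.
# PLACEHOLDER_CLIENT_ID is a made-up value, not a real client id.
RAW_MAIL = """\
Content-Type: multipart/alternative; boundary="b1"
From: Mozilla SSO <noreply@sso.mozilla.com>
Subject: Welcome to reps.mozilla.org
MIME-Version: 1.0

--b1
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

This link will expire in five minutes:

https://auth.mozilla.auth0.com/passwordless/verify_redirect?=
scope=3Dopenid&amp;response_type=3Dcode&amp;redirect_uri=3Dhttps%3A%2F%2Fre=
ps.mozilla.org%2Foidc%2Fcallback%2F&amp;client_id=3DPLACEHOLDER_CLIENT_ID

--b1
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<html><body>HTML part omitted</body></html>
--b1--
"""

ENTITY = re.compile(r"&(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);")


def plain_text_urls(raw_mail):
    """Return the URLs in the text/plain part after quoted-printable decoding."""
    msg = message_from_string(raw_mail, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content()  # undoes =3D and the soft line breaks (=\n)
    return re.findall(r"https?://\S+", text)


def query_params(url):
    """Parse the query string, splitting on '&' only."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True, separator="&")


def entity_encoded_urls(raw_mail):
    """Template check: text/plain URLs that still contain HTML entities."""
    return [u for u in plain_text_urls(raw_mail) if ENTITY.search(u)]


if __name__ == "__main__":
    url = plain_text_urls(RAW_MAIL)[0]
    print("as sent  :", sorted(query_params(url)))
    print("unescaped:", sorted(query_params(html.unescape(url))))
    print("flagged  :", entity_encoded_urls(RAW_MAIL))
```

A check like entity_encoded_urls can be run against rendered mail templates before they are deployed, so that a login link in the text/plain alternative is caught when it carries HTML escaping meant only for the text/html part.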

Next steps

We opened a ticket with Auth0 and expect this to be fixed soon.

Credits

Kudos to KaiRo for reporting and tracking this down.

Awesome Mozilla InfoSec team for following up and keeping the energy level high!

(Fun) Your Daily ‘We Are The World’ Reminder

Mozilla is a distributed place. About a third of its workforce are remote employees or remoties. So we speak to each other a lot on video chats. A lot.

Some paid contributors still have hobbies aside from working on the Mozilla project. For example, there’s the enterprise architect who is a music aficionado. There’s a number of people building Satellite Ground Stations. And I am sure we have many, many more pockets of awesomeness around.

And of course there are people who record their own music. So if you own a professional microphone, why not use it to treat your colleagues to a perfectly echo-canceled, smooth and noiseless version of your voice? Yay!

This is the point where I am continuously reminded of the song We Are The World from the 80s. For example, check out Michael Jackson’s (2:41 min) or Bruce Springsteen’s (5:35 min) performances. This makes my day. Every single time.

PS: This article was published as part of the Participation Systems Turing Day. It aims to help people on our team who were born well past the 80s to understand why I am frequently smiling in our video chats.

PPS: Oh yes, I confused “Heal the World” with “We Are The World” in the session proposal. Sorry for this glitch.

PPPS: Thank you to you-know-who-you-are for the inspiration.

Autonomy, Mastery & Purpose at Mozilla’s Participation Systems

This week I was reminded of Dan Pink’s Drive and its key message: Autonomy, Mastery & Purpose. We are doing some work on Mozilla’s Moderator application: migrating the infrastructure, decommissioning Persona, and giving it a visual refresh.

It’s the first part that held a strong lesson.

In the past, the Moderator site scored an F in the HTTP Observatory, a tool for measuring the web security of a server and application. Following the migration, the site now scores A+. By the way, you can always verify this yourself.

What I Learned This Week:

  • Autonomy: Provide a team with autonomy over its entire product value chain and be surprised by the cool stuff that happens.
  • Mastery: Going to A+ wasn’t an acceptance criterion. It’s our intrinsic motivation which helps us be better every day.
  • Purpose: The Mozilla Manifesto provides us with a great set of shared values. In this case it was probably principle #4 on treating individuals’ security which served as North Star.

Of course the same Observatory rating could have been achieved on the old infrastructure. We just never did. It’s probably the perfect storm of a cross-functional team operating in autonomy, growing mastery and with a clear sense of purpose that made it so easily possible.

Blessed to be working on the Participation Systems team.

moderator.png

On Mozilla’s identity and access management (IAM) initiatives

(Cross-post from Mozilla’s discourse.)

Introduction

This document describes some of Mozilla’s activities in response to the decommissioning of Persona. It describes the change taking place in many of our web properties. Additionally the document provides a short overview on Mozilla’s broader identity and access management (IAM) initiatives.

Summary (TL;DR)

  • Persona will be decommissioned on NOV 30, 2016.
  • Our new authentication provider is built with Auth0 at its core.
  • All Participation Systems properties (reps.mozilla.org, mozillians.org, moderator.mozilla.org and others) will be using Auth0 moving forward.
  • Using this new authentication provider, Mozilla will transition many of its web properties that use Persona today to provide both
    • password-less email login for all profiles on Mozillians.org and
    • LDAP login for staff.
    • Additionally, some web properties will offer select social logins (e.g. Google, GitHub).
  • Moving into 2017, Mozillians.org will be fully integrated with Mozilla’s LDAP. This will enable volunteers and paid staff to collaborate using some of the same platforms and tools.

Persona Replacement (aka IAM Package B)

As previously mentioned on mozilla.dev.identity [Jan 12 2016 and Oct 13 2016], Persona is slated for decommissioning on November 30th, 2016.

Mozilla will not offer a public-facing authentication service like Persona after November 30th. Information for website owners to migrate their sites away from persona.org can be found on the wiki.

Many of Mozilla’s web properties (some of them listed below) will replace Persona with a new authentication provider based on Auth0. This means that Mozillians will be able to authenticate on many Mozilla sites using password-less email login, or select social logins (e.g. Google, GitHub). Staff members can continue to use their LDAP credentials on these sites. This transition includes, but is not limited to: Mozillians.org, Discourse, Moderator, Reps Portal, and Air Mozilla.

For the web properties maintained by the Participation Systems team (Discourse, Moderator, Mozillians.org, Reps Portal) this bucket of work is often referred to as “IAM Package B” and can be tracked on the team’s Kanban board. Package A was a technical proof of concept which successfully ended in September 2016.

Mozillians.org LDAP Integration (aka IAM Package C)

Looking towards 2017 we plan to integrate Mozillians.org with LDAP, to facilitate group management and access control for both paid staff and volunteers. This endeavor is often referred to as “IAM Package C”. Connecting these two systems will allow us to offer a single access management system for all Mozillians, volunteers as well as paid staff. We are still designing this new system and will share additional details in the coming months.

This groundwork will eventually allow us to differentiate collaboration tools’ access levels based on project needs instead of employment status. Think about the ability to provide document access to a hybrid project group of volunteer and staff contributors. This is a natural next step in our work as a radically participatory organization.

Feedback welcome!

This article hopefully provided insight into Mozilla’s currently running and planned activities around identity and access management. We invite you to continue the conversation at this discourse post.

Back at the Front at #push16

During the last two days Mozilla had a booth at push.conference 2016 in Munich. Push unites creative coding and user experience design, by offering a platform for designers, developers and UX professionals.

Elio, George and I represented Mozilla. To put it in George’s words:

Among the things we presented to booth visitors were:

Here’s what I learned this week:

  • Be there, talk and, most importantly, listen to people. It’s exhausting and rewarding. Totally awesome.
  • On the Innovation Toolkit:
    • The toolkit allows us to open a conversation with a whole range of new (potential) contributors: experience designers, visual designers, and many other creative types.
    • We are missing a creative commons content license. This is a bug and will hopefully be fixed soon.
    • People have not heard of the toolkit yet. We need to be louder about it.
    • Students and higher-education teachers are really interested in this.
    • Seasoned professionals identified it as a great “quick reference” source.
    • We need to become better at explaining WHY Mozilla has created this innovation toolkit and WHAT’s the Mozilla’iary aspect of the toolkit and HOW it is used inside and outside Mozilla.
  • On the EU Copyright Campaign: People like it. Many can’t believe how broken current copyright rules are.
  • On the Equal Rating innovation challenge: Again, people really like the idea. Students and university teaching staff are very receptive to potentially running creative projects around that topic.
  • On the Mozilla Festival: It would be great to get the word out to more designers and UX professionals to join us at #MozFest.

Overall, a great couple of days.

Update: Elio’s post has some additional details on #push16 itself.