Corporate IT, NodeJS, “Tech” Companies, and Freaking Microsoft Windows

The Scene

A few years back, as part of a long, slogging series of unfortunate events, I had been tasked with developing a new web application, which circumstances dictated should be written in Java. Books could be written about this one-year period of my career. (And not, like, inspirational ones.) Anyway, part of the process included trying to get people to realize that no one, these days, wrote web apps in Java without using one of the many, popular Javascript libraries for the front end (like React or Angular), and get my management and corporate IT to understand that I needed to install NodeJS on my machine to facilitate this. Up until this point — and despite the fact that it was obviously used by other development teams in the company — it was not on the “approved” list of software to be installed on local machines. Through several strained meetings and rounds of email, someone, somewhere, deep in the bowels of IT, corrected the obvious oversight, and put it on the list.

The production version of NodeJS was 8, at the time of approval.

This kerfuffle was but one small facet in the gem that was this job posting. In the middle development process, I jumped at another job opportunity, and left my Fortune-250 for a different Fortune 250. The IT environment was eerily similar, and led to this post about making Windows tolerable. It was this experience that got me to see the real root of what I’m complaining about here.

And then, through a short series of more unfortunate events — and one amazing event — I came back to the original Fortune 250, in a different department.

Some months later, just after getting settled back in, I got an email asking me if I would approve a new version of NodeJS to be officially blessed and uploaded to the internal repository.

A Symptom, not the Disease

Strangely, I was being asked to approve NodeJS version 9. If you’re not familiar, NodeJS uses a version numbering system like the Linux kernel used to, where even-numbered releases are for production use, and odd-numbered releases are development versions, intended only for development of the software itself. In no way should 9.x be considered for use in projects inside a blue-chip Fortune 250.

I explained this situation to a laundry-list of TO: and CC: recipients in a long email thread that had already been making rounds inside the company before someone finally saw my name attached to the original request, and added me to the chain. Of course, my explanation was ignored, but I only discovered this 6 months later, when I was being asked, again, to approve version 9. Apparently, I was preventing some developer in India from doing his work on a “high priority project” by not having approved it already, and I needed to get on the stick.

I become more blunt, at that point. First, I didn’t do whatever was done to get it certified the first time, so I didn’t know why I was being called on to do it again. Second, I tried to make a case for exempting development libraries, like NodeJS, from the slow process of getting them approved for internal use, and uploaded to our internal software delivery site. This led to another important person added to the chain, who, surprisingly, supported my argument, but, again, nothing changed.

A month later — seven months into this “discussion,” and presumably still holding up a “high priority” project with a “requirement” for 9.x — I got another email, which included a screenshot of an error from Angular, saying that it no longer supported NodeJS 8.x, and that it needed at least version 10.x or 12.x. Again, I pled with the list of people involved in the email chain that we needed to treat development libraries and applications differently than we treated, say, Office applications. I pointed out that, in the time that we had been fussing over version 9, version 14 was now shipping.

Six months after this exchange, I got an email from a desktop support technician. He was asking for clarification about details when installing… wait for it… version 8 on a developer’s computer. That’s right: After over a year of this exercise, we were still fighting to get a version that’s now a year and a half out of support installed on a developer’s machine.

And then, the situation actually got even worse. The developer’s “computer” was really a shared environment (like Citrix, et. al.), and the shared NodeJS install was being constantly re-configured between multiple developers using the same computer between projects. The support person was actually savvy enough to have suspected this, and was asking me about how it worked. I confirmed that this would, indeed, be a problem, and we figured out the flags to install it into each person’s personal directory, and keep the node_modules directory separate, per user. So, at least we figured out how to successfully install a version of Node that was dangerously out of date to a shared computer.

Actually trying to use NodeJS for the job it was created for, and downloading a stack of Javascript libraries to support Angular or React, led to another discussion of how to get it to play nicely with our corporate, Active Directory-authenticated firewall, which — naturally — blocks all access to the internet from anything that doesn’t run through the Windows TCP/IP stack. Say, like npm or yarn trying to access the NPM repository. I had figured out a workaround for that in the first few months of working at the company, and just pointed them at Corkscrew, which transparently handles the NTLM authentication for command-line utilities like npm (or Ruby’s Bundler).

The Root of the Problem: Microsoft, and Windows

If the shared computer had been Linux or Mac, none of these problems would have existed. Each account on Linux and Mac has a proper personal directory, and things like Node and Ruby assume this, and take advantage of it. Each user could install whatever he wanted to in his home directory, and not need administrative permissions on their machine, or have to rely on some internal application-distribution site. Also, if developers could use anything other than Windows, corporate IT would probably not assume that everything which gets forced through the corporate firewall can do NTLM authentication, and force people running tools like NodeJS to rely on a squirrely tool like Corkscrew. Windows has gotten a lot better over the past several years about installing things into a user’s AppData directory, and Microsoft has spent a lot effort in recent years to develop and astroturf WSL(2), Visual Studio Code, and the new Terminal, but Windows is still a second-class citizen for modern web programming.

I try to temper my frustration with this situation with the knowledge that IT departments of large companies have been forced into many, cascadingly-obtuse compromises by their use of Windows. So many frustrations in a company’s user community can be traced back to the relatively quirky, and single-user-oriented way Windows has always worked, and the monoculture that using Windows requires, thanks to Microsoft’s legacy of embrace-and-extend, especially in directory services. The size of the company exacerbates the problem. At my current company, I know of at least 5 different IT org trees. After 6 years of working with various people in these groups, I still have very little understanding who actually owns what. To be fair, most of this is felt by only a small portion of the “power user” community at a company, but that’s most of the people I deal with.

The Distortion of Scale

The biggest problem here is the scale of the operation. When you have 50,ooo nails, you make sure they’re all the same size and finish, and you use the exact same kind of hammer and technique on all of them. You’d think it would be possible to use a bit of manpower in these various IT departments to treat some of these nails differently, but the vast ecosystem required to take care of Windows just eats up all available resources. Anti-virus. VPN. Standard desktops. Scripts to prevent people from doing things they shouldn’t. Scripts to report all activity on the things they should. Office 365. One Drive. Teams. Zoom. Forced password rotations. Worldwide hardware and software upgrades. Locking out how long the screensaver takes to kick in. Preventing changing of custom login screen backgrounds. It’s a lot. I get it. Using Windows as a corporate desktop environment automatically assumes so much work, it leaves little room for treating a computer like a tool that needs to be customized for the job it needs to do, and the work it needs to support, even when those goals are, ostensibly, incidentally, also primary goals of the larger IT organization. It’s a counter-intuitive situation.

I started this post by pointing out that this stack of regrettably-predictable compromises, which result in suboptimal policies and outcomes, is primarily a problem with traditionally non-“tech” companies, but the real, underlying problem is much deeper.

The truth is that all companies are now “tech” companies, whether they realize it or not. And those that can’t change their approach to IT to adapt to this new reality — or change it fast enough to matter — will wither on the vine, and their remaining assets, eventually, will be picked up in a corporate yard sale to companies that have “tech” embedded in their DNA from birth.

I worry that a company which, 30 years later, still breaks up it’s most-important digital asset into 8 pieces because that’s what would fit on a floppy disk will not make the turn in time.

The reason I started writing all of this down was because — after all of this time and discussion — I was asked to approve NodeJS version 10 for the internal software repository. At the time I was asked, version 10 didn’t even show up on the NodeJS release page any more. They were shipping version 16. I guess 10 is better than 8, but let’s be honest: The only reason they gave up on version 8 or 9 is because the version of Angular that they’re using is refusing to work with anything pre-v10. That happened back in Angular version 8, which is now also out of support.

As part of the great email chain, I pleaded with the various people involved with the internal software approval process that keeping up with the shifting versions of your tools and supporting libraries is just part of the job of being a web app developer, yet no one even batted an eye. You would have thought that this concept would have fallen directly under the multi-headed hydra of “security,” and the company’s philosophy seemed to be you can never have too many software layers or policies about it. You would have thought they would have pounced on the concept in order to at least seem serious. I even invoked the specter of the recent, infamous log4j bug, as an example of the risks of letting things get out of date. This issue caused an audit of every Java-based application in the company, so it should have been a touchstone issue which everyone in the chain could relate to. But if anyone could understand what I was trying to say, they apparently didn’t care.

IT Best Practice vs IT Policy

I didn’t much care for The Big Bang Theory, but one scene has stuck with me for a long time. In S1E16, Sheldon is shopping in a store like Best Buy, and some woman comes up to him and asks, “Do you know anything about ‘this stuff?'” He replies, “I know… everything about ‘this stuff.'” And that’s the heck of this situation. It’s almost like every single person concerned with this process has absolutely no idea how any of “this stuff” actually works, and won’t listen to someone who does. And I realize how conceited that may sound, but, in this case, I don’t know how else to put it.

The only other explanation is simply apathy in the face of bureaucracy, and I wish senior IT management would take it on themselves to root out this sort of intransigence, and fix it. It would seem to be their job, and would go a long way to justifying a C-level salary. Unfortunately, this isn’t the first time I’ve found myself trying to explain a direct contradiction of IT best practice versus IT corporate policy to the very people who are supposed to be in charge of both, and I’d like to think I’ve learned how to convey my thoughts in a less confrontational way, but I obviously still haven’t figured out how to motivate people to rise above the internal politics and align the two, and that makes me sad.

I’m finally posting this because I just got another request to approve version 8, now three and a half years on, and I needed to vent.

¯\_(ツ)_/¯

UPDATE: A couple weeks after posting this, I got CC’d on a long desktop support email chain from a developer in India who can’t get angular-cli version 7.x working with npm. <sigh> And there are 4 references to how urgent and how high a priority this is. A simple search shows a pretty detailed SO post about the particular error message, and the general answer seems to be to either play games with the particular versions of the dependencies, or just upgrade to a 8 or 9… three years ago. In any case, this isn’t a desktop support question. IMNSHO, this is squarely a developer’s issue. Sorry, but that’s the job, brother. Do I try, feebly, to make another point, or just let this go?

LinkedIn? In My GitHub? It’s More Likely Than You Think

Outlook Integration with LinkedIn

I didn’t much care when Microsoft bought LinkedIn, because no one actually likes LinkedIn. What little usefulness it has exists only because there’s nothing else in the space. A Facebook for work. Really? That’s boring squared. Who cares? But when Microsoft bought GitHub, I was really disappointed. I felt it was “unwarranted.”

Linus Torvalds wrote Linux, and changed the world. Despite never being able to make a dent in desktop usage, it destroyed what little progress Windows was making on the server side compared to Unix and minis, and now runs basically everything that isn’t a desktop (or an Apple device).

Then Linus changed the world again, and wrote git. Except for the absolute biggest repositories (e.g., Microsoft Windows, or, say, Oracle), it quickly ate all other source code management software, paid or free. And then Microsoft patched git to handle their codebase, and uses it now as well.

GitHub was one of the first big Ruby on Rails apps to prove the framework’s viability at scale; a huge platform success that didn’t involve either Microsoft or Oracle.

So, from my perspective, GitHub — hosting git repos using Rails running on Linux and MySQL — represented everything in the software world that was NOT MICROSOFT.

And then Microsoft threw a couple billion at the founders, the government shrugged their shoulders at such a “small” acquisition, and GitHub, like so many before, became another head on the software world’s biggest hydra. I actually felt a little betrayed by the founders, if I’m being honest. I hate the M&A activity that’s destroying our economy, capturing our government, and producing a new feudal-like aristocracy, but I suppose, of all the companies that had the resources to give the founders their exit, a DOJ-chastened Microsoft wasn’t the worst possibility. Certainly better than Oracle or Salesforce.

Now I see this tomfoolery in the updated version of Outlook, which my corporate laptop just self-installed. Uh, no thanks? In fact, I can’t imagine something I want less than this, but Microsoft is always surpassing themselves, so I’ll just give it time. I would complain about jamming more “stuff” into an already over-stuffed application, but Outlook may be the software world’s poster child for bloat at this point, so what’s another useless “social” add-on?

I’m saying all of that to say this: I fully expect GitHub to get some sort of LinkedIn integration like this in the near future as well. “Link your professional software portfolio with a click of the button!” it will say, as if you can’t stick a link in there already. And then it will build a graph of user data behind the scenes for only-God-knows-what further marketing purposes.

I also expect that there will be some linkage between GitHub and Azure Devops. I had been thinking that Microsoft would simply phase out Devops for GitHub. Devops has never been particularly interesting as a product. However, a thoughtful person on Twitter — “There are dozens of us!” — disabused me of that notion. I’m sure he’s right: Microsoft certainly has too many paying customers for Devops to do anything drastic with it now, and it has become another lame-duck victim of Microsoft’s own success, destined to limp on forever because of backward compatibility. But I’m certain that they’re not just going to leave these two, so-closely-related silos sitting right beside each other with no connection, and I’m also certain I won’t like it when they finally do something.

“How do you define ‘unwarranted?'”

#MSBuild a Non-Starter

I’m back on Twitter. Dang it. But it’s cracking me up that Microsoft’s (virtual) developer conference #MSBuild is getting so little attention on the platform.

Compare and contrast this with Apple’s WWDC. There’s more activity with the #WWDC tag right now, and that isn’t for another couple of weeks.

I made a post about the lack of excitement around Microsoft’s conference.

Twitter bubbled that up from my no-name, 2-day-old account to some other rando who responded (nicely). I replied that this basically proved my point, and then THAT response got retweeted by some .NET-oriented bot.

Look, I don’t really like Microsoft, because of their long history in abusing their monopoly position, but their platform has enabled about half of my career, so I still want them to announce cool new stuff, but there’s really nothing going on. They’ve gone to the mattresses to get Visual Studio Code, Windows Services for Linux, and their rewritten terminal accepted by the developers of the world over the past few years. And, sure, there are plenty of fanboys of this development environment, but I just don’t get it.

VSCode is a heavy editor/light IDE, and I don’t want that product. Sublime Text is a blazingly-fast, lightweight text editor, with all the features I need for editing Rails applications. WSL2 is just a Linux virtual machine with hard-coded defaults. I’d rather install VMware or VirtualBox, and take total control of the setup. I get the feeling that the primary users of Microsoft’s latest toys are Javascript developers who are constrained to use Windows because of corporate policies, and, sure, that’s a non-insignificant number of developers in this world.

So far, this seems to be the highlight of MSBuild 2021: Quake mode for Windows Terminal. You know, that gimmicky little feature that popped up in Guake on Linux… <checks Google> 14 years ago? Look, I know it’s supposed to be tongue-in-cheek, but “HUGE EARTH-SHAKING?” LOL. No.

Unfortunately, while I was able to install Windows Terminal on my work laptop, the preview build doesn’t install. I don’t know if that’s because of corporate policy or the fact that I’ve got the wrong build of Windows. The company, surprisingly, just updated the build corporate-wide, but I wonder if this requires a preview build. On the other hand, I don’t care enough to sort this out.

About the only thing I want to see from Microsoft is a cross-platform UI widget set that you could use from .NET Core to write native apps across Windows, Linux, and Mac. But people have been clamoring for that for 20 years, and there’s not even a hint that this will ever happen, for a lot of very understandable technical reasons. However, I suppose it’s primarily a function of the age-old scavenging problem. Everyone wants this, but this would open the door for a lot of companies to choose not-Windows for desktops, and Microsoft can’t give up that revenue.

Peter Thiel: Competition Is for Losers – WSJ

I am woefully late in coming to this understanding that monopoly is the goal of all venture capital. Peter Thiel, of Paypal, Palantir, Facebook “fame,” literally said this was the goal, in front of God and everyone, in a WSJ op-ed, seven years ago. Like the PG article from the other day, Thiel tells some whoppers to try to make everyone feel better about monopolies.

Even the government knows this: That is why one of its departments works hard to create monopolies (by granting patents to new inventions) even though another part hunts them down (by prosecuting antitrust cases). Source: Peter Thiel: Competition Is for Losers – WSJ

If this isn’t the most-lopsided statement I’ve ever seen, I don’t know what would beat it. First of all, the patent office does not “work hard.” An awful lot of patents are given out like candy for trivial things. Further, software patents — which I’m sure Thiel loves — have been one of the most business-stifling things to ever happen in modern history.

Second of all, the government has only ever stopped the very biggest deals. It would seem that the current “gentleman’s agreement” is that anything under about $30B isn’t worth talking about. So Microsoft buys LinkedIn and Skype and GitHub, when it doesn’t really make much sense for them to own any of them. All the FAANG companies run around, picking up interesting toys in the flea-market bins marked “less than $1B,” and the government doesn’t even bat an eye.

And the government certainly hasn’t broken up any monopolies since AT&T. Given that the “baby Bells” have all since re-merged into the duopoly of Verizon and AT&T — which, mysteriously, line up almost perfectly in their cell phone contract terms — I’m not sure that even this was worth the hassle for the customer. What I am sure of, is that lots and lots of executives pocketed lots and lots of money for all that M&A activity.

If your industry is in a competitive equilibrium, the death of your business won’t matter to the world; some other undifferentiated competitor will always be ready to take your place.

This reveals Thiel’s cognitive bias. These “undifferentiated competitors” — in his terminology — are small businesses that would make their owners a comfortable living, and provide good job opportunities in their local market. Yes, if it folds, someone else may come along and take your place. I feel that’s a humane cycle of life. Thiel thinks this is a tragic notion, when he can be the guy who provides the capital to corner a market, and then extract all the profits that would have gone to those smaller businesses.

Monopoly is therefore not a pathology or an exception. Monopoly is the condition of every successful business.

Bullcrap. Utter VC narrative-spinning bullcrap. There are millions of small businesses being run out of business or bought up to further fuel multi-national corporate behemoths, who were too big decades ago, in this twisted game to become the largest companies in the world.

History is going to judge this period in human development as the time where we either decide how big is “big enough,” or whether we become a planet of corporations instead of governments. We’re running out of time to make the call, and if we don’t, we will eventually get the latter.

You can say that it’s unethical to tell Peter Thiel, “No, you can’t have any more,” but if we find the collective will to start doing that to the billionaires of the world, in another generation, it will matter more which company you work for, than what nation you are a citizen of. It already does in China, where working for Apple — as detestable as the working conditions are to Americans — it’s still one of the best jobs in the country. It already does in Alabama, where working for Amazon was seen to be so good — despite all the press to the contrary — that they overwhelmingly rejected the call to unionize. Those people would work for Apple or Amazon no matter what country they had to do it from.

(Makes you wonder who was running all the pro-union stuff in social media, huh?)

Microsoft Released a Bizarre New Surface Pro Ad and It’s Hoping You Won’t Notice It’s Pure Gaslighting | Inc.com

Microsoft made a point of mentioning that price point–since the Surface Pro is cheaper–but it’s worth mentioning that it means the MacBook Pro in question is sporting Apple’s new M1 processor. It raises an interesting question: How do you compare two things that are not at all like each other? And, maybe more importantly, why would you?

Source: Microsoft Released a Bizarre New Surface Pro Ad and It’s Hoping You Won’t Notice It’s Pure Gaslighting | Inc.com

Whatever sales figures Microsoft might release about the Surface, they are continuing to struggle to sell these units. How do I know this? Because of jumbled and confusing ads like the one referenced in the article.

The kid in the video complains about not having a stylus or a touchscreen, but you can get both of those things in an iPad. The only reason alluded to in the ad about why you wouldn’t just want buy a tablet in this scenario is “gaming.” LOL WUT? You can’t pay me to believe that people are buying a Surface to play games that you couldn’t play on a MacBook.

Microsoft continues to try to sell people on the idea that the Surface somehow bridges a theoretical gap between a laptop and a tablet, but if that market segment exists, it’s very small. And, when your competition has so completely dominated the tablet end of that spectrum, any effort to wedge a hybrid device into that market gap is going to be difficult at best.

The issues with using a touchscreen while it’s not-horizontal have been beaten to death, and I won’t rehash them here. I know 3 people who have Surfaces, and they seem to like them. But I watch them fumble around with their keyboards as they switch between tasks, and wonder why they put up with it. Microsoft is betting they can make money selling to people who don’t mind living in the usability gap. Maybe they can, but they’ve obviously not created a segment-defining product the way the iPhone and iPad have.

My advice to Microsoft’s advertising department would be to simply sell the devices on their merits. The people who are interested want to live in that “convertibility” space. Market that. Play to that strength. I don’t see it, but there are people who do. Sell to both of them.

‘Wormable’ Flaw Leads July Microsoft Patches

Microsoft today released updates to plug a whopping 123 security holes in Windows and related software, including fixes for a critical, “wormable” flaw in Windows Server versions that Microsoft says is likely to be exploited soon. While this particular weakness mainly affects enterprises, July’s care package from Redmond has a little something for everyone. So…

Source: ‘Wormable’ Flaw Leads July Microsoft Patches

Every time I read a lede like this, I’m struck with the stark difference between Windows and macOS in terms of security posture. Apple releases patches for their operating system once every couple of months, and they contain a dozen or so patches. Microsoft releases hundreds of fixes every month. Sometimes multiple times a month. HUNDREDS! Every month!

Apples fixes are primarily about local privilege escalation. Microsoft? It seems like every patch note is for a “random interweb haxxor can pwn you”-type of problem. I’m sure I’m being overly generous with Apple, and completely unfair to Microsoft, but the difference in the general nature of the two kinds of problems is also starkly different.

The Microsoft fanboys will say that it’s because Windows is still the majority of the desktop market, but Microsoft has lost a lot of ground lately. macOS is around 15% of the market, making it a perfectly viable hacking target. So that can’t be the reason. I say it comes back to Windows having a DOS heritage, and macOS having a BSD heritage. The foundational assumptions these two systems were built on could not possibly be more different, and the ramifications of those differences are still present 30 years later. One is holding up very well. The other… isn’t.

I bring all of this up because the prevailing wisdom in Fortune 500 companies is that we 1) must run Windows, and 2) load it up with all sorts of first- and third-party software to A) “secure” the system, B) guarantee the integrity of the build, and C) lock it down as tightly as the internal staff can understand and manage. All of this approach is a holdover legacy from the 90’s, where we didn’t have much choice. What were we going to do? Run Linux? As much of a Linux zealot as I was — and continue to be — even I know that’s not workable. Now, it’s become a house of cards, with alternating layers of vulnerability mitigation and policy enforcement.

But macOS has matured. Almost all commercial software runs on it now. (The only things I know of that don’t are high-end CAD/FEA systems, but even AutoCAD does now.) And Apple has grown into a behemoth of a company, in terms of support capability. A truly staggering amount of money is being wasted in the Windows-ecosystem-based approach. It’s time for corporate America to stop — really stop — and think about the situation with a fresh set of assumptions. Do we really need to continue as we have for the past 25 years?

And maybe — just maybe — if we didn’t have to load up the corporate desktop image with layer after layer of software, trying to stem the flow of Windows’ suckage, my work laptop wouldn’t run its fans at full blast all the freaking time…

GitHub goes off the Rails as Microsoft closes in

And this year, Microsoft App Center and Google Container Builder showed up as Marketplace apps, signalling(sic) that GitHub isn’t just a storefront for startups but a cog in the code deployment machines of major tech firms.

Source: GitHub goes off the Rails as Microsoft closes in

Mark my words, this deal is going to wind up biting the developer “community” in the rear end.

I wish they hadn’t sold to Microsoft. It’s too much critical-path infrastructure for one company to manage. They now own the OS, the directory, the cloud, the languages, the dev tools, the database, the code repo, and the deployment tools. I mean, that looks good on paper, but we all know what happens when one company owns the entire vertical space.

It’s a perfect example of monopolies taking over the entire economy, and I think government should get serious about reigning-in this sort of thing. In my opinion, there should be limits on how large companies are allowed to be, based on various combinations of market cap, number of employees, and number of locations, and probably some other things that I can’t think of off the top of my head.