AlexAitken.net

Reboot with a Past Blast on SAAS

Alex — Mon, 23 Apr 2012 05:15:04 +0000

blog’s been dormant. Recently I’ve found myself in conversations on products vs services. I’ve started digging up some of my B-School work from five years ago. …are some of the reasons I’m throwing up this case study on the SAAS pioneering of P&H (a former employer, since acquired by ACI). Not entirely relevant to the Business of front end Code and Design, unless you consider that everything is.

How one company’s product-to-service evolution is opening new markets and democratizing the banking sector

P&H Solutions Inc. (P&H) is the U.S. market leader in developing cash management and commercial banking software. Founded in 1983 and (therefore) initially dedicated to the development of DOS and Windows products, the company’s product offerings are now entirely web-based. P&H today has an installed base of over 100 financial institutions (FIs) in production, including icons such as J.P. Morgan and Merrill Lynch but also numerous credit unions and smaller regional banks. P&H software serves as the interface between these institutions and their customers, enabling the latter to perform assorted banking activities remotely.

As little as 5-6 years ago P&H sold 100% of its software on the ‘in-house,’ or ‘license model.’ Financial institutions ran their own hardware, bought Web Cash Manager ‘product modules,’ and paid P&H significant project management fees for the personnel and know-how required to configure the programs and machines involved and bring the new system to market (when FI customers would make live, money transactions using the system). Currently, however, the majority of the deals P&H closes adhere to an entirely different model.

One-half to a full two-thirds of P&H customers today are installed in the company’s ‘Outsource Solution Center’ (OSC) With this offering, P&H relieves financial institutions of the burden of hosting and administering their own hardware. FIs choose from among the same product modules as those offered under the license model but run them on machines that P&H manages in partnership with a third party, NCR. The difference between models is entirely transparent to the end-users (FI corporate customers).

P&H’s outsource model was made possible by a new technology (the internet), and by the observation from members of a formerly-excluded market segment (small FIs) that the technology could be leveraged to put them on an even playing field with the big guys. This paper details the circumstances leading to the outsource offering, the differences between the outsource and license models, and the process that P&H went through to set up its Outsource Solutions Center.

Background

Through most of the 1980s and 1990s P&H developed and sold DOS and Windows versions of its cash management software. Large FIs and their corporate customers installed the software, which enabled the latter to submit batch-based transaction instructions via modem. 1998 saw P&H’s release of Web Cash Manager (WCM) – a move consistent with a software-industry-wide trend towards web-based application delivery and its inherent economies. While installation of P&H software was still required on the FI-side, software distribution to FI customers was eliminated as these could now use the ubiquitous Internet Explorer or Netscape Navigator to interface with their financial institutions.

But almost as soon as the initial WCM release was marketed, P&H sales people and executives started sensing that the move to an internet-based product promised benefits far beyond those implied by just the saved postage and logistics of an eliminated client software distribution requirement. “Our DOS and Windows products were really only available to large institutions because of the significant, up-front capital outlays they required,” explains Terry Monteith, P&H Senior VP of Product and Marketing. “Initially this was true of Web Cash Manager under the license model as well. But around 1999, with WCM on the market for about a year, we started hearing from smaller banks that if we could run the software for them, they’d be able to afford same technologies as the big guys. So we gave it a shot.”

And the shot hit home. By assuming hardware and administration responsibilities and offering a revenue sharing-based pricing scheme (which in effect amounts to a rent), P&H lowered the up-front outlay required of banks by a factor of 10. This proved the key to opening up entirely new markets for P&H and the Web Cash Manager product, as illustrated by the figure below.

Figure 1 Number of U.S. commercial banks by total assets, with P&H’s traditional and newly relevant market segments highlighted. Data as of 9/30/2006, provided by FDIC.

The Two Models Compared From an FI’s Viewpoint

The table below summarizes the key FI considerations of price, payment schedule, and time-to-market for the licensed and outsourced deployment models. Figures are for the ‘Enterprise’ edition of Web Cash Manager with all modules installed and full functionality delivered.

Product, Services, and Rents

When P&H switched its focus from DOS and Windows to the internet, it did so because of the evident benefits that web-based software promised in terms of customer-base growth (as P&H is a B2B company, the growth was to be in its clients’ customer bases but the value of this growth was of course to be shared). Product delivery, however, continued in much the same way as during the era of the company’s modem-reliant products. And indeed many of P&H’s clients still adhere to this ‘license’ model, whereby the Web Cash Manager product is bought outright and physically installed on machines at the client sites. The value of the product is bought and transferred.

Figure 2 The traditional value transfer model. FI buys Web Cash Manager outright from P&H (assuming its value), rents required consulting and support services, and sells access to the product it now owns to its corporate customers.

In contrast to the value transfer model above, P&H has, for close to a decade now, been developing its OSC offering. As described, this is a model in which P&H does not sell the Web Cash Manager product itself, but instead sells access to it. As the number of FIs renting this access has increased and the outsource operation has grown, P&H has found that it in turn has needed to purchase services from other, third-party providers. In effect, the values of the separate services accrue as we move downstream along the chain.

Figure 3 The outsourced value accrual model. PH rents hosting (from NCR) and data redundancy (from Savvis) services; FIs rent Web Cash Manager modules and system management from PH; Corporate customers rent access form FIs to the Web Cash Manager functionality that lets them manage their treasury operations.

Transformation Process

Almost as soon as Web Cash Manager was released, P&H started hearing requests for an outsource operation from smaller banks who had too long been shut out of the big-technology market. In response, P&H effectively called the segment’s bluff by having its sales force proactively explore the idea during 1-on-1 sales calls to potential clients. The company needed a pioneer. “We felt from a gut level that there was an opportunity there for us,” Monteith explains. “We just wanted to get one bank to commit so that we’d have a concrete reason to invest.”

Stage 1 – Pioneering

In 1998/9 they got their trailblazer. During what Monteith calls ‘Stage 1’ of the Outsourcing venture, P&H ran the WCM software for this initial client, and those that tumbled in on its heels, on machines housed at the company’s headquarters in Newton, MA, just outside of Boston. Existing company resources were redistributed to support the effort.

It didn’t take long for the company to recognize what it had spawned. “Within the first year it became pretty clear to us that this was going to take off,” Monteith says. “We had 15-20 banks installed in our outsourcing center and it became clear that we, in turn, were going to have to outsource parts of the operation.”

FIs opting for P&H’s new Outsourcing Solution Center were choosing to entrust the non-core areas of IT infrastructure and software administration to what was in effect a second party – the company whose software was necessitating the infrastructure and administration. As a software development firm, P&H had fairly robust internal IT resources and expertise that were able to absorb the infrastructure requirements of its early Outsourcing Solution Center adopters. But with 20 banks installed and more knocking at the door, those resources were stretched and company management realized that it, in turn, needed to divest itself of pieces of the operation not tied to its core software development and support mission.

P&H tapped NCR Corporation, with whom it had an existing reseller agreement, for the job of hosting the machines and infrastructure that would run Web Cash Manager installations for OSC clients. With the agreement, physical hardware supporting the operation moved to Maryland, U.S., while at P&H headquarters in Massachusetts a barebones team was kept on to remotely manage the installations.

Figure 4 Alignment of actors and core competencies (in black) over time. Initially FIs assume 3 main operational areas, only one of which is their core business. With the NCR deal, the 3 main operational areas have been distributed to the three corresponding specialists.

Stage 2 – Growing Up

P&H had succeeded in finding a capable partner to assume the hardware implications of the Outsource Solution Center. But the customers kept coming, and even having escaped infrastructure responsibilities, those involved with the outsourcing project found themselves kicking hard to keep their heads above water. “At 25 to 30 installed banks, we started feeling some pain,” says Monteith. “It’s bootstrapped, fly-by the seat of your pants stuff and we were having a hard time keeping up. We basically addressed this through staffing, and through bringing in outside expertise”

P&H was no longer treating the Outsource Solution Center as an experiment or side project, but rather as a profit center of huge potential to which dedicated resources needed to be devoted. And as the company became more adept at managing the environment with more success stories to share, the profiles of the banks who were signing up diversified. Quoted in 2001, Mike Thongpaithoon, who was then P&H’s director of client services, described P&H’s outsourcing customers. “They are typically regional and smaller community banks that need to compete with the big boys. But we also have some big customers – banks in the billion-dollar plus range – outsourcing because they just don’t want to deal with the hassles."

Over the next years, as the number of installed banks climbed towards 60, more big banks would come, each presumably bolstered in confidence by the one that preceded. The signing of a $10b FI into the Outsourcing Solution Center was a milestone until recently, when a $70b bank chose to outsource to P&H. “The stakes are definitely getting pretty high, “ says Monteith. “And organizationally, we’re starting to look at Outsourcing as one of our biggest customers.”

Stage 3 – Maturing With the Environment

As P&H has matured in its management and delivery of outsourced solutions, so too has the regulatory environment in which it operates. Today, the challenges P&H faces with the Outsource Solution Center derive from both the size of its customer base and a set of government rules that has grown up around the internet banking industry. A partial list of these includes:

Management of WCM patch and upgrade installations
Management of multiple ‘pods’ or ‘environments’ for customers in different
time zones
Government-mandated SAS Level I and II security audits
Sarbanes Oxley compliance
Disaster recovery and failover capability (in essence, backup solutions)
Government-mandated user sign-on authentication

“We’re basically now responsible for anything regulatory happening in the environment,” says Monteith. Financial institutions, in other words, outsource not just the day-to-day operational aspects of an enterprise-level software implementation, but also all associated compliance concerns. As a result, P&H has brought in top gun management for the Outsource Solution Center from the outside and developed new competencies in knowledge areas it considers specific to the core service it provides with the operation. It continues, however, to pen deals with other providers for services and third-party products it views as ancillary. Recently, for example, P&H brought on a second hardware hosting company, Savvis, which has assumed disaster recovery and failover duties for the outsourcing operation – basically running mirrored installations of the NCR machines in Maryland.

Outcome and Future Directions

By any measure, the P&H Outsource Solution Center has proven a resounding success. Talking to Monteith, and indeed anyone who has been involved in the effort, about the experience of getting the operation off the ground elicits from them terms and phrases such as ‘frenetic,’ ‘rapid growth,’ ‘hanging on by the seat of our pants.’ At every step along the way, growth in the installed customer base has met or exceeded internal predictions.

During the near-decade that P&H has been running its Outsource operations it has acquired market knowledge and Professional Services expertise that the company now leverages by offering consulting services to large financial institutions. And in a bid to appeal to even the smallest banks and budgets, the P&H marketing group is now exploring the idea of what it calls ‘processor options.’ With this option, banks could, in effect, choose to share installations of WCM with other institutions that were willing to forego customization for price. A cookie cutter version of the software at an even lower price point.

Figure 5 Schematic (NOT to scale) depicting relative sizes of three P&H segments and market share in each. Grey bar represents number of institutions in each segment; black bar portrays P&H’s penetration of the segment. Dollar signs indicate the comparative revenue represented by a typical deal closed in each segment.

For all P&H’s success, however, the amazing thing in this B2B environment is that after 23 years in business and depending on who you talk to, P&H’s total installed customer base (including outsourced and in-house installations) is between 100 and 150 financial institutions – approximately 2% (using the more optimistic figure) of the seven-to-eight thousand banks detailed in Figure 1, on page 2. Should P&H decide to market ‘processor options,’ the decision will have been made, in effect, in order to blanket all segments with offerings. It certainly won’t have been made because the company has exhausted the markets it currently finds itself in. The choice P&H currently faces with its Outsourcing Solution Center is one between breadth and concentration.

Takeaways

The Following dicta are based on four aspects that proved key to P&H’s successful growth of its Outsource Solution Center, and which should be considered in any B2B product-based to service-based marketing evolution.

Dip your toe in first… preferably with a partner
When P&H first started hearing murmurs about how an outsource offering could potentially provide the keys to a hitherto locked market, dollar signs must have flashed in more than a few sets of eyes. To the marketing group’s credit, however, the company didn’t lurch forward with an if-you-build-it-they-will-come effort. Instead, it courted a partner with whom to test the waters. P&H got guaranteed revenue for its efforts and the trailblazing client enjoyed special treatment. Had the venture proved a flop, P&H’s losses would have minimal. But it didn’t, and we know the rest.
Buy Services to Provide Services
One of the most intriguing aspects of P&H’s mature Outsource Solutions Center is the string of service-provider agreements it comprises (see Figure 3, page 2). The value chain is in fact a service chain. As P&H’s outsourcing operation grew, the company found itself having to devote an increasing proportion of energy and expertise to extending its core competencies of WCM development and administration. Less and less bandwidth was available to absorb management of the supporting infrastructure, which in itself was becoming more intricate with the expanding operation, and so the company contracted with third-parties who specialized in hardware and failover. In short, P&H found that by outsourcing parts of its outsourcing operation, it was able to concentrate on maximizing the differentiating value for its customers.
Balance
Eight years into the Outsourcing venture, Monteith says that finding the right equilibrium is crucial to success. “The challenge becomes how to keep functionally competitive, be on top of the all regulatory requirements, offer quality implementation services, and deliver this at a good price point. It’s really a big balancing act.” On top of freeing P&H to concentrate on its core competencies, the third-party deals referenced above let P&H deploy the required hardware at a cost significantly lower than would have been possible otherwise. P&H has spent approximately $5m on hardware, pays NCR and Savvis their rents, and employs twenty people to run the Outsource Solution Center. With 60 outsourcing contracts worth between $2m and $5m each, the model has proven profitable. Nonetheless, should the balance Monteith describes be disturbed – should the technologists, for example, succeed with an internal sell of the latest internet technology for the WCM product without determining if its value would be perceived and bought by P&H’s customers – the profits which are now healthy could well prove to be ephemeral.
Book the Recurring Revenue
If P&H’s outsourcing operations had proven just a means to open new markets, celebration would have been justified on this count alone. In fact, however, the very pricing model that suddenly made small banks a viable segment for the company also proved a boon to the company’s planning capabilities. The deals P&H signs for in-house installations bring the company immediate revenue in today’s dollars. But the revenue sharing model inherent in the Outsource Solution Center deals brings something just as valuable – a predictable, recurring revenue stream, or an annuity. Knowing the proportion of a future year’s revenue goals that has already booked allows the company to develop coherent, long-range plans for growth.

jQuery Demystified

Alex — Wed, 31 Aug 2011 16:15:26 +0000

Guiding slides for the hour-long presentation on ‘What is jQuery’ that I’ve been giving to backend teams.

Thor 2005

Alex — Sat, 09 Jul 2011 19:48:33 +0000

JSConf 2011

Alex — Wed, 04 May 2011 15:38:53 +0000

It’s a fun thing to be at the forefront of a language/technology revolution. I’m always a little amazed at how the JavaScript I began coding ten years ago has turned in to one of the cornerstones of my career. MBAs and years on consensus building are one thing, but it’s this language that truly brings my design work to life, from its prototyping stages to its full production deployment. And while I’ve forged deeper and deeper under its hood, JavaScript has implicated itself further and further in modern development practices. JSConf 2011 brought most of the thought leaders responsible for this implication together for two days in Portland, OR, inducted others in to the circle, and hummed throughout with young, fresh, energy and ideas devoted to the standards language making today’s web hop. Notes on the summit:

David Flanagan, @__DavidFlanagan
BLOB (Binary Large OBjects) APIs
Use case: file system, BLOB, DOM. User selects image from hard drive, runs it through the API, then sees image displayed in a web page; All files are BLOBs but not all BLOBs are files; Get files the same way we always have: with input tag (and onchange)… or with drag and drop; XHR2; new URL object; blob://; FileReader object can be used to examine and manipulate contents of BLOBs; Text files can now be read; readAsText, readAsArrayBuffer, typed arrays, ArrayBufferView; “endianness”; BlobBuilder; Web apps can implement their own sandboxed file systems.

John Hann, @unscriptable and Brian Cavalier, @briancavalier
Modules > Frameworks
Framework vs library vs module; Switching cost of moving from a library or framework like jQuery is HUGE; “coding dysentary” – get yer shit outta my code; coding utopia – standalone, small, fast, interchangeable, no globals; loaders and namespacing; JavaScript standard APIs/interfaces – ecma, json…; html5/css3 – querySelectorAll…; CommonJS proposed standards; AMD – Asynchronous Module Definition; Modules today – require.js, curl.js, pinf, bdload, mLAB; promises; inversion control.

Paul Irish, @paul_irish
Chrome Dev Tools
Tab autocompletion; click color box to iterate through different color format definitions; new groups by type AND revision history; …and freeform stylesheet editing under resources; see console api doc for all available console methods; console.dir = DOM view; ESA to hide/show console on all tabs; $0; ‘copy’ in console view => clipboard; ‘?’ in console = help on keyboard shortcuts; –remote-debugging = for example, debugging tablet apps via desktop; right-click pretty print of minified js.

Dave Balmer, @balmer
Jo, Lightweight Mobile Framework
Web is the SDK; He’s looking for code contributors; See ‘JavaScript, The Good Parts’ extend method; lesscss, sass; css3 for animations and transformations to save the mobile JS engine (and give better results); joapp.com; lighter weight than enyo.

Fabian Jakobs, @fjakobs
Cloud9IDE

Brian Cavalier
wire.js
Inversion control; “bootstrapper”; Aspect Oriented Programming (AOP) – augmentation of existing components (whether or not source code is available/controllable); Dependencies – integral, configurable, required, optional; Complements AMD by providing further flexibility; Ordering and promises; Connectors.

David Kaneda, @DavidKaneda
Sencha Touch
“Details Matter”; sass and compass.

Boris Bokowski, @bokowski
Orion Dev Environment
Use the web itself as a platform for tool aggregation; jsbeautifer.org, etc; eclipse.org/orion

Anton Kovalyo, @antonkovalyo
Code Quality Tools
Gofmt, pylint…; Linters and doc tools (MDC, Better JS); JSHint, a politer fork of JSLint;

Gaurav Seth, Microsfot
Chakra JS Engine
Better use of dual cores for JS processing/compiling; See IE9 dev guide; ecmascript.org – ecmascripttest262; IE10 now available.

Testing
FuncUnit; qunit;

Ray Morgan, @raycmorgan
App vs Web
Zappos; App = native, web = html5; “Native apps aren’t that hard to write”; “Native Apps are easy to get performant”; “Should mobile web really be trying to emulate native apps..?”; Beware broken expectations; Android vs iphone vs Windows; back to basics – semantic html; progressive enhancement – test on the older technologies; Usability and simplicity; Flickr does it right and captures what the web is about; Hashbang (and Google’s spec on); keep the web the web; flex box.

Dave Herman, @littlecalculist
Modules for JS.Next
Libraries are a language’s lifeblood; NPM; JavaScript basically hands you a chunk of clay and leaves it up to you; Module pattern – (function(global){…global.var=var={};}(window)); CommonJS on server side is taking off; for(i=0;…) = WRONG b/c of the leaked global; underscore.js; I/O; Next.Js lets you declare requires and pull them without blocking the main thread; harmony.js, next.js…; eval is NOT evil (though irresponsible/uneducated use of it may be); coffescript, scheme, examples of declaratively extending html with other languages.

Toby Ho, @airportyh
Tutti, Multiple Browser JS Testing

Adam Baldwin, @adam_baldwin
Security in Web Apps
CORS headers now allow for cross-domain scripting and this can screw you if you’re working with hash bang nav techniques; evilpacket.net; OWASP/ESAPI encoder; output encoding != validation; FF has new content security policy.

Dan Webb, @danwrong
Designing Non-Shit JS APIs
jQuery today is pretty much the defacto standard because, even though it’s cobbled together under the hood; its interface is amazing; A good API = predictability, simplicity, flexibility; Don’t buck language conventions or standards.

Thomas Fuchs, @thomasfuchs
Zepto Mobile Framework
All major JS frameworks we know/use today came out before phones had real browsers, so in developing for a single platform (essentially, what mobile is today with Webkit) get rid of the x-browser bloat/polyfills; proprietary features can be killer – WK’s document.querySelectorAll, for example, replaces a huge JS footprint and is faster; native JSON support; array iteration gets rid of loops FTW; Some functionality (window.resize, for example) is not meaningful/relevant in the mobile context; SO, don’t download a whold bunch of code that isn’t needed (though let’s have a fallback plan for if code is run on a non-WK browser) – Zepto provides easy mechanism for replacing itself with jQuery, for example; querySelectorAll returns a node list that Fuchs turns into an arracy with slice.call; ajax, events, css, polyfills, modular, and webkit only; basecamp mobile = zepto and backbone; Small is beautiful, easier to understand, and comes with less bugs; mustache.js, lawnchair.js, backbone.js; microjs.com.

Get (Vertical) Rhythm

Mon, 28 Mar 2011 17:25:05 +0000

The grid-based design behind much of today’s web was revealed to me a few years back as I was serving as in-house Technical Lead for a major corporate redesign. My team worked with designers from an external agency, and as their comps started coming across the wire it was quickly clear that visual components were being aligned to a four-column grid. Everyone liked the order and organization afforded by the grid. When it came time to turn comps into code we went with the 960.gs css framework and to this day, design and development of new solutions takes place within the context of the grid.

But with our approach we had, in effect, only treated one of the axes of a traditional grid system. Early conceptualization and prototyping often elicit the columns, or horizontal rhythm in our designs. We should realize, however, that the content that will occupy those columns will be subject to an intersecting rhythm. This is the vertical rhythm derived from typographic font sizes and line spacings.

Because of its dependence on document structure and multiple css rules, nailing vertical rhythm with an off-the-shelf solution is pretty hard to do. While there are frameworks that incorporate the notion of vertical rhythm, extra-framework css deviations by developers will often break the math, and therefore the grid. I think a more realistic (and less bloat-susceptible) approach is to simply keep an eye on the rhythm through development iterations. To that end, here’s a simple development tool that draws gridlines on a canvas overlaid on the page. Use it, get rhythm, gain control, and shed the bloat.

https://github.com/aaitken/Baseline

Kootenays

Alex — Mon, 07 Mar 2011 02:43:25 +0000

http://www.flickr.com/photos/59772570@N05/sets/721576261858…
https://picasaweb.google.com/JUSTINSVOBODA/ValhallaPowdercats
http://soundcloud.com/ses-one/ses-koots-roots-west-kootenay

Venn and the Art of Overlap Maximization

Alex — Wed, 09 Feb 2011 21:34:32 +0000

A couple of years back I half-yawned my way through a UXWeek breakout session on digital strategy led by Henning Fischer from Adaptive Path. Root cause analysis featured. The group also went through a couple of mock spending exercises. Then I remember a Venn Diagram that had me saying, “I have to remember this,” before I skipped out early for some San Fran Chinese.

The yawns weren’t Fischer’s fault – I was just in a time and place that made it hard for me to take the 30,000-foot view. But the Venn stirred in me a sense of recognition. It showed the overlap of teams involved in designing and making online products. If the groups weren’t labeled as they are above they were pretty close, and the spot in the middle, Fischer stressed, was where the tension of concerns was equal and the product was informed by its user advocates, and business and technical stakeholders.

Part of the reason perspective can be difficult, especially for members of in-house teams, is because we often subscribe to a sort of jingoistic world view that frames the pursuit of user/business/technical interests as a zero-sum competition. In effect, the Venn is subject to expansive, outward pressures as teams pursue their goals over the others.’ And in environments where one group has a disproportionate amount of power or control, this view ensures that that group’s concerns are disproportionately represented in the final product. Google’s products smell of engineering. Most others leave us wondering why registration is required before we’re offered content, or why they simply aren’t better…

If we’re able to do a 180 and turn from nationalists into globalists, the focus for all teams becomes maximization of the Venn overlap. Priorities continue to differ but they’re no longer at odds by definition. Business stakeholders recognize that UX, though notoriously difficult to quantify, is integral to the bottom line and the UX guys in turn seek counsel from their backend counterparts. Each region of the Venn is informed by the other two as UX goals become Business goals become Development goals. “What could be a four-step process has turned in to nine… Are we sure that the business value in users who complete these offsets the implied technical challenges and user inconvenience and fallout?” Constructive debate on that kind of question puts us on our way to the right balance of business and customer needs.

I’ve personally fallen into the trap of thinking I needed to defend UI/UX territory as part of my job. What I’ve later come to recognize-through experience, reading, conferences, and UCD course audits-is that even in environments that don’t invest heavily in user studies or research, that UI/UX region doesn’t belong to us but rather to the user. Acknowledgement of this reality can free today’s UI/UX designer to advocate on behalf of the user, but with unique insight into business and technical concerns-in other words, to take the 30,000-foot view. And in fact, as the designers of today’s digital products, this is our obligation. It’s up to us to be first into the overlap.

The three-legged stool
implementation, mental, and represented models

McNamara, 12-31-2010

Alex — Sat, 08 Jan 2011 05:50:23 +0000

Rear-wheel drive from Denver to Vail in surprise 12-30 storm.
5:45am 12-31 departure for 9:00am 0-degree Aspen trailhead.
REM, Dylan, Jimmy Vaughn, Son Volt, Tokyo Police.
21 skiers, 4.5 hours, 2,000 feet…
16 beds, 2 days, 42 ski boots.
East Coast Rockies time zone.
Sparklers and down coats.
Euker, Pigs, Celebrity, Comet, Jenga, Dice, Hearts…
Laphroaig, Red Bull, Vodka, Eggplant, Bacon, Pineapple Express.
Skins, skis, snow.
Blisters, tape, and short on joe.
Highlands Bowl…
And a wrinkle in time.
Thanks y’all… and Happy 2011!

A Form

Alex — Fri, 26 Nov 2010 04:39:10 +0000

Almost all applicatons we interact with on the web are form driven. User-supplied data in; system conclusion out. To be sure, a decade plus of experience and innovation has seen UX improve by leaps and bounds. But we’re still building forms, and to that end I always enjoy re-visiting the basic question of how to build them well. Here’s the essence of a recent stab.

Requirement

A conference registration form to be used by admins from attending schools to submit school info, names and details for event attendees, and attendee ‘Pre-Conference’ and ‘Institute’ choices for each of the conference’s three days. Form submittal delivers an email receipt to the admin as well as the conference organizers.

Challenges

Information There was a lot. From form submitters we required school info, point of contact info, attendees’ details and contact info, and attendees’ choices for each of the three days. We also needed to give a detailed breakdown of the choices along with cost information.
Accumulation The form needed to accommodate multiple attendees from a school, and track each attendee’s choices for each day of the conference.
Dependency While attendees would be able to choose only a single Pre-Conference or Institute for each of the first two days of the event, it would be possible to choose two Institutes for the third day. Possibilities for a second would depend on the choice made for the first.
Calculation Cost determinants include a school’s ‘member’ status, the number of attendees it sends, whether its attendees are also ‘presenters,’ and which sessions its attendees register for. Each of these variables needed to be tracked so that before form submission we can present summary info including total cost.
Validation …as always.

Solutions

Wizard & Segregation Chunking long forms in to steps with wizards is a tried and true approach that works well here. And rather than blur the line between information we are requesting and information we are delivering, we sharpen it with two distinct views (‘Conference Registration’ and ‘Conference & Registration Details’).
Adaptability We handle multiple attendees as they come, with a tabled layout. After an attendee has been entered with required info, we let the form user ‘Add Next Attendee’ by appending a new row to the table. With this approach we allow for an unlimited number of attendees but never present more fields than are required. In the single-page form, attendee session choices are recorded in a second table that synchs to the first.
Custom Controls Basically we want dropdowns with Pre-Conference/Institute options for each of the three days… except that for the last day, multiple selections may be valid. Here, a custom control emulates the standard dropdown but ties logic to each selection/un-selection so that the user can never make an invalid selection. For visual consistency and greater flexibility, we use a variation of this control for the first two days also.
JavaScript The language has always been great for client-side calculators. It still is.
Minimal, Sometimes Live Feedback We decided that valid emails were important and that beyond that, we simply wanted to enforce completion of required fields. This stripped down set of requirements meant we could deliver a single, standard message for all error scenarios. When an error message displays, validation switches to a ‘live’ mode that removes error indicators as source data is corrected.

Closing Notes

Some aspects of the design get a little bit cheated when presented in the iframe pulled up by the demo button above. For IE, we decided on requiring users to use another browser or else to install Google Chrome Frame. While Chrome Frame detection works from within the iframe, Chrome Frame itself apparently does not.

CSRF Protection via X-Browser jQuery Ajax Hijack

Alex — Thu, 28 Oct 2010 18:52:08 +0000

Cross-Site Request Forgeries (CSRF) exploit the trust that a site has within a user’s browser. By inducing clicks on links to sites where users are suspected to be authenticated, perpetrators can execute transactions under the umbrella of a user’s current session. Requiring newly generated parameter values with each new POST or GET is one way for programmers to protect against CSRF. But while implementing this requirement in page-driven applications is fairly straight-forward, ajaxified apps make things more complicated. The following approach lets us abstract the complications out of our day-to-day so we can code both currently and securely.

Instead of

bank.com/withdraw?account=bob&amount=1000000&for=mallory

we’re now going to require

bank.com/withdraw?account=bob&amount=1000000&for=mallory&csrfProtect=1234567890

where the csrfProtect value is updated with each server hit. As new pages are constructed on the application server, the csrfProtect parameter and latest value are appended to any static links or actions that kick off GETs or POSTs. Thus when legit users fire the requests from the pages returned to their browsers, they also supply a current csrfProtect value that signals all is aboveboard.

The complication in these being fired through ajax is twofold. First, for each request we need to dynamically detect and include a current csrfProtect value. Then on the response, because the app server isn’t given the chance to construct a new page, we need to iterate through in-page links and actions and update their parameter value.

The easiest way I’ve found to keep up with the changing csrfProtect value is to simply require it be supplied in any page that might instigate ajax requests, and as part of the data in any ajax response (in the code below, the value is transported with input[type=hidden].csrfProtect). With these hooks and a standardization of IE’s implementation in place, we can modify the XMLHttpRequest object’s prototype with a new csrfProtect property and a custom open method that intercepts and updates requests before they are sent to the server. jQuery’s ajaxComplete method keeps XMLHttpRequest.prototype.csrfProtect up-to-date and ready for the next request.

/*
in­clude jQuery
in­clude ht­tp://code.google.com/p/xm­l­ht­tpre­quest to stand­ard­ize XM­L­Ht­tpRe­quest as con­struct­or func­tion in IE<7 (info at ht­tp://www.il­in­sky.com/art­icles/XM­L­Ht­tpRe­quest/)
*/

//over­ride jQuery's de­fault IE<7 call for the Act­iveX ob­ject with stand­ard con­struct­or (avail­able to IE<7 via il­in­sky.com script)
$.ajax­Setup({
  xhr:func­tion(){re­turn new XM­L­Ht­tpRe­quest();}
});

(func­tion(){
  var $links,//in-page ele­ments whose csr­f­Pro­tect param value needs up­dat­ing on ajax re­sponses 
    b;//'?' or '&' de­pend­ing on if re­ques­ted URL already has params

  //Store off nat­ive XM­L­Ht­tpRe­quest.open as XM­L­Ht­tpRe­quest.nat­i­ve­Open
  XM­L­Ht­tpRe­quest.pro­to­type.nat­i­ve­Open = (func­tion(){
    re­turn XM­L­Ht­tpRe­quest.pro­to­type.open;
  }());

  //Re­define XM­L­Ht­tpRe­quest.open to in­ter­cept and modi­fy re­quest
  XM­L­Ht­tpRe­quest.pro­to­type.open = func­tion(){

    var a=ar­gu­ments;//ori­gin­ally sup­plied ajax ar­gu­ments

    //Mutate first in­stance (ini­tial re­quest) of XM­L­Ht­tpRe­quest with csr­f­Pro­tect prop­erty and value if 'csr­f­Pro­tect' class is found with­in the page
    if(!this.csr­f­Pro­tect&&$('.csr­f­Pro­tect').length>0){
      this.csr­f­Pro­tect=$('.csr­f­Pro­tect:eq(0)').val();
    }

    if(this.csr­f­Pro­tect){
      a[1]=a[1]+(func­tion(){a[1].in­dex­Of('?')>0?b='&':b='?';re­turn b}())+'csr­f­Pro­tect='+this.csr­f­Pro­tect;//ap­pend csr­f­Pro­tect para­met­er and value to re­ques­ted url
    }
    this.nat­i­ve­Open(a[0],a[1],a[2],a[3],a[4]);//open re­quest
  };

  $(win­dow).ajax­Com­plete(func­tion(event,xhr,set­tings){
    var csrf­Split=xhr.re­spon­se­Text.split('class="csr­f­Pro­tect" VALUE='),
      csr­f­Value;
    if(csrf­Split.length>1){
      csr­f­Value=csrf­Split[1].split('>')[0];
      this.XM­L­Ht­tpRe­quest.pro­to­type.csr­f­Pro­tect=csr­f­Value;
    }
    //up­date page links with latest csr­f­Pro­tect value
    $links.each(func­tion(){
      if(this.href){this.href=this.href.re­place(/csr­f­Pro­tect.*/,'csr­f­Pro­tect='+this.XM­L­Ht­tpRe­quest.pro­to­type.csr­f­Pro­tect);}//this re­place makes the as­sump­tion that csr­f­Pro­tect param and value are al­ways last in URL
    });

  });

  //links
  $(doc­u­ment).ready(func­tion(){
    $links=$('a');//modi­fy this se­lect­or and $(win­dow).ajax­Com­plete lo­gic per ele­ments that need up­dat­ing
  });
}());

The sleeper in this implementation is Sergey Ilinsky’s script, which not only exposes the XMLHttpRequest’s prototype property in IE but standardizes the ajax implementation across all browsers. In the code above we take advantage of the jQuery wrapper and methods because we’re working in a jQuery shop. XMLHttpRequest.js, however, gives us the same cross-browser access to ajax states that jQuery does. If we weren’t already incurring the jQuery overhead, we could achieve the same results with some slightly rawer JavaScript.

AlexAitken.net

Reboot with a Past Blast on SAAS

How one com­pany’s product-to-ser­vice evol­u­tion is open­ing new mar­kets and demo­crat­iz­ing the bank­ing sec­tor

Back­ground

Trans­form­a­tion Pro­cess

Out­come and Fu­ture Dir­ec­tions