Christian Heilmann


[webfinds] Ethical performance, programming sucks and 101 bash tips

Wednesday, January 16th, 2019

As people complained that I post too many links to follow on Twitter (it is my stream of consciousness – as I find it, I post it), I’m starting to release these link lists every few days now. Hopefully that helps.

Old man aged 26 stating that being an engineer is not stressful at all


Web Development

Work inspiration

Not sure about the plumbing / toilet analogy, but this argument from New Dark Age about why learning to code is not enough is at least thought-provoking.
We need more people who are willing to travel that distance and build up the craftsmanship that produces great work. So take pride in your craft. Take interest in learning. And create great things.
This file is Good Code. It has sensible and consistent names for functions and variables. It’s concise. It doesn’t do anything obviously stupid. It has never had to live in the wild, or answer to a sales team. It does exactly one, mundane, specific thing, and it does it well. It was written by a single person, and never touched by another. It reads like poetry written by someone over thirty.


Meta stuff, long reads

A more complicated web

Tuesday, January 15th, 2019

One of the amazing things about the web used to be its simplicity. It was not too hard to become your own publisher on it. You either used one of the now defunct services like Geocities, Xoom, Apple Web Pages, Google Pages and so on… Or you got a server, learned about HTML and CSS and a dash of JavaScript and created your own site. Training materials were online and largely free and open.

The more important thing to me was there was a sense of adventure and exploration. Many of us took our first steps as web developers by changing colours on a GeoCities or NeoPets web site. We looked at the source code. We used what we had and made it work – no matter how convoluted. That way we discovered now-terrible ideas like layout tables or inline styles. There was no guide to follow – it was the thrill of beating the system and making it do something it wasn’t meant to. It was our cleverness that got us there – not picking from a huge offer of choices and finding one that does the job. I loved the times when online magazines about web design talked about CSS techniques like sliding doors and what image replacement technique to use and not “which is the best framework to get started” or “which browser is the fastest this month”.

A read-write web

The big success of the web is that everybody can take part and the barriers to entry were low. It was a read-write web, you learned the trade by using the medium. This was the big breakthrough. You didn’t learn sound production by listening to the radio. You didn’t learn how to make movies by watching TV. Old school media needed many experts to work together to produce the final product. On the web, things seemed much easier. And being able to peek under the hood with a view-source was a great opportunity.

This is still the idea of the indie web and there are many great ideas to be your own publisher. And – maybe even more importantly – the owner of your publishing platform and how your content gets to the end users. I consider this incredibly important but I am torn about what happens in that area.

I’m disappointed that we allowed self-publishing on the web to become a niche experience again. But the more problematic part to me is that outside the indie web movement there is a general call to go back to when the web was simpler and we can fight the siren song of Facebook by running our own blogs. First of all, fighting Facebook is fighting the most finely honed Skinner box and peer pressure machinery out there. Secondly, it is not as simple to run your own web site these days as it used to be.

The problem that I see though is that there is a romantic view of the realities of the web today. In the following few paragraphs I will point out a few things that broke along the way of the dream of an open and simple to contribute web. These are based on 20 years of experience in this field, working as a web developer, server admin, in security and on browsers and standards.

I don’t want them to discourage anyone from taking part in the web. But I am tired of the message that “everything was simpler back in the days” and that “we should go back to that”. Running a web site means you take on responsibility for your users and – to a degree – the open web. Any system is as weak as its weakest link.

The gamed web

The web isn’t a cool geek playground any longer. It is a vital part of everyday life. And decades of trying to find a way to monetise something open and decentralised took their toll. When I look back at when I started publishing on the web there was a genuine “build it and they will come”. Or, to be more precise, “write it and they will come” – as good content, structured in a clear way, was the big winner. To a degree, it still is, but the question is who will come.

Put an email link on the web and you will get 95% spam, 3% people trying to sell you their content services and 2% genuine requests. Have a comment option on your web product and things are worse. You will either have to share your content with a third party doing spam protection for you or drown in it. A huge part of web traffic these days is bots and scripts. Which is a downside of a simple system designed to be open.

Good content still gets you found. But it also invites a lot of people to quote, steal or find some other way to associate their – often terrible – products with it. It is damn easy to set up a web product full of scraped content with lots of link optimisation. Lazy SEO consultants have been doing it for years.

Take this blog. I have no uncertain words about it being my work, and that I don’t publish third party content. Yet I get about 50 emails a week of people offering me their articles, infographics or videos to publish for a link back. I even have been approached by companies in direct competition to the product I work on offering me money for each download of theirs.

Fact is that when you publish on your own site, you inherit a whole community of people you don’t want and you need to deal with them. You need to factor this time in.

The abused web

What we consider a way to express ourselves on the web – our personal web site – is a welcome opportunity for attackers. You may think that your little home on the web isn’t interesting to attackers. It probably isn’t. But it can be recruited as a part of a botnet or to store illegal and malicious content for re-distribution.

Publish any form or non-paranoid display of user-entered or URL data and you will have lots of hacking attempts. So we need to be constantly vigilant about this. It may look like nothing when a security tool shows a JavaScript alert on your page, but it isn’t. To an attacker this means they can access your server and store whatever they want, scan for more credentials and create their own users. Unless you have access to the server logs, you often don’t realise unauthorised use. Often with shared virtual hosting, you don’t. And even if you do but lack the tools or knowledge it can be months before you realise someone is abusing your server. I did.

Any chance to publish content is a possible attack vector. If you want to hear a real horror story about this, check out what Remy Sharp went through over the years with JSBin.

To put this in other words:

If it is easy for you to quickly FTP some content to your web product, it is easy for everybody.

Which brings me to the last part of our open web world.

A new level of technical complexity

Again, I don’t want to discourage people from taking part in the open web and I am 100% behind the message that we need to own our content. But I also want to make sure that when we tell people to do that, we also tell them about the responsibilities and dangers.

The web of old had a few attack vectors but now the game has changed. Our goal as web standards and browser makers shifted some time ago. It wasn’t only about offering and displaying web content. It was to match what native apps offered. This was a necessity to keep the web alive in a world of mobile devices. It had to answer the different challenges of mobile connectivity. That way we made the web a lot more complicated. We have databases, offline functionality and storage, workers and can use and create binary code in the browser. In CSS we have layout tools that aren’t abuse of position and float. We can generate and manipulate images with gradients, drop shadows and filters. We can generate sound and access cameras and sensors. It is a wonderful time to be a web developer.

One big change in this new functionality of the web was the extensible web manifesto. In it we rightfully demanded more transparency and access to the low-level functionality of browsers. We didn’t want “magical functionality” on the web that did things. We wanted more detailed access to how browsers work and how they show the things we defined in our markup. Thus we created a much more complex web. More access means more responsibility. And more responsibility demands more insight and knowledge.

Lately I got a few bug reports of scripts I wrote to work with HTML5 canvas. People complained that Chrome reported tainted canvas data not being available. It turns out that people downloaded my script and used it in a local file in the browser. Almost every newer API in the browser needs the page to be served over http, or even the safer https, for example by running a local server. This is now a given – and it means new developers need to step up, and we need to train them accordingly.
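A guard for the tainted-canvas reports described above, as an added example that is not the author's script. The names `taintReason` and `readPixels` are hypothetical, and the origin check is a simplified model of how Chrome decides whether canvas pixels may be read back.

```javascript
// Added example, not the author's script. A simplified model of the canvas
// "origin-clean" rule as Chrome applies it, plus a guarded pixel read.
const HINT_FILE = 'Page is opened from file://. Chrome gives such pages an ' +
  'opaque origin, so drawn images taint the canvas. Serve it from a local server.';
const HINT_CORS = 'Image is cross-origin. Set img.crossOrigin = "anonymous" ' +
  'and have the image host send Access-Control-Allow-Origin.';

// Predict whether drawing imageUrl on a page at pageUrl taints the canvas.
// Returns null when pixel reads stay allowed, otherwise a hint string.
// opts.crossOriginAttr / opts.serverSendsCors are assumptions the caller states.
function taintReason(imageUrl, pageUrl, opts = {}) {
  const page = new URL(pageUrl);
  const image = new URL(imageUrl, page);          // resolves relative paths
  if (image.protocol === 'data:') return null;    // data: images count as same-origin
  if (page.protocol === 'file:') return HINT_FILE;
  if (image.origin === page.origin) return null;  // same scheme, host and port
  if (opts.crossOriginAttr && opts.serverSendsCors) return null;
  return HINT_CORS;
}

// Read pixels without letting a SecurityError surface as an opaque failure.
// Any other exception is a real bug and is rethrown.
function readPixels(canvas, pageUrl) {
  const ctx = canvas.getContext('2d');
  try {
    const pixels = ctx.getImageData(0, 0, canvas.width, canvas.height);
    return { ok: true, pixels };
  } catch (err) {
    if (err && err.name === 'SecurityError') {
      const onFile = new URL(pageUrl).protocol === 'file:';
      return { ok: false, hint: onFile ? HINT_FILE : HINT_CORS };
    }
    throw err;
  }
}
```

In a page, call `readPixels(canvas, location.href)` and show the hint to the person running the script instead of failing silently.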

So, to me, there is no such thing as going back to the good old web where everything was simple. It never was. What we need now to match the siren call of closed garden publishers is making it easier to publish on the web. And to control your data and protect that of your users. This isn’t a technical problem – it is one of user interfaces, services and tools that make the new complexity of the web manageable. I’m tired of complaints about people using frameworks when there is a simpler alternative. I am tired of the argument of “too much JavaScript”.

Every feature of an interface isn’t an opportunity but a choice. And it costs some effort to blend it out when you don’t need it until you do. When we introduce new people to the web these days we often overwhelm them with an overload of choice. Freedom of choice should be a gift, not a burden.

Publishing on Medium, Facebook and LinkedIn is simple. It also comes with a pre-filtered audience and tools to control abuse. Self-publishing is better – no questions asked. But as of now, it is harder to do. It seems simple enough, but can get problematic soon. We have enough un-maintained, open-to-attack resources out there. All these started with the best intentions in mind but ran out of steam soon enough.

Own your content. Own your platform. But take your time to understand the risk. Learn how to be a good landlord for your words and thoughts by keeping their home in check.

This is where tooling comes in. Teaching new publishers on the web using an editor that lints and creates local servers for you is a great idea. Showing them tools that check their sites for interoperability, security and accessibility issues with explanations is a good idea. Getting people started with GitHub to host their projects and find a way to generate a static page from them is a good idea. I don’t want to see people using a file name as version control any longer and have no history of their work. Sure, they have the right to make life harder for themselves, but isn’t this about publishing content?

Four years at Microsoft

Wednesday, January 9th, 2019

LinkedIn this week reminded me that I am now four years at Microsoft. Technically, my first day in a meeting on a company machine was the 5th of February (as Rey Bango reminded me). It’s been quite a ride and I am still happy to work here.

When I started, I was curious if that works out. Coming from a fiercely open company like Mozilla back to a large corporate felt odd. I wanted to make a change where it matters. Internet Explorer was the boogeyman of the web development world, so I wanted to help phase it out. This, to a degree, worked out. More importantly though, during my journey I learned a lot of things I hadn’t before about large companies.

Here are a few things that kept me humble and interested over all these years. Some were a surprise, others shouldn’t be, but I think it is worthwhile mentioning them.

The sheer size of Microsoft is staggering

I was more or less told to spend my first few months in the company to get my bearing, to get to know the structure and network internally. This sounds like overkill or bad organisation, but it is not. It is pretty straightforward to find people you need to know on the Intranet and in Teams. But, to forge some meaningful connections, it is important to put more effort in. It surprised me to get this opportunity, but it helped a lot with my career. Far more companies should allow people to do so. In the long run, this can help with employee retention.

That said, I still have no clue what some departments in the company are doing. Microsoft has its fingers in many pies, and works with a lot of different customers. We do hardware, write software, provide connectivity and hosting, education, research and consulting services. Some departments are around for a long time and can’t change without annoying their customers. Others are on the bleeding edge and it is OK to build something that will never be a commercial success. And then there is the whole entertainment and gaming part that I have no clue whatsoever about.

The great thing about this is that it helps with diversity and it brings a grown-up attitude to work. When you walk around the company you find all kinds of people.

  • You meet the amazing young people who innovate fearlessly.
  • You meet researchers that don’t touch code but work on ideas and concepts.
  • You meet wise old sages of the network stack and people who invented languages people use right now.
  • You meet interns and supported students
  • You meet people from all over the world and from different local offices coming to the main campus for meetings
  • You meet partners and clients

There is no shortage of creative work and releases of products. But there is a lack of “work yourself to death because it is cool” attitude we often see as a great sign of an up and coming company. Meetings are short and to the point. Work hours aren’t quite fixed, but it is rare to see people late in the office. You are encouraged to take breaks and vacation. It pretty much feels like a company that invests in you for the long run. Some people have been here for dozens of years.

This diversity of options also means that there is always an option to move sideways to other departments of the company. Of all the “I am leaving” emails I got in the last years, only 2% were people leaving the company. The others were all people moving to a different department. Often doing something completely different, but without having to start new. They keep their contract, compensation, shares and bonuses that accumulate over time.

I like this as it is relaxing. You know there are other options when you are annoyed with what you do now.

Microsoft reaches where I never could before

The amount of day to day operations of our world that Microsoft works in is ridiculous. When I thought that in my little “web world” the company is not that important any longer I was wrong. I learned that a lot of what we consider as innovative and success is not having much impact. The cool tech praised on hacker news today can quickly be forgotten.

There is a vast world of software developers and systems out there that we as people who want the web to be the platform never heard about or reach. People who build amazing and important things and do not keep up to date like we do. People who see this as a job and spend time outside the office with their families and hobbies. People not falling for the “side hustle” we proclaim to be oh so important. People whose products customers rely on to work without knowing or caring how they work.

This size and impact multiplies with the third party companies that resell and use Microsoft technology. I’ve been to internal conferences where everybody around me was an expert in our technologies. All these people were working for small companies or freelance consultants. I had no idea what most of them talked about and wondered how I never thought that could be a career for me. You can have a decent living creating with Microsoft products without ever having to code much yourself. Same with Amazon, IBM, Oracle or Google. A sobering fact to me were the training materials these developers can use to learn how to use product XYZ. They are outstanding and blow away anything I’ve seen for web technologies. Maybe we can learn something there. You don’t need to be an expert and work all the magic when the products you use are reliably supported and explained well.

Working remote is fun – and hard

I work remote, my office is my sofa or my kitchen table and my only local colleague a deaf, 14 year old cocker spaniel. I also work in the Berlin time zone, whereas most of my colleagues work in Washington. I could go to one of the offices here, and sometimes I need to – f.e. to set up new hardware or fix VPN issues. I’m lucky in that regard, not many people in Microsoft work from home, but the number is increasing.

I like this freedom, but I also realise that it can be a burden on my colleagues. That’s why I try to be flexible with my work hours and sometimes start in the early afternoon and end at midnight. That way I can attend meetings (on Teams) with my colleagues and work on what they created during their day until they come back.

I found out though that it is important to meet face to face every few months and I am flexible to fly over to do so. That way I realise that when people are late for a meeting at 7pm my time there are reasons. They don’t consider me unimportant – they are stuck in horrible traffic on the way to work. It is also important to be in the office from time to time to see how people work there. The Microsoft campus is overwhelming at first. You need a car or take buses or company owned taxis to get around and in between buildings. You realise why sometimes your requests aren’t handled immediately when you need to navigate it yourself.

Anyone working remote needs to put some more effort in to make it work for the others. That’s my opinion – not a company policy. Remote workers should be a calming agent in the interplay of colleagues, not someone who has lots of demands. Often I found myself being able to give advice to colleagues about their career as I am not in the middle of the office hustle.

Education is paramount

One of the things I want to do more is to take advantage of our internal training tools. There is a ridiculous amount of courses and video content you can consume to learn new skills. Not only Microsoft ones, but including subscriptions to Pluralsight, and the likes. In our quarterly reviews you are always asked to challenge yourself to learn more and things you haven’t done before. You get time to do so, but you also need to prove that you took the classes and did something with it. I should do a lot more of that.

Our internal trainings are great. This sounds odd as you hardly ever hear people having a great time learning about corporate security standards, code of conduct or legal requirements for working with clients. But our materials are outstanding. They are professionally produced video series with transcripts, captions and actually good acting. Instead of telling you what not to do in a hypothetical scenario many are based on real happenings in the past. So you learn how someone almost lost their job and went to jail because he didn’t think something was bad that actually is. Think of a Netflix mini series with tests at the end.

Things that didn’t happen

All in all, I’ve had a great time so far at Microsoft. Of course, there are office politics, re-organisations and sometimes odd paperwork to do. But I found that there is a place for an outspoken open source, open web person here. I was never asked to only promote Microsoft products. I am not forced to use Windows only. I am allowed to keep my personal channels like this blog and my crazy Twitter account. I don’t need to wear company attire. And I don’t need to apply for a patent for all my code or release it behind closed doors. There is a lot of open source work happening here, and I am happy about that.

Right now, there is a lot of change happening and the times ahead are interesting indeed. I am looking forward to these challenges. And we are hiring a lot, soon. AMA :)

[webfinds] ML and security, Pixel Fire and your best work time

Wednesday, January 9th, 2019

As people complained that I post too many links to follow on Twitter (it is my stream of consciousness – as I find it, I post it), I’m starting to release these link lists every few days now. Hopefully that helps.




  • Automatic visual diffing with Puppeteer is a simple explanation by the amazing Monica Dinculescu
  • Blobmaker is a tool to create organic shape blobs and save them as SVG (saving doesn’t work in Edge, at the moment)
  • RRWeb is an open source web session replay library, which provides easy-to-use APIs to record user’s interactions and replay it remotely.

Misc Tips

Geek shit



  • Algorithms by Jeff Erickson – This web page contains a free electronic version of my (soon to be) self-published textbook Algorithms, along with other lecture notes I have written for various theoretical computer science classes at the University of Illinois, Urbana-Champaign since 1998.

Mental health and working

  • New Office Hours Aim for Well Rested, More Productive Workers – one of the big new(ish) topics is that of personalized biological rhythm known as “chronotype”. Basically this means that we all tick differently – some of us are more effective in the morning and others in the wee hours of the morning. That leads some companies to put people on different shifts. More information about the chronotype is also in the morning lark or night owl article of the World Economic Forum.

2018 in events and trips

Tuesday, January 8th, 2019

I just did a quick round-up of my events and trips in 2018, and despite me promising myself to do less, it tallies up to quite a bit. Here is my 2018, and I am not quite sure if I haven’t missed some bits and bobs:




  • MVP Summit – a Microsoft event for Most Valuable Partners/Programmers
  • PAX Day – a planning event with the team I was with back then
  • Techdays Finland – again a Microsoft centric event, but great fun.



  • Beyond Tellerrand Duesseldorf – a must, every year
  • //build – Microsoft’s flagship event for developers
  • Influencer Day – this is an event we run right after build where we invite selected people to peek under the hood and have meetings with our development teams for candid conversations
  • We are Developers Vienna – as described in my blog post I gave a workshop, the opening keynote, acted as MC and took part in a panel about artificial intelligence and ethics


  • NDC Oslo – I love this event, great crowd and super speaker community
  • EnterJS Darmstadt – this is the first time I did that one, an enterprise-ish, German JavaScript conference. I got a lot of good leads from that one, giving the opening keynote and a talk I think :)


  • Video Shoots One Dev Question – these are a great format, where you get one question to ask in videos of 2 minutes’ length tops, so that they can be put in tweets. I shot a series for Webhint and another for VSCode. I’ll do more of those.




  • Web Unleashed Toronto was my first time at an FITC event, and I will be back this year, they do a great job. My notes and resources are here.
  • Nuremberg Web Week was an odd one, as I was asked by people of the local government to present there. It was great as my family lives nearby, so I could bring my nephew.
  • DevFest Nantes – this was one of the biggest DevFests and interesting to present there. I got really good feedback for the keynote.
  • TDC Trondheim – I was there once before and very happy to come back. Again I did a lot of work and had a great time seeing some surprising talks


  • DevRel Summit Singapore was insightful, I wrote in great detail about my findings there
  • BTConf Berlin – I didn’t present, but helped with the warm-up
  • Halfstack London – good show, always, as I explained in my post
  • Codemotion Berlin – I was let down by Codemotion events in the past, but this one really worked, as I explained in the post here
  • DotJS Paris – I went to man the Microsoft booth there, but this year I shall be back to present :)


  • We are Developers AI Congress – I went back to Vienna to give the opening talk and MC the AI Congress for the two days. Some really great material there.
  • FHWS Wuerzburg – I went to the place I grew up to give a guest lecture at the university I would have gone to had I chosen to pursue a degree :)

All in all a nice, full year, and I managed to squeeze a few more podcasts, a book chapter and some articles in magazines, too. Don’t try this at home. It is exhausting, but I am happy that I have these opportunities to work with so many amazing people.
