You know how every once in awhile you’ll get asked a question that catches you completely off-guard because its simplicity demands a straightforward answer and yet none exists? I was meeting with the partners of a small company for a web project I’m doing the other day and one of the partners (who’s quite a bit older) asked me point-blank, “Sean- how do you know how to do all this stuff?” I considered for a moment launching into an explanation of RSS feeds and blogs, webinars, listservs, etc and then realized this is someone who doesn’t even use email, much less the more advanced communication channels of the internet. In the interest of not filling this guy’s head with a bunch of foreign technical jargon, I opted for the abridged explanation of “I’m self-taught.” But then I got to thinking that I have been asked the same question before by younger comp-sci majors who are moving into the field and I figured it warranted an attempt to break it all down and explain the guts of how we in the software industry learn what we know. This will be beneath other developers that happen to be reading this but here goes:

There’s a ton of ways to come at this explanation but I thought a useful perspective would be to break it down by communications channel (Of course there is no substitute for getting your hands dirty and actually playing with a technology yourself). Our attention is a limited resource that can only be divided amongst so many sources in a day. Given this limitation, how then is the best way to allocate our brain cycles in order to solve our complex problems, keep up with the latest technologies and methodologies and at the same time remain sane, human and happy? Having spent over seven years in the web app development industry I’ve knitted together a system which works well for me and incorporates about eight different mediums. Broken down by order of time allotment they are:

• Email – Undoubtedly the majority of my time is spent reading and writing emails. It may be unthinkable to some but I conduct all my email through a web interface using Gmail for work and Yahoo for personal email. Gmail is great for listservs and newsletters because of Google’s options for applying labels, filtering messages and threading conversations. Email encompases all list exchanges, newsletters and one-to-one personal communications with other developers.
• Web – Web browsing accounts for the next chunk of knowledge input and consists generally of highly-specific google searches for various error codes and phrases that usually lead to someone’s forum post on how they dealt with the exact same problem. I also use web to browse vendor’s sites and read developer zone tutorials and announcements they publish on their products. When I come across a helpful tutorial or refernce page I’ll bookmark it and come back to it later. There are a couple news sites I read regularly including Google News, Wired, Slasdot and Boing Boing. Del.icio.us is a recent gem I’ve found that uses social bookmarking to show what other people find useful. Technorati is supposedly the next greatest thing for unearthing information found in blogs but I haven’t caught that bug yet.
• RSS – “Really Simple Syndication” or what Firefox calls “Live Bookmarks” is huge part of my daily reading and allows me to monitor the ramblings of people I feel are wise and worth listening to. Rather than checking a bunch of sites regularly, I can subscribe to certain authors and the new content comes to me. I have a two-tier system to “triage” the various blog postings that I follow. I use Bloglines to aggregate a bunch of feeds and skim through the material for key stories of relevance. If a particular feed on bloglines has consistently high-quality information and the user comments are insightful and complement the authors post, I promote the feed to my Thunderbird RSS reader. Unlike Bloglines, Thunderbird doesn’t strip the formatting and it leaves the user comments inline with the post.
• Print – As high-tech as this world gets there will always be a place for paper and ink publications. Even in the face of downloadable ebooks and the promise of high-res ePaper, there is simply no substitute for having a reference book or a glossy magazine which you can leaf through, dog ear and pass along to friends. Finding the best books on a subject is usually a matter of asking around on a discussion list or reading Amazon reviews. I only subscribe to one magazine personally, though I read a couple others at my office like Law Office Computing and Law Technology News. Amazon recently added a concordance feature to their book reviews which could make an interesting way to thin-slice a book for its contents.
• Podcasts – I was a skeptic of the podcasts at first thinking “I can read this faster than I can listen to someone else talk about it,” but things like tone of voice, personality and emphasis just do not come through in an article. Think of podcasts like syndicated talk radio that you can subscribe to. I’m a big believer in cross-training and variety and I have found that listening to a few podcasts from ITConversations is a great way to stay ontop of new trends, get to know the voices in the industry and hear the authors that I read actually talking about their own books. This is the relative newborn for me having only discovered podcasts in the last couple months but I am appreciative of this channel because it lets me attend virtually the conferences that I couldn’t otherwise.
• Webinars – These are generally live product demos you get delivered via WebEx or Breeze. Think of it like someone giving you a presentation on a projector only it’s projected over the web to your computer and can incorporate interactivity like chat and desktop sharing. Comparitively I spend only a sliver of my total time in webinars (maybe one or two a month) but I have gained massive insight from a few webinars so I wanted to make sure they were included in this list.
• Conferences, Usergroups and Instructor-led Training – Much like paper publications, face-to-face interaction will always have its place in learning in the IT industry. Anyone who neglects the value of a dialogue with a teacher in person or shooting the shit with other developers over a beer is sadly deficient in an important element of this field. Conferences and Training can be expensive investments but usually have unforseen dividends that come in the form of personal connections that are established and continue well after the event. Usergroups are free and a great place to get a monthly barometer of what other fellow developers are doing and to launch into peripheral discussions about xboxes and other topics that are important to developers.

So that’s the “quilt of info channels” that keeps me warm in this industry. Ultimately, it’s playing with blocks first-hand and discovering through trial and error how things work that matters most. Jean Piaget’s model of assimilation and accomodation resonates for me as being a very simple yet helpful way to understand the way we understand. What did I forget? How do you learn what you know how to do?

It’s a sad day- apparently the comedian Mitch Hedberg died in his sleep last night. If you’ve heard any of Mitch’s stuff then you know how funny this guy was. Normally it doesn’t even phase me when I hear about famous people I’ve never met passing away but having seen Mitch live and heard a bunch of his stuff on CD, I felt like I knew him pretty well. I’m sure wherever Mitch is, he’s found some classic “stoner irony” to poke fun at. My favorite quote of his:

I think Pringles’ initial intention was to make tennis balls. But on the day that the rubber was supposed to show up, a big truckload of potatoes arrived instead. But Pringles, being a laid-back company, said “Fuck it… Cut ’em up.”

You can read some other funny quotes of his here. RIP Mitch.

Well I found out today that the article I was asked to write over Easter for Law Office Computing was rejected because it violates their editorial guidelines concerning “touting your own stuff” as a vendor (except that we’re not actually selling anything, the app is free). It was intended to be published in their May edition under the “Consultant’s Challenge” column but after going back and forth with their editor, we determined that given the nature of the issue, it made more sense for them to publish a news story on it rather than in the column for which I had written. Rather than scrap the article I figured I’d post it here – it is an pressing issue confronting lawyers right now and from the survey of our clients I conducted over the holidays, not many lawyers are even aware of it. The bottomline is that I wrote a simple application called Sentinel that greatly reduces the work involved for attorneys in maintaining compliance and my company is (for the time being) donating the service free to the legal community. Here is the article:

***********************

Solving OFAC Compliance for Attorneys

Sentinel provides an elegant solution for a daunting task

By Sean Tierney

In the wake of national crises like 9/11 and Enron, the government introduces legislation and creates regulations to reduce the likelihood of such disasters occurring in the future. Acts like Sarbanes-Oxley and the Patriot Act are implemented, businesses adapt to ensure they meet compliance and life goes on. In October, however, I had my ear to the rail and began hearing the rumblings of a new issue called “OFAC compliance” and the ” SDN list .” This type of compliance apparently was familiar to the financial sector but was a new concern for law firms. Cursory searches of the major search engines yielded no de facto solution for attorneys and with penalties as steep as $10mm in fines per violation, it was clear that this issue demanded attention. I began a rapid research project to gain an understanding of the problem and the potential solutions.

Background on the OFAC

The Office of Foreign Assets Control (“OFAC”) is a branch of the US Department of the Treasury tasked with the responsibility of enforcing sanctions against certain entities deemed to be “enemies of the United States .” It operates by freezing monetary assets in domestic jurisdiction to thwart activities of these entities thereby achieving foreign policy and national security goals. OFAC is the successor to the Office of Foreign Funds Control which was established at the onset of WWII for the purpose of blocking financial transactions that would otherwise have assisted the Axis powers. It functions today by publishing a list of approximately 5000 Specially-Designated Nationals and Blocked Entities (“SDN list”) and levying stiff penalties against anyone who conducts business with these entities. And “stiff” means “seven and eight-figure” stiff… Unknowing acceptance of monies from a entity on the SDN list is punishable by a $1mm fine per instance. Knowingly engaging in a financial transaction with one of these entities can result in a whopping $10mm fine and up to thirty years imprisonment for the individual responsible for the transaction.

Technical Challenges of Meeting Compliance

Okay, they had my attention with the part about the $10mm fines. The trouble now was that nowhere was there a clear definition of what constituted “proper compliance.” From reading the FAQ on their web site it appeared that it was a “don’t get caught” type of attitude. You have to be able to prove that you have taken “reasonable steps” to ensure on a continual basis that you are not dealing with clients who appear on the SDN list. But you could still scrutinize your client list daily and, if you end up accidentally taking on a bad client that happened to be using a pseudonym or spelled his/her name differently, you would have exposure. This challenge of vetting client names against the SDN was further compounded by the fact that most entities on the list were foreign names and had multiple aliases (about twenty each) and different permutations of spellings with odd characters (ever had to type the “schwa” character?). On top of all this, law firms’ client lists were evolving at the same time as the SDN list was changing. The OFAC provides no software searching tools to simplify the process of comparing names. According to their web site, their idea of “automation” for this task consisted of bookmarking their web page in Internet Explorer and monitoring for updates to the list via browser synchronization. To actually compare your client names against the list, OFAC recommends downloading a 1.5MB Adobe PDF file containing all the names and using the built-in “find tool” with each of your clients’ names and business names to scan one-by-one against the document, EACH time the SDN list is updated. The analogy here is that law firms are standing on a moving platform using a bow and arrow to shoot at a moving target and are expected to have laser-precision accuracy. At best, this SDN list review process could be considered cumbersome – more than likely, it could be considered entirely unrealistic and dysfunctional.

The Existing Options

Shunning the advice of the OFAC web site for manually comparing client names against the SDN list, I researched the other automated software solutions in existence. I came across Bridger Insight which is a subsidiary of ChoicePoint (the company that was recently in the news for accidentally selling 150,000 of its clients’ names to criminals). They offer a piece of software which runs on Windows that claims to (among other things) scan a client list against names on the SDN. It sounded promising so I downloaded their demo version and tried it out for myself. I was able to get it working immediately and it did, in fact, offer the ability to search specific names against the SDN from my desktop. Its interface, however, was less-than-intuitive and the steps required to scan a full list of clients against the SDN proved to be a perplexing task even for someone who is adept at using hundreds of different software programs. It ended up being a pretty involved hack that their tech support guided me through over the telephone to get it to scan my contacts. With a hefty price tag and recurring service fees associated with their product, I continued looking to see what other options were out there.

I came across another company called Attus Technology that made a product called ” Watchdog ” which sounded like it might be the answer. Unfortunately, I was never actually able to demo their product. I asked some difficult questions of their sales guy and mentioned that I was considering developing my own solution if I didn’t find one that I liked. I think he viewed me as a potential competitor because I was never given an evaluation version of their software. At any rate, their price tag was comparable to Bridger Insight’s and by this point I was beginning to think that for the features these products offered, they were severely over-priced and that with my programming background I might be able to solve this issue in a manner that lawyers would find more intuitive.

The “Sentinel” Solution

Arthur C. Clark once said “any sufficiently advanced technology is indistinguishable from magic.” Having written software myself, I share this ideal that good software is the kind that you never notice – it does its job transparently and you simply derive the benefits without having to alter your routine and learn new tricks to make it work. I set about writing an application that would run anywhere and allow any attorney to check his or her client list against the SDN and receive a concise report any potential matches it found. I had the following three goals:

1. The whole process should take no more than one minute from start to finish

2. Steps should be comprehensible to anyone with common sense

3. It should work with any operating system and the “lowest common denominator” format in which most attorneys store their client lists.

I chose the web as a delivery platform instead of creating a desktop application because it offered the advantages of being easier to maintain and averted OS compatibility issues. It’s also an easier sell to a security-conscious Network Administrator for an attorney to view a web page rather than install a downloaded binary executable on their PC. From my experience, nearly all law firms use Outlook for their email, contacts and calendaring. Outlook supports all types of import and export formats making it an attractive “hub” to target for this project (if people didn’t currently store their contacts in Outlook, it wouldn’t be terribly difficult to import them). Its pervasiveness and versatility of import formats made it the logical choice for the “common denominator” storage format for contacts.

Under the hood the Sentinel web application runs ColdFusion application server and a souped-up version of the Verity search engine called K2 . The web site that hosts the Sentinel application resides on a php-based opensource content management system called Mambo. I wrote a brief two-minute video tutorial that walks the visitor through the steps of how to check your Outlook contacts against the SDN using Sentinel. Basically, Sentinel grabs a fresh copy of the SDN each night, indexes the list in a database and awaits you to upload your client list. When you upload your clients, Sentinel scans each individual name and company name against its indexed copy of the SDN and reports back with your client list highlighting any potential matches in red. You can then drill down on offending records to get details on the matching records to investigate if it is in fact a true match. Searching is very fast – Sentinel can assimilate and compare a 1000 person client list against every SDN entity and each of its aliases under two seconds. The results page can be printed from the browser with the timestamp and archived for hardcopy proof of “reasonable” steps taken to ensure compliance. Best of all, Sentinel is currently offered free as a service to the legal community by my company, Legal Technology Consulting .

Room For Improvement

This one-minute process is clearly a major improvement over OFAC’s suggested method of screening names, however it still requires manual intervention on the part of the attorney and therefore doesn’t yet meet the “indistinguishable from magic” litmus test for advanced technology. Ideally this scan would occur automatically at a predefined interval and intelligently converse with a centralized billing and conflict management system behind the scenes and alert the appropriate person only when it finds a problem. Depending on the demand for such a tool, my company is prepared to allocate my time towards development of this system and to make it available for a reasonable fee. In the meantime Sentinel is currently offered free of charge on www.SDNCompliance.com . There is a concern I have heard voiced before that I wanted to address here “in order to use Sentinel client information must be transmitted in clear-text over HTTP to our server – isn’t that insecure?” To this objection I would respond by saying that it’s no more insecure than lawyers using unencrypted email to conduct sensitive communications with their clients. Unless you are currently using PGP for all email communications, this would be an unfounded complaint. Using SSL to encrypt the transmission of the client list to our server is certainly an option and one we will implement if the market demands it.

I welcome your feedback on the OFAC compliance process and the Sentinel service in particular and hope you find this free tool useful in your efforts to maintain compliance. To take part in an ongoing discussion of Sentinel-related questions, visit my personal blog at www.ScrollinOnDubs.com .