Coding Horror

programming and human factors

Computer Crime, Then and Now

I've already documented my brief, youthful dalliance with the illegal side of computing as it existed in the late 1980s. But was it crime? Was I truly a criminal? I don't think so. To be perfectly blunt, I wasn't talented enough to be any kind of threat. I'm still not.

There are two classic books describing hackers active in the 1980s who did have incredible talent. Talents that made them dangerous enough to be considered criminal threats.

The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage
Ghost in the Wires: My Adventures as the World's Most Wanted Hacker

Cuckoo is arguably the first case of hacking that was a clearly malicious crime circa 1986, and certainly the first known case of computer hacking as international espionage. I read this when it was originally published in 1989, and it's still a gripping investigative story. Cliff Stoll is a visionary writer who saw how trust in computers and the emerging Internet could be vulnerable to real, actual, honest-to-God criminals.

I'm not sure Kevin Mitnick did anything all that illegal, but there's no denying that he was the world's first high profile computer criminal.

[Image: Kevin Mitnick FBI wanted poster]

By 1994 he made the FBI's 10 Most Wanted list, and there were front page New York Times articles about his pursuit. If there was ever a moment that computer crime and "hacking" entered the public consciousness as an ongoing concern, this was it.

The whole story is told in minute detail by Kevin himself in Ghost in the Wires. There was a sanitized version of Kevin's story presented in Wizzywig comix but this is the original directly from the source, and it's well worth reading. I could barely put it down. Kevin has been fully reformed for many years now; he wrote several books documenting his techniques and now consults with companies to help improve their computer security.

These two books cover the genesis of all computer crime as we know it. Of course it's a much bigger problem now than it was in 1985, if for no other reason than there are far more computers far more interconnected with each other today than anyone could have possibly imagined in those early days. But what's really surprising is how little has changed in the techniques of computer crime since 1985.

The best primer of modern – and by that I mean year 2000 and later – computer crime is Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground. Modern computer crime is more like the classic sort of crime you've seen in black and white movies: it's mostly about stealing large sums of money. But instead of busting it out of bank vaults Bonnie and Clyde style, it's now done electronically, mostly through ATM and credit card exploits.

Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground

Written by Kevin Poulson, another famous reformed hacker, Kingpin is also a compelling read. I've read it twice now. The passage I found most revealing is this one, written after the protagonist's release from prison in 2002:

One of Max’s former clients in Silicon Valley tried to help by giving Max a $5,000 contract to perform a penetration test on the company’s network. The company liked Max and didn’t really care if he produced a report, but the hacker took the gig seriously. He bashed at the company’s firewalls for months, expecting one of the easy victories to which he’d grown accustomed as a white hat. But he was in for a surprise. The state of corporate security had improved while he was in the joint. He couldn’t make a dent in the network of his only client. His 100 percent success record was cracking.

Max pushed harder, only becoming more frustrated over his powerlessness. Finally, he tried something new. Instead of looking for vulnerabilities in the company’s hardened servers, he targeted some of the employees individually.

These “client side” attacks are what most people experience of hackers—a spam e-mail arrives in your in-box, with a link to what purports to be an electronic greeting card or a funny picture. The download is actually an executable program, and if you ignore the warning message

All true; no hacker today would bother with frontal assaults. The chance of success is minuscule. Instead, they target the soft, creamy underbelly of all companies: the users inside. Max, the hacker described in Kingpin, bragged "I've been confident of my 100 percent [success] rate ever since." This is the new face of hacking. Or is it?

One of the most striking things about Ghost In The Wires is not how skilled a computer hacker Kevin Mitnick is (although he is undeniably great), but how devastatingly effective he is at tricking people into revealing critical information in casual conversations. Over and over again, in hundreds of subtle and clever ways. Whether it's 1985 or 2005, the amount of military-grade security you have on your computer systems matters not at all when someone using those computers clicks on the dancing bunny. Social engineering is the most reliable and evergreen hacking technique ever devised. It will outlive us all.

For a 2012 era example, consider the story of Mat Honan. It is not unique.

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password and then reset it to do the damage to my devices.

I heard about this on Twitter when the story was originally developing, and my initial reaction was skepticism that anyone had bothered to brute force anything at all, since brute forcing is for dummies. Guess what it turned out to be. Go ahead, guess!

Did you by any chance guess social engineering … of the account recovery process? Bingo.

After coming across my [Twitter] account, the hackers did some background research. My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.

Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com. Jackpot.

Since he already had the e-mail, all he needed was my billing address and the last four digits of my credit card number to have Apple’s tech support issue him the keys to my account.

So how did he get this vital information? He began with the easy one. He got the billing address by doing a whois search on my personal web domain. If someone doesn’t have a domain, you can also look up his or her information on Spokeo, WhitePages, and PeopleSmart.

Getting a credit card number is trickier, but it also relies on taking advantage of a company’s back-end systems. … First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.
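The "industry's published self-check algorithm" the quote refers to is the Luhn checksum (ISO/IEC 7812-1). As an added example that is not part of the original post or of Wired's reporting, the Python below implements that check and shows what it does and does not prove: it is a typo filter with no secret in it, so "passes the check" must never be read as "this card exists" or "this caller holds it." The sample numbers and the seeded random strings are constructed for the example.

```python
"""Added example, not from the original post or from Wired: the "industry's
published self-check algorithm" in the quote is the Luhn checksum
(ISO/IEC 7812-1). This shows what the check does and does not prove, so a
recovery or billing flow never treats "passes Luhn" as "verified"."""

import random


def luhn_checksum_ok(number: str) -> bool:
    """Return True if the digit string satisfies the Luhn mod-10 check.

    Luhn is an error-detecting code: it catches any single mistyped digit
    and most swaps of adjacent digits. It contains no secret, so it cannot
    tell a real card from a made-up number of the right shape.
    """
    digits = number.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit()) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold a
    # two-digit product back to one digit (e.g. 18 -> 9, i.e. subtract 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_pass_rate(samples: int, seed: int = 1) -> float:
    """Fraction of uniformly random 16-digit strings that pass the check.

    Constructed input: the strings come from a seeded PRNG, not from any
    real card data. The result sits near 0.1 because the check rejects
    only nine in ten arbitrary strings; it filters typos, it does not
    establish that a card exists or belongs to the caller.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        candidate = "".join(str(rng.randrange(10)) for _ in range(16))
        if luhn_checksum_ok(candidate):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    print(luhn_checksum_ok("4539 1488 0343 6467"))   # well-known test number
    print(luhn_checksum_ok("4539 1488 0343 6476"))   # last two digits swapped
    print(round(luhn_pass_rate(10000), 3))
```

The practical consequence for a verification step: a card number that passes this check has cleared a one-in-ten filter and nothing more, and the last four digits it yields are a value that, as the Amazon-to-Apple chain shows, other services will readily reveal. Neither belongs on the list of things that prove who is calling.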

Phobia, the hacker Mat Honan documents, was a minor who did this for laughs. One of his friends is a 15 year old hacker who goes by the name of Cosmo; he's the one who discovered the Amazon credit card technique described above. And what are teenage hackers up to these days?

Xbox gamers know each other by their gamertags. And among young gamers it’s a lot cooler to have a simple gamertag like “Fred” than, say, “Fred1988Ohio.” Before Microsoft beefed up its security, getting a password-reset form on Windows Live (and thus hijacking a gamer tag) required only the name on the account and the last four digits and expiration date of the credit card on file. Derek discovered that the person who owned the “Cosmo” gamer tag also had a Netflix account. And that’s how he became Cosmo.

“I called Netflix and it was so easy,” he chuckles. “They said, ‘What’s your name?’ and I said, ‘Todd [Redacted],’ gave them his e-mail, and they said, ‘Alright your password is 12345,’ and I was signed in. I saw the last four digits of his credit card. That’s when I filled out the Windows Live password-reset form, which just required the first name and last name of the credit card holder, the last four digits, and the expiration date.”

This method still works. When Wired called Netflix, all we had to provide was the name and e-mail address on the account, and we were given the same password reset.

The techniques are eerily similar. The only difference between Cosmo and Kevin Mitnick is that they were born in different decades. Computer crime is a whole new world now, but the techniques used today are almost identical to those used in the 1980s. If you want to engage in computer crime, don't waste your time developing ninja level hacking skills, because computers are not the weak point.

People are.


I Was a Teenage Hacker

Twenty-four years ago today, I had a very bad day.

On August 8, 1988, I was a senior in high school. I was working my after school and weekend job at Safeway as a cashier, when the store manager suddenly walked over and said I better stop ringing up customers and talk to my mother on the store phone right now. Mom told me to come home immediately because, well, there were police at the front door asking for me with some legal papers in hand.

He did unlawfully between June 7, 1988 and June 8, 1988 use a computer or computer network without authority and with the intent to temporarily or permanently remove computer data, in violation of Section 18.2-152.4 of the 1950 Code of Virginia, as amended.

Like I said, definitely not a good day. The only sliver of good news was that I was still 17 at the time, so I enjoyed the many protections that the law provides to a minor. Which I shall now throw away by informing the world that I am a dirty, filthy, reprehensible adult criminal. Thanks, law!

One of the problems you had in the pre-Internet 1980s as a hardcore computer geek was that all the best bulletin boards and online services were kind of expensive. Either because you had to pay an hourly fee to access them, like CompuServe, or because they were a long distance modem call. Or both. Even after the 1984 AT&T breakup, long distance at around 20-30 cents a minute was a far, far cry from today's rates. (Does anyone actually even worry about how much voice calls cost any more, to anywhere in the world? This, my friends, is progress.)

Remember, too, that this is back when 9600 baud modems were blazing, state of the art devices. For perspective, the ultra-low-power wireless bluetooth on your phone is about 80 times faster. If you wanted to upload or download any warez software, that meant potentially hours on your modem at rates of around $20/hour. Adjusted for inflation, that's closer to $40 in 2012 dollars. My family wasn't well off enough to afford a second telephone line, so most of my calling was done late at night both because the rates were lower, and also so that I wouldn't be monopolizing the telephone. Nothing was worse than the dreaded "mom picked up the phone" disconnect to an elite difficult-to-access BBS with limited slots.

One way or another, I eventually got involved with the seedier side of the community, even joining a lesser Apple // pirate group. Probably my main claim to fame is that while trolling BBSes, I personally discovered and recruited a guy who turned out to be an amazing cracker. He was so good he eventually got recruited away.

[Image: Psi 5 Trading Company]

I was, at best, a footnote to a footnote to a footnote in Apple // history. This was mainly a process of self-discovery for me. I learned I was the type of geek who doesn't even bother attending his high school prom, partially because I was still afraid of girls even as a high school senior, yes, but mainly because I was so addicted to computers and playing my tiny role in these nascent online communities. I was, and am, OK with that. This is the circuitous path of 30 years that led me to create Stack Overflow. And there's more, so much more, but I can't talk about it yet.

But addicted, I think, is too weak a word for what I felt about being a part of these oddball, early online home computer communities. It was more like an all-consuming maniacal blood lust. So obtaining access to free, unlimited long distance calling rapidly became an urgent priority in my teenage life. I needed it. I needed it so bad. I had to have it to talk on the phone to the other members of my motley little crew, who were spread all over the USA, as well as for calling BBSes.

I can't remember exactly how I found it, probably on one of the BBSes, but I eventually discovered a local 804 area code number for "calling cards" that accepted a 5 digit PIN, entered via touch-tone phone. Try over and over, and you might find some valid PIN codes that let you attain the holy grail of free long distance calling. Only one small problem: it's a crime. But, at least to my addled teenage brain, this was a victimless crime, one that I had to commit. The spice must flow!
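The defender's side of that scheme, as an added example that is not from the original post or from the Hacking Construction Set: a gate that accepts any issued 5-digit PIN but locks each calling source out after a few consecutive misses, plus the arithmetic showing why a five-digit space was never a defense on its own. The policy constants, the sample PINs and the source identifiers are constructed for the example.

```python
"""Added example, not from the original post: a defender's model of the
5-digit calling-card PIN check described above. Policy constants, sample
PINs and source identifiers are constructed for this example."""

import hmac
import time

PIN_LENGTH = 5
MAX_FAILURES = 5            # consecutive misses allowed per source (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # lockout window after that (assumed policy)


class ManualClock:
    """Deterministic clock so the example runs offline and repeatably."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class PinGate:
    """Accepts any PIN from the issued set; throttles per calling source.

    A calling-card access number had no account to lock, so the throttle
    key has to be the source of the attempts (here a string naming the line).
    """

    def __init__(self, valid_pins, clock=time.monotonic):
        self._valid = set(valid_pins)
        self._failures = {}       # source -> consecutive failures
        self._locked_until = {}   # source -> clock time when lockout ends
        self._clock = clock

    def _matches(self, pin):
        # Compare against every issued PIN, each in constant time, so the
        # response time does not reveal how close a guess came.
        hit = False
        for valid in self._valid:
            hit |= hmac.compare_digest(valid, pin)
        return hit

    def attempt(self, source, pin):
        now = self._clock()
        if self._locked_until.get(source, 0.0) > now:
            return "locked"
        well_formed = len(pin) == PIN_LENGTH and pin.isascii() and pin.isdigit()
        if well_formed and self._matches(pin):
            self._failures[source] = 0
            return "ok"
        fails = self._failures.get(source, 0) + 1
        if fails >= MAX_FAILURES:
            self._locked_until[source] = now + LOCKOUT_SECONDS
            self._failures[source] = 0
            return "locked"
        self._failures[source] = fails
        return "denied"


def expected_guesses(valid_count, pin_length=PIN_LENGTH):
    """Mean number of distinct guesses until the first hit when `valid_count`
    PINs out of 10**pin_length are issued and nothing throttles the caller."""
    return (10 ** pin_length + 1) / (valid_count + 1)


def max_guesses_per_day(max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
    """Most guesses one source can make in a day under the lockout policy."""
    return (86400 // lockout_seconds) * max_failures


def demo():
    """Walk one source into lockout and show the lock expiring; returns the
    sequence of gate responses."""
    clock = ManualClock()
    gate = PinGate(["12345", "90210"], clock=clock)   # constructed sample PINs
    results = [gate.attempt("line-A", "%05d" % i) for i in range(6)]
    results.append(gate.attempt("line-A", "12345"))  # correct, but still locked
    clock.advance(LOCKOUT_SECONDS + 1)
    results.append(gate.attempt("line-A", "12345"))  # lock has expired
    results.append(gate.attempt("line-B", "90210"))  # other source unaffected
    return results


if __name__ == "__main__":
    print(demo())
    print("expected guesses with 100 issued PINs:", round(expected_guesses(100)))
    print("guesses per source per day under lockout:", max_guesses_per_day())
```

Two things fall out of the numbers. With a hundred PINs issued out of a hundred thousand, an unthrottled caller expects a hit in about a thousand guesses, which is the "try over and over" the text describes. With the lockout above, one source gets 480 guesses a day, so a patient caller still expects a hit in a couple of days from a single line; throttling per source narrows the problem but only a larger secret space, or a second factor tied to the caller, closes it.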

All I had to do was write software to tell the modem to dial over and over and try different combinations. Because I was a self-taught programmer, this was no problem. But because I was an overachieving self-taught programmer, I didn't just write a program. No, I went off and built a full-blown toolkit in AppleBasic, with complete documentation and the best possible text user interface I could muster, and then uploaded it to my favorite BBSes so every other addict could get their online modem fix, too. I called it The Hacking Construction Set, and I spent months building it. I didn't just gold plate, I platinum plated this freaking thing, man. (Yes, I know the name isn't really correct. I read as many 2600 textfiles as the next guy. This is mere phreaking, not hacking, but I guess I was shooting for poetic license. Maybe you could use the long distance dialing codes to actually hack remote machines, or something.)

I never knew if anyone else ever used my little program to dial for calling codes. It certainly worked for me, and I tried my level best to make it work for all the possible dialing situations I could think of. It even had an intro screen with music and graphics of my own creation. But searching now, for the first time in 24 years, I found my old Hacking Construction Set disk image on an Apple ROM site. It even has real saved numbers in the dialing list! Someone was using my illicit software!

[Image: Hacking Construction Set]

If you're curious, fire up your favorite Apple // emulator and give the disk image a spin. Don't forget to connect your modem. There's full blown documentation accessible from the main menu. Which, re-reading now, was actually not half bad, if I do say so myself:

[Images: Hacking Construction Set documentation]

I used to regularly call BBSes in Florida, California, and Missouri? That's news to me; I haven't seen any of this stuff in over 24 years! All I did was upload a disk image to a few BBSes in 1986. After all that time, to discover that someone used and loved my little bit of software still gives me a little thrill. What higher praise is there for a software developer?

About that trouble. Using my own software got me in trouble with the law. And deservedly so; what I wrote the software to do was illegal. I hired a local lawyer (who, as I recall, was missing a hand; he had a prosthetic hand that was almost impossible not to look at) who represented me. It was quite clear at preliminary hearings that the Chesterfield County court system did not see any computer crime cases, and they had absolutely no idea what to make of me, or what this was all about. All they saw was a smart kid with a bit of bad judgment who loved computers and was headed to the University of Virginia, most likely not a life as a career criminal. So the case was dismissed for the cost of lawyer's fees. Which, for the record, I had to pay myself, using my income as a Safeway cashier.

This was definitely a wake up call for me; in the summer of 1988, I was about to graduate from high school, and I thought I'd try being just a regular guy at college, with less of the obsessive focus on computers that got me in trouble with the law, and perhaps spread my wings to other interests. Who knows, maybe even girls!

That didn't last long. Because after all these years, I must confess I've grown to love my own bad judgment. It's led me to the most fascinating places.


Today is Goof Off at Work Day

When you're hired at Google, you only have to do the job you were hired for 80% of the time. The other 20% of the time, you can work on whatever you like – provided it advances Google in some way. At least, that's the theory.

Google's 20 percent time policy is well known in software engineering circles by now. What's not as well known is that this concept dates all the way back to 1948 at 3M.

In 1974, 3M scientist Art Fry came up with a clever invention. He thought if he could apply an adhesive (dreamed up by colleague Spencer Silver several years earlier) to the back of a piece of paper, he could create the perfect bookmark, one that kept place in his church hymnal. He called it the Post-It Note. Fry came up with the now iconic product (he talks to the Smithsonian about it here) during his "15 percent time," a program at 3M that allows employees to use a portion of their paid time to chase rainbows and hatch their own ideas. It might seem like a squishy employee benefit. But the time has actually produced many of the company's best-selling products and has set a precedent for some of the top technology companies of the day, like Google and Hewlett-Packard.

There's not much documentation on HP's version of this; when I do find mentions of it, it's always referred to as a "convention", not an explicit policy. Robert X. Cringely provides more detail:

Google didn’t invent that: HP did. And the way the process was instituted at HP was quite formal in that the 10 percent time was after lunch on Fridays. Imagine what it must have been like on Friday afternoons in Palo Alto with every engineer working on some wild-ass idea. And the other part of the system was that those engineers had access to what they called “lab stores” — anything needed to do the job, whether it was a microscope or a magnetron or a barrel of acetone could be taken without question on Friday afternoons from the HP warehouses. This enabled a flurry of innovation that produced some of HP’s greatest products including those printers.

Maybe HP did invent this, since they've been around since 1939. Dave Raggett, for example, apparently played a major role in inventing HTML on his 10% time at HP.

Although the concept predates Google, they've done more to validate it as an actual strategy and popularize it in tech circles than anyone else. Oddly enough, I can't find any mention of the 20% time benefit listed on the current Google jobs page, but it's an integral part of Google's culture. And for good reason: notable 20 percent projects include Gmail, Google News, Google Talk, and AdSense. According to ex-employee Marissa Mayer, as many as half of Google's products originated from that 20% time.

At Hewlett-Packard, 3M, and Google, "many" of their best and most popular products come from the thin sliver of time they granted employees to work on whatever they wanted to. What does this mean? Should we all be goofing off more at work and experimenting with our own ideas? That's what the book The 20% Doctrine explores.

The 20% Doctrine: How tinkering, goofing off, and breaking the rules at work drive success in business

Closely related to 20% time is the Hack Day. Hack Days carve out a specific 24 hour timeframe from the schedule, encouraging large groups to come together to work collaboratively (or in friendly competition) during that period. Chad Dickerson instituted one of the first at Yahoo in 2005.

The Friday before, I had organized the first internal Hack Day at Yahoo! with the help of a loosely-organized band of people around the company. The “hack” designation for the day was a tip of the hat to hacker culture, but also a nod to the fact that we were trying to fix a system that didn’t work particularly well. The idea was really simple: all the engineers in our division were given the day off to build anything they wanted to build. The only rules were to build something in 24 hours and then show it at the end of the period. The basic structure of the event itself was inspired by what we had seen at small startups, but no one had attempted such an event at a large scale at an established company.

The first Yahoo! Hack Day was clearly a success. In a company that was struggling to innovate, about seventy prototypes appeared out of nowhere in a single 24-hour period and they were presented in a joyfully enthusiastic environment where people whooped and yelled and cheered. Sleep-deprived, t-shirt-clad developers stayed late at work on a Friday night to show prototypes they had built for no other reason than they wanted to build something. In his seminal book about open source software, The Cathedral and the Bazaar, Eric Raymond wrote: “Every good work of software starts by scratching a developer’s personal itch.” There clearly had been a lot of developer itching around Yahoo! but it took Hack Day to let them issue a collective cathartic scratch.

Atlassian's version, a quarterly ShipIt Day, also dates back to 2005. Interestingly, they also attempted to emulate Google's 20% time policy with mixed results.

Far and away, the biggest problem was scheduling time for 20% work. As one person put it, “Getting 20% time is incredibly difficult amongst all the pressure to deliver new features and bug fixes.” Atlassian has frequent product releases, so it is very hard for teams to schedule ‘down time’. Small teams in particular found it hard to afford time away from core product development. This wasn’t due to Team Leaders being harsh. It was often due to developers not wanting to increase the workload on their peers while they did 20% work. They like the products they are developing and are proud of their efforts. However, they don’t want to be seen as enjoying a privilege while others carry the workload.

I think there's enough of a track record of documented success that it's worth lobbying for something like Hack Days or 20% time wherever you work. But before you do, consider if you and your company are ready:

  1. Is there adequate slack in the schedule?

    You can't realistically achieve 20% time, or even a single measly hack day, if there's absolutely zero slack in the schedule. If everyone around you is working full-tilt boogie as hard as they can, all the time, that's … probably not healthy. Sure, everyone has crunch times now and then, but if your work environment feels like constant crunch time, you'll need to deal with that first. For ammunition, try Tom DeMarco's book Slack.

  2. Does daydreaming time matter?

    If anyone gets flak for not "looking busy", your company's work culture may not be able to support an initiative like this. There has to be buy-in at the pointy-haired-boss level that time spent thinking and daydreaming is a valid part of work. Daydreaming is not the antithesis of work; on the contrary, creative problem solving requires it.

  3. Is failure accepted?

    When given the freedom to "work on whatever you want", the powers that be have to really mean it for the work to matter. Mostly that means providing employees the unfettered freedom to fail miserably at their skunkworks projects, sans repercussion or judgment. Without failure, and lots of it, there can be no innovation, or true experimentation. The value of (quickly!) learning from failures and moving on is enormous.

  4. Is individual experimentation respected?

    If there isn't a healthy respect for individual experimentation versus the neverending pursuit of the Next Thing on the collective project task list, these initiatives are destined to fail. You have to truly believe, as a company, and as peers, that crucial innovations and improvements can come from everyone at the company at any time, in bottom-up fashion – they aren't delivered from on high at scheduled release intervals in the almighty Master Plan.

Having some official acknowledgement that time spent working on whatever you think will make things better around these here parts is not just tolerated – but encouraged – might go a long way towards making work feel a lot less like work.


The IPS LCD Revolution

When I wrote about TN LCD panels 5 years ago, I considered them acceptable, despite their overall mediocrity, mostly due to the massive price difference.

Unfortunately, the vast majority of LCDs on the market now are TN. You can opt to pay a little bit more for one of the few models with *VA – if there are any available in the size you want. *-IPS is widely considered the best all around LCD display technology, but it is rapidly being pushed into the vertical "pro" graphics designer market due to the big jump in price. It's usually not an option, unless you're willing to pay more than twice as much for a monitor.

But when the $499 iPad 3 delivers an amazingly high resolution IPS panel that's almost reference quality, I found myself a whole lot less satisfied with the 27" TN LCDs on my desktop. And on my laptop. And everywhere else in my life.

I'll spare you all the exposition and jump to the punchline. I am now the proud owner of three awesome high resolution (2560x1440) 27" IPS LCDs, and I paid less than a thousand dollars for all three of them.

[Image: Three Korean LCDs]

(If you're curious about the setup, I use Ergotron monitor arms to fit everything in there.)

I won't deny that it is a little weird, because everything is in Korean. I replaced the Korean 3 prong power cord in the power brick with a regular US power cord I had lying around. But a monitor is a monitor, and the IPS panel is stunning. The difference between TN and IPS is vast in every measurable dimension. No bad pixels on these three panels, either. Although, as my friend Scott Wasson of Tech Report fame says, "every pixel on a TN panel is a bad pixel".

How is this possible? You can thank Korea. All three of these monitors were ordered from Korean eBay vendors, where a great 27" IPS LCD goes for the equivalent of around $250 in local currency. They tack on $100 for profit and shipping to the USA, then they're in business. It's definitely a grey market, but something is clearly out of whack, because no domestic monitor of similar quality and size can be had for anything under $700.

I wanted to get this out there, because I'm not sure how long this grey market will last, and these monitors are truly incredible deals. Heck, it's worth it just to get out of the awful TN display ghetto most of us are stuck in. Scott Wasson got the exact same model of Korean LCD I did, and his thorough review concludes:

Even with those last couple of quirks uncovered, I still feel like I won this thing in a drawing or something. $337 for a display of this quality is absolutely worth it, in my view. You just need to keep your eyes open to the risks going into the transaction, risks I hope I've illustrated in the preceding paragraphs. In many ways, grabbing a monitor like this one on the cheap from eBay is the ultimate tinkerer's gambit. It's risky, but the payoff is huge: a combination of rainbow-driven eye-socket ecstasy and the satisfying knowledge that you paid less than half what you might pay elsewhere for the same experience.

There are literally dozens of variants of these Korean 27" LCDs, but the model I got is the FSM-270YG. Before you go rushing off to type ebay.com in your browser address bar, remember that these are bare-bones monitors being shipped from Korea. They work great, don't get me wrong, but they are the definition of no-frills:

  • Build quality is acceptable, but it's hardly Jony Ive Approved™.
  • These are glossy panels. Some other variants offer matte, if that's your bag.
  • They only support basic dual-link DVI inputs, and nothing, I mean nothing else.
  • There is no on-screen display. The only functional controls are power and brightness (this one caught me out; you must hold down the brightness adjustment for many, many seconds before you see a change.)

Although the noise-to-signal ratio is off the charts, it might be worth visiting the original overclock.net thread on these inexpensive Korean monitors. There's some great info buried in there, if you can manage to extract it from the chaos. And if you're looking for a teardown of this particular FSM-270YG model (minus the OSD, though), check out the TFT Central review.

In the past, I favored my wallet over my eyes, and chose TN. I now deeply regret that decision. But the tide is turning, and high quality IPS displays are no longer extortionately expensive, particularly if you buy them directly from Korea. Is it a little risky? Sure, but all signs point to the risk being fairly low.

In the end, I decided my eyes deserve better than TN. Maybe yours do too.


But You Did Not Persuade Me

One of my favorite movie scenes is from The Last King of Scotland, a dramatized "biography" of the megalomaniac dictator Idi Amin, as seen through the eyes of a fictional Scottish personal physician.

Idi Amin: I want you to tell me what to do!
Garrigan: You want ME to tell YOU what to do?
Amin: Yes, you are my advisor. You are the only one I can trust in here. You should have told me not to throw the Asians out, in the first place!
Garrigan: I DID!
Amin: But you did not persuade me, Nicholas. You did not persuade me!

If you haven't watched this movie yet, you should. It is amazing. (For trivia buffs, this is the video clip that prompted me to write YouTube vs. Fair Use. I eventually switched to hosting it locally using the HTML5 video tag.)

What I love about this tour de force of a scene – beyond the incredible acting – is that it illustrates just how powerful of a force persuasion really is. In the hands of a madman or demagogue, dangerously powerful. Hopefully you don't deal with too many insane dictators on a daily basis, but the reason this scene works so well is the unavoidable truth it exposes: to have any hope of influencing others, you must be able to persuade them.

Steve Yegge is as accomplished a software engineer as I can think of. I was amazed to hear him tell us repeatedly and at length on a podcast that the one thing every software engineer should know is not how to write amazing code, but how to market themselves and their project. What is marketing except persuasion?

Marc Hedlund, who founded Wesabe and is now the VP of Engineering at Etsy, thinks of himself not as a CEO or boss, but as the Lobbyist-in-Chief. I believe that could be re-written as Persuader-in-Chief with no loss of meaning or nuance.

I was recently asked how I run our development team. I said, “Well, basically I blog about something I think we should do, and if the blog post convinces the developers, they do it. If not, I lobby for it, and if that fails too, the idea falls on the floor. They need my approval to launch something, but that’s it. That’s as much ‘running things’ as I do, and most of the ideas come from other people at this point, not from me and my blog posts. I’ve argued against some of our most successful ideas, so it’s a good thing I don’t try to exert more control.”

I’m exaggerating somewhat; of course I haven’t blogged about all of our ideas yet. But I do think of myself as Lobbyist-in-Chief, and I have lots of good examples of cases where I failed to talk people into an idea and it didn’t happen as a result. One person I said this to asked, “So who holds the product vision, then?” and I replied, “Well, I guess I do,” but really that’s not right. We all do. The product is the result of the ideas that together we’ve agreed to pursue. I recruit people based on their interest in and enthusiasm about the ideas behind Wesabe, and then set them loose, and we all talk and listen constantly. That’s how it works — and believe it or not, it does work.

So how do we persuade? Primarily, I think, when we lead by example. Even if that means getting down on your knees and cleaning a toilet to show someone else how it's done. But maybe you're not a leader. Maybe you're just a lowly peon. Even as a peon, it's still possible to persuade your team and those around you. A commenter summarized this grassroots method of persuasion nicely:

  • His ideas were, on the whole, pretty good.
  • He worked mostly bottom-up rather than top-down.
  • He worked to gain the trust of others first by dogfooding his own recommendations before pushing them on others.
  • He was patient and waited for the wheels to turn.

Science and data are among the best ways to be objectively persuasive, but remember that data alone isn't the reductionist end of every single topic. Beware the 41 shades of blue pitfall.

Yes, it’s true that a team at Google couldn’t decide between two blues, so they’re testing 41 shades between each blue to see which one performs better. I had a recent debate over whether a border should be 3, 4 or 5 pixels wide, and was asked to prove my case. I can’t operate in an environment like that. I’ve grown tired of debating such minuscule design decisions. There are more exciting design problems in this world to tackle.

If I measure by click data alone, all Internet advertising should have breasts in it. Incorporate data, by all means. But you need to tell a bigger, grander, more inspiring story than that to be truly persuasive.

I re-read Letter from a Birmingham Jail every year because I believe it is the single best persuasive essay I've ever read. It is remarkably persuasive without ever resorting to anger, incivility, or invective. Read it now. But do more than just read; study it. How does it work? Why does it work? Does it cite any data? What techniques make this essay so incredibly compelling?


Nobody ever changed anything by remaining quiet, idly standing by, or blending into the faceless, voiceless masses. If you ever want to effect change, in your work, in your life, you must learn to persuade others.
