Why Marissa Mayer’s ban on remote working at Yahoo could backfire badly — Tech News and Analysis

Mathew Ingram at GigaOm wrote an article on Yahoo’s new policy on remote workers:

Not long after her arrival at Yahoo, new CEO Marissa Mayer started handing out carrots to her new employees, including new smartphones, free food and other Google-style amenities. Now she has brought out the stick: namely, a directive that employees are no longer allowed to work from home, something that is expected to affect as many as 500 Yahoos. Mayer’s move has its supporters, who argue that she is trying to repair Yahoo’s culture — but in doing so, she could be sending exactly the wrong message for a company that is trying to spur innovation after a decade of spinning its wheels.

The moment I first heard that Yahoo had proclaimed this policy I became angry. It does not impact me directly, but as a highly skilled and experienced IT Security and Networking professional now on the market I can say that Yahoo is no longer on my list of companies I’d care to work for. Here’s why.
About 15 years ago while I worked for EDS as a Network Security Administrator my marriage fell apart. Up until then I rarely if ever worked from home. With divorce looming I had sole custody of my two young kids. I had to work from home when they were sick or were off of school. At the same time my role at EDS changed to include firewall administration, demanding more of my time to cover on-call and odd support hours.
I was fortunate to report to managers who understood my situation and worked to help me. I worked with a great group of professionals who didn’t complain about my flexible work schedule. In fact we all worked together so everyone could have the same flexibility I had. How did I handle things? I became infamous for keeping sleeping bags, pillows, snacks, and toys for my kids in my cube. I don’t know how many nights I carried the two of them into the data center in the middle of the night, each slumped over a shoulder while I badged through the security doors. They slept on the floor swaddled in their sleeping bags, little heads resting on Disney-themed pillows, lullabied by the white noise.
When I interviewed with Magna I was very upfront about what I needed to do to take care of my kids and what I would do in return. They took me on without hesitation, and I always appreciated and respected the trust they placed in me. Similar to my days at EDS, the team at Magna embraced me and the flexibility I needed. I repaid my boss’ and team’s trust in many of the same ways I did at EDS, but there was one case that was above and beyond.
For reasons that escape my memory the IT staff in Europe all quit on the same day. The organization I worked for was very lean. There were no extra people around to help fill in while they hired new staff. I stepped up, waking between 03:00 and 04:00 Eastern time to support Europe until I had to get my kids ready for school. I’d drop them off (no bus service) and return to cover the rest of the European day and my normal work. I was caretaker of servers and services in addition to the network and security. I did this for almost 6 months from my basement, buying the European IT director time to hire some great team members.
When I moved into management my team earned with me the same opportunities and respect that I earned. With instant messaging and email, IP telephony and video conferencing, and cheap Internet-based VPNs back to the company they could do everything they needed to do from home that they could do from work. Yes, you cannot replace face-to-face interaction. But by the same token how much hallway and water cooler talk is mere friendly trivia?
I’ll leave how companies choose to handle working from home to what makes sense for them and their business. But I want the conversation rephrased to talk about working from home as a tool and not a benefit. It can help both the employer and the employee, and that can’t be taken lightly.
I sincerely hope Marissa Mayer reconsiders her decision. She’s closing a door on quality hard-working talent that will go elsewhere just at the time when she needs them in Yahoo.
via Why Marissa Mayer’s ban on remote working at Yahoo could backfire badly — Tech News and Analysis.

Published
Categorized as I84D

Move Over, APTs — The RAM-Based Advanced Volatile Threat Is Spinning Up Fast – Dark Reading

An Advanced Volatile Threat (AVT) is an attack that lives only in RAM, not in data or programs stored on the system’s disk. It’s fast, ephemeral, & hard to detect, according to the article:

And that concern, (John) Prisco (CEO of Triumfant) says, could drive more attackers to drop their APT strategies and turn to AVTs instead. “The AVT is going to be attractive to sophisticated attackers because it’s there, and it’s gone,” he says. AVTs take a bit more effort, Prisco observes, because they only work once, but attackers who are highly concerned about attribution will likely be willing to do the extra work.
Using an AVT is no guarantee against detection, DeMesy says. “Detection of advanced volatile attacks is extremely difficult, even when best practices are followed,” he says. “However, you may be able to detect what the attackers are trying to do. Internal honeypots are an excellent way to entice attackers to reveal their presence. Attackers employing advanced volatile attacks are looking to get in and out of a network quickly, bringing with them as much information as possible, so seemingly vulnerable targets, such as a honeypot, are a prime target.”

via Move Over, APTs — The RAM-Based Advanced Volatile Threat Is Spinning Up Fast – Dark Reading.


Malware on oil rig computers raises security fears – Houston Chronicle

This article from the Houston Chronicle highlights the need for layered security, including proper VLAN design to segregate & contain malware:

Malicious software unintentionally downloaded by offshore oil workers has incapacitated computer networks on some rigs and platforms, exposing gaps in security that could pose serious risks to people and the environment, cybersecurity professionals told the Houston Chronicle.
The worst-case scenario could be catastrophic: A malfunctioning rig and safety systems could cause a well blowout, explosion, oil spill and lost human lives, experts said.

The way the article reads it seems like these platforms have large flat LANs, where employees’ personal equipment is on the same network as the production equipment. I’m a fan of placing SCADA systems in their own VLAN with non-routable IP addressing, unreachable from the Internet and the rest of your local network. Place a physical firewall device between the SCADA LAN and the regular LAN, but lock that firewall down. Selectively open ports for maintenance and restrict them again when done. Monitor the heck out of the thing.
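One way to express that lock-down, as an added example that is not part of the original post or the article it quotes: an nftables ruleset for the firewall sitting between the corporate LAN and the SCADA VLAN. The interface names (corp0, scada0), the addresses and the Modbus/TCP example port are assumptions; maintenance openings go into a set with a timeout so they close themselves when the window ends.

```nft
# Constructed example: firewall between the corporate LAN (corp0, 10.10.0.0/16)
# and the SCADA VLAN (scada0, 192.168.100.0/24). Nothing crosses the boundary
# unless a rule below says so.
table inet scada_fw {
    # Time-limited maintenance allowances: corporate host . SCADA host . TCP port.
    # Grant one for a two-hour maintenance window with, for example,
    #   nft add element inet scada_fw maint_allow '{ 10.10.0.5 . 192.168.100.20 . 502 timeout 2h }'
    # The element, and the access it grants, disappears when the timer runs out,
    # so "restrict when done" does not depend on someone remembering to do it.
    set maint_allow {
        type ipv4_addr . ipv4_addr . inet_service
        flags timeout
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies belonging to sessions this firewall already accepted
        ct state established,related accept

        # Corporate -> SCADA: only granted maintenance sessions, each one logged
        iifname "corp0" oifname "scada0" ip saddr . ip daddr . tcp dport @maint_allow log prefix "scada-maint " accept

        # No rule lets the SCADA side initiate anything towards the corporate LAN.

        # Everything else trying to cross is counted, logged and dropped; that log
        # is where an infected laptop probing the control network shows up.
        counter log prefix "scada-deny " drop
    }
}
```

Load it with `nft -f` and review the `scada-deny` log lines as part of the routine monitoring the post calls for.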
InfoSec professionals, how would you handle this type of situation?
via Malware on oil rig computers raises security fears – Houston Chronicle.


The Determination of Idiots

It is hard to impossible to stop a determined idiot.
This axiom came to mind as I read the story of the man who leapt from a zoo’s train. His athletic jump cleared a sixteen foot tall protective fence and landed right in the pen of a Siberian tiger. The tiger attacked the man severely.
I’ve been trying to think of valid reasons why the man would do that. From the reports I read the man seemed intent upon clearing the safety fence, so this was no accident. He wasn’t trying to escape a giant space scorpion or an icky bug or a girlfriend he was trying to break up with. Even if he was trying to commit suicide I imagine there are ample other avenues available, avenues less elaborate and ultimately more effective. This seems to me more in the field of a frat prank or a dare or drunken misplaced determination or a desperate ploy to get famous.
I think the guy is an idiot. If one applies Hanlon’s Razor, i.e. “never attribute to malice that which is adequately explained by stupidity”, he’s an idiot. Even if he’s not, even if there’s a valid reason for this bizarre chain of events, let’s assume for the sake of this post that he is an idiot.
We’re left with an idiot that did, deliberately and with malice aforethought, jump into a Siberian tiger’s pen. The tiger did what tigers do: the man was mauled. The man was rescued by zoo staff.
I’m sure that some people read the stories and were appalled that a tiger would do such a thing. They might demand the animal’s destruction for daring to harm a Homo sapiens in such a blatant way.
Others might read that story and say, “How can we let people jump from a moving train over a 16-foot fence into a wild animal’s pen? We must implement laws and elaborate security systems to prevent this.”
The zoo did neither. The zoo’s director, Jim Breheny, handled the situation, in my humble opinion, appropriately based on the actual risk.
The Associated Press quoted Breheny as saying, “When someone is determined to do something harmful to themselves, it’s very hard to stop that. … The tiger did nothing wrong in this episode”.
The most telling part from both a risk management and incident handling perspective is the other statement from the Associated Press article I read: “Zoo officials said they would review safety procedures but stressed that the situation was unusual.” By the way, they’re not going to euthanize the tiger.
“We review everything, but we honestly think we provide a safe experience,” Breheny said in the Associated Press article. “And this is just an extraordinary occurrence. … Somebody was deliberately trying to endanger themselves.”
The lesson: don’t make more out of an isolated incident than is there. If the particular ingredients of a problem all range from unlikely to rare, then the response should be proportional. This isn’t to say that there aren’t lessons to be learned from every event. Rather, a rational and judicial
The corollary: given enough resources a determined person can defeat security measures. As my Dad said to me after my childhood home was broken into, “If someone wants to get in bad enough they’ll find a way”.
The same is true for determined idiots.

Penny Wise & Pound Foolish

No, this is not a Stephen King’s IT-related post.

The other day I took 100 bottles and cans to the local liquor store for a refund. Here in Michigan we pay a ten cent deposit on every soda pop, beer, and other beverage container. It has been this way for as long as I can remember. The deposit makes a difference. After having spent 5+ years in a no deposit state (Oklahoma), a $0.05 state (Connecticut), and the aforementioned ten cent Michigan, I follow the deposit refund options far more religiously in the Great Lakes State.

But that’s not the point of this post, either.

The point is that the other day I took 100 bottles and cans, some beer and some soda pop, to the local liquor store for a refund. That is $10 in a refund that I invariably spend on more soda pop and beer. I like high quality local breweries, so $10 will often not quite cover a six pack just in that. After having dropped the containers off the store employee in charge of returns, Robert, chased me down to admonish me for my containers.

The way the MI law is written, stores only have to accept containers that they sell. The stores with automatic return machines enforce this. That’s why I take mine back to this store – no machines policing the returns. The store itself offers a decent beer selection, albeit smaller and a little more expensive than the other stores where I shop. I always end up spending more in the store after a return run than the refund.

When Robert flagged me down and lectured me loudly in the store on how hard it is for him to get $0.10 on a bottle they don’t carry from the store’s distributor, I argued. Uninterested, he dug through every neatly packed bag (and I do rinse and orderly arrange things). After everything was reviewed only 12 bottles out of the 100 were questionable. Since I had in my hands two six packs of beer and one 12 pack of pop worth $23 before tax and deposit, Robert was arguing about 5% of my total spend with them on that trip, $1.20.

Again, Robert was not wrong. A store’s obligations under the program are laid out. While I argue that such limitations negatively impact the effectiveness of the law, the law is plainly written.

Nevertheless I put the $23 of stuff back on the shelf and walked out with $8.80 in deposits. I let Robert keep the extra bottles. I spent that $8.80 plus more at another store. That was a loss of $31.80 (the $23 I was going to buy plus the deposit I was entitled to) instead of $21.80 in sales (presuming the store had to eat the $1.20).

Since I was treated so poorly I later returned another 27 containers for cash at that store on my way to another store where I spent $23 in more of the same. That’s over $50 lost for the sake of $1.20. Once I exceed $120 I will talk with the owners.

For me I spent next to nothing on the extra fuel since the other options are less than a mile away. I saved about $1.50 on my purchases.

This illustrates “Penny Wise & Pound Foolish” very well.

I would be a fool if I didn’t cast a critical eye on myself. What have I done that, in retrospect, was penny wise & pound foolish?

At work the big thing that leapt out at me, fit for public consumption, was being so far behind on my expense reports. It always takes more time to complete them the longer it takes me to do them. It takes money out of my pocket both in covering the expense in a timely fashion as well as in any late charges that I have to absorb.

At home I just went through a big refresh in various parts of my life, so it is too early to tell there.

“Penny Wise & Pound Foolish” is another way of describing the Law of Unintended Consequences. How much time and effort would it cost to ask “What happens if …?” before making a decision?


Retail: The Joys and the Sorrows

My professional career started in retail. Specifically, I started in food service. I was a fill in for three weeks, then discarded.

I then went to Best Buy. I quickly climbed the ladder there in the computer department from part time sales associate to department manager.

I left Best Buy for personal reasons, then found myself back at the same store one year later. I was hired back in as a sales associate. Two weeks later I was promoted to assistant supervisor. Two months later I was promoted to supervisor. I was moved from department to department where I was needed. Eight months later I was promoted to manager.

I did the manager thing until I found myself at the top of a step ladder during the Christmas shopping season directing people to the 14 or so checkout lanes we had running. My department, the cashiers and customer service, processed well over a million dollars worth of transactions that December of ‘96. From atop my perch I herded the customers like cattle, each into their own financial abattoir. I dealt with people returning new-from-the-factory computers with bricks in them, people with electronics infested with insects and vermin, people with equipment we never sold demanding we provide them with satisfaction.

By January, the return season, I had quit and moved my family to Michigan. That story is one for another day.

Sitting in the Apple store in Troy, Michigan today I was reminded why I hated working in retail. It’s loud. It’s crowded. Customers are crazy. At least Apple has incredible margins that PCs don’t have.

The retail plus was the immediacy of the numbers. You didn’t have to wait for month’s end to see how you were doing. You didn’t have to wait for the end of the week. Every morning a fresh set of numbers was ready to greet you on your previous day’s performance. You knew about that day in the week’s context, the month’s, the year’s, and the previous year’s day.

As a supervisor or manager, it meant that you could immediately adjust your approach, and your team’s, to the numbers. That was also the drawback if you only relied on the numbers.

The numbers wouldn’t tell you that the University of Oklahoma was in a crucial game, keeping attendance down. The numbers wouldn’t tell you there was an ice storm last year. The numbers wouldn’t account for half the staff laid up with the flu.

The numbers certainly weren’t forgiving in cases of fraud or outright theft. That was what the twice-annual inventory audits were for. Back in the day there was a department supervisor taking tens of thousands of dollars of gear out the back door. As is often the case with thieves, the supervisor got greedy and took enough to get noticed. Even though that person was prosecuted to the full extent of the law, store management was held responsible for the loss, or shrinkage.

There are things that I miss from my retail days, but they are few. I am still extremely happy not to be in that space any more.

Have you worked in retail or still do? What do you like or miss about retail?
