fred avolio's musings

“Never again spend all day talking about nothing that will never get made (sic). I want to do real things; to think about real stuff, for real people, who need real things done, and I want to feel great about my environment where I do it. If I am going to spend 10 hours a day there, I need to like [the people there] a lot… to have a culture that works. Money is the reason people say they leave a job, but culture is the reason that money becomes an issue.”

I was listening to the “43 Folders” podcast of Merlin Mann’s Time & Attention Talk at Rutgers. He was discussing the culture of meetings in different companies. As I listened I thought about a question someone had recently asked: what sorts of things are you looking for in a job?

When talking about job satisfaction and dissatisfaction, more than once I’ve had someone say, “That’s why they call it ‘work’ and not ‘vacation.'” While that sounds very clever, it does not address the other aspects of, and desires in, a job. I don’t know about you, but I am at the point in my life where benefits and salary are important, but they are second to having meaningful work to do and enjoying it, which includes the people, the environment, the culture, and the customer. Put another way, making a ton of money with fabulous benefits, producing wonderful and accurate reports that will sit on a shelf, sounds like Purgatory, if not Hell. (Granted, it beats doing all that for lousy pay.) Interesting and useful work trumps salary every time.

(Caveats: We need to eat. We need to be able to care for our health and that of our families. Sometimes, for a season, the most important thing is income. The economy could be so bad, and our particular skill set so out of step with what is needed, that we will do whatever we can to survive. I may be naïve, but I do hope that those times are rare.)

So, what does my perfect job look like, after things like working for and with an organization I can “get behind,” whose mission or purpose I can support and help advance? First, what Merlin described is a good start. Real challenges, real work, working with great people, for customers with real needs, who know they have them. I’ve been blessed with working with great people at every place I have worked, really, but that alone doesn’t offset “know-it-all” customers. Next, helping develop and guide others. This does not necessarily mean being a supervisor, though I have been very successful and satisfied doing that. Finally, the ability to work at home sometimes, is a great benefit.

I remember very well a recent job I had. I was a project manager leading an effort to assess the risks associated with an unbelievably large—really, unmeasurable—network. Further, we, the team, had an inkling that when we were done and the mathematics and statistical analyses were all proven, the final report would be put on a shelf. How did I keep from going crazy? I concentrated on the task at hand, certainly, but I also focused on the individuals on my team, helping them get through it, and preparing them for better work, better times. The result was sanity for me, the required “shelf-ware” for the satisfied customer, and—though not my goal—an excellent performance rating for me.

Looking at it from the other side, “Best jobs?” My top jobs—after my grad school assistantship—were working for DEC, working for TIS, and working for myself (Avolio Consulting).

DEC. Great people, challenging work, a lot of customers and sales people to bring together and for whom to provide “interpretive services” (we spoke “techie”). In my latter time at DEC, I was connected with developers and product managers in engineering, and the best group of peers in the field, worldwide. I was able to travel, had opportunities to teach, and earned a voice in the process of how and where the products went. I also supervised the best team of sales engineers I could ever imagine.

TIS. I was employee #78, or something. Small company, that I helped grow. “A fun place to work,” was a stated goal of Steve Walker, and it was. Again, I had the opportunity to grow in my influence, to mentor others, write, and speak. We had a great work environment, great corporate culture, and free lunch, coffee, and soft drinks. The people were great, and we still meet once a year for a reunion and party. I was influential in where the products and the company went.

Avolio Consulting.Great commute. No, just kidding, though I really liked that. Business was good, so I picked and chose my clients. The work was diverse: 1/3 consulting, 1/3 writing, and 1/3 teaching. The pay was great, but I reserved the right to give away
services when the client could not afford me and the challenge was interesting. (On my “Rates” page I quoted Sherlock Holmes in “The Problem of Thor Bridge”: “My professional charges are upon a fixed scale. I do not vary them, save when I remit them altogether.”)
I loved the varied work. I loved the ability to make decisions and set direction. It was wonderful working for “real people, who need real things done,” and solving real problems.

I notice something. In none of these did I mention “clearances,” or “commutes,” or “network and computer security” (or “information assurance“). Those things are secondary. They are particulars. In each of them, I did mention the same things that Merlin noted in his talk. I guess I agree with him. It may be different for you. I hope you find what you are looking for.

Previously, in one of the comments in this post about Evernote, I describe how I capture web pages to read later. This is especially important, because I do not always have access to the Internet. I want to download the webpage or document onto my iPod touch (in this case) and read it later, even without an Internet connection.

These are the steps I go through using Evernote.

1. See something, in Twitter, for example; click on the URL.
2. Click on “Email it”
3. Make the “To:” address be to “My Evernote” (whatever my address is to send it my Evernote account).
4. Open Evernote
5. In the new Note, click on the URL. (You still need a network connection for this, so far).
6. When the web page opens, click on the action button on the bottom right, and select “Clip to Evernote.”
7. When it is done, under Notes in Evernote you will the page clipped as “Clip:” followed by the URL. You may rename this and delete the original Note that only had the URL.
8. “Star” the note as a “Favorite,” and sync.
   

I stumbled upon Instapaper, “A simple tool to save web pages for reading later.” Like Evernote, it works on PCs, Macs, iPod touches, and iPhones. It really is simple. You use a “Read Later” Bookmark and it uploads the page you are viewing to your account on the web, to access later. Let’s do the same thing I suggested earlier, but this time with Instapaper.

1. See something, in Twitter, for example; click on the URL.
2. In Twitter, select “Open in Safari”
3. Click the bookmark “Instapaper: Read Later”
4. Open Instapaper app
   
5. When it syncs, you have it.
   

Obviously, fewer steps. The Instapaper interface is not as “pretty,” but it does format the web page for easier readability. You can chose to download images, or not, in the Instapaper “Settings.” (I am using the free—so, with advertisements—version.)

Earlier today, I “retweeted” David Strom, who pointed to this story: Woman’s Facebook Account Hacked, Friends Ripped Off. The short version is after the account was broken into, the bad-guy sent a message to all of her friends currently on-line. “The message sent to her friends was a desperate plea for cash. … ‘hey I’m in London I just got mugged, my phone, my credit card was stolen, please send money so I can get home.'”

My friend, Diane, replied to my repost on Facebook, and said, “That’s scary! Thanks for sharing!”

Let’s do more. What should you do? You should first take a deep breath. (No, not now! I mean, when you see such a plea purported to be from a friend.) It may be a real emergency, but that does not mean there is no time to think.

And that’s the next thing to do. Think. Is your friend really out of the country? Do you have her phone number? Can you phone her to check? Is she still on Facebook? Can you ask her to verify her identity?

That’s the third thing. Verify. If she is a friend, surely there is a way to do this that is not already in her profile on Facebook. If you cannot come up with a way to verify her identity, then she is probably not close enough of a friend for you to wire $1000 to her. (Remember, she didn’t say she was stuck in an Afghan prison, she said “London.” Not so bad, really. She can wait a bit. And if she says she is in an Afghan prison, don’t believe it. They do not have Internet-connected computers in the cells. At least I doubt it.) In fact, that is what the victim recommends in the news story.

Breath. Think. Verify.

I will always put a date on every report or document I produce, that is not going to get one added automatically. (E.g., blog entries and emails get a time stamp added; I don’t have to.)

I bet that literally half of the papers—white papers and other reports—I find on the Internet have no indication of when they were written. If I am looking for something on, let’s say, “Traffic Generation Systems,” (network test devices), and I find a paper “LARIAT: Lincoln Adaptable Real-time Information Assurance Testbed, I believe it would be nice to have, somewhere clearly visible, an indication of when it was written. I am not picking on the writers of this paper. As I said, probably half of the academic reports on the Internet suffer from a lack of a time stamp indicating when it was written.

Going back to my notes of things that I set aside to discuss or to comment on, I find a February 3 Computerworld article, Old security flaws still a major cause of breaches, says report. Its first line states “an over emphasis on tackling new and emerging security threats maybe causing companies to overlook older for more frequently exploited vulnerabilities, according to a recent report.” As I see it, the old but more common security threats—the old, but more common vulnerabilities—are less interesting, especially for newer security practitioners. Therefore, they get less serious attention.

The article makes some recommendations, including knowing your network assets. In other words, knowing what is is on your network, and knowing if it is behaving as you expect, will enhance your security posture.

I add the following:

• Know your network’s security posture. “Water seeks its own level.” Nowhere will it be higher than its lowest point. Or if you prefer, “a boat is only as strong as its weakest rower.” Network security is only as strong as its weakest component.
  
• Next, enforce existing security policies or remove them. Too many exceptions lower a network’s security posture and makes managing its security nearly impossible.
  
• If you are relying on reviewing log files, and associated port- and site-blocking as an important part of your network security, then you have already lost.
  

(I explain that last one in another post, The Never-ending Battle.)

I remember in the late 1950 and early 60s watching the television program “The Adventures of Superman.” In the famous opening credits, (“Look up in the sky! It’s a bird! It’s a plane! It’s Superman!”), the narrator goes on to say, “and who, disguised as Clark Kent, mild-mannered reporter for a great metropolitan newspaper, fights a never-ending battle for truth, justice, and the American way!” Superman had his never-ending battles and we have ours. One of those is relying on reviewing log files, and associated port- and site-blocking as an important part of your network security. (I bring this up in Old security flaws.)

I know of a large network installation, that is fairly secure, but does rely on port- and site-blocking. Recently, someone tried using a file-syncing service, called Dropbox. As it’s description says, “Dropbox allows you to sync your files online and across your computers automatically.” You know? One uses it instead of carrying around a thumb-drive. There is a web interface and applications on Windows, Mac OS X, and iphone/iPod touch.

Now, as one can imagine, it is against many corporation’s security policy. Why? Here is the picture. At one end is a home computer. That could be “secure enough.” At the other end is a work computer. Same story. In between is a web site, in this case, inbox.com’s web site. I am not suggesting that their server and service is insecure. I don’t know. Did you catch that? Those three words are very significant when we are discussing network security matters. You are extending your security perimeter to include a web site belonging to someone else, administered by someone else, and under the corporate (command) management of someone else. Three strikes.

Someone tried to use dropbox, and could between his home and the web site, and between his iPhone and the web site, but not between his desktop at work and dropbox.com website, neither by the web site, nor from the dropbox application program. To him, it was no big dea. He did not have a business need for it; he was just trying it out.

A few days later, he received an email from someone in the company IT department of his company, who asked what I was doing? The log files showed repeated attempts to connect to dropbox from his IP address! He asked what policy was it against, and he was pointed to a policy that talked about proprietary, sensitive, and “for official use only” information. That is a good policy, but it did not apply. There was no sensitive information involved.

He also told the person from IT, that he had successfully used SugarSync, a program that does the same exact thing on the same platforms. IT did not flag that or block that. It didn’t know about it. SHould it be blocked? What about EverNote? Similar attributes. Potentially, similar risks.

Do you see the problem? Either this sort of thing is permitted or it is not. It cannot be permitted when we do not know enough to block access to a site, but denied when we do. If we cannot affectively block it, we block it when we can and we create, publicize, and enforce a well-vetted policy. The policy plus enforcement is key. And by enforcement, I don’t just mean mitigation. I mean following through with consequences when the policy is ignored. And possible consequences will be spelled out in the policy as well. Otherwise you are involved in a never-ending battle.

Never produce or print a document of more than 3 pages without having page numbers. (The same for slides in a slide presentation.)

“Note to Self” in this blog will be just that. But, you can read them, too. They will always be short and I hope helpful to more than just me.

Texting and driving: a report on NPR’s “Morning Edition”. We need to make a law about this? Are we stupid? (Rhetorical. Rhetorical.)

It reminds me of that urban myth my brother-in-law shared with me years ago about a driver in motor home setting the cruise control, then slipping into the backseat for a beer.

I’ve used BibleReader for years, originally on the Palm handheld computer, and now on the iPod touch.
I like to follow a plan of reading through the Bible in a year. Originally, I followed a written (paper) plan, but then when I moved to an “all digital” experience, I wanted the information on my PDA. Years ago, someone wrote an add-on for BibleReader (I used on the Palm back then) that displayed a lower-case ‘d,’ and when you clicked on it, it showed a list of dates, and related verses, and little boxes to check off to keep track.

The newest version, version 4.11, not only keeps track of your readings, but also takes you there, and marks the beginning and end of the reading. Here is an example.

• Open Bible Reader.
• I like to write notes in a paper journal, so I next check to see what I am reading today, by selecting “Reading Plans” and “View Today’s Assignment.”
• I then go back to this screen and select Continue Reading.
• I read until I see “Done,” and select it.

BibleReader is available from Olive Tree Bible Software

It has been years since I published a list of Security Axioms on my web page. Note, I didn’t write “My” security axioms. They are old, probably timeless, and too-often forgotten.

Bill Murray, in his Thinking About Security blog mentions some that fit right in, in his post “Effective” Security.

Oops. meant “Facebook.”

Email messages about millions in contract money waiting to be paid to you for work you did years ago in Nigeria. Or an inheritance waiting for you because someone in Ghana heard about your Christian charity.

Most of us are smart enough to know that those are scams. (As I wrote in
Internet Safety, “No widow in some foreign country has heard of what a kind-hearted, trustworthy person you are, no matter how kind-hearted and trustworthy you are.” And, “Did you really do business in another country and forget that they still owed you $75,000?”)

They feed on our greed and on our pride, right?

Facebook applications like these are similar:

• “Who secretly thinks you are hot?”
  
• “Who has blocked you?”
  

The first one… well, it is obvious why that might get our attention. The second… I don’t know. What makes us interested in the answer to “Who secretly thinks I am an idiot, and talks behind my back?” Do you really want to know? No, I mean really?

Anyway, it doesn’t matter why. What matters it they do get attention. They are also prime candidates for applications that contain malware (things that trigger viruses, etc.).

My friends on Facebook should not take offense at this, but I do not add applications. I don’t trust those applications. Also, I’d rather interact with you on Facebook with words rather than snowballs, pumpkins, or whatever.

No one will listen, but I recommend going into your Facebook and removing any Application you don’t remember adding or whose purpose you don’t understand. (I mean, what could happen? No more stray cows in your corn?)

(I assume you know what phishing is. The Wikipedia definition of phishing is good.)