Do Your Updates, Part II

Firstly: a new Apple iOS update is out for phones/pads/Macs, and you want to take it *as soon as possible*. Not only does it fix a zero day, that zero day is under active exploit. This means that a problem was identified before a fix existed (zero days to fix) and professionals are already abusing it (under active exploit). Granted, the typical targets of these things are journalists, government officials, etc., but also folks working at corporate offices. Maybe even you.

One of the questions I have fielded since Do Your Updates is best distilled as “why can’t developers do it perfectly the first time?”. Aside from the unrealistic expectation that an engineer not be human, there are a few reasons for this.

  1. The biggest vulnerability in any system *is the humans*, and it’s not just the humans building the system, it’s the humans *using* the system. Phishing and social engineering: those emails asking you to click a link urgently, or telling you “here’s your PayPal receipt” for a transaction of several hundred dollars (designed to make you panic), are phishing. Social engineering is more like the person calling you on the phone saying they’re from Chase to verify recent fraudulent activity and asking you for things like your passcode, or to read back a 2FA code. These methods rely on the target feeling *vulnerable* and on a sense of urgency.
  2. Code evolves and so does technology. There was a time when a very strong password was sufficient to guard your stuff — but then we had data breaches. So then we added 2FA (two-factor authentication, e.g., when you get a text with a code to complete your login) — but then we had SIM swapping. So then we added MFA (multi-factor authentication), physical YubiKeys, etc. etc. — for each fine cat, a fine rat: engineers on the malicious side are not resting, so engineers on the corporate side cannot, either.
  3. We talked about packages and post-deployment vulnerabilities in Do Your Updates. That is still a thing.
  4. There are *a lot* of ways an attacker can poke at the platform or the code:
    • They can type things into form text boxes (e.g., the box in which you give your feedback on a thing) that break out of the expected form contents and reach the database in which those contents are stored (this goes by a variety of terms and has a variety of methods, one of which is called SQL Injection, and it was the first thing I learned about cybersecurity, aside from “never share your password”, back in 2002).
    • They can do something called a “brute force” attack, which is just like it sounds: employing a variety of clients to just pound the ever-loving crap out of any intake on a site to force it to give up/let you in. (When the aim is simply to take the site down, that’s a DDoS: distributed denial of service.) 2FA helps with this, but so does throttling (making it so that only so many requests are allowed before it locks you out), or CAPTCHA/reCAPTCHA. Except now AI can pick out all the parts that are a “motorcycle” in the image, even if you can’t. And so now engineers have to figure out the difference between a less tech-savvy person reaching for their paper-written passwords and typing those carefully but incorrectly into the little box, vs. a bot doing the same.
    • They can code up sites that *look* like the site you want to go to, and the URL even looks like the site you want to go to — except maybe instead of an “O” it’s a “0” in the site name. You go to the site that looks legit, because the attacker has scraped/copied the design from the legitimate site, and you type your login as always. Because it’s not the real site, it tells you “oh gosh, we need to verify it’s you, please type in the 2FA code”, and instead of sending that code to the real site and doing a real authentication, you are providing that code to the attacker so they can go log in as you.
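As an added example (mine, not code from the original post) of the first two items in that list: a login handler that pastes the text box straight into its SQL, next to the parameterized version with per-account throttling. The in-memory user table, the “bobbie” account and its password are constructed for the demo.

```python
import hashlib
import sqlite3
import time
from collections import defaultdict, deque

MAX_FAILURES = 5       # failed attempts allowed per account...
WINDOW_SECONDS = 900   # ...within this window before further attempts are refused


def pw_hash(password: str) -> str:
    # Demo stand-in only: a real login stores a slow, salted hash (argon2, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table; "bobbie" and its password are hypothetical.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)", ("bobbie", pw_hash("correct horse")))
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    # The text box contents are pasted straight into the SQL. A quote mark in the
    # username ends the string early and "--" turns the rest of the statement,
    # including the password check, into a comment.
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{pw_hash(password)}'")
    return con.execute(query).fetchone() is not None


class Throttle:
    """Sliding-window count of failed logins per username (the post's 'throttling')."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)

    def locked(self, username: str) -> bool:
        now = self.clock()
        recent = self.failures[username]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()           # forget failures that fell out of the window
        return len(recent) >= MAX_FAILURES

    def record_failure(self, username: str) -> None:
        self.failures[username].append(self.clock())


def login_hardened(con: sqlite3.Connection, throttle: Throttle,
                   username: str, password: str) -> str:
    """Return 'ok', 'denied' or 'locked'."""
    if throttle.locked(username):
        return "locked"              # too many recent failures: don't even check
    # Parameterized query: the driver hands username and hash to SQLite as data,
    # so quotes and comment markers in the input stay literal characters.
    row = con.execute(
        "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    if row is None:
        throttle.record_failure(username)
        return "denied"
    return "ok"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, wrong password, crafted username:",
          login_vulnerable(con, "bobbie' --", "wrong"))          # True: check bypassed
    t = Throttle()
    print("hardened, same input:", login_hardened(con, t, "bobbie' --", "wrong"))  # denied
```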

AI is also not going to solve our security problems — it will make them harder (malicious folks have access to AI, too) — but it can help. AI can be used to detect anomalies faster (in most cases you don’t have to tell your bank you are traveling, as it employs AI to figure out whether or not that was you booking a 7-night trip to Cancun), or even to predict patterns for exploits. When it does, it will not be replacing the engineer or even making what the engineer does perfect. This dance does not end.

So do your updates.

Burner

I recently had the opportunity to travel internationally, and to test a few things. Namely, using a “burner” phone.

To be super clear: it is very hard to do this perfectly and I did not do it perfectly. We’ll discuss some hypotheticals further down, but I felt the need to start with that. This was a test, it was only a test, and it went pretty much how one could expect it to.

Why

There’s a lot of discourse in the media about phone confiscation, personal privacy, etc.; it shows up in articles about journalists being issued “burner phones” or in advice to acquire one yourself before international travel. I wanted to see, firstly, how that would work and, secondly, frankly, whether I would actually need it. I am not the target demographic for the sort of privacy harassment (yet?) that would require a burner phone (I am not a journalist and I hold no real position of power), so the likelihood that I was going to have to hand over my phone to a Cellebrite was small, but not zero. How painful, then, would a burner phone experience be?

Who

This phone was just for me, in my private travel, to talk with about ten people in two countries. The number, once acquired (see “How”), was shared with those people via WhatsApp and/or Signal. The phone wasn’t used by anyone else during this period.

When

The actual phone was acquired about 3 weeks before my trip which, with life being as busy as it is, did not leave me much time to set up the necessary infrastructure. The plan was to have it set up pre-trip, test it a bit, and then evaluate it for the trip.

How

There are the “right” ways to do this for “ultimate privacy” (and I put that in scare quotes for a reason) and then there are the “okay” ways to do this for like 80% of scenarios, and I went with that one. Firstly, you have to acquire a phone. You could, for example, revive an old one of yours or a family member’s, or purchase one off of Swappa. I did the former, but for “perfect” you would ideally do a cash deal off-record for someone else’s phone. Once you have the phone, you need to put it on a phone plan. You could, in theory, get a prepaid phone plan through a different carrier, and in some cases they don’t actually require an ID (as long as you’re paying with cash and/or a prepaid Visa card), but note that everything, on some level, is traceable. There are cameras at the phone store, there’s call recording at the wireless provider, etc. I didn’t bother with that; I just added it to my current plan.

I will note here that adding a phone to your plan immediately gives it some tether to you. The phone, when added to my plan, got “my name”, and anyone with a warrant, or really good phishing, could probably divine that this “Bobbie Conti” on the burner’s line is related to that “Bobbie Conti” on the main line of the same plan. They can also then probably get that other phone number, and my address, which in turn means they would already know quite a bit about me. BUT, the *phone itself* doesn’t impart all of that – in order to get there you need to do that “hop”, and either that warrant or that phish. Moving on…

If you have an Apple phone – and for security reasons I prefer them – you will want an iCloud account, so you can load apps and suchlike. For that, you need at least an email address. For a Google email address, they like it if you have a backup email and a phone number for 2FA. So the phone comes first, but where do you get the second email address? Proton Mail. Armed with my new Proton Mail address, and then my phone number, I got a Gmail account and wired that all up to the burner. Great! I now have a phone, with the ability to load apps, text, etc., that on the surface level isn’t “me”.

A really, really driven person would have gone to a public forum of some kind (e.g., Best Buy when busy, using their demo machines) and used their computer to set up the Proton Mail account, then gone to a second one several miles away to set up the Gmail account, and so forth. I did none of that, but I did use a VPN on the machine I set them up with. That said, Google almost certainly was able to figure out it was me, since the machine I logged in from was the same machine I use for my personal Gmail (note: my Gmail is my spam hole and I do not use it for anything important).

From here I did some final tweaking and followed some basic principles:

  • I removed location services from all the things – including even weather.
  • I deleted a bunch of apps I did not need.
  • I installed Signal. Yes, WhatsApp was on there, too, but if one has to choose, one chooses Signal.
  • I did NOT load up any other accounts (emails, etc.), and absolutely did not tether any cards/payment forms to the phone.
  • I brought my own chargers, charging cables, etc. and never hooked up to public USB, nor to any Bluetooth.

This left me with a phone I could use to search the internet (DuckDuckGo for the win), send texts/Signals/WhatsApps, and… that’s about it.

A truly driven person would probably purchase, with cash, some Visa gift cards, load those up in the “wallet”, would add in one or more VPNs, and would almost certainly not have used WhatsApp. I know what they say about WhatsApp being private. However, WhatsApp *can* read your texts if a recipient requests them to, e.g., if you’re getting reported for fraud or abuse. If they can do that under that circumstance, they can certainly do it under others. Additionally, WhatsApp shares data with other Meta products, so if you are traveling with others who use those, then between proximity tracking (and more if those folks are your friends and are taking pictures you may be in, *tagged or otherwise*), it’s not much for them to figure it out.

What

What happened was an exercise in frustration for me, and not much else.

Not having access to “tap to pay”, location services (hello, maps!), etc. meant a worse experience than the one I could have had with my own phone. Instead I relied on others and/or visual directions, and on physically pulling out my card to tap it. It also meant I wasn’t getting health tracking benefits, etc. If I had been on a trip by myself and not with friends, the maps/location piece would have absolutely driven me nuts.

The phone itself received generic text message phishing (in this case offering a job), allowed me to text the group I was in, and that was about it. There was no case in which it was compromised, invaded, etc., and there was no indication that someone or something actually cared about it (other than me). It’s hard to prove a negative, and as I said earlier, I’m not that important :).

The final curiosity was to see whether it would get plugged into the aforementioned Cellebrite on the return trip, and… it wasn’t. Not a hint of it. In theory, an Apple phone equipped with Signal and not voluntarily unlocked is fairly “protected” (thus far) from Cellebrite forensics, but nothing lasts forever, and I would imagine that Cellebrite, having preemptively declared victory in the past only to have to walk back their words, would in future not advertise a capability until proven. Still, the plan had been to see if any of the account information stored on the phone (the new emails, etc.) would show up elsewhere post-plug-in.

Addenda

You could fit the “what ifs” and caveats in this scenario into a small football stadium.

If the concern is a government acquiring the data to do things with it (whatever one might imagine those things to be), then it should be noted that so much of our data is available to JUST ANYONE at any time that it’s scary. With a first name and last name, you can search court records, find addresses, see property tax records, etc. With a social security number (which, erm, the gov’t gives you), you can run a credit report, know where someone is banked, and (if again you are said government) know their income and income streams. The things the government would (purportedly) need a warrant for would be specific financial transaction information, and possibly what calls were made at what time and to whom and for how long. If one is to believe the news of the early oughts, the NSA is already listening in anyway. What is left, then, is texts to/from the device itself, the contents of which both you and the person you texted have; and either can be compelled via warrant.

The other concern is non-government entities, or government entities that are not your own, and in my case, again, I’m not that important :). I would imagine the same holes in the process apply to those, if not more. I also generally subscribe to the notion that one should not say out loud anything one is not willing to defend in court or another public forum.

The core scenarios in which we hear about burner phones (e.g., journalists) are different from mine – I don’t imagine journalists using tap to pay from a burner phone in the middle of a war zone, and I don’t imagine foreign officials using said burner phone to send sensitive messages (or if so, I imagine some sort of Mission Impossible self-destruct smoke thing happening). For their sakes I hope it works, but my own scenario is nothing so dire.

One should remember the name here, too: a burner phone is so named because when it ceases to be useful and/or is compromised, you burn it; the real purpose of a burner is to get a message from point A to point B and then discard it, hopefully with no traceability back to your thumbs.

You can donate to Signal here.

You can donate to Reporters without Borders here.

Do your updates.

Usually I try to figure out a pithy title as a draw, but for the love of whichever entities you respect and/or follow, please do your software updates. Specifically do your platform updates: on your iPhones/Pads/Macs, on your Windows machines. Update your apps. When the little red notification comes on, do not ignore it, just do it.

How to Update

(If you have other devices/platforms just use your handy dandy search engine — I use Duck Duck Go — to identify how to get your updates in a timely fashion. Bonus points if you set it up to automatically do it.)

Why Update

There are some who believe the updates are for feature funsies: e.g., if I update my phone I will get the new AI this or the new UI that. This is true; for most “regular” updates there are some feature releases and you get to read all about those (and decide if you like that or not). There are also “bug fixes”. I feel like this does a disservice to what those fixes are: if I think of a “bug” I think of “annoying thing that happens”, I do not think of “wide open gaping hole for bad actors to waltz in through”.

Your platform updates often include security patches. These patches are, for the most part, NOT because the engineers made a mistake when crafting the platform; rather, they relied on packaged convenience libraries to do some standardized work and *it is those libraries* that have problems. Think of it like this: the engineers baked the cake, but the problem was hidden in the flour they used; it would not have been visible when they baked the cake, and someone found out the flour had something in it long after the cake was baked.

This happens *all the time*. There are thousands, probably millions of little packed-up conveniences in the software world, because writing something *from scratch* takes a very long time and it’s kind of silly if someone has already done it (and done it so well that All the Other Kids are Using It). When a vulnerability is discovered in a package, it is given a CVE number (Common Vulnerabilities and Exposures) and a detailed write-up on what the vulnerability is, where it is, and oftentimes suggestions on how to fix it. Companies worldwide use MITRE’s CVE database to understand what and where those vulnerabilities are, and how to fix them, so they can iteratively update their software and further secure it. Vulnerabilities are discovered by engineers around the world, sometimes on their own time and sometimes on their company’s time; they are written up and shared with package users to make sure they get fixed.

How Bad Can it Be?

A vulnerability or exposure has roughly four levels of severity: low, medium, high, and critical. YOU as the consumer don’t really know which basket of vulnerabilities is addressed in “bug fixes”, but the company you depend on does: high and critical vulnerabilities, and addressing them, are often why you get off-cycle security patches (ever had an update on your phone that seemed awfully soon after the last one?). These vulnerabilities are “publicly disclosed”, meaning their existence and how they can be exploited is also disclosed. The analogy here is: there’s a catalogue of all the barn doors that are unlocked in your area, and anyone who uses those barns should be aware of that, and the barn owners should be aware of that, so the barn owner can lock the door. This also means that bad actors (who, let’s face it, are probably serially trying all the barn doors through the area anyway) who are lazy and did not do their homework now have a legit directory of which barns are probably unlocked.

Hence the haste.

These vulnerabilities are discovered and there is a Very Short Window in which the companies that use them can get a heads up on fixing them and getting those fixes out before they show up in the public discourse. (Meaning, the CVE doesn’t show up formally in the MITRE database until such time as the organizations and libraries dependent on fixing it have at least had a *chance* to fix it.) This means that the original discoverer(s) of the exploit know how to break in, but it isn’t available for everyone else to see: that happens after (theoretically) everything has been fixed.

“Everything has been fixed”, in this case, means that your software has been patched and updated, *or you have been asked to do an update*.

The longer you wait, the more exposed you are.

Modern convenience often comes with modern inconvenience: we have computers that are smaller than our hand that literally tether to all global knowledge; they help us stay in communication with others and they help us track our lives and livelihoods. They also are fragile and need care and feeding, and it can be easy to defer that in light of convenience (“oh, I won’t do the update now because it will take too long, I’ll wait until ‘later’”). Please. Don’t wait until “later”.

Security

It’s important to understand that the personal security space – that is, how you lock down your stuff – is a constant game of whack-a-mole. “For each fine cat, a fine rat” – as you close down some things, enterprising bad actors will find new ways in. Your very best option is to approach it as defense in depth, using multiple interventions to make it harder for them. Think of it like Swiss cheese slices: a single slice of Swiss cheese has many holes. Putting one slice of Swiss cheese on another covers some holes but not others. Stacking a bunch of slices of Swiss cheese closes more holes still.

This is a compilation of what I recommend for individuals and their (mostly cyber) security. A second post on Privacy is forthcoming.

First, let’s get some terminology straight:

  • Security is the ability to ensure that we have Authentication and Authorization (AuthN and AuthZ). 
    • Authentication = we can verify you are really you. Examples are when you use a password and then get a code to your phone you have to enter, or have a PIN code to use, or a passphrase.
    • Authorization = once we know you are you, are you even allowed to be here and what are you allowed to do? For example, you can authenticate into your bank website as you, but you are not authorized to see anyone else’s stuff.
  • Privacy is the ability to ensure that ONLY authorized people get to see personal information (also known as PII, or Personally Identifiable Information), and the person doing that authorization is the owner of the data (namely, you).

Security Basics

The reality is there are a variety of different ways to secure things, and they are not employed consistently – so for example some sites have you authenticate using your email, others require you to create a username. Some will send your second factor of authentication ONLY to a phone text, others will do email, still others will require or support an authentication app on your phone (and yet others will allow you to use a physical USB key you carry around with you). There are also “passkeys”, where a unique key pair is generated for the site: the private half stays on your device and the public half is stored on the site’s server, so unless someone has you, your device, and that website, they can’t get in as you.

That said, there are some standardized ways to keep your stuff secure (or more secure):

  • Do not re-use passwords. I know, it’s tempting. But all it takes is someone getting ahold of one email/password combination, and they can feed that into a program and have it try a million different places to see what else they can get into. There are password vaults that will create unique strong passwords for your sites, or you can use a pattern (a friend of mine uses album names and song names).
  • Regularly update your passwords. Passwords get leaked and stolen and bought.
  • Use a password vault. I use Bitwarden. Much like Apple’s Passwords, it will securely house your passwords, passkeys, etc. and will also tell you if that password is reused anywhere, and if it has been found on the dark web (where passwords are bought and sold).
  • If you can use an authentication app, do so. It gets rid of the vulnerability that may happen if someone has access to your texts or emails.
  • Especially for banking stuff: you can set your communication preferences to tell you if a transaction more than $x has happened, or if someone has logged into your account.
  • Don’t click links in a text and be equally careful of links in email. If you get a “text” from GoodToGo, or your bank, or whatever, instead go directly to the website you know is theirs, and log in as you. If you don’t recognize the number, or if when you hover over the email “name” it’s an entirely different address (or the formatting is off, or there are misspellings, wonky grammar, or an inflated sense of urgency), do not click.
  • Have a separate email account for your banking/super important stuff, and your “shopping/etc” stuff. Online retailers can and often do sell your data and/or exploit cookie allowance for that purpose, so separate your concerns.
  • Do your security updates regularly: most of the iPhone updates you get (iPad, Mac, Windows, etc.) include a poop-ton of security patches and fixes, and the longer you take to do your updates the longer you are leaving your barn doors open.
  • If you get a “here’s your code for logging in” *and you didn’t log in*, go to the website (open a fresh browser page and go there, don’t click on any links in the mail just in case), log in, see if anything has been messed with (especially for a bank account), *change the password immediately*, and notify the site owner via the site or the phone number on the site that you got a 2FA notification you did not ask for. Work with the site’s fraud department to address anything weird.
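As an added illustration (mine, not code from the post) of the look-alike-site bullet in Part II above and the “Don’t click links” bullet in this list: a small checker that flags the three tells the post names (a display name that doesn’t match the real address, a link host that only matches after swapping “0” for “O” and similar, and urgency language), run over two constructed messages for a hypothetical bank at coastalbank.example. The heuristics are deliberately crude (last two labels as the domain, a short swap table) and are not a real mail filter.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Character swaps that make a domain look right at a glance: "0" for "o" as in the
# post, plus a few other common ones. Constructed list, not exhaustive.
LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Phrases that manufacture the "inflated sense of urgency" the post warns about.
URGENCY = ("urgent", "immediately", "suspended", "verify now", "within 24 hours")

# Constructed sample traffic for a hypothetical bank whose real domain is known.
KNOWN_DOMAINS = ["coastalbank.example"]
PHISH_FROM = '"Coastal Bank Security" <alerts@coastal-bank-verify.example>'
PHISH_BODY = ("Your account will be suspended. Verify now: "
              "https://login.c0astalbank.example/verify")
LEGIT_FROM = "Coastal Bank <alerts@coastalbank.example>"
LEGIT_BODY = "Your statement is ready at https://www.coastalbank.example/statements"


def registered_domain(host: str) -> str:
    """Crude registrable-domain guess: the last two labels ('coastalbank.example')."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def unmask(domain: str) -> str:
    """Undo the look-alike swaps so 'c0astalbank' compares equal to 'coastalbank'."""
    out = domain.lower()
    for fake, real in LOOKALIKES.items():
        out = out.replace(fake, real)
    return out


def check_message(from_header: str, body: str, known_domains) -> list:
    """Return human-readable findings; an empty list means nothing tripped."""
    findings = []
    display, address = parseaddr(from_header)
    sender = registered_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""
    squashed = re.sub(r"[\s\-_.]", "", display.lower())   # "Coastal Bank" -> "coastalbank"

    for known in known_domains:
        brand = known.split(".")[0]
        # 1. The display name claims the brand but the address behind it is elsewhere.
        if brand in squashed and sender != known:
            findings.append(f"display name '{display}' but mail is from {sender}")

    # 2. Links whose host only matches a known domain after undoing character swaps.
    for url in re.findall(r"https?://[^\s<>]+", body):
        host = urlparse(url.rstrip(".,;)")).hostname or ""
        reg = registered_domain(host)
        for known in known_domains:
            if reg != known and unmask(reg) == known:
                findings.append(f"link host {host} imitates {known}")

    # 3. Pressure language.
    hits = [p for p in URGENCY if p in body.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for line in check_message(PHISH_FROM, PHISH_BODY, KNOWN_DOMAINS):
        print("suspicious:", line)
    print("legit findings:", check_message(LEGIT_FROM, LEGIT_BODY, KNOWN_DOMAINS))
```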

Secure your Credit and Identity

There are other things you should do to secure your credit and your information:

  • Freeze your credit with all three agencies (prevents anyone from using your data to open new credit lines/cards). Those three are Equifax, Experian, and TransUnion.
  • If you suspect your identity has been compromised and that someone is trying to or has used your social security information fraudulently, go to identitytheft.gov to report it and further lock down your information.

There are also subscription services you can use to monitor your credit and your identity for potential theft: oftentimes when you are notified of a data breach, the legal requirement is, at minimum, that the breached party offer you this monitoring for one year for free.

Securing your Networks and Devices

As we all know by now, all incognito mode spares you is someone identifying which pages you’ve visited when you lend them your browser — it doesn’t shield your internet provider from seeing them, or even your router. You’ll want to lock down who can see what.

  • Use a VPN where you can – VPN stands for Virtual Private Network and it means that from your machine to the machine your machine is talking to (‘cos the internet’s a series of tubes), the “tube” is locked on either end. More to the point, your cellular service, internet service provider, etc. do not get to see what you’re looking at or what you’re doing.
  • Avoid using Free Wifi, or make sure to use a VPN if/when you do. Remember that if something is “free”, you are the product.
  • Use USB condoms wherever you can. Those “free chargers” are not really free and can be infected with junk; USB condoms short the two data pins of a USB connection together so the device sees a charge-only port and only power gets through. You’re better off bringing your own charging block, though.
  • Secure your router – change the default passwords to strong ones (the admin password and the Wi-Fi password, each). Enable encryption (WPA2 or WPA3), and make sure you apply the security patches for the router firmware.
  • If you have “Smart anything” in your home: put it on a separate network from your computers/phones that you bank/do business on; make sure all the Smart gadgets have *separate passwords* (your Smart TV and your Smart Fridge should have different passwords, for example).

Next Up: Privacy.

Ephemeral

Every morning I open up a book of 3000 Sudoku puzzles and task away at one or more with my morning coffee. Unlike online sudoku, because it’s in a book, there is no feedback system for if I write a wrong number in a wrong slot. This means I can merrily make the wrong decision and go trotting down the 9×9 squares getting *everything wrong*, sometimes for a good chunk of the puzzle (more than 50%), before realizing I made a wrong choice *somewhere* previously and have to erase and start over.

Of course, I don’t have to actually erase and start over. I could strategically walk through every number choice, working painfully through the puzzle and pseudo-marking the *right* choices in an attempt to disambiguate them from an *unproven/wrong* choice, effectively re-working the puzzle but with a lot more noise. OR I can pull out my trusty Pentel Eraser and just axe the whole thing, with the faintest traces left on the page, and start (mostly) fresh.

There are pros and cons to each approach: the painstaking way forces me to find very, very specifically where I chose wrong, but it takes longer and is prone to confusion from previous choices. The quicker way gets me to the overall solution faster but means re-applying numbers that were good in the first place. Either way I’m giving something up: time, or effort.

One way is not “better than” the other, in the sense that sometimes wholesale erasure and restarting is important (in the case of Sudoku, this can be when you are on a fixed timeline and you have to Go Do A Thing shortly and you want the puzzle Done before you Go Do The Thing and you’ll take your lesson later) and sometimes strategic walk through is important (in the case of Sudoku, this can be when you are making the same mistake over and over and need to figure out *why*). (The very worst approach is to start off the painstaking way, decide it’s too hard, and then erase — you’ve wasted time and aren’t getting the benefit of the investment).

What is true in both cases is the problem is ephemeral and can be solved: I just have to choose my method and then stick with it. I’ve already sunk the cost of my initial investment in the puzzle, and if I choose to parse through the individual choices to find *why*, or if I choose to erase and start over, nothing is bringing back that initial time investment.

With Sudoku, I almost always choose the “erase and start fresh” method, for two reasons: I typically don’t have enough time in the morning to re-parse through my choices, and, it’s of dubious benefit if I do: the fact that there are 3,000 *different* Sudoku puzzles in this book alone tells me that parsing through my wrong choice in *this one* will probably not tell me anything useful for the next one, on a per-puzzle basis. Per this article I get about 5.5 billion combinations and that is more than I will ever do in my lifetime (I have roughly 40-45 years left and if I did 5 a day every day for that period I have maybe 82 thousand puzzles left to do). (Hyperbole: I’d have to do about 335k puzzles/day to get them all done before I die. #goals).

But if it’s a *trend* — if I consistently find myself getting it wrong, over and over, it’s less about the puzzle and it’s more about me: am I constantly making assumptions about something? Am I not really paying attention? If it’s important enough to understand why, there are times when picking through the choices is valid: oh, I made an assumption about X number being in N place when I had no data for that. Or, oh, I conflated that number with this number (e.g., looking at the trend of 3’s in the blocks and then misapplying it to a different number/relationship). That won’t help me get through the block sooner, but it will help me understand why I’m messing up and that maybe it’s time for coffee or a break.

I work (perhaps unsurprisingly) in engineering, and almost always the faster way of dealing with a problem is to start over. Sometimes you get to carve in some things that you *know* are good — in Sudoku this would be the numbers that are prepopulated for you and maybe your first four moves — and then you go from there. Generally speaking, as long as everyone’s ok with that approach (in any industry you can have things cheaply, quickly, and of good quality: pick two), that is the way to go. “Starting over” is expensive but may be cheaper than “refactoring extant” (the assumption here is that quality is not up for grabs). What you sacrifice is the ability to really hyper-specifically target how you got into a specific pickle, which, sometimes, you need. Sometimes, though, it’s enough to know you got there… and to work more diligently and specifically to ensure you don’t go back.

The First Ridiculous Thought

I have insomnia. It is persistent, sometimes even chronic, and although not nearly as bad as it used to be, it can be relied upon to hit a couple of times per week (or more) in high-stress periods. It isn’t chemically induced (I drink mostly decaf) but more of a, “I have to get up in the night anyway and when I try to get back to bed the brain is on *just enough* to make it difficult to get back to sleep” thing.

If you live in a world where outside forces set your schedule (which is most of us), you don’t have the luxury of “sleeping in”. How much sleep you get is directly related to when you go to bed and how successfully you sleep in the window allotted. And I am an 8-hours of sleep to function person.

Over the years I have developed various coping strategies for this, but the most reliable one is what I call The First Ridiculous Thought.

NOTE: I am not a doctor of any kind in any way. This is just what works for me and how I’ve rationalized it. It might work for you.

To set the scene: it’s roughly 2:30am. You need to wake up again at say, 5am. You have clocked maybe 5 hours of sleep thus far, so every minute is precious. And you’re awake – your brain is buzzing through all of the things it wants you to be preoccupied with: how are you going to present this issue to management? How are you going to give feedback to this person? If this schedule falls through, which contingency plan are you most likely to use? Did you, in fact, remember to put the trash bins out? Is *this* the weekend you were going to go dig under the house to find that thing or was that next weekend because wasn’t this weekend that thing… and so on. Thoughts coming fast and loose, spilling over into each other, all demanding attention, and the more you give it, the longer you will be awake.

There are two ways to get to the First Ridiculous Thought. The one I recommend (that works often for me) is you build a story in your head. You can borrow heavily from favorite media (e.g., you are Indiana Jones and now you’re on your next adventure) or build your own. The point is, it has nothing to do with the bulk of racing thoughts and it resides firmly in fantasyland. However, because your brain is logic-ing and fretting away, it will want reasonableness in this fantasyland: how have those snakes been surviving all this time? You see the spider webs but where do the spiders come from? Etc. Let your brain rathole on these things. They aren’t important and they give it something to chew on.

And then you get the First Ridiculous Thought.

You’ll know it when you think it: it is Patently Ridiculous. Maybe it’s that the snakes are now space aliens or maybe it’s because they are somehow special underwater magic snakes that can survive in an oxygen-starved tomb or whatever. And then you remind yourself that underwater creatures use oxygen too, for the most part, and they filter oxygen out of water, so saying underwater snakes can handle entombment is just Ridiculous.

Get ready, you’re about to go back to sleep.

This is because your brain has detached from this requirement of logic and fret and worry and is now goofing on some weird idea that isn’t really quite right and is Patently Ridiculous. It’s because the logic-y part of your brain has gone to sleep, and the less-than-logic-y part is taking over. The land of dreams.

You can, of course, talk yourself out of this; I have done so, and I do not recommend it. It takes longer to get to the Second First Ridiculous Thought.

This works in other places, by the way. In waking times, at work or in a work group environment (school project, committee work) you may find yourself in an intractable kludge of worry and ratholing. You (and your team maybe) are going over the same sixteen questions over The Thing that seem just as problematic as they did the last time you talked about them, and the time before that. This can be because you are bringing up the same strategies and key points, over and over.

Detach from them. You can do this one of two ways. Transparently: make a rule such as “we will tackle Just One, and we will either pursue Just One with the things we’ve said, or we will specifically say ‘those are not options, start thinking about different options’.” As soon as someone points out that there aren’t any, point out that there have to be, even if they’re ridiculous. Give yourself, and others, permission to be ridiculous. Embrace the awkward.

Opaque works too: suggest a “brainstorming” session and start seeding it with ridiculous thoughts. I mean, legitimate ones – no, you cannot ship the data on 1,000 USB sticks via elephant over the Alps, but… you could FedEx it. No, no, that’s ridiculous but… there are ways.

Is this 100% foolproof? No. But neither is it 100% foolish. And when you find yourself desperate for sleep at 2:30am, or desperate to unravel a Gordian Knot of a project, it can’t hurt.

Now What

I work for a major tech company, one that is/was recently in the news for layoffs, and I get that that doesn’t narrow things down much. I’m not immediately impacted. Many are.

This is my best effort at a salient list of what to do if you found/find yourself on the receiving end of a difficult conversation, a last-minute scheduled meeting with HR, or a sterile email. (I am glad to be working at a place where it wasn’t the latter).

  1. Read Everything – I mean really read it. Don’t gloss over the letter/notice/information you’re given; read all of it, and make sure you have read all of it before you sign anything. You should be given time to read it and review it with someone else if needed.
  2. Get answers to the questions you will have after reading everything:
    • What happens with your health benefits? How long are you covered, is there COBRA?
    • Can you claim unemployment insurance? (In some states you can after a layoff, and in some, if you take a package, you can’t. Your state may vary; check the state site. Here’s that page for Washington State.)
    • What happens with your stock, specifically your unvested stock?
    • What happens with your ESPP (if you participate)?
    • What happens with your 401k?
    • Are they offering employment assistance (e.g., helping you find another job)?

If it’s all happening NOW

  • You’re going to feel overwhelmed, but you’ll need to do steps 1 and 2 above to the best of your ability. Don’t *sign anything* until you have to. Let the person who notified you know that you need time to review the notice with your SO, parent, roommate, whatever.
  • Take a walk or scream into a pillow or take a hot shower or do something, anything to give yourself some space. Breathe.
  • If you have a budget, revise it based on what your package will be (if you get one) and what your unemployment will be (if you get it).
    • You can work with most companies (energy, mobile, etc.) to create payment plans and/or assistance depending on your circumstances. The reality is that some people live paycheck to paycheck, and if that’s you, start communicating early. This includes your credit card companies.

If you have time between now and D-Day

  • Use your benefits. That means:
    • Get your doctor’s appointments in, eyeglasses, dental, etc. *Same for any dependents*.
    • If you have other perks, use them.
  • Establish *how much time* you really have and what “normally” happens in that time:
    • Do you have stock that vests? Do you contribute to your 401(k)? Do you participate in an ESPP (Employee Stock Purchase Program)?
  • Do you have enough time to look for another role in the same company? (Large-company layoffs are usually strategic and organized around projects; your skill set may work in another project.)
  • Should you start changing automatic deductions/drafts *now* to accommodate an uncertain future?

And then

  • Brush up your resume. This includes:
    • Updating your work history
    • Looking at current job listings at other companies/your company and identifying how skill sets are being labeled/displayed “these days”
    • Updating your LinkedIn profile
  • Consider working with a contract or temporary agency – not glamorous, but it keeps you out there, it gets you exposure in companies, you get additional skill sets, and most importantly, it helps pay bills.

Your mileage may vary, and some may be in a better position than others. There is this perception that if you work in the tech sector, you have scads of cash just lying about for just such an occasion, and whilst there are those that do, there are those that do not. Not all tech sector jobs are high-income engineering, and things are tightening up.

We’ll get through it. It’s going to be rocky, but we’ll get through it.

Change Management, Part II

Following up on the earlier post, as I have had Spare Time™ courtesy of a bout of COVID.

The Ripple Effect

I failed to mention previously that Big Changes tend to have ripples. Much like when you throw a rock into a pond and then another rock shortly after it, and the ripples crash into each other and create other ripples, that is how post-major-change ripples go. For example: you have broad reorganization A – let’s say whole departments move, charters move, Big Changes happen. That’s the first rock.

As the ripples from the first rock stretch out to other parts of the water, things in that part of the water get impacted — in this case, there are the tactics of administering a reorganization (changing of cost centers, migrating of resources, identifying process or people gaps, revising projections, etc.) and then there are the tactics of reacting to a reorganization (“I had guaranteed funding from your team to do X; you have gone through a reorganization; is my dependency on you at risk?”). After enough buildup of these ripples, it often comes to management’s (correct) mind that another reorganization is needed, to account for the things that weren’t immediately derived or attended to with the first one. This “aftershock” reorganization is typically smaller, more nuanced, and often has better details worked out (direct reporting lines, previously identified gaps accounted for, etc.). Perhaps pedantically, this aftershock can breed additional, smaller aftershocks (or, additional, smaller ripples) that eventually calm down as they extend through the system. Depending on what time of year The Big One hit, the Little Ones can extend 3 to 6 months afterwards.

Driving To Clarity

The unloved but absolutely necessary job of the shitbird.

I’m sorry, there’s no better way to put it, although LinkedIn me wants to change “shitbird” to “change facilitator” or something; the bottom line is that oftentimes the people who have to drive through the stickier parts of the ambiguity pursuant to a reorg (particularly when we are talking about things like charter, support, keeping programs running, transfer of knowledge, transfer of understanding (those are indeed two different things), and so forth) are incredibly unpopular because we are often the ones pointing out the un-fun things to be done. For example, if the reorganization of people and charter does not equate to a clean reorganization of resources, there’s typically a lot of tedious work in identifying which resources go where, which ones can’t move until they’ve been reviewed, etc. In a world where development teams are already stacked with features and fundamentals work, the tactics of a reorg often present an unfunded mandate and are not usually expressed in cost of hours (e.g., this reorganization equates to N developer hours spent on the tactics of the reorg).

Note I do not say “wasted”. The time spent inspecting and enabling a reorganization to be successful is *not a waste* if done transparently, with understanding of the purpose of the reorganization, and in good faith. Like any effort, there are costs to that effort; the overall reorganization ostensibly results in greater long-term efficiencies, development or productivity. There is a short-term cost, however, and I’ve yet to see any reorganization actually attempt to size that cost up front, or get better over time at sizing and predicting the costs associated.

Tactics vs Strategy

Thus far all of my conversation here has been about “tactics” because the reorganization itself is the output of a strategy decision, and the implementation and administration of the reorganization is all tactics. But should it be?

I’m fairly certain that my company is not the only company to regularly shift resources, assets and charter in a near-constant effort to get better: we are a for-profit company and like sharks you either swim or die. We spend money on things, we want to be as efficient as possible for the best possible outcome, and ostensibly every reorganization is made with that goal in mind.

In a world where this is the case then it occurs to me that, by now, there should be a playbook for these things: how to determine the lines of the reorganization, how to pre-identify some of the impacts (both proactive and reactive), and most of all size the costs associated. Those costs need to be juxtaposed with the previous planned expenditures and weighed accordingly – you cannot absorb the impact of moving a thousand people around with no delay in production or productivity; to do so is either specious or obtuse.

One could argue that we cannot get to the impacts of the proactive/reactive tactics to a reorganization because the people who tend to understand these pieces best are too close to the ground – they cannot be trusted, in advance, with the knowledge of the pending changes enough to provide sizing of impact, and so it’s better to let the reorg roll and then “just deal with it”.

If you cannot trust your team to size things in advance, that’s probably a signal to pay attention to. Let’s ignore that for now, because that’s not what we’re talking about here (but we will, later).

You can have some aspect of both worlds.

The Strategy of Shuffle

Working with the fait accompli that a reorg is coming, you cannot (for whatever reason) pre-plan the reorg transparently with your organization, and you have to land the message and then pick up the pieces: approach it as strategy.

Because this isn’t the first one of these you’ve done, and it won’t be the last.

Playbook

If you don’t have a playbook, build one. Literally start building one by capturing the pain of the tactics of this reorg:

  • What were the hardest parts of the implementation?
  • What were the things you didn’t plan for?
  • What were the things you planned for that didn’t actually happen? Or didn’t turn out the way you thought?
  • How much time did your team actually spend implementing the reorganization?
  • What projects for that period ended up being delayed (either directly or indirectly)?
  • Did any of your KPIs suffer?
  • Did your OKRs have to change?
  • How did your employee satisfaction scores change before, after, 6 months after, and 12 months after (for those who were part of the cohort before and after)?
  • What volume of attrition could you directly or indirectly tie to the reorg?

You’re already having to absorb the tactics of the specific reorg you’re undergoing right now, you may as well track this while you’re at it.

Sharing

As you’ve captured all this information, be transparent with it – share it with your team, share it with your management, share it with your impacted peers, share it with your leadership. None of these things should be sensitive and every single one of them is useful.

“None of these should be sensitive? What if my KPIs suffered? What if our employee satisfaction scores suffered?”

I would argue that it’s likely anyone seeing this data already has access to it — it’s not unusual for employee health scores to be shared out semi-annually or annually, OKRs and KPIs by their very nature are shared in a Measure What Matters context, and I guarantee that regardless of what they wrote in their “going away/changing roles” email, everyone knows why someone left the team or company.

The transparency and sharing of the data facilitate conversation, they facilitate awareness, and most of all they facilitate the ability to identify areas to improve *next time* — because there will be a next time.

Benchmarking

If you’re thinking, “hey, it looks like you’re gearing up to say that now that I’ve measured all this and documented it, I should benchmark and improve” then ding! go to the head of the class. Because that is exactly what you (I, anyone in this) should do. If for no other purpose than your own, record what it took last time and use it to inform your experience the next time you go through one of these: to better set expectations, to understand the volume of work, and to better approach the tactics of *that* reorg.

Forecasting

Obviously if every impacted team did exactly this then that would be a heck of a conversation with leadership about (and accrued body of data to inform) the strategy of reorganizing. Armed with the data of the costs pursuant to a reorganization (in time, developer productivity, attrition) vs. the benefits (in strategic pursuit, overarching delivery, etc.) leadership can make better informed and more surgical reorganization decisions. Specifically, armed with data about implementation times — e.g., if Reorg A took a really long time to implement because the volume of entrenched and shared resources was particularly gnarly to tease apart — then when approaching the next reorganization leadership can cast an eye in that direction and ask their middle management (who will be better informed on this aspect but also ostensibly in the Circle of Trust, or at least enough to help message the reorg) to size the effort for this bout and/or adjust their reorganization plans accordingly (move more/fewer people, move more/less charter, etc.).

In turn, much like any development effort, the management team can identify predictive costs of the reorg (if we do X, it will use up about Y productivity, and potentially impact Z project, to N degrees), avoiding many of those unpleasant conversations (or worse, handwavy conversations without any actual data attribution) that happen 6, 8, or 12 months down the line when we’re collectively trying to figure out why something did or did not happen.

Perfect vs Good

A quick note here about perfectionism: it’s good in small doses to get you directionally better at things. It is not a good management philosophy, or a philosophy to apply to any sort of “benchmarking and improvement” endeavor, which is what I would posit the Strategy of Reorgs to be. Which is to say:

  1. Your first round of reorganization benchmarking will not solve for All the Cases.
  2. Your first or even second set of impact metrics will not be enough data to create a predictive model, but will be enough potentially to suggest correlation.
  3. The practical upshot of this exercise is to fractionally minimize the pain and/or volume of expense with each go.

It’s not going to be perfect, ever. You are welcome to aim for perfection; understand you will oft settle for good.

Which is better than settling for nothing at all.

Unplug

TL;DR: Use your paid time off if you’ve got it.

There’s kind of a lot going on in my world right now, a conflux of “things we should have known better” and “things we had no idea would happen”; as my job is professional Anvil Spotter these things touch me in one way or another. (Typically: “Yes we saw that anvil, here’s proof we saw that anvil, here’s how we will duck out of the way of said anvil”, or, “Nope, didn’t see that anvil, but here’s how we dealt with a similar anvil, and here’s how we’ll keep from being under this anvil next time”.) So far none of the anvils have landed but there’ve been some close calls.

What this means in a dynamic, hybrid work environment is a finely controlled chaos. In a meeting talking about interpersonal dynamics the other day a graph popped up to show all the interaction capabilities in a group of, say, six people — and it’s factorial. Which means that if you have six people then Person A can have a “group” with all 5 other people, or 4, or 3, or 2, or 1, and as you whittle down the numbers the combinations increase as to which people they can be interacting with. Which in turn means that a group of “six” people is actually something like 720 “groups”. Which is why at the end of the day you and I and everyone are exhausted when working on a “small group” project (never mind 3 or 4).

The privileged luxury I have is to be able to take a break. This break has been like a few others where I’m actually not completely removing myself (even though that is/was the stated purpose) from work, but it is a departure from my normal work habits and a drastic reduction in the amount of mental involvement and time spent in front of a machine (for work). It’s that last that gets to the crux of it – the same machine I would log in to for fun or just routine access to docs and such is aligned with my work. I can remove work notifications from my phone relatively easily (without having to remove the apps) but removing those from my Outlook, for example, is a bit more of a project. Thusly I’ll log in to, say, update my grocery list or check in on something outside of work and I’ll see the little red bubble and it will entice me to go pay attention to that Teams chat or email. These sporadic check-ins are not as tiring as a full day of work but are, as you can imagine, not as relaxing as one completely departed from it.

The fact that I *also* stacked this “break” with my to-do list of non-work stuff makes it feel like less of a break — car maintenance, catching up on house stuff, etc. means that my eternal fantasy of sitting on the couch systematically eating the marshmallows out of a box of Lucky Charms while watching Jaws and Aliens still eludes me.

That said, this “break” still provides respite and is necessary to ensure that when I do officially return, I’m a sane, practical, rational person, whose job it is to identify anvils as they hover. The takeaway here for you is to use your paid time off.

FOMO (Fear of Missing Out) is a thing – and probably drives some amount of “nah, I’ll just take a break later”. It’s not necessarily fear of missing out on the fun stuff, though, but rather fear of missing out on crucial information on a given project, or the nuance in a meeting, or having the time to catch up on XYZ technology, or getting your administrivia done. The objective horror of coming back to literally hundreds (thousands) of emails can also be a deterrent. Much as lying down without sleeping can offer an incomplete yet still valid rest, so too can the “break” with a teeny check-in here and there. In my case, the little red bubble will not be too scary when I return.

Does this sort of “semi break” take the place of a real, honest to goodness, vacation? Heck no – no more than that 20 minute beanbag loll takes the place of 8 hours of sleep. But it can give you the respite you need to keep going until you can get to the *real* break. Just remember to actually take that real break. I’m scheduling mine shortly… you know, while on this one.

Liminal

We sit, in the western world at least, in the liminal space between One Big Holiday (yours truly celebrates Christmas as a cultural holiday rather than a religious one) and Another Big Holiday (New Year’s Eve/Day). Annual odometer changes are so ripe for “new beginnings” that the question “have you started writing up your New Year’s resolutions?” is a fair one, even if one doesn’t practice it.

As we know, I make lists, and I like to make goals; I have had my brain described as mercurial and that’s pretty accurate: I use goals and lists to keep myself in check. (One of the reasons I don’t really get into competitive sports or games is that I’m already in constant competition with myself; I don’t really want to add a new adversary.) And since many of you out there are quite possibly in that “making of lists” mood, I figured I’d share some of the resolutions and plans that have stuck best and that I have benefitted from. Take this and use it as you will; I am not a professional, just a passionate amateur.

Money Matters

I’m nearly 50 so the things I have to contend with — and the problems that money solves — are different from a new college graduate, or a young family. But having been a new college graduate and started a young family, I can provide the following things I did and used that helped:

Track Your Money; Make a Budget: I once had a friend who avoided the mailbox because she knew there were bills in there. The “rationale” was that if she didn’t open the mailbox, the bill wasn’t really an issue. (Yes, yes, my mind exploded too). *Fear of money* is a real thing, and fear of decisions about money is a real thing. In the US our financial education for children and teens is appalling. It’s offered as an elective in some schools, and in others not at all. I get it if you’d rather not look at where the money comes from, and where it goes. That doesn’t mean you shouldn’t do it — this is a fear, or a task, you will need to master because (at least at this point) we are in a world where currency is exactly that.

There’s all kinds of budgeting software out there, like You Need a Budget and Mint. They come with their own downsides and detractions, and when I started out they did not exist; so I used Excel. At one point in my life I was budgeting down to the penny, but you can budget to the round number and general idea you are comfortable with. The principal parts of a budget are: how much you expect to earn (income), how much you expect to spend (outgo), and that’s it. Ideally the former is larger than the latter, and if not, you work the puzzle to get it to either be even (okay) or surplus (better). You can download your most recent bank statements, import them into Excel, figure out what your habits have been, and go from there. (Pro tip: work in small batches. Don’t get draconian and say “I’m never eating out again” — just like crash dieting, you will regret it — pick one thing and go after it in increments.) Review it quarterly and update as needed (put an item in your calendar and treat it like a work meeting!).

Get out of Expensive Debt: If you have debt — and everyone does — you need to prioritize it. Some debt is advantageous (e.g., depending on your circumstance you may still write off your mortgage interest) but debt is debt. Identify all the money you owe (cards, loans, etc.), identify its interest rate, and look at how “expensive” that debt is. The higher the interest rate, the higher the expense, so extra cash goes to pay down the higher-interest-rate debt *first*. And if you’re really in trouble? Go to credit counseling — they can help negotiate with creditors, reduce interest rates and put things on a payment plan so your credit score doesn’t go down the tubes but you also don’t live on ramen and rice. Those store cards are tempting because they give you a % off at the beginning, but they almost always have the highest interest rates, so if you plan to carry a balance (or if it’s even a possibility), don’t.

Shop Around: Your insurance company has to compete for your business. So does your cell company, and depending on where you live, maybe your internet as well. Look around and see what other companies are charging for what services and you may be able to save some cash. Sometimes all it takes is letting your current company know you’re thinking of leaving, and they’ll offer discounts.

Bulk Buying, maybe: If you have the storage space for it, bulk-buying (like what you get from Costco) is great. But you may be in a 600-square-foot apartment and… not so much. However, you may have 3-4 friends *also* in 600-square-foot apartments, and if so, you can get a Costco membership and split the purchases. While Costco won’t do this for you — it’s a per-household thing — and while you need to trust your friends won’t stick you with 24 rolls of toilet paper — it’s worth considering.

REduce, REuse, REcycle

Marie Kondo did a bunch for many people (including me, I learned a new way to fold things) but I don’t sit there and hold up my vitamin container and ask if it brings me “joy”. There’s stuff you need to have. Clothes, though, seem to be the one thing that gets away from many of us, and so here are some ideas:

  1. Clothes Clutter: On New Year’s Day (or some other very familiar “start of a year”, like a birthday or anniversary), flip all of your hanging clothes backwards, so you have to work to get the hanger out (so instead of the curve of the hanger facing away, it faces towards you). As you wear something, when you put it back put it the proper way (facing away). At the end of the year, anything facing you has not been worn, and at that time ask yourself: is there a good reason it has not been worn? (Oh, I dunno, maybe a pandemic rendered all those work outfits kinda useless for a bit?) Then ask if it’s worth another go. If it is, relegate part of your closet to these “unsure” clothes, put them backwards again, and go another year. If after two years you *still* haven’t worn them, and there isn’t a specific sentimental value and/or practical value (I mean, formalwear is a thing), consider donating or consigning.
  2. Paper piecing: Do you scribble notes a lot? I do. I use the backside of discarded envelopes, or misprinted pages, to jot a temporary note. (Because frankly sometimes I don’t have patience to type it into my phone with thumbs and it’s ephemeral in nature). You can make a specific tray/location for this “second chance paper”.
  3. Food Foraging: Make leftovers and use storage containers to store them. Tupperware and other storage containers can be had cheaply secondhand, or you can round out your current set with a practically priced one (bonus: organize your food storage so it isn’t hard to get at and you know where the lids are). Then, store your leftovers oldest-to-newest in the fridge (oldest at front). If you can, take lunch from home.
  4. Kitchen Kvetching: Declutter your kitchen. I am one of the friends in my group that “cooks a lot” and I was the one to do dinner parties and such in my 20’s and 30’s (and early 40’s). As a result I collected, over the years, a ton of cooking stuff… that I rarely use. I mean, how many casserole dishes does someone need? How many blenders? A friend’s friend recently pulled out all of her kitchen tools onto the counter and laid them out, picked one (maybe two) of the favorites from the group, and donated the rest (or, if you have good stuff and larger stuff, consider selling on Mercari or Marketplace or Craigslist).

Health is Wealth

I do realize that I’m atypical here – I mean, I’m not the only one in my circle (or family) that has a spreadsheet and chart of my cholesterol levels (and other tests) over the last 15 years, but bear with me: your health is everything. (Overtones of Baz Luhrmann’s Sunscreen here).

  1. Move every day for 30 minutes. It doesn’t have to be a run or biking — a brisk walk (under 20 minutes per mile if you can manage it, and/or up a hill or two) counts. It’s good for your heart but it’s also good for your head – you can listen to podcasts, or music, or mull over that issue you need brainspace to mull over. It’s raining? You don’t have a treadmill? Do some basic stretching. Check out YouTube for “bodyweight fitness” and find something do-able.
  2. Get your blood panel done annually – like my friend and her mailbox with bills, just because you haven’t gone to the doc doesn’t mean there’s nothing to attend to (and by attend to I don’t mean worry about). A regular blood panel will check for lipids, sugar, etc. and provide guidance on some changes — or not — that you may need to make. In the US, even though we don’t have socialized medicine, insurance companies are *required* to cover 100% of the cost of preventative care — which includes a blood panel for those over 40 and for at-risk folks.
  3. Wear sunscreen.
  4. If you want to start some sort of fitness regimen — e.g., regular workouts, tracking time and such — there’s a wealth of stuff out there to help – Strava and MapMyRun have free modes where you can sign up and just track what you do/where you do it. Or if you’re like me and less into the social aspect of working out, you can track it in Excel/Google Spreadsheets. In my 30’s I belonged to a “run club” at work where we basically had an annual goal of N miles per week and were free to track and/or do as much as we wanted. You could leverage others for accountability or not, and you could be as detailed in your tracking as you wanted.

Finale

The important thing to remember here is these are ideas for *if you want to do them*, if you identify that you need/want change and if they are appropriate to you at this time. They’re also by no means the only ones out there and, with it being that time of year, the internet is full of lists and opportunities to review. My one last piece of advice is this: you don’t have to do “all the things” and if you try you may go nuts. Pick one, maybe two, and tackle those. If that’s working, maybe pick a third and go from there. Remember: you’re not doing this for anyone else; you’re doing it for you.