What’s the Fox Say?

I like Firefox.  It has the visual settings I want, the security features I want, the plugins I want, and the business model I like.  Chrome and Safari in their own right are just fine, but I prefer Firefox.

My employer, however, does not like Firefox, and that is for obvious reasons.  Firefox is a standalone application that doesn’t require root privileges to install or configure.  It also ignores group policy, and maintains its own certificate store.  From an IT admin perspective, it’d be a nightmare to try to support.  So, officially, they don’t.  But, they don’t explicitly forbid its use, either.  In fact, many internal documents offer information that is Firefox-specific.  But, IT also blocks the domains which provide Firefox installation packages, and the company’s Reasonable Use of Company Resources policy does state that circumvention of technological protections is prohibited, so am I violating this policy by, say, acquiring an installation package that I had downloaded onto a domain I control?  I’m not really bypassing these protections, and besides which–I have a business need to test how web code renders in different browsers.  It’s a bit of a grey area.

What isn’t a grey area, however, is the means by which I connect to the Internet.  Naturally, I use the default proxy URL and configuration provided by the company, so all good there.

Then recently, I couldn’t connect at all.  I received a certificate error for every HTTPS page I attempted to access.  Unbeknownst to me, IT had installed a middlebox.

A TLS-inspecting middlebox works by terminating the connection itself: it negotiates TLS with the real site on one side and with the browser on the other, and inspects (or logs) the plaintext in between.  For the browser-facing half to succeed, the proxy has to present a certificate for whatever site was requested, which it mints on the fly and signs with a company-generated CA.  That CA is installed via group policy into every domain-joined machine's certificate store, so browsers that defer to the operating system's store accept the substituted certificate without complaint.  Firefox, however, ships its own root store and ignores the one in the OS, so when the proxy's certificate arrived, Firefox saw a chain ending in an issuer it had never heard of and promptly terminated the connection as a security measure.  This is, amusingly, exactly the way it's supposed to operate.  Breaking TLS in this manner runs against its purpose, but it works because the client has been told to trust the interceptor, not because of a flaw in the protocol.  (TLS 1.3 tends to come up here, and enterprise objections did delay its standardization: it removes the static RSA key exchange that let passive middleboxes decrypt traffic with a copy of the server's private key, and it encrypts the server certificate.  It does nothing to stop an active proxy whose CA the client already trusts, which is exactly what a corporate middlebox is.)

Naturally, I don’t have a problem with the company monitoring the use of its own resources, so you’ll find no soap box argument here.  My main concern, then, was how to get Firefox working again.

Fortunately there’s a buried setting, within about:config.

Simply changing the Value from "False" to "True" tells Firefox to also trust root certificates installed in the host machine's certificate store, so the interception CA that group policy pushed out becomes an acceptable issuer and the middlebox's re-issued HTTPS certificates validate.
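The trust-store mismatch described above, as an added example that is not part of the original post: this Go program mints the two certificates a TLS-inspecting proxy presents (a corporate CA and a leaf for the requested host, both constructed here with made-up names) and validates the leaf twice, once against a root pool that lacks the corporate CA, standing in for Firefox's built-in store, and once against a pool that contains it, standing in for the Windows store after group policy. Only the second succeeds; the first fails with Go's "unknown authority" error, the same condition Firefox reports as an untrusted issuer. The about:config preference the post describes without naming it in the text is security.enterprise_roots.enabled; flipping it to true is the equivalent of switching to the second pool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key; a real proxy keeps one CA key for years,
// this demo only needs something to sign with.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// interceptedChain builds the two certificates a TLS-inspecting proxy would
// present when a browser visits host: a leaf for that name, signed by a
// corporate CA that is not a public root. Names, keys and serials are
// constructed illustration data, not real certificates.
func interceptedChain(host string) (corpCA, leaf *x509.Certificate, err error) {
	caKey, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp TLS Inspection CA"}, // hypothetical
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if corpCA, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	// The proxy mints this on the fly for whatever site the user asked for;
	// the real site's certificate never reaches the browser.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, corpCA, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return corpCA, leaf, nil
}

// verifyWith runs the same path validation a browser performs, but with only
// the roots in trusted. An empty pool stands in for Firefox's built-in store
// (Mozilla's roots, nothing from the OS); the pool with corpCA added stands in
// for the Windows store after group policy installed the corporate CA.
func verifyWith(leaf *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether a failure is the "issuer not trusted"
// case the post describes, as opposed to an expired or mismatched certificate.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Outcomes returns what each trust store decides about the intercepted
// connection: the error from a store lacking the corporate CA, and the error
// (nil on success) from a store that has it.
func Outcomes(host string) (withoutCorpCA, withCorpCA error) {
	corpCA, leaf, err := interceptedChain(host)
	if err != nil {
		return err, err
	}
	firefoxStore := x509.NewCertPool() // never saw the group policy push
	osStore := x509.NewCertPool()
	osStore.AddCert(corpCA) // what security.enterprise_roots.enabled lets Firefox consult
	return verifyWith(leaf, firefoxStore, host), verifyWith(leaf, osStore, host)
}

func main() {
	noCA, withCA := Outcomes("intranet.example.com") // hypothetical host name
	fmt.Println("Firefox's own store (no corporate CA):", noCA)
	fmt.Println("OS store with corporate CA:           ", withCA)
}
```

Run it with go run and the first line prints Go's "certificate signed by unknown authority" while the second prints nil. The same Verify call is also a quick way to tell whether your own connection is being intercepted: validate the certificate a site actually serves you against Mozilla's roots alone, and a failure there (or an issuer name that is obviously internal) means something between you and the site is re-issuing certificates.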

So at least for now, I can still use Firefox.  I just had to configure it myself, which is no doubt the kind of support IT wants to avoid having to provide.

Curiously, when I’m connected to the company VPN, my traffic doesn’t appear to be funneled through the middlebox.  I wonder if there’s too much overhead to do that, or because since the VPN uses TLS it’d be a technical challenge to separate VPN TLS from HTTPS TLS?  Maybe they’re only concerned about monitoring non-exempts to that extent.  Dunno.

Regardless, Firefox can still play nice in a corporate environment.  It’s just that it has to be manually switched away from its default, and untrusting, policies.

–Simon

Perspective

With the looming winter there just aren't as many projects to undertake (and to write about), but rather than make yet another video game post I thought I'd ramble a bit about economic and workplace observations.  I'm sure that sounds riveting, but I'm not one to mislead with a false premise.  If you prefer, simply rename this post's title to: Ten Things You Need to Know About the Millennial Workforce (in the typical clickbait list fashion).

Although, I still don’t consider myself a Millennial.  I fit somewhere into that forgotten Generation-Y group, before Millennials but too young to be a Gen-Xer.  And like everyone else, I feel that my generation had it worse, and I will explain why.

I will do so by mentioning two movies that I consider to be flagships of this Lost Generation, Gen-X: Fight Club and Office Space.  Media serves as an excellent historical record of a society.

Taken at face value, they’re comedies.  Looking deeper, however, I became irritated at the protagonists’ complaints.  In Fight Club, for example, a young professional becomes disillusioned with the consumerist society in which he lives, abandons it all, recruits followers, and then uses domestic terrorism to try and topple the financial sector.

I’m so angry and brooding. Look how cool I am though. In a later scene I take off my shirt.

Here’s another look: a young professional has more money than he knows what to do with, struggles to find meaning in his life, becomes an asshole at work, foregoes finding a meaningful relationship because he’s a misogynist and opts for a friend with benefits (to whom he’s also an asshole), then creates a gang to commit large-scale vandalism.

I’m so sad because I’m a cubicle jockey. Fucker–I had to work 9 YEARS to get my OWN cubicle.

In Office Space, a young professional becomes disillusioned with the lack of meaningful employment, struggles with having a relationship, then snarkily finds ways to strike back against his evil corporate overlords.  Or, a young professional doesn’t like his job and girlfriend, so he grabs the hottest girl he can find (obvious because it’s Jennifer Aniston–who’s always playing the part of hot chick), shamelessly ceases to do any work (but doesn’t quit his job–just pulls a paycheck while sitting around), then convinces a couple of his colleagues to commit computer crime and steal a lot of money, culminating in some vague message that these actions were maybe not justified, but permissible, since his boss/employer was terrible.

If I extrapolate a line of reasoning akin to the hierarchy of needs, then I would conclude that the Gen-Xers, not having to work as hard for economic sustenance, invented problems, or possibly focused too much on more minor problems, and as a result have a much greater expectation of their effort/reward ratio.

I mention all this because I work with this older generation.  As a whole, I’ve been reasonably content in my current role and department, feeling as though I’ve finally achieved a satisfying level of accomplishment and respect (see above: my own cubicle).  At least I don’t feel like killing myself anymore, so I was a little surprised that when we took our usual round of company surveys, the overall scores for the department were rather low.

I was not the only one who wanted to know why, as committees were soon formed with the intent of identifying the factors that were lowering the scores.  As I was conscripted, I had little say in my involvement.  So I just listened.  Common complaints were: inconsistencies regarding using benefit time, lack of established policies, perceived lack of trust, and a general feeling of being treated like a child.  I found little merit in these claims, seeing them as superficial interpretations of inevitable inconsistencies.

But I suppose the surveys did what they intended: measured the level of employee contentment; and the committees identified specifics.  Still, I can’t help but feel that the prior generation had it a little too easy.  I suppose, in time, the Millennials will consider me a big whiner with unreasonable demands too.

–Simon

Query Quotient

Working for a large company, I often find myself in the scenario of needing information.  I therefore seek to resolve this knowledge deficit by sending a simple email to an individual who holds said knowledge.  Yet all too often my queries go ignored.  Why is that?  What deep underlying motivations have possessed this individual to turn a deaf ear to the needs of others?  What cruel, sociopathic inclinations govern this person’s actions?

I debated at length these social dynamics, but the answer wasn’t nearly so disturbing as my overly-dramatic introduction might have implied.  Rather, I conclude there are a few and very simple factors: Does the person feel they have time (an extension of job title and pay grade), does the person feel the inquirer is worthy of their time (also an extension of job title and pay grade), can the person benefit from the inquirer, has the inquirer committed some social slight against them, and does the person like the inquirer?

To distill this even further, from the contactee’s perspective:

  • Are you at my level?
  • Has there or will there be a quid pro quo?
  • Do I like you?

Yet all reasons are not created equal, so based upon entirely subjective reasoning, I have developed a formula to weight them properly:

  1. Each party’s pay grade.  The first thing an email recipient looks at when receiving an email from an unknown party is that person’s job title.  A lot of information can be instantly determined from the hierarchy.  If you’re higher than me, I’d better listen, for my future promotion could depend on it.  If you’re lower than me, well…(dismissive wave of the hand).  If we’re the same level, I should at least consider you a peer, and there’s the possibility that I might work for you one day.
  2. Subjectives.  How well do I know this person, do we work together, do we have a good working relationship, and do I like you?  So much is difficult to determine from an email, but in short, if you’ve pissed me off, then you’re probably not going to get an answer.  Fair?  No.  True?  Always.  From failed experiences, I know to always humble myself accordingly when initiating contact.
  3. Positive Empiricals.  Have you done good work for me before and are you a potential cardinal to my promotion?  Obviously I would want to maintain a relationship with someone who’s benefiting me directly.
  4. Negative Empiricals.  Have you done lousy work for me before and have you beat me out for a job or opportunity?  Obviously I’d want to distance myself from a poor worker, but the last point does seem petty.  However, people take ego blows very seriously, and it’s no coincidence that former colleagues have severed contact when I became competition, and especially if I won.

As for probability, I’ve determined from experience that I will always get a response from a peer if every positive category is satisfied.  I will generally always get a response from someone lower with almost all of these conditions satisfied.  And I will usually get a response from someone higher with every condition satisfied.  However, if any negative conditions are satisfied, then the response rate very quickly drops.  As I stated, it’s weighted, and formerly positive relationships are always easy to sabotage since the human mind tends to remember the bad and not the good.  Here’s the formula for reference:

=IF(Their pay grade>Your pay grade,100*((1/(0.5*(Their pay grade-Your pay grade))/4)+(Do you know them?+Do you work with this person currently?+Is person within your department?+Do you have a positive working relationship?+Do they like you?)/25)+(Have you done good work for them before?+Can you get this person a job/opportunity?)/10)-(Have you done bad work for them before?+Have you beat that person out for job/opportunity?)/5)),IF(Your pay grade>Their pay grade,70+(100*(Do you know them?+Do you work with this person currently?+Is person within your department?+Do you have a positive working relationship?+Do they like you?)/25)+(Have you done good work for them before?+Can you get this person a job/opportunity?)*10)),60+(100*(Do you know them?+Do you work with this person currently?+Is person within your department?+Do you have a positive working relationship?+Do they like you?)/25)+(Have you done good work for them before?+Can you get this person a job/opportunity?)*10)-(Have you done bad work for them before?+Have you beat that person out for job/opportunity?)*10))))

Of course, that nightmarish formula is more readily understood in its natural format: a spreadsheet, so naturally I’ve provided it along with instructions:

https://moorheadfamily.net/data/Query%20Quotient.xlsx

Out of curiosity, I tested it with a recent scenario involving someone from our Legal department.  The calculator suggested a 33% chance of receiving a response, and seeing as it took 3 weeks to get any answer, this figure seems pretty accurate.  Hopefully this tool will allow you to adjust your project timelines accordingly.

–Simon

Decade

For the life of me, I couldn't figure out a clever alliterative title for this post.  All the D-words I could think of were rather derogatory (see–there's one right there), and while I may have failed to change others' lives with my career, like so many with hopes and dreams of grandeur, I did manage to change mine, and drastically improve its standard of living.  And after all, isn't that our prime directive as a species, before we get into all that nonsense about purpose and self-actualization that we're spoon-fed from the time we learn to write our names?

But I’m too young for a midlife crisis.  This was a mere 10 years.  What happened career-wise in that timeframe?  Hmm…

I joined the company as the recession hit.  Large swaths of the management staff were let go.  Merit raises were frozen, our insurance was overhauled (not for the better), there was a hiring freeze, and then the parent company tried to sell off the division.  When that failed, they realigned it, then merged it, and ultimately spun it off.  In the end, I held 6 different positions over that time.  It wasn’t exactly a period of sustained economic growth.

Through it all, the company has still maintained the practice of awarding ceremonial gifts unto an employee upon reaching a milestone number of tenured years.  Or rather, they send a digital catalog and the employee gets to pick out a gift.  They can be a bit odd too, like sunglasses, a crockpot, or a telescope.  But I, reflecting upon what I have endured to reach that point, prefer to find my own symbolic meanings and so choose something of…symbolism.

So it was that upon reaching 5 years, when I was still a call-center agent toiling away in the ranks, when every second of my time spent on the clock was tracked and reported to generate various statistics and graphs that visualized how I wasn’t working hard or quickly enough, that I chose the Bulova analog watch:

…you know, because time?  Although now it occurs to me that this may already be intended symbolism, due to the watch’s ubiquity as a “years of service” award.  Because I guess there isn’t really a wearable calendar.

But now, I’ve reached 10 years.  Following suit on the symbolic gift appropriate choice…thing, I noticed this in the catalog:

A crystal whiskey decanter!  I couldn’t think of anything more appropriate had I tried: both a symbol of what has gotten me through those 10 years alive, and going forward, a physical item to get me through the next 10 years.

Plus, it’ll annoy Liz.  Win!

–Simon

Password Expiration

For anyone who follows infosec news, or even just basic tech news: NIST has made a landmark change to its password guidelines:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

The change came last month, with NIST Special Publication 800-63B.  Now, to clarify, NIST cannot enforce these standards upon the private sector.  However, as a general best practice, businesses incorporate the NIST standards anyway–a decision with which I personally don't find any fault.

But a consequence of this has been the eternal password debate.  I jested at the very popular entropy argument, and offered my own thoughts on the matter, specifically that the mathematical models change depending on how one views a password's derived length.  And while this argument still continues, at least now we can finally acknowledge that once a "good" password has been created, the human elements create enough points of failure as to negate any advantage of regular password changes.

I therefore beseech you, my employer: can we now please stop with the mandatory 90-day password changes?

–Simon