Work Stuff

Does anyone know of a Linux support company that provides 24*7 support to Ruby and PHP applications? I have a client that is looking for such a company.

Also I’m looking for more consulting work. If anyone knows of an organisation that needs some SE Linux consulting, or support for any of the FOSS software I’ve written then let me know. I take payment by Paypal and Bitcoin as well as all the usual ways. I can make a private build of any of my FOSS software to suit your requirements or if you want features that could be used by other people (and don’t conflict with the general use cases) I can add them on request. Small changes start at $100.

Preferring Not To

I’ve just read Bartleby the Scrivener which is a short story about a scrivener who refused to work saying “I’d prefer not to”.

It reminded me of some situations in the computer industry. I’ve never seen a single case where someone preferred not to work when everyone around them (colleagues and management) wanted them to work. But then the incidence of having an entire team and management wanting to work efficiently isn’t nearly as common as one might imagine.

In some cases it’s desired that someone not work, such as a former colleague who was hired as a sysadmin but did nothing but change backup tapes (a few hours work per week). Not having him login as root improved the general reliability of the servers but it was fortunate that we never needed to restore from backups…

One time I had a colleague who preferred to spend most of his time in the office searching the Internet for videos of street fights. I have often told colleagues that I would prefer them to work, but in the case of a guy who’s only hobby is street-fighting I decided to let it go.

Managing people can be difficult, particularly for someone who doesn’t like disagreements. Some managers that I’ve reported to seemed to prefer not to manage in an apparent attempt to avoid disputes. One time when I complained about a colleague not even having a suitable computer to permit doing any work a manager responded with the rhetorical question “what do you expect me to do?”. That manager didn’t do any annual reviews of staff for over a year, he only eventually did some reviews because he was told that his scheduled promotion was on hold until he got them done. I got the impression that at least two levels of management preferred not to work at that company.

Sometimes it just gets weird though, such as the occasion when I was the only member of a team and the manager who was supposedly managing no-one but me never seemed to have time to have a meeting with me. But he didn’t want me to bypass him and talk directly to other people in the company, so he preferred not to work and not to have anyone else do his job.

Most of the companies that I’ve worked for in a full-time capacity didn’t seem to have any effective technical interviews (note that I’ve mostly worked for financial companies and ISPs not free software companies). So it seems that anyone with minimal computer skills who wants a well paying job could just send out a CV to a bunch of recruiting agencies, get interviewed by enough companies to eventually hit one without a technical interview process and then find a job that doesn’t require work.

Depression

The Wikipedia page about Bartleby the Scrivener [2] suggests that Bartleby was depressed. I wonder how much of the lack of performance I’ve witnessed has been due to depression. There appears to be a strong correlation between work environments that cause depression and people preferring not to work.

Maybe managers should be considering how to make work less depressing to try and get more effective employees (in terms of quality and quantity of work). One example of this is the sysadmin team death spiral I’ve witnessed where no-one can automate solving problems (EG by cron jobs to manage resource usage and analysis tools to find minor problems before they become major problems) because everyone is dedicated to fixing things that break needlessly (EG systems crashing due to lack of disk space). When people start getting control over recurring problems and automating things then the work becomes increasingly about solving problems and less about implementing the same manual processes every day/week and it’s more fun and effective for everyone.

At the BoF on depression at LCA 2013 one delegate stated that many companies have people in HR who can arrange support for depressed employees. Apparently if you are depressed and you work for a company that’s large enough to have a HR department then it can be beneficial to talk to HR about it. That probably works well in the case where an employee is depressed but the company is working well. But in the case where the company isn’t working well it seems unlikely to help.

David Graeber wrote an interesting article about “Bullshit Jobs” [3]. He goes a bit far, I don’t think that late night pizza delivery is a bullshit job and actuaries are useful to society. But his points about the existence of useless jobs are reasonable.

Management Levels

I sometimes wonder whether there is some benefit in establishing social norms about working and then having management take little interest in how it happens. If a team works well together then management could just set deadlines (which would be negotiated with employees who know what’s possible) and let the team work out how to do it. Then instead of having one manager for each team of ~10 people who theoretically tracks what everyone is doing you could have one manager for a dozen teams who just tracks overall team performance – essentially remove a layer of management.

Valve is famous for having no formal management structure and for getting things done, unfortunately that apparently allows school-style cliques to block actions [4]. But I think that the Valve experiment is useful and provides some ideas that can be used by other companies. Maybe if instead of requiring consensus of the entire company for hiring decisions they only required consensus of the team things would have worked better.

Of course another down-side to such things is that hierarchical management can be good for avoiding discrimination and bullying. The article I cited about Valve compares it to high-school. It could be that Valve employees were all nice people who only hired other nice people. But if similar systems were implemented in many companies then some would surely end up being like a typical high school with all the bullying and mistreatment of minority groups that entails.

Michael O. Church wrote an interesting article in which he divides employees into four categories, “loser”, “clueless”, “psychopaths”, and “technocrats” (note that he didn’t invent the first three names) [5]. In his model the “clueless” category includes most middle-management. I think that there are some problems with Michael’s model and I’m not arguing for a “technocracy” (which is how this post might be interpreted in terms of his ideas). But I think he demonstrates some of the real problems in the way companies are managed and in his model the “losers” prefer not to work as long as they can get paid.

Conclusion

I don’t have any good solutions to these problems to offer. It seems that the best we can hope for is incremental change to make work less depressing, to have the minimal amount of management, and to avoid “bullshit jobs”.

Phone Calls and Other Distractions

Harald Welte has written about the distraction of phone calls and how it impacts engineering work [1]. He asks why people feel that they are entitled to interrupt him given the cost to his work.

Some years ago while working as a programmer I was discussing such things with a colleague who worked for the consulting part of the same company. He was really surprised when I told him that a phone call at the wrong time would cost me at least 30 minutes work and possibly an hour or more. His work was also quite technical and demanding but the difference between software development (where you need to think about a lot of program state to consider where the problem might be) and consulting (where you have to deal with a smaller number of configuration file options and sometimes getting debugging information to someone like me) is considerable. So the attitudes towards receiving calls also tends to be quite different.

Computer work requires more concentration, thought, and knowledge of system state than many (most?) career choices. If someone finds that an unexpected phone call costs them no more than a few minutes work then it’s quite reasonable of them to phone other people whenever they feel like it – generally by default people think that everyone else is just like them.

In terms of managing interruptions to my work, I generally encourage people to email me and that works reasonably well. So I don’t have too many problems with distracting phone calls. I used Jabber for a while a few years ago but I didn’t reinstall my Jabber server after it became corrupt because of the distraction. I believe that was due to using Jabber in the wrong way. I should have just started a Jabber client when I wasn’t doing anything important and then killed it when I started doing some serious coding. Having a Jabber message interrupt me when I’m watching a TED talk or reading blogs is no big deal. In fact I could tell everyone who has my phone number that if they see me on Jabber then they can just phone me if they wish while knowing that it won’t distract me from anything serious. I wonder if I could configure a Jabber client to only receive messages when a program such as mplayer is running.

I have configured my laptop and workstation to never alert me for new mail. If I’m not concentrating then I’ll be checking my email frequently and if I am concentrating I don’t want a distraction. I have configured my phone to give one brief vibration when it gets mail and not make any sound, I will only notice that if I’m not concentrating on anything. It’s a standard Android feature to associate ring tones with phone numbers, it’s a pity that the K9 MUA doesn’t allow associating email addresses with notifications. There are some people who’s email could usefully trigger an audible alert. There is an K9 feature request from 2009 to allow notifications only when the IMAP flag “Flagged” is set which would allow the mail server to determine which users are important, but there’s no sign that it will be implemented soon.

I’ve started playing with Google+ recently due to Ingress team interaction being managed through it. Google+ seems quite poor in this regard, it defaults to making a ring tone for lots of different events. Turning that off is easy enough but getting notifications only about things that are important to me seems impossible. I would like to get an audible alert when someone makes a Google+ post with an Ingress code (because they expire quickly and because they only seem to be posted at times when I’m not busy) but not get audible alerts about anything else. I’m sure that most people who use Google+ would like to have different notifications for various types of event. But the Android client has options for whether there should be vibration and/or noise and for which events get the notifications. No options for different notifications for different events and for treating some community posts differently from others.

It seems that the default settings for most programs suit people who never need to spend much time concentrating on a task. It also seems that most programs don’t offer configuration options that suit the needs of people who do concentrate a lot but who also sometimes receive important phone calls and email. It’s ironic that so many applications are designed in the least optimal way for the type of people who develop applications. The Google+ developers have an excuse as doing what I desire would be quite complex. But there are other programs which should deal with such things in a user friendly manner.

Recruiting at a LUG Meeting

I’m at the main meeting of Linux Users of Victoria (my local LUG). A couple of recruiting agents from Interpro [1] are here and have been working the crowd, one of them is on each side of the room and it seems that their plan is to speak to every person at the meeting and ask about whether they are looking for work.

It is apparently difficult for them to find good Linux candidates and they hope to find people here (they are mainly looking for a senior programmer/team leader and an experienced sysadmin). One of my friends is looking for work but he’s got two interviews for arranged for this week so they will have to be quick if they want to get him. I guess this means that the economy must be going well, or at least it’s not too difficult for Linux people to find work (which is what matters the most to me).

Attending the meeting and talking to people is a good business idea for the recruiters and is generally good for members of the group. Before the meeting starts and during the intermission people just hang out and talk, asking them if they are looking for work generally won’t harm anyone and can really help some people. I wouldn’t want to see multiple agencies doing this at every meeting, but I think that having it happen occasionally is a good thing.

Security and Hiring

The main sources of information used when hiring someone are their CV, the interview, and references.

CV

The CV is written by the applicant or sometimes for the applicant. Naturally it says only good things, if a CV notes no skill in a particular area then it may be used to exclude an employee from consideration. But the trend is towards including a reference to anything that you touch, so someone who lists DBA experience may merely have done a couple of CREATE TABLE operations.

Interview

The interview is a good test of people skills but is often of little value in assessing technical skills. The interviewer asks questions such as “do you know technology X” and the applicant says “I know that really well“. If the company is hiring another person with similar skills to current employees then they can have their current employees sit in on the interview and ask difficult technical questions, but for unknown reasons managers often don’t take that option and get no advice from their technical people. Also if the company is hiring someone with specialised skills (EG they are about to implement a new application and want to hire their first employee to work on it) then it may be impossible for them to assess the technical merit of answers. Probably the best use of the interview is to match answers with the CV, if the applicant doesn’t appear to know the contents of their own CV then they should be rejected.

The biggest problem with interviews is when the questions are all of the form “do you know X“. Someone who really knows it will say “yes” as will someone who doesn’t know enough to realise the limits of their knowledge – and such ignorant people vastly outnumber the skillful people. The real problem is that the people who are moderately skillful will lose out. If someone asks me about my MySQL skills I will tell them that I’m not really good at it. Sure I’ve run replicated servers with tens of thousands of users running 24*7, but that doesn’t mean I’m really good at it – probably most people who will claim to be great at MySQL without qualification would have less experience than me.

References

Reference checks rely on an unknown person saying good things about the applicant. For starters there is the issue of the number of references which may not be representative of their employment history – EG the applicant could use as a reference the one manager who didn’t sack them.

The next issue is that there is little incentive for the referee to be honest, most people are aware of instances where someone once worked for a friend and can rely on good references for the rest of their career. If a reference is inaccurate then there is no realistic opportunity for redress.

Finally every reference check that I am aware of (checks where I have been the referee or the applicant) has involved the applicant giving the phone number of the referee to the hiring manager! The phone could be owned by a friend or relative of the applicant, so logically a good reference that is based on trusting the applicant to supply the phone number only proves that the applicant is either good or really bad. To make a reference check prove something the recruiter would at a minimum have to phone the number listed in the white-pages for the corporation that used to employ the applicant, asks to speak to the manager of the relevant department, and then gets a reference. Calling a mobile phone number that is supplied by the applicant (which seems to be the standard practice) is essentially trusting the applicant – and trust is the root cause of most security problems!

Really most of this ends up as trusting the applicant to provide honest evidence that they are trustworthy and believing that the applicant’s technical knowledge is good enough to be correct when they say that their technical knowledge is good. It can fail spectacularly when someone isn’t trustworthy enough to provide honest evidence of their integrity or when someone doesn’t have the skills needed to know that their skills are lacking.

As an aside, even if the reference is given accurately and in good faith it may still be misinterpreted. The fact that telephone references are exclusively relied on exacerbates this problem. Ideally references would be in writing with some way of proving their authenticity (maybe using phone verification of the accuracy of the written document).

Solutions

So how can we solve this? Some people believe that career based social networking software will solve the problems, but as usual I think that software doesn’t magically solve human problems. The first challenge when trying to use social networking to solve the problem is to find someone on your friends list who has relevant knowledge, this may be viable in a small industry (EG when someone from bank A applies for work as bank B in the same city). The next issue is that of false “friends“. I’m sure that I’m not the only person who has been pressured to add people as friends on social networking sites, the non-computer social interactions really don’t prepare people for saying “no you are not my friend” (apart from high-school I guess). With professional social networking sites there are further issues, if you are working on a client site and a manager demands that they be listed as one of your friends then what are you going to do?

So it seems to me that the social networking sites are at best a helper for the gossip network. If you think that a friend of a friend from a social networking site might be able to help you then you first ask your friend if the person in question is really a friend, and if so are they one of the shifty pseudo-friends you only hang out with because their company pays good money. But the problem with the gossip network is that it’s mostly secret and is therefore subject to settling vendettas, I’ve heard of senior managers going out of their way to spread false stories about former employees to settle scores.

The best solution I can think of is for someone who has a reputation to publicly stake it on the accuracy of their references. If I’m going to give a reference then I would be happy to do so via a GPG signed email or a blog post. This doesn’t mean that my references will always be correct, but it would show that I try to give good references.

Ownership of Laptops for Work

Jetstar has announced some new changes to the way they manage their IT infrastructure [1]. Some parts of it are obvious things that people have been doing (or wanting to do) for a long time – such as using thin clients with no moving parts (not even cooling fans).

But the really interesting part is their plan for managing laptops. They are using a virtual machine image on a flash storage device that can run on any system. So deploying a new system will only require installing the virtual machine software and inserting a storage device. Moving a user’s environment to a different system (EG due to hardware failure) will merely require inserting the storage device in a new system.

That raises the issue of ownership of the device. It seems that Jetstar are considering using systems that are owned by employees, Stephen Tame said “In two years’ time a laptop should be a condition of employment, and this includes bringing your own laptop“. When introducing that I expect there would be some resistance by employees who don’t want to spend the money. However
I have previously estimated the costs of running a car [2] which works out to more than $1,650 per year for insurance, registration, basic maintenance, and the interest that would have been received if the car had not been purchased and the money had been invested. Laptops can be purchased for significantly less than $1000 (currently the EeePC 701 is on sale for $219) and can be expected to last for three years or more if you are careful to avoid damage and don’t run demanding software. So a job that demands ownership of a laptop is asking for a much smaller financial investment than one which demands ownership of a car. But I expect that many employees won’t see it that way.

The up-side for employees to bring their own laptops is that they can choose a model that suits their preference. Everyone has preferences regarding the size of keys on a keyboard, the distance that they travel and the pressure required to register a key-press. For desktop machines it’s easy to swap keyboards but for laptops there is no such option. Then there’s the issue of the trade-off between physical size and weight vs display resolution, personal preferences in this regard will depend to some extent on the body mass and strength of the employee.

Now there are a number of security issues related to personal laptop use. Obviously if the laptop has a Trojan-horse program installed then it could sniff any data that goes past on the network. The most trivial case of this could be addressed by running VPN software inside the emulated environment. This would force a Trojan to compromise the virtual environment (EG by modifying the address space) or to compromise the files on disk (insert a Trojan inside the filesystem for the virtual environment). The former would be tricky to get right while the latter would be trivial. Both attack methods have been used in the past and proven to work. This is why many companies prohibit their employees from connecting their own systems to the corporate network.

One example of a system that is based around running virtual machines for all desktop operations is the NSA NetTop project [3]. NetTop involves a SE Linux system that runs multiple instances of VMWare for different desktop environments. Each VMWare instance runs at a particular sensitivity level and uses a VPN connection to a back-end network running at the same level. The aim of NetTop is to prevent applications in the different VMWare instances from communicating with each other. The significant difference between a typical NetTop installation and what JetStar might be doing is that NetTop runs on a secure base – it’s hardware that has been purchased and installed by a military organisation and is run in a secure facility. While personal laptops that are owned by employees can be expected to be infected with viruses and Trojan-horse programs.

In the past I have suggested that an employment package for any skilled employee should include some budget for buying things that facilitate the work [4]. It seems to me that a company like JetStar could best achieve their goals by assigning a budget to each new employee to buy a machine for their use. The employee then gets to choose a machine up to that budget – which would only be for work purposes. Then when the employee leaves or the machine becomes due for replacement it could be sold at auction. When considering all the costs involved in hiring a new person, spending something less than $1,000 to buy a laptop is nothing.

Finally if buying machines for work purposes, you really don’t want employees using them for surfing porn. Porn sites tend to be particularly bad for malware distribution. To reduce the incidence of such problems I think that work machines should have their sound hardware disabled and laptops should not be purchased with overly large displays. There is no need to make work machines totally unsuitable for porn surfing (which would also make them less effective for work), but making them less suitable than a $500 budget PC should dramatically reduce the scope of the problem.

Increasing Productivity through Clean Air

Kamal Meattle gave an interesting TED talk about using plants to produce enough oxygen to support people in sealed buildings [1]. The combination he advocates is Areca Palm for the living-room (four shoulder-high plants per person), Mother-in-law’s Tongue for the bedroom to produce oxygen at night (six to eight waist-high plants per person), and Money Plant to remove formaldehyde and other volatile chemicals.

A study by the Indian government has found the health benefits from using such plants in an office environment to give a 20% increase in productivity. It seems reasonable to assume that the benefits would be smaller in a city such as Melbourne which doesn’t have serious pollution problems. But even a 5% improvement in productivity would pay for the cost of installing plants! The Indian research also indicated a 15% energy saving through having less “fresh air”.

It seems that now is not a great time to ask for a pay rise, but asking for more plants to be installed in the office is probably viable.

A “Well Rounded” CV

When discussing career advice one idea that occasionally comes up is that someone should be “well rounded” and should demonstrate this by listing skills that are entirely unrelated to the job in question. Something along the lines of “I’m applying for your C programmer position, and I like spending my spare time playing tennis and golf“.

I suspect that the bad idea in question originated in the days when it was not uncommon to work for the same company for 20+ years and when there were company picnics etc. In that social environment employing someone implied socialising with them outside work so it would be a benefit to have something in common with your employees other than working for the same company. Also in those times there were few laws about discrimination in the hiring process.

It is often claimed that participation in team sports teaches people how to do well in team activities in a work environment. I have previously described the ways in which software development is a team sport [1]. Like most analogies this one is good in some ways and bad in others. Team-work is required in software development but it’s not quite the same as the team-work in sports. One significant difference is that most team sports have a single ball, and the person who has the ball (or who is about to catch it, hit it, etc) is (for a moment) the most important person on the field. There have been many sporting debacles when two players from the same team tried to catch a ball at the same time, so the rule in team sports is that you don’t compete with a colleague. In a work environment there are many situations where it’s necessary for tasks to be passed between colleagues at short notice. For example when a deadline is imminent tasks often need to be reassigned to the most skilled people. A junior programmer needs to know that they aren’t an athlete who is running with the ball, their teamwork involves having difficult tasks being reassigned from them at short notice.

Another significant difference between sports and work is the amount of aggression that is tolerated. In most sports some level of harassment of opposing players is tolerated. But in the modern workplace using a single naughty word can be considered as just cause for instantly sacking an employee. So it seems that exposure to an aggressive sporting environment would be a bad thing if it actually makes any difference.

One thing that is sometimes ignored is the teamwork that is involved with hobbyist computer work. Being involved with a software development team for fun will surely give teamwork experience that is more relevant to paid software development work than any sport!

One of the reasons cited for being “well rounded” is the ability to have a “work life balance“. I might almost believe such a claim if it wasn’t made in connection with the IT industry. But given how common it is to demand 60 hour working weeks (or longer) and the number of people who are required to have mobile phones turned on when they aren’t at work it seems that the general trend in the IT industry is against a work-life balance. When hiring people to work in cultures where a strict 40 hour working week is well accepted it seems that hiring people who are willing to work as long as required is important. When I worked in the Netherlands I lost count of the number of times I worked until 10PM or later to fix a broken system after all my Dutch colleagues departed at 5PM.

I have also seen the bizarre claim that consumption of alcohol leads to developing better social skills. It seems really strange to me that anyone would want to work in a company where social skills that are relevant to a bar would be useful (I am reminded of a company that was named after the founder’s penis – I declined to send my CV to that company). Also of course there is the fact that in most countries where I would want to live it is illegal to discriminate against hiring someone for refusing to drink alcohol.

It is quite common for the geekiest people to do a significant portion of their socialising via email and instant/short-messaging (formerly IRC, now Jabber, Twitter, and other services). It seems to me that this experience is more relevant to most aspects of the modern work environment (where most communication that matters is via email and instant-messaging) than any form of socialising that happens in a sports club or a bar. In fact people who are used to face-to-face dealings might have difficulty fitting in to an environment where most communication is electronic.

Now employers seem to have worked these things out. Recruiting agents (who reject most job applicants) have told me that they want to see nothing on a CV that doesn’t relate to a job. That is an extreme position, but seems to represent the desires of the hiring managers who will see the CVs that get past the recruiters. Hiring managers often don’t even read a CV before an interview, they often entirely rely on recruiting agents to determine who they will interview. So it seems that an effective CV will in most cases list as many keywords as possible, demonstrate experience in the technologies that were listed in the job advert, show years of work with no long breaks, and have little else.

Finally the IT industry is distinguished by having a significant number of people who’s work and hobby are almost identical, those people tend to be significantly more skilled than average. It seems to be a bad idea to avoid the potential of hiring some of the most skilled people.

To a large extent your career success depends on what you learn from your colleagues, so if you end up working in a team of people with low skills then it is bad for your career. Therefore it seems that anyone who wants to have a successful career will strive to avoid working for a company who’s hiring process had any criteria other than the ability to do the job well and the ability to not be a jerk. So when it comes to the technical part of a job interview (where the hiring manager brings his most technical people to grill the candidate) it probably makes sense to ask those technical people what their hobbies are. If their hobby is something other than computers then it indicates that the employer might be a bad one – so at least you should ask for more money as compensation for not having highly skilled colleagues.

IT Jobs and Working Conditions

Mark Glossop has written about the best designs for offices to increase productivity and attract qualified staff [1]. He makes a lot of really good points and cites the Joel on Software blog post about “Bionic Offices” [2], it’s sequel “Updated Offices” [3], and Joel’s “Field Guide to Developers” [4]. Interestingly Joel disclaims a connection to “stereotypical Asperger’s geeks” while his points about private offices to avoid distractions, technical issues trumping politics, letting developers choose their own projects and tools, and making the company seem to be doing things that are good for society would apply well to people with Asperger Syndrome [5].

While Mark has made some great points, he has totally missed one important issue – that of being able to do some useful work. The section about “no dysfunctional politics” in Joel’s Field Guide does to some extent cover that issue if broadly interpreted. But generally anyone who is good at a job will want to be allowed to do it and anything which prevents them will make “work” less pleasant. I wonder if Mark has been fortunate enough to miss out on the experience of working for a company that has problems which are suitable for submission to The Daily WTF (Curious Perversions in IT) [6].

The Worst Company I have Worked for

The worst environment that I have ever worked in was for a financial organisation. They were proud of providing a good working environment, all Occupational Health and Safety issues were properly addressed, the office was always clean, etc – many of the people who worked there considered themselves to be fortunate to work there. But almost no work was done due to foolish paperwork! The worst example was a bug in an Apache module that caused an Intranet server to hang every couple of days, the symptom was trivially fixed by restarting Apache or it could have been worked around by a cron job that restarted Apache every night at midnight (the web application was only used in business hours). But instead every few days there were a few hours of down-time while managers worked together to get appropriate approval for me to restart Apache.

On one of the first occasions that Apache hung I asked my manager if I should restart Apache and get the paperwork done afterwards (which is standard system administration practice in every office where you would want to work). I was told that anyone who did such a thing would be sacked and slandered to try and prevent them from gaining other employment. It’s generally regarded that a wise manager won’t say anything bad about a former employee when asked for a reference due to legal reasons, it’s the absence of good things being said that indicates a problem. Deliberate slander would be good grounds for a law suit, but it seems that the management of some companies think that they are above the law.

When I resigned I told my managers that I was depressed and couldn’t stand being there.

In future I will try and identify such companies and walk away from job interviews. I will ask about the paperwork requirements and also ask to inspect the workstations that are used. Any company that pays top rates to people while forcing them to use workstations that would be in the rubbish at any normal company is obviously extremely dysfunctional and should be avoided.

The Best Company I have Worked for

I have worked in a few environments that were really good by various objective measures. One that stands out as being a little better than the rest is a small company that provides network support services. A large part of their business involved maintaining network gear for medium sized organisations. Small companies tend to have financial problems and this one was no exception, there were minor issues such as holes in the carpet that would have been regarded as OH&S violations at any corporation – but everyone knew that it was best to just walk carefully and not complain so that there was money for more important things (such as payroll). Of course many other aspects of a good working environment (such as good office furniture and good monitors) were also lacking due to financial issues. So by the Joel’s standards they were doing quite badly – but this didn’t make them a bad employer.

One significant positive aspect of this company was that everyone there was really friendly, I don’t know how much of this was due to hiring nice people and how much of it was due to having a positive social environment that encouraged the best behavior from everyone. Another major benefit was that things got done with little resistance, small companies that last tend not to have much in the way of political problems. Joel states a principle of not hiring jerks, but an average person can act like a jerks on a bad day. To have a team of people consistently not act like a jerks is unusual.

Another big advantage of that company was it’s positive and supportive attitude towards staff. When I started working for them my car was having some major repairs, so the owner of the company lent me a car for a couple of weeks. Staff who wanted to apply for work at bigger companies due to the limits for career growth in a small company were encouraged to do so. This is a great contrast to the attitude of managers in most companies who want to do whatever it takes to retain staff and who are reluctant to accept that employees will sometimes have good reasons for working elsewhere. This was good for employees and also good for the company who ended up with a ratio of payroll expenses to skilled employees that was far better than the industry average.

Update: ComputerWorld has an article about managing geeks [7]. The summary is that senior managers should listen to the technical professionals, have some basic technical knowledge, and that IT staff should be involved in recruiting new managers.

The Main Security Problem

All security problems are to some degree people problems. Code may be buggy, but it was written by people who could have been better trained, had more time to spend on code review, etc. When there are multiple programs, OSs, libraries, etc to choose from then choosing a suitable combination of software is a matter of the skill and background knowledge of the people involved.

There are issues of software choice where there is no provable benefit of making one particular choice, EG choosing between a popular product that is OK and for which it is easy to hire skilled people to use it and a less popular product that has better security features but less public knowledge. But this is minor compared to other security problem.

I believe that the greatest security problem is stupid people. Stupid people in technical positions write buggy code and configure servers to be insecure. In consulting and analysis roles they develop bad procedures. In management they hire bad people to do technical work.

The vast majority of security problems can be fairly directly and immediately traced back to stupidity. In the corporate environment that is stupid programmers, stupid managers who hire people who are obviously stupid, and often stupid executives for mandating that software that everyone knows to be insecure should be used across the entire enterprise. In both the home and corporate environments there are a huge number of people who run machines that they know to be compromised. Apparently using a computer that is known to be under the control of an unknown hostile person is something that they don’t consider to be a problem – in spite of the obvious risks of fraud, data destruction, and risk of being implicated in crimes such as the distribution of child porn.