Archive for September, 2009

Conducting effective performance evaluations

September 25th, 2009 Clear2Go
http://www.flickr.com/photos/magandafille/287193330/

I took a course yesterday on conducting effective performance evaluations. While I have done performance evaluations in the past and am comfortable doing them, I find I always learn something new or some way I can improve.

There were two discussion points that surprised me. The first was the concept that a performance evaluation is completely separate from an employee's career goals and aspirations. The second was that your pay increase or financial incentives were not tied to your performance evaluation.

While both were interesting, I want to focus on the first, the separation of performance evaluation from career goals. While I agree they are different to some extent, the position that they are not connected seems wrong. On the template we use for performance evaluations there is an entire section on objectives. These objectives are supposed to be measurable in some way and, ideally, if you are handling the performance evaluation correctly, the measurement is agreed upon by both the manager and the employee. If your performance evaluation has nothing to do with your career, then these objectives are just objectives the company wants you to accomplish and have nothing to do with your own aspirations or career goals. I think this devalues the performance evaluation for the employee, as it only benefits the employer, or is more one-sided toward achieving the goals of the company with no consideration of the employee's aspirations or goals.

For myself, I feel I have a relationship with the company, and that relationship is dynamic, constantly changing and adjusting to the environment, to the goals and situations of the company, and to the goals and situations of the individual. Like all relationships, there has to be some mutually agreed upon benefit for all parties for the relationship to work. Over the last two years, I have specifically managed my own objectives to improve my career. If someone is looking to improve their career in some way, get a promotion, or obtain an opportunity in a new area, it makes sense to align your performance objectives with that goal. When you apply for a new opportunity, at some point in an interview, they will probably ask you what you have done that you feel makes you a good candidate for the position you are applying for. They will be selecting you partially based on these criteria. I know people in my company and outside my company who have used their performance evaluation to do exactly this, and it was effective.

While I logically understand how your evaluation of the past year or six months has nothing to do with your career goals or aspirations, I find it difficult to accept that setting measurable objectives for the next six months to a year has nothing to do with an employee's career goals. If that is true, then I guess companies don't consider your past performance evaluations when you apply for a new position, as they are not connected?

I am no expert in this field of human resources, but I need to research this concept more. I want to understand whether this is limited to my company, to certain types of companies, or is some general human resources concept I have just never been aware of. Regardless, if this separation is true, then I think companies have an obligation to provide an avenue for career development that is as accountable and measurable as performance evaluations are. I do not understand the complete separation of performance evaluations and career goals. To me, they are related. When I have conducted performance reviews, the career goals of the employee usually come up. It is natural, and it makes complete sense to me that they would come up. As an effective manager, I feel you have to address this if you hope to have a good relationship with your employees.

Categories: Leadership and Management

The Future of the Security Industry

September 16th, 2009 Clear2Go

Bruce Schneier did a talk in August on The Future of the Security Industry. You can watch the talk here. He discusses why selling security is hard, why buyers and sellers do not understand each other, "Best Practice" being a herd mentality, why humans buy stuff, and how I.T. is really infrastructure and will eventually end up treated as a utility. My favorite part was his discussion of Prospect Theory and how it relates to the decisions businesses and humans make when considering security. This is not a technical talk, so anyone with an interest in security from a business or end-user point of view will get value from listening to it.

Categories: Human Behaviour, Security

Tracking with Local Shared Objects (LSO)

September 15th, 2009 Clear2Go

[Image: Adobe Flash logo]

There has been lots of discussion lately about Flash websites using Local Shared Objects (LSO) to track users' selections, browsing habits, and other information. One of the advantages for websites has been that, until now, LSOs have not been well known. From my basic searching, they have been around since at least 2004 and probably earlier. A user may configure their browser to remove or delete all 'cookies', but LSOs stay. According to some, many of the top websites use them.

I tried a little experiment to see how LSOs are stored. The directory in which they are stored varies depending upon your operating system. I use Linux as my primary O/S. The default directory for LSOs is ~/.macromedia/Flash_Player.

[Image: clean ~/.macromedia/Flash_Player directory]

Under 'Flash_Player' there are two directories, and under each of these are the security configuration and the binary installer for the Flash Air application. Nothing interesting. Next, I started Firefox, went to youtube.com and selected a video. After the video completed, I took another look at the ~/.macromedia/Flash_Player directory.

[Image: ~/.macromedia/Flash_Player directory after visiting YouTube, 1 of 2]

Under ~/.macromedia/Flash_Player we now have two new directories, macromedia.com and #SharedObjects. If we descend into the macromedia.com directory, we find three nested single directories called support, flashplayer, and sys respectively. Under the 'sys' directory we find a binary file called settings.sol and a subdirectory called #s.ytimg.com, a domain owned by Google. The #s.ytimg.com directory contains a separate, binary settings.sol.

[Image: ~/.macromedia/Flash_Player directory after visiting YouTube, 2 of 2]

Under the #SharedObjects directory there is a single oddly named directory, '3BJH4AW6', then a directory for the website 's.ytimg.com', a domain owned by Google. Below this are two files, videostats.sol and soundData.sol, both containing binary data.

I haven't investigated the format or contents of the .sol files, but that is obviously where the metadata is stored. I may try to investigate the format, or see if anyone else has already figured it out, as I am curious. The bigger question in my mind is how one properly erases this data. There is a Firefox add-on called BetterPrivacy which will do just that. It can be configured to delete LSOs on request or to remove all LSOs when you shut down Firefox. I installed BetterPrivacy and tried it. Sure enough, upon shutting down Firefox I was greeted with this window:

[Image: BetterPrivacy confirmation dialog]

Selecting OK put my ~/.macromedia/Flash_Player directory back to its original state, with no LSOs or website directories present. For the normal user that should suffice. However, these are files, and they have only been deleted. Most people should know that deleted files are typically still recoverable these days. File systems such as NTFS (Windows) and ext2/ext3 (*nix) can all have deleted files recovered. ext3 is a journaling file system and the default file system installed on most *nix platforms today. Without getting into the details in this post, this effectively means that even if you wipe a file it can potentially still be recovered.

If you carry around sensitive information on your laptop, I recommend you create an encrypted volume on your hard drive using a package such as TrueCrypt or PGP. In the case of my system, I formatted the encrypted file system as ext2. This means there is no journaling. This has the disadvantage of being less 'recoverable', but it has the advantage that if you wipe a file with 'wipe', 'shred' or some other wiping software it is unlikely to be recovered. Next, I point my ~/.macromedia directory to the encrypted file system.

[Image: dot-directories symlinked to the encrypted filesystem]

You can see the ~/mndData file, which is the TrueCrypt filesystem. ~/.macromedia is symbolically linked to the encrypted filesystem. For those interested, you can see that my Evolution (~/.evolution), Google Desktop (~/.google), Firefox cache and bookmarks (~/.mozilla), IM client (~/.purple) and Skype (~/.Skype) all write to the encrypted file system. You have to be able to mount ~/mndData to get at any of the email, browser cache, bookmarks, IM conversations and now LSOs. It isn't foolproof, but it offers another layer of protection so that client data remains unviewable in the event of my laptop being stolen.
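As an added example, not part of the original post, here is a small POSIX shell script that does the two things described above: it inventories the .sol files under a Flash_Player directory by the directory that holds them (the per-site LSOs), and it relocates a dot-directory such as ~/.macromedia onto an already-mounted encrypted volume, leaving a symlink behind at the original path. The mount path is an assumption; substitute wherever your TrueCrypt or PGP volume is mounted.

```shell
#!/bin/sh
# Added example: inventory Flash LSOs and relocate a dot-directory onto an
# encrypted mount. The mount point passed in is assumed to be already mounted.

# Print one line per .sol file below the given Flash_Player directory as
# "<holding directory> <path>". Site LSOs live in a directory named after the
# site (e.g. s.ytimg.com); a settings.sol held directly by 'sys' is the
# player's global settings rather than a site's data.
lso_inventory() {
    fp="$1"
    [ -d "$fp" ] || return 1
    find "$fp" -type f -name '*.sol' | while IFS= read -r f; do
        printf '%s %s\n' "$(basename "$(dirname "$f")")" "$f"
    done
}

# Distinct holding directories, one per line, sorted. This is the quick
# "which sites left LSOs behind" check to run before and after a cleanup.
lso_domains() {
    lso_inventory "$1" | awk '{print $1}' | sort -u
}

# Move a dot-directory (e.g. "$HOME/.macromedia") under the mounted encrypted
# volume and leave a symlink at the original path so the application keeps
# writing to its default location, which now resolves onto the volume.
relocate_to_mount() {
    src="$1"; mnt="$2"
    [ -d "$mnt" ] || return 1            # refuse if the volume is not mounted
    name=$(basename "$src")
    if [ -L "$src" ]; then
        return 0                         # already relocated, nothing to do
    fi
    if [ -d "$src" ]; then
        mv "$src" "$mnt/$name" || return 1
    else
        mkdir -p "$mnt/$name"            # nothing to move yet; create target
    fi
    ln -s "$mnt/$name" "$src"
}
```

Run `lso_domains "$HOME/.macromedia/Flash_Player"` after a browsing session to see which sites stored LSOs, and `relocate_to_mount "$HOME/.macromedia" /path/to/encrypted/mount` once, with Firefox closed, to move the directory.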

Splat Fest 2009

September 13th, 2009 Clear2Go

This post is not security-related or technical.

[Image: McCully's Hill Farm]

Today we attended the first annual Splat Fest. The festival was on the McCully's farm in St. Mary's, Ontario. It was Sunday, it was something to do, and it seemed interesting. It featured locally produced heirloom tomatoes. I found them to be really good, and the different tomatoes had quite different tastes and textures. It is interesting what you don't know when your main source of food is a Loblaws or other superstore. I need to find the time to visit more of these farms and purchase food directly. I don't even mind paying a little more given the difference in taste and selection.

Our daughter brought a friend of hers along. There was a corn maze, horse rides, bunnies to hold, goats to feed, and tomato throwing at a target. There is also a store that smelled wonderful. I purchased two home-made pies. For the first Splat Fest it was done well. I look forward to next year.

Categories: musings

Security of a blog

September 7th, 2009 Clear2Go

http://www.flickr.com/photos/aquilaonline/1852750301/

Post written by Matt (who has a great URL I might add) on the security of your blog.

Where worms of old would do childish things like defacing your site, the new ones are silent and invisible …

He discusses a recent worm affecting WordPress software and how it works, at a level that anyone can understand regardless of background. I think this is important given that most people who use a blog are not security experts, yet they are at risk. He also discusses the difference between a "known quantity of work" (doing an upgrade) and an "unknown quantity of work" (fixing a security breach on your blog).

Most importantly, though, it is a good article for understanding security in general, even if you are not technical. His logic applies to any blog, and his analogy of how malware works today applies to security in general.

Categories: exploits/vulnerabilities