April 2014 Archives

Having watched recent events unfold, I'm beginning to wonder what effect employment contracts are having on how companies and their employees respond to catastrophic reputation-loss events. A certain well known open-source company is undergoing this right now, which is why I'm thinking about it. Because they're big enough to have had lawyers go over their employment agreements for more than just intellectual property clauses, I'm guessing it's also picked up a few other goodies along the way.

The Setup

  1. $Company does something.
  2. $Activists say, "Hey, that's bullshit."
  3. $Supporters say, "Dude, not cool."
  4. $Defenders say, "Hey, no biggie, eh?"

Steps 2-4 can happen in 30 minutes these days. At this point the news is still expanding. But now the interesting things start to happen. As the $Defenders and $Supporters+$Activists start hammering on each other in social media the ranks of both camps increase and at some point, somewhere a subset of $Employee chimes in and after a while maybe $Company.Officer actually gives an official statement. By now the shit-storm is well and truly engaged.

Free Speech Means Freedom From Arrest (but not binding contracts between private parties)

Bloggers like me have known for over a decade now that mouthing off about one's employer is a great way to get fired. Some companies actually have clauses in their employment contracts that read, in effect:

You will only talk about the $Company in glowing terms. Or else.

The language is actually written like, "under no circumstances will you do or say anything that will reflect negatively on the company," but this works for now. This is called a non-disparagement clause, and is perfectly legal. What's more, it's common practice to use severance agreements to bind outgoing employees to those same clauses (if they weren't already bound by the employment agreement) in perpetuity to ensure that the now-ex employee doesn't mouth off about their old employer; less of a risk for voluntary departures, more of one for involuntary ones.

Your free speech has a price. Maybe it's $10K. Or $20K. $30K? $30K and 4 months health-insurance coverage to carry you to your next position? Okay, $75K, 5 months, and 10K shares of preferred stock. Have a nice life.

Shit-storm Meteorology

So you're in the $Activist+$Supporter camp and $Company is being strangely silent on the topic of what bonehead thing they did. The only people from the company talking about the thing are firmly in the $Defender camp, which only cements your opinion that they're just not getting it and are hopelessly out of touch.

What if you're a $Supporter that is also $Employee? If you have a non-disparagement agreement in your contract voicing that opinion is to risk your job and future employability. Unless you're also in $Company.Officer, speaking up is a very bad idea no matter how loudly the $Activists are crying for redress (in fact, speaking up even if you're a $Defender is a bad idea, but it's less likely to pothole your career-path). The Cyclone of Suck accelerates.

Stopping the Cyclone

It is possible to avoid the cyclone, or at least minimize it. It requires a fast response from $Corporate.Officer in a way that even the $Activists can recognize as meaningful. This is a hard step to take since it usually requires admitting fault (and thus, liability) which is why the first statement is almost always something like...

There there, we're not evil. We promise. We do good things too.

...and is lambasted by the $Activists as not addressing the problem. This is likely to accelerate the cyclone, not spin it down.

Another way to slow it down requires hard choices made by $Supporters who are also $Employees, by voluntarily severing employment due to whatever happened, refusing a severance agreement (and thus accept a period of no pay-check or even unemployment benefits), and saying why they left. It works better if more than one make this grand flounce.

This is just a theory of mine for how "never trash-talk your employer" clauses intersect with online debate. When I see people getting ever louder in indignation that some company or organization is remaining silent on some contentious topic, I do wonder if that's because the very people who would give the desired response have been preemptively legally gagged.

The number one piece of password advice is:

Only memorize a single complex password, use a password manager for everything else.

Gone is the time when you can plan on memorizing complex strings of characters using shift keys, letter substitution and all of that. The threats surrounding passwords, and the sheer number of things that require them, mean that human fragility is security's greatest enemy. The use of prosthetic memory is now required.

It could be a notebook you keep with you everywhere you go.
It could be a text file on a USB stick you carry around.
It could be a text file you keep in Dropbox and reference on all of your devices.
It could be an actual password manager like 1Password or LastPass that installs in all of your browsers.

There are certain accounts that act as keys to other accounts. The first account you need to protect like Fort Knox is the email accounts that receive activation-messages for everything else you use, since that vector can be used to gain access to those other accounts through the 'Forgotten Password' links.


The second account you need to protect like Fort Knox are the identity services used by other sites so they don't have to bother with user account management, that would be all those "Log in with Twitter/Facebook/Google/Yahoo/Wordpress" buttons you see everywhere.


The problem with prosthetic memory is that to beat out memorization it needs to be everywhere you ever need to log into anything. Your laptop, phone and tablet all can use the same manager, but the same isn't true of going to a friend's house and getting on their living-room machine to log into Hulu-Plus real quick since you have an account, they don't, but they have the awesome AV setup.

It's a hard problem. Your brain is always there, it's hard to beat that for convenience. But it's time to offload that particular bit of memorization to something else; your digital life and reputation depends on it.

The different kinds of money

Joseph Kern posted this gem to Twitter yesterday.


It's one of those things I never thought about since I kind of instinctively learned what it is, but I'm sure there are those out there who don't know the difference between a Capital Expenditure and an Operational Expenditure, and what that means when it comes time to convince the fiduciary Powers That Be to fork over money to upgrade/install something that there is a crying need for.

Capital Expenditures

In short, these are (usually) one-time payments for things you buy once:

  • Server hardware.
  • Large storage arrays.
  • Perpetual licenses.
  • HVAC units.
  • UPS systems (but not batteries, see below).

Operational Expenditure

These are things that come with an ongoing cost of some kind. Could be monthly, could be annual.

  • Your AWS bill.
  • The Power Company bill for your datacenter.
  • Salaries and benefits for staff.
  • Consumables for your hardware (UPS batteries, disk-drives)
  • Support contract costs.
  • Annual renewal licenses.

Savy vendors have figured out a fundamental truth to budgeting:

OpEx ends up in the 'base-budget' and doesn't have to be justified every year, so is easier to sell.
CapEx has to be fought for every time you go to the well.

This is part of why perpetual licenses are going away.

But you, the sysadmin with a major problem on your hands, have found a solution for it. It is expensive, which means you need to get approval before you go buy it. It is very important that you know how your organization views these two expense categories. Once you know that, you can vet solutions for their likelihood of acceptance by cost-sensitive upper management. Different companies handle things differently.

Take a scrappy, bootstrapped startup. This is a company that does not have a deep bank-account, likely lives month to month on revenue, and a few bad months in a row can be really bad news. This is a company that is very sensitive to costs right now. Large purchases can be planned for and saved for (just like you do with cars). Increases in OpEx can make a month in the black become one in the red, and we all know what happens after too many red months. For companies like these, pitch towards CapEx. A few very good months means more cash, cash that can be spread on infrastructure upgrades.

Take a VC fueled startup. They have a large pile of money somewhere and are living off of it until they can reach profitability. Stable OpEx means calculating runway is easier, something investors and prospective employees like to know. Increased non-people CapEx means more assets to dissolve when the startup goes bust (as most do). OpEx (that AWS bill) is an easier pitch.

Take a civil-service job much like one of my old ones. This is big and plugged into the public finance system. CapEx costs over a certain line go before review (or worse, an RFC process), and really big ones may have to go before law-makers for approval. Departmental budget managers know many ways to... massage... things to get projects approved with minimal overhead. One of those ways is increasing OpEx, which becomes part of the annually approved budget. OpEx is treated differently than CapEx, and is often a lot easier to get approved... so long as costs are predictable 12 months in advance.