2017: Year in Review

What a year! I can't even begin to remember everything that happened, but here are some highlights and lowlights.

Highlights 

• After 20 years, I left Sun/Oracle and joined Intel as a Director of Software Engineering of Security Solutions Enablement for Data Center.  A long title that means my team works on security related projects, like Open Security Controller, that enable security on the Data Center. 
• I worked at Intel 21 years before, as an intern in their Folsom Engineering Services group (as an admin for Win 3.1, WinNT, Win95, AIX, Irix, SunOS and Solaris).  It was oddly like like putting on a comfortable pair of shoes coming back, but at the same time a very different company. A much faster moving place, a more inclusive place and more inventive place.
• My team has released two versions of Open Security Controller (0.6 and 0.8) this year! (like I said, fast moving!)
• I was appointed to the City of Mountain View's Bicycle/Pedestrian Advisory Committee, where I get to advise the City Council on such things like: transit projects, walk-ability of new building projects, how to improve dangerous and deadly intersections, and where to spend budget to improve biking and walking.  It's pretty fun! The committee definitely has diverse opinions and I have found the last twelve months on the committee to be quite a learning experience.
• I demonstrated, with my Oracle team, PKCS#11 and KMIP on Solaris at the RSA Conference Expo in San Francisco in February 2017.
• I read 24 books, covering 7,937 pages.
• I recorded the narration for 8 audio books for Learning Ally. These books are for the blind and others with reading disabilities.
• I did a police ride-a-long with the Mountain View Police Department! I was amazed at the officers compassion, how well they treated the citizens and how they were quick to de-escalate a situation.  I watched an officer arrest a man who had been drinking "since the early morning" and then brandished a knife at another man at Walmart. The man was belligerent when first approached, yelling and gesticulating.  The officer used calm tones, did a quick and calm search, secured the gentleman and proceeded with his investigation. I watched a situation go from tense to calm in a heartbeat. Yes, I used the word calm repeatedly - but that is the best way to describe what the officer did.
• I was on the Crypto Review Board for BlackHat USA, and got to attend!!
• Additionally, I was on the program review boards for International Cryptographic Module Conference (ICMC) and GreHack!
• I presented on PKCS#11 version 3.0 at ICMC.
• I became secretary of the PKCS#11 technical committee, a role change from co-chair.
• I reviewed scholarship applications for Learning Ally Scholars - every one of the students was incredible!
• My husband and I celebrated 10 years of marriage in Sausalito, CA.
• I saw all of my siblings and my parents this year! Most more than once! I didn't see enough of my nieces and nephews, though...  
• I did a few more Murder Mysteries, did photography for a couple of shows, and sang with the Lyric Victorian Carolers.
• Overall, I volunteered more than 179 hours.
• I went skiing!
• I stayed alive!

Lowlights

• I lost my uncle, Dan Bubb, my Dad's brother, to pneumonia.
• My dear friend Elisa was diagnosed with breast cancer in October and Comcast let her husband go from his job (along with the rest of his division) in December - just before Christmas.  Her battle continues, please consider donating.
• I suffered a major health crisis myself - on my first day of work at Intel, where I learned another highlight: Intel is a compassionate company, they were there when I needed them and helped me to get back on my feet and hit the ground running in my new role!  And, I didn't die :)

Any lowlights or highlights for you?

Here's to 2018!

Oracle: Oracle Open Allies, a PFLAG Panel

A panel discussion with PFLAG members: Formerly Parents, Families, and Friends of Lesbians and Gays

Panelists:

Mitzi Henderson, Past National PFLAG President 

Rosemary Malvey, PFLAG Speaker's Bureau (Parent)

Joyce Miller, Straight Spouse Support Group

Windsor Smith, PFLAG San Jose Vice President

Moderated by Cynthia Chin-Lee, OPEN Ally team lead

The event is hosted by Oracle's OPEN group (Oracle Pride Employee Network), a resource for gay, lesbian, transgender, queer and questioning employees.

Cynthia Chin-Lee published a book about Prop 8 called Operation Marriage five years ago, which was since made into a movie! 

Having allies is important, and Oracle is a big ally for their employees. In some US states, you can still be fired for being a homosexual, in some countries you can be killed.

Mitzi Henderson was distressed when she discovered that her church, and other churches, would not provide pastoral services around gay and lesbian issues, which drove her to get involved with PFLAG.

Joyce Miller is a retired nurse and grief counselor, she is a member of the straight spouse support group. Some people were celebrating their gay and lesbian children, but discovered it wasn't always a shared emotion across both parents, which inspired her to get involved in the straight spouse group.

Rosemary Malvey volunteers for Mission Hospice, 12 step programs, and PLFAG. When her son came out to her, she was full of supportive words, but she was full of trepidition about his health, job prospects and safety.  

Windsor Smith attended the Robert E. Lee high school (home of the rebels), and later came out to all of his family and friends in one fell swoop, and quickly learned about various support groups.

Mitzi recalls a terrible story about a gay man arrested in NYC that was arrested and beaten by police just before the gay pride parade, so his mother marched in the parade with a sign asking parents to support their gay children.  She started a support group in NYC, then reached out to other groups and formed a national organization, PFLAG.  They wanted rules that the groups could not be exclusive - ie only for one religion, only for people with gay sons, etc.  It's important for parents to be proud of their children, no matter what their sexual orientation is.

Mitzi had a chance to go to congress to testify on the national issues facing their children to subcommittees in congress. Other research showed that many states had even more restrictive laws than the federal government., and PLFAG is trying to work on this.

When Joyce's son came out to her, when he had finished college and was living abroad, he was very careful to right away to tell her that it was nothing she had done and that it had nothing to do with her recent divorce from his father.  She was concerned about AIDS, at that time it was an out of control epidemic.  She found a lot of support from the other parents in PFLAG. She had been sending her son packages full of pamphlets about AIDS, but she found out that was not going to help her continue to build her relationship with her son.  Her son is now 55 years old and recently married to his partner of 15 years.

Joyce used to handle the hotline phone line for PFLAG for the Bay Area.  She had been getting calls from people who had discovered their husband or wife was actually gay or lesbian.  The straight spouse goes through very different issues than a parent of a gay or lesbian child.  The straight spouse support group doesn't have many "long timers" as it were, as they get their needed healing, they can move on.

Rosemary Malvey has been a PFLAG member for nearly 20 years - she had never heard of PFLAG until she needed PFLAG.   When her son came out to her, he did it by telling her that he was in love and happier than he's ever been.  She was happy he shared this with her, and was very supportive while she was visiting him.  But, after she left, she cried the entire flight home. She worried about her son suffering for his sexual orientation both socially and in his career.  Fortunately, a friend pointed her to PFLAG and told her "it's no big deal" and to get over it.

Rosemary's daughter didn't realize she was a lesbian until she was 35!  Finally, many pieces of her life have fallen into place, and she was finally happy!

Windsor Smith likes being involved with PFLAG and wants people know that they also welcome gay, lesbian and transgender members - not only parents.

A question from the audience: is there a place for siblings to go for support? Resounding answer: PGLAG! Open to all.

A great question about pronouns if your child comes out as transgender. There are many clever pronouns, like "they" in the singular sense, and many other options (zhe/zer/etc). But, the best way is to ask what pronouns the individual prefers.  Some people, including Windsor, put their preferred pronouns in their email signature.

Another question about differing cultural issues - coming out in a conservative culture (religion, ethnicity, etc). If your parents cannot accept you or come to PFLAG, Rosemary still encourages you to go to PFLAG yourself and find a surrogate accepting parent.

PFLAG is a great place to find allies of all sorts. Many of our loved ones are biased, and it's good to challenge them when you can and know you can find an ally.

For younger folks, most junior highs, high schools and colleges have support groups specifically for youths.

At the end of the day, PFLAG is an excellent resource for parents and anyone with questions. If they aren't the right place, they will likely know the direction to point you.

This event was additionally put on to raise money for Equity Florida, the group that has helped many victims of the Orlando shooting.  If you can, please consider donating.

Remembering Roger Faulkner, UNIX Legend

Roger Faulkner, UNIX engineer since 1976, SunOS/Solaris developer since 1990, creator of /procfs, passed away this past weekend.

 

Photo by Sherry Q. Moore, 2010. 

Roger Faulkner, or raf as his co-workers knew him, was intelligent and had no patience for fools. He was always happy to share history of UNIX, libc, /proc or any other kernel internals, or his opinion on how things should continue to be improved. If you broke the gate in any way shape or form, he'd let you know within a few hours - and if you blocked his project with this breakage, he would not hesitate to let everyone know. He was an amazing colleague with a wry sense of humor and will be missed.   Most folks remember him as that really smart guy that was tough on the outside and sweet, gentle and kind on the inside.  (and seeing that sweet inside wasn't so hard :-)

Roger did not care how senior the engineer (or management) was - he would not let them get away with things that would hurt UNIX or Solaris. He was also always willing to answer questions, do a code review, or help debug an interesting kernel dump. I learned a great deal from him - how to be a good engineer, how to do an excellent root cause analysis, how to know when a bug is really, truly fixed. 

UPDATE July 7, 2016: Obituary is posted here online.  There is a tribute page there as well, where you can leave notes for his family and friends.

UPDATE: July 12, 2016: USENIX Memoriam, and release of Roger's paper on /proc.

UPDATE: July 20, 2016: Roger's Memorial will be livestreamed Saturday 7-23-16, 1p EDT/10a PST/6p BDT.   Streaming will begin 30 mins prior to the memorial service. Youtube channel memorial broadcast:  Memorial Service.

Photos of Roger and the infamous Roger T-Shirt can be found on Flickr. 

Roger's more extensive bio, courtesy of his manager, Rob Stephens:

Roger grew up in North Carolina and earned a BS in Physics from North Carolina State University in 1963 and a PhD in Physics from Princeton University in 1968. He became involved with UNIX in 1976 when he helped set up and enhance a UNIX service at Bell Labs, Naperville, IL. Roger returned to Bell Labs, Murray Hill, NJ, in 1979 where he continued to work on UNIX development for two years. He moved to New York City in 1981 to do something entirely different for four years, but he couldn't stay away from UNIX. Roger worked at Unix Systems Laboratory 1986-1988 attempting to develop an application debugger for System V Release 3. The result was the first /proc file system for System V and the truss(1) utility for tracing/displaying application-level system calls.

Roger joined Sun Microsystems in 1990 to work on the merge of AT&T's SVr3 and SunOS4.x to create UNIX SVr4 (a.k.a. Solaris 2.0 at Sun). He then concerned himself with the definition, exposure, and maintenance of the Solaris/UNIX process model, with emphasis on visibility into and support for debugging application programs:

From 1990-1993 he extended the ioctl-based /proc interface from being a single-threaded process model to being a multi-threaded process model with lightweight processes within the traditional process.

Photo by Sherry Q. Moore, 2010

In Solaris 2.6 (1995-1996) Roger created the structured /proc file system, with each entry under /proc being a directory rather than a file, each pid directory under /proc containing individual files and other directories reflecting the full process model for both inspection and control. Programming interfaces defined by the proc(4) manual pages.

In Solaris 8 (1997-1998) Roger created the alternate libthread as a better support library for multi-threading. It is a one-to-one thread/lwp interface rather than the old N-to-M thread/lwp interface implemented in the original Solaris libthread. The alternate libthread become the only threading library in Solaris 9.

In Solaris 10 Roger created the unified process model in which all threading support is folded into libc. All processes became multi-threaded, in principle, eliminating the confusion of having three separate process models as was the case previously. Eliminated static linking of the system libraries; all processes are dynamically linked.

Roger then implemented system changes to enable Solaris 11 to conform to the latest POSIX standard (UNIX V7).

[Solaris 12 work redacted, but let it be known, he's done a lot.]

Roger also lent his expertise to countless Solaris projects and was generous with his time and knowledge as he helped many engineers develop their own expertise about all things UNIX. Roger's dry sense of humor, his chuckle, his irreverence for management, his passion for UNIX, and his inspiration will be missed by everyone who had the privilege to work with him.  Please feel free to share this as it is impossible to include everyone Roger worked with over his many years.

I think Sherry Q. Moore really summed him up in her Facebook post:

 What I learned from Roger:
- You can be brilliant and kind.
- "If you don't have time to do it right, when will you have time to do it over?"
- You can be creative and productive for as long as you want.
- "When you are about to do a putback, if your heart is not pounding, palms not sweating, you shouldn't be doing this (be a kernel engineer) any more."

Meem (Peter Memishian) shared the following (Note: the below source comment can be viewed freely online in context):

Indeed.  Today I lost one of my professional heroes.  As those on PSARC
well know, Roger cast a shadow far beyond his truly immense technical
contributions to UNIX (and Solaris in particular).  His curmudgeonly
outwardness belied a remarkably gentle and caring internal character.
Despite having forgotten more about UNIX than most of us could ever know,
he was as grounded as they come, with a unique style that left indelible
memories on so many of us, and altered the DNA of our engineering culture.

Speaking personally, I've always admired those who prioritize doing over
talking.  Roger was one who quietly moved mountains -- as Bryan captured
in the approval of Roger's RTI which put the final nail in the coffin of
the M-to-N threading model:

  http://dtrace.org/resources/bmc/rti.txt  

And of course, Roger wasn't afraid to speak his mind when necessary --
as captured in this gem above cv_wait_stop():

 /*
  * Same as cv_wait(), but wakes up (after wakeup_time milliseconds) to check
  * for requests to stop, like cv_wait_sig() but without dealing with signals.
  * This is a horrible kludge.  It is evil.  It is vile.  It is swill.
  * If your code has to call this function then your code is the same.
  */

Finally, I'd like to share this mail from many moons ago on the history of
the name "truss", which embodied the soul that he infused into his work.

 | From: "Roger A. Faulkner" <Roger.Faulkner@Eng>
 | To: meem@Eng
 | Subject: Re: curiosity: truss?
 | Date: Wed, 27 Jan 1999 23:34:47 -0800 (PST)
 |
 | For your edification, this is the geneaology of the name "truss"
 | (taken from some mail dated Sep 26, 1988)
 | This was when Ron Gomes and I were jointly developing the first
 | /proc for SVR4 at USL.
 | -----------------------------------------------------------------
 |
 | We considered, and discarded, several alternative names for truss(1),
 | including "trace", before settling on "truss".  The objection to
 | "trace" is that it's too generic a term and shouldn't be co-opted
 | for a specific use like this; there are lots of other things that
 | one might trace.  Among the alternate names we considered were:
 | "ptrace"  (but this incorrectly implies a connection with ptrace(2)),
 | "strace"  (but this is already used for some streams tracing thing),
 | "tss"     for "trace syscalls and signals" (but this is certainly bad),
 | "sst"     a permutation of "tss" (but this implies it's blinding fast),
 | "trss"    another variation of "tss" (but this is unpronouncable).
 | Adding the obvious vowel gave us "truss", which can be construed
 | to mean "TRace Unix Syscalls and Signals".
 |  
 | "truss" seems to have the right combination of mnemonic value
 | and disrespect for authority ("If your program doesn't work, put
 | it in a truss.")  It conjures up a mental image which is fairly
 | accurate, considering what the program does.

Rest in Peace, Roger.  May all your RTIs be promptly approved. 

Tim Foster did an in memoriam integration into the ON gate for Roger. He will live in Solaris forevermore.

Below are some tweets I saw passing by.... Please share your own thoughts below, or send to me and I will share them here.

Do you have any memories of raf? Please share in the comments or in your own space.

We are collecting pictures for his family and friends in the Roger Flickr group. Please add your own there.

Don't worry Roger, someone will approve your RTI.

Pride: Oracle Santa Clara Campus

 

I had a big post planned for earlier this month. How I had read in the Mountain View Voice, my town's local paper, that the city council was arguing about whether or not the city should fly the rainbow flag for one day in June.  How silly I thought that was and how proud I was that Oracle, and Sun before, has flown the pride flag annually for the entire month of June.

Then Orlando happened.

I didn't know what to say anymore.

So, here is the picture. 

The flag is still flying today.

More pictures of the Oracle Santa Clara campus can be found on my flikr page.

No more hate, y'all, okay?  thanks.

OWL: Bias in the Workplace

Professor Joan C. Williams, Hastings Foundation Chair; Director, Center for WorkLife Law; University of California, Hastings College of the Law.

I had read Joan's book - What Works for Women at Work - and LOVED it, so I was so happy to see Oracle brought her onsite! Her book was well researched and science based, and gives lots of great everyday strategies for women in today's workplace.

She interviewed more than 100 successful women, and did additional research. Ninety-six percent of all women interviewed had experienced  at least one type of bias at work.

She wrote an article for Harvard Business Review, "Why We Hate Our Offices: And how to build a workspace that you can love".

The first type of bias is "Prove it Again!" syndrome, experienced by 68% of the business women and scientists she interviewed.

One gentleman she interviewed had transitioned from being a woman, and stayed in the same field of science. He overheard people, who were confused about who the female was with the same last name, that "his work s so much better than his sister's". He doesn't have a sister - that was his work, published when he was a man.

There is the "stolen idea" syndrome - you expect great ideas to come from men, so don't hear it when it comes from a woman.

Women's and men's mistakes are remembered differently, and many of these same biases also apply across racial lines. For example, people were asked to review a legal memo - the same memo, with the same errors - but when reviewers thought they were reviewing a document by a black man - they found more errors.

What's the most important factor in determining networks?  Similarity, attractiveness and location.

How does this play out in the workplace? In an org where people on top are a certain demographic, they are going to sponsor people who are like them (A sponsor is a mentor that is willing to spend their political capital to help their mentee's career).  Men tend to be judged on their potential, women on their results. This gets them stuck in the "prove it again" loop.

Women of color trigger two sets of negative stereotypes: gender and race.

When they interviewed scientists they were surprised that women of Asian descent reported the "prove it again" strategy more often then white women, even though we thought their was a stereotype that Asians were good at science. Apparently the women in this group were exempt from that positive stereotype.

So, how to get out of it? Well, prove it again - but try not to burn out. Keep careful, real-time records that track your accomplishments.  When you get compliments? Forward the email to your sponsor and manager.

How can manager's level the playing field for women?  Look around - who are you sponsoring. Is there a certain patter? do you need to widen out the group.  Male managers sometimes worry that taking a woman out to lunch or coffee would look "weird" - it doesn't. If you would do it with the men you were sponsoring, then it should be appropriate for women. Now, if you do a lot of your bonding in the men's locker room... then you need to think about doing this in ways where it wouldn't matter if you were sponsoring a man or a woman (mentoring, etc0.

Imagine you are sitting in a meeting and you see the stolen idea occur. How do you intervene? Lot's of ideas, but saying something is better than nothing. Something like, "thanks, Paul, for going back to that, I've been pondering that ever since Pam brought it up"

What if you are sitting in a meeting and you see men being judged on their potential; women on their performance - how would you intervene? This happens a lot when it comes to promotions, women are often already doing the job before they get the promotion.  One idea for getting around this: suggest evaluating the engineers first by their accomplishments, then by potential. Another: Are we being consistent here?  Or, now that we know what we're looking for, let's go back to the top of the pile and re-review everyone.

Often the most savvy way to call out bias is not to mention that's what you're doing :-)

What works for organizational prove-it again: set up precommitment to what is important (for promotion, for example), and when someone varies from there they need to have justification.

Women are expected to be nice and communal - and nice. Men are expected to competent and "agentic" (assertive, direct, competitive and ambitious).  Nobody thinks of a strong leader as "nice", so women often aren't even considered for leadership positions.

This varies by culture - US/Canada and UK believe a leader should be independent, risk takers, direct and focus on tasks. It's opposite in India/China/Japan: Interdependent, certainty, indirect and have a focus on relationships.

Ben Barres, the transgendered scientist, noted that "by far, the biggest difference is people treat me with respect. I'm interrupted less" since becoming a man.

How you stand and sit telegraphs power or submission. To demonstrate authority, stand with feet apart - stable.

Ellen Pao was described as both as "passive, too quiet at meetings" and "entitled, demanding".

Women get pressure to be deferential or play the office mom - always deliver, but never threaten. Women are pressured to do the office housework: planning parties, getting gifts, note taking, scheduling meetings, mentoring, and do the undervalued work (paperwork, etc).

But, if you're stern or say no - you're not modest or nice. You become the "B" word.

As a women, you need to claim your seat at the table and practice power poses. You need to learn how to get a word in edgewise - learn how to politely interrupt: "Oh, I'm sorry, I thought you were done."

What works for one woman won't work for another. You need to be authentic, and no when to say no (and how!).

Managers - how to handle "office housework"?  Don't ask for volunteers - women will be  under gender stereotype to volunteer. Assign true admin and housework to admins or true support personnel.  Possibly, for things like minutes, do a rotation.

Spread the load and set norms. For example, everyone does one "citizenship task" - sitting on committees, and everyone does their own ordering, billing, etc.

There was a non peer reviewed study on performance evaluations. Men got specific feedback. Women got things like "bossy, abrasive, strident, aggressive, emotional, irrational" - very strong prescriptive gender bias.

Women also are impacted by maternity bias - mothers are 79% less likely to be hired, are held to higher standards for punctuality, offered lower starting salaries and promoted less.

Indisputably competent and committed mothers are seen as LESS likable, particularly by women.

Mothers are not offered stretch positions because people assume she's busy with kids. Managers: don't assume! If she's the best person, offer it - and let her know that similar positions will be available in the future if now is not a good time.

There is this false sense that only one woman can get promoted, get an award, etc - so they will compete with each other, instead of working together.

A study found that not one female legal secretary expressed preference to work with a female lawyer as a boss.  "Females are harder on their female assistants, more detail oriented, and they have to try harder to prove themselves, so they put that on you."

Older women in the workplace discourage younger mothers from working part time after maternity leave, because "I worked full time right away and my kids are fine". That is, "I did it the hard way, why can't you."

One study found that women without children work more unpaid hours of overtime than anyone else in the workplace, seen as a pathetic spinster - so why can't you work these hours?

To get organizational change: do a "4 patterns assessment" - is bias playing out in everyday work interactions? Then develop an objective metric to test whether what women think is happening is, and make adjustments.

Example: given the study of performance reviews, companies should be reviewing their reviews for this language and see if it's mentioning bias based negative personality traits? Look at objective metric: promotion rates.  Interrupt: have someone trained to spot bias read all performance evaluations (or use an app), and redesign evaluations and provide workshops for your managers.

We all have unconscious bias. This is usually not malicious. But if you are ignorant, who's fault is that? We need to be aware and take action to counteract it.

OWL: Understanding the Hidden Language of the Subsconcious

Oracle Women's Leadership group brought in Master Hypnotherapist/Three in One Behaviorist Dylan Rumley on June 18 to help us learn how to shift negative experiences into positive ones by harnessing the hidden language of the subconscious to our favor.

The evening started out with drinks and hors-d'oeuvres and networking with other women from Oracle. As it was held at our headquarters, I had the opportunity to meet many women I normally would never cross paths with. Everyone I talked to was so interesting, and friendly. A fantastic environment!

Dylan was an energetic and thoughtful speaker, who is focused on one goal: She wants to bring peace and calm to as many people as possible, using a whole brain approach, for adults and children.

Dylan spoke of her work with adults and children alike, and her discoveries she's made through her training and work with clients.  The brain loves to play! Without stress, learning can be easy for anyone. Think about how much fun you have and how relaxed you can become when looking through a kaleidoscope.

Dylan spoke of three brain states: the brain we know, the heart and brain together (coherence), and the psoas muscle. Wait, what? Yes, the psoas muscle - the one that many of us work on relaxing through yoga and tension release exercises.  Dylan believes all of these things should be used and taken care of to use your "whole brain".

There is a myth that some people are right brained and some are left, as we all need both hemispheres for executive functions and creativity. Sure, some people may find more inspiration from one side or the other - but if you can learn to use both, you can do more with your life.

Confusing, right? Let Iain McGilchrist explain it all to you:

Both hemispheres of our brain need to work together, but as we've evolved, the connections have been broken or shrunk.  The focus of the right hemisphere is broad, the left is narrow.

Dylan reminded us that it takes 21 days to change a pattern.  She had to remind her client, Wesley, as well. He came to her with extreme panic attacks when he tried to get on an airplane, bus or train. He was convinced that his claustrophobia was incurable. After exhausting doctors, medication and conventional therapists, he thought he had nothing to lose by seeing Dylan. She told him that if he could get himself into a true whole brain state, he would not be able to panic.

Dylan and Wesley worked together in an intense schedule for 21 days - and at the end of that 21 days, they got onto a plane together. Wesley was able to then fly across country to see his child's college graduation. :-)

One way to get your brain hemispheres to communicate more effectively is from doing cross patterning exercises.  Doing this helps the subconscious disconnect from your conscious and complete filing away emotions and events that are blocking you. It doesn't mean that you will forget these events, but that they will no longer stop you from moving forward with your life.

Dylan taught us a handful of cross patterning exercises and recommended we do them every day for 21 days - to create new brain habits.  All of these exercises involve keeping the body moving in some fashion (hands or eyes in the two we learned), which will help you from getting into the "freeze" mode in an uncomfortable situation.

Dylan additionally talked about the Behavior Barometer - how to manage your feeling words. For example, Anger is a really important emotion. When harnessed correctly, it can help you discover things.

She stressed how important it was for us to feel fully, or warned us that we could get stuck. Boy, that's happened to me before - playing conversations over and over in my head, re-reading emails, thinking about a car accident I witnessed, etc.

We need to work with our subconscious, get those emotions and events filed away properly so we can move forward.

Looking at the Behavior Barometer, find your emotion. Look up the definition of your emotion in the dictionary. Look up the meaning of its Latin roots. Truly understand what you are feeling.

Take the Resentment section, for example, and imagine your consciousness is feeling offended. Find the word in the same position under the subconscious section: ruined. See where that is leaving your body: no choice. Stuck.

If you can own your feelings ("Yes, I am offended"), then your subconscious can let go.  the subconscious loves completeness, so give it to your brain.  Don't ignore feelings, acknowledge them - but stay there for less time.

Dylan noted that our subconscious also loves to heal. To help move this process forward, she recommends guided imagery, meditation, and cross pattern activities.

She ended the evening by taking us through her 20 minute guided imagery meditation, called "The Theater". Dylan recommends listening to this as you fall asleep at night. I found I left very relaxed and happy - so maybe that means I need to start meditating again!

ICMC: Is Anybody Listening? Business Issues in Cryptographic Implementations?

Mary Ann Davidson, Chief Security Officer, Oracle Corporation

A tongue in cheek title... of course we're hoping nobody is listening!  While Ms. Davidson is not a lobbyist, she does spend time reading a lot of legislation - and tries not to pull out all of her hair.

There are business concerns around this legislation - we have to worry about how we comply, doing it right, etc.  Getting it right is very important at Oracle - that's why we don't let our engineers write their own crytpo [1] - we leverage known good cryptographic libraries.  Related to that, validations are critical to show we're doing this right. There should not be exceptions.

Security vulnerabilities... the last 6 months have been exhausting. What is going on?  We all are leveraging opensource we think is safe.

We would've loved if we could've said that we knew where all of our OpenSSL libraries were when we heard about Heartbleed. But, we didn't - it took us about 3 weeks to find them all! We all need to do better: better at tracking, better at awareness, better at getting the fixes out.

It could be worse - old source code doesn't go away, it just becomes unsupportable.  Nobody's customer wants to hear, "Sorry, we can't patch your system because that software is so old."

Most frustrating?  Everyone is too excited to tell the world about the vulnerability they found - it doesn't give vendors time to address this before EVERYONE knows how to attack the vulnerability. Please use responsible disclosure.

This isn't religion - this is a business problem! We need reliable and responsible disclosures. We need to have good patching processes in place in advance so we are prepared.We need our opensource code analyzed - don't assume there's "a thousand eyes" looking at it.

Ms. Davidson joked about her ethical hacking team. What does that mean? When they hack into our payroll system, they can only change her title - not her pay scale. How do you think she got to be CSO? ;-)

Customers are too hesitant to upgrade - but newer really is better! We are smarter now than we used to be, and sorry we just cannot patch you thousand year old system. We can't - you need to upgrade! The algorithms are better, the software is more secure - we've learned and you need to upgrade to reap those benefits.

But we need everyone to work with us - we cannot have software sitting in someone's queue for 6 months (or more) to get our validation done.  That diminishes our value of return - 6 months is a large chunk of a product's life cycle. Customers are stuck on these old versions of software, waiting for our new software to get its gold star. Six weeks? Sure - we can do that. Six months? No.

Ms. Davidson is not a lobbyist, but she's willing to go to Capital Hill to get more money for NIST. Time has real money value. How do we fix this?

What's a moral hazard? Think about the housing market - people were making bad investments, buying houses they couldn't afford to try to flip houses and it didn't work out. We rewarded those people, but not those who bought what they could afford (or didn't buy at all) - we rewarded their bad risk taking.

Can we talk with each other?  NIST says "poTAHto", NIAP says "poTAHto" - why aren't they talking?  FIPS 140-2 requires Common Criteria validations for the underlying OS for higher levels of validations - but NIAP said they don't want to do validations

We need consistency in order to do our jobs. Running around trying to satisfy the Nights Who Say Ni is not a good use of time.

And... The entropy of ... entropy requirements.  These are not specific, this is not "I know it when I see it". And why is NIAP getting into entropy business? That's the realm of NIST/FIPS.

Ms. Davidson ends with a modest proposal: Don't outsource your core mission.  Consultants are not neutral - and she's disturbed by all of the consultants she's seeing on The Hill.  They are not neutral - they will act in their own economic interest. How many times can they charge you for coming back and asking for clarification? Be aware of that.

She also requests that we promote the private-public partnership.  We need to figure out what the government is actually worried about - how is telling them the names of every individual that worked on code help with their mission? It's a great onus on business, and we're international companies - other countries won't like us sharing data about their citizens. Think about what we're trying to accomplish, and what is feasible for business to handle.

Finally, let's have "one security world order" - this is so much better than the Balkanization of security.  This ISO standard (ISO 19790) is a step in the right direction. Let's work together on the right solutions.

[1] Unless you're one of the teams at Oracle, like mine, who's job it is to write the cryptographic libraries for use by the rest of the organization. But even then, we do NOT invent our own algorithms. That would just be plain silly. 

Success! Team Salty Dawgs Do Marin!

We did it!  Mark, Mike and I completed the 100K Marin Century Route on Saturday, August 2.  Mike noticed at the last rest stop that the route was actually only 57 miles, so Mark and I added a 20 minute loop at the end of the ride to make sure we got our full 62 miles in.

Stats: Since April, I rode 900 miles, burned 36,204 calories and rode for 75 hours and 35 minutes to train for this 100K ride to raise money for the American Lung Association.

Results: I rode 62 miles, climbed 3830 feet, and burned 2360 calories in 6 hours and 15 minutes. (that includes time at rest stops).

Best results: I raised nearly $4500 for the American Lung Association of California, and Oracle will be chipping in about another $1500 in matching donation.  I have been overwhelmed with everyone's generosity.

Not bad for a woman who thought she'd never ride a bicycle again just 3 years ago!

The ride was fabulous, and the rest stops had the best food! They had all the standards: m&ms, nuts, chips, cookies, PB&J and Gatorade.  But then they had even more: focaccia bread, brie, strawberries, figs, beef jerky, peaches, grapes, cherries, coffee cake and more.

That really helped me avoid stomach cramps while I rode (more fruit, less heavy/fatty stuff).

The day started out cool and nice (and missing Mike, who started 38 minutes after us...)

Mark beat me to the Big Rock (he appears to be being very silly)

but I got there eventually...

We did see a little bit of sun and Mark warmed up enough to take off his arm warmers, though they came back on for some of the descents.

Mike did find us and ride with us for a lot of the ride - completing Team Salty Dawgs!

We were still grinning at the finish!

Photos courtesy of Captivating Sports and Event Photos!

I couldn't have done this with out the support of my friends and family, and without Mike and Mark.  Mark even pushed me a bit up the steepest climb - I think he was getting bored.

I felt like I could've easily done another 10 miles... with more training, maybe next year I can try 100 miles...

THANK YOU!!  Valerie

OASIS PKCS#11 v2.40 in final 15-day public review!

After starting work in February 2013, I am so excited that just 14 months later, our recently formed OASIS technical committee has our first standard revision under the OASIS banner out for final public review.

I am proud of the hard work everyone put forth into this new version of the standard, particularly so of our editors who all integrated changes and fixes with nary a complaint.

PKCS#11 v 2.40 is just what we need to move this cryptographic standard forward into the future.

I'm excited about the new work we're starting on the next revision already!

Check it out and let us know what you think.

Thank you!

Valerie, co-chair OASIS PKCS11 TC
[Update July 2014: Not sure why I said "Final"... some minor mistakes were found, we're cleaning them up and should have another review out shortly!]

Solaris 11.2: Security Blog Round Up

In case you missed it, last month we launched the Solaris 11.2 Beta! Now is your chance to download the OS and kick the tires and let us know what you think.

To help you catch up on what's out there in security, check out:

• Misaki Miyashita (aka Slayer of Engines) on the changes for OpenSSL for Solaris 11.2
• Dan Anderson on Verified Boot
• Casper Dik on Immutable Global Zones
• Darren Moffat on the Compliance Framework and /etc/system.d for kernel configurations
• Glenn Faden on Authenticated Rights Profiles and Qualified User Attributes

Enjoy!

Oracle Solaris Cryptographic Framework: Now Fully Validated!

It is with great pleasure that I can announce that Oracle has received our FIPS-140-2 certificates for the userland Solaris Cryptographic Framework as well!

I wrote in December about receiving our certificates for the kernel side.

These new certificates, certificate #2077 for Intel and SPARC64 processors and certificate #2076 for SPARC T4 and T5 processors, completes our story for FIPS-140-2 Level 1 validation for Solaris 11.1.

This was a long and difficult process, and I am very proud of the team of engineers, program managers, testers and documentation folks who made this all happen.

Solaris Kernel Cryptographic Framework is FIPS-140 Validated!

Great news - we've been rewarded for years of hard work!

NIST has awarded FIPS 140-2 certificate #2060 to the Oracle Solaris Kernel Cryptographic Framework with SPARC T4 and SPARC T5 (Software-Hybrid), and FIPS 140-2 certificate #2061 for the Oracle Solaris Kernel Cryptographic Framework (Software) module.

This is a big piece of our validation puzzle for Solaris 11 cryptography.

The validation was based on Solaris 11.1 SRU3 and SRU5 on a variety of hardware platforms.

Celebrating Ada Lovelace Day at Oracle

Lovely infographic including Ada Lovelace Day tweets from many Oracle team members - Enjoy!

PKCS 11 Technical Committee Face to Face

This week, Oracle hosted the OASIS PKCS 11 Technical Committee's face to face meeting on our Santa Clara campus.

It was a very productive two days, I believe we got through some of the final issues to the next revision of the standard (v2.40).  Work won't finish there, it seems, as all of the committee members are excited about what we can do in the future to make PKCS 11 an even more robust interface for providing cryptographic services to applications and utilities.

As most of you already know, Solaris's user level Cryptographic Framework is a PKCS 11 API, so we're very excited to see the standard progress and evolve.

As co-chair of the committee, I am so proud of everyone's hard work in dusting off the standard and doing the hard work necessary to quickly converge to get the next revision ready to go!

The standard moved from RSA to OASIS earlier this year.

Meeting PCIDSS Compliance Using Oracle Solaris 11

There's a great new whitepaper, by Matt Getzelman of Coalfire, up on Oracle.com today on how Oracle Solaris 11 can be used to comply with Payment Card Industry regulations.  These types of regulations and guidance can be difficult to parse. This whitepaper takes you through the various Solaris 11 features that you can leverage to make sure you are in compliance with PCI DSS.

• Oracle Solaris 11 and PCI DSS:Meeting PCI DSS Compliance with Oracle Solaris 11, by Matt Getzelman.

Solaris 11.1: Extended Policy and application containment on Solaris

Some interesting blog entries from Glenn Faden on these topics:

• Permissive and restrictive policies  
• Extended Policy and MySQL 
• Application containment via sandboxing

 

Great ZFS Encryption numbers on T5!

Some great mentions of the Cryptographic Technology Team's technologies in this T5 benchmark from SAE .

ZFS Encryption is faster on T5 SPARC than on Solaris on Intel - with marginal overhead compared to clear text on SPARC. All while using a fraction of the CPU used by Intel!

Keep your eyes on BestPerf Blog , as I expect to see some more great results out in the next few days.

Disclosure Statement

Copyright 2013, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Results as of 3/26/2013.

OWL: Getting More of What you Want in Your Career: Patty Azzarello

Patty Azzarello, author and coach, joined our Oracle Women's Leadership talk on Risk Taking today to help us learn how to take risks and still enjoy our lives.  If you're enjoying your life, you're actually better at your job!

She tends to break things into 3 categories:

• Do better: Are you thriving? Are you having impact?
• Look better: Are you invisible? Being invisible is not a good thing.
• Connect better: Do you have the right support?  If you're the only person that cares about your career: that's a big risk! And not a good one :-)

In order to do better you need to really get better about assessing risks, and stop worrying about looking foolish. There are risky career behaviours we all do that stop us from taking the right risks.

Early in her career, Ms. Azzarello had turned a project team around, taking a seemingly doomed project to a successful outcome. At the end of the year, when she went in for her performance evaluation and big rewarding raise, her boss had to let her down - nobody knew who she was. He couldn't get the raise for her.   If nobody knows what you're doing, it's difficult to get rewarded for it.

You need to realize something very important: the things that come easily to you are the things you're good at. Build on those strengths, people will be impressed.  We all only have so much energy to spend on our improving ourselves, so try to focus on what you've already got a knack for.

Be your brand - who you are. That does require you know what you're good at doing and aware of your strengths. Don't apologize for who you are and let other people know!

Ms. Azzarello reminded us that we can tune our jobs to suit our strengths.  I've done this myself many times over the years.  I'd been in the same position, on the org chart, for about 10 years... but had done at least 7-8 distinct jobs.  Sure, you still have to do the tasks you don't like - it's called work for a reason, but tune your job so you do more of what you love and less of what you hate.

When you get blocked at work, never blame your failure on the fact that your boss is stupid. Could be very career limiting. :-) Instead, use the voice of others - win others over to your side, get them to help you convince others.

You need Ruthless Priorities. Do FEWER things! [Note: I really need this!]  Think about it: what adds the  most business value? how bad is it if you fail or don't do this thing at all?  If something really cannot be dropped, prioritize the important things - protect them and do them. Get famous for doing important things, not for being busy.

[Note: that last paragraph seemed to be directed to me! see my recent post on out of control email... is that really my number one priority? Will I get an Oscar for reading it all?]

But, doing the right things yourself is not enough. You need the right team. The best project with the wrong team is just not going to be successful. Get people in the right jobs, delegate power and let those people be amazing.  A really smart person in the wrong job will be miserable and won't be productive.  They won't have the opportunity to be amazing.  Give it to them.

A risky behaviour Ms. Azzarello  has seen too many times is people avoiding clarity to avoid conflict. Big ambiguous fuzzy goals do not get action.  You need clarity - that might lead to conflict, but it is necessary for action.

Being invisible and ignored can kill your career in its tracks.  Put yourself out there, make sure your boss knows what you and your team is doing. There's a balance - you need to be visible without being annoying.  Steer away from shallow publicity - every little thing does not need to be announced, but excellent work should be shared.  Make sure your work is relevant - which may require translating what you do and why it's important into lingo someone outside of your immediate team will understand.

Ms. Azzarello gave us a great example of this. Gartner surveyed CEOs for their top 10 priorities and the same companies' CIOs for their priorities. She put the lists side by side on the screen, and there was only one common *word* between the two -  "business". She then made two new lists that combined the two separate ones. The CEO priorities were the headings, and the sub bullets were the CIO priorities and, combined, they made so much more sense as a cohesive strategy for a company. I could actually understand the CEO priorities when I saw technically relevant items underneath.

Ask your boss for their business initiatives, listen to their words and fit your projects into their initiatives using their words. Use this in real life! Magic :-)

Back on the visibility topic - She notes being shy is okay, but being invisible is not. She, herself, is an introvert on the Meyer's-Brigg's scale, yet she's on stage talking to us. It's performing - not presenting.  I do that myself. I am very shy (really), but when I'm somewhere I need to network or when I need to do a presentation - I act as if I'm someone that does that thing.  I love acting, so I just apply it when I'm presenting - I'm pretending to be someone that enjoys presenting and that does a good job.  Now, is my acting good enough to cover it?  Not always, but the more I practice the better it gets. :-)

Another risk Ms. Azzarello talked about is the experience paradox.  That thing where women will explain how if they aren't perfectly qualified for a job and they will talk themselves out of a position, when a man will often say, "Sure, I'll do the job" - even if they are actually less qualified than their female equivalent.  Someone once told her: Every CEO was a CEO for the first time in their lives at one point. You sometimes have to dive in and learn on the job.

Finally, and I've heard this so many times in the last 2 years: get a sponsor.

I really enjoyed this talk and hopefully can take a few things away from it and apply at least one or two in real life.

How well do you do about delegating and prioritizing? Any tips or suggestions?

OWL: Risk Taking Panel

Oracle Women's Leadership group, OWL, brought us Risk Taking panel yesterday here on our Santa Clara campus with three esteemed panelists, Meg Bear, VP Oracle Cloud Social Platforms; Rodrigo Liang, VP SPARC Platforms; and Nandini Ramani, VP Java Client Development with Pamela Parish moderating.

Mr. Liang and Ms. Ramini both started out with a reflection of things that were happening during the Oracle merger and the risks they needed to take to get the best output for their teams and their own careers. With so much going on at those time, quick action was required.  From the continued momentum of Java and SPARC platform, I'd have to say some of their risks definitely paid off.

They all addressed a recent study that showed women regretted taking risks and what we could all do to be more comfortable about taking a risk. Ms. Bear noted that she didn't think women were weighing the downsides of the risks properly. Women seem to view the same potential of failure with more dread than a man would, and the panelists seem to agree: you don't know until you try it!

Ms. Ramini shared a lesson she learned while learning to ride a horse that her instructor gave her: if you've never fallen off a horse, how do you know what it feels like? Or that it will ever happen?

Ms. Bear noted the best opportunities she's had for professional development seems to have been when she was thrown into a situation she knew nothing about. It can be terrifying at the time, but she found those were the times she learned the most.  We shouldn't be afraid of making mistakes.  Ms. Bear recommended we all check out Seth Godin's blog, particularly his latest entry on mistakes.

Ms Ramini noted that for almost all women she knows would not consider it "risk taking" to make a brand new recipe for a large dinner, but somehow similar risks in the workplace that would have the same severity of consequences, have made her nervous in the past.  Fortunately, a manager years ago chided her for not speaking her mind in a meeting when someone was doing the wrong thing and she knew it, but was afraid to speak up and risk being embarrassed - said she hasn't shut up since. :-)

Ms. Ramini noted that when you do take a risk, you have to be willing to take "no" as an answer. When that happens, don't let that "no" be a forever no - just for that one thing.  Continue to take risks!

As a manager, the panel recommends helping to guide your team in taking risk. You can't constantly challenge the status quo and try to change directions of your team, that becomes tiring for all involved. They all agree to keep an open door for their teams and let them approach you with any idea, be a sounding board. Also, as a manager, you need to keep an open mind to these suggestions and be willing to change.

Remember to take risks when things are going well. While stated before, you don't want to change the status quo simply because you have nothing better to do - though staying still can be a risk, too.  Sometimes a little change is all that's needed to keep things on track or to even greatly improve the outcome of a project.

Ms. Ramini encourages people to work with others outside of your direct group, brainstorm, and keep your eyes on what others are doing - that's where innovation comes from.  You wouldn't want to be caught still using tcl/tk because you failed to notice the world had moved on ;-)

Mr. Liang noted that part of being the leader is about moving the group. It doesn't matter if you have great ideas if you can't get anyone to come along. It needs to be civil, of course. You can't force people to follow you - not in the long haul, anyways.

Ms. Bear mentioned that even being a risk taker, there are still times she's neglected to take the risk as soon as she should have. For example, she recently changed her role - something she's needed to do for a long time. While she was waiting for the right opportunity to come along, she could've perhaps pursued it in a different manner and made the change sooner.

Someone in the audience asked about making the jump into management. Ms. Ramini noted to make sure it's really something you want to do, as it's not for everyone. Talk to people who are managers, talk to people that know you and make an informed decision.

For career/role change in general, Ms. Bear said you need to convince yourself first that you're the right person for this new role, before you ask for it.  Find others that can help you ease into a new role, if that's a possibility.

Ms. Bear says she has seen women preventing others from making career growth, unfortunately, and pleads with all women to not do this.  Ms. Ramini hasn't seen this nasty behavior herself, but still noted that she tries to make sure that men and women on her team are given the same opportunities.

A great panel, followed by a great talk from Patty Azzarello - blog coming Monday. :)

Have you regretted not taking a risk?  What risk taking behaviour really paid off for you in the past?

GHC12: From Engineer to Executive: The Path Forward

Susan Zwinger, Oracle, is building upon Nora Denzel's keynote - here to talk about people.

Who is Sue? Well, she's an engineering VP at Oracle, but she's also a wife, a mother of two, daughter and frequent traveler.

Ms Zwinger didn't start out thinking she'd become a VP, with her degree in statistics. She started out as a software engineer, but quickly became bored and took a job designing a kernel internals course - where she got to travel all over the world to give the class.  She was hooked on the travel bug after that and looked for jobs that let her do that!

You want to choose a career that you can grow in, will increase your job satisfaction and improve your satisfaction. But, you need to figure out what your strengths and weaknesses are - and this changes as you grow.

You want to plan your career instead of just react - but that's not always possible. Ms. Zwinger's first husband committed suicide when their daughter was only a year old.  Initially feeling like everything was over, she picked up everything and moved to Tokyo. It taught her that she was strong and could find her way out of the worst circumstances imaginable.

Best ways to start planning? Figure out who you are - take a Myers Briggs test and do a 360 degree review (includes self review, peer rating, direct report rating, supervisor rating).

•  Myers Briggs test
• 360 degree review (includes self review, peer rating, direct report rating, supervisor rating)
• Her own 360 taught her that she's great at results and leading her team through change, her reports loved her - but her peers did not.  She has problems with people skills, leaving "bodies in her path". Something to work on! 
• FIRO-B  -  Fundamental Interpersonal relations Orientation-Behavior. 
• She learned from tis that she had a need for control (which she knew) but also had a big need for affection (surprise!)
• Coaches
• People that will tell you the truth about yourself!
• Sun paired her up with executive coach Steve Josephs
• Taught her to respect everyone - sincerely, not just going through the motions.
• when things are getting stressful or out of control, take a deep and slow breath.
• The Leadership Derailer helps leaders find which weaknesses require improvement to succeed?
• Management Skills Inventory
• Books: Think Positive, Lou Tice
• For Ms. Zwinger, this was applied to a simple thing: think about the positive parts of not biting her nails. Her fingers felt better. Focusing on that simple positive thought, she broke her long time bad habit.
• Inspiring person: Think Olympian, Marilyn King
• Injured for 9 months and could not practice for the decathlon, but thought through her training. Spent every day thinking about and watching the event. She ended up placing second in the trials.

A great and inspiring a talk, very relevant for me given my recent job change into management!

This post syndicated from Thoughts on security, beer, theater and biking!