Tag: Computer Security

Resources for pfSense, Private Internet Access, Netflix, and Hulu

You've probably heard by now that the US Congress just repealed Obama-era regulations preventing Internet service providers from selling their users' browsing data to advertisers. I'll probably talk more about that in future posts. For now, I'm going to focus on a specific set of steps I've taken to prevent my ISP (Cox) from seeing what sites I visit.

I use a VPN called Private Internet Access, and a hardware firewall running pfSense. If that sentence looked like gibberish to you, then the rest of this post is probably not going to help you. I plan on writing a post in the future that explains some more basic steps that people who aren't IT professionals can take to protect their privacy, but this is not that kind of post.

So, for those of you who are IT professionals (or at least comfortable building your own router), it probably won't surprise you that streaming sites like Netflix and Hulu block VPNs.

One solution to this is to use a VPN that gives you a dedicated IP (I hear good things about NordVPN but I haven't used it myself); Netflix and Hulu are less likely to see that you're using a VPN if they don't see a bunch of connections coming from the same IP address. But there are problems with this approach:

  • It costs more.
  • You're giving up a good chunk of the anonymity that you're (presumably) using a VPN for in the first place; your ISP won't be able to monitor what sites you're visiting, but websites are going to have an easier time tracking you if nobody else outside your household is using your IP.
  • There's still no guarantee that Netflix and Hulu won't figure out that you're on a VPN and block your IP, because VPNs assign IP addresses in blocks.

So I opted, instead, to set up some firewall rules to allow Netflix and Hulu to bypass the VPN.

The downside to this approach is obvious: Cox can see me connecting to Netflix and Hulu, and also Amazon (because Netflix uses AWS). However, this information is probably of limited value to Cox; yes, they know that I use three extremely popular websites, when I connect to them, and how much data I upload and download, but that's it; Netflix, Hulu, and Amazon all force HTTPS, so while Cox can see the IPs, it can't see the specific pages I'm going to, what videos I'm watching, etc. In my estimation, letting Cox see that I'm connecting to those sites is an acceptable tradeoff for not letting Cox see any other sites I'm connecting to.

There are a number of guides on how to get this set up, but here are the three that helped me the most:

OpenVPN Step-by-Step Setup for pfsense -- This is the first step; it'll help you route all your traffic through Private Internet Access. (Other VPNs -- at least, ones that use OpenVPN -- are probably pretty similar.)

Hulu Traffic -- Setting up Hulu to bypass the VPN is an easy and straightforward process; you just need to add an alias for a set of FQDNs and then create a rule routing connections to that alias to WAN instead of OpenVPN.

Netflix to WAN not OPT1 -- Netflix is trickier than Hulu, partly because (as mentioned above) it uses AWS and partly because the list of IPs associated with AWS and Netflix is large and subject to change. So in this case, instead of just a list of FQDNs, you'll want to set up a couple of rules in pfBlockerNG to automatically download, and periodically update, lists of those IPs.

That's it. Keep in mind that a VPN isn't a silver-bullet solution, and there are still other steps you'll want to take to protect your privacy. I plan on covering some of them in future posts.
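The Netflix step above comes down to turning a published address list into firewall entries, and the size of that list is the size of the hole in the VPN. As an added example (not taken from the linked guides), this Python code filters a document laid out like AWS's ip-ranges.json by service and region, collapses overlapping prefixes, and counts how many addresses end up outside the tunnel. The sample prefixes, the region and service choices, and the function names are this example's assumptions.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json.
# The prefixes are documentation ranges (RFC 5737), not real AWS space.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2017-04-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.64/26", "region": "us-west-2", "service": "S3"},
    ],
})


def bypass_cidrs(raw_json, services, regions=None):
    """Return the smallest CIDR list covering the selected services/regions.

    regions=None means "every region", which is the widest possible bypass.
    """
    doc = json.loads(raw_json)
    nets = set()
    for entry in doc.get("prefixes", []):
        if entry.get("service") not in services:
            continue
        if regions is not None and entry.get("region") not in regions:
            continue
        # strict=True raises on a prefix with host bits set instead of
        # silently rounding it to something broader than intended.
        nets.add(ipaddress.ip_network(entry["ip_prefix"], strict=True))
    # Duplicates and adjacent halves merge, so the rule table stays small.
    return list(ipaddress.collapse_addresses(nets))


def exposed_addresses(cidrs):
    """How many destination addresses the ISP will see in the clear."""
    return sum(net.num_addresses for net in cidrs)


def as_list_file(cidrs):
    """One CIDR per line, the plain-text form assumed for the firewall list."""
    return "".join(f"{net}\n" for net in cidrs)


if __name__ == "__main__":
    narrow = bypass_cidrs(SAMPLE_IP_RANGES, {"EC2"}, {"us-west-2"})
    wide = bypass_cidrs(SAMPLE_IP_RANGES, {"EC2"})
    print(as_list_file(narrow), end="")
    print("narrow bypass:", exposed_addresses(narrow), "addresses")
    print("wide bypass:  ", exposed_addresses(wide), "addresses")
```

Comparing the two counts before loading a list shows how much extra traffic a broader filter sends around the VPN.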

E-Mails and Passwords

So the other day I decided it was past time to reset all my passwords.

I'm pretty good about password hygiene. I've been using a password locker for years, with a unique, randomly-generated* password for every account I use. But I'll admit that, like most of us, I don't do as good a job of password rotation as I might. That's probably because I've managed to amass over 150 different accounts across different sites, and resetting 150 different passwords is a giant pain in the ass.

(I'm thinking that, from here on in, I should pick a subset of passwords to reset every month, so I never wind up having to reset all 150 at once again. It would also help me to clear out the cruft and not keep logins for sites that no longer exist, or which I'm never going to use again, or where I can't even find the damn login page anymore.)

There was one more reason I decided now was a good time to do a mass update: I've got two E-Mail addresses that have turned into spam holes. As I've mentioned previously, I'm currently looking for work and getting inundated with job spam; unfortunately I went and put my primary E-Mail address at the top of my resume, which in hindsight was a mistake. Never post your personal E-Mail in any public place; always use a throwaway.

Which I do, most of the time -- and that's created a second problem: I've been signing up for websites with the same E-Mail address for 15 years, and also used to use it in my whois information. (I've since switched to dedicated E-Mail addresses that I use only for domain registration.) So now, that E-Mail has turned into a huge spam hole; it's currently got over 500 messages in its Junk folder, and that's with a filter that deletes anything that's been in there longer than a week. My spam filters are well-trained, but unfortunately they only run on the client side, not the server side, so any time Thunderbird isn't running on my desktop, my spam doesn't get filtered. (If I'm out of the house, I can tell if the network's gone down, because I start getting a bunch of spam in my inbox on my phone.)

So now I've gone and created two new E-Mail addresses: one that's just for E-Mails about jobs, and another as my new all-purpose signing-up-for-things address.

My hope is that the companies hammering my primary E-Mail address with job notifications will eventually switch to the new, jobs-only E-Mail address, and I'll get my personal E-Mail address back to normal. And that I can quit using the Spam Hole address entirely and switch all my accounts over to the new address. Which hopefully shouldn't get as spam-filled as the old one since I haven't published it in a publicly-accessible place like whois.

Anyway, some things to take into account with E-Mail and passwords:

  • Don't use your personal E-Mail address for anything but personal communication. Don't give it to anyone you don't know.
  • Keep at least one secondary E-Mail address that you can abandon if it gets compromised or filled up with spam. It's not necessarily a bad idea to have several -- in my case, I've got one for accounts at various sites, several that I use as contacts for web domains, and one that's just for communication about jobs.
  • Use a password locker. 1Password, Keepass, and Lastpass are all pretty highly-regarded, but they're just three of the many available options.
  • Remember all the different devices you'll be using these passwords on.
    • I'm using a Linux desktop, an OSX desktop, a Windows desktop, and an Android phone; that means I need to pick a password locker that will run on all those different OSes.
    • And have some way of keeping the data synced across them.
    • And don't forget that, even with a password locker, chances are that at some point you'll end up having to type some of these passwords manually, on a screen keyboard. Adding brackets and carets and other symbols to your password will make it more secure, but you're going to want to weigh that against the hassle of having to dive three levels deep into your screen keyboard just to type those symbols. It may be worth it if it's the password for, say, your bank account, but it's definitely not worth it for your Gmail login.
  • Of course, you need a master password to access all those other passwords, and you should choose a good one. There's no point in picking a bunch of unique, strong passwords if you protect them with a shitty insecure password. There are ways to come up with a password that's secure but easy to remember:
    • The "correct horse battery staple" method of creating a passphrase of four random words is a good one, but there are caveats:
      • You have to make sure they're actually random words, words that don't have anything to do with each other. Edward Snowden's example, "MargaretThatcheris110%SEXY.", is not actually very secure; it follows correct English sentence structure, "MargaretThatcher" and "110%" are each effectively one word since they're commonly-used phrases, the word "SEXY" is common as fuck in passwords, and mixed case and punctuation don't really make your password significantly more secure if, for example, you capitalize the beginnings of words or entire words and end sentences with periods, question marks, or exclamation points. Basically, if you pick the words in your passphrase yourself, they're not random enough; use a computer to pick the words for you.
      • And this method unfortunately doesn't work very well on a screen keyboard. Unless you know of a screen keyboard that autocompletes words inside a password prompt but won't remember those words or their sequence. I think this would be a very good idea for screen keyboards to implement, but I don't know of any that do it.
    • There are programs and sites that generate pronounceable passwords -- something like "ahx2Boh8" or "ireeQuaico". Sequences of letters (and possibly numbers) that are gibberish but can be pronounced, which makes them easy to remember -- a little less secure than a password that doesn't follow such a rule, but a lot more secure than a dictionary word. But read reviews before you use one of these services -- you want to make sure that the passwords it generates are sufficiently random to be secure, and that it's reputable and can be trusted not to snoop on you and send that master password off to some third party. It's best to pick one that generates multiple passwords at once; if you pick one from a list it's harder for a third party to know which one you chose.
  • Of course, any password is memorable if you type it enough times.
  • And no password is going to protect you from a targeted attack by a sufficiently dedicated and resourceful attacker -- if somebody's after something you've got, he can probably find somebody in tech support for your ISP, or your registrar, or your hosting provider, or your phone company, or some company you've bought something from, somewhere, who can be tricked into giving him access to your account. Or maybe he'll exploit a zero-day vulnerability. Or maybe one of the sites you've got an account with will be compromised and they'll get everybody's account information. Password security isn't about protecting yourself against a targeted attack. It's about making yourself a bigger hassle to go after than the guy sitting next to you, like the old joke about "I don't have to outrun the tiger, I just have to outrun you." And it's about minimizing the amount of damage somebody can do if he does compromise one of your accounts.
  • And speaking of social engineering, security questions are deliberate vulnerabilities, and they are bullshit. Never answer a security question truthfully. If security questions are optional, do not fill them out. If they are not optional and a site forces you to add a security question, your best bet is to generate a pseudorandom answer (remember you may have to read it over the phone, so a pronounceable password or "correct horse battery staple"-style phrase would be a good idea here, though you could always just use letters and numbers too -- knowing the phonetic alphabet helps) and store it in your password locker alongside your username and password.
  • You know what else is stupid? Password strength indicators. I once used one (it was Plesk's) that rejected K"Nb\:uO`) as weak but accepted P@55w0rd as strong. You can generally ignore password strength indicators, unless they reject your password outright and make you come up with a new one.

* For the purposes of this discussion, I will be using the words "random" and "pseudorandom" interchangeably, because the difference between the two things is beyond the scope of this post.
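"Use a computer to pick the words for you" and "a little less secure" can both be put in numbers. As an added example (not code from any tool named in this post), the Python below draws passphrases and pronounceable passwords from the operating system's CSPRNG and computes the entropy of each scheme; the 16-word list, the consonant-vowel syllable scheme and the function names are this example's assumptions.

```python
import math
import secrets

# Constructed 16-word list so the example runs offline. A real list should
# hold thousands of words: 7776 (diceware-sized) gives about 12.9 bits each.
WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "gravel",
         "harbor", "iris", "juniper", "kettle", "lantern", "meadow",
         "nickel", "orbit", "pebble"]

CONSONANTS = "bdfghjklmnprstvz"  # 16 symbols
VOWELS = "aeiou"                 # 5 symbols


def passphrase(words, count=4, sep=" "):
    """Pick `count` words independently and uniformly; repeats are allowed."""
    unique = sorted(set(words))  # duplicates in the list would skew the odds
    return sep.join(secrets.choice(unique) for _ in range(count))


def pronounceable(syllables=4):
    """Consonant-vowel syllables: gibberish, but it can be read over the phone."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))


def passphrase_bits(list_size, count):
    """Entropy when every word is an independent uniform draw."""
    return count * math.log2(list_size)


def pronounceable_bits(syllables):
    return syllables * math.log2(len(CONSONANTS) * len(VOWELS))


def random_bits(length, alphabet_size):
    """Entropy of a password with every character drawn freely."""
    return length * math.log2(alphabet_size)


def candidates(n=5, syllables=4):
    """Generate several at once and pick one, as the post suggests."""
    return [pronounceable(syllables) for _ in range(n)]


if __name__ == "__main__":
    print(passphrase(WORDS), "| demo list:", passphrase_bits(len(WORDS), 4), "bits")
    print("4 words from a 7776-word list:", round(passphrase_bits(7776, 4), 1), "bits")
    print(candidates())
    print("8-char pronounceable:", round(pronounceable_bits(4), 1), "bits")
    print("8 free alphanumerics:", round(random_bits(8, 62), 1), "bits")
```

The entropy figures only hold when the machine makes every choice; a phrase a person assembles by hand does not get to claim them.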

Getting Sprint LTE to Work on CyanogenMod 12

Update 2015-10-12: My new advice for getting Sprint data to work on a Nexus 5 phone running CyanogenMod 12 is "Don't bother." I never did get it working right, and had to reboot at least once a day to get it working. I've since reverted back to KitKat. Original post follows, but if you want my advice it's "Stick with CM11."


First, let's get one thing out of the way: if you're using a custom Android ROM on your phone (or any device that can receive text messages), you're going to want to make sure it's up-to-date. There's a vulnerability in an Android component called Stagefright that is potentially devastating; it allows an attacker to gain control by doing nothing more than send a text message, and there are now attacks in the wild.

If you've got the stock firmware on your phone, and your phone is relatively recent, you should get the patch to fix this vulnerability automatically. (If, for example, your phone is running Lollipop, either because it came with it or automatically updated to it, you're probably good.)

But if you're running a custom ROM and don't have automatic updates enabled, you're going to want to check on whether you're running a current version that includes the Stagefright fix.

I'm a CyanogenMod user. If you're using the latest version of CyanogenMod 11.0, 12.0, or 12.1, then you've got the Stagefright fix.

I recently took the opportunity to upgrade my phone to the latest 11.x series to get the fix. And I figured while I was at it, why not upgrade to 12.1 and see if it's any good?

So I installed CyanogenMod 12.1, and everything looked like it was working fine at first -- when I was using it in my own house, on my wifi network. It wasn't until a day or two later that I realized my Sprint data connection wasn't working.

It took rather more searching than it should have, but it turns out there's an easy solution (albeit an annoying one if you've already got your phone set up the way you want it, because it involves wiping it to factory again).

mjs2011 at XDA Developers links to a sprint.zip file assembled by somebody named Motcher41, and gives these instructions for use:

The fix should be flashed during initial installation, so:

  1. Flash ROM
  2. Gapps
  3. SU (if necessary)
  4. Sprint APN Fix zip

I can confirm that you don't need to worry about setting up root before sprint.zip; it's fine if you do it afterward (my recovery, for example, sets up su right before reboot). However, I can confirm that you need to install sprint.zip after Gapps and before your first boot; if you install it before Gapps or after your first boot then it won't work.

Update 2015-09-30: After a few days my data connection quit working again. I rebooted to recovery, reinstalled sprint.zip, and it started working again. So never mind about not working if you install it after you've already booted the ROM; it will still work just as well. Unfortunately, "just as well" appears to mean "just for a few days"; I'm not sure what happened that changed my settings to make it stop working, but if I figure it out I'll update this post again.

You may notice that the linked thread is old (it's from November 2013) and was written in reference to pre-11.0 versions of CyanogenMod. However, I can confirm that it applies to the 12.x series too. This issue appears to be a regression; CM fixed it in version 11 but then broke it again in version 12.

So if you're a Sprint customer and you just installed CyanogenMod 12 on your phone and then discovered Sprint data was no longer working, this is what you're gonna wanna do to fix it.

Password Restrictions are Stupid

There are few things more infuriating than submitting a randomly-generated password and seeing it rejected based on some stupid asshole's stupid asshole idea of what constitutes a strong password.

Yesterday I encountered a site that rejected K"Nb\:uO`) as weak but accepted P@55w0rd as strong.

And my first day at my current job, we had to take mandatory security tutorials that, among other helpful hints, suggested that we satisfy the requirement for a capital letter and a symbol by putting the capital letter at the beginning of the password and an exclamation point at the end. Which, for those of you who are as bad at basic arithmetic as whatever moron put that suggestion in a security tutorial, defeats the entire purpose of requiring a capital letter and a symbol.

Which is, of course, why requiring capital letters and symbols in the first place is stupid, because "make the first letter a capital and put an exclamation point at the end" is what pretty much everybody does to satisfy that requirement anyway, even without official company-sanctioned security tutorials assuring them that this is okay and totally better than just having an all-lowercase password because math class is tough.
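The arithmetic being complained about, as an added example (this is not the logic of the site or the tutorial mentioned above, which this page does not show): a hypothetical character-class rule that accepts P@55w0rd and rejects the random string for lacking a digit, next to a check that undoes the usual substitutions and looks for the capital-first, exclamation-last shape. The rule, the five-entry common-password list and the function names are this example's assumptions.

```python
import math
import re

# Substitutions people reach for when a form demands digits and symbols.
LEET = str.maketrans({"@": "a", "4": "a", "5": "s", "$": "s",
                      "0": "o", "1": "l", "3": "e", "7": "t"})

# Constructed stand-in for a real common-password list.
COMMON = {"password", "welcome", "letmein", "qwerty", "sunshine"}


def composition_ok(pw, need_digit=True):
    """Hypothetical class-counting rule: length 8+, upper, lower, symbol, digit."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(not c.isalnum() for c in pw)
            and (not need_digit or any(c.isdigit() for c in pw)))


def pattern_weak(pw):
    """True if the password is a dressed-up common word or the tutorial shape."""
    lowered = pw.lower()
    stripped = lowered.rstrip("!?.0123456789")  # drop the usual suffix
    if {lowered.translate(LEET), stripped.translate(LEET)} & COMMON:
        return True
    # One capital, then lowercase letters, then "!": the classes are present
    # but their positions are fixed, so they add nothing to guess.
    return re.fullmatch(r"[A-Z][a-z]+!", pw) is not None


def tutorial_bits(length):
    """Capital first and '!' last: only length-1 letters are actually free."""
    return (length - 1) * math.log2(26)


def free_bits(length, alphabet=94):
    """Every position drawn from the 94 printable ASCII symbols (no space)."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    for pw in ("P@55w0rd", 'K"Nb\\:uO`)', "Welcome!"):
        print(f"{pw!r:16} class rule: {composition_ok(pw)!s:5} "
              f"pattern-weak: {pattern_weak(pw)}")
    print("8 chars, tutorial shape:", round(tutorial_bits(8), 1), "bits")
    print("8 chars, all free:      ", round(free_bits(8), 1), "bits")
```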

The Real Questions

I was going to write a post about Edward Snowden.

But then I realized: that's bullshit.

Because this isn't about Edward Snowden.

I just read a great piece by Matt Taibbi titled As Bradley Manning Trial Begins, Press Predictably Misses the Point. He argues, persuasively, that focusing on Manning is what the government wants. It wants the story to be about a person instead of about the information he disclosed.

The NSA story isn't about Snowden, any more than the military leaks are about Manning or Assange. "Hero or traitor?" is a bullshit question.

There are real questions we should be asking. Here are a few courtesy of Bruce Schneier:

We need details on the full extent of the FBI's spying capabilities. We don't know what information it routinely collects on American citizens, what extra information it collects on those on various watch lists, and what legal justifications it invokes for its actions. We don't know its plans for future data collection. We don't know what scandals and illegal actions -- either past or present -- are currently being covered up.

We also need information about what data the NSA gathers, either domestically or internationally. We don't know how much it collects surreptitiously, and how much it relies on arrangements with various companies. We don't know how much it uses password cracking to get at encrypted data, and how much it exploits existing system vulnerabilities. We don't know whether it deliberately inserts backdoors into systems it wants to monitor, either with or without the permission of the communications-system vendors.

And we need details about the sorts of analysis the organizations perform. We don't know what they quickly cull at the point of collection, and what they store for later analysis -- and how long they store it. We don't know what sort of database profiling they do, how extensive their CCTV and surveillance-drone analysis is, how much they perform behavioral analysis, or how extensively they trace friends of people on their watch lists.

All that said: I can't resist linking the petition for Obama to debate Snowden. Obviously it's not going to happen, but if it gets 100,000 signatures, the White House will have to issue an official response.

And presumably up the signature requirement for an official response to 150,000 for next time.

This Week on "Nobody Involved with Bones Gives a Fuck Whether Computers Behave in a Remotely Rational or Coherent Fashion"...

...somebody gets an E-Mail -- "probably spam" -- and it allows Angela to decrypt every encrypted E-Mail she's ever gotten.

This somehow manages to be the stupidest thing in an episode about a mutant virus injected into a blogger with a microneedle that, still attached to her skeleton, then manages to jab one of the interns and infect him too.

Well maybe next week's episode will be less stupid.

...wait. Season finale? Fuck. That means another Pelant episode.

Well, maybe they'll finally just fucking shoot him and next season's premiere will be less stupid.

Skyfallin'

The theme of Skyfall is the conflict between the old and the new. You can tell because every third line of dialogue reminds you of this.

I think the trouble is that the writers and director don't seem quite clear on what that premise actually means.

Spoilers follow.

Does Silva represent the new, because he is a computer hacker and a new kind of enemy? Or does he represent the old, because he's a Cold War-era agent who's gone rogue for reasons that are entirely tied to the way M has run MI6?

There's also the question of the contrast between the original Bond films and the Craig-era ones. This movie makes a big point of bringing back the trappings of the original films -- Moneypenny, Q, a 1960 Aston Martin with machine guns -- but it also makes a big point of how the original movies felt a lot more high-tech and futuristic than the current ones. (The gadgets Q gives Bond are "A radio and a gun -- not exactly Christmas, is it?") So which is the old and which is the new? And that's before you even get into the point that Craig's Bond, and Casino Royale as a whole, are throwbacks to Fleming's novels, the oldest version of Bond there is.

There's another conflict between the old and the not-quite-so-old: the last two Bond films seemed intent on introducing Quantum as the new, non-infringing version of SPECTRE, a shadowy organization that would pose a recurring threat through the rebooted franchise. And then, in Skyfall? No trace of Quantum at all. We're back to isolated, one-off villains -- perhaps because someone at the recovering-from-bankruptcy MGM realized that self-contained movies without recurring villains just make more sense for the film franchise. (Hell, even when the old films were using Blofeld as their go-to villain, they still had a different actor in the role every time; it may as well have been a different character.)

On the whole, though, it all hung together pretty well; I thoroughly enjoyed the first and third act. (The second act was stupid and had Magic Computers. I don't know where the writer picked up the phrase "security through obscurity", but apparently he missed the part where it is not an expression any security professional would ever use without sneering. The less said about the movie's idea of data encryption and depiction of code as a stupid-looking early-1990s wireframe screensaver the better.) But nonetheless, perfectly decent. Though I'm kinda glad I waited to see it at the cheap theater.

Buggy Messes

I had some harsh words yesterday for the EaseUS software for Mac. Mainly, it constantly locked up and didn't do much of anything.

I'm not quite ready to let EaseUS off the hook just yet, but I'm seeing that same behavior in a lot of programs now. At this point I'm pretty confident that, in setting my Mac up to run like a Hackintosh, I have wound up with a system that has all the stability and reliability of a Hackintosh.

Regrettably, I'm having much the same problem with MIUI, which I installed on my phone the other day (as something to do while I waited for diags to run on my Windows 8 drive). It's slow and it crashes like a motherfucker. I really think the monthly release cycle is a pretty poor idea; what we've got is bleeding-edge code (in this case Jelly Bean running on a phone that was never meant to support it) instead of stable code.

Which is a pity because there's really a lot to love about MIUI. For starters, it's the most paranoid OS I've ever seen -- its security settings are granular as hell; it doesn't just tell you what data your program is going to have access to at install time, it defaults to warning you at access time, too -- and giving you the opportunity to refuse.

Trust the Chinese to be thorough about who's listening in on them.

It also comes with a lot of mostly-pretty-useful programs out of the box.

Except that weather program. The one that thinks I live in some place called Temperanceville (and that's not autocomplete on me typing in "Tempe", that's the location it automatically set itself to), consistently tells me I have no network connection even though I have a network connection, and can't be uninstalled. I don't like that one very much.

So I don't think I'll be sticking with MIUI. I guess the question is whether I should just restore CyanogenMod 7 from backup, or try some other ROM.

Decisions, decisions...

LeakedOut

So apparently LinkedIn didn't salt any of its users' passwords before hashing.

Man, if only they'd had some way of finding people who understood basic fucking network security and were looking for work.
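What the missing salt costs, as an added example (not LinkedIn's code; the post does not name the hash, so SHA-1 here is this example's choice, as are the accounts, the iteration count and the function names): with a bare hash, everyone who picked the same password shares one stored value, while a per-user salt fed through a slow KDF makes every record distinct.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # example's assumption; raise it as far as login latency allows

# Constructed accounts: alice and carol happen to choose the same password.
USERS = {"alice": "hunter2", "bob": "tr0ub4dor", "carol": "hunter2"}


def unsalted_record(password):
    """The 'before': a fast hash of the password and nothing else."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password, salt=None):
    """The 'after': 16 random bytes per user, then PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$")
    attempt = salted_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(attempt, record)


def shared_groups(table):
    """Users whose stored record is identical: recover one, recover them all."""
    by_record = defaultdict(list)
    for user, record in table.items():
        by_record[record].append(user)
    return sorted(sorted(group) for group in by_record.values()
                  if len(group) > 1)


def build_tables(users):
    unsalted = {u: unsalted_record(p) for u, p in users.items()}
    salted = {u: salted_record(p) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables(USERS)
    print("unsalted, identical records:", shared_groups(unsalted))
    print("salted, identical records:  ", shared_groups(salted))
    print("login still works:", verify("hunter2", salted["alice"]))
```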

Tempin' Ain't Easy

I try not to think about the fact that it's been seven years since I got my CS degree and I haven't put it to use professionally.

I entered the field at the wrong time and in the wrong place. It's rough all over, and the housing bubble hit Arizona disproportionately hard. I've spent the past few years working as a temp and building the odd website on the side.

The first temp gig lasted two years -- ironically, longer than any other job I've had. But I got laid off about a year ago.

There's this kind of paranoia you get. It could happen again any time. And it has absolutely nothing to do with how hard you work or how good a job you do. You could be out on your ass tomorrow, on the whim of some guy you've never met.

I've heard some of the "get a job" rhetoric lately and it's just baffling. A hell of a lot of people would like very much to get a job. I've been either unemployed or underemployed my whole adult life, and that's with a degree that, fifteen years ago, could have gotten me six figures.

Not that I intend this as a pity party. I've got work now, and it pays well enough to live comfortably while still squirreling away enough each week that I'll be okay for a few months if I find myself unemployed again. There are a lot of guys who have it a lot worse than I do.

And if you take anything away from this comedy of errors, let it be that: this is the story of a guy who's doing okay in this economy.

Job 1: Fortune 500 Company, Real Estate Business

Job: Imaging laptops, working in a warehouse, inventory duty
Distance from Home: 3.5 miles
Best Thing: Laid-back atmosphere most of the time
Worst Thing: Lung fungus
Length of Service: 2 years

This wasn't a bad gig, really. Not intellectually challenging, but I worked with some good people, I got some good exercise in, and most times things were pretty laid-back.

But it wasn't worth giving up my health for, and ultimately that's what I did.

I did a lot of work out in a dusty warehouse, and I managed to contract valley fever. For those of you not from around here, valley fever is a lung fungus, and it lives in dust. The Valley and valley fever are like the Internet and Hitler comparisons -- you stay there long enough, it's something you're eventually going to have to deal with.

So I contracted a lung fungus working there, and I've still got asthma. It's manageable now, but I'm not what I was. Before I took that job I was healthy.

The next-worst thing about the job, after the lung fungus, was the meddling from up the chain. People with little-to-no grasp of our actual day-to-day operations had very strong opinions of what those operations should be, and precisely which boxes we should check on which forms each and every single time we did them. Precisely what those opinions were tended to change from week-to-week, producing an ever-changing, increasingly complex system for dealing with very simple tasks.

And as this went on, the environment became less and less laid-back, and more and more stressful.

There was a real disconnect between the building I was in and management out on the west coast. Within my office I was regarded as an essential member of the team, and indeed my bosses not only recognized my value, they realized that I could probably be doing more for the company than just counting how many sticks of RAM were left in inventory, and fought hard to get me not only hired on but promoted.

It's no small comfort to me that every single person who actually worked with me was pulling for me. To the point that when Corporate decreed that all the temps would be let go, my boss's boss's boss got reassigned for telling his boss's boss's boss exactly how he felt about that.

It was nothing personal. And it was nothing to do with my performance. I was just caught up in a bloodbath. I was part of the first wave, but it kept going. Last I heard, they'd laid off another third of my department, every help desk tech in Arizona, nearly everyone in the front office, and most of the people up the chain to VP. And demoted my boss back down to tech.

But before all that, I got a layoff for Christmas. I lost my job two years, to the week, after I'd gotten it.

There's a fatalism that kicks in after a while. A knowledge that no matter how hard you work and how much you're appreciated, there's some clown in a corner office somewhere who's never met you but has the power to decide whether you're drawing a paycheck next week.

But ultimately there's something liberating about that, too. After a while you stop trying to impress the clowns in the corner offices who have never met you. You realize the only people worth giving two shits about are the ones you deal with every day -- and that trying to impress them isn't about whether you'll have a job next week, it's about doing a good job for its own sake and for the sake of your team.

Those guys had my back. And that means more to me than a paycheck ever did.

Unemployment

Unemployment sucks. But it could be worse.

It's a pretty damn smooth process in this day and age -- all online, no driving across town and waiting in line. You fill out an online form, they take a week or two to make sure your story checks out, and then they open up a bank account for you, send you a card, and put money in every week.

Once a week you'll have to resubmit your claim. You tell them you're still looking for work (and keep evidence on file in case they ask for it -- I kept rather a long Excel spreadsheet with a list of everybody I'd contacted) and declare any money you've earned.

The whole thing's demoralizing and more than a little Kafkaesque -- Ursula K. Le Guin recently described it quite wonderfully in a short story called Ninety-Nine Weeks: A Fairy Tale, and it's barely an exaggeration. That spreadsheet I mentioned where I kept track of all the dozens of jobs I applied for? Only one of them ever actually got me an offer, and it was out-of-state -- more on that below. By the time I did finally get work again, it wasn't from the job search, it was from the same temp agency I'd been working for since '08.

Job 2: Local Non-Profit, Medical Industry

Job: Imaging laptops
Distance from Home: 13 miles
Best Thing: A job!
Worst Thing: Poor pay, sporadic availability
Length of Service: 3 months, off and on

This one wasn't too bad either. Neat office, nice people, and a certain degree of autonomy. The cramped little room I worked in got pretty crowded and hot as time went on, and there was a whole lot of downtime as I waited for laptops to finish imaging, but hey, I got time to catch up on my reading.

I also learned some interesting things about security policy. I've never had to lock things down so tightly from the BIOS -- a unique strong boot password on every machine, USB boot disabled, Bluetooth disabled, and on and on.

The toughest thing was that this wasn't a 40-hour-a-week job. It was "We just got these laptops in; image them and when you're done we'll send you home and call you back in when we get more."

And, without getting into the specifics of my pay, here's where that got frustrating: often I didn't make significantly more money than if I'd just stayed at home and collected unemployment.

Unemployment in Arizona works like this: you get a weekly stipend of up to $240. I was eligible for that maximum amount.

Every week, you report how much you've earned. You can earn up to $30 before they start subtracting your earnings from your unemployment check.

So there's this sort of dead zone between $30 and $270 where you are making the same amount of money whether you work or not.

And at this job, I frequently worked a weird part-time schedule and fell into that zone. Once I got past that first $30, I wasn't actually making any money; I was just getting a paycheck from the temp agency instead of the state.

Obviously there are still reasons to work. For its own sake, first of all. And second, to stay eligible for my healthcare, which was set to expire after three months without work. (I got back into the market just in time, but not fast enough to keep someone from fucking up my paperwork and taking me off their books even though I was still paying in every week. I had to call three different departments to get it corrected and my last prescription covered.) But there's still a definite sense of frustration in knowing that you're effectively working for free.

More than one other tech actually told me I should slow down and deliberately take longer to do the work so that I wouldn't get sent home in the middle of the week to await the next shipment. What a position to be in -- effectively being punished for being efficient, and incentivized to slow down and waste time.

This, as you will see, was to become a recurring theme.

Job 3: Company You've Probably Heard Of If You Live in North America, Retail Business

Job: Phone support
Distance from Current Home: 30 miles
Distance from Apartment Where I Lived 4 Years Ago: Directly across the street
Best Thing: Coworkers seem like all right guys
Worst Thing: The single worst job I have ever had. Fuck these people.
Length of Service: About a month

On some level, this fucking fiasco was my own doing.

I'd been poking through listings on some job site or other (probably not CareerBuilder; I quit using it after I discovered it was the thing that kept locking up my browser and hanging my entire system) and I noticed an IT job being offered through my temp agency which my rep hadn't brought to my attention. So I E-Mailed him and asked about it. In hindsight, I should have assumed there was a good reason he hadn't approached me about it.

It was phone support. Not phone support like I'd done before, but in a phone bank -- I had a few feet of shelf that I wouldn't really refer to as a desk, partitioned off from the guys next to me by small dividers that I wouldn't really refer to as a cubicle. Every morning at 6 AM I pulled up whatever broken chair nobody was sitting in, put on a headset if it was still where I'd left it the day before, and started working my way through a list of branches to call to walk their managers through installing new kiosks that didn't work very well in buildings that, half the time, weren't cabled correctly. (Ever walk a retail manager through recabling a patch panel? I've done it six times before breakfast.) It was dimly lit and it was dehumanizing -- I'd compare it to an assembly line, but the assembly lines I've seen are a whole lot livelier and more fun.

(I will grant one thing to the "cog in a corporate machine" setup: this is a company with hundreds of stores, all organized exactly the same. Each store has the same patch panel with the same numbered ports that go to the same rooms and assign IPs based on the same scheme. There was this in-house .NET program we had that would let you plug in a store number, automatically populate the IP address for every port in the place, and give you a one-click ping for each one. That's the advantage of a company that treats its stores as uniform, cookie-cutter widgets. The disadvantage is that it treats people exactly the same way.)

I spent most of each day on hold listening to the same fucking 16 bars of piano music over and over again. Periodically interrupted by a recorded voice telling me I was on hold, of course -- and if I ever meet the son of a bitch who decided to stick voice recordings in the middle of hold music, I am going to gouge his eyes out with my thumbs. I know I'm on hold, asshole; that's why there is music playing. About the only thing that could trick me into thinking that I wasn't on hold would be if the music abruptly stopped and I heard a human voice instead.

There were a couple of guys there who I'd gone to high school with. One of them I recognized but hadn't really known very well; the other used to pick on me but claimed not to remember me (he blamed it on the drugs he'd been doing back then and I am inclined to believe him). Now, remember how earlier I expressed frustration that my career hasn't really gone anywhere? Well, if you want a symbol that will hammer that little insecurity home, suddenly finding yourself sitting next to a couple of guys from high school is a pretty good one. But probably not as good as being directly across the street from the apartment where you lived back when you worked a previous dead-end job. Man, that would have been a sweet commute in 2007!

So no, let's say that this job wasn't the best fit for me. But dammit, I got up every morning at 4:30, put on a smile, went in, did my job and did it well. I blew through every task they gave me and asked for more.

This, as it turned out, was a problem. But nobody ever actually bothered to tell me that.

One morning I walked in and found that my login wasn't working. I asked the guy who'd been training me; he hemmed and hawed and wandered off for a while, then came back and told me to turn in my badge.

It bears repeating, at this point, that I had just driven 30 miles to show up to work at 6 AM.

My rep told me that they'd called his office the previous evening to tell him to call me and tell me not to come in to work in the morning -- after he'd already gone home for the day.

He added that I'd been sacked because they thought I didn't schmooze enough with the end users over the phone -- something that nobody had ever actually complained to me about. I wasn't rude, or even brusque; I was just, in my rep's words, "too focused on getting the job done". I'm used to support jobs emphasizing getting the task done quickly, because the user doesn't want to be on the phone and wants to get back to what she was doing. But apparently that's not how it worked at this company; they wanted me to slow down and shoot the breeze -- except nobody ever bothered to tell me that. Come on, guys, if you want me to talk about the weather, just say so -- I have quite a lot to say about the weather in Phoenix in June, even when half the state isn't on fire.

Anyhow, it's the only job I've ever been fired from. And nobody even bothered to tell me there was a problem, let alone that I'd been fired.

The guy who walked me to the door was apologetic and told me not to worry about it, that people get fired from that place all the time through no fault of their own; maybe just for looking at somebody the wrong way. And it occurred to me that I'd passed my boss early one morning in the hall and, when she asked how I was doing, cracked a grin and responded "Hanging in there" -- and she apparently took offense that I hadn't said something more enthusiastic.

On the whole, pretty demoralizing and upsetting, and far and away the worst professional experience I have ever had.

Of course, I use the term "professional" in its loosest possible sense.

Job Interviews

Through it all, of course, I was interviewing wherever I could.

There are lots of stories I could tell. The temp agency I spent half an hour trying to find. The interview where I referred to a former coworker as "A temp like me, but kind of a slacker" but the interviewer just caught the "like me, kind of a slacker" part and that pretty well torpedoed me. The interviewer who asked me about a comment I'd posted about Spore's DRM on the FTC website back in '09 and then followed up by asking my opinion about SB1070. But the best story is the hosting company I saw advertised on a billboard.

"Do you know Linux? We're hiring!" said the billboard, with a colorful mascot next to the words. I would see it on the freeway on my way to work. Or maybe it was on my way home from work. Maybe it was both; I think they had more than one billboard.

Well, hell yeah I know Linux. I pulled up the website and submitted a resume. Turned out it was a hosting company -- even better. I spent most of '07 running the backend of a local ISP singlehandedly; I know my way around Apache httpd and MS IIS pretty well.

So they called me back, and the most immediately odd thing was that they told me the job was in Austin. Why would a company in Austin advertise in Phoenix?

Well, of course the answer is that they couldn't find anybody in Austin willing to accept the shitty salary they want to pay for Linux administration, so they're advertising in depressed markets that are full of desperate, unemployed Linux admins. But as you might expect, they didn't come right out and say that.

No, they gave me some talk about how they're expanding into new markets, and how they'd pay for my relocation, and they didn't balk when I gave them a deliberately high figure for my expected salary. They made the whole process seem very exclusive, putting me through three different interviews -- a general one, a second one with a series of technical questions, and a third where they had me SSH into one of their servers and demonstrate that I know my way around bash.

And then they offered me an hourly rate that was maybe fifty cents better than what I was currently getting in the phone bank. And a relocation fee that might have covered a U-Haul rental, deposit, and first month's rent on an apartment.

I hear Austin is a neat place, but no thank you.

It was about this point that I decided to read some employee testimonials on the place, and it sounded suspiciously like the terrible job I was already working at.

The billboards are down now. I wonder if they ever found anybody desperate or gullible enough to take their offer.

Job 4: Contractor for a Contractor for a Contractor, Insurance Industry

Job: Imaging laptops
Distance from Home: 32 miles
Best Thing: Getting work immediately after the previous fiasco; autonomy and people who were happy to see me
Worst Thing: Night crew fired after their first day
Length of Service: 6 weeks

Actually, before this job my rep sprang into action and got me a half-day gig fixing a company's QuickBooks setup, a mere 5 days after the debacle at my previous job. But I'm not counting that as its own section. My rep's cool, though.

Anyhow, shortly after the half-day QB fixer-upper, he found me something else and, at last, I got to be part of a Windows 7 refresh -- the precise thing that my boss, the previous December, had assured me would ensure my job security for another year, the week before announcing that the Windows 7 rollout had been canceled and so had my employment.

Anyhow, this one was interesting. The idea was to provide a minimum of disruption for the employees, while upgrading most of the office to Win7 in a matter of weeks.

So we had a night crew. They came in, ran a script to back up the user's files, either reimaged the user's existing computer or grabbed a new, freshly-imaged one that I'd already put together, restored from backup, and left it to me to walk the user through initial configuration the next morning.

At least, that's how we eventually got it working. The first night, things failed rather spectacularly.

I got in the next morning to find the night crew still there, a small handful of computers actually in working condition, and the rest in various states of completion.

The way I heard the story went something like this: one tech on the crew had asked the guy in charge what the plan was -- how they were going to split up the workload, what the schedule was, etc. He had made some vague "Just get started" noises. She asked him a few more times; he responded similarly. Finally she just went to work; she was responsible for the handful of machines that had actually been finished, while the other techs hadn't really worked out a plan for how to get their work done.

So the company fired everyone else and put her in charge of the new team.

After that it went really smoothly most nights. There were a couple exceptions -- one weekend when the generator had to be turned off for maintenance and so they couldn't come in to get computers ready for Monday, and one night when the AC was out and it was too hot to work. But no more problems from the techs themselves; the second crew did a really great job and made my life much easier.

Job 5: Company You've Probably Heard Of If You Live in the Southwestern US, Real Estate Business

Job: Imaging laptops
Distance from Home: 22.5 miles
Best Thing: Autonomy
Worst Thing: Still a bit of a drive.
Length of Service: 4 months so far, out of a one-year contract.

And from there I moved on to my fifth job of the year, not including freelance Web design or that one-day gig fixing QuickBooks.

This one comes with a one-year contract, so hopefully that'll hold and I'll still be there through next August. But I'm not going to take that for granted; one of the many lessons I learned in the Dank Pit of Phone Support last summer is that a six-month contract can turn into a one-month contract with absolutely no warning. Course, I've been working this one long enough that I am confident in saying that this time I am working for decent human beings, but again, it's not the people I've actually met I'm worried about. And every time I hear the Windows 7 rollout's been delayed, I get a little nervous.


I guess it's worth asking, what motivates me to come to work every day and do a good job? Here's what I can come up with:

  • Need for money
  • Need for health insurance
  • Pride
  • Loyalty to my coworkers

It's instructive to note the things that aren't on the list. "Hope for promotion" and "fear of losing my job" are conspicuously absent -- yes, I do feel both of those things, but as I've mentioned several times, I have absolutely no sense that my employment or advancement is tied to my performance in any way. They're motivating factors just as much as the potential for finding a $100 bill on the ground or tripping and cracking my skull -- they're both things that have some potential for happening, and my job performance has about as much to do with the likelihood of either one.

Also missing: "company loyalty". And unlike those other two things, this isn't something I have in the slightest. I am, as I said, loyal to my coworkers, and I appreciate my rep at the temp agency, but that's not the same thing as being loyal to either the company I'm working for or the company that placed me there. If I get a better offer I'll take it -- and those last two bullet points are the only reasons I'll give two weeks' notice.

On the whole I'm not entirely sure this is a bad thing from my perspective -- hell, the ideal list would probably have two bullet points instead of four. Company loyalty, the stick of firing and the carrot of advancement -- I don't need those things to do a good job. But from the company's perspective, it's probably a bad thing.

And if I may be so bold, I think I'm probably representative of a good solid chunk of my generation. Educated, underemployed, unable to hold down a job for more than two years through no fault of my own -- what happens when that's your workforce? In the coming decades we're going to find out.