Showing posts with label microsoft. Show all posts

Saturday, January 3, 2015

Marissa Mayer's changes at Yahoo!, 2012-2013

Here's an excerpt from an upcoming book about Mayer and the history of Yahoo! If this account is accurate, she made changes that are very similar to Google practices, but I guess that's the only other company she's worked for - so no big surprise.

  • She tried to increase mgmt. transparency and communication, so she started a series of Friday afternoon townhalls called "FYIs" (Google's meetings are on Thursdays and called "TGIFs")
  • The food and drink at Yahoo! are free and high quality (I believe they were not free in the past?)
  • She implemented a goals-based quarterly performance review process ("QPRs", called "OKRs" at Google) with fixed percentages of workers allocated to each ratings tier (and repeat low performers would be let go)
QPRs are the biggest source of employee complaints now. It's possible that the Yahoo! system is closer to Microsoft's (that was abandoned after Ballmer left, due to myriad problems and perverse incentives). 

  • When FTEs are uniformly stack-ranked vs. immediate peers, the company risks punishing the "weakest" high performers on strong teams, and rewarding the "best" slackers on poor teams
  • The best talent didn't want to work together (harder to get top rating), and focused on specific projects that had the best chance of making them look good
  • Due to calibration (where higher managers could unilaterally change ratings for workers they barely knew so their teams would fit the target distribution), resentment and workplace politics increased - meaning less time spent on actual work
  • The quarterly rankings left little room for error and set people up for disappointment: an FTE who was rated misses/misses/meets/meets may still get fired, even if (s)he was showing diligence and improvement, and an FTE who was rated exceeds/exceeds/meets/exceeds might not get promoted
Mayer earned some love for refusing to carry out massive layoffs (~30-50% of staff) that the Board and others were calling for (she did conduct some small layoffs and product sunsets). However, some commented on Glassdoor that she carried out "stealth layoffs" instead. By eliminating WFH and implementing QPR attrition, Yahoo! likely encouraged less committed folks to leave, fired the ostensible low performers, and saved money by not having to pay severance. I am not sure how much their headcount has shrunk since Mayer joined, but some Yahoos are not happy that the salary saved from the stealth layoffs might have been spent to recruit new talent with comp packages much higher than what veteran Yahoos were making. And the stricter promo requirements of QPR make it harder for veteran Yahoos to advance and get raises too.

Yahoo! needed to cut some dead weight, motivate the staff, and recruit new talent to revitalize their business. Mayer seemed to carry that out with some success, but there were morale and priorities consequences. I'm not saying that turning Yahoo! around is an easy task (others have tried before Mayer), and you can't please everyone, but it may be hard to accurately estimate the net benefits of her policies because there are so many complex repercussions.

Wednesday, September 28, 2011

Interesting story of the Conficker worm

http://www.npr.org/2011/09/27/140704494/the-worm-that-could-bring-down-the-internet

The author of "Black Hawk Down" recently published a book about internet security and the Conficker worm, the most successful malware program known to date. I am not an IT guy, but from the interview, it seems that Conficker was written by expert hackers in Ukraine (who still remain anonymous) to tunnel into millions of Windows PCs and subtly control some of their processing resources, and then answer to a mother computer. Their aim seems to be the creation of a massive "botnet" of 10-12M slave computers worldwide that basically aggregate their processors to become the most powerful supercomputer in the world (even better than our best, expensive NSA comps). It's like those movies with the little nano-machines piling up to become a huge scary monster.

With this asset, the masters of Conficker may be able to brute-force crack computer encryption, presumably to guess passwords to steal money and/or secrets. 128-bit encryption technology can maybe produce gazillions of possible passwords (>10^38), which would take too long for even modern supercomputers to plow through. But the Conficker botnet can do this much quicker, and its masters are now "leasing" the botnet resources to other criminals seeking to steal something. In theory, the penetration of Conficker is so great that its masters would be able to shut down the global internet if they wanted, but they seem more inclined to use it to steal, so it's left unharmed.

How the heck does Conficker infect PCs? Good ol' Microsoft did not make Windows XP very secure, and their engineers eventually discovered a vulnerability for remote access. So they issued a typical software update/patch to close the hole, and anyone who regularly updates their Windows OS should be safe. But the problem is that most PCs running Windows worldwide are using pirated versions that are not eligible for updating (another consequence of OS piracy: exposing the whole internet and trillions of wealth to crime; thanks a lot, China). So those users are totally exposed unless they download antivirus software or a free anti-Conficker program written pro bono by the "Conficker working group" near Stanford (calling themselves "the cabal," a team of volunteer cyber-security experts who recognized the danger of Conficker and are trying to stop it on their own time and own dime, because gov'ts are way behind the curve and doing nothing).

The irony is that Conficker started infecting PCs after this Windows patch. It's possible that the hackers analyzed the patch to reverse-engineer and discover what the Windows vulnerability was, so MS gave the bad guys a free how-to guide to hack Windows! By trying to fix their product, MS brought about the Conficker infection (in addition to many other similar malwares that have been since identified, and lord knows what we haven't found yet). Another consequence of monopoly: concentrated risk. And even though Conficker doesn't affect Mac or Linux, that's not to say that those OS's are any more secure. The Conficker masters just see less value in infecting the much smaller global population of Macs and Linuxes, which would create a much wimpier botnet. So take that, Apple snobs (and FYI, iOS has been hacked repeatedly so far).

Why can't we identify and shut down Conficker? Infected PCs show virtually no symptoms of infection, and are blocked from receiving any new updates, so it is a very clever parasite (and as I said, most of the infected PCs are not in the West). It just uses the processor selectively without slowing down your normal apps. But all the slave comps must answer to the mother comp for instructions, right? Why not just use that communication to locate the criminals and shut it down? Well, Conficker is elusive and doesn't just route all slave communications to one IP address. Then it would be easy to track, like a phone trace. But each day Conficker commandeers 250 IP domains, so it requires more effort to track down, and recent Conficker strains now use 2,500 domains and even 5 "high level" domains that are very secure. The hackers know that the poorly-funded cabal is the only group trying to stop them, so they just needed to make Conficker communications too costly to trace and block.
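The "hundreds of fresh domains a day" rendezvous scheme described above does leave a footprint defenders can look for: most of a day's candidate names are never registered, so an infected machine generates a burst of lookups that fail with NXDOMAIN. The script below is an added illustration, not from the post or the book it discusses; it uses a constructed resolver log in a hypothetical "date client qname rcode" format and flags clients that query many distinct unresolvable names in one day.

```python
import re
from collections import defaultdict

# Constructed resolver log sample (hypothetical "<date> <client> <qname> <rcode>" format).
SAMPLE_LOG = """\
2015-01-03 10.0.0.5 mail.example.com NOERROR
2015-01-03 10.0.0.5 qpxvmw.info NXDOMAIN
2015-01-03 10.0.0.5 ztrkbl.org NXDOMAIN
2015-01-03 10.0.0.5 qpxvmw.info NXDOMAIN
2015-01-03 10.0.0.5 wvhxna.net NXDOMAIN
2015-01-03 10.0.0.7 www.example.com NOERROR
2015-01-03 10.0.0.7 typo.examlpe.com NXDOMAIN
2015-01-04 10.0.0.5 kdjqpr.biz NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (date, client, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def distinct_failures(text):
    """Map (date, client) -> set of distinct names that came back NXDOMAIN.
    Distinct names matter: retrying one typo is noise, while walking through
    many never-registered names in a day is the rendezvous pattern."""
    failures = defaultdict(set)
    for date, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            failures[(date, client)].add(qname.lower().rstrip("."))
    return failures


def flag_hosts(text, threshold):
    """Return [(date, client, count)] for clients with at least `threshold`
    distinct NXDOMAIN names in one day, highest count first. A real daily
    list of hundreds of names sits far above normal typo noise; 3 fits the
    constructed sample."""
    hits = [(d, c, len(n)) for (d, c), n in distinct_failures(text).items()
            if len(n) >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    for date, client, count in flag_hosts(SAMPLE_LOG, threshold=3):
        print(f"{date} {client}: {count} distinct unresolvable names")
```

Against a real resolver log the threshold would be tuned per environment, and the flagged names can then be compared with a published daily list for the strain in question or sinkholed at the resolver.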

So where the hell is the gov't in all this? Isn't our security and economy at risk? Conficker seems a lot more of a concern than a couple of Taliban fighters with AKs. Obama just started a US Cyber Command within the NSA, a whole year after Conficker was discovered, but I surmise that they are grossly unprepared for the challenges ahead. Russia crashed Georgia's e-infrastructure with a worm/virus prior to its military invasion. McAfee pretty much implicated China in hacking some major US websites too, so the writing is on the wall. Hasn't anyone seen "Live Free or Die Hard?" We need McClane to rescue us.

The cabal approached the Pentagon and NSA to ask for help to fight Conficker, and maybe even sequester their computing resources. But they were summarily turned down, possibly over territorial or state secrets issues. I am sure that the NSA has a couple interns working on this (what else could be a higher priority for them, Mugabe's cell calls?), but clearly they are not winning (like Charlie Sheen). Here's another hilarious side-story. Remember how the US and Israel crashed Iran's computers controlling their uranium enrichment program? It set them back like a year. It's quite possible that our spooks hired the Conficker botnet to do that, or at least created our own similar worm inspired by Conficker.

Corporate and gov't cyber security is not up to task, but in this climate of austerity, it may be a hard sell to demand more investment in this area. No one cares to protect themselves until after the first disaster strikes (even though a few have already struck, but we just didn't care). I am sure the Ukrainian gang is a super-talented bunch of hackers, but they should be nothing compared to the resources that China or Facebook (no connection suggested) can devote to cyber-security, or cyber-warfare. Modern states already know that the best way to bring each other down (besides nukes) is to crash the e-infrastructure that we so depend on and take for granted. And even so, a cyber attack could disable our nukes and military. The internet was developed by idealistic engineers who wanted a free flow of information, so unfortunately its structure is inherently vulnerable. We take the good with the bad, but ignoring the problem to this degree is just unacceptable. Fortunately, the likelihood of worms directly stealing our passwords and meager e-wealth is still quite low. But what's the value of our little savings account if our national financial system gets wiped out?