Slashdot Mirror


User: GiMP

GiMP's activity in the archive.

Stories: 0
Comments: 1,323

Comments · 1,323

  1. From inside the trenches on Microsoft, Amazon Oppose Cloud Computing Interoperability Plan · · Score: 3, Informative

    From someone that is following this closely from within the "cloud services community", has read every article, every relevant blog, twitter, forum, and newsgroup post, I hope I can bring some enlightenment to this issue.

    The CCIF is an organization that is supposed to be little more than an "open forum" between those in the cloud services community. I'm not certain if its role should even be to make such statements or issue documents, but if it is, that those statements should be discussed and agreed upon by its members. This manifesto appears to have been created secretly by the founders of the CCIF without discussion, review, or disclosure directly in contrast to the goals and promises of the CCIF. Instead, that review and disclosure only happened behind closed doors with "large companies" such as Microsoft and IBM. As I made it quite clear on the CCIF newsgroup, regardless of the origin of the document, it is of my opinion that the CCIF as an organization should not endorse any documents without a vote by its members.

    So far, it seems the plan is that the CCIF will officially release this document on Monday, prior to the meeting it will hold on Thursday in NYC. I hope that those behind the scenes here realize that the best course of action is to wait until Thursday and secure a vote by members present at that time.

  2. Age not the issue. on With a Computer Science Degree, an Old Man At 35? · · Score: 2, Insightful

    You say that you "wasted your twenties". I think this will be more of a struggle than your age in the hiring process, especially for entry-level positions. Potential employers will wonder what type of person "wastes their twenties" and ask themselves if they want to hire that sort of person. You need to have an explanation for the past decade which puts you in a positive light, even if the circumstances are bad. However, once you do manage to squeeze yourself into a career and have some solid, relevant experience, you can get that all past you.

  3. Re:The Real Problem? on Google Engineers Say IPv6 Is Easy, Not Expensive · · Score: 1

    Yes, I think this is the biggest barrier to adoption, and I'm not just talking about for residential connections. I was recently hunting for IP transit in center-city Philadelphia and found that very few carriers provided IPv6. For now, we're playing "wait and see".

  4. Don't go overkill. on Reasonable Hardware For Home VM Experimentation? · · Score: 2, Interesting

    I run a VPS hosting company, my job is to research, set up, and maintain a cluster/grid of servers running Xen with hundreds of guests (virtual machines). For testing and even for deployment, we've used machines as simple as a single-core AMD 3800 with 80GB disks in RAID-1, and 1GB of RAM. These aren't the most profitable machines, as they can only support as many virtual machines as can pay for the electricity and square footage, but they work perfectly fine for up to approximately 12 guests. I do highly recommend a dual-processor or dual-core system, though.

    If you want to know how much you can stress a system, for highly-dense numbers of guests, I try not to load more than 15 guests and 2GB of RAM per CPU core. Of course, if you plan to have a low-density of guests (say one guest per core), you'll need to adjust accordingly.

    I found that for my home office, where I often have pretty excessive needs such as installing multiple operating systems and performing multiple large compiles at the same time, a dual quad-core system with 16GB of RAM is overkill. Right now, I'm using a single quad-core workstation with 8GB of RAM and it works pretty well for me, and is probably still a bit more than I need.

  5. Bonding? Boring. on World-First VDSL2 Demo Gets 500Mbps Data Transfers · · Score: 4, Interesting

    VDSLv2 gives you 100mbps. Technically, they would only need 5 lines to reach 500mbps, but I imagine their "500mbps" is actual throughput, thus the requirement of a 6th line to reach this figure. However, this is with bonding. They could have just as easily claimed 10gbps speeds, by bonding 20 lines. VDSL2 bridges are readily available and bonding isn't anything special. The summary, the article, and the whole press release is just bull.

    As for if this is a good idea or not, it depends on the distance. This only makes sense for distances between 100m and 300m. Otherwise, there are better options. If your distance is shorter, run Ethernet. If your distance is longer, you're either going to lose performance or consider running fiber.

  6. Re:One size fits all on Living Free With Linux, Round 2 · · Score: 1

    I find it interesting that when my wife and I were married in 2002, she had never seen or used Linux or any other Unix system. At the time, I only had three computers, one ran FreeBSD, another Irix, and another had both MacOS9 and Linux. None of them *could* run Windows, so she really didn't have a choice, and we didn't have the money to buy another computer. I think she found it a little awkward at first, but she got used to it, and had no immediate problems doing what she needed or wanted to do at the time.

    Certain things like virtual desktops bothered her, but now she loves some of the things she had first hated. Recently, for instance, I found out that she bugged the IT guy at work into configuring virtual desktops for her company laptop (running Windows).

    These days, she has used Linux enough that she usually recommends it to people, when even I wouldn't! I generally don't recommend Linux to people directly anymore, I simply tell people that I use it, that it is more stable and secure, and that I think it can be very user-friendly. She, however, despite having had broken wifi drivers and living without sound on her computer for a year, recommends it to everyone without hesitation or warning! This might be due to the fact that if I recommend Linux to someone, I'll be helping them with it, but if she recommends that someone use Linux, I'll be helping them with it ;-)

    Regardless, the point (if there is one) of this story is that Windows users, especially wives, can not only get used to Linux, but can learn to love some of the great features (like virtual desktops) that might at first seem annoying.

  7. Myths, misunderstandings, and braindead ideas. on Locking Down Linux Desktops In an Enterprise? · · Score: 1

    The problem with the "Microsoft mentality" is that Microsoft's Group Policy allows for a number of things, related to both lockdown and configuration, and it really confuses the issues. Sometimes it is important not to give people what they *want*, but what they *need*.

    As others have said, you can manage network configurations with NFS, CFEngine, Puppet, and SSH. You can also configure thin client architectures. However, despite how much you think you *want* it, what you do not *need* is to lock down machines.

    There are certain situations where locking down machines makes practical sense. Kiosks, for instance, or for that receptionist that keeps dropping her desktop icons in the recycle bin. However, "lock down" should NOT be a security mechanism. It is not, cannot, will not, and should not ever be a security mechanism in any environment, including Microsoft Windows. If you think that "lock down" is a security mechanism, read some RFCs, read some books, man pages, and take classes. If you can't do that, or you do that and disagree, change your career.

    You might think my attitude is harsh, but I'm tired of this stale way of thinking. Client systems are increasingly dynamic and flexible, and are so by their very nature. You could spend thousands or even millions deploying SELinux, content filters, Radius, 802.1X, configuring BIOS passwords, upgrading to systems with TPM chips, and so forth, only to lose the battle to a can of compressed air or a user that installs a web-based VNC Viewer on a webpage somewhere. Sure, lock down flash and java applets too, just wait until HTML5 and the canvas tag! You're going to block that too? That will work, maybe, for the first couple years, until it is so ubiquitous that you can't reasonably block it.

    My point is, you cannot stop client systems. It is a lost cause. What you can do is secure your network, secure the physical environment, and provide network configuration. If you want to provide network configuration, do so to assure that systems are configured with reasonable defaults as not to make the jobs of the employees more difficult, but to make their jobs easier. The only thing accomplished by overly restrictive "lock down" mechanisms is the waste of company money. Wasted hours on configuration, wasted hours by the employees in circumvention, and wasted money on the additional employees you'll need to make up the loss in productivity.

    Again, if you missed it, the only reason you, as a Systems Administrator, want to touch a client system, is to make the system more convenient for your users and enable them to perform their tasks better. That only includes "lock down" when the alternative is an inconvenience, like the receptionist that can't keep his icons in the right place. If you need security, that should always be done on the server, on the network, and physically.

  8. Re:Without having RTFA... on Big Swedish Filesharing Server Seized · · Score: 1

    For $30k, you can get 64TB of (usable) storage on top of RAID-10. Two Areca controllers, Chenbro SAS expanders, Supermicro cases, and Seagate 1TB ES.2 disks. All in about 24U.

    You can do it for around $15k if you just want RAID-5, RAID-Z, or similar.

  9. Re:Analysis on Terry Childs Case Puts All Admins In Danger · · Score: 1

    I'm not arguing it makes sense, only that it might be the prosecution's case. Of course, there are two possible scenarios, one is where someone leaves voluntarily, and the other is when they are removed from the position. Clearly, when someone is removed, they don't have the opportunity to remove their access, legally.

    What is apparent in this whole case is the ineptitude of the city. From what I've read, it seems the city never made sure that anyone else had vital information, they fired him prior to getting that information, and Terry Childs saw no point in providing free assistance and information to an entity that let him go. In fact, as far as I'm concerned, according to my understanding of the case, the only thing that might possibly be illegal here, as far as Terry Childs is concerned, is that he still retained and remembered those passwords after he left their employment!

  10. Re:Books on Jurassic Web · · Score: 1

    There are some similar books today which revolve around style and design. That is, books that showcase, highlight, and sometimes even deconstruct the design of actual sites on the web. Other books simply catalog the "best sites" of the year, as a printed version of the internet archive.

    I recently bought such a book to help me improve my ability to create pretty, yet effective websites. Sure, I could have just looked at sites on the web, but this book categorized design details and provided insight into design and layout.

  11. Re:Analysis on Terry Childs Case Puts All Admins In Danger · · Score: 4, Interesting

    The other possible outcome is that they'll say that he had permission to configure access, but when that privilege was renounced, that he should have removed remote access... in which case, I question how they would ever expect to let anyone go if they would have to go through such trouble each and every time?

    The truth is that often enough, companies don't change passwords, or at least not all of them, when a Systems Administrator leaves. Even in very small shops, it is very difficult to keep track of all the places passwords might be hiding, where remote access might be left enabled. For other employees, it isn't as tough, they might have access to one or two systems, but for an SA? You might never be able to lock them out completely, and simply rely on trust, morals, and the law. For instance, an SA might have set up a router just to test new IOS releases on, test, etc. Nobody else would have used it other than that SA, and nobody else would have known of it or thought of it. Such a router could be on the network for years without being noticed. Such issues will only become more apparent with "VM Sprawl", where you might have thousands of virtual machines. Without strict auditing, and even with it, you'll easily miss a stray virtual machine floating out there.

    The point is, once you give someone access to your network and your systems, to the level that a CTO, Senior Systems Administrator, or Network Administrator might have access, you can't ever be certain of locking them out of your systems, and you shouldn't be able to punish them for not remembering to lock themselves out -- only because it is too easy to make such mistakes or to have such oversight.

    Personally, whenever I've left a job, I've done my best to forget everything possible that was specific about their configuration. I'd rather not remember the IP addresses of their machines, their passwords, or anything else -- there is too much liability.

  12. Analysis on Terry Childs Case Puts All Admins In Danger · · Score: 4, Informative

    First, I'll remind everyone that the code 502 in question is only applicable in California.

    The phrasing of the law at the root of this discussion is, "Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section."

    What I imagine the prosecution will argue is that Terry Childs had no right or explicit permission to configure remote access. The defense will likely counter with the fact that as their Systems Administrator he had implied permission as part of his job's duties. Depending on the outcome, this might trigger Systems Administrators to seek contracts shielding themselves from such risks, or seeking express, written permission for everything they do. Of course, considering how badly companies abuse their employees, and how many employees are naive enough to not protect themselves legally, it will likely just be ignored and we'll see more cases like this.

  13. Re:bleh. on Midnight Commander Development Revived · · Score: 1

    Besides the fact you can manually specify files in cp/mv, you can do directory comparisons in all sorts of various ways with find, diff, patch, tar, etc... Not to mention rsync.

    I understand you like 'mc', but I'll pass.

  14. Re:bad Seagate, bad! on Seagate Firmware Update Bricks 500GB Barracudas · · Score: 1

    VPS hosts (at least the one I run) do have high IO requirements, but it is cheaper to run RAID-10 with SATA than to buy SAS disks for the amount of storage we require. In my case, I've been buying the Seagate ES.2 drives because they can accommodate higher IO, now I've got terabytes of storage to flash/replace. Then again, I'm running RAID-10 so it might be better to just live with the possibility that drives might fail at a greater than normal rate than to bother replacing or flashing them. The failure only happens *rarely* on boot, we typically don't reboot more than once every year, and with virtualized storage the disks go down even less frequently -- perhaps every 3 years.

    I warn the OP here regarding WD, though, because we did look at running the WD-RE2 drives instead -- we bought two. Of those, one failed within the first month. I know that disk failures happen, but it was a really bad first-impression.

  15. Re:Make it simple, use raid 10 or raid 5. on Single Drive Wipe Protects Data · · Score: 1

    Ugh.. please ignore what I just said about RAID-5. I feel like an idiot, and in public too! Can I call a mulligan? I forgot that only the "parity" stripes are pads, the other stripes are "plaintext". Parity is then calculated on reads when the array is degraded (thus a very good reason to keep a hot spare...).

    All the other stuff about RAID-10 still applies to RAID-5 though. On that, I think we agree on all accounts except perhaps what some organizations might consider acceptable risk -- which I'm simply stating is a subjective matter, and that RAID will decrease (but not eliminate) the risk.
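An added illustration of the correction in the comment above (not part of the original comment): a toy RAID-5 layout in Python showing what a single discarded member disk holds and how N-1 members rebuild the missing one. The chunk size, parity rotation order, and sample records are constructed assumptions, not any real controller's on-disk format.

```python
from functools import reduce

CHUNK = 16  # bytes per chunk; constructed for readability (real arrays use far larger chunks)

# Constructed sample data: 36 fixed-width 16-byte records (not real credentials).
SAMPLE = b"".join(b"id=%04d;pw=hunt;" % i for i in range(36))


def xor_chunks(chunks):
    """XOR equal-length byte strings column by column (RAID-5 parity)."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*chunks))


def raid5_write(data, n_disks, chunk=CHUNK):
    """Lay data out over n_disks with rotating parity.

    Returns (disks, roles): disks[d][s] is the chunk disk d holds for
    stripe s, and roles[d][s] is 'D' (data) or 'P' (parity).
    """
    per_stripe = n_disks - 1
    stripe_bytes = per_stripe * chunk
    data = data + b"\0" * (-len(data) % stripe_bytes)  # pad to whole stripes
    disks = [[] for _ in range(n_disks)]
    roles = [[] for _ in range(n_disks)]
    for s in range(len(data) // stripe_bytes):
        block = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        chunks = [block[i * chunk:(i + 1) * chunk] for i in range(per_stripe)]
        parity_disk = (n_disks - 1 - s) % n_disks  # parity rotates per stripe
        remaining = iter(chunks)
        for d in range(n_disks):
            if d == parity_disk:
                disks[d].append(xor_chunks(chunks))
                roles[d].append("P")
            else:
                disks[d].append(next(remaining))  # stored verbatim
                roles[d].append("D")
    return disks, roles


def exposed_by_single_disk(disk_chunks, disk_roles):
    """Original data readable as-is from one member disk, no other disks needed."""
    return b"".join(c for c, r in zip(disk_chunks, disk_roles) if r == "D")


def rebuild_missing(disks, missing):
    """Reconstruct one absent member from the other N-1 members by XOR."""
    others = [d for i, d in enumerate(disks) if i != missing]
    return [xor_chunks(stripe) for stripe in zip(*others)]


def exposed_fraction(data, n_disks, disk_index):
    """Share of the original data sitting in the clear on one member."""
    disks, roles = raid5_write(data, n_disks)
    leaked = exposed_by_single_disk(disks[disk_index], roles[disk_index])
    return len(leaked) / len(data)


if __name__ == "__main__":
    disks, roles = raid5_write(SAMPLE, 4)
    leaked = exposed_by_single_disk(disks[0], roles[0])
    print("roles on disk 0:", "".join(roles[0]))
    print("first readable record on disk 0:", leaked[:CHUNK])
    print("fraction of data in the clear on disk 0:", exposed_fraction(SAMPLE, 4, 0))
    print("disk 2 rebuilt from the other three:", rebuild_missing(disks, 2) == disks[2])
```

With evenly rotated parity, each member of an N-disk set carries roughly 1/N of the data unmodified, which is why a disk leaving the array still needs wiping or encryption at rest.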

  16. Re:Make it simple, use raid 10 or raid 5. on Single Drive Wipe Protects Data · · Score: 1

    Slashdot's HTML filter took out from the end, "<(N-1)"

  17. Re:Make it simple, use raid 10 or raid 5. on Single Drive Wipe Protects Data · · Score: 1

    1) Yes, I acknowledge this. First of all, RAID-1 is mirroring, not striping. Precisely for the reasons you mentioned, however, RAID-0 isn't very secure. Yet, if you blindly toss away a RAID-0 disk, you will not expose 100% of your data, and whatever data is revealed will be very obscure. This is particularly true if you have data that deals poorly with data loss, and even more true if you have many drives being striped. I entirely acknowledge the flaws, but I note it depends quite extensively on what your security requirements and concerns are, your stripe size, array size, and other factors. Clearly, RAID-5 is much better on a broader set of deployments, security-wise.

    2) RAID-5 is essentially a one-time-pad. Yes, it is cryptographically secure. Basically, the disks are divided into N stripes, each disk having a single stripe for parity. On each write to the disk, the parity is calculated via a simple XOR and written to disk. Each disk has a parity stripe for performance (as opposed to putting all of the parity on a single device, such as with RAID-4). If you know how XOR works, and what a one-time-pad is, then you should know at this point why RAID-5 is cryptographically secure with any number of disks (N-1)

  18. Re:Make it simple, use raid 10 or raid 5. on Single Drive Wipe Protects Data · · Score: 1

    As if it wasn't clear, if you're using RAID-5 or RAID-10, and your disks are discarded individually, and the data on the arrays changes significantly enough between each time another disk is tossed, it is not necessary to wipe the disks before discarding. Obviously, this doesn't work as well if the drives very infrequently have data rewritten, but even then, you can assure the security by doing a "wipe" of N-2 disks of a RAID-5 set. The amount you would want to wipe of a RAID-10 array depends on what percentage of the data you are comfortable with exposing.

    Also, I thought about it a bit more and figured I might explain how RAID-10 becomes "more secure" as the array grows. I meant to say that the threat from a single compromised/exposed disk is lower, the larger the array. The greater the number of disks in the RAID-0 set, the more disks the attacker must acquire. Yet, the attacker only needs N/2 disks to complete the RAID-10 array, and each disk acquired provides them a "piece of the puzzle" -- comparatively, RAID-5's "puzzle" cannot be completed without N-1 pieces.

    Finally, RAID-50 might be an option for those looking at increased performance and capacity, and having the "security" of RAID-5.

  19. Make it simple, use raid 10 or raid 5. on Single Drive Wipe Protects Data · · Score: 1

    I use RAID-10, it makes it really easy to toss disks, although it would be equally simple with RAID-5. Normally, I just toss one drive at a time, not a whole array, and by the time subsequent drives are tossed there is too much of a differential to rebuild any data. With RAID-5, this is made really simple because you would need to have N-1 disks to have any chance to recover the data -- it is cryptographically secure. However, RAID-10 can be quite decent in this regard as well. The more disks of the RAID-10 set an attacker recovers, the more data they will have, but that can be trivial as arrays grow larger (RAID-10 is more secure in large arrays than in small ones).

    Really, I think this is one of the most overlooked advantages of configuring NAS and SAN solutions for one's enterprise or small business.

  20. Re:You're out of time on Windows 7's Media Hype Having the Opposite Effect As Vista's · · Score: 4, Insightful

    Have you actually tasted commercially packaged, pre-sliced bread? It is terrible. Go to a good baker, now, and get a fresh whole loaf. No, don't go to the supermarket, a real baker! If you're fast, it might still be nice, warm, and crispy.

  21. Re:Do you really want to know? on The Secret Lives of Ubuntu and Debian Users · · Score: 1

    There has been Linux software on the shelves of stores that Windows users would buy accidentally. Notable examples would be Wordperfect and the Loki titles. The most obvious example might be the boxed Linux Quake 3 "collectible" tin. It was great that Linux users actually got something better than the Windows and Mac users, but I wouldn't be surprised if there were a good number of people that bought the "pretty case" without realizing it was only for Linux -- even with the words "Linux version" emblazoned on the front -- at a time when Linux wasn't as well known as it is today.

  22. Re:I've been using linux since the mid nineties. on The Secret Lives of Ubuntu and Debian Users · · Score: 2, Informative

    Please refer to this list of several thousand video cards and type in the hexadecimal representation for your given video card and chipset as provided in the list! Note - if you get this wrong your monitor and/or video card may expel magic smoke.

  23. Re:Do you really want to know? on The Secret Lives of Ubuntu and Debian Users · · Score: 4, Insightful

    It isn't required, but they *tell* you it is required. The problem I've found with family that I'd give Linux machines to is that they would just go out and buy software, hardware, and services without checking if they were compatible with Linux or consulting with me. There are many users that don't understand what an OS is, they think that there are "computer CDs" and that they work like DVDs (and work everywhere). Really, those users aren't wrong -- it's the situation that is screwed up. We should have been using a standard interpreter years ago, such as Java. People can lament the Java implementations all they want, but it was a great idea.

    Those same users, when they get a CD from Verizon telling them to put it in, to get their internet working, will do just that. If it doesn't work, they won't blame Verizon (who is rightly at fault), they'll blame their computer for "not working right". Surely, because to them "computer CDs" are like DVDs and will "just work" unless their computer is broken. I know that this happens to Windows users too on occasion, they'll buy programs that only work under MacOS or Linux -- this happens much more rarely than the other way around, of course.

    Of course, readers of Slashdot will know *why* it doesn't work, and *why* the situation is as it is, but we really need to do something about this. There should be a trademark logo program that can be used to certify disks or procedures that are platform independent. Verizon should make it clear that Linux (and other) operating systems will work with their services, and provide ample instructions that will not confuse users that don't know what an "operating system" is.

    Vendors really need to get on the ball and realize that Linux is getting on enough devices now that they *do* have to support it, and they can't make it a magic black art that only power users and greater can accomplish. Linux on the desktop won't be a success as long as our grandmothers get hung-up on when they say their computer has Linux running on it. Grandmothers won't know that they need to lie on the phone when they call technical support, they won't even know what lie to concoct, and they shouldn't have to lie.

    The truth is that if you run Linux today, you need to know what you're doing or entrust management of your systems to someone that does -- not because Linux is difficult, but because vendors will make your life hell otherwise.

  24. Re:If you really want to stream... on Streaming the Inauguration In a School? · · Score: 1

    I agree, although I wonder about licensing rights? Can they do this legally? Assuming they can, there are many sorts of variants of this theme. Is this why you can't just use televisions, or are you hoping to make use of large-scale projectors that won't accept a TV input? Why weren't you in an auditorium again? Well, okay, let's assume you do this with technology... grab a cable feed and stream it on your LAN, it won't touch your T1. The only reason you would need to touch the T1 is if you don't have cable anywhere in the school. Then, you could stream it from off-site somewhere. Assuming it is done on the LAN, you don't even have to bother setting up and using multicast for only 20 classrooms if you have FastE, unicast will work fine.

  25. This sounds nice... on How Does a 9/80 Work Schedule Work Out? · · Score: 1

    Compared to the 10/90 (5/45) schedule, 9/80 sounds pretty good! Basically, I'd get days off? Nice. When I was employed, this is the sort of schedule I'd run, if I was so lucky, whenever I didn't have an emergency keeping me at work overnight. Overtime? No chance. On rare occasions I might have gotten a bonus.

    The torture of the long hours and the long commute is why I took a big pay cut and started my own business.