I used to work for our drunk university a few years ago before I moved along to better opportunities. Dr. Alberts is brilliant and they have made huge strides in getting the maglev operational. I will be highly impressed if they get the maglev working without reinforcing the concrete, alas I do not think that is possible. I am planning to return to the Norfolk area eventually (civilian contract work for the Navy) and pursue my master's in Physics. When I do, my goal is to work with Dr Alberts and his Maglev...
How are the parties on 42nd St? It's a shame the brickhouse (42nd and Powhatan) got condemned. They had the best parties in my day (I sound old already).
Our university has had this technology on our campus for almost 10 years now. If you're wondering how it works, check out Dr Lawrence Weinstein's page on maglevs. Our current problem is vibration, which makes riding at any speed intolerable.
AEN
And that calls the legitimacy of those policies into question.
because a policy makes life difficult does not mean it's not a legitimate policy. i have to walk through a security checkpoint every morning to get to my desk. if the card reader dies at that entrance, the policy is to redirect all employees to another entrance. it takes me 20 minutes to get into work when that happens. that policy makes my life more difficult, but is it legitimate?
In other words, getting work done is secondary to "process" and "going through the motions" and your own preference to offer no help on anything.
have you ever run a business? if you do not have well thought out processes and regulations, you tend to just run things at the flip of a hat. the downside is then you don't have any concept of where you are wasting your time or money. look at IT shops where they are always fighting fires, i guarantee you'll see there is a lack of process in their IT model. the first year i started our business, we went flying into it headfirst and picked up as many projects and contracts as we could. by the end of the first year i was run ragged and had more debt than profit. i took three weeks to detail processes from running our servers and networks (including an acceptable software policy, network restrictions, etc) to how we handle meetings with new clients. then for the next month anything that came up that didn't have a standard operating procedure was voted on whether we should standardize that process or if we deemed it was minuscule enough to address it if we had time (in fact we had a few processes that were standardized, but we specifically said if the consultant has time they could work on it at their heart's content as long as it did not impact our company. however, it was specific to those procedures.)
I'm guessing you work for the government or some large utility or some company that has a monopoly or near-monopoly and so it can afford to be completely process-bound in every way.
nope still work for myself, but we have a rather large datacenter now...
please note, i always use other departments as an example. before you reply again, take your same situation and adapt it to fit another department's business model. there is no reason why IT is so special that you are allowed to break legitimate policies to make life easier for someone.
Help them when they're trying to get their work done. What if you have a list of "approved" software and someone downloads something like firefox or GIMP or some other utility to get their work done? Do you help them get their work done? Or do you stand in their way because their software isn't on the "approved" list?
then first i would have the department build a business case for it. once it passes, it goes through the testing process that all approved software goes through. once that is done, the software is approved and is pushed onto that user's desktop (via SMS or other methods). i'm not standing in their way any more than payroll stands in my way when i need an advance on my paycheck (they need to follow their policies before they cut you a check)
What if Sally from HR took some pictures for documentation for work and needs your help to mount her digital camera?
is it her personal camera? tough nuggets. sally's manager should be involved if it is. sally's manager thinks it's ok? fine, keep moving up the chain of command until it lands at the HR director's desk (so he/she is aware of the possible spike in their IT budget... assuming each department pays their part for IT). first time, the problem gets resolved (or dropped) and minimal resources are wasted. multiple times, then sally's manager or the HR director will see that HR needs a dedicated digital camera, future incidents will be streamlined (instead of having to figure out sally's camera and then having to figure out jackie's camera and oh wait sally's camera driver was updated and breaks McAfee!...ad infinitum)
you're right. everyone uses usb flash drives, so let's rework our policy of not allowing any storage device to connect to our network to only allowing flash drives. we'll "train" our users not to pirate software from our networks. not to copy lil' jimmie's screensaver to our desktop. not to keep a copy of employees' SSN records on the flash drive.
oops, someone forgot about that silly training course and after being fired for allowing a virus to ravage your network (and the overtime in IT labor) the flash drive turns up on ebay complete with your employees' medical data and a copy of the software used to read the records.
so let me understand what you're saying.. you want me to dedicate additional resources to figure out why joe in accounting can't use itunes or sally in hr can't mount her digital camera? you are effectively wasting the company's time to help employees with their personal effects. okay how about you set up a toll-free help line to help your employees with setting up firefox at home or setting up their home network? sound silly? so does your idea of saying that IT is required to help users set up their unapproved software or hardware.
IT is a business function, just like the janitors. do you want your janitors to always come around and clean your employees' cubes because they are slobs, or would it be smarter to implement a clean office policy to reduce the overtime hours of your janitorial staff? overtime hours that can be redistributed into a bonus for all employees, for example.
people forget that IT needs to be profitable, otherwise the company would just outsource the IT work onto a third-party company (which is why you don't see onsite admins at hotels/car dealerships/etc). this extends beyond helping users with unapproved software. why do you think most companies stayed on windows 2000 well past its end of life? there was no real cost justification to upgrading to 2003/xp. eventually it became cheaper to upgrade than to maintain the old systems. however, if your current backup solution requires you to take down your application for 2 hours resulting in $10k lost revenue daily, it would be prudent to upgrade to 2003 and a backup solution using VSS which could back up your data while keeping your application alive. long term you make more money than if you kept the old solution. this is what the CTO and IT directors are doing in their closed door meetings. when those 'asinine' tasks come down from above, it's usually to make the IT department more cost-efficient, not to piss off users.
port security. you allow one MAC and if it changes, your system is dumped from the network. of course you can get around this and your whitelist method by spoofing your MAC address... this is where 802.1x comes into play
Something tells me you have never worked in a competent IT department. First of all
To solve the issue of personal laptops being connected to the corporate network, there needs to be some kind of server software where every approved device's MAC address is registered. When a non-approved device is connected, it will not be assigned an IP address by the DHCP server. This will cut 90% of the devices from ever being connected, since most lusers have no idea about MAC addresses, IP addresses, DHCP, and the fact that they can manually assign an IP address if they know the proper range. This does leave a rather gaping hole, though, so another layer of security is needed. It's not coming to me just yet...
go google for port security. problem solved. hell, microsoft's system center will quarantine you if your system even looks at the network funny.
On the other issue of people installing ICQ and whatnot, you set up all computers used by lusers to boot from a fresh image every time they boot. You'll have to set the darn thing up exactly the way it needs to be and then use VMware or some other solution that causes the computer to start from a known image each time. They'll install ICQ, but the next time they boot, it won't be there. They'll install it again. It'll be gone again. After five or six iterations, they'll get tired of reinstalling it. I would say that by properly setting up permissions, the issue of ICQ or any other software being installed in the first place will disappear, but given the way permissions work in Windows (and the way most software ceases to work unless you have Administrator privileges), that isn't a very good answer. The advantage of the approach where the system boots from a known image each time is that your lusers can get all the viruses, spyware, adware, etc., installed on their machine, but it won't be there for more than a few hours. Like the previous paragraph, not a perfect solution, but one that cuts down on your headache by 90%.
except that spyware was actually a planned attack on your corporate network to retrieve juicy data from your network. the "oh-it's-just-harmless-spyware,-it-will-be-gone-tomorrow" means you have just been owned and you have no clue how they got in. if i were your CTO i would fire you and all your direct managers that thought that policy was acceptable. there is a reason why unapproved software is frowned upon and why many software products exist to enforce application whitelists.
i don't think you fully understand the process they are describing.
It seems like an interesting approach, though it may not be as useful on Windows where there's not such a formal distinction between system calls and other kinds of calls.
can i have some of what you're smoking? if my exchange server is compromised and starts to serve webpages by binding to a port other than port 25, this method would catch it and kill the process in its tracks. this is an os-agnostic approach to stopping malware, they just used the linux kernel because it's free. don't be surprised if you see these kinds of features appearing in every major compiler/os over the next few years.
It won't do anything about interpreter code injection (eg, SQL injection or shell code injection)
Your application, which normally never spawns a process while in a certain function, will be killed as soon as it attempts to execute because it violates the model that was created at compile time.
or script privilege escalation attacks (eg, ActiveX and other "cross zone" attacks in Internet Explorer), or attacks that involve complete executable code drops.
it is designed to stop "cross zone" attacks, but it depends on the application developer's approach. i.e. ie7 would not benefit from this trick, but ie8 would (each zone is spawned in a new thread)
Still, this is useful and not nearly as dodgy as the article made it sound.
this should help curb the outrageous memory and cpu usage of the typical blacklist virus scanners of the present.
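As an added illustration (not code from the article or from the research the thread is discussing), here is a toy Python monitor that enforces a per-function system-call model of the kind described above, over constructed traces of a hypothetical SMTP server; the model, the function names and the traces are all assumptions made for this example.

```python
"""Toy version of the compile-time system-call model discussed above.
Assumption (not from the page): the compiler records, per function, the
system calls that function may make, optionally pinned to an argument
such as a port; a run-time monitor kills the process at the first deviation.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed model for a hypothetical SMTP server. An entry is a bare
# syscall name (any argument) or "name:arg" (argument pinned).
MODEL = {
    "accept_loop": {"socket", "bind:25", "listen", "accept"},
    "handle_session": {"read", "write", "close"},
    "deliver_mail": {"open", "write", "close", "rename"},
}

@dataclass(frozen=True)
class Event:
    function: str              # call site as recorded in the model
    syscall: str
    arg: Optional[str] = None

@dataclass
class Verdict:
    allowed: bool
    reason: str
    killed_at: Optional[int] = None   # index of the offending event

def check_event(model, ev):
    """Return (ok, reason) for a single event."""
    permitted = model.get(ev.function)
    if permitted is None:
        return False, f"no model for call site {ev.function!r}"
    if ev.syscall in permitted:
        return True, "ok"
    if ev.arg is not None and f"{ev.syscall}:{ev.arg}" in permitted:
        return True, "ok"
    return False, f"{ev.syscall}({ev.arg}) not permitted in {ev.function}"

def enforce(model, trace):
    """Walk the trace in order; the first violation terminates the process."""
    for i, ev in enumerate(trace):
        ok, reason = check_event(model, ev)
        if not ok:
            return Verdict(False, reason, killed_at=i)
    return Verdict(True, "trace conforms to model")

STARTUP = [Event("accept_loop", "socket"), Event("accept_loop", "bind", "25"),
           Event("accept_loop", "listen"), Event("accept_loop", "accept")]

# Constructed traces: a normal delivery; the compromised mail server that
# begins serving on a second port; a session that spawns a process from a
# function that never does so.
NORMAL_TRACE = STARTUP + [
    Event("handle_session", "read"), Event("deliver_mail", "open", "/spool/1"),
    Event("deliver_mail", "write"), Event("deliver_mail", "close"),
    Event("deliver_mail", "rename"), Event("handle_session", "write"),
    Event("handle_session", "close"),
]
WEB_SERVING_TRACE = STARTUP + [Event("accept_loop", "socket"),
                               Event("accept_loop", "bind", "8080")]
SPAWN_TRACE = STARTUP + [Event("handle_session", "read"),
                         Event("handle_session", "fork")]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("web", WEB_SERVING_TRACE),
                        ("spawn", SPAWN_TRACE)):
        print(f"{name}: {enforce(MODEL, trace)}")
```

The monitor has no notion of how the deviating call was reached, which is why, as the thread notes, it stops a bound port or a spawned process but not injected SQL or script running inside calls the model already permits.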
~$69, round trip.
This is valid for long-haul maglevs; short-track maglevs such as the one at ODU do not rely on superconducting magnets. Read the link I posted.
half-life 2.
are you sure that middle ground is necessary?