Oh, hang on - you didn't even get media!? What did they write the code on - laser-etched pits in the side of a chocolate teapot?
Some years ago, that may have been a problem...now, as long as I have a legal license, getting the install media is easy. No one cares if you torrent software if you aren't also getting the crack to use it illegally.
P.S., that's from a sysadmin standpoint; companies like McAfee really have no excuse not to be working towards this methodology.
I'd suggest this is how doctors work as well. It's poor engineering, but I'd bet people would claim it's the best we've got. It's the proactive/reactive IT debate. Is it better to keep locked down, smoothly running machines that fail at your expense? Or do you keep open systems that fail at the whim and fancy of your co-workers with you as their hero every time it's fixed? Human nature points people towards the poor option.
I'd argue that the former option (inarguably the better option from a security standpoint) can be very risky from a career standpoint. If you don't get it perfect the first time (and you won't), people will assume incompetence from you as you get everything working smoothly, and bitch and complain every time they can't do exactly what they want without going through you. You get labeled a tyrant, and even if you are very, very good and good with people, the wrong impression could leave you without a job.
Some might argue that that would be the sort of job you should want to lose. I'd point at the unemployment rate and that there are damned few companies hiring who would act much differently than that.
At least in the second option, you can get lots of praise and promotion.
I'm not saying it's right, but sometimes, you do what you're made to do by the higher ups because you can't afford to lose your job if you stick to your guns.
This is fine and dandy, if I only see it. But sometimes the support personnel take offence.
I've actually set up security questions on one system where it wouldn't let me answer it the way I wanted because of the language I used. Unfortunately, that really WAS the name of my first pet. Jerks.
As for support personnel possibly taking offense, they really should lighten up if they feel that way...if they can't take that sort of language, they are probably in the wrong field.
It's unreasonable to expect banks to have to assume that every connection may or may not be coming from a machine not under the control of their customer.
Maybe it's the whiskey, but I tried five times to parse that...short of taking out a pen and paper and working it out, I'm not sure what you are trying to say here.
As a company becomes larger, IT guy becomes a full time role. Eventually you need an IT staff. What percentage of your staff should be in IT depends on your business. But having 1 IT staff member per 10 or so users is a minimum.
Where I'm at, we have 2 IT (plus an IT manager) for just over 300 users. We just got approval to hire one more person.
With what we have right now, though, if we added two more people (for a total of four non-management IT staff), we would be comfortable in our work-flow. If we went up to your recommendation of 30 IT staffers, we would just cost our company tons of money to sit around playing StarCraft 2 all day.
A well designed network with good automation and a well-tuned corporate image, not to mention plenty of GPOs, allows a much, much lower IT to user ratio than 1:10. I'm not sure where that particular myth came from, or why it hasn't died yet.
Oracle doesn't "own" Java - they own the trademark, one implementation, and the conformance test suites to certify other implementations as to be able to use the name Java instead of, say, IcedTea.
Wouldn't you say that is pretty significant? I'm not sure that it is worth what Oracle paid, but I would see it as a fair amount of control over the future of Java.
Old tools could often make you lose a limb if used incorrectly. Therefore older people are much more hesitant to randomly try things, if they don't know and haven't been instructed on proper use.
I'm honestly at a loss here...we're saying it's a natural fear to cause serious bodily harm to oneself by a small electronic device such as a phone, which people poke and prod all day without any prior knowledge, because of experience with dangerous and dangerous looking, very large, sharp tools?
I'm not trying to troll you here; that's just what it sounds like to me, and I honestly can't get behind that idea. I'm not saying it isn't correct, at its heart...just that I can't excuse that attitude for that reason.
I'll buy, however, that there are still scary warnings all over the place (at least on the computer), and we techs are telling people NOT to just randomly click on things. So, we're confusing to ordinary, non-tech people: on the one hand, we call them stupid for clicking on everything, and when they stop clicking on things they don't understand, we call them stupid for not being able to figure it out. IT arrogance, in my opinion, is largely to blame for this attitude...people give up trying after being put down enough. So, without tech training to explain how all these various technologies work and work together, how do we teach people (older and younger alike) when it is okay to explore by clicking on things, and when it is not?
It's only intuitive because you know how to use iOS.
Huh. I've never used iOS before, and by looking at that, I would assume pressing the + would add an alarm...but, no; it's only intuitive to people who've gotten used to the obviously backwards iOS that everyone complains has a difficult to understand user interface /sarcasm
Note to self...don't feed the trolls.
And you wouldn't ask yourself "Hey, how can these people be so smart and so stupid all at once?" Maybe you need to think past the obvious a little more often.
I would never pretend to be good at something medical; that doesn't make me stupid, just that that is not where my strength lies. In the same way, I don't expect my doctor to be good with a computer, beyond what he needs to get his job done (EHR and all that).
I tell my users who are down on themselves about technology every day that they are good at something I'm lousy at...we all have our strengths.
Your way of approaching it ("How can you be so smart but so stupid?") is just arrogant and very off-putting to people. That attitude is what gives IT a bad image, and makes people want to avoid us when they should be working with us. If you can remember that they have their strengths, too, you won't come across as so arrogant, and you may just make someone's day for caring a bit more.
CentOS/RedHat does iptables exactly that way: you make the changes using iptables directly, then service iptables save, and it is done. Not sure, but I'm betting Fedora does the same thing.
I think the real problem here is that RedHat has a (very limited, sort of crappy) tui/gui interface to make changes to the firewall. I ignore it and strip out the RH chain when I set anything up...it's just easier to work with that way, and much more powerful. Heck, the RH tools don't even have a way to manually add a custom port (that I was able to find...I'll admit, I gave up on it very quickly and just started learning iptables commands).
Easily fixed: "service iptables save" once everything is working the way you want (though you might want to make a backup of the old rules before you do that, just in case...)
Just a side note: this is how RedHat/CentOS does it. I'm not sure about other distros, because I've not used iptables in any other distro yet.
IPTABLES changes aren't persistent between reboots.
Easily fixed: "service iptables save" once everything is working the way you want (though you might want to make a backup of the old rules before you do that, just in case...)
You know, I've been meaning to set something like that up for just that reason. I just haven't had the time yet.
I'll give you that Windows Update does not update anything outside of Microsoft products...this is unfortunate, and I agree with you on that.
As for the updates you do get, my point was that I'd rather not leave it up to the user to remember to update. Further, if I give a user the ability to update with a package manager like Apt, they will also have the rights to install anything they want on the system (providing it is in the repositories). I'm sorry, but I really don't want users doing that; those systems are often shared with others, and the more crap they install on them, the further away those systems get from the corporate image.
Maybe I'm being a bit paranoid and controlling, but as the system administrator, I want to know what goes on on my network. I'm sure there is a way to do that with Linux, probably even better ways. Unfortunately, they all take time to implement. What I currently have took relatively little of the short time I have to spare.
I insist that any PC IT provides has me listed as an admin with install rights.
If you were in my environment, I would deny that request. What makes you better than everyone else? How is IT supposed to adequately manage their systems if everyone is a mini-admin? Sure, you personally may not cause me any headaches, because you know what you are doing...however, everyone thinks they know what they are doing. I'd rather take the time to vet the software my users need, not from a need to control everything, but from a need to be able to manage my network.
Some are just doing it for a power trip...they are usually easy to spot, as they won't help you install anything unless you kowtow to them just the right way. I just want to make sure it isn't a virus and isn't going to interfere with the operation of other critical software on the machine.
I'd find the other side of the coin frustrating to be on, granted...however, remember there is often a good reason it is that way.
For the sake of your point, it does: Windows Update. Further, I can easily set it so it automatically runs without their intervention.
I'm sure you could do that with Ubuntu, as well...
Let me be clear: I'm not a Microsoft fanboi or shill, and in fact prefer Linux. I also don't hate on Microsoft like I used to, and see its use and benefits. Its security and update model may not be up to Linux standard yet, but they are showing a lot of progress and promise in that direction; they likely will never quite get there, but they are trying. I can lock a Windows network workstation up pretty well, and administer hundreds of boxes and users mostly by myself thanks to a lot of the built-in automation they have like GPO. Sure, I could do that with Linux, but it would take one hell of a lot longer, time I just don't have with as large a user base as I have to work with.
For my environment, Microsoft is also cheaper. Time IS money in the business world, and with non-profit licensing, MS is not really all that expensive, either.
Every environment is different, and has different needs. I can't even get my users to lock their systems when they walk away from their desktops, and that is just a two-key combination (Windows-key+L). Do you really think I can expect ALL of them to click on "Update" whenever they see it?
My solution is simpler for my users: they just do their work. Their systems magically update themselves at night (we disable rights to shut down their machines), scan themselves at night, and their user accounts have no local admin rights on their machines.
When I ran into an example of this, I remotely rebuilt the person's profile and the infection was effectively gone (or at least neutered, and my AV took care of the trailing bits). If that hadn't taken care of it (through some local rights escalation vulnerability or other), I would just drive over to the site with my external hard drive and a copy of Clonezilla and have them back up to normal with a brand new copy of my corporate image in half an hour.
It's not worth the time and hassle to fight these things anymore. When the infection appears, just carpet bomb: it's much faster, and much more likely to work, and the user loses almost nothing.
Would still be nice for a way to downgrade if an upgrade breaks something. When I had an issue like that come up, all I could find from Debian forums was "why would you want to downgrade?". Because it would have made a 5 hour outage only last 20 minutes, while I figured out what it was changing in the configs.
Sure, best practices weren't employed in my scenario, but when I saw that yum has a method to downgrade, I realized they build their systems around the concept that people make mistakes sometimes, and need the tools to undo them easily when they affect production systems.
I don't know about how you would do it, but my password safe requires four bits of authentication:
I have to have physical access to the machine it is on.
I have to know the password to log on to that machine (technically, this can be bypassed with physical access...)
I have to know where the password safe is.
And I have to know my (fairly secure) password, which I do not share with anyone, and does not match any other sites.
There are ways around those, but the truth is that no one cares enough about my secrets to even go so far as finding my password database, let alone reverse engineer its encryption. There are simply too many other, easier targets to go after.
If I needed to add another layer of security, I could always account-bind it and add a file key that I keep somewhere else...
Security can always be breached somehow. The trick isn't to make security perfect, but to make it the right balance between secure and usable (without usability, what point is there to security in the first place?)
Not to mention: I don't know about you, but for me, the more frequently I use a password (especially a new one), the faster and faster I type it. What may have taken me 10-15 seconds to type when I registered may take me 2-3 seconds now after using it twice a day for a month.
Look at it this way: we now all have a really good excuse why we didn't RTFA.
...the top end of town which may demand 5 9s or 6 9s.
6 9s? You mean, service that is SLA'd to be down no more than 31 seconds per year? Is it even possible to promise that?
Not trying to troll here...I'm serious: is that actually a usable measure?
10.04 LTS was as stable in April 2010 as 11.04 is now.
Sure; however, for those using the LTS on servers, if they were on version 8.04 LTS server, they have until April 2013 to upgrade (when they drop support for 8.04). This means they could wait until 12.04 LTS to have a full year of stability patches before upgrading; meanwhile, they have a server that is very stable in the sense that their software packages continue to work the way they did when they first installed (no updates to newer versions, just patches to improve security/stability).
"Stable", in server terms, doesn't just mean "doesn't crash"...just as importantly, "stable" means "doesn't change". Give an LTS a year to mature, and it will give you both. Buy a server box to put it on, and by the time it has given you the four remaining years on the LTS, you might very well be looking to replace the server with something more powerful or with a fresher warranty anyway. Then, when you set up its replacement, you skip an LTS for the latest and test to make sure it all works on the new version. Congratulations: other than regular security patches, you won't have to do much else with that box for another 4 years (assuming you have it set up the way you need initially, and that your needs for it don't change much).