Slashdot Mirror


User: danheskett

danheskett's activity in the archive.

Stories: 0
Comments: 1,393

Comments · 1,393

  1. Re:so sad on Genetic Testing For Geekiness? · · Score: 1

    Productive? - "Many children with Down syndrome do have difficulties reading and understanding more than a rather basic vocabulary. Complex thinking as required in sciences but also in history, the arts and other subjects is usually beyond their abilities"
    So people who can't read "War and Peace" aren't productive? Or people who can't design complex electronics aren't productive? Maybe we need to consider what productive means.

    As far as healthy goes, people have immune deficiencies, heart disease, and hearing problems all the time, and they aren't considered invalid.

  2. Re:so sad on Genetic Testing For Geekiness? · · Score: 1

    I don't know why you feel the need to quote the words "options" and "informed". There are other options, and knowing more would help you make an informed decision.
    The reason I did was because the doctors use those two words in particular as codes. "Options" means, in all cases, termination/abortion. "Informed" means repeatedly making it clear that they have an opinion, and what it is, and why you are wrong to not take it.

    Come off it. You really can't see the difference between deciding not to have a baby that has a major disability and insisting upon perfection?
    There is no difference. There are families/women who have convenience abortions, and it's really sad. There are women who have abortions to save their lifestyle.

    The big question becomes when is the disability "major" or not. If a family of athletes learns that the baby is going to have a weak spine, and will never be a strong athlete, is that a major disability? It never ends. The bar gets lower and lower, until it's socially acceptable.

  3. Re:so sad on Genetic Testing For Geekiness? · · Score: 3, Informative

    it's noble, and all that. but nobody should be forced to live with an avoidable anomalous situation and accept it as "god's will", as not everyone believes that.
    I said nothing about "god's will", I believe. Neither of us are overtly religious.

    it's noble, and all that. but nobody should be forced to live with an avoidable anomalous situation and accept it as "god's will", as not everyone believes that.
    Make no doubt about it, people who abort because of a Downs Syndrome diagnosis are not doing so at 8 weeks, they are doing so at 22, 24, 30, even 32 and 34 weeks, when the child is developed to an amazing degree, and in many cases could survive outside the womb with no medical care, no life support, and no special treatment. My daughter is 33 weeks, coming up on 34, and without much of a doubt could survive handily with only minimal extra-care at this point. We are well past a "clump of cells".

    My point is and was that viewing a birth defect in your child or a handicap in someone as a "problematic situation" that needs to be cured is really not right in my view, and that it's a sad thing when a culture gets to the point that a life is worthless and not worth living without being physically perfect from the day you are born.

    And it can only lead to more and more depravities.

    Especially with Downs Syndrome, of all things, which allows people to still live healthy, happy, productive lives.

  4. so sad on Genetic Testing For Geekiness? · · Score: 5, Insightful

    consider termination to be a reasonable choice where the fetus carries other genetic disorders such as Downs Syndrome


    That makes me very, very sad. My wife and I are expecting our first child, a girl, to be born in the next 4 weeks. There is a strong chance she will be born with Downs Syndrome.

    Our doctors wanted to advise us about our "options". They wanted to run all kinds of tests, including amniocentesis and genetic testing, in order to be sure one way or another, so we could make an "informed" decision.

    So, so sad. I just can't imagine anyone wanting to do such a thing - especially since we've seen her in full motion 3D video on two separate occasions - smiling when we stroke her head, sucking her thumb, yawning when we wake her up after a nap - things that any baby would do.

    My point of view -- not a political statement really. It's just heartbreaking. I fear for any culture that so highly values convenience, pride, and "perfectness" that it would cast aside those who we should be called to love and care for even more than the "perfect" little baby everyone hopes and prays for. And for the worst shame of all, doctors who repeatedly promote termination of even marginally defective babies and are constantly harping about options - alternatives! - to life.

    I am under no illusions about how painful, difficult, and disappointing raising my daughter may be if she turns out to have Downs, but believe me, I will love her and treat her as my daughter till I draw my last breath.

    I really hope our culture doesn't continue to devolve into one that values only designer, perfect, genetically correct babies.

  5. Re:One More Reason to Keep Win2K on No IE7 For 2k, Now In Extended Service · · Score: 1

    If I'm completely crazy, somebody slap me, but wasn't Microsoft convicted of anti-trust violations relating to their monopoly on the browser? Wasn't a serious issue of their case the "need" to integrate Internet Explorer with the OS? Now it is MORE integrated--to the point that they CAN'T possibly make a Windows 2000 version?

    One side effect of the MS trial - and one of the many ways that MS really got the best of the DOJ - is that MS convinced the court of something called "middleware" - things that are not strictly the OS but things that are not strictly an application.

    IE, WMP, ODBC, etc are all considered middleware now, and are not explicitly illegal to bundle or tie to a product.

  6. Re:Well... on HP Announces National Id System Built on .NET · · Score: 1

    Nothing about security playing a role.. anything else? I am very interested in this topic!

  7. Re:Well... on HP Announces National Id System Built on .NET · · Score: 1

    I care about security. Part of the reason for the .net scrap was SECURITY based.
    Do you have any references, or any backup for this claim? Links or quotes or somesuch?

  8. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    In a utopian environment like yours, PC's can be made to work just fine, but I'd argue that ANY OS could be made to work when you have an environment like yours. BOFHs, like me would love to have a setup like that :-)
    Utopian! I love it. It was far from Utopia.. but you are correct, our focus was more about helping the business than the nuts and bolts of crappy IT drudge work. We were able to spend time and money on projects that helped with the bottom line, with all the details.

    As a BOFH, I can tell you, it was a good network for really locking things down. Having just three images and a well defined policy was huge.

    If you are ever buying products from Dell in bulk, you have to get a custom service agreement (CSA) or whatever they call it now. We put in ours that parts against all machines must be identical brand, model and revision. No exceptions. One failing unit would invalidate the whole shipment. We also did some independent research into the failure rates on various models, so we could order enough extra at the original purchase time so that we wouldn't have to settle for slightly different models in 3 months, 1 year, or 5 years. We purchased the right number plus, I believe, 3.5% more units, for parts and extras and float and all that.

    Made a big difference. To this day there are probably a few hundred unopened units sitting in cold storage. Maybe unnecessary, but again, with a huge hardware contract already formed, it was minor to add that safety check in place.

    Nothing, and I mean nothing, can beat really knowing what your machines are made of. From an admin standpoint, it was priceless. Our help desk and IT guys never, and I mean never, had to go to a remote workstation excepting to bring in a new box to swap. When hardware failures really happened the IT runner of the day would navigate the maze (50K cubicles is.. well.. it's a sight to behold.. think Matrix in the "fields", only more depressing) and drop in a machine with latest image already loaded. The whole thing took probably 20-30 minutes to get there, drop the machine in, do a little dust up cleaning, and be back to look at the defective machine.

    Anyways, don't belittle your "little" network - 20,000 users is still massively huge by any reasonable standard. I can appreciate the opinion of an informed cohort more than a random small-time (no offense, truly) Linux guru.

  9. Re:What's The Big Deal? on Nothing of .Net in Longhorn? · · Score: 1

    You can customize Linux infinitely. But one problem that is big in the Linux world is the lack of a standard base for any type of large application development, which causes a lot of waste/bloat.

    Two real life examples: help reading and printing support. Since there is no system wide standard that people actually follow, if you install a few packages you will end up with 3-4 different packages used: one by KDE, Gnome, and for some apps, their own custom versions of a help-reader. It's very vexing, and makes it difficult to train users on how to use online help.

    The other example is printing. Depending on how advanced or primitive the printing support is in any given app you'll get anything from good printing support and interfaces to crap. Windows printing isn't all that impressive, but well, at least each application has a fair shake at it!

  10. Re:Linux, installation and ease of use on The Future of Linux on Laptops · · Score: 1

    Most people who download stuff from the net, ie, most Windows users, see a download link, and click to download it. Then the browser says "Save or Open", and most users hit "Open", and the installer starts up.

    That's actually quite a bit easier than how many linux distros handle things.

  11. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    Yes, a monday morning audit on the wiped machines will reveal "zero" problems, but I feel a friday evening audit would tell a different story
    That's an okay opinion to have, but it never happened that way. Maybe after all this time it's possible.

    Imaging OSes is a luxury a great many admins simply cannot afford. Is this really a solution, or a workaround? And is this what has to be put up with to run an efficient windows network.
    I guess this is where we disagree. I think the imaging solution is ideal, you think it sucks. I've found it's ideal because I can use one "package", one format, one method for all patches. I can roll a service pack the same way as an application update. RPM is very nice and nifty, but still limited. If I wanted to upgrade all my boxes from ext2 to ext3 there isn't an RPM for that, but if you were using an imaging solution for Linux you could in fact do it transparently to users as part of your regular maintenance!

    Any manual intervention would be anathema to a network this big!

  12. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    Look, I am saying this. After setup, we spent about 4 hrs a week to update and keep secure 50,000 workstations with 100K users.

    Could be done easier with Macs? I have no idea.

  13. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    Your opinion is it's a lot harder. I am saying in my experience, it's not. We spent about 4 hrs once a week keeping a 50,000 machine network secure once it was setup in a secure manner. I guess I am not following how it could be better. Are you saying with OSX it'd be 3.5 hrs, or 2 hrs, or what?

    I can't speak for others. But I can speak for me. And that's all I've done.

  14. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    As I said before, good management is probably the only reason your solution has lasted this long. One quarter with a PHB type CEO and your solution will be biting the dust.
    Well, right. That's like saying "One quarter with Microsoft management at Apple and bam, Apple is Microsoft." Well duh. Obviously the management side of things is what makes the difference.

    I cannot for the life of me see how a handful of IT staff handled 100,000 users. I worked in a company with 200 users and the five helpdesk personnel spent most of their time running about, setting up email clients, installing new hardware and finding lost files. What are you doing to the clueless lusers who lose their files or forget their training? Who installs new PCs? Are you delegating duties? If you are then you need to revise your estimates of helpdesk personnel.
    That's the point I have been making! Users have one location to store their files - they have no write permissions to any folder except the one and their own subfolders. Users have the *same* e-mail client, with settings centrally administered, that they can't modify or "tweak". See what a difference that makes? There is no running about. When I was running things my IT guys and the helpdesk never had to visit a workstation except if it had hardware problems, like a bad motherboard or video card. And even then, it was just to drop in a replacement and boot it. Since everything is centrally managed there is no migration. Users could be moved from one workstation to another seamlessly.

    To begin. Windows licencing. I haven't looked at this in a long time, but I'm going to hazard a lowest possible estimate of $50 per machine, not user, per annum. Times 50,000 machines. Bang. $2.5 million big ones.
    First off, $50/each is high. We paid, I believe $88/machine for a full complement of MS software - Windows, Office, licenses for the backend tools, various odds and ends MS makes, etc. But $2.5M sounds like a lot to you, and in an abstract way it is, but when you look at it as part of a $50M IT upgrade, it's only 5%. Let's say everything else was 100% equal with a Linux solution, and we went with a roll it your own solution instead of a pay per vendor like Novell or whomever. Let's say all of that is true. A 5% difference in cost between solutions is not huge! Especially when you figure we figured the costs for a 7 year schedule. That's $350,000 a year for 7 years. Not chump change, but for a company with a payroll of $3 billion, it's not that big!

    This is my basis for lower cost. Let the TCO waving legions come and get me. They are full of it. We are talking 50,000 machines here. User licencing costs are $0 total for linux. Zero dollars!
    You are a fool! People don't run the "free" versions of Linux on a 50,000 station network. Maybe some of it, but not all of it. It's a lot of work, especially if customizations are made.

    How is it going to be more manageable? Where do I begin? For a start, do you even want PC's anymore? You could go for thin-clients on NX or the like and save yourself millions by the time the next upgrade cycle comes up.
    First, this was 2001, and let's remember where Linux was then. Four years is a long time. Look back at what RedHat and other vendors offered. RedHat 5.x was vogue. NX wasn't dreamt of. Secondly, thin client has its own host of problems, and even with a generous allowance for the scalability of Linux, we'd be talking 1 server for every 200 users, or 250 terminal servers, plus the 80 we already had for applications and the whatnot. That's an additional load for management to be sure on the server side, which is where 50% or more of the time went. And frankly, thin clients are not all that cheap or prone to resist upgrade costs. I looked at the option though the decision was made before I got there. An X or WinTerm is going to cost between $300 and $500 a seat, whereas we paid in the realm of $1K/seat for the workstations. If it were 10 times cheaper,

  15. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    If you're going to set up a minimalist configuration that only allow specific programs, you might as well just run Linux. The whole reason people run Windows is so they can install some little app that they have to have. If you're not allowing that, then what do you need windows for?
    We ran windows because app support was there, it was inexpensive, and it worked well. What other reasons could there be? I disagree with your question about why run Windows. We ran Windows because it made a lot of sense. Win2k is a good general business platform, and that's what we used.

  16. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    A few more follow up points, and then after this, you can take it off list to e-mail.

    1. I was not imaging at login. That was only in the case of a major problem for a user. A good troubleshooting procedure should always start with: "start at a known good point", and we had that capability. The machines got reimaged once a week, on weekend at night. This allowed us to maintain up to date machines - all of them - without using multiple deployment methods to update apps. It also means that we didn't have to have the machines themselves run things like Windows Update, or whatnot. Very, very efficient. We had three image templates in circulation, and every machine was one of those three templates.

    2. The CEO of the privately held company helped design parts of the IT policy. A very, very savvy man. Him and the old CIO that I replaced (after he dropped dead) designed the IT policy from the ground up.

    3. Contrary to your claims of the extremely time consuming nature of the process, it was only time consuming for the machines. As I mentioned, the IT department here was very small. Myself, four full timers, a handful of part timers on the help desk, and that's it. For managing 50,000 machines and 100,000 users, with 80 servers in the mix. That's a good ratio, and depending on your industry, probably 5 times better than anyone else.

    4. Imaging is supported, and legal, and that's not going to change. First off, there are no extra copies wasted as you suggest, excepting the one that is stored in each master image. We licensed appropriately for each app. There is no functional or legal difference from automatically installing software or doing it differently. You can never predict what a judge will rule, but imaging is safe. Also, we are explicitly allowed by law to make backups of installed software, so that is another avenue of protection.

    5. Well I don't know how you doubt this, but the clients were all using a large number of highly customized applications, as well as office and web browsing and web based applications. Additionally, many of the machines had peripherals to consider.

    6. As far as some new vendor that's interesting. Sales people are sales people, and the burden is on them to make the sale, not the other way around. As I said before, the CEO was extremely tech savvy, and would have a lot to say about a pushy vendor demanding changes. No app would make it to the network without being friendly to admin, and frankly, with 50,000 licenses at stake, we never found a vendor who wouldn't work with us to fix their broken apps, or package it to do what is correct.

    6. As far as effort, It's not that hard, and thousands of similarly secure networks exist. It was very straightforward to do. Sure, it was hard work. It's tempting to take shortcuts. But short isn't always the best way.

    And the big whopper:

    A 50K user, unix based solution would be more efficient, more manageable and more flexible than what you've set up. Why didn't you take this option?
    How? See, we had dozens of you guys show up, take a tour, and tell us how linux would be much better! Save us a million bucks a year! It's like the long distance guy who calls up and says he can save me $50 a month on my phone bill, not knowing my phone bill is only $25 to start with.

    How is it going to be more manageable? We had complete control of every workstation. We had neatly divided groups of policies that were handed out to users. Machines were evenly and routinely updated. Making large changes was as easy as small changes. We were able to quickly and easily deploy large changes as needed.

    The fact is, you have no basis for your assertion. You assume that *nix would have been better, because you can't believe that a Windows network would work well. But I am telling you this: it did. You can disagree with me, you can call me a liar, but these are the facts as I saw them, as a first hand witness: we had no virus in

  17. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    The lynchpin of your solution appears to be the OS reinstallation on login.
    No, not on login. Weekly, for updates.

    You have basically given up on any attempt to secure the OS itself and simply wipe it regardless.
    No, this is the method used to secure the OS. Instead of worrying about all myriad of patching methods for different apps and all that, just go low. Re-image the system once a week with all new updates.

    And the reinstallation is not a good solution.
    Sorry, I disagree. We supported 50k clients with less than half a dozen IT people. It's pretty good, thanks.

    Though your tribulations in securing the network are impressive, your whole network is a prime example of the need to move off windows. It's a poster child for a switch, not a reason to stay. If this is the level of time and resources it takes to keep a windows network clean, I'm better off elsewhere.
    Hey, actually, you are wrong. Find me another network run with fewer people or less resources. UNIX, Mac, or otherwise. You'll be hard pressed. It was an extremely efficient operation. 100K users, 50K workstations. For christsakes, we tested and updated 50,000 machines a week with less than 2 hrs of effort. Do you understand what a big deal that is? You really are daft thinking that's a lot of work. Startup each of the three images (basic, advanced, developer), update as needed, test with our regression suite, and that's it.

  18. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    How did you do your centralized logging? I have looked at using MS dumpel.exe /SQL stuff and Snare/syslog, but haven't done it yet.
    Nothing that fancy. I used a shell script that ran on the client machines periodically (I believe every 10 minutes), exported and then cleared individual machines' logs, and copied the file to a shared folder on the "logging server". The logging server had a script that ran every 1 minute or some such small interval that took all the logs, parsed them and inserted the data into a database in the database cluster (we had two 8 machine SQL clusters onsite, so the load added was minimal). From there we had our "IT dashboard" app monitor for exceptions that we could watch, etc. On days when new software packages had been installed we'd setup a watch on any given message that would indicate a problem. It worked well. One time we had two apps that kept trying to install over each other's shared DLLs they each had improperly located in a system folder. Boy was that a mess. But it was easy to trace down.
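
The server-side half of the pipeline described in comment 18, as an added example that is not part of the original comment or the poster's own script. The tab-separated export format, the `<host>_<stamp>.tsv` file naming, the SQLite stand-in for the SQL cluster and the watch rule are all assumptions; because the drop folder is writable by every client, each field is validated before it is stored.

```python
import re
import sqlite3
from datetime import datetime

LEVELS = {"info", "warning", "error"}
HOST_RE = re.compile(r"[A-Za-z0-9-]{1,15}")  # NetBIOS-style host names

# Constructed sample exports, keyed by file name "<host>_<stamp>.tsv" (assumed naming).
# Assumed line format: timestamp, host, source, event_id, level, message (tab-separated).
SAMPLE_EXPORTS = {
    "WS-0412_0910.tsv":
        "2001-06-11T09:01:12\tWS-0412\tMsiInstaller\t11707\tinfo\tProduct AppA: installation completed\n"
        "2001-06-11T09:03:40\tWS-0412\tAppB\t1004\terror\tCannot replace C:\\WINNT\\system32\\shared.dll: file in use\n",
    "WS-0977_0910.tsv":
        "2001-06-11T09:02:05\tWS-0977\tAppA\t1004\terror\tCannot replace C:\\WINNT\\system32\\shared.dll: version conflict\n"
        "not-a-timestamp\tWS-0977\tAppA\t1\tinfo\tgarbled line\n"
        "2001-06-11T09:04:00\tWS-0001\tAppA\t7\tinfo\trow claiming to come from another host\n",
}

# Hypothetical watch rule set up after a package rollout: (level, message pattern).
WATCHES = {"shared-dll-conflict": ("error", re.compile(r"system32\\.*\.dll", re.I))}


def open_db(path=":memory:"):
    """Create the events table; the UNIQUE key makes re-ingesting a file harmless."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS events ("
        "ts TEXT, host TEXT, source TEXT, event_id INTEGER, level TEXT, message TEXT, "
        "UNIQUE (ts, host, source, event_id, message))"
    )
    return conn


def parse_export(file_name, text):
    """Return (rows, rejected) for one export file, validating every field."""
    file_host = file_name.split("_", 1)[0]
    rows, rejected = [], 0
    for line in text.splitlines():
        try:
            ts, host, source, event_id, level, message = line.split("\t")
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
            # Consistency check only: a row must name the host its file is named for.
            if not HOST_RE.fullmatch(host) or host != file_host or level not in LEVELS:
                raise ValueError("unexpected host or level")
            rows.append((ts, host, source[:64], int(event_id), level, message[:1024]))
        except ValueError:
            rejected += 1  # wrong field count, bad timestamp, bad id, bad host/level
    return rows, rejected


def ingest(conn, exports):
    """Insert all valid rows with bound parameters; return (inserted, rejected)."""
    before, rejected = conn.total_changes, 0
    for name, text in sorted(exports.items()):
        rows, bad = parse_export(name, text)
        rejected += bad
        conn.executemany("INSERT OR IGNORE INTO events VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn.total_changes - before, rejected


def watch_hits(conn, watches):
    """Return (watch, ts, host, source) for every stored event a watch matches."""
    hits = []
    query = "SELECT ts, host, source, message FROM events WHERE level = ? ORDER BY ts"
    for name, (level, pattern) in watches.items():
        for ts, host, source, message in conn.execute(query, (level,)):
            if pattern.search(message):
                hits.append((name, ts, host, source))
    return hits


if __name__ == "__main__":
    db = open_db()
    print("inserted, rejected:", ingest(db, SAMPLE_EXPORTS))
    for hit in watch_hits(db, WATCHES):
        print(hit)
```

Two different sources hitting the same watch on the same system file is the kind of pattern the shared-DLL anecdote describes; the rejected count is worth graphing as well, since malformed or mislabelled rows in a client-writable drop folder are themselves a signal.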

  19. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    Not the 12.. they were up and are still up with no patches.. that's what restricted access, locking down unused services, and other similar strategies can do to protect your systems. Just because a patch comes out doesn't mean it has to be installed the same day, uptime be damned!

  20. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    Filtering? 50K users? What's wrong with this picture? Is this proxy in the Top 10 supercomputer lists?
    What are you talking about? It's no great feat. 12 machines, dual processor, with 2GB of RAM. I think since it was a while back they were early generation XEONs.

    Hardly a supercomputer!

    What about the win32 APIs. They allow admin privileges even if the user is running a reduced privilege.
    No, not actually. What are you referring to? It's just not true! Everything compiles down to Win32 API on Windows - .NET, C - all of it. Win32 API *is* Windows.

    So you have effectively banned removeable media. Actually, I agree with this, but your users are probably p/o'ed
    Absolutely. No new data/apps in without going through IT.

    Now I know something is wrong with your network. I suggest you audit it, immediately.
    Sorry, but, I don't work there anymore. But, let me be clear. None. Ever. No infections. Think about it. No untrusted binaries, machines up to date, network locked down multiple ways (IPSEC all machines, filtering, no broadcast protocols running, etc), users trained, IT staff trained, e-mail attachments virus scanned, etc.

    It's not rocket science. If you don't control the binaries on your computer, it's not your computer.

    The baddies are out there man. They are pros. Spammers, marketers, DDOSers who spend their days finding and exploiting holes in windows boxes. Malware doesn't happen by accident. It happens because very determined people want your boxen for their twisted money making schemes. People blame user stupidity and ignorance for malware issues, but in truth it is the cunning and ingenuity of ruthless crackers which is to blame.
    And bad IT makes it easy. Good IT makes it impossible. We had layers of security, good technology, good people, and good policies. That's all it takes!

  21. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    That's great, but then the users are their own system administrators.

    Things like software updates (think internal vertical apps), for example. How does that work in your example?

    Let me just say. Macs are great. But 50,000 of any computers that are all different is a big freakin hassle for your help desk. A network that big would require a huge help desk with 50,000 user-admin'd Macs. It all adds up.

    The network you describe would be cool if all the users were say graphics people who had macs at home. They could handle updates themselves, install their own apps, troubleshoot minor software questions, etc. In a more standard environment, it would be well, a challenging thing to manage.

  22. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    Users aren't admins you say? Tough luck sonny. It's called win32 API programming and it gets past all such restrictions. Malware will most likely run as admin whether your user is one or not. user mode will not save you.
    That's utter bollocks. I should disregard the rest of your post, but you are entirely incorrect. Win32 API does not bypass file system permissions, registry permissions, etc. Yes, if there is an exploit/bug those restrictions *could* be bypassed.

    I hope iexplore.exe and outlook.exe were in there, cause if they weren't.... msnmessenger too.
    What do you mean? I don't follow your sarcasm I guess. Yes, outlook and ie were on there.

    Naturally. However a better step would be to ensure ActiveX is never used by switching to alternate browsers. Also, the users(malware) may, for whatever reason, find a way to turn ActiveX back on, or worse, request it! Getting rid of IE altogether is a better step.
    I agree, however, at the time, Firefox was very very young and the Netscape alternative was very nearly as bad as possible. If it were today, IE would be out and Firefox would be in.

    So basically what you're saying is each boot was a throwaway OS image, which you simply wipe after each user logs off.
    No. Not at all. If there was some type of problem we had a good baseline which we could always reset to without disrupting the user one wink. Great for troubleshooting.

    OK, I'm not even going to begin to describe how much hassle your solution is, especially when it comes to upgrade time.
    False. Very easy. Boot each image once a week on a test machine/VMware. Update all apps, the OS, anything else you want to do. Then that image is pushed out to the clients. Very, very efficient delivery method.

    It's also most likely illegal and unsupported
    No, actually it's neither. Look at a product like Symantec Ghost. It's explicitly supported. MS explicitly supports system imaging, and puts out a number of tools to help you with it. Not illegal, not unsupported.

    On top of that, I patiently await the day one of your machines become infected at 09:05 and proceeds to infect the entire network.
    The point is that when only trusted binaries run, all software is very much up to date, and incoming/outgoing traffic is closely managed, you have a very small risk vector for infection. We never got infected, even during the big name virus outbreaks. Vendors and outside sales guys would come in and plug their infected nasty laptops into my network, and nothing bad would happen. Why? Layers of security. IPSec, appropriate routing rules, the lack of a broadcast protocol being enabled, etc.

    Even if you do get a company wide switch off, I doubt your servers will be able to handle the load. Good luck with that.
    Of course all 50,000 machines couldn't resync at the same time. 250 was reasonable.

    Your solution is extreme. If this is what it takes to run a windows network you should be asking yourself why you are running a windows network.
    No, it's very workable, and a very small amount of ongoing work. Yes, some prep time, but on this network I could assure you 100% that everyone was running secure apps, the right versions, the correct software, etc. Without a doubt, it was effective and fast.

    Your network sir, is a disaster waiting to happen. The next sobig or sasser will cripple it quickly. I'd wager it is spending most of its life as a productive DDOS or spam botnet as we speak. it is a juicy plum, waiting to be picked by professional cracker gangs.
    Nope. We withstood both attacks, handily. And even if something did get infected, that PC was effectively disabled. Heavy unusual traffic would cause a PC to get auto-null routed off the network.

    You are wrong, just plain wrong. Good security is a matter of policy, technical and otherwise.

    If you want to come to Maine, I can arrange a tour. It's a very secu

  23. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    50K Windows machines and not a single BSOD? I find that incredibly unlikely. You didn't have a single PC with bad memory or flaky mother board or power supply? We have around 600 Dells, all certified for Windows with Dell's "Gold" level support, running 99% Microsoft apps, and still get an occasional BSOD, even if it is a hardware related problem.
    Ohh I had plenty of hardware problems: machines that never came back up, etc. But, oddly, never a single BSOD. We had HDD's die, and they just froze the machine. We had memory go flaky, with the same result. But nope, we used central logging, and the only BSOD we ever had was the one you can cause yourself with a registry tweak and the scroll lock key (to test the logging, actually).

    Granted, the hardware was brand - brand new - and we picked out the defective units before deployment thanks to a healthy burn in period.

  24. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    I don't care what you do to a wintel laptop, you will not be able to abuse your machine the way I do and have this kind of reliability.
    I've got news for you chief, I am not arguing against Macs.

    I think they are great, and great for you.

    I am saying, however, that all these people that assume you can't secure a Windows network are wrong. I've done it, got the t-shirt, whatever you want to call it.

    And, finally, by the way, I run a Windows XP desktop that has had similar results: default browser (IE), mail client (well, Outlook 2003, but still) and a stock install. I've been all over the web, and never had a virus, trojan, or any problems whatsoever. You are not that unique! I beat on that box day and night, and I mean day and night, and it's always done what I want, how I want!

    Same goes for my HP laptop.

  25. Re:what is he talking about? on Mad as Hell, Switching to Mac · · Score: 1

    b) Your network does not in fact have any access to the net(at all!)
    Close, but no. They had full access that was heavily filtered through a proxy, and aggressively tracked for nasty things.

    You do realise that on most windows boxes a user so much as visiting a malicious site will infect the machine. This is not to mention the legions of suspect attachments they open everyday? Do you even run Spybot or equivalents? Have you heard of USB drives? Do root kits ring a bell?
    Not true, my friend! Lock it down! Lock down the registry, disable ActiveX, filter out drive-by installs at the proxy. Run the user as a user, not an administrator. Attachments are scanned and filtered. Users are unable by permission to mount removable media.

    I'm not going to elaborate on all the things that can lead to infection on a windows box, or what an infection can result in. What I will say is that Anti-virus, firewalls and automatic updates cannot guarantee security.
    I can guarantee that these boxes were infection free, and were very clean. We also didn't run client firewalls, anti-virus, or automatic updates!

    You've got users, on windows boxes. Face it. They will be infected within one week of clean install. There is nothing short of cutting your net connection and bolting shut media drives. Nothing.
    False! 100K users, 50k machines, no infections, no spyware, never, not once!

    Here is how, it's easy:
    1. Filtered Internet access. Easy.
    2. Allowed programs only. Windows allows admins to specify which binaries are allowed to run via a group policy. That's 99% of it right there.
    3. Principle of least privilege. All users run the fewest permissions possible. Minimal local system privileges. The users could not even download to the desktop for lack of permissions. Locked down. Minimal ability to modify non visual aspects of the system. Remove profile storage, and re-imaging of the systems with available patches once a week.


    You are buying into a victim culture of IT! It's too hard! MS ruins it for me! It's all those baddies against me!

    Well, the tools are there. Testing, planning, written policy, technical policy. Scripting, automation, and restricted privileges.

    It is possible! It takes hard work and planning, but what doesn't?