Slashdot Mirror


User: llefler

llefler's activity in the archive.

Stories: 0 · Comments: 762

Comments · 762

  1. Re:Not surprising... on Moore Approves Fahrenheit 9/11 Downloads · · Score: 1

    ...a market completely unencumbered by outside regulations.

    I guess you missed this part. Government is an outside regulation. The 'invisible hand' is market self regulation, which BTW, includes many of the things people hate the most about Microsoft and Walmart. i.e. negotiating the best contracts from a position of strength, and undercutting competitors' pricing to gain market share. The only question a pure capitalist system would have is whether they used illegal means to gain their competitive advantage. And really, the government ideally would be enforcing laws regardless of whether a company is a market leader or not.

    Also, not to get into an outsourcing debate, but lately companies are re-evaluating the economies of outsourcing and finding the gains are much smaller than expected. At least when the outsourcing is with companies outside the US.

    1. they have no control over staff employment contracts, so they spend 3 months getting someone up to speed only to have them leave after their 6 month contract is fulfilled.
    2. customers are expressing a preference for American customer support. Language issues primarily, but also an ingrained bias and work ethics.
    3. trouble coordinating US teams with outsourced workers.
    4. problems with staff management.

    Dell was one of the first to announce that they are moving some of their outsourced services back to the US, but others are following.

  2. Re:Not surprising... on Moore Approves Fahrenheit 9/11 Downloads · · Score: 1

    REAL capitalism isn't about making the most sales and dominating the market.

    Actually, that is exactly what capitalism is. Pure capitalism is about using methods that put the most money in your pocket in a market completely unencumbered by outside regulations.

    What you are looking for is an ideal market where people place an appropriate value on quality. That of course will mean the end of Microsoft, Walmart, and outsourcing manpower to 3rd world countries.

    It sounds nice, but be careful what you wish for.

  3. Re:How long will it be... on John Deere American Farmer - The Game · · Score: 1

    Ford did it a long time ago. (1987) It was a driving simulator that let you test drive their new models.

    Sim Ford

  4. Re:Uhh.. on Blame Bad Security on Sloppy Programming · · Score: 1

    Oh, c'mon; I haven't written a call of gets() in years.

    You do realize, gets() is just one example? How about this one, it's one that your compiler should either catch, or the runtime environment should handle:

    #include <string.h>

    /* str2 holds 20 bytes, but strcpy() copies until it finds the NUL in str,
       so anything longer than 19 characters runs off the end of str2. */
    void SimpleFunction(char str[])
    {
        char str2[20];

        strcpy(str2, str);
    }

    int main()
    {
        char str1[25];              /* 25 bytes: 24 characters plus the NUL */

        memset(str1, 'A', 24);      /* fill it so the 24-character copy is deterministic */
        str1[24] = '\0';
        SimpleFunction(str1);
        return 0;
    }

    There is a good chance you're going to overflow the array and C/C++ doesn't check. A smart compiler would give you a warning about the size mismatch. An Ok compiler will insert runtime code to at least truncate the str value being put in str2.

    Attributing all security problems to things like buffer overflows shows an incredibly shallow understanding of the issue.

    Really... hmm, let's examine that:

    Phatbot trojan - exploited a core dll buffer overflow (probably ntdll.dll), RPC buffer overflow, Workstation buffer overflow.
    Code Red and variants - ntdll.dll buffer overflow
    WebDAV - ntdll.dll buffer overflow
    SQL Slammer - buffer overflow in SQL server resolution service.
    There has been an MDAC buffer overflow
    Windows SNMP - ASN buffer overflow

    Bind - buffer overflow
    OpenSSL - buffer overflow
    Apache - mod_ssl - open ssl buffer overflow
    Sendmail - buffer overflow
    Unix SNMP - buffer overflow(s)
    OpenSSH - buffer overflow(s)
    NIS/NFS - buffer overflow(s)

    Granted, there have been other security issues. Social engineering is a big one. People still click on attachments. People still give strangers their passwords.

    Buffer overflows are so serious that Microsoft has finally given up on backward compatibility and turned on bounds checking for XP SP2.

    Protocols that are old and use cleartext are things we know about. They are readily documented. Cleartext wasn't a design concern when they were created; it is now, so there are alternatives.

    Encryption? Why do average programmers need to know the nuts and bolts of encryption? That's what libraries are for. Let the people who specialize in encryption routines handle that and the average programmer can concentrate on putting out quality code. But if you really need the details, I hear there is something called Open Source out there somewhere. I don't write drivers, I don't write graphic engines, I write applications and leave specialization to people who have the interest and the time to do them right.

    And quite frankly, if you can't find information on software vulnerabilities, you haven't learned how to use Google. Take a look at CERT, take a look at SANS. There are books available. There was just an article on a school in California that was teaching an 'ethical hacker' course.

    Oddly enough, those insignificant buffer overflows and e-mail trojans are what give business managers heartburn. They might have 1 FTP server and web server. They have thousands of desktops and hundreds of file and app servers. The unlucky (not real bright) ones still see their networks fall over when a new one is found. And the prepared ones spend days every month updating their virus signatures as well as testing and installing patches. I have seen the cost of buffer overflows. I have seen ONE FTP server rooted, and guess what, it was a buffer overflow in wuarchive ftp server.
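The size mismatch in the comment's SimpleFunction, as an added example that is not the poster's code: a check for whether a copy fits the destination, beside a bounded replacement that truncates and reports it, which is the runtime behaviour the comment says an Ok compiler would insert. The names would_overflow, bounded_copy and SimpleFunctionSafe are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer in the comment's SimpleFunction. */
#define STR2_SIZE 20

/* Would strcpy(dest, src) into a dest_size-byte buffer overflow?  The copy
   needs strlen(src) + 1 bytes, so a 20-character string already runs past a
   20-byte buffer.  The callee can only make this check if it is told the
   destination size; the original SimpleFunction sees a bare pointer. */
int would_overflow(const char *src, size_t dest_size)
{
    return strlen(src) + 1 > dest_size;
}

/* Bounded replacement for strcpy(): copies at most dest_size - 1 characters,
   always NUL-terminates, and returns 1 if the input was cut short, 0 if it
   was copied whole, -1 if dest_size is 0 (nothing can be written at all). */
int bounded_copy(char *dest, size_t dest_size, const char *src)
{
    size_t len;
    if (dest_size == 0)
        return -1;
    len = strlen(src);
    if (len >= dest_size) {
        memcpy(dest, src, dest_size - 1);
        dest[dest_size - 1] = '\0';
        return 1;
    }
    memcpy(dest, src, len + 1);
    return 0;
}

/* SimpleFunction rewritten with the bounded copy.  Returns the length that
   actually landed in str2, so the caller can see when truncation happened. */
size_t SimpleFunctionSafe(const char *str)
{
    char str2[STR2_SIZE];
    bounded_copy(str2, sizeof str2, str);
    return strlen(str2);
}

int main(void)
{
    char str1[25];                       /* constructed 24-character input */
    memset(str1, 'A', sizeof str1 - 1);
    str1[sizeof str1 - 1] = '\0';

    printf("fits in %d bytes: %s\n", STR2_SIZE,
           would_overflow(str1, STR2_SIZE) ? "no" : "yes");
    printf("chars kept by bounded copy: %zu\n", SimpleFunctionSafe(str1));
    return 0;
}
```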

  5. Re:Already suffered "major loss of data" on DoJ - Making Data Public Would 'Crash System' · · Score: 2, Funny

    What this REALLY means is that they have already suffered a "major loss of data"

    Graduates of the Richard Nixon School of Data Integrity.

  6. Re:As usual on DoJ - Making Data Public Would 'Crash System' · · Score: 2, Funny

    It's not the number of records that is the problem. It's the fact that they are on punched cards in the basement....

    We laugh at your puny drive failures.

    No smoking please.

  7. Re:Uhh.. on Blame Bad Security on Sloppy Programming · · Score: 1

    No, there is no such thing as an Ok warning. Trust me, I have a lot of experience with this from the production side. The problem is they get ignored; they're ok, right? But the more noise you create during compile and execution, the more likely a bad warning will get missed.

    I have been programming for over 20 years, and I have yet to find a warning I couldn't get rid of. And I personally will not put ANY program into production that doesn't compile clean.

  8. Re:Uhh.. on Blame Bad Security on Sloppy Programming · · Score: 1

    Get back to work! You know we've got to ship version 2.0 by the end of next week come hell or high water!

    That's Ok, we can release it now and patch it later.

  9. Re:Uhh.. on Blame Bad Security on Sloppy Programming · · Score: 3, Insightful

    This sounds nice, but there's a serious problem: There is a widespread attitude in the security community that the details of security holes should be kept secret from programmers. They're worried about those evil hackers exploiting the holes, and there is reason to worry. But when they keep such things secret, the major effect is to keep programmers ignorant of how they might be making mistakes.

    You shouldn't need the security community to tell you about the issues addressed in this article. Basically all he is saying is have the compiler give warning messages for all unsafe practices. (learn to keep your arrays safe, there are no exploits for the security community to find) And there is no such thing as an OK warning. Just look at his gets/fgets example.

    Personally I'd like to see people keep writing these kinds of articles until everyone gets it; because a lot of programmers don't.

    BTW, I read the summary and was all ready to disagree with the premise that it's lazy programmers and not a language issue. Then he explained that programmers are lazy because we haven't fixed the compilers so that we don't have to worry about these problems. But I'm still leaning towards 'C is evil'.

  10. Re:Let the flamewar....COMMENCE! on Fahrenheit 9/11 Discussion · · Score: 1

    And somehow you think putting more permanent troops in the region is going to help?

    And here I always thought the problem was we supported dictators who had different values than their citizens.

    Well hell, reinstitute the draft and give us 'another fucking base' everywhere in the world. We'll have world peace.

  11. Re:Let the flamewar....COMMENCE! on Fahrenheit 9/11 Discussion · · Score: 1

    $200B/250m = ~$800 for each man, woman and child. (That's the total USA cost of the war so far, divided by the population of the USA.)

    While the number is outrageous, I think yours is a little high.

    Cost Of War

    Which means we could have spent over $4000 per person relocating every citizen of Iraq to Someplace Else.

    Iraq

  12. Re:Let the flamewar....COMMENCE! on Fahrenheit 9/11 Discussion · · Score: 1

    Cool, so the troops will come home in a few days! That is great news.

    Absolutely. Right after the ones in Japan, Germany, Korea, and Vietnam.

    I'm sure there must be some kind of pattern there....

  13. Re:BEFORE the flamewar commences... on Fahrenheit 9/11 Discussion · · Score: 1

    The funniest thing about Rush is when he used to have his television show. He liked to say "you don't know what to think, because I haven't told you what to think." And then in the next sentence he would praise his "intelligent" audience.

    Rush used to be interesting before he got his TV show and got ultra political. Kind of like Al Franken.

  14. Re:How about a little variety? on Alternative Distribution Schemes For The MMO? · · Score: 1

    How about a MMO football or soccer game?

    How would you do a Massively Multiplayer Online (MMO) game? It seems like you're limited to the number of players on the field at one time. Even with multiple games at any given time, you still have to deal with forced grouping of a very specific number of players playing at the same time/duration.

    I can see multiplayer and online, but I think the massive part is going to be tough to design.

  15. Re:What incentive for the developers? on Alternative Distribution Schemes For The MMO? · · Score: 2, Interesting

    MMO developers need to realize that any "loyalty" that their games command is only amongst the power-gamer minority.

    I would have described it the other way. Power gamers are LESS likely to be loyal to a game. They burn through levels and content so quickly that they get bored and try new games. A gamer with only a few hours a week will stick around because they have to work harder to build a character. The thing that gets the average gamer is the repetitive nature of leveling that power gamers have ways of getting around.

    Here is an example: Asheron's Call recently opened a new server. The power gamers are racing to see who can be the first to hit maximum level (126), and in a month, several are getting pretty close. (lvl 100+) As a more average gamer, my main character is in its 20s. The power gamers are going to max out in less than 2 months and move on just as my character is maturing into its interesting levels.

  16. Re:South Korea on Alternative Distribution Schemes For The MMO? · · Score: 1

    For better or worse, the $40 box/download plus monthly fee is probably here to stay.

    The box price is lock-in. The cell phone industry business model.

    Players won't try out new games on a whim because they have to pay $40-60 to do it. That cuts both ways for the providers; they don't lose as many players to new MMOs, but they have a harder time attracting new ones too.

    My personal preference would be a free client, a monthly charge, and regular content additions. Then I might be inclined to subscribe to more than one MMO. I don't have time to play more than one, but I might play one this week and a different one next week.

  17. Re:HVAC Zoning on Building a Better Office · · Score: 1

    Otherwise, half the staff will be too cold and the other half too hot, and lord help you if your server room is too far from the main trunk.

    Don't put your server room on the same system as the rest of the building. The server room rarely (if ever) needs heating. And I doubt a single HVAC system will be able to heat and cool at the same time, i.e. during the winter.

  18. Re:Debugging on Why Learning Assembly Language Is Still Good · · Score: 1

    Jeez, you need to know assembly to tell that you have overrun your arrays in C? If that's the case, we'll never get rid of buffer overflows until we kill C and all its siblings.

    BTW, it's not the case. Segfaulting was an easy clue, and what you needed to understand is how your program was allocating memory. People need to start managing their data or the language needs to start doing it for them.

    And yes, I've worked in C, C++, and Assembly (sys 360), as well as CoBOL, RPG II, and BASIC. Although I choose not to use any of them right now.

  19. Re:Fixing vulnerabilities is GOOD! on Is Finding Security Holes a Good Idea? · · Score: 1

    The real problem is not that Discovery is not worth the time and money spent, but that it becomes worthless if the patches created are not applied.

    Patching isn't the solution, but it's the best one we have right now. Right now we are chasing the horses around the field because nobody bothered to close the barn door.

    The development culture has to be changed so that it's unacceptable to allow software to be released in this state in the first place. But with so many problems out there, you can bury your head in the sand at your own peril. I don't think that we can make the assumption that if we don't look for the problems, no one will ever find them. On the other hand, spending all of our time building a patch system instead of fixing the cultural problem seems kind of silly too.

  20. Re:"Goodwill" on SCO posts Q2 Loss, Gets $11k from Linux · · Score: 1

    Nope, they had a special account for it. It's called 'Raping the Consumer'. It's offset by the 'Political Contributions' account. I hear they even had a special category for Grandma Millie.

  21. Re:"Goodwill" on SCO posts Q2 Loss, Gets $11k from Linux · · Score: 4, Informative

    Actually, it's a good thing you are not an accountant.

    Goodwill is a perceived value that is higher than book value. For example, you decide you want to expand your web hosting business. A friend of yours is also in the web hosting business, but wants to move on to another career and sells his business to you. Now he has done a lot of work and his customers really like doing business with his company. So when he sells his business to you, he wants more than the book value of his assets because he has built a loyal customer base that will become yours along with his business assets. The difference between the book value of his company, and what you actually have to pay him for it, goes into your accounts as goodwill so that you can depreciate it like any other asset.

    It's not that accounting is odd or a black art, it's that you don't understand that every dollar has to be accounted for and properly categorized.

  22. Re:A few recommendations. on Server Redundancy for a Small Business? · · Score: 1

    We have a server here with dual-200GB drives in RAID-1. It's primarily used to backup several offsite servers on a nightly schedule. Assuming that there was space elsewhere in the building, putting another server in there with RAID-1 drives and doing networked backup should be fine.

    Let's be clear about what you have here... You've taken a box, stuck a pair of IDE drives in it and called it a server. While not necessarily a bad solution, it's not in line with the post I replied to that suggested redundant power supplies, NICs, and RAID (not IDE RAID). I know you have to be talking about IDE, because the largest SCSI drive on pricewatch is 180 gig and they run $600 each. Kind of hard to build a $1000 server when the drives would be $1200.

    You don't need 'nix (sic) to have software RAID. NT4 handled it just fine. But rather than getting real cheap I'd recommend getting something like a Promise IDE controller and letting it handle the IDE RAID in hardware. That frees up the CPU to do real work.

    If all you were doing is building a backup box like you suggested: Dell 400SC - $400, Promise TX4000 - $125, and 2 200g IDEs - $120 ea. Easily under $1000, but not a solution I personally would recommend as a critical server. At the very least, there has to be some kind of offline backup capability. Tape, removable drive, something...

  23. Re:A few recommendations. on Server Redundancy for a Small Business? · · Score: 2, Insightful

    If I remember correctly, the survey that I read was 90% of small businesses....

    And $10k is a huge investment for a company of 15 employees if they aren't technology based. Most would start to squeal long before you hit $5000. Sometimes you just have to be happy that the 'server' isn't the owner's PC.

  24. Re:don't fall into the RAID trap on Server Redundancy for a Small Business? · · Score: 1

    I think it's a mistake to make a blanket statement that a RAID array is overkill for a small business. My company is similar in size (18 employees) and a RAID is absolutely essential for us from a downtime perspective. We simply can't afford to be down because a drive crashed.

    Exactly. RAID is all about buying time when a hard drive fails. My personal server ate its OS drive, and from a user's perspective, you would never know it. Being lazy, I waited several months before I replaced it. OTOH, at work, I have remote servers mirrored because if they have a drive failure, I have to call a 3rd party to service them. I'm much more comfortable sending a drive and rebuilding the mirror than having someone rebuild the server. Not to mention the ability to shift the repair to non-production hours of the day.

  25. Re:A few recommendations. on Server Redundancy for a Small Business? · · Score: 3, Informative

    While your suggestions are good, some of them might be a little expensive for a company this size. Depending on what kind of business they are.

    The first red flag I saw was that although they had backups, they were three days old. If the data is worth saving, it's worth doing it right. Full backups on the weekends and incrementals nightly.

    Ok, the redundant stuff... power supplies, hot swap drives, RAID5. You're approaching a $10k configuration. That, BTW, would have still gone down because they had a motherboard failure. And since they needed backups, their drives were corrupt, so the RAID probably would have been too.

    Really though, this whole question is about designing their new server without any idea of the load required. Based on the info that is available, I think I would lean towards purchasing two servers. Make them a little smaller than what you would purchase if you only had one, and divide the load between them. If one fails, you can temporarily transfer to the remaining one until you can get it fixed. You could even go so far as to move drives and RAM temporarily if necessary. Just make sure the equipment is server rated. i.e. my Dell 400sc Poweredge servers are rebadged desktop machines. My Compaq Proliant 800s are definitely not. Even good equipment is getting pretty cheap if you have reasonable requirements.

    Above that; daily backups. The UPS equipment like you suggested, just keep in mind that UPSs are consumables. And possibly IDE RAID-1. Drives are cheap and 15 users shouldn't need the performance of SCSI.