If a company is requiring me to be trained on current technology, then YES, they should at least offer reimbursement for the costs of the training and allow me to study on company time. Once certified, a pay raise is in order if they want to benefit from the skills.
Why is a pay raise in order for benefitting from the skills, when they paid for all the training?
They should get the financial benefits that were generated by paying for training.
Newer skills may be getting learned, but the reason they need the training is obviously now the older skills are of less value.
Technology changes. When an employee's existing skillset becomes less valuable to the company, and they need training to obtain a certification of a different nature, they are doing the employee a big favor if the employer pays for training they need.
Because the conventional wisdom is to dismiss the existing employee whose current skills are losing value, and hire someone with the skillset and credentials having greater value to the company, at (probably) a lower pay, for a net win.
Instead they paid to get the employee the skills needed to their job. The employee can also expect long term (but not immediate) benefits for having more skills. But the employee put the resources in to allow you to get those skills, and they have the right to the financial advantage obtained through their investment.
I will agree it's within the employer's perogative to offer a raise.
However, the employee wanting or expecting a raise sounds like double dipping to me.
Usually to the advantage of the employee, and normally the employee already has a desk, and electricity costs are inexpensive.
Now if you've heard of an employee whose company decided 'working for home' meant they would need to setup some server racks at their house, and power a portion of the company's IT infrastructure, or power up some heavy-duty office equipment ancillary to inherent needs for them to work remotely, you might have a point about electricity usage and rent...
c) No reference at all and a difficult to explain gap in employment history.
All of which could be much more disadvantageous than just paying the money back.
I assume the "gap" would not be a gap at all, and very easy to explain that the former company would not provide a reference, or you were unwilling to accept their reference, because you were in a dispute with them.
It creates whole new classes of problem, where an employee is motivated to do poor work in order to get fired so that they don't have to pay for their training. And since they can be dismissed for a whole host of reasons, then there is ample opportunity for a court battle over who foots the bill.
Then the contract should contain a clause that the employee pays at least half of the cost of training, if they are fired.
Or perhaps the company pays for half the cost of their training upfront, and by contract, the employee will receive a reimbursment for the rest with interest and a substantial "achievement bonus" after 12 months, if still working for the company.
We're talking about SIP brute forcing here, not DoS. Most botnets are not large enough to emit a 1 million pps flood, especially not accidentally, while trying to brute force SIP registration.
Most of the ones that are large enough, are unlikely to be used to create such a large flood against you.
They got so large by avoiding detection, and sending too large of floods from a node results in detection.
Large botnets get rented out to perform activities profitable to people who rent services from their owner. Usually spam sending.
Unless you allow IRC on your network, or one of your customers is with the anti-botnet/anti-spam camp and the botnet operator sees you as a threat, or you are a national company suitable for extortion, you are extremely unlikely to be singled out to receive a 1 million pps flood.
You are far more likely to be sending such a flood, due to compromise of hosts on your network.
It is possible to use REINVITE in that way.
In most cases it is avoided.
It still wouldn't explain abnormally high outgoing SIP traffic, with the much smaller inbound amounts.
A legitimate SIP proxy that uses REINVITES to move the audio streams elsewhere should still have at least as much inbound control traffic as outbound traffic.
Legitimate phone calls don't come from the Ether, and as far as I know you can't currently buy PRI service or a POTS connection from Amazon for your EC2 instances.
A legitimate PBX should have fairly little SIP control traffic, even when calls are open.
Well, most of the traffic should be RTP audio frames over UDP, or other frames tunneled over TCP.
So if they look at a traffic graph and see SIP usage is extremely high, and RTP / other traffic is basically nonexistent, then it is really quite suspicious.
Unless this is a huge telco's SBC, then they could (in theory) have a dedicated server for control, with separate servers for dealing with audio/media.
4) What's with the 4-6 character passwords, or WORSE, the user name BEING the password? I guess that might be fine in a local network environment where there is a strong physical security presence
Here's what happens: the PBX starts as something local only, with access from only intranet and only company IP addresses allowed.
Probably rfc1918 private LAN IPs, maybe some external IP addresses of phones at other branches.
PBX admin initially designs a closed system, and everything works great, and is secure enough.
Extension numbers are used for authentication, and secrets are 12345. Or some variation of the extension.
This is secure enough for a trusted intranet, and very convenient, makes setup and maintenance a lot easier: no need for techs in the field to call the PBX admin and ask for the password, everyone knows the standard password used by all extensions.
Do not underestimate the inconvenience and cost regarding time and hassle involved for everyone in using a more complicated username/password assignment scheme.
Security does not have an infinite value, there are always tradeoffs between the probability that a security measure prevents an attack, and the actual costs of the security measure (password management is expensive, and setting strong distinct passwords, and strong authnames for every phone is an expensive proposition).
6 - 12 months after the PBX gets deployed, some PHB in sales or upper management decides it would be really cool for them to be able to plug a phone when they are on the road, at whatever Hotel they are visiting, and at home.
They determine that connecting to the VPN is too much an inconvenience, so they order the Firewall admin to allow external IPs on the internet to be able to connect to the PBX.
So they can connect on the road.
The PBX admin never hears about any of this.
It was configured in such a way that it would be a really bad idea to open it to the outside world, but other people want to do their own thing based on what they believe, understand, or think the technology is capable of (probably from talking to folks in other companies who plug their phones in wherever they want on any external network).
Imagine if a bunch of Tier1 and Tier2 providers (who don't peer with them) adopted a policy of blocking all Amazon EC2 IP ranges at all border routers?
This is basically like an ISP arguing they are not responsible for spam sent by their downstream customers they provide internet connectivity to.
The IP addresses belong to the ISP, so they are ultimately responsible for handling any report of abuse in terms of network traffic from those IPs.
If the ISP does nothing, the IPs will eventually get blacklisted,
and most blacklists will make the blacklist entry larger and larger until the ISP responds... e.g. start with blacklisting just that IP, then if it continues, blacklist the entire/24, then if it continues, blacklist that entire RIR registered IP block.
As last step... blacklist the entire AS number.
Amazon EC2 is in the same situation here.
If they don't respond to serious abuse complaints like this, transit providers are going to start blackholing EC2 IPs at their border.
Ah... so it might not be a "violation"?
Their average customer has a legitimate reason for their EC2 VM to be sending a SIP packets to 2000 new IPs every minute, and 100000 distinct IP addresses every hour?
No, not even remotely close. Upgrading ClamAV is trivial and costs nothing.
It costs something, especially for organizations who don't have dedicated staff to handle that and pay consultants/contracters by the hour for technical services.
People may be running ClamAV who don't even know they are running ClamAV, by the way.
I guess maybe their consultant is to blame and they should fired, since they deployed ClamAV in production, which obviously was not reliable: instead they should have bought a professional AV product..
I suppose if they didn't release a demo, I might just find some P2P server and grab a copy of the full game off it, and play it for a few hours, if I think the game might be remotely worthwhile.
Of course danger there is I may like it so much I play all the way through, delete it, and forget about it, without ever buying the game....
Back in the day, before e-commerce, you could try games at the store before buying them, and I always did
I for one am never going to spend money on something I haven't played.
A certain portion of their customers will be the same way, and they will miss out on a marketing opportunity and a lot of potential customers by not offering any demo.
Why the hell did you make a Linux distribution (Oracle Enterprise Linux), buy MySQL and a company that developed Open Source software such as Java and OpenSolaris, if you didn't think Open Source was profitable?
That response is utter nonsense. A virus scanner with sigs that are 6 months old has less value than one which is completely up to date, but that lesser value is not zero.
Delivering an update to disable an AV is destructive, when instead they should have simply refused to deliver patterns updates to the out-of-date AV.
Most viruses spreading via e-mail are very old ones that could be detected even if the patterns are over a year old.
Whether an upgrade is going to be done is properly the system admin's decision alone, and may be influenced whether there is a large outbreak of a new virus.
You're way off base. The ClamAV folks delivered a patterns update that disables the virus scanner, and causes it to return an error every time you try to scan something.
This effectively kills the software when the update is loaded.
I wouldn't be complaining if they had only modified their update servers to deny the ability for 0.94 installations to download antivirus rules.
SUPPORT WILL END does not imply killing instances in production. It implies you stop delivering support services (such as tech support or new updates).
How would you feel if the Ubuntu folks delivered a 'security update' to Ubuntu 8.x to disable your system entirely, until you can get a chance to go install a non-EOL'd major release of your OS?
How about all those Windows Vista users who haven't upgraded to Windows 7?
Firefox 2 users who haven't upgraded to 3.
Users who are still using IE6.
Would users trust the vendors anymore with auto-updates, if they all released updates to 'kill the old product' in order to force you to manually do a clean upgrade?
It wasn't the server going away.
They delivered an update designed to kill it
The Windows equivalent would be Microsoft Delivering a critical update with XP designed to disable windows, because you haven't updated to Vista yet.
In other words, they used the automatic update service against their own users.
From now on, my recommended course of action is that all mail administrators running clamav should REMOVE or DISABLE any automatic updates of ClamAV rules, make sure to comment out any crontab entries for freshclam.
Until the developers can either grow up and stop doing stupid shit such as abusing auto-updates to disable their own product.
Or do what they should do... include a method for automatically applying version updates.
Or force auto version update instead of disabling.
Maybe, if you can find a licensed attorney to go along with it.
Keeping in mind the attorney would be sanctioned and possibly disbarred, if they were found to have brought your claims to the court room without performing their due dilligence investigations regarding factual basis of your claims.
You would likely need to provide tangible evidence to the court of both the existence and nature of said 'invisible purple unicorn witch' and of said 'hex'
A malfunctioning fluorescent light can flicker at a dangerous rate (frequency); it is a liability issue for installing fluorescent lighting in a public place, that a bulb broken or about to go out could trigger an epileptic attack.
It is an unusual risk of fluorescents, when they are not delivering light correctly, and does not apply to normal lighting, or even the fluorescent lighting under normal circumstances, it is a safety measure.
However, we are not talking about fluorescents here, just plain old LEDs and incandescents.
If a company is requiring me to be trained on current technology, then YES, they should at least offer reimbursement for the costs of the training and allow me to study on company time. Once certified, a pay raise is in order if they want to benefit from the skills.
Why is a pay raise in order for benefitting from the skills, when they paid for all the training? They should get the financial benefits that were generated by paying for training.
Newer skills may be getting learned, but the reason they need the training is obviously now the older skills are of less value. Technology changes. When an employee's existing skillset becomes less valuable to the company, and they need training to obtain a certification of a different nature, they are doing the employee a big favor if the employer pays for training they need.
Because the conventional wisdom is to dismiss the existing employee whose current skills are losing value, and hire someone with the skillset and credentials having greater value to the company, at (probably) a lower pay, for a net win.
Instead they paid to get the employee the skills needed to their job. The employee can also expect long term (but not immediate) benefits for having more skills. But the employee put the resources in to allow you to get those skills, and they have the right to the financial advantage obtained through their investment.
I will agree it's within the employer's perogative to offer a raise.
However, the employee wanting or expecting a raise sounds like double dipping to me.
Usually to the advantage of the employee, and normally the employee already has a desk, and electricity costs are inexpensive.
Now if you've heard of an employee whose company decided 'working for home' meant they would need to setup some server racks at their house, and power a portion of the company's IT infrastructure, or power up some heavy-duty office equipment ancillary to inherent needs for them to work remotely, you might have a point about electricity usage and rent...
c) No reference at all and a difficult to explain gap in employment history. All of which could be much more disadvantageous than just paying the money back.
I assume the "gap" would not be a gap at all, and very easy to explain that the former company would not provide a reference, or you were unwilling to accept their reference, because you were in a dispute with them.
It creates whole new classes of problem, where an employee is motivated to do poor work in order to get fired so that they don't have to pay for their training. And since they can be dismissed for a whole host of reasons, then there is ample opportunity for a court battle over who foots the bill.
Then the contract should contain a clause that the employee pays at least half of the cost of training, if they are fired.
Or perhaps the company pays for half the cost of their training upfront, and by contract, the employee will receive a reimbursment for the rest with interest and a substantial "achievement bonus" after 12 months, if still working for the company.
We're talking about SIP brute forcing here, not DoS. Most botnets are not large enough to emit a 1 million pps flood, especially not accidentally, while trying to brute force SIP registration.
Most of the ones that are large enough, are unlikely to be used to create such a large flood against you. They got so large by avoiding detection, and sending too large of floods from a node results in detection.
Large botnets get rented out to perform activities profitable to people who rent services from their owner. Usually spam sending.
Unless you allow IRC on your network, or one of your customers is with the anti-botnet/anti-spam camp and the botnet operator sees you as a threat, or you are a national company suitable for extortion, you are extremely unlikely to be singled out to receive a 1 million pps flood.
You are far more likely to be sending such a flood, due to compromise of hosts on your network.
It is possible to use REINVITE in that way. In most cases it is avoided.
It still wouldn't explain abnormally high outgoing SIP traffic, with the much smaller inbound amounts.
A legitimate SIP proxy that uses REINVITES to move the audio streams elsewhere should still have at least as much inbound control traffic as outbound traffic.
Legitimate phone calls don't come from the Ether, and as far as I know you can't currently buy PRI service or a POTS connection from Amazon for your EC2 instances.
A legitimate PBX should have fairly little SIP control traffic, even when calls are open.
Well, most of the traffic should be RTP audio frames over UDP, or other frames tunneled over TCP.
So if they look at a traffic graph and see SIP usage is extremely high, and RTP / other traffic is basically nonexistent, then it is really quite suspicious.
Unless this is a huge telco's SBC, then they could (in theory) have a dedicated server for control, with separate servers for dealing with audio/media.
4) What's with the 4-6 character passwords, or WORSE, the user name BEING the password? I guess that might be fine in a local network environment where there is a strong physical security presence
Here's what happens: the PBX starts as something local only, with access from only intranet and only company IP addresses allowed. Probably rfc1918 private LAN IPs, maybe some external IP addresses of phones at other branches.
PBX admin initially designs a closed system, and everything works great, and is secure enough. Extension numbers are used for authentication, and secrets are 12345. Or some variation of the extension. This is secure enough for a trusted intranet, and very convenient, makes setup and maintenance a lot easier: no need for techs in the field to call the PBX admin and ask for the password, everyone knows the standard password used by all extensions.
Do not underestimate the inconvenience and cost regarding time and hassle involved for everyone in using a more complicated username/password assignment scheme. Security does not have an infinite value, there are always tradeoffs between the probability that a security measure prevents an attack, and the actual costs of the security measure (password management is expensive, and setting strong distinct passwords, and strong authnames for every phone is an expensive proposition).
6 - 12 months after the PBX gets deployed, some PHB in sales or upper management decides it would be really cool for them to be able to plug a phone when they are on the road, at whatever Hotel they are visiting, and at home.
They determine that connecting to the VPN is too much an inconvenience, so they order the Firewall admin to allow external IPs on the internet to be able to connect to the PBX.
So they can connect on the road. The PBX admin never hears about any of this.
It was configured in such a way that it would be a really bad idea to open it to the outside world, but other people want to do their own thing based on what they believe, understand, or think the technology is capable of (probably from talking to folks in other companies who plug their phones in wherever they want on any external network).
There is a piece of equipment that can handle this: it's called a router. And it can do all that in hardware at wire speed.
De-Peering isn't the only option.
Imagine if a bunch of Tier1 and Tier2 providers (who don't peer with them) adopted a policy of blocking all Amazon EC2 IP ranges at all border routers?
This is basically like an ISP arguing they are not responsible for spam sent by their downstream customers they provide internet connectivity to.
The IP addresses belong to the ISP, so they are ultimately responsible for handling any report of abuse in terms of network traffic from those IPs.
If the ISP does nothing, the IPs will eventually get blacklisted, and most blacklists will make the blacklist entry larger and larger until the ISP responds... e.g. start with blacklisting just that IP, then if it continues, blacklist the entire /24, then if it continues, blacklist that entire RIR registered IP block.
As last step... blacklist the entire AS number.
Amazon EC2 is in the same situation here. If they don't respond to serious abuse complaints like this, transit providers are going to start blackholing EC2 IPs at their border.
Eventually, this could make EC2 useless....
It is trivial for Amazon to confirm the report by actually observing the traffic themselves before they act.
Ah... so it might not be a "violation"? Their average customer has a legitimate reason for their EC2 VM to be sending a SIP packets to 2000 new IPs every minute, and 100000 distinct IP addresses every hour?
No, not even remotely close. Upgrading ClamAV is trivial and costs nothing.
It costs something, especially for organizations who don't have dedicated staff to handle that and pay consultants/contracters by the hour for technical services.
People may be running ClamAV who don't even know they are running ClamAV, by the way.
I guess maybe their consultant is to blame and they should fired, since they deployed ClamAV in production, which obviously was not reliable: instead they should have bought a professional AV product..
I suppose if they didn't release a demo, I might just find some P2P server and grab a copy of the full game off it, and play it for a few hours, if I think the game might be remotely worthwhile.
Of course danger there is I may like it so much I play all the way through, delete it, and forget about it, without ever buying the game....
Back in the day, before e-commerce, you could try games at the store before buying them, and I always did
I for one am never going to spend money on something I haven't played.
A certain portion of their customers will be the same way, and they will miss out on a marketing opportunity and a lot of potential customers by not offering any demo.
Why the hell did you make a Linux distribution (Oracle Enterprise Linux), buy MySQL and a company that developed Open Source software such as Java and OpenSolaris, if you didn't think Open Source was profitable?
That response is utter nonsense. A virus scanner with sigs that are 6 months old has less value than one which is completely up to date, but that lesser value is not zero.
Delivering an update to disable an AV is destructive, when instead they should have simply refused to deliver patterns updates to the out-of-date AV.
Most viruses spreading via e-mail are very old ones that could be detected even if the patterns are over a year old.
Whether an upgrade is going to be done is properly the system admin's decision alone, and may be influenced whether there is a large outbreak of a new virus.
You're way off base. The ClamAV folks delivered a patterns update that disables the virus scanner, and causes it to return an error every time you try to scan something.
This effectively kills the software when the update is loaded.
I wouldn't be complaining if they had only modified their update servers to deny the ability for 0.94 installations to download antivirus rules.
They should have altered their update servers to no longer deliver new update files to .94 installations.
The admins could then notice freshclam failures, or 'patterns not up to date' on their spam filtering devices' web interfaces.
Which is a better outcome for them than lost critical e-mail.
No, they delivered a virus patterns update containing a rule to prevent the scanner from running at all.
If they just modified their servers to refuse to deliver updates to the old version of the software, it would not be a front page news item.
SUPPORT WILL END does not imply killing instances in production. It implies you stop delivering support services (such as tech support or new updates).
How would you feel if the Ubuntu folks delivered a 'security update' to Ubuntu 8.x to disable your system entirely, until you can get a chance to go install a non-EOL'd major release of your OS?
How about all those Windows Vista users who haven't upgraded to Windows 7?
Firefox 2 users who haven't upgraded to 3.
Users who are still using IE6.
Would users trust the vendors anymore with auto-updates, if they all released updates to 'kill the old product' in order to force you to manually do a clean upgrade?
It wasn't the server going away. They delivered an update designed to kill it
The Windows equivalent would be Microsoft Delivering a critical update with XP designed to disable windows, because you haven't updated to Vista yet.
In other words, they used the automatic update service against their own users.
From now on, my recommended course of action is that all mail administrators running clamav should REMOVE or DISABLE any automatic updates of ClamAV rules, make sure to comment out any crontab entries for freshclam.
Until the developers can either grow up and stop doing stupid shit such as abusing auto-updates to disable their own product.
Or do what they should do... include a method for automatically applying version updates.
Or force auto version update instead of disabling.
I believe the progression was...
Injury was caused by impacting the floor in an unnatural way.
Impacting the floor was caused by falling.
Falling was caused by losing footing.
Loss of footing was caused due to misstepping on balance board device.
Misstepping on balance board device was caused due to poor balance while playing some Wii fit mission.
Therefore, Wii Fit caused the misstep, therefore the fall, therefore the impact with the floor, therefore the injury.
Thus Wii Fit is a root cause for the injury.
Maybe, if you can find a licensed attorney to go along with it.
Keeping in mind the attorney would be sanctioned and possibly disbarred, if they were found to have brought your claims to the court room without performing their due dilligence investigations regarding factual basis of your claims.
You would likely need to provide tangible evidence to the court of both the existence and nature of said 'invisible purple unicorn witch' and of said 'hex'
A normal fluorescent light poses no danger.
A malfunctioning fluorescent light can flicker at a dangerous rate (frequency); it is a liability issue for installing fluorescent lighting in a public place, that a bulb broken or about to go out could trigger an epileptic attack.
It is an unusual risk of fluorescents, when they are not delivering light correctly, and does not apply to normal lighting, or even the fluorescent lighting under normal circumstances, it is a safety measure.
However, we are not talking about fluorescents here, just plain old LEDs and incandescents.