Slashdot Mirror


User: jroysdon

jroysdon's activity in the archive.

Stories: 0
Comments: 839

Comments · 839

  1. Re:The need for BAPPs (Big-Ass Peering Pipes) on ISP Dispute Causing Connectivity Issues for Customers · · Score: 1

    Cogent can drop their peer links to Telia. But they shouldn't drop traffic from Telia via other peers that are paying for transit through Cogent.

    It's like a shipping company saying, "Yeah, we deliver there" and then ditching the delivery. If Cogent says they deliver somewhere (say UUNET), don't drop traffic to UUNET just because the source was from Telia. In reverse, don't drop traffic to Sprint just because the final destination will be Telia.

    The problem is that Cogent is actively saying they can get traffic from point A to point B, but then if the traffic is to/from Telia they drop it.

    What should occur is that all Cogent customers should threaten to pull their plugs with Cogent for breach of contract if they don't fulfill their transit agreements. If everyone did that, Cogent would cease to exist or they'd stop lying that they provide transit and then everything would right itself. The reality is that the amount of Telia customers affected may be too small to make the Cogent customers act.

  2. Re:Route around? on ISP Dispute Causing Connectivity Issues for Customers · · Score: 3, Interesting

    Cogent's customers need to sue Cogent over this. It's fine if AS174 (Cogent) doesn't want to accept routes that include AS1299 (Telia). However, if AS174 announces AS81's prefixes to its peers, which in turn peer with AS1299, then it must accept all traffic to AS81, as they have a contract agreement (customer or peer) with AS81 (where groklaw.net is hosted) and with the intermediate peer. It doesn't have to give AS81 any routes to AS1299, and AS81 has other peers that can route the traffic to AS1299, so the return traffic doesn't even need Cogent.

    Cogent is breaking things by announcing a prefix and then blocking traffic to it (in AS81's case) if it comes from an AS they don't like. Or, it may be that the downstream customers are just using default routes and blindly sending traffic for AS1299 which AS174 is just dropping.

    However, if Cogent is sending a default to customers, they have an obligation to learn all prefixes available from any peer they have, no matter the originating AS.

    Shame on Cogent. Play by the rules. You don't have to peer with Telia, but honor the peering agreements you have for other customers to transit to any peer that has a peering agreement to get to Telia.

  3. Re:Route around? on ISP Dispute Causing Connectivity Issues for Customers · · Score: 1

    I looked up the groklaw.net site (152.46.7.105), and then see it is coming via AS81 (North Carolina Research and Education Network), which has a BGP path (peer or customer) to AS174 (Cogent).

    AS174 shows it is announcing AS81 groklaw.net site prefix 152.46.7.0/24 to big peers like AS701 (UUNET/MCI/Verizon), AS7018 (ATT), AS1239 (Sprint). Telia also peers with all 3 of these Tier 1 ISPs.

    Cogent is violating its peering agreements with those peers by not routing traffic from them to AS81 (which they must do if they announce AS81's 152.46.7.0/24 prefix) and/or traffic from AS81 (which would no doubt be breaking contract to their customer to provide transit).

    Look for yourself: BGPlay and put in 152.46.7.0/24 and you can see the peers AS81 has.

    Use "whois as1299" to see Telia's peering agreements. You can also see from telnet route-views.oregon-ix.net using the command show ip bgp 152.46.7.0 that AS174 is AS81's major peer (but not only peer).

  4. Re:Their customers are reacting on ISP Dispute Causing Connectivity Issues for Customers · · Score: 1

    They'd need more than just their own AS, they'd need provider-independent space and/or netblocks not from Telia. Otherwise, I suspect Cogent would still drop the traffic.

  5. Re:Route around? on ISP Dispute Causing Connectivity Issues for Customers · · Score: 1, Informative

    I think the bigger problem is that some of Telia's links didn't have any other path except Cogent. That should mean that those Telia sites are totally dead in the water. If they're routing properly, and have multiple paths to other providers, it shouldn't matter if Cogent shuts down a link (except things just get slower).

    Telia should be able to send traffic via their other link(s) which should also have peering at some point to Cogent. The other problem that I suspect is that Cogent is dropping Telia traffic coming in from Cogent's other peers. Cogent shouldn't do this, it breaks the internet. If Cogent is announcing prefixes to other peers, they need to receive all non-abusive traffic from those other peers, not null-route it.

    In short, even if I won't talk to you directly, if we have a mutual friend, we can route messages through that friend. However, it sounds like Cogent is just ignoring messages from Telia to spite them. They're actually doing both Telia and Cogent's customers a disservice.

    I'm not just guessing at this, I do BGP work regularly for 2 smaller ILECs and customers that are multi-homed with 2-4 peers each.

  6. Re:There are differences between Windows/*nix on Should Mac Users Run Antivirus Software? · · Score: 4, Insightful

    Yes/no. While you can run as a non-admin user on Windows, many apps won't work this way. At a minimum many require Power User access (I think that is the group). I set up my in-laws to use a non-Admin and they cannot access their Kodak camera unless they switch to Administrator (which they do and tell it to download, and then switch back to their regular user). They rarely install apps, but if they need to, again, they just switch to Administrator (showing them how to "Run As" is harder than just having them switch users). I can't recall the rest of the apps, but a number of customers cannot run as a non-local administrator.

  7. Re:In other news on Supreme Court to Hear FCC Indecency Case · · Score: 1

    Yes, Christian propaganda like not bowing to an evil ruler who wants you to violate your personal beliefs (Rack, Shack, and Benny (aka Meshach, Shadrach, and Abednego)), not lying to cover up your mistakes (the fib from outer space), helping others in need that are different than you ("Are You My Neighbor", aka the Good Samaritan), Madame Blueberry (the "Stuffmart" - being happy with what you have) - those evil Christian beliefs taught by VeggieTales - I'd hate for anyone to corrupt their children with that propaganda.

    Heh, sorry, Christian or not, I don't know how you can get mad about VeggieTales. It's so watered down, it's barely Christian (which I say to mean "pro-Christ"), especially the version on TV these days. It's more like the positive thinking/acting words they put on the school bulletin boards these days.

  8. Re:In other news on Supreme Court to Hear FCC Indecency Case · · Score: 1

    Go one step further and use a MythTV setup with different Groups and put passwords on the groups. VeggieTales and 3-2-1 Penguins are in the password-less Kids group, everything else is in other groups, to be watched with a parent present.

  9. Re:TCP MD5 signatures on FCC Considers Taking Action Against Comcast · · Score: 1

    Using the TCP MD5 signature that BGP uses doesn't break TCP, which was my point for bringing it up. No hardware/software in between the hosts would have to be modified. However, TCP MD5 is a hard thing to get working without root access to the host (I found out after looking into this).

  10. TCP MD5 signatures on FCC Considers Taking Action Against Comcast · · Score: 1

    I haven't paid much attention to this as I don't use BitTorrent that much to download to my house, where I have Comcast. I typically download to my colocated box with BitTorrent, and then download via FTP to home once it completes.

    However, a thought occurred to me, as a work-around until this issue is "fixed." The problem, from what I've read, is that Comcast is sending spoofed TCP RST packets. I'm assuming this causes the peers to tear down, or at a minimum have to re-establish a TCP session.

    How much overhead would it add to add TCP MD5 signatures? I know we use this with BGP so that no one can fake RSTs which would cause routing peers to drop and major routing flaps (RFC 2385).

    Could TCP MD5 signatures just be added to RST packets? What method would be used to share the key (and how to prevent a man-in-the-middle attack?)? I just use BGP and TCP MD5 signatures already built into Cisco products, I didn't design any of it and don't have time to look into these details, however it seems to me that it would solve the problem.

    I'm not sure if TCP MD5 signatures work with NAT, so that may be a problem if they do not. Perhaps MD5 is too old, and SHA or something else should be used instead - again, I don't know the technical details, but someone should use the same principle to solve this RST problem, especially if BT is ever going to be a major business software deployment model.
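The RFC 2385 check discussed in comments 9 and 10, as an added example that is not part of the original comments: it signs a RST with the TCP MD5 option and shows that a receiver holding the shared key rejects RSTs that lack a valid digest. The addresses, ports, sequence numbers and key are constructed, the TCP checksum is left at zero (RFC 2385 zeroes it for the digest anyway), and the two ends are assumed to have shared the key out of band.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18  # RFC 2385 option: kind, length, 16-byte digest
RST = 0x04

def tcp_header(sport, dport, seq, ack, flags, options_len=0):
    """Fixed 20-byte header; window, checksum and urgent pointer are left at 0."""
    offset = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, offset << 4, flags, 0, 0, 0)

def rfc2385_digest(src, dst, segment, key):
    """MD5 over pseudo-header, header minus options (checksum zeroed), data, key."""
    hdr_len = (segment[12] >> 4) * 4
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[hdr_len:] + key).digest()

def sign(src, dst, sport, dport, seq, ack, flags, key, payload=b""):
    """Return a segment carrying the MD5 option, padded with two NOPs to 20 bytes."""
    prefix = tcp_header(sport, dport, seq, ack, flags, 20) + b"\x01\x01" + bytes([MD5SIG_KIND, MD5SIG_LEN])
    digest = rfc2385_digest(src, dst, prefix + bytes(16) + payload, key)
    return prefix + digest + payload

def find_md5_option(segment):
    """Walk the TCP options and return the 16-byte digest, or None if absent."""
    end = min((segment[12] >> 4) * 4, len(segment))
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= end or segment[i + 1] < 2 or i + segment[i + 1] > end:
            break                # malformed option: stop parsing
        if kind == MD5SIG_KIND and segment[i + 1] == MD5SIG_LEN:
            return segment[i + 2:i + MD5SIG_LEN]
        i += segment[i + 1]
    return None

def verify(src, dst, segment, key):
    """Accept a segment only if it carries a digest that matches our key."""
    received = find_md5_option(segment) if len(segment) >= 20 else None
    return received is not None and hmac.compare_digest(received, rfc2385_digest(src, dst, segment, key))

def demo():
    # Constructed sample: documentation addresses, made-up ports, sequence number and key.
    a, b, key = "192.0.2.10", "198.51.100.20", b"constructed-shared-secret"
    genuine = sign(a, b, 51413, 6881, 1000, 0, RST, key)
    unsigned = tcp_header(51413, 6881, 1000, 0, RST)              # spoofed RST, no option
    wrong_key = sign(a, b, 51413, 6881, 1000, 0, RST, b"guess")   # spoofed RST, guessed key
    tampered = genuine[:4] + struct.pack("!I", 2000) + genuine[8:]  # sequence number altered
    return {
        "genuine": verify(a, b, genuine, key),
        "unsigned": verify(a, b, unsigned, key),
        "wrong_key": verify(a, b, wrong_key, key),
        "tampered": verify(a, b, tampered, key),
        "overhead_bytes": len(genuine) - len(unsigned),
    }
```

The option costs 18 bytes, 20 on the wire once padded to a 4-byte boundary, and because the digest covers the IP addresses in the pseudo-header it stops matching if a NAT rewrites them.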

  11. Re:Well, what did you expect? on Posting Publicly Available URL Claimed a "Hack" · · Score: 1

    I'm not a lawyer, this is just personal experience:

    I believe you've got the law wrong. A friend some years back woke up to find a homeless person sleeping on their couch. The husband had left early in the morning for work and forgot to lock the front door. She called the police - police said to ask him to leave - he did. They wouldn't dispatch. Unless you have posted "No Trespass" it isn't trespass. Unless you lock a door, it isn't breaking and entering.

    If he had refused to leave, the police would have dispatched.

    Obviously they just need to put some sort of password interface on there. Then, when someone who hasn't been given the password accesses it, they are breaking in since they shouldn't have the password (this is the same as someone making a copy of your car key - just because they have a key doesn't mean they got it legally).

    The problem here is that a URL is not a key or password. They are trying to act as if it is, but it is not. If you somehow could prove that finding a URL you were not meant to have was the same as copying someone's key illegally, they'd have a point. However, I don't think in this day and age that's ever going to be true. Too many times I get emails from friends and family and go there and share it with others. No one sees this as copying a key and giving access.

    Put a password on it, and it is clear anyone trying to access would be in trouble if they shouldn't be accessing it.

  12. Re:Freenet on Bank Julius Baer Issues Statement On WikiLeaks · · Score: 1

    3-4 different news stories provided links to other sites that have it, including Cryptome and The Pirate Bay. All the lawyers have done is cause this to explode into the headlines and push the contents all over the internet. One site I saw had over 50 links to other sites in many different country code domains (and assumingly hosted locally) with the content.

    No doubt you'd need to be a CPA to figure out if the content has any real value. But I look at this like Watergate - what if the next Bob Woodward and Carl Bernstein - fearing for their lives (in any country), wanted to publish via Wikileaks or the like? I don't think you can block that if you care about freedom of speech.

    If you care about freedom, you have to let lies and half-truths be told, cults to spread their mess, and then let others take those on point-by-point to discredit and expose it. If someone's financials have been exposed, that bank is the only one to blame. If it is fraudulent, then let the persons involved state as such and perhaps prove it if need be. The truth will come out one way or another.

    Letting any one authority have the ability to silence speech will eventually turn bad - we know at the core a person's nature is selfish - just with varying degrees - and when you get someone with the wrong degree of selfishness, they'll abuse the authority.

    Personal pet peeve regarding Freenet: there is no way to not be a tool in spreading child porn with Freenet. Once you connect, you are spreading whatever is in Freenet. You have no idea what it is you are transmitting (which is good from a freedom standpoint). At least with something like Wikileaks there is some filter for that sort of content (I doubt they will post things of that nature), and if you are a mirror you could choose what content not to mirror.

  13. Re:This is all ridiculous and breeds future behavi on Internet Pranks in Schools · · Score: 1

    Uhm, what? Any child talking back to a teacher in my children's school is given a warning and usually has recess yanked. Twice in the same day has their parents talked to. Twice in the same week will end them up in the principal's office. Too many of these and you're on suspension. Disrupting class too many times like this (too many suspensions), and you're out of the district, and this is public school.

    Sounds to me like the teachers need to stand up and fill the principal's office up if need be.

  14. Re:Biometric on Hardware Based OpenID Service Available · · Score: 1

    But then the downside to MoC or MoR is that it only works at that one location (or you have to push it out to all the PCs you want it on). If I have multiple PCs or even public terminals I want to authenticate from, it's no good, right?

    Also, by storing the fingerprint on the PC, the PC's physical security is a big deal - the same that is true of a private/secret key for SSH or GPG. But at least with GPG I can revoke a public key (and have stored revokes ready to go already) and/or time expirations. With my fingerprint stored locally, once it is stolen, it's stolen (has anyone made Mission:Impossible fingers that you can "print" a finger image on?). Whole new level of "identity fraud" there, eh? I guess the same is true if it is remote on a central server, but at least that server should be highly secure just as the CA root private stores are to be.

    So I guess for local security to your PC you could use biometrics, but really for remote security you want some sort of SecurID type deal (which you can revoke if lost, and isn't vulnerable to a man-in-the-middle attack). Just thinking out loud here.

  15. Biometric on Hardware Based OpenID Service Available · · Score: 1

    When I read this story, I decided to get my Thinkpad fingerprint working.

    So ThinkFinger stores 3 copies of what my finger looks like on my local PC. That makes sense for auth on a local machine. How does this work on an enterprise scale? Are the fingerprint details sent to a remote central storage system which then confirms a match?

    If that assumption is correct, how would OpenID-enabled websites work with that? Would your account somehow point to your OpenID "provider" which would have your fingerprint to confirm authentication against? Would the fingerprint go just from the PC you are at to the OpenID provider, which will say, "Yes, it's good" or go via the website first?

    With such a single sign-on system, if it did go to the website first, wouldn't there be a danger of some "bad" (or compromised) website storing my fingerprint? I know I don't have my head around how this all works just yet - any good explanation of the technical details? The overview doesn't help much there.

  16. Re:Let this be a lesson for beta testers on Microsoft Had Doubts About the 'Vista Capable' Label · · Score: 1

    Part of the problem is that so many apps expect you to have Local Administrator access.

    A PC I set up for my in-laws has fits about a new HP printer they got. Even after downloading the latest 150+MB "full install" from HP, uninstalling the old, and installing the new, the non-Administrator account I have for them still doesn't want to recognize the printer is connected all of the time (print jobs show in the queue if it is paused, but once un-paused never print). If it is rebooted, or switched to the Local Admin it works just fine.

    Their camera (Kodak, I think) won't let them connect and download w/o Local Administrator access as well. For this, they just switch user to the local Admin, start the picture transfer, and switch user back to their non-admin account to look at and edit the photos. Very lame though.

    However, since I installed this machine for them 14 months ago, no other problems, no infections, no nothing. Granted, they have automatic Windows updates enabled, Firefox installed with auto-update enabled (and IE is disabled), AVG Free, and they don't install a bunch of junk.

    What I really wanted to do was switch them over to Fedora, but the support curve is too steep and I've no time. Every single app they use (except a few HP-bundled and Kodak-bundled apps) is OSS now: Firefox, Thunderbird, Picasa, and I bet if there were any Windows apps I could make them run under Wine.

  17. Re:Can you do this? on Examining the Search and Seizure of Electronics at Airports · · Score: 1

    As lame as this sounds, I'd just ship a spare laptop with a current backup on it. Just before you depart, backup the current laptop and leave it at home. When you arrive, download your changes. Before you leave, upload your changes and ship the laptop back. If your laptop is that crucial to business, your business should be able to afford two.

    The other option would be to check the laptop and not carry it on. I doubt they do much of anything with checked laptops. That's a pain, but just read a book instead of having your laptop with you.

  18. Re:Begs the question... on E.U. Regulator Says IP Addresses Are Personal Data · · Score: 1

    Same guy that owns ::1

  19. My local power utility already has this - optional on California Utilities to Control Thermostats? · · Score: 2, Informative

    We already have this in Modesto Irrigation District for at least 4 years. It's optional at this point, but I've signed up for it every place I've lived. You get a $5/month credit during the 5 peak months for letting them install this box on your AC unit. Basically, during peak times they can tell your AC to not run for up to 15 minutes per hour. So it's not like you're without AC. For 45 minutes it's on, for 15 off, and so on, and only during peak times. With a regular fan (the kind on a stand that moves left to right, right to left, repeat) pushing the air around you don't even notice it.

  20. Secure disk erase, give it to the kids for fun on How to Say Goodbye to Old Hard Drives? · · Score: 1

    My kids love the magnets inside, and the copper-goldish platters are cool too.

  21. Re:Raises through obtaining skillset / marketabilt on Young IT Workers Disillusioned, Hard to Retain · · Score: 1

    What I'm talking about isn't being opportunistic. I'm recommending adding new skills that the market wants, and ask your employer to pay you more for it. If they're not interested, no problem, move along.

    Asking for a raise and/or leaving in the middle of a project is just going to breed bad feelings and burn bridges.

    Also, if you're new or starting out, ask early on what merit raises are available. Are there some hoops you can jump through (certs, project completions, etc.) that can get you raises faster?

  22. Re:Sometimes it is not being spoiled.. on Young IT Workers Disillusioned, Hard to Retain · · Score: 1

    Current certs just show you're keeping up with the times. I have to renew 4-5 certs every 2-3 years (CCVP, CCDP, IP Telephony Design Specialist (CQS-CIPTDS), Cisco Rich Media Specialist (CQS-CRMCS), Cisco Express Design Specialist (CXFS)).

  23. Re:Office? You _must_ be new here. on Young IT Workers Disillusioned, Hard to Retain · · Score: 1

    My company's CEO is a CCIE (Lance Reid, CCIE #14888, verify CCIE status). He doesn't have an office as he's always meeting with customers bringing in more sales - that and we're so mobile we use any old conference area as a desk. Non-technical management is the problem most places, IMHO - I think Dilbert refers to them as PHBs.

  24. Re:Not completely unbiased.. on Young IT Workers Disillusioned, Hard to Retain · · Score: 1

    But a degree is totally unnecessary in 90% of IT positions. IMHO, a BA/BS or MA/MS only helps you beat out someone with the same skillset. Except, they've got 4-6+ more years of experience already than the fresh-faced graduate. Again, IMHO, a degree is only needed if you want to go into management or want a fall-back to switch careers.

  25. Re:Sometimes it is not being spoiled.. on Young IT Workers Disillusioned, Hard to Retain · · Score: 4, Informative

    Working for any government agency has other perks. You've got as many or more holidays as a bank and the same hours. The pay is lower, but the stress and time in the office is much lower. Short of committing a felony, you're pretty much guaranteed a job for life once past review periods.

    This is just my two cents working at IT companies who do work for government agencies and in my experience interfacing with their staff.