My experience has been that an awful lot of shops try to use a canned methodology to compensate for the fact that they don't have good people. This simply never works. Having tons of documentation describing how your systems differ from a vendor-supplied baseline, what steps to go through to install something new, how you're going to test the changes, etc, etc, etc, is useless if the people doing the work aren't competent. They'll still find a way to fsck it up.
No amount of testing will save you if the tests aren't performed by people qualified to interpret the results, and as QA systems often differ from production ones, there is no substitute for having sysadmins who have a solid understanding of what's going on.
I've been in several shops that have attempted to adapt software development lifecycle practices to system administration. The most common result is a bunch of documentation requirements that slow operational processes down to a crawl and don't end up increasing their reliability. A more productive approach would be to hire top-flight sysadmins and to invest in QA systems that accurately reproduce operational conditions, so that the testing is meaningful. Why is this done so infrequently? Because it costs money and can't be accomplished by management fiat.
This guy has two problems:
1. He's lazy. There are jobs to be had in IT. Some of them don't pay well. Some of them involve difficult working conditions or long hours. My first sysadmin job suffered from all three problems, but it taught me enough that I could get a better job. It's harder to get a job without a college degree, but plenty of people pull it off (I did). He could go to school, too, but I suspect it doesn't satisfy his need for the quick and easy.
2. He's morally defective. The fact that his actions cause harm to others doesn't bother him. The fact that his black hat activities damage the very field that he wants to work in doesn't bother him, either.
In my professional opinion, Cringley is full of it. I've been a unix sysadmin for the last ten years. I've run big shops and small ones, I've been a grunt and a manager. There is exactly one reason that Apple doesn't have MS's mindshare in industry: marketing. Period.
I have recommended Macs as desktop machines to all kinds of customers just about forever. Believe me, it won't put me out of a job. Configuration management, software distribution and system administration tasks that are not the end-user's reason for being employed will have to be taken care of by someone no matter what platform is used. No business wants to have its accountants, programmers, scientists, photographers, etc, etc, etc spending their time messing with their computers. There will always be a role for professional IT people.
My experience has been that when I argue in favor of Apple, the pointy-hairs essentially come back with all kinds of marketing rhetoric. MS wines and dines them. MS gives them slick presentations with lots of big numbers. MS gives them free stuff. MS whispers FUD in their ears. Apple does none of this, they just sell a better product. Apple doesn't give those slick presentations. They don't offer to help port your legacy code for free or to send legions of droids to the customer's site to hold their hands during the conversion. They do not fight Microsoft's mass-market juggernaut.
The only conspiracy is the one in Redmond. Technical IT people aren't stupid and they aren't gullible. Having better tools would mean being able to get more done, not less work to do. If everyone used Macs instead of Windows, productivity would improve, but so would demand. Users would expect to get more and higher quality work done. Demand for IT support wouldn't go away, by a long shot. Cringley: try actually working in an IT shop sometime.
It depends on what you mean by "imitate film." IMO, the CCDs in most digital cameras have a dynamic range, color fidelity and exposure latitude that's comparable to that of a slow color slide film. Like slide films, most CCDs produce more saturated images when slightly underexposed. I personally find that the old rule of exposing for the shadows and processing for the highlights is almost exactly reversed with digital cameras (blown-out highlights are basically gone, but I can post-process for shadow depth). You are correct that the old zone approach is only partially applicable.
I don't mind spending time in Photoshop; I used to spend lots of time in a darkroom. Post-processing and printing a digital photo is an art in and of itself, just like wet-darkroom work. I don't do digital IR photography, but I do a lot of B&W. I basically never use my camera's B&W mode. I get far superior tonality using various post-processing methods to get a black and white image. The camera's B&W mode is too lossy, too noisy and too contrasty for my taste. The only thing I ever use it for is to help previsualize something as I'm shooting it. Frankly, there's no reason NOT to record in full color. If you like the color image, wonderful, you can store it right alongside whatever B&W conversion you do after the fact.
I absolutely agree with the sentiment that digital camera vendors should be putting their efforts into things that really matter to photographic quality (like more versatile CCDs, better lenses, etc), but as I said in an earlier post, marketing rules. I could write a very similar rant about the travails involved in doing decent B&W printing on an inkjet, but that's really off-topic...
This isn't all that different from the (nearly worthless) magnification numbers quoted when advertising the zoom capability that just about every compact camera now has. For example, a lens with a 35mm-equivalent range of 35-105 is advertised as being "3x." What that really means is that the difference between minimum and maximum focal length is a factor of 3. It DOES NOT mean that at maximum magnification, images will appear 3 times bigger than they are (50mm is approximately "normal," so 105 is much closer to twice that than three times that). This isn't deceptive, it's just the way these things are marketed. The marketing of (nearly worthless) digital zoom features is equally irritating. Most of those amount to nothing more than in-camera cropping. If you want to throw away pixels, you really should do that in post-processing, but marketing prevails, and unfortunately, people probably make buying decisions based on that kind of crap.
Yes, the "more megapixels is better" thing is dumb, but most people have no idea what they're actually buying, and the "mine is bigger than yours" strategy sells equipment. I "still" use a 3 MP camera. There are plenty of times that more pixels would be a benefit (so that I can crop more severely while still maintaining high enough PPI for satisfactory printing), but there are many, many factors that I think are more important than megapixels (who wants a lot of pixels in an unsharp image captured by a camera with lousy optics?).
I'd love to be able to buy a new high-end digital camera every year or so, but I'm not a pro, and I can't put that kind of money into my hobby. The bottom line is that if my system is good enough when I buy it, it's probably still good enough a ways down the road (I still use film systems that are 20+ years old...). It's sad that people allow themselves to get sucked into the upgrade treadmill, but it's just marketing, and the vendors rely on it.
...at least not in the sense that it applies to their software. I agree with the posters who argue that some of this is about control, and how the BSA wants it for itself. I also think that software vendors DO NOT want to eradicate software piracy. They DO NOT want a world in which their code can't be copied, and people instead pirate code from companies that don't use the technology or switch to free OSes. The fact that MacOS X installs without license keys or other copy protections is not accidental. The bottom line is that the software vendors want you to use their code more than they want you to pay for it up front. In the current scheme, they can get the BSA to shake you down for cash after the fact, but they want those eyeballs seeing their software.
Every time I've been away from computing for a while and come back, I'm reminded of the scene at the beginning of Neuromancer where Case jacks in for the first time after getting his nervous system fixed. Absolutely fantastic half-page or so of text. Those images have stuck with me for a lot of years.
If you repeal the laws that create the local monopolies, what do you plan to do about the existing monopolies? What's going to moderate the behavior of those monopolists in the absence of competition OR regulation?
How are you going to promote competition in your newly-deregulated cable industry? Building all that infrastructure costs a lot of money. How can you compel existing infrastructure owners to allow others to lease time on their networks at sane rates without regulation? How are you going to encourage startups to build infrastructure knowing that the existing monopolists can buy them out or otherwise crush them at whim?
Even if you don't believe in the idea of a natural monopoly (and thus the need to regulate those monopolies), how would you prevent outright collusion in your deregulated cable industry? Wouldn't it be better business for a bunch of little cable startups to band together to protect themselves instead of competing openly?
Personally, I agree 100%. That said, the average consumer seems to be unbelievably open to marketing, and utterly willing to suspend disbelief in the face of advertising.
Most cell phones DO work badly, and the cellcos have long ago figured out that it's cheaper to market the hell out of essentially worthless products (like ringtones or Java/BREW videogames) than it is to build infrastructure.
Personally, I will never, ever pay for a ringtone. I will likewise never pay to play games on my phone or to use it to take pictures. What I want is better network coverage and a handset durable enough to put up with my abuse. Those are features I'd be willing to pay for, but I'm obviously not the targeted market...
This will only work in a society where driving is considered a privilege, and not a right. In the US, at least, it seems as though just about everyone is allowed to drive, almost regardless of the damage they've done in the past. Mandatory retesting of every driver would be hideously expensive and pointless unless the tests were changed to make them mean something (see my first point as to why that won't ever happen). Heavy fines for causing accidents would only work if you could convince people that a reasonable mechanism for determining fault exists. The current police/insurance company mess won't do. There are, for example, states in which ANY accident in which you strike another car from behind is, by definition, your fault. Sane speed limits and non-selective enforcement of traffic laws would also go a long way.
The problem is not that companies hire programmers without college degrees. It's that they hire incompetent programmers. The two are not the same thing. Holding a degree doesn't make one a good programmer, it just means that one is good at a certain (narrow) type of academic exercise. Whether or not one produces good code is a completely different question.
My experience has been that companies hire incompetents because their interview process is not adequate to weed out the lousy applicants. Plenty of terrible coders have college degrees, and all sorts of certifications. The bottom line is that there is no substitute for allowing experienced technical people to control the hiring process.
That said, I don't agree with the posters who say that college doesn't teach you anything. I think a lot of people who haven't been to school are not disciplined enough to learn the theoretical basis for what they do on their own. That's not to say that it's impossible, just that those people who do manage to teach it to themselves are the exception. Again, an interviewer has to know his stuff well enough to be able to tell the difference.
I agree that software engineering is not CS. System administration is also not CS. Many of your points apply to hiring sysadmins as well as coders. In an industry that changes as fast as ours, it's unrealistic to expect that the college system will be able to produce a steady supply of competent practitioners of our arts. Some graduates can hack it, some can't, and the same is true of people with little formal education.
In some environments, patching IS difficult. This can happen both because of politics (e.g. managers who'd rather take the risk of being insecure than the downtime involved in maintenance, as insane as that sounds), and because validation testing is a big deal on business-critical systems. If the patch breaks your box or your home-grown (and potentially broken) application code, it's as good as a DoS. It's also the case that amongst said managers, the level of security knowledge is SO low, the idea of "best practices" is totally alien. If they do get owned, they can defend themselves by weaseling because their peers don't know any better.
IMO, it's not so much that companies see security as a luxury, as they see it as being largely unimportant to the bottom line (again, as insane as that sounds).
As you accurately pointed out, security is not a procedure, it's a mindset. There are lots of corporate managers out there who are still in the mindset of "keep doing what I think makes money, no matter how much those techies scream about security or anything else."
Most cracks can be prevented. Many managers don't care. It's not always the case that admins don't know better.
The BBS scene is alive and well, especially (but not exclusively) in the hacking/phreaking subculture. Check out http://napalm.firest0rm.org/issue6.txt for a decently up-to-date list of active BBSes.
A few points: First of all, Windows 9x machines have no conception of privileged ports or privileged users. If you allow them on your network at all, any user could be running the same unauthorized services under Windows that they could be under *nix.
You may be able to physically secure YOUR systems, but what's stopping a user from bringing in a laptop and plugging it in instead of their desktop? A user with physical access to your LAN can circumvent these security measures (even if your switches insist on having certain MACs on certain ports...).
Finally, I don't know what you're talking about regarding "packet storms," but it's certainly the case that if you have systems which are wholesale into using plaintext protocols and insecure trust relationships, you have much, much more serious security problems.
I certainly can't speak to why ALL the customers who signed the NDA did so. What I can speak to is why my company (a decently large telecom company which shall remain nameless) did so:
Sun had a software patch that they felt might help alleviate the problem (I still can't reveal the details of what it does or why). In order to receive the software, we had to sign a non-disclosure agreement. It's that simple: we have a problem. If you want us to solve it, sign the paper. Otherwise, shut up and wait along with everyone else.
As we had business-critical systems that were affected, it's not hard to understand why management did not hesitate to sign the NDA.