Slashdot Mirror


User: Pete+(big-pete)

Pete+(big-pete)'s activity in the archive.

Stories: 0
Comments: 218

Comments · 218

  1. Re: Yes and no... on Equifax CEO Hired a Music Major as the Company's Chief Security Officer · · Score: 1

    Let's continue the obvious - I don't consider that most professional roles have a specific training programme. They are built on experience and appropriate training and professional development as required.

    I would consider CISSP and/or GIAC qualifications as being key indicators for professional development for someone in a CSO role. Of course there can be other qualifications or evidence of professional development - I'm not claiming there is a specific training programme; just as there isn't one for a web developer, call center agent, tester, CIO, or road sweeper.

    -- Pete.

  2. Re: Yes and no... on Equifax CEO Hired a Music Major as the Company's Chief Security Officer · · Score: 2

    You didn't answer the question: what CSO training programs exist out there? None.

    Well I'd start by expecting professional qualifications such as CISSP or at least one or more GIAC certifications...

    Particularly GIAC Security Leadership or GIAC Strategic Planning, Policy, and Leadership.

    -- Pete

  3. Re:Seems to be not quite ready for prime-time on Fourth Ethereum Platform Hacked This Month: Hacker Steals $8.4 Million From Veritaseum Platform (bleepingcomputer.com) · · Score: 3, Informative

    Hmm, I really don't know where to start with the misinformation that you're spreading here...

    The DAO issue was early in the lifetime of Ethereum, and indeed was a "bad contract", ETH was forked due to the scale of the hack and that it was still a new usage of the cryptocurrency. This is the only time that Ethereum forked because of a hack. People are a lot more careful about how contracts are written after this.

    The CoinDash ICO hack was caused by someone hacking the site, and replacing the Ethereum address for the ICO - this is like a hacker hacking into a company site and modifying the bank details for payment - customers paid into the wrong "account". This is not a hack of Ethereum, and nothing to do with the way smart contracts work - it can be done with fiat currency by changing bank details, or any other cryptocurrency (including Bitcoin) by changing the wallet address.

    The Parity wallet hack was a sloppy 3rd party wallet implementation - again, if you use 3rd party software for any financial transactions you need to be really sure that you trust the software - this is also not a hack of Ethereum, it was a hack of a 3rd party wallet implementation - again nothing to do with smart contracts and could have happened for another cryptocurrency wallet (such as a Bitcoin 3rd party wallet).

    The Classic Ether Wallet hack was also a hacker taking control of a 3rd party wallet - the same warnings apply as for the Parity wallet hack - again nothing to do with Ethereum smart contracts.

    The hack under discussion in this article was a hack of Veritaseum - their VERI tokens were stolen, and these were sold for Ethereum - again, nothing to do with any hack on Ethereum, it was just the cryptocurrency that the hackers exchanged for their stolen property. They could have sold VERI for Bitcoin, USD, or cheese and it wouldn't make this a Bitcoin, USD, or cheese issue...just as this is not an Ethereum issue.

    -- Pete.

  4. Incident Manager on Ask Slashdot: What Is Your Horrible IT Boss Story? · · Score: 4, Interesting

    I was working as a Major Incident Manager for a very large consulting company working on a huge government project. The management in the consultancy company were generally terrible, on my first day my colleagues took me out for a drink - they pointed out a bunch of people across the room and mentioned that it was the configuration management team who had all just been fired because management weren't happy with the way the process was going...just as my first example.

    Another time I had someone from second line support come to my desk and point out that some of the monitoring was showing red, I immediately directed one guy to check from an end-user perspective to see the actual impact for users, another guy to pull the logs, and a third to dig deeper into the monitoring - they all scurried away to start assessing the situation. In the meantime I leaned over the partition to my boss who was sat next to me, and mentioned the issue - she stuck her head up like a meerkat, looked around, and said (quoting word for word), "I can't hear any shouting, I can't see people running around, I can't see people panicking, I don't feel this is being managed properly!". She then asked me if I'd informed her boss yet - I told her we were still evaluating the situation (again, apparently unacceptable), so she immediately snatched up her phone and called him saying the monitoring was red and we were in a crisis. Just as she finished her call the guy from the end-user perspective came back to my desk and reported that the issue was completely transparent to end-users. I passed this news to my boss who threw her hands up and said, "But I've called X! Now it's nothing?!". Yes. Quite.

    A third story would be from the time her replacement (she was eventually demoted then fired) pulled me to one side and started screaming and swearing in my face because he didn't feel I was motivating technical staff to fix issues quickly enough because I wasn't in their faces screaming and swearing at them until any issue was fixed (yes - this is exactly what he meant). I'm sure any techies here will be happy to agree that this is not an appropriate motivational technique to get the best from your staff...but there you go.

    I could go on - but instead I'll just summarise to mention that in the 12 months I worked there everyone in my team quit or was fired and replaced twice over except for me and one other guy...when my contract finished I wasn't sad to leave.

    -- Pete.

  5. I see this being great for flex desking on Intel's Compute Card Is a PC That Can Fit In Your Wallet (arstechnica.com) · · Score: 1

    Imagine an office environment where each desk/meeting room includes a monitor/keyboard/mouse for each user where the monitor passes through all connectivity via USB-C. Each user just carries a tiny lightweight computer that is "theirs" with all associated configuration/application/data, plugs it into the USB-C socket and off they go.

    Not so different from having a laptop, except the devices are smaller, lighter, and cheaper - and with a higher quality screen, keyboard, and mouse. Sure you are constrained to work at points where there is a monitor, but in many cases this is a great solution.

    -- Pete.

  6. A few seconds with Google and I found this USB 3.0 to Dual Port Gigabit Ethernet Adapter NIC

    -- Pete.

  7. Re:Expect conservative meltdown. on Google News Introduces Fact Check Feature -- Just In Time For the US Election (thenextweb.com) · · Score: 5, Funny

    black men have longer ... you know, than white men

    Prison sentences?

    -- Pete.

  8. Re:Shit post. on Tesla and Autopilot Supplier Mobileye Split Up After Fatal Crash (usatoday.com) · · Score: 4, Informative

    Where did the speed instruction come from? The driver's foot on the pedal?

    The driver sets the maximum speed when they activate the autopilot, in much the same way as you set the speed when you use cruise control on any other car. Or are you saying speeding isn't the responsibility of any driver if they're using cruise control to break the limit?

    Autopilot will slow down if there is traffic ahead, otherwise it travels at the speed set by the driver.

    -- Pete.

  9. USA really needs to rethink healthcare! on Hearing Aid Business Under Pressure From Consumer Electronics · · Score: 2

    I was interested to read in the article, "Medicare does not pay for them, nor do most insurers".

    How is this even possible? You have overpriced healthcare in the USA, and then even if you have insurance, it won't pay for the treatment you need?!

    Just for those people that think the NHS is a terrible thing, I'll just leave this here - hearing diagnosis, treatment, and aids are free on the NHS in the UK for people that need them...

    -- Pete.

  10. By "social engineering", I take it he's not planning to directly attack the hardware of the phone, which means he's planning to use the only other logical approach to breaking into this phone (and to me the only obvious attack vector open to him or anyone else as long as Apple stand their ground [correctly]).

    Because this phone has a four digit passphrase, this means that the owner of the phone has hit the same four sections of screen at least hundreds, and more likely thousands of times. Maybe it is possible using very delicate and incredibly accurate equipment to detect some sort of impact print on the screen where it has been used in those four spots repeatedly. If it is possible to do this, then you have cut down the number of passwords from 10,000 to 24 different possibilities. From here you need to check everything you know about the phone owner to see if any of those combinations are personally significant in any way - even if the combination is entirely random, you'll still have a 41.5% chance to break the password with 10 attempts...

    Meh - then again I'm not a half-million dollar a year hacker, so what do I know?

    -- Pete.
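The candidate-space reduction described in the comment above, worked through as an added example (this is not the commenter's code, and it is not tied to any real device). It assumes the attacker can tell from the smudge print exactly which keys were pressed and that every smudged key appears at least once in the PIN; the `attempts` budget of 10 and the priority list of "personally significant" PINs are hypothetical inputs. It also generalises past the comment's case: if the print shows only three or two distinct keys (a PIN with a repeated digit), the candidate count is different, and the block computes that too.

```python
from itertools import product
from math import comb

PIN_LENGTH = 4


def pins_using_exactly(digits):
    """Enumerate every PIN of PIN_LENGTH digits that uses each digit in
    `digits` at least once and no other digit (the smudge-print model)."""
    distinct = set(digits)
    return [
        "".join(p)
        for p in product(sorted(distinct), repeat=PIN_LENGTH)
        if set(p) == distinct
    ]


def surjection_count(k, n=PIN_LENGTH):
    """Closed-form cross-check for len(pins_using_exactly(...)) when k distinct
    keys were pressed: number of length-n strings over k symbols that use all
    k symbols (inclusion-exclusion)."""
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def ordered_guesses(candidates, priority=()):
    """Put 'personally significant' candidates first, then the rest, so the
    limited attempt budget is spent on the likeliest PINs."""
    front = [c for c in priority if c in candidates]
    rest = [c for c in candidates if c not in front]
    return front + rest


def success_probability(candidates, attempts):
    """Chance that a PIN drawn uniformly from `candidates` is found within
    `attempts` guesses (the device lockout the comment alludes to)."""
    return min(attempts, len(candidates)) / len(candidates)


def attempts_needed(guesses, pin):
    """1-based position of the real PIN in the guess order, or None if the
    smudge model excluded it (e.g. a key was wiped or never smudged)."""
    return guesses.index(pin) + 1 if pin in guesses else None


if __name__ == "__main__":
    # Constructed scenario: the print shows four distinct worn spots.
    smudged = "2580"
    cands = pins_using_exactly(smudged)
    print(len(cands), "candidates vs", 10 ** PIN_LENGTH, "unconstrained")
    print("P(success in 10 attempts) =", round(success_probability(cands, 10), 3))
    # Hypothetical 'significant' PINs (a birth year, a house number) tried first.
    order = ordered_guesses(cands, priority=["0825", "5280"])
    print("attempts to reach 5280:", attempts_needed(order, "5280"))
    # Fewer distinct smudges means a repeated digit, not a smaller search.
    for k in (3, 2, 1):
        print(k, "distinct keys ->", surjection_count(k), "candidates")
```

With four distinct smudges the enumeration and the closed form both give 24, so 10 attempts cover 10/24 of the space; with three distinct smudges the space is 36, with two it is 14. The `None` return from `attempts_needed` is the failure mode to plan for: if the smudge model is wrong about which keys were pressed, the real PIN is not in the list at all.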

  11. Claus Leth Gregersen on Freeciv Founded 20 Years Ago Today (freeciv.org) · · Score: 1

    I never played FreeCiv, but I knew Claus (virtually) as he was working on it. I was a player (known as "Mort") on AnotherMUD, which was another project Claus worked on.

    Good to bring back memories, although MUDding could have easily cost me my degree... ;)

    -- Pete

  12. It's been available for a while on Amazon To Offer Sneakernet Services: Data Upload By Mail · · Score: 3, Informative

    It's nice they've got an official box and all, but the service to send disks to Amazon has been there for a while (as a beta program).

    Here is a blog post from 2009 explaining the service.

    Of course, a nice official controlled and encrypted box is a far tidier way of doing things!

    -- Pete.

  13. Not the only factor? on Apple's 16GB IPhone 6S Is a Serious Strategic Mistake · · Score: 5, Interesting

    Actually I see another reason to keep the base model at 16GB. App development is crucial to the iPhone (and any other smartphone out there), and many developers don't like to do the extra work to keep their application sizes sane. However, as long as the base model is 16GB, app developers need to keep this in mind when developing their apps.

    If this encourages even only some developers to keep their applications down to a sensible size (knowing that anyone with a 16GB device will either avoid their application, or delete it as soon as they run low on space) then I guess it's worth it.

    I'm not saying the extra money in Apple's pocket isn't a factor, but I'm sure there are other factors at play here, this theory being just one of them.

    -- Pete.

  14. Already done... on SlideN'Joy Extender Adds Up To Two More Screens For a Multi-Monitor Laptop · · Score: 4, Informative

    I was a backer of this project that was pretty much the same:
    Packed Pixels

    Nice screen at 2048 x 1536, but not yet delivered. They just about hit their funding goal of £60,000 on 29th November 2014, and they're now taking pre-orders. It would probably be better to just pre-order one of these than back a whole new Kickstarter - at least these are close to production.

    -- Pete.

  15. Re:Since when? on Controversial GCHQ Unit Engaged In Domestic Law Enforcement, Online Propaganda · · Score: 1

    As long as people like you exist, and they always will, it goes to show why we should never trust the government to have these sorts of capabilities.

    Snoop on property within the UK .. fucks sakes, you realize we're talking about people here right. Nah, best to call it property and further distance yourself from what this really means.

    Shame on you.

    You appear to be mistaking someone who is stating the facts of the situation for someone who agrees with the situation.

    Laws should be written simply, cleanly, and transparently, and the security forces of a nation should be working for the greater good of the nation rather than against the native citizens of that nation.

    As an aside, I have spent most of my working life working (both as an employee, and as a contractor) with a company that is alleged to have been a direct target of GCHQ.

    -- Pete.

  16. Re:Since when? on Controversial GCHQ Unit Engaged In Domestic Law Enforcement, Online Propaganda · · Score: 0

    No. CSE, NSA, GCHQ, NZ/AUS's agencies, all of 'em have explicit laws preventing them from operating internally.

    From the Intelligence Services Act 1994 you will see that GCHQ's powers are quite well defined.

    This involves giving advice and assistance "to any other organisation which is determined for the purposes of this section" - which includes MI5 (Security Service) as they are a member of the Intelligence and Security Committee. And the constraints are:

    The functions referred to in subsection (1)(a) above shall be exercisable only—

    (a)in the interests of national security, with particular reference to the defence and foreign policies of Her Majesty’s Government in the United Kingdom; or

    (b)in the interests of the economic well-being of the United Kingdom in relation to the actions or intentions of persons outside the British Islands; or

    (c)in support of the prevention or detection of serious crime.

    Although their powers to activate a warrant under section 3(2)(c) may not relate to property in the British Islands, that doesn't mean that they cannot work with, and provide assistance to the Security Service (MI5) under section 3(2)(a). Do note that only 3(2)(c) [and 1(2)(c), which is identical except in reference to SIS instead of GCHQ] is excluded for GCHQ to use as justification for a warrant to snoop on property within the UK.

    Just because people don't like the idea or that they find it unpalatable, that doesn't make it less true.

    -- Pete.

  17. The OP states that GCHQ is, "purported by officials to be focused on foreign intelligence and counterterrorism". Since when?

    My understanding has always been that there are 3 main "legs" to British Intelligence:

    • MI5 for internal security within the country
    • SIS (aka MI6) for international security outside the country
    • GCHQ for providing communication intelligence and security towards both of the above, and for advice on protecting key national infrastructure (via CESG)

    In this context, GCHQ should have always been providing internal communications intelligence for MI5, I'm not sure why this should be news to anyone?

    -- Pete.

  18. Damn, I trusted them on nmap Maintainer Warns He Doesn't Control nmap SourceForge Mirror · · Score: 5, Insightful

    Sourceforge was always my go-to place for trusted original non-screwed files, and now I check the list of projects owned by sf-editor1, 2, and 3 and I see a lot of projects that I have used in the past.

    Sometimes (particularly for older projects) it is very difficult to find a home-page or source that I can trust...and now it just became a lot harder.

    -- Pete.

  19. Re:Negotiating when desperate on Ask Slashdot: What Do You Wish You'd Known Starting Your First "Real" Job? · · Score: 1

    Some years ago when I was between contracts as a freelance contractor, I had an agent call me about a job that sounded interesting in a location that was a little more than inconvenient. He offered me a position dead on my field of excellence, and piqued my interest...until the rate came in. He was offering between 1/3 and 1/2 of my typical daily rate, I think I practically laughed in his face. From there he resorted to pleading that I accept something close to the rate, and that I'd "be doing them a huge favour" if I could work at that rate. I think maybe he misunderstood why I work, and how "doing people a favour" who I have never met, is not exactly high on my list of motivations.

    I think he also tried the, "but this is better than you receive with no contract at all" line...that went down just as badly for him.

    Some people will do anything just to try and find expertise on the cheap, and if you have the skills, it is your imperative to know what those skills are worth.

    -- Pete.

  20. Re:Nethack needs an upgrade on NetHack: Still One of the Greatest Games Ever Written · · Score: 1

    A more serious issue with multi-player would be handling the "turn based" nature of the game...how do you decide when the game "ticks"? And if it's not turn based, then it's really not nethack any more...

    -- Pete.

  21. Re:Simple on Apple Outrages Users By Automatically Installing U2's Album On Their Devices · · Score: 4, Interesting

    All those fucking cards and coupons in my inventory and no option to just delete them

    Sell the cards (they'll typically only get you a few cents, but it adds up and it gets them out of your account), trade the coupons with your friends for coupons that actually interest you (a friend had a 90% off coupon for a game this weekend that semi-interested me). The coupon gave me a game for 70 cents, and my card sales paid for that.

    -- Pete.

  22. Re:As a Change Manager... on Ask Slashdot: System Administrator Vs Change Advisory Board · · Score: 1

    What matters? The data.

    Sure - and we take our data very seriously - really, I doubt we'd last long as a telco if we didn't. But the underlying fact is that the data needs systems, your data sits in databases, that in turn reside on servers - hopefully virtual servers that can be moved around to minimise downtime and impact, but still systems at the end of the day.

    The new way of thinking is certainly going to be more data orientated in the future, and for sure, there are still a lot of improvements to be done, but there is certainly no lack of focus in that area of the business already - in fact any company that has a data warehousing team to take care of the long term broad reporting needs of the business is already well aware of the importance of data.

    In the future there'll be more focus on data (security) protection in the world of IT - we're already mostly past the days where people are only just starting to think about the implications of data loss and data mining for information though. There is a lot of work that can be done in controlling data access, and ensuring that all data has the appropriate levels of protection, and that it is managed in the correct way, I agree with you 100% there.

    -- Pete.

  23. As a Change Manager... on Ask Slashdot: System Administrator Vs Change Advisory Board · · Score: 5, Insightful

    I work in Change Management for a major telco, I chair the IT CAB, and I oversee server and client patching (amongst many other changes!). When we patch clients, we are patching up to around 30,000 real and virtual desktops - when we patch servers, they also number in the thousands.

    There is no way we would allow a sysadmin to patch anything at any time without some level of oversight, an individual admin has no oversight on other patches, hardware interventions, application releases, network upgrades, business campaigns, etc. that may be happening on our environment at any given moment (this isn't their job to be keeping track of all of that info). For server and client patching the process is as light as possible, but we still maintain a close oversight.

    On the Wednesday following the second Tuesday of each month (for example), I sit down with the Windows server guys and the Windows client guys, and we review their proposals to patch - usually we have a fairly rapid timescale that we can meet to ensure that the patches are deployed (including pilot testing, etc to catch any issues before everyone's desktop is broken!), sometimes there are other major interventions that overlap, and then we need to make prioritisation decisions and decide which has priority. We have made similar agreements with the Linux teams, where they have a special process to patch, and we have close oversight on Unix patches, as upgrading these servers with a reboot can be a very big deal.

    The last thing you want is an application version release of a critical ordering application happening at the same time as a system software patch, and then to have an issue afterwards - is it the application version, is it the systems patch, was there some conflict with the activities being performed at the same time? Troubleshooting gets more difficult, teams point fingers at each other, and the whole time the business is screaming blue murder.

    Of course in an Incident situation there is more flexibility to get things fixed fast, and with security issues I am keen to break open the S-CAB process to expedite a rapid approval flow to ensure that security holes are fixed as fast as possible - of course most changes are encouraged to follow the rules though, the change calendar is published, and everyone knows when the "standard" slots for deployment are, and if most people manage to schedule their changes within those windows, then it minimises potential conflict for everyone.

    Change management are not your enemy, they are your friend - once you register your change with them, they have your back, they will guard you from other interventions clashing with you, will stop you from inadvertently upsetting the business, and will decrease change related Incidents. However, with great power comes great responsibility, and Change Management need to find the right process for the right type of change - we cannot have a full in depth investigation into every configuration change, every patch, every bug-fix, every new server to be provisioned. A good Change Management team will guide changes to the appropriate flow, and grease the wheels for certain types of interventions - it seems that the CAB mentioned in the summary are still finding their feet a little, and I am sure they will evolve over time as they start to understand which changes are high risk, and which can be allowed to pass with a lighter touch.

    -- Pete.

  24. Re:It is payday on Ask Slashdot: What Games Are You Playing? · · Score: 1

    Dungeon Keeper, which GOG.com gave away free the other day

    Don't remind me - I paid $5.99 to GOG for Dungeon Keeper Gold just five days before they announced the deal...argh.

    -- Pete.

  25. Re:Kindle DX on Ask Slashdot: E-ink Reader For Academic Papers? · · Score: 1

    The Kindle DX is still available (and hugely discounted) - just a bit hidden, and not pushed at all by Amazon. I bought one last year for PDF reading.

    You can find it here: http://www.amazon.com/Kindle-DX-Wireless-Reader-3G-Global/dp/B002GYWHSQ

    -- Pete