> I assume you don't have kids. Or work in security, for that matter.
So you have lots of kids and work in security and it didn't occur to you that it would be easier and more effective to just take the kid's laptop and lock it up somewhere?
> that's all he needs
No it is not. You have contradicted yourself in your post. You have described a solution which is flawed from the beginning. Then you described that flaw (the kid could just change his IP to the grandparents' machine or even the MAC if you went for MAC-based filtering). So you have basically posted a solution that is not a solution at all if you wish to make things work without beating the child.
In my opinion you are making this issue more complicated than it really is. You really don't need site-to-site VPNs and custom routing to accomplish your goals.
If I understand you correctly your goals are:
1) To have remote access to machines (Linux, Windows, others) in a few remote networks.
Just set up a VPN server in each of these remote networks. OpenVPN is probably a good way to go. It would run on any Linux machine, Windows machine (if you dare), even on some routers (e.g. DD-WRT compatible). If these networks are behind dynamic IPs you will also need some kind of dynamic DNS service.
Having a VPN server running in all locations you just log in to it and access whatever machine in that network remotely. For Windows machines DameWare is probably not a bad idea. It is commercial software but you only need to pay for one license - the license is for an operator (you), not for client machines. You could also use VNC - why not? For Linux machines SSH is a no-brainer. And other devices (like printers, networking gear, etc.) probably have an HTTP interface anyway.
Also you wrote: "me being able to log in and apply patches and security updates without requiring someone on the other end sending me Desktop Sharing invites". Well are you aware that you DO NOT need to log in to Windows systems to apply patches and security updates? It just happens automatically. Just turn on Windows Update.
And since it looks like you are required to take 4hr trips to fix your parents' computers that makes you basically their administrator - DO NOT give them administrator rights on their machines. Set them up with a quite secure configuration - no admin rights, antivirus software running and set to automatic, backup running and set to automatic, updates running and set to automatic. If you do so I hardly see a need to physically access their machines (modulo hardware failures).
2) You have described your second goal in such a convoluted way with buts/ifs and so on that I need to cite this mess: "I'd also like some way to be able to monitor/control my son's online activities while he's away (hence my desire to route at least his traffic, if not all Location B internet traffic, through Location A). Also note: I'm not a helicopter parent by any means and only monitor once in a while to get a general idea of what his online trend is; and the extent of "control" is if grandpa and grandma say he needs time off the computer for x days for bad behavior or whatever, I want to be able to enforce that rule where he won't be able to sneak around while they're in bed. This connection will not have any firewalling or blocking enabled by default.".
So basically you want to:
* monitor your son's network usage
* enforce policies on your son (like no Internet after eight since you were bad)
* enforce password usage (or another form of authentication) on your users since you don't want to allow your son to use his grandpa's computers while they are not around physically guarding the machines
Well, what you basically wish for is a corporate-like network with authentication to local systems and to network usage. It can't be done without enterprise-class systems - you will need an Internet access proxy/gateway for accounting and enforcing access policies for the network, a user directory to enforce password usage and restrict access to certain machines for certain users (namely your son), a network access protection system (and network hardware supporting it) so your son can't just use his Linux machine to access the network however he likes.
That means that you are contradicting yourself by saying that you don't want to have any firewall or blocking - you do.
How you are claiming that you have any training in network administration is beyond my understanding.
> Don't listen to the amateurs. Block by default, require business justification
So your boss emails you and asks you to implement a policy (read the post) - in my opinion it is business-justified enough, at least it is his (the boss's) responsibility. Just doing your job is not amateur in my opinion. If it is extremely stupid you should go on and warn him but nevertheless don't object and do your job.
> and offer a risk assessment for all exception requests,
This is fair - given the boss's request you reply - OK I'll do that but it introduces certain risks. Right on it while you review the risk assessment. Amateur enough?
> monitor and report suspicious activity.
This is obvious - it does not hold you from doing your job (what your boss expects you to do).
> Don't trust your internal users.
What does it mean?
> Segment wherever possible. Plan for failure. Exercise recovery plans. Due diligence.
Yes.
> It is the Company's network connection, block whatever you like.
If you are the owner of course.
> But, and this is important, have an easy mechanism where a user can submit an url,
Browser's address bar easy enough?
> an admin can verify it is a legitimate business related site, and have the site whitelisted immediately. That way you can block "Big Butt Russian Teens" or whatever, but when the SmartFilter(tm) randomly decides that Fairchildsemi.com contains "adult content, sports, gambling and lotteries" (happened to me) the legit business use is not impeded.
Oh great. So now an admin administering e.g. a 5k-user network should also babysit them? :)
Consider that your company relies heavily on email usage. It is probably a more important service than the web - you could function without web browsing I guess... but without email service - you can all go home for what I guess. Email works similarly to the web - there are emails sent back and forth, emails are interpreted in a client, emails can contain files (like downloads) etc. Now I don't see you arguing that you should have an admin looking at and verifying every email sent to your users, right? That would be extremely stupid and retarded, right? Well, you are suggesting exactly the same stupid and retarded method for the web. Just use email scanning technologies for your email like you would use web scanning technologies for your web. Don't be retarded.
> If you want to allow open downloading, provide a restricted AV protected share to retrieve downloaded files, if you do not want to allow open downloading,
You DO realise that AV usually fails?
> provide one anyways but require an IT person to review it manually.
OK so from now on, apart from your usual duties as an IT administrator (I like them), you also need to review files downloaded by 1000 users. Expect calls urging you to review downloaded files. Expect angry people. And how will you review these files anyway? What if these files to be reviewed are sensitive data (like medical, financial) that are not for IT eyes? Doesn't scale well, does it? Legal problems, no?
> Reimage nightly if paranoid.
Why nightly? Why not every 17 minutes? Why not spawn a new image on every access - certainly possible.
While I agree on your view about access policy one thing struck me:
> They can as well pierce your firewall with personal VPN services, they are very cheap nowadays.
In a network structured properly (routers, then IPS/security appliances, then filtering proxy) how could users pierce that with VPN services? If users can pierce your "firewall" (meaning just outbound Internet access) with cheap VPNs, do you mean malware could just as easily transfer data out of your network? Something is wrong with what you are stating.
Why are you blocking access to anything? As an IT administrator it is _not_your_job_ to block anything for users and otherwise disturb them while using your network. Your job as an IT administrator is to allow your users to do their job without any unnecessary obstacles. Also keep in mind that usually (if you are not an IT service company) the users do their jobs so the company earns for your salary - business-wise - you don't earn shit, they do.
So with that in mind the structure of Internet access policy should be as follows.
- access to harmful websites is blocked by default (like malware, phishing, hacking) - this is a no-brainer and you shouldn't give anybody access to such sites - block it by default as you are protecting your company's assets (which IS your job)
- access to potentially harmful websites is blocked by default (like sites that pose no technical threat but otherwise are not legal - child pornography, hate speech, drugs and so on) - users interfacing with such sites could pose image damage for your company - which is also an asset - which you need to protect (as it IS your job)
- access to certainly non-work-related websites (pornography, gambling) - I would probably block it by default, I don't see any reason to allow it and also I don't see anybody going to argue with you that he needs access to pornography (unless he is doing research on that)
- other websites like time-wasting social media, gaming, news, etc. - basically everything else - it is NOT YOUR JOB to put such policies in place without a request from your management (probably coming from HR)
- other policies like time/role based - also NOT YOUR JOB - this is HR
- it IS YOUR JOB to keep your users' actions accountable - so it is to log all their Internet access so if needed (e.g. an incident) you can present it to management - also when you are logging Internet access, in most jurisdictions it is safest to inform your users about it (on paper, and let them sign that they accept the policy)
So given these rules you certainly need some kind of policy-enforcing technology at your Internet access gateway. Probably a proxy with filtering and a security appliance.
Of course you should assist your HR staff with suggestions on what can and can't be done with your systems/budget restraints and so on. You should implement the policies as HR or your boss tells you. You just don't want to decide on that matter - it is NOT YOUR JOB.
If you are an engineer in a service-providing company your certification level is essential for the HR of this company. Be it Cisco, Microsoft, Oracle, IBM, Citrix, VMware or whatever - the company providing services (like implementation) usually needs to have certified employees to reach a certain partner level (like Gold, Platinum and what-the-fuck-they-had-invented-recently). It is just a business for these companies to sell certifications for their products.
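The policy structure described above, as an added example that is not part of the original comments: IT owns the "block by default" categories and the accountability log, while only HR-supplied rules (the constructed `HrRule` type) can block anything else. The hostnames, categories, users and HR rule are constructed sample data, not a real category feed.

```python
"""
Internet-access policy checker shaped like the comment's structure:
  1. IT blocks by default: technical threats, illegal content, clearly non-work sites.
  2. Everything else is allowed unless HR/management handed IT an explicit rule.
  3. Every decision is logged so an incident can be reconstructed later.
All category data and rules below are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# Categories IT blocks on its own authority, with the justification it would give.
IT_DEFAULT_BLOCK = {
    "malware": "technical threat",
    "phishing": "technical threat",
    "hacking": "technical threat",
    "illegal": "illegal content / reputational damage",
    "adult": "non work related",
    "gambling": "non work related",
}

# Constructed hostname -> category table standing in for a filtering proxy's feed.
SAMPLE_CATEGORIES = {
    "dropper.example": "malware",
    "verify-login.example": "phishing",
    "casino.example": "gambling",
    "social.example": "social",
    "news.example": "news",
    "vendor.example": "business",
}


@dataclass(frozen=True)
class HrRule:
    """A rule handed to IT by HR/management; IT enforces it but did not decide it."""
    category: str
    roles: FrozenSet[str]   # roles it applies to; empty set means everyone
    start_hour: int         # inclusive, 0-23
    end_hour: int           # exclusive, 1-24

    def applies(self, role: str, hour: int) -> bool:
        in_role = not self.roles or role in self.roles
        return in_role and self.start_hour <= hour < self.end_hour


@dataclass(frozen=True)
class Decision:
    user: str
    role: str
    host: str
    category: str
    allowed: bool
    reason: str


def categorize(host: str) -> str:
    """Look the host up in the category feed; unknown hosts are 'uncategorized'."""
    return SAMPLE_CATEGORIES.get(host.lower(), "uncategorized")


def decide(user: str, role: str, host: str, hour: int,
           hr_rules: List[HrRule]) -> Decision:
    category = categorize(host)
    # 1. IT's own defaults: harmful and clearly non-work categories.
    if category in IT_DEFAULT_BLOCK:
        return Decision(user, role, host, category, False,
                        "IT default: " + IT_DEFAULT_BLOCK[category])
    # 2. Policies IT did not decide: only an HR rule can block the rest.
    for rule in hr_rules:
        if rule.category == category and rule.applies(role, hour):
            return Decision(user, role, host, category, False,
                            f"HR rule: {category} blocked for {role} "
                            f"{rule.start_hour:02d}-{rule.end_hour:02d}h")
    # 3. Everything else is allowed; blocking it is not IT's call.
    return Decision(user, role, host, category, True, "allowed by default")


def log_line(d: Decision, timestamp: str) -> str:
    """One accountability-log line per request (the 'it IS your job' part)."""
    verdict = "ALLOW" if d.allowed else "BLOCK"
    return (f"{timestamp} user={d.user} role={d.role} host={d.host} "
            f"category={d.category} verdict={verdict} reason=\"{d.reason}\"")


# Constructed HR rule: no social media for sales staff between 09:00 and 17:00.
SAMPLE_HR_RULES = [HrRule("social", frozenset({"sales"}), 9, 17)]


def run_sample() -> List[str]:
    """Evaluate a few constructed requests and return their log lines."""
    requests = [
        ("alice", "sales", "vendor.example", 10),
        ("alice", "sales", "social.example", 10),
        ("alice", "sales", "social.example", 19),
        ("bob", "engineering", "social.example", 10),
        ("bob", "engineering", "dropper.example", 10),
        ("carol", "finance", "casino.example", 12),
    ]
    # Constructed timestamps: the hour of the request on a sample date.
    return [log_line(decide(u, r, h, hr, SAMPLE_HR_RULES), f"2024-01-15T{hr:02d}:00:00")
            for (u, r, h, hr) in requests]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```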
Is it important to have certifications? Well just look at the policies FOR EMPLOYERS that the vendors in your area of interest are providing.
Solidarity. Yes. I love and upvoted your comment. I live in Poland which by Greek standards is kind of poor. I see poor people every day, I also face hard-working people daily. The ones which build up the economy on which Greece can now bargain for details - please also think about us who lend you the money. We are a community.
So are you contradicting me or what? What I meant is that I like Greeks - and we (Polish people) can party with them all night long. Well, we tend to get a bit more drunk in the process but I blame the climate for that. Whatever man. :)
> So you're proud to be paying taxes spent in the wrong way? Congratulations on being part of the problem.
Yeah, I love people who tend to bend words to their liking. I KNOW that in my country I guess about 20% of the taxes that I pay are spent wrong. But the other 80% are spent on pensions for elderly people (it is called the generational agreement), on my FREE health care, on the roads I use, on the police and firemen that keep me safe, on FREE education and so on. In general the notion of taxes is OK with me. So congratulations on not getting the facts right. Go on and invent some kind of larger society without the need to contribute to it. Please go on. Teach me.
I don't quite understand what they are cheering about. They have put themselves into this situation and really there is no good outcome now for them. They take the EU conditions and further tighten expenses (drastically) or leave the eurozone and stay between Turkey, Russia and the EU. Also in the second choice (leaving the EU) they go back to the Drachma and face a weeks-long deep crisis and then 5-10 years of economic recession. Really no reason to cheer in my opinion.
And for the record - I love Greece as a tourist. I've been there many times but I also recall that they have a culture of not paying taxes which in my opinion is stupid and unpatriotic. Mind you - I am Polish and here also people HATE to pay taxes - they know that their taxes are usually being spent in wrong ways, the taxes fuel a caste of mindless clerks etc. but nevertheless Polish people DO PAY taxes like VAT and income.
From what I know of the Greeks as a tourist, I know that they had a culture of mass tax avoidance - e.g. in the late 90s I was on holiday in Greece and the common practice was to use a credit card for payment - the best bargaining method. You just go to a shop, pick some wares and say you'll pay with a credit card - immediately they dropped the price to the minimum and begged you to pay in cash (since using a credit card would produce a paper trail and taxing). And it was extremely common. Also in restaurants - go, eat and then wave a credit card - the payment would drop from e.g. 2200 drachmas to 1000 (!!!) with a promise of a further discount the next day. Really. Not to mention thousands of unfinished houses used as finished houses (another reason for not paying taxes).
I have nothing against the Greeks - I like them - they are kind, warm and similar to Slavic people. But they need to learn that paying taxes is what makes your country function. They need to learn that if they are in some international community they can't lie about their finances to get credit. And so on.
> The way a drone strike works is a drone loiters on station for weeks on end. During this time the drone's pilots figure out who is in the house when [...] the Girl Scouts [...] teenage daughter has a boyfriend who sneaks in [...] civilian population [...]
Seriously? Do you believe this? It looks like some soap opera TV drama applied to military actions. I don't think it works like that. For what I see nobody cares about the civilians unless it would be a publicity stunt. For what I see the drone killing policy is just plain chaos fueled by special forces intel - and the chain of command - general: the target is in the building - just blow it the fuck up and we have a success, then the order goes down and further down and then it is the sole drone pilot who is given an order to blow something up - but he has objections, maybe the said hypothetical boyfriend is right now banging, but he has orders - what to do? Run it up the chain of command to the general who has his orders from the intel? Are you joking? Etc.
What you have written would be true if secret intel operations were flawless but for what we know it is just chaotic bullshit. Man, the USA invaded another country based on wrong/misleading political interpretations of wrong intel (I am writing about Iraq and the Bush administration) and also the USA is a big mess of Xteen top secret organisations/agencies employing about a million people with access to top secret information...
In general this whole machine powers decisions to use drone killing. Paranoia I would say.
I don't know how you function in what I presume is the USA but here in Poland in small to mid-sized companies nobody would even consider buying a general purpose office printer without knowing that there are cheap substitute toners available for that model. I work in a small company and we only buy printers for which we can get cheap toners. And the price difference is like 1/2 (!). Right now we go only with Lexmark and annually we do market research to find the cheapest company to supply us with substitute toners. Once we have a contract with such a company they are more than willing to take old toner cases from us. And they also do all the paperwork for us to give us receipts for old toner recovery since it is required by law to have such. I don't know anybody who was audited about this but it is illegal here to just dump e-waste in the trash - you ought to have a receipt for every piece of electronics/e-waste you dispose of (and also you need it for fiscal reasons).
So I am a bit shocked reading about your toner accumulation policy and your urge to throw them away into trash.:)
You are perfectly OK to choose Uber whenever you like and it is available for you but the rest of your post is just invalid.
> Sure, like you said, there are nice taxis there in Poland regulated by the government. And then there are all the other scammers around.
And what makes you think that Uber are not scammers? What real jurisdiction does Uber have over transport in Poland?
> Now, me as a tourist, I land at Krakow airport and I have no clue which is which and I may as well end up in a shitty dirty unregulated cab paying 5x the fare
Well, I don't know the airport in Kraków but Warsaw airport has like five accepted taxi companies which can pick you up straight from the terminal. Other ones (if you order them) can drive to further pickup lanes at the airport. So it is really no longer a problem with scammer taxis at airports in Poland (it used to be). The same goes for major railway stations. You can safely pick the ones recommended by the airports - they are not the cheapest (in the 2,4z per kilometer range) but they are safe.
> call a Uber driver and be sure to arrive at my destination in an accountable transport that charges me the minimum fare possible for that trip.
I'm posting this from Warsaw, Poland. The taxi business here is OK I guess as a client - there are just loads of taxis everywhere, you can call your favourite and it will come in 10 minutes - always. And it is great. Local regulations require that a TAXI, to be called TAXI, has to have a license - the fare with these guys is regularly between 2,60-1,50 (per kilometer + "shutting door" fare). There are also "people transfer" services which are like TAXI but are not formally that but private lines - they can't have a TAXI sign on the car but would use something like TAKSI and so on. Also there is a law that anybody who can transport 7 people (large vans with seating in the back) can operate as a private transporter. Also you have the thing called "Night Drivers" and it is like a person transfer (legally) but usually somebody with a really fancy car shows up and drives you - and then gives you their card so you call them more often.
This is a mess I guess but if you know the differences you can pick the best way for you (which in my case is registered cheapest TAXI - since they can use exclusive lanes for them).
And there also was a case in Kraków in which the city forbade non-registered taxis - so they operated as psychological services (sic! - you drive, you get advice). Etc.
Nevertheless I love taxi-and similar services in my city (Warsaw) - I can order whatever the fuck I want.:) TAXI, private transfer, Uber etc. - and get home....
So in my opinion Uber has no chance here (with their 1/4 provision going just for using the app - fuck you Uber - clients PAY for that) since you can get cheap rides anyway... Uber is only strong where old-school style city-regulated TAXIs are strong.
Except it is not a niche. Personally I haven't used a desktop/workstation computer for like 5 years. And also it has been like 5 years (or more) since notebook shipments exceeded desktops/workstations. Of course in sane IT deployments the loss of a client computer should not be a problem but still there could be sensitive data there. Even system-level stuff like password hashes and so on. Maybe it is rare but security breaches usually involve the weakest link - and be it that if stealing a notebook is easier than breaking into your network then attackers would go and steal that laptop.
> except laptops get hacked just like desktops way more often than they get stolen and offlined
True. Probably spear-phishing or something like that would be easier than physically stealing a notebook. But stealing is still possible so you should also protect that attack vector.
It's funny that IIRC the guy behind SilkRoad was captured using his laptop. The FBI tracked him and waited for an opportunity to seize his notebook without the possibility of him shutting it down (as it was encrypted). The lesson here is maybe to have some low-range personal device like a Bluetooth LE smartband that makes the computer shut down when you are not close to it (like very close). And also don't tell anybody about it. ;)
Oh and for the Silkroad guy it would be wiser to operate from a country in which FBI has no jurisdiction...;)
I don't know why you are hostile? :) If you could describe a situation in which allowing divide by zero would be deadly. I don't disagree with you - I AGREE - YOU DON'T DIVIDE BY ZERO - BASIC MATH. But also I wonder how one can explain this to another by example of how it could be deadly (an airplane example, a nuclear power plant maybe)?
> so a vulnerability in one process cannot give you access to the content of the other
Unless it is a kernel vulnerability in LXC that allows you to escape the container.
But you are right about POSIX.
IMO containers are not about security - if you wanted security you would go with designs that were built with it in mind from hardware to software.
Containers and microservice architecture allow faster and better managed deployments of services at large distributed scale (aka the cloud) and this is the main selling point.
> I'm not a PS4 (or any other console) fanboy, but I read this and can't help wonder: Is there anything that stops a user from replacing the hard drive in a PS4 with a larger drive themselves (wonky interfaces? self destruct when opened cases? magic formatting of the drive that can't readily be duplicated?)? Is it a typical 3.5 inch drive or a smaller drive?
It is no problem to replace the PS4 disk. You just get a compatible drive (in size - 2,5", max 9,5mm tall, similar performance - nothing fancy, you can even pop in an SSD), open the console, pop in the new drive, download and install the OS from a USB flash drive and it is done. There are plenty of guides on the Internet if you Google it. You can also buy an accessory which adds 500GB of storage to the PS4.
Also you wouldn't be buying an entire new PS4 system if you were short on storage. So this is not the case here.
So really this is not big news. I don't quite get why they haven't launched with a bigger drive but it is just normal that they release a new hardware revision later after launch and address problems (like limited storage) - it is for people who _do_not_own_PS4_yet_.
As I know from my job experience, large scale IT deployments inside their WAN networks can filter whatever the fuck they want. Sudden appearance of ADP as an enterprise-deployable package - who the fuck cares? We are right now black/white listing all the stuff we need. Who needs to introduce something like ADP that probably can mess with loads of internal services and needs to be tested if you could just not use it? If a user has a problem with advertisements he/she is probably far away from what he/she should be doing on their workstation.
So in a hardware VPN device the VPN-related stuff is being done in their ROM or maybe there are physical gears doing the VPN stuff...?
In my opinion you are making this issue more complicated than it really is. You really don't need site-to-site VPNs and custom routing to accomplish your goals.
If I understand you correctly your goals are:
1) To have remote access to machines (Linux, Windows, others) in few remote networks.
Just set up VPN server in each of these remote networks. OpenVPN is probably a good way to go. It would run on any Linux machine, Windows machine (if you dare), even on some routers (f.e. DD-WRT compatible). If these networks are behind dynamic IPs you will also need somekind of dynamic DNS service.
Having VPN server running in all locations you just login to it and access whatever machine in that network remotely. For Windows machines DameWare is probably not a bad idea. It is commercial software but you only need to pay for one license - the license is for an operator (you), not for client machines. You could also use VNC - why not? For Linux machines SSH is a no brainer. And other devices (like printers, networking gear, etc.) probably have HTTP interface anyway.
Also you wrote: "me being able to log in and apply patches and security updates without requiring someone on the other end sending me Desktop Sharing invites". Well are you aware that you DO NOT need to log in to Windows systems to apply patches and security updates? It just happens automatically. Just turn on Windows Update.
And since it looks like you are required to take 4hr trips to fix your parents computers that makes you basically their administrator - DO NOT give them administrator rights on their machines. Set them up with quite secure configuration - no admin rights, antivirus software running and set to automatic, backup running and set to automatic, updates running and set to automatic. If you do so I hardly see a need to physicaly access their machines (modulo hardware failures).
2) You have described your second goal in such convulted way with buts/ifs and so on that I need to cite this mess: "I'd also like some way to be able to monitor/control my son's online activities while he's away (hence my desire to route at least his traffic, if not all Location B internet traffic, through Location A). Also note: I'm not a helicopter parent by any means and only monitor once in a while to get a general idea of what his online trend is; and the extent of "control" is if grandpa and grandma say he needs time off the computer for x days for bad behavior or whatever, I want to be able to enforce that rule where he won't be able to sneak around while they're in bed. This connection will not have any firewalling or blocking enabled by default.".
So basically you want to:
* monitor your sons network usage
* enforce policies on your son (like no Internet after eight since you were bad)
* enforce password usage (or other form of authentication) on your users since you don't want to allow your son to use their grandpas computers while they are not around physically guarding the machines
Well what you basically wish for is corporate-like network with authentication to local systems and to network usage. It can't be done without enterprise class systems - you will need an internet access proxy/gateway for accounting and enforicing access policies for network, user directory to enforce password usage and restrict access to certain machines for certain users (namely your son), network access protection system (and network hardware supporting it) so your son can't just use his Linux machine to access network however he likes.
That means that you are contradictiong yourself by saying that you dont want to have any firewall or blocking - you do.
How you are claiming that you have any training in network administration is beyond my understanding.
> Don't listen to the amateurs. Block by default, require business justification
So your boss emals you and asks you to implement a policy (read the post) - in my opinion it is business justifiend enough, at least his (boss) responsibility. Just doing your job is not amateur in my opinion. If it is extremely stupid you should go on and warn him but nevertheless don't object and do your job.
> and offer a risk assessment for all exception requests,
This is fair - given boss request you reply - OK I'll do that but it introduces certain risks. Right on it while you review the risk assesment. Amateur enough?
> monitor and report suspicious activity.
This is obvious - it does not hold you from doing your job (what your boss expects you to do).
> Don't trust your internal users.
What does it mean?
> Segment wherever possible. Plan for failure. Exercise recovery plans. Due diligence.
Yes.
> It is the Company's network connection, block whatever you like.
If you are the owner of course.
> But, and this is important, have an easy mechanism where a user
> can submit an url,
Browsers adress bar easy enough?
> an admin can verify it is a legitimate business related site, and have the
> site whitelisted immediately. That way you can block "Big Butt Russian
> Teens" or whatever, but when the SmartFilter(tm) randomly decides
> that Fairchildsemi.com contains "adult content, sports, gambling and
> lotteries" (happened to me) the legit business use is not impeded.
Oh great. So now an admin administering f.e. 5k users network should also babysit them? :)
Consider that your company relies heavly on email usage. It is probably more important service than web - you could function without web browsing I guess... but without email service - you can all go home for what I guess. Email works similar to web - there are emails sent back and forth, emails are interpreted in client, emails can contain files (like downloads) etc. Now I don't see you arguing that you should have an admin looking and verifing every email sent to your user right? That would be extremely stupid and retarded right? Well you are sugesting exactly same stupid and retarded method for the web. Just use email scanning technologies for your email like you would use web scanning technologies for your web. Don't be retarded.
> If you want to allow open downloading, provide a restricted AV protected share
> to retrieve downloaded files, if you do not want to allow open downloading,
You DO realise that AV usually fails?
> provide one anyways but require an IT person to review it manually.
OK so from now on exept from your usuall duties as an IT administrator (I like them) now you also need to review files downloaded by 1000 users. Expect calls when urging you to review downloaded files. Expect angry people. And how you will review these files anyway? What if these files to be review are sensitive data (like medical, financial) that are not for IT eyes? Does not scale well isn't it? Legal problems no?
> Reimage nightly if paranoid.
Why nightly? Why not every 17 minutes? Why not spawn new image on every access - certainly possible.
While I agree on your view about access policy one thing struck me:
> They can as well pierce your firewall with personal VPN services, they are very cheap nowadays.
In a network structured properly (routers than IPS/security appliaces than filtering proxy) how could users pierce that with VPN services? If users can pierce your "firewall" (meaning just oubound Internet access) with cheap VPNs that you mean malware could just as easy transfer data out of your network? Something is wrong with what you are stating.
Why are you blocking access to anything? As an IT administrator it is _not_your_job_ to block anything for users or otherwise disturb them while using your network. Your job as an IT administrator is to allow your users to do their job without any unnecessary obstacles. Also keep in mind that usually (if you are not an IT service company) the users do their jobs so the company earns your salary - business-wise - you don't earn shit, they do.
So with that in mind the structure of the Internet access policy should be as follows.
- access to harmful websites is blocked by default (like malware, phishing, hacking) - this is a no-brainer and you shouldn't give anybody access to such sites - block it by default as you are protecting your company's assets (which IS your job)
- access to potentially harmful websites is blocked by default (like sites that pose no technical threat but otherwise are not legal - child pornography, hate speech, drugs and so on) - users interfacing with such sites could pose image damage for your company - which is also an asset - which you need to protect (as it IS your job)
- access to certainly non work related websites (pornography, gambling) - I would probably block it by default, I don't see any reason to allow it and also I don't see anybody going to argue with you that he needs access to pornography (unless he is doing research on that)
- other websites like time wasting social media, gaming, news, etc. - basically everything else - it is NOT YOUR JOB to put such policies in place without a request from your management (probably coming from HR)
- other policies like time/role based - also NOT YOUR JOB - this is HR
- it IS YOUR JOB to keep your users' actions accountable - so it is to log all their Internet access so if needed (f.e. an incident) you can present it to management - also when you are logging Internet access, in most jurisdictions it is safest to inform your users about it (on paper, and let them sign that they accept the policy)
So given these rules you certainly need some kind of policy enforcing technology at your Internet access gateway. Probably a proxy with filtering and a security appliance.
Of course you should assist your HR staff with suggestions on what can and can't be done with your systems/budget restraints and so on. You should implement the policies as HR or your boss tells you. You just don't want to decide on that matter - it is NOT YOUR JOB.
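As an added illustration of the policy tiers and the accountability logging described in the comment above (example code, not from the original thread): the category names, log format and user names are constructed for this example, and the HR deny list is an assumed input.

```python
"""Added example: default-deny tiers plus an accountability report built
from proxy-style access log lines.  Categories, log format and users are
constructed for illustration; HR_DENY stands in for a management-approved list."""
from collections import defaultdict
import re

# Tiers 1-3 from the comment: blocked by default to protect company assets.
BLOCKED_BY_DEFAULT = {"malware", "phishing", "hacking",
                      "illegal", "hatespeech", "drugs",
                      "pornography", "gambling"}
# Everything else (social media, news, gaming, ...) is allowed unless
# management/HR hands over an explicit deny list (assumed input).
HR_DENY = set()


def decide(category, hr_deny=HR_DENY):
    """Return 'DENY' or 'ALLOW' for a site category."""
    if category in BLOCKED_BY_DEFAULT or category in hr_deny:
        return "DENY"
    return "ALLOW"


# Constructed log lines: "<epoch> <user> <category> <url>"
LOG = """\
1436000001 jsmith news http://news.example/
1436000002 jsmith malware http://bad.example/payload
1436000003 akowalski social http://social.example/feed
1436000004 akowalski phishing http://login-bank.example/
1436000005 jsmith news http://news.example/sports
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


def accountability_report(log_text, hr_deny=HR_DENY):
    """Per-user allowed/denied counts plus every denied (timestamp, url):
    the record you would hand to management after an incident."""
    report = defaultdict(lambda: {"ALLOW": 0, "DENY": 0, "denied_urls": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than lose the report
        ts, user, category, url = m.groups()
        verdict = decide(category, hr_deny)
        report[user][verdict] += 1
        if verdict == "DENY":
            report[user]["denied_urls"].append((int(ts), url))
    return dict(report)


if __name__ == "__main__":
    for user, r in accountability_report(LOG).items():
        print(user, r["ALLOW"], "allowed,", r["DENY"], "denied", r["denied_urls"])
```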
If you are an engineer in a service providing company your certification level is essential for HR of this company. Be it Cisco, Microsoft, Oracle, IBM, Citrix, VMware or whatever - the company providing services (like implementation) usually needs to have certified employees to reach a certain partner level (like Gold, Platinum and what-the-fuck-they-had-invented-recently). It is just a business for these companies to sell certifications for their products.
Is it important to have certifications? Well just look at the policies FOR EMPLOYERS that the vendors in your area of interest are providing.
Solidarity. Yes. I love and up your comment. I live in Poland which by Greek standards is kind of poor. I see poor people everyday, I also face hard working people daily. The ones which build up the economy on which Greece can now bargain for details - please also think about us who lend you the money. We are a community.
Greece LIED/MANIPULATED their financial reports to get credits. You can't blame banksters for that.
So are you contradicting me or what? What I meant is that I like Greeks - and we (Polish people) can party with them all night long. Well we tend to get a bit more drunk in the process but I blame the climate for that. Whatever man. :)
Slavic. I meant slavic.
> So you're proud to be paying taxes spent in the wrong way? Congratulations on being part of the problem.
Yeah I love people who tend to bend words to their liking. I KNOW that in my country I guess that about 20% of the taxes that I pay are spent wrong. But the other 80% are spent on pensions for elderly people (it is called the generational agreement), on my FREE health care, on the roads I use, on police and firemen that keep me safe, on FREE education and so on. In general the notion of taxes is OK with me. So congratulations on not getting the facts right. Go on and invent some kind of larger society without the need to contribute to it. Please go on. Teach me.
I don't quite understand what they are cheering about. They have put themselves into this situation and really there is no good outcome now for them. They take the EU conditions and further tighten expenses (drastically) or leave the eurozone and stay between Turkey, Russia and the EU. Also in the second choice (leaving the EU) they go back to the Drachma and face a weeks-long deep crisis and then 5-10 years of economic recession. Really no reason to cheer in my opinion.
And for the record - I love Greece as a tourist. I've been there many times but I also recall that they have a culture of not paying taxes which in my opinion is stupid and unpatriotic. Mind you - I am Polish and here also people HATE to pay taxes - they know that their taxes are usually being spent in wrong ways, the taxes fuel a caste of mindless clerks etc. but nevertheless Polish people DO PAY taxes like VAT and income.
For what I know of the Greeks as a tourist, I know that they had a culture of mass avoidance of taxes - f.e. in the late 90's I was on holiday in Greece and the common practice was to use a credit card for payment - the best bargaining method. You just go to a shop, pick some wares and say you will pay with a credit card - immediately they dropped the price to the minimum and begged you to pay in cash (since using a credit card would produce a paper trail and taxation). And it was extremely common. Also in restaurants - go, eat and then wave a credit card - the payment would drop from f.e. 2200 drachmas to 1000 (!!!) with a promise of a further discount the next day. Really. Not to mention thousands of unfinished houses used as finished houses (another reason for not paying taxes).
I have nothing against the Greeks - I like them - they are kind, warm and similar to Slavic people. But they need to learn that paying taxes is what makes your country function. They need to learn that if they are in some international community they can't lie about their finances to get credit. And so on.
> The way a drone strike works is a drone loiters on station for
> weeks on end. During this time the drone's pilots figure out who
> is in the house when [...] the Girl Scouts [...] teenage daughter
> has a boyfriend who sneaks in [...] civilian population [...]
Seriously? Do you believe this? It looks like some soap opera TV drama applied to military actions. I don't think it works like that. For what I see nobody cares about the civilians unless it would be a publicity stunt. For what I see the drone killing policy is just plain chaos fueled by special forces intel - and the chain of command - general: the target is in the building - just blow it the fuck up and we have a success, then the order goes down and further down and then it is the sole drone pilot who is given an order to blow something up - but he has objections, maybe the said hypothetical boyfriend is right now banging, but he has orders - what to do? Run it up the chain of command to the general who has his orders from the intel? Are you joking? Etc.
What you have written would be true if secret intel operations were flawless but for what we know it is just chaotic bullshit. Man, the USA invaded another country based on wrong or misleading political interpretations of wrong intel (I am writing about Iraq and the Bush administration) and also the USA is a big mess of Xteen top secret organisations/agencies employing about a million people with access to top secret information...
In general this whole machine powers decisions to use drone killing. Paranoia I would say.
I don't know how you function in what I presume is the USA but here in Poland in small to mid sized companies nobody would even consider buying a general purpose office printer without knowing that there are cheap substitute toners available for that model. I work in a small company and we only buy printers for which we can get cheap toners. And the price difference is like 1/2 (!). Right now we go only with Lexmark and annually we do market research to find the cheapest company to supply us with substitute toners. Once we have a contract with such a company they are more than willing to take old toner cases from us. And they also do all the paperwork for us to give us receipts of old toner recovery since it is required by law to have such. I don't know anybody who was audited about this but it is illegal here to just dump the e-waste in the trash - you ought to have a receipt for every piece of electronics/e-waste you dispose of (and also you need it for fiscal reasons).
So I am a bit shocked reading about your toner accumulation policy and your urge to throw them away into trash. :)
You are perfectly OK to choose Uber whenever you like and it is available for you but the rest of your post is just invalid.
> Sure, like you said, there are nice taxis therein Poland regulated
> by the government. And then there are all the other scammers around.
And what makes you think that Uber are not scammers? What real jurisdiction Uber has over transport in Poland?
> Now, me as a tourist, I land at Krakow airport and I have
> no clue which is which and I may as well end up in a shitty dirty
> unregulated cab paying 5x the fare
Well I don't know the airport in Kraków but Warsaw airport has like five accepted taxi companies which can pick you up straight from the terminal. Other ones (if you order them) can drive to further pickup lanes at the airport. So it is really no longer a problem with scammer taxis at airports in Poland (it used to be). The same goes for major railway stations. You can safely pick the ones recommended by airports - they are not the cheapest (in the 2,4z per kilometer range) but they are safe.
> call a Uber driver and be sure to arrive at my destination in an accountable
> transport that charges me the minimum fare possible for that trip.
What makes you think Uber is accountable?
> Guess which one the users choose.
I guess they choose airport approved taxis.
I'm posting this from Warsaw, Poland. The taxi business here is OK I guess as a client - there are just loads of taxis everywhere, you can call your favourite and it will come in 10 minutes - always. And it is great. Local regulations require that a TAXI, to be called TAXI, has to have a license - the fare with these guys is regularly between 2,60-1,50 (per kilometer + "shutting door" fare). There are also "people transfer" services which are like TAXI but are not formally that but private lines - they can't have a TAXI sign on the car but would use something like TAKSI and so on. Also there is a law that anybody who can transport 7 people (large vans with seating in the back) can operate as a private transporter. Also you have the thing called "Night Drivers" and it is like a person transfer (legally) but usually somebody with a really fancy car shows up and drives you - and then gives you their card so you call them more often.
This is a mess I guess but if you know the differences you can pick the best way for you (which in my case is the cheapest registered TAXI - since they can use lanes exclusive to them).
And there also was a case in Kraków in which the city forbade non registered taxis - so they operated as psychological services (sic! - you drive, you get an advice). Etc.
Nevertheless I love taxi and similar services in my city (Warsaw) - I can order whatever the fuck I want. :) TAXI, private transfer, Uber etc. - and get home....
So in my opinion Uber has no chance here (with their 1/4 commission going just for using the app - fuck you Uber - clients PAY for that) since you can get cheap rides anyway... Uber is only strong where old-school style city-regulated TAXIs are strong.
> The laptop niche seems okay,
Except it is not a niche. Personally I haven't used a desktop/workstation computer for like 5 years. And also it has been like 5 years (or more) since notebook shipments exceeded desktops/workstations. Of course in sane IT deployments loss of a client computer should not be a problem but still there could be sensitive data there. Even system level stuff like password hashes and so on. Maybe it is rare but security breaches usually involve the weakest link - and be it that if stealing a notebook is easier than breaking into your network then attackers would go and steal that laptop.
> except laptops get hacked just like desktops way more often than they get stolen and offlined
True. Probably spear-phishing or something like that would be easier than physically stealing a notebook. But stealing is still possible so you should protect also that vector of attack.
It's funny that IIRC the guy behind Silk Road was captured using his laptop. The FBI tracked him and waited for an opportunity to seize his notebook without the possibility for him to shut it down (as it was encrypted). The lesson here is maybe to have some low-range personal device like a Bluetooth LE smartband that makes the computer shut down when you are not close to it (like very close). And also don't tell anybody about it. ;)
Oh and for the Silkroad guy it would be wiser to operate from a country in which FBI has no jurisdiction... ;)
I don't know why you are hostile? :) If you could describe a situation in which allowing divide by zero would be deadly. I don't disagree with you - I AGREE - YOU DON'T DIVIDE BY ZERO - BASIC MATH. But also I wonder how one can explain this to another by example of how it could be deadly (an airplane example, a nuclear power plant maybe)?
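As an added illustration of the kind of example the comment above asks for (example code, not from the original thread): a constructed climb-rate calculation where a duplicated sensor timestamp makes delta_t zero, so the unguarded control loop dies on the division while the guarded one keeps running. The sample values and the "hold last good value" policy are assumptions for this illustration, not taken from any real avionics system.

```python
"""Added example: an unguarded division in a control loop versus a guarded one.
The altitude samples below are constructed; the third one repeats the previous
timestamp (duplicated packet or stalled clock), so delta_t is 0 for that step.
Note: in Python float division by zero raises; in C or numpy it silently yields
inf/NaN that then flows into whatever consumes the rate, which is worse."""

# Constructed samples: (timestamp_seconds, altitude_metres)
SAMPLES = [(0.0, 1000.0), (1.0, 1010.0), (1.0, 1010.0), (2.0, 1020.0)]


def naive_climb_rates(samples):
    """rate = d_alt / d_t with no guard: raises ZeroDivisionError on the
    duplicated timestamp, and the whole loop terminates right there."""
    rates = []
    for (t0, a0), (t1, a1) in zip(samples, samples[1:]):
        rates.append((a1 - a0) / (t1 - t0))
    return rates


def guarded_climb_rates(samples, min_dt=1e-3):
    """Same computation, but a zero (or implausibly small) delta_t is treated
    as 'no new information': reuse the last good rate and keep running."""
    rates = []
    last_good = 0.0  # assumption: start from level flight
    for (t0, a0), (t1, a1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt < min_dt:
            rates.append(last_good)  # hold previous value instead of dying
            continue
        last_good = (a1 - a0) / dt
        rates.append(last_good)
    return rates


def naive_crashes(samples):
    """Return True if the unguarded version terminates abnormally."""
    try:
        naive_climb_rates(samples)
    except ZeroDivisionError:
        return True
    return False


if __name__ == "__main__":
    print("unguarded loop crashes:", naive_crashes(SAMPLES))
    print("guarded rates (m/s):", guarded_climb_rates(SAMPLES))
```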
It runs on Linux.
> so a vulnerability in one process cannot give you access to the content of the other
Unless it is a kernel vulnerability in LXC that allows you to escape the container.
But you are right about POSIX.
IMO containers are not about security - if you wanted security you would go with designs that were built with it in mind from hardware to software.
Containers and microservice architecture allow faster and better managed deployments of services in large distributed scale (aka the cloud) and this is the main selling point.
> I'm not a PS4 (or any other console) fanboy, but I read this and can't help wonder:
> It there anything that stops a user from replacing the hard drive in a PS4 with a larger
> drive themselves (wonky interfaces? self destruct when opened cases? magic formatting
> of the drive that can't readily be duplicated?)? Is it a typical 3.5 inch drive or a smaller drive?
It is no problem to replace the PS4 disk. You just get a compatible drive (in size - 2,5", max 9,5mm tall, similar performance - nothing fancy, you can even pop in an SSD), open the console, pop in the new drive, download and install the OS from a USB flash drive and it is done. There are plenty of guides on the Internet if you Google it. You can also buy an accessory which adds 500gb storage to the PS4.
Also you wouldn't be buying an entire new PS4 system if you were short on storage. So this is not the case here.
So really this is not big news. I don't quite get why they haven't launched with a bigger drive but it is just normal that they release a new hardware revision later after launch and address problems (like limited storage) - it is for people who _do_not_own_PS4_yet_.
As I know from my job experience large scale IT deployments inside their WAN networks can filter whatever the fuck they want. Sudden appearance of ADP as an enterprise deployable package - who the fuck cares? We are right now black/white listing all the stuff we need. Who needs to introduce something like ADP that probably can mess with loads of internal services and needs to be tested if you could just not use it? If a user has a problem with advertisements he/she is probably far away from what he/she should be doing on their workstation.