> The parents that DO home school their kids probably do so because they know that they are qualified (and probably have some actual classroom teaching experience in the past).
Actually, no. A large percentage of home schooling parents have no teaching experience.
You're also making the assumption that the skill of the teacher has a direct correlation to the student's success at learning, with no other factors being significant.
Look at it this way: if I have an extremely skilled craftsman, who can turn out superior work, and compare him to an average or even below-average workman, both working on one piece, the difference is obvious. But if I demand the superior workman turn out 50 pieces daily, while the less skilled workman has all day to work on one or two pieces, I am very likely to discover that the less skilled workman is turning out much better pieces.
In a situation like that, factors other than the skill of the teacher are so significant that the skill of the teacher is largely irrelevant as long as he is not completely incompetent.
A relatively unskilled parent home schooling one or two children can get far better results in many cases than a highly skilled teacher who is spread much too thin with far too many students and conflicting goals. Or even a teacher with well planned class sizes and enough time.
> A parent that home schools their child simply for financial reasons, in order to save taxpayer money, may not be giving their child a decent education.
I cannot imagine a parent home schooling their children solely to save the taxpayers a buck or two.
> Plus, the school bus will still have to run the same route anyway, using essentially the same fuel, regardless of whether the child is on the bus or not.
Maybe yes, maybe no. Not all school systems use geographically distributed routes. Some of them form -very- odd patterns.
> Just a response to one point -- although this isn't my only point of disagreement -- the "right to fair consideration". No, people don't have the right to "fair consideration", because no-one has the right to step on someone else's private property to begin with.
Not sure where this came from; I explicitly defined the right as fair consideration for employment in the -field- in which they wish to be employed. Not fair consideration for any specific job in a field. The right refers to the right not to be excluded from a field. Not a right to a specific job.
There are a number of situations in which barring someone from employment for reasons of race, creed, gender, etc. is perfectly legal. For example, a Jewish synagogue has every legal right to bar people of other faiths from employment in various areas; Christian schools can bar non-Christians from teaching jobs, etc. Battered women's shelters can bar men from acting as counselors, and men's organizations can bar women.
And when you employ someone in your home, you have a great deal of latitude.
Not saying it's -always- legal. But it isn't always illegal.
> If I'm inviting people into my house, or throwing a ball, I don't have to give anyone fair consideration;
True.
> I have the right to discriminate who gets in or who doesn't based on any criteria I choose (hair-color, height, age, sex, race, weight, etc) or none at all. That doesn't change just because I'm offering people money to do a job for me (e.g., say I was hiring a maid).
Correct. But let's make it "Doctor" rather than "Maid", and let's say you head up the standards bodies for medical schools.
If you acted to ensure that people of a certain gender or race had no opportunity to apply to schools or for employment as doctors, that would violate what I discussed. If they can't go elsewhere, and are barred from an entire field of employment, then you've got a problem.
Now, large employers, corporations and such, generally need to go to great effort to ensure that everyone has fair consideration for -every job-.
> Now, those who engage in such kinds of discrimination are going to pay the financial penalty, but they demonstrate by their actions that they'd rather pay that penalty than not engage in such discrimination.
For a case like you described, there might not be a penalty. Many employment laws require an employer to employ a certain number of people before he is covered by the law.
> When was the last time you saw lots of jobs for mainframe techs? The jobs that are out there are filled.
Actually, there are a lot of them out there. The problem is, students get to look at earning the same degree, and getting a job using .NET for mid to high 5 figures, or mainframe skills and getting a job earning low 5 figures. The pay isn't competitive; the high paid mainframe positions go to people with real-world experience. The graduates start off much cheaper than in the PC arena.
To fill the spots, you need to either raise the pay (not likely to happen), or reduce the cost of getting the education and sell it, really sell it, to people who wouldn't go to school for a CS degree anyway.
Selling it is going to require offering good benefits, contracts rather than "at-will" employment, etc. Basically, it needs to be treated as comparable to a technology-based trade-school position at a factory, rather than being a white-collar college degree job.
This is -not- a knock to the mainframers; most of them have as good an education or better than the PC folks. But the reality is that mainframe tech is more mature, and it doesn't require all CS graduates to handle it. It requires a few CS graduates, and mostly trained technicians to do maintenance tasks.
> "The right to vote" is newspeak for "the 'right' to aggress against others" (namely, to openly express and act upon one's desire to take that which they haven't earned).
There is a certain truth to this. The right to vote comes with responsibilities: the responsibility to take the time to get to the polls; the responsibility to read the ballot carefully and research the candidates and issues; the responsibility to continue to work within the system even when your candidate/proposition fails.
> Regarding discrimination in the workplace, no-one has the "right" to work at a specific company.
And the law reflects this. But everyone has a right to apply and be fairly considered for employment in whatever field they choose. If and when the firms dominating a market collude, either explicitly or in a "gentlemen's agreement" to exclude people based on *specific characteristics noted in the law, in violation of statute, the people discriminated against have a right of legal action.
*race, creed, national origin, gender. Hair style? Not actionable. Life style? Not actionable.
> I'd argue, however, that there are a lot of managers who would like nothing more than to have all female employees.
The biggest problem is a culture of fear. Fearful managers take perceived safe actions. In many companies, hiring more than a certain percentage of women, or blacks, or hispanics, etc. is considered a "risky, high-profile" move. If the company is growing, risky and high-profile can be good for managers. If the company is cycling through rounds of layoffs, risky and high-profile is professional suicide.
The fact is that managers get credit for things they didn't do, and blame for things they didn't do. If the company does well due to some coincidence, risky, high-profile manager gets credit for the way his daring paid off. If the economy tanks, RHP manager gets blamed. Even if his actions reduced the inevitable losses.
> As regards the glass-ceiling, he argues this is due to...
I've always wondered if anyone has done any research on the other side of the glass ceiling. The glass ceiling idea is that those who hit the glass ceiling can get hired, but once they rise to a certain level, they hit a "glass ceiling". Management bars members of these groups from higher management positions.
But does it start when they rise to that level, or does it happen at hiring time? White males who are aggressive, hard-hitting, take-no-prisoners go-getters get hired for those qualities, and are often promoted into high-ranking positions. I've often wondered if black men, women, etc. displaying the same characteristics are viewed as "confrontational", "angry", or "bitchy" and weeded out early. Perhaps the system doesn't prevent the high-energy executive types from crossing the finish line so much as keeping them from the starting line.
No proof, just an idea I've mulled over.
You had more interesting points, I just don't have comments on them.
You have 4 distinct needs:
1- a DoD compliant secure computer
2- a secure environment for it
3- verifiable evidence of correct execution of the task of purchasing or building this system.
4- maintain the security of the system. This depends heavily on #2, and is one reason you require verifiability (#3).
If another admin or support person after you breaches security, you need to be able to verify who did what, when.
There are some clues in your post:
"Growing into the job of a system administrator..."
This indicates you have been tossed into a sysadmin position like many people, without the training and experience to do it. You've learned on the job, and are getting better. But you know there are gaps in your experience. You also know you don't know where all the gaps are. You aren't experienced enough to do something like this on your own, -and- properly document and verify its completion.
"...I'm not quite prepared for..."
This shows good sense.
"The computer...must have, *from what I can tell* (emphasis mine), a removable hard drive and security stickers to prevent tampering."
If you have to qualify statements with "from what I can tell", you aren't prepared for this. You can get assistance from a vendor or consultant, but this will always be -your- responsibility. You need to get prepared, and self-study and web research ain't gonna do it.
Inform your bosses that you can't take on this responsibility without the additional training to handle it. Find out what you need to learn, find a school, and present the proposal.
I have -no- experience setting up DoD secure systems, but I do set up high-security systems for businesses. I do read the DoD standards in order to be up to date. In other words, I'm better trained to do this than you, and I wouldn't try it without more training.
>> Another issue I have with AOL is that AOL digs roots very deeply into your computer. I don't know if this is still true since I haven't seen anyone using the service in a while, but it used to do stuff like replace your built-in dial-up networking functionality with its own, and even replacing various parts of the TCP/IP software and system files with its own. Uninstall? Useless.
>
> I am not an AOL fan, but to be fair to them, I will say that when I canceled my cousin's AOL and he got a cable modem, the AOL software was uninstalled without a problem. There was no problem with the cable modem working.
I don't use AOL, but for the last few versions, it does seem to uninstall cleanly. The first poster is right about one thing; it -used- to replace critical system networking DLLs with AOL versions and overwrite the network settings. It was horrible then. I knew a lot of support departments who forbade users to install AOL.
> I never could figure out why AOL became such a large company.
Easy to install, and more local modem banks than anyone after they bought CompuServe. I have a number of friends in rural areas who could have AOL or nobody (without a long-distance call) for a -long- time.
> Did AOL become so huge because they were the only company that handed out free CD's at every computer store?
And direct mail, and in every kind of magazine, and in banks and office supply stores and discount stores... It was a big help in the process. A lot of people will take anything if you give something away.
> I'm not a US citizen so I can't really speak from experience, but the perception we get from the US > education is that it's not very "high standard".
I am a US citizen, and I can tell you that there is, unfortunately, a great deal of truth in this perception.
> For example history:... you guys get mostly US history and some european history.
True. Some time (relatively little) spent studying US history is mandatory, with about one year of "world history". The precise content of the world history component seems to be dictated by the current fashion in education. In the past, this was almost entirely Western European history, no depth. There have been various requirements to broaden it to cover the rest of the world, while not allowing additional (mandatory) time.
It is -very- definitely possible to get a broader exposure to history, but it depends on the willingness of the student or the student's parents to take appropriate "electives".
I got a great deal of additional exposure, but I -like- history. I still study history, just for fun.
> Which is mostly limited to facts and names and not really the "bigger picture".
Also unfortunately true in many cases. Many schools do much more, many do the minimum required. But you can definitely get through with just names and dates.
> The same thing applies to math imho: several US exchange students went over here and it turned out that Belgian high school students learn Math paradigms which are taught at college in the US.
Unfortunately very true. Again, the students -can- get exposure. I had advanced algebra in elementary school, advanced geometry and trigonometry in middle school, and advanced placement calculus and physics in high school. But I could have gotten a high school diploma, if I chose, with only minimal exposure to elementary algebra, and a fraction of the time spent studying math at all.
> Besides, what's the deal with classes like "woodshop" or "household"?
Most schools have courses called, when I was there "industrial arts" and "home economics". These give kids a basic exposure to practical industrial crafts (wood and sheet metal working, welding, electronics, several types of printing, etc.) and basics of running a home (childcare, cooking, sewing, basic home bookkeeping, etc). The idea is preparation for work and marriage.
In some ways, they are a holdover from the 1950s "Father Knows Best" idea of America. However, in part it is due to a relatively classless society.
In many parts of Europe, the quality in-depth education you refer to was only relatively recently available to the lower classes, and in some places is -still- kept from them (as a practical matter). American schools have been much more open to the lower classes. Our typical school day and year is largely a holdover from the need to adjust the school day for children living on working family farms.
> So, even as technology is used in the US educational system, I don't think it would create any added value to the information.
At the low end it doesn't. However, you need to know that a poor education is -not- a typical situation in public schools, with better educations available in expensive private schools. Many public schools offer -exceptionally- good educations, and most allow and assist a motivated student to get a fine education. And many of the finest private schools are small church schools, with very small enrollments, and a great deal of assistance for low-income families.
Even at the low end, most teachers take their jobs seriously. They can't prevent students who will not learn from abusing the system, but I strongly doubt that situation is different in most European countries. But teachers in the US do try to encourage the students to take advantage of the opportunities available.
There isn't "one true picture" of education in America. The mere fact that America is a republic of 50 largely autonomous states that is collectively several times larger than most European countries makes it impossible to have a single valid picture.
> The loss of people's right to privacy is a scary thing, but what scares me more is that our society hasn't progressed beyond this idea that skin is somehow shameful, wrong, or private.
First off: you're assuming the reason -why- people don't want to be viewed in a dressing room. No one but -you- said shameful and wrong.
Second off: anything I reasonably -can- choose to view as private in my life is mine to keep private. Anything.
If I choose to keep my skin private, that's my business. If I choose to keep my email private, that's my business. If I choose to keep my opinions on Leo Tolstoy, Woody Allen, or Hillary Duff private, that's my business.
I don't need to justify it to anyone in order to have an expectation that this privacy be respected, as long as I take reasonable actions on my part to retain that privacy.
Going into a closed dressing room is, in itself, a reasonable action to maintain privacy.
> But, why is it a private matter?
Irrelevant. The reason we talk about a -right- to privacy is to get past the whole "justify yourself" argument. Rights aren't granted by government or society; no one needs to explain why. If they choose to, that's their business. A lot of people have, and if you google, I'm sure you can find a number of reasonable arguments.
There is a cause-and-effect relationship between rights and society, but you've confused the cause (rights) and the effect (society).
> but when it comes to privacy (another mythical construct).
Sorry, just because you wish to declare something "mythical" doesn't make it so. If you believe privacy to be a myth, that's fine; just don't expect that -saying- it's a myth somehow requires anyone to agree with you or prove you're wrong. Many people still believe that there is a natural moral law that exists in -reality- that forms the basis for many of our laws and customs.
And, again, I am -not- saying skin is shameful, wrong, or even private if you don't want to view it as such. It doesn't make me uncomfortable.
What makes me uncomfortable is the willingness of some people to blithely demand that society turn itself upside down, and revoke laws and customs explicitly, in the law, based on their desire to reject those customs. Reject them all you wish; just don't expect everyone to agree with you or support your views in law.
>...the from email address is sometimes a little suspicious,
Sometimes, not always; and, unfortunately, a large percentage of legitimate messages come from suspicious-sounding addresses.
> and the linked website URL is always suspicious, since that can't be faked.
Not quite true; while the linked domain can't be -easily- faked, excluding DNS cache poisoning, the intricacies of domain naming are such that getting legitimate ownership of a reasonable domain name is a frequent occurrence.
Again, this would be mitigated if the dumbasses in various legitimate firms used common sense themselves. If I could -count- on Citibank -only- using links hosted at citibank.com, it would be no problem. But they don't. They let various departments use different domain names, or host them at third party sites, and this blurs the line between the real and the fake mail messages.
It's not just Citibank; I've seen it with a -lot- of companies.
Of course, this is because many of the users would need to call tech support asking them "Remind me again how to type this in?" or "I clicked on the email and it didn't take me anywhere"
One company I did some work for recently has a simple solution; they provide a link to a support page on their intranet, and put the links to the patches there. The link is in the user's start menu. Eventually, even the dumbest seem to learn to use this method.
> Most legitimate requests will tell you to log in to the front page of their web-site (where you've already been), and follow a certain chain of links to get to where the information needs to be verified.
Have to disagree. They should, of course, but a depressingly large number do not. Hell, a depressingly large number of firms don't send email from their own domain; instead they send it from some mailer account that sounds like a spamhaus.
> The biggest hole in this assumption is that someone could have hacked that web-site.
Second biggest. The biggest is that you actually fail to act on a legitimate email because the dumb bastards didn't use good common sense on their own part.
> I think that some slashdotters must be fortunate enough to have never seen a really good phishing email.
I have to agree. I have seen several -extremely- well-crafted ones in recent months. The only way I could tell them from the legitimate ones was to use my own bookmarked links to go to the firm's web site and verify that there was nothing to see and no connection. Most of them, of course, I can tell from the real by looking at the raw mail source. But some are just too good.
Example of why this can be difficult: I just received an email from my ISP asking me to update the credit card information. It was real; the credit card company had just sent out a new card with an updated expiration date. At first, however, I assumed it was a scam.
> You get a letter in the mail on your bank's letterhead in an envelope exactly like every other letter you have received from the bank...
Excellent example. In fact, there are a -lot- of postal mail scams going around now. Despite what bigman2003 stated, it's not merely a failure on the part of the technical community to provide secure communications. Ensuring communications, either electronic or snail-mail, cannot be spoofed is not something anyone knows how to do with 100% accuracy.
> It works in Sport as you can choose to do specific things, for instance during the BBC's coverage of Wimbledon you had a choice of 6 different matches, and a similar choice at the Open.
It's a natural for sports of many types. I can also see a benefit in Olympics coverage; rather than covering the most popular events, with occasional flashes of the less popular, feed all the events live and let people select.
>...when it will really come of age is when it's properly PVR'ed and you can cut your own replay scene of whatever you want and from the various feeds available.
Very true. That could be huge.
> You could also imagine "24" being done as a single broadcast with those little windows as separate feeds... so to be really hard-core you could just follow one character and try and work out WTF is happening.
There are a lot of dramas that could use this kind of thing. If it can become common enough that the program's producers can do it at a reasonable additional cost, it could catch on. Currently, that kind of thing involves a lot of additional storyboarding and planning, and extra camera crews as well as extra hours for the actors.
> I happen to be a young ad exec (not to mention a privacy nut, avid slashdot reader, gamer, geek, etc) and I'm really getting tired of people not understanding our industry.
I can understand and accept that. Are you prepared to understand and accept that there are some things you don't understand about -why- people hate advertising and advertisers?
> Are there sleazy advertising people? HELL YES! Is it the vast majority of them? HELL NO! You see...
I see, you don't. I don't -care- that the majority of advertisers are not sleazy. We're viewing things from 2 different POVs here.
> What really pisses me off is that everybody assumes that our goal is to just annoy you and grab your attention in any way possible.
Actually, we don't. Most industries are pushing the same sort of ill-advised personnel cuts, the "do it cheaper and sloppier" mentality of management, the push to reduce customer service people and turn it over to piss-poor web sites and botched touch-tone phone systems.
When a company I deal with -directly- takes this too far, I can terminate the relationship, which corrects the problem.
In advertising, there is no relationship to terminate. From the very start, I am being imposed upon with no choice in the matter.
Think about it. If my bank screws up regularly, sending me tons of crap, I can change banks. I have -no- relationship with most advertisers. They screw up, and I can't stop the crap.
It's not that advertisers are worse; it's that the nature of the function means that poor performance impacts me more negatively than poor performance in other business areas.
Good performance by advertisers, on the other hand, has very little impact on me.
> Attention Slashdotters: We Are Not Idiots!...the truth is that often times the advertising us geeks find offense with is not targeted at us at all, and in fact the target audience has no problem whatsoever with it.
And this is relevant to what exactly?
Fundamentally, this is the problem. I -don't care- that you please 90% of the people with an ad. If I cannot opt -out- of ads by an advertiser (TV, radio, print, etc. as well as internet), I am annoyed.
> New technologies will continue to be developed to target more accurately because that generates better results.
This is part of the problem. You have just admitted that the purpose of the targeting is to increase sales. This can be accomplished best not by removing all misdirected ads, but by reducing them to a level that satisfies 90% of the people (as I mentioned above), and screwing the remaining 10%.
In fact, you can achieve this by screwing over 100% of the people, no more than 10% of the time.
> So in summary, I'm not saying there isn't a dark side to our industry (like every single other friggin industry in existence), I'm just saying that everybody seems to focus on the bad and ignore the good.
Yes, we are. And we will continue to. Ultimately, you must understand: I have -no- relationship with most advertisers, nor do I desire one. -Any- inconvenience pisses me off. I am not going to give you any credit for doing it well, and will penalize you severely for doing it badly.
Yes, it's unfair. Tough noogies; I have no mandate to be fair to people who go out of their way to annoy me. I do not care that annoying me is not their intent.
No vendor accepts liability. But if the corporate office decides to bring in their lawyers to talk to Microsoft's lawyers*, you're off the hook for buying Microsoft. If you tell the lawyers that the product is Open Source, and it becomes non-trivial to set up this kind of meeting, they get nasty.
It's an issue of perception; often the employees corporate likes best aren't the most productive, they are the -least- productive. But they are visibly in motion. Similarly, the vendors corporate likes aren't the most secure, they are the ones who are in motion.
--------------
* It happens a lot, with all major vendors. They never sue the vendor, but they will do the whole lawyer-to-lawyer meeting and whatnot. MS will promise a small bone, like a "Preview fix in ## days, only available to preferred customers. List price $250,000 (actual value, $3.50). For you, free." And the lawyers will tell corporate that "we put their balls in a vise, and MS promises a fix in ### days."
> People who are already assertive aren't going to start shutting up because of a clicker.
Agreed.
> It will give voice to the normally less assertive.
Less assertive students already have avenues for responding in alternate ways. They contact the instructor privately, after class, email him, talk privately to more assertive friends who speak up for them.
The painfully shy ones probably won't use the clickers very much. I'd like to see real analysis of how well this works at getting the less assertive students to speak up. Something in a controlled experiment rather than opinion polls.
> Cisco is a large company. They obviously didn't know the extent of the problem until it was demonstrated to them.
Well, I wouldn't necessarily commit to 'obviously', but yes, it is possible that they did not understand the extent of the problem.
One problem many advocates of open source have with how large companies deal with security issues is that the company in question wishes to reserve -all rights- to evaluating the severity and proper response to security issues to their own management. As most companies do. Quis custodiet ipsos custodes?
The problem is that Cisco and others are taking the stand that 'this is our business'. Once Cisco offered to stand guard for other people, it stopped being Cisco's business.
Bottom line: to a -large- number of Cisco's customers, -retaining all rights to determining the disposition of security issues- is not acceptable.
> It was irresponsible for Mike to go ahead with his talk without allowing Cisco time to reassess the threat.
This is predicated on the assumption that obscurity effectively reduces the level of vulnerability. I'm not going to debate this here; I'm just saying that not everyone agrees with that proposition. You -cannot- use it as the basis for an unchallenged demand for more time until -after- the issue is dealt with in at -least- an interdisciplinary task force set up to resolve standard responses. Possibly this will require handling in the courts. But it will not go unchallenged.
> Put yourself in Cisco's shoes: someone points out a vulnerability, they tell you about it, you spend 6 months fixing a zillion IOS images, release the images and the security alert, and then BAM!, the individual says, "by the way, it was much worse than I initially told you and I plan to talk about it in about 2 months".
Several problems here:
6 months response time from Cisco would be -much- faster than we have come to expect from vendors. A not unexpected time frame would be 2 to 5 years. In addition, 6 months is, from a certain standpoint, -much- too long. Not "too slow, Cisco; you should be faster", but "too slow; the window is too large and an exploit is -very- likely to occur in the wild."
That's part of the problem. Vendors want more time to deal with these issues, and that is -not- unreasonable. But customers want the damn systems secured, and that is -also- not unreasonable. There is a very real problem here. Neither the ideal for the customers nor the ideal for the vendors is going to happen. We need to explore other alternatives, and this is not going to happen as long as vendors keep a lock on security issues.
It doesn't necessarily have to be out in the open for the world. But it's got to be open to industry people outside the company, who can -force- the company to respond against its wishes. People who -did not create- the vulnerable product have to be the ones to decide how long it takes to fix, how to fix it, and how to deploy the fixes.
> At that point, you would need some time to understand what the issues are and formulate a response. Perhaps up to six months. And it is irresponsible to disclose the vulnerability without allowing Cisco time to assess the problem. Mike could have found an even bigger issue. Perhaps Cisco needed to research it further.
Cogent arguments all. The -only- problem is that neither Cisco, nor any other vendor, has a sufficient currency of trust and goodwill among their customers to force compliance with this.
This is true at least until they are willing to be far more open about how security issues will be addressed, and include members of the security community and customer representatives with opposing viewpoints to -veto- decisions by Cisco. Until these outsiders can force Cisco to take actions that Cisco management is unhappy with, there will be a problem here.
And using the big legal stick to punish researchers is -not- building up that currency of trust.
> So basically what you are saying is that IT staff are motivated by getting the business running properly and efficiently,
Well, those areas that are in the 'line-of-sight' of the IT person, anyway. I don't know that IT people are, on average, any better at improving efficiency in areas outside their specific area than the next person. Many IT people are trained to think in terms of automating the tedious tasks,
> which management tends to not care about (and often finds inconvenient).
Many managers are unconcerned about the inconvenience -their employees- have to put up with. Only when it is so inconvenient that it spills over into poor customer service and lost business are they concerned about these inconveniences. I ran into this a number of times in customer service positions outside of IT.
Especially true when the people who deal with these issues work in departments that are viewed as a cost center, not a profit center.
Sometimes, too, it's not that they are unconcerned; it's that their lack of technical competence causes them to 'tune out' and fail to apply reasonable cost benefit logic to technical issues. Instead of looking at the cost, they react from an 'if it ain't broke, don't mess with it' perspective.
Certainly, it's not true of all cases. I don't even claim it happens in a majority of cases. But it does happen, and too often for my taste.
You only know if you are loved based on how the lover treats you. A lot of times, I know I was 'valued' by the company highly. But the treatment I received indicated that management valued me as an asset, not as an entire person. I was valued, but many qualities I consider integral to my sense of self were viewed as 'inconvenient', and 'obstacles to my advancement'. This is a very mixed message. It doesn't say, "we love you", it says, "we -would- love you if you were a little different; all you need to do is to stop being -you-."
Many managers, both in and out of IT, are very poor at communicating with employees.
Another problem is that many IT people are dissatisfied with "the way we've always done things." A lot of times, management insists on doing various things in very sub-optimal ways, and it can grate on the nerves of people who can't help but see better and more efficient ways to do things.
When your ability to patch the same broken software, on your day off, for the 300th time is 'valued', but your repeated requests to be allowed to -fix- the damn thing once and for all are ignored, it grates on the nerves.
In the post titled, "PHB - leave us alone!", AccUser points out another thing. It can be really frustrating to do something really spectacular and have management ignore it, while simultaneously misrepresenting and over-praising accomplishments that the IT staff knows are technologically crap.
A lot of bosses can't step outside their world view enough to really communicate with techies who have very different values. I've turned down some very lucrative jobs because there is no way I could reconcile my values with those of the firm's managers.
Managers focus so much on delivery dates, market share, product names, what color the splash screen should be, etc. These are necessary things, but a smart manager will realize that these are -never- going to be the motivators for the tech staff. Getting defects under control, smooth and predictable integration, automating bullshit tasks or removing them entirely; -these- are the IT staff motivators.
> Each message must have new and useful content. "Buy our stuff, best prices anywhere!" is neither
> new nor useful, so if that's all you have to say--don't waste my time!
They make utilities, and I get mailings from them. Unlike -every other place- I have ever purchased anything, that sends me notices, I actually -read- and appreciate the notices. Because they only send me a notice if they actually have something to say. A bug fix, upgrade version, new program, or general request for feature requests for a new version.
I might not get a notice for 8 months, or I might get 3 in 2 days. And I read them. I just unsubscribed a month ago from 5 or so newsletters from bigger outfits, because I never read them. They almost never had anything to say.
#6. Send mail from a recognizable domain name. I get some legitimate newsletters from companies with clearly recognizable domain names who insist on making it harder to manage the mail by using bogus-sounding domain names for their mailers.
#6 a. Use a legitimate-sounding and clear From: address, and consider prefixing the subject lines with a clear identifier. If you are 'ABC Company', send the mail from 'ABC Company Newsletter' and prefix all subject lines with 'ABC Company:'. -Especially- avoid using a mailer that uses a bogus constantly changing address in the From: line. *
#7 Consider requiring users to respond to an email once a year to maintain the subscription, and unsubscribing those who don't respond.
--------------------
* personal pet peeve: Microsoft's MSDN Flash comes from an address like: 10_16003_ZskXGUE6ygRusTwrHePbHg@newsletters.microsoft.com
Changing with each mailing. Bright idea, making the legitimate mail look like spam.
> The problem with most Windows developers is that they don't understand the history of Windows.
> They pick up things like "event-driven paradigm" as if it was some great innovation that makes
> their lives easier.
Not entirely. Most Windows developers aren't interested in other platforms, and get all their information from Microsoft documentation. This limits their exposure to the context that would allow them to see what MS created and what they didn't.
Worse yet, many Windows developers have never read the actual documentation, but only the "study guides" for various certifications. So while developers who actually -read- Microsoft's COM documentation would have been aware of other sources like the Object Management Group's DCE specifications, and how they were used in Microsoft's design of COM, most haven't.
Add to that the fact that most have never worked outside of Windows, and you have people with a very limited world view. They can parrot back a few things, but they don't have the broader experience to make use of a lot of the data.
Understood; but trademark law largely ignores -intent-, which makes this point, while true, irrelevant to the issue of infringement.
A more important issue is potential harm to the Vista trademark that may be caused by the use of the term Vista by Microsoft. Yes, it is planned to be 'Microsoft Windows Vista', however, history demonstrates that it -will- be shortened to 'Vista' in practice.
Vista has a legitimate concern here; it only needs to be determined if they can and should have any right of action against Microsoft. Especially since one of the deciding factors in US trademark law is how aggressively you defend the trademark. If Vista -doesn't- take action, a subsequent court could rule that they have no trademark protection. They could even be ordered to stop infringing on Microsoft's use of Vista. 'Who used the name first' is not an important issue in trademark law.
> I now have the Friday afternoon rule. If a "crisis" comes up after 3PM on Friday, it couldn't
> be so important that it cannot wait until Monday.
Good general rule. I made the rule a long time ago, that I get to decide what is an emergency worth working late/coming in early or on weekends for.
95% of the time, I refuse. Two examples where I didn't refuse:
-QA testing found a showstopper bug on Friday at 4PM, with testers planned to work the weekend. The programmer fixed it by 5PM, but the build/release manager wasn't there; left early for the airport. Since I wrote the build scripts and the release specifications, I stayed later in order to rebuild the release and send it to QA.
-The Netherlands ran into some unexpected defects in an application. Only occurred in their localized environment. Due to time difference, I came in 3 hours early to have a conference call with them. Since I knew more about localization issues than anyone on the team, even though it wasn't my project, I came in for the call.
The key difference between these and the usual case is, in the usual case, the 'emergency' was manufactured by management error, or worse, by management refusing to acknowledge issues raised in a timely manner by development staff. By preferring to ignore the issues, any problem can be turned into a crisis.
Some of the other replies had some good ideas. The main thing I would suggest in this case is (assuming your boss is neither irretrievably stupid nor malicious) to bring up the issue and see if you can work out some sort of "do not disturb" situation. Maybe pick specific times of day in which you can be approached, and others when you can't. Possibly set up an area less centrally located where these impromptu meetings won't occur, that you can use at least sometimes.
> The parents that DO home school their kids probably do so because they know that they are
> qualified (and probably have some actual classroom teaching experience in the past).
Actually, no. A large percentage of home schooling parents have no teaching experience.
You're also making the assumption that the skill of the teacher has a direct correlation to the student's success at learning, with no other factors being significant.
Look at it this way: if I have an extremely skilled craftsman, who can turn out superior work, and compare him to an average or even below-average workman, both working on one piece, the difference is obvious. But if I demand the superior workman turn out 50 pieces daily, while the less skilled workman has all day to work on one or two pieces, I am very likely to discover that the less skilled workman is turning out much better pieces.
In a situation like that, factors other than the skill of the teacher are so significant that the skill of the teacher is largely irrelevant as long as he is not completely incompetent.
A relatively unskilled parent home schooling one or two children can get far better results in many cases than a highly skilled teacher who is spread much too thin with far too many students and conflicting goals. Or even a teacher with well planned class sizes and enough time.
> A parent that home schools their child simply for financial reasons, in order to save taxpayer
> money, may not be giving their child a decent education.
I cannot imagine a parent home schooling their children solely to save the taxpayers a buck or two.
> Plus, the school bus will still have to run the same route anyway, using essentially the same
> fuel, regardless of whether the child is on the bus or not.
Maybe yes, maybe no. Not all school systems use geographically distributed routes. Some of them form -very- odd patterns.
> Just a response to one point -- although this isn't my only point of disagreement -- the "right
> to fair consideration". No, people don't have the right to "fair consideration", because no-one
> has the right to step on someone else's private property to begin with.
Not sure where this came from; I explicitly defined the right as fair consideration for employment in the -field- in which they wish to be employed. Not fair consideration for any specific job in a field. The right refers to the right not to be excluded from a field. Not a right to a specific job.
There are a number of situations in which barring someone from employment for reasons of race, creed, gender, etc. is perfectly legal. For example, a Jewish synagogue has every legal right to bar people of other faiths from employment in various areas; christian schools can bar non-christians from teaching jobs, etc. Battered women's shelters can bar men from acting as counselors, and men's organizations can bar women.
And when you employ someone in your home, you have a great deal of latitude.
Not saying it's -always- legal. But it isn't always illegal.
> If I'm inviting people into my house, or throwing a ball, I don't have to give anyone fair
> consideration;
True.
> I have the right to discriminate who gets in or who doesn't based on any criteria I choose
> (hair-color, height, age, sex, race, weight, etc) or none at all. That doesn't change just
> because I'm offering people money to do a job for me (e.g., say I was hiring a maid).
Correct. But let's make it "Doctor" rather than "Maid", and let's say you head up the standards bodies for medical schools.
If you acted to ensure that people of a certain gender or race had no opportunity to apply to schools or for employment as doctors, that would violate what I discussed. If they can't go elsewhere, and are barred from an entire field of employment, then you've got a problem.
Now, large employers, corporations and such, generally need to go to great effort to ensure that everyone has fair consideration for -every job-.
> Now, those who engage in such kinds of discrimination are going to pay the financial
> penalty, but they demonstrate by their actions that they'd rather pay that penalty than not engage in such discrimination.
For a case like you described, there might not be a penalty. Many employment laws require an employer to employ a certain number of people before he is covered by the law.
Not saying it's right; just might not be illegal.
> When was the last time you saw lots of jobs for mainframe techs? The jobs that are out there are filled.
Actually, there are a lot of them out there. The problem is, students get to look at earning the same degree, and getting a job using .NET for mid to high 5 figures, or mainframe skills and getting a job earning low 5 figures. The pay isn't competitive; the high paid mainframe positions go to people with real-world experience. The graduates start off much cheaper than in the PC arena.
To fill the spots, you need to either raise the pay (not likely to happen), or reduce the cost of getting the education and sell it, really sell it, to people who wouldn't go to school for a CS degree anyway.
Selling it is going to require offering good benefits, contracts rather than "at-will" employment, etc. Basically, it needs to be treated as comparable to a technology-based trade-school position at a factory, rather than being a white-collar college degree job.
This is -not- a knock to the mainframers; most of them have as good an education or better than the PC folks. But the reality is that mainframe tech is more mature, and it doesn't require all CS graduates to handle it. It requires a few CS graduates, and mostly trained technicians to do maintenance tasks.
Just my opinion, flame me if you like.
Some interesting points, I just -had- to reply.
> "The right to vote" is newspeak for "the 'right' to aggress against others" (namely, to openly
> express and act upon one's desire to take that which they haven't earned).
There is a certain truth to this. The right to vote comes with responsibilities: the responsibility to take the time to get to the polls; the responsibility to read the ballot carefully and research the candidates and issues; the responsibility to continue to work within the system even when your candidate/proposition fails.
> Regarding discrimination in the workplace, no-one has the "right" to work at a specific company.
And the law reflects this. But everyone has a right to apply and be fairly considered for employment in whatever field they choose. If and when the firms dominating a market collude, either explicitly or in a "gentlemen's agreement" to exclude people based on *specific characteristics noted in the law, in violation of statute, the people discriminated against have a right of legal action.
*race, creed, national origin, gender. Hair style? Not actionable. Life style? Not actionable.
> I'd argue, however, that there are a lot of managers who would like nothing more than to have
> all female employees.
The biggest problem is a culture of fear. Fearful managers take perceived safe actions. In many companies, hiring more than a certain percentage of women, or blacks, or hispanics, etc. is considered a "risky, high-profile" move. If the company is growing, risky and high-profile can be good for managers. If the company is cycling through rounds of layoffs, risky and high-profile is professional suicide.
The fact is that managers get credit for things they didn't do, and blame for things they didn't do. If the company does well due to some coincidence, risky, high-profile manager gets credit for the way his daring paid off. If the economy tanks, RHP manager gets blamed. Even if his actions reduced the inevitable losses.
> As regards the glass-ceiling, he argues this is due to...
I've always wondered if anyone has done any research on the other side of the glass ceiling. The glass ceiling idea is that those who hit the glass ceiling can get hired, but once they rise to a certain level, they hit a "glass ceiling". Management bars members of these groups from higher management positions.
But does it start when they rise to that level, or does it happen at hiring time? White males who are aggressive, hard-hitting, take-no-prisoners go-getters get hired for those qualities, and are often promoted into high-ranking positions. I've often wondered if black men, women, etc. displaying the same characteristics are viewed as "confrontational", "angry", or "bitchy" and weeded out early. Perhaps the system doesn't prevent the high-energy executive types from crossing the finish line so much as keeping them from the starting line.
No proof, just an idea I've mulled over.
You had more interesting points, I just don't have comments on them.
You have 4 distinct needs:
1- a DoD compliant secure computer
2- a secure environment for it
3- verifiable evidence of correct execution of the task of purchasing or building this system.
4- maintain the security of the system. This depends heavily on #2, and is one reason you require verifiability (#3).
If another admin or support person after you breaches security, you need to be able to verify who did what, when.
There are some clues in your post:
"Growing into the job of a system administrator..."
This indicates you have been tossed into a sysadmin position like many people, without the training and experience to do it. You've learned on the job, and are getting better. But you know there are gaps in your experience. You also know you don't know where all the gaps are. You aren't experienced enough to do something like this on your own, -and- properly document and verify its completion.
"...I'm not quite prepared for..."
This shows good sense.
"The computer...must have, *from what I can tell* (emphasis mine), a removable hard drive and security stickers to prevent tampering."
If you have to qualify statements with "from what I can tell", you aren't prepared for this. You can get assistance from a vendor or consultant, but this will always be -your- responsibility. You need to get prepared, and self-study and web research ain't gonna do it.
Inform your bosses that you can't take on this responsibility without the additional training to handle it. Find out what you need to learn, find a school, and present the proposal.
I have -no- experience setting up DoD secure systems, but I do set up high-security systems for businesses. I do read the DoD standards in order to be up to date. In other words, I'm better trained to do this than you, and I wouldn't try it without more training.
>> Another issue I have with AOL is that AOL digs roots very deeply into your computer. I don't know
>> if this is still true since I haven't seen anyone using the service in a while, but it used
>> to do stuff like replace your built-in dial-up networking functionality with its own, and even
>> replacing various parts of the TCP/IP software and system files with its own. Uninstall? Useless.
>
> I am not an AOL fan, but to be fair to them, I will say that when I canceled my cousin's AOL and he
> got a cable modem, the AOL software was uninstalled without a problem. There was no
> problem with the cable modem working.
I don't use AOL, but for the last few versions, it does seem to uninstall cleanly. The first poster is right about one thing; it -used- to replace critical system networking DLLs with AOL versions and overwrite the network settings. It was horrible then. I knew a lot of support departments who forbade users to install AOL.
> I never could figure out why AOL became such a large company.
Easy to install, and more local modem banks than anyone after they bought CompuServe. I have a number of friends in rural areas who could have AOL or nobody (without a long-distance call) for a -long- time.
> Did AOL become so huge because they were the only company that handed out free CD's at every computer store?
And direct mail, and in every kind of magazine, and in banks and office supply stores and discount stores... It was a big help in the process. A lot of people will take anything if you give something away.
> I'm not a US citizen so I can't really speak from experience, but the perception we get from the US
> education is that it's not very "high standard".
I am a US citizen, and I can tell you that there is, unfortunately, a great deal of truth in this perception.
> For example history: ... you guys get mostly US history and some European history.
True. Some time (relatively little) spent studying US history is mandatory, with about one year of "world history". The precise content of the world history component seems to be dictated by the current fashion in education. In the past, this was almost entirely Western European history, no depth. There have been various requirements to broaden it to cover the rest of the world, while not allowing additional (mandatory) time.
It is -very- definitely possible to get a broader exposure to history, but it depends on the willingness of the student or the student's parents to take appropriate "electives".
I got a great deal of additional exposure, but I -like- history. I still study history, just for fun.
> Which is mostly limited to facts and names and not really the "bigger picture".
Also unfortunately true in many cases. Many schools do much more, many do the minimum required. But you can definitely get through with just names and dates.
> The same thing applies to math imho: several US exchange students went over here and it turned out
> that belgian high school students learn Math paradigms which are taught at college in the US.
Unfortunately very true. Again, the students -can- get exposure. I had advanced algebra in elementary school, advanced geometry and trigonometry in middle school, and advanced placement calculus and physics in high school. But I could have gotten a high school diploma, if I chose, with only minimal exposure to elementary algebra, and a fraction of the time spent studying math at all.
> Besides, what's the deal with classes like "woodshop" or "household"?
Most schools have courses called, when I was there "industrial arts" and "home economics". These give kids a basic exposure to practical industrial crafts (wood and sheet metal working, welding, electronics, several types of printing, etc.) and basics of running a home (childcare, cooking, sewing, basic home bookkeeping, etc). The idea is preparation for work and marriage.
In some ways, they are a holdover from the 1950s "Father Knows Best" idea of America. However, in part it is due to a relatively classless society.
In many parts of Europe, the quality in-depth education you refer to was only relatively recently available to the lower classes, and in some places is -still- kept from them (as a practical matter). American schools have been much more open to the lower classes. Our typical school day and year is largely a holdover from the need to adjust the school day for children living on working family farms.
> So, even as technology is used in the US educational system, I don't think it would create
> any added value to the information.
At the low end it doesn't. However, you need to know that a poor education is -not- a typical situation in public schools, with better educations available in expensive private schools. Many public schools offer -exceptionally- good educations, and most allow and assist a motivated student to get a fine education. And many of the finest private schools are small church schools, with very small enrollments, and a great deal of assistance for low-income families.
Even at the low end, most teachers take their jobs seriously. They can't prevent students who will not learn from abusing the system, but I strongly doubt that situation is different in most European countries. But teachers in the US do try to encourage the students to take advantage of the opportunities available.
There isn't "one true picture" of education in America. The mere fact that America is a republic of 50 largely autonomous states that is collectively several times larger than most European countries makes it impossible to have a single valid picture.
Sorry, your logic is seriously flawed.
> The loss of people's right to privacy is a scary thing, but what scares me more is that our society
> hasn't progressed beyond this idea that skin is somehow shameful, wrong, or private.
First off: you're assuming the reason -why- people don't want to be viewed in a dressing room. No one but -you- said shameful and wrong.
Second off: anything I reasonably -can- choose to view as private in my life is mine to keep private. Anything.
If I choose to keep my skin private, that's my business. If I choose to keep my email private, that's my business. If I choose to keep my opinions on Leo Tolstoy, Woody Allen, or Hillary Duff private, that's my business.
I don't need to justify it to anyone in order to have an expectation that this privacy be respected, as long as I take reasonable actions on my part to retain that privacy.
Going into a closed dressing room is, in itself, a reasonable action to maintain privacy.
> But, why is it a private matter?
Irrelevant. The reason we talk about a -right- to privacy is to get past the whole "justify yourself" argument. Rights aren't granted by government or society; no one needs to explain why. If they choose to, that's their business. A lot of people have, and if you google, I'm sure you can find a number of reasonable arguments.
There is a cause and effect relationship between rights and society, but you've confused the cause (rights) and the effect (society).
> but when it comes to privacy (another mythical construct).
Sorry, just because you wish to declare something "mythical" doesn't make it so. If you believe privacy to be a myth, that's fine; just don't expect that -saying- it's a myth somehow requires anyone to agree with you or prove you're wrong. Many people still believe that there is a natural moral law that exists in -reality- that forms the basis for many of our laws and customs.
And, again, I am -not- saying skin is shameful, wrong, or even private if you don't want to view it as such. It doesn't make me uncomfortable.
What makes me uncomfortable is the willingness of some people to blithely demand that society turn itself upside down, and revoke laws and customs explicitly, in the law, based on their desire to reject those customs. Reject them all you wish; just don't expect everyone to agree with you or support your views in law.
> ...the from email address is sometimes a little suspicious,
Sometimes, not always; and, unfortunately, a large percentage of legitimate messages come from suspicious-sounding addresses.
> and the linked website URL is always suspicious, since that can't be faked.
Not quite true; while the linked domain can't be -easily- faked, excluding DNS cache poisoning, the intricacies of domain naming are such that getting legitimate ownership of a reasonable domain name is a frequent occurrence.
Again, this would be mitigated if the dumbasses in various legitimate firms use common sense themselves. If I could -count- on Citibank -only- using links hosted at citibank.com, it would be no problem. But they don't. They let various departments use different domain names, or host them at third party sites, and this blurs the line between the real and the fake mail messages.
It's not just Citibank; I've seen it with a -lot- of companies.
Of course, this is because many of the users would need to call tech support asking them "Remind me again how to type this in?" or "I clicked on the email and it didn't take me anywhere"
One company I did some work for recently has a simple solution; they provide a link to a support page on their intranet, and put the links to the patches there. The link is in the user's start menu. Eventually, even the dumbest seem to learn to use this method.
> Most legitimate requests will tell you to log in to the front page of their web-site (where you've
> already been), and follow a certain chain of links to get to where the information needs to be verified.
Have to disagree. They should, of course, but a depressingly large number do not. Hell, a depressingly large number of firms don't send email from their own domain; instead they send it from some mailer account that sounds like a spamhaus.
> The biggest hole in this assumption is that someone could have hacked that web-site.
Second biggest. The biggest is that you actually fail to act on a legitimate email because the dumb bastards didn't use good common sense on their own part.
> I think that some slashdotters must be fortunate enough to have never seen a
> really good phishing email.
I have to agree. I have seen several -extremely- well-crafted ones in recent months. The only way I could tell them from the legitimate ones was to use my own bookmarked links to go to the firm's web site and verify that there was nothing to see and no connection. Most of them, of course, I can tell from the real by looking at the raw mail source. But some are just too good.
Example of why this can be difficult: I just received an email from my ISP asking me to update the credit card information. It was real; the credit card company had just sent out a new card with an updated expiration date. At first, however, I assumed it was a scam.
> You get a letter in the mail on your bank's letterhead in an envelope exactly like every
> other letter you have received from the bank...
Excellent example. In fact, there are a -lot- of postal mail scams going around now. Despite what bigman2003 stated, it's not merely a failure on the part of the technical community to provide secure communications. Ensuring communications, either electronic or snail-mail, cannot be spoofed is not something anyone knows how to do with 100% accuracy.
> It works in Sport as you can choose to do specific things, for instance during the BBCs coverage of
> Wimbledon you had a choice of 6 different matches, and a similar choice at the Open.
It's a natural for sports of many types. I can also see a benefit in Olympics coverage; rather than covering the most popular events, with occasional flashes of the less popular, feed all the events live and let people select.
>...when it will really come of age is when its properly PVR'ed and you can cut your own replay
> scene of what ever you want and from the various feeds available.
Very true. That could be huge.
> You could also imagine "24" being done as a single broadcast with those little windows as
> separate feeds... so to be really hard-core you could just follow one character and try and work out WTF is happening.
There are a lot of dramas that could use this kind of thing. If it can become common enough that the program's producers can do it at a reasonable additional cost, it could catch on. Currently, that kind of thing involves a lot of additional storyboarding and planning, and extra camera crews as well as extra hours for the actors.
No flame, just a detailed response.
> I happen to be a young ad exec (not to mention a privacy nut, avid slashdot reader, gamer, geek, etc)
> and I'm really getting tired of people not understanding our industry.
I can understand and accept that. Are you prepared to understand and accept that there are some things you don't understand about -why- people hate advertising and advertisers?
> Are there sleazy advertising people? HELL YES! Is it the vast majority of them? HELL NO! You see...
I see, you don't. I don't -care- that the majority of advertisers are not sleazy. We're viewing things from 2 different POVs here.
> What really pisses me off is that everybody assumes that our goal is to just annoy you and
> grab your attention in any way possible.
Actually, we don't. Most industries are pushing the same sort of ill-advised personnel cuts, the "do it cheaper and sloppier" mentality of management, the push to reduce customer service people and turn it over to piss-poor web sites and botched touch-tone phone systems.
When a company I deal with -directly- takes this too far, I can terminate the relationship, which corrects the problem.
In advertising, there is no relationship to terminate. From the very start, I am being imposed upon with no choice in the matter.
Think about it. If my bank screws up regularly, sending me tons of crap, I can change banks. I have -no- relationship with most advertisers. They screw up, and I can't stop the crap.
It's not that advertisers are worse; it's that the nature of the function means that poor performance impacts me more negatively than poor performance in other business areas.
Good performance by advertisers, on the other hand, has very little impact on me.
> Attention Slashdotters: We Are Not Idiots!...the truth is that often times the advertising us geeks
> find offense with is not targeted at us at all, and in fact the target audience has no problem whatsoever with it.
And this is relevant to what exactly?
Fundamentally, this is the problem. I -don't care- that you please 90% of the people with an ad. If I cannot opt -out- of ads by an advertiser (TV, radio, print, etc. as well as internet), I am annoyed.
> New technologies will continue to be developed to target more accurately because that generates better results.
This is part of the problem. You have just admitted that the purpose of the targeting is to increase sales. This can be accomplished best not by removing all misdirected ads, but by reducing them to a level that satisfies 90% of the people (as I mentioned above), and screwing the remaining 10%.
In fact, you can achieve this by screwing over 100% of the people, no more than 10% of the time.
> So in summary, I'm not saying there isn't a dark side to our industry (like every single other
> friggin industry in existence), I'm just saying that everybody seems to focus on the bad and ignore the good.
Yes, we are. And we will continue to. Ultimately, you must understand: I have -no- relationship with most advertisers, nor do I desire one. -Any- inconvenience pisses me off. I am not going to give you any credit for doing it well, and will penalize you severely for doing it badly.
Yes, it's unfair. Tough noogies; I have no mandate to be fair to people who go out of their way to annoy me. I do not care that annoying me is not their intent.
No vendor accepts liability. But if the corporate office decides to bring in their lawyers to talk to Microsoft's lawyers*, you're off the hook for buying Microsoft. If you tell the lawyers that the product is Open Source, and it becomes non-trivial to set up this kind of meeting, they get nasty.
It's an issue of perception; often the employees corporate likes best aren't the most productive, they are the -least- productive. But they are visibly in motion. Similarly, the vendors corporate likes aren't the most secure, they are the ones who are in motion.
--------------
* It happens a lot, with all major vendors. They never sue the vendor, but they will do the whole lawyer-to-lawyer meeting and whatnot. MS will promise a small bone, like a "Preview fix in ## days, only available to preferred customers. List price $250,000 (actual value, $3.50). For you, free." And the lawyers will tell corporate that "we put their balls in a vise, and MS promises a fix in ### days."
It's all BS, but it's effective CYA BS.
> People who are already assertive aren't going to start shutting up because of a clicker.
Agreed.
> It will give voice to the normally less assertive.
Less assertive students already have avenues for responding in alternate ways. They contact the instructor privately, after class, email him, talk privately to more assertive friends who speak up for them.
The painfully shy ones probably won't use the clickers very much. I'd like to see real analysis of how well this works at getting the less assertive students to speak up. Something in a controlled experiment rather than opinion polls.
> Cisco is a large company. They obviously didn't know the extent of the problem until it was demonstrated to them.
Well, I wouldn't necessarily commit to 'obviously', but yes, it is possible that they did not understand the extent of the problem.
One problem many advocates of open source have with how large companies deal with security issues is that the company in question wishes to reserve -all rights- to evaluating the severity and proper response to security issues to their own management. As most companies do. Quis custodiet ipsos custodes?
The problem is that Cisco and others are taking the stand that 'this is our business'. Once Cisco offered to stand guard for other people, it stopped being Cisco's business.
Bottom line: to a -large- number of Cisco's customers, -retaining all rights to determining the disposition of security issues- is not acceptable.
> It was irresponsible for Mike to go ahead with his talk without allowing Cisco time to reassess the threat.
This is predicated on the assumption that obscurity effectively reduces the level of vulnerability. I'm not going to debate this here; I'm just saying that not everyone agrees with that proposition. You -cannot- use it as the basis for an unchallenged demand for more time until -after- the issue is dealt with in at -least- an interdisciplinary task force set up to resolve standard responses. Possibly this will require handling in the courts. But it will not go unchallenged.
> Put yourself in Cisco's shoes: someone points out a vulnerability, they tell you about it, you
> spend 6 months fixing a zillion IOS images, release the images and the security alert, and
> then BAM!, the individual says, "by the way, it was much worse than I initially told you and I
> plan to talk about it in about 2 months".
Several problems here:
6 months response time from Cisco would be -much- faster than we have come to expect from vendors. A not unexpected time frame would be 2 to 5 years. In addition, 6 months is, from a certain standpoint, -much- too long. Not "too slow, Cisco; you should be faster", but "too slow; the window is too large and an exploit is -very- likely to occur in the wild."
That's part of the problem. Vendors want more time to deal with these issues, and that is -not- unreasonable. But customers want the damn systems secured, and that is -also- not unreasonable. There is a very real problem here. Neither the ideal for the customers nor the ideal for the vendors is going to happen. We need to explore other alternatives, and this is not going to happen as long as vendors keep a lock on security issues.
It doesn't necessarily have to be out in the open for the world. But it's got to be open to industry people outside the company, who can -force- the company to respond against its wishes. People who -did not create- the vulnerable product have to be the ones to decide how long it takes to fix, how to fix it, and how to deploy the fixes.
> At that point, you would need some time to understand what the issues are and formulate a
> response. Perhaps up to six months. And it is irresponsible to disclose the vulnerability
> without allowing Cisco time to assess the problem. Mike could have found an even bigger
> issue. Perhaps Cisco needed to research it further.
Cogent arguments all. The -only- problem is that neither Cisco, nor any other vendor, has a sufficient currency of trust and goodwill among their customers to force compliance with this.
This is true at least until they are willing to be far more open about how security issues will be addressed, and include members of the security community and customer representatives with opposing viewpoints to -veto- decisions by Cisco. Until these outsiders can force Cisco to take actions that Cisco management is unhappy with, there will be a problem here.
And using the big legal stick to punish researchers is -not- building up that currency of trust.
Thanks, you made some very good arguments.
> So basically what you are saying is that IT staff are motivated by getting the business running
> properly and efficiently,
Well, those areas that are in the 'line-of-sight' of the IT person, anyway. I don't know that IT people are, on average, any better at improving efficiency in areas outside their specific area than the next person. Many IT people are trained to think in terms of automating the tedious tasks,
> which management tends to not care about (and often finds inconvenient).
Many managers are unconcerned about the inconvenience -their employees- have to put up with. Only when it is so inconvenient that it spills over into poor customer service and lost business are they concerned about these inconveniences. I ran into this a number of times in customer service positions outside of IT.
Especially true when the people who deal with these issues work in departments that are viewed as a cost center, not a profit center.
Sometimes, too, it's not that they are unconcerned; it's that their lack of technical competence causes them to 'tune out' and fail to apply reasonable cost benefit logic to technical issues. Instead of looking at the cost, they react from an 'if it ain't broke, don't mess with it' perspective.
Certainly, it's not true of all cases. I don't even claim it happens in a majority of cases. But it does happen, and too often for my taste.
You only know if you are loved based on how the lover treats you. A lot of times, I know I was 'valued' by the company highly. But the treatment I received indicated that management valued me as an asset, not as an entire person. I was valued, but many qualities I consider integral to my sense of self were viewed as 'inconvenient', and 'obstacles to my advancement'. This is a very mixed message. It doesn't say, "we love you", it says, "we -would- love you if you were a little different; all you need to do is to stop being -you-."
Many managers, both in and out of IT, are very poor at communicating with employees.
Another problem is that many IT people are dissatisfied with "the way we've always done things." A lot of times, management insists on doing various things in very sub-optimal ways, and it can grate on the nerves of people who can't help but see better and more efficient ways to do things.
When your ability to patch the same broken software, on your day off, for the 300th time is 'valued', but your repeated requests to be allowed to -fix- the damn thing once and for all are ignored, it grates on the nerves.
In the post titled, "PHB - leave us alone!", AccUser points out another thing. It can be really frustrating to do something really spectacular and have management ignore it, while simultaneously misrepresenting and over-praising accomplishments that the IT staff knows are technologically crap.
A lot of bosses can't step outside their world view enough to really communicate with techies who have very different values. I've turned down some very lucrative jobs because there is no way I could reconcile my values with those of the firm's managers.
Managers focus so much on delivery dates, market share, product names, what color the splash screen should be, etc. These are necessary things, but a smart manager will realize that these are -never- going to be the motivators for the tech staff. Getting defects under control, smooth and predictable integration, automating bullshit tasks or removing them entirely; -these- are the IT staff motivators.
> Each message must have new and useful content. "Buy our stuff, best prices anywhere!" is neither
> new nor useful, so if that's all you have to say--don't waste my time!
Good point. There is a little software shop called SomeWare http://www.somewareonthe.net/
They make utilities, and I get mailings from them. Unlike -every other place- I have ever purchased anything, that sends me notices, I actually -read- and appreciate the notices. Because they only send me a notice if they actually have something to say. A bug fix, upgrade version, new program, or general request for feature requests for a new version.
I might not get a notice for 8 months, or I might get 3 in 2 days. And I read them. I just unsubscribed a month ago from 5 or so newsletters from bigger outfits, because I never read them. They almost never had anything to say.
#6. Send mail from a recognizable domain name. I get some legitimate newsletters from companies with clearly recognizable domain names who insist on making it harder to manage the mail by using bogus-sounding domain names for their mailers.
s oft.com
#6 a. Use a legitimate-sounding and clear From: address, and consider prefixing the subject lines with a clear identifier. If you are 'ABC Company', send the mail from 'ABC Company Newsletter' and prefix all subject lines with 'ABC Company:'. -Especially- avoid using a mailer that uses a bogus constantly changing address in the From: line. *
#7 Consider requiring users to respond to an email once a year to maintain the subscription, and unsubscribing those who don't respond.
--------------------
* personal pet peeve: Microsoft's MSDN Flash comes from an address like: 10_16003_ZskXGUE6ygRusTwrHePbHg@newsletters.micro
Changing with each mailing. Bright idea, making the legitimate mail look like spam.
> The problem with most Windows developers is that they don't understand the history of Windows.
> They pick up things like "event-driven paradigm" as if it was some great innovation that makes
> their lives easier.
Not entirely. Most Windows developers aren't interested in other platforms, and get all their information from Microsoft documentation. This limits their exposure to the context that would allow them to see what MS created and what they didn't.
Worse yet, many Windows developers have never read the actual documentation, but only the "study guides" for various certifications. So while developers who actually -read- Microsoft's COM documentation would have been aware of other sources like the Object Management Group's DCE specifications, and how they were used in Microsoft's design of COM, most haven't.
Add to that the fact that most have never worked outside of Windows, and you have people with a very limited world view. They can parrot back a few things, but they don't have the broader experience to make use of a lot of the data.
Understood; but trademark law largely ignores -intent-, which makes this point, while true, irrelevant to the issue of infringement.
;>
A more important issue is potential harm to the Vista trademark that may be caused by the use of the term Vista by Microsoft. Yes, it is planned to be 'Microsoft Windows Vista', however, history demonstrates that it -will- be shortened to 'Vista' in practice.
Vista has a legitimate concern here; it only needs to be determined if they can and should have any right of action against Microsoft. Especially since one of the deciding factors in US trademark law is how aggressively you defend the trademark. If Vista -doesn't- take action, a subsequent court could rule that they have no trademark protection. They could even be ordered to stop infringing on Microsoft's use of Vista. 'Who used the name first' is not an important issue in trademark law.
IANAL; I just play one on the internet
> I now have the Friday afternoon rule. If a "crisis" comes up after 3PM on Friday, it couldn't
> be so important that it cannot wait until Monday.
Good general rule. I made the rule a long time ago, that I get to decide what is an emergency worth working late/coming in early or on weekends for.
95% of the time, I refuse. Two examples where I didn't refuse:
-QA testing found a showstopper bug on Friday at 4PM, with testers planned to work the weekend. The programmer fixed it by 5PM, but the build/release manager wasn't there; left early for the airport. Since I wrote the build scripts and the release specifications, I stayed later in order to rebuild the release and send it to QA.
-The Netherlands ran into some unexpected defects in an application. Only occurred in their localized environment. Due to time difference, I came in 3 hours early to have a conference call with them. Since I knew more about localization issues than anyone on the team, even though it wasn't my project, I came in for the call.
The key difference between these and the usual case is, in the usual case, the 'emergency' was manufactured by management error, or worse, by management refusing to acknowledge issues raised in a timely manner by development staff. By preferring to ignore the issues, any problem can be turned into a crisis.
Some of the other replies had some good ideas. The main thing I would suggest in this case is (assuming your boss is neither irretrievably stupid nor malicious) to bring up the issue and see if you can work out some sort of "do not disturb" situation. Maybe pick specific times of day in which you can be approached, and others when you can't. Possibly set up an area less centrally located where these impromptu meetings won't occur, that you can use at least sometimes.