That's the basic approach that I took. When I started back in 2000, licensing and compliance was a disaster. Tackling it all at once was a non-starter. Our compromise was that any new machine coming in the door had to be purchased with legit licenses. So we went legal within the course of a normal hardware refresh cycle.
Plus, we've switched as much as possible to open source or pure free alternatives. Moving from SourceOffSite to SVN, from SQL Server to PostgreSQL, from Windows servers to Linux, etc.
I hate keeping track of licenses.
It's usually more like $10k per violation. Which is a lot more believable. Although there's a lot of scare mongering out there about $90k to $150k per violation fines. Your boss is more likely to believe the former number, but disregard the latter numbers as pure FUD.
$950,000 BSA Violation Fine (about $8900 per)
U.S. Companies Fined for Using Illegal Software ($70-$110k total fines)
So, as in all things legal, YMMV. At least with the above two links, you can offer concrete evidence of the actual fine amounts rather than some hypothetical amounts.
P.S. It's just a small business, give 'em a break. If they don't care that they are breaking the law, why should you?
I simply remind the CEO that each infraction would cost us $10k in fines per infraction if we were audited due to a disgruntled employee. Which makes that $500 license suddenly look a lot less expensive.
At the same time, we're moving as fast as possible away from software that requires licenses. The major pieces that we still pay for? Windows XP/7, MS Office, and really useful tools like JASC PaintShop Pro, UltraEdit32 and SecureCRT. Everything else has been moved to free tools where we don't have to track licenses.
PostgreSQL evolved from the Ingres project at Univ of CA (UC Berkeley). As did Ingres, which is once again a separate company called Ingres Corp.
Well, see, here's where things are going to get difficult.
Once we see the TLD explosion occur in a few years where instead of www.ebay.com, eBay just buys up a .ebay TLD, what defines a "domain"? Right now, it seems like Adobe's origin policy needs to be more specific about what is in the same domain or not. Or is eBay going to have to buy .ebay as well as .ebay-files?
Maybe the default needs to be "loaded from the same server" instead of "loaded from this domain or any sub-domain".
Omnipresent wireless internet with cloud storage might kill off portable storage (except for special uses) in the next 20 years. Maybe longer, given that consumers would want to hang onto their old media. I wouldn't make any bets on the next 100.
Eh, I fully expect corps to screw the pooch and constantly mess with consumers or their data. Which means that portable storage will still be alive and kicking because the cloud simply isn't reliable.
(Now, if you're talking movies / TV... I fully expect that to be streamed. But personal data? While it might visit the cloud, I think a lot of it will end up on portable storage. Or maybe storage implanted in the owner.)
Viruses generally come from 3 things: Porn sites, Warez sites and emails from idiot friends who also don't know any better.
Or infected / hacked websites which serve up exploit code using Flash/Javascript. Or malicious ads placed on ad networks that serve reputable sites. Or SQL injection attacks against reputable sites that insert exploit code into every dynamically served page.
It's no longer responsible to trust every site out there except for what folks consider to be the shady side of the net. The attackers have gotten smarter and are infiltrating the not-so-shady side.
(Of the infections that I've dealt with over the past few years, the vast majority have been drive-by types where malicious Flash/Javascript infect the machine. And I can look back at the Squid server logs and see that it was a non-shady website that did the infection. Most have been the type where the attacker inserts their Javascript directly into the static HTML pages on the website.)
2) Stay in the "well-lit" areas of the Internet. By that I mean corporate and reputable public sites - as a general rule of thumb, if they've heard about it on the news, it's "well-lit".
That rule of thumb no longer works with the virus infected ad networks that have become more prevalent over the past few years. Or the sites with poor FTP security where the attacker breaks in and adds exploit code (usually Javascript) to all of the static web pages. Or SQL injection attacks that add exploit code to all of the dynamically generated pages.
(Regular user instead of admin user is the first line of defense. Or at least it makes it a lot easier to remove a drive-by install, because only the user's account is infected and not the entire machine.)
Memtest86+ will test the ram with no errors (usually)*
Try Prime95 in torture test mode for 12-72 hours. Much more likely to uncover issues with timing than MemTest86+. MemTest86+ doesn't push the CPU/RAM hard enough to uncover those "almost good" memory issues.
(There's also that weird thing with single sided or double sided, or registered vs unbuffered. Which is why I always buy pre-tested motherboard bundles from MWave. I make them do the hard work of figuring out what works or doesn't work.)
We've had good luck with the batch of Athlon64 X2s that we bought for desktops here at the office over the past 5-6 years. (Whenever it was that the X2s dropped below $200 for the first time.)
The main hardware failures I've had to deal with are:
- DOA power supply units in Antec cases (only 1 out of roughly 20)
- Busted capacitors on a GeForce PCIe low-end card
Most of our desktops use the 40/45W parts (energy efficient) models if we can get them. Keeps it cooler inside the case and makes it easier to build a nearly silent system.
(I'm running a quad-core Phenom 2.5GHz as my gaming machine. I've pretty much only bought AMD since about '01 onward as my comfort level is very high and I understand their product line and roadmap. Plus, we switched over to Opteron/Athlon64 as early as possible, just in case 64bit computing arrived sooner than expected. Intel was only shipping 32bit parts at the low end for quite a few years after Athlon64 debuted.)
A lot of folks consider NPR to be a tool of the liberals.
(Personally, I'm a conservative but I liked the NPR Morning Edition when I listened to it back at the turn of the century.)
I still have my USR Courier V.Everything external modem. Best investment ever.
One of the earlier languages had position dependent coding (code had to start on column 3 or something like that. The name eludes me at the moment).
FORTRAN (GOD is real)
Which was (and is) an interesting language for doing math and fractals. I learned how to use and abuse the VAX scheduling system to batch up my fractals for late-night when nobody was online.
The idea that one's employer wouldn't pay directly to one's account is really weird for people here. Of course, we are probably more backwards in other ways, so don't worry.
Here in the US, direct deposit where the check goes straight into your checking (bank) account costs money and many small businesses don't want to pay the fees involved.
Larger companies usually offer direct deposit, however.
Spreadsheets are the wrong tool.
Go with text files where the contents are encrypted with PGP/GPG.
Or at least toss the files into a version control system.
The big advantage of GPG/PGP encrypted text blocks is that they are easily emailed, faxed, printed, OCR'd, etc.
Do what I set up for my father, Truecrypt installed to a USB key, passwords in a plaintext file inside the archive.
Which means that as soon as the encrypted volume is mounted, all of the passwords are exposed. (It's an inherent weakness of encrypted volumes. Encrypted volumes are only secure when not mounted.)
For more security conscious logins, you should be encrypting the contents of that text file with GPG/PGP. And keeping different sites in different files, so that decrypting one file only exposes sites listed in that file.
You could accomplish the same thing using a PGP/GPG encryption key and plain text files. (I prefer to keep each site's credentials in a different file. Other folks use larger files that cover multiple sites.)
GPG is available on almost every possible platform. That satisfies the portability issue. Text files with encrypted ASCII text blocks inside are easy to backup (or can even be printed to hard copy).
Plus, if you have a password that multiple people need to know, just encrypt the text with all of their public keys and email the ASCII text block to them.
I do something similar. Create a GPG/PGP encryption key, guard it carefully. Give it a strong passphrase. Keep a copy or three in offsite locations. (Hell, print out an ASCII armored copy on paper. You could always OCR or hand key it back in.)
On the USB key that I carry around, I have 1 text file per website. Instead of encrypting the file, I simply create a GPG ASCII encrypted block of text and put that in the text file. When I need to reference a password, I fire up WinPT, copy the ASCII text into the clipboard and then decrypt it. Since I keep each site in a different file, only 1 password at a time is exposed in the clipboard.
The big advantages are that since they are plain text files, I can easily back them up. Or email them to another account. Without my GPG/PGP key, the blocks of text are useless to anyone who might see them. I could toss them into a version control system, or put them up in Google Docs, or many other storage locations.
For sites where I don't care if I'm locked out for a while (until I can gain access to my password files), I use a completely random (using EPG) text string of upper/lower case letters and numbers as the site's password. I tell Firefox to remember it, but keep a copy in a GPG encrypted text file. For sites where I'll want to remember the password, I choose something easier to remember.
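The two comments above describe the same scheme: one plain text file per site holding a single GPG ASCII-armored block, decrypted one at a time, with a shared credential encrypted to several recipients' public keys. The script below is an added example that walks through that scheme end to end; it is not the poster's own files or tooling (the poster uses WinPT on Windows). It assumes GnuPG 2.1 or later (for `--quick-gen-key` and `--pinentry-mode loopback`), works in a throwaway `GNUPGHOME` so it never touches a real keyring, and the key names, addresses, site names and passwords are made up for the demo.

```shell
#!/bin/sh
# Added example, not the poster's code: one GPG armored block per site, stored
# in an ordinary text file, plus a block encrypted to two recipients.
# Assumes GnuPG >= 2.1. All names, addresses and secrets below are made up.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping demo" >&2; exit 0; }

# Throwaway keyring and a temp dir that stands in for the USB key.
GNUPGHOME=$(mktemp -d); export GNUPGHOME
chmod 700 "$GNUPGHOME"
VAULT=$(mktemp -d)

# gpg in unattended mode. The demo keys have no passphrase so the script can
# run non-interactively; a real key should have a strong passphrase, as the
# poster says.
gpgb() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# put_secret SITE LOGIN PASSWORD RECIPIENT [RECIPIENT...]
# Writes $VAULT/SITE.txt containing only an armored PGP message. Extra
# recipients give the "password several people need to know" case.
put_secret() {
  site=$1; login=$2; pass=$3; shift 3
  rcpt=""
  for r in "$@"; do rcpt="$rcpt -r $r"; done
  # shellcheck disable=SC2086  # word splitting of $rcpt is intended
  printf 'site: %s\nlogin: %s\npass: %s\n' "$site" "$login" "$pass" \
    | gpgb --trust-model always --armor --encrypt $rcpt > "$VAULT/$site.txt"
}

# get_secret SITE  -> the decrypted record; only this one site is exposed.
get_secret() { gpgb --decrypt "$VAULT/$1.txt"; }

# get_field SITE FIELD  -> one field, e.g. just the password for pasting.
get_field() { get_secret "$1" | sed -n "s/^$2: //p"; }

# --- demo ---
gpgb --quick-gen-key 'Me <me@example.com>' default default never
gpgb --quick-gen-key 'Coworker <coworker@example.com>' default default never

put_secret bank.example alice 'Tr0ub4dor&3' me@example.com
put_secret shared-router admin 'r0uter-pw!' me@example.com coworker@example.com

# The files are plain ASCII: safe to back up, print, mail, or check into VCS.
head -1 "$VAULT/bank.example.txt"     # -----BEGIN PGP MESSAGE-----
get_field bank.example pass            # Tr0ub4dor&3
get_field shared-router login          # admin
echo "vault left in $VAULT, keyring in $GNUPGHOME"
```

Each `get_field` call decrypts exactly one file, so the clipboard (or terminal) only ever holds one site's credential, which is the property the poster relies on. When finished, `gpgconf --kill gpg-agent` and remove the two temp directories.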
Flash and Javascript ads are the two main methods of drive-by, user didn't even do anything, infections.
Firefox + NoScript + FlashBlock
The internet ad business is going to have to change, or the end-users are going to revolt and install ad blocking software to keep their machines safe.
Right now, it's late in the expansion and here's the problems that I'm seeing:
- The "B" team is obviously in charge. So many immersive RPG elements have been removed this year (3 days between server moves or name/race changes). And they continue to remove any sorts of barriers that make the game world feel real and not just a grind fest of teleporting to an instance then teleporting to another instance.
- The ToC raid (3rd in the series, Naxx -> Ulduar -> ToC) was a piss poor "toss the players in a box with big scary monsters". I was bored with it after the 2nd week. At least Naxx and Ulduar were somewhat interesting with different scenery. But there were some really stupid fights in Ulduar, where it would take you 15-20 minutes to finish an encounter (only to fail after 10 minutes and have to start over).
- Most players have gotten all of the alts they could want to level 80. Most have finished grinding out all WotLK reps to exalted that they care about and are basically biding their time (or trying to keep up with the raid progression).
- The rumors about the next expansion are out, and nearly everything that you knew about Talents and Attributes will be changing. So why bother killing yourself now to bone up on stuff that will be obsolete in another 3-6 months.
And nobody milks their players as much as SOE. Blizzard is almost a saint in comparison. Go price out the Station Pass or the various services that you can add onto an EQ2 account.
You're confusing RBLs (which are based on a DNS lookup of the IP address) and "suppression lists" which are lists of email addresses that have unsubscribed.
The latter is best implemented as a one-way hash (usually md5) so that the resulting list can't be used for other mailings.
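As an added example (not the poster's code), here is the hashed suppression list the comment above describes, done in shell with `md5sum` as the comment specifies. The one step the comment leaves implicit is normalization: the address has to be trimmed and lower-cased before hashing, or an unsubscribe for `Alice@Example.COM` will never match `alice@example.com` on the recipient list. The addresses and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the poster's code: an unsubscribe ("suppression") list
# kept as one-way md5 digests of normalized addresses. Demo data is made up.
set -eu

# Normalize first: strip whitespace, lower-case. Without this the same person
# can appear under two digests and the unsubscribe silently fails to match.
norm_addr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]'
}

# One-way digest of a normalized address (md5, as in the comment above).
hash_addr() {
  norm_addr "$1" | md5sum | cut -d' ' -f1
}

# suppress LIST ADDRESS  -> append the digest if not already present.
suppress() {
  h=$(hash_addr "$2")
  grep -qx "$h" "$1" 2>/dev/null || printf '%s\n' "$h" >> "$1"
}

# is_suppressed LIST ADDRESS  -> exit 0 if the address is on the list.
is_suppressed() {
  grep -qx "$(hash_addr "$2")" "$1" 2>/dev/null
}

# filter_recipients LIST RECIPIENTS_FILE  -> print only addresses NOT suppressed.
filter_recipients() {
  while IFS= read -r addr; do
    [ -n "$addr" ] || continue
    is_suppressed "$1" "$addr" || printf '%s\n' "$addr"
  done < "$2"
}

# --- demo with constructed data ---
LIST=$(mktemp)
RECIPS=$(mktemp)
printf '%s\n' 'alice@example.com' 'Bob@Example.com' 'carol@example.net' > "$RECIPS"
suppress "$LIST" ' Alice@Example.COM '   # sloppy input, still matches alice
suppress "$LIST" 'bob@example.com'
filter_recipients "$LIST" "$RECIPS"       # prints only carol@example.net
```

One caveat worth knowing when relying on the "can't be used for other mailings" property: an unkeyed digest of a bare address is only as secret as the address. Anyone holding the list can hash their own candidate addresses and learn which of them are on it (which is exactly the intended membership check, but it also means the list leaks that much). If that matters, hash with a secret key (an HMAC) that only the list owner, or the parties allowed to check against it, possess.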
CentOS 5 x64 is fixed (and has been since at least 2.6.18-128.2.1.el5). Which came out sometime prior to July 2009. So it was probably fixed before then.
$ cat /proc/sys/vm/mmap_min_addr
65536
(Yes, I need to update that box to the latest CentOS 5 kernel... the latest is 2.6.18-164.)
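The comment above checks the fix by reading `/proc/sys/vm/mmap_min_addr` by hand. The function below is an added example (not the poster's) that does the same check scriptably, so it can run across a fleet or against a saved copy of the file: it validates that the contents are numeric and compares them against the value the poster shows, 65536. `mmap_min_addr` is the lowest address an unprivileged process may `mmap()`; when it is 0, user space can map the page at address zero, which is what the threshold is guarding against. The page does not say which kernel issue the thread was about, so the example only reproduces the check, not any exploit.

```shell
#!/bin/sh
# Added example, not the poster's code: scripted version of
#   cat /proc/sys/vm/mmap_min_addr
# with validation and a threshold, usable against test files as well.
set -eu

# check_mmap_min_addr [FILE] [MINIMUM]
# Exit 0 when FILE holds a number >= MINIMUM (default 65536), 1 otherwise.
check_mmap_min_addr() {
  file=${1:-/proc/sys/vm/mmap_min_addr}
  want=${2:-65536}
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  have=$(tr -d '[:space:]' < "$file")
  case $have in
    ''|*[!0-9]*) echo "unexpected contents in $file: '$have'" >&2; return 1 ;;
  esac
  if [ "$have" -ge "$want" ]; then
    echo "ok: mmap_min_addr=$have (>= $want)"
    return 0
  fi
  echo "LOW: mmap_min_addr=$have (< $want)" >&2
  echo "fix now:        sysctl -w vm.mmap_min_addr=$want" >&2
  echo "fix on reboot:  echo 'vm.mmap_min_addr = $want' >> /etc/sysctl.conf" >&2
  return 1
}

# Check the running kernel when invoked directly; don't abort the shell if
# /proc is not available here.
check_mmap_min_addr || true
```

The two `sysctl` lines are the standard way to raise the value on a kernel that supports the knob; on a distribution kernel that ships the fix, as the poster's CentOS 5 box does, the check should already pass.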
Well, if the TV Execs and advertisers were smart (I know, I know, we're talking about TV Execs and advertisers, but bear with me), they'd tailor the commercials to the viewers and design their ads to be effective when viewed by someone with a "30-second skip" feature, who will probably only see a few frames of the commercial, randomly phased within the 30 second window.
Do you really want TV execs and advertisers to have detailed information about your household? Most folks don't, and find targeted advertising to be spooky.
Actually, for folks with a regular DVR, what you're seeing is a reversion to old behavior. You know, where you get up and go to the kitchen/bath during commercials. Let the DVR play the commercials, they know that they can always fast-forward or rewind when they come back into the room.
Sometimes, folks can't be arsed to reach for the remote at every commercial break. Or the commercials are actually interesting if you haven't seen them before. (Some actually are. At least until you've seen them 5 times, then they likely get tiresome.)
Do this to 3 or 4 Bobs, and pretty soon you'll have an understanding of the corporate org chart, upcoming projects, and most importantly you'll be able to target your future EvilMaid attacks with pinpoint accuracy.
I smell the plot for a new anime...