I agree it's lame, but it's still a construction zone even when nobody is there working. They don't change the limits every day because that would require someone remembering to do it every day, AND leads to people not paying attention... drop the limit and leave it there is much safer than a variable speed limit. (just go look at school zones where the limit varies by time of day. unless a patrol car is parked there, very few people pay any attention.)
They aren't lowered "10 mph"; it's dropped from whatever to 45 (at least around here.) And it has been my experience that people who will go that fast in the first place have no reservations about going that fast inches from a wall -- temporary or not.
And I didn't say "it won't matter". I said it won't completely stop a car (certainly not an SUV or truck.) It does prevent numerous crashes from hitting workers at full speed, and gives them some window, albeit small, to react. Even at 45 it's possible to get across them -- they have to put the "pins" in them to lock them together so they act as a chain to prevent a single block from getting tipped or turned and anchor them to the ground so they won't slide. (Yes, they are pretty damned heavy, but a 4000 lb SUV moving 70mph is a lot of energy.) The DOT is trying to provide as much safety as is practical for what is by its very nature dangerous work. In the summers I worked there (landscape dept., which covers more than you might think), not a month went by that there wasn't something the FAA would call a "near miss" -- since no one was hurt and (usually) no equipment was damaged, we didn't fill out any accident reports.
(You're also ignoring construction traffic. You know, the big "trucks entering highway" signs.)
Because it's f'ing dangerous. Go get a job working on the roads and then tell me you like having cars whiz past you at 85+ (nobody obeys the posted limits.) It doesn't matter if they are 100 feet away on the other side of a concrete block or 1 foot away. When there's a wreck (and there always are), those hunks of concrete will not stop a car at even half that speed -- better than not having them at all. And bits of crap go flying everywhere. There's also the issue of "rubbernecking" distracting drivers from paying attention to their driving. Issues of construction material (and works) ending up near or in traffic. Etc. Etc.
Having worked for the NCDOT, I can tell you hundreds of stories from personal, first hand experience. And even more from fellow coworkers.
A) This isn't the UK. And B) your situation is 100%, utterly and completely UNLIKE that of Childs. Please, pull the same shit he has and see if it gets "laughed out of court" as you put it. He withheld the password(s) to city owned assets for which only he had access and to which the city could not regain access without disruptive and destructive procedures -- which was, in fact, the point of setting them up that way, though it's unclear if he did this as an intentional means of "job protection". Further pad the hole you've dug by keeping documentation and other information pertaining to a job you no longer hold ("other company assets") at your home -- which presumably does not also exist at your former office. (do not offer to return it, or make any mention of it at all.) AND fail to mention any of your own personal hardware left in the network.
While I may understand (and even sympathize with) his position, he's dug himself a mighty deep hole. And he's not climbing out of it anytime soon. Even if all of his former coworkers are/were morons and thus unfit to have access to the network hardware, he no longer works there; it is no longer his responsibility to maintain that network, and he is (or was) actively and willfully preventing anyone else from maintaining it.
The passwords ARE company assets, as are the documents and files found in his house. It's actually very clear... he refused to hand over the passwords when he was an employee (and refused to give anyone else access) and continued to do so after he was fired. It is not illegal (except for any classified material) to have documentation at home... while you are an employee. When you cease to be an employee, you are legally required to return all company assets. Just because you are too naive to know this or believe it doesn't make it any less so.
We don't need to debate any what-if's. He wasn't run over by a bus. He's simply a pig-headed ass who refused to give his former employer access to their equipment -- i.e. hand over the only valid password. (among other things.) And he will have his ass handed to him in sections should this ever reach a courtroom.
(I would suggest you consult with a qualified lawyer before you find yourself in the same situation. Childs is not the only idiot who's done this; and it has never turned out well for such people.)
Every packet has 14 bytes added to it (for ethernet.) FC can have 1024byte or 4096byte frames. A 1500 byte packet (layer 3) requires 2048 bytes to cross the wire -- an additional 548. A 9000 byte packet requires 9216 bytes -- an additional 216 (which is why 9216 is a common jumbo frame MTU size.) Yes, there are tiny bits of protocol overhead in everything (IP header, TCP header, ethernet header, ATM AAL5 header, ppp header, T1 frame sequencing, etc.), but they are very small compared to the payload. Bottom line -- and the entire reason jumbo frame exists -- a higher data:header ratio is always better.
You do know you can have the same storage in multiple "zones". That is, LHC data collection systems writing data to the same volume others are reading. This is SAN 101, btw. It's rather hard to hack a computer system via its file system; esp. when it isn't reading anything from it.
multiplied by many thousands of unnecessary frames.
WHAT? MTU = MAXIMUM transmission unit. It's the MAXIMUM size of a packet. That does not mean "every packet will be this many bytes". The minimum is 64, btw. So you can have any single packet between 64 and MTU bytes. (+/- any padding at the physical layer. e.g. ATM has 53 byte cells, so a 64byte packet would take 2 cells. ethernet adds protocol, mac, and optional vlan headers bringing the total to 14 or 18 + MTU)
What do you mean "coming"? It's already here. Any company that does this SOX BS extends it to the entire company even though it only applies to financial records and reporting.
Oh yes, let's make a conspiracy out of someone who's worked there for 41 YEARS finally retiring. I'd certainly take now as a good time to get as far away from this mess (and SF) as possible.
Any good network admin will turn off CDP because it's a waste of time and resources. It's a Cisco proprietary protocol that can only tell you about other cdp running cisco devices. It might have been slick 20 years ago; today it's mostly useless. What's the first thing you do after answering "no" to "Do you want to run setup?"? 'conf t' and 'no cdp run'
Heh. In the office I'm sitting in right now, the dry wallers walled in the electrician while he was wiring the lights. It's not like they cannot see him on his 10ft ladder. Needless to say, they had to replace that piece of drywall after his "Kool-Aid moment". I also know of an office remodeling that missed a setup and didn't cut a new door for a closet that was closed off; they cut the new door for the conference room but forgot about closing off that closet :-) [I don't think there was any active gear in it at the time.]
So, I don't doubt any of these "hidden server" stories.
They brought in Cisco because it would take inside knowledge of the hardware and software to get around the security Childs had in place without destroying the network. And one would assume, a room full of Cisco's CCIEs (who have higher testing standards than non-Cisco employee CCIEs) should be able to map out the network and recreate it in a few hours, right? (I, of course, know better, but SF obviously doesn't.) This is typical "buy your way out of a bind" thinking. [any problem can be solved by throwing enough money at it.]
I cant bring a device in from home and plop it on my network
Heh. I have done that everywhere I have ever worked. Of course, being a sysadmin such things are seldom questioned. I actually (surprisingly) don't have any personal machine(s) at work; I have plenty of personal hardware here, but it's all used for business related purposes (wireless AP, vpn, vmware cluster)
His criminal record was not hidden. The city knew about it when they hired him. And it was from over 20 years ago.
He was in charge of the network and thought everyone else was a moron. So locking down the network, while on the surface looks odd, is not necessarily as evil as everyone points out. And don't forget, management allowed this shit to happen; he didn't wake up the morning before his firing and lock everybody out.
We're talking about a "lost" terminal server. Even if it only powers up 1hr a day, it still has to be able to communicate with other machines -- it has to obey the same rules as any other TCP/IP protocol supporting device, which means it cannot change its MAC every 30s, it must answer ARPs, etc.
"work correctly" means exactly that. You can log in to it and interact with it. If it spoofs the MAC of another running system, it will confuse the switch and traffic will be lost as it gets put on the wrong port meaning it will be hard to interact with it. (and if it's a Cisco switch, it'll log an error when it sees the same MAC on multiple ports.) If it spoofs an offline machine, it doesn't matter as it'll show up on one port for you to follow down one cable.
Could you add things to my network without me knowing? Sure. Can I find it once I know about it? Without a doubt. But then, I'm not a moron. And I built the entire network -- literally every inch of cabling. So, how exactly would you propose hiding a simple network device (say a linksys NAS drive) in my (wired) network where it can be accessed but not physically found?
The real difference is that the "geek" has to figure things out, the pro already knows what to do. It's all a matter of experience; if you've never seen X before, you won't know how to deal with it, but once you have, you know what to do when you see it again.
There's an element of truth to that. He didn't save the configuration to NVRAM to prevent remote workers from breaking into the router; if they reset it, it would come back up blank and thus be off the network. He later learned about the "hidden" Cisco feature to turn off password recovery which he felt was "good enough" to safely save the config -- password recovery in that case would erase NVRAM and put you back to the same place. So, without the password(s) -- or sufficient knowledge of the network to recreate the config -- they were indeed "rigged"... if you bypass security you'll wipe the configuration.
[I've toyed with this setup, and yes, you can get past this without losing the config, but it's not easy and you have to take the router apart:-)]
Of course not. They don't pay enough to attract people with any measurable clue. (Childs worked there for a long time, and probably landed there due to the felony on his record -- most companies will not hire convicted felons.)
[That's not to imply there are no clueful gov employees. There are, but they are quite rare in my experience.]
No. He was already refusing to hand over the passwords before they fired him -- which is partly why they fired him. And once fired, refusing to hand over the passwords is failing to return all company assets. (which he further violated by having various documentation, etc. in his home.)
And exactly what good is a terminal server if it cannot talk to anything else on the network?
While you might not get an ICMP Echo Reply, the attempt to send the original ICMP Echo Request will cause an ARP request to find the receiver. It doesn't matter if the MAC is spoofed; it still has to be able to talk to other network devices or it's useless. Once you have the MAC, you can find the correct switch port and chase down the device(s) at the end of the cable. The process should take minutes, not days.
Either that's a very crappy TDR or it's not a TDR at all. Most "cheap" cable length reports are based on capacitance, not actual reflectometry. A quality TDR can be surprisingly accurate and detailed... showing bends, nicks, connectors, and lengths accurate to the mm. (of course that's not going to be built into a cheap little network switch.)
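The ARP-to-switch-port procedure the poster describes (ping the suspect IP, read its MAC from the ARP cache, look that MAC up in the switch's MAC table, walk the cable) and the "same MAC on multiple ports" symptom mentioned a few comments earlier are straightforward to automate from the two tables an admin already has. The script below is an added illustration, not code from this thread; the ARP cache and MAC table it parses are constructed sample text in the general shape of Cisco IOS `show ip arp` and `show mac address-table` output, and every address, MAC and port name in them is made up. It also goes one step beyond the text by flagging any MAC learned on more than one port, which is the defender's signal that two devices share a MAC (spoofing) or a loop exists.

```python
"""Locate a wired host from its IP: ARP cache -> MAC -> switch port.

Added example (not from the original thread). Both tables below are
CONSTRUCTED sample output shaped like Cisco IOS 'show ip arp' and
'show mac address-table'; device names, MACs and ports are made up.
"""
import re
from collections import defaultdict

# Constructed: router ARP cache right after pinging 10.0.5.77.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.5.1                -   0011.2233.4401  ARPA   Vlan5
Internet  10.0.5.20              12   0011.2233.4420  ARPA   Vlan5
Internet  10.0.5.77               0   00de.adbe.ef77  ARPA   Vlan5
"""

# Constructed: access-switch MAC table. 0011.2233.4420 is deliberately
# listed on two ports to show the duplicate-MAC (flapping) case.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   5    0011.2233.4401    DYNAMIC     Gi1/0/1
   5    0011.2233.4420    DYNAMIC     Gi1/0/7
   5    0011.2233.4420    DYNAMIC     Gi1/0/9
   5    00de.adbe.ef77    DYNAMIC     Gi1/0/14
"""

# Cisco-style dotted-hex MAC: xxxx.xxxx.xxxx
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)


def parse_arp(text):
    """Map IPv4 address -> MAC from 'show ip arp' style lines."""
    arp = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows: Internet <ip> <age or '-'> <mac> ARPA <interface>
        if len(parts) >= 4 and parts[0] == "Internet" and MAC_RE.fullmatch(parts[3]):
            arp[parts[1]] = parts[3].lower()
    return arp


def parse_mac_table(text):
    """Map MAC -> set of switch ports it has been learned on."""
    ports = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        # Data rows: <vlan> <mac> <type> <port>; header/separator rows fail the MAC match
        if len(parts) >= 4 and MAC_RE.fullmatch(parts[1]):
            ports[parts[1].lower()].add(parts[3])
    return ports


def locate(ip, arp_text=ARP_TABLE, mac_text=MAC_TABLE):
    """Return (mac, sorted ports) for ip, or (None, []) if the IP never ARP'd."""
    mac = parse_arp(arp_text).get(ip)
    if mac is None:
        return None, []
    return mac, sorted(parse_mac_table(mac_text).get(mac, set()))


def flapping_macs(mac_text=MAC_TABLE):
    """MACs learned on more than one port: a duplicated/spoofed MAC or a loop."""
    return sorted(m for m, p in parse_mac_table(mac_text).items() if len(p) > 1)


if __name__ == "__main__":
    mac, ports = locate("10.0.5.77")
    print(f"10.0.5.77 -> {mac} on port(s) {ports}")
    print("MACs seen on multiple ports:", flapping_macs())
```

A single port in the `locate` result is the cable to follow; more than one port for the same MAC means the table is being rewritten by two senders and the physical chase has to start from whichever port the switch's own duplicate-MAC log message names.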
That's like saying once I sell you my house I'm not responsible for giving you the keys. That's bullshit.
Then they can get off their lazy Ph.D.(s) and go there in person to run their experiment(s).
I'm going out on a limb here, but maybe, just maybe, it's because it's his f'ing property. I know I have all of my property in the office marked.
Both of those are broadcast addresses. (multicast to be exact.)