That is not even a sentence, I'm not entirely sure what you are saying you whining little cheerleader for oligarchs. Why do you hate America so much? Do you really prefer what the Russians have done recently instead?
Ah, personal definitions. Why bother even commenting if you cannot communicate clearly? So with your personal definition there are only employable people (group A) and for some reason two groups of unemployable people (B and C)? Why bother dividing up the second group when you are not dividing up the first?
Warlords relied on violence — living (and dying) by the proverbial sword.
Look up "Pinkerton" to remind yourself why it's still a relevant comparison and what governments are protecting us from in the workplace. “You could not run a coal company without machine guns" - Richard Mellon, 1925, is a quote that is also relevant.
I knew, that Statists like yourself
I do indeed prefer a State to a Kingdom or Oligarchy.
"We pay about 15% more than average with the expectation that you will be dependable rather than lazy and/or unavailable."
It's all relative. If you need to be almost permanently contactable but only get contacted a couple of times every year or so due to exceptional events that's kind of fair (so long as there is some mechanism such as time off in lieu or whatever). If it's something that becomes frequent it isn't. Some would argue that a requirement to be sober enough to drive into work at all times is a bit much to expect.
Of course it's incredibly unprofessional management and as the above poster suggested an on call roster is the way a professional manager would do it.
WTF is it any concern of the government, what sort of contract free citizens of able body and sound mind enter into with each other?
Since government is what we have when a lot of people banded together to avoid being the prey of petty warlords it is very much the business of government to step in when it appears some are preying on others. Hence the attitudes of governments to crime and onerous contracts - it's illegal to sell yourself into slavery and dealing with lesser exploitation is also a core business of a government.
Of course you knew that "mi", but you just want to pull a fast one and justify all exploitation by pretending that government is something "other" instead of for the people and of the people.
That's part of the problem quote altering guy. An "A player", no matter how capable, hiring their clone for a very different role is going to result in boredom and departure if the role is way below the current level of their abilities or a series of fuckups if it is well beyond their abilities. Also what's wrong with a "B player" or "C player" if that's all the role requires?
Then why push it as mandatory on others? It's nothing but an extra point of failure for those situations where the data is not sensitive enough that publication would matter.
It looks very much like you are very good at dishing out something truly vicious ("I'd fire you") while not being able to put up with some relatively mild questions of your words and no attack at all upon your person. Truly pathetic.
A recurring problem in "technology" companies is that people want to hire their clone instead of working out that people with a range of experiences is a useful thing in a workplace. That's why so many places are a sausage fest with a very narrow age range and almost identical career path for everyone. It's kind of weird visiting some of those places, watching nerf stuff fly and feeling like the only adult in the room.
So you've marked me foe because I didn't act meek and mild after you jumped in on me stating the obvious and said I was someone you would fire? That's somewhat pathetic.
Ironically it was a financial audit that initiated the requirement
With the greatest possible respect, sometimes the quality assurance weenies need to be questioned when they mandate things that are beyond their level of understanding. It is supposed to be a process and not an edict.
talk about the "crown jewels"
Context. Not all data is equal thus "crown jewels" is supposed to indicate the stuff that you do not want anyone to get hold of. Treating everything as if it is the "crown jewels" is IMHO counterproductive because you have two modes of access - everything or nothing. When you need to give an outsider access they should not be able to get to the stuff that is of critical importance unless that is what they are working on.
and you will be up shit creek of you inadvertently leak that kind of data
And I'm in a far worse place if I do something that loses or even endangers the existance of most of the types of data on the premises as are many others. What you seem to think of as the universal situation of the consequences of a leak being vastly greater than the consequences of loss is the exact opposite in a lot of places. Your "one size fits all" suggestion doesn't fit a lot of places.
Also what's with the lectures? Since they are based on a premise that's not as universal as you seem to think they are someone pointless. If the consequence of a third party stealing those tapes of unencrypted system backups are limited to having to buy more tape it's not really a huge deal. You do not have to encrypt everything and IMHO it's asking for many sorts of trouble if you do.
There is professional software (CAD applications) released with WINE compatibility.
There's also professional scientific software written in dotnet that is tested against mono so that it can be run on linux. That turns a single licence from a hotseat in front of a MS Windows workstation to something you can run on a noisy and fast server then let the user get to it from their desktop machine via X Windows. No need for a dusty computer in the corner used for an hour a week but a different person each time.
If the consequence of data loss is very high you DON'T encrypt because the vastly increases the chance of loss - when shit happens your careful house of cards with the keys doesn't even have a table to sit on and is lost. A corporate restructure, let alone a buyout, is likely to lose those keys and anyone who knows where they are. As I wrote elsewhere, I've had to have reels of tape transcribed (on well over a dozen occasions now) because the client lost their copies over time and the tape that was sent to my workplace years ago to transport the data to the people interpreting it ended up being the only one surviving. If someone in the 1980s decided to encrypt those tapes the key would be long gone with most of the other paperwork so it would mean a very expensive seismic survey to get that data again. All industries have similar situations where old information is of great value but not any sort of secret.
Accounts info - sure you don't want all that getting out, but in the general case? That is asking for trouble.
That's the only point I'm trying to make. Above it was suggested as if it was mandatory instead of situations where the consequences of unencrypted data escaping are far greater than that of losing all of the data on that media forever.
The consequences are
For your system backups? No. For other things? Very little information in a typical business is of the sort where it would be a problem if it was published on the front page of a newspaper. That stuff that would be a problem should be treated differently to what is needed for a bare metal restore, which IMHO should be easy enough that a contractor from outside can do it in a hurry without having to wait around for a time window to bother someone for keys. In disaster situations the people who have the keys are probably going to be very busy if they can get on site at all.
Personally I think a policy of treating everything as top secret is a security risk on it's own. You only want to trust a contractor with general information instead of giving them the key to the crown jewels.
Ah - semantics now. Dropping every packet at every point of ingress and egress is effectively the same as an air gap, and is the same if you do it by unplugging things. What's with the bluster, getting personal and the need to show dominance? It's kind of pathetic the way you are big noting yourself to try to show how much better you are than someone who offered a suggestion.
Clearly you've never worked in a highly regulated environment that is restricted by mandate to encrypt backups when shipping data offsite
Ah yes, you are very important obviously, at least in your own mind if nowhere else, and are attempting to rub that in but it appears you think the policy of where you are is how it should be done everywhere. Clearly most people do not because it's as fucking stupid as letting people you do not trust have possession of your backup tapes. If you can't trust who has your tapes then why are you letting them have them? What about the onsite tapes? What about tapes that have only system files and zero sensitive information? Why encrypt them when it's just another thing to go wrong and nobody who cannot be trusted with them has access to them.
Keys are stored in multiple locations to protect against the inevitable unavailability of someone as well
Over time things get lost (which is why I've had to get stuff from tapes recorded in the 1990s despite the client originally having multiple copies). If someone needs something from a backup or archive in many years time it's very likely that after restructures/buyouts/etc that the key is going to be lost unless it's stored with the tapes (which of course made the encryption pointless in the first place).
Disaster recovery should be simple and adding potential show-stoppers to the process is not a good idea unless the consequences of unencrypted data escaping are far greater than that of losing all of the data on that media forever.
Because you did not present it as "one of the many things", but as the countermeasure that will stop a former admin
That was in your own mind since it does not appear to be in any of my comments above. Perhaps you can quote where I suggested it was the only thing required instead of making yourself look ridiculous with baseless claims, assertions that you are so important that you can fire people and threats as to what you would do to someone who offered a piece of advice. I really don't understand why you are foaming at the mouth over an obvious suggestion of an obvious first step. If you control all the ways in and out you can block people. How are they going to ssh in when ssh is blocked entirely and then only opened up to a checked list of valid addresses? How are they going to use teamviewer when your web proxy blocks all asp pages and their old PC isn't even connected to the network? If you have a real reason to worry your web proxy can block everything apart from to trusted workstations inside the network, trusted because they are being checked one by one. If you have a real reason to worry you drop all encrypted traffic (I'm anticipating your next rant by stating the obvious here) until you don't have to worry.
Throwing up your hands and saying it can't be done and you'll fire anyone who tries is somewhat petty and ridiculous IMHO. You just do not seem to understand that you chop the complex problem into simple chunks and solve it one bit at a time - instead of just giving up.
that the you saved the day by doing so
I didn't save the day, I just took sensible precautions in a tense situation. It wasn't even difficult. It would be harder now with everything and it's dog coming in through port 80 - but that just means a bit of temporary pain when that gets blocked as well if it's really seen as necessary.
You said you would fire me for a similar suggestion - that of initially shutting down any way in. Why is it good advice from you and a firing offence for me?
Seriously kid (or stop acting like one), what part of a boss owning people's off hours is "progressive" and what part of caring about people's sexual preferences is "progressive"? It's just someone pretending to be when the press is around. An example from the 1900s is people arguing against payouts for injured workers with the argument that it would encourage the poor factory workers to injure themselves so they would get a windfall. Of course the people pushing that line did not really care about the injured factory workers, they cared about the threat of legal action and it was just an excuse instead of the social justice line they were pretending to push.
defend your incorrect interpretation
Not incorrect, you're bullshit detector is just not working in this situation. The guy was fired "to protect women" - seriously? He was fired because the boss was a fucking prude that thinks he owns his employees after they go home. It's that simple.
I've been called in places to help deal with such real world examples - it's called a rootkit. The only way to be sure with those is reinstall and to look at the (preferably removed) owned system disks with knoppix or similar.
which limits it to a very small and inadequate subset of what needs to be done to secure a system.
So you want to shift the goalposts from step one of keeping someone from the outside from getting in the way they normally do to something else? Fine, but don't whine at me about it. Are you going to attack anyone who suggests changing a password as well?
Actually, I am
And you would fire someone who solves a problem over someone who ignores it or doesn't even consider it? How about using your brain here instead of farting your "gut feeling" all over the page.
Why did you so viciously attack a suggestion I made about one of the many things that should be done and get so fucking personal about it? You do not appear to be someone worthy of any sort of responsibility if you do that when you are on the clock.
For example, imagine I went into a hospital's case management system and put a trigger on the database to double all new doses on insert. It's a "simple" attack but could have very deadly consequences.
Unlikely. Nurses check paperwork, which gets printed onto actual paper and they would see the previous dose. That's a system that is already has a lot of mistakes from data entry so has error checking outside of the computer system.
You do have a point, just the example doesn't quite fit.
Slashdot Mirror
Ah yes, I forgot that democracy and the ideals of a Republic are "socialist" now. We should just follow "might is right" should we?
That is not even a sentence, I'm not entirely sure what you are saying you whining little cheerleader for oligarchs. Why do you hate America so much? Do you really prefer what the Russians have done recently instead?
Ah, personal definitions.
Why bother even commenting if you cannot communicate clearly?
So with your personal definition there are only employable people (group A) and for some reason two groups of unemployable people (B and C)? Why bother dividing up the second group when you are not dividing up the first?
Look up "Pinkerton" to remind yourself why it's still a relevant comparison and what governments are protecting us from in the workplace. “You could not run a coal company without machine guns" - Richard Mellon, 1925, is a quote that is also relevant.
I do indeed prefer a State to a Kingdom or Oligarchy.
Personally I think that should be a goal for sysadmins. If you can get things to that state you've got the systems running well.
The movies obviously.
You try to negotiate and no guzzaline for you.
It's all relative. If you need to be almost permanently contactable but only get contacted a couple of times every year or so due to exceptional events that's kind of fair (so long as there is some mechanism such as time off in lieu or whatever). If it's something that becomes frequent it isn't.
Some would argue that a requirement to be sober enough to drive into work at all times is a bit much to expect.
Of course it's incredibly unprofessional management and as the above poster suggested an on call roster is the way a professional manager would do it.
Since government is what we have when a lot of people banded together to avoid being the prey of petty warlords it is very much the business of government to step in when it appears some are preying on others. Hence the attitudes of governments to crime and onerous contracts - it's illegal to sell yourself into slavery and dealing with lesser exploitation is also a core business of a government.
Of course you knew that "mi", but you just want to pull a fast one and justify all exploitation by pretending that government is something "other" instead of for the people and of the people.
That's part of the problem quote altering guy. An "A player", no matter how capable, hiring their clone for a very different role is going to result in boredom and departure if the role is way below the current level of their abilities or a series of fuckups if it is well beyond their abilities.
Also what's wrong with a "B player" or "C player" if that's all the role requires?
Then why push it as mandatory on others?
It's nothing but an extra point of failure for those situations where the data is not sensitive enough that publication would matter.
It looks very much like you are very good at dishing out something truly vicious ("I'd fire you") while not being able to put up with some relatively mild questions of your words and no attack at all upon your person.
Truly pathetic.
A recurring problem in "technology" companies is that people want to hire their clone instead of working out that people with a range of experiences is a useful thing in a workplace.
That's why so many places are a sausage fest with a very narrow age range and almost identical career path for everyone. It's kind of weird visiting some of those places, watching nerf stuff fly and feeling like the only adult in the room.
So you've marked me foe because I didn't act meek and mild after you jumped in on me stating the obvious and said I was someone you would fire? That's somewhat pathetic.
With the greatest possible respect, sometimes the quality assurance weenies need to be questioned when they mandate things that are beyond their level of understanding. It is supposed to be a process and not an edict.
Context. Not all data is equal thus "crown jewels" is supposed to indicate the stuff that you do not want anyone to get hold of. Treating everything as if it is the "crown jewels" is IMHO counterproductive because you have two modes of access - everything or nothing. When you need to give an outsider access they should not be able to get to the stuff that is of critical importance unless that is what they are working on.
And I'm in a far worse place if I do something that loses or even endangers the existance of most of the types of data on the premises as are many others.
What you seem to think of as the universal situation of the consequences of a leak being vastly greater than the consequences of loss is the exact opposite in a lot of places. Your "one size fits all" suggestion doesn't fit a lot of places.
Also what's with the lectures? Since they are based on a premise that's not as universal as you seem to think they are someone pointless. If the consequence of a third party stealing those tapes of unencrypted system backups are limited to having to buy more tape it's not really a huge deal. You do not have to encrypt everything and IMHO it's asking for many sorts of trouble if you do.
There's also professional scientific software written in dotnet that is tested against mono so that it can be run on linux. That turns a single licence from a hotseat in front of a MS Windows workstation to something you can run on a noisy and fast server then let the user get to it from their desktop machine via X Windows. No need for a dusty computer in the corner used for an hour a week but a different person each time.
If the consequence of data loss is very high you DON'T encrypt because the vastly increases the chance of loss - when shit happens your careful house of cards with the keys doesn't even have a table to sit on and is lost. A corporate restructure, let alone a buyout, is likely to lose those keys and anyone who knows where they are.
As I wrote elsewhere, I've had to have reels of tape transcribed (on well over a dozen occasions now) because the client lost their copies over time and the tape that was sent to my workplace years ago to transport the data to the people interpreting it ended up being the only one surviving. If someone in the 1980s decided to encrypt those tapes the key would be long gone with most of the other paperwork so it would mean a very expensive seismic survey to get that data again. All industries have similar situations where old information is of great value but not any sort of secret.
Accounts info - sure you don't want all that getting out, but in the general case? That is asking for trouble.
That's the only point I'm trying to make. Above it was suggested as if it was mandatory instead of situations where the consequences of unencrypted data escaping are far greater than that of losing all of the data on that media forever.
For your system backups? No. For other things? Very little information in a typical business is of the sort where it would be a problem if it was published on the front page of a newspaper. That stuff that would be a problem should be treated differently to what is needed for a bare metal restore, which IMHO should be easy enough that a contractor from outside can do it in a hurry without having to wait around for a time window to bother someone for keys. In disaster situations the people who have the keys are probably going to be very busy if they can get on site at all.
Personally I think a policy of treating everything as top secret is a security risk on it's own. You only want to trust a contractor with general information instead of giving them the key to the crown jewels.
Ah - semantics now. Dropping every packet at every point of ingress and egress is effectively the same as an air gap, and is the same if you do it by unplugging things.
What's with the bluster, getting personal and the need to show dominance? It's kind of pathetic the way you are big noting yourself to try to show how much better you are than someone who offered a suggestion.
Ah yes, you are very important obviously, at least in your own mind if nowhere else, and are attempting to rub that in but it appears you think the policy of where you are is how it should be done everywhere.
Clearly most people do not because it's as fucking stupid as letting people you do not trust have possession of your backup tapes. If you can't trust who has your tapes then why are you letting them have them?
What about the onsite tapes? What about tapes that have only system files and zero sensitive information? Why encrypt them when it's just another thing to go wrong and nobody who cannot be trusted with them has access to them.
Over time things get lost (which is why I've had to get stuff from tapes recorded in the 1990s despite the client originally having multiple copies). If someone needs something from a backup or archive in many years time it's very likely that after restructures/buyouts/etc that the key is going to be lost unless it's stored with the tapes (which of course made the encryption pointless in the first place).
Disaster recovery should be simple and adding potential show-stoppers to the process is not a good idea unless the consequences of unencrypted data escaping are far greater than that of losing all of the data on that media forever.
That was in your own mind since it does not appear to be in any of my comments above.
Perhaps you can quote where I suggested it was the only thing required instead of making yourself look ridiculous with baseless claims, assertions that you are so important that you can fire people and threats as to what you would do to someone who offered a piece of advice.
I really don't understand why you are foaming at the mouth over an obvious suggestion of an obvious first step. If you control all the ways in and out you can block people. How are they going to ssh in when ssh is blocked entirely and then only opened up to a checked list of valid addresses? How are they going to use teamviewer when your web proxy blocks all asp pages and their old PC isn't even connected to the network? If you have a real reason to worry your web proxy can block everything apart from to trusted workstations inside the network, trusted because they are being checked one by one. If you have a real reason to worry you drop all encrypted traffic (I'm anticipating your next rant by stating the obvious here) until you don't have to worry.
Throwing up your hands and saying it can't be done and you'll fire anyone who tries is somewhat petty and ridiculous IMHO. You just do not seem to understand that you chop the complex problem into simple chunks and solve it one bit at a time - instead of just giving up.
I didn't save the day, I just took sensible precautions in a tense situation. It wasn't even difficult. It would be harder now with everything and it's dog coming in through port 80 - but that just means a bit of temporary pain when that gets blocked as well if it's really seen as necessary.
You said you would fire me for a similar suggestion - that of initially shutting down any way in.
Why is it good advice from you and a firing offence for me?
An example from the 1900s is people arguing against payouts for injured workers with the argument that it would encourage the poor factory workers to injure themselves so they would get a windfall. Of course the people pushing that line did not really care about the injured factory workers, they cared about the threat of legal action and it was just an excuse instead of the social justice line they were pretending to push.
Not incorrect, you're bullshit detector is just not working in this situation. The guy was fired "to protect women" - seriously? He was fired because the boss was a fucking prude that thinks he owns his employees after they go home. It's that simple.
I've been called in places to help deal with such real world examples - it's called a rootkit. The only way to be sure with those is reinstall and to look at the (preferably removed) owned system disks with knoppix or similar.
So you want to shift the goalposts from step one of keeping someone from the outside from getting in the way they normally do to something else? Fine, but don't whine at me about it. Are you going to attack anyone who suggests changing a password as well?
And you would fire someone who solves a problem over someone who ignores it or doesn't even consider it? How about using your brain here instead of farting your "gut feeling" all over the page.
Why did you so viciously attack a suggestion I made about one of the many things that should be done and get so fucking personal about it? You do not appear to be someone worthy of any sort of responsibility if you do that when you are on the clock.
Unlikely. Nurses check paperwork, which gets printed onto actual paper and they would see the previous dose. That's a system that is already has a lot of mistakes from data entry so has error checking outside of the computer system.
You do have a point, just the example doesn't quite fit.