I gotta agree here. If the workplace overlords start prepping for her arrival with reminder emails, "awareness bulletins" that might get posted in the kitchenette / break room area, etc., -- these tend to make the existing employees feel like they are catering to this new employee in a way that, no matter how good she is, no matter how hot (sorry) or not she is, there will be resentment towards her.
I think the better approach is to introduce her to the team, remind folks that it is a workplace, and that HR still accepts complaints, and acts on them.
To take all of the marketing bias/hype out of the equation, the exercise you must do is to write out your Non-functional requirements first.
Example:
- A solution that successfully integrates documents, spreadsheets, email, calendaring, contacts, tasks, and does so seemlessly.
- A solution that can support a single-sign-on approach to password/identity management
- A solution that facilitates usage across devices (physical desktop, virtual desktop, roaming laptop, handheld device) ......
You get the idea.
Then, evaluate the solutions based on your requirements. Is it Google Apps? O365? 3rd party hosted Exchange as a service?
There are a lot of choices. Consider what it costs to run a server, maintain licenses, etc. compared to these *as-a-Service options. For 10 people, buying server infrastructure is overkill.
it this way:
In your attic, place a switch, with runs to each of your upper floor rooms, and a run to the basement.
In your basement, place another switch, with runs to each of your lower floor rooms, and connect that attic switch in.
Now your whole house is chatting at up to 1000baseT if you splurge on the gig switches. I've seen the attic/basement connection ran out a window and down the outside of a house. I've also seen that line get hit by lightning and take out a bunch of gear, so think twice about that, or at least put some grounding straps on it (check with an electrician who can advise you on this) to keep the lightning at bay.
Typically, your older houses have hollow, easily accessible internal walls. Good for fishing wires up and thru.
Hire some good Linux admins. Preferably someone fired for violating a policy in the past, because he/she will know all the rules, where the fulcrum of those rules are, and how to lock them down and prevent their abuse.
Prepare to be hated though. No one likes going to school, er, I mean work, to sit in detention all day long.
Will track down where any MAC address is connected.
If they have the IP, they can get the MAC. If they have the MAC, they can get what port it's plugged into.
Find the switch, find the cable, and air-gap it.
I know this, and I'm not even a network guy.
Grab a LTO drive off of eBay... tapes are not expensive (LTO2 tapes and drives are easy to come by as everyone upgrades to LTO3)...
The media has a 30-year shelf life, which, I would imagine, can be extended with temperature/humidity control.
Sometimes these decisions are made above your pay grade. Just interject your own creativity and reasoning in between and hope it all works for the best.
Here is what I would propose if I were you:
Pre-parse and re-write the query before submitting it to the database.
Some checks:
Make sure it starts with SELECT,and does not contain ALTER, UPDATE, DELETE, TRUNCATE, etc. in the query string.
Remove all ";" semicolons to prevent them from stacking commands. If a ; is found, strip everything beyond that.
Require them to log in and establish their credentials somehow. Let's establish them and make a session var equal to their login uuid or something.
Substring search their query "WHERE" clause, and interject a "and customer_id = %cust_id%" to restrict the returned results to just the stuff they are supposed to see.
If none of that flies, you can offer your resignation, saying that you can't support it, and if they insist, bail out of there.
I have IP service at a co-lo facility. I have bandwidth bills. I know how to read them. I know that 1mbps of service is equivalent to ~320GB per month. The above reference of 250GB being ~800kbit is accurate.
Now. If I'm buying an advertised 800kbit service, and that 250GB is my monthly limit, then no-harm/no-foul.
BUT
If they are advertising a 6mbps service (for example -- I don't know what they are offering) but cutting you off if you actually USE it, then that's something for the FTC to get involved in.
6mbps should be a smidge under 2TB of data transfer. 4mbps (what I have with my TWC/RR service) is about 1.2TB of transfer.
Granted, I don't know any/home/ users who reach 1TB, but if that's what you're paying for, then you are certainly entitled to it.
I would almost go out onto a limb to say:
If they start limiting how much of a service you've paid for that you can use, People should start demanding refunds for the cable channels they have but don't watch.
I can go out and buy a GSLB device (several people make them: F5, Foundry, Cisco... pick one)...
I can buy a hosting account in multiple datacenters on multiple geographically dispersed areas (US east cost, US west coast, uk, germany, japan)...
I can set up Apache in proxy/cache mode at each location...
I can tag my images to pull from gslb-images.myserver.com...
But in doing so, I violate their patent of intellectual property? C'mon now.
I haven't invented any of this. It's all standard internet engineering technique. Next thing you know, you won't be able to cache to disk or load balance across multiple servers anymore.
Look at AOL, for example: View source on their home page. You'll see their images are being plucked off another server, and guess what-- the image server has "CDN" in the hostname.
That's just one example. We could go all day on this. Either finding prior art or more cases of infringement.
I pay for bandwidth two ways: First, a Residential RoadRunner subscriber, and Second: as a commerical client at a co-location facility.
My "home" stuff: I get a measley 5mbit down and 460kbit up. My "commercial" stuff: Is so fast I can't really accurately measure it with any of the speedtest sites.
I never really knew why that mattered, I only thought transfer speed was what mattered. But I learned about how bandwidth works when I got a bill for it from my co-lo facility. Apparently, we were on a 256kbit monthly commit. I thought "well, we get faster than that obviously" and never thought more about it. But they calculate out what the throughput is both in and out over a month to get this 256kbit number. If you multiply it out, 256kbit = approximately 80 gigabytes of transfer. The conversion they gave me is 1megabit = 320gigabytes of data.
Using what Comcast allows you to buy (12mbit down x 1mbit up) = ~3.8 terrabytes of data down, and ~320 gigabytes of data up. Even if you use only 25% of what you've paid for (above numbers * 0.25) = 960gb download, 80gb upload, that's still a fair bit higher than 30,000 songs, 150,000 pictures, or 13m emails.
If they are not capping at below those numbers, they are, in my opinion (IANAL), selling something labeled as one thing but not delivering all of it.
They must stop calling it 12mbit service if you can't really download 12mbit.
Something else: They don't say if the 30,000 songs are in WAV format (10MB/minute X 3.5 minutes/song X 30,000 songs = ~1TB of data) or if it's 128kbit MP3 (80K/minute X 3.5 minutes/song X 30,000 songs = 84GB of data). They don't say if the 150,000 pictures are in RAW format out of a Canon 1DS (~25MB/pic X 150,000 pictures = 3.7TB of data) or if it's a crappy 2 megapixel digicam (~1.5MB/pic X 150,000 pictures = 225GB of data). And their 150,000 emails: Are they plaintext, HTML, mixed, and do they all have attachments?
And if that means you don't cheap out and go OSS, don't worry about it. If you're in a place subject to these woes ^H^H^H^H regulations, then by all means it's probably not your money you're spending on it. Don't get me wrong, I'm a huge fan of OSS, but when it comes to keeping lawyers and auditors at bay, you take the plunge and buy the real stuff. And you pay the 35% service contract fee too.
I had a situation where something we were doing wouldn't pass muster with our SOX auditor. I asked her for if she could tell me what would pass. She could not. Instead, she offered that if I posed the question another way, she could answer. That meant asking "how have you seen other companies meet this or a similar requirement?" And she told me right away a number of things that would work in my particular situation.
Applying that logic here, you can't ask an auditor for advice, but they will tell you if you ask the question the correct way. And if they know and have seen Centera, it's a review of the configuration on the frame and you're done. Do you really want to spend all day explaining this custom rig up of Linux syslog server with logfiles on a partition that is mirroring off to CDR drives, how syslog works, how your box is locked down, etc., etc., etc?
OSS Fits. But not everything.
I was the "UNIX Contractor" for a group that had a few (10 or so) UNIX boxes but no UNIX Administrator. So I did a 6 month stint at that agency working on developing runbook procedures, doing day-to-day stuff, fixing broken hardware (essentially calling Sun service and walking the tech up to the datacenter), and on and on.
But what confounded me the most was that my cube was right next to a guy who was an "Oracle DBA V" (that's a Database Administrator, level 5) -- There is no DBA 6, so in my thinking, he should at least know who Larry Ellison is. Turns out the guy had just been there "a long time" in other roles and he knew someone that put in a good word for him at our agency.
Now, mind you, I'm not a DBA. I create your filesystems and chown them to oracle:dba and let you go have fun. But this guy had no clue. None. If it didn't start up on its own, he was stuck. I found myself calling a buddy of mine from a previous job that actually worked at Oracle and was nice enough to not mind helping out when he had a question that I couldn't answer.
Long story short, as an Ohio Taxpayer, I now fully understand why we're the most tax-disadvantaged state in the nation. We essentially pay double: first time around to pay the state employees (the ones like the DBA V mentioned here) and then the second time around for the consultants to come in and do the actual work.
I had a consulting role for a state office. It was within the public safety sector. I had physical access to the entire state's main datacenter. To get that level of unescorted access, I had to submit to no less than three (FBI, State, and BCI) fingerprint screenings and other background checks.
I also worked for a major bank. Fingerprint screening (FBI only there).
Now working for a financial services org, I submit to recurring background checks (every x years) and agree to surrender my post if I become ineligible for employemnt.
But being in a position of trust requires me to give up some rights in exchange for this position.
Would I trust a bank or another institution controlling my money that I knew didn't perform due diligence and screen its employees?
I too hate it when people fail to RTFA/RTFM. I missed the ISC article because I happened to be reading the news.com article at the same time.:-/ sorry 'bout that...
So there's a list of 50-or-so banking sites that the malware picks up. Where's the list? How can I know if I need to call home and tell the wife to NOT use online banking until I get home or not?
Also, what's the quick way to tell if I have the malware or not? Does it drop a dll, exe or something somewhere?
I *hate* things like this where it's reported that "you might be infected" -- tell me what clues I can look for to know. Tell me which (if any?) IE fixes subvert this. Tell me which A/V vendors have patches to prevent it (if any).
Aargh.
Slashdot Mirror
I gotta agree here. If the workplace overlords start prepping for her arrival with reminder emails, "awareness bulletins" that might get posted in the kitchenette / break room area, etc., -- these tend to make the existing employees feel like they are catering to this new employee in a way that, no matter how good she is, no matter how hot (sorry) or not she is, there will be resentment towards her. I think the better approach is to introduce her to the team, remind folks that it is a workplace, and that HR still accepts complaints, and acts on them.
To take all of the marketing bias/hype out of the equation, the exercise you must do is to write out your Non-functional requirements first.
......
Example:
- A solution that successfully integrates documents, spreadsheets, email, calendaring, contacts, tasks, and does so seemlessly.
- A solution that can support a single-sign-on approach to password/identity management
- A solution that facilitates usage across devices (physical desktop, virtual desktop, roaming laptop, handheld device)
You get the idea.
Then, evaluate the solutions based on your requirements. Is it Google Apps? O365? 3rd party hosted Exchange as a service?
There are a lot of choices. Consider what it costs to run a server, maintain licenses, etc. compared to these *as-a-Service options. For 10 people, buying server infrastructure is overkill.
already slashdotted. who knew.
it this way: In your attic, place a switch, with runs to each of your upper floor rooms, and a run to the basement. In your basement, place another switch, with runs to each of your lower floor rooms, and connect that attic switch in. Now your whole house is chatting at up to 1000baseT if you splurge on the gig switches. I've seen the attic/basement connection ran out a window and down the outside of a house. I've also seen that line get hit by lightning and take out a bunch of gear, so think twice about that, or at least put some grounding straps on it (check with an electrician who can advise you on this) to keep the lightning at bay. Typically, your older houses have hollow, easily accessible internal walls. Good for fishing wires up and thru.
Hire some good Linux admins. Preferably someone fired for violating a policy in the past, because he/she will know all the rules, where the fulcrum of those rules are, and how to lock them down and prevent their abuse.
Prepare to be hated though. No one likes going to school, er, I mean work, to sit in detention all day long.
Will track down where any MAC address is connected. If they have the IP, they can get the MAC. If they have the MAC, they can get what port it's plugged into. Find the switch, find the cable, and air-gap it. I know this, and I'm not even a network guy.
Grab a LTO drive off of eBay... tapes are not expensive (LTO2 tapes and drives are easy to come by as everyone upgrades to LTO3)... The media has a 30-year shelf life, which, I would imagine, can be extended with temperature/humidity control.
Sometimes these decisions are made above your pay grade. Just interject your own creativity and reasoning in between and hope it all works for the best. Here is what I would propose if I were you: Pre-parse and re-write the query before submitting it to the database. Some checks: Make sure it starts with SELECT,and does not contain ALTER, UPDATE, DELETE, TRUNCATE, etc. in the query string. Remove all ";" semicolons to prevent them from stacking commands. If a ; is found, strip everything beyond that. Require them to log in and establish their credentials somehow. Let's establish them and make a session var equal to their login uuid or something. Substring search their query "WHERE" clause, and interject a "and customer_id = %cust_id%" to restrict the returned results to just the stuff they are supposed to see. If none of that flies, you can offer your resignation, saying that you can't support it, and if they insist, bail out of there.
Now. If I'm buying an advertised 800kbit service, and that 250GB is my monthly limit, then no-harm/no-foul.
BUT
If they are advertising a 6mbps service (for example -- I don't know what they are offering) but cutting you off if you actually USE it, then that's something for the FTC to get involved in.
6mbps should be a smidge under 2TB of data transfer. 4mbps (what I have with my TWC/RR service) is about 1.2TB of transfer.
Granted, I don't know any
I would almost go out onto a limb to say:
Make it fair at least.
I can go out and buy a GSLB device (several people make them: F5, Foundry, Cisco... pick one)...
I can buy a hosting account in multiple datacenters on multiple geographically dispersed areas (US east cost, US west coast, uk, germany, japan)...
I can set up Apache in proxy/cache mode at each location...
I can tag my images to pull from gslb-images.myserver.com...
But in doing so, I violate their patent of intellectual property? C'mon now.
I haven't invented any of this. It's all standard internet engineering technique. Next thing you know, you won't be able to cache to disk or load balance across multiple servers anymore.
Look at AOL, for example: View source on their home page. You'll see their images are being plucked off another server, and guess what-- the image server has "CDN" in the hostname.
That's just one example. We could go all day on this. Either finding prior art or more cases of infringement.
Geesh.
I pay for bandwidth two ways: First, a Residential RoadRunner subscriber, and Second: as a commerical client at a co-location facility.
My "home" stuff: I get a measley 5mbit down and 460kbit up.
My "commercial" stuff: Is so fast I can't really accurately measure it with any of the speedtest sites.
I never really knew why that mattered, I only thought transfer speed was what mattered. But I learned about how bandwidth works when I got a bill for it from my co-lo facility. Apparently, we were on a 256kbit monthly commit. I thought "well, we get faster than that obviously" and never thought more about it. But they calculate out what the throughput is both in and out over a month to get this 256kbit number. If you multiply it out, 256kbit = approximately 80 gigabytes of transfer. The conversion they gave me is 1megabit = 320gigabytes of data.
Using what Comcast allows you to buy (12mbit down x 1mbit up) = ~3.8 terrabytes of data down, and ~320 gigabytes of data up. Even if you use only 25% of what you've paid for (above numbers * 0.25) = 960gb download, 80gb upload, that's still a fair bit higher than 30,000 songs, 150,000 pictures, or 13m emails.
If they are not capping at below those numbers, they are, in my opinion (IANAL), selling something labeled as one thing but not delivering all of it.
They must stop calling it 12mbit service if you can't really download 12mbit.
Something else: They don't say if the 30,000 songs are in WAV format (10MB/minute X 3.5 minutes/song X 30,000 songs = ~1TB of data) or if it's 128kbit MP3 (80K/minute X 3.5 minutes/song X 30,000 songs = 84GB of data). They don't say if the 150,000 pictures are in RAW format out of a Canon 1DS (~25MB/pic X 150,000 pictures = 3.7TB of data) or if it's a crappy 2 megapixel digicam (~1.5MB/pic X 150,000 pictures = 225GB of data). And their 150,000 emails: Are they plaintext, HTML, mixed, and do they all have attachments?
And if that means you don't cheap out and go OSS, don't worry about it. If you're in a place subject to these woes ^H^H^H^H regulations, then by all means it's probably not your money you're spending on it. Don't get me wrong, I'm a huge fan of OSS, but when it comes to keeping lawyers and auditors at bay, you take the plunge and buy the real stuff. And you pay the 35% service contract fee too. I had a situation where something we were doing wouldn't pass muster with our SOX auditor. I asked her for if she could tell me what would pass. She could not. Instead, she offered that if I posed the question another way, she could answer. That meant asking "how have you seen other companies meet this or a similar requirement?" And she told me right away a number of things that would work in my particular situation. Applying that logic here, you can't ask an auditor for advice, but they will tell you if you ask the question the correct way. And if they know and have seen Centera, it's a review of the configuration on the frame and you're done. Do you really want to spend all day explaining this custom rig up of Linux syslog server with logfiles on a partition that is mirroring off to CDR drives, how syslog works, how your box is locked down, etc., etc., etc? OSS Fits. But not everything.
I was the "UNIX Contractor" for a group that had a few (10 or so) UNIX boxes but no UNIX Administrator. So I did a 6 month stint at that agency working on developing runbook procedures, doing day-to-day stuff, fixing broken hardware (essentially calling Sun service and walking the tech up to the datacenter), and on and on.
But what confounded me the most was that my cube was right next to a guy who was an "Oracle DBA V" (that's a Database Administrator, level 5) -- There is no DBA 6, so in my thinking, he should at least know who Larry Ellison is. Turns out the guy had just been there "a long time" in other roles and he knew someone that put in a good word for him at our agency.
Now, mind you, I'm not a DBA. I create your filesystems and chown them to oracle:dba and let you go have fun. But this guy had no clue. None. If it didn't start up on its own, he was stuck. I found myself calling a buddy of mine from a previous job that actually worked at Oracle and was nice enough to not mind helping out when he had a question that I couldn't answer.
Long story short, as an Ohio Taxpayer, I now fully understand why we're the most tax-disadvantaged state in the nation. We essentially pay double: first time around to pay the state employees (the ones like the DBA V mentioned here) and then the second time around for the consultants to come in and do the actual work.
I had a consulting role for a state office. It was within the public safety sector. I had physical access to the entire state's main datacenter. To get that level of unescorted access, I had to submit to no less than three (FBI, State, and BCI) fingerprint screenings and other background checks.
I also worked for a major bank. Fingerprint screening (FBI only there).
Now working for a financial services org, I submit to recurring background checks (every x years) and agree to surrender my post if I become ineligible for employemnt.
But being in a position of trust requires me to give up some rights in exchange for this position.
Would I trust a bank or another institution controlling my money that I knew didn't perform due diligence and screen its employees?
I too hate it when people fail to RTFA/RTFM. I missed the ISC article because I happened to be reading the news.com article at the same time. :-/ sorry 'bout that...
So there's a list of 50-or-so banking sites that the malware picks up. Where's the list? How can I know if I need to call home and tell the wife to NOT use online banking until I get home or not? Also, what's the quick way to tell if I have the malware or not? Does it drop a dll, exe or something somewhere? I *hate* things like this where it's reported that "you might be infected" -- tell me what clues I can look for to know. Tell me which (if any?) IE fixes subvert this. Tell me which A/V vendors have patches to prevent it (if any). Aargh.