The time has come for us to stop using the 'wasting bandwidth' argument against users forwarding crap. The bandwidth of our systems now comfortably handles so much data (spam, heavy attachments, etc.) that nothing individual users have time to do (without automation or looping, at least) can amount to even a drop in the bucket.
Wanna bet? I work in an office that has a really, really skinny pipe between a branch office and our main office. One day, one of the executive staff came to the IT department to ask us why his work-related download kept timing out. The other network admin and I started monitoring web traffic and found our users streaming radio, watching Internet T.V., running an E-Bay store on the side (no, I'm not joking), etc. We added the worst offenders to DNS with a 127.0.0.1 address, and poof! Problem solved.
Just because last-mile fiber is becoming a reality in some locales doesn't mean it is ubiquitous yet. Some of us are still on T1 over satellite (yuck!).
I'm sure someone or some company would start a public list that is updated regularly...
Already been done: http://www.shallalist.de/Downloads. It's a pretty decent list, designed to work with SquidGuard, and Shalla is pretty generous with their licensing terms.
The last virus infection where I work (about a year ago) took two admins and one desktop support tech two days to clean up. 3 people x $30 per hour x 8 hours per day x 2 days = $1440. $50 per seat x 100 computers in our organization = $5000 licensing costs. $5000 / $1440 = 3.47 virus outbreaks to break even. Ok, we also have two spam firewalls at ~$5000 each, so that makes just over ten outbreaks per year to break even. So in other words, it would only take one virus per month to break even.
But wait...that two days' repair time basically meant most of our employees were less productive than usual while we were cleaning up the virus, and the three of us who were cleaning up after the virus have other tasks that need to be done, and taking two days to clean up a virus every five weeks will put us further behind in our work, so we would probably need to hire more IT staff if we are going to spend this much time cleaning up viruses. And that doesn't even count the potential for data loss when a virus starts overwriting/infecting/deleting data. Like you said, the corporate environment is not the same as the home user's environment. A company's data IS its business. If you've ever seen the aftermath of a large data loss in the corporate environment (I have...) you'll know it is NOT a pretty sight.
Seems to me that the incremental cost of additional infections is actually quite high.
You can always run an on-line scan once in a while to be sure. That's cheating a little, since you are still using an A/V product, but at least it isn't installed on your computer.
As Admin, you have rights to pretty much everything on the system. If you are running as an Admin user, and you execute a virus, guess what privileges it inherits? You got it -- Admin rights. The virus then has the keys to the entire system.
On the other hand, if your account only has User or Power User privileges, there are a lot more parts of the system that you no longer have read/write access to. This makes it somewhat more difficult for a virus to hose your system than if you had Admin rights. That's the greatly simplified answer to why running as Admin is a bad idea.
The problem, however, is that a lot of Windows software was designed to have read/write access to privileged areas on the computer. Quicken (!) and AutoCad are two examples that I know offhand require Admin privileges to run. I have tried to get Quicken to run without Admin rights, but failed. My predecessor where I work tried to get AutoCad to run without Admin rights, and eventually got fed up with all the calls from our AutoCad techs, and gave them Admin rights. I've heard other people say they managed to get programs to run, but it takes a lot more patience and Windows skills than I have to make it happen (I'm a Unix guy; I don't use Windows any more than I have to).
I run multiple Windows computers. I have a wife and kids. Yet we don't get viruses....If you know what you are doing, you don't need AV. Now do my parents have AV? You betcha.
I've really got to know the difference between your wife/kids and your parents. How can your immediate family get by w/o A/V, but your parents can't?
I've got a wife and daughter who periodically manage to infect the Windows PC they share despite a hardware router/firewall, a software firewall on the PC, A/V on the PC and anti-spyware on the PC. I'd switch them to Linux (like I use) but my wife goes ballistic every time I suggest it. If you've got tech tips, I'd *love* to hear them!
AV is like putting more and more buckets in the attic to catch leaks, rather than fixing the holes.
Right, but if you have a closed-source roof so that you can't patch the holes, you still put the buckets up there rather than flood the house, right?
If they're norton buckets they're also (a) glued to the floor so you can't use them anyway, and (b) full of holes themselves.
ROFL!!! That may be the best comment I see on/. -- heck, the entire Internet -- this month:)
If...[you still have to patch and clean up computers, etc.]..., the money spent on it is wasted. Not exactly controversial.
Not necessarily.
Where I work, we have a WSUS server, and three anti-virus products (one on desktops, one on our Windows servers and ClamAV on our Linux-based Samba file server and Linux-based mail server). About a year ago, we got hit with a virus and spent two days cleaning up all of our Windows systems. However, we still have our patching system and anti-virus subscriptions because having something slip through our security once every couple of years is far better than doing this process every week because we eliminated the A/V and WSUS server.
Slammer or Slapper, I forget which and am too lazy too look it up, was a virus that attacked Linux systems through a hole in Apache. Despite that fact, I have run Linux on servers and desktops, both personally and professionally, since ~2001 and have yet to find even a single virus on any of my Linux machines.
On the flip side, however, I have had multiple A/V programs fail to protect many of the Windows systems I've had the misfortune of administering...
Even if I hold a flashlight right next to my eyeball (ouch!) and turn it on, there is still a small -- albeit infinitesimally small -- delay between the point when the photons exit the flashlight and when they impact my retina. Thus, I am not watching the flashlight turn on in "real time", although for all practical purposes, it is close enough.
Try that in Texas. No shoulders, six lanes, highway speeds in town and nobody will move an inch for a bicyclist.
I'm glad I live in Alaska now. The weather may be colder, but at least we build bike paths for commuters here. I've even used Rollerblades to get to work a time or two;)
Looks like you found a good fit for your needs then:)
I was arguing more with pleappleappleap than you, who was recommending Cisco over the WRT54g. Personally, I think Cisco is overpriced and underpowered.
Quit and get a job somewhere else. It sucks, but if you're screwed if you do and screwed if you don't, then it's only a matter of time until you either get fired, go postal on your coworkers or die of hypertension.
My job as an IT professional is to keep the network running, which means, among other things, "make the network secure from internal *and* external threats." You can paraphrase that as "...secure from simple ignorance and malicious intent" if you prefer. Just because Joe-Bob in accounting wants to do something stupid doesn't mean I should let him. Assuming I have already done my best to explain to everyone involved why Joe-Bob's request is a bad idea, it is not until my manager tells me to do it anyway that I should implement the end-user's idiotic request.
Having said that, I agree with your main point -- IT is there to make business process work better. A former boss explained it this way. In any business, there are two groups of people: those who make the money, and those who make it possible for the first group to make the money. In most businesses, IT is the *second* group of people. We should be as unobtrusive as possible, since our salaries are pure overhead for the company.
Let's see...what motive could anyone have for DoSing a network connection?
Suppose a radical environmentalist decides to brick the router(s) providing connectivity to Exxon's public web server(s)?
Maybe two small town business rivals are about to launch competing products this summer, and one decides to brick the other's router the morning they both announce their new offerings?
What if organized crime wants to extort "protection" money from a bank, and threatens to take down their web portal if the bank doesn't comply?
These are just off the top of my head; I'm sure there are more/more plausible possibilities.
Meh. Cisco doesn't have a lot of horsepower either, unless you want to pony up for their really big iron. If you want horsepower, buy a micro-ATX motherboard and a compact flash drive, put a really slimmed down Linux distribution on it, run IPTables to firewall your network and use Quagga to do any routing you need. You'll blow away any Cisco box you can afford, and have ten times the flexibility to boot.
Not that comfortable with doing it yourself? Buy an http://www.imagestream.com/ImageStream Envoy or Transport, then. It'll cost you a little more (I think a brand new Transport is about $800, but the Envoy is a lot less), and it'll smoke any Cisco up to 3-5X the price:)
I have this argument with the "engineers" where I work all the time. In my experience, I've found very little difference between consumer-grade equipment and carrier-grade equipment as far as reliability goes. If anything, there seems to be a bit of an edge to the consumer-grade equipment.
On my home network, I have one server that I built from commodity hardware that has been running 24/7 for over six years. A second server ran 24/7 for about seven years before the motherboard finally gave up the ghost. I have a very, very old Linksys WAP-11 that has been rock solid since I acquired it (used) about five years ago.
At work, we use Linux-based routers that are built on PC hardware in 1/2U, 1U and 4U cases; the 4U model is the only one with any redundancy whatsoever. We have used these routers since before I started working here (so at least three years, maybe longer than that), and in that time we have had one failure out of something like 100 units. One of these routers had over 900 days of uptime when we finally rebooted it (for a firmware upgrade, incidentally) almost six months ago.
I'm with Creepy Crawler on this one -- if you need reliability, buy two of them. It will still cost less than the "reliable" hardware, it will outperform the "reliable" and at least as far as I can tell, it will often last longer than the "reliable" hardware, as well.
Fill in the missing parts of the genome with Chiuaua DNA. I bet they'd make very popular house pets.
Oh @#$%@!!! no!
The last thing I want is a house pet that sheds a wool blanket twice a year, has tusks that are nearly equal its body length and has the disposition of a Chihuahua.
Just out of curiosity, even though DNA degrades significantly over time, do the same sequences in the DNA degrade at the same rate? Suppose you were able to recover DNA from a number different individuals from the same species. Would it be possible to compare the DNA from multiple sources and try to "fill in the blanks" so to speak? Or would there be so much missing information that even with hundreds of samples, there's no way to complete the sequence?
Go easy on me if this is a stupid question -- I'm a computer geek, not a microbiologist;)
Not me...I can just answer what I believe is right. Wiser men than I have struggled -- and failed -- to find a universal answer to that question since the dawn of recorded history.
Slashdot Mirror
Wanna bet? I work in an office that has a really, really skinny pipe between a branch office and our main office. One day, one of the executive staff came to the IT department to ask us why his work-related download kept timing out. The other network admin and I started monitoring web traffic and found our users streaming radio, watching Internet T.V., running an E-Bay store on the side (no, I'm not joking), etc. We added the worst offenders to DNS with a 127.0.0.1 address, and poof! Problem solved.
Just because last-mile fiber is becoming a reality in some locales doesn't mean it is ubiquitous yet. Some of us are still on T1 over satellite (yuck!).
Then you are even better off than the poor schmuck using Windows -- just SSH to a computer outside the corporate network and tunnel e-mail through it.
About an hour -- just long enough to rewrite the Windows partition with my Linux distro of choice ;)
Already been done: http://www.shallalist.de/Downloads. It's a pretty decent list, designed to work with SquidGuard, and Shalla is pretty generous with their licensing terms.
Ehh, no.
The last virus infection where I work (about a year ago) took two admins and one desktop support tech two days to clean up. 3 people x $30 per hour x 8 hours per day x 2 days = $1440. $50 per seat x 100 computers in our organization = $5000 licensing costs. $5000 / $1440 = 3.47 virus outbreaks to break even. Ok, we also have two spam firewalls at ~$5000 each, so that makes just over ten outbreaks per year to break even. So in other words, it would only take one virus per month to break even.
But wait...that two days' repair time basically meant most of our employees were less productive than usual while we were cleaning up the virus, and the three of us who were cleaning up after the virus have other tasks that need to be done, and taking two days to clean up a virus every five weeks will put us further behind in our work, so we would probably need to hire more IT staff if we are going to spend this much time cleaning up viruses. And that doesn't even count the potential for data loss when a virus starts overwriting/infecting/deleting data. Like you said, the corporate environment is not the same as the home user's environment. A company's data IS its business. If you've ever seen the aftermath of a large data loss in the corporate environment (I have...) you'll know it is NOT a pretty sight.
Seems to me that the incremental cost of additional infections is actually quite high.
You can always run an on-line scan once in a while to be sure. That's cheating a little, since you are still using an A/V product, but at least it isn't installed on your computer.
As Admin, you have rights to pretty much everything on the system. If you are running as an Admin user, and you execute a virus, guess what privileges it inherits? You got it -- Admin rights. The virus then has the keys to the entire system.
On the other hand, if your account only has User or Power User privileges, there are a lot more parts of the system that you no longer have read/write access to. This makes it somewhat more difficult for a virus to hose your system than if you had Admin rights. That's the greatly simplified answer to why running as Admin is a bad idea.
The problem, however, is that a lot of Windows software was designed to have read/write access to privileged areas on the computer. Quicken (!) and AutoCad are two examples that I know offhand require Admin privileges to run. I have tried to get Quicken to run without Admin rights, but failed. My predecessor where I work tried to get AutoCad to run without Admin rights, and eventually got fed up with all the calls from our AutoCad techs, and gave them Admin rights. I've heard other people say they managed to get programs to run, but it takes a lot more patience and Windows skills than I have to make it happen (I'm a Unix guy; I don't use Windows any more than I have to).
HTH!
I've really got to know the difference between your wife/kids and your parents. How can your immediate family get by w/o A/V, but your parents can't?
I've got a wife and daughter who periodically manage to infect the Windows PC they share despite a hardware router/firewall, a software firewall on the PC, A/V on the PC and anti-spyware on the PC. I'd switch them to Linux (like I use) but my wife goes ballistic every time I suggest it. If you've got tech tips, I'd *love* to hear them!
Right, but if you have a closed-source roof so that you can't patch the holes, you still put the buckets up there rather than flood the house, right?
If they're norton buckets they're also (a) glued to the floor so you can't use them anyway, and (b) full of holes themselves.
ROFL!!! That may be the best comment I see on
Not necessarily.
Where I work, we have a WSUS server, and three anti-virus products (one on desktops, one on our Windows servers and ClamAV on our Linux-based Samba file server and Linux-based mail server). About a year ago, we got hit with a virus and spent two days cleaning up all of our Windows systems. However, we still have our patching system and anti-virus subscriptions because having something slip through our security once every couple of years is far better than doing this process every week because we eliminated the A/V and WSUS server.
Slammer or Slapper, I forget which and am too lazy too look it up, was a virus that attacked Linux systems through a hole in Apache. Despite that fact, I have run Linux on servers and desktops, both personally and professionally, since ~2001 and have yet to find even a single virus on any of my Linux machines.
On the flip side, however, I have had multiple A/V programs fail to protect many of the Windows systems I've had the misfortune of administering...
You're right. My time is measured in dollars; I don't piddle with pennies :)
Exactly.
Even if I hold a flashlight right next to my eyeball (ouch!) and turn it on, there is still a small -- albeit infinitesimally small -- delay between the point when the photons exit the flashlight and when they impact my retina. Thus, I am not watching the flashlight turn on in "real time", although for all practical purposes, it is close enough.
</pedantic>
Not only that, but what do you think lubricates the gear drives, bearings, etc. on the wind turbines?
Try that in Texas. No shoulders, six lanes, highway speeds in town and nobody will move an inch for a bicyclist.
;)
I'm glad I live in Alaska now. The weather may be colder, but at least we build bike paths for commuters here. I've even used Rollerblades to get to work a time or two
Looks like you found a good fit for your needs then :)
I was arguing more with pleappleappleap than you, who was recommending Cisco over the WRT54g. Personally, I think Cisco is overpriced and underpowered.
Quit and get a job somewhere else. It sucks, but if you're screwed if you do and screwed if you don't, then it's only a matter of time until you either get fired, go postal on your coworkers or die of hypertension.
Get out before you burn out.
My job as an IT professional is to keep the network running, which means, among other things, "make the network secure from internal *and* external threats." You can paraphrase that as "...secure from simple ignorance and malicious intent" if you prefer. Just because Joe-Bob in accounting wants to do something stupid doesn't mean I should let him. Assuming I have already done my best to explain to everyone involved why Joe-Bob's request is a bad idea, it is not until my manager tells me to do it anyway that I should implement the end-user's idiotic request.
Having said that, I agree with your main point -- IT is there to make business process work better. A former boss explained it this way. In any business, there are two groups of people: those who make the money, and those who make it possible for the first group to make the money. In most businesses, IT is the *second* group of people. We should be as unobtrusive as possible, since our salaries are pure overhead for the company.
Let's see...what motive could anyone have for DoSing a network connection?
Suppose a radical environmentalist decides to brick the router(s) providing connectivity to Exxon's public web server(s)?
Maybe two small town business rivals are about to launch competing products this summer, and one decides to brick the other's router the morning they both announce their new offerings?
What if organized crime wants to extort "protection" money from a bank, and threatens to take down their web portal if the bank doesn't comply?
These are just off the top of my head; I'm sure there are more/more plausible possibilities.
Which side of the router is someone who is leeching your WiFi on?
Meh. Cisco doesn't have a lot of horsepower either, unless you want to pony up for their really big iron. If you want horsepower, buy a micro-ATX motherboard and a compact flash drive, put a really slimmed down Linux distribution on it, run IPTables to firewall your network and use Quagga to do any routing you need. You'll blow away any Cisco box you can afford, and have ten times the flexibility to boot.
:)
Not that comfortable with doing it yourself? Buy an http://www.imagestream.com/ImageStream Envoy or Transport, then. It'll cost you a little more (I think a brand new Transport is about $800, but the Envoy is a lot less), and it'll smoke any Cisco up to 3-5X the price
I have this argument with the "engineers" where I work all the time. In my experience, I've found very little difference between consumer-grade equipment and carrier-grade equipment as far as reliability goes. If anything, there seems to be a bit of an edge to the consumer-grade equipment.
On my home network, I have one server that I built from commodity hardware that has been running 24/7 for over six years. A second server ran 24/7 for about seven years before the motherboard finally gave up the ghost. I have a very, very old Linksys WAP-11 that has been rock solid since I acquired it (used) about five years ago.
At work, we use Linux-based routers that are built on PC hardware in 1/2U, 1U and 4U cases; the 4U model is the only one with any redundancy whatsoever. We have used these routers since before I started working here (so at least three years, maybe longer than that), and in that time we have had one failure out of something like 100 units. One of these routers had over 900 days of uptime when we finally rebooted it (for a firmware upgrade, incidentally) almost six months ago.
I'm with Creepy Crawler on this one -- if you need reliability, buy two of them. It will still cost less than the "reliable" hardware, it will outperform the "reliable" and at least as far as I can tell, it will often last longer than the "reliable" hardware, as well.
Oh @#$%@!!! no!
The last thing I want is a house pet that sheds a wool blanket twice a year, has tusks that are nearly equal its body length and has the disposition of a Chihuahua.
Just out of curiosity, even though DNA degrades significantly over time, do the same sequences in the DNA degrade at the same rate? Suppose you were able to recover DNA from a number different individuals from the same species. Would it be possible to compare the DNA from multiple sources and try to "fill in the blanks" so to speak? Or would there be so much missing information that even with hundreds of samples, there's no way to complete the sequence?
;)
Go easy on me if this is a stupid question -- I'm a computer geek, not a microbiologist
Not me...I can just answer what I believe is right. Wiser men than I have struggled -- and failed -- to find a universal answer to that question since the dawn of recorded history.