So, you've never seen a user access a webmail account, click a link that points to a site that installs a zero-day virus or keylogger, then gains access to the network using a stolen password and steals hundreds or thousands of users' worth of data?
Apparently you were not around for Love Bug either, which, although the corp e-mail server stopped it cold, our CEO managed to cross-infect his PC with from his home e-mail account, and since he had the entire company e-mail list in that system, both personal and company e-mail accounts of nearly all 100 employees, nearly every employee got a copy of Love Bug in their own webmail, and yes, it was literally like 45 seconds and 60 of our 87 systems were infected.
Also, whitelists should be reasonably departmentalized. And yeah, for a big firm, absolutely there's a guy full time who does pretty much nothing but whitelist requests and password resets. He gets about $14 an hour... not bad for a kid still in college.
Ah, that's what the 3 year and 5 year cost analysis plans are for. Beancounters usually do understand forecasting pretty well, you just need to explain to them that IT is not a buy-and-forget department...
Of course, not all bean counters get it, and some of the ones who do still can't slide your department the cash, but still, if you can't "run as" you have an issue...
Hey, off hours, stuck in an IT office waiting for a backup to complete, or a build to roll out... Shit, you're on salary anyway. As long as you're accessing /. from a VLAN-secured system and logged in with user, not admin, credentials, then there's no harm in it.
We're referring mostly to the hourly line employees here. Admins have much larger whitelists, and to an extent, I'd even call /. business-necessary for admins, as part of problem resolution research or new product information sources.
Depending on your position, whether you have department-level decision-making power or not, policy-level influence, or are in a position to hire and fire others, it's quite likely your company may be required to pay you overtime. My job, no, I do have manager-level influence, so I'm salaried, and not much higher than some others in my city, but I'm at about double the pay of the Bobs on the floor who work 40 hours flat every week in the call center... and I'm quite satisfied with that even if I do pull an occasional 60 or 70 hour week during a rollout or a non-stop weekend marathon solving a disaster. They give me leniency on when I come and go anyway as long as I average over 80 hours each 2 weeks.
Our developers are not permitted to work over 11 hours in any day, and not over 60 hours in a week. Deadlines are pushed back as necessary. We certainly find that fresh minds and rested bodies are far more productive. We also give our salaried employees the option of taking bonus PTO the following week anytime they work over 50 hours in the current one, balancing their 2-week load to 80-90 hours.
But really, we're not talking about devs here. Most of the devs I know pretty much stare at code all day, unless they're scanning code banks online and forums to find a solution to a specific issue. Few of them do anything on a computer at work outside of that. It's the accountants, support reps, call center employees, secretaries, and other general workers that make up 80% of the workforce, and who are all paid hourly, not salary, now with the changes in federal overtime rules (most of them were already hourly anyway); those people waste tons of time at work.... TONS.
It's not really about controlling employees to boost productivity; much more of it is in preventing productivity loss from down systems and workers' inability to be productive in the first place. Also, at a former company, we implemented these policies and cut our IT overhead by nearly 2 million a year, both dropping our IT staff by half and increasing system availability 10%.
Besides, you can't possibly compare a few employees working full time to boost productivity vs. 1000 employees potentially wasting 3 hours or more a day (current surveys say this is not only common, but the norm!).
HR and department managers have their own metrics for managing productivity. I'm not even really concerned with a single machine having a software issue or a virus. That's a 90 minute fix that takes 10 minutes of my time to do (to re-image the system automatically after swapping the hard disk with one known to be virus free). What my concern really is about is the overall loss of productivity when that single user accesses an e-mail through an unapproved service, clicks a link and directs a company system at a site that can install a zero-day exploit. If you can only go to whitelisted sites, this is not a big concern. Further, no access to unapproved applications means you can't bypass the 3 layers of security we have, one of which would likely have stopped the e-mail in the first place.
We allow you to suggest sites to the whitelist (personal or business reasons) and most are approved instantly. We allow you to suggest applications only for business purposes (you can bring your own PC from home to do anything else, and it gets access to a completely separate network). You can request a personal POP account be added to your Exchange account. This ensures proper mail filtering and security is maintained.
We're not unreasonable, we're just strict.
In many companies I've consulted for, they measure downtime in the thousands of dollars a minute. Some of them in the millions per hour. A security breach for some of my clients could cost tens of millions of dollars in addition to that.
I'm not suggesting your local small biz with 25 employees have this rigid of a structure (unless they are bound by SOX or HIPAA, or some banking regulations, in which case, it's not their choice). In fact, the regulations apply to more than 3 times the number of businesses that currently comply. They can't police all the networks, so instead, they heavily fine and potentially shut down those who violate. I'm not doing my job if I don't uphold STIG.
I'm not talking about strictly monitoring what you do every minute, or ordering strict scheduled breaks...
You get 1 hour each 8 hour shift (more if you work a longer shift). You can break that up however you like, provided that in this state, by law, you have to take a single break not less than 30 minutes, and cannot take that break under orders from management within the first or last hour of your shift. We don't order you to take breaks at all; take them when you want, provided you log out to take them, and provided minimum company staffing rules for your department are enforced (you can't all go to lunch exactly at 12:00 and leave the call center empty).
In addition, we allow roughly 30 minutes a day for you to work on a personal project, outside of your job duties. This can be for simply letting your brain unwind after a tough issue is resolved, take an extra 30 minutes for lunch, run an errand, read the paper, whatever you like. This is paid time, not unpaid time like lunch.
Outside of that, you're on the clock for 8 hours. We expect you to actually be working during that time. I don't care when or how you break, or how you deal with your outside life issues, but loosening network security or data integrity, or wasting IT time hunting down buggy programs and viruses in the network, that simply won't happen.
I have both a restricted-use system and an unrestricted one on a separate VLAN. One is used for business, the other for research. I am bound by the same security I impose on my users. I do not log in as Admin unless strictly necessary (and often Run As works just as well).
There's no real "crap" on the PCs in our network. Each runs only the services required to do their job, and those required by HIPAA, Sarbanes-Oxley, Federal regulations, DOD STIG, and company security policies which comply with those. AV, AS, and hardware monitoring tools are all that's on them aside from Office where necessary, the IP phone connector, the company chat system (which doubles as the time clock), and the CRM or accounting apps, again as necessary. There's not a bunch of bloat. The images are job specific and easily deployable. If you need an app, in most cases I make a quick change to your system image in the software distro app, and in 15 minutes or less it's auto-installed. We give users a media player and a few other programs to occupy them at work and on breaks.
If a user wanted to, they have no access to the shell, no control panels, no way to make system-level changes. The computer BIOS is locked out, there's no booting from CD or USB, and with plug and play disabled, and the C: and D: drives hidden, and only the home folder and workgroup folders accessible, there is no way for them to mount a volume with which to install a program or infect the machine, and no way to change settings other than wallpaper, font size, and a few ergonomic settings we're required by law to allow you access to.
Anyone needing to take files home is approved to do so, and has a shared web accessible, encrypted system to access to get those files, and all activity is logged. Moving a file to CD, DVD, thumb drive, etc. is grounds for termination, as is the attempt to mount any unapproved device. Need to load something from a disk? You bring it to IT for scanning and loading to your home folder.
I don't keep them from their favorite, proven-safe news sites, or the occasional blog (we do prevent myspace, facebook, etc. but mostly due to HR rules about content accessibility and to help limit bandwidth utilization, not so much for security). They're allowed a whitelist of places to go when they're taking personal time at their desks. We're not inhuman, we just expect certain levels of security, HR accountability, and productivity from our well paid (above regional average) employees.
If you were on my network, and disabled any of the security software on the machine, you'd not only be immediately terminated without exception, but the IT department, through terms in your employee contract, would deduct from your last paycheck consulting time for which to re-image the infected machine (about an hour and a half). If you really pissed us off, you'd be terminated without prejudice and sacrifice your severance pay, potential for unemployment compensation, possibly matching funds in your 401K, and if you'd been here long enough, your pension too. We're bound by regulation to have a minimum security level. Not firing you would get other people fired when the audit comes through. If there's Credit Card info, SSNs, medical insurance info, or other personal info in your systems anywhere (almost guaranteed HR has them), and if you do business in more than 1 state (or some specific states like NY), then your IT department is bound by these laws, whether they explained that to you or not.
If your image is blue-screening, it is NOT a software issue, but a hardware conflict or more likely a failing HDD or RAM. If you knew shit-one about IT, you'd know that application software does not cause blue screens, only kernel level events. If your system was so sluggish, or routinely failing, it would have been pulled to the helpdesk for a hardware scan to confirm, or re-imaged to eliminate the potential of a corrupt driver. Likely you would have had your system swapped with another while it was being tested. If multiple machines like
I'll comply typically with executives on this, or when a department (like marketing) really does need the camera hooked up, but everyone else can e-mail the JPEG they want to use as a background to themselves, they need not connect the camera. If they're sorting pics from their weekend fun, they can do that on their break on their personal laptop or fucking do it at home!
If they need an application, there's a process to approve it, and it's pushed out through Altiris or SMS, never installed manually, with minor exceptions in the test lab or QA department. If they feel they need access to a website (which we do allow approved sites for personal use, blogging, news, etc., just not webmail which is too risky), they get their manager to submit a ticket and we'll turn it on ASAP, or they can submit themselves via a low-priority ticket and it goes into a listing that's approved on a weekly basis and one of my IT lackeys uploads the whitelist to the filter.
Users should be controlled. IT has domain over them, the admins are not at their beck and call. Even my CEO has to go through an approval process, and is not permitted to access programs or sites on his company issued computer (he has a personal laptop on a "public" wireless network, completely separate from the corporate LAN, that he can surf with, and if he wants to view porn on his personal PC behind the closed doors of his office, he can, but most people on the "public" WAN do still have at least a blacklist to poll against). There are NO exceptions to the company security policy. Not even for executives. If we have to live with it, so do they, and that goes a long way to morale.
1. Users WILL attempt to install stuff
2. If they can't, they will eventually give up
I'm afraid you have it wrong. They WILL attempt to install stuff and one of these will happen
a) They will succeed
b) They will fail but break something serious in the process (by booting from a special CD from a friend or something like that)
c) They will fail but find some decent-work around
d) They will tell you to fuck off and find a better place to work
e) If they are incompetent enough to do a, c or d they will give up but find another hobby.
So instead of frustrating yourself and your employees, you could just demand a level of productivity in return for a pleasant workplace where having an IM client is not a crime.
A) If IT is doing the job right, it should be impossible for a user to launch an exe. Period. This is simple and cannot be overcome by a user who does not have an admin password. If a user has an admin password, fire the admin and the user both.
B) Change BIOS to not be able to boot from CD, USB, or any device other than primary HDD. Enable BIOS passwords. Use business-class systems that have firmware monitoring software, and cases that have physical access alarms or keys. Employees that try to get around this get more than fired, they get prosecuted for tampering with company property or attempting to circumvent a security system, and could face 5-20 years in prison.
C) If you can't install software, and you can't boot from external media (and plug and play is disabled, preventing other options) then they can't succeed. If they do, I say it's you who should be fired, unless the user found some zero-day exploit you could not prevent; highly unlikely someone is so desperate to use AIM that they'll risk federal prison for hacking.
D) Let them go. There's a stack of resumes down in HR waiting for people who are here to work 8 hour days and who won't fuck around on the job and waste productivity, let alone become security risks. Fire a couple and the rest stand up and work.
E) If that hobby keeps them from sitting in their seats, logged into the productivity system except when on breaks and logged out as permitted by a floor manager (i.e. when not getting paid), or if they bother other employees, floor managers will learn about it quick, and we'll need yet another resume from HR.
F) If an application that's not approved IS installed (because someone got access to a password they should not have), automatically terminate the user, then bill them for the HR resources required to clean the infected computer of said application. ENSURE they are aware this will be deducted from their last pay check before they accept the job. Remind them occasionally by firing an employee for trying. Network scanning software makes it real easy to detect these kinds of changes, within minutes of it happening.
G) If there's a web site they feel they need to access, business OR personal, and they feel it's a secure site, let them submit a helpdesk request to get it added to the whitelist. Worst that will happen is they get told NO. Even allow the submissions to be anonymous if they feel the site is questionable. As for applications, same thing goes. There will be an approved music and video player on your machine already, and chat IS permitted, provided it's logged to the servers and the chat program security prevents file transfers. Webmail is right out, but if you feel you really need to get personal e-mail in your in box, we'll add your POP credentials to your Exchange account so you can get those messages, and at least they're filtered for spam, virus, and phishing.
You're here to work. People in this country have become too complacent. 20 years ago you got fired for standing at the water cooler too long, now people think it's their right to blow 3 hours a day blogging, that somehow that's all their salary justifies they should work for.
R&D, test labs, pre-production, software QA, software dev systems, etc. should use separate user credentials, and be on separate VLANs. Part of security is limiting physical and logical access, not just permissions and filtering.
Who's the most likely user in your network to get you infected: The CEO. Seen it dozens of times. The one who refuses to accept the same security as other users is the biggest risk in the building, and he's also typically the one with the least work to actually keep him busy (if he's delegating properly).
As far as employee morale, provided it can be monitored for abuse of productivity, access to known secure sites like iGoogle, MSN, etc. are not beyond permissible, but open access to the internet through anything other than personally maintained whitelists in a large corporate environment is just suicide.
IT personnel should simply have a different whitelist than call center employees. I'm not saying everyone needs the same restrictions, but restrictions do need to be in place, and routinely analyzed for necessary changes to policy.
It's both easier and cheaper to simply deploy a system that images the OS drive nightly. Though I do agree users should not have write access to C:, should not have any form of admin rights nor really access to control panels or command line, plug and play should be disabled, and data should only be accessible in a home folder on the network as well as group project folders the user is a member of.
What you are describing is thin computing...
Oh, you can PXE boot Windows, it's just a bitch on the network, and unless you can afford 8+ GB to use as a RAM disk, you'll need an internal HDD to hold parts of the boot image loaded on demand. Mac and Linux have similar limitations so don't harp on Microsoft about it.
Better (similar) solution: VLAN-register all approved, company-owned and validated MAC addresses on the corporate LAN. Give these and only these systems access to the server and network resources they require (and not to resources they don't require) based on their image deployment or intended purpose of use. Internet access for these machines and devices is limited to a strictly maintained whitelist of sites deemed necessary for business or approved as safe for employee use when on breaks or when off the clock (iGoogle, my.Yahoo, etc.), but no web based e-mail, social sites, etc.
Approved personal devices (i.e. helpdesk has manually keyed in the MAC address to a separate ACL after validating the device personally meets company security requirements) are relegated to a VLAN quarantine zone, and are checked for current AV, AS, and OS patches by a batch program. If clean, they're connected to a separate VLAN where filtered internet access is permitted, but on a separate "public" IP range and VLAN from any corporate machines, and with a greatly expanded whitelist of sites accessible. The intent here is to limit bandwidth utilization, not so much for security, though adult sites as well as other known blacklisted sites are automatically blocked. If the device needs patches, they are VLANed into a zone where only the known IPs and ports of the patch sites can be connected to until the patches are installed, then they must disconnect and reconnect to be reverified for access. This process is not so much to protect the company, but the other users' systems who connect to this "public" employee network.
Machines or devices that have not been MAC approved are connected to a VLAN that has no access to the internet at all (no gateway). An exception will be a few APs in the lobby and conference rooms for which the signal range is limited as is connection speed, and which still gets some minimal filtering from blacklisted and adult sites. Employees should be banned from accessing resources in the lobby or designated "guest" areas as all devices entering the building with an employee should be registered with helpdesk if they are to connect to the wireless or wired networks for any reason. Bypassing this should get a warning followed by non-negotiable termination.
MAC-tag all of the corporate machines (should be easy if you're asset tagging systems already). Set up all corporate machines in VLANs assigned by MAC addresses. Set up user groups in your filtering system based on job title, machine type, etc. and strictly limit inside access to the web via whitelists and proxies.
Now, create a separate VLAN, and automatically put all systems in that VLAN that are not on your tagged, approved MAC address listing. Let those machines access the net through a secondary method of access (cheap, high-speed corporate cable service instead of the T1 etc. lines). Place only simple, but secure, filtering measures on that connection (blacklist instead of whitelist, and still incorporate inline file type and virus filtering).
Now your network is secure, and personal devices can still be used, to a limited extent, at work. Lock each active thread down to say 128 or 64K to prevent bandwidth abuse.
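The three-tier admission scheme the post lays out (registered corporate MAC to the whitelisted corporate VLAN, approved personal MAC through a quarantine posture check to either the public blacklist-filtered VLAN or a patch-only zone, anything else to a VLAN with no gateway) can be written down as a small decision function. The code below is an added example, not anything the poster published; the AV-definition age and patch-level thresholds, the VLAN names and the MAC addresses are all constructed for the example.

```python
"""Constructed NAC decision engine for the MAC-registered VLAN tiers
described above. Thresholds, VLAN names and addresses are assumptions
made for this example, not values from the post."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class Vlan(Enum):
    CORPORATE = "corp-whitelist"      # registered company asset, whitelist proxy only
    PUBLIC = "public-blacklist"       # approved personal device that passed posture check
    REMEDIATION = "patch-only"        # approved personal device needing AV/AS/OS updates
    ISOLATED = "no-gateway"           # unregistered device: no route to anything


@dataclass(frozen=True)
class Posture:
    av_definitions_age_days: int      # age of the AV signature set on the device
    antispyware_present: bool
    os_patch_level: int               # monotonically increasing patch baseline number


@dataclass
class Policy:
    corporate_macs: Set[str]          # asset-tagged, helpdesk-registered company machines
    personal_macs: Set[str]           # personal devices helpdesk keyed into the separate ACL
    max_av_age_days: int = 3          # assumed threshold for "current AV"
    min_patch_level: int = 10         # assumed minimum OS patch baseline


def normalize_mac(mac: str) -> str:
    """Canonicalise AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aa:bb:... to lowercase colon form,
    so a registration list and a switch's reported address compare equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def posture_ok(p: Posture, policy: Policy) -> bool:
    """The quarantine batch check: current AV, anti-spyware installed, OS patched."""
    return (p.av_definitions_age_days <= policy.max_av_age_days
            and p.antispyware_present
            and p.os_patch_level >= policy.min_patch_level)


def assign_vlan(mac: str, posture: Optional[Posture], policy: Policy) -> Vlan:
    """Place a connecting device. A missing posture report for a personal device is
    treated as a failed check, so an unchecked device never reaches the public VLAN."""
    m = normalize_mac(mac)
    if m in policy.corporate_macs:
        return Vlan.CORPORATE
    if m in policy.personal_macs:
        if posture is None or not posture_ok(posture, policy):
            return Vlan.REMEDIATION
        return Vlan.PUBLIC
    return Vlan.ISOLATED


# Constructed registration lists, written in the mixed notations real inventories contain.
POLICY = Policy(
    corporate_macs={normalize_mac("00-1A-2B-3C-4D-5E"), normalize_mac("001a.2b3c.4d60")},
    personal_macs={normalize_mac("02:00:00:aa:bb:cc")},
)

if __name__ == "__main__":
    print(assign_vlan("00:1a:2b:3c:4d:5e", None, POLICY))
    print(assign_vlan("02-00-00-AA-BB-CC", Posture(1, True, 12), POLICY))
    print(assign_vlan("02-00-00-AA-BB-CC", Posture(9, True, 12), POLICY))
    print(assign_vlan("de:ad:be:ef:00:01", Posture(0, True, 99), POLICY))
```

The one caveat a practitioner would add: a MAC address identifies a device only to the extent that nobody changes it, so in a real deployment this lookup is the policy layer on top of an authenticated admission method such as 802.1X, and the posture check that the post describes for the quarantine zone is what actually vouches for the device.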
We allow VPN from home as well, but for any user issued a VPN account, we issue corporate versions of AV and spyware, and the VPN has strict port and application access limitations. We also quarantine the system if it does not pass certain AV definition and Windows patch revisions before it gains access to the VPN.
Yes, setting this up was complicated and expensive. If it prevented even a single virus outbreak or security breach, it paid for itself twice over, especially considering the cost of federal red flag legislation, and notifying and paying for ID theft assurance for our customer base if a leak occurred and we even suspected a breach.
I have no problem giving users access to something like iGoogle, or my.yahoo. We log how much time they're connected to non-intranet sites, and if this gets excessive, we notify HR. However, it is CRITICAL that we block access to any unapproved URL. Not doing so is a huge security risk for more reasons than I can count.
If the site is safe, it takes about 10 minutes for a helpdesk ticket to be filed, approved, and that site added to a whitelist. It's easy to log how much time they spend on these sites, and easy to weed out employees who are unproductive not only using this as a gauge, but traditional productivity measurements as well. By default HR gives you a warning once if you fall below certain productivity metrics. Fall below again without some good reasons and you're fired. Simple.
If you think we can't prevent web access, you know very little about proxy and web filtering... There's only one way to get out to the internet, and it cannot be bypassed, not even by our own admin staff unless they actually permit the site to be accessible.
Personal devices? No, I can't prevent people from using their iPhones and Blackberries to access data over cell networks (in fact, we even permit them to connect to wi-fi in a segregated public VLAN, with a small 64K pipe each), but it's very easy for a manager to see if you're using a device at your desk, and there's very little leniency for that. Company policy is your personal devices may not be placed on your desk, but must be in your bag when not in use, and all personal calls, texts, or e-mails must be handled by logging out and walking to the break room.
We allow water cooler conversations and the like, but that's because we track your time at your desk using a company log-in system that's part of the IP phone system and corporate chat network. Employees are trained to set their status as away if they leave their desk (for PCs that access critical personal data, logout is detected by the webcam and is instantaneous). We'll let you have a limited amount of time away from your desk for getting coffee, water, bathroom breaks, and some personal chat time with co-workers, in addition to your required breaks, and we track your productivity in part based on how much time and what kind of patterns you display. If your productivity is high, we're more lenient, but if productivity is low, and you spend a lot of time away from your desk, the managers are alerted to keep a watchful eye on your activity, and if it's deemed lax, you get written up and/or fired.
Generally, we leave the bosses, and HR, to determine if an employee is productive or not, and we have some leniency, especially for employees that take breaks at their desks, but securing the network has NOTHING to do with personal preference, or even productivity. I will NOT allow the use of personal e-mail accounts on the company's systems unless that e-mail is registered with the corporate e-mail servers and passes through several levels of security. I can set up several e-mail accounts under your user name in Exchange, including 3rd party POP accounts, and make it all nice and secure. Accessing through a web browser? Fuck no! I've seen viruses rip a network apart in seconds, I've also seen rampant ID theft simply because some idiot opened an e-mail through an insecure web based mail client and opened an attachment they should not have. That is simply inexcusable, as is anyone trying to go to a hacked webserver that operates as a phishing system or that can install back door zero-day exploits that can bypass our AV security. Further, opening too much web access is a waste of bandwidth, and for a 1000+ user company, bandwidth is NOT cheap...
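The two mechanisms the post combines here, a whitelist-only proxy decision and per-user accounting of time spent on non-intranet sites that is escalated to HR past a threshold, fit in one short policy module. This is an added example written for this page, not the poster's filter or any product's code; the whitelist, the denylist, the intranet suffix, the session parameters and the proxy log lines are all constructed. One detail the example deliberately shows: whitelisting a parent domain such as google.com also admits every subdomain, including the webmail host the post wants blocked, so a denylist has to be checked first.

```python
"""Constructed whitelist proxy decision plus non-intranet time accounting.
All lists, thresholds and log lines are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

WHITELIST = {"google.com", "my.yahoo.com", "news.example.net"}   # approved via helpdesk ticket
DENYLIST = {"mail.google.com"}                                    # webmail: denied even under an allowed parent
INTRANET_SUFFIXES = ("example.corp",)                             # internal hosts are not counted as personal time
IDLE_GAP = timedelta(minutes=15)     # a request this long after the last one starts a new session
DWELL = timedelta(minutes=5)         # assumed reading time credited to the final request of a session


def _labels(host: str) -> List[str]:
    """mail.google.com -> [mail.google.com, google.com, com]: every parent domain."""
    parts = host.lower().rstrip(".").split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def host_allowed(host: str) -> bool:
    """Deny wins over allow; otherwise the host or any parent must be whitelisted."""
    labels = _labels(host)
    if any(label in DENYLIST for label in labels):
        return False
    return any(label in WHITELIST for label in labels)


def is_intranet(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in INTRANET_SUFFIXES)


def parse_log(log: str) -> Iterator[Tuple[datetime, str, str]]:
    """Proxy log format assumed for the example: '<ISO timestamp> <user> <host>'."""
    for line in log.splitlines():
        if line.strip():
            ts, user, host = line.split()
            yield datetime.fromisoformat(ts), user, host


def account(log: str) -> Tuple[Dict[str, float], Dict[str, int]]:
    """Return (minutes of allowed non-intranet browsing per user, denied attempts per user).
    Requests are grouped into sessions; a session is credited its span plus DWELL."""
    sessions: Dict[str, List[List[datetime]]] = defaultdict(list)
    denied: Dict[str, int] = defaultdict(int)
    for ts, user, host in parse_log(log):
        if is_intranet(host):
            continue
        if not host_allowed(host):
            denied[user] += 1          # blocked, but the attempt is still worth recording
            continue
        user_sessions = sessions[user]
        if user_sessions and ts - user_sessions[-1][1] <= IDLE_GAP:
            user_sessions[-1][1] = ts  # extend the current session
        else:
            user_sessions.append([ts, ts])
    minutes = {
        user: sum(((end - start) + DWELL).total_seconds() for start, end in s) / 60
        for user, s in sessions.items()
    }
    return minutes, dict(denied)


def hr_flags(minutes: Dict[str, float], threshold_minutes: float) -> List[str]:
    """Users whose daily non-intranet time exceeds the threshold HR agreed on."""
    return sorted(user for user, m in minutes.items() if m > threshold_minutes)


# Constructed proxy log for one day (chronological, as a proxy would write it).
SAMPLE_LOG = """
2008-11-05T09:00:00 alice www.google.com
2008-11-05T09:01:00 alice www.google.com
2008-11-05T09:30:00 alice intranet.example.corp
2008-11-05T13:00:00 bob my.yahoo.com
2008-11-05T13:02:00 bob mail.google.com
2008-11-05T13:10:00 bob www.google.com
2008-11-05T13:20:00 bob my.yahoo.com
2008-11-05T14:10:00 bob www.google.com
"""

if __name__ == "__main__":
    mins, blocked = account(SAMPLE_LOG)
    print(mins, blocked, hr_flags(mins, threshold_minutes=20))
```

The threshold passed to hr_flags is whatever the company and HR settle on; the 20 minutes used in the example is only there to make the constructed log produce a flag.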
Um, never heard of a "run as" macro? You don't have to be logged in as an admin to run software that requires admin rights.... Not on Mac, Linux, XP or Vista, and if you're using something else, you've got other bigger issues to worry about!
Besides, any software that DOES require admin rights to execute was poorly coded, and should be replaced as soon as possible. Keep in mind any user logged in with admin rights not only has access to their own machines, but an infection could easily spread network wide using those credentials! For every piece of business software you can find that requires admin rights to run, I'll find you five that don't. There might be a cost difference, but the admin labor savings and improved security will outweigh that several times over.
The rare exception might be small offices, 8-10 people, but honestly those are not who we're talking about here, we're discussing enterprise, 500+ user environments, not mom n pop shops that can easily police their staff on their own without IT support.
First, Group Policy makes it very easy to prevent a user with standard credentials from installing any software at all. Network scanning tools like Spiceworks make tracking down unapproved applications quick and easy. If it's a real problem, software like Altiris or Ghost Enterprise can simply re-image the machines nightly, overwriting any changes.
Second, proper firewalling and filtering, combined with a white list of approved sites, and further user based site access tracking quickly stops both employees who try to go where they're not allowed and also stops employees wasting "as much as 3 hours a day surfing the web."
Third, disable plug and play. Now connected devices won't automatically be accessible (certain models of mouse and keyboard, and company-distributed thumb drives, will be installed by default and work automatically). Other devices will need a helpdesk employee to remotely connect to your system to activate. This not only protects you from users installing unapproved software, but also deflects one of the key ways a corporation gets a virus, and also limits data theft. We also disable the DVD drive (or at least hide the icon so you can't access disks). Want to bring files from home? We have a web accessible space for that and all file transactions are logged.
Fourth, block access, using Group Policy, to any control panel or feature a user should not have access to. Leave them their themes, and any other settings that would otherwise be considered an ergonomic or user preference, but block everything else, even sleep and other power settings.
Fifth, lock down file write permissions. Corporate users should not be able to save ANYTHING to their local machine from any application. Everything should go to shared storage.
Lastly (at least all I'm bothering with, there's certainly more), users at the office are expected to be working. They don't need access to all sorts of software and devices that don't directly lead to productivity or company business. On the other hand, we need to allow them their comforts (music players, etc.) so some social applications like iTunes should be approved. If they want something to be available to them, they need to fill out a help request ticket. Any user trying to bypass this process is subject to instant termination or reprimand.
Users will also typically request access to personal e-mail accounts and chat applications. Since we don't want to introduce virus potential (or let them waste too much time per day on it) we allow them to request that helpdesk add additional POP e-mail accounts to their corporate e-mail account, provided they're through approved servers like gmail or MSN. This way, all mail passes through the company's strong filtering systems, and can be considered safe, plus we can also keep an eye on employees over using personal accounts (typically, we throw a red flag if they send more than 15 personal e-mails a day). We allow pre-approved chat applications and rely on floor managers to make sure they're not over-abusing that privilege (plus all chat is logged to a corporate system, so if there's an HR issue, we can pursue it).
Face the facts. You're at work. Unless you're on break, you're expected to leave your personal life at the door. We don't mind you customizing button bars, or loading personalized wallpaper (though we do need it to go through the helpdesk to ensure you're not putting copyrighted or HR-worrisome images on corporate equipment), but beyond that, the machine was provided to you to accomplish a job. We don't mind that you need to keep in touch, and be able to receive critical notifications from family, doctors, school administrators, etc. while at work, but generally we prefer people call you instead since e-mail and chat should not be trusted in emergencies, and can easily be checked when on breaks.
Surfing the web, especially social sites, and even reading the news, should strictly be limited to your time on break. If you want to bring your own notebook to work to do that, we
Just because the problems they solve use 2D, simply because access to a 3D solver means a copy of Mathematica and a PC, not exactly convenient for a school, the principle of solving is the same, and in school we did linear equations in math only, no graphical, to solve multi-variable equations. The principle is the same once you use 3 or more variables, it just takes more time and effort to solve. 50 variables is no different than 3, and they teach 3 at least in high school, usually just 2 in lower grades.
His inputs did not have 50 variables. The wiki article supported that complexity, but not this guy's equations. All he's done is calculate the vote difference needed to win the election on the popular level, and also on the electoral level, then analyze the data to find the smallest number of votes in a state that by itself or in combination with a couple of others would have swung it. This is not that hard... I wouldn't assign something like this as a nightly homework problem, or put it on a test, but there's no reason a couple of 10th graders working as a team could not design the equation, which a computer could then have solved for them.
Google is claiming the device failed because it failed to detect a wireless mic signal that just happened to be using the same frequency as a TV station. In other words, it detected the TV signal, and chose not to use that channel properly, but since it could not also discern the less powerful mic signal hidden on the same frequency, which would not happen since the mic would not have worked on the same channel as a TV station anyway, the FCC failed it.
It's like this: you correctly identify an object as being colored black, but someone tells you you're wrong because under the black paint was red paint, and you were supposed to be able to somehow see both and answer both red and black.
With frequencies, the only one you can see is the stronger one. Had the device been a bit smarter, it may have been able to tell it was a TV signal, and then notice that TV signal was suffering from interference, but even then, determining the source of the interference is extremely difficult. Either way, we chose not to use that channel, and did not affect either the TV signal or the microphone, so technically it should have passed. All it cares about is "is something using this channel or can I?" No logic is necessary to determine if what's using that channel is already subject to interference, yet the FCC failed it anyway. It's clearly a rigged test.
Actually, I much prefer the opposite avenue. Don't LET people vote unless they can pass a very simple set of questions about the candidate they have placed a vote for and prove they have at least some basic understanding of how government works.
If you can't name the top issues, as printed in the paper and approved by each candidate, and discussed over and over in debates, then CLEARLY you do not have the power to make an informed decision, a decision those of us that are informed have to live with. If you don't have a basic education, you should also be denied the right to vote.
1) To vote, a high school diploma is required, or equivalent, for anyone to vote. Aside from that, we'll offer a way to get "certified" to vote by taking a free exam, which we'll allow you to take at any library, government office, at the DMV, even the post office, anywhere you could otherwise register to vote and where someone can check your ID and log you onto a computer to certify it is in fact you taking the exam in person. We'll even allow it to be an open book test, and offer it in several languages. This test will be a bit more involved than the citizenship test, but easier than a GED, and offered to anyone who wants to vote. This test will focus exclusively on the structure of government, the economy, foreign policy, the environment, and other topics taught in high schools that would have an impact on knowledge expected of a common voter. There won't be math problems or deep science issues; this is simply about "do you understand how the government works" as a litmus test for whether you should be allowed to vote. A subset of the GED, basically. If you fail, you can take it again in 3 days, and take it as many times as you want until you pass. You only have to pass once in your lifetime. Again, a high school diploma or equivalent is considered good enough.
2) On the day you vote, we'll remove all references to political parties from the election system. You will be shown each position up for election, one at a time, and simply a list of names that are on the ballot for that position, randomized. When you pick one, you will be shown a list of political parties, and pick the one the candidate is a member of. If you're wrong, your vote does not count for that person. If you can't identify their political party, you CLEARLY don't know enough about them to be considered an informed voter. Next, you will be shown a list of the top 5 debated issues with a short official statement from each candidate about it. Pick any ONE issue, and the statement from your candidate referencing that issue. If you can't determine your candidate's stand on any 1 out of 5 issues, then your vote does not count. This information will be published in the newspaper, made available online, and discussed on TV, and also made available to you AT the polling center. We're not asking you to memorize this stuff, we're just electronically confirming that you are AWARE of their stand on each of the 5 top issues before you register your vote. Feel free to take this into the booth with you so you're certain to get it right. However, this paper cannot have any indication of their political affiliation; that you DO need to know.
This process confirms you at least have a basic understanding of government operation, and that you have been informed of the issues. It means you'll actually have to make SOME effort prior to the election. No more people blindly walking in and voting Republican down the line, like my grandfather has been doing his whole life. Guess what, he got a BIG surprise when I finally sat him down and showed him what the Republican key issues were in the 1950s when he started voting compared to the party platform today. He realized that the Republicans of old are actually the Democrats of today! It's almost a mirror of their core issues from 60 years ago. He said if he knew that in 2000, he'd have voted for Gore, then started to cry. This unfortunately is too common, and it MUST stop.
Actually, linear programming IS basic algebra, but is best solved with geometry skills. Simpler formulas are being used in 6th and 7th grade math. Basic linear programming problems, like calculating the best sale price for profit based on demand, are math standards used in Algebra I, Geometry, and statistics classes alike. In some states using circular math, like NY and Connecticut (tiered learning instead of separating Algebra from Geometry from Trig, which is simply stupid to do since they're all interdependent!), linear programming and advanced logic are taught in the second year of high school math (9th or 10th grade).
But actually, it starts much earlier than high school. My wife teaches 3rd grade now in SC, but linear programming is one of the standards of math she taught a couple years ago when teaching 4th grade. It appears again in the 6th and 8th grade curriculum standards on the state's PACT test.
The wiki article is highly technical, and goes pretty deep into equation design, but honestly, you've been using this stuff for years; it just wasn't called "programming" and you didn't use function notation... (and it has no relation to writing software)
This is exactly the same as kids that use calculus, doing derivatives and more for optics experiments and when dealing with simple velocity equations, in basic physics classes in 6th, 8th and 9th grade, years before actually finding out it's called "calculus", because if they actually told kids that, they'd refuse the work and parents would lobby the schools not to teach that stuff to kids who had not already taken calculus... Honestly, short form derivatives using the 4 shortcut rules is easier than algebra, and many people believe it should actually be taught FIRST, after basic math skills but before geometry and trig.
I go both ways on this argument, and forgive me for responding to an off-topic post, but this one gets me going:
Doctors do make mistakes, and even non-medical professionals can pick up on it. Let's face it, none of us are pro dancers, but all of us see clearly when the dancers on TV screw up. We can look at construction and see faults in it, non-straight lines, gaps in finish, but we're not architects. We can quite easily tell when a doctor has prescribed something that is incorrect by looking online, and it's easy for that to happen. First, docs typically are not informed on your complete condition, only a few symptoms. They don't typically cross check all your prescriptions, only the ones they themselves have prescribed (and most docs are arrogant enough to assume you're not taking anything else without their consent, even over the counter meds and supplements). And also, when something fits the symptoms, it may or may not be the cause.
Part of the problem is that docs are given massive amounts of propaganda by drug companies. Many have been convinced that drugs are available to treat conditions that don't even exist, and others that drugs are necessary when homeopathic remedies (like exercise, proper hydration, or even sleep) will fix it by themselves. And many times, especially in the last 10 years, I've been prescribed medicines that are proprietary and expensive simply because a doctor was given a large sample base of it, got taken to play golf, and got schmoozed into only prescribing that brand.
On the flip side, we are NOT doctors. Just because some TV commercial, or an online article, convinced you that your symptoms mirror those of some horrible sounding medical condition, and you go rushing to your doctor to get some designer medicine for it, the doctor NEEDS to stop you, to run tests, and to confirm first, is this condition even real or threatening; second, do you really have it, or were the symptoms described so generic anyone could have it; and third, is the treatment worth the cure...
Sure, people who have done research into conditions have in fact confirmed their doctors were wrong, but this is a small number. Many, many times this number have gone to doctors demanding treatment and have gotten prescriptions for conditions they did not have, and have caused potential long term organ damage, or actually suffered from serious complications. A much higher number either lost trust in their doctor or changed practitioners because the doctor actually told them the truth, that they did not have that condition, and this is causing false distrust in the medical community. Far more simply lost money on expensive prescriptions that caused no harm, and all of us foot the bill for their insurance coverage.
I don't mind there being some independent bank of knowledge about symptoms and remedies, but any such information provided should be 1) complete, insisting not only on the symptoms, but detailing the tests necessary to confirm it, and listing ALL of the medications and remedies, including non-medicinal remedies, and the side effects of each. No single brand should ever be mentioned. I want a COMPLETE BAN on any kind of medical advertising, even OTC drugs. If you're sick, you don't need to ask your doctor what to take, just the store pharmacist, who will be far more informed than you after watching a 30 second TV commercial. If you're vomiting, have a fever over 101, or have any other symptom outside of the common cold, GO SEE YOUR DOCTOR. Online you might find information about a virus going around, but typically that's only national news; you won't find a list of the colds and flu strains running around downtown NYC, so other than a common cold, how do you know what you have is even what's affecting everyone unless there are distinct symptoms, which usually there will not be?
If you go in trying to convince a doctor you have a particular condition, odds are, the symptoms match, and he's going to have a real hard time arguing against it unless he can also come up with a cont
White space is not defined as the small padding between documented frequencies, though a small part of it exists there. White space is the UNUSED frequencies in many markets.
You see, there are more than 40 TV broadcast channels available, and a further 81 digital channels as well, but in any one market or area, typically no more than 10 are ever in use. There is some small bleed over from one market to another, so maybe 15-18 of the channels may have some signal detectable and thus needing to be avoided.
Wireless microphones are pretty much the only other device allowed to operate in this range. Where TV might cover a 100 mile radius of effect, mics have at best a mile or so. There are a lot more of them in use, upwards of 40 for a single concert, and dozens at each TV studio, and your local bands and clubs each may use a few, but I know a few guys in bands, and they don't seem to have any issues with signal crossover themselves when setting up their gear, so there are clearly not so many of these in use that it's a big issue.
A white space detecting wi-fi system would simply scan the spectrum and find a frequency it detects no power on at all. Then, if it feels it's safe, it powers on its antenna and begins broadcasting, but that's not where it stops. Should it detect a signal after it's picked one, it's supposed to automatically fail over to a backup frequency (it also scanned for) and instantly stop broadcasting on the first until it determines the nature of that signal (perhaps it's just another wi-fi base station that it can co-exist with).
Now, we're also not talking about using these things in home deployments. The purpose of this frequency is that it penetrates walls and has a significant range for a small amount of gain. Home users don't need a wi-fi base station with a 5 mile radius of effect... This is for municipal deployment, large campuses, park areas, etc. Businesses won't use it because the range is so great, it's a security risk. In any geographic area, an ISP would deploy these things in a grid pattern, likely each 2-3 miles apart, so there's reasonable signal coverage even if one fails. This means at any one spot, an ISP might be using 5 signals, which I might add use a tighter digital signal range than TV, so 2 or 3 of these might take the channel space of 1 TV station. Maybe there are 3 or 4 ISPs in an area that size with similar devices, so potentially we're talking 16-20 radios, which might use 20% of the white space in a given 5 mile radius, of which less than 20% more is in use by broadcast TV stations. This leaves 60% of the digital frequency range for wireless microphones... 3 times what either TV or WiMax are getting. Why is this an issue?
Besides, for wireless mics, they can change frequencies! TV stations can't, but when your engineer powers on a mic, he checks for interference. If it's a bad channel, he changes it. Once the mic is on, since WiMax would not interfere, the only other potential for interference is someone else using a mic on the same channel. They're used to that. Even if WiMax was using the frequency when he turned it on, it would stop and the mic would get a clear signal unless another mic also came on.
I think the only thing we might be able to propose is limiting WiMax deployment into white space to a certain number of operating base stations on separate channels (some will be bridges on the same channel, so they don't count). Say, limit it to 25 or 30% of the total available white space, and if it comes on and there's not enough, it should report an error. Again, this is limited to ISPs and big municipalities, so I really doubt we'd even hit this number of stations operating at once anyway.
I've been kinda holding on to hope that Opera would put it in... Firefox is kinda slow, and I'm used to Opera's advanced features, gestures, toolbars, etc. I might have to switch eventually... There are some Opera plug-ins that did it in the past, but they fell behind on updates and don't work. I'll go looking for a new one, mostly just been lazy lately.
If the kids can pass the tests on their own merit, self study style, I really don't give a crap if they do the busy work, or waste their time in a classroom. If the kid can do the work already, shit, why not just let him exempt it, and move on to something that challenges his mind enough to WANT to go to class.
I had a similar problem in high school. If my school had that policy in place, I would have completed 3 or 4 more classes each year, and had a dozen or more AP tests under my belt before I entered college. As it was, I managed to get into 4 AP classes my senior year, and exempted classes in college because of them. Combined with a pair of CLEP tests I managed to enter college with credits enough to be within 1 class of being called a sophomore. A self-paced calculus class allowed me to earn that distinction before the end of my 4th week at school.
If I had the chance to sit in a study hall reading fiction, or working on creative writing or art, or hell, just listening to music, instead of being in class bored out of my mind doodling in a book and hoping the teacher understood not to call on me as I clearly wasn't paying attention, I'd have jumped on that chance. In college, most of my professors had a simple policy. There were 2 critical components to class: the pressure tests in the classroom, and the major programming assignments or team assignments due 2-3 times each semester. Your grade in the class, regardless of attendance, homework, minor projects, etc., could not be less than 1 letter grade lower than your average on the tests and major projects. If you got all As, your grade could not be less than a 3.0 for the semester. I abused this privilege in a few classes, especially the busy-work heavy classes, as I was working full time while in college and simply didn't have the time to do the work.
You're right that these kids need to have the option to be pulled aside. Some clear system needs to be in place to identify these kids so the process isn't abused, but it's a workable system. Most schools unfortunately don't have the resources to allow them to take alternate classes or higher level studies, and we can't have them roaming the halls, but most of these kids are self starters anyway, and given access to materials will learn on their own.
Just as the system of providing passing grades to students who do no work is bad, the opposite is true, forcing these over the top smart kids to be stifled by administration, and fall far below their potential is a shame.
Our developers are not permitted to work over 11 hours in any day, and not over 60 hours in a week. Deadlines are pushed back as necessary. We certainly find that fresh minds and rested bodies are far more productive. We also give our salaried employees the option of taking bonus PTO the following week anytime they work over 50 hours in a current one, balancing their 2 week load to 80-90 hours.
But really, we're not talking about devs here. Most of the devs I know pretty much stare at code all day, unless they're scanning code banks online and forums to find a solution to a specific issue. Few of them do anything on a computer at work outside of that. It's the accountants, support reps, call center employees, secretaries, and other general workers that make up 80% of the work force, and who are all paid hourly not salary now with the changes in federal overtime rules (most of them were already hourly anyway); those people waste tons of time at work.... TONS.
It's not really about controlling employees to boost productivity; much more of it is in preventing productivity loss from down systems and workers' inability to be productive in the first place. Also, at a former company, we implemented these policies and cut our IT overhead by nearly 2 million a year, both dropping our IT staff by half and increasing system availability 10%.
Besides, you can't possibly compare a few employees working full time to boost productivity vs 1000 employees potentially wasting 3 hours or more a day (current surveys say this is not only common, but the norm!).
HR and department managers have their own metrics for managing productivity. I'm not even really concerned with a single machine having a software issue or a virus. That's a 90 minute fix that takes 10 minutes of my time to do (to re-image the system automatically after swapping the hard disk with one known to be virus free). What my concern really is about is the overall loss of productivity when that single user accesses an e-mail through an unapproved service, clicks a link and directs a company system at a site that can install a zero day exploit. If you can only go to white listed sites, this is not a big concern. Further, no access to unapproved applications means you can't bypass the 3 layers of security we have, one of which would likely have stopped the e-mail in the first place.
We allow you to suggest sites to the white list (personal or business reasons) and most are approved instantly. We allow you to suggest applications only for business purposes (you can bring your own PC from home to do anything else, and it gets access to a completely separate network). You can request a personal POP account be added to your Exchange account. This ensures proper mail filtering and security is maintained.
We're not unreasonable, we're just strict.
In many companies I've consulted for, they measure downtime in the thousands of dollars a minute. Some of them in the millions per hour. A security breach for some of my clients could cost tens of millions of dollars in addition to that.
I'm not suggesting your local small biz with 25 employees have this rigid of a structure (unless they are bound by SOX or HIPAA, or some banking regulations, in which case, it's not their choice). In fact, the regulations apply to more than 3 times the number of businesses that currently comply. They can't police all the networks, so instead, they heavily fine and potentially shut down those who violate. I'm not doing my job if I don't uphold STIG.
I'm not talking about strictly monitoring what you do every minute, or ordering strict scheduled breaks...
You get 1 hour each 8 hour shift (more if you work a longer shift). You can break that up however you like, provided that in this state by law, you have to take a single break not less than 30 minutes, and cannot take that break under orders from management within the first or last hour of your shift. We don't order you to take breaks at all; take them when you want, provided you log out to take them, and provided minimum company staffing rules for your department are enforced (you can't all go to lunch exactly at 12:00 and leave the call center empty).
In addition, we allow roughly 30 minutes a day for you to work on a personal project, outside of your job duties. This can be for simply letting your brain unwind after a tough issue is resolved, take an extra 30 minutes for lunch, run an errand, read the paper, whatever you like. This is paid time, not unpaid time like lunch.
Outside of that, you're on the clock for 8 hours. We expect you to actually be working during that time. I don't care when or how you break, or how you deal with your outside life issues, but loosening network security or data integrity, or wasting IT time hunting down buggy programs and viruses in the network, that simply won't happen.
Day off actually. I don't blog at work.
I have both a restricted use system and an unrestricted one on a separate VLAN. One is used for business, the other for research. I am bound by the same security I impose on my users. I do not log in as Admin unless strictly necessary (and often Run As works just as well).
There's no real "crap" on the PCs in our network. Each runs only the services required to do their job, and those required by HIPAA, Sarbanes-Oxley, Federal regulations, DOD STIG, and company security policies which comply with those. AV, AS, and hardware monitoring tools are all that's on them aside from Office where necessary, the IP phone connector, the company chat system (which doubles as the time clock), and the CRM or accounting apps again as necessary. There's not a bunch of bloat. The images are job specific and easily deployable. If you need an app, in most cases I make a quick change to your system image in the software distro app, and in 15 minutes or less it's auto installed. We give users a media player and a few other programs to occupy them at work and on breaks.
If a user wanted to, they have no access to the shell, no control panels, no way to make system level changes. The computer BIOS is locked out, there's no booting from CD or USB, and with plug and play disabled, and the C: and D: drives hidden, and only the home folder and workgroup folders accessible, there is no way for them to mount a volume with which to install a program or infect the machine, and no way to change settings other than wallpaper, font size, and a few ergonomic settings we're required by law to allow you access to.
Anyone needing to take files home is approved to do so, and has a shared, web accessible, encrypted system to access to get those files, and all activity is logged. Moving a file to CD, DVD, thumb drive, etc., is grounds for termination, as is the attempt to mount any unapproved device. Need to load something from a disk? You bring it to IT for scanning and loading to your home folder.
I don't keep them from their favorite, proven safe news sites, or the occasional blog (we do prevent myspace, facebook, etc., but mostly due to HR rules about content accessibility and to help limit bandwidth utilization, not so much for security). They're allowed a whitelist of places to go when they're taking personal time at their desks. We're not inhuman, we just expect certain levels of security, HR accountability, and productivity from our well paid (above regional average) employees.
If you were on my network, and disabled any of the security software on the machine, you'd not only be immediately terminated without exception, but the IT department, through terms in your employee contract, would deduct from your last paycheck consulting time for which to re-image the infected machine (about an hour and a half). If you really pissed us off, you'd be terminated without prejudice and sacrifice your severance pay, potential for unemployment compensation, possibly matching funds in your 401K, and if you'd been here long enough, your pension too. We're bound by regulation to have a minimum security level. Not firing you would get other people fired when the audit comes through. If there's credit card info, SSNs, medical insurance info, or other personal info in your systems anywhere (almost guaranteed HR has them), and if you do business in more than 1 state (or some specific states like NY), then your IT department is bound by these laws, whether they explained that to you or not.
If your image is blue-screening, it is NOT a software issue, but a hardware conflict or more likely a failing HDD or RAM. If you knew shit-one about IT, you'd know that application software does not cause blue screens, only kernel level events. If your system was so sluggish, or routinely failing, it would have been pulled to the helpdesk for a hardware scan to confirm, or re-imaged to eliminate the potential of a corrupt driver. Likely you would have had your system swapped with another while it was being tested. If multiple machines like
I'll comply typically with executives on this, or when a department (like marketing) really does need the camera hooked up, but everyone else can e-mail the JPEG they want to use as a background to themselves; they need not connect the camera. If they're sorting pics from their weekend fun, they can do that on their break on their personal laptop or fucking do it at home!
If they need an application, there's a process to approve it, and it's pushed out through Altiris or SMS, never installed manually, with minor exceptions in the test lab or QA department. If they feel they need access to a website (which we do allow approved sites for personal use, blogging, news, etc., just not webmail, which is too risky), they get their manager to submit a ticket and we'll turn it on ASAP, or they can submit themselves via a low priority ticket and it goes into a listing that's approved on a weekly basis and one of my IT lackeys uploads the white list to the filter.
Users should be controlled. IT has domain over them; the admins are not at their beck and call. Even my CEO has to go through an approval process, and is not permitted to access programs or sites on his company issued computer (he has a personal laptop on a "public" wireless network, completely separate from the corporate LAN, that he can surf with, and if he wants to view porn on his personal PC behind the closed doors of his office, he can, but most people on the "public" WAN do still have at least a blacklist to poll against). There are NO exceptions to the company security policy. Not even for executives. If we have to live with it, so do they, and that goes a long way to morale.
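The deny-by-default web filter and ticket flow described in the two posts above (manager tickets applied right away, self-submitted tickets held for a weekly review, webmail never added), written out as an added Python example. This is not code from the thread or from any product it names; every hostname, department name and the allow-list format are constructed for the example.

```python
"""Whitelist web filter with a ticket queue for additions.

Added example, not code from the original thread. All hostnames,
department names and the allow-list format are hypothetical.
"""
from urllib.parse import urlsplit

# Constructed per-department allow-lists. "_all" applies to everyone.
# A pattern beginning with "." matches that domain and every subdomain.
DEPARTMENT_ALLOW = {
    "_all": {"intranet.example.test", ".example-news.test"},
    "marketing": {".example-social.test"},
    "it": {".example-kb.test", "slashdot.example.test"},
}

# Webmail stays blocked no matter who asks (the "right out" category).
WEBMAIL_BLOCK = {".example-webmail.test", "mail.example-free.test"}


def host_matches(host, pattern):
    """Exact match, or suffix match for ".domain" patterns."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def decide(url, department, allow=DEPARTMENT_ALLOW, block=WEBMAIL_BLOCK):
    """Return (verdict, reason) for one request. Anything unmatched is denied."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ("deny", "unparseable")
    if any(host_matches(host, p) for p in block):
        return ("deny", "webmail")
    permitted = allow.get("_all", set()) | allow.get(department, set())
    if any(host_matches(host, p) for p in permitted):
        return ("allow", "whitelisted")
    return ("deny", "not-whitelisted")


class WhitelistRequests:
    """Manager tickets go live immediately; self-submitted (optionally
    anonymous) tickets wait for the weekly review batch."""

    def __init__(self, allow):
        self.allow = allow          # the live allow-list, mutated on approval
        self.pending = []           # (host, department, anonymous)

    def submit(self, host, department, manager_ticket=False, anonymous=False):
        host = host.lower()
        if any(host_matches(host, p) for p in WEBMAIL_BLOCK):
            return "rejected"       # never added, regardless of who asks
        if manager_ticket:
            self.allow.setdefault(department, set()).add(host)
            return "applied"
        self.pending.append((host, department, anonymous))
        return "queued"

    def weekly_review(self, reviewer):
        """reviewer(host, department) -> bool decides each pending ticket."""
        approved = []
        for host, department, _anonymous in self.pending:
            if reviewer(host, department):
                self.allow.setdefault(department, set()).add(host)
                approved.append(host)
        self.pending.clear()
        return approved


if __name__ == "__main__":
    for url, dept in [("http://www.example-news.test/story", "accounting"),
                      ("https://mail.example-free.test/inbox", "it"),
                      ("http://slashdot.example.test/", "accounting")]:
        print(dept, url, decide(url, dept))
```

The point of keeping the webmail check ahead of the allow-list lookup is that a department entry can never accidentally re-open the category the post treats as the riskiest; the queue only ever widens what is already permitted.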
I'm afraid you have it wrong. They WILL attempt to install stuff and one of these will happen
a) They will succeed
b) They will fail but break something serious in the process (by booting from a special CD from a friend or something like that)
c) They will fail but find some decent workaround
d) They will tell you to fuck off and find a better place to work
e) If they are incompetent enough to do a, c or d they will give up but find another hobby.
So instead of frustrating yourself and your employees, you could just demand a level of productivity in return for a pleasant workplace where having an IM client is not a crime.
A) If IT is doing the job right, it should be impossible for a user to launch an exe. Period. This is simple and cannot be overcome by a user who does not have an admin password. If a user has an admin password, fire the admin and the user both.
B) Change the BIOS to not be able to boot from CD, USB, or any device other than the primary HDD. Enable BIOS passwords. Use business class systems that have firmware monitoring software, and cases that have physical access alarms or keys. Employees that try to get around this get more than fired; they get prosecuted for tampering with company property or attempting to circumvent a security system, and could face 5-20 years in prison.
C) if you can't install software, and you can't boot from external media (and plug and play is disabled, preventing other options) then they can't succeed. If they do, I say it's you who should be fired, unless the user found some zero day exploit you could not prevent; highly unlikely someone is so desperate to use AIM that they'll risk federal prison for hacking.
D) let them go. There's a stack of resumes down in HR waiting for people who are here to work 8 hour days and who won't fuck around on the job and waste productivity, let alone become security risks. Fire a couple and the rest stand up and work.
E) If that hobby keeps them from sitting in their seats, logged into the productivity system except when on breaks and logged out as permitted by a floor manager (i.e. when not getting paid), or if they bother other employees, floor managers will learn about it quick, and we'll need yet another resume from HR.
F) if an application that's not approved IS installed (because someone got access to a password they should not have), automatically terminate the user, then bill them for the HR resources required to clean the infected computer of said application. ENSURE they are aware this will be deducted from their last pay check before they accept the job. Remind them occasionally by firing an employee for trying. Network scanning software makes it real easy to detect these kinds of changes, within minutes of it happening.
G) If there's a web site they feel they need to access, business OR personal, and they feel it's a secure site, let them submit a helpdesk request to get it added to the white list. Worst that will happen is they get told NO. Even allow the submissions to be anonymous if they feel the site is questionable. As for applications, same thing goes. There will be an approved music and video player on your machine already, and chat IS permitted, provided it's logged to the servers and the chat program security prevents file transfers. Webmail is right out, but if you feel you really need to get personal e-mail in your inbox, we'll add your POP credentials to your Exchange account so you can get those messages, and at least they're filtered for spam, viruses, and phishing.
You're here to work. People in this country have become too complacent. 20 years ago you got fired for standing at the water cooler too long; now people think it's their right to blow 3 hours a day blogging, that somehow that's all their salary justifies they should work for.
We accommodate some leniency in allowing you 3
R&D, test labs, pre-production, software QA, software dev systems, etc should use separate user credentials, and be on separate VLANs. Part of security is limiting physical and logical access, not just permissions and filtering.
Who's the most likely user in your network to get you infected: The CEO. Seen it dozens of times. The one who refuses to accept the same security as other users is the biggest risk in the building, and he's also typically the one with the least work to actually keep him busy (if he's delegating properly).
As far as employee morale, provided it can be monitored for abuse of productivity, access to known secure sites like iGoogle, MSN, etc is not beyond permissible, but open access to the internet through anything other than personally maintained white lists in a large corporate environment is just suicide.
IT personnel should simply have a different white list than call center employees. I'm not saying everyone needs the same restrictions, but restrictions do need to be in place, and routinely analyzed for necessary changes to policy.
It's both easier and cheaper to simply deploy a system that images the OS drive nightly. Though I do agree users should not have write access to C:, should not have any form of admin rights nor really access to control panels or command line, plug and play should be disabled, and data should only be accessible in a home folder on the network as well as group project folders the user is a member of.
What you are describing is thin computing...
Oh, you can PXE boot Windows, it's just a bitch on the network, and unless you can afford 8+ GB to use as a RAM disk, you'll need an internal HDD to hold parts of the boot image loaded on demand. Mac and Linux have similar limitations so don't harp on Microsoft about it.
Better (similar) solution: VLAN register all approved company owned and validated MAC addresses on the corporate LAN. Give these and only these system access to the server and network resources they require (and not to resources they don't require) based on their image deployment or intended purpose of use. Internet access for these machines and devices is limited to a strictly maintained white list of sites deemed necessary for business or approved as safe for employee use when on breaks or when off the clock (iGoogle, my.Yahoo, etc), but no web based e-mail, social sites, etc.
Approved personal devices (i.e. helpdesk has manually keyed in the MAC address to a separate ACL after validating the device personally meets company security requirements) are relegated to a VLAN quarantine zone, and are checked for current AV, AS, and OS patches by a batch program. If clean, they're connected to a separate VLAN where filtered internet access is permitted, but on a separate "public" IP range and VLAN from any corporate machines, and with a greatly expanded white list of sites accessible. The intent here is to limit bandwidth utilization, not so much for security, though adult sites as well as other known blacklisted sites are automatically blocked. If the device needs patches, they are VLANed into a zone where only the known IPs and ports of the patch sites can be connected to until the patches are installed, then they must disconnect and reconnect to be reverified for access. This process is not so much to protect the company, but the other users' systems who connect to this "public" employee network.
Machines or devices that have not been MAC approved are connected to a VLAN that has no access to the internet at all (no gateway). An exception will be a few APs in the lobby and conference rooms for which the signal range is limited as is connection speed, and which still gets some minimal filtering from blacklisted and adult sites. Employees should be banned from accessing resources in the lobby or designated "guest" areas as all devices entering the building with an employee should be registered with helpdesk if they are to connect to the wireless or wired networks for any reason. Bypassing this should get a warning followed by non-negotiable termination.
MAC tag all of the corporate machines (should be easy if you're asset tagging systems already). Set up all corporate machines in VLANs assigned by MAC addresses. Set up user groups in your filtering system based on job title, machine type, etc and strictly limit inside access to the web via white lists and proxies.
Now, create a separate VLAN, and automatically put all systems in that VLAN that are not on your tagged, approved, MAC address listing. Let those machines access the net through a secondary method of access (cheap, high speed corporate cable service instead of the T1 etc lines). Place only simple, but secure filtering measures on that connection (blacklist instead of white list, and still incorporate inline file type and virus filtering).
Now your network is secure, and personal devices can still be used, to a limited extent, at work. Lock each active thread down to say 128 or 64K to prevent bandwidth abuse.
We allow VPN from home as well, but for any user issued a VPN account, we issue corporate versions of AV and spyware, and the VPN has strict port and application access limitations. We also quarantine the system if it does not pass certain AV definition and windows patch revisions before it gains access to the VPN.
Yes, setting this up was complicated and expensive. If it prevented even a single virus outbreak or security breach, it paid for itself twice over, especially considering the cost of federal red flag legislation, and notifying and paying for ID theft assurance for our customer base if a leak occurred and we even suspected a breach.
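As an added illustration of the four-tier MAC/VLAN scheme laid out in this post (corporate white list, approved personal device, patch quarantine, no gateway), here is a small policy model written for this page; it is not the poster's configuration or any NAC product's code. The VLAN names, MAC addresses, patch-level numbers, dates and the age/patch thresholds are constructed, and the posture check is the same one the post applies to VPN clients.

```python
"""Toy network-access-control decision for the MAC/VLAN scheme in the post above.

Added example: the VLAN names, MAC addresses, patch-level numbers and dates are
constructed for illustration and are not the poster's real configuration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed registries: stand-ins for the asset-tag database (corporate
# machines keyed by MAC, with the image they were deployed from) and the
# helpdesk-maintained ACL of approved personal devices.
CORPORATE_MACS = {
    "00:11:22:33:44:01": "callcenter-image",
    "00:11:22:33:44:02": "dev-image",
}
APPROVED_PERSONAL_MACS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}

# Constructed posture policy for the quarantine check: how old AV definitions
# may be, and the minimum OS patch baseline (a hypothetical monotonic number).
MAX_AV_DEFINITION_AGE_DAYS = 3
MIN_OS_PATCH_LEVEL = 42


@dataclass
class Device:
    mac: str
    av_definitions_date: Optional[str] = None   # ISO date reported by the agent
    os_patch_level: Optional[int] = None


@dataclass
class Decision:
    vlan: str
    internet: str   # "whitelist", "blacklist", "patch-sites-only" or "none"
    reason: str


def posture_ok(dev: Device, today: str) -> bool:
    """True only if the device reported current AV definitions and a patched OS."""
    if dev.av_definitions_date is None or dev.os_patch_level is None:
        return False   # no report at all is treated as failing, not as unknown
    age_days = (date.fromisoformat(today) - date.fromisoformat(dev.av_definitions_date)).days
    return age_days <= MAX_AV_DEFINITION_AGE_DAYS and dev.os_patch_level >= MIN_OS_PATCH_LEVEL


def assign_vlan(dev: Device, today: str) -> Decision:
    """Place a connecting device in a VLAN following the post's four tiers."""
    mac = dev.mac.lower()
    if mac in CORPORATE_MACS:
        # Tagged corporate machine: its resources and a strict white list, by image.
        return Decision(f"corp-{CORPORATE_MACS[mac]}", "whitelist",
                        "asset-tagged corporate machine")
    if mac in APPROVED_PERSONAL_MACS:
        if posture_ok(dev, today):
            # Clean personal device: separate public range, blacklist-only filtering.
            return Decision("personal-public", "blacklist",
                            "approved personal device, posture current")
        # Stale AV or patches: only the known patch sites are reachable.
        return Decision("patch-quarantine", "patch-sites-only",
                        "approved personal device, posture stale; reconnect after patching")
    # Unknown MAC: a VLAN with no gateway at all.
    return Decision("unregistered", "none", "MAC not registered with helpdesk")


if __name__ == "__main__":
    today = "2024-01-10"   # constructed
    for dev in (Device("00:11:22:33:44:01"),
                Device("AA:BB:CC:DD:EE:01", "2024-01-09", 45),
                Device("aa:bb:cc:dd:ee:02", "2024-01-01", 45),
                Device("ff:ff:ff:ff:ff:01")):
        d = assign_vlan(dev, today)
        print(f"{dev.mac:18} -> {d.vlan:22} internet={d.internet:16} ({d.reason})")
```

One caveat a practitioner would attach to this model: a MAC address identifies a device only as well as the device chooses to report it, so the registry lookup is a convenience, and the posture check plus the per-VLAN filtering are the controls that actually limit what a misplaced device can reach. Deployments that need stronger device identity usually pair the VLAN assignment with port-based authentication such as 802.1X.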
I have no problem giving users access to something like iGoogle, or my.yahoo. We log how much time they're connected to non-intranet sites, and if this gets excessive, we notify HR. However, it is CRITICAL that we block access to any unapproved URL. Not doing so is a huge security risk for more reasons than I can count.
If the site is safe, it takes about 10 minutes for a helpdesk ticket to be filed, approved, and that site added to a white list. It's easy to log how much time they spend on these sites, and easy to weed out employees who are unproductive not only using this as a gauge, but traditional productivity measurements as well. By default HR gives you a warning once if you fall below certain productivity metrics. Fall below again without some good reasons and you're fired. Simple.
If you think we can't prevent web access, you know very little about proxy and web filtering... There's only one way to get out to the internet, and it can not be bypassed, not even by our own admin staff unless they actually permit the site to be accessible.
Personal devices? No, I can't prevent people from using their iPhones and BlackBerrys to access data over cell networks (in fact, we even permit them to connect to wi-fi in a segregated public VLAN, with a small 64K pipe each), but it's very easy for a manager to see if you're using a device at your desk, and there's very little leniency for that. Company policy is your personal devices may not be placed on your desk, but must be in your bag when not in use, and all personal calls, texts, or e-mails must be handled by logging out and walking to the break room.
We allow water cooler conversations and the like, but that's because we track your time at your desk using a company log-in system that's part of the IP phone system and corporate chat network. Employees are trained to set their status as away if they leave their desk (for PCs that access critical personal data, logout is detected by the webcam and is instantaneous). We'll let you have a limited amount of time away from your desk for getting coffee, water, bathroom breaks, and some personal chat time with co-workers, in addition to your required breaks, and we track your productivity in part based on how much time and what kind of patterns you display. If your productivity is high, we're more lenient, but if productivity is low, and you spend a lot of time away from your desk, the managers are alerted to keep a watchful eye on your activity, and if it's deemed lax, you get written up and/or fired.
Generally, we leave the bosses, and HR, to determine if an employee is productive or not, and we have some leniency, especially for employees that take breaks at their desks, but securing the network has NOTHING to do with personal preference, or even productivity. I will NOT allow the use of personal e-mail accounts on the company's systems unless that e-mail is registered with the corporate e-mail servers and passes through several levels of security. I can set up several e-mail accounts under your user name in Exchange, including 3rd party POP accounts, and make it all nice and secure. Accessing through a web browser? Fuck no! I've seen viruses rip a network apart in seconds, I've also seen rampant ID theft simply because some idiot opened an e-mail through an insecure web based mail client and opened an attachment they should not have. That is simply inexcusable, as is anyone trying to go to a hacked webserver that operates as a phishing system or that can install back door zero day exploits that can bypass our AV security. Further, opening too much web access is a waste of bandwidth, and for a 1000+ user company, bandwidth is NOT cheap...
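The two mechanisms this post relies on, a default-deny white list in the proxy and a per-user tally of time spent on non-intranet sites, fit in one short script. The following is an added example written for this page, not the poster's filtering product or its logs: the hostnames, user names, log format, idle timeout and daily limit are all constructed.

```python
"""White-list web filter plus per-user time accounting over proxy log lines.

Added example, not the poster's filtering product: the hostnames, users, log
format, idle timeout and daily limit below are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

INTRANET_DOMAIN = "intranet.example.local"                                        # constructed
WHITELIST = {"www.igoogle.example", "my.yahoo.example", "docs.vendor.example"}  # constructed
IDLE_TIMEOUT_SEC = 300        # a request "counts" for at most 5 minutes of attention
PERSONAL_LIMIT_MIN = 12.0     # constructed daily threshold before HR is notified

# Constructed proxy log: "<epoch> <user> <url>", one request per line.
SAMPLE_LOG = """\
1700000000 alice http://www.igoogle.example/
1700000600 alice http://docs.vendor.example/manual.pdf
1700001200 alice http://intranet.example.local/timesheet
1700001800 alice http://webmail.example/inbox
1700000000 bob http://www.igoogle.example/
1700000120 bob http://www.igoogle.example/weather
1700000240 bob http://my.yahoo.example/
1700000360 bob http://my.yahoo.example/mail
1700000480 bob http://evil.example/download.exe
1700000600 bob http://www.igoogle.example/
"""


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_intranet(host: str) -> bool:
    return host == INTRANET_DOMAIN or host.endswith("." + INTRANET_DOMAIN)


def allowed(url: str, whitelist=WHITELIST) -> bool:
    """Default deny: only intranet hosts and exact or sub-domain matches of the white list pass."""
    host = host_of(url)
    if is_intranet(host):
        return True
    return any(host == w or host.endswith("." + w) for w in whitelist)


@dataclass
class Report:
    denied: list = field(default_factory=list)       # (user, url) pairs that were blocked
    minutes: dict = field(default_factory=dict)      # user -> minutes on allowed non-intranet sites
    flagged: list = field(default_factory=list)      # users over PERSONAL_LIMIT_MIN


def filter_and_account(log_text: str) -> Report:
    report = Report()
    visits = defaultdict(list)   # user -> timestamps of allowed, non-intranet requests
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, url = line.split(maxsplit=2)
        if not allowed(url):
            report.denied.append((user, url))
            continue
        if not is_intranet(host_of(url)):
            visits[user].append(int(ts))
    # Credit each request with the gap to the next one, capped at the idle
    # timeout, so a single click is not counted as an hour of browsing.
    for user, stamps in visits.items():
        stamps.sort()
        seconds = 0
        for i, t in enumerate(stamps):
            gap = stamps[i + 1] - t if i + 1 < len(stamps) else IDLE_TIMEOUT_SEC
            seconds += min(gap, IDLE_TIMEOUT_SEC)
        report.minutes[user] = seconds / 60
        if report.minutes[user] > PERSONAL_LIMIT_MIN:
            report.flagged.append(user)
    return report


if __name__ == "__main__":
    r = filter_and_account(SAMPLE_LOG)
    for user, url in r.denied:
        print(f"DENY  {user:6} {url}")
    for user, m in r.minutes.items():
        note = "  <- notify HR" if user in r.flagged else ""
        print(f"{user:6} {m:5.1f} min off-intranet{note}")
```

The matching deliberately compares the parsed hostname rather than searching the URL string, so a white-listed name embedded elsewhere in a URL (in a path, or as a prefix of a longer domain) does not slip through; the denied list is what a helpdesk ticket queue for new site requests would be fed from.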
Um, never heard of a "run as" macro? You don't have to be logged in as an admin to run software that requires admin rights.... Not on Mac, Linux, XP or Vista, and if you're using something else, you've got other bigger issues to worry about!
Besides, any software that DOES require admin rights to execute was poorly coded, and should be replaced as soon as possible. Keep in mind any user logged in with admin rights not only has access to their own machines, but an infection could easily spread network wide using those credentials! For every piece of business software you can find that requires admin rights to run, I'll find you five that doesn't. There might be a cost difference, but the admin labor savings and improved security will outweigh that several times over.
The rare exception might be small offices, 8-10 people, but honestly those are not who we're talking about here, we're discussing enterprise, 500+ user environments, not mom n pop shops that can easily police their staff on their own without IT support.
First, Group Policy makes it very easy to prevent a user with standard credentials from installing any software at all. Network scanning tools like Spiceworks make tracking down unapproved applications quick and easy. If it's a real problem, software like Altiris or Ghost Enterprise can simply re-image the machines nightly, overwriting any changes.
Second, proper firewalling and filtering, combined with a white list of approved sites, and further user based site access tracking quickly stops both employees who try to go where they're not allowed and also stops employees wasting "as much as 3 hours a day surfing the web."
Third, Disable plug and play. Now connected devices won't automatically be accessible. (Certain models of mouse and keyboard, and company distributed thumb drives will be installed by default and work automatically.) Other devices will need a helpdesk employee to remotely connect to your system to activate. This not only protects you from users installing unapproved software, but also deflects one of the key ways a corporation gets a virus, and also limits data theft. We also disable the DVD drive (or at least hide the icon so you can't access disks). Want to bring files from home? We have a web accessible space for that and all file transactions are logged.
Fourth, block access, using group policy, to any control panel or feature a user should not have access to. Leave them their themes, and any other settings that would otherwise be considered an ergonomic or user preference, but block everything else, even sleep and other power settings.
Fifth, Lock down file write permissions. Corporate users should not be able to save ANYTHING to their local machine from any application. Everything should go to shared storage.
Lastly, (at least all I'm bothering with, there's certainly more), Users at the office are expected to be working. They don't need access to all sorts of software and devices that don't directly lead to productivity or company business. On the other hand, we need to allow them their comforts (music players, etc) so some social applications like iTunes should be approved. If they want something to be available to them, they need to fill out a help request ticket. Any user trying to bypass this process is subject to instant termination or reprimand.
Users will also typically request access to personal e-mail accounts and chat applications. Since we don't want to introduce virus potential (or let them waste too much time per day on it) we allow them to request that helpdesk add additional POP e-mail accounts to their corporate e-mail account, provided they're through approved servers like gmail or MSN. This way, all mail passes through the company's strong filtering systems, and can be considered safe, plus we can also keep an eye on employees over using personal accounts (typically, we throw a red flag if they send more than 15 personal e-mails a day). We allow pre-approved chat applications and rely on floor managers to make sure they're not over abusing that privilege (plus all chat is logged to a corporate system, so if there's an HR issue, we can pursue it).
Face the facts. You're at work. Unless you're on break, you're expected to leave your personal life at the door. We don't mind you customizing button bars, or loading personalized wallpaper (though we do need it to go through the helpdesk to ensure you're not putting copyrighted or HR worrisome images on corporate equipment), but beyond that, the machine was provided to you to accomplish a job. We don't mind that you need to keep in touch, and be able to receive critical notifications from family, doctors, school administrators, etc while at work, but generally we prefer people call you instead since e-mail and chat should not be trusted in emergencies, and can easily be checked when on breaks.
Surfing the web, especially social sites, and even reading the news, should strictly be limited to your time on break. If you want to bring your own notebook to work to do that, we
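Both the earlier post's point F (unapproved installs detected by network scanning within minutes) and the "First" step above (tracking down unapproved applications with an inventory tool) come down to the same comparison: what a scan finds on a host versus what its image is allowed to carry, plus what changed since the last scan. The script below is an added example written for this page standing in for that step; it is not Spiceworks or Altiris output, and the image baselines, host names, package names and versions are constructed.

```python
"""Flag software that is not on the approved list for a machine's image.

Added example standing in for the network-scanning step in the posts above;
it is not Spiceworks or Altiris output. The image baselines, host names and
package names are constructed.
"""
from typing import Dict, List, Tuple

# Constructed baselines: image name -> packages approved for that image.
APPROVED_BY_IMAGE = {
    "callcenter-image": {"office-suite", "softphone", "corp-chat", "approved-media-player"},
    "dev-image": {"office-suite", "corp-chat", "ide", "git", "approved-media-player"},
}
# Constructed asset database: host -> image it was deployed from.
HOST_IMAGE = {"cc-ws-017": "callcenter-image", "dev-ws-003": "dev-image"}

# Constructed inventory export: "host<TAB>package<TAB>version" per line.
SAMPLE_INVENTORY = """\
cc-ws-017\toffice-suite\t12.0
cc-ws-017\tsoftphone\t2.1
cc-ws-017\taim-client\t5.9
dev-ws-003\tide\t3.0
dev-ws-003\tgit\t2.4
dev-ws-003\tcorp-chat\t1.1
qa-ws-099\toffice-suite\t12.0
"""

Inventory = Dict[str, Dict[str, str]]   # host -> {package: version}


def parse_inventory(text: str) -> Inventory:
    inv: Inventory = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, pkg, ver = line.split("\t")
        inv.setdefault(host, {})[pkg] = ver
    return inv


def find_unapproved(inv: Inventory) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (unapproved packages as (host, pkg, version), hosts with no image on record)."""
    unapproved, unregistered = [], []
    for host, pkgs in inv.items():
        image = HOST_IMAGE.get(host)
        if image is None:
            unregistered.append(host)     # nothing to compare against: escalate, don't ignore
            continue
        approved = APPROVED_BY_IMAGE[image]
        for pkg, ver in pkgs.items():
            if pkg not in approved:
                unapproved.append((host, pkg, ver))
    return unapproved, unregistered


def new_since(previous: Inventory, current: Inventory) -> List[Tuple[str, str, str]]:
    """Packages present now that were absent (or at a different version) in the last scan."""
    changes = []
    for host, pkgs in current.items():
        before = previous.get(host, {})
        for pkg, ver in pkgs.items():
            if before.get(pkg) != ver:
                changes.append((host, pkg, ver))
    return changes


if __name__ == "__main__":
    now = parse_inventory(SAMPLE_INVENTORY)
    bad, unknown = find_unapproved(now)
    for host, pkg, ver in bad:
        print(f"UNAPPROVED {host}: {pkg} {ver}")
    for host in unknown:
        print(f"UNREGISTERED HOST {host}: no image on record")
    # A second scan a few minutes later: a new package appeared on dev-ws-003.
    later = parse_inventory(SAMPLE_INVENTORY + "dev-ws-003\tunknown-tool\t0.1\n")
    for host, pkg, ver in new_since(now, later):
        print(f"NEW SINCE LAST SCAN {host}: {pkg} {ver}")
```

A host that the asset database does not know about is reported separately rather than silently skipped, since an unregistered machine on the corporate segment is a finding in its own right; the version-aware diff is what lets a scheduled scan raise an alert shortly after a change rather than at the next full audit.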
Just because the problems they solve use 2D, simply because access to a 3D solver means a copy of Mathematica and a PC, not exactly convenient for a school, the principle of solving is the same, and in school we did linear equations in math only, no graphical, to solve multi-variable equations. The principle is the same once you use 3 or more variables, it just takes more time and effort to solve. 50 variables is no different than 3, and they teach 3 at least in high school, usually just 2 in lower grades.
His inputs did not have 50 variables. The wiki article supported that complexity, but not this guy's equations. All he's done is calculate the vote difference needed to win the election on the popular level, and also on the electoral level, then analyze the data to find the smallest number of votes in a state that by itself or in combination with a couple of others would have swung it. This is not that hard... I wouldn't assign something like this as a nightly homework problem, or put it on a test, but there's no reason a couple of 10th graders working as a team could not design the equation, which a computer could then have solved for them.
Google is claiming the device failed because it failed to detect a wireless mic signal that just happened to be using the same frequency as a TV station. In other words, it detected the TV signal, and chose not to use that channel properly, but since it could not also discern the less powerful mic signal hidden on the same frequency, which would not happen since the mic would not have worked on the same channel as a TV station anyway, the FCC failed it.
It's like this: You correctly identify an object as being colored black, but someone tells you you're wrong because under the black paint was red paint, and you were supposed to be able to somehow see both and answer both red and black.
With frequencies, the only one you can see is the stronger one. Had the device been a bit smarter, it may have been able to tell it was a TV signal, and then notice that TV signal was suffering from interference, but even then, determining the source of the interference is extremely difficult. Either way, we chose not to use that channel, and did not affect either the TV signal or the microphone, so technically it should have passed. All it cares about is "is something using this channel or can I"; no logic is necessary to determine if what's using that channel is already subject to interference, yet the FCC failed it anyway. It's clearly a rigged test.
Actually, I much prefer the opposite avenue. Don't LET people vote unless they can pass a very simple set of questions about the candidate they have placed a vote for and prove they have at least some basic understanding of how government works.
If you can't name the top issues, as printed in the paper and approved by each candidate, and discussed over and over in debates, then CLEARLY you do not have the power to make an informed decision, a decision those of us that are informed have to live with. If you don't have a basic education, you should also be denied the right to vote.
1) to vote, a high school diploma is required, or equivalent, for anyone to vote. Aside from that, we'll offer a way to get "certified" to vote by taking a free exam, which we'll allow you to take at any library, government office, at the DMV, even the post office, anywhere you could otherwise register to vote and where someone who can check your ID and log you onto a computer to certify it is in fact you taking the exam in person. We'll even allow it to be an open book test, and offer it in several languages. This test will be a bit more involved than the citizenship test, but easier than a GED, and offered to anyone who wants to vote. This test will focus exclusively on the structure of government, the economy, foreign policy, the environment, and other topics taught in high schools that would have an impact on knowledge expected of a common voter. There won't be math problems or deep science issues, this is simply about "do you understand how the government works" as a litmus test for should you be allowed to vote. A subset of the GED basically. If you fail, you can take it again in 3 days, and take it as many times as you want until you pass. You only have to pass once in your lifetime. Again, high school diploma or equivalent is considered good enough.
2) On the day you vote, we'll remove all references to political parties from the election system. You will be shown each position up for election, one at a time, and simply a list of names that are on the ballot for that position, randomized. When you pick one, you will be shown a list of political parties, and pick the one the candidate is a member of. If you're wrong, your vote does not count for that person. If you can't identify their political party, you CLEARLY don't know enough about them to be considered an informed voter. Next, you will be shown a list of the top 5 debated issues with a short official statement from each candidate about it. Pick any ONE issue, and the statement from your candidate referencing that issue. If you can't determine your candidate's stand on any 1 out of 5 issues, then your vote does not count. This information will be published in the newspaper, made available online, and discussed on TV, and also made available to you AT the polling center. We're not asking you to memorize this stuff, we're just electronically confirming that you are AWARE of their stand on each of the 5 top issues before you register your vote. Feel free to take this into the booth with you so you're certain to get it right. However, this paper can not have any indication of their political affiliation, that you DO need to know.
This process confirms you at least have a basic understanding of government operation, and that you have been informed of the issues. It means you'll actually have to make SOME effort prior to the election. No more people blindly walking in and voting republican down the line, like my grandfather has been doing his whole life. Guess what, he got a BIG surprise when I finally sat him down and showed him what the republican key issues were in the 1950s when he started voting compared to the party platform today. He realized that the republicans of old are actually the democrats of today! It's almost a mirror of their core issues from 60 years ago. He said if he knew that in 2000, he'd have voted for Gore, then started to cry. This unfortunately is too common, and it MUST stop.
Also, the electoral college
Actually, linear programming IS basic algebra, but is best solved with geometry skills. Simpler formulas are being used in 6th and 7th grade math. Basic linear programming problems, like calculating the best sale price for profit based on demand, are math standards used in Algebra I, Geometry, and statistics classes alike. In some states using circular math, like NY and Connecticut (tiered learning instead of separating Algebra from Geometry, from Trig, which is simply stupid to do since they're all interdependent!) Linear programming and advanced logic are taught in the second year of high school math (9th or 10th grade).
But actually, it starts much earlier than High School. My wife teaches 3rd grade now in SC, but Linear programming is one of the standards of math she taught a couple years ago when teaching 4th grade. It appears again in the 6th and 8th grade curriculum standards on the state's PACT test.
The wiki article is highly technical, and goes pretty deep into equasion design, but honestly, you've been using this stuff for years, it just wasn't called "programming" and you didn't use function notation... (and it has no relation to writing software)
This is exactly the same as kids that use calculus, doing derivatives and more for optics experiments and when dealing with simple velocity equations, in basic physics classes in 6th, 8th and 9th grade years before actually finding out it's called "calculus" because if they actually told kids that, they'd refuse the work and parents would lobby the schools not to teach that stuff to kids who had not already taken calculus... Honestly, short form derivatives using the 4 shortcut rules is easier than algebra, and many people believe it should actually be taught FIRST, after basic math skills but before geometry and trig.
I go both ways on this argument, and forgive me for responding to an off-topic post, but this one gets me going:
Doctors do make mistakes, and even non-medical professionals can pick up on it. Let's face it, none of us are pro dancers, but all of us see clearly when the dancers on TV screw up. We can look at construction and see faults in it, non straight lines, gaps in finish, but we're not architects. We can quite easily tell when a doctor has prescribed something that is incorrect by looking online, and it's easy for that to happen. First, docs typically are not informed on your complete condition, only a few symptoms. They don't typically cross check all your prescriptions, only the ones they themselves have prescribed (and most docs are arrogant enough to assume you're not taking anything else without their consent, even over the counter meds and supplements). And also, when something fits the symptoms, it may or may not be the cause.
Part of the problem is that docs are given massive amounts of propaganda by drug companies. Many have been convinced that drugs are available to treat conditions that don't even exist, and others that drugs are necessary when homeopathic remedies (like exercise, proper hydration, or even sleep) will fix it by itself. And many times, especially in the last 10 years, I've been prescribed medicines that are proprietary and expensive simply because a doctor was given a large sample base of it, got taken to play golf, and got schmoozed into only prescribing that brand.
On the flip side, we are NOT doctors. Just because some TV commercial, or an online article convinced you that your symptoms mirror that of some horrible sounding medical condition, and you go rushing to your doctor to get some designer medicine for it, the doctor NEEDS to stop you, to run tests, and to confirm first is this condition even real or threatening, second do you really have it, or were the symptoms described so generic anyone could have it, and 3, is the treatment worth the cure...
Sure, people who have done research into conditions have in fact confirmed their doctors were wrong, but this is a small number. Many many times this number have gone to doctors demanding treatment and have gotten prescriptions for conditions they did not have, and have caused potential long term organ damage, or actually suffered from serious complications. A much higher number either lost trust in their doctor or changed practitioners because the doctor actually told them the truth, that they did not have that condition, and this is causing false distrust in the medical community. Far more simply lost money on expensive prescriptions that caused no harm, and all of us foot the bill for their insurance coverage.
I don't mind there being some independent bank of knowledge about symptoms and remedies, but any such information provided should be 1) complete, insisting not only on the symptoms, but detailing the tests necessary to confirm it, and listing ALL of the medications and remedies, including non-medicinal remedies, and the side effects of each. No single brand should ever be mentioned. I want a COMPLETE BAN on any kind of medical advertising, even OTC drugs. If you're sick, you don't need to ask your doctor what to take, just the store pharmacist, who will be far more informed than you after watching a 30 second TV commercial. If you're vomiting, have a fever over 101, or have any other symptom outside of the common cold, GO SEE YOUR DOCTOR. Online you might find information about a virus going around, but typically that's only national news, you won't find a list of the colds and flu strains running around downtown NYC so other than a common cold, how do you know what you have is even what's affecting everyone unless there are distinct symptoms, which usually there will not be?
If you go in trying to convince a doctor you have a particular condition, odds are, the symptoms match, and he's going to have a real hard time arguing against it unless he can also come up with a cont
White space is not defined as the small padding between documented frequencies, thogh a spall part of it exists there. White space are the UNUSED frequencies in many markets.
You see, there are more than 40 TV broadcast chanels available, and a further 81 digital channels as well, but in any one market or area, typically no more than 10 are ever in use. There is some small bleed over from one market to another, so maybe 15-18 of the channels may have some signal detectable and thus needing to be avoides.
Wireless microphones are poretty much the only other dev ice allowed to operate in this range. Where TV might cover 100 mile radius of effect, mics have at best a mile or so. There are a lot more of them in use, upwards of 40 for a single concert, and dozens at each TV studio, and your local bands and clubs each may use a few, but I know a few guys in bands, and they donlt seem to have any issues with signal crossover themselves when setting up their gear, so there are clearly not so many of these in use that it's a big issue.
a white space detecting wi-fi system would simply scan the spectrum and find a frequenct it detects no power on at all. Then, if it feels its safe, it powers on its anteanna and begins broadcasting, but that's not where it stops. Should it detect a signal after its picked one, its supposed to automatically fail over to a backup frequency (it also scanned for) and instantly stop broadcasting on the first until it determines the nature of that signal (perhaps it's just anotehr wi-fi base station that it can co-exist with).
Now, we're also not talking about using these things in home deployments. The purpose of this frequency is that it penetrates walls and has a significant range for a small amount of gain. Home users don;t need a wi-fi base station with a 5 mile radious of effect... This is for municipal deployment, large campuses, park areas, etc. Busineses won't use it because the range is so great, it's a security risk. In any geographic area, an ISP would deploy these things in a grid pattern, likely each 2-3 miles apart, so there's reasonable signal coverage even if one fails. This means at any one spot, an ISP might be using 5 signals, which I might add use a tighter digital signal range than TV, so 2 or 3 of these might take the channel space of 1 TV station. Maybe there's 3 or 4 ISPs in an area that size with simalar devices, so potentially we're talking 16-20 radios, which might use 20% of the white space in a given 5 mile radius, of which less than 20% more is in use by broadcast TV stations. This leaves 60% of the digital frequenct range for wireless microphones... 3 times what either TV or Wi-Max are getting. Why is this an issue?
Besides, wireless mics can change frequencies! TV stations can't, but when your engineer powers on a mic, he checks for interference. If it's a bad channel, he changes it. Once the mic is on, since WiMax would not interfere, the only other potential for interference is someone else using a mic on the same channel. They're used to that. Even if WiMax was using the frequency when he turned it on, it would stop and the mic would get a clear signal unless another mic also came on.
I think the only thing we might be able to propose is limiting WiMax deployment into white space to a certain number of operating base stations on separate channels (some will be bridges on the same channel, so they don't count). Say, limit it to 25 or 30% of the total available white space, and if it comes on and there's not enough, it should report an error. Again, this is limited to ISPs and big municipalities, so I really doubt we'd even hit this number of stations operating at once anyway.
I've been kinda holding on to hope that Opera would put it in... Firefox is kinda slow, and I'm used to Opera's advanced features, gestures, toolbars, etc. I might have to switch eventually... There are some Opera plug-ins that did it in the past, but they fell behind on updates and don't work. I'll go looking for a new one; I've mostly just been lazy lately.
If the kids can pass the tests on their own merit, self-study style, I really don't give a crap if they do the busy work or waste their time in a classroom. If the kid can do the work already, shit, why not just let him exempt it and move on to something that challenges his mind enough to WANT to go to class.
I had a similar problem in high school. If my school had had that policy in place, I would have completed 3 or 4 more classes each year, and had a dozen or more AP tests under my belt before I entered college. As it was, I managed to get into 4 AP classes my senior year, and exempted classes in college because of them. Combined with a pair of CLEP tests, I managed to enter college with enough credits to be within 1 class of being called a sophomore. A self-paced calculus class allowed me to earn that distinction before the end of my 4th week at school.
If I had the chance to sit in a study hall reading fiction, or working on creative writing or art, or hell, just listening to music, instead of being in class bored out of my mind doodling in a book and hoping the teacher understood not to call on me as I clearly wasn't paying attention, I'd have jumped on that chance. In college, most of my professors had a simple policy. There were 2 critical components to class: the pressure tests in the classroom, and the major programming assignments or team assignments due 2-3 times each semester. Your grade in the class, regardless of attendance, homework, minor projects, etc., could not be less than 1 letter grade lower than your average on the tests and major projects. If you got all As, your grade could not be less than a 3.0 for the semester. I abused this privilege in a few classes, especially the busy-work heavy classes, as I was working full time while in college and simply didn't have the time to do the work.
You're right that these kids need to have the option to be pulled aside. Some clear system needs to be in place to identify these kids so the process isn't abused, but it's a workable system. Most schools unfortunately don't have the resources to allow them to take alternate classes or higher level studies, and we can't have them roaming the halls, but most of these kids are self-starters anyway, and given access to materials will learn on their own.
Just as the system of providing passing grades to students who do no work is bad, the opposite is true too: forcing these over-the-top smart kids to be stifled by administration and fall far below their potential is a shame.