Slashdot Mirror


User: dave562

dave562's activity in the archive.

Stories: 0
Comments: 3,324

Comments · 3,324

  1. Re:Too Big to Be Indicted... on NSA's Novel Claim: Our Systems Are Too Complex To Obey the Law · · Score: 1

    The difference is that the banks are being sued and the underlying data (loan records, underwriting guidelines, securities information, etc.) is being preserved and provided to plaintiffs and defendants. The NSA is refusing to do collection / preservation / discovery at all.

  2. Re:Lack of Trust on Parents Mobilize Against States' Student Data Mining · · Score: 1

    Right. And every child is a special snowflake, so different than their peers and the generations that came before them. Heaven forbid that people who have dedicated their lives to educating children should be allowed to leverage data sets and discuss those data sets with their peers.

    Children inherit their values from their parents until they are old enough to develop their own. The community are the educators who are teaching the children. Nerds talk about nerd stuff. Jocks talk about sports. Teachers talk about education. Children have plenty of opportunities to choose various paths. If as a parent you have problems with teachers doing what teachers do, then maybe you should educate your children yourself.

    Personally, I went through the public school system and I turned out well enough. I can support myself and my family. I contribute to my community. I was in GATE (Gifted and Talented Education). It was one of those evil programs where educators got together and put together curriculums tailored to "Gifted and Talented" students. (http://www.cde.ca.gov/sp/gt/gt/) There were criteria and tests required to get into it. I was ranked against my peers. Oddly enough, everything turned out alright in the end.

  3. Re:Lack of Trust on Parents Mobilize Against States' Student Data Mining · · Score: 1

    You just assigned me a belief that I do not have. I was simply making an example. Replace "make more money" with "more likely to help an old lady across the street" if it makes you feel better.

    Now are you asserting that because there are some incompetent teachers out there that educators should not tune their curriculum to produce more students who are inclined to help old ladies across the street?

    You do realize that with a large enough sample size, the impact of singularly incompetent actors will not statistically influence the results, right?

    Students have different learning styles. The algebra teacher who you thought was incompetent may have just had a teaching style that was incompatible with your learning style. I struggled with high school math in school and always had to retake it in summer school. The second time through, I got A's and finally absorbed the material. With regards to math, I needed to see the end state. Math was not taught to me in that way. It was taught in isolated steps that were pieced together to solve larger equations. Until I saw how everything fit together, I was unable to conceptualize the individual concepts and failed. Is that the teacher's fault? Is it mine? Or is it simply a fact that one size does not fit all in terms of education?

    The records of violence that you are so concerned about are already recorded and are not stopping people from getting firearms. The records of minors are sealed when they turn 18.

  4. Lack of Trust on Parents Mobilize Against States' Student Data Mining · · Score: 3, Interesting

    Every educator that I have known has acted with positive intent and a genuine desire to make the lives of future generations better. People do not go into education, especially in public schools, because they want to get rich or amass influence and personal power. They do so because they are gluttons for punishment and believe that it is their duty as human beings to make the world a better place.

    As a society, we see our data being used against us. Whereas the educators are trying to track the effectiveness of their programs, citizens are fearful of the data being mined for nefarious purposes. Some things that come to mind are increased healthcare premiums / denial of coverage, and denied job opportunities due to invasive background screening. I am sure that the concerns that people have are numerous.

    The other side of the equation is compelling though. If the educators are gathering data showing that people who failed or never took geometry end up making 50% less than students who do pass geometry, they will more than likely look to tailor the curriculum to help students develop the skills and abilities required to pass geometry.

    The other issue is monetization of data. Nobody wants to be a product, especially if they are not receiving any benefits. To use the geometry example above, if the data sets are being mined to extrapolate data like, "Students who pass geometry are 50% more likely to purchase a luxury automobile." and that data is then sold to marketers to target Facebook advertising, people are going to be understandably upset.

    It all comes down to trust. Even if the educators can prove that their intentions are pure, what about the third parties they engage? What if the third party is initially pure, but then they go bankrupt and the personal data is sold as part of the liquidation of the company? Who is going to control what the fourth party does with it?

  5. That's how they did it! on How FBI Informant Sabu Helped Anonymous Hack Brazil · · Score: 4, Interesting

    Recently there was an article about how the FBI was having problems recruiting competent IT talent due to their zero tolerance policy with marijuana.

    Apparently that problem has been solved. All they really need to do is arrest the people who have the skills that they need, and then coerce them into doing the work that needs to be done.

    We all know that the prison system is often tapped as a source of unskilled and low skilled labor. Obviously this is just taking that model to a new level. What's next? Mass incarceration of BitTorrent users who will then be forced into the life of skript kiddies in exchange for money on the books at the Club Fed commissary?

  6. Re:Preventing Stingray from working on US Marshals Seize Police Stingray Records To Keep Them From the ACLU · · Score: 2

    Does it need to be that complicated with the signal strength readings? I am not up to speed on cellular technology, but don't cell towers have the equivalent of a MAC address? Surely there has to be some sort of hardware identifier that is visible. We are talking about TCP/IP here....

    If so, it would be easy enough to develop a database of legit addresses and do a look up against that list every time a hand-off occurs. The list could be easily pared down by county / state / zip code.

  7. AT&T is the worst for this on AT&T Charges $750 For One Minute of International Data Roaming · · Score: 1

    I used to work for an organization where a handful of our users traveled internationally on a fairly regular basis (a few times a year). Because permanent international plans were much too expensive, we "activated" international roaming on an as needed basis. Without fail, every month following an international roaming activation AT&T would fail to restore the account back to its previous plan. The plans always ended up on the most expensive plan AT&T had at the time, completely ignoring the corporate plan that we had with them.

  8. Re:Pointless on TrueCrypt Cryptanalysis To Include Crowdsourcing Aspect · · Score: 5, Interesting

    This is what we are seeing in the field. A number of large financial institutions and government organizations who we deal with on a regular basis have already told us that they are no longer going to use TrueCrypt.

    Most of them are moving towards SecureZIP from PKWARE because it supports AES-256 and is FIPS 140 compliant. Others seem to be okay with 7-Zip's "encrypted zip" feature (also AES-256). Others are looking at random packages that I have never heard of before last week, like BestCrypt. Of course there are others who want to go with Symantec's PGP.

    This has proven to be a major pain in the ass. For all of its warts, TrueCrypt was the de facto standard for secure data exchange. Now we are seeing a Balkanization of encryption software, and organizations are moving in different directions.

    Personally I think that TrueCrypt is good enough for transferring data on an external USB drive and protecting it against accidental or intentional theft (by anyone other than the NSA). However it is going to be impossible to convince others of that, and I cannot state it with 100% certainty so I am not even trying to have that conversation within the business context.

    As long as Client X is demanding encryption tool Z, that is fine. We will use that tool and let them shoulder the risk. After all, they are telling us what to use, not the other way around.

  9. Warez on Ask Slashdot: What Inspired You To Start Hacking? · · Score: 1

    I guess I am the only person lame enough to admit it. I learned ASM to crack copy protection. A side effect was I developed the knowledge to code virii. I got into phreaking to swap the zero day. I started going to 2600 meetings and Defcon after I read The Hacker Crackdown and thought it would be cool to see Gail Thackeray and other assorted miscreants in the flesh. From there it was on to cell phones (Oki 900 anyone?) and all the other goodness that flowed from LA 2600 like being inspired by listening to Aleph One talking about buffer overflows.

    These days I am only aware enough of what "hackers" are up to to maintain a slightly above average defensive posture. Being a security guy comes with too much liability and the inevitability that your site is going to get hacked at some point if the data you are protecting is valuable enough. I fell out of the scene after I turned 18 because I did not want to deal with the legal repercussions of what I was up to. And honestly I was not smart enough to discover the exploits myself. When you are hanging out with people who were on the cutting edge of things like buffer overflows, cell phone hacking and others who were working for the NSA... it tends to make you feel a bit dumb.

  10. License researchers like investigators on Security Researchers Threatened With US Cybercrime Laws · · Score: 3, Insightful

    I work for a company that does a lot of forensics work, including collections activities and incident response. The company has to be licensed as a "private investigator" in all of the states that our employees do collections in.

    It seems like a similar licensing regime would be a good place to start for computer security researchers.

    It might also be worth considering making the researchers or their employer carry a bond as collateral against any potential damage that they might inadvertently cause.

    It has been my experience that when people and organizations have something to lose (like forfeiture of a bond or loss of a license / ability to do business), they tend to act in a more predictable manner, and within well established guidelines.

    There might also be some lessons to be learned from maritime law. In a way, researchers are sort of like privateers on the digital oceans. (So yes, once again, pirates ARE better than ninjas. Just in case there was ever any doubt.)

  11. Re:Fishy on TrueCrypt Website Says To Switch To BitLocker · · Score: 1

    Define trust...

    I trust it to render any disks physically removed from the server worthless.

    I trust it to render any disks that are not unlocked with a verified key unreadable.

    I do not trust it to be free from back doors that facilitate access by law enforcement.

  12. Related Tangent - Accenture on No, HealthCare.gov Doesn't Require 500 Million Lines of Code · · Score: 1

    Is Accenture still in the running to redo the web site? I am curious to see how they do with it, given the way they handled the London Stock Exchange revamp a while ago.

  13. Re:Blizzard Shizzard on Blizzard Sues Starcraft II Cheat Creators · · Score: 1

    Have they not figured it out, or is the solution too compute intensive on the server?

  14. Re:Get good insurance on Ask Slashdot: Anti-Theft Products For the Over-Equipped Household? · · Score: 1

    Your car was only worth three grand, and State Farm made you fight to get the money?

    That sucks.

    For a perspective from the other side of the fence, I have been through more than a few accidents with them (all my fault). At one point they dropped me, but half a decade after that I talked them into taking me back once all of the points fell off of my record. I have not had an accident since.

    In two of the accidents, my car was a total loss. I was able to buy the car back from them and fix it up with the difference between the total loss settlement, and the cost of the buy back. In an accident that I was not at fault for, they got me 20% more than blue book value for the car.

    I think the moral of the story is that they make a good friend, and a terrible enemy.

  15. Re:Get good insurance on Ask Slashdot: Anti-Theft Products For the Over-Equipped Household? · · Score: 1

    I have been with State Farm for almost 20 years and have filed multiple claims. The reason I continue to pay their far above average premiums is because they never give me any flak about filing a claim.

    I have made multiple automobile claims and two against the renters policy for damaged computer equipment. All of them have gone smoothly.

    What's your beef with State Farm?

  16. Conversation Successfully Reframed on Gen. Keith Alexander On Metadata, Snowden, and the NSA: "We're At Greater Risk" · · Score: 4, Insightful

    The government does a great job of keeping the conversation focused on "terrorism" and the inevitability of it.

    They never allow the dialogue to shift to the causes of terrorism. We never see discussions about the specific foreign policy elements that generate the hatred and anger that leads to people getting to the point where they are willing to sacrifice their lives to inflict harm to the American economy and way of life.

    Until people begin having real conversations about what we are doing, why we are doing it, what the benefits of doing it are, and what the risks associated with it are, this is going to continue.

    Unfortunately it seems that any sort of multi-faceted conversation like that is not of interest to most of the population. Those who are interested in having those conversations have already had them, and decided that the benefits outweigh the risks. Money in their pockets is worth the cost of a few lives and civil liberties.

    It all comes back to the 1%. There is a small portion of the population that is gambling with the lives of everyone else. Everyone else is too disorganized to remove the 1% from power.

    Until people get to the point where they are willing to publicly stand up and say, "I am tired of living in fear for my life so that WE can make money at the expense of the rest of the world," nothing is going to change. And that is the truth of it. On some level, all of us, ALL OF US, benefit from the current system and are too comfortable with it to do anything more than whine about it online.

  17. Get good insurance on Ask Slashdot: Anti-Theft Products For the Over-Equipped Household? · · Score: 2

    I know it is not what you are asking, but the much more simple solution is to just get a decent renters / home owners insurance policy with a premium that you can afford and a level of coverage that will allow you to replace everything. The added benefit is that if you need to replace it, the odds are the old gear will no longer be available and you will get to purchase newer, better gear. FWIW, my renter's insurance policy with State Farm costs me something like $150 every six months, and has up to $20,000 in coverage. That's more than enough to replace a couple of computers and some television sets.

    If your concern is data loss, you are approaching this the wrong way. You protect against data loss with offsite replication.

  18. Smashing the Stack on Ask Slashdot: What Should Every Programmer Read? · · Score: 1
  19. Comer - Internetworking with TCP/IP on Ask Slashdot: Books for a Comp Sci Graduate Student? · · Score: 0

    In order to be a successful IT professional, an individual must understand: Programming, Networking and Systems Administration.

    On the subject of networking, Comer's work on TCP/IP is invaluable. (http://www.amazon.com/Internetworking-TCP-Volume-One-Edition/dp/013608530X)

  20. Re:Sounds about right on Tech People Making $100k a Year On the Rise, Again · · Score: 1

    They are web apps. There are some outliers where the queries being passed to the web tier for processing are invalid. The good news is that the vendor is limiting those and throwing exceptions, as opposed to just taking them.

  21. Re:Sounds about right on Tech People Making $100k a Year On the Rise, Again · · Score: 1

    I never really got enthusiastic about coding. The first language I learned was BASIC. That was an interesting introduction into IF,ELSE logic. After that I taught myself x86 ASM. That was useful because I could understand virii, crack copy protection and write trainers for games. I work with relational databases a lot so I can write decent TSQL. I have some experience with .Net and recently I have been working with PowerShell. PS is not really a language, but understanding functions and variables helps make it more useful.

    I have always enjoyed systems administration. My knowledge of programming is useful there. Often times it helps when resolving application performance problems. One of our largest vendors and I are at odds over their code. For the longest time I told them that the application is slow because they have a few functions that could be better optimized, and they refused to acknowledge it. I finally convinced my company to invest in dynaTrace. Now I have full process information, from the API, down to the method and function, including the execution timings. The vendor is having a hard time denying the code problems now that I have return values from the stack that are detailing application crashes due to poorly defined arrays or invalid syntax.

    Now that I think about it, I have been doing IT for 18 years (since 1996). Management is where I belong. I am tired of the technology cycle, but understand it well enough to mentor others and help them find success in their own careers. I also understand the technology well enough to keep the vendors in line. At the same time, I can advise the executive leadership on where they should be going with the business and what technology to be involved with. I am working for a mid-sized firm, running a 60 node VMware cluster with ~1400 VMs. It is large enough to keep me engaged with challenging projects. I have over 4PB of data with a 10%+ annual growth rate.

    I have to admit that managing people is a lot more difficult than running systems. With systems, when I want things done a certain way, I can do it exactly that way. People have their own ways of doing things, and often times the more experienced they are, the less receptive they are to taking direction. Dealing with direct reports is easy. You can give them direction, check in every once in a while to make sure they are on track, and help them out when they run into problems. Dealing with peers on the other hand requires a whole different set of skills. It is hard for me to not treat people with contempt when they want to call in consultants to do their jobs. Or to be patient with having to write up business cases and risk analyses, then wait 6 months for the risk to materialize and blow up in someone's face before they finally acknowledge that there really is a better way to do something.

  22. Re:Sounds about right on Tech People Making $100k a Year On the Rise, Again · · Score: 1

    Sucks to be you. You're actually working. I am giving people direction to write code and trolling slashdot while they work.

  23. Sounds about right on Tech People Making $100k a Year On the Rise, Again · · Score: 1

    I have been doing IT for 15 years and broke the six figure mark two years ago. Last year after factoring in bonuses I made a little over $150k.

    I had to move into management to make that salary.

  24. Re:Aren't those guys rocket scientists? on The Dismal State of SATCOM Security · · Score: 1

    I know you are kidding, but the scientists who are putting the satellites into orbit are not the same group as the engineers who are designing the satellites in the first place.

  25. Manage by exception on Ask Slashdot: System Administrator Vs Change Advisory Board · · Score: 1

    We manage our patching process by exception. By that I mean, "bad" patches are held back and everything else goes through. I am responsible for about 1400 VMs running on 60 physical ESX hosts. We have a small subset of VMs that are a representative sample of the environment. Those get patched two weeks ahead of time. If nothing goes wrong with those servers, the corresponding patches are pushed into production.

    We have an exception for the web tier. Those get patched the weekend after patch Tuesday. They are higher risk due to being public facing.

    We have some verbiage in our documentation that states something to the effect of, "We expect that the vendors will properly test and QA their patches before releasing them. We do not have the time to fully vet every patch before deploying it. Therefore we take the following steps to mitigate the potential damage to the environment caused by a bad patch...."

    Snapshots are taken of all VMs before patching. That way in case something slips through the cracks, we can quickly roll back to a known good state.

    If you need to go toe to toe with the CAB, make them provide you with a business case justification that details the perceived risk(s) and danger of not mitigating the risk. If they cannot do that, they are completely worthless.

    Your counter argument then becomes, "Mitigating your perceived risk is going to take xx hours of time. If the risk were to actually occur, we would lose xx hours of time cleaning up."

    At the end of the day, if the risk absolutely has to be mitigated and you do not have enough time with all of your other responsibilities, then they need to provide resources. They can do that by either assigning the task to someone else, or hiring a new employee. Ultimately that is your supervisor's call to make the business case for needing more help. All you can do is quantify the time required to comply, and then make your supervisor make a decision on what you will stop doing because you will now be dealing with the new mandate.

    Try to understand where the CAB is coming from. They probably have a regulatory requirement, either because of the business that your company is in, or because of the business that your clients are in. They have to prove that they have a functional change management process. It seems like they are just going too far overboard with the process. A change management process just needs to show that people cannot make unauthorized changes to the environment whenever they feel like it. It also needs to show that changes that are made are documented. Potentially destructive changes that could impact application or service availability should be discussed, or at the very least, procedures should be developed to mitigate any potential impact of a destructive change.

    Meet them half way. Suggest constructive solutions to address their concerns.