- Bad Attitude
Employment
2010/03/13
I quit early Friday afternoon. I was in a foul mood, partly from lack of sleep the previous two nights, but also because it had just been a crappy, good for nothing week and by 1:00 PM on Friday, I'd had enough of it. I shut down my computer, turned off the lights and left my office.
Actually, financially it had been a good week. In fact, the past month has been decent - if the year keeps up with this, we'll do much better than 2009. Paradoxically, that was also contributing to my end of week funk, because most of the income was from distasteful work: transferring old Unix systems to Windows, and resurrecting crashed machines. It's all money, but none of it is satisfying and often it's one time billing - I may never see the customer again when they've moved to Windows and if I do see them, most of that will be stuff I hate like chasing Windows viruses.
My wife doesn't really understand that. "It's just money", she says, "What difference does it make whether it's a Unix problem or Windows?"
It matters because I don't like the Windows philosophy of monolithic programs not designed to work with other programs. It matters because chasing viruses isn't doing anything productive. It matters.
I was also less cheerful because I may have fired a customer Friday morning. I say "may have" because it's up to them: they have unpaid invoices 60 days old and as much as I may commiserate that times are tough, I'm not going to keep supplying services to someone who isn't paying me. So I told them that I expected immediate payment of past due invoices and from this point on they'd need to maintain a credit balance with me that I'll apply against any future work. They probably won't like that, but I'm adamant - I'm not their partner, their banker or their best friend.
So, for all those reasons, I'd had enough. I did go back and answer a few emails later, but my heart wasn't in it. I needed a break, I took it.
We spent a few hours at the gym this morning. I was still a bit tired and still somewhat grumpy, but felt better after the workout. I intend to ignore work this weekend and hope to greet Monday with a more positive attitude.
Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them.
I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you
to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. If you have any question, please do feel free to contact me.
- Roku Streaming
Misc.,Web-HTML
2010/03/06
We ordered a Roku box last week. If you don't know what that is, it's a little Internet connected box that lets you stream content to your TV. The funny thing about that is that if you had asked me if I wanted something like this two years ago, or five years ago, or indeed even twenty or forty years back, I would have said "No". I would have even been mildly amused by the very idea of it because we hardly ever watched movies - so why would we want something that brought movies to our TV?
Oh, I don't mean we never watched a movie. Once in a great while we'd venture out to a movie theatre and from time to time we helped make the cable TV industry wealthier by subscribing to HBO, and even though we only did that to watch The Sopranos, we'd watch a movie now and then. But we weren't "big on it". Not like my sister, for example, who seems to have seen just about anything and everything you ever heard of. Mention a movie and she has likely seen it. Mention the same movie to us and you might get a blank stare. We just aren't Movie People.
Introducing Hulu
I don't know when I first noticed Hulu - probably not very long back because, well, remember? We aren't Movie People. What brought me to Hulu was a TV show that we wanted to see but missed - I don't remember now what it was, but I found it there and we watched it. The experience wasn't great, a little choppy now and then and with sound lagging behind the video sometimes, but hey, we got to see the show. Better than nothing, right? Right.
The Lending Library
Yeah, I know: video stores have been around a long time. We had a VCR player and even rented a tape or two. But when we moved five years ago, we somehow misplaced or lost the VCR and didn't even notice that it was missing for more than a year - it was that unimportant to us.
We have a community library here. That's great, but the books are mostly fiction and we don't read fiction so that didn't attract our attention. However, there is also a community DVD and VCR tape library. There aren't many tapes (who uses VCR's today?) but just seeing them reminded us of that missing piece of equipment. Hmmm - what happened to that?
Who knows? We never did find it, but it got us thinking about all the community center DVD's sitting there free for the temporary taking. We looked through the shelves and saw a few movies we might want to watch. But - we had no DVD player.
Should we buy one? Given our movie watching habits, it didn't seem to make much sense. Sure, the darn things are dirt cheap now, but we'd probably only use it a few times a year. We hemmed and hawed a bit but finally decided it was cheap enough and I went out and bought one.
Of course we rushed right down and got a few movies, right? No - the player sat unused for a week or more before we picked out something to watch and we were in no rush to go get more movies when we were done. We still were not Movie People.
Netflix
The problem was that there's a limited selection here. A pretty large selection, but measured against a video store's stock, not much. We just weren't finding enough we wanted to watch.
We knew about Netflix. Our kids and my sister and probably everyone else we know have been long time subscribers. We were not, but then wasn't that because we hadn't owned a DVD player? And now we did own one, so...
So we signed up for Netflix - just the bottom tier, one DVD at a time plan. After all, we're not Movie People.
But something funny happened. We found we really liked watching the Netflix stuff and that made us start getting more movies from the library here - we were slowly becoming Movie People.
Roku
It was getting harder to find movies we wanted to see. Our community adds new movies regularly, but we were watching them too quickly and while Netflix is quick, we started finding ourselves movieless. We couldn't have that, could we? I noticed the Roku link on Netflix and saw the solution.
The box arrived yesterday. It took just a few minutes to hook it up, configure it to connect to my wireless router, activate it for Netflix and minutes later we watched our first streamed video (we watched the first episode of "Soap", an ancient TV show we had enjoyed back in the 70's).
Roku doesn't download anything - this is streaming, but we saw no jitter and no video lag. Netflix doesn't have everything available for streaming, but they do have many thousands of movies and TV shows and you can stream as many as you want - none of that activity affects your normal Netflix subscription. You just access Netflix from your computer as you normally would and add movies to your "Instant" queue. Seconds later, they are available to your Roku box.
Roku does have some other "channels" available but we haven't looked into that yet. There's no extra subscription costs; you buy the Roku outright and that's the end of that.
I've been mentioning this to people we know who have Netflix and I have been surprised by how many have never heard of it. We think it's great and highly recommend it.
- Microlite BackupEDGE 3.0 coming soon
Linux,OSR5,Backup
2010/03/03
Microlite will soon be releasing a new version of BackupEDGE. The cost to upgrade from a 2.x version will be $250.00 (unless you just bought 2.x in 2009 - it's $100.00 in that case). However, if you act RIGHT NOW (and I mean literally now because this price is going to change very, very soon) you can buy a support contract that entitles you to a free upgrade to the new version.
Microlite charges $160.00 for that support contract. When the new version comes out, the contract price is also going up to $200.00 per year. I can sell it to you for $140.00 IF YOU ACT NOW!
This is a great opportunity from Microlite - but you have to move quickly. Email or call me NOW.
See http://www.microlite.com/ for more information on the new version.
- Questions about the new MA data security law
Employment,Security
2010/03/02
I previously talked about how the new "201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH" regulations might affect me and my customers. Here I'd like to take a closer look at what the regulations seem to require.
Please remember that I am not a lawyer and not a certified security expert. My purpose here is simply to raise questions that you and your customers may want to discuss with a lawyer, insurers and/or a security firm. As the fines for non-compliance could be quite large, this is not something you should ignore.
So, let's get started. The regulation starts off like this:
(1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.
The interesting part here is that "the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data." Does that mean that there is going to be more lenience toward the "little guy"? There seems to be some indication of that, but I doubt it means that a Mom and Pop shop can just ignore this entirely.
(2) Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to: (a) Designating one or more employees to maintain the comprehensive information security program;
OK, that's easy enough: George, this is your problem. Start documenting.
(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
1. ongoing employee (including temporary and contract employee) training;
2. employee compliance with policies and procedures; and
3. means for detecting and preventing security system failures.
(c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.
Now we start getting into areas where I'd have questions. Who is qualified to identify and assess "reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information"?
I have over 30 years experience in computer systems and I know a lot more about potential risks than most of my customers do, but I don't think I'm fully qualified. What standards will be used here? Do you need to hire certified people?
(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.
(e) Preventing terminated employees from accessing records containing personal information.
(f) Oversee service providers, by:
1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person's behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.
OK, looks like some outs here. If you hired me before March 1st, 2010, it looks like neither of us need do anything. That can't be as simple as it sounds, though. If I have access to personal information that you store, I just can't imagine that you and I are exempt from all this just because you contracted with me before March 1st. That makes no sense.
(g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.
Does that mean that servers holding personal information need to be in locked server rooms where nobody ordinarily has access? If so, does it mean that the door has to be locked all day long or only outside of business hours? I don't know.
(h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.
(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
Does this mean we need Intrusion Detection Systems or is this just human monitoring?
(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
See Mike Desrosier's Incident Response article. My question: who does this? The designated person referred to above, or does this need to be a security professional? Does it matter whether you are Jan's Card and Gift or T.J. Maxx?
17.04: Computer System Security Requirements
Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:
(1) Secure user authentication protocols including: (a) control of user IDs and other identifiers;
What does "control of user id's" mean? Does it mean that Mary can't know Sam's login information? How about "secure user authentication protocols" - how secure? Obviously the hundreds of systems I know that have accounts with no passwords wouldn't comply. How about the systems where the admin password is written on a Post-It note tacked on the monitor? I think not.
Does this require enforced changing of passwords? Some people insist that it does, but I don't see that it actually says that. Does "technically feasible" let you off the hook if you are running a very old system that can't do those things?
(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(d) restricting access to active users and active user accounts only; and
(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
So - no passwords tacked up on the wall. Login lockout - I can't think of too many systems that don't do that, but does that include VPN's? I know a lot of systems running simple PPTP VPN's - I don't know, but I'd guess that most of those couldn't meet these requirements.
Oh, and then there are the Samba systems that aren't authenticating against some other machine. Many of these are set up with shares that use "Connect as a different user" and a fixed name/password to make for easy access. Compliant? I'd guess probably not.
(2) Secure access control measures that: (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
Now we are inside application software. Some apps have these user level controls, some don't. Most have their own internal password systems - do those systems and methods have controls and lockouts? Most don't. Should they? I don't know.
(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
I know many a system where logins are related to a physical station. That is, if you are using the station nearest the front door, you are supposed to login as "pos1". Multiple people use that login and the system assigns resources like printers based on that. My guess would be that you can't do that anymore.
(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
Here's a big problem. You have users accessing a server and inputting or accessing personal information. If they are wireless, that's plain enough: you have to encrypt. If they are accessing it remotely from home or a hotel room, you have to encrypt.
Encrypt to what standards? Is ROT13 encryption? OK, that's silly, but are older PPTP VPN's compliant? Older ssh? I don't know.
(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;
(5) Encryption of all personal information stored on laptops or other portable devices;
Again, is that Intrusion Detection Systems?
(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
Is a $50 Linksys firewall compliant? How about if you've never updated the firmware?
There are many, many Multitech firewall appliances out there. Multitech no longer manufactures these. Does that matter?
OS security patches? What if you are running an old server where the vendors no longer provide patches? Are you required to upgrade? What if your application software won't run on a newer operating system? That's reality for many small businesses.
(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
What is "reasonably up-to-date"? Three days old? Three weeks? Three months?
Is this just for the servers or (more likely) all systems that access the server? What about those VPN and ssh users - are you responsible for auditing their home operating systems? You obviously can't audit public access systems - how will you handle that?
Malware and virus protection? How exactly is that defined for Unix/Linux systems? What about very old Windows systems again?
(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
Company meeting? Memo? Formal training by outside folks? Would this include janitors who might access that locked computer room? OK, that's maybe silly, but it is vague.
This law could cost small businesses a lot of money. At best it will be annoying, confusing and inconvenient.
As I said before, I suspect it will cause problems for small consultants also. As just about anything you do on a computer is likely to have security implications, companies may feel they need to hire larger firms with formally trained and certified security professionals on staff. The small consultant may not be able to afford the training and certifications necessary - or at least perceived to be necessary. Nothing here specifically says that I can't interpret and apply my best efforts to help someone comply, but a client concerned about compliance might not see it that way and honestly, I think they'd be correct to protect themselves in that way.
Some people have said that Massachusetts can't realistically enforce this law today. That is probably true, but I don't think it makes good business sense to ignore this on that basis.
See 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH.
- Running old Linux apps on new Distros
Linux,Virtualization,Programming
2010/02/27
I have a number of customers running older Linux apps. Sometimes they have source for the app, sometimes they don't. Sometimes the original app vendor still exists and is willing to be helpful, sometimes they are out of business or uninterested in the old app because they want to sell something newer.
Often the app will make a graceful transition across operating system upgrades and changes. Sooner or later though, it probably breaks.
Sometimes the fix is simple. Defining and exporting LD_ASSUME_KERNEL might let an older app run on a newer kernel.
Sometimes it takes a bit more. I recently had an app that had come from RedHat 6 days and had successfully aged until the latest Debian stopped it cold. To solve that, I asked "ldd" to show what libraries it used. That returned:
linux-gate.so.1 => (0xb7fac000)
libm.so.6 => /lib/i686/cmov/libm.so.6 (0xb7f7c000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7e21000)
/lib/ld-linux.so.2 (0xb7fad000)
You can ignore linux-gate. That meant I needed ld-linux.so.2, libc.so.6 and libm.so.6 from a system where the app worked. I copied them to the new Debian and stuck them in a new directory I called /oldlibs.
I then changed the calling script to look something like this:
LD_LIBRARY_PATH=/oldlibs
export LD_LIBRARY_PATH
/oldlibs/ld-linux.so.2 oldapp
If you just type "/lib/ld-linux.so.2", you'll see what's going on here:
Usage: ld.so [OPTION]... EXECUTABLE-FILE [ARGS-FOR-PROGRAM...]
You have invoked `ld.so', the helper program for shared library executables.
This program usually lives in the file `/lib/ld.so', and special directives
in executable files using ELF shared libraries tell the system's program
loader to load the helper program from this file. This helper program loads
the shared libraries needed by the program executable, prepares the program
to run, and runs it. You may invoke this helper program directly from the
command line to load and run an ELF executable file; this is like executing
that file itself, but always uses this helper program from the file you
specified, instead of the helper program file specified in the executable
file you run. This is mostly of use for maintainers to test new versions
of this helper program; chances are you did not intend to run this program.
But we really did intend it here.
That worked, but we very quickly ran into another problem - the app makes calls to shell scripts and other utilities. Most of those won't work when running with the old libraries. What now?
There are several ways around it. In this case, we had some source (well, source and object files). The program supposedly could be statically linked. That would eliminate the need for old libraries. However, we had no luck getting the code to link statically and the app vendor was uninterested or unavailable.
Wrap it
Another way is to wrap the shell calls in a new environment. You can see that at work easily with a couple of shell scripts:
LD_LIBRARY_PATH=/oldlibs
export LD_LIBRARY_PATH
/bin/ls
That breaks with:
/bin/ls: relocation error: /lib/i686/cmov/libpthread.so.0: symbol
errno, version GLIBC_PRIVATE not defined in file libc.so.6 with link
time reference
We can fix that if we create another script (I'll call it "runit"):
#!/bin/sh
# runit: drop the old-library settings and run the command with the new system's loader
unset LD_ASSUME_KERNEL
LD_LIBRARY_PATH=/lib
export LD_LIBRARY_PATH
/lib/ld-linux.so.2 "$@"    # "$@" keeps arguments containing spaces intact
We'd change the original script like this:
LD_LIBRARY_PATH=/oldlibs
export LD_LIBRARY_PATH
runit /bin/ls
The problem here is that we have to modify every call. That's not impossible, but it is annoying. So is messing with PATH to front-end commands. But we could make wrappers for every command used and put them early in PATH - our "/newbin/ls" (and everything else) would be:
#!/bin/sh
unset LD_ASSUME_KERNEL
LD_LIBRARY_PATH=/lib
export LD_LIBRARY_PATH
# $0 is this wrapper's own path (e.g. /newbin/ls); strip the directory part
# and run the real command of the same name from /bin (ld.so needs a full path)
/lib/ld-linux.so.2 "/bin/${0##*/}" "$@"
Note the use of $0 here. That lets us use the same script everywhere.
But it can't be that simple because a shell script isn't going to work - the shell gets called from the oldlib environment and it needs the normal libraries. We'd need to write something that will work and have it reset the environment for the next call.
Maybe something like this (haven't tried it yet):
#include <unistd.h>

int main (int argc, char** argv)
{
    if (argc < 2) return 1;          /* nothing to run */
    argv++;                          /* drop our own name; argv[0] is now the command */
    char *env[]= { (char *)0 };      /* completely empty environment */
    execve (argv[0], argv, env);     /* argv[0] must be a path; no PATH search is done */
    return 1;                        /* only reached if execve failed */
}
You'd compile that on the OLD system, not the new. It's going
to run in the /oldlib environment so it needs to have come from there.
That just runs whatever it is passed with no environment, which isn't
going to work for a lot of things. Hmmm.. this is tricky, isn't it?
Probably what we want is something like this:
#include <stdlib.h>
#include <unistd.h>

extern char **environ;

int main (int argc, char** argv)
{
    if (argc < 2) return 1;
    unsetenv("LD_LIBRARY_PATH");      /* remove the old-library settings... */
    unsetenv("LD_ASSUME_KERNEL");     /* ...everything else is passed through */
    argv++;                           /* the remaining arguments are the command */
    execve (argv[0], argv, environ);  /* environ reflects the unsetenv calls above */
    return 1;                         /* only reached if execve failed */
}
That unsets the stuff we don't want. Will it work? I don't know.
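The same wrapper idea written out as one C program, added here as an example and not code from the original post: it maps its own name to the real command (so one binary can be installed under many names, like the $0 trick), strips LD_LIBRARY_PATH and LD_ASSUME_KERNEL from the environment, and execs the real binary, which then gets the new system's loader from its own ELF header. The paths /oldlibs, /newbin and /bin come from the post; REAL_BIN_DIR, MAX_ENV and the function names are my own choices.

```c
/* Added example (not from the original post). Compile this on the OLD system,
 * since it starts inside the /oldlibs environment, then install it in a
 * directory early in PATH under the names of the commands the app calls
 * (/newbin/ls, /newbin/cat, ...). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REAL_BIN_DIR "/bin"   /* where the genuine commands live (assumption) */
#define MAX_ENV      1024     /* upper bound on environment entries we pass on */

/* Loader variables that must not leak from the old-library environment into
 * commands built against the new system's libc. */
static const char *const kStripped[] = { "LD_LIBRARY_PATH", "LD_ASSUME_KERNEL", NULL };

/* Return 1 if a "NAME=value" entry names one of the stripped variables.
 * The '=' check keeps e.g. LD_LIBRARY_PATHX from matching by prefix. */
int is_stripped_var(const char *entry)
{
    for (int i = 0; kStripped[i] != NULL; i++) {
        size_t n = strlen(kStripped[i]);
        if (strncmp(entry, kStripped[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Copy envp into out, dropping the stripped variables.  Returns the number
 * of entries kept (out is NULL-terminated) or -1 if out cannot hold them. */
int build_clean_env(char *const envp[], char *out[], size_t max)
{
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (is_stripped_var(envp[i]))
            continue;
        if (kept + 1 >= max)          /* leave room for the terminator */
            return -1;
        out[kept++] = envp[i];
    }
    out[kept] = NULL;
    return (int)kept;
}

/* Map the wrapper's own name (argv[0], e.g. "/newbin/ls" or just "ls") to the
 * genuine command ("/bin/ls").  Returns 0 on success, -1 if the name is
 * unusable or the result does not fit in buf. */
int resolve_real_command(const char *argv0, char *buf, size_t buflen)
{
    const char *base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;
    int n = snprintf(buf, buflen, "%s/%s", REAL_BIN_DIR, base);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

int main(int argc, char **argv, char **envp)
{
    char real[4096];
    char *clean[MAX_ENV];
    (void)argc;

    if (resolve_real_command(argv[0], real, sizeof real) != 0) {
        fprintf(stderr, "wrapper: cannot map %s to a real command\n", argv[0]);
        return 127;
    }
    if (build_clean_env(envp, clean, MAX_ENV) < 0) {
        fprintf(stderr, "wrapper: environment too large\n");
        return 127;
    }
    /* argv[0] becomes the real path; the other arguments pass through as-is.
     * No explicit ld-linux.so.2 invocation is needed: with LD_LIBRARY_PATH
     * gone, the kernel starts /bin/ls with the loader named in its own header. */
    argv[0] = real;
    execve(real, argv, clean);
    perror(real);                     /* only reached if execve failed */
    return 127;
}
```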
These aren't the only issues, though. See How to Run Binary-Only Application Packages on Various Versions of Linux for more on that.
What about a VM?
The customer could run the old OS and old app in a VM. There are a few things not to like about that. First, running in a VM is always going to be slower than running natively. Always? Well, no: if the app is coming from an old OS on old hardware, it can sometimes run faster under a VM. However, in this specific case, that wasn't true: he would have to take some performance loss.
The other disadvantage is security and features. The old OS is an old OS. It may lack features we need or want and may have security weaknesses that can be hard to fix. Life is such fun, isn't it?
With some effort, you might be able to avoid that by turning the old app into a two or three tier client-server app. That is, you write a new app on your new OS that makes protected back-end calls to a tightly protected process running on the VM. That could be a fair amount of work, though.
Getting old isn't fun for us or our applications.
- New Mass. Data Security Laws
Employment,Security
2010/02/22
Massachusetts has a new data security law going into effect on March 1st, 2010. Frankly, it scares me.
Here's the problem: most of my customers are in Massachusetts or do business with MA residents. Most of my customers are NOT in compliance with these new regulations and I am very concerned about my exposure to lawsuits if they are ever sued because of that.
I am not a lawyer. I may have some idea of how the new law applies to specific situations, but I'm not in a position to interpret regulations. Do you need to upgrade an old RedHat 8 or SCO 5.0.6 system because they may not meet security requirements and are on the same network as a machine that handles personal information? I DO NOT KNOW.
I'd sarcastically note that your lawyer doesn't really know either: if there's a security breach and somebody wants to sue you, their lawyers will be looking for anything they can blame on anyone, so my bet is, yeah, they'd be trying to pin blame on any old OS on the network. But - I DO NOT KNOW.
I am not a security expert. I don't even like thinking about security. I'm a trusting person: I trust people, I want them to trust me. I truly hate that there are people in this world that you cannot trust, so that makes it very hard for me to get interested in security. Does your Windows 2000 server present a security risk? Probably, but I DO NOT KNOW. Frankly, I don't WANT to know.
I had a conversation this morning with another consultant who hires me now and then when he has Linux or Unix customers. He asked me if I could set password policies for those customers. Sure I can - but is that enough? I DO NOT KNOW. And I don't want to know.
We talked about a specific job where we are moving from a SCO server to Linux. The servers store credit card information. "They need to be in a locked room", he said. I don't know if that's true (I am not a lawyer, remember?) but the room that they are in is often locked - though people work in that room also. Where does that leave me if they want me to assist with the transfer? Should I work on the system? Am I exposing myself to potential liability?
Another of his customers wanted a Samba share added for a particular user. I can think of at least 20 ways this guy is not in compliance. Do I refuse to add the share?
We talked about liability insurance. He's never carried it and neither have I. It's doubtful that it could protect us anyway. It definitely wouldn't cover work we did years ago and unless we were certified security experts, I can't imagine that any insurance company would be dumb enough to cover us for this stuff anyway.
So what do we do? We both agreed that if we were financially able, we'd close our businesses today and retire. That's not an option for either of us.
Do we refuse security related work? Fine, but almost anything is security related in some way. If we do refuse it, we both know damn well that we'll probably lose ALL work from that customer because someone really no better equipped than we are will step in and tell the customer that they CAN advise them on this stuff. That they will likely be lying is no comfort: they'll have the business.
Do we ask for indemnification? Great, you get your customer to sign something that says he won't sue you. Do you think he'll agree to indemnify you if someone sues him AND you? Not likely.
So what do you do? I know a lot of the folks who read this are in similar situations. Maybe your State hasn't passed this sort of legislation yet, but odds are that they will. What are you going to do? What are WE going to do?
I DO NOT KNOW.
See also
Questions about the new MA data security law
- Hard Times
Employment
2010/02/22
I know times are really tough for many people. Here in America, we have incredible opportunities to succeed, but our social safety net has a lot of big holes in it - you can fall right through to complete disaster. If you do fall, it can be very hard to move back up, but I fully believe that the best way upward for many of us is self employment.
Self employment doesn't mean automatic riches. It may not even mean riches at all. Many self employed people earn a decent living, but we can be affected by recessions and depressions just like any business.
I just finished up our 2009 taxes and realized that our gross income was about 55% of what it was 5 years ago and 20% less than what it was last year. That's quite a pay cut, but it does illustrate one of the great advantages of being self employed: I may have less income right now, but I still have income. When you work for yourself, you don't get laid off - unless you've done something very dumb (such as only having a handful of customers), you will always be bringing something in.
By the way, I did much better in January and February is also doing well - it almost seems like old times. I don't dare think that things really are about to turn around, but it was nice to have a good run again. We'll see what the rest of the year brings.
Are you taking advantage of the lull?
Not being busy brings opportunity. When you are running flat out, you may be making money hand over fist, but you probably aren't learning new skills. Slow periods are ideal times for education - and learning new skills can help you through the next down-turn or even avoid it entirely.
That also applies to people looking for work, of course.
You have more time for planning. More time to reorganize your files, clean up deadwood, more time to do all the things you just can't get to when you are busy.
All work and no play makes Jack what?
You have time to play, also, and while it may feel inappropriate or even wrong, taking some extra vacation might just be the best thing you can do with your increased spare time. If the business just isn't there, you can't spend all day every day fretting about how you will find something to replace it. You need a break - take one.
You aren't going to give up, are you?
The absolute last thing you'd want to do is seek employment. Oh, sure, it can look very attractive: you'll take a part time job, maybe 20 hours a week, and that will bring in enough to make up the shortfall and you still have time for your business... but you won't. You won't be available to old customers or new while tied down with that part time work - that's lost opportunity that could be worth many times the paltry hourly wage you get from the job. You'll also be more stressed trying to juggle too many things. If you really think a part time job is going to help your self employed business, you might as well just close it up now and start looking for full time work!
There may be exceptions to that advice, but in most situations you just need to lean into the wind and keep plodding forward. If you have done well before, you can do well again. You may have to do something different - for example, ten years ago a lot of my business still came from SCO Unix. I saw the writing on that wall years before and was already moving my business in other directions. I was fortunate in that I knew SCO's demise was coming even before they started up their Linux nonsense (not that it took any great brilliance to recognize that!). Even so, changing the main focus of a business is much like changing the course of a giant oil tanker: you usually can't do it instantly.
Income is more important than expenses
While you are waiting for the helm to turn or the snows to melt or whatever it is that you have to wait for, while you are tightening your belt and turning down the heat and canceling your HBO subscription, closing off the spare room or doing whatever else you need to do, try to remember that your time could be better spent looking for more income. I made some cuts, but they were things I would have done anyway: my primary goal is always to increase income, not cut expenses.
OK, maybe this isn't the year for a month long Caribbean cruise. But it isn't the time to stop advertising or sell your computer, either. In fact, it might be exactly the right time to ramp up advertising and buy new equipment. If you can't afford it, your every waking thought should be "What can I do today to improve income?"
Income is more important than expenses
Yes, I already said that. I said it again because it's important. When faced with economic difficulty, most people's first thought is to cut expenses. Look at the Tea Party movement as a perfect example: they want to cut taxes. Our roads are crumbling, our bridges falling down, our schools failing our children. Crime is rampant, we're entangled in two wars - what do we really need? We need more money. Fine, we can argue about how much of the control of that money should be at the Federal, State and local level, but government at all levels needs more money, not less.
There are places in government where there is waste. There is waste in every business, too. I pay for an Internet fax service even though very few people send faxes any more. If I were a Federal Agency, the Tea Party folks would be screaming that I am wasting money. Maybe I am, but every now and then I have someone who wants to fax me something, so I keep the service - it may be "waste", but it's an insignificant part of my expenses and it's convenient when I need it.
If it really is waste, cut it (in your business or in government). Just keep your main focus on increasing income - that's what is important.
- SCO 5.0.7V
Virtualization,OSR5
2010/02/17
Although many an old SCO box has been replaced by Linux or (shudder) Windows, many others still chug along in server rooms across the country. Sometimes the server remains alive because of stubbornness, sometimes it is just rank ignorance, but more often it's simply that any replacement is economically difficult. The SCO server is kept alive because the company using it can't afford any alternative.
I have a number of resources here about converting or maintaining SCO systems.
Most of these old systems run on SCO's 3.2v5 operating systems. These date from 1995 (3.2v5.0.0) to 2003 (3.2v5.0.7), so even the newest of them is seven years old, and they are often running on hardware of the same age. Never mind security, operability or anything else: it's downright scary to be running on hardware that old. Unfortunately, installing SCO on anything current can be difficult or even impossible as driver support melts away.
As of this writing, it is still possible to install SCO 5.0.7 on generic hardware but when you start getting into RAID systems it can be very hard to find drivers and even network cards can cause some difficulty - it's all become nasty enough that I refuse to do any such work on anything but a flat time and materials basis with no guarantees of success. If the system is older than 5.0.6 and can't be upgraded to at least 5.0.7, I may refuse it anyway - it's just too unpleasant. Life sucks for old SCO owners.
SCO has made things a bit easier by providing SCO 3.2v5.0.7V, which is a VMware image - that is, it's not an operating system installation disk, it's an image of an already installed (partially unconfigured) SCO 5.0.7 system. That's important because it means you don't "install" the OS within VMware, you "import" or (depending upon your flavor of VMware) "deploy" it. After VMware is done bringing it in, you boot it and it asks for the system configuration info needed - see all this at the 5.0.7V for VMware® Getting Started Guide.
I was involved with one of these earlier this week. The customer had an old Compaq running a Synergy DBL system under SCO 5.0.5. I was simply contracted to install SCO (their VMware vendor had attempted part of that but didn't realize that the CD was a VM image) and to transfer data.
This was a fairly easy process. I transferred users using "ap" (see SCO Unix Upgrades for more on that and other upgrade issues), tarred up their home directories and transferred them with "rcp" after establishing user equivalence. I suppose I could have taken the trouble to install ssh on the old system, but why look for trouble? The old "rcp" works.
To establish user equivalence, the simplest thing is to log in to the new server from the old. Do a "w -x" to see the source of your login - it will either be an IP address or a name. Whatever it is, put that in /.rhosts and chmod 600 /.rhosts. You'll then be able to rcp from the old to the new.
We added a second drive, which was actually a NAS. VMware presents it as SCSI id 1, so SCO doesn't know that it is really a network device. However...
While transferring data, I observed WRITE_10 errors. Specifically:
Mon Feb 15 15:47:11 2010 WARNING: "WRITE_10" command timed out 12
seconds after its start on ha=0 id=1 lun=0 Request=C102F6A0
WARNING: "WRITE_10" command timed out 12 seconds after its start on ha=0
id=1 lun=0 Request=C1035B80
The VMware consultant expressed no interest whatsoever except to observe that we were hammering heavily transferring data and that he was trying to install Exchange on the same NAS concurrently.
OK - color me naive, but if you can't transfer data to one VM while installing another, is this really usable? I would think not, but what do I know?
After the Exchange install finished, we didn't see any more problems. Until two days later, that is:
Wed Feb 17 09:19:13 2010
WARNING: "WRITE_10" command timed out 12 seconds after its start on ha=0
id=1 lun=0 Request=C102F100
That upset me, but it turned out that the VMware folks had needed to take the NAS down at about that time. You'd think they would have realized that no operating system likes its drives disappearing, but they did not mention this until I sent email to the customer's IT person warning about the error. I'm left HOPING everything is in fact as it should be - I'm not completely confident.
But - maybe there WAS something misconfigured, maybe that's why they bounced it, maybe I'm worried for nothing. I left instructions for checking /usr/adm/messages and with luck they won't see that again.
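The messages check mentioned above, written out as an added example (this is not the post's own code): it joins the kernel's wrapped WARNING lines, counts WRITE_10 timeouts per ha/id/lun, and returns non-zero when any device exceeds a threshold, so it can run from cron on the new server. It assumes a POSIX awk and a log in the format quoted above; the sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the SCSI WRITE_10
# timeouts shown above from a SCO /usr/adm/messages file. The kernel wraps
# each WARNING over two lines, so the awk script joins them before parsing.

# count_write10_timeouts FILE
# Prints one line per device, "ha=N id=N lun=N COUNT", sorted.
count_write10_timeouts() {
    awk '
        function flush() {
            if (!inrec) return
            # the device triple may straddle the wrapped lines; after the join
            # it is separated by spaces, so normalise spacing and extract it
            if (match(rec, /ha=[0-9]+ +id=[0-9]+ +lun=[0-9]+/)) {
                dev = substr(rec, RSTART, RLENGTH)
                gsub(/ +/, " ", dev)
                count[dev]++
            }
            inrec = 0; rec = ""
        }
        /WARNING: "WRITE_10" command timed out/ { flush(); inrec = 1 }
        inrec { rec = rec " " $0; if (rec ~ /Request=/) flush() }
        END { flush(); for (d in count) print d, count[d] }
    ' "$1" | sort
}

# check_write10 FILE [THRESHOLD]
# Returns 0 when no device has more than THRESHOLD timeouts (default 0);
# otherwise prints the offending devices and returns 1 for cron to report.
check_write10() {
    count_write10_timeouts "$1" |
        awk -v t="${2:-0}" '$NF > t { print; bad = 1 } END { exit bad ? 1 : 0 }'
}

# Constructed sample log in the format quoted in the post (Request values are
# placeholders); a real run would point at /usr/adm/messages instead.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mon Feb 15 15:47:11 2010 WARNING: "WRITE_10" command timed out 12
seconds after its start on ha=0 id=1 lun=0 Request=00000001
WARNING: "WRITE_10" command timed out 12 seconds after its start on ha=0
id=1 lun=0 Request=00000002
Mon Feb 15 16:02:00 2010 NOTICE: unrelated message, must be ignored
Wed Feb 17 09:19:13 2010
WARNING: "WRITE_10" command timed out 12 seconds after its start on ha=0
id=1 lun=0 Request=00000003
WARNING: "WRITE_10" command timed out 12 seconds after its start on ha=0
id=2 lun=0 Request=00000004
EOF

count_write10_timeouts "$SAMPLE_LOG"   # ha=0 id=1 lun=0 3 / ha=0 id=2 lun=0 1
check_write10 "$SAMPLE_LOG" 0 || echo "timeouts found - ask about the NAS"
```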
We did have a minor issue with Synergy. On the old system, all that stuff was installed under /usr/asa/synergy. Apparently new binaries were needed to transfer to 5.0.7, and these were all installed in /usr/asa/synergyde. As there were an unknown number of scripts referring to the old paths, I created a symlink: ln -s /usr/asa/synergyde /usr/asa/synergy to fix that.
Printers were easy as these were all netcat printers. I simply rcp'd the interface scripts to /usr/spool/lp/model and then ran lpadmin for each printer:
# each printer uses the interface script of the same name copied to
# /usr/spool/lp/model; register it, then accept and enable the queue
for i in printer1 printer2 printer3
do
    /usr/lib/lpadmin -p $i -m $i -v /dev/null
    /usr/lib/accept $i
    enable $i
done
I transferred the mmdf information and was able to send mail. There were some cron entries I extracted from "crontab -l" and added them to the new machine. That was about it for me. I headed home and sent them my bill.