July 2011 Archives

Sex and greed in DNS

The new .XXX top-level-domain is coming on line later this year. Apparently the organizers of the domain are having a hard time convincing the porn industry to get on-board.

Most left feeling like there were few reasons to buy a .XXX domain other than in self-defense - which may whisper the future of what an unlimited number of vanity gTLDs will look like.

I totally agree. Back on March 28th, 2007 I said this regarding this very TLD:

Which is very true. They won't be reaping the big bucks by signing over the seamy side of the internet, they'll be making the big bucks from reputation protection buys from the likes of us. Higher Education domains like ours, WWU.EDU, are PRIME PICKINGS for .XXX. You can fully imagine that "WWU.XXX" will be full of ***Hot CoEd Action***, if we don't get it first. So you can further guarantee that our Telecom group will diligently pick up "WWU.XXX" in order to maintain our reputation. So whoever is granted the authority to register ".XXX" domains will be getting our money, and most other .EDU domains as well.

That's what the gold-rush of the now wide open gTLD system looks like to organizations with a brand to protect. As it happens, WWU is also sensitive to alcohol consumption by students, so a hypothetical "WWU.BEER" would be yet another defensive buy on the part of the University. Each new TLD that comes up will have to be vetted by trademark and copyright owners to determine if a defensive buy is in order to protect their brandname.

Incredulity at security auditors

A question was posted to ServerFault yesterday that raised ALL of our eyebrows.

Our security auditor is an idiot, how do I give him the information he wants?

The asker is not wrong. Really, go read the question. Any security auditor asking for a complete list of passwords, in plain-text, has got a few screws loose. The asker is understandably hiding their identity, though it has become clear that they are in the UK somewhere. The answers are high quality, and I recommend reading them.

Yes, this is something that System Administrators have to put up with from time to time.

  • I have been told to do something against all good understanding of best practice, and may be possibly illegal.
  • I have complained, and been told by higher authority to put up or shut up.
  • Now what?
In the industry, if your boss is a (potentially criminal) idiot, and you can't change their mind, it is time to change the boss. Not everyone has that luxury though, especially in this economy, so sometimes you have to stick with it. That's the hard part.

The "fix" for this particular case is the same as the "fix" for being asked to troubleshoot a faulting legacy system you'd been studiously ignoring because it privately scares you. Hold your nose, get educated about the system, and start making some reasoned arguments/guesses about what may be the problem. The answers on that question provide the education and troubleshooting guidance for dealing with the "my security auditor is defective" problem.

This person is in a very sticky situation. They are being asked to do something that is very likely illegal in their area and it seems like this is a serious request rather than a subtle test of some kind. And worse, their business management has bought in (see second comment on the question, you'll have to expand the comments to see it). If they do everything they can to convince business management that this is not only stupid, but potentially criminal, and management still presses ahead, they'll get to one of the hardest decisions to make in our line of work.

  • Do I quietly go along with this, having done everything I can to dissuade them?
  • Do I report this action to the authorities and be a whistle blower?
  • Do I point management at this as-yet-unlinked-to-the-company tempest-in-an-Internet as last ditch supporting evidence of the flagrant stupidity of these actions?
  • Do I resign my position and become employed elsewhere rather than do these actions?
Each of the above has its own consequences. The first point may end up with your butt on the line if the issue ever does get brought up legally. The second one will cause your company to be quite angry with you, probably involve extensive legal proceedings, and will be an unremovable mark on your record (for good or bad). The third will only work if management is of the right mindset to understand it, and may get you fired for talking about company policy in public. The fourth is perhaps the easiest to do, but will also involve a period of unemployment that could stretch several to many months.

I wish them the best of luck. It's the kind of thing that we all hope only happens a very few times in any career.

This blog-post by Cliff Mass describes why. The opening paragraph:
We look to the heavens and ask: Why do we suffer? Why is the warmth of summer denied us?

Is this a great test of a stormy Satan? If we accept the coolness and clouds without complaint, will the warmth of a true summer be restored, as Job was restored when he accepted God's will without complaint?

By all reports it has been a bad summer so far. Summer in Bellingham generally didn't start until a few days in July anyway, but this year it is now weeks late. It was an event similar to that one which caused me to decide that perhaps I should live somewhere else.

In a good year, we'd get 8 solid weeks of summer and a beautiful slide in to Autumn until the storms hit.

In a bad year it would be 6 interrupted weeks of summer and the storms would start pretty early in September.

You'd think that 2 weeks wouldn't make much of a difference, but it does. 8 weeks was barely enough summer for me. When summer was a week late a couple years ago, it was hard. Last summer had a two week cold spell in the middle and ended early. This summer I had my first full day over 70 degrees in April, I was smiling all day.

Most people who leave the Pacific Northwest due to weather do so because of January, when we see the sun in short breaks every several days, if that often. That didn't bother me, I'm used to Winter being dreary. October through December is usually very stormy with lots of wind and rain; again, didn't bother me. The October right before we moved up, October 2003, was particularly wet in our neck of the woods when they had something like 20+ days of precipitation with its predictable effects on rivers (flooding) and slopes (landslides). Thanksgiving was usually pretty good for bad weather. Not a problem.

But having the 4th of July be a day that stays in the 60's more often than it's in the 70's? To someone who grew up in an area where the 4th of July has been preceded by a full month of 70+ weather and the swelter of July just around the corner, that sounds mighty fine. But when June was 60-degrees and partly to mostly cloudy the entire month, having July start out the same way takes its toll.

I was somewhat concerned when our house didn't have air-conditioning of any kind. However, as I learned in person we didn't really need it. Even in the worst summer we had (heat-wise, not cold-wise), we only needed it like 9 days that year. While that made for some uncomfortable nights, it wasn't enough to spring for a heat-pump.

When I took the WWU job I knew about Winter. I thought it might be a problem, but as I started in Winter it ended up not being much of one. Which is good. No one told me about Juneuary though.

Tomorrow I get to see about 102F (39C) degree weather with a heat index around 113F (45C). Part of me is cheerful about that, but I'm pretty certain that's just the lingering trauma talking ;).

Why would you use Windows?

This is a question from ServerFault that was there and then was no longer there because it's rampant flame-bait and got mod-hammered. But sometimes flame bait can make for good blog-posts, so here it is. Unattributed since the source no longer exists and I don't want to embarrass the asker.

As someone who has a good amount of experience with basic server setup exclusively on Linux, I'm wondering why anybody would want to use Windows.

I'm not asking this to make it into some snide comment, I just don't see any advantages.

The big things I think I would miss are:

  • SSH access. As far as I know, the only real way to remotely access a Windows service is via RDP or VNC or something similar, which is a lot more work if all I want to do is restart a service.
  • Open source software. From my experience, almost all open source server software is made for Linux. While some, like Apache, can also be run on Windows, a lot of the times it feels like it was added as an afterthought.
  • Easy configuration. I've never used Windows tools, but I love being able to apt-get install libapache2-mod-whatever. While package systems aren't technically part of Linux, most popular distributions use yum or aptitude or some packaging system which makes it a lot easier to handle updates.

Again, I've not used Windows extensively as a server, so please forgive me if some of these points are inaccurate.

A valid question. We had a thread much like this one on the LOPSA mailing list a while ago. And really, to a Linux admin, Windows looks like an expensive, opaque, and above all annoying way of doing what Linux can do in its sleep. This view is very much couched in the observer's biases.

The consensus of the web this year is that if you want to do large scale web-application infrastructures, Linux is where it is at in spades. During my job hunt there were exceedingly few job-postings for Linux admins that mentioned something other than Web or DB duties. Web, DB, load-balancing, routing, orchestration, caching layers, it's all there and very well documented.

So why WOULD you use Windows?

The number one reason I know of...

Because the application you're using requires it.

At WWU we had quite a number of off-the-shelf products require a Windows server because they were .NET applications. FLOSS versions may exist, but that's not what our users wanted. They wanted this piece of software that they picked out and is kinda standard in their industry, not some half baked open source project out of some other University.

Or for my current employer, a number of the key processing tasks we need to do are most accurately accomplished on Windows. The open source versions of these software packages get close enough, but part of what distinguishes us from our competitors is that we get closer than that.

The number two reason...

Because that's what you know.

This was why WWU was running Blackboard on Windows servers, even though it's a Tomcat application at the core. I'm pretty sure the reason for this is because what came before Blackboard was also running on Windows and our Windows admin inherited the new environment, not that the Linux admin said "Not it!" faster than the Windows admin. I know that admin found Linux confusingly opaque and convoluted.

The number three reason...

Because you don't have time/skill to maintain it yourself, and/or you're willing to pay someone else to do it for you.

If that application comes in a box, wrapped in an installation wizard, and comes complete with phone-home abilities to pull updates, notify the vendor (and later you) of problems, a lot of the effort in keeping that application going has now been outsourced to the vendor. Few FLOSS-stack products can do that, they need some skilled time to keep 'em up. To an organization looking to fire-and-forget, this kind of software is really attractive.



Now on to some of the asker's specific concerns regarding remote access, scalability, and software installs. Below the fold.

Google has made some waves with their Google Plus social networking service in that they're following Facebook's footsteps in making it require real names (or names that look real at any rate). Nothing new there, both Facebook and LinkedIn do just that and they're both making quality money off of that. Advertisers like real names since it helps narrow marketing preference profiles.

Being the age I am, I came of age during a time when online identity (in my case "online" meant dial-up BBS systems before it meant Internet) was entirely a pseudonym. Very few people used their real name as their handle, those that did tended to add a few letters for disambiguation. So my age-group earned our online chops behind made up names. We find nothing wrong with doing so.

Since then, though, there has been pushback on a number of fronts regarding identity. It is a clear fact that it's easier to harass people if there is some slight anonymity involved. Fraud is easier to perpetrate when the actors are pseudonyms. Libel is harder to prosecute if the accused isn't a real person. That sort of thing.

The question of electronic identity in the workplace has been around ever since people were represented as bits in computers. In olden days my Identity according to the computer and online records would be "195", my employee ID number. What name to attach to the EID is where we run into two other forms of identity in the workplace:

  1. Legal Identity such as Jubal Rupert Smith
  2. Casual Identity such as Rupert Smith, Bertie Smith, or even "J. Smith"

In white America of the 1960's everyone had three names, which makes writing the database schema easy. What name to slap on the employee record was pretty easy in the early days: use the name the income-tax man uses.

When email came out and started to be linked to those same employee records, employees like Mr. Smith up there wanted to be referred to by their casual name, not their legal name, so accommodations had to be made (or not). Disambiguating all of the "Jennifer Anderson" and "Pham Nguyen" employees also had to be figured out. Naming rules are complex for a reason.

Which brings me to a nice article titled "Falsehoods Programmers Believe About Names".

If you are going to write something that'll take real names and not made up names, you'll end up having to make some assumptions about what those names look like. In 1960's white America, everyone had three names: A first name, a middle name, and a family name. Some have prefixes (Hon.) or suffixes (Jr.) on that, but the name format stands. Easy!

Except we're no longer in 1960's white America any more. Names can be very long (the last name of "Nebauer-Ledenhausen" will probably break most field-length limits). Some people don't have middle names. Some only have one name. Some have more than three words in their name. Some names are based on clan not family. Names can have numbers in them (Jubal Smith 4th). Names can be duplicative (Muhammad Muhammad). Names can have strange characters in them, or be made entirely of strange characters.

The American work-place has the advantage that the US tax code seems to think that everyone has at least two names, a fact that is also enshrined in some State ID card systems. This doesn't help multinationals though.
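As an added illustration (not code from the post or from the article it cites), the block below runs each kind of name the post lists through two designs: the 1960s three-field schema the post describes, and a single free-form field that only normalizes the input and refuses control characters. The sample names, the 20-character field width and the 256-character cap are constructed for the example.

```python
import unicodedata

# Constructed sample names, one per failure case the post lists: the
# classic three-part shape, a long hyphenated surname, no middle name, a
# single name, more than three words, a number in the name, a duplicated
# name, and a name written entirely in a non-Latin script.
SAMPLE_NAMES = [
    "Jubal Rupert Smith",
    "Anna Nebauer-Ledenhausen",
    "Pham Nguyen",
    "Sukarno",
    "Maria del Carmen Garcia Lopez",
    "Jubal Smith 4th",
    "Muhammad Muhammad",
    "山田太郎",
]

# Explicit bidirectional embedding/override characters. These are the
# only format characters refused; zero-width joiners and similar marks
# that some scripts need for correct rendering are left alone.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def naive_accepts(name, field_len=20):
    """The 1960s schema: exactly first/middle/last, ASCII letters only,
    each part fitting a fixed-width column. Returns True if accepted."""
    parts = name.split(" ")
    if len(parts) != 3:
        return False
    return all(p.isascii() and p.isalpha() and len(p) <= field_len for p in parts)


def normalize_display_name(name, max_chars=256):
    """One free-form field: NFC-normalize so visually identical inputs
    compare equal, collapse runs of whitespace, refuse empty values,
    control characters and bidi overrides, and apply a generous length
    cap. Returns the stored form, or None if the input is refused."""
    name = unicodedata.normalize("NFC", name)
    name = " ".join(name.split())          # trims ends, collapses internal runs
    if not name or len(name) > max_chars:
        return None
    for ch in name:
        if unicodedata.category(ch) == "Cc" or ch in BIDI_CONTROLS:
            return None
    return name


def compare_validators(names=SAMPLE_NAMES):
    """Return (names the naive schema accepts, names the free-form field accepts)."""
    naive = [n for n in names if naive_accepts(n)]
    permissive = [n for n in names if normalize_display_name(n) is not None]
    return naive, permissive


if __name__ == "__main__":
    naive, permissive = compare_validators()
    print("three-field schema accepts:", naive)
    print("free-form field accepts:   ", permissive)
```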



Even if a person sticks to real-names in both work and social circumstances, how many names can a person have? A lot.

  • The formal legal name found on "primary identity documents" such as birth certificates.
  • The informal legal name, which in my experience frequently excludes the middle name (if present), reduces the middle name to an initial, or shortens the first name to certain common short names (Robert -> Bob, that kind of thing)
  • The name that appears on work correspondence.
  • The name that appears on the letter to Grandma every Christmas.
  • The name that appears on the cover of books, since authors frequently publish under names they weren't born under. Having a hard to pronounce name encourages publishers/authors to pick something commonly pronounceable.
  • The name that high-school friends used in high-school.
  • The name that grade-school friends used.
  • The name used on hobby-craft publications, such as knitting patterns or Nerf-gun modification how-tos.

Every one of these is a "real name" to the people that use it. For some people there may only ever be one or two of these. For others there could be six or more. People who only see one of those names may not recognize the other versions.

Names, like identity, are multi-faceted. When I pick a name for a new system I'll be using, I look at the audience it will have. Anything with a name similar to what I use in the workplace and professionally needs to contain only content I would not be shocked to have my workplace or profession discover. The apocryphal drunk-party pics from college scuttling post-college employment options provide the lesson for that.

However, that's me and my generation. We have a long history of identity based around names that aren't even remotely like our legal names (shocking, I know, but "sysadmin" appears nowhere in my legal name) so are used to firewalling parts of our lives like that. Linking those parts has been the subject of academic papers in the past that map social graphs between various social networks to identify what usernames likely belong to a single person.

People in the next couple of generations down the line, Generation-Y/Millennials and especially GenZ, don't have this deep pseudonym history. Real-name social networking has been around for subjectively longer for them than me. But even they are still going to have a wide variety of names. It doesn't take judicial writ to change your name on Facebook, but the impact to how you are called by your friends can be just as large.

Anything that demands a 'real name' needs to have some context about what kind of real name it's looking for. Anything other than what's on your legal identity documents is going to be fuzzy and hard to control for. Google lacks the context but finally appears to be getting the point about fuzzy, some of their earlier suspensions have been overturned. LinkedIn has that context, the name you want to work under, and leaves it up to that. Whatever that set of fields that holds your name is, it needs to be able to take a wide, wide variety of inputs.

Or something. News of the new vSphere 5 pricing guide has leaked out. Kind of like the NetFlix announcement, it has raised a lot of ire on the part of their customers. As would be expected when your preferred vendor announces you'll be paying a lot more.

The key problem has to do with how they're changing the licensing model for vSphere. We knew they'd change it, we just didn't know if they were going to put DRS and HA into a new Enterprise Plus Ultra tier, or do something else. They did something else.

With vSphere 4 the licensing tiers were based on the processor socket, number of cores, and desired features. If you had over 6 cores on that processor, you needed Enterprise Plus to use them all. If you had 6 or fewer, you could go with one of the three cheaper options.

With vSphere 5 the licensing tiers are now based on a combination of processor socket and RAM (as well as features). A 2-core socket counts as much as a 12-core socket in this scheme (yay). Unfortunately, if that dual-socket 12-core server has 256GB of RAM in it, you'll be paying for 6 Enterprise Plus licenses and not the 2 you were paying under vSphere 4. Also? The prices for Enterprise Plus haven't changed, so you just tripled your licensing costs.

vSphere 4's licensing model encouraged cramming as much RAM into a single server as possible. 12-core CPUs and buckets and buckets of RAM. And this happened, since cheaper is always good, and most VM environments are more RAM constrained than CPU constrained. With pricing per socket and not per core, you could maintain efficient RAM-to-Core ratios with licensing efficiency to boot.

vSphere 5's licensing model encourages servers with far fewer cores and a lot less RAM. Keeping a good RAM-to-Core ratio will involve a lot more physical hosts if you wish to maintain licensing efficiency. And you simply won't be able to reach the heights of efficiency you could with vSphere 4.

This is going to be expensive. We'll see if the industry moves as a whole to something else, I'm sure Citrix is salivating at the thought of upgraders upgrading to XenServer and not vSphere, or lumps it and just starts resenting the hell out of VMware the way they already resent (but still use) Oracle.

Talking about work

I haven't been doing that lately. This is due in no small part to a week's vacation I recently took. But it's also because I've been dealing with Product Next and... that's company IP right there, and complaining/explaining the problems I'm facing around it would count as intelligence to our competitors so... I can't talk about it. So no blog posts, and no SF-questions even though they'd help. Maybe I need a sock-puppet over there... hm.

This is crimping my style somewhat, but I expected this when I moved out of the public sector. I do apologize for that.

There is one thing I can talk about though, phones. Specifically, changing ours out. The system we have was purchased some time in the 4-6 years ago range and is probably a good example of the state of IP telephony of the time. One of the first things I was half-asked to do (half-asked = a higher up complained about it but didn't demand action on it) was find something more modern. I was full-asked last week.

I can't blame them, really. As an IT professional, even one with a previously casual relationship with the networking and phones world (my previous two jobs were tightly siloed, so I never got to play with routers or 110-blocks), I can recognize that this phone system is chock-full of what I call "TelCo crap".

TelCos. You know, those people who built continent spanning networks before digital switching was invented. And after digital switching was invented, encoded all of the standards in the mode of the era while carrying over some analog-switching thoughts because the edges still had analog switches. Someone used to Google Voice or Skype will take one look at that and see, "A maze of twisty passages, all alike." Or worse, "I was designed for mainframes, here is my 7300 page manual."

I am not at all surprised that big money can be made by providing phone-simplification services to companies. In olden days that meant outsourcing the PBX maintenance and calling a service to turn on new extensions. These days with Office Communication Server, Asterisk, Skype, Google Voice, and whatever else promising to get rid of the PBX entirely there are a lot of options.

So, yeah. I need a small-business friendly phone system that isn't OCS or Skype and can use phone-like devices. With a pretty-looking web-portal that allows checking of voice mail, preferably mobile-friendly. I'm open to recommendations and experiences. In the mean time, I'll slip the research into my non Product-Next time.