388 posts • joined 14 Feb 2013
I'd rate "Internet connection prospects" better than most things mentioned on that page.
But, of course, location, location, location (which in turn gives you some guarantees on schools, nightlife, chances of some bloke pilfering your car, etc.).
Pick a nice area. Then make sure you've got Internet. Because that's one thing you won't be able to "fix" yourself. Mobile signal? If your internet is good enough, get your own personal picocell. But chances are that if you're in a nice, internet-connected area, there's going to be mobile signal anyway.
I did exactly this several years ago now.
Never had a problem.
Inherited 2003 DCs, put on a single 2012R2 DC, moved all the config, files, services, etc. over and slowly converted each 2003 machine to 2012R2.
Did it half-live, half-not (school system, summer holidays) - never saw this problem. I'm guessing it relates to some obscure configuration or even just a hotfix gone bad.
If you're large enough to justify using Oracle, you would hardly care. In fact, you'd probably pay it for the option to move that much faster.
If you're not large enough to justify using Oracle, STOP USING ORACLE.
I don't particularly care what companies this huge charge for databases sold on this scale. If you're even CAPABLE of paying that much money for one piece of software running on one processor, you're big enough to know what to do about it and hire experts to manage it and the time is critical. Everyone else can just jumble along on "normal" business databases quite happily.
Seriously, I'm not even sure at what kind of scale I'd need to start thinking to myself "Hmmm... Oracle might be what I need here". Possibly government-sized? I don't know. Certainly not 99.999% of the IT that's out there in the world.
- He confessed that "restoring the service itself is not as simple as rebooting it (turning it off and on again is the ultimate solution to most problems)."
BLOODY MICROSOFT HAS A LOT TO ANSWER FOR. No, a reboot is NOT the ultimate solution to most problems. It's a temporary stopgap when you confess that you have no idea what happened and cross your fingers that the unknown problem will never happen again.
The reason that paracetamol is prescribed is because it tends not to conflict with other things you're taking.
My ex- has joint hypermobility syndrome - basically every joint is completely loose, your knees can go backwards, your hips dislocate, etc. This puts enormous wear on the joints and gives you arthritic symptoms (enough that it's often misdiagnosed as arthritis - basically the OPPOSITE of reality - itself).
The doctor put her onto all sorts to ease chronic joint pain and at one point told her off. He'd prescribed her something, so she'd stopped taking paracetamol. He told her the point of paracetamol is that it's low-impact on other drugs, and can be taken (on doctor's orders!) en-masse without prescription, so she could still take some ridiculous number of paracetamol AS WELL AS her other drugs. She was taking so many paracetamol, on his specific advice, that it was actually difficult to buy them without people asking questions or running into per-store limits.
The point of paracetamol is not to cure long-term, high-intensity pain. It's to take the background ache down a peg or two and not interfere with better painkillers. That's why you should use it for a headache, say, but not take JUST paracetamol when you break your back.
I work in IT in schools. We recently had a bunch of "e-Safety" sessions - several with the kids, two with the parents, one with staff.
Product names were not mentioned in the sessions, they weren't there to sell, they were there just to inform. At each, it was offered that if any parent had any problems or questions, IT-wise, they should come to me and I'll help them install ISP filters / filtering software etc. at home. This was met with great enthusiasm in the session, much gratitude from the governors, and I hung around outside the session just to be visible.
Bear in mind that we're a private "primary" school, going up into Year 8, with just under 400 kids. Just the kind of kids old enough to go on things that they're too young to be on.
Out of all their parents, all the sessions, etc. hundreds of parents attending a specific session on e-Safety, I had one parent ask for my details. They took my email. I never got an email from them.
People just aren't interested in filtering the net. If they are worried what their kids are doing, they MAKE THEM DO IT IN FRONT OF THEM, like proper parents do. If they aren't worried, they wouldn't activate a filter. An online babysitter (literally a "net nanny") is pointless and horrible parenting. And the biggest threat now isn't PCs or laptops or tablets that use the wireless, it's smartphones that bypass it to talk 3G directly.
Nobody cares. Because, well, good parents are managing the problem already without the aid of unnecessary technology, and presumably bad parents couldn't care less anyway.
"Urgh.. a Seagate... well, I'm not going to work with HIM..."
Re: Purpose of qualification
Sorry, but IT is one of the few industries where you can branch out on your own - uncertified - and still get a ton of stuff done.
Stick an ad in the paper to "clean your PC" for £40. You'll eventually do the PC of some business that was in dire straits, then go help them out. Bang, instant "career experience" (self-employed) moving into the B2B side of support.
But paying £699 for an MCSE course (or, worse, making someone else pay for you) is just a waste of money if you're out of work. See the attitudes that most IT guys have to it in the comments above, then ask who's going to be the "technical" guy on the interview panel at the very least.
It's not like you have to legally have a qualification to work in IT (unlike an electrician, gas fitter, taxi driver, etc.). You can start now, for friends, do the horrible jobs for yourself, then slowly turn it into a career. I know, I've never had any other job but in IT and never been unemployed for a day, and never had any certifications (which, as I stated above, is actually sometimes seen as a positive thing precisely because of the reputation of those certifications). The best guys I've worked with don't either - the smartest techs I've seen don't. And the places I've gone to with entirely MCSE-certified staff? God, I wanted to kill myself. They solved about one ticket a day, and struggled all the way.
Recruitment agencies are in fact the worst culprits. So you tell your agent "I don't care about MCSE, I just want experience - on the job or self-employed". One line of criteria, and your recruitment people can't manage that? THEN STOP USING REED. (cough).
Honestly, IT is the easiest career path to get into if you're even vaguely techy. You can make a killing just going round people's houses and cleaning up the viruses, honestly. I bet even some entrepreneurial spirit like knocking on doors and asking if they have any computer problems that you could help them with would likely generate enough business on a quiet day.
You won't walk into Google, or IBM, or Facebook, but damn sure you can get there if you try (my friend just moved from Rackspace to Symantec to Google datacenters, and they had nothing past A-Level and only on-the-job training).
I started from uni making websites for friends. Then one friend worked in a school, so I went there and did their website. I was just a kid, didn't even know what to charge them. Then a few visits later it was "Oh, well, we have this little computer problem, I don't suppose you could take a look?". Within a year I worked in six schools in the Borough, supporting their entire infrastructure (including finance, child protection data, etc.) and was slowly pushing RM's expensive support contracts out single-handedly (I succeeded in almost all of the schools I worked at). Did that for 8 years, ran out of time to handle schools, made enough money not to care about dropping some of them. Then worked a few tech positions, always being promoted, recognised and headhunted. For the last five years I've been an IT manager for independent schools.
I literally have NO INDUSTRY QUALIFICATIONS, and in the beginning had never touched a server let alone managed one. But I outdid those who do have qualifications, managed the systems better, and offered what the clients were missing. Did I sweet-talk my way in? No, I'm terrible socially. Did I undercut them? No, a lot of schools couldn't afford me. Did I need to prove training and qualifications when word-of-mouth and nice headteachers phoning other schools worked enough to fill my working week? No.
IT has the lowest barrier-to-entry as a career. The guy you get in to install that rack, or set up that server, or configure that access control system, or whatever? Chances are he's just a guy that would be out of his depth on anything else. But you trust them to come in and plug things in all over your network all year round. And it's a short step from being in that position, to being regarded as actually a good troubleshooter to an entire career where nobody questions your experience.
I have spent my career running Microsoft networks.
Not once have I ever felt hindered by not having a Microsoft certification.
And, anecdotally, though I'm sure there are many MCSEs out there with good skills, I only really hear the term in interviews now. The last two times in the manner of "Do you have any MCSE or other certifications?", "No, just fifteen years experience.", "Oh, good... the last guy we hired who said he had all the certifications was just rubbish and did X, Y and Z...."
Honestly. I tell no lie. I was hired in two interviews with a major factor being that I actually asked if their previous guy's MCSEs had made them a better IT guy. Both times the answer was no, and both times the employer actually reeled off a list of people they knew with MCSEs who they regretted hiring.
And why? Because of this reason. It's memorising how to click the new icon that's appeared in Windows 8 whereas before it used to be underneath another icon, or vice versa. The questions teach you how to USE a computer, not manage it. And when they do veer into technicalities, it's so Microsoft focused as to be useless.
I was working with another IT Manager a few months ago, and he was hiring a technician. He had a little practical test, a little written test, and an interview. He shared with me the results of the tests and asked my opinions because, literally, they were SO BAD that he couldn't decide but was being made to by his circumstances. People didn't know what RAID was. They couldn't explain the simplest of technologies. They have no idea about what order to do things in, or even Microsoft-specific stuff like how to do the simplest of management on an AD.
The questions on "common problems" that occur on MS networks, the answers were hilarious. People didn't know how to reset a profile, or a password. They had literally memorised the path, and done it so long ago it had got corrupted in their heads, and the answers were junk. What we were looking for was NOT a menu-selection, but a general overview of the process - we don't care WHERE the menu is, you'll find it if you know what it does, or you can Google it at worst. We care that you know what clearing a profile means, what the implications are, when you should and should not do it, and most importantly that you TAKE A BACKUP (whether explicitly, by keeping a shadow copy, by renaming the folder, etc.).
MCSE doesn't furnish you with any IT skills that are useful. I could teach a teenager everything in MCSE in a few weeks, and most of it would probably NEVER come up if they were actually working with me. The bits that did, I bet they could Google quite easily and find a more comprehensive and reliable tutorial in seconds.
The guy doing the hiring, though - the only technician he had was a young lad who'd done A-Levels, worked a bit for his uncle, and then had to find a real job and ended up in the IT department. He was fabulous. Quick learner, very keen, even touched on programming etc. while I was there because he was trying to suck all the knowledge he could out of us. And didn't have a single IT qualification to his name.
The guy they ended up hiring. All the certs. Left in a month, and had been nothing but trouble in between. And the young lad was so scared of being ignored for promotion etc. because of the age/experience/certs that that guy had.
Dumb employers with no sense of actual IT might request an MCSE. I get that. If you don't know the industry, a certification looks good. But, like I say, it's like a guy with a McDonald's Chef Certificate applying to run your business's kitchen (or, in some cases, a catering business or even a posh restaurant). I don't have one and have never had a problem explaining it. If it ever took two sentences, I probably wouldn't ever want to work for such a company anyway.
In all the places I've worked, freelance and employed, they don't particularly care - mainly because experience has shown them that it has more correlation with £699 in spare cash, time on your hands and a gap on your CV than anything to do with IT skills. Some places have asked if I wanted to do it as part of training. I politely declined each time. When they ask why, I show them the course content which, if I couldn't do, I wouldn't be able to do the job they asked me to do.
I fear that making them "more rigorous" will just be a matter of more obscure questions, because the marking still has to be "easy to do" and the training for it still has to be given by people who've never managed a network in their life.
If I were Microsoft, I wouldn't continue with MCSE, I'd change the name entirely and reinvent it. Because everywhere I go, MCSE has a bad name. Most of the people in my position that I ask about such things, they are ashamed to admit they have one, and quickly qualify it with "Oh, well, my employer made me take it, and they were paying, and it was a couple of days off so..."
Re: This is a Windows API problem
What bloody idiot allowed that to propagate through to modern Windows?
And what kind of damage would happen if Windows just said "Okay" and then ignored the new timer functions and/or returned TIMER_NOCANDO (the most colloquially named timer constant I've ever seen)?
MS should have deprecated that call or at least said it was "not guaranteed" 10 years ago.
Get rid of that awful Google Update service that constantly reinstalls itself and triggers firewalls and all sorts just to check that Chrome is up-to-date, and we'll talk.
If you WANT to check for updates, create a scheduled task, not a service, and let me disable the damn thing.
Re: Paper shortages
It doesn't matter what level of nerd-dom I manage to discover, there will be a nerd-based argument about how some sub-strata of it is better.
Don't get me wrong, I'm a nerd too, just for slightly different things.
(The best boardgame I ever played was Advanced Space Crusade, but never got into RPGs even with a brother mad on WH40K, several trials of DnD and no shortage of nerd-friends to play against. Sadly, even ASC is consigned to the scrapheap so that people can sell the plastic models in it for a fortune and you can never get a "full box" of it ever again, but it was a great, simple game without all the hassle of the DnD rules and having to deal with ridiculous amounts of non-rule situations.)
Recently booted up the classic for a four-player fest with some (non-gamer) friends at a party.
The comments on Facebook the next day revolved around "Yellow Wizard, keep the hell up and stop shooting the potions!" (NB: I was red warrior, not yellow wizard).
Great fun and one of those few games that is truly endless without getting boring quickly.
The remake (which is on Steam, by the way) better live up to the original. So tired of junk remakes at the moment (Syndicate, etc.).
Re: What's the real danger ?
"We didn't have the money" is not a viable excuse for failing to abide by the law. In fact, it will just make the problem worse when you are compromised, then held responsible for running an "obsolete" and unsupported operating system on the servers, and then fined hugely. It's not the beancounters who will fall in that case, they will just say "Well, our IT guy said it was okay".
And as my more verbose post says - if you have that large a network, there's even less reason to cling onto operating systems that were designed before some of the kids that left the school I work at this year were even born.
Latest technology? No... because you'll want to spend a year or so testing ANYTHING on that scale - I am more suspicious of "zero day updating" than I am of letting working systems continue. A botched install without proper planning will provably cost you money. But equally running unsupported software over a decade old for no good reason other than "it costs money to replace", that's just asking for more trouble. I'm surprised you can even find new hardware that will boot it, to be honest. I haven't seen a 2003 driver for, say, a RAID controller in a while - and UEFI BIOS are quite common now.
Re: What's the real danger ?
It all depends on how common YOUR usage is.
The places where you can assume that your users are always going to be non-hostile and that you're holding nothing of import that you have to protect? Sure.
But did you know you can get done for a DPA violation for just letting someone have access to certain data that they weren't required to have as part of their job? And PCI standards pretty much dictate that you have to be on the new OS with official update procedures in place and supported software throughout?
Before you even flinch, you have to consider that - say - every school MUST upgrade. All web businesses MUST upgrade. Most offices MUST upgrade. Anything on the network periphery MUST upgrade whatever you're doing. Anything that handles credit card data in any way - even offline - MUST upgrade. And so on. Before you even start, you're close to the majority of computers in the majority of workplaces. At that point, convenience, homogeneity, simplicity of deployment and just hardware refresh means that you probably shouldn't be on 2003 almost anywhere now.
Sure, I've run an internal Intranet server for years and got several hundred days of uptime from it, because it wasn't critical, held no important information, and wasn't accessible remotely. But the problem today is that the places you can do that are increasingly rare. I converted a school from 2003 to 2012R2 only last year (they'd not bought into the MS annual licensing, so only had VLKs for 2003, so we were putting it off as long as possible until we KNEW we had to upgrade). But it was still technically in support then and even then we KNEW we were leaving it very late. Only a tech-savvy Bursar, a huge injection of cash, and dire warnings of what would happen if we stayed on 2003 much longer prevailed (for a start, our MIS system was dropping support for the same reasons given above, and MIS software runs the school).
Consider even a basic school or office. Your Exchange server is front-line, so that has to go. You probably have RD or website hosting machines - they have to go. Your AD servers have publicly visible names and (in a small scenario such as that) probably host user files too. It takes a second to guess share names and start poking holes in them, especially if they aren't updated. Sure, you have staff processes in place to discipline those who access data like that but as soon as you go from small business to having employees that might be unhappy, you have to protect them.
So that's all your main internal servers. Now you're doing that, you need to integrate old 2003 servers with your brand new (presumably) 2012R2 setup. The hassle of doing so, especially if you've taken the opportunity to virtualise, means it's probably just easier to wipe them out and put in a 2012R2 VM to take their place. Hell, you can do it on the same hardware if you like - the chances of you being in a place that is at 100% CPU on all their servers is vanishingly small - and it's silly to drag around old systems like that.
Sure, for some reasons, for a mom-and-pop shop without direct finance detail access, you can get away with not keeping up. For the majority of places, someone's going to have your arse for not keeping up to date - whether that be data protection, PCI-DSS, or just your boss. I'd say if your IT FTE (full time equivalent) staffing is much less than 1, you "could" get away without updating. For anything else, you damn well shouldn't be because almost certainly there's more on the line than just your job.
And if you don't know the DPA, PCI-DSS, etc. off by heart but you deal with personal data / card info, the chances are you're going to fall foul of it before long anyway. And if you do, you know why you have to keep up-to-date (hint: the potential for PERSONAL LIABILITY now!). You can't afford to let the data you have get into others' hands, so you can't be sloppy about managing it, so you can't put it on out-dated computers of any flavour.
It doesn't save you automatically but if you can show "reasonable effort" was used to secure the system, and not just "I let it linger on a 11-year-old OS", then chances are you'll be seen as doing your job, and not being irresponsible with people's data.
Re: another router doesnt make a diff....
I call bluff, or misconfiguration.
I have DNS going through my own VPS, and direct to Google servers. Any machine you use on my local net you can query any nameserver you like and get the answers (if you want to be paranoid, yes, even if your DNS returns deliberately false answers just to test them).
If you're using your SuperHub, you might need to do modem mode, but VM don't intercept DNS to anything other than their own servers from what I see (there's a variety of tests you can do here). Hell, I've read that's one of the easiest ways around their "you can't see this page because of a court order" messages, not that I've ever needed to do that.
Ah, yet again saved from any inconvenience by my setup:
Internet router (in this case SuperHub in modem mode, but previously everything from dial-up modem to cable modem to ADSL2 from several different providers in several different houses)
Forwards everything to a WRT54G that actually DOES the proper routing, DHCP, DNS caching, etc. (and also has proper, real security on it beyond what WPA2 can provide, is a VPN endpoint, DynDNS client, etc.).
Which offers everything else out to the rest of my network. Which has never needed to be renumbered, or even needed a single setting set (DHCP for everything).
Impact: Zero. The WRT54G hasn't used any ISP DNS in its life - OpenDNS, Google DNS and my own private DNSMasq running on a VPS all the way.
Impact during the previous outage: Zero.
Impact when SuperHub wireless was found insecure? Zero (the wireless isn't even switched on).
Impact when moving house / changing ISPs / sticking on a 3G dongle for an emergency connection? Zero - get an Internet connection out of an Ethernet cable somehow, shove everything down it, plug it into the WRT54G, done.
To be honest, the number of times it saved me has paid for the router and initial configuration hassle ten times over. I thought we were supposed to be IT people on here? Having to change DNS at every computer? Haven't set a DNS setting on something that wasn't a static-IP AD DC (with deliberately hard-coded settings) in over a decade.
People moaned about the SuperHub etc. being a heap of junk - I wouldn't even know - it doesn't do anything but pass traffic, doesn't even try to *interpret* traffic, for me. And so has always just worked. The real config is on the device that's older than any of the computers that use it and has been running 24/7 all that time. And, similarly, can be replaced in a heartbeat with some bodge if something goes drastically wrong.
Sod all the other security measures.
Just send me a text when a transaction occurs on my account. I'll be able to tell you IN SECONDS that it's fraudulent.
Like my Italian girlfriend's entire family and friends have whenever they have a transaction occur. Her dad was worried because when buying something for us in B&Q once, his phone beeped twice while we were still at the checkout and he was able to tell the girl (via a translator) that she'd double-charged him for the goods. It was THAT quick, even internationally.
Prevention might be better than the cure, but we clearly can't prevent and a rapid diagnosis will catch more than sheer ignorance ever would.
Anyone know a SINGLE UK bank that offers this? They can have my current account in a heartbeat.
Re: Which crypto?
Nobody has yet proven a break in AES or TrueCrypt. It's probably those.
And beware the scaremongers - strange that OpenSSL/Truecrypt happened just as EC was starting to be proposed as a secure alternative, despite the fact that nobody has ever seen AES or Truecrypt broken...
Re: @Stuart Longland
All of my best utilities, tools, and even to some extent OS's are similarly "free".
Freeware has been around for DECADES.
Shareware has been around for DECADES.
There's always been a difference between the two but neither stopped the other existing or made every programmer jump ship to earn cash.
And, believe it or not, in the old days everyone who gave stuff away didn't take over your computer in order to turn you into a cash cow just so they could claw back the 50p that the ZIP library they wrapped in a GUI cost them to make.
Nobody is obliged to pay for this stuff, because it's given away for free. And people will happily pay to NOT use software that tricks them into installing junk and costing them time and money to remove. They'll use your competitor instead.
Just because you give something away for free does NOT mean you're entitled to try to take over the computer of every person that downloaded it in order to pay your costs, and certainly not without the user's explicit permission.
And without free, truly free, software, there's an awful lot of stuff that would just fall over.
If you gave it away, I'm not obliged to pay you. Certainly not against my will by installing a toolbar that I don't want.
Shove junk that I don't want into your downloads?
I stop using your software.
At BEST, I remove the junk and keep a "clean" version somewhere on my network that I only ever use to install from (i.e. you not only lose your paid-for junk, but quite likely any future updates, and I'll start looking for alternatives).
It's things like this that force me to move towards software where I have a choice. I'm not a GNU/FSF fan at all, but to me open-software does precisely what I need to do and nothing more, especially where installation is concerned.
Don't even get me started on the places that take freeware like Irfanview and "bundle" it for no reason (surely against the EULA of a lot of this software, if it isn't and it was my software, it most certainly would be very quickly).
Honestly, a great way to turn off your customers. And you know what, a ZIP utility installing a browser toolbar is NOT something that ANYONE actually wants. Stop it. I'm looking at you IZArc, that I recommended and used personally for years until you started that nonsense.
And why do I get annoyed? Precisely because I want you doing NOTHING MORE than you absolutely need to do to do the job, because of problems like this. Especially when you want to insert yourself into my web-browsing path, redirect my searches, even change my proxy to something third-party. It's a massive security issue, even if things aren't written by a technically incompetent programmer, or maliciously intended.
Re: they're a spy agency
They're not good at it. We're discussing it for one thing. The leaks were trivially performed by someone who should never have been party to that kind of information. Even on a military level, leaks of sensitive material are incredibly easy things to do (the hope is that the punishment that Manning et al receive is enough to put you off doing them).
In fact, I'd say this shows just how bad they are - personally, I believe the techniques they are using are INCREDIBLY bad at collecting anything useful. The signal-to-noise ratio is just far too low and they've had to resort to basically listening to every packet in order to get anywhere. And, to be honest, we just don't hear of that many cases which end with "And the plan was foiled by the NSA/GCHQ". In fact, we don't. You could argue that's secrecy, but I don't think it's all that common at all.
And, at the end of the day, nobody is above the law. You want to spy, you spy legally. The people you are spying on will consider it illegal while you are on their soil, of course. If the law does not apply to spies, we could just say that and have done with it. But the fact is that it applies to them the same as everyone else. Some countries have forgotten this recently, but even in the MIDST OF WAR it can be illegal to treat an enemy inhumanely. That's how stupid it is to claim that a spy is above the law. If a spy gets caught breaking a foreign law in a foreign country, yeah, hard cheese, that's your job that we've given you permission to do (but that permission does not extend to overriding the target country's permission, obviously). But if a spy is caught breaking the law left, right and centre on its own soil when EVERY statement it makes says that it's complying with the relevant laws, that can be taken - ironically, by just the extremists it looks to contain - as a descent into anarchy.
Personally, spying in the last 50 years or so is nothing more than amateur hour after being left behind - brains-wise - by the rest of the developed world. There was a time and place where intellectuals dedicated their lives to forwarding their nation's cause and were at the cutting-edge of science (and inventing new sciences along the way). Those days have passed, and we have kids with McDonald's chef certificates using encryption that those agencies can't beat (yet, again ironically, invented for just that kind of purpose).
Spying en masse, on your citizens and allies, illegally, and then claiming it's legal, is a recipe for disaster. All this "acres of supercomputers" nonsense that gets spouted? I can only think that if that's considered a viable intelligence source nowadays, you might as well pack up the invisible ink and laser watches now. I honestly JUDGE the modern GCHQ for becoming nothing more than government-funded, consultant-advised, facebook-watchers.
And I'm almost certainly on some list somewhere. I've an education background in cryptography, I can code, I've run TrueCrypt and Tor, I use Linux, and I'm pedantic about the security of systems. I'd be disappointed if I wasn't. But I'd be a million times more disappointed if any of those are even considered a factor without some actual real suspicion based on something other than my website/OS preference first.
Spying's gone seriously downhill. It's now just a "Google him" exercise with a "private Google" that the NSA/GCHQ are trying to build for themselves.
Re: £480 RRP
Yep. 1.5 laptops. Sure, I get that smartphones are very powerful nowadays, have OpenGL ES, etc. and in a tiny, compact, power-saving unit, etc.
But give me a £10 Tesco special and a real laptop any day.
Sorry, if you're still there you need to learn something before you learn Server 2012:
Virtualise those damn things. Sure, it's a huge job, but just get it done. Then your migration is on your own schedule (which you obviously seem to enjoy if you're still on 2003 - only 11-year-old tech).
Plus it'll save you a ton of migration hassle as you don't have to "switch" anything off - just virtualise it onto your first 2012 server (and, please, 2012R2 if you're going to make the leap), then carry on running it and - over time - slowly strip off those functions and put a 2012R2 VM on the same machine that takes them over. When you realise that the 2003 VM has been on 0% CPU for a month, switch it off and see who complains.
I'm certainly not one of those first-day guinea pigs, but 2003 was dead when I did my last 2003 migration two years ago (and we knew we were taking the mick running so long, even then). The transition to 2012R2 is pretty easy, for the vast majority of things, and gives you an awful lot of new features. At the time, I didn't even bother to virtualise (but wish I'd been able to - licensing problems mainly) - just slapped 2012R2 servers in, joined them to the old domain as a DC, pulled the DC roles over, raised the DC level to something this-decade, migrated user data, began pulling over roles/features. After a while, the 2003 machines were obsolete, so they got formatted and brought online as 2012R2 until I found a use for them (mostly secondaries for various functions). There was nothing so drastic that it wouldn't survive the change, and actually I spent most of the time converting crusty old batch scripts to GPO's that handled print-management and drive mappings (yes, in 2012R2, that all works properly).
If I'd been able to virtualise, it would have been even easier, and without downtime. Put 2012R2 machine in. Join to domain as client. Install Hyper-V role. Run Sysinternals Disk2VHD on the 2003 servers. Grab the VHDs and copy to the 2012R2 servers. Create new virtual machine (isolated from the network), and test operation. Schedule 30 minutes of downtime. Turn off 2003 server. Bring its VM onto the network (two clicks). Test. Listen out for people shouting. When nobody does, start preparing a 2012R2 VM and take over the functions and data one by one. With DFS etc., a good team, and proper planning, it can be done in a day.
Quite why we need a livestream event to do that, I don't know.
Forwards me a Viagra spam:
"Hi, Just so you know, I got this this morning"....
Thanks. Now so did I!
Re: Bible Thumpers Rejoice
I was hoping for more of a query about sea-levels rising, etc...
To be honest, I'd be shocked if the water wasn't making its way through somehow. Are you telling me that someone thought that billions of tonnes of a tiny molecule are somehow magically floating atop water-tight rocks that slide over each other and expose enormous holes in themselves all the time, when the pressures of deep-seas are such that we can't even send metal boxes down there? I wouldn't be surprised if they were actually some of the fuel for the Earth's internal heat that's hotter than the Sun - H and O make quite a bang, and H is pretty much the basis of a star.
Maybe not in the forms we know, maybe not in states usable by us, but we basically fire water into the hot rocks ourselves and collect it for heat, so it must be happening naturally all over the surface too. At the kinds of pressures and heats that turn dinosaurs into oil and trees into diamonds, though, who really knows how it happens?
Like the old classic:
"Voice recognition, eh? Whatever you do, don't say "Delete all files", yes?"
Don't get the point of, nor the need for, voice recognition. Especially not when it has to listen 24 hours a day just for that 2 second gap when you want it to turn on, and not all the other times you might say something similar.
Re: So much to do, so little time...
Excusing the "chest masters"...
Worse than that... we can't even decide what intelligence is. The Turing Test is not really well-defined and certainly isn't a cover-all explanation of when we hit "AI". I would reject it out of hand as having achieved nothing more than this article points out - deception by one human of another using a machine as the tool of that deception. That's not really "intelligence" on the behalf of the computer, only a display of intelligence, or lack of it, by the humans.
All AI that I've ever seen is highly dubious and amounts to nothing more than basic heuristics, or gibberish. Although I can happily claim that humans give the latter all the time, we tend to perceive those humans as "non-human"... a guy telling you what his gerbil had to say about a certain place is the kind of guy you'd move down the bus away from. And the former do not describe humans at all - in fact, there are a vanishingly small number of "rules" that any particular instance of a human will follow blindly every time. And en-masse, we're even more dumb.
I hate the focus on "AI". We don't have it. We don't have anything on the horizon near it. And we've been doing and saying the same things for nearly a hundred years, if not more. We're not even close. We can do interesting things, we can automate machines to a high degree and we can have them do some wonderfully difficult work a lot quicker than we ever could (e.g. in the computer vision areas, etc.), but there's not a peep, not a glimpse, not a sign, of any real "intelligence" that I've ever seen.
Which makes me wonder, sometimes, if there's more than just a "complexity" problem to be solved to approach AI... whether there's some inherent physical process or characteristic that inserts enough "illogical" or random elements into the physics to make everything just that bit more capable of breaking from logic and rules and into decisions and intelligence. I'd place my bets on something quantum, personally.
And the bit that really annoys me? It takes a human baby several years of constant, intense, personally-focused training to get close to mastering the baby-end of intelligence. Yet every AI project I've seen tends to be a year or two old at the most - usually just long enough to write a paper, get your doctorate and then flee before someone asks you to do any more on it. And the computer systems we have don't even approach the complexity of the human brain, nor its genetic "bootstrap" headstart on being successful at forming intelligence quickly from a blank slate.
Start an AI project that is intended to run continuously and last 100 years, using the most powerful hardware available, which we train constantly in the same intense amounts of data and detail as we could a baby. Then we might approach something akin to a three-year-old. It's no wonder we've got nowhere with it so far.
Frankly (haha!), most franking machines are a pain in the butt. Everywhere I've used one it still dials up over PPP to top-up and you can happily top-up hundreds of pounds each time (I believe it just gets invoiced, but I don't really care).
The ink-cost alone is probably wiping out a lot of the savings of franking mail, not to mention the hassle of keeping analogue lines around, or buying the state-of-the-art Ethernet ones and supplying power/sockets/Internet to them.
To be honest, the largest use of them I see is to print pretty postmarks, not to save any money. And it's one hell of an expensive post-mark when the inks are nothing but an old HP deskjet cartridge with some knobs on to stop you cloning them (literally, I recognise the casing / head layout).
If I ran my own company, I'd say sod it and go to CostCo and bulk-buy stamps and stick them on. By the time you pee about weighing the item, feeding it through, correcting paper jams, replacing inks, topping up, etc. you might as well just lick a stamp.
And if urban myth is correct, bulk-buying of stamps is a good way to beat inflation...
Re: As someone still running Windows XP x64 ...
Despite the fact that, only last year, I did move my previous employer (a large independent school) from XP (32-bit!), Server 2003, Office 2003 to 8, Server 2012R2, Office 2013 - I can't agree with you here.
We threw it onto every PC, every client. In fact, I had one image whereas with XP I'd needed several (CPU architecture differences, etc.). I set up the image with 8 with Classic Shell, and to be honest it was pretty indistinguishable. All software ran - over 200 pieces of it - apart from a single 1990's-era Quicktime-based heap of educational junk that had never been updated and the company went bust years ago - which still ran, but crashed on a certain function. All hardware was supported (did not install a SINGLE driver across a network of 200 machines, all booted from the same PXE image) - I deleted 5Gb of old XP drivers that I'd needed for the same machines!
It all worked. And, with the fudginess of the XP-backwards compatibility, imaging and network setup, there were speed IMPROVEMENTS to running 8. Things felt, and were, faster. XP - for instance - didn't have AHCI drivers for quite a lot of our hardware and we were running in IDE mode.
We held off for ever until we couldn't hold off no more. And, single-handedly, I deployed a network of it after managing the same network on XP for many years. In one school summer (six weeks). There was nothing wrong with it. It just worked. Things just ran. And Windows looked like Windows (all Metro apps were uninstalled, for instance). On the same hardware.
I don't quite know what you're holding off against, though I admit I held a huge amount of scepticism on my own part. To be honest, if we had needed XP for anything, I'd have virtualised it on PXE-deployed images, the transition was just that easy. That's how you're going to have to do it eventually, and if you use Linux underneath the VM, nobody will care - and I quite understand that kind of philosophy. But XP x64 on raw hardware? Give in, mate. At least just throw it inside a VM and admit the usage - you like the interface, not the OS running your machine - VM it and put a modern OS (any OS, even a thin-hypervisor) on the actual hardware and save yourself an awful lot of hassle. And then no disk-sector issues forever more.
Though I'm not the kind of person to dive into anything early (hell, I'm a Slackware guy and the above network had at least two Slackware servers!), there's really no reason to hold back on newer Windows except paranoia. You're used to configuring XP, get used to configuring 8 to the same depth and all the stuff you don't like about it can be turned off.
In fact, I'm about to do the same again for another independent school - same kind of size, but coming from 7. They were 8-fearers who'd even had a failed 8-trial - until they saw my 8 image. This summer I'm redoing every 7 PC to 8. We have no software that demands 8, and we have licensing which means that it costs no more to deploy 8 than to deploy 7 - but the fact that we stay on supported configurations with a long lifetime and, more importantly, a lot of new features (some of which we switch off, like Metro, of course) for basically zero downsides means that it's not an issue. And our banks are starting to make noises towards only supporting the smartcard readers on 8, and various educational suppliers debating similar.
XP was great. I used it myself for years. I'm on 7 at home. But I do most of my real work in VM's of various OS. The fact is that the base OS does not matter anymore. If you're a home user, VMWare is free. If you're an 8 user, you have Hyper-V for free - or you can just use the free Hyper-V hypervisor on the bare hardware. If you're commercial, the cost of a hypervisor software is either free (with Server editions) or lost in the noise of any upgrade.
Bite the bullet, put your hardware on something recent. Stop making problems for yourself. And admit that what you like about XP is the GUI and the working pattern. Not the OS.
I don't need any more platforms. I do not struggle to access the content available for the prices it's available for.
What gets my goat is that the content either isn't available, or I'm not prepared to pay that much for it.
I pay for cable-TV with my broadband and phone. That gives me several hundred channels of junk, that I don't really watch. To be honest, my girlfriend and I lived for four years without a TV, and barely noticed, and let's face it - a landline is optional nowadays. So really we both know that 2/3rds of what we pay for is wasted, but it still turns out to be a reasonable deal for our broadband connection. We never press the red button, and I think we bought a pay-for movie once (and it crashed halfway and wouldn't let us resume it, but that's probably just fluke).
We have FreeviewHD. It shows the same stuff as cable but isn't interactive, doesn't offer Pay-TV, etc. Not that we use either of those features, but given that both are plugged into the telly, we default to the one that gives us more channels/features. We also have FreeSat plugged into the TV. We use it so much, I moved the dish to point at an Italian satellite for my girlfriend (and we don't watch that either).
Over and above that, we use BBC iPlayer and 4oD's YouTube channels for anything that we've missed and need to watch. That's rare. We had Amazon Prime for the trial month. We watched four old junk movies and then I stopped the payment on it before it went live. If I'm honest, I benefited more from the free delivery on Amazon than I did the streaming/on-demand/pay-TV even with hundreds of free TV/movies on it.
But yet, I still can't get some old comedies on DVD anywhere. They just don't exist. Try to find "The Two of Us". Yes, you might have hated it but I will spend money to find it... I have Series 1 on DVD after waiting - what - 25 years? Series 2 has never come out. It was the same for Just Good Friends - Series 1 and 2 on DVD only after 20+ years. Series 3 came out nearly 10 years later. And that's stuff just sitting in archives, that's been digitised already (they show it on Freeview/cable etc.), that they could sell to me today on just about any format they liked. Apparently, they're not interested in that.
But they like to try to sell me the latest Disney movie on every format possible for basically the same cost as a Disney DVD (i.e. ludicrously expensive) with copy-protection coming out of its ears, even 30 years after its initial release. I honestly couldn't care less about that.
We've solved the "access method" problems. We've solved the "payment method" problems (everything from a small monthly payment for lots of content to one-off payments for purchases and rentals). Now can we get something worth buying?
I'm honestly this close to just upping my broadband connection and turning off the TV. I wouldn't pirate (that would imply that there was something worth watching/stealing), but I'd get more value out of it.
Until then, I just trawl bootsales for DVD copies of movies I want to watch. It's served me well, but I'm hardly a cheapskate. I just begrudge a movie costing more than the meal I eat in front of it for four people.
Truecrypt isn't Windows-only.
If it's anything like Bing Translate, they can keep it.
My Italian friends are frequently in hysterics at the translations it gives of quite simple Italian phrases - not just bad grammar, but totally inverting the meaning of the sentence or failing altogether to translate words that a quick Google pops up the English for in seconds. Unfortunately, the Facebook default is Bing (wonder how much that cost them).
We only use Google Translate: not perfect, obviously struggles on local dialect words and things like that, but at least you can get the gist of a post. Wouldn't want to think what the average speech recognition accuracy would add to the error margins on Bing... you have to remember that a 90% recognition rate on a translation tool that's 90% right is actually giving an overall accuracy of 81%. And, to be honest, I've never got any voice recognition tool to work well enough to justify it... Siri just completely blanked me just now, then didn't understand me, then finally realised I asked for a web search, then from "furry dice" managed to get "-". And then went off to Google "-".
Sorry, voice just isn't there. It wasn't there 20 years ago, it's not there now.
Then setup what you would if your whole ISP was IPv4.
There's an IPv4 address SET ASIDE for automatic, on-the-fly, ISP-independent, 6-to-4 translation. You just set up your local equipment, then make the last link in the chain go through 6-to-4 and it talks IPv4 only. That's it.
Personally, my stuff is all using IPv6 anyway. My host is Tagadab (part of Claranet), they do cheap VPS and servers and every one gets 5 IPv4's and as many IPv6's as you like. You click a button, your server gets an IPv6 allocated and routed to you. It's that quick.
Given that every mobile operator in the world is using IPv6 by now (they have to if they want to support the latest standards), your ISP not keeping up is pretty poor show.
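The 6to4 mapping the post describes, as an added example that is not part of the original comment: a site's public IPv4 address is embedded into a 2002::/16 prefix, and packets for native IPv6 destinations are tunnelled to the reserved anycast relay (RFC 3068, later deprecated by RFC 7526, so treat the relay as legacy). The sample IPv4 addresses are constructed; the RFC 1918 check is there because a NATed endpoint cannot be reached by the relay.

```python
import ipaddress

# Constants from the 6to4 specification (RFC 3056 / RFC 3068).
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")

# 6to4 cannot work from behind NAT: the relay must reach the tunnel endpoint.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sixto4_prefix(public_v4: str) -> ipaddress.IPv6Network:
    """Derive the /48 that 6to4 gives a site from its public IPv4 address."""
    v4 = ipaddress.IPv4Address(public_v4)
    if v4.is_loopback or any(v4 in net for net in RFC1918):
        raise ValueError(f"{v4} is not a routable tunnel endpoint for 6to4")
    # 2002:AABB:CCDD::/48 where AA.BB.CC.DD is the IPv4 address.
    v6_int = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((v6_int, 48))


def sixto4_address(public_v4: str, subnet: int, interface_id: int) -> ipaddress.IPv6Address:
    """Build a host address: 2002:<v4>:<16-bit subnet>:<64-bit interface id>."""
    if not 0 <= subnet <= 0xFFFF:
        raise ValueError("subnet must fit in 16 bits")
    if not 0 <= interface_id < (1 << 64):
        raise ValueError("interface id must fit in 64 bits")
    net = sixto4_prefix(public_v4)
    return ipaddress.IPv6Address(int(net.network_address) | (subnet << 64) | interface_id)


def embedded_ipv4(v6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 tunnel endpoint from a 6to4 address (what a relay does)."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIXTO4_PREFIX:
        raise ValueError(f"{addr} is not a 6to4 address")
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def next_hop_v4(dst_v6: str) -> ipaddress.IPv4Address:
    """Where the encapsulated packet is sent: straight to another 6to4 site,
    or to the anycast relay for native IPv6 destinations."""
    addr = ipaddress.IPv6Address(dst_v6)
    if addr in SIXTO4_PREFIX:
        return embedded_ipv4(dst_v6)
    return SIXTO4_RELAY_ANYCAST


if __name__ == "__main__":
    # Constructed sample: documentation address 192.0.2.1 as the public endpoint.
    print(sixto4_prefix("192.0.2.1"))              # 2002:c000:201::/48
    print(sixto4_address("192.0.2.1", 1, 1))       # 2002:c000:201:1::1
    print(next_hop_v4("2001:db8::1"))              # 192.88.99.1 (relay)
    print(next_hop_v4("2002:c000:201:1::1"))       # 192.0.2.1 (direct)
```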
Re: I'm invoking my rule again @Lee D
Actually, basically all GMail SMTP traffic and Google search comes in and out on IPv6. I'm sure if you switched off GMail and Google for your users they'd be up in arms so, just on its own, that's a fair chunk.
Lots of mobile networks and protocols are IPv6-only - you'll see a ton of iPhone/iPad access if you switch it on.
Apart from that, it RELIES ON WEBSITES TO DEPLOY IT FIRST, which is exactly my concern. It's like those old banking websites that used to tell you that Firefox isn't supported because "nobody uses it to access our website"... of course not, you morons - how can you access a website that specifically does not support Firefox in the first place?
IPv6 isn't going away. And it's literally a day or two's work to turn it on for your main public-facing services (enable it, add entries in firewalls and configurations for it - THEY ALL SUPPORT IT ALREADY - stick entries in your DNS for it, and you'll spot that google's DNS, SMTP and HTTP servers instantly start talking to you over IPv6).
I'm invoking my rule again
dig AAAA theregister.co.uk - no result.
dig AAAA myworkservers - full set of AAAA records with all services IPv6-enabled
dig AAAA mypersonalwebsite - full set of AAAA records with all services IPv6-enabled, that's been like that for about 3 years now.
Sorry, Reg, but until you just ring up your host and get them to add IPv6 and run a webserver that was written this century to support IPv6, you really have NO place telling us how to deploy IPv6.
I've been working in IT for schools exclusively for the last 15 years.
I've not been in a school that, now, does not have iPads or some form of tablets.
The educational value - that's a different question which I'm not able to answer without seeming like I "know better" than scores of qualified teachers (of which I'm not one). But then, on that basis, you can also include interactive whiteboards, vast portions of the curriculum, banks of laptops and netbooks, a multitude of online resources, the whole "ICT" curriculum (notice the C, that's a giveaway as to the content of the course, vs just IT - the C stands for Communication officially, but unofficially it stands for "computing", i.e. how to use Word and click on files), the existence of teaching assistants and all kinds of things before you worry about things like iPads/tablets that are visibly used almost every day.
Sure, there aren't many schools outside the independent sector that allocate iPads in the ratio of one per child, but there are very, very, very few schools without at least a bank or two of them. And I've worked in several independent schools that are, literally, putting them on the uniform list - i.e. the child is required to have them with them in order to attend school, whether supplied by the school or by the child's parents. The state secondary sector is swarming with iPads, Learnpads, Android tablets, Windows Surface tablets, you name it. The last Academy I worked in, in a notoriously poor borough of London, had two banks of iPads, one of netbooks, and about 8 IT suites (two of them Mac). It was run, for many years, by one IT guy who basically detested iPads. Try doing that without proper management.
Fad, yes, possibly. But so were in-class voting systems, electronic microscopes, interactive whiteboards, netbooks, VLE's, and lots of others. All of them still sell, all of them get into schools, and some of them become virtually compulsory (I've yet to witness a class teacher interview in the last ten years that did NOT include a section in front of an interactive whiteboard with the teacher supplying the content in electronic format - plays merry hell for IT unless they use the de facto standard SmartBoard software. The new one is to bring your own iPad and AirPlay your screen to the interactive whiteboard).
Honestly, before you stab a guess, go find your kid's school's IT guy and ask them. Or just visit their website. And if you don't have kids, go attend BETT next time it's on at Excel, and see what's being sold to schools - if you get 10 feet through the door without seeing an iPad, I'll be impressed.
Cost? A tiny primary school in London would happily spend £20-30k on a bank of laptops 10 years ago. You think they care about doing so with iPads if they can tell parents (who are MAD KEEN on hearing "iPad" when it comes to their children's education) about it?
You can question it all you like, just ask someone who works in IT in schools. The tablet-to-pupil ratio is fast becoming greater than the PC-to-pupil ratio, and in at least half the schools I've ever worked (especially the ones that have become Academies) they actually are already there. That's one of the reasons that the VLE's are selling so well, because they are generally platform-independent and the kids can access them on PC's or iPads, from home or in-school.
I suggest if you want to know the truth, you go look into actual, real schools. My daughter's nursery, in the back end of nowhere in Cornwall, has iPads for her use. She knew how to use them because she had a Nexus at age 4. I'm a very, very traditionalist parent, I'd throw all electronics out if I actually ran a school (and now, please consider my career as stated above) except in IT-specific lessons, but I won't hinder my daughter by pretending schools don't have this kit and won't be using it with her anyway - this is what she's going to grow up with, pervasive as hell.
I'll be shocked if you can find me a state-school nursery classroom that does not have an interactive whiteboard, at least one PC (probably more in nursery as they usually have standalone for keyboard-bashing by the kids), site-wide wireless, and access to a bookable class-bank of tablets (of one brand or another).
Or, say, those schools with thousands of iPads nowadays that need some kind of management.
Sorry, I'm not an Apple fan (never owned an Apple product in my life, personally, but have managed a few). But if you're going to manage Apple-based tablets, an Apple-based server is the best idea. Same as if you're going to manage a thousand Windows machines - you don't want to be faffing about trying to do it via Samba unless you really have to (and, no, not particularly a Microsoft fan either... again, never bought an MS product in my life but have managed many thousands of them). I'm a Linux guy, personally.
The setup I inherited from my predecessor is Apple MDM controlling iPads with a Windows network, both tied together nicely. And Cisco Meraki switches/wireless takes off a lot of MDM burden too.
Given the choice, I'd throw them all in the bin personally (I deployed Google Apps For Education-managed Android tablets in my previous school, they worked wonderfully), but my job involves managing them, and the schools love iPads for the apps and AirPlay streaming video to their Windows-based interactive whiteboards, if nothing else. As such, I'm quite happy to have an Apple product managing other Apple products rather than some improvised half-baked scheme that tries to compensate.
Sorry, but everywhere I've worked, the unanimous decision has been to turn off anything even approaching Live Tiles. In fact, we uninstall the apps (which is easier said than done for a lot of them).
We don't want every desktop running off to download weather updates and animate the desktop - we got rid of that junk back in the days of Active Desktop for the same reason (if you can't see the similarity between Metro and Active Desktop, I suggest you look again).
Users ask me to turn off tiles. So I turn them all off and the tech ones are free to reinstall / reshow whatever they want. I've yet to see someone with anything but a "quick-launch" desktop of what they deem to be their most used apps, not what Windows Tiles want to throw at you.
If I were getting complaints from users about WANTING to have this stuff, I'd be forced to change it quite quickly. The opposite is true and workplaces that were putting off 8-deployment because of tests went onto it when they saw my "cut-down" version that was still 8, but without all the junk.
I spend months testing these things before I roll them out. And I'm still yet to see why a Finance app or a Weather widget is at all useful to the average user. Hell, even the Metro "versions" of things like Chrome and IE are pretty inferior to the real product. People, in general, just don't care about Metro. And, so, I'm forced to follow the majority.
Just be thankful that I do push them by making 8 work rather than letting them linger on 7 or even - in some cases I've seen - XP.
TIFKAM isn't hard to learn. It's just not as productive for me as a piece of freeware.
Hell, with Classic Shell, I can even remove the side-crap on the Windows menu, change the Start button to the company logo, whatever I like.
And it works quick, smooth, easy, ADMX-configurable, MSI-deployable... literally in the time it took me to "learn" Metro, I had deployed an alternative that saved myself - and any of my users - from ever needing to.
New != progress. And I fail to see anything that Metro does "better" than the old-fashioned interface and a properly configured start menu (which we can do now that we can turn every damn option on it off whenever we like, site-wide, in a matter of seconds - even down to the order of things in the menu).
Even if we're all wrong and it's just a fad and we all end up on Metro - fact is, I've put off that "training" for another year, i.e. another budget, and provided a much smoother transition than MS ever did for my users... and it's under my control and on my schedule.
Re: RNG at Camelot
It was built into the prior generation of CPU's
VIA chips have had them for years.
Intel incorporated quantum effects into their hardware RNG's.
Nobody really used them.
They stopped making them chip features.
If you missed this entire section of history, maybe you should keep up. It wasn't that long ago.
I had this with WStore once
My boss was negotiating a big deal for network hardware with them, and they seemed to be quite good by all accounts.
Next thing I know, my boss forwarded me an email he'd got: The people at WStore had been doing some internal chatting about our requests for discounts etc. and had managed to CC: him into the email. They quite plainly called him an idiot (for trying to get a discount?).
So I strung them along for weeks and then when they got shirty about wanting us to finally order, I mentioned the email. The guy on the other end went VERY quiet. And then apologised and said he understood why we wouldn't be ordering etc.
I never found out if anything more happened because from the time of the email, that company was on our purchasing blacklist.
The point of open source is not that a million people are constantly reviewing your code for free.
It's that bugs like this can be found by code inspection, by anyone. As you rightly point out, this is both a positive and a negative.
But the people who claim being open-source makes something secure are idiots. Sorry, they are. Nobody with brains REALLY thinks that. The difference is, once the problem is identified *I*, *you* or anyone else could knock up a patch in minutes and distribute it to the world. And that's pretty much what happened.
If you think that open-source = security, I'm sure you also think that being honest means people won't rob you. It's the same thing.
Re: Biased at all?
"drag your finger across it"
Sounds like a security feature to me... so you don't leave behind static fingerprints that can be Gummi-Bear'ed.
I don't believe PGP, or traditional PKE, has been cracked.
But someone REALLY wants everyone off PKE lately.
And, strangely, the alternative pushed is this new-fangled perfect-forward-secrecy (only available with Elliptic Curve from what I can see with OpenSSL), that's still new, unknown and (security-wise) basically untested.
When you think the trick is being done... it's already happened.
As far as I'm concerned, until I see a documented attack that cannot have happened any other way, I'll stick with what I know works. Call me back when EC has been in worldwide deployment for a decade or two.
Last I heard, the DVLA were debating making you tell them if you've had laser surgery as they have had a number of cases of people who've had it done and then - years later - their eyesight has deteriorated below the acceptable standard again.
I'm very short-sighted. I could just about get home on foot without my glasses but it would take forever and there's no way I could drive without them. But I don't particularly want a one-way process of grinding down my own biological lenses (that we have no way to fix), especially if it could be even slightly risky or - worse - temporary.
Sorry, but given the amount of people I see every day wearing glasses, I don't think there's any reason not to carry on wearing them. There's no longer the schoolboy stigma of my generation. There's no longer only the hideous NHS designs. There's enough products to choose (from 1-day-contacts to full glasses). There's enough competition. You can even order online if you have a vaguely recent prescription.
For the moment, I'll just stick with glasses. They rarely get in the way of my life.
One thing GUARANTEED to make me steer clear of a company...
When they try to put the kibosh on negative opinions of their services.
As far as I'm concerned, an attempt to silence a complaint (rather than just respond to it, prove it's untrue, etc.) is worth at least 100 unqualified negative complaints.
What don't you want me to know so bad that you want to pursue this and spend that much money on silencing rather than, for example, just saying "We don't believe the comments on that website are true, we have a complaints process with which we're happy to deal with those concerns raised"?
And I don't really care if it IS your competitor hosting the site. So long as what is on it has a modicum of truth (if it doesn't you can sue their asses off for slander etc.), how does that make any difference? If your competitors can say enough that's true about you to make you run to the courts to get them silenced, I think I'd rather use your competitors instead of you.
Fabulously customisable, runs on Windows or Linux, ties into AD, does full inventory and really powerful scripting/rules to promote / hand-off tickets.
And, er... let's just take my scenario again.
A web server has to boot at startup. It has to read wherever you've put the key and get the PRIVATE key out of it (in order to be able to decrypt communications encrypted by the PUBLIC key that you give out to everyone and send to them as part of TLS etc.).
So then that machine, when powered on, without requiring passphrases, has enough information to boot, log in at the service account user (e.g. "httpd" or equivalent), read the keystore and get the PRIVATE key out of it.
Game over. It might be more tricky but still game over. Encryption is useless if you're storing the credentials on the same disk and you are booting from it without supplying external information (e.g. dongle, manual login, etc.). It's either storing the key in plain text or it's storing it somewhere where it can get to using no more information than is contained on its default storage devices.
And, thus, why most OS's don't try to "obfuscate" access to it, because that's just pretending to actually be secure. Fact is, if you have enough info to boot up and decrypt SSL encrypted with your private key, you have enough information that the key is effectively plain-text.
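The argument above, as an added example that is not part of the original comment: a constructed "disk image" holds a passphrase-protected private key, and the only thing that decides whether an unattended boot is possible is whether the passphrase is also on that disk. The toy XOR keystore stands in for a passphrase-protected PEM file; the primitive is not the point, where the passphrase lives is. All paths, key bytes and the passphrase are constructed sample values.

```python
import hashlib
from typing import Dict, Optional

# Constructed sample values; not a real key or a real configuration.
SAMPLE_KEY = b"-----BEGIN CONSTRUCTED SAMPLE KEY-----\nnot-a-real-key-0123456789\n-----END-----\n"
SAMPLE_PASSPHRASE = b"correct horse battery staple"
KEY_PATH = "/etc/httpd/server.key.enc"
CONF_PATH = "/etc/httpd/keystore.conf"


def _keystream(passphrase: bytes, length: int) -> bytes:
    """Toy keystream from SHA-256(passphrase || counter); stands in for a real KDF+cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(passphrase + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def protect_key(private_key: bytes, passphrase: bytes) -> bytes:
    """'Encrypt' the key under the passphrase (XOR with the keystream)."""
    ks = _keystream(passphrase, len(private_key))
    return bytes(a ^ b for a, b in zip(private_key, ks))


unprotect_key = protect_key  # XOR with the same keystream undoes it


def make_disk(private_key: bytes, passphrase: bytes, passphrase_on_disk: bool) -> Dict[str, bytes]:
    """Constructed disk image as a dict of path -> file contents."""
    disk = {KEY_PATH: protect_key(private_key, passphrase)}
    if passphrase_on_disk:
        # The common shortcut so the service starts without a human present.
        disk[CONF_PATH] = b"passphrase=" + passphrase
    return disk


def boot_web_server(disk: Dict[str, bytes], external_secret: Optional[bytes] = None) -> bytes:
    """What the service account does at startup: obtain the passphrase, then
    recover the private key so it can complete TLS handshakes.

    external_secret models information that is NOT on the disk (an operator
    typing the passphrase, a dongle, a TPM-released secret)."""
    if external_secret is not None:
        passphrase = external_secret
    else:
        conf = disk.get(CONF_PATH)
        if conf is None:
            raise RuntimeError("unattended boot impossible: no passphrase on disk")
        passphrase = conf.split(b"=", 1)[1]
    return unprotect_key(disk[KEY_PATH], passphrase)


def offline_recovery(disk: Dict[str, bytes]) -> Optional[bytes]:
    """Whoever holds a copy of the disk (lost drive, backup tape, VM image)
    can repeat the boot sequence using only what the disk contains. Returns
    the key if the disk is self-sufficient, None if external input was needed."""
    try:
        return boot_web_server(disk)
    except RuntimeError:
        return None


if __name__ == "__main__":
    unattended = make_disk(SAMPLE_KEY, SAMPLE_PASSPHRASE, passphrase_on_disk=True)
    attended = make_disk(SAMPLE_KEY, SAMPLE_PASSPHRASE, passphrase_on_disk=False)
    print("passphrase on disk  -> key recoverable from disk alone:",
          offline_recovery(unattended) == SAMPLE_KEY)     # True
    print("passphrase external -> key recoverable from disk alone:",
          offline_recovery(attended) is not None)         # False
```

The check a practitioner would run against a real server is the same shape: if the service starts cleanly after a reboot with nobody at the console and no external key release, the private key is effectively plaintext to anyone who can copy the disk.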