Learn to say “No”

Users consider their needs top priority. Not only that, but when they pick up the phone or press the send button of their email client, they demand immediate service. System Administrators on the other hand are trained (over time) to objectively distinguish between real emergencies (threats to the organization’s business operation if not dealt with) and the rest.

So whenever an urgent situation arises, step back and ask yourself:

– Urgent for whom?
– Why is this urgent?
– Is there a process missing here??

These are important questions, especially if there exists no process covering the situation. Organizations have written workflows that define processes, but operate on the evolution of those rules which are mostly undocumented. If you identify a missing process, your reaction to the matter will create a process, no matter what. Solve the problem as a fireman and you have just created a process with your name hardcoded in it. Not your team, your name. People will look for you.

Identify that it is about a missing process problem that needs to be fixed and everybody will promise to you that it will be dealt with. Only it will not. The next time it arises, they will come back to you, because you did it the first time and now you are (informally) in charge of “those things”.

This is neither good for you nor for your employer. So the need to say “No, I will not fix that this way. Create a process and I will” arises. It is to the benefit of your employer to do so. It makes certain that for this particular situation they are not depended from a single person (you). It also protects your time, weekends and vacation. Explain this to upper management. Learn to say “No” in a productive way. Make sure this is not misunderstood as BOFHiness from your part. Put a price tag on what it means not doing it the formal way.

As a System Administrator you do not only manage the computers in your organization. You manage the people using them too. You manage human-computer systems. And whenever there is a void in the workflow, you need to do your best to create a process. Otherwise it will be created without your intervention. You do not want that. You are the System manager.

Eliminating unnecessary processes is part of the job too, but this is maybe for another blog post.

Μπουρμπουληθρόνερο

Τώρα που έχω το γκάτζετ το καλό για μπουρμπουλήθρες (μοιάζει με ηλεκτρική ξυριστική της Φίλιπς με τρεις κεφαλές) ξέρει κανείς πως φτιάχνουμε αξιοπρεπές μπουρμπουληθρόνερο;

Update: Ο Clechuck προτείνει: Δύο μέρη υγρό για πιάτα, δύο μέρη γλυκερίνη από το φαρμακείο και ένα μέρος νερό.

ΤΖΩΤΖΙΟΥ mode on

Χρειάστηκε να πάμε τον Χ. στο νοσοκομείο για να τον δει παιδίατρος (όχι κάτι σοβαρό τελικά). Στην επιστροφή προς το σπίτι πήραμε ένα παιχνίδι στον Θ. από το ELC.

Θ: Μαμά, πολύ καλός ο γιατρός που πήγατε τον Χ.

Και την επόμενη μέρα:

Θ: Πότε θα πάμε την Κ. στο γιατρό;

(Inspired by: Οικογενειακές ιστορίες των ΤΖΩΤΖΙΟΥ)

Operation Haystack

Thanks to epubBooks, I got to read Frank Herbert‘s “Operation Haystack” on my BeBook Mini. First published in 1959, in its 22 pages one can find stuff that will later show up fully developed in “Dune“, like deep politics (with plots within plots), a Bene Gesserit like formation and even nomads. And all the action taking place in less than 48 hours!

cashier

Flatland: A Romance of Many Dimensions

Το “Flatland” έχει ξαναφερθεί στο blog. Με χαρά διαπιστώνω πως υπάρχουν δύο εκδόσεις online στο Project Gutenberg και μία στο epubBooks.

disconnected

These days I am trying to disconnect (from a lot of things, not just from the Net).

(→)

“Information wants to be free”

“But such is the irresistible nature of truth, that all it asks, -and all it wants,- is the liberty of appearing”

Written in 1791 by Thomas Paine.

WorldWideWeb – Executive Summary

In August 6, 1991 Tim Berners-Lee posted his “WorldWideWeb – Executive Summary” on the USENET.

Five Theses on Security Protocols

Inspired by recent discussion, these are my theses, which I hereby nail upon the virtual church door:

1 If you can do an online check for the validity of a key, there is no need for a long-lived signed certificate, since you could simply ask a database in real time whether the holder of the key is authorized to perform some action. The signed certificate is completely superfluous.

If you can’t do an online check, you have no practical form of revocation, so a long-lived signed certificate is unacceptable anyway.

2 A third party attestation, e.g. any certificate issued by any modern CA, is worth exactly as much as the maximum liability of the third party for mistakes. If the third party has no liability for mistakes, the certification is worth exactly nothing. All commercial CAs disclaim all liability.

An organization needs to authenticate and authorize its own users; it cannot ask some other organization with no actual liability to perform this function on its behalf. A bank has to know its own customers, the customers have to know their own bank. A company needs to know on its own that someone is allowed to reboot a machine or access a database.

3 Any security system that demands that users be “educated”, i.e. which requires that users make complicated security decisions during the course of routine work, is doomed to fail.

For example, any system which requires that users actively make sure throughout a transaction that they are giving their credentials to the correct counterparty and not to a thief who could reuse them cannot be relied on.

A perfect system is one in which no user can perform an action that gives away their own credentials, and in which no user can authorizes an action without their participation and knowledge. No system can be perfect, but that is the ideal to be sought after.

4 As a partial corollary to 3, but which requires saying on its own: If “false alarms” are routine, all alarms, including real ones, will be ignored. Any security system that produces warnings that need to be routinely ignored during the course of everyday work, and which can then be ignored by simple user action, has trained its users to be victims.

For example, the failure of a cryptographic authentication check should be rare, and should nearly always actually mean that something bad has happened, like an attempt to compromise security, and should never, ever, ever result in a user being told “oh, ignore that warning”, and should not even provide a simple UI that permits the warning to be ignored should someone advise the user to do so.

If a system produces too many false alarms to permit routine work to happen without an “ignore warning” button, the system is worthless anyway.

5 Also related to 3, but important in its own right: to quote Ian Grigg:

*** There should be one mode, and it should be secure. ***

There must not be a confusing combination of secure and insecure modes, requiring the user to actively pay attention to whether the system is secure, and to make constant active configuration choices to enforce security. There should be only one, secure mode.

The more knobs a system has, the less secure it is. It is trivial to design a system sufficiently complicated that even experts, let alone naive users, cannot figure out what the configuration means. The best systems should have virtually no knobs at all.

In the real world, bugs will be discovered in protocols, hash functions and crypto algorithms will be broken, etc., and it will be necessary to design protocols so that, subject to avoiding downgrade attacks, newer and more secure modes can and will be used as they are deployed to fix such problems. Even then, however, the user should not have to make a decision to use the newer more secure mode, it should simply happen.

Perry
—
Perry E. Metzger perry@

Posted on the cryptography mailing list at Jul 31, 2010