Advogato blog for avriettea

Hints for the email-impaired

Thu, 20 Sep 2007 20:06:44 GMT

I identified a copy of your resume this afternoon in our database and I am interested in speaking with you regarding several UNIX Admin Positions (4) I have available in the Reston/Herndon area. All of these positions are permanent full time opportunities and they are available immediately. Both my client’s are looking for people with at least 5 years of solid UNIX Admin experience. Also knowledge of Oracle and/or SQL (SQL Queries) is required for two of them. I can pay very competitively for these positions and my client’s are moving very fast on these opportunities.

First, it's "clients." I'm a snot about that, even though I'm not perfect in what I write. I do try to make sure emails I send to employers (or employees) are close to perfect if I'm asking for something.

Second, it's unlikely that you're able to "pay very competitively" if you can't immediately quantify that (or at least qualify it, like "pay very competitively for government positions in Reston/Herndon"). Sort of like the adage, "if you have to ask, you can't afford it." So, say eighty-five dollars an hour if you can pay it. If you just say "competitively," the people that might take $85/hr won't know it's that high, and the people that won't take $85/hr won't believe you.

What's the worst that can happen? Somebody actually gets paid what you budgeted for them? I mean, really, recruiters. It's not like you weren't going to ask for 1.75x whatever you pay me anyways. Why not just tell me, and try to hook me with a number instead of an empty promise?

SuSE vs Windows

Thu, 20 Sep 2007 14:05:45 GMT

I remember at Microsoft there were at least a few people who were very concerned about SuSE as competition. I am starting to believe that the reason they feared it is that SuSE is as complicated and wrong-minded about operating system design as Windows is. I bitch and moan about MacOS being hosed by default, and its documentation being poor at best, but the more I dig into this unholy alliance of Novell and SuSE the more I smell Windows.

There really doesn't seem to be "one state" of the OS in SuSE, much as in Windows and in MacOS. On the Mac, we have this hideous netinfo business mucking things up so that we cannot simply copy /etc/passwd and /etc/shadow (or master.passwd, or whatever) for example. We have also strange filesystems that magically determine where they are to be mounted, which may or may not have case sensitivity, and nobody else can read. How different is that from Novell or Windows?

One of the great benefits (and indeed great curses) of Unix is that everything is a file. This means all you really need to move files around is the shell, which is to say things that live in {,s}bin. Your friends, rsync, tar, cpio, and their less intelligent but just as potent friends, cp, mv, rm, and so on, should really be all you need. When we start referring to "directories" as magical clouds in the sky full of stuff we can't touch, can't back up, and sometimes can't even read (leaving us crippled!), rather than just a fancy kind of file, Unix fails to be what it really is: industrial strength, user-hostile, and totally understandable.

user-hostile is important, if you think about it. When we start to make operating systems friendly, people get this false sense of confidence, and all of a sudden, you've got a user who comes into your office with blood on their hands, saying, "my god! the files! they're all gone! how do I get them back??"

Unix is great because it can do stuff, not because everyone in the world can use it.

(And with respect to Apple's lying about UFS/FFS and their manpages being broken, I'm surprised nobody mentioned fsck_hfs or hfs.util. I discovered these are equally as useless, but at least they, you know, try to be more or less the right tool for the job)

When tools become obstacles

Mon, 17 Sep 2007 15:05:26 GMT

Today I sat down to write. I've been trying very hard to train myself to write when I'm not furious, or depressed, or whatever else drives me to put "pen" to "paper." So, this is significant for me. However, I spent a good amount of time yesterday formatting a manuscript for submission.

The previous agent I worked with had asked for 1.5 space, Times New Roman, left-aligned and ragged, and with only the page number in the header, specifically the top right.

Yesterday's manuscript went out double-spaced, in Courier, left-aligned, ragged, with a weird sort of "cover" for it, a rough word count, a header that included my name, the title of the manuscript, and the page number, and also that all my italics be changed to underlines. Further, all my emdashes (—) needed to be changed to double-hyphens (--) and the spaces before and after removed. Oh, and a double-space after a full stop instead of a single.

Given there's a huge difference between what I had before and what I formatted yesterday, I thought, gee, I'll write myself a Word template so I can just do that automatically. Instead, I've been wrestling with Word's autoformatting for ninety-seven minutes. It will let me auto-replace a full stop with a period-space, but not a period-space with a period-space-space. This is problematic because here in 'Merka, we use periods in numbers (and commas too!). Further, when I go to Format > Auto Format ..., it ditches all the formatting in the document, even though I'm using a goddamn template that says courier new, double space, and so on. Oh, and now it wants to show me my newlines and spaces. It's charming.

I have lost the title. I can't remember it. I know it was a good one. I've also lost Rita Sue. I know what she looks like, I can practically smell her. But I don't remember what she was doing with that gun, and I can't remember why she killed those people.

This is so aggravating. If I do manage to get any writing done today, it's going to be revisions to the manuscript from yesterday (went through a couple people I trust to "galley" it before it goes to submission), or that column on turn-based versus real-time strategy and role-playing games. Neither of these are what I wanted to write, and neither of them are the outlet that Rita Sue was/is for me.

I might also just get so fucking frustrated that I'll play Xbox games until my brain dribbles out my ears.

(if above image goes away)

When and where to lie.

Mon, 17 Sep 2007 15:05:26 GMT

It's okay to lie on your resume. There, I've said it. Now, don't go and start adding those years you spent at NASA designing thermal tiles that they never adopted, or add those publication credits to C&EN about using carbon nanotubes to fight cancer. Those kinds of things stick out and come up in job interviews.

Let's talk a little bit about lying first, and then we can talk about job interviews, which is also a crucial part of lying.

So, let me give you an example of a lie that is perfectly okay to tell on your resume, and in fact one that most people will expect you to tell (even if they tell you they don't want you to lie). The example starts with your being employed at ASNA. You're maybe second- or third-tier help desk. This doesn't mean you answer phones and read scripts to people who scream "OMG THE INTERNETS ARE DOWN." This is more like, you know how to replace hardware and actually diagnose when something is bad ram versus a bad CPU or maybe even a problem with a specific library (this is not to say "OMG WINDOWS IS TOAST REINSTALL"; rather, you understand when the DX10 drivers are kaput and need to be reinstalled, you do so, and the machine is restored to functionality).

Now, let's be real here. You're help desk. You're not a sysadmin. However, in the course of doing your job, you have to know (and you probably learned this on the job) what a subnet mask is. You have to know what IP addresses are, and you have to understand what the term "RFC 1918" means. You might even learn how to telnet to port 25 and understand what's wrong with the local mailserver.

So, here's the lie. We list on our resume:

2005 - present
ASNA, Los Angeles, California
Junior Systems Administrator
Performed maintenance tasks on defective hardware; performed basic troubleshooting of network issues and diagnosed problems with Sendmail 12. Part of a team of twelve, responsible for maintaining workstation, server, and network functionality for 350 engineers in aerospace development environment.

Well, you did that, didn't you? Sure, your boss thought you were help desk, your coworkers knew you were help desk, but because you're a good employee, and because you're a smart, upright hominid, you took it upon yourself to really learn everything you could in the environment you were in. Compare the lie to the truth:

2005 - present
ASNA, Los Angeles, California
Help Desk Technician
Repaired broken desktops, performed RMA packaging and repair to vendors HP and Dell. Reinstalled operating systems (Windows XP, Windows 2000).

The truth isn't going to get you hired anywhere. That second version isn't going to get you a raise, either. Here are the key components of making this transition:

First, your lie is not really a lie because you must have done that stuff, even if it wasn't your primary responsibility.
Second, the upright, tool using hominid in you bought hardware off ebay that was similar to the stuff in the office, or the stuff you want to use in the future, and you read every damn man page, reinstalled a bajillion times, and learned how they work. We'll get back to this in a minute.
Third, they're going to ask you what you did in your interview (and in your phone screen! be prepared for this part!). You have to know this shit cold even if it's a lie. Lies are only lies when people know they're a lie. If you lie and say it was your responsibility to build solar panels for the Mars Global Surveyor, but you know every single atom of those solar arrays, is it a lie? Who could tell? It doesn't matter. The key here is know. your. shit.

Here's the explanation most of the people I work for (who do read this), and most of the people I have worked with (who certainly do read this), and the people I will work for (who usually go digging for stuff like this), are waiting for.

Employers are so busy when they receive resumes for an open position that they can't possibly call all your previous employers (provided, you know, there are more than three or so). They just can't. So they base their entire estimate of whether they want you, and how much they're willing to pay you, on your performance in two places:

Your phone screen
1. A recruiter (if you're working with one)
2. A tech guy you'll be working with or for
3. His boss. This is usually a guy who used to be technical, but can sometimes be a complete tool, one of those guys who got into managing technical people because he managed the mailroom effectively for ten years. These guys have usually never done anything else for a living and will either be complete pricks (and thus you won't get anywhere in the phone screen unless he liked your resume — your phone screen is irrelevant if grueling and unpleasant)
4. This only really applies to government contracting. You may also get the government guy. He's usually pretty thick (this is not to say that government guys are thick, he's just busy with other stuff, and he hires contractors because he doesn't understand what you're going to be doing for him, just that the "boss" guy above says you need to be on the contract)
Your in-person interview.
1. Somebody who you'll be working with. This won't be a supervisor. They'll either be real sharp or real dopes. They know what they do for a living, and they want to make sure that you either have lots of sympathy for how hard their job is, or that you at least know what they do and can do it.
2. Somebody who is probably going to be your boss. This is probably not the mailroom guy. This is the one you absolutely, positively, cannot screw up with. Everyone else is kind of irrelevant in this process. He is the one that makes the decision. I'll get back to this guy in a minute.
3. If you're interviewing with Amazon, Google, or Microsoft, most of this stuff goes out the window. This second process, the in-person part, can last for days and include ten or more people. You should just disregard this document.

So there's a technique you need to have. Most people would call it a bluff, but I have a term I like better. Psychologist face. Imagine the dilemma of a psychologist. Let's say you're a normal-ish person (let's put aside for a moment it's not really possible to be a shrink and be normal), and you have this person sitting in your office. They say to you something like they've been having sex with their dog for a few years, and they feel the bitch (sorry) really loves them back. That it's a fulfilling relationship.

Whoa.

You're a shrink. And you can't twist up your face, leap out of your chair, and say "Oh my god, you fucking pervert! how can you DO that? And the dog? The dog loves you? Are you fucking kidding?" No, as shrinks, they have to maintain that perfect composure, look the patient in the face, and say, "You know, most people don't consider dogs to be equivalent to a human lover. I think you may be misunderstanding the dog's natural affection for you, and you are probably using the dog to fill the space in your life where most people find love and sex with other humans."

So this isn't to say that mailroom guy, or your prospective coworkers or whomever are going to tell you they have sex with their pets (although I'm pretty sure one guy I recently used to work for could only find love in the eyes of a dog). But you're going to get asked questions about your lies. Listen to me very carefully. You can't twitch. You can't stutter. You can't even say "um." Learn to use the psychologist face. When you start to speak, you need to collect your thoughts, so look at your interviewer. Furrow your brow and look thoughtful if you have to rehearse your lie in your head. Start with "Well," not with "Um,". Generally, we call this "being articulate," but for purposes of prose here, we're going to call it bluffing your way into a job you might otherwise not have gotten.

Again, you must know your stuff, absolutely cold, if you're going to lie on your resume. But frequently, it's the best (only?) way to advance in your career. Think about this for a moment. If we didn't do this on our resume, we would say that we were doing "data entry" and nobody would take us seriously for a position doing SQL reporting. It's entirely plausible however, that if you worked with a data archival company, and you were paid and titled as a data entry technician (technician!), you probably had exposure to databases. If you were diligent and thorough, you learned enough SQL and Oracle or whatever to lie your way through your next interview, to get that bump in pay and responsibility.

It logically follows that you do the same thing at the next position, and in five years you've gone from Toadie to somebody who is actually running things, even if it's only a small fiefdom or part of some dog-lover's silo.

There's one other component to this. One thing employers do tend to check (although nowhere near a hundred percent of the time) is your references. So this is how this works. Be social. Meet people. Meet them socially, rather than in the workplace. Find people that do what you want to do for a living, and make it clear to them that you understand what they do. If you manage to become friends with them, or at least casual acquaintances, they'll probably let you use them as a reference.

With respect to "employer references," which are sometimes required, you pick employers, hopefully supervisors (although we all know that we don't always leave on great terms), from older employers. Pick a supervisor who loved you when you were doing data entry (remember, he loved you because you were learning SQL and starting to help with more stuff), rather than the last guy you worked for who remembers you more acutely and knows that "systems administrator" was nowhere near your title.

Lastly, and I have CM to thank for this (and she will probably get a chuckle out of reading this), join linkedin. I'm not a real big fan of social networking sites (I've created accounts on all of them, and they all suck), but LinkedIn has this incredible benefit. You can build a resume and link to it. Not only do you build a resume, but people look at that resume (because they have an account, too), and they see that, wow, they know Doug K at Verisign, and Doug knows Amy, and thus Amy knows you (through Doug). Now, in the real world, that doesn't mean dick, and we all know that. But us hominids are social creatures, and we impart great significance to social ties. Thusly, linkedin can be an incredible tool when you're trying to portray reliability, professionalism, or whatever.

Henry says it's okay to lie. Promise.

So go on. Lie a little. I'm pretty sure everyone's doing it, and I may be the only one actually saying it. But think about that DBA you worked with a few years ago that was just about the dumbest sack of bricks you'd ever met. That guy lied to get where he was. You know he did. And you know what sucks? He lied, and he makes a lot of money. You probably didn't.

Some days you don't want to get out of bed

Tue, 11 Sep 2007 16:06:26 GMT

I wrote myself a little letter to commemorate 2002, which I spent with Dan, briefly. I've lost the letter, since, but the gist is thus: we went and saw Bryan at the columbarium at Arlington Cemetery, and it was perhaps the most intimate moment he and I have ever shared. We talked about XML, we talked about how so many people were dying in so many wars that Arlington Cemetery is being expanded. In fact, they're tearing down the barracks behind the USAF Memorial (although we didn't know this at the time).

On Friday, I received an offer letter to go work at a research institute, doing far less stressful things than I had been doing in the past (although I may get to do some red-teaming on the feds, which is always fun). They were in a hurry to get me to start. So Friday being the 7th, they wanted me to start on the tenth. Sandy came back from Cupertino this weekend, though, and while it wasn't all bucking like funnies, we certainly had no reason to check the mail, email or otherwise. I got the offer letter on Sep 10. I thought to myself, oh, well, I'll just call and we'll start tomorrow.

Oh, shit. It's that day again. Another year has gone by, and the smell of JP-8 from my apartment, the fire trucks and the gigantic hole in the Pentagon have faded. The Humvees with 240 Golfs (I don't think they were fifties, but then it was a long time ago) have gone from the city. We've really all forgotten the intensity of the moment, and what it meant (I suppose the people that perpetrated the act have also lost some of the immediacy of the act and perhaps forgotten what they were trying to achieve, instead just wreaking wanton destruction on their own people). Most of us don't live in 22202 or 22201. Maybe the rest of the world has forgotten already and it's just another "day that will live in infamy." We've got 12/7 and 9/11. But they're just days. How many people go and sit in a columbarium, or place flowers at the headstone of an eighteen-year-old on these days (you can find the ones from 12/7 at Arlington, too).

As Dan and I left Bryan's plaque at the columbarium, we didn't have much more to say. It had only been a year, and both of us were incredibly morose. A flight of Vipers flew overhead, in the missing man formation, low and incredibly loud over the 5gon. The wind picked up, and the fountain in front of us sprayed us both with a modest amount of water, but enough that we got wet. Dan looked at me, with a sort of a smile, one I don't think I'll ever understand. A smile that betrayed something of a broken heart, and at the same time of hope.

He said to me, as he removed his glasses to get the water off them, "It rained the day of Bryan's funeral." Rain, the vipers, water from the fountain. None of it is really related, but when you're reaching, when you need things to mean something, when nothing else makes sense, there's comfort in these random happen-stances. Dan, who reads this, and will probably remember as I do, probably doesn't realize that the time we shared that day was one of my most cherished with him. Time doesn't heal all wounds, but having friends like that helps a lot.

It rained viciously last night, and continues to rain today.

Well that's interesting

Tue, 28 Aug 2007 18:06:12 GMT

Other friends, say, not so for them. Emotional turmoil will slow down the writing, or change it. But, apparently, my internal world is pretty solid. It chugs along no matter what's happening in my own life. It's probably why all the people that try to make analogies between my life and Anita's always amuse, or puzzle, me. For another writer, it might be analogous, but it just isn't for me.

Laurell K. Hamilton, purveyor of fine pulp-vampire-romance-and/or-lesbian-love books, reports that her emotional state doesn't affect her writing, and further, that she has an acquaintance for whom the same is true. What I find strange is that there are people who apparently cannot write when their mood is "down", or the opposite of what they want to write. I suppose this can mean a number of things:

I'm a terrible writer and/or nothing like successful writers.
I write very dark books
I am generally in a very dark mood (along with the above point)

I generally cannot write unless I'm in a pretty foul mood (this, to a point that my wife has started treating my greeting of "I started writing again!" as a warning sign). This may be because the first thing I wanted to write was a very unpleasant book about death, war, and failure. As I look through the stack of work I've started, there's only one thing that could be considered sort of happy, and even that is a happy story about being undead.

This is irritating, primarily because my being in a foul mood negatively impacts my marriage and my work life. I tend to not say hello to people, not acknowledge hello's, work odd hours, and get sick more. But golly, I hate what I write when I sit down and force myself to write. It's the stuff that comes out after I've had a multi-hour-long nightmare or I'm recovering in the hospital that I look forward to reading. It's written better, with more, you know, feeling.

I haven't cited Charlie in a little while, but in his discussion of how Accelerando came to be, he mentions it was a particularly shitty time for him in dot-com land. One has only to read the book to realized that Manfred is generally not a happy dude, and his ex-wife Pamela are not especially happy either. Going down the line, neither Amber nor Sirhan are happy people, either (one can even bring up Sadeq and his deeply neurotic self-hatred; however one cannot discuss same without a discussion of deeply neurotic islamic self-hatred, and that's not anything I want to discuss publicly). Was such a novel — to my mind, a magnificent novel — composed when Mr. Stross was all fluffy bunnies and just-from-the-dryer socks? It seems to me, probably not.

Glasshouse was not quite so bleak. In some ways it was, in the same way that Banks' Excession was (with respect to the GCS Grey Area a/k/a Meatfucker or perhaps Use of Weapons', uh, Chair Incident). However, it lacks some of the hopelessness and shaking-fist-at-god (little g, not big G) that Accelerando had. So it seems to me that perhaps an author is somebody who was initially motivated by enough heart-or-ass-pain to sit down and pound out a few hundred pages, but when they've finished, the pain or whatever diminishes to the point that they are able to operate as an author with less of it. I know the process from page 0 all the way through finishing the book forced me to be a better writer. Perhaps it is after that point that writing something that is more classical and less about angst becomes easier, and possibly something one wants to do. It's certainly not for the money.

Cops, again

Mon, 27 Aug 2007 19:08:12 GMT

This time, the DCA Transit Police:

Listen, you and I both know your car didn't come with that loud muffler and spoiler package. I'm not going to give you a ticket today — be quiet! — but you get out of here!

I offered to drive him to the dealer. I got out of the car to pop the hood and show him that red intake manifold and intercooler that also obviously didn't come with the car. I reached for the owners manual. At all points, I was stymied. Don't you dare tell me the truth, citizen, while I'm busy slapping my nightstick across your face! Makes me sick. This and Mr. You're-Going-To-Prison make me wonder why I ever had any faith in the police at all. Not that Alexandria PD and the DC Transit police are exactly shining examples of provincial authority. It's just that I kind of expect them to try not to suck. This stupid-and-proud business is more befitting LAPD than what are ostensibly police in one of the country's oldest cities (or, indeed, the country's capitol).

Whither thine superuser?

Wed, 22 Aug 2007 19:06:40 GMT

I have recently been discussing with an employee of a company based in Cupertino the difference between "root," "super user," and "administrator" users both in general, and as they apply to MacOS X, and also to Unix. It's important to note that all three are separate. General would include the administrative users on a local Windows machine, as well as an administrator in Active Directory, in addition to the Administrator on a MacOS X box. They're all different of course. But what's been bothering me is the sort of sleight-of-hand Apple is pulling with its documentation. To whit,

Administrative Accounts
Although the root account is disabled, Mac OS X establishes an admin user account when the system is first installed. The admin user can perform most of the operations normally associated with the root user. The only thing the admin user is prevented from doing is directly adding, modifying, or deleting files in the system domain. However, an administrator can use the Installer or Software Update applications for this purpose.
Any user on the system may have administrative privileges, that is, there is no special need for an account with the name admin. Admin users gain their privileges by being added to the admin group; non-administrative users belong to the staff group. An admin user can grant administrative rights to other users of the system using the Accounts pane of System Preferences

(via) and also:

Resetting an Administrator Password

Using the Mac OS X Server installation disc, you can change the password of a user account that has administrator privileges, including the System Administrator (root or superuser) account.

(via) again.

But, as anyone can see:

The progression here is as you would see on any stock, standard installation (note: I have installed the dev kit, but I doubt that bothers /etc/sudoers). When I open a new terminal, I am the alex user. We see the % prompt, which is standard for zsh non-super-users. I issue the command sudo su -, which essentially says, "make me uid 0 (zero), and run through that user's login process [e.g., run their .profile]." We see that the machine does as I ask after I issue alex's password, not root's. This is verified by the root# prompt, where the octothorpe (#) is the standard Unix convention for "you're root, please don't fuck things up."

The next command is a little more (or less, depending on your familiarity with sudo(1) [hm, section 1 of the manual is for binaries, which is where sudo should be, but it's been stuffed into section 8, which is for miscellaneous stuff. So here, I've said (1), but it's really in (8). Behold: No entry for sudo in section 1 of the manual] ) subtle. Instead of asking sudo to become root, we ask sudo to give us a shell. Now, we see again the octothorpe, but we don't see the prompt from before, gordon:~ root# . This is because we did not run through root's login process. Root, on Darwin, is given the shell /bin/sh. This shell, which is actually bash hiding in disguise,

gordon:~ root# cksum /bin/{,ba}sh
1901100275 1068844 /bin/sh
1901100275 1068844 /bin/bash
gordon:~ root# ls -la /bin/{,ba}sh
-rwxr-xr-x 1 root wheel 1068844 Dec 13 2006 /bin/bash
-r-xr-xr-x 1 root wheel 1068844 Dec 13 2006 /bin/sh

is different from alex's shell (zsh) [hi, nate], as we can see from niutil (ordinarily, we'd use /etc/passwd, of course, but OSX has this fancy netinfo garbage that hides things like that from us):

gordon% niutil -read . /users/alex | grep shell
shell: /bin/zsh

So anyways, what we've shown is that an ordinary "Administrator" (in Apple parlance) can become the super-user quite readily. Apple's documentation states that the simple Administrator is able to change parameters on the machine (and shut it down, eject/unmount devices, and so on), but cannot, for example, see files in other users' home directories. This is not the case. At all. It's misleading at best and devious at worst to suggest that having a differentiation between uid 0 ('proper' root) and a user who is enabled in sudoers with the keys to the kingdom:

gordon% id
uid=502(alex) gid=502(alex) groups=502(alex), 81(appserveradm), 79(appserverusr), 80(admin)
gordon% for group in `groups`; do sudo grep $group /etc/sudoers ; done
%admin ALL=(ALL) ALL

That ALL keyword being of course key. Administrator users are put into /etc/sudoers with the rights to do anything they please on the machine. This means the literature, as I said, is wrong, misleading, and probably intentionally so (as Apple has kind of struggled to keep a toehold in the DoD space, which has certain strictures). As I teach a class on the STIG, I can kind of understand why they would make this fallacious logical distinction between uid 0 and "regular Administrator users," but of course, as an instructor I find it reprehensible that they blur the line so, and I have to help somebody who works with Macs understand this. Mainly by this giant rant. But that's beside the point.

Since I want to distinguish here between Apple's terminology and Unix terminology, let's continue a little here.

In Unix, we have non-zero users, and we have root. Technically, there can be more than one user with uid of zero, but this is generally frowned upon (the Seebass/Nemeth/et al book being just one to warn against this). Users with an id of zero are allowed to rape, pillage, raze, ransack, and even mount volumes on Unix machines. This is sort of the achilles heel in Unix security, and one thing that Microsoft (and recently, even Sun) have rightly attacked. We can give non-root users the ability to execute programs (typical examples being ping(1) and traceroute(1)) as root, by creating "set uid" variables. These programs, when they launch, they become the uid of whichever they're set to, including 0. They are of course security risks, and frowned upon, because as I have said, once you've become root on Unix, it's game over. That user can do anything. This is changing of late, and Unixes are starting to get ackles and arbacks and things like this. The good news is it's generally pretty hard to become root, but the rule of thumb is, once they get onto the machine, they can pretty much become root through surreptitious means with impunity. The goal is to keep them off the machine entirely.

Windows is a little different, and this is largely owed to its torrid tryst with DEC VMS. Windows also has two kinds of local users, administrators and regular users. There's finer granularity than there is with Unix (or, for that matter, MacOS X), with the ability to restrict the administrative privileges of some users to specific things (I don't have an exhaustive list; finding one would be fruitless as it changes per release). The notion, though, is that with a big, mean operating system like VMS, designed to run on gazillion-dollar, building-filling VAX machines, you want to have Joe from one department able to remove tapes (and I mean tape, like big round spools, not DDS3 or LTO) or connect/disconnect devices, but heavens to Betsy, don't let him turn the machine off, the whole company would fall over. And so on. It's worth noting that sudo kind of replicates this granularity (but of course, sudo itself has been compromised more than once, and is itself a risk).

Users can sometimes be everywhere at once, or get from one place to another with little difficulty.

The next level of user resides in a network directory. Well, usually it's on a network. It can be built on a local machine. Examples of this are LDAP and Active Directory, Kerberos, NIS and NIS+, and of course NetInfo on the Mac/NeXT machines (which is a level of abstraction Apple could be whoring up, but doesn't, I suspect, for fear of scaring sysadmins like me. I really want to be able to grep myself out of /etc/passwd, and can't with NetInfo. Or maybe they've realized that NetInfo kind of sucks and they're going to replace it with LDAP or something else sensible....). Anyways, the notion here is that I tell my machine here, let's say my laptop, that when it gets a request to authenticate, say from me, that it's going to take the tokens I gave it ("alex" and "PAssw0RD"), and hand them to some server somewhere else that tells it (the laptop) whether it's okay to permit me access to the machine, and what sort of permissions to give me (and where my home directory lives and other various and sundry things like this).

So we have this sort of "network-level" administrator, as well as the local administrator. In some of these systems, after we've told our machines they have a network directory of users, they disallow local logins, including the ever ebullient Macintosh. If you join a Mac to Active Directory, only an administrator in AD can actually un-join it because it is (properly) refusing to allow somebody to circumvent the permissions in the network directory (although this, too, is get-around-able).

Network directories are applicable to every kind of operating system I've ever worked with, and have evolved from the days of Cutler and Knuth and all those old farts to the current, sexier, more complicated, but still vulnerable systems. Basically, the new ones have GUIs, and the old ones didn't.

But none of this forgives Apple. Apple has distinguished between a super-user and a super-user by a trick of vocabulary, and it unnecessarily confuses their users and ostensibly their employees. It isn't hard to say "users on the box with admin privileges are root, they own it, etc", but it kind of makes it sound dire to give a user Admin privileges. I'll finish this somewhat longish rant on privileges with an anecdote.

I was teaching a course in Virginia Beach when a Navy sysadmin of twenty years kind of raised his hand and suggested to me as I was giving roughly the above lecture, "You know, you paint kind of a dire picture. Is it really that bad?"

Yes. It's that bad. Your box is probably owned. You probably did it. And if it isn't, it will be. And, it will be because you didn't understand your own permissions model, probably because your software vendors have so confused the issues you can't understand how to securely and safely administer your machine.

A translation for the rest of the world:

Mon, 20 Aug 2007 17:05:48 GMT

Prosecution: We are invoking the DMCA because this man has used surreptitious means to defeat our software and defraud companies of $largesum.

Defense: You are invoking the DMCA because it's cheaper than admitting your "copy protection" amounted to leaving your house key in your mailbox and was cheaper than engineering a proper (and complicated, and expensive) intellectual property protection package. What you had sucked, I showed you that, and by the way, I do own what is on my computer (this is why the Party Van can come get me if they find loli/cp/jb on my computer – it's my cp).

"legally murky waters" indeed.

(via)

Teaching with emphasis

Sun, 19 Aug 2007 22:04:59 GMT

Computational Science Research Assistant Professor
The Computational Materials Science Center seeks a highly qualified computational scientist. The computational scientist will be responsible for design, implementation, and maintenance of data mining and knowledge discovery tools for chemical structure, chemical compounds and properties databases.

The ideal candidate will have an advanced degree in computer science or a Ph.D. in a chemistry-related discipline with significant computational experience, including machine-learning methods, database management and Web interfaces. Experience in cheminformatics, chemical database formats and chemical structure analysis is a plus.

Applications will be received continuously until the position is filled. Qualified candidates should send their CV containing a detailed description of their computational skills, relevant computational work done, list of publications and contact information for three references. Applications should be entered online at http://jobs.gmu.edu by selecting "Computational Materials Science Center" in the department menu.
The position is for two years. Salary will be commensurate with experience, but will not include benefits.

What the fuck, people? This position isn't going to pay more than $85,000 a year. In fact, that's probably the high end of the range, with $65,000 being the bottom. Yet, the position is for an assistant professorship. You're a lackey. For two years. With no benefits. They want somebody highly qualified, which is reasonable, given what they're doing, but they're asking for such a specific skill set that they can't possibly get anyone less than either a doctorate (they do suggest this) or twenty plus years in both chemistry and computer science. Somebody who's going to know Lisp, data architecture, probably filesystem mechanics, and who also understands the chemistry industry from an extremely technical point of view.

Are they looking for somebody retired? Are they looking for somebody who has all these skills but who, for some reason, is unable to pull down the $150k they'd make elsewhere? I really fail to see how anyone could want this position. I mean, sure, they'll probably do great stuff, but being a toady, losing your funding in two years, and "your" work actually being the work of the tenured prick who you actually work for.

They're a good university. I've said before, and I'm sure I'll say it again: I love teaching, but holy cow is the pay shit. The more I look for a teaching position these days, the more I also find that they have a wholly unrealistic impression of the candidate base (or they're raping grad students; equally possible), and they're not really interested in doing anything but rubbing their academic squishy bits against themselves.

They have so many positions that are assistants to assistants to the semi-provost of the director of human information definition center. I mean, shit that just makes my mind boggle. There are no, as far as I can see, positions that look like:

Instructor, Undergraduate, Programming

Masters degree or ten years industry experience preferred, in addition to pre-vetting by tenured staff of computer science department. Must be able to teach C, Java, and Lisp from provided materials. Additionally, incumbent will be expected to create curricula as required. Strong familiarity with Unix, Windows, and other operating systems required, as well as the ability to teach from any of the above platforms.

Certifications from professional organizations, such as the CISSP or RHCE, will be considered as qualifications and favored on submitted curricula vitae, however interviews with faculty and teaching ability will be given higher preference in hiring.

Now, that looks a lot more like an industry posting than one of these stupid academic postings, and I'm not really sure where the discrepancy comes from. Given it's a teaching position, I'd expect something like $62-97k, depending on experience, for the position. And it would be a full professorship, with tenure at ten or fifteen years. And for heavens' sake, fucking health insurance and life insurance for the new prof.

So, what in the hell is wrong with academia that they can't figure out how to hire people or even train them? We get a new MA or PhD or even just somebody with an AA, and it takes them four fucking years before they're worth a shit. And yet, academia wants more of the same academic fuckers that created the useless twits coming out of colleges today. Seems to me if academia started looking for the people that were, you know, already spun up, that they might be able to produce students who were more useful.

btw, hi Cheryl.