Friday, February 21, 2014

Tech Job Postings are Funny! Post 1

I get a lot of recruiters emailing me and I get job postings in my RSS feeds.  Many of these postings are unintentionally funny, some are downright embarrassing, and some just leak a lot of information about a company.

I've decided to start posting some of these with commentary.  The one that finally made this decision for me is from . A copy can be found here. I've added bold for emphasis.

The almost certainly illegal and super ageist posting title is what caught my eye: "Systems Engineer - AWS Simple Storage Service (S3) -University Candidate: May 2014 Grads Only".

It was the wonderful non sequitur requirements for job experience that really hooked me.

  • Experience running and maintaining a 24x7 Internet-oriented production environment, preferably across multiple data centers, involving (preferably) at least hundreds of machines.
  • Demonstrable expertise around specifying, designing, and/or implementing system health, performance monitoring tools, and software management tools for 24x7 environments.
  • Experience with very large distributed systems such as multi-terabyte storage farms, and/or horizontally scaled request processing fleets

Sure, there are plenty of 2014 grads with expertise in the book sense, and maybe some even in a more practical sense, but really, how does a grad get to a place where their college and work lives intersect with a large 24x7 operation? Maybe I need to open my mind. Maybe Amazon wants a 12th-year senior who has been working in enterprise architecture while going to school at night? That eliminates the ageism too!!

Sunday, February 9, 2014

Will Satya Nadella Save the Internet on April 8th 2014?

If you have worked for Microsoft, or any huge company, this will be no surprise; Microsoft has many groups working against each other, or at least spending dollars in one department that could save or make millions in another. It’s not easy to align everything in a large company, especially when it has been run by the worst CEO in America for so long. Microsoft is regularly in the news “shutting down botnets” and doing other great pro-bono work to make the web safer. I applaud this!

Yet, in the core operating systems orgs, they have let Windows XP, still the second most used desktop OS, lag behind in security and will stop issuing patches in April of 2014.  There is nothing wrong with XP, even the MS page on its retirement makes it clear that they don’t have to support it, by law, so they won’t.  There are no claims related to it not being good or safe.  I read it as, “There is no money in it for us, so we will spend the resources in a money making area”.  If you add no context, this is a totally rational business decision.  I won’t pretend to have all the data on the financial and opportunity costs of patching XP and enhancing it.  I have no idea how much money it costs Microsoft to fund the groups that take down botnets.  I also don’t know who the users of XP are, but I expect they are those who can’t afford to upgrade.  This may be due to the cost of the OS, lack of skills to safely upgrade, or in the case of businesses, economy of scale making it very expensive.

Figure 1: All OSs on the Web

Figure 2: Windows OS Breakdown

Here is what I do know. MS will continue to support Server 2003 until July 2015. XP and Server 2003 are mostly built on the same code base, so patching XP isn’t a complete diversion from their business. If MS stops patching the OS that is nearly 30% of the desktop market, XP will become the most researched and exploited OS on the web in fairly short order. The MS team that is taking down botnets will surely have their hands full then. Maybe MS thinks that the fear of no patches will finally get users to upgrade. In the case of the enterprise, I would think so. In the case of small businesses and individuals, I expect this to be a boon for little IT shops: removing viruses and selling cheap fixes like host-based firewalls, more anti-virus, anti-malware, and Advanced Persistent Controls.

Considering that Microsoft has zero legal or contractual obligations to improve or maintain XP, perhaps they can write off the cost of not turning the internet into an XP-infested, filthy virus zone. OK, intentional hyperbole aside, I vehemently urge Mr. Nadella to throw his predecessor under the bus and take up the cause of keeping XP healthy. This doesn’t just mean patching; it means a few basic enhancements that are needed.

OK, when I say “there is nothing wrong with XP”, I know it doesn’t have Address Space Layout Randomization or User Account Control, or many other benefits of post-XP OSs. Let’s not confuse the “need” for the next best OS with an actual need to get off a dangerous OS. I guess XP will be that OS soon, if Mr. Nadella doesn’t reconsider.

My in-depth focus on security is mainly around applied cryptography and identity management, so I welcome other suggestions in the comments. Below is my wish list for XP enhancements.

Upgrade schannel. XP does not support Server Name Indication or TLS 1.2 with AES cipher suites. There are some patches for 2003 that add AES cipher suites, but TLS 1.1 and below remain vulnerable to BEAST attacks, as the added cipher suites use CBC mode. Make all these changes part of critical updates, not hotfixes. No one applies hotfixes unless they know about the issue.
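A server operator can measure how many of these legacy clients are actually hitting a site by looking at the ClientHello each client sends: its highest offered version, whether it carries an SNI extension, and whether every offered cipher suite is a CBC suite. The parser and checks below are an added example written for this post, not code from the original; the two ClientHello byte strings are constructed samples, and the cipher suite IDs are the IANA registry values for the named suites.

```python
# Inventory a TLS ClientHello for legacy-client traits (no TLS 1.2, no SNI, CBC-only). Added example.
import struct
CBC_SUITES = {0x000A, 0x002F, 0x0035}  # RSA_WITH_3DES_EDE_CBC_SHA, AES_128_CBC_SHA, AES_256_CBC_SHA

def build_client_hello(version, suites, sni=None):
    """Constructed sample ClientHello (record + handshake layers), only for testing the parser."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"       # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name(0), len, name
        ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry  # ext type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs     # record type 22 = handshake

def parse_client_hello(rec):
    """Return the client's highest version, offered suite IDs and SNI host (None if absent)."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello record")
    p = 9                                                         # past record (5) + handshake (4) headers
    version = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    p += 32 + 1 + rec[p + 32]                                     # skip random, then session id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p]                                               # skip compression methods
    sni = None
    if p < len(rec):                                              # extensions are optional; XP-era hellos omit them
        end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
            if etype == 0:                                        # server_name: list_len(2) type(1) len(2) name
                nlen = struct.unpack("!H", rec[p + 3:p + 5])[0]
                sni = rec[p + 5:p + 5 + nlen].decode()
            p += elen
    return {"version": version, "suites": suites, "sni": sni}

def assess(info):
    """Findings a server operator can log to spot clients that will break when TLS 1.0/CBC is retired."""
    findings = []
    if info["version"] < 0x0303:
        findings.append("no TLS 1.2")
    if info["sni"] is None:
        findings.append("no SNI")
    if set(info["suites"]) <= CBC_SUITES:
        findings.append("CBC-only suites (BEAST-era configuration)")
    return findings

# Constructed samples: an XP-style offer (TLS 1.0, CBC suites, no SNI) and a modern one.
XP_HELLO = build_client_hello(0x0301, [0x000A, 0x002F, 0x0035])
MODERN_HELLO = build_client_hello(0x0303, [0xC02F, 0x009C, 0x002F], sni="example.com")
```

Feeding captured ClientHello records through `assess` and counting the findings per client address gives a quick picture of how much of a site's traffic still depends on the XP-era configuration the post describes.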

Force stronger NTLM settings as part of a Critical Update, rather than simply issuing advisories.  Nobody reads the advisories; they apply patches and cross their fingers.
