Mythic Monday – Immortality

  • At February 09, 2009
  • By Josh More
  • In Mythology
  • 1

Stories about immortality and the quest for it abound in literature.  You have kings trying to live on through their sons.  You have gods that must ritually die and be reborn so that the cycle of nature can continue.  And you have, in a few stories, the few humans that succeed in their quests.

Consider, for example, the Cumaean Sibyl who bartered her virginity to Apollo in exchange for everlasting life (not technically, but despite appearances, this isn’t a mythology blog).  However, she made a bit of an error when she forgot to also ask for everlasting youth, so she kept getting older and older until she eventually faded to nothing but a voice kept in a jar.

This is very similar to the story of Tithonos, who was granted immortality by Eos (via Zeus), but she also forgot to ask for everlasting youth, so he aged past senility and was locked away where he babbled to himself in an empty room.

(Stories from Metamorphoses 14 and the Homeric Hymn to Aphrodite).

What lesson is there here?  Clearly, there’s something for us all to learn about operating system virtualization.

Yeah, you heard me right.  Ovid and Homer* were clearly writing about the modern practice of virtualization.  Specifically, they were concerned about aging operating systems.

* Whether Homer actually wrote the Homeric Hymn to Aphrodite is debatable.

See, virtualization is wonderful, and it’s all the rage right now for some excellent reasons.  It allows you to fully leverage your hardware to capacity.  You can aggregate virtual machines on top of real machines and have them create a robust infrastructure.  If any hardware fails, all the little VMs can even skitter around like cockroaches as they find a working environment in which to live.  In short, we as IT admins have the power to make these machines live forever.  We are truly blessed.

But, as ancient mythology has informed us, with great power comes great responsibility (OK, so that bit is modern mythology).  We have the power to grant immortality to these systems, but we have to consider how we use that power.

After all, what purpose does death serve?  It allows new life to take hold.  It allows unfit life to go away.  From a technical perspective, this means that we have to let systems die to make room for new and more efficient systems to be built.  Also, and a bigger concern, we have to let the ancient systems die before they start to make problems for us.

Imagine for a second, a network that has a mix of Windows 2003, Windows 2000, Windows NT, Windows 98, Red Hat Enterprise Linux 3, IRIX, AIX and DOS.  Now, I’m sure you’re thinking “this is ridiculous, such a network doesn’t exist, no one would let that happen”.  Well, this describes the network I was working on a few months ago.  I’ve worked on live production networks in 2008 that used operating systems that were five to ten years old.  I’ve heard tales of systems that were running Windows 3.1, as production machines, into 2009.

Now stop for a minute and think ahead twenty years.  Can you imagine still supporting Windows 2000 in 2029? What about 2049?  We have the ability to grant these systems immortality, people.  It’s going to happen.

Sometime in 2020, you’re going to be working on the GoogleSoftwahoo TeleBlazinger running on Linux kernel 2.6.3492-23 and wondering why your network hypercloud is slow.  After launching numerous tools that allow you to trace network traffic in all four dimensions (five if you can afford the enterprise license), you’ll track the problem to an infected botnet of Windows 2000 systems running a ponzi scheme involving stolen credit card numbers.  You’ll try to refresh them from backup, to discover that they’ve been compromised for the last 19 years, and your backups only go back 15.  And, worst of all, there’s a legacy billing system that requires these machines, so you have to keep them running… forever.

You’ll stop, scratch your head, and think that virtualizing at the operating system level was the stupidest thing that we ever did.  And you know, you’d be right.

What it comes down to is how your organization is structured. If you’re building a virtual infrastructure, making brand new systems and setting hard deprecation dates for these systems, you’ll probably be OK.  However, if you are like many companies, and take the perspective of “just move the physical machines to virtualization and we’ll straighten it all out later”, I’m sorry to break it to you, but later is never going to get here.  There will always be another fire and another resource restriction.

We have to think through new technology before we deploy it.  There is a tendency to only look at the benefits and costs in terms of dollars, not in terms of time.  A small gain in the present can be completely reversed and magnified by the flow of time.  Just as inefficiencies add up throughout the weeks and months, security problems tend to grow over time.  The longer you keep legacy systems around, the greater your risk grows.

If you grant immortality to these systems, they will just continue to age, until they will eventually be just another set of voices, hidden somewhere in the back of your network, babbling at your IDS systems pleading to be allowed to die.

Site Review – Flickr

  • At February 06, 2009
  • By Josh More
  • In Business Security
  • 0

For those that don’t know (you know, those of you who have been under a rock for the last few years), Flickr is a photo sharing site.  It has numerous social media features which make it very easy to post your content, add it to groups, discuss it with others, etc.  It supports all types of cameras as well as files from applications like Photoshop and Paint Shop Pro.  They recently added the ability to share movies.

In short, it’s great.  I use it all the time.

But, like all systems, especially in the fancy 2.0 world, there is a risk assessment that you should consider.

Pros:

  • Easy to use
  • Free to low cost
  • Active community with which to interact

Cons:

  • Who owns your content?
  • How can you use others’ content?
  • How can others use your content?
  • How is your content backed up?
  • Are you at risk from social engineering?

Please note that copyright is a complicated thing and well outside of the scope of this blog.  For real questions, please see a lawyer.  However, I’ll be glad to answer my own fake questions, after all, it’s my blog, right?

Who owns your content?

Well, you do, of course.  You made it, it’s yours.  Yahoo even agrees. Oh, wait a minute.  The Terms of Service state:

Yahoo! Inc. (“Yahoo!”) welcomes you. Yahoo! provides the Yahoo! Services (defined below) to you subject to the following Terms of Service (“TOS”), which may be updated by us from time to time without notice to you.

So maybe it would be more accurate to state that “you own your content right now”.  Not exactly ringing with assurance, but it’s the best we can do.

How can you use others’ content?

Oh, this one is easy!  Each photo is marked as “All rights reserved” (meaning you can’t use it) or “Some rights reserved” (meaning, umm, maybe).  Flickr uses Creative Commons licenses to let people license their photos as they wish.  Luckily, they also provide an advanced search so you can find photos that you can use and alter, even for commercial use.

Of course, there’s nothing preventing a user from posting a photo that you can re-use and then changing the licensing AFTER you’ve used it.  Any idea how you could prove that it used to be licensed differently?  I sure don’t know.

Also, what happens if a photo is licensed so that you can use it but the person in the photo never signed a release?  Is it usable?  Can you be sure?

How can others use your content?

OK, this one should be easy, right?  After all, you upload your photos and you set a license and you’re done.  Flickr does all the magic to make sure that people only use your photos the way you want, right?

Well, not exactly.  See, if you license your photo under any of the Creative Commons options, the original image is available to everyone.  In other words, they have to voluntarily agree to abide by the copyright.  If they don’t, you have to deal with that yourself.  Are you able to monitor all the images on the Internet to make sure that yours are being used according to your wishes?  I know that I’m not.

How is your content backed up?

This really isn’t known.  There’s no mention of backups in the terms of service, and there has been at least one high-profile issue involving backups.  In general, they should be safe, but you might want to consider other options.  Or, you know, just keep a copy of whatever you upload to them.

Are you at risk from social engineering?

Finally, one that can be answered definitively.  Yes.  You are always at risk of social engineering. The more interesting question is “How are you at risk from social engineering?”

Flickr allows you to post photos.  Odds are that these photos will be of people you know and places you’ve been.  You can tag these photos by location, put people’s names into them and otherwise release loads of information for the savvy social engineer.  They can take this information and use it to develop friend and family graphs and identify themselves to you or one of your friends as someone who seems trustworthy, but isn’t.

Conclusion

Wow, that’s a lot of negatives.  Does that mean that you shouldn’t use Flickr?

Well, that’s a decision that you have to make on your own.  In case it helps you, this is the decision that I made:

I choose to use Flickr because I like the community and because I want others to use my photos.  With the exception of people that have not signed a release, all of my photos are tagged under the Creative Commons to allow re-use but only for non-commercial use and if I am credited.  Also, since a great many of my photos are taken at zoos, I allow zoos to use my photos for free, even for commercial use, so long as they ask politely.

In short, I do not make much of a living directly off of my photos (though I’m working on some projects at the moment that may change that).  Rather than expend my energies pursuing and defending misuse, I choose to trust the majority of people to do the right thing.  I do, however, keep the originals on my systems and am prepared to defend my rights, should I become aware of a violation.

I do NOT use anyone else’s photos for a commercial purpose without their permission.  I do not consider accent and illustrative photos in this blog to be commercial use (as I make no money off this site), so I may use someone’s photo here or there.  However, I am very easy to get hold of, and if anyone asks me to take down one of their photos, I’m easy to work with.

So yeah, it’s not exactly straightforward, but to me, it’s worth the risk.

Small Business Defense – Document Leakage

  • At February 05, 2009
  • By Josh More
  • In Business Security
  • 0

If my last post raised any questions for you, this post will hopefully answer some of them.  As with many security topics, the issue is complex and this post will NOT give you all the answers.  Hopefully, though, it will help.

The first thing to look at is access.  In order for an attacker to get your data, they have to get on your network and somehow access the documents.  The more places that you keep your documents, the easier this is for an attacker to do.  If you put all your documents in a single place and prevent anyone from saving them anywhere else, you’ll be a bit better off.  (Odds are you won’t be able to keep them off your network, just so you know.)

However, this will also make a nice place for an attacker to target, so you should control this storage location.  At a minimum, you should control access to the document repository by username and password.  If you can, it would be good to split up access levels within the repository so that the documents are grouped by type and only people with the business need to access those documents have the ability to do so.

Do not rely on the built-in password protection of the documents themselves. They can be broken.  The “password to open” in the older binary .doc and .xls formats by default used a 40-bit RC4 key that can be brute-forced offline, and the sheet- and document-protection passwords in Word and Excel are not encryption at all and can simply be stripped.  (Also, please note, running random software off the Internet is unwise.  It may not work, it may do things other than what you expect, it may give an attacker the very files you are trying to protect.)

If you are somewhat technical or have a technical consultant helping you, you may want to implement an encryption mechanism to protect your documents.  This is highly complex and hard to do right, but it can help more than almost anything else you can do.

Once your documents are all in one place and reasonably protected, stop and think about what to do if someone does access and misuse the document.  Are all of your sensitive documents clearly marked?  Are you certain that the law will protect you if they’re not?  (Sometimes it doesn’t.)  Would marking the documents as “sensitive”, “secret” or “proprietary” just give attackers something to search for?

Hmm, what an interesting problem.

What many companies choose to do is to classify information based on its security level. There are different ways to do this, but all of them start with the question “what’s the most important and/or damaging information?”  Once you can group your documents by risk, you stand a chance of protecting them.  Then you can write a document classification policy and start looking at tools to implement it technologically.  These steps are beyond the scope of this post, but your legal and technological contacts can help you with that.

Lastly, I should mention that the easiest data to protect is data that isn’t there anymore.  You might want to read Brett Trout’s post on document retention policies.

Small Business Attack – Type of Data: Office Documents

  • At February 04, 2009
  • By Josh More
  • In Business Security
  • 0

How many of you use Microsoft Office?  OpenOffice.org?  KOffice?  AbiWord?

I’ll bet you’re all raising your hands right now, right?  Well, put ’em down; you’ll want to hit scroll at some point.

What do you know about these files?  Did you know that many of these files keep a history of changes?  In other words, if change tracking was on when you redacted certain things or changed data, a clever attacker can open the file, reject the changes, and see what it used to say.  The old text is still in the file until the changes are accepted or the history is removed.  It happens.

Do you know what kind of data is stored in these documents?  Financial data?  Email addresses? Trade secrets? Passwords?

(The above links go to Google searches.  There is no guarantee what Google may find when you search on certain things.  If you access information that you shouldn’t, saying “but it was on Google” may not be a good defense.  Remember, rule number one of security is: don’t be stupid.)

If someone wanted data from your company, where would they go to get it?  Is there any one thing (say, a spreadsheet perhaps) or location (hmm, shared drive) that might be particularly tempting to an attacker?

If you get a virus or spyware infection on your computer, might the person who wrote it be able to access all the documents that you can access?

How are you protecting your files?
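The two posts above ask what your Office documents are carrying around and how to classify the documents that matter.  The script below is an added example, not code from either post, that does the first mechanical step of both: it opens a .docx (Office 2007 and later, which is zipped XML), pulls out the author metadata, finds any tracked deletions still sitting in the file, and scans both the visible and the “deleted” text for email addresses and Luhn-valid card numbers.  The sample document it builds is constructed here for the demonstration; the element and namespace names are the real WordprocessingML ones, but the author names, email address and card number are made up.

```python
"""Scan a .docx for leftover tracked changes, author metadata and
sensitive-looking content.  Added example; the sample document is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside a .docx package (WordprocessingML and core properties).
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
DC = "{http://purl.org/dc/elements/1.1/}"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# 13 to 16 digits, optionally separated by spaces or dashes; confirmed with Luhn
# below so that purchase-order numbers and the like are not reported.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits in `number` (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, value) pairs for emails and Luhn-valid card numbers."""
    hits = [("email", m.group(0)) for m in EMAIL_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):
            hits.append(("card", m.group(0)))
    return hits


def scan_docx(data: bytes) -> dict:
    """Report metadata, tracked changes and sensitive strings in a .docx."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        core = (ET.fromstring(z.read("docProps/core.xml"))
                if "docProps/core.xml" in z.namelist() else None)
    # Normal text lives in w:t.  A tracked deletion wraps its runs in w:del and
    # keeps the removed text in w:delText: invisible in Word's final view, but
    # still in the file until the change is accepted.
    visible = "".join(t.text or "" for t in doc.iter(W + "t"))
    deleted = "".join(t.text or "" for t in doc.iter(W + "delText"))
    report = {
        "creator": None,
        "last_modified_by": None,
        "tracked_insertions": sum(1 for _ in doc.iter(W + "ins")),
        "tracked_deletions": sum(1 for _ in doc.iter(W + "del")),
        "deleted_text": deleted,
        "findings": [("visible",) + h for h in find_sensitive(visible)]
                    + [("deleted",) + h for h in find_sensitive(deleted)],
    }
    if core is not None:
        report["creator"] = core.findtext(DC + "creator")
        report["last_modified_by"] = core.findtext(CP + "lastModifiedBy")
    return report


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx with author metadata, one tracked
    deletion holding a card number, and a 16-digit PO number that is not one."""
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p>'
        '<w:r><w:t>Quarterly report. Contact: finance@example.com. PO 1234567890123456.</w:t></w:r>'
        '<w:del w:id="1" w:author="jsmith"><w:r><w:delText>Card on file: 4111 1111 1111 1111</w:delText></w:r></w:del>'
        '</w:p></w:body></w:document>'
    )
    core_xml = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        '<dc:creator>jsmith</dc:creator><cp:lastModifiedBy>ceo</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


if __name__ == "__main__":
    r = scan_docx(build_sample_docx())
    print(f"creator={r['creator']} last_modified_by={r['last_modified_by']}")
    print(f"tracked deletions={r['tracked_deletions']} insertions={r['tracked_insertions']}")
    for where, kind, value in r["findings"]:
        print(f"[{where}] {kind}: {value}")
```

Run against a real file by replacing `build_sample_docx()` with the bytes of the document.  The card number turns up only in the deleted text, which is exactly the case the post warns about: the author “redacted” it, but never accepted the change.  The PO number is skipped because it fails the Luhn check, which is what keeps a scan like this from drowning in false positives.  OpenOffice’s .odt is also zipped XML (content.xml and meta.xml), so the same approach works there with different element names.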

Security lessons from Nature – Genetic Tricks of Parasites

  • At February 03, 2009
  • By Josh More
  • In Natural History
  • 0

Let’s start this one by utterly ignoring the negative connotations of the word “parasite”.  It is a perfectly valid form of life and has proven to be highly successful in nature.  So, in other words, there’s nothing wrong with being a parasite… you know, if you happen to be one.

This news comes from the journal Nature Genetics and is summarized here.  In a nutshell, they’ve found that parasitic life forms tend to have fewer genes than non-parasitic life forms.  Why is this interesting?

Well, it means that creatures that are dependent on other creatures can simply drop the bits of themselves that they don’t need.  However, dropping genes is a lot easier than gaining new ones (usually).  What does this mean to you?

It’s interesting to compare this to business models.  While no company exists in a vacuum, different companies do have differing levels of self-sufficiency.  For example, a full service IT company can do many things themselves.  They may use the products of different companies, but generally speaking, they are dependent on none of them.  If one branch of their business were impacted by a change in the market, they could just focus on another.  This is good, but it does tend to make the company larger and less responsive.

Compare this to companies that only do one thing, but do it very, very well.  Let’s take a hosting company as an example.  A hosting company is completely dependent on their bandwidth provider.  Sure, some of them use multiple bandwidth providers, but even in this case, the business model is parasitic (upon a genus or order of businesses, rather than just one species).  So, suppose that something happened to all but one of the sphenodontian businesses.  Our little parasitic business would be forced to work with the one remaining business to survive.

Suddenly, the reduced resource usage that parasitism allows for doesn’t look quite so appealing.

As with many things, it’s all about risk management.  You gain an advantage here, it’s often paired with a disadvantage there.  So, as you look at your business and consider where to make cuts or where to focus on your core competencies, just consider one thing:

How do reductions now reduce my options later?

Mythic Monday – Orpheus

  • At February 02, 2009
  • By Josh More
  • In Mythology
  • 0

So, you all know the story of Orpheus, right?

Short form:

Orpheus was the greatest musician in the world. He had a wife named Eurydice who died. He went to the underworld, played for and charmed the Lord and Lady of Death (Hades and Persephone) into letting him bring his wife back from death. The one condition was that he not look back on his journey back to the lands of the living. Being a Greek tragedy, he looked back and saw his wife following. She then faded away, and was gone forever.

Longer (and better) versions can be found here and here. I mostly want to look at one main theme.

Trust

While most people seem to have a general idea of what the word “trust” means, there has been considerable debate in the computer security field as to how to build it into systems. They raise questions about levels of trust, webs of trust, calculating trust, and how to handle the fact that trust relationships can change over time. These questions can be very fine grained and particular, but you’re probably not interested in the academic nature of these discussions. Instead, let’s look at a couple of examples.

Scenario 1: You partner with a large company.

Suppose you enter into a business partnership with a company that is much larger than yours. Odds are that you have to fill out a contract and commit to specific items (usually based on revenue). You are then granted access to specific resources at the large company. In IT, this is usually in the form of internal-use licenses.

In this model, you trust the company to provide you with software that doesn’t steal your data and the company trusts you not to resell your licenses to others or otherwise negatively impact their revenue. So, what happens if the trust model is violated?

Well, there are really two variants. If you break the trust relationship, you will likely be faced with, at minimum, the severing of partnership and, at maximum, legal action. However, if it turns out that the large company is not to be trusted, what can be done? Legal action may not be much of an option, and if you terminate the partnership, how much would it hurt you versus the large company?

Is the partnership fair?

Scenario 2: Trusted people within a business.

In security discussions, the second hardest discussion is trying to convince a client that inside attacks are a real and present danger. Of course, the hardest discussion is after the trusted insider is discovered to have been embezzling money or selling private data, so it’s often worth the time to have the first discussion.

Simply put, businesses don’t function well without trusted internal people. If there are too many rules, work can’t get done. However, the more lax an organization is, the more risk it faces. In times of economic difficulty, this risk increases.

Why? When people don’t get bonuses and raises, they often take it personally. They may be in a position where valuable data (or even just money) passes through every day. They may stop and think “gee, with all this money around, who is going to miss a little tiny bit” then they’ll have the big thought of “besides, they owe me”. Sometimes, they wind up in personal difficulty, and it starts as a little “borrowing” that gets out of control.

This happens all the time: police sergeants, booster club presidents, priests, vice presidents, and more.

Yeah yeah, I know, you’re different, your people can be trusted.

Maybe, maybe not. . . probably not.

Do you have any systems or procedures in place to catch this type of activity?

Conclusion

In the story, Hades and Orpheus had an agreement. Sure, it was an agreement with an odd condition, but that’s not exactly unusual in partnerships. In this case, who was trustworthy and who was not? Also, how were the individuals impacted?

Hades: Got to hear some lovely music.
Orpheus: Lost the love of his life TWICE.

The cost of being untrustworthy is awfully high, isn’t it?

So, what could Orpheus have done differently? Might the agreement have benefited from some additional clarity, so that his nervousness could have been alleviated? Could there have been some procedure or technology used to make it more difficult for him to violate the agreement?

Look at the trust relationships at work within your business. Consider what happens if you wind up being untrustworthy. Consider what happens if your partner isn’t trustworthy.

Is there anything in place to validate and maintain the trust?

Should there be?

Grinnell and Giving Followup

  • At December 28, 2008
  • By Josh More
  • In Business Security
  • 0

About a month ago, I made a post calling out to former Grinnell students to stand with me to get some changes made.

Well, while that post was one of my most widely read, no one stood with me. I somewhat expected this. Also, Grinnell isn’t making any reactive changes. I also expected this.

What I did not expect, however, was to receive a phone call from Jim Hess, the Director of Alumni Relations at Grinnell College. We had a good talk and followed this up by meeting in person and talking for a few hours. I also talked with Dan McCue, the Assistant Director of Alumni Relations. Dan was kind enough to send me the following (links changed to be made clickable):

Josh,

Thanks for stopping by the office last week. I wanted to share some sites that detail the issues you addressed:

1. Admission to Grinnell is need blind and financial aid has been increasing as necessary already. (A brief explanation can be found on the Admission website: here.) We have already limited loan within need to $2K per year. (Details available from the Office of Financial Aid: here.) This change was instituted this past winter, prior to the current economic downturn: here. An article also appeared in the Spring 2008 issue of The Grinnell Magazine.

2. We have many post-grad fellows, but we’re not a grad school. Information about post-grad fellowships is online at the Office of Social Commitment: here. Grinnell also funds the Grinnell Corps program: here.

3. The senior opportunity scholarship buys down debt of deserving seniors. Visit here for more information.

4. Our pay-grades are $7.25, $7.50, $8.25, and $8.85 – dining is $8.25 and they have job openings.

5. The Career Development Office continues to work with any alumni who call. CDO can assist alumni with resume critiques, interviewing tips and share job search resources. Visit here for more information.

So, in considering my challenge from earlier:

1) Either discount tuition for the Senior year (to keep them in school) or institute a tuition freeze for all current students (i.e., no tuition hikes for current students).

This was not done, but I had been previously unaware of the senior opportunity scholarship. I think that this partly counts, so I’m going to award them a half point. I also had the $2k debt limit explained to me. The college really prefers this to be called a $2k loan limit, but I must admit that when I first heard this term, I had thought that they were lowering financial aid, not raising it. What it really means is that, at the end of a student’s four years, they should be left with no more than $8000 personal debt, which I think is a very reasonable way to manage the situation. They get the other half point for this.

2) Boost the number of on-campus student jobs by at least 30, and 3) Raise the entry-level wage for student jobs by at least $1.00/hr

Since there are openings that are not being taken, and they are at a comparable rate, I’m going to call these “close enough”. I still think that Grinnell should create some more jobs, especially since there are worthwhile projects out there that would help both the students and the school, but if current students aren’t taking the current job openings, there must not be sufficient need to push this.

4) Offer free classes to alumni on getting a new job, covering interview, and resume techniques. Ideally, these classes will be available online so that non-local alumni can attend them.

I’ve long heard that the CDO will work with any alumni who call. However, I view this as a far cry from actually providing classes. Classes are about education and learning and are strategic in nature. The method currently offered by the CDO is reactive and tactical in nature. I’d still like to see a program around helping people target new opportunities, craft a marketing plan for themselves and pursue the opportunity. The days of simply sending out resumes and interviewing on chance are over, so I do not perceive this as taking a leading position. (If you’re with the CDO and wish to disagree with me, comment here or give me a call.)

So, no points there.

In the end, it looks like Grinnell got 3 points, or $300. Dominican University therefore gets $100. In any case, I’m out $400.

But, you know what I got for that $400? I got an amazing first hand look at branding and marketing.

Now, I am sure that I am biased, but I have known about Grinnell for many years, as have many of the people I’ve talked to since I’ve graduated. In contrast, the response that I got from friends and associates when I mentioned Dominican University was a universal “where’s what? / who are they?” It seems that Grinnell has done a good job of branding. Seemingly (at least in my area) a better job than Dominican University.

However, and this is the very interesting bit, I got a very fast reply from Dominican within the same medium as my message. I got a contact from Grinnell that was effectively out-of-band. I had no idea what Grinnell had been up to before I was contacted, but I found out what Dominican was doing almost the same day they did it, without my altering my daily routine at all. In short, Dominican is embracing social media and Grinnell is not (I have been informed that this will be changing soon). So, while Grinnell has a stronger brand than Dominican, Dominican has better marketing than Grinnell.

The other interesting observation was about communication. I heard from a few Grinnell alumni that I should have checked better what Grinnell was doing before I posted this, that I should have checked here and there (at which point they’d send me a list of obscure links). All of these communications were personal and emailed directly to me. All of them came from people still working in academia. What’s interesting here is that I’ve transitioned to business. My communication style is many/one-to-many, not one-to-one. Sure, I could have looked up the base rate that students were being paid, the number of jobs available. I may have even found out that limiting loans to $2k isn’t a bad thing (doesn’t limiting the loan amount sound bad to you?).

However, to do so, I would have wasted at least half a day finding the right people. The Dominican information came to me, as I follow news relating to education. I do not follow news that is specifically Grinnell-focused, but anything important that touches on education and liberal arts should come my way. Dominican managed to release the information in a way that was concise, easy to understand, easy to propagate and timely. Grinnell’s information was not – even though I get emails and letters from them, I was unaware of certain things that they were already doing.

In my discussions with Jim Hess, it was clear that this is something that Grinnell is working on. In fact, there is a chance that I may be allowed to work on it with them, as the project that they’re pursuing to make this happen has some potential. However, as my work with other schools has shown me, “the wheels of academia turn slowly”. I find this a sad thing, as it’s that very slowness that could cause a weakening of Grinnell’s brand position and allow (relative) upstarts like Dominican to overtake them. Clearly, being a graduate of Grinnell, I’d prefer that this not happen (sorry, Dominican) and will put forth some effort to help them out.

In any case, it’s $400 that gives Grinnell and Dominican students a bit of help, gives me a valuable lesson and hopefully allows me to pass the lesson along to you.

I consider that money well spent.

Grinnell and Giving

  • At November 25, 2008
  • By Josh More
  • In Business Security
  • 3

I know I’ve not been blogging much lately. I’m working on that, but until I get to the business and security content that so many of you come here for, I have to share this. It’s about my alma mater, Grinnell College.

When I set foot on Grinnell’s campus, it felt like home. My four years there were focused on education. Not necessarily the academics, but education nonetheless. While I did learn a lot about Physics and Art, I learned a lot more about friendship, adversity, pain, love, and how to get along with others. It was where I stopped being a child and started on the path towards being an adult. It was a time of transformation and metamorphosis. Of all the times in my life, it is the one I point to when I need to say “This is when I really started to be me.”

Since that time, I have worked a few jobs and have learned a lot about adult life and the working world. I’ve begun to look upon Grinnell with new eyes.

Since graduation, I have been irritated when I get calls and letters from Grinnell asking for money. This is not because I think poorly of my time at Grinnell, quite the contrary. It is because the administration of Grinnell seems to have been working very hard to ensure that the experiences that I had there could not be repeated in the future. I’ve heard about the exorbitant salary for the college president, continuously skyrocketing tuition, and the erection of larger and larger buildings. It appears to me that the college is attempting to grow and, through growth, become something other than what it was to me: a small, incredibly liberal arts college where students are free to experiment, make mistakes, and become adults.

My fear is that Grinnell has gotten lost in the pursuit of college rankings and the cost of the college experience. As such, I cannot justify giving any of my money to the college.

Today, I heard about Dominican University. It’s similar in size to Grinnell. It’s a small Catholic university located in Northern Illinois. I don’t know their politics or academic record. However, I do know something about their values. Detailed in a press release, they are addressing the current economic situation as follows:

1) To encourage students staying in school, all seniors graduating in January and May 2009 are granted a tuition reduction towards Masters-level tuition.
2) They are expanding the number of on-campus student jobs.
3) They are raising the entry-level wage for student jobs.
4) They are offering free classes in resume writing, interviewing, and finance management to all alumni who need them.
5) They are offering scholarships to parents of current students who are between jobs and wish to gain education.

I am astonished that the little school about which I knew almost nothing prior to today is taking such an active role in promoting education in society. I am impressed at their creativity and attention to their values. I am deeply deeply ashamed that my own school is not leading the effort.

So, what am I going to do about it?

I am not skilled in political theory or sociology. I do not have an incredibly deep understanding of economics or history. Grinnell did, however, teach me about systems and how to be a moderately skilled writer. I know about physical, biological, technological and business systems. I know that the lifeblood of an institution like Grinnell is money and that the lifeblood of a college student is the assurance that they can stay at Grinnell to complete their education. I know that a great many people who attended Grinnell have skills that vastly exceed mine in their own areas of expertise.

Therefore, I am going to put my money where my mouth is. I challenge Grinnell to meet Dominican University and lead the way, proving that education and raising responsible adults still win out over political games and attracting high-profile donors. I am setting aside $400. It’s money that I had earmarked for something else, and not having it will hurt. I think that this is very important, however, so I’m going to do it. I give Grinnell four challenges to meet by February 1.

1) Either discount tuition for the Senior year (to keep them in school) or institute a tuition freeze for all current students (i.e., no tuition hikes for current students).
2) Boost the number of on-campus student jobs by at least 30.
3) Raise the entry-level wage for student jobs by at least $1.00/hr
4) Offer free classes to alumni on getting a new job, covering interview, and resume techniques. Ideally, these classes will be available online so that non-local alumni can attend them.

For each point that the college can meet, I will give the college $100. For all that haven’t been met by February 1, I will give $100 to Dominican University. I am not Catholic and suspect that I would disagree with their politics, but I have to support these particular values. If my alma mater won’t adopt them, I’ll support the school that will.

Similarly, I challenge my fellow classmates to join me. Work within your own areas of expertise to spread the word. Come up with other ways that the college can help the students, not just the rankings. Put up what money you can afford so that Grinnell can see we’re serious. Either challenge Grinnell directly or donate with an earmark towards “reducing the economic burden on current students”. Post this or an abbreviated rewrite (I do tend to go on) on your blogs/facebooks/myspace/livejournals/etc. I may not be skilled in “getting the word out,” but I know that some of you are fantastic at that.

Do what you can.

Help us help the next generation.

-Josh More
Grinnell Class of 1999

Certification – Conclusion

  • At July 29, 2008
  • By Josh More
  • In Business Security
  • 0

Well, if you got this far, you should have everything that you need to pass your certification with flying colours. Once you have it, take a few weeks to relax (and gloat, if you are so inclined). Then, work on maintaining it and look for your next challenge. Try not to rest on your laurels too much, or someone will pass you up. It’s always easier to maintain a lead than to catch up to someone else or a changed industry.

I hope that this helped.

Certification – Test Types

  • At July 24, 2008
  • By Josh More
  • In Business Security
  • 0

There are generally two types of tests: those where you can go back and look at questions once you’ve answered them (generally paper-based) and those where you cannot (generally practica or “live” tests). Each of these has different strategies to win.

Paper-based
If you are taking a paper test, go through it as fast as you can and answer everything that you KNOW. If you don’t know, skip it. You should be done very quickly. Then, go back through the test and look at the ones that you didn’t know right away. If it’s multiple choice or true/false, find the answers that you KNOW are wrong, and cross those out. You’re not actually answering questions at this point, you’re just eliminating possibilities. Then, go back through and see if you KNOW any of them now that you’ve eliminated the ones that were obviously wrong. This also should not take much time.

By this point, most of the test should be answered, and the good news is that these answers are things that you know are correct, and with absolute certainty. Now you get to actually start thinking about the remaining questions. This will be hard, but you have to keep in mind that you have already answered most of the questions right. It’s OK if the hard questions are hard, just do the best you can. If you’re stuck, try to think of a real-life scenario involving the question and ask what you would do. You can also flip the question around and see what you would do if the situation were reversed. This may make the correct answer more obvious.

If there is an essay component to the test, do NOT just start writing. First, take notes of what you want to say. Then, categorize the notes by putting a letter in front of each key item. Then, within each category, prioritize the importance by putting a number in front of the letter. Then, write an introduction and segue into point 1A. Once you’ve addressed that, go to 2A, to 3A and all the way until you’re done with the As. Then start with 1B. At this point, your essay has become a game of connect the dots, and you can just write until you’re done. Don’t worry about style, the examiner is looking for correct information, not a brilliant expression of ideas.

Live Tests
As computers advance, these tests are becoming more popular. They allow the test to adjust itself to your level. Sometimes this is used to give you challenging questions, sometimes it’s used to drive you into an area that you do not know so well. On tests like this, you have to know the scoring. Keep a mental tally of how you are doing and how much of a penalty you may get by skipping questions. Then, allocate time based on what you need to do best. It’s often better to take more time on each question than on a paper test, because wrong answers can change the questions that you get later.

Practicum
When taking a practicum, you cannot use strategy to manipulate the test system to your advantage. You either solve the problem or you do not. Luckily, there are often multiple problems to solve, so start with the ones that you know best. However, do NOT assume anything. Do not make any changes that you cannot test. Test before a change and then test after, to make sure that your change did what you think. If you have to restart a service, test after the restart, to make sure that your changes persisted. On many systems, it is easy to forget that some changes only affect the running system and are lost on a reboot. (Cisco IOS is tricky this way: the running configuration is separate from the startup configuration, so a change that is never written to startup-config vanishes on reload.)

Also, use proper diagnostics. Test at the boundaries or interface layers. On modern systems, this is often the TCP/IP stack, so use tools like netcat and telnet to ensure that the interfaces are responding properly: a service that is running but not answering on its port has not been fixed.

Most systems also come with built-in reference documentation. Whether it is a commented configuration file, the documentation that came with the package, or a man/help page, know where to find the information and verify that you understand what you think you do.

Lastly, at the end of a test or scenario, RETEST everything that you’ve done. Make SURE that the problem is solved. It’s much too easy to break one thing when you’re fixing another.
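The before/after/retest discipline described above, as an added shell example that is not from the original post: a small POSIX sh harness in which each check is a function that returns 0 on pass, and the same checklist is run before the change, after the change, and again after the service restart so that any check that flips to FAIL stands out. It assumes an `nc` that supports `-z` and `-w` (OpenBSD-style netcat); the hosts, ports, file paths and sshd directives in the example checklist are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal before/after/retest
# harness for a practicum.  Run the same checklist before a change, after it,
# and again after the service restart; anything that flips to FAIL is either
# something the change broke or a setting that did not persist.

# Is something accepting TCP connections on host:port?
# Assumes an nc that understands -z (probe only, no data) and -w (timeout).
check_tcp() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Does the on-disk config contain the line we think we set?  This catches
# "changed the running system, never saved the config" before the reboot does.
check_file_contains() {
    [ -r "$1" ] && grep -Eq -- "$2" "$1"
}

# run_checks FILE: one check per line ("function arg arg ..."), blank lines
# ignored.  Prints PASS/FAIL per line and returns the number of failures
# (0 means everything passed; a count above 255 would wrap, fine for an exam).
run_checks() {
    fails=0
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        # eval so the checklist can quote arguments such as grep patterns.
        if eval "$line"; then
            printf 'PASS  %s\n' "$line"
        else
            printf 'FAIL  %s\n' "$line"
            fails=$((fails + 1))
        fi
    done < "$1"
    return "$fails"
}

# Example checklist for a hypothetical sshd-hardening task (placeholder host,
# port, path and directives, not from the original post).  Save as checks.txt:
#
#   check_tcp 127.0.0.1 22
#   check_file_contains /etc/ssh/sshd_config '^PasswordAuthentication no'
#   check_file_contains /etc/ssh/sshd_config '^PermitRootLogin no'
#
# Usage: sh retest.sh checks.txt baseline    (before touching anything)
#        sh retest.sh checks.txt after       (after the change)
#        sh retest.sh checks.txt restarted   (after the service restart)
if [ $# -eq 2 ]; then
    printf '== %s ==\n' "$2"
    rc=0
    run_checks "$1" || rc=$?
    echo "failures: $rc"
fi
```

Keeping the checklist in a file rather than in your head is the point: the "restarted" run uses exactly the same list as the "baseline" run, so a directive that was only applied to the running system, or a port that stopped answering while you fixed something else, shows up as a FAIL instead of being forgotten.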

Copyright © 2013 by Josh More