
Comment Re:Not the problem (Score 1) 136

"Securing Android for the Enterprise" = "How may we break your device today?"

So I bought a Droid-X about a year ago. Pretty happy with it. Then I hooked it up to Corporate Sync (exchange email server). A few PITA issues brought on by corporate security paranoia, but otherwise livable. (They forced a screen lock after 3 minutes with a minimum 6-digit PIN). Mildly irritating, but tolerable.

Then some even more paranoid actor in our security theater / department found out that they could force full-device encryption in 2.3. They turned that on and that broke the video camera. Enabling encryption of the device and SD card limits the video recording to 720 - can't do hi-def 1080 video anymore.

Then some bean counter decided that they should disable background data when roaming for all of us. When I'm at home, connected via WiFi to my own internet connection - I can't access the android market. Why? Because the only tower by my house isn't Verizon - that makes it roaming, and Market requires background data be enabled. So effectively I can only use the app store in places my phone/company "likes"

That was the last straw. Before they further hamstrung, crippled, or otherwise dumbed-down my perfectly good smartphone, I pulled the plug on corporate sync. Now I use the outlook web access from Firefox mobile when I need corporate email on the device. The benefits of a nicer email experience and better contacts integration just doesn't justify the cost.

A less cynical individual might say it was a conspiracy and that was their intent all along - Make it so painful for us mobile users, we'll give up and leave, but I won't give them that kind of credit - conspiracies require intelligence. This was more a mix of paranoia, hubris, incompetence, and inertia.

-a

Comment Re:A Tale of Two Countries (Score 3) 518

Public Sector workers don't pay income taxes?

On the back of what cereal box did you read that? Having worked in various players within the public sector (State, Local, and Federal) - I've been hit with the same unpleasant income tax that anyone else is required to pay. There are no free lunches where income tax is concerned.

I'm guessing you're conflating certain states (IIRC, Vermont, NH, and possibly D.C.) that don't have a state income tax. That doesn't get you out of paying federal income taxes, which are the brunt anyways, and those states and locales that don't have an income tax get the revenue in other ways (10%+ sales tax, $300 to throw away a bag of trash or $500 to park a car on your street.)

Nobody gets away clean.

Also, for what it's worth, I recently left the public sector (State of Wisconsin, of all places) and re-joined the private sector after a long hiatus. I'm up $35,000 year-over-year, even considering lousy health insurance compared to the state, and I'm responsible for much less work in the private sector than was expected of me in the public sector. Increasingly, working for government is a job that only a crazy person would sign up for. You really want the type of individual that sees a value proposition in making half-as-much money for twice-as-much work teaching your kids, writing government software, policing your streets, etc?

But by all means, don't let reality get in the way of ideology.

Comment Re:Of course, Antivirus software is a worthless sc (Score 1) 205

Parent is exactly right. When you look at the time, effort, expense, performance impact on your PC and productivity impacts to the users - Running A/V software turns out to be substantially more harmful than any virus, and likely more harmful than several viruses. If you install A/V on your PC, it might prevent an infection. On the other hand it is guaranteed to sap 30-50% of the performance of your PC. Furthermore, you can put every A/V suite you can find on a PC, it won't stop an unsophisticated user (with admin rights on a wintel pc, of course), from installing the dancing monkey icon or the weather buddy, or the sports gadget, and pretty soon you have an IE installation with two dozen toolbars, a laundry list of keyloggers, spyware, adware, etc.

What amazes me is that Americans are always quick to see causation where only correlation exists - Toyota has electronic throttles and old people drive them through strip malls - must be the electronics. B follows A, so A->causes->B, right? Yet in the face of an actual correlation that is causation, they never catch on. Hmmm...I installed the weather gadget bonzi buddy dancing deer girlfriend search wizard, and then my computer got slow and all these toolbars showed up on my IE. I wonder if they're related....Nope, couldn't be.

On the other hand, it's unsophisticated end-users that keep the geek squad and lots of kitchen-table PC techs in business. Eventually the repeat offenders drive me crazy and I send them to any of the "MyFreeFastPCFinallyFixed.dot.com" providers that advertise on late-night TV. Essentially, they're selling a rebranded adware/spyware/toolbar remover that any geek could install for free. I consider the exorbitant rates charged by these charlatans to be a sort of "stupid tax", and only send someone there after they've reinfected themselves a good 3 times or better.

A/V software has always operated as a blacklist. Because the Wintel platform has never been able to properly implement Default Deny security, because the average Wintel user could never grasp the concept of using a "sudo/su" equivalent, the A/V blacklists will never work. They won't fail because the A/V coders are stupid, nor because the malware writers are clever. They'll fail because the whole ecosystem is broken. With > 1 billion wintel PCs, even if 90% of the users patch appropriately and behave online, that's 100 million potential machines to compromise. That 90% figure is nowhere close to reality, it's probably more like ~20% of PCs are patched appropriately and have users who won't click on the "free security scan, now with naked mermaid" popup ad.

Comment Re:MS Malware Protection Center info (Score 1) 473

Only this "new" Visal.B uses the same payload and transmission vectors as Visal.A which was first spotted in the wild six weeks ago:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FVisal.A

More than enough time for enterprisey-"security" vendors to get the blockware/websense/exchange server A/V up to date. At a minimum, firewall or websense block the 3 URLs Visal uses to transmit the payload.

Comment Re:Dealing with this mess... (Score 0, Flamebait) 473

More troubling, why does no one ever demand some friggin' accountability from those criminally incompetent "security" vendors. This worm is not some brand-spankin-new, just-released-today threat. The first entry in microsoft's web site for Worm:Win32/Visal.A can be found here http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FVisal.A - It went up on August 4 2010 and was updated on August 19 2010. The full text of the email can be found at that site, as well as a list of infection symptoms, spread vectors, and URL patterns of the payload. My own employer spends millions of dollars per year on websense to keep me safe from gmail and youtube, symantec A/V to keep me safe from 30% of my laptop's performance, and a myriad of other safety and security products.

You'd think that a firm like webNonSense would have the resources to add the payload sites to their list of "naughty" websites. Although it would be a pretty big undertaking for them, after all the worm/trojan does have a huge set of THREE FUCKING URL PATTERNS that it uses to link to the payload. That's a pretty tall order to keep track of 3 whole URL patterns. For example, they start with sharedocuments.com/ and end with Something_BunchOfNumbers.PDF.scr. Like, someone might have to learn how regular expressions work or something - that's time taken away from webNonSenses' primary mission of keeping corporate america safe from boobies. I don't know what WebSenses' slogan or tagline is, but given that it only seems to work on static porn sites that have been around for years, maybe they should think about changing it to "WebSense - Tits or GTFO!"

You'd think that if the idiots at Microsoft Security Essentials had found this in the wild six weeks ago that our friends at McAfee/Intel and Norton/Symantec would have rolled out a definition file that immunized against the infection already.

You'd think that the Microsoft Security Essentials idiots would talk to the Microsoft Exchange retards and maybe block the emails at that level. Or maybe they'd block it at the browser level - fit it into the several terabytes or so that counts for an InternetExploder install these days.

Incidentally, for the fun of it I fired up a Windows VM and logged on to the corporate exchange server this morning after reading about this. I clicked on the link and you'll never guess what stopped the infection - Good old Firefox threw up the warning. Not the AV software, not websense, not UAC - but firefox caught it on the download/check for virus step.

So the product with the least responsibility for the save actually saved the day. The best description of the performance of websense, symantec, mcafee, etc can only best be described as: "They shit the bed."

Antivirus and security software doesn't work. It never will work. So long as the mindset of security is default permit or blacklisting, this kind of thing will happen again and again. If any good can come of this, it would be the SEC hauling symantec and mcafee and the rest of them off for perpetrating a massive fraud on nearly everyone.
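Added example, not part of the original comment and not taken from the Microsoft entry: a proxy-log check for the one URL shape the comment describes (sharedocuments.com/ ... Something_BunchOfNumbers.PDF.scr), generalised to any document-looking file name that really ends in an executable extension. The log format, the sample lines, the extension lists and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Shape described in the comment: host sharedocuments.com, file name
# Something_<digits>.PDF.scr (case-insensitive).
NAME_PATTERN = re.compile(r"^[^/]+_\d+\.pdf\.scr$", re.IGNORECASE)
PAGE_HOST = "sharedocuments.com"

# Generalisation (assumed lists): decoy document extension followed by a
# Windows executable extension.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}
EXEC_EXT = {"scr", "exe", "com", "pif", "bat", "cmd"}


def classify_url(url):
    """Return 'comment-pattern', 'double-extension' or None for one URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    # Decode %2E etc. and drop trailing dots/spaces, which Windows ignores
    # when the file is saved, so "x.pdf.scr." is still an .scr file.
    filename = unquote(parts.path).rsplit("/", 1)[-1].rstrip(". ")
    on_page_host = host == PAGE_HOST or host.endswith("." + PAGE_HOST)
    if on_page_host and NAME_PATTERN.match(filename):
        return "comment-pattern"
    pieces = filename.lower().split(".")
    if len(pieces) >= 3 and pieces[-1] in EXEC_EXT and pieces[-2] in DECOY_EXT:
        return "double-extension"
    return None


def scan(log_text):
    """Yield (client, url, verdict) for flagged lines.

    Assumed log format: timestamp client method url status."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or empty lines
        verdict = classify_url(fields[3])
        if verdict:
            hits.append((fields[1], fields[3], verdict))
    return hits


# Constructed sample lines (paths, clients and .example hosts are made up).
SAMPLE_LOG = """\
2010-09-10T14:02:11Z 10.0.0.21 GET http://sharedocuments.com/library/Document_0423.PDF.scr 200
2010-09-10T14:02:40Z 10.0.0.35 GET http://intranet.example/reports/q3.pdf 200
2010-09-10T14:03:05Z 10.0.0.35 GET http://files.example/invoice.DOC.exe?x=1 200
2010-09-10T14:03:09Z 10.0.0.48 GET http://sharedocuments.com/about.html 200
"""

if __name__ == "__main__":
    for client, url, verdict in scan(SAMPLE_LOG):
        print(client, verdict, url)
```

The same predicate works as a deny rule on a proxy or mail gateway; the generic double-extension branch catches renamed hosts that the page-specific branch would miss.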

Comment Whew.... (Score 1) 197

To myself and many other slashdotters' relief, this law, and others like it in many U.S. states only bans the creation of human/animal, not human/machine hybrids or fully synthetic life. So while the minotaur and the mermaid are right out, this will not dampen further innovation in the field of cybernetics and robotics.

In other words, your girl robot is still safe...

Comment The cure is much worse than the disease (Score 1) 212

Why the penny-pinching misers of corporate America haven't gotten wise to the incredible scam that's been perpetrated on them in the form of Anti-Virus software still amazes me. It would be easy to assume that there are kickbacks from Symantec/McAfee to the big corporate subscribers, or some other conspiracy. But then I'm reminded to not ascribe to malice that which stupidity explains. If my last three employers are representative, then the average Fortune 500 company has about 10 FTE positions tasked with ongoing maintenance and support of their A/V infrastructure. Then factor in the millions in licensing costs. The bandwidth to push out terabytes of signature updates monthly or weekly. The 30% performance hit off the top of every PC in the enterprise that on-access and resident scanning imposes. The lost productivity that wasted performance leads to. The soft costs in terms of user confusion caused by false positives, system crashes, application/utility conflicts with the A/V, etc.

And then realize that the punchline to this sick joke is that the stupid thing doesn't even work!

If I gave any reasonably competent Wintel PC/Software technician that list of symptoms above, and asked for a list of possible causes, near the top of everyone's list would be "malware infection". Contrast the potential problems caused by a malware infection in comparison to the guarantee that the issues above will affect a PC "infected" with one of these massively bloated A/V solutions.

Anti-Virus solutions are based on blacklists. Blacklists don't work. Anti-Virus programs cause the machine to exhibit the exact symptoms they were designed to prevent. It's cutting off your arm because of a hangnail. I'm sure someone more clever than I can come up with a car analogy. The medicine is worse than the disease.

One good thing about A/V software - since I started sharing the above rant with family members, especially the in-laws, the requests for tech support from me have gone way way down. I think that my anti-A/V views have gotten me labeled as some kind of tinfoil-hat-wearing nut who shouldn't be allowed anywhere near their computers.

Comment Re:Pop up the error message in a box... (Score 1) 951

One of my last jobs involved a web app for local governments with a third-party GIS and mapping component that unfortunately required a pop-up window. After every election cycle in the state, we'd take a flood of support calls from new clerks, public works directors, mayors, etc, and 90-ish percent of those calls were "The maps aren't working" - with typical misplaced hostility towards the poor sap taking the call.

So, we put a message on the main entry/splash screen that did some detection to see if you were using a pop-up blocker. Basically a quick: 'var newWindow = window.open(someTinyOffScreenWindow); if (newWindow == null) showWarningMessage();' The message indicated that the maps and other stuff wouldn't work if you didn't create an exception for our site for your pop-up blocker, and a list of some common ones (yahoo, google, mozilla, etc).

The results: None, it had no measurable impact on support calls. So, we made the message huge, put it in red text, and prefaced it with OMG!! WARNING!!! LAND SHARKS!!! etc... We even changed the OMG part to an animated .gif that simulated the dreaded blinking text. Still no impact. Like a blind spot. No one saw it.

Finally, we displayed the message, and disabled/hid all the buttons and links on the app. Basically, we denied them access to any part of the app until they fixed it. Maximized the window so you could see or do nothing except read and acknowledge the error.

The result of this extreme action: Support calls for pop-up blocker issues plummet. Usage of the app actually goes UP! Turns out there was a large percentage of users that didn't read the error and just gave up in frustration when the thing didn't work. Once they were blocked from doing anything until they fixed the root issue, the overall usage of the app goes up.

I learned some valuable lessons from this. One - From a UI standpoint, there is nothing you can do to make a message more noticeable. Visibility/boldness isn't the problem. Think of users like a selenium script program to press a particular button on a page. So long as the button is there, the script/user keeps doing what they're 'programmed' to do. Two: If you need the user to take a certain action, including reading a message, you have to paint them into a corner where that's all the system allows them to do.

Comment Re:Surely this is a bit early (Score 1) 581

I just got done switching out several of our production machines from 32-bit windows server 2003 to windows server 2003 x64 to solve a performance problem. Something commonly missed in these discussions is that beyond the amount of memory you can reach per process on x86 32-bit, there's also the problem of fragmentation in the addressing space, especially on certain (read:windows) OSes. My particular performance problem related to a java process (tomcat) which was starved for memory on the 32-bit VMs. The new 64-bit VMs, like the 32-bit ones I was on still only have 2 GB of memory, but I can get at it in contiguous chunks, which Java still requires because it uses an offset map table to address the heap. Microsoft parks all kinds of DLLs and other rubbish all over the place and you end up with a 4 GB machine with 3.5 GB available after the OS loads, but the biggest contiguous piece is often 700 MB. Moving to 64-bit solves the problem not by making more physical memory available, but by increasing the odds there's a contiguous chunk of addresses available.

Then again, you could just go to some 32-bit linux and avoid the problem that way as well.

Comment Unschooling led me to software development (Score 1) 1345

I'm on a deadline at the moment, so I unfortunately can't get into all the details...But I was home-schooled from 1st grade through the end of high school, until I got bored with that and started college (higher school?) at 15. Our own journey through home-school started as a fairly structured, formal, almost classroom-oriented affair and slowly d/evolved into unschooling. It was a far more suitable approach, and not just for me, for my parents and two siblings as well, and we're all as different from each other as three kids can be. Unschooling isn't really a rejection of conventional schoolwork, it's an accepting that children all learn in different ways, and have been for millennia, (OK, so the wack-jobs you've probably heard about would say 6000 years, but you get the point.) while pen-and-paper curriculum is only a few generations old.

Having had such a wonderful experience with Home/Un-Schooling, and realizing it had a lot to do with giving me the freedom to become a liberal, atheist, Obama-voting, Latte-sipping-Elitist, It always troubles me when I see yet another right-wing nutjob "ruining it for the rest of us" by using home-schooling as a means of unzipping their children's heads and just pouring the bullshit straight on in. The parents I know who are taking the un-schooling approach I always have the greatest hope for, as these people are generally all about rejecting Dogma and finding their own way. More and more within the home-schooling community I still occasionally make presentations and speeches for, "un-schooling" has started to become code for "Yes, I'm homeschooling my kids, but I'm living in a place called reality, where the world's 4.6 billion years old, where Obama was born in the USA, and where the best source of news is NPR"....

Comment Re:How about you don't? (Score 4, Insightful) 608

"because it won't make one iota of difference to the environment whether that thing is on or off..."

assuming it's 500 cores, and also assuming (conservatively) that the difference between idle and full load is only 100 watts per processing unit - that means about 50 extra KWh consumed by this thing at near full utilization.

X 24 hours = about 1.2 million watts.

1 short ton of coal yields about 2500 KWh of electricity at average efficiencies.

If I've done the math right, you can imagine dumping an extra 1/2 ton of coal on a fire somewhere to run this thing (at load) for 1 day.

According to DOE - Burning coal produces 2.117 lbs of carbon per KWh. So even 1 hour at full load introduces an additional 50 pounds of CO2 into the atmosphere

Again, all assuming this cluster sits somewhere (like america) where most of the electricity gets generated from coal or other fossil fuels. YMMV.

Important to remember - there isn't any storage or margin in the power grid. Every time you turn on a light switch or run a CPU up to max with SuperPrime, somewhere a turbine starts turning that little bit faster - it's always got to be nearly in balance.
 
