Monthly Archives: November 2011
There aren’t a lot of magazines that I read. There are fewer I actually pay for. But MacTech is one of those. I know I have mentioned MacTech before, but I never actually bothered to get any deals for my readers. Well, how about a free subscription? Actually, MacTech is also running the offer on their main site, so it’s not like I’m special – but I do have my own link and it is a separate run of the same special pricing – so there!
Want a free subscription to MacTech Magazine? If you aren’t yet a subscriber of MacTech Magazine, then you should take a look at the ”Ultimate Black Friday” deal. Be one of the first 100 to apply using this link, and MacTech will give you a FREE subscription to MacTech Magazine. Not in the first 100? Not a problem — MacTech will get you a free copy of the magazine anyway! No strings attached.
Also, it is worth noting that I have no official connections to MacTech, other than having spoken at one of their conferences. I receive absolutely no commission or payment for making such a recommendation and have, in fact, never received a check from MacTech. But since I believe in what they do and find it of quality, I relish the opportunity to pass on a little love. If you’re reading this article on your day off then you should get something for it after all!
So if you’re looking for something to give yourself for the holidays, don’t stay up all night hitting Best Buy, WalMart, Kohls, Macy’s, Home Depot and the other Black Friday specials starting at midnight. Instead just get yourself a little MacTech and just know, deep down, that those 99 cent poinsettias aren’t worth staying up all night for…
Oh, MacTech has a little fine print: Limited quantity. While supplies last. US delivery address only. Not valid for current subscribers.
Looks like Wave will be gone as of January. From Google:
More than a year ago, we announced that Google Wave would no longer be developed as a separate product. At the time, we committed to maintaining the site at least through to the end of 2010. Today, we are sharing the specific dates for ending this maintenance period and shutting down Wave. As of January 31, 2012, all waves will be read-only, and the Wave service will be turned off on April 30, 2012. You will be able to continue exporting individual waves using the existing PDF export feature until the Google Wave service is turned off. We encourage you to export any important data before April 30, 2012.
If you would like to continue using Wave, there are a number of open source projects, including Apache Wave. There is also an open source project called Walkaround that includes an experimental feature that lets you import all your Waves from Google. This feature will also work until the Wave service is turned off on April 30, 2012.
For more details, please see our help center.
The Wave Team
© 2011 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
You have received this mandatory email service announcement to update you about important changes to your Google Wave account.
OS X now prompts for an iCloud account when a user logs in for the first time. To disable the iCloud prompt on first login, edit the com.apple.SetupAssistant preference file in Library/Preferences of the User Template, so that every account created from the template starts with the flag already set. To do so, run the following defaults command:
sudo defaults write /System/Library/User\ Template/Non_localized/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
Hat tip to Mike Boylan and Allen Golbig on finding the file.
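As an added example (not from the original post and not Apple tooling), here is the same change done from Python with plistlib, which also lets you apply it to home folders that already exist; the User Template only affects accounts created after the edit. The defaults command above remains the canonical way to do this on the box. The key name DidSeeCloudSetup and the template path are taken from the post; the function names, the users_root parameter and the one-folder-per-user layout under /Users are my assumptions. Write to a home folder only while that user is logged out, since a live session can rewrite its own preference files.

```python
import os
import plistlib

# Preference key the Setup Assistant checks before showing the iCloud pane,
# and the template location, both as given in the post above.
KEY = "DidSeeCloudSetup"
TEMPLATE_PREFS = "/System/Library/User Template/Non_localized/Library/Preferences"
PLIST_NAME = "com.apple.SetupAssistant.plist"


def mark_cloud_setup_seen(prefs_dir):
    """Set DidSeeCloudSetup = true in <prefs_dir>/com.apple.SetupAssistant.plist,
    keeping any keys already stored there. Returns the resulting dictionary."""
    path = os.path.join(prefs_dir, PLIST_NAME)
    prefs = {}
    if os.path.exists(path):
        with open(path, "rb") as fh:
            prefs = plistlib.load(fh)   # reads XML and binary plists alike
    prefs[KEY] = True
    os.makedirs(prefs_dir, exist_ok=True)
    with open(path, "wb") as fh:
        # binary, the same format `defaults write` produces
        plistlib.dump(prefs, fh, fmt=plistlib.FMT_BINARY)
    return prefs


def cloud_setup_seen(prefs_dir):
    """True if the plist in prefs_dir already suppresses the iCloud prompt."""
    path = os.path.join(prefs_dir, PLIST_NAME)
    if not os.path.exists(path):
        return False
    with open(path, "rb") as fh:
        return plistlib.load(fh).get(KEY) is True


def existing_home_prefs(users_root="/Users"):
    """Preferences folders of home directories that already exist (assumed layout:
    one folder per user under users_root). The template only covers new accounts."""
    dirs = []
    for name in sorted(os.listdir(users_root)):
        home = os.path.join(users_root, name)
        if name.startswith(".") or name == "Shared" or not os.path.isdir(home):
            continue
        dirs.append(os.path.join(home, "Library", "Preferences"))
    return dirs


if __name__ == "__main__":
    # Needs root; run while the affected users are logged out.
    for prefs_dir in [TEMPLATE_PREFS] + existing_home_prefs():
        mark_cloud_setup_seen(prefs_dir)
        print(prefs_dir, "->", cloud_setup_seen(prefs_dir))
```

Loading the existing plist before writing matters: the template and existing users may already carry other SetupAssistant keys, and a blind overwrite would drop them.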
There is a good article on User Masquerading in Lion Server on techrecess.com. This feature has come and gone a few times in Mac OS X Server, and I’ve discussed it here and there over the years in a few different books. Some use it as a troubleshooting mechanism for permissions on servers. I have always had a couple of problems with this feature, so I’ll do a mini-rant on it. No offense to Randy whatsoever, as the article is great in and of itself.
Problem #1: Logs
When a user logs into a file share via AFP and browses a directory, those events are logged. The user’s IP address is logged along with the username they entered for authentication. Subsequent activity, including directory browsing, file access and file deletion, is then logged to the AFP logs (provided you actually have logging turned on). If that username was entered through a masqueraded session, you might be able to look into your DHCP logs (or router logs, or whatever other logs help) and work out which events came from the masqueraded session. But events are tracked by IP address from then on, so if you have two IPs logged in under the same username, the logs no longer tell you a complete story. This isn’t that big a deal on its own, except that it leads to Problem #2.
Problem #2: Forensics
Things can happen on servers. Data theft is one of those things that happens a lot, but that we don’t discuss much in the server admin side of things. You see, to us, users either have access to data or they don’t. And if they have access, then they have certain limitations put on what they can or cannot do with that data. But, when you’re doing any forensics work, you look for certain things in the logs. For example, if a user copied a lot of data from the server the day before they left their job then you can reasonably be assured that the user was stealing that data from the server. If the user deleted a lot of data 10 minutes before you fired them, then they probably got wind of what was about to happen. If their actions are bad enough then forensics invariably comes up.
Now, beyond a shadow of a doubt and beyond reasonable doubt are two different things. But if you are looking to prove that a specific action was taken, then using AFP logs is already hard enough, as you only see entries by IP address, with the exception of the moment the user authenticated. The fact that you can masquerade as a user means doubt can be placed on whether the user did something or whether ANY user with an administrative account did it, knowing the user would take the blame. For example, the systems administrator gets an email that the user is going to be let go. The systems administrator then uses a system in the office (not their own) to authenticate as the user and do something. The user gets blamed. Now, most systems administrators I know would never engage in nefarious activities; however, if you are using masqueraded accounts, reasonable doubt can be cast on who actually performed an action.
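Problems #1 and #2 both come down to what the log can and cannot attribute. Here is an added example, not from the original post and not Apple’s, of the check a forensic reviewer would run over the AFP access log: replay the Login/Logout events per IP and flag every file operation that happened while the same username had live sessions from more than one address. The sample lines are constructed and assume the Apache-style layout of AppleFileServiceAccess.log (IP, timestamp, quoted operation and argument, then three counters); adjust the regex if your version’s format differs. Everything it flags is exactly the set of actions the log alone cannot pin on the user rather than on someone masquerading as them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not real server output). Assumed layout, modelled on the
# Apache-style access log AFP on Mac OS X Server writes (AppleFileServiceAccess.log):
#   IP <addr> - - [<timestamp>] "<operation> <argument>" <result> <bytes> <count>
# jdoe logs in from one machine; while that session is still open the same username
# logs in from a second IP, reads a payroll file and deletes a forecast.
SAMPLE_LOG = """\
IP 10.0.1.20 - - [28/Nov/2011:09:02:11 -0600] "Login jdoe" 0 0 0
IP 10.0.1.20 - - [28/Nov/2011:09:05:40 -0600] "OpenFork /Shares/Finance/budget.xlsx" 0 0 0
IP 10.0.1.77 - - [28/Nov/2011:09:11:02 -0600] "Login jdoe" 0 0 0
IP 10.0.1.77 - - [28/Nov/2011:09:12:30 -0600] "OpenFork /Shares/Finance/payroll.xlsx" 0 0 0
IP 10.0.1.77 - - [28/Nov/2011:09:13:05 -0600] "Delete /Shares/Finance/Q4-forecast.numbers" 0 0 0
IP 10.0.1.77 - - [28/Nov/2011:09:14:00 -0600] "Logout jdoe" 0 0 0
IP 10.0.1.20 - - [28/Nov/2011:09:30:12 -0600] "Logout jdoe" 0 0 0
IP 10.0.1.33 - - [28/Nov/2011:09:31:00 -0600] "Login asmith" 0 0 0
IP 10.0.1.33 - - [28/Nov/2011:09:32:00 -0600] "OpenFork /Shares/Marketing/deck.key" 0 0 0
"""

LINE_RE = re.compile(
    r'^IP (?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<op>\S+)(?: (?P<arg>.*?))?" (?P<rc>-?\d+) (?P<bytes>\d+) (?P<count>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_afp_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "op": m.group("op"),
            "arg": m.group("arg") or "",
        })
    return events


def find_ambiguous_events(events):
    """Replay sessions per IP and flag every file operation performed while the same
    username had live sessions from more than one IP.

    The access log ties operations to an IP, and the IP to whatever username was
    entered at Login. With masquerading an administrator's password also opens that
    username, so during an overlap the log cannot say which person acted."""
    user_on_ip = {}                  # ip -> username currently logged in there
    ips_for_user = defaultdict(set)  # username -> IPs with a live session
    ambiguous = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["op"] == "Login":
            user_on_ip[e["ip"]] = e["arg"]
            ips_for_user[e["arg"]].add(e["ip"])
        elif e["op"] == "Logout":
            user = user_on_ip.pop(e["ip"], None)
            if user:
                ips_for_user[user].discard(e["ip"])
        else:
            user = user_on_ip.get(e["ip"])
            if user and len(ips_for_user[user]) > 1:
                ambiguous.append({
                    **e,
                    "user": user,
                    "other_ips": ips_for_user[user] - {e["ip"]},  # copy, not alias
                })
    return ambiguous


if __name__ == "__main__":
    for e in find_ambiguous_events(parse_afp_log(SAMPLE_LOG)):
        others = ", ".join(sorted(e["other_ips"]))
        print(f'{e["ts"]:%H:%M:%S} {e["user"]}@{e["ip"]} {e["op"]} {e["arg"]} '
              f'(also logged in from {others})')
```

Note what the output does and does not tell you: the two flagged operations came from 10.0.1.77, but nothing in the log says whether that was jdoe on a second machine or an administrator who entered jdoe’s name with their own password. Only the DHCP, switch or workstation logs for that address can take it further, which is the whole point of the rant.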
Problem #3: Lock Picking
When picking locks, one thing you learn is that a lock that accepts several different keys is easier to pick: there are simply more combinations that open it, which is why the lock on many an office building is quicker to defeat than the lock on a house. The same problem applies to masquerading, in the form of brute force. Password policies in OS X Server do not get applied to administrative accounts. Let’s say you have 4 admin accounts. In a Mac OS X Server environment you can pretty safely assume that either admin or diradmin exists on the domain, and any user bound to an OD environment can run dscl from their client system to list the rest of the administrative accounts. If a brute force attack is run against a user, then there are 5 passwords that will authenticate as that user (the user’s own plus the 4 admin passwords, and the admin ones aren’t subject to the password policy), so the expected time to the first hit drops to roughly a fifth, theoretically cutting the attack by almost 80%. I know, I know, don’t forget about the adaptive firewall, and all… But this is a best practices conversation, not specifics.
Problem #4: Non-repudiation
Similar to Problem #2, but not quite. You authenticate as a user and access data in a file that you, as the systems administrator, are not supposed to have access to. If you were sitting at the console of the server, a sudo event would have been recorded in the security log. However, since you’re coming in over AFP, you do so as a user who has access to that payroll file or whatever else you should not be able to read, and the log shows only that user’s name. I really don’t like knowing any user passwords, ever. That way the finger never gets pointed at me. If I need access to a user’s data, I am going to change their password. That way, they know I accessed their data. The only way I can access their data is if I change their password, because I don’t otherwise have access to their stuff…
But I can just enable masquerading any old time? Having a layer of change/configuration management, where you snapshot server settings, such as sabackup, helps to keep the audit trail clean and concise. Between the logs and the fact that AFP would have had to be restarted twice between snapshots (once to turn masquerading on and once to turn it off), any wrongdoing becomes easier to track and therefore (hopefully) less likely. There are a lot of ways to troubleshoot permissions. Masquerading as a user is rarely going to be necessary, and in any case where it is, you can change the user’s password instead. The security issues that arise, the loss of visibility in logs and the fact that this option breaks some of the most basic tenets of security all make me stay away from this feature.
It would seem there are those within Apple that would agree with me. Otherwise I can’t imagine why the option would come and go over the years… Having said this, one of the reasons I’ve spoken about security less and less over the years is that there are a lot of different views and points and layers that go into a security model. Another is that some Mac users can get violent at the most minor implication you may make that there is a modicum of a flaw in their platform of choice – even if it is meant to increase the overall security of the platform. Or at the least there is a general sense of apathy about security on the platform. Provided you’ve taken masquerading into account, though, then by all means use this option (there are definitely arguments that good use of Splunk, or other log analysis/aggregation tools, can make up for it, albeit with a lot of effort going into such a practice). Either way, thanks to Randy for pointing out how to enable it!
MDM is a growing hot-button for many organizations — and many don’t yet understand why they need MDM to keep their organizations safe. With the consumerization of IT, the need for MDM has crept up on most. MacTech is doing a bunch of stuff to help further the MDM cause. For starters, with MDM being SUCH a hot topic, and so many people having no idea that they really need to pay attention to it, MacTech has created a free primer which is now available at:
The primer covers the following topics:
- device configuration
- reasons for MDM
- user configured/owned devices
- configuration profiles
- MDM lifecycle
- Apple Push Notification Service
- assorted MDM technologies
- and questions to be asking of MDM providers
MacTech InDepth: Mobile Device Management is on December 7, 2011 in San Francisco. Early bird pricing saves $200 and will end soon — register now at $295. Register at http://www.mactech.com/indepth/register
Back at the University of Georgia, we had the 101 classes, which were introductions to a topic. We also had the 99 classes, which usually meant you weren’t supposed to get into school but squeaked by, and that you actually needed to take them to stay there. I have no business telling others how to conduct themselves during a job interview, given that it’s been a long time since I interviewed anywhere myself. But I’m going to anyway, since I interview plenty of people as a part of my job. I’m just going to teach the 99 class though, since I have no business teaching anything higher…
My post from yesterday involved tips on resumes. But what happens when you get the interview and you go in for the first time to meet your potential employer? I have a few tips, just some basic rules I like. Others are sure to have their likes and dislikes, but whatever on that, I’m the one teaching Interviewing 99 for SysAdmins, so I get to express my own opinions:
- Shower. I might not shower, but you should. If you’re not sure whether you should shower, the answer is always yes.
- Dress for the part. Don’t show up in a tuxedo. Don’t show up in shorts. There’s a happy medium. Know your audience and dress just a tad up from them. But, even if they wear less, don’t wear shorts. Wear pants. Or a skirt. If you’re a guy and you wear a skirt, I don’t care – just don’t wear shorts. Don’t wear a shirt that shows me your armpits. Doesn’t matter what sex you are, I don’t need to see shoulders or unshaven pits. Or shaven pits… Also, don’t show me that tramp stamp that’s still a little red around the edges. Seriously, I don’t care; just don’t show me more than is appropriate in an interview. It’s an etiquette thing… You can never dress too nice. Unless you show up in a tuxedo. Then I assume you’re an ironic hipster and I think you should move to Portland. Unless I’m hiring in Portland. Then I think maybe you can show up in a tuxedo. But not shorts. If you show up in a tuxedo with shorts, then there is a high probability that things will be thrown at you…
- Be about 5 minutes early. If you’re more early than that I feel guilty (see, I told you guys who thought I was pure evil that I was in fact, human). If you’re more than 5 minutes late then I assume you’ll be late to work every single day of your employment, which annoys me mostly because if I’m usually late then I can only assume you’re always late since I’m not there to see you.
- If you are going to be late, call. I am pretty sure that everyone has a cell phone. If you don’t have a cell phone then I am going to be worried that you won’t carry one at work either (and in some professions you really need to carry one). If you do have a cell phone and you don’t call then I’ll assume you haven’t figured out how to get Siri to call. If I figure you can’t figure out how to use Siri then I’m going to figure on being very concerned about you in more ways than just being late.
- If you don’t call and you’re more than half an hour late, make up a really awesome excuse and bring proof. Broken bones are awesome (hopefully I won’t get a nastygram from an HR attorney about that last sentence). If you pull a Ben Roethlisberger and snap your nose back into its socket and run back in the game, I honestly don’t care if you pulled a fight club downstairs to get your nose in that shape, I’m sold.
- Bring a copy of your resume. On paper… I know, it’s a digital world. I know, you’re interviewing to be a systems administrator, not a paper maker or a typist. I’m not going to ask for it. But someone will (I know plenty of people who always ask during an interview, just to make sure).
- You don’t live in a fraternity house any more. Or at least I hope not. Don’t tell me about the bar you were drinking at last night, that finally kicked you out at 10am when the interview is at 10:30. Also, don’t tell me about how you threw up in the bathroom at the bar. Both of these are bad ideas. If I saw you throw up in the bathroom at the bar, still, don’t mention it. If you saw me throw up at the bar, definitely don’t mention it. This should go without saying, but don’t mention that you bought an 8 ball off someone in the bar either. Nor that you smoked a big fatty on the way to the interview to come down off the 8 ball, which you somehow managed to demolish in just under a couple of hours. Any time discussing drinking is off the table, discussion of illegal substances is as well – even if it’s basically legal in California anyway…
- Stay on point. I ask you questions, you ask me questions, we keep it professional and that’s that. A few minutes of pleasantries up front are fine, but if you can keep things on track in an interview then I’ll assume you can do so on the job as well.
- Don’t lie to me. If I figure it out, I’ll wrap things up and say goodbye and that’s that. If I don’t figure it out and I hire you and then I figure it out, I will despise you for it. And I have been known to carry grudges.
- I ask technical questions. It is fine not to know something, but if you don’t, let me know how you would figure it out. Actually, let’s refine that a bit. It’s better to say, “I’m not sure how to do that in RHEL but I can tell you how I’d do it in Mac OS X and I am guessing I could Google for the differences between the two.” When you ask a politician a question and they answer a completely different question, it bugs people. But it doesn’t have to. If you asked Mitt Romney some religious question and he said “that doesn’t matter. But since I’m not going to talk about something that doesn’t matter, let me tell you what does” then people might like him better. Actually, they probably wouldn’t. But that’s another post…
- Be yourself. If you’re nervous, I don’t assume you’ll always be nervous. If you’re a little weird, I will probably actually like you more. If you don’t answer every question perfectly I’ll know you don’t dream of electric sheep. I enjoy interviewing and I almost always get people to warm up by the end.
- Turn off your phone. Or at least the ringer. Airplane mode is probably best. Unless it’s a phone interview. Then Airplane mode might not be the best idea. This goes doubly if you have any John Tesh ringtones!
- Mind the gatekeeper. The person who schedules, coordinates, lets you in the door, shows you to the office, brings water or whatever they do in whatever organization, these are the gatekeepers. Chances are, they’re not just scheduling interviews but an integral part of the workflow of the interviewer. Keep that in mind when you are about to snark at them and think twice about doing so. It’s like if I’m Matthew Stafford and I throw a 40 yard TD. In the press conference I’m gonna’ say it’s all about the line. Or Johnson, or whatever. They are more important than I am. Not that I’m anything like Stafford. Well, we did both go to Georgia. But other than that, nothing like him… But really, the gatekeeper is critical and if there’s someone that doesn’t work well with them, they’re likely not going to be on the team (e.g. Albert Haynesworth w/ the Patriots). Seriously, this is one of the few deal breakers for me. If you show up drunk and high, with John Tesh blaring on your iPhone, about 2 hours late and you’re wearing shorts with a special cutout in the back so we can see the entire tramp stamp you’re rocking you have a higher chance of getting hired than if you piss off the people that coordinate the interview. I’m not saying to bring them chocolates, but be nice to them.
- Have fun with it. Don’t go overboard, but smile. People like it when you smile. Unless you look evil when you smile (then do it anyways). If people usually get frightened when you smile, still do it. I used to want to punch my band teacher when he said smile when we were out marching in 100+ degree weather during a hot, humid Georgia day. But it makes everyone around you feel better, which is nice during a job interview.
- Don’t talk about religion or politics. This could be included under number 8, but it’s not. Remember that we live in a country split almost down the middle on these topics. If you talk about them during an interview you’re going to be screwing up about half the time. Funny enough, I don’t really care either way. I disagree with practically everyone on most topics when it comes to these two, but am always interested in hearing their position. Just not during a job interview…
- Do tell me why you want the job. This is a rarely asked question, but a very powerful one. Why do you want the job? If the interviewer doesn’t ask it then while it isn’t staying on point, answer it at some point during the interview. Assuming of course that you want the job. Just to throw this out there, the correct answer is not “I want money.”
- Do tell the interviewer what differentiates you from other candidates. Unless you know them. Don’t tell me that one of them was getting high on the drive in for the interview (if you do I will assume you were with them). Instead, what about you makes you the right fit for the gig. Again, even if you aren’t asked, this is great to put at the end of an answer to one of the interview questions. If it happens to be another question down the line then you’ve teed up the things you forgot to mention already (and hindsight is always 20-20).
- Don’t discuss sexual orientation, age, race or anything else that could remotely be considered discriminatory. I really don’t care about any of it. Actually, I might care if you discuss it. But I don’t care otherwise. You may think everyone cares a little, but I really don’t. I only care about your sysadmin orientation.
- Do ask questions. If you don’t look nervous and you have no questions to ask then I might think you don’t care. If you’re apathetic during an interview I can only imagine what an engaged employee you would be. The interviewer needs to find out if you’re going to be good at the job, but you need to find out if you’re going to like the job. If you don’t like what you are doing then chances are that you won’t be great at it. Try and keep the questions relevant. About the job. Not about whether I like my jagermeister warm or chilled…
- Do compliment yourself, don’t compliment me. An interview is about me learning about you and you learning about me. Tell me what makes you great. If you tell me you like my shirt (which has never happened during an interview, btw) then I will spend at least a minute in my head thinking “did this person say that so I would like them or is this shirt awesome? I mean, it is new, but my wife wasn’t too hot on it and I think it does make me look a little…” I know, I’m slow. But point is that staying on point is about eliminating those distractions. You need to learn if you’d like the job, for sure; but the interviewer needs to learn if they like you. I’m not saying to throw all humility to the wind though… Also feel free to mention what motivates you.
- And one from @rtrouton – bring documentation and/or code samples. I love this one. I had a guy bring a 3 ring binder one time with about 300 pages of stuff. It was a bit much, but impressive in its own right. I’m also happy with a page with some code samples. One of the few semi-social things that I think is valid to share is a github account. Great addition, Rich!