Take the survey.

Take part in the 2007 Perl Survey!

The Perl Survey is an attempt to capture a picture of the Perl community in all its diversity. No matter what sort of Perl programmer you are, we'd love to hear from you.

The survey can be found at: http://perlsurvey.org/

It only takes about 5 minutes to complete.

The survey will be open until September 30th, 2007. After that, we'll be reporting on the results and making the data freely available.

Please feel free to forward this email to any other Perl programmers you know.

Thanks for your help!

Yours,

Kirrily "Skud" Robert
The Perl Survey
info@perlsurvey.org

A guy (Scott Lazzari) on the SAGE list asked:

I've been tasked with putting together a risk assessment for the local office where I do nuts-to-bolts IT support. So far, I've identified the key equipment, and assigned a criticality level to this equipment. I'm not sure where I should go from here. My background is much more tech-oriented - fixing and installing equipment, servers, etc. so this level of business analysis is a little new to me.

Does anyone have some good resources, or advice they could drop my way?

Summary of some risk assessment resources, with responders, suggested in response:

• http://www.securityfocus.com/infocus/1591 [John Buys]
• http://www.securitymetrics.org/content/Wiki.jsp [Lynda]
• http://www.iatrp.com/ [Brian Kirouac]
• www.rcmp-grc.gc.ca/tsb//pubs/it_sec/g2-001_e.pdf [Sean MacGuire, he of Big Brother fame

Somewhere pretty far along in your career, you should be thinking strategically. New projects, system improvements, proactive, all the buzzwords.

But then that host croaks.

There goes the day.

Attending technical conferences can provide the system administrator with a number of benefits. A good conference can broaden or deepen your skills, expose you to the state of the art, and provide networking opportunities and some valuable recharging and entertainment away from the office grind. And it can be fun.

At conferences, I tend to choose training sessions on topics or problems that maybe we don't have today, or haven't identified yet as a weakness or opportunity. For example, we don't conduct our own penetration testing or web application reviews (we have a dedicated Security team for that), but therein lies an opportunity for our admins to become trained, or certainly more aware of the practices in this area that can make us more secure. "Many hands make light work" and all... So I signed up for session on penetrating and exploiting web applications.

The tough part (and potentially a cause of expectation mismatch with your boss) might be your ability to return from the conference, head aswim with ideas, get dropped back into the fray, yet still find the time and energy to share what you've learned with your team. "We spent $X,000 and what do we have to show for it?"

What to do?

• Make your course guides and handouts available to your team as soon as you return.
• Send a summary of the classes you took and their potential applicability in your world to your team. Keep it short, they're busy.
• Over the next few weeks or months, as you have opportunities, revisit your course materials and consider them in the light of your current job role or interests.
• Consider teaching a "potpourri" session where you cover the "5 Coolest Things I Learned At Usenix", for example, to give people a jumping-off point for new ideas.
• If you're shy of speaking in public, share that information on a team wiki or internal blog. I'd do that anyway, teaching or not, since your teammates may vary in how they consume new ideas.
• If you decide to "teach", don't attempt to reteach the course. Unless you took copious notes, you'll likely miss something teaching from someone else's powerpoint deck.

While the kids watched Tarzan this afternoon, I spent about an hour re-reading the presentation notes from Dan Geer's Measuring Security session at USENIX in June of last year. In light of new responsibilities and changing emphases in my job since then, I came away with 9 new tasks or ideas that my team can or should do. They're now on the GTD list and in the pipe to make us more aware and hopefully make our infrastructure more secure.

Jacob's has posted the deck for his Web2.0 Expo talk on Geographic Distribution for Global Web Application Performance

My friend Rob Carlson has assembled an Amazon list: Essential Developer/Sysadmin Toolkit

The only thing I'd add would be Database Nation, by Simson Garfinkel, as a solemn reminder of the privacy and trust implications we face as sysadmins when handling our user's business data and email.

I applaud the Getting Things Done as the first item on the list.

It's now less than six days until the mini-y2k of our newly adjusted daylight savings time switchover date.

Are you patched?

# mkdir `ifconfig | grep inet | grep Bc | awk '{print $2}' | awk -F: '{print $2}' | tr . _`

Some days we move the platform/product/team/company forward. Some days we tend the garden. Both are needed. My exercise the past two weeks has been the planning and prioritization of the my group's infrastructure projects for the year. I'm lucky in that my boss and I are sympatico, seeing the opportunities and shortcomings in much the same way. Still, it's hard to say what the landscape will look like in October - that's a whole nine months away. Yet, we try. I'm balancing the garden-tending against the big initiatives, trying to not let the weeds overtake us.

This time of year, starting with a fresh list (although with some carryover) emphasizes the personal satisfaction that I find in my position. I'd never plead indispensability, but it's good to be dedicated and focused and know that we'll get support for most of the good projects and finish them. Looking back at what we did in 2006, project-wise, puts a soft-focus on the year and takes the edge off days of host recoveries, difficult on-call weeks, and the occasional pettiness of daily corporate life.

I've thought a lot about how to make a career. I have friends who are attorneys, engineers, doctors, and accountants. Their professional paths are well-defined. Knowledge and skill are prized among them. Bigger cases, projects, and deals are the hallmarks of growing and progressing in those fields. It's human nature probably to compare jobs, so I weigh my days as a system administrator often, and check the progression. In my field, unless you head into management, the careers progress with projects and innovation. Are the projects technically challenging? Do they move us forward or are you tending garden? Are they bold or simply incremental? These are the things I consider.

So what am I doing? I can't very well list my projects here, but the areas of focus are very buzzword-compliant. To wit:

• Privacy and Security
• Integration and Standardization
• Redundancy (with resulting service availability goodness)
• Reporting and Monitoring

Each of these areas has a bunch of verbs, "improve", "upgrade", "migrate", "decomm" (my favorite!), and objects such as mail and DNS. Some of the projects are technical challenges, while others simply need a long span of attention to finish - no wondering off after that next shiny thing.

The interesting part of this whole exercise, beyond moving us forward, is the balancing of company interests and goals with my professional goals, interests, and skills. Somehow it all works out, maybe I'm good with puzzles, and we now have a set of marching orders.

Google has chosen Lenoir, NC for a new data center. Yahoo Finance reports:

Search engine giant Google Inc. plans to spend $600 million to build a data center in North Carolina, state officials and the company said Friday.

...

The state will give the company $4.8 million as part of a total incentives package that could reach more than $100 million.

Nothing on the Google site yet about it.

Yahoo was a leader in many areas - search, portal, messaging. But as they've aged, their engineering teams are beginning to suffer some of the same problems as the rest of us. Cutting-edge platforms (at one time), often of a proprietary nature, need a hard look and difficult, often expensive, choices need to be made about the continued use of those platforms.

A Yahoo insider comments on their dead-end infrastructure:

And let me tell you this. Yahoo! is now rotten from the inside out. Here's my take of how to fix Yahoo!'s engineering:

... 4) Slowly port all Yahoo! software to linux and phase out FreeBSD. Start supporting and encouraging multi-threading programming. I bet Google is laughing their asses off at us because we are still stuck with FreeBSD, gcc-2.95 and single process model.

...

5) Slowly get rid of all Yahoo-specialized open source software. Why do we have "YApache" (based on Apache 1.3), and why do we have the dreaded yut/ycore++ libraries when we can use STL and boost? And why do we have YPAN when we can just use CPAN??? The platform group is doing the wrong job supporting this dead-end infrastructure.

IBM has an excellent article on virtualization techniques and architectures.

From a business perspective, there are many reasons for using virtualization. Most come down to what's called server consolidation. Simply put, if you can virtualize a number of under-utilized systems on a single server, there are distinct savings in power, space, cooling, and administration due to having fewer servers. Because it can be difficult to determine server utilization, virtualization technologies support what's called live migration. Live migration allows an operating system and its applications to be migrated to a new server to balance the load over the available hardware.

Technorati Tags: system administration

If you're running PHP on production sites, especially in a shared hosting environment, you should probably add the PHP Security Blog to your RSS reader.

If you can get past the mild case of bad attitude, the details are very interesting.

Technorati Tags: system administration

Wired has a fascinating article on the changes at Google and at Ask.com to build out infrastructure to support cloud computing for searches and other tasks.

Although the evergreen mazes, mountain majesties, and always-on skiing surely play a role, two amenities in particular make this the perfect site for a next-gen data center. One is a fiber-optic hub linked to Harbour Pointe, Washington, the coastal landing base of PC-1, a fiber-optic artery built to handle 640 Gbps that connects Asia to the US. A glassy extension cord snakes through all the town's major buildings, tapping into the greater Internet though NoaNet, a node of the experimental Internet2. The other attraction is The Dalles Dam and its 1.8-gigawatt power station. The half-mile-long dam is a crucial source of cheap electrical power- once essential to aluminum smelting, now a strategic resource in the next phase in the digital revolution. Indeed, Google and other Silicon Valley titans are looking to the Columbia River to supply ceaseless cycles of electricity at about a fifth of what they would cost in the San Francisco Bay Area. Why? To feed the ravenous appetite of a new breed of computer.

Find The Dalles, on Google Maps, of course or see pictures of the super secret place.

Technorati Tags: system administration

I sent this to my team recently:

Here are the various security vulnerability sources I am using daily:

• http://secunia.com/
• http://www.securityfocus.com/
• http://www.securityfocus.com/vulnerabilities
• http://packetstormsecurity.org/advisories50.html

I'm also reading RSS feeds for the following:

• bugtraq
• incidents
• full-disclosure

You can get subscription info at http://seclists.org/

The SANS Internet Storm Center RSS is also good,http://isc.sans.org/

There's occasional duplication in some of these.