Thankful

Things have been pretty busy around here the last few days.  My in-laws were in from upstate New York to celebrate the holidays and as a result my kids and grandkids have been here nearly every day.  As a result, I haven’t had a whole lot of free time to reflect on all the things that I am thankful for.

The great thing is that I actually spent most of my weekend with what I am most thankful for.  Family.  Like most families, we have had our ups and downs, good times and bad.  Every day I thank God that we are still together, and that everybody is headed in the right direction.

Happy Thanksgiving everyone!

Missing the Mark on Privacy

I’m a big fan of L. Gordon Crovitz’s weekly column in the Wall Street Journal (and not just because he is a board member of Dun & Bradstreet).  Much of the time I find myself agreeing with him, but occasionally we are at odds.  This week is one of those weeks.

In his column Terrorists Get A Phone Upgrade (It is behind a paywall), he argues against the recent stand by Silicon Valley firms to encrypt their devices to prevent governments from being able to see what is on them, even with a court order.

He starts out by describing the Najibullah Zazi case and how they caught him by tapping his email.  I’m not sure what this has to do with encrypting our handheld devices, since email can be tapped at the destination (Yahoo! in this case) long before it is ever downloaded to a phone.  The only thing that you may need it for would be to prove that it was actually downloaded to the phone, but at this point I would assume that the real evidence (such as the explosives) would be enough to convict him.

He also brings up some of the fictitious scenarios that were argued by Deputy Attorney General James Cole about rescuing children by being able to access a criminal’s mobile device.  This argument by Mr. Cole doesn’t hold up very well either.  What information would you be able to get from the cell phone that wouldn’t already be available in the meta data?

Would Mr. Crovitz make the same argument against hard drive encryption of his laptop?  Should the government be able to come in and decrypt his drive with (or without) a court order?  We have seen that the government is more than willing to go after reporters who help whistleblowers (James Rosen anyone?), so how hard would it be for them to get a court order?  Moreover, wouldn’t it be better if terrorists were using an encrypted phone than if they were using an encrypted laptop?  At least with the encrypted phone you would have all the meta-data associated with it.

Personally, I’m in favor of as much protection of my information as possible.  From the tone of the article, I assume (perhaps wrongly) that Mr. Crovitz feels that the encryption is OK so long as government can get to it with a court order.  I think that I should be able to choose if I want what’s on my phone encrypted, just like I can choose to have what’s on my laptop encrypted.  If you put a back door in for the government, it will eventually find its way out into the wild making nothing secure.

Thanks Comrades

Most people will never understand the sacrifices that those who serve make.  The birthdays missed, the anniversaries spent apart, the time separated from loved ones.  Whether you’ve been to a war zone or served during peacetime, you have sacrificed much and have always been willing to sacrifice more.

To all that have served, before me, with me, and after me, thank you.  Your sacrifices will forever be appreciated.

Small Changes

It’s amazing what a small change can do to improve your attitude and outlook.  This past weekend, my wife and I celebrated our 20th wedding anniversary.  In today’s culture, being married to the same person for that length of time is quite an accomplishment.  As I reflected on the past 20 years, I started to ponder what made it work for us.  My conclusion?  Small Changes.

To be sure, we are not the same people today that we were 20 years ago when we met.  We were both in the Army, stationed at Ft. Carson in Colorado, me a never married boy of 21 and her a recently divorced mother of two.  Our courtship was quick, taking just under 10 months to get from first date to wedding vows.   Six days after we were married, she left for Korea and I didn’t see her for almost six months.

In our first 18 months together, we only spent the middle six together when our Korean tours overlapped.  This was back before the internet, Skype, Yahoo! chat, or any other digital forms of communications were available, limiting us to weekly phone calls that were so long distance that $600 monthly phone bills were the norm, rather than the exception.

We’ve lived all over the country; Colorado, Kentucky, New York, Michigan, Hawaii, and Texas.  We have been together through sickness and health, richer and poorer, and through good times and bad.

Over the years we have learned to adjust to each other, to try new things together, and to be comfortable with each other.  As life delivers its next mission, we make our small adjustments and keep moving on.  Sometimes it’s good, sometimes it’s bad, but we always work together to make whatever adjustments are necessary.

Every time we make the small changes, it seems to reinvigorate what we have together.  It’s never dull, it’s never boring.  For the last 20 years I have been lucky enough to be married to my best friend.  I wouldn’t have it any other way.

Is Outsourcing Good or Bad?

I’ve started reading through the textbook for my Multinational Corporate Environment Book and the first Point/Counterpoint is on the subject of whether offshoring is good strategy.

The “yes” side of the argument starts off with the point that if it succeeds in reducing costs, it’s good.  They make the statement that it isn’t much different than other means of employment changes, such as technology improvements or recessions.  Much of the remainder of the argument in favor of offshoring revolves around this central theme.  They wrap up by concluding that these are less skilled jobs and that their departure leads to high-value jobs here at home.

On the “no” side, they start by stating that cost of goods never seems to go down, even when the cost of production does.  They make the argument that the displaced workers find it hard to recover from the event, and even if there are higher value jobs, they likely won’t go to the people being displaced by outsourcing.  Probably the only point that I felt was beneficial in either argument was the following on the no side:

Outsourcing merely diverts companies’ attention from taking steps to find innovative means of more efficient production

Personally, I think that both sides of these arguments are off base.  I am a firm believer in The Three Rules:

      • Better Before Cheaper
      • Revenue Before Costs
      • There are no other rules

If your outsourcing strategy complements the Three Rules, then great.  For much of what I have seen over the course of my career, these types of moves have always been centered around cost savings, not anything that would add value to the product or service we are offering.  We look for cheap labor, but don’t realize what we end up missing; a sense of ownership.

One of the things that I love about working with the teams here in Austin is the sense of ownership that everybody feels for the products that we ship and support.  When something doesn’t work the way it is supposed to, everybody is on it until it is solved.  There is no kicking it over the wall because the developer is in Ireland or the QA resource is in India.  People are here and hold each other accountable.  They can walk up and discuss problems immediately.  There is no time zone difference to deal with.

Personally, I’m not against offshoring.  I think that it has a place, as long as its sole reason is not cost savings.  That only gets you cheap.

Reflection

A lot of the reading that I do these days is around leadership.  As with most things in my life, once I start down a path I can’t help but devour everything that I can find on the topic.  I’m not looking for a leadership style, that was developed courtesy of good old Uncle Sam.  What I am looking for is primarily tips and tricks that leaders do to make their jobs easier and their leadership more effective.  While I was going through my morning RSS Feeds I came across an article on CIO.com by Stephen Balzac titled The Leader Who Didn’t Play Well With Others.  Talk about an eye opener.  For much of my career, I have been that engineer.

Regardless of any official title, I have always been a thought leader in every organization that I have been in.  The relentless drive for efficiency and excellence has only intensified as formal responsibility has been given to me.  While I feel that I have been generally open with my teams during a decision making process and allowed for their input, I never really thought much about the sense of ownership or the lack of commitment that stems from not allowing them to drive outcomes.

It was about halfway through the article that I started to see myself.  I never really thought about it in those specific terms, but as I think back (especially early in my career) I recall a few such demoralizing incidents.  The good thing is that it is easily fixed.  I have recognized for some time that I need to rein in some of my perfectionist tendencies, which generally lead to the “My Idea Is Better” realm.  I also need to remember how happy and focused I feel when I have a sense of ownership over what I am doing.  This is something that I need to instill in my team.

It just goes to show you that no matter what you think you know, you always have more to learn.

Embarking on a New Adventure

For the last few years things have been pretty busy, both personally and professionally. I’ve been the Scoutmaster of my son’s Boy Scout troop, the Finance officer for our local American Legion Post, taken over as the leader of a great team of System Administrators, and learned a lot of new technologies. Throw in some interesting (and for my co-workers, entertaining) family and personal adventures and I haven’t had much time to do anything.

My time as Scoutmaster is winding down, and with only one last big trip (Summer Camp) to go before I hand the reins over to my successor (Thanks Ray!), it’s time for me to find something to do with the extra “hour a week” I’ll gain. So I’ve decided to go back to school.

I earned my Bachelor’s degree in 2007. When I started my degree in 2001 I already had 10 years in IT, so I decided to earn a degree in a field where I would actually learn something. I chose business management. Much better than a computer science degree where I would learn about three year old technology as if it were the cutting edge (although at the time I was still in Detroit and many of the auto companies were still using OS2 Warp4 so it may still have seemed like cutting edge.)

Now I have decided to go back and get my MBA with a focus initially in Information Technology, but eventually I think I will also take the courses on Leadership. Since my military days I have been fascinated by the difference in how the military approaches leadership versus how the civilian world handles it. I expect that the next 18 months will be very challenging and very rewarding. I look forward to it.

Personal Security

A coworker asked me a question yesterday about what I use to protect my personal data.  He knew that I was using a password vault of some sort, but was curious as to what I did for files, etc.  What followed was a pretty lengthy discussion of the tools I used and why.  Most of the why on specific tools was due to their ability to be used across all the platforms that I use.  On a daily basis I use Windows 7, Mac, Linux, Android, and until recently iOS.

Password Safe – Keepass
I have been using Keepass as my password safe for probably the last 5 years or so.  It provides a number of key features that I really wanted, including auto type and password generation.  It also does a pretty good job with some of the websites that make you enter a username first and then goes to a second page to enter your password.  The password generation tool allows me to make long, very complex passwords that I don’t have to remember.  As a result, outside of my keepass password I only have to remember about 10 passwords.  Compare that to the 200+ entries I currently have in Keepass and you can see the benefit.
I keep a copy of the database in SpiderOak Hive (we will discuss SpiderOak further down) so that it syncs securely across all of my devices.  That way, if I am ever using a computer that is not mine and I need to enter a password, I can pull it up on my phone and type it in manually.  I also keep a copy of it on my Portable Apps USB drive I keep on my keychain.

Computer Backup – SpiderOak
When I started using SpiderOak a few years ago, there were only a handful of online backup providers.  Carbonite was the big dog, but there was also Mozy and Backblaze.  There were a number of things that drew me to SpiderOak.  First of course was that it worked on all the platforms, and right behind it was that you paid for space rather than computers.  With most providers you paid a fee for a computer and could backup as much as you want, but when you are only backing up a couple of important gigs per PC, I think SpiderOak provides a better value.  I pay one fee annually for 100G and can backup as many computers or devices as I want to it.  The thing that really sealed the deal was SpiderOak’s Zero Knowledge privacy (https://spideroak.com/zero-knowledge/).  It essentially means that they have no way of decrypting the contents of your files once they reach their servers.

Cloud Drive Encryption – BoxCryptor Classic
Dropbox, Google Drive, and Microsoft’s OneDrive provide a lot of free storage (I think I have around 100G between them), but none of them provide encryption for your files, other than in-transit.  For those services I use BoxCryptor Classic.  It allows me to encrypt locally before they are synced to the cloud drive.  While BoxCryptor only has a Windows and Mac client, you can use EncFS on a Linux system to decrypt and mount the drive.  The free version allows you to encrypt the files of one provider, but it doesn’t encrypt the file names.  I use the paid version that lets me use it with as many providers as I want as well as encrypting file names.

Local Disk/Device Encryption – TrueCrypt
There are still local drives and devices, and for that I use TrueCrypt.  TrueCrypt allows me to encrypt my system drives, portable USB drives, and provides portable containers for other types of files.  Right now, I only have one encrypted container on my laptop, and it contains all of my financial information (Quicken, Turbo Tax, Budget, etc) so that if my laptop is ever lost they don’t get my bank information as well.

Saltstack and Bonding – Part 2

(Part 1 can be found here)

After I wrote my custom grains and was able to get the information that I needed (IP, netmask, gateway) to configure my bonding and bridging, my first attempt to get SaltStack to configure it was with the salt.states.network module:

bond0:
  network.managed:
    - type: bond
    - enabled: True
    - proto: dhcp
    - mode: 802.3ad
    - miimon: 100
    - require:
      - network: eth1
      - network: eth2

eth1:
  network.managed:
    - type: slave
    - proto: none
    - master: bond0

eth2:
  network.managed:
    - type: slave
    - proto: none
    - master: bond0

br0:
  network.managed:
    - enabled: True
    - type: bridge
    - ipaddr: {{ grains['bondnet_ip'] }}
    - netmask: {{ grains['bondnet_mask'] }}
    - gateway: {{ grains['bondnet_gw'] }}

This only partially worked for me.  It would configure the interfaces and change the necessary files, but it would leave the system in a broken state with the IP running on both br0 and eth0.  Once I logged in to the host and restarted networking, everything was fine, but I don’t want to do that for every system that I build.

Next I tried to do it using file.managed and Jinja templates to make the changes and restart networking:

/etc/sysconfig/network:
  file.managed:
    - source: salt://kvm/network
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - defaults:
        hostname: {{ grains['fqdn'] }}

/etc/sysconfig/network-scripts/ifcfg-eth0:
  file.managed:
    - source: salt://kvm/ifcfg-eth0
    - user: root
    - group: root
    - mode: 644

/etc/sysconfig/network-scripts/ifcfg-eth1:
  file.managed:
    - source: salt://kvm/ifcfg-eth1
    - user: root
    - group: root
    - mode: 644

/etc/sysconfig/network-scripts/ifcfg-bond0:
  file.managed:
    - source: salt://kvm/ifcfg-bond0
    - user: root
    - group: root
    - mode: 644

/etc/sysconfig/network-scripts/ifcfg-br0:
  file.managed:
    - source: salt://kvm/ifcfg-br0
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - defaults:
        ip: {{ grains['bondnet_ip'] }}
        netmask: {{ grains['bondnet_mask'] }}
        gateway: {{ grains['bondnet_gw'] }}

/etc/init.d/network restart>/tmp/out:
  cmd.wait:
    - watch:
      - file: '/etc/sysconfig/network-scripts/ifcfg-br0'

This didn’t work very well for me initially. It would restart the network after it changed ifcfg-br0, but it would change it before the rest of the network files, so it would break as well.  To solve that I added “- order” to each of the lines to make sure that they were processed in the order that I wanted them to be and my problem was solved:

/etc/sysconfig/network:
  file.managed:
    - source: salt://kvm/network
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - order: 1
    - defaults:
        hostname: {{ grains['fqdn'] }}

/etc/sysconfig/network-scripts/ifcfg-eth0:
  file.managed:
    - source: salt://kvm/ifcfg-eth0
    - user: root
    - group: root
    - mode: 644
    - order: 2

/etc/sysconfig/network-scripts/ifcfg-eth1:
  file.managed:
    - source: salt://kvm/ifcfg-eth1
    - user: root
    - group: root
    - mode: 644
    - order: 2

/etc/sysconfig/network-scripts/ifcfg-bond0:
  file.managed:
    - source: salt://kvm/ifcfg-bond0
    - user: root
    - group: root
    - mode: 644
    - order: 3

/etc/sysconfig/network-scripts/ifcfg-br0:
  file.managed:
    - source: salt://kvm/ifcfg-br0
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - order: 4
    - defaults:
        ip: {{ grains['bondnet_ip'] }}
        netmask: {{ grains['bondnet_mask'] }}
        gateway: {{ grains['bondnet_gw'] }}

/etc/init.d/network restart>/tmp/out:
  cmd.wait:
    - watch:
      - file: '/etc/sysconfig/network-scripts/ifcfg-br0'

Once I added the “- order”, everything worked exactly the way that I wanted it.  My KVM server was built and ready to be added to CloudStack with the proper network configuration.
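
An alternative to numbering every state, shown here as an added example that is not from the original post: the restart state watches all of the managed files, so Salt's requisite system writes every file before the restart and runs the restart only if at least one of them changed. The state ID restart_network and the Jinja loop are assumptions made for illustration; the paths, sources and grains are the ones used above.

```yaml
# Added example (not the original author's state file).
/etc/sysconfig/network:
  file.managed:
    - source: salt://kvm/network
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - defaults:
        hostname: {{ grains['fqdn'] }}

# The three interface files that need no templating share one definition.
{% for nic in ['eth0', 'eth1', 'bond0'] %}
/etc/sysconfig/network-scripts/ifcfg-{{ nic }}:
  file.managed:
    - source: salt://kvm/ifcfg-{{ nic }}
    - user: root
    - group: root
    - mode: 644
{% endfor %}

/etc/sysconfig/network-scripts/ifcfg-br0:
  file.managed:
    - source: salt://kvm/ifcfg-br0
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - defaults:
        ip: {{ grains['bondnet_ip'] }}
        netmask: {{ grains['bondnet_mask'] }}
        gateway: {{ grains['bondnet_gw'] }}

# restart_network is a hypothetical state ID. Every state listed under
# watch is evaluated before this one, whatever order the file is written
# in, and the command fires only when a watched file reports a change.
restart_network:
  cmd.wait:
    - name: /etc/init.d/network restart
    - watch:
      - file: /etc/sysconfig/network
      - file: /etc/sysconfig/network-scripts/ifcfg-eth0
      - file: /etc/sysconfig/network-scripts/ifcfg-eth1
      - file: /etc/sysconfig/network-scripts/ifcfg-bond0
      - file: /etc/sysconfig/network-scripts/ifcfg-br0
```

Because the dependency is declared on the restart itself, adding another interface file later means adding one line to the watch list rather than renumbering the order values.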

Rants and Ramblings of Austin IT Professional