antipaucity

fighting the lack of good ideas

they asked the right question

Let me compare the experience I wrote about yesterday to another I had the same year with the first customer I was ever sent to – HSBC.

Just a couple weeks after starting with ProServe in 2008, I was sent to Chicago to do a final PoC for HSBC. Someone else had done a PoC the previous year, but with HP’s acquisition of Opsware, HSBC (along with many other customers and potential customers) held-off on signing a purchase contract so they could bundle “everything” they wanted from HP under one big honking purchase order.

And due to changes in the underlying product architecture, HSBC wanted a fresh demo to play with for a little while before writing-in that line item into their PO.

Enter me. A freshly-minted consultant who hadn’t yet developed a solid cheat sheet. So fresh, I thought staying 20 minutes away in a Comfort Inn to save $12 a night was smart (it’s not – always stay as close to your customer as you can (that is within budget) when you’re traveling). But I digress.

After a set of unexpected flight delays, instead of being able to start Monday before lunch, I didn’t even get to meet the customer team until almost end-of-business Monday. Tuesday morning, my main contact met me at the door, escorted me into their lab, and introduced me to the “spare” hardware I’d be working on – a ~5-year-old Sun server running Solaris 10 (thankfully – they’d only just upgraded from Sun OS 9 on that machine a couple weeks before).

Like my main contact in Nutley later that year, my main contact at HSBC was an old hat Solaris admin – he’d been using and administering Sun equipment for nearly 20 years. Smart guy (but, unlike the guy in NJ that summer, he wasn’t a Sun fanboi purist).

The reason we were using retired (and, possibly, resurrected) hardware was because they didn’t trust one of the sales reps (who had since been fired) who made some pretty sweeping promises to them early on in the sales cycle. And, whomever had been in several months prior to do the first PoC had apparently complained bitterly about “having to use Sun”.

So they partially set me up to fail – but I was too dumb to realize it at the time…a perfect instance of the old phrase, “you can’t fool me, I’m too ignorant”.

I did have to suffer through slow network access (the NIC onboard “supported” 100Mbps … but it was flaky, so it had been down-throttled to just 10Mbps. To put this is a little context, that was slower than my home internet access – even then – 10 years ago!

Wednesday about lunchtime, the HSBC project manager for “HP automation initiatives” introduced herself and through our conversation, casually asked, “if you had your druthers, what kind of hardware would you install SA on to support our environment?”

So I answered what I’d use: each server in each SA Core (they were going to have 3) should have 16+ x86-64 CPUs, at least 32 GB RAM, and ample storage (at least 100 GB just for the install, let alone extra space which might be needed for the software and OS libraries). Oh. And it should be running RHEL – don’t use Solaris as the host OS for HPSA.

She pressed me to find out why I suggested this, and I told her, “because SA is written on Linux, and the ported to Solaris; every major issue SA has run into in the last few years regarding OS conflicts has happened on Sun hardware & OSes.”

A little while later, she thanked me for our conversation, thanked me for getting SA up and running so quickly (even on half decade out of date hardware, I had it installed and ready to demo to them in only a little over 1.5 days), which gave me time to go through its functionality, show-off some new things in 7.0 that hadn’t been possible (or as easy) in 6.1 (or 6.5, or 6.6), and even be told I could head out to the airport a little early on Thursday! Win-win-win all around.

Fast forward a few months.

I get a phone call from the engagement manager I’d worked with on the HSBC PoC week, and he asked me if I had a current passport. I told him, “yes,” and asked him why he wanted to know.

He then informed me that HSBC was getting ready to finalize a $12+ million dollar hardware, software, and services sale … but would only be buying SA if I was available to install it.

That’s cool – getting asked back is always a Good Thing™ … but what does that have to do with having a current passport? Bob elaborated: HSBC has a policy of vendors doing installs on site (not weird). And two of those “on site” locations were not in the US: one would be in London England, and the other in Hong Kong. “Would I be able to do that?”, he wanted to know.

“Yes. Yes, I would.”

“OK,” he said, “I’ll send travel dates and details in a few days.”

I hung up, then wondered if I’d said “yes” maybe a little too quickly: who gets asked to be the installation engineer who’s holding-up the finalization of a multi-million-dollar sale? Especially when I knew there were folks at least as qualified, if not much more so, available?

This was my first experience with being asked-back as a consultant (I’d been asked-for when I worked in Support, but that was very different).

And, ultimately, it’s what led to the single best services engagement I had for quite a while. And giving me a [partially] company-paid vacation to the UK. And getting my first stamps in my passport. And establishing a friendship with a customer contact in London who’ve I’ve stayed in touch with ever since.

All from not knowing the “project manager” was actually high-enough up in the HSBC management chain that her recommendations/requests for external personnel would be honored even on big contracts – and being truly honest with her when she asked what I viewed as a casual, throwaway question in a loud computer lab on a cool Wednesday afternoon in April.

The upshot is to always treat everyone you meet as “just another person” – whether a CEO or a janitor, they put their pants on the same way you do: one leg at a time.

but, i got them on sale!

Back in August 2008, I had a one-week “quick start” professional services engagement in Nutley New Jersey. It was a supposed to be a super simple week: install HP Server Automation at BT Global.

Another ProServe engineer was onsite to setup HP Network Automation.

Life was gonna be easy-peasy – the only deliverable was to setup and verify a vanilla HPSA installation.

Except, like every Professional Services engagement in history, all was not as it seemed.

First monkey wrench: our primary technical contact / champion was an old-hat Sun Solaris fan (to the near-exclusion of any other OS for any purpose – he even wanted to run SunOS on his laptop).

Second monkey wrench: expanding on the first, out technical contact was super excited about the servers he’d gotten just the weekend before from Sun because they were “on sale”.

It’s time for a short background digression. Because technical intricacies matter.

HP Server Automation was written on Red Hat Linux. It worked great on RHEL. But, due to some [large] customer requests, it also supported running on Sun Solaris.

In 2007, Sun introduced a novel architecture dubbed, “Niagara”, or UltraSPARC T1, which they offered in their T1000 and T2000 series servers. Niagara did several clever things – it offered multiple threads running per core, with as many as 32 simultaneous processes running.

According to AnandTech, the UltraSPARC T1 was a “72 W, 1.2 GHz chip almost 3 times (in SpecWeb2005) as fast as four Xeon cores at 2.8 GHz”.

But there is always a tradeoff. The tradeoff Sun chose for the first CPU in the product line was to share a single FPU (floating point unit) between the integer cores and pipelines. For workloads that mostly involve static / simple data (ie, not much in the way of calculation), they were blazingly fast.

But sharing an FPU brings problems when you need to actually do floating-point math – as cryptographic algorithms and protocols all end up relying upon for gathering entropy for their random value generation processes. Why does this matter? Well, in the case of HPSA, not only is all interprocess, intraserver, and interserver communication secured with HTTPS certificates, but because large swaths are written in Java, each JVM needs to emulate its own FPU – so not only is the single FPU shared between all of the integer cores of the T1 CPU, it is further time-sliced and shared amongst every JRE instance.

At the time, the “standard” reboot time for a server running in an SA Core was generally benchmarked at ~15-20 minutes. That time encompassed all of the following:

  • stop all SA processes (in the proper order)
  • stop Oracle
  • restart the server
  • start Oracle
  • start all SA components (in the proper order)

As you’ll recall from my article on the Sun JRE 1.4.x from 6.5 years ago, there is a Java component (the Twist) that already takes a long time to start as it seeds its entropy pool.

So when it is sharing the single FPU not only between other JVMs, but between every other process which might end up needing it, the total start time is reduced dramatically.

How dramatically? Shutdown alone was taking upwards of 20 minutes. Startup was north of 35 minutes.

That’s right – instead of ~15-20 minutes for a full restart cycle, if you ran HPSA on a T1-powered server, you were looking at ~60+ minutes to restart.

Full restarts, while not incredibly common, are not all that unordinary, either.

At the time, it was not unusual to want to fully restart an HPSA Core 2-3 times per month. And during initial installation and configuration, restarts need to happen 4-5 times in addition to the number of times various components are restarted during installation as configuration files are updated, new processes and services are started, etc.

What should have been about a one-day setup, with 2-3 days of knowledge transfer – turned into nearly 3 days just to install and initially configure the software.

And why were we stuck on this “revolutionary” hardware? Because of what I noted earlier: our main technical contact was a die-hard Solaris fanboi who’d gotten these servers “on sale” (because their Sun rep “liked them”).

How big a “sale” did he get? Well, his sales rep told him they were getting these last-model-year boxes for 20% off list plus an additional 15% off! That sounds pretty good – depending on how you do the math, he was getting somewhere between 32% and 35% off the list price – for a little over $14,000 a piece (they’d bought two servers – one to run Oracle RDBMS (which Oracle themselves recommended not running on the T1 CPU family), and the other to run HPSA proper).

Except his sales rep lied. Flat-out lied. How do I know? Because I used Sun’s own server configurator site and was able to configure two identical servers for just a smidge over $15,000 each – with no discounts. That means they got 7% off list …
tops.

So not only were they running hardware barely discounted off list (and, interestingly, only slightly cheaper (less than $2000) than the next generation T2-powered servers which had a single FPU per core, not per CPU (which still had some performance issues, but at least weren’t dog-vomit slow), but they were running on Solaris – which had always been a second-class citizen when it came to HPSA performance: all things being roughly equal, x86 hardware running RHEL would always smack the pants off SPARC hardware running Solaris under Server Automation.

For kicks, I configured a pair of servers from Dell (because their online server configurator worked a lot better than any other I knew of, and because I wanted to demonstrate that just because SA was an HP product didn’t mean you had to run HP servers), and was able to massively out-spec two x86 servers for less than $14,000 a pop (more CPU cores, more RAM, more storage, etc) and present my findings as part of our write-up of the week.

Also for kicks, I demoed SA running in a 2-CPU, 4GB VM on my laptop rebooting faster than either T1000 server they had purchased could run.

Whats the moral of this story? There’s two (at least):

  1. Always always always find out from your vendor if they have a preferred or suggested architecture before namby-pamby buying hardware from your favorite sales rep, and
  2. Be ever ready and willing to kick your preconceived notions to the sidelines when presented with evidence that they are not merely ill thought out, but out and out, objectively wrong

These are fundamental tenets of automation:

“Too many people try to take new tools and make them fit their current processes, procedures, and policies – rather than seeing what policies, procedures, and processes are either made redundant by the new tools, or can be improved, shortened, or – wait for it – automated!”

You must always be reviewing and rethinking your preconceived notions, what policies you’re currently following, etc. As I heard recently, you need to reverse your benchmarks: don’t ask, “why are we doing X?”; ask, “what would happen if we didn’t do X?”

That was a question never asked by anyone prior to our arrival to implement what sales had sold them.

what if

you blogged as often as you tweeted, facebooked, linkedinned, instagrammed, plogged, pinterested, google plussed, mastodonned, etc?

For many of us, that would be 4, 10, 20, 100, or even more blog posts per day.

Wonder how differently we would view/utilize social media if we took that approach?

Just a thought.

on entropy, password/passphrase complexity, and if you’ve been part of a data breach (spoiler alert: you have)

I wrote an article on passwords, passphrases, entropy, and data breaches for my employer’s blog: https://augustschell.com/passwords-passphrases-complexity-length-crackability-memorability-data-breaches

you can make anything online – even grave markers

Knock yourself out.

what is “plan b” for iot security?

Schneier has a recent article on security concerns for IoT (internet of things) devices – IoT Cybersecurity: What’s Plan B?

We can try to shop our ideals and demand more security, but companies don’t compete on IoT safety — and we security experts aren’t a large enough market force to make a difference.

We need a Plan B, although I’m not sure what that is. Comment if you have any ideas.

There are loads of great comments on the post.

Here’s the start of some of my thoughts:

There are a host of avenues which need to be gone down and addressed regarding device security in general, and IoT security in particular.

Any certification program could be good .. right up until the vendor goes out of business. Or ends the product line. Or ends formal support. Unless we go to a lease model for everything, you’re going to have unsupported/unsupportable devices out there.

We can’t have patches ad infinitum because it’s not practical: every vendor EOLs products (from OSes to firearms to DB servers to cars, etc).

A few things which would be good:

  • safe/secure by default from the vendor – you have to manually de-safe it to use it (like a rifle which only becomes usable/dangerous/operable when you load a cartridge and put the safety off)
  • well-known, highly-publicized support lifecycles (caveating the vendor going out of business)
  • related to the above, notifications from the device as it nears end of support
  • notifications from the device as well as the vendor that updates/patches are available
  • liability regulations – and an associated insurance structure – affecting businesses which choose to offer IoT devices across a few levels:
    1. here it is :: you deal with it || no support, no insurance, whatever risk is there is your problem
    2. patches / updates for 1 year || basic insurance / guarantee of operation through supported period, as long as you’re patched up to date
    3. patches / updates for 3 years ||
    4. patches / updates for 5 years || first-level business offering || insurance against hacks / flaws that have been disclosed for more than 90 days so long as you have patched
    5. patches / updates for 10 years || enterprise / long-term support || “big” insurance coverage (up to a year, so long as you’re yp-to-date) || proactive notifications from the vendor to customers regarding flaws, patches, etc

There are probably other things which need to be considered.

But there’s my start.

david pogue’s 1996 mac holiday sing-along

Thanks, Archive.org!

God Rest Ye Copland Programmers
(to the tune of “God Rest Ye Merry Gentlemen”)

God rest ye Copland programmers,
It’s finally Christmas Day.
You’ve all worked 20-hour shifts
Beginning back in May.
No wonder after such neglect
Your spouses moved away.
The last real meal you had
Was late last year–
That’s what we hear;
And since then you’ve lived on
Pizza, Coke, and beer.

Your bosses change, and change their minds,
Is Copland off or on?
Are last week’s OS plans in place
Or now completely gone?
God rest ye well this Christmas Day,
You’d better sleep in late–
It’s the last sleep you’ll get till ’98.
Isn’t that great?
It’s the last day off you’ll have till ’98!

The Bill Gates Song
(to the tune of “The Christmas Song”)

Netscape roasting on an open fire,
Apple begging on its knees,
Photo popping up on Time magazine,
Yes, Bill Gates dreams of days like these!
Everybody knows he’s never fully satisfied,
Throws himself behind each task,
World dominion is his company’s goal.
Well, hey, is that so much to ask?
He knows the world is in his sway,
We’ll buy whatever software he might toss our way,
We’ll surf his Internet, watch his TV,
He’ll take us anywhere we ask him–for a fee.

And so we’re offering this simple prayer,
To Bill and all his MS grunts:
Since we all follow any standard you write,
Make it good, please,
Make it good, please,
Make it good, please, just once!

Gil Amelio’s Coming to Town!
(to the tune of “Santa Claus Is Coming to Town”)

You better watch out,
Absurd as it sounds,
‘Cause Apple’s about
To lose a few pounds–
Gil Amelio’s coming to town!

He’s making a list,
And trimming the rolls
Of projects that missed
Their revenue goals–
Gil Amelio’s coming to town!
He knows what’s losing money,
Like eWorld, PowerTalk . . .
You’d better make your project work
Or prepare to take a walk!

Though you follow his lead
Right out the back door,
You know he’ll succeed–
He’s done it before!
Gil Amelio’s coming to town!

Microsoft
(to the tune of “Jingle Bells”)

Nine-tenths of a gig,
Biggest ever seen,
God, this program’s big–
MS Word 15!
Comes on ten CDs,
And requires–damn!
Word is fine, but jeez–
60 megs of RAM?!

Oh! Microsoft, Microsoft,
Bloatware all the way!
I’ve sat here installing Word
Since breakfast yesterday!
Oh! Microsoft, Microsoft,
Moderation, please.
Guess you hadn’t noticed:
Four-gig drives don’t grow on trees!

I’m Dreaming of a Clean System
(to the tune of “White Christmas”)

I’m dreaming of a clean System,
Something that fits on one CD.
Each component matches,
Not bits and patches,
Unlike 7-5-point-3.
I’m longing for a dream System,
Small, stable, fast, and trouble-free.
What we want, I think you’ll agree,
Is called System 6-point-oh-3!

Violent Night
(to the tune of “Silent Night”)

Silent Mac, broken Mac!
System bombed, screen went black.
Books suggested things; I tried ’em all:
Shift key, desktop file, clean reinstall.
Now my deadline is tight,
This Mac’s been silent all night.

Violent night, horrible night!
Lost my cool, filled with spite,
Threw my Mac through the balcony door
Watched it fall from the 20th floor,
Now I’m sleeping in peace;
Thank God I had it on lease.

Prove It’s So!
(to the tune of “Let It Snow”)

Oh, the papers say Apple’s dying,
But before we start good-byeing,
We should call them all up and go,
“Prove it’s so! Prove it’s so! Prove it’s so!”

They say “Mac OS software’s scarcer.”
We say, “Read those numbers, there, sir,
Sales continued this year to grow.
There ya go, there ya go, there ya go!”

When they tell us Win 95
Made the Mac’s famed advantages ebb,
We’ll say, “Why, then, do Macs now drive
60 percent of the Web?”

We can win our PR reversal–
Make the Mac be universal–
Though we may have some years to go,
Make it so, make it so, make it so!

Happily Addicted to the Web
(to the tune of “Winter Wonderland”)

Doorbell rings, I’m not list’nin’,
From my mouth, drool is glist’nin’,
I’m happy–although
My boss let me go–
Happily addicted to the Web.
All night long, I sit clicking,
Unaware time is ticking,
There’s beard on my cheek,
Same clothes for a week,
Happily addicted to the Web.

Friends come by; they shake me,
Saying, “Yo, man!
Don’t you know tonight’s the senior prom?”
With a listless shrug, I mutter, “No, man;
I just discovered letterman-dot-com!”

I don’t phone, don’t send faxes,
Don’t go out, don’t pay taxes,
Who cares if someday
They drag me away?
I’m happily addicted to the Web!