If you tell enough stories, perhaps the moral will show up.



Running Adsense is more interesting than you would expect:

  • I can speak freely, because I know that no-one -- literally nobody except me -- is reading this. That's not a gloomy observation based on absence of comments and feedback: it's hard fact taken from the excellent hit records that Adsense provides. If I had a website (I don't), and I was lazy (I am) I'd put up an Adsense block just to get free analytics.
  • The algorithm used to target ads is excellent. I know this because I keep wanting to click on them. In the same way that cannibalism ought to be the best diet, the Adsense ads on one's own blog ought to be consistently enticing, and they are (though I could do with a bit more hedging/forestry). It's really quite frustrating (Adsense subscribers know why).


That Google Account

Has anyone noticed how useful Google Docs has got lately? Obviously it's not Office 2003, nor Open Office 2, nor even Office 97. But I'm more and more finding it to be the natural home for my reference documents, drafts and other oddments. The collaboration features look interesting, and probably work well for all I know, but for me what counts is the accessibility from any of about half a dozen computers. Content search and tagging isn't a huge deal at the moment, but I know it'll save my bacon when the volume goes up, or when I upload all that stuff I used to keep on my Palm.

The limitations and problems are more and more obviously the consequence of hosting it in HTML. The tables reek (I do a lot of things in tables) but HTML tables do reek. Layout for paper is actually useless -- but I'm blaming the browsers.

And really, I find that there's a large slice of what I do where rough and ready is OK -- almost anything is OK -- if I can rely on getting at it from the computer I'm working on. That plan I'm working on in odd moments can only be a Google spreadsheet. I don't need a fair printable version of my CV, but I do need to be able to keep the copy up to date. And Blogger is a terrible place to hold draft articles like this one.

The security angle ought to be obvious. I set up my Google account so I could customise my searches, or something, and the password was some old joe job. (It isn't UMACF24, but you get the idea). By stages, stealthily, that same rotten password now defends:

  • My email, calendar, and the management of my domain (Google Apps for Your Domain)
  • A bunch of documents and plans (Google Docs)
  • My Blog
  • And probably other stuff I've forgotten.
I can change that. I'll have to allocate a "public site -- reputation/convenience" password now -- that's just one stage short of PayPal/banking. But, unfortunately, it's still just a password. And if I want to get the full benefit from Google, I'll have to use it on untrusted, bugged machines.

So, "Hey Google: It's time for a second factor!".



Today I paid

  • UKL 50 to the cleaner
  • UKL 100 to the rat catcher
  • UKL 80 on a new gardening coat for Mrs U (Christmas present)
  • UKL 50 on Felco secateurs for Mrs U (Christmas present)
  • UKL 40 on petrol
  • UKL 20 as petty cash for Mrs U and a carer to take the darlings on an outing which they did not enjoy -- Mrs U will have paid a further UKL 60 to get in

Yesterday I paid UKL 600 for 1600 litres of heating oil.


The Rules

I turned down a system last month. It needed a user to be permanently logged on at the server console, which implies a password shared among the support team. The chances of that being tough and regularly changed are nil, so my vote was no.

We'll see if I can make that stick! But I'm content, because I've only applied a published policy. Project people think that security imposes strange and unnatural demands on system design, and I suppose it's true that the demands puzzle people. But they're not unnatural and they're not arbitrary -- just misunderstood. So as my contribution to public education, taken from the handout I send to project managers, support people and anyone I can find, here are the rules. The way I present them is a checklist -- tick every box and you're on the right track.

First we have the Exemption Checklist for changes and small implementations -- Tick every box here and I won't bother you:

  • No file, folder, registry or mailbox permissions changed or created.
  • System is explicitly permissioned by our standard groups and does not rely on "Everyone", "Authenticated Users", "All Users", 0x??7, "Domain Admins" or "Administrator" permissions to work.
  • No Windows local or global or Unix security groups are created, deleted or changed in meaning.
  • No impersonal domain user accounts (service accounts), or any local, Unix or special device user or admin accounts, are a) created, b) given new group memberships or c) made admins.
  • All human users and administrators use their regular personal Insight workstation or app/admin/Unix accounts, and there are no shared accounts, and no non-Insight users.
  • No changes to external data transfers, network security configs (firewalls/acls) or external accessibility.

For larger changes, I need to hear about it earlier. Here's the standard advice for project managers contemplating a new system. Again, if you can't check every box, we need to talk:

First, how about Unattended Processing (UP)? That's any processing other than a discontinuous console session on a user or administrator workstation.

  • All UP is on a server platform?
    (Servers are physically inaccessible. Console access is only granted to IT support users.)
  • All UP runs as a service or scheduled task?
    (Not on the console or in a terminal session.)
  • All UP runs without administrative privilege?
    (Not as Domain admin member, nor as server local Administrators member, nor built-in administrator including Local System)
  • All UP runs without a profile?
    (No requirement for logons using service a/c.)
  • All UP credentials stored in Windows SC password store?

Then there's Authentication of Users and Administrators
  • All work done with personal accounts?
    (No shared users)
  • Users and administrators authenticate using Windows workstation domain logons?
  • Users and administrators authorised by membership of domain global groups?
  • No user or admin credentials stored?
    e.g. in scripts or config files. (DPAPI and SC list storage is permitted.)

And finally there's the Application Structure itself
  • Admin privilege can be withheld from business users without impeding function?
    (Users are not admins -- we can keep admin functions on the support desk.)
  • Conformable with our app access model?
    (Role/Environment groups allow us to manage permissions through the helpdesk, using standard tools)
  • All resource access via application-specific group membership?
    (Excluding: Domain *, Everyone, Auth users…)
  • Administrative and security events logged by a supported means?
    (syslog, ftp upload, Windows event log, text file)
  • Will be supported on platforms kept patched up to date?
    (No vendor qualification of Windows patches)
  • Documentation identifies all resource permissions, and sensitive locations
    (config files, private keys)?
  • All Internet/external access via authenticated proxy?

Once every application can check off all these, we will be getting somewhere.
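To tick the Unattended Processing boxes on evidence rather than assertion, here is an added PowerShell audit (my example, not from the original post or the handout it quotes) that lists enabled services and non-Microsoft scheduled tasks which run as a built-in administrative identity or depend on an interactive logon; the domain group names in `$privileged` are assumed placeholders for the site's own privileged-group list.

```powershell
# Added example, not from the original post: audit a Windows host's Unattended
# Processing against the checklist. Assumes Get-CimInstance and the
# ScheduledTasks module are available (Windows 8 / Server 2012 or later).
# Well-known administrative principals; the domain group names are placeholders
# for the site's own privileged-group list. Name matching cannot see nested
# group membership, so a clean result here is necessary, not sufficient.
$privileged = @(
    'LocalSystem', 'SYSTEM', 'NT AUTHORITY\SYSTEM', '.\Administrator',
    "$env:USERDOMAIN\Administrator", "$env:USERDOMAIN\Domain Admins"
)

function Test-PrivilegedPrincipal {
    param([string]$Principal)
    if ([string]::IsNullOrWhiteSpace($Principal)) { return $false }
    return ($privileged -contains $Principal.Trim())
}

# Services: StartName is the account the Service Control Manager starts them as.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -ne 'Disabled' } |
    ForEach-Object {
        [pscustomobject]@{
            Kind      = 'Service'
            Name      = $_.Name
            Principal = $_.StartName
            Fails     = Test-PrivilegedPrincipal $_.StartName
        }
    }

# Scheduled tasks: Principal.UserId is the run-as account. LogonType 'Interactive'
# means "run only when the user is logged on", i.e. the console-session
# dependency the checklist rejects, so it fails regardless of privilege.
$tasks = Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $uid = $_.Principal.UserId
        [pscustomobject]@{
            Kind      = "Task/$($_.Principal.LogonType)"
            Name      = $_.TaskName
            Principal = $uid
            Fails     = (Test-PrivilegedPrincipal $uid) -or
                        ($_.Principal.LogonType -eq 'Interactive')
        }
    }

# Report only failures; an empty table means the UP boxes can be ticked.
@($services) + @($tasks) |
    Where-Object { $_.Fails } |
    Sort-Object Kind, Name |
    Format-Table Kind, Name, Principal -AutoSize
```

Run it from an elevated session on each server hosting the application; anything it lists is a box that cannot yet be ticked.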


Hedging Strategies

This weekend, I have been mostly de-wiring.

The mad woman who lived here before us handled the increasing gappiness of the hedges by stapling stock fence on to the more solid stalks. Over time, the bark and wood grows over and through the wire, and new shoots tangle up in it. It becomes absolutely impossible to manage in the normal way: you can't lay the stalks over because they're tangled up in the wire, and you can't use the saw because it'll be blunted on wire or staple.

The only way out is to remove it and this is what I have been doing. You need to cut away the grown-through stalks (a terrible waste because they're the ones that would be easy and productive to lay) and lever out every staple and length of embedded wire.

I could have salvaged some of the stalks by cutting them out of the wire, but unfortunately the wire netting was in such good shape that my tightfistedness took over and I was determined to get it out intact. Which I did and in the process finally discovered how to use the staple remover on the fencing pliers. Instead of ineffectual whacking with the pliers in the hope of getting the hook under the staple, you position it carefully, and then smack the striking face of the pliers with a 3lb hammer. The hook leaps under the wire and you can lever the whole thing out.

Anyway, I've done a good old length, and while my arms are scratched up to buggery, I've salvaged some posts to weave into the lay, I'll be able to buy some chestnut pales to do the rest, and I can start laying next weekend. And I have the wire I'll need to keep the neighbour's horses from browsing on the new growth. (Why do horses prefer thorn bushes to lush grass? FIIK.)