In continuing with the theme of my previous post, I'd like to present yet another "How can a sane and/or rational person look at these numbers and not think that something is a little wrong here?"
And today's topic is "Wealth Inequality".
Wealth inequality is the term used to describe why the majority of people are living paycheck to paycheck while one percent of Americans own over a third of the country's wealth.
Articles like this give more numbers and try to illustrate the point. Unfortunately the people most affected by this social problem tend not to be good with numbers; partly because the human brain sucks at dealing with numbers and there's a point where all big numbers are just subconsciously translated as "wow that's big" instead of comprehending the comparisons, and partly, perhaps, because this is a topic that once politicians get into the mix becomes something that you either actually think about or reject outright because it's against your personal ideology.
Numbers and graphs sometimes just don't cut it for conveying a message of these proportions. Let's try a video instead. Every time I've seen this I can't help but wonder, "How can you not think something is a little wonky here?"
There's an important point to make here; there's a difference between wealth inequality and income inequality. Wealth inequality is what leads to the reaction, "We pay sports stars millions of dollars to throw a ball while teachers educating our future leaders make so little!" or some similar comparison.
Income is more of a flow of money...your paycheck. Wealth is the accumulated value of things you own. This would be why many people who are retired have very little income, but are not considered necessarily poor, because they have accumulated assets in their lifetimes. Also, money gained from trusts, dividends, and investments isn't considered income.
It's easier to remember the difference between wealth and income when you remember that Steve Jobs, cofounder and CEO of Apple at the time of his passing, had a salary of one dollar in his position at Apple.
I see these numbers and look at these graphs and it absolutely gobsmacks me that people defend the idea that this is not only fair, but reasonable.
One YouTube comment read, "Nobody has time for your whiny, ignorant, socialist crap. If you want socialism, go to Russia. Those top people work very hard. And Obamaites like you don't realize that it is fair based on how much you work. Go complain somewhere else."
I normally attribute YouTube comments about as much credibility as 4chan comments, but this is actually something I've seen echoed by people on Facebook, with actual people not necessarily hiding behind trollish anonymity. And these were not wealthy people saying this; from what I can tell the sentiment was being expressed by economically lower to middle class people, the very people falling under a category I labeled "being screwed."
Maybe I lack the ability to properly convey how I see the situation.
No one is working 380 times harder than the average person.
You can, perhaps, say that someone is working 380 times harder than someone else. There are people in comas and on the other end of the spectrum there are athletes training 12 hours in the gym in preparation for the next Olympics. I can see that fitting the scenario.
But that's not the average person.
See, the average would be, ideally, the middle class. You have a job. You put in your 40 hour workweek. You do your part, and you should, in theory (according to the version of the American Dream I was told) be able to provide comfortably for your family, be able to afford healthcare, and maybe take a vacation once or twice a year.
But as you can see in that video, that's not the reality.
And when you take that average, you shouldn't have it common...that is, routine, and expected...for a person to make 380 times your economic value if they have a particular title in a business. I can see it happening, but it should be the exception, not the rule. And I'm not saying that CEOs should have more wealth or money; they are the people that are leading the business, and they shoulder the responsibility of keeping that company running and keeping employees employed.
But 380 times more than the average employee? Isn't that...excessive?
It would seem that some economists agree. Something along the way has become seriously warped.
I see a progression of blame in society. A series of excuses, really.
"If you're poor, you deserve to be poor."
"It's America. If you work hard, you will make it."
"Nothing is stopping you from going out and making that money."
The reality is that it's not a level playing field. Most of the money going to the top of the wealth pie doesn't come from their paychecks, although that's a big help (remember, Steve Jobs, dollar salary, worth millions...) Thanks to Congress and Congressional lobbies over time, tax and economic policies favor people who get a chunk of cash to start off well in the game of accumulating wealth. Wealth creates more wealth. Investments create more wealth. It's a feedback loop. And it's the reason you see wealthy people being compensated with large, healthy salaries on top of stock options and bonuses and other forms of compensation.
Ever play the board game Risk? I used to like playing it. It's a game of war. As you conquer more countries, you get more armies each round so you can place them and roll dice to take over another country and expand, leading to more armies on your next turn if you're successful, and you get a bonus number of armies if you control a particular region. Also you get these cards each time you take over a country and after collecting a certain number of cards you turn them in for a bonus army set, which gets higher each time a set is turned in.
Follow that?
The game is fun the first several rounds. Especially if you can get Australia. You'd understand if you played.
But inevitably the game loses its appeal at the end, because usually about a third to halfway through you know who's going to win. Someone by that point is getting an obnoxious number of army units each turn, and everyone else is going to be faced with fighting a juggernaut with so many armies that only a gambling addict would think the dice would overcome the odds. "I'm going to place my 55 armies here, 34 armies here, and 25 here...against your total of 15 armies in Brazil. Roll the dice!"
Our economic and tax policies have been crafted in such a way that if you have 6 or 7 figures in investments, that money will make more than enough money for you to live on. And it just snowballs. Meanwhile the poor and middle class have hardly enough to pay the taxes and insurance premiums to live on, let alone pass on in inheritance to their kids. The hard part is getting that initial investment amount so you can build up a snowball to roll down the mountain, metaphorically speaking.
I suppose it shouldn't be surprising; once you have people making a lot of money through means outside of income or salary, they have more power and influence to tell Congress how to create laws that are beneficial to their ways of making more money. And they have enough money to hire people who specialize in making money to spend their time taking advantage of loopholes in laws so they can make yet more money. The fox is guarding the henhouse; Congress isn't generally comprised of blue collar workers, but rather wealthy businessmen and lawyers. Your representatives are probably not able to relate to you economically. There's a disproportionate skewing in the background that comprises our Congress compared to the rest of the nation. Yet they are supposed to represent your interests in matters of law? I suppose it should be no surprise to find laws passed that benefit more economically privileged positions in society once you see who is running our government.
When you hear people say that the poor don't work hard enough, that's really just a way of placing blame through word play. I understand there are CEOs that put in long hours at the office. Most have had times of extreme stress at various times of their lives. And CEOs of large businesses can look back and think about the difficulties they've had in their lives while sipping alcoholic beverages on a beach in Bermuda.
I think back to people like my dad who woke at 4:30 in the morning to drive to work by 5:30 and get home that evening after putting in a long day in his job at one of the three industrial plants funding my home town's economy. I think back to a man named Dave who worked long days at the garage he owned beside his 2 employees, grease and oil covered from mucking about in the undercarriage of cars and SUVs. I think about the numerous farmers living near my home who woke before the sun rose and continued spreading that "Dairy Air" scent until the sun went down, and rarely were able to take vacations (unless they were a corporate farm or had enough farmer family neighbors that would check in and keep their farm going for a day or two). My mother made a comfortable living as a teacher...not wealthy, by any definition, but not living on spam and bologna, thanks to efforts of the teacher's union ("When I first started teaching I made $7,000 a year. Your dad made more at the time. He worked at a garage mounting tires.") She would get to school by 7:30 and, much to my impatient chagrin as a child, stay in her classroom grading papers and preparing for the next day until roughly 5:00 every weekday.
These people worked hard.
So why aren't they wealthy?
And how do laws favoring wealth building wealth create a fair playing field, a fair opportunity for the poor to become wealthy?
I see a question of, "How can you blame people for not being wealthy, if the opportunity is the exception, not the rule?"
How can it be reasonable that any person is worth 380 times the average worker? I have no problem with someone being wealthy. I'm not criticizing that. I'm simply pointing out the excessive nature of that number. That's a really big number when it's compared to an average...and wealth by its nature hoards wealth; the wealthy aren't using their wealth to create jobs.
And why is it considered fair to have laws favoring money making money, meaning that it's easy for the rich to get richer, while the poor and middle class struggle to have modest incomes? Shouldn't it be easy, if you have a job and work your fair share, to afford not to worry about your bills being paid and have a vacation once or twice a year, and once you reach a certain point of wealth it should be harder to continue having your finances snowball like the leading player in a game of Risk builds their armies?
Wednesday, March 13, 2013
Thursday, March 7, 2013
Why Aren't We Hearing About Healthcare Prices?
The topic of healthcare prices has long been something that infuriated me.
I think about it every time I have to go to the doctor. Every time I am inconvenienced by some bill or statement. I have so little faith in the co-mingled bureaucracies woven by insurance companies and hospitals that every envelope marked with the address of the insurer or hospital leaves me feeling a sense of overwhelming dread as to what I'm expected to pay or have to sort out yet again.
The sad part is that I'm one of the fortunate ones; I've spent most of my life with decent medical insurance. I read horror stories from other people, and what they have to go through, and on days where I'm in a more empathetic mood they leave me feeling bereft of hope for our country. Not only do I wonder how we as a society could have let things get this bad, but I wonder why we continue to put up with it.
Or worse, how people could be such monsters that they will defend our current system. Our government is crawling with such selfish monsters. People like Florida House speaker Will Weatherford who decried the decision to accept Medicaid expansion for the state. He told the story of his little brother passing from cancer, and his family being left destitute from the bills for treatment. Medicaid didn't help them! Charity from the hospital helped them! Which is what Florida needs! Not that nasty Medicaid stuff!
Only the story was complete bullshit. The bills were paid by a program funded by Medicaid. Whoopsie.
But this twit isn't alone. There are plenty of people throwing numbers out there showing how unsustainable our healthcare costs are, complete with predictions of bankruptcies and destitution. And yet, when I read stories of what suffering Americans are going through, I wonder: why is it so expensive in the first place?
I mean, really? Are people really not seeing the same things I am and thinking, "Something just isn't right here"?
Am I really the only one? Because I'm seeing some really outrageous things going on.
An article by Steven Brill was recently published in Time magazine about the cost of healthcare in America and it was truly infuriating.
I grabbed a notebook and began jotting down some facts from the article, and ended up filling quite a few pages with material that no sensible person would think would come from the "greatest country on Earth."
The story talked of Sean Recchi, 42, diagnosed with non-Hodgkin's lymphoma. They paid $469/month for an insurance plan, meaning they paid $5,628 a year, and it was 20% of their income, which by my math meant they made a modest $28,140 a year.
Even with insurance, the policy only covered $2,000 per day of hospital costs, and the hospital wouldn't take their insurance anyway. In order to create a treatment plan, they had to front $48,900. To actually begin treatment, they borrowed another $35,000 from family.
The hospital made them wait 90 minutes because they couldn't confirm the check cleared. They had to pay $7,500 with a credit card as a good faith payment that the check would clear.
What. The. Hell.
So...these insured Americans had to pay $83,900 up front just to have a first round of treatment for cancer.
What kind of things were they being billed for?
Tylenol on Amazon costs around $17 for a bottle of 100 (there was a cost of $1.49 here, but in checking, I don't see it and don't know if it was a typo...), the hospital charged $1.50 for a single pill.
A chest X-ray for $283, which Medicare pays $20.44.
Rituxan, a cancer drug, was charged to them to the tune of $13,702. A dose. The actual cost from the drug supplier to the hospital was around $4,000, which the hospital pays less for because they can get it in volume, so the actual price to the hospital would be an estimated $3,000 to $3,500. It cost the company about $300 to manufacture, test, package, and ship the drug.
There was the story of Janice, who experienced chest pains. She rode 4 miles by ambulance, and after 3 hours of testing, it was diagnosed as heartburn. Out of work for a year, she had no insurance. Her bill? $21,000.
The ambulance, for a four mile trip, was $995.
The doctors, whom she saw very little of in the ER, cost $3,000.
The hospital fees for room, tests, and equipment...$17,000.
Let's break some of the costs down some more. She had three troponin tests, which look for a protein that indicates a possible heart attack. Each test cost her $199.50.
Medicare would pay $13.94.
A CBC test was charged to her for $157.61. Medicare pays $11.02.
Diabetes test strips were charged $18 each. You can order them on Amazon for $0.55 each.
A stress test was performed with an injected dye and CT scan. $7,997.54. Medicare would pay $554.
How does Medicare get away with such low fees? Here's something I didn't know. Medicare, by law, is restricted to paying what is basically the actual cost of the procedure...including staffing costs, overhead, etc...plus about 6%, so there's some profit in there for the hospital. So when you see how much Medicare will pay for a procedure, that's more or less supposed to be pretty close to the actual cost of the procedure to the hospital.
The New York Times did an article on deficit cutting proposals that included cutting payments to hospitals, and Steven Safyer, the Chief Executive of the Montefiore Medical Center in the Bronx, said that any cut to hospitals would be a cut to beneficiaries. The hospital couldn't afford these cuts!
His salary was $4,065,000.
His Executive Vice-President's salary was $2,220,000.
The head of their dental department was making $1,798,000.
That hospital's operating profit for 2010 was $196.8 million, 99.4% of which came from patient billing and only 0.6% from fundraisers.
Where do these prices come from? A dirty little secret hospitals apparently don't like to talk about. The Chargemaster. That's a list of prices charged for each service. This is the list they go to insurance companies with and start talking pricing from, and these are the prices given to the patients after treatment if they don't have insurance.
How are the prices calculated?
They're arbitrary.
Yeah. They're made up. The reason they stink is because they're pulled from someone's ass.
The numbers on the Chargemaster are where many of the numbers come from when citing statistics. The American Hospital Association ran ads in some Washington rag reminding Congress that they shouldn't cut payments to hospitals because think of the poor and all the good they do for them; the hospitals paid $39.3 BILLION to the poor in forgiven fees and procedures!
Only that was based on Chargemaster pricing. By the author's research, that $39.3 billion dollars was really closer to $3 billion. A lot of money, sure, but hardly the nearly forty billion they were boasting they spent on those icky poor people.
Honestly, to read some of these stories you'd think that the primary goal of insurers and hospitals was to make sure being dead was cheaper than living. I've heard plenty about the uninsured...but being insured is hardly a guarantee you're better off than the uninsured. Scott came down with pneumonia. After 4 or 5 days in the hospital his wife went down to check on the bill...it was already at $80,000.
Their insurance had an annual payout limit of $100,000.
By the time he checked out of the hospital, the 161 page bill came to $474,064. After insurance, that bill was lowered to $402,955.
Would it surprise you to learn that they were charged between $84 and $134 for bottles of saline solution? You can get them packaged in drip bags on Amazon for $5.16.
There are reform measures out there. It's just that the government works hard to prevent them from passing. For example, Congress made sure that if two drugs were shown to be equally effective in treating a disease, but one drug was $4,000 and the other was $400, Medicare cannot say they'll pay for the cheaper drug and not the overpriced treatment. They are forbidden from negotiating prices on equipment or drugs. So hospitals can still make a nicer profit from the drugs by reporting how much the average retail price of them is, and conveniently dropping the part about rebates they get for buying in bulk.
There are some that say that the high prices paid in America are what subsidize R&D for hospitals and drug companies. But do we?
According to the article, the securities filings for pharma companies state they are spending around 15% to 20% of gross revenue on R&D, which is hardly enough to cut into the net profits they're making (and are accounted for after R&D.) In other words, if you do the math you'll find that the companies are making so much profit that our outstanding prices and fees are not necessary to fund their R&D efforts.
The article stated that if we were to regulate hospital costs the way other developed countries do, we'd save $94 BILLION a year.
Honestly, how can someone look at these numbers and not understand that something is seriously wrong with our medical system? There's a brilliant amount of spin in media keeping people from seriously questioning why things are so expensive in the first place. It's a common-knowledge joke, much like the $5,000 hammers in the army and $10,000 toilet seats on subs. Charged an extra fifty bucks for an Aspirin? Well, it was administered by a skilled nurse! Gotta pay her salary somehow! Har har...
Only it's not so funny when you're hit with thousands of dollars in fees because your insurance doesn't cover a procedure, or only covers to a certain point then you're on your own.
And thanks to the fact that the Chargemaster prices are based on arbitrary numbers, it should come as no surprise when hospitals charge you $50,000 on a bill that gets magically cut down to $10,000 after the right person makes a phone call to push the right buttons. Hospital bills are actually the opening to negotiation, something they don't tell their average patients. They claim they're willing to work with you and make a deal. Which is great, since the bill you end up holding is largely based on fiction.
An even bigger joke is that the prices on Chargemaster are sent to people without insurance as the full price owed. Insurance companies deal with the negotiation process all the time; they have people dedicated to just haggling with hospitals. But the uninsured...they often find themselves in a position of shellshock. They just got treated for an illness or catastrophic life event; it probably doesn't occur to them that in addition to the recovery efforts they would be slapped with the challenge of a four to six digit bill. Most people don't do a lot of shopping around for medical work when they're dragged to the hospital in pain.
And can you imagine having to deal with the choice of treating cancer or letting yourself die if it meant not putting your family in debt that will outlast you?
The people who are least able to afford the Chargemaster prices are the ones that GET the Chargemaster prices. How stupid is that?
If you can look at those prices and think that something isn't fundamentally broken with our medical system, I question what kind of person you are. Profits aren't a bad thing, but outrageous profits...that's different. There's something sinister about an institution that codifies a system of substantial profit on the backs of the suffering.
This is a wonderful illustration of a system that is screaming for regulation. Yet the government does nothing. Well, that's not entirely true. Congress has actually gone out of its way to make sure prices stay high. They worked hard to keep people uninsured, or at least keep people with plans that are beneficial to the companies providing the insurances out there. They work hard to keep up the appearance of wanting a population that is insured, when in reality the insurance is worthless if you have a major health event and the insurance doesn't cover more than a pittance of the bill. But it does make you look better in the statistics to say you're insured!
Try reading that article in Time. It's shocking. It's infuriating. It illustrates how fundamentally broken the system is. And worse, none of our representatives are doing their jobs and stepping up to fix this. Short of having a major economic collapse, I don't know what, if anything, will fix the situation.
After all, we hardly even talk about this problem. Without that conversation it's hard to see the situation improving anytime soon, despite how glaringly obvious it is.
If you can look at those prices and think that something isn't fundamentally broken with our medical system, I question what kind of person you are. Profits aren't a bad thing, but outrageous profits...that's different. There's something sinister about an institution that codifies a system of substantial profit on the backs of the suffering.
This is a wonderful illustration of a system that is screaming for regulation. Yet the government does nothing. Well, that's not entirely true. Congress has actually gone out of its way to make sure prices stay high. They worked hard to keep people uninsured, or at least keep people with plans that are beneficial to the companies providing the insurances out there. They work hard to keep up the appearance of wanting a population that is insured, when in reality the insurance is worthless if you have a major health event and the insurance doesn't cover more than a pittance of the bill. But it does make you look better in the statistics to say you're insured!
Try reading that article in Time. It's shocking. It's infuriating. It illustrates how fundamentally broken the system is. And worse, none of our representatives are doing their jobs and stepping up to fix this. Short of having a major economic collapse, I don't know what, if anything, will fix the situation.
After all, we hardly even talk about this problem. Without that conversation it's hard to see the situation improving anytime soon, despite how glaringly obvious it is.
Tuesday, February 19, 2013
The City; It Changes You
My first day at the new job was July 9th, 2012. I moved to the city two days before that. Today is February 19th. That means it's been roughly 227 days since I arrived in New York City.
Handy tip, straight from the Unix Stack Exchange site. If you want to know the difference between two dates, ask a snake for help.
$ python
>>> from datetime import date as D
>>> print((D.today() - D(2012, 7, 7)).days)
Handy tip from the sysadmin rolodex of tricks.
These 227 days have been filled with emotional ups and downs. I deal with the constant feeling of being an inadequate father, as I'm not physically with my wife and son back home. Usually at least once a month either I'm back home visiting them or they come to the city, and each time my boy seems to have grown another inch, despite not looking so different on our periodic Skype sessions.
That wears on you after a while. I had several reasons for coming here, and there is the promise that things will improve. The time between moving and things getting better, though, that's the rocky part. It's a tough road to travel. I don't recommend it unless you're really dedicated to taking that path, and you have a strong relationship with your significant other, because without a very strong support system something will definitely give in your relationship.
Sometimes I think the only things that have kept me going are my extremely strong support system back home and my enjoyment of the new job.
But there are times when I look at my life and I see that some things have changed. Not just in circumstances, but in my general outlook on life. I suppose it comes from the horizon having been stretched a little wider, due to the fact that I lived my entire life in a small town with as many bars as there are churches, and we have a lot of churches back home. Here...it's New York City.
There was a story of someone living in the Chicago area who went home to a more country area to visit his family. The strange thing was he never came back to the city. Just quit his job...his coworkers apparently didn't have much idea of what happened.
Upon hearing this, one of my own coworkers said, "The city will make you or break you." That stuck with me. It was said as a nonchalant observation. But it rang true. You are either a city person or a country person, and some people just can't take the transition between.
I still have some of the fragments of country life in me. I know it's true; I have a stab of repulsion at my reaction to homeless people. Not repulsion at the homeless; my reaction to them. I ignore them. Like just about every other New Yorker, I ignore them. At least, I ignore them to the extent that I don't pull out my wallet, I don't donate to them, and I pretend I don't hear them if they're speaking.
I still try to glance at the cardboard signs they hold in front of them as they sit on the sidewalk. Not long ago I saw one man with a hand on a sign and the other on his dog, who lay quietly at his master's side. "Lost everything but my dog," it read.
Another time I was walking to the toy store to find something for my son who was planning to visit in a few days, and I passed a woman sitting against a light pole at a crossing not far from an Apple Store. Next to her was a large bag and a tattered sign. She was sobbing. I was in a bustling crowd that split apart as they approached her, as if grief were something that you could catch if you got too close. I didn't know what she was sobbing about. I moved with the crowd.
Why?
In part because I can't save the world. There are far far too many homeless and desperate out there, and handing out money for a short term assist will do little in the long run other than deprive me of resources that I can, admittedly in a selfish fashion, use on myself and my family.
In part because I'm afraid; afraid to engage people. Many are mentally ill. It is not difficult to find stories of people who end up being mugged because they engage with a homeless person, and once the wallet comes out...you're a target. Or they may suddenly flip out on you.
Cynicism also plays a part. How many of the people asking for money are telling sob stories that are disingenuous? Do they really have a family that's starving? Or will the money be used to feed some addiction?
And then there are the scammers. As there are stories of people being mugged for trying to help, there are stories of people who actually pretend to be homeless, or play on your emotions to get more money. Want more donations? Try sitting outside with your children, or your dog. You're a really heartless bastard for letting someone's kids suffer when you have a spare buck in your pocket.
The way I see it, the city has made me more of a heartless bastard.
I take solace in hating myself for it. It means that there's still a part of me that questions that behavior...it's just that that part is smaller than the part of me that pretends I can't hear them through my headphones.
Then there's the people. So many people! Back home a heavy crowd means having to pass within five feet of someone in the mall. I remember when that was irritating.
Here...two words. "Times. Square."
Ugh. One more word. "Tourists."
With all the flashy animated signs, you'd think someone could add a billboard that slides the words "MOVE IT" in that sardine can of a tourist trap. I don't know how many times I was bumped into, shouldered, and run over with rolling suitcases as I navigated my way around that general area.
But it wasn't limited to just Times Square; that was just where the effect was most pronounced. I would get shouldered as I crossed the street as I commuted to and from the subway station and my apartment. On the weekend I would make a trek to the ATM and from there to the comic shop; I'd have to dance around the sidewalk to keep from getting plowed by New Yorkers yacking on phones or jogging or just glowering at me.
Eventually I realized that this was like some kind of test. I was moving because they expected me to move. When you're 300 pounds...that's just ridiculous. I was being bullied by complete strangers.
See, there is this thing that happens when you're in an environment that is just filled with people in close proximity to you. Manhattan has over two million people living and working on a relatively small island. The five boroughs have, during the workday, more people total than my entire home state of Pennsylvania. This is crazy full of people.
So many people in such a small space...you begin to see other people as if they were two dimensional. You're forced into a small space, but you have an instinct to respect some semblance of personal space, while physically forced to break the personal boundaries...subways will crowd you to the point where you wonder if you've impregnated someone between two stations because you didn't have enough room to turn around, yet the whole time you and the strangers you're rubbing up against have this insane mutual understanding that you all don't actually exist. All of you refuse to acknowledge the other people are there.
Unless, of course, one of them is insane. But that's another story.
You end up with this situation where people act as if no one else exists, and you don't generally acknowledge their existence. And that kind of dehumanizes you; the infamous "don't look other New Yorkers in the eye" seems to stem in part from the unwritten rule of never acknowledging the existence of others. When you do this, you force them to acknowledge you, and it triggers something primal, like an animal being challenged for territory.
I was thinking about this one day when I realized that my moving around the streets to accommodate others was a way of signalling my submission to others. I was a target of bullying because I allowed myself to be bullied. I nearly laughed when I thought about the image of a 300 pound guy hopping out of the way of some 100 pound bastard sporting thick rimmed glasses and an expensive brand name jacket; he was no better than I was, and I had every right to be where I was.
You move.
And as I crossed the street, they did.
Well, most did.
Whump!
Dude. I'm 300 pounds. Your skinny ass isn't going to stop me.
I don't think I've been a prick about it. I don't plow over old ladies or ram headlong into people just because they're there. But when I'm walking a straight line, and they clearly see I'm coming and they move into my way...I don't really move over so much to accommodate them. I've noticed that there are people who will actually move into your way, like a challenge.
Now I take that challenge.
Whump!
Times Square is worse. There are times when I've contemplated molding rubber to my shoulders to cushion the blows from passersby. Some of them almost seem shocked when I don't get out of their way.
Get used to it. You and me, when we die, we both become dirt. I've been a doormat long enough and I'm hardly invisible.
Then I get back to my apartment and I feel shock. I'm pushing people out of my way instead of dancing around, trying not to get pushed over. I'm ignoring people that sit on sidewalks painted in dried piss, begging for a buck. At times I hate myself for it. Other times I feel as if I'm seeing more of what people are really like; I see how it's possible to have little regard for other people and place yourself at the top of the priority list.
Care about yourself first; other people here don't give a damn about you.
The other night I sat on the floor of the Port Authority waiting for my wife and son to arrive on the bus. I clutched my bag, which basically held my clipboard of documents and a couple containers of lunch leftovers; my trenchcoat shielded me from whatever unpleasantness was skittering about on the floor, and my headphones played a podcast loud enough to drown out the low din of travelers trying to find their way around the terminal when it occurred to me that the best way to be ignored, even on an island with two million people crawling around it, was to put a cup in front of me and dump a couple dollars into it. That would virtually guarantee that I would become instantly invisible to people as they hustled by. Just sitting on the floor in my decade-old trenchcoat and out-of-fashion clothes seemed to be enough to keep me camouflaged from most of the travelers.
I was starting to understand how this worked. I was starting to understand how people are, when they feel anonymous in large crowds. When they are given the freedom to behave how they want without consequences. Without having to conform beyond the minimum of civility towards other people.
Basically, in some ways this was a real life version of the Internet. The city anonymizes you and gives you leave to care more about yourself, or you will be taken advantage of by others.
These emergent behaviors seem to make it hard to raise a child in the city environment. How can you teach your son to care about others when you also teach them that it's okay to ignore people sitting on the corner begging for money?
I'm not entirely sure.
I suppose the only thing I can do is look for teachable moments, where I can make some difference in his character. Not long ago we were in a Barnes and Noble, and he was looking at a large book. It's slightly above his reading level, but I still encourage him to read whatever he can, because $DEITY knows children today get more than enough flashy commercials to fill their brains with PURCHASE THIS OR YOUR PARENTS DON'T LOVE YOU messages. I hope that teaching my son to love books may foster his curiosity and help him become a bit of a critical thinker as he grows older.
As he flipped through the book I heard the sound of paper shredding. The heavy binding slipped from his grip and a page suddenly gained a four inch tear.
He was clearly embarrassed and his face reddened.
"Be more careful," I said. "Support the book with both hands."
"I will, Daddy," he said.
I sighed. "Well, it looks like you've gained a book." I closed the back cover. "Thirty bucks."
"That's a lot," he said. I could tell he was afraid I'd be docking his allowance to pay for it, which was horrible for a boy obsessed with trying to negotiate advances in his allowance to feed his BeyBlade addiction.
"Yeah, it is. Here's the deal...I'll pay for it, and you're going to read it to Mommy. You read it and if you do well we'll talk about a new Bey for Easter."
"Okay," he said.
On the surface it was a bribe. What I hoped it taught him, in some small way, was manifold lessons.
- If you damage something like that, you don't hide it. You make it right. In this case, we bought the book. Because really...how would you feel if you bought a new book at the store and when you read it, found a page ripped?
- I might get upset at something, but if we're going to work on a solution, it's okay to get upset. I won't stay mad. Cover it up, and then I'd get mad. Lie to me, and then I'd get mad. Acknowledge the problem and work on a solution, I'll get over it.
- Honor is the one thing only you can give away and no one can take from you. I could have had him hide the book back on the shelf. Sometimes doing the right thing is more scary...or in this case, expensive...but it's still the right thing to do.
- Mistakes happen, but if you learn from them, it's okay to make mistakes.
Then I find myself trying to teach my son to be a better person, which in part is the opposite to how I see myself reacting to other people in the street.
I still haven't found a way to fully reconcile these observations and behaviors. Maybe in the next 200 days I will find a way to integrate them into a narrative that makes sense, so it will be okay to look out for your own good while still believing in the goodness of others and hoping that people aren't always, completely, selfish.
But in the meantime...don't stand in my way when I'm crossing the street. In New York City, I'm invisible. And you are too.
Monday, February 11, 2013
Hello Trello!
I was a skeptic.
When I started working at Stack Exchange, I had to adapt to a new workflow. They had certain things they did in a certain way; that's something that is to be expected. There are ways certain things are expected to work, and you are going to conform to them so things run smoothly among your team.
They used a lot of tools, largely unfamiliar to me. And as with any new job, it took time to "ramp up" and become familiar with the tools.
One of the tools, Trello, was created by our sister company, Fog Creek Software. I didn't quite get it at first. I'm not even sure I quite get it now...but over time I became a believer.
How can I describe Trello? Trello is like...lists of lists. A veritable listception. If you have a project that can be tracked or organized using cards which can in turn be organized into topics, Trello is the ultimate organizational tool for you. It's a new way of organizing just about anything using the Trello web page.
Maybe you're an author working on a book. You can create a Trello board, and on that board create a list called "Agents to query." Then create a card in that list for each agent you send your manuscript to. Suppose one of these agents is named Likable Literary Agency, Inc; you click the card and for the description you add the address of the agent.
Create another list called "Manuscripts sent." Click the Likable Literary Agency, Inc. card again and enter as a comment the date which you sent your manuscript and the contact you sent it to. Then drag the card from Agents to Query to the Manuscripts Sent list.
After a few months, you can create a list called "Rejections", and drag the card to that list! And move on to the next card on your "Agents to query" list!
Being relatively new in the city, I am always getting a little lost. I created a board I titled "Locations." In it, I created lists by subject; banks, clothes, books, etc. Then under each list, as I found a location of interest, I would note it in my Trello. My bank has a card; in the comments, I added the address of each ATM. In another card I added an address of a Barnes and Noble to the comments along with a note telling me the nearest subway stations and what trains stop there. For a clothing store, along with notes on the address and station, I uploaded a screenshot of a Google map so I could get some reference of the nearby streets.
The Trello team released a very usable iPhone app; the only complaint I've had is that it relies on a connection to the Internet to update at the time you use it, so when I'm in the subway I can't read my notes. Once I pop above ground, though, I can open Trello, pop into my Locations board, and refer to my directions.
I also use Trello as a to-do list; I track my tasks at work, organized by what I'm currently doing, what I need to do, what I periodically need to check, and what I've finished for the week. When it comes time to work on the weekly report, I can pull up my finished tasks and jot them down on the report. Better yet, there are times when I've needed to refer to past items I've finished and my Trello lists tell me what I completed and when, along with my notes.
What started as a single list blossomed into several. "This website looks interesting, but I don't have time to look at it right now..." Blam! New list.
"This might be an interesting blog topic..." Blam! New list.
Organization was almost addictive with Trello.
I know someone who uses Trello as a shopping list; he created a board and invited his wife as a user, so they can both add to the board and edit things as needed.
I even liked it when Taco the Dog made an appearance on the board to make announcements; I remember "feeding Taco" treats in the form of inviting new users to Trello. IT WAS JUST FUN.
I really haven't pushed Trello to the limits. You can invite multiple users and collaborate on projects; assign them cards or tasks, assign due dates, create lists on the card (wherein it will give you a kind of percentage complete as you check items off), and upload files to cards. You can track research papers or writing projects or construction projects.
Anything that needs organization, especially if you need to collaborate, can benefit from using Trello.
Here's the kicker. It's free.
There's really no risk to trying it out. You can create a board and set the permission to be as strict as you want; invite others to collaborate, or keep it private while you experiment with it yourself. Or do what I do and create some boards for yourself and others where you collaborate with someone.
Seriously. If you need to organize a project...or your life...or collaborate on a project with other people...try Trello. Click the link. It won't hurt. I promise.
...now if you'll excuse me, I have to remove the Trello card from my list of possible blog topics...
Saturday, February 2, 2013
New York Times Hack and Symantec
If you're the kind of person that monitors news relating to security in technology or have been paying attention to headlines in the mainstream media, you may have seen the news stories detailing the infiltration of the New York Times' network by the Chinese.
The details are surprisingly thorough for a mainstream story, and the Times is being rather candid in their sharing of details. Usually when a business is "hacked" they'll do anything and everything possible to hide the details from the public so they can save face.
For people in the tech industry the story is still overly simplified and light on gritty details, but for a story aimed at public consumption the details get gory. So I won't bother rehashing them. I even linked to a version of the story so you can view it there.
What I did find interesting, though, was the small storm that erupted because of the anti-malware software the Times used being directly named in the article and the publicity that it generated, most of it negative. I have had dealings with Symantec, along with several other security/malware/antivirus solutions, and reading that there were 40-plus pieces of malware created to infiltrate the Times in one way or another, and that their Symantec software caught approximately, oh, one of them, wasn't much of a surprise to me.
But apparently this is still news.
In terms of dealing with this, I found the fluffy public relations face rather amusing. The article recounting events mentioned Symantec in passing; not a direct attack on the company. But merely mentioning the name put a face upon which to plant a black eye. While probably accidental, it was nice of them to be candid about it while accidentally making the company look rather incompetent.
Symantec wouldn't, at first, comment, and I thought their initial reaction on Twitter was rather...strange. Didn't they realize how they looked in the news story? A company using their Enterprise solution (I'm assuming, given their size) with not-so-cheap licensing associated with said product (no solution with the word "enterprise" is cheap) had over 40 malware applications get into their network and your product caught one of them. And yet, Symantec said this:
That tweet was rather...bland, don't you think? Perhaps the press release was more interesting. A fiery defense of the company? Acknowledgement of weak points in their software? From the article:
"Advanced attacks like the ones the New York Times described in the following article, (http://nyti.ms/TZtr5z), underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."
...So the problem was that the Symantec software would have been effective, but the Times didn't use all the software features to detect the malware. In other words, our customer was too stupid to fully use our product.
It didn't take long for others to notice this response and criticize Symantec. Somehow Symantec was still trying to spin this in a positive light for themselves.
I can understand what Symantec is saying, even if I'm not sure I'd have framed the reply this way. I would think blaming the customer, even though they may legitimately feel this way and there is probably more the customer could have done to try to protect themselves, is usually not going to make you look good. The fact their last tweet I quoted above is a link to their entire software suite just conveys the message (to me) that if you don't want what happened to the Times to happen to you, you just need to buy more of our stuff!...doesn't seem effective.
On the other hand, protecting your network and your users is hard.
In the old days, viruses tended to be written by clever malcontents eager to show their technical prowess. Viruses were a way to display their programming ability while at the same time showing their hatred for non-technical people who dared to bring their non-geekhood to a domain ruled by geeks. The basic idea was that if you were stupid enough to get a virus, it was your own fault for not knowing how computers worked so you deserved what you got. Their software carried an implicit message with every infection:
Non-geeks are not welcome here.
But computers were becoming more mainstream and non-geeks weren't going away.
Somewhere along the way viruses went from being a nuisance to becoming something more sinister. Black hats learned that stupid people had money! The behavior of viruses evolved until they were no longer technically viruses, but rather "malware"; they relied on social engineering and software flaws to spread rather than self-replicating code, and the target was less the computer and more the person using the computer. If you knew the computer was "infected", that was an accident, whereas in the golden age of viruses the programs often announced their presence with pride.
Much of the malware out there now is backed by organized crime and State-sponsored campaigns. These groups will pay individuals or groups to orchestrate attacks to farm naive or ignorant users into running programs that will then target a user for spammy and intrusive ads, redirecting your web browsing to ad-ridden websites that may contain more malware, tracking your keystrokes to intercept passwords to banking websites,...all sorts of fun things.
As you can probably guess, the antivirus industry is quite lucrative, and has created a kind of arms race with malware authors. In the beginning the cycle of war was pretty simple; a virus author created a new virus and released it into the wild. Antivirus vendors got a sample, reverse engineered it, found a "signature" sequence of code in the executable that was unique to the virus, then they updated their product for clients. The antivirus product then scanned every program you ran on your computer and if anything matched that unique string of code, it flagged it as a virus and sometimes would try to clean your computer.
One step forward for virus authors matched by one step forward by AV vendors.
Virus authors fancied themselves clever, so they needed to find clever ways to beat AV vendors.
That's when we started seeing viruses that incorporated encryption as well as adapting in memory to alter themselves so you couldn't find a single simple signature. AV vendors had to react and find new techniques for deconstructing these polymorphic viruses.
Second step from virus authors...second step from AV vendors.
The point: clever people with time on their hands are obsessed with the challenge of finding new and creative ways to be destructive and/or profit from people.
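The signature step and the vendors' counter-step described above, as an added example that is not part of the original post or any vendor's code: a toy scanner matches exact byte signatures, misses the same bytes once they are XOR-encoded, recovers them with a key-independent "X-ray" pass, and still finds nothing in a build it has no signature for. The signature names, patterns and sample bytes are all constructed for illustration.

```python
"""Toy signature scanner: exact byte signatures plus a single-byte-XOR "X-ray" pass.

Everything here is constructed for illustration: the detection names, the
signature bytes and the sample buffers are harmless and come from no real
antivirus product or malware sample.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed signature database: detection name -> byte sequence treated as
# unique to one known sample.
SIGNATURES: Dict[str, bytes] = {
    "Example.Marker.A": b"HARMLESS-DEMO-MARKER-A::v1",
    "Example.Marker.B": bytes.fromhex("deadbeef00c0ffee1234"),
}


@dataclass(frozen=True)
class Detection:
    name: str
    offset: int
    xor_key: Optional[int]  # None = plain match, otherwise the key that hid the bytes


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply one constant XOR key to every byte."""
    return bytes(b ^ key for b in data)


def xor_delta(buf: bytes) -> bytes:
    """XOR each byte with its neighbour. A constant key cancels out:
    (a ^ k) ^ (b ^ k) == a ^ b, so the delta is the same with or without it."""
    return bytes(a ^ b for a, b in zip(buf, buf[1:]))


def scan_exact(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[Detection]:
    """Classic signature scan: report the first plain occurrence of each pattern."""
    hits = []
    for name, pattern in signatures.items():
        offset = data.find(pattern)
        if offset != -1:
            hits.append(Detection(name, offset, None))
    return hits


def scan_xray(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[Detection]:
    """Find signatures hidden under an unknown single-byte XOR key by comparing
    key-independent deltas, then recover the key from the first matched byte."""
    hits = []
    data_delta = xor_delta(data)
    for name, pattern in signatures.items():
        if len(pattern) < 2:
            continue  # a one-byte pattern has no delta to compare
        pattern_delta = xor_delta(pattern)
        start = 0
        while (offset := data_delta.find(pattern_delta, start)) != -1:
            key = data[offset] ^ pattern[0]
            if key:  # key 0 is a plain match, already covered by scan_exact
                hits.append(Detection(name, offset, key))
            start = offset + 1
    return hits


def scan(data: bytes) -> List[Detection]:
    return scan_exact(data) + scan_xray(data)


# Constructed sample buffers.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 16 + SIGNATURES["Example.Marker.A"] + b"\x00" * 8
ENCODED = b"STUB" + xor_bytes(SIGNATURES["Example.Marker.A"], 0x5A) + b"\x00" * 4
UNKNOWN = b"MZ\x90\x00" + b"one-off build the vendor has never seen"

if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("encoded", ENCODED), ("unknown", UNKNOWN)):
        print(f"{label:9s} exact={scan_exact(sample)} xray={scan_xray(sample)}")
```

The last sample is the case no static pass can close: with no signature on file there is nothing to match, which is where behavior and network monitoring have to take over.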
This little lockstep war continues today. It's reached a point where the possible attack surface (the places where unauthorized users can get in or unauthorized code can be run) against a potential target is huge, and as our society continues to become more connected through the Internet the surface continues to get worse (or better, depending on which side of the fence you're on.) Computers, cellphones, our cars, printers, security cameras, televisions, disc and media players, even home appliances like refrigerators, air conditioners and thermostats are accessible over networks.
That baby monitor you installed to watch the crib from your computer? Did you forget to use a long, secure password? I bet the wireless connection was a lot more convenient than having to run a wire. But you did securely encrypt it, right? Since your wireless signal could be intercepted a house away...or from the street...or farther, if someone used a directional antenna?
It's really neat that you can connect your phone to your car. Handy, especially in states where it's illegal to use your phone without a hands-free connection and $DEITY knows you HAVE to take that call from your boyfriend the moment he calls. But did you change the default connection sequence to marry the Bluetooth in the car to the phone? Are you even able to change it? Because someone did write a program for clever techs to use a laptop for connecting to nearby Bluetooth systems. It's fun to stream porn audio into unsuspecting schlubs' cars on the freeway. Or listen in through the car audio system.
The point: there are ways for malware to get into your systems that you may not even be aware of.
Secondary point: The things that make our lives more convenient can be used against you.
The security industry now relies on a variety of techniques to try closing the holes in the potential attack surface.
Vendors rely on signatures, heuristics, behavior analysis, probabilistic analysis of email and web pages via proxy scans, along with good practices in firewalling connections and locking users down to accessing only the things they actually need to use on their computers (keeping users from being able to install updates to Word or new programs also means they can't accidentally install malware.)
Users, of course, tend to hate this because security measures come at a cost. Malware scanners use CPU and memory while they check every program being accessed, slowing down the computer. Proxies intercepting your web browsing and email to analyze the content for spam or embedded malware sometimes go wonky and end up messing up your email or creating web browsing quirks. Locking down the computer access privileges means you end up waiting hours or days for software updates or programs to be installed that would have taken a few minutes if you could do it on your own.
Users hate this. They just want to get their work done and just want their systems to work. This stuff gets in the way. And when security people do what they're supposed to do, they make the lives of their users more miserable; thus users begin to hate their system administrators even more. It's a cycle of antagonism.
Point: security is a balancing act. You can have it really secure or really usable for users.
Most of the malware out there is kind of generic. These crime syndicates trying to steal your money or browsing habits (or control of your computer) cast a wide net and are pretty content with the replies they get; this is why you normally get laughably horrible emails filled with generic messages offering you tons of cash in exchange for contact and banking information. Malware often comes in the form of code on hacked websites that waits for you to find the webpage and asks you to install a plugin that isn't really what it reports it is. The weak point is the social engineering of the user; we tend to be trusting of things we don't want to think about beyond the immediate future.
If I want to see boobies I need to install this plugin? Okay! <click>
<dialog box pops up> words...words...words...whatever. <click>
<email comes up asking you to run an attachment.> Blah blah. Okay, whatever. <click!>
People aren't just trusting, but we do things that are blatantly dangerous or stupid if it means getting some kind of payoff. When a company does put in generally good security policies it still falls down when users are willing to give away their passwords to anyone who says they're from IT and need your password to test something.
In fact, a study found that users were willing to give up passwords for a chocolate bar (although it's a valid point to say that there wasn't any indication whether these passwords were tested for validity.) There are also cases where USB drives left in parking lots were taken and plugged into systems with little thought of whether there was malware on them.
Point: Users are the weakest point of any security policy, and social engineering can be a powerful attack vector.
Unfortunately with technology we still have to trust someone at some point. We end up needing to trust that someone more skilled or knowledgeable is doing the right thing for us, or acting in our interests, in areas in which we lack skill or knowledge.
Of course in many, if not most cases, we abdicate responsibility for these domain-specific areas of knowledge; we don't want to deal with it. This is understandable when you look at the complexity of our society today, I suppose...
If you read this far...
...this is where things tie together a bit. See, I sort of understand the difficulty the Times IT crew faced because they made themselves a target.
Usually malware is sort of out there, like a poisonous jellyfish in the ocean waiting for prey to happen into it. But the Times was running a story on someone that was a big name in China. And China is known for sponsoring targeted "cyber-attacks" (to be fair, this has been long rumored for the US and its allies as well. I'm just focusing on China because it is alleged they were behind the New York Times attack.)
When you get into becoming a named target, things get worse. Much worse. Because you are targeted for a custom attack. You're no longer a target of opportunity; you are a target that is researched, and a breach means tendrils of back doors being installed and user activity being actively monitored.
The network gets scanned and probed. Your employees are researched, and emails come in specifically addressed to specific employees with malicious code embedded (or more likely, links to malicious code.) Maybe they had a meeting with someone who was set up to hand over a drive with malicious code. Or maybe someone got a device sent to them for testing that contained trojan-horse type code that went to work as soon as it was connected to the company network.
Once there is some kind of hook into a computer, software can be installed and run that will scan the network from the inside. A military sponsored attack means that when they find something connected with a vulnerability, custom code can be created to create a back door into that system again; for example, installing malware on a particular brand of printer.
Yes, it's possible for a printer to have custom code embedded into it for attacks.
Emails get monitored, maybe forwarded or copied without your knowledge, leading to more information being leaked and another user that can be targeted with possibly better access privileges.
Malware monitoring relying on signatures would be useless if there's software being custom-crafted to attack you. If there is a device running on your network that isn't monitored directly, the only way to detect it is to have intrusion detection at the border of your network, or devices watching for suspicious network behavior to alert administrators. And if the attackers are aware of what you're using for defense (they'd know, for example, that you're running Symantec the moment they pull a list of running programs from an infiltrated system), they can create software specifically meant to bypass the malware scanners in use.
Worse, once a system is infected, it's nearly impossible to know with 100% certainty that you've completely eradicated the intruders. Clean a workstation with a complete reformat and reinstall only to discover that the intruders managed to reinfect it because you didn't realize that laser printer was also allowing remote access to your network...very frustrating, to say the least.
People tend to think that they install antivirus software and they're safe. They're not. Security is a process with several layers, and there are many factors to consider in the great set of tradeoffs between security and usability. So the fact that Symantec detected one piece of malware out of over 40 programs used to attack the New York Times isn't really surprising to me. Symantec's response, to blame the customer for not having more monitoring and alerting mechanisms in place, is valid in that it may have helped to some degree but I doubt it would have stopped this attack.
On the other hand having a completely secure environment would likely have been a management headache as well as a miserable environment for the users to try to actually get a product out the door. Sometimes I think software vendors in a certain industry develop a myopia to this aspect of their product in the real world.
In the end Symantec took a bit of a black eye for being named. I have my gripes with their security products...several several gripes...but part of the problem is just the environment in which security software must co-exist and operate and blame can't be entirely laid at their feet.
Security is complicated. End users misunderstand it. And vendors, in their zeal to sell products, misrepresent the issues involved. If you're a company that may draw a giant target on your back, it's worth your trouble to hire people focused on computer and network security to work in your IT team, lest you, too, end up making the news for the wrong reasons...
[Image caption: There's some irony to the order of these tweets.]
[Image caption: I'm not a marketing person, but I'm not sure implying "Our customers are morons" is a good public defense.]
On the other hand, protecting your network and your users is hard.
In the old days, viruses tended to be written by clever malcontents eager to show their technical prowess. Viruses were a way to display their programming ability while at the same time showing their hatred for non-technical people who dared to bring their non-geekhood to a domain ruled by geeks. The basic idea was that if you were stupid enough to get a virus, it was your own fault for not knowing how computers worked so you deserved what you got. Their software carried an implicit message with every infection:
Non-geeks are not welcome here.
But computers were becoming more mainstream and non-geeks weren't going away.
Somewhere along the way viruses went from becoming a nuisance to becoming something more sinister. Black hats learned that stupid people had money! The behavior of viruses evolved until they were no longer technically viruses, but rather "malware;" they relied on social engineering and software flaws to spread rather than self-replicating code, and the target was less the computer and more the person using the computer. If you knew the computer was "infected", that was an accident, whereas in the golden age of viruses the programs often announced their presence with pride.
Much of the malware out there now is backed by organized crime and State-sponsored campaigns. These groups will pay individuals or groups to orchestrate attacks to farm naive or ignorant users into running programs that will then target a user for spammy and intrusive ads, redirecting your web browsing to ad-ridden websites that may contain more malware, tracking your keystrokes to intercept passwords to banking websites,...all sorts of fun things.
As you can probably guess, the antivirus industry is quite lucrative, and have created a kind of arms race with malware authors. In the beginning the cycle of war was pretty simple; virus author created a new virus and released it into the wild. Antivirus vendors got a sample, reverse engineered it, found a "signature" sequence of code in the executable that was unique to the virus, then they updated their product for clients. The Antivirus product then scanned every program you ran on your computer and if anything matched that unique string of code, it flagged it as a virus and sometimes would try to clean your computer.
One step forward for virus authors matched by one step forward by AV vendors.
Virus authors fancied themselves clever, so they needed to find clever ways to beat AV vendors.
Second step from virus authors...second step from AV vendors.
The point: clever people with time on their hands are obsessed with the challenge of finding new and creative ways to be destructive and/or profit from people.
This little lockstep war continues today. It's reached a point where the possible attack surface (the places where unauthorized users or code can be run) against a potential target is huge, and as our society continues to become more connected through the Internet the surface continues to get worse (or better, depending on which side of the fence you're on.) Computers, cellphones, our cars, printers, security cameras, televisions, disc and media players, even home appliances like refrigerators, air conditioners and thermostats are accessible over networks.
That baby monitor you installed to watch the crib from your computer? Did you forget to use a long, secure password? I bet the wireless connection was a lot more convenient than having to run a wire. But you did securely encrypt it, right? Since your wireless signal could be intercepted a house away...or from the street...or farther, if someone used a directional antenna?
It's really neat that you can connect your phone to your car. Handy, especially in states where it's illegal to use your phone without a hands-free connection and $DEITY knows you HAVE to take that call from your boyfriend the moment he calls. But did you change the default connection sequence to marry the bluetooth in the car to the phone? Are you even able to change it? Because someone did write a program for clever techs to use a laptop for connecting to nearby bluetooth systems. It's fun to stream porn audio into unsuspecting schlub's cars on the freeway. Or listen in through the car audio system.
The point: there are ways for malware to get into your systems that you may not even be aware of.
Secondary point: The things that make our lives more convenient can be used against you.
The security industry now relies on a variety of techniques to try closing the holes in the potential attack surface.
Users, of course, tend to hate this because security measures come at a cost. Malware scanners use CPU and memory while they check every program being accessed, slowing down the computer. Proxies intercepting your web browsing and email to analyze the content for spam or embedded malware sometimes go wonky and end up messing up your email or creating web browsing quirks. Locking down the computer access privileges means you end up waiting hours or days for software updates or programs to be installed that would have taken a few minutes if you could do it on your own.
Users hate this. They just want to get their work done and just want their systems to work. This stuff gets in the way. And when security people do what they're supposed to do, they make the lives of their users more miserable; thus users begin to hate their system administrators even more. It's a cycle of antagonism.
Point: security is a balancing act. You can have it really secure or really usable for users.
Most of the malware out there is kind of generic. These crime syndicates trying to steal your money or browsing habits (or control of your computer) cast a wide net and are pretty content with the replies they get; this is why you normally get laughably horrible emails filled with generic messages offering you tons of cash in exchange for contact and banking information. Malware often comes in the form of code on hacked websites that waits for you to find the webpage and asks you to install a plugin that isn't really what it reports it is. The weak point is the social engineering of the user; we tend to be trusting of things we don't want to think about beyond the immediate future.
If I want to see boobies I need to install this plugin? Okay! <click>
<dialog box pops up> words...words...words...whatever. <click>
<email comes up asking you to run an attachment.> Blah blah. Okay, whatever. <click!>
People aren't just trusting, but we do things that are blatantly dangerous or stupid if it means getting some kind of payoff. When a company does put in generally good security policies it still falls down when users are willing to give away their passwords to anyone who says they're from IT and need your password to test something.
Point: Users are the weakest point of any security policy, and social engineering can be a powerful attack vector.
Unfortunately with technology we still have to trust someone at some point. We end up needing to trust that someone more skilled or knowledgeable is doing the right thing for us, or acting in our interests, in areas in which we lack skill or knowledge.
Of course in many, if not most cases, we abdicate responsibility for these domain-specific areas of knowledge; we don't want to deal with it. This is understandable when you look at the complexity of our society today, I suppose...
If you read this far...
Usually malware is sort of out there, like a poisonous jellyfish in the ocean waiting for prey to happen into it. But the Times was running a story on someone that was a big name in China. And China is known for sponsoring targeted "cyber-attacks" (to be fair, this has been long rumored for the US and its allies as well. I'm just focusing on China because it is alleged they were behind the New York Times attack.)
When you get into becoming a named target, things get worse. Much worse. Because you are targeted for a custom attack. You're no longer a target of opportunity; you are a target that is researched, and a breach means tendrils of back doors being installed and user activity being actively monitored.
The network gets scanned and probed. Your employees are researched, and emails come in specifically addressed to specific employees with malicious code embedded (or more likely, links to malicious code.) Maybe they had a meeting with someone who was set up to hand over a drive with malicious code. Or maybe someone got a device sent to them for testing that contained trojan-horse type code that went to work as soon as it was connected to the company network.
Once there is some kind of hook into a computer, software can be installed and run that will scan the network from the inside. A military sponsored attack means that when they find something connected with a vulnerability, custom code can be created to create a back door into that system again; for example, installing malware on a particular brand of printer.
Yes, it's possible for a printer to have custom code embedded into it for attacks.
Emails get monitored, maybe forwarded or copied without your knowledge, leading to more information being leaked and another user that can be targeted with possibly better access privileges.
Malware monitoring relying on signatures would be useless if there's software being custom-crafted to attack you. If there is a device running on your network that isn't monitored directly, the only way to detect it is to have intrusion detection at the border of your network, or devices watching for suspicious network behavior to alert administrators. And if the attackers are aware of what you're using for defense (they'd know, for example, that you're running Symantec the moment they pull a list of running programs from an infiltrated system), they can create software specifically meant to bypass the malware scanners in use.
Worse, once a system is infected, it's nearly impossible to know with 100% certainty that you've completely eradicated the intruders. Clean a workstation with a complete reformat and reinstall only to discover that the intruders managed to reinfect it because you didn't realize that laser printer was also allowing remote access to your network...very frustrating, to say the least.
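To make the "watch for suspicious network behavior" idea concrete, here is an added example (not from the original post): a small check over flow records that flags a printer initiating Internet connections, one host touching many internal targets in a short window, and addresses missing from the inventory. The address ranges, inventory, thresholds and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the site's internal address space (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Assumption: an asset inventory mapping addresses to device roles.
INVENTORY = {
    "10.20.0.10": "print-server",
    "10.20.1.15": "workstation",
    "10.20.5.40": "printer",
}

# Roles that cannot run an endpoint scanner and have no business
# initiating connections to the Internet.
NO_EXTERNAL_ROLES = {"printer"}

WINDOW = 60         # seconds per counting window
SCAN_THRESHOLD = 5  # distinct internal (host, port) targets per window

T0 = 1359100020     # arbitrary start time, a multiple of WINDOW

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    (T0 + 5, "10.20.1.15", "10.20.0.10", 631, 90_000),     # workstation prints
    (T0 + 6, "10.20.1.15", "198.51.100.7", 443, 4_000),    # workstation browses
    (T0 + 10, "10.20.5.40", "10.20.0.10", 631, 300),       # printer status report
    (T0 + 30, "10.20.9.99", "10.20.0.10", 22, 1_200),      # address nobody inventoried
    (T0 + 70, "10.20.5.40", "203.0.113.50", 443, 48_000),  # printer connects outward
] + [
    # the same printer touching six different internal hosts within seconds
    (T0 + 100 + i, "10.20.5.40", f"10.20.1.{i + 1}", 445, 120) for i in range(6)
]


def is_internal(ip):
    """True if the address belongs to one of the site's own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(flows, window=WINDOW):
    """Return sorted (rule, source, detail) alerts based on behavior only.

    No file hashes or malware signatures are involved, so the check does
    not care whether the code running on the device has been seen before.
    """
    alerts = set()
    targets = defaultdict(set)  # (src, window index) -> {(dst, port)}

    for ts, src, dst, port, _bytes_out in flows:
        if not is_internal(src):
            continue  # only judge traffic initiated by our own hosts

        role = INVENTORY.get(src)
        if role is None:
            alerts.add(("unknown-device", src, "not in inventory"))

        if role in NO_EXTERNAL_ROLES and not is_internal(dst):
            alerts.add(("restricted-role-external", src, f"{dst}:{port}"))

        if is_internal(dst):
            targets[(src, ts // window)].add((dst, port))

    for (src, _index), seen in targets.items():
        if len(seen) >= SCAN_THRESHOLD:
            alerts.add(("internal-scan", src, f"{len(seen)} targets in {window}s"))

    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

The workstation's printing and browsing raise nothing; the printer is flagged twice and the uninventoried address once, which is the kind of lead that points at the laser printer before the reformatted workstation gets reinfected.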
People tend to think that they install antivirus software and they're safe. They're not. Security is a process with several layers, and there are many factors to consider in the great set of tradeoffs between security and usability. So the fact that Symantec detected one piece of malware out of over 40 programs used to attack the New York Times isn't really surprising to me. Symantec's response, to blame the customer for not having more monitoring and alerting mechanisms in place, is valid in that it may have helped to some degree but I doubt it would have stopped this attack.
On the other hand having a completely secure environment would likely have been a management headache as well as a miserable environment for the users to try to actually get a product out the door. Sometimes I think software vendors in a certain industry develop a myopia to this aspect of their product in the real world.
In the end Symantec took a bit of a black eye for being named. I have my gripes with their security products...several several gripes...but part of the problem is just the environment in which security software must co-exist and operate and blame can't be entirely laid at their feet.
Security is complicated. End users misunderstand it. And vendors, in their zeal to sell products, misrepresent the issues involved. If you're a company that may draw a giant target on your back, it's worth your trouble to hire people focused on computer and network security to work in your IT team, lest you, too, end up making the news for the wrong reasons...
Friday, January 25, 2013
What is Stack Exchange?
I moved here to the city to take a new job, and every once in a while, I get asked, "What is it the company does?" (Actually, I'm first asked what it is I do at the Stock Exchange; I'm afraid they're down the street. I'm at Stack Exchange. There's a different vowel in there.)
They know it has something to do with the Internet and a website. Whenever I try to explain what we do, I see that glazed-over look appear in the questioner's eyes, similar to what you'd see in a deer's face moments before it impacts with the windshield.
I should note here that I'm not the official representative for the company. I'm merely a systems administrator; interacting with people is not my "thing."
I would say that what follows is typical of the conversation I have with my relatives when they ask me about my job. That would be a lie. Really they get that glazed-deer look in their eyes after the second or third line. But if I were able to have a nearly complete yet relatively short conversation about my job, this is how I'd imagine it would go:
What does your company do?
Basically we're a question and answer site. We try to make the Internet a better place.
So...you're like Yahoo Answers?
$DEITY no. We're a site where you can ask questions and get answers from experts.
Oh. So only certain people can answer your questions.
Actually, anyone can. If you know the answer, you can reply to the question.
But...I'm not an expert.
That's okay. You don't even need to register to answer a question, but if you create an account, you can get reputation for your answers and reputation builds credibility for your future answers. Continued participation helps make you an expert, or at least validates that you are familiar with the subject.
So I post an answer, and I get reputation for it?
Not exactly. You post an answer, and other users can vote your answer up if it's useful, or down if it's not clear or doesn't answer the question. This affects your reputation.
What can I do with this reputation?
Absolutely nothing!
Well, that sucks.
What I mean is you can't get money for your reputation or prizes.
So why do people try to get reputation if you can't do anything with it?
Reputation is like a validation of your knowledge in a particular area; you can embed your Stack Exchange profile's reputation into your blog or web page, to show the world that you actively participate in the website. For programmers, StackOverflow is the leading source of answers to programming questions on the web, and reputation is a fun way to show their peers how much they use the site.
So programmers can show employers their StackOverflow reputation to show what they can do.
It's a useful metric for employers familiar with the site. And our Careers site, which is part of the StackExchange network, has tools built in that highlight your reputation so employers can see how you participated in StackOverflow. They just create a Careers profile and potential employers can find a programmer suited to their needs.
Okay,...this sounds like Stack Exchange is just for programmers. I'm not a programmer.
Stack Exchange started out with StackOverflow, which is for programmers and their questions. And StackOverflow is by far our most active site...if you look at our list of sites, as of today there are over 4 million questions and it's growing by over six thousand questions per day. But there are actually over 90 sites in the Stack Exchange network, each with a particular topic of focus.
Ninety sites? Why so many? I could go to Yahoo Answers and there's just one site where I just ask anything I want.
We have a lot of sub-sites because this helps divide the areas of interest, which means your question won't be buried among questions that aren't relevant to the subject. You wouldn't ask a question about home repair in a stadium of people, would you? There's a good chance someone there can help you, but the majority of the people wouldn't have a clue, and it would be very noisy compared to going to a do-it-yourselfer's convention and asking the people there.
While we are largely technical...the first three Stack Exchange sites focused on programming, systems administration (ServerFault) and home computer user questions (SuperUser), we're not just for technology questions. We have sites for video games, parenting, science-fiction and fantasy, and even cooking. There's a list of sites you can explore.
What if you don't have a site that looks like it is good for things I'm interested in?
If you think there is a community that would be interested in what you have in mind, you can go to Area 51 and propose a new site be created. Area 51 is where new sites are proposed to see if they have enough support to build a community.
How do you make them grow? Like...why do people keep participating with the site?
I'm afraid there's no single answer for that! Maybe this would best fit as a question with our cognitive sciences site.
Most people come to get answers to their questions. Some stay because they enjoy helping others and sharing knowledge. Others find a sense of community. Some like the challenge of gathering reputation and badges, and others make friends in our integrated chat system.
It helps that we're completely free; there's no paywall, and we try to reduce the friction in the user experience by keeping advertising to a minimum. What advertising we do carry is shown as unobtrusively as possible.
There are many users who enjoy the game aspect of the site. They enjoy building reputation. We also have badges you can unlock by performing various tasks, like editing people's questions and achieving certain goals on the site. There are many users who enjoy trying to collect all the badges.
Wait, you get a badge for editing people's questions? Like, you alter what other people write? So you're like Wikipedia?
Our goal is to make the Internet a better place, and we're doing that by giving users tools to find authoritative answers to their questions. Sometimes an answer...or question...needs altering so that it can help the most people. Or maybe the wording is vague. Questions might get downvoted or closed until they are edited to be suitable for the site.
So yes, it is possible for other users to edit your contributions, and in that respect we are like a wiki site. Remember, the goal is for us to make the Internet a better place, and we want your questions to help other people too! It's nothing personal!
Usually by this point I imagine the other person is either satisfied with the explanation or they're making a sandwich and have no interest in talking anymore. Or maybe I'm making a sandwich. Or both. It's my imaginary conversation, so I can make a sandwich if I want.
Regardless of the stopping point, I usually suggest they look at the new animated "about" pages that give a brief overview of each site. Take a look at the Apple site's About page. Cool, huh? Just click on the "about" link in the upper right corner of any Stack Exchange site page.
That's kind of all there is to it. It's free to join, it's free to participate, and it's free to lurk around the sites and peruse the information. Jump in and see if you can answer some questions!
Sunday, January 20, 2013
How to Move Datacenters
(Disclaimer: as always, this is my blog, not my employer's. I'm not their spokesperson. They'll have their own blog entry about the datacenter move, so some details here will be a little vague...after all, I've grown rather attached to being employed.)
I haven't moved many times in my life.
I half-moved when I went to college, which normally entailed hauling a lot of my crap from home to a small shared bedroom space and back again every two semesters. I remember the "big move" when my wife and I bought a house, an adventure that involved a lot of storage totes and a hole in the wall covered by a strategically placed doorknob-guard that happened to match the paint on the wall. And then there was what was possibly the most bittersweet move; hauling as many of my belongings as possible in our Toyota Corolla to New York City in 100 degree weather.
That's about as much fun as it sounds. And seeing as it ended with two of us entering the city and one leaving,...yeah, about as much fun as it sounds.
Thankfully the company moving data centers was not quite like that.
The company I work for was in need of moving data centers. Not for any scandalous reasons or a story of excess drama...it was simply a question of space and resources. Scaling predictions showed we would need more than the current company would be able to provide; we would need to move or hit a scaling wall.
Our company happens to run a fairly popular website with over one and a half million registered users and a large number of anonymous users utilizing our content.
So how do you manage a move of a website like that?
The first step is to become disaster resistant in case your primary data center is hit by a hurricane.
In case you forgot, New York City and New Jersey were recently hit by Hurricane Sandy, taking a number of tech sites offline as data centers around the island were systematically flooded and in several cases rarely-used generators suffered pump failures. This web company lucked out; we have a second data center on the other side of the country that dutifully replicated our data until it needed to step up to the plate.
As the storm intensified, the call was made to fail to our secondary site,...and we didn't fail back.
Months later we still had data served from the backup site, while our New York location was acting as a non-production backup.
This ended up taking a bit of pressure off the team; now that the data center we were moving was no longer the "production" site, there was more flexibility in when things could be moved around.
Second, plan, plan, then plan some more.
There were a number of meetings and pow-wows to discuss minutiae of the move. Type of racks to purchase, the power runs, expected loads placed on circuits, even the color coding to be used so it would be easier to identify what you accidentally unplugged while trying to reach something on a server.
Charts and checklists were made and cross-verified, and I even threw the occasional curveball by saying something like, "Okay, but try not to mix brown and green cables or purple and blues too much unless you don't want me to touch it. I'm partially colorblind." That elicited some surprised curses, since invisible handicaps don't normally get considered when you don't have those handicaps, and it meant more revisions.
Got those checklists and charts all made and ready to go? Good. You'll have a Plan(tm) to follow until something goes kerplooey.
Third step: hire a good moving company that specializes in moving computer equipment. In our case, Morgen Industries in Secaucus, New Jersey. Yeah, I named them. Because they were that fucking awesome.
These guys gathered information about our servers...names, placement, etc...along with diagrams mapping where they would physically be placed in the new datacenter's racks. And they provided documentation that they were properly insured for moving our equipment, which is kind of important for moving what is essentially...you know, our entire business...through New York City traffic.
Migration measures were taken in the old data center; DNS names on remaining external services were changed along with the TTL values for the entire site, database clustering taken offline between geographical locations, and then cables were disconnected. Arrangements were made for access to both data centers' freight elevators and security was told to allow the new guys in, along with members of our own team flying in to lend a hand with the move.
The movers came in with boxes for the servers. They un-racked the systems and tucked them into their little foam-padded boxes along with scannable tags inventorying where the servers were at all times. They were fast. They were professional. After the cables were pulled, our team was mostly supervising.
The moving team hauled everything ahead of schedule to the new location. In fact, that threw a kink into the schedule, as the new building needed to change the schedule for when the freight elevator could be used.
That's right. We were delayed because we needed someone with proper contractual rights to flip a switch on the elevator ahead of what was originally scheduled. Because the movers were too awesome to let something like schedules keep them from doing the job fast.
Step Four is the fun step. Getting things working again.
The moving team unboxed the servers and racked them according to specifications, and our team moved in to re-cable things.
Systems were whipped out and cable management plans were pulled up so labeling could begin in earnest.
Cables were labeled and shuffled to the servers.
As systems were plugged in, tests were run to test connectivity to the new switching equipment, and firewall rules had to be adjusted accordingly. There were some occasional...um...challenges?
In the end, though, the crack coding commandos managed to iron most of the wrinkles out.
In the end, we were pretty happy with the results.
That is the 10,000 foot view of a datacenter move. It's not completely finished as of this writing; our data is still flowing from the backup site as testing is performed in the new site. Some DNS has not been migrated. Testing is still proceeding on the firewall rules for our site-to-site interconnects.
Some software upgrades are being implemented, then SQL Server has to be told that our New York site is back online so the data can begin re-syncing; each day, several gigs of data are accumulating in the backup site, waiting to pour back into our primary site. The physical move and cabling took the better part of a week to complete...that's a lot of time for data to pile up. We're also taking this opportunity to upgrade some of the servers to take advantage of less buggy clustering code, a decision made for reasons outside the scope of this blog posting.
New shiny data center. Servers are fully patched and updated. Some of the servers even have new parts, upgraded since they were offline for a period of time. Now we just fight the occasional Chaos Monkey glitch in a switch or a call about a rule in the firewall.
Step five is the big one; fail-back.
We're getting the infrastructure back up. Site-to-site VPNs. DNS. External services visible to the Internet again. Documenting connections. Testing new PDUs, and monitoring servers for reliability with their new cabling and possible bits shaken loose in transit.
Soon we'll have the meetings to coordinate the fail-back procedure, wherein everything in the remote site is shifted back to our new primary site with as little downtime as possible. This includes web servers, SQL servers, load balancers and internal services.
There you have it; the 10,000 foot view of a major website with lots of jiggly wiggly parts being moved to another data center. This is meant for people with a passing interest in how one company achieves such a move. I didn't get into the excruciating details of SQL cluster reconfigurations, the internal services being migrated, or the VM migrations.
In this particular instance, it really boiled down to a few steps.
1) Have a secondary site to run your business from.
2) Disconnect dependencies between your secondary and primary sites.
3) Physically move the servers.
4) Test the new connections at the new site.
5) Plan the migration of your backup site to the primary site.
A few notes to keep in mind:
1) We happened to have the resources for a second data center, which was in place for historical reasons. Not every business has this, and it's not a "right" or "wrong" thing. It's how things worked out for our particular business and it gave us a big advantage in making our transition.
2) The new data center is restrictive of what can and cannot be shown for security reasons. The pictures I posted above were taken with the understanding that we can show our own equipment and only our own equipment, so I was trying to be careful not to get other equipment housed at the new site in the pictures. If images are pulled, you know why.
3) There were rumors of a plan to keep our site online during the move using new racks on wheels, big UPSes and MiFis. We'll pretend those were just rumors.
4) I work with a team of highly intelligent and capable people. While this blog posting was glib and probably made the move sound simple, the truth is there were numerous points where things could have gone south in a really bad way and the advance planning performed by the team kept everything running relatively smoothly. It was a week of late nights neck-deep in reconfiguring firewalls and switches and database burps for most of the team while I spent much of the migration handling office issues and helping our sales and remote groups connect to our internal systems as they were brought back online. It takes a lot of hard work to make something like this look easy...those guys deserve a lot of credit, from the guy that handled coordinating the movers and scheduling elevators to the admin that plugged in the last cable and the devops that altered the last firewall rule. These people were awesome...credit where credit is due.
5) This case was just how we ended up moving to a new datacenter. Depending on how a business grew its infrastructure, the behind the scenes methodology and drama could unfold in a very different manner. Our drama was limited to toe shoes and eventually fixing flat tires on a hand truck and the occasional aggressive negotiations when discussing certain logistics of the move. Your mileage may vary.
I haven't moved many times in my life.
That's about as much fun as it sounds. And seeing as it ended with two of us entering the city and one leaving,...yeah, about as much fun as it sounds.
Thankfully the company moving data centers was not quite like that.
The company I work for was in need of moving data centers. Not for any scandalous reasons or a story of excess drama...it was simply a question of space and resources. Scaling predictions showed we would need more than the current company would be able to provide; we would need to move or hit a scaling wall.
Our company happens to run a fairly popular website with over one and a half million registered users and a large number of anonymous users utilizing our content.
So how do you manage a move of a website like that?
The first step is to become disaster resistant in case your primary data center is hit by a hurricane.
In case you forgot, New York City and New Jersey were recently hit by Hurricane Sandy, taking a number of tech sites offline as data centers around the island were systematically flooded and in several cases rarely-used generators suffered pump failures. This web company lucked out; we have a second data center on the other side of the country that dutifully replicated our data until it needed to step up to the plate.
As the storm intensified, the call was made to fail to our secondary site,...and we didn't fail back.
Months later we still had data served from the backup site, while our New York location was acting as a non-production backup.
This ended up taking a bit of pressure off the team; now that the data center we were moving was no longer the "production" site, there was more flexibility in when things could be moved around.
Second, plan, plan, then plan some more.
There were a number of meetings and pow-wows to discuss minutiae of the move. Type of racks to purchase, the power runs, expected loads placed on circuits, even the color coding to be used so it would be easier to identify what you accidentally unplugged while trying to reach something on a server.
Got those checklists and charts all made and ready to go? Good. You'll have a Plan(tm) to follow until something goes kerplooey.
[Photo: Um...where does that stuff go again?...]
Third step: hire a good moving company that specializes in moving computer equipment. In our case, Morgen Industries in Secaucus, New Jersey. Yeah, I named them. Because they were that fucking awesome.
These guys gathered information about our servers...names, placement, etc...along with diagrams mapping where they would physically be placed in the new datacenter's racks. And they provided documentation that they were properly insured for moving our equipment, which is kind of important for moving what is essentially...you know, our entire business...through New York City traffic.
Migration measures were taken in the old data center; DNS names on remaining external services were changed along with the TTL values for the entire site, database clustering taken offline between geographical locations, and then cables were disconnected. Arrangements were made for access to both data centers' freight elevators and security was told to allow the new guys in, along with members of our own team flying in to lend a hand with the move.
The movers came in with boxes for the servers. They un-racked the systems and tucked them into their little foam-padded boxes along with scannable tags inventorying where the servers were at all times. They were fast. They were professional. After the cables were pulled, our team was mostly supervising.
[Photo: Yeah...put it in that box there...good job, bro.]
That's right. We were delayed because we needed someone with proper contractual rights to flip a switch on the elevator ahead of what was originally scheduled. Because the movers were too awesome to let something like schedules keep them from doing the job fast.
Step Four is the fun step. Getting things working again.
The moving team unboxed the servers and racked them according to specifications, and our team moved in to re-cable things.
[Photo: The power cords got their own piles...]
[Photo: Management parts...now imagine boxes of patch cables. Many boxes of patch cables.]
[Photo: A labeler ordered just for the move, capable of making self-laminating labels. So. Many. Labels.]
[Photo: Realign the dilithium crystal and reroute power to the flux capacitor, then reboot...easy peasy.]
[Photo: Dammit, the SQL Server's eating Craver again...]
[Photo: Dude, it works. I can crash Reddit twice as fast from this data center!...Where's Craver?...Craver?]
[Photo: Color coded, management arms, labeled, blinkied, semi-sentient...]
Some software upgrades are being implemented, then SQL Server has to be told that our New York site is back online so the data can begin re-syncing; each day, several gigs of data are accumulating in the backup site, waiting to pour back into our primary site. The physical move and cabling took the better part of a week to complete...that's a lot of time for data to pile up. We're also taking this opportunity to upgrade some of the servers to take advantage of less buggy clustering code, a decision made for reasons outside the scope of this blog posting.
New shiny data center. Servers are fully patched and updated. Some of the servers even have new parts, upgraded since they were offline for a period of time. Now we just fight the occasional Chaos Monkey glitch in a switch or a call about a rule in the firewall.
Step five is the big one; fail-back.
We're getting the infrastructure back up. Site to site VPN's. DNS. External services visible to the Internet again. Documenting connections. Testing new PDU's, and monitoring servers for reliability with their new cabling and possible bits shaken loose in transit.
Soon we'll have the meetings to coordinate the fail-back procedure, wherein everything in the remote site is shifted back to our new primary site with as little downtime as possible. This includes web servers, SQL servers, load balancers and internal services.
In this particular instance, it really boiled down to a few steps.
1) Have a secondary site to run your business from.
2) Disconnect dependencies between your secondary and primary sites.
3) Physically move the servers.
4) Test the new connections at the new site.
5) Plan the migration of your backup site to the primary site.
A few notes to keep in mind:
1) We happened to have the resources for a second data center, which was in place for historical reasons. Not every business has this, and it's not a "right" or "wrong" thing. It's how things worked out for our particular business and it gave us a big advantage in making our transition.
2) The new data center is restrictive of what can and cannot be shown for security reasons. The pictures I posted above were taken with the understanding that we can show our own equipment and only our own equipment, so I was trying to be careful not to get other equipment housed at the new site in the pictures. If images are pulled, you know why.
3) There were rumors of a plan to keep our site online during the move using new racks on wheels, big UPS's and MiFi's. We'll pretend those were just rumors.
4) I work with a team of highly intelligent and capable people. While this blog posting was glib and probably made the move sound simple, the truth is there were numerous points where things could have gone south in a really bad way and the advance planning performed by the team kept everything running relatively smoothly. It was a week of late nights neck-deep in reconfiguring firewalls and switches and database burps for most of the team while I spent much of the migration handling office issues and helping our sales and remote groups connect to our internal systems as they were brought back online. It takes a lot of hard work to make something like this look easy...those guys deserve a lot of credit, from the guy that handled coordinating the movers and scheduling elevators to the admin that plugged in the last cable and the devops that altered the last firewall rule. These people were awesome...credit where credit is due.
5) This case was just how we ended up moving to a new datacenter. Depending on how a business grew its infrastructure, the behind-the-scenes methodology and drama could unfold in a very different manner. Our drama was limited to toe shoes and eventually fixing flat tires on a hand truck and the occasional aggressive negotiations when discussing certain logistics of the move. Your mileage may vary.
Friday, January 11, 2013
Publish a Podcast from Your Local Mac
I've always had a slight interest in presenting onstage. I have coworkers who do presentations. I worked in a school; they sometimes presented the chance to "present" in front of an audience. I now work with a company with a consultant who does many classes and presentations of a technical nature. Yet for reasons that don't relate to the topic at hand, I haven't really worked on stage to give a presentation.
I'm a little strange in that when I have an interest in something, I usually try to do due diligence. Namely, research. I have some books on the shelf I've yet to read on presentations, for example.
Then the other day I was talking to a coworker known for doing technical talks and mentioned the honing of presentation skills. He suggested a podcast that had a series of episodes about giving professional presentations, and forwarded me the link with the "presentation" tag filtering results.
The podcasts were filtered; it wasn't a podcast about giving presentations, but rather a few episodes out of several where the topic happened to be about giving presentations.
Instead of subscribing to the podcasts' main feed, I downloaded the MP3's. Now I had the podcasts I wanted to listen to, but only as audio files.
The easy way to listen to them would be to import them to iTunes as music, then create a playlist just for those audio files and then tell iTunes to sync that playlist with my iPhone for later listening on the go.
While this would work, it meant that the "songs" end up getting shuffled in with other songs as any other audio track, and it would be played separately from the rest of my podcasts. I was also bugged by the fact that this interrupted my usual podcast workflow; listening to the podcast audio wouldn't mark it for "deletion" so it would be taken out of the listening rotation.
I lamented this to the same coworker when he gave some brilliant advice. Just serve it from your local machine with an XML file.
Well, it takes a little more work than that, but here's how I did it on OS X 10.8.2.
That said, if there are improvements I should use feel free to leave suggestions. I was primarily looking for a quick and easy way to make iTunes act like a series of MP3's I downloaded were regular podcasts so I could listen to them in the same way I listen to other podcasts instead of squeezing them into music playlists, and ended up doing it by turning my laptop into a portable web server.
First, it seems that iTunes needs to grab the files from a web server. OS X happens to come with a web server, but the old way of turning on "web sharing" has been removed. To enable a simple Apache setup, open a terminal and create a conf file for your user:
```bash
sudo nano /etc/apache2/users/username.conf
```
...where "username" is obviously your username. In that file add the following block.
```apache
<Directory "/Users/username/Sites/">
    Options Indexes Multiviews
    AllowOverride AuthConfig Limit
    Order allow,deny
    Allow from all
</Directory>
```
...where again the "username" is your username. Then start the web server.
```bash
sudo apachectl start
```
At this point opening your web browser and entering "http://127.0.0.1" in the address bar should give you an "it works" message. If you go to "http://127.0.0.1/~username" it should give you a little intro ditty to web page serving. Neat, huh?
This is a very limited web server; no database stuff, no bells and whistles, just a very bare-bones configuration. But I'm not looking to host a world-class website. I just wanted to turn those podcast audio files into an RSS feed for iTunes.
Next I created a subdirectory in ~/Sites called presentation_mp3 and copied the MP3 files to it. Now opening http://127.0.0.1/~bsilver/presentation_mp3 in my browser gave me a list of MP3 files.
Now the fun part, XML! I created a file called ~/Sites/podcast.xml. In it, I placed the following:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" version="2.0">
  <channel>
    <title>Podcast Presentations</title>
    <description>Tips and Tricks for Delivering Killer Presentations</description>
    <link>http://127.0.0.1/~username/presentation_mp3</link>
    <language>en-us</language>
    <copyright>Copyright 2013</copyright>
    <lastBuildDate>Wed, 9 Jan 2013 11:30:00 -0500</lastBuildDate>
    <pubDate>Wed, 9 Jan 2013 11:30:00 -0500</pubDate>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <webMaster>MyEmail@myemail.com</webMaster>
    <!-- One <item> per MP3 file -->
    <item>
      <title>Killer Presentations</title>
      <link>http://127.0.0.1/~username</link>
      <guid>http://127.0.0.1/~username/presentation_mp3/Killer_presentation.mp3</guid>
      <description>How to give a killer presentation!</description>
      <!-- length is the size of the MP3 file in bytes -->
      <enclosure url="http://127.0.0.1/~username/presentation_mp3/Killer_presentation.mp3" length="24308496" type="audio/mpeg"/>
      <category>Podcasts</category>
      <pubDate>Wed, 9 Jan 2013 11:30:00 -0500</pubDate>
    </item>
  </channel>
</rss>
```
I based this off a template from this website, although for simplicity I didn't include the nice iTunes-compatible yet optional bits. I used the above as a template, adding a new <item> for each MP3 file, altering the "length" to correspond to the size of the file in the directory and the pubDate and description as necessary. You should be able to puzzle out from the above what things would need to be customized, at least to a point where it would work. The file was saved to ~/Sites/podcast.xml.
Once these were set, I opened iTunes and clicked File -> Subscribe to Podcast.
In the URL box I entered, "http://127.0.0.1/~username/podcast.xml", without the quotes.
Then I told iTunes to update the podcast and it downloaded them. Ta-da!
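The per-file `<item>` entries described above can be generated rather than typed by hand. This is an added example, not code from the original post: the function names and the placeholder files are assumptions made for illustration, and it emits only the basic RSS elements, not the optional iTunes ones.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from email.utils import formatdate
from urllib.parse import quote


def build_feed(mp3_dir, base_url, title, description):
    """Return RSS 2.0 text with one <item> per .mp3 file found in mp3_dir."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    ET.SubElement(channel, "description").text = description
    ET.SubElement(channel, "link").text = base_url
    ET.SubElement(channel, "language").text = "en-us"
    names = sorted(n for n in os.listdir(mp3_dir) if n.lower().endswith(".mp3"))
    for name in names:
        info = os.stat(os.path.join(mp3_dir, name))
        # Percent-encode the file name so spaces, '&' or '#' cannot alter the URL.
        url = base_url.rstrip("/") + "/" + quote(name)
        item = ET.SubElement(channel, "item")
        # ElementTree escapes text and attribute values, so a '&' or '<' in a
        # file name cannot break the XML or add markup to the feed.
        ET.SubElement(item, "title").text = os.path.splitext(name)[0].replace("_", " ")
        ET.SubElement(item, "guid").text = url
        ET.SubElement(item, "description").text = name
        # "length" is the enclosure size in bytes, read from the file itself.
        ET.SubElement(item, "enclosure", url=url,
                      length=str(info.st_size), type="audio/mpeg")
        # RFC 822 date taken from the file's modification time.
        ET.SubElement(item, "pubDate").text = formatdate(info.st_mtime, usegmt=True)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(rss, encoding="unicode")


def demo():
    """Build a feed from constructed placeholder files (zero bytes, not real audio)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, size in (("Killer_presentation.mp3", 2048), ("Q&A tips.mp3", 512)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"\0" * size)
        return build_feed(tmp, "http://127.0.0.1/~username/presentation_mp3",
                          "Podcast Presentations",
                          "Tips and Tricks for Delivering Killer Presentations")


if __name__ == "__main__":
    print(demo())
```

Pointing `build_feed` at `~/Sites/presentation_mp3` and writing the result to `~/Sites/podcast.xml` gives the same kind of file as the hand-written one.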
I should note that activating Apache means that others can connect to your machine's web server, so beware of taking it onto untrusted networks (if you're worried, use `sudo apachectl stop` to stop the server when going out.) Always keep your system up to date, kids! The open port 80 doesn't seem to show up under the sharing system preference, and it is accessible even with the firewall on. If you're worried, you may want to change the accessibility in the conf file.
In the off chance that someone else will read this and cringe at how horrible my XML file was, or get irritated that I didn't include particular options or any of a half-dozen other things I neglected to do properly, keep in mind that this was a quick-and-dirty way to get a series of audio files inserted into my podcast feed. If I were working on an actual podcast meant for public consumption I would have taken far more time prettifying everything and making each episode have more than a rudimentary description, not to mention hosting it on an actual podcast service.
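For the conf-file accessibility change mentioned in the note about untrusted networks, the following added example (not part of the original post) checks a per-user `<Directory>` block against Apache 2.2 `Order`/`Allow`/`Deny` semantics. The loopback-only block and the function names are assumptions made for illustration.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}  # specs that only match this machine

# The block from this post, as written.
PAGE_CONF = """
<Directory "/Users/username/Sites/">
Options Indexes Multiviews
AllowOverride AuthConfig Limit
Order allow,deny
Allow from all
</Directory>
"""

# Constructed alternative (an assumption, not from the post): loopback only.
LOCAL_ONLY_CONF = """
<Directory "/Users/username/Sites/">
Options Indexes MultiViews
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1 ::1
</Directory>
"""

BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)


def matches_remote(specs):
    """True if any host spec could match a client that is not on loopback."""
    return any(s.lower() not in LOOPBACK for s in specs)


def audit(conf_text):
    """List exposure findings per <Directory> block (Apache 2.2 access rules)."""
    findings = []
    for path, body in BLOCK_RE.findall(conf_text):
        order, allow, deny, options = "deny,allow", [], [], []
        for line in body.splitlines():
            words = line.split("#", 1)[0].split()
            if len(words) < 2:
                continue
            key = words[0].lower()
            if key == "order":
                order = words[1].lower()
            elif key in ("allow", "deny") and words[1].lower() == "from":
                (allow if key == "allow" else deny).extend(words[2:])
            elif key == "options":
                options = [w.lstrip("+").lower() for w in words[1:]]
        a, d = matches_remote(allow), matches_remote(deny)
        # allow,deny: default deny, Deny wins. deny,allow: default allow, Allow wins.
        remote_ok = (a and not d) if order == "allow,deny" else (a or not d)
        if remote_ok:
            findings.append(f"{path}: reachable from non-loopback clients")
            if "indexes" in options:
                findings.append(f"{path}: directory listing (Indexes) is exposed")
    return findings


if __name__ == "__main__":
    print({"page": audit(PAGE_CONF), "local-only": audit(LOCAL_ONLY_CONF)})
```

The check covers only the per-user `Directory` block; Apache's main configuration still decides which address port 80 listens on.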
Any suggestions for improvements?