Sunday, July 30, 2017

Windows Update (Yet Again)

I hate to be constantly harping on the theme of broken Windows updates, but I recently ran into yet another issue on my workhorse notebook PC. Every once in a while, I will drill on the Update History link, like I did this weekend,  choosing to ignore Window's cheerful assignment that my Windows was currently patched and any new patches would be promptly processed. It's difficult to explain why I didn't believe this, but I routinely bounce my PC and I hadn't seen any new updates over the past month or so. I was then dismayed to see the same cumulative monthly update had been failing nearly all month long on an almost daily basis (sometimes multiple attempts per day). I have no idea how this happens without Windows notifying the status on the update page and/or an explicit notification, say through the action center.

As Windows 10 owners may know, there's a troubleshoot link under the Settings/Windows Update page--which includes an Update Troubleshooter. Long story short, the troubleshooter did seem to find some corruptions which it later claimed to have resolved. But it seemed to cycle over the already downloaded patch, erring out as usual.

There is a well-known workaround to these type issues which is to turn off the BITS and WinUpdate services. delete the contents of the Windows Software Distribution folder and turn the services back up (see here for a related write-up).

The downside of this fix is you lose your history of recent patches via the Update History link. But the proof is in the pudding; Windows was finally able to download and process the update over a PC bounce.

So I would recommend, until Windows fixes its notification process, that you periodically review your Update History and check for a pattern of failing updates.

Sunday, July 23, 2017

DMV's, Computer Maps, the Cable Guy, Etc.

One of the annoying things in moving between states is that you are usually under the gun  to get your drivers license transferred and new license plate(s). This is usually a hassle in starting a new job because you don't have accrued leave/personal days and they aren't open in evenings or holidays. In my current state, the MVA holds an abbreviated Saturday schedule for drivers services only.  So I figured to knock the license transfer first. The self-storage place I'm using recommended going to a branch north of me; I looked it up on Google Maps, which warned me that this (prominent local route just off the interstate) was a toll road. It surprised me--but what the heck? What was it: $2-3? I had also reviewed the hours for Saturday service. (One of the nice things in doing a Google search is that it often indicates whether a facility is open or closed, but I did a search after hours.)

So I brought along a copy of Google Maps directions plus my Garmin (plus I also had my Android Smartphone with me). It was probably overkill because the location should have been a minor offset to a major intersection, but I was unfamiliar with the area and have run into misleading/wrong directions on multiple occasions (I've missed job interviews, etc.) I reach the bridge--and find an $8 toll to cross the bridge. Holy cow! I decide to go ahead; there is an MVA sign near the relevant intersection, but looking along the street in question for signs, somehow I managed to drive past it; I retrace my steps and finally see the center maybe a couple of hundred yards off the street.  The only problem? The entire parking lot is vacant except for another recently arrived car. Something was wrong--I would expect it to be a fairly busy day with people like me. Sure enough, there are a couple of signs in windows saying the MVA was closed. Somehow I didn't know about it. (I would later discover a posted schedule that shows maybe one Saturday every 2-3 months or so is off, like this time, in addition to holidays.) I find my way back to the Interstate--I sure the hell didn't want to get hit with an $8 toll going back (each way was about 20-25 miles).

Some guy at work overheard my tale and suggested another MVA maybe 20 miles southwest via the interstate and route exit. This one was much easier to find; the MVA was essentially on the right corner of the town's first intersection. My new job allows a variation of a flex schedule. (In consulting, it's become an emerging standard for road warriors to work a compressed 4-day work schedule with Friday being a travel day. Instead of 4 10's, we work 8 9's and one 8.) I remembered Maryland has an emissions check every couple of years or so.  I ask about it when getting my tags, and the clerk said they would let me know. Sure enough, I got an email this past week. Now granted I had 2-3 months to get it done. The facility claimed to do them, so I went back for a third time. But what I didn't know was it was a single kiosk--which did not accept car models prior to 2003 (including my car). And I'm there without my Garmin. I have to wait in line to figure out where to go.

People are usually bad with directions. In this case, an emissions center was only a few miles away. I was told to go north on the same route, bear right to another route at an upcoming split and follow MVA signs.  That actually worked fine, but I had gone through so many turns, some on 1-way streets, I had no clue how to find my way back to the interstate after I pass the emissions test. I turn on Google Maps on my Android. What I didn't realize that the screensaver would essentially shut down the app's operation. Somehow I find myself back on the original route, but I turned north instead of south which I eventually realize as the road becomes more rural. I do wish, though, that these applications would alert you when you take a wrong turn. Often they're simply recalculating how to get you back. In one case yesterday I jumped the gun on an upcoming right turn and found myself back on the Baltimore loop, going back onto the original exit. (A lot of times you can't see the name of the upcoming street.)

Going back to the Android Smartphone, there are a number of Apps which will suspend the screensaver; I downloaded one and will test it on a future trip. But there are other things so annoying about printed Google Maps. For instance, the other week I decided to visit the nearest Sam's Club, roughly 23 miles south near the Baltimore loop. The printed map identified the cross-street and the name of the mall. The only trouble is there were no signs referencing the mall or the cross-street. I did see a WalMart sign off a shopping center to the right but decided that wasn't it because I've never seen a WalMart and Sam's Club in the same shopping center. WRONG! Eventually I decide I've passed the mall, driving inside the loop and turn on the Garmin (after pulling off the road). Garmin doesn't really telegraph its intent; what it was really trying to do is go in the opposing direction but it's implementing it to having me enter a shopping center across the street and navigate my way within the mall into the equivalent of a U-turn; I simply turned left onto the route.

Moving on to the CABLE GUY. On 2 of my last 3 moves, the cable services at my request sent a kit. I'm not a mechanic (my Dad was), but it's not really rocket science connecting a coaxial cable to the cable outlet, connecting my devices and setting up my wireless. Of course, my first priority is setting up the Internet. No problems, although I'm confused why the kit comes without a coaxial splitter which I've seen in almost any bundled (cable/Internet) package to apartments. With hesitation, I try to connect the cable coaxial to a nearly jack. Nothing happens. The wall socket is loose enough I can see nothing attached to the jack behind the wall. I pull the cable for the Internet out and attach the one for cable. Success! I then check Walmart.com and discover they carry splitters and coaxial cable locally. A quick trip to WalMart and 15-30 minutes later, I now have concurrently functional cable and Internet.

Only one problem. My cable service is supposed to be bundled with HBO but any and all HBO channels appear to be frozen. I do a Google search and find no usable explanation. I've lived for years without HBO, but if I'm paying for it, I should get it. I eventually have an Internet chat with a cable agent, who has never heard of the problem but is sure it requires an in-home visit from a technician  She starts talking wiring--and I repeat--to no avail--that I'm not having issues with the regular channels; the cost of a technician is around $70. She assures me if the issue is on the cable providers part the charge will be reversed. I get an overnight email from the cable operator with an assessed charge to be applied on my next bill. This time I don't bother with webchat and call the cable operator. I make it very clear that I'm not willing to spend $70 just to get the service I was promised with from the get-go; I can live without HBO; just refund the HBO portion of my cable subscription from my ongoing package. I'm assured this was not my bill, just a prospective bill and she'll audit any service charges on my account to ensure I won't be unfairly charged.

The cable guy calls me Friday, wanting to make sure I'm home. He apparently hasn't been briefed on the purpose and asks for a summary. When I started to describe all the channels are frozen with only perhaps an initial 2 seconds of video. He immediately says, "It's the cable box." I don't recall if he himself had run into the issue or a prior customer. I ask if he's carrying a replacement. He says yes. I see him pull up the the building, but it's maybe 15-20 minutes before he knocks on my door. I'm puzzled; if he knows the box needs to be replaced, what has he been doing? Basically he's got a standard operating procedure to go through, including checking my line from the service box. (I think that had to happen before he was authorized to try swapping the box.) He claims that there is some interference on the line, related to certain filtering. (It's not at all clear why this interference would affect all and just HBO channels. But basically he tries splicing me to a neighbor's line which has no interference issue, and I still have frozen HBO--which I expected.)

So finally he calls it in; it turns out that it's not just customers who run into voice mail hell. He finally connects to his familiar point of contact. He seem oblivious to the fact I can hear his part of the conversation, and he talks about how he's  at a customer who had a self-install kit. He then starts saying something like, "I wish they wouldn't do that (i.e., they should have professionals doing installations)..." He finally gets the okay to swap the box--and long story short, HBO works on the replacement box.  I'll have a follow-up visit by other contractors to get my dedicated line replaced ("in case your neighbor changes cable providers") I felt like saying, "You know, if the cable provider had done a QC check on the box before shipping it to me, you wouldn't be here right now." The only real advantage to having professionals do it (at an inconvenient time interfering with my work schedule) is they might be carrying a spare in their truck, and the self-service equipment doesn't come with a spare.

Certifications

I started a post draft a few months back, shortly after passing my CompTia Security+ exam (a job requirement). From a functional standpoint, my job is not really on the network side, configuring firewalls, etc., but databases may contain PII or PHI and poorly designed applications can be vulnerable to SQL injection attacks. Oracle and other database software publishers release periodic security updates of their products and/or provide configured security alerts, e.g., the use of predictable passwords. We also need to harden database servers, e.g., against unnecessary, predictable and/or vulnerable ports. (In fact, for one federal client, I discovered Oracle Management Server (which, for example, would allow me to remote manage other database servers from a centralized location) was not functioning because ports which allowed communication between database servers via Intelligent Agent had been blocked by network administrators.)

The DoD requires Security+ for a number of system administrative positions (including DBA) Depending on the contract, new hires without Sec+ might be given 2-6 months, but I know people who failed the exam and were let go. (I don't think CompTia publishes failure rates, but a significant percentage fail to reach the minimum score of 750, which corresponds to just over 80%; in fact, I know someone with a D.B.A. degree who failed his first attempt. Another implicit indication is they offer a preparation bundle which includes a free re-test. Why would they even offer such an incentive unless there was a good chance you would fail, even with their preparation materials?) In one case before I took the exam, I was basically offered a defense contractor job in Mississippi when an account manager told me I had 2 weeks (i.e., before moving) to take/pass the exam.  That wasn't even locally possible; there are often only a limited number of slots through Pearson (CompTia's testing facility partner) which dry up the closer you get to the date. I suspect if you live in a large enough metropolitan area that might not be an issue, but I and others, short of flying to another city just to take an exam, had to wait a few weeks for an available slot. So basically they cancelled the job offer (and contacted me later to see if I had picked it up in the interim). There are other vendors who explicitly make a contingent offer on achieving it, and in many cases, they'll trash the resumes of even 20-year DBA's without the cert listed on them.

Security+ used to be a perpetual certification (until 2010 or so, don't quote me) but given the rapidly changing world of technology,  CompTia now issues 3-year certificates with a 50 CE (continuing education) unit renewal (CE's can be earned in a variety of ways, e.g., taking or delivering salient training or classes, qualifying seminars/webinars, credit for security-related employment, etc.) In fact, DoD demands that ongoing education process; I have a friend with a perpetual Sec+ certificate who had a Japan-based assignment, but the USMC demanded that he retake the exam (I gather he had not been involved in post-certificate continuing educational activities).

One of the things I had mentioned in my earlier post draft was that I can still recall when I finished my oral doctoral qualification exam (which followed passing my major and minor comprehensives) thinking I would no longer have to take any more exams; I would be the one giving them as a professor. Of course, that was quite naive, even assuming I didn't seek another doctorate or other degree (e.g., law). There was, of course, the dissertation proposal defense and the dissertation defense; my academic articles would be subject to peer review, my teaching evaluated by students and administrators, the tenure process, etc. When I restarted my professional career post-academia, I often faced tech screening, had to take various training courses/exams, etc. And there's been more and more push towards certification as a type of common baseline, e.g., as a filter for qualified job applicants. To a certain extent, I understand the need, given grade inflation, variances among college programs, etc.

Personally, I found some of it rather insulting. One example was this one consulting client had a rule that all contractors, as well as employees, had to take this IBM programming aptitude test. I'm like, give me a break! I had worked as a professional programmer/analyst before I started on my MBA. I have written in multiple computer languages (APL, Fortran, COBOL, etc.), had taught several programming classes and had assigned programs in others (which, of course, I personally completed in advance). So I take the stupid test, and the astonished client says, "You know, you are quite gifted." No kidding!

It's somewhat annoyed me when I get similarly quizzed over Oracle. I mean, I had gone through multiple levels of tech screens to get a job offer as a senior principal from Oracle Consulting almost 20 years ago. Are you seriously going to compare a 90-minute multiple choice question exam to over 20 years of experience from someone who used to work for Oracle? (I did decide to earn an OCA (Oracle Certified Associate) in 2005 while I was between assignments at a consulting company; I would have gone for my OCP, which required a second exam, but Oracle decided to make the cert dependent on taking one of some 8 (?) Oracle University classes ($3500 a seat). The company wouldn't cover the class; well, they might after I improved my utilization (billing percentage) rate (which had more to do with their sales guys not winning new contracts). (I saw being on the bench as a perfect opportunity to pick up training, and the additional certification might make me more attractive to prospective clients.)

Of course, some exams, including CompTia's, have gone beyond just multiple choice (which allows more comprehensive coverage, objectively scored) to increased  use of scenario/performance-based questions. A candidate is obligated not to discuss actual test questions, use purported test banks/brain dumps, etc. But to give an example I've not personally seen, one might be asked to specify underlying constructs of the CIA triad and accordingly sort relevant items, e.g., clustered servers, encrypted message bodies, message digests, etc. Or perhaps analyze a network diagram and identify risk mitigation tactics. The basic idea is to focus on critical thinking skills; you can, to some extent, do that with multiple choice items, e.g., rank-order hashing algorithms in footprint, speed, collisions, etc..

I found Security+ to be a particularly challenging exam given the wide scope of the subject, including topics like access to system resources, server and network configuration, job design, system, communication security, disaster planning, etc. (For a more detailed description, see here.) As someone who has widely read and researched test measurement and validation constructs, I was favorably impressed by question sampling and construction. Some unspecified questions aren't scored. One must also be disciplined and pace yourself; in my case, the scenarios appeared at the start of the exam; it's not obvious how the scenarios are scored, and it's easy to get sidetracked in the process. I remember when I initially completed the scenarios, I realized that I had less than a minute per question to finish the exam (but it turned out that I completed the exam with time to spare, enough to go back and review questions). There weren't a lot of predictable questions (e.g., what are the 7 layers of the OSI model?)  But the exam included questions which went beyond any of the material I had studied for the exam, including multiple preparation guides and practice exams; I had watched the Professor Messer videos on Youtube, etc. I felt I was doing well, but I had heard of people failing by 5 points, and I remember thinking, "If I have to take this exam again, how will I study for it?  My preparation hadn't covered the material for some questions; of course, to some extent my taking the exam when I did reflected real world constraints. I am a bit of a perfectionist, and no doubt I would have done better with more time to study.

Luckily, you don't have to wait long to get the results, although they want you to first fill out a survey of sorts after you submit the final answers. I remember being relieved to see not only had I passed but by a comfortable margin, but just in case I had a swelled head, they printed up a number of exam objectives that I need to review. For obvious reasons (i.e., forbidden brain dumps), they don't tell you directly which questions you missed, which questions weren't scored, etc.

Yes, even with a PhD in MIS, there is a lot to learn in the rapidly developing area of IT, especially since I left academia around the time of the introduction of Windows 3.0 and Microsoft Office. I'm already working on my CE's. As much as I enjoyed the process of gaining my certification, I would prefer not to take the $300 exam again.