Ransomware and DevOps


A scary topic, and an attack that is apparently more common than I suspected. Before you go further, if you haven’t restored a database backup in the last month, stop and go verify your DR plan works. Overconfidence in untested recovery is one of the issues facing lots of governments and businesses. While this might not help your entire organization, at least you’ll have some confidence in your process and that you can recover a database.

This is a great article from Ars Technica and worth reading: A tale of two cities: Why ransomware will just get worse. I’d recommend you read it and think about a few things. First, do you have insurance because things (or substitute your own word here) happen? Second, have you really tested a DR plan for some sort of software issue like this? You might think about a way to restore systems in an air-gapped manner that prevents them from re-triggering encryption from a remote source, or maybe even in a scenario where you reset dates/times to prevent timer-triggered issues. If you don’t think you need to, read this article as well.

Perhaps the bigger issue is whether you are actually patching and updating systems. Too many organizations can’t, don’t, or won’t. The first means you aren’t sourcing software properly. Either you’re using vendors with poor practices or you have a poor development process. Organizations that don’t or won’t bother prioritizing patching, especially for security issues, are likely those that will have issues as more criminals spread and use ransomware and other attacks for profit. Software and environments continue to become more complex, which means that the less you ensure the system is patched, the more likely it is that there is a vulnerability in your environment.

DevOps and the cloud PaaS/SaaS platforms are attractive for a few reasons. One is that the platforms are constantly kept up to date, forcing you to move along with them. SaaS cloud vendors know this and are constantly patching and updating their software in order to keep it running. DevOps asks that we always have the ability to release, that we have the ability to patch on demand, not only at certain intervals. This is something I try to emphasize when talking about DevOps. It isn’t necessarily about velocity, but it is about being able to release when you need to, whether that’s today or next month. This is especially important for security issues.

I have had hope for a long time that insurance would drive software to higher quality, and I still do. With the attacks and issues of ransomware, and who knows what other techniques will be developed, I still believe more companies will buy insurance. I then hope that, because of selfish motives, the insurance companies will require frequent patching, regular vendor certification of new platform versions, and better development processes. If insurance drives DevOps, I’m all for it, but I’d prefer you decide to adopt it yourself and start making changes today.

Steve Jones

Listen to the podcast at Libsyn, Stitcher or iTunes.


Republish: Dig Out the Root Cause

Off to SQL Saturday Austin today, so you get Dig Out the Root Cause from the archives.

Have a margarita and fajitas tonight in celebration of the great food I hope to enjoy in Austin.


Great Access to Data with Google Fi

I’ve been a subscriber to the Google Fi (formerly Project Fi) network for a couple years now. Like many of you, I depend on my mobile device for lots of data items, usually email, but I’ve also been able to get work done at times, and certainly Slack and Skype are a regular part of my work.

I made the switch because I often travel to the UK and a few other countries. Getting access from the US carriers is a pain. I’ve switched SIM cards before (never like doing that), carried a second phone that I can put a SIM in, and even tried to live on Wi-Fi. These are all compromises and a hassle.

I used to have Verizon and they had great coverage, but at $10/day, that adds up quickly. T-Mobile had free data, but low speed. My kids have Sprint and get the same low-speed connection that’s almost useless in today’s very chatty applications.

The last couple years have had me use the Google network in my travels. I’ve gotten phone calls and texts in many places, tethered my computer, and been able to keep in touch in the same way I do every day, regardless of where I am. I’ve been in these countries with Google Fi:

  • United States
  • United Kingdom (GB, Scotland, and N Ireland)
  • Ireland
  • France
  • Switzerland
  • Greece
  • Norway
  • Denmark
  • Canada
  • Australia
  • New Zealand
  • Hong Kong

In all of these countries, my phone connects and gives me 4G speeds, with my same data plan. I pay a bit for international calls, but texts are included. What’s even better is that my data cost is capped at $60. I pay $10/GB, but if I go over $60 (and I did while in Australia), there’s no extra charge. If I use less, I get charged on a pro-rated basis.

If you decide to move, I’ve got a referral link. You’ll save some money and I’ll get a little credit. Referral: https://g.co/fi/r/KAF848


Learning to Stop Being a Hero

A few weeks ago I re-published a piece on whether we might be giving too much of ourselves for our employers. At the time I was on holiday with my family and since this was a popular piece years ago, I decided to run it again. I was surprised at the response, with quite a few individuals writing about their experiences in their current positions.

A good friend of mine read the editorial and then sent me a link to a post by Paul Cunningham that looks at the IT hero. This talks about some of the ways in which we put ourselves out as employees. It’s a good read, and it’s certainly something to think about when you look for a new job. When I talk about finding a dream job, I’m not talking about a specific job or career path, but rather, what’s the right fit for you. That might not be the job I want, or even that your friends want. It’s the job that you’d want.

To find your job, you really need to think about more than the work, the company, the location, or benefits. Instead, think about everything and start to rate those items against each other. A friend always tries to scale everything to some monetary value to make it easy to compare jobs. You can put a value on a 5-minute commute vs. a 45-minute commute by thinking of the cost of time. The same goes for other benefits. Perhaps you can even do this in terms of future opportunities. You certainly can do this in terms of expected work week, on-call time, and more.

What you don’t want to do is let an employer take advantage of you by asking for a lot more of your time than you feel comfortable giving for the salary. Most of us are happy to pitch in when extra work is needed. I’ve seen this in restaurants, lawn care, and IT. What we don’t want to do is get taken advantage of when extra work is required on a regular basis. You don’t need to be a hero to be successful.

Perhaps the final caveat in all of this is that you can’t control how all employers treat or view employees. Sometimes you might take a job that isn’t a good fit because you need a job, or maybe because you’re trading a poor situation for some experience. Just be sure you know you’re making that trade.

The other thing I’d note is that finding a dream job, or maybe just a job that fits your life well, means you need to be able to compete with the others wanting that job. Work on improving your technical and soft skills to ensure that when the time comes, you are in the best position to get that job.

Steve Jones

Listen to the podcast at Libsyn, Stitcher or iTunes.
