[NTLUG:Discuss] I PASSED... I'm an LCA

Jeremy Blosser jblosser-ntlug at firinn.org
Fri Jun 1 03:43:16 CDT 2001


Chris Cox [cjcox at acm.org] wrote:
> Jeremy Blosser wrote:
> > The law defines what a company is allowed to do without getting sued.  It
> > does not define things like 'you must routinely invade your users' privacy
> > at any opportunity'.
> 
> Sounds good.  But incorrect.  Your email belongs to the company... not
> to you.  If you want more privacy, do not use the company's email
> facilities for your personal email.

Where did I say anything about ownership or a desire for privacy?  And how
is my statement incorrect in any way?  The only way what I said can be
incorrect is if the law does define things like 'you must routinely invade
your users' privacy at any opportunity'.  It does not.  Please read what I
wrote and address the point I'm actually making if you're going to address
any of it.

> > A lot of the questions related to ethics really feel like they're trying to
> > preach the 'your life belongs to the company, you have no rights' thing,
> 
> Essentially a true statement.  I don't think they really want to preach
> something that isn't true... even if you don't happen to agree with it.

What I personally think ethically is not really relevant.  You seem to take
it as some sort of given that they are in some way infallible, and if they
disagree with industry standard, they are the ones who are right (despite
that the purpose of certification is in many ways to measure compliance
with industry standard).  I don't buy that.

> Again, the test isn't designed to get on a soapbox.... it's designed
> to make sure you are aware of what the law says (there are some

Then they should do that by asking questions about what the law
specifically says, not by asking "gotcha" questions so they can lecture you
where you were wrong.

> > > you either get it right or wrong.... and I really hate the ones where
> > > there are multiple correct choices.... I mean, as an administrator you
> > > tend to favor a certain way of doing things... sometimes to the exclusion
> > > of alternatives just because you know you'll never need the
> > > alternatives.... but in the case of the exam, there are a few questions
> > > where you'll need to have a pretty broad understanding of various methods
> > > to do the same thing.
> > 
> > That's all fine, provided we can be confident they are going to pick the
> > industry-standard most correct answer and not just their own subjective
> > neat way of doing things.  Otherwise they have no value as a certification.
> 
> You won't have any problem.  Again, the trick is to realize that there
> may be more than one answer that is valid... it's tempting to shoot for
> the one that you might be most comfortable with... even when the other
> answers are just as suitable.  Those questions identify themselves
> by having check boxes instead of radio boxes to answer... signifying
> that there may be more than one answer.  The easier tests, Install & Config
> and Sys. Admin. usually tell you how many correct answers there are
> (e.g. select 2 answers).  I can't remember if the Network and Security
> tests gave the same hints however.... again, they are considered
> to be the harder tests of the set.

This is ranging wide of the initial point here, which was that one of the
questions at least appears to be just plain wrong.  Only one answer was
allowed in that question, and the answer they claimed as correct was
clearly incorrect.  An NFS server connected directly to the internet is in
no way the most secure of those options.  Even their own explanation
agrees.  This is pretty obviously a typographical error, so let's leave it
at that.

> > I'm well aware of what the sysadmin can do with email and other files and
> > what the law says.  That isn't the point.  The question lacks enough data
> > for an ethical sysadmin to determine if they have cause to read someone's
> > mail.  Given that lack of cause, the default has to be no, you should not.
> > Or, if they had instead said "it is LEGAL for", they could have been
> > correct and continued to make their pet point.
> 
> Uhmm... don't mean to burst the bubble here... but they can do whatever
> they want.  The ambiguity, as I mentioned is what they do with the
> detailed personal information in your email.  For example, you buy
> something via email by supplying your credit card number (don't send
> stuff like this in email!) ...anyway, the Sys Admin reads the mail... cuz
> he's allowed to do so....  and advertises your credit card number.  NOW,
> he's in trouble.... but up until that part... I'm afraid he was
> protected.... take him to lunch, get to know him really well... AND never
> tick him off! :-)

You aren't bursting any bubbles.  I've got root on my fair share of
multiuser systems, I'm well aware of what's possible.  The point still
stands that an ethical sysadmin should not routinely read his users' email.
Does he have the access to do so?  Yes.  Does the law protect him in most
cases?  Yes.  Should he do it?  No.  Do most companies expect their
sysadmins to do so anyway?  Not really.  Do a lot of companies actively
forbid it?  Yes.  The CEO's email is in there too, after all.  Might some
company require him to do it anyway?  Yes, but given the lack of context in
that question (which even said 'without permission', which implies lack of
both user and employer permission), the answer has to default to 'no, he
should not'.  This isn't my own opinion talking, this is industry standard
ethical practice.

> ...(tons of context snipped, read thread)
> > > Again... the law rules over "what is right" in our own eyes.  If the
> > > administrator fails to notify the world (so to speak), he may be
> > > putting his own career in jeopardy....he is failing to protect
> > > the company's interests potentially.
> > 
> > In the majority of companies, if you go tell the world about something like
> > this (especially if you bother the owner) instead of just your boss, you're
> > as good as fired.  If you are the boss, you have a defined route to take
> > the issue, usually through HR.  This really has nothing to do with 'in our
> > own eyes' and everything to do with appropriate (as defined by the company)
> > dissemination of that information.
> 
> You may well get fired.... I'm not saying that business decision makers
> understand the law well either.... but take them to court and you will
> probably win.

This is not remotely a matter of law, it's a matter of corporate policy.
In most companies taking this to anyone but your own boss is a colossal
waste of everyone's time, and may well be a violation of internal
procedural guidelines regarding treatment of sensitive information.

> Besides, I think the owner would be terribly interested
> in the fact that you found somebody trying to do harm to his company...

The question was about a nameless AUP violation, no reference to "harm".
This is on average generally likely to be something like someone playing
Quake all day on the network or downloading pr0n or mp3s.  NOC guys
routinely see this, and they routinely report it through the normal
channels, and it is routinely dealt with.  It is not something to bother
the owner of the company about unless the offender is one of his direct
reports.

> he might not like you coming to see him initially, but when he realizes
> you may have just saved his tail... well, you get my point.
> Now, some companies put some things into policy that probably should
> be guidelines.  What happens in those situations is that the policy
> doesn't get enforced.... and that could be used in court to nullify
> the policy.  It's sorta like protecting your trademark.  If someone
> uses it and you decide to let them go... because you don't feel
> threatened, you can lose your trademark.

I never said anything about not enforcing it.  If you want to respond to my
arguments, please respond to the arguments I'm making, not to someone
else's theoretical arguments.

> The Sair tests are NOT perfect (as my situation proves).  I don't think
> any of them are.  I've looked at some of the LPI exam samples and found
> some interesting nuances there as well... but I also realize that the
> samples ARE NOT the exam... they are more of guidance about the kinds
> of things asked on the exam.  I think there may have been only one
> or two questions which were nearly identical on the exam vs. the
> samples.

This was really the point of my original question.  I wouldn't expect the
sample questions to show up on the test, but I was wondering if they are at
least indicative of the quality of the exams.

> Are certifications worth it?  Time will tell.  I am unemployed... so
> I have some time to kill... training may be an avenue of employment
> for me... so it made sense for me.  Trust me... I know of several
> people in NTLUG that could run circles around me on that Network
> exam!  Whether they want to get an LCA is their business.  My point
> is that their reputation goes before them very well... having
> a certification sometimes can help people who do not know a person's
> reputation to take them more seriously esp. when first getting
> a foot into the doorway of an opportunity.

Yes.  But also, it is in our best interest to promote the best certs
possible, so that we do not someday find ourselves in the position many of
our MS-using colleagues are in where they must routinely jump through the
ridiculous hoops of the MCSE because their employer won't talk to them
without it.  These tests are awful and primarily exist as another way for
MS to make money.

-- 
Jeremy Blosser


