Archive for the ‘Tech’ Category

The new struggles facing open source

The religious wars have faded, as new conflicts around control, code ‘sharecropping,’ ‘fauxpen source,’ and n00b-sniping arise

The early days of open source were fraught with religious animosities we feared would tear apart the movement: free software fundamentalists haggling with open source pragmatists over how many Apache licenses would fit on the head of a pin. But once commercial interests moved in to plunder for profit, the challenges faced by open source pivoted toward issues of control.

While those fractious battles are largely over, giving way to an era of relative peace, this seeming tranquility may prove more dangerous to the open source movement than squabbling ever did.

Indeed, underneath this superficial calm, plenty of tensions simmer. Some are the legacy of the past decade of open source warfare. Others, however, break new ground and arguably threaten open source far more than the GPL-vs.-Apache battle ever did.
How we got here: From purity to profit

The different sides used to be clear. Richard Stallman chaired the committee on free software purity while Eric S. Raymond inspired the open source movement.

Both sides rigidly held to their cause. And both sides draped themselves in a different licensing flag: GPL for the free software purists, BSD/Apache for the open sourcerors.

Not surprisingly, the increasing popularity of both camps stirred significant financial interest; thus, the profit motive came to open source. VCs prowled for projects with enough downloads to justify a support-and-service business model. Companies like Alfresco, JBoss, XenSource, and Zimbra sprang up to capitalize on the industry’s interest in open source, with developers increasingly wary of their be-suited new neighbors.

As these startups grew toward IPOs, however, the support-and-service model ran out of gas, as 451 Research analyst Matt Aslett warned. Then began the “open source plus proprietary add-ons” era of open source, with companies building “enterprise versions” of open source projects, withholding features for paid subscribers. The dreaded Open Core model was born, and the industry set out to tear itself apart over accusations of bait-and-switch and proprietization of open source.
The era of milquetoast open source

Excoriating fellow open source proponents on a grand stage over grand themes seems at this point a figment of the past. Infighting has become more contained, almost on a project-by-project basis. The GPL has steadily diminished in importance as developers have opted for the laissez-faire approach of Apache-style licensing. Commercial interests run rampant in open source. It’s how open source is done these days — which may be the fundamental issue facing open source today.

As free software advocate Glyn Moody argues, a certain amount of tension in open source is desirable because a lack of tension “means people don’t care anymore.” He’s right, but what belies this semblance of open source as a happy, if bland, family today is a shift away from passionate arguments about freedom and toward a more calculated conflict over control.
The rise of the company man

Control as a central issue for open source finds its roots in past debates over Open Core. While free sourcers and open sourcerors might have disagreed on the optimal license to guide a development community, both aligned on the need to keep corporate interests from controlling a project’s community. This mistrust of corporate influence over open source code persists to this day, but as it turns out, corporate influence — and control — is both a blessing and a curse.

While 12.4 percent of development on the Linux kernel is done by unaffiliated developers, presumably out of the kindness of their hearts, most of the kernel is written by developers paid by Intel, Red Hat, and others. While I’m sure they would like to contribute regardless of a paycheck, the reality is that most can’t afford to write software for fun.

This principle applies to most any open source project of any significance. OpenStack? HP, Red Hat, and Mirantis combine for nearly 50 percent of all code contributions. Apache Software Foundation projects like Cassandra (Facebook, DataStax, and so on), Hadoop (Cloudera, Hortonworks, MapR), and others all depend heavily on corporate patronage.

Open source software, in other words, may be free to use, but it’s not free to build.

Still, some dislike the corporate influence for another, more troublesome reason. “I think pretty soon we’re going to see how bad it is when every successful [open source] project is backed by a company, most of which fail,” declares Puppet Labs founder and CEO Luke Kanies.

Kanies makes an astute point: A project may be very successful, but that won’t necessarily translate into a financial bonanza for its primary contributors. If the company owns the copyright and other intellectual property rights behind a project, then fails — well, the dot-org fails with the dot-biz.

That’s one major reason we’ve seen foundations become such a big deal. Foundations, however, are not without their issues.
Cloaking corporate interests in foundational garb

In the past few years, foundations have become the vanity plate of corporate open source. While some companies successfully push code to a true community-led foundation (OpenStack comes to mind), others use foundations as a facade for “fauxpen source.”

One recent example is the Open Data Platform, which amounts to a gathering of big companies trying to fund Hadoop distributions that rival Cloudera and MapR. As Gartner analysts Merv Adrian and Nick Heudecker see it, ODP “is clearly for vendors, by vendors,” and they rightfully worry that “[b]asing an open data platform on a single vendor’s packaging casts some doubt on ‘open.'”

Not that ODP is alone in this. Plenty of foundations essentially serve the interests of a single vendor, whatever their ability to gather a few heavy-pocketed friends to go through the motions of “community.”

Like the OpenCore concerns of the first 10 years of open source, corporate foundations rub raw the free spirits in the open source world, because such foundations set up an asymmetric power structure. It makes little difference whether copyright assignment flows to a single company or to a foundation led by a single company; the effect is the same: The would-be contributor amounts to a particularly powerless digital sharecropper.

This isn’t the only tension in foundation land.
Controlling the code

One of the primary reasons for going to a foundation is to make project governance open and predictable. Many projects, however, eschew governance or licensing altogether. The so-called GitHub generation has been happy to load the code repository with software of unknown licensing pedigree. While GitHub has been trying to reverse this trend toward license-free development, it persists.

Even where a license exists, GitHub “communities” stand in contrast to more formal foundations. In the latter, governance is central to its existence. In the former, relatively no governance exists.

Is this bad?
As Red Hat chief architect Steve Watt notes, “Obviously, the project author is entitled to that prerogative, but the model makes potential contributors anxious about governance.”

In other words, we don’t worry as much anymore about a project’s license, which was the way corporations would seek to control use of the code. Control of projects has shifted from the code itself to governance around the code.

But it’s not only The Man that makes open source a minefield.
With communities like this …

The final, and perhaps most entrenched, tension facing open source today stems from a problem we’ve always had, but which has become more pronounced in the past few years: The open source welcome committee is not always welcoming.

It has always been the case that some projects have leaders who can be fearsome to cross. Anyone who has had Linus Torvalds tell them, “*YOU* are full of bull—-,” knows that open source requires a thick skin.

But things have gotten worse.

No, not because project leads are increasingly rude or callous, but because there are far more newbies in any given project. As one HackerNews commenter notes, “[S]mall projects get lots of, well, basically useless people who need tons of hand-holding to get anything accomplished. I see the upside for them, but I don’t see the upside for me.”

Dealing with high volumes of would-be contributors with limited experience strains the patience of the best of leaders, and well, sometimes those leaders aren’t the best, as this broadside from OpenLDAP’s Howard Chu shows:

If you post to this list and your message is deemed off-topic or insufficiently researched, you *will* be chided, mocked, and denigrated. There *is* such a thing as a stupid question. If you don’t read what’s in front of you, if you ignore the list charter, or the text of the welcome message that is sent to every new subscriber, you will be publicly mocked and made unwelcome.

As one example, half of all contributors to the Linux kernel in the past year are new contributors. This same phenomenon is playing out across the industry, and “Newbies Not Welcome!” signs like Chu’s aren’t a great way to accommodate the influx of those who want to participate but don’t yet know how.

Ultimately, open source isn’t about code. It’s about community, and as Bert Hubert suggests, “community is the best predictor of the future of a project.” That community isn’t fostered by jerk project leads or corporate overlords pretending to be friendly foundations. It’s the heart of today’s biggest challenges in open source — as it was in the last decade.


What can you do when the insider threat is IT itself?

IT pros are not always the good guys, and when they go bad, the damage is immense.

IT is charged with keeping threats at bay, from both traditional external hackers and, increasingly, company insiders. One insider that is too often overlooked is IT itself. Look around your IT department – can you trust every single person there?

It turns out that a notable portion of insider breaches come from technical staff: 6% from developers and another 6% from admins, according to the latest Verizon Data Breach Investigations Report. The report shows that many of these breaches come from privilege abuse, although there are still plenty of other techniques IT staffers use. Great importance should be given to the moral character of your IT admins; after all, they hold a lot of power at their fingertips, especially when a sizeable chunk of the business goes through IT systems.

In a recent Infoworld column, Roger A. Grimes offered a few war stories and some bits of advice on how to hire truly trustworthy IT pros and spot the bad seeds.

“When someone you admired, trusted, and invested yourself in ends up embezzling from the company, illegally accessing private emails, or using customer credit card data to buy computer equipment for their home, your incorrectly placed trust in that person will haunt you,” Grimes wrote. One person he hired had not disclosed a criminal record, and Grimes learned of it only after a background check. By then, the person had already been employed.

“The one employee I kept on after they committed this transgression ended up stealing thousands of dollars in computer equipment from the company,” he wrote. “I found out when he asked me to drop by his house to help diagnose possible malware on his home computer. When I entered his abode, I saw that he had a multi-thousand-dollar computer rack, computers, and networking equipment identical to what we had at work. When he realized I recognized the equipment, his expression was clear. It had been a mistake to invite me to his house, at least without first hiding the stolen equipment.”

Grimes suggests that background checks are very important when hiring IT staff, and he warns against hiring candidates who have been found to have lied, or those who always have something bad to say about their previous employers. Grimes also recommends keeping an eye out for current employees who know too much about things they probably shouldn’t.

Some years back, I covered this topic in a 2006 cover story for Redmond magazine: IT Gone Bad. The stories came straight from IT pros themselves and gave a good overview of what goes on behind the curtain of admin privileges.

“We have a network guy who monitors everyone’s Internet usage. Most employees don’t know this because our boss tells everyone that there’s no one monitoring the Internet and that he doesn’t want to know anyway, but this network guy always seems to know what everyone is surfing for. He even talks about it with other employees,” said an IT pro interviewed for the article.

In another case, a school district IT director and a co-worker conspired to defraud the system.
“They had a computer consulting business they ran on the side and would leave the district several times a day to work on client computers without taking vacation time,” an IT source revealed. “They discovered the program eBlaster, which records everything you do on the computer and attaches key logs, screenshots, Internet usage and a lot of other info in an email and sends it to a specified address for review. This was initially used to monitor users suspected of spending too much time surfing the Internet or inappropriate email. It was put on the CFO, COO, and superintendent’s computer. It’s also suspected that it was put on a few of the school board members’ computers.”

This was done to advance their careers, either through blackmail or through special knowledge gained from all the information they harvested.

With so many businesses relying on tech as a means of communication, the computer network can be a treasure trove of sensitive data, easily accessible by IT admins. Trust is of utmost importance, but what else can you do, and how does Verizon suggest you block breaches, including those from the inside?

“The first step in protecting your data is in knowing where it is and who has access to it,” the report reads. “From this, build controls to protect it and detect misuse. It won’t prevent determined insiders (because they have access to it already), but there are many other benefits that warrant doing it.”

That’s good advice, and I take it to mean that even IT should fall under strict data access privilege policies, and all network activity, including that from IT, should be tracked for security threats.


Six entry-level cybersecurity job seeker failings

Here’s how many cybersecurity entry-level job seekers fail to make a great first impression.

When it comes to hiring, enterprise security teams can use all of the help that they can rally. But when it comes to hiring entry-level talent, that’s not as easy as it may seem.

According to a poll last summer of 1,000 18–26 year olds conducted by Zogby Analytics and underwritten by Raytheon, about 40 percent of Millennials reported they would like to enter a career that makes the Internet safer, but roughly two-thirds of them said they aren’t sure exactly what the cybersecurity profession is, and 64 percent said that they did not have access to the classes necessary to build the skills required for a career in information security.

That means, at least when it comes to the entry-level information security market, that there will be many job applicants continuing to enter the field with backgrounds that lack formal information security training. This echoes what we hear when we speak with CISOs and others who often hire security talent.

With all of this in mind, we recently reached out to those CISOs to see if there was a common thread of mistakes among information security career newcomers who are in the job market. Here’s what we found:

1. Fail to show oneself as a team player
Sounds like a no-brainer, right? But it’s not. Many of the hiring executives we spoke with say that personality can – and often does – trump technical assets. This is especially true as more and more information security roles interface with the rest of the business. It’s essential that applicants be themselves – amiable, articulate, and able to prove that they can work with different areas within the organization.

2. Sell one’s self as a jack-of-all-trades
“Entry level applicants across almost all verticals of information security make the mistake of trying to be a one-size-fits-all candidate,” says Boris Sverdlik, head of security at Oscar Insurance. “Security is broken up across many verticals and even among those who are experienced, it’s almost impossible to be well versed in all aspects,” he says. “The most annoying candidate is the arrogant know-it-all,” says Brian Martin, founder at Digital Trust, LLC. “I don’t mind arrogance when it’s earned, but not in a kid who’s never been tested. In cases where we’ve tried to work with these types, it hasn’t ended well.”

If you have interests in many skills in information security, highlight a couple that best meet the needs of the organization.

3. Falling flat on job search and interviewing basics
For many CISOs, such as Martin Fisher, manager of IT security at Northside Hospital, it is common for potential hires to harm themselves by flunking the basics of job seeking. “On resumes, misspell HIPAA, and I’ll toss the resume,” Fisher says. He also says that he too often encounters typos, punctuation errors, and resumes laden with information that’s not relevant to the role being offered.

Mike Kearn, principal security architect at US Bank, cited what job seekers don’t do when it comes to the basics of interviewing. “When I offer them an opportunity near the end of the interview to ask me anything, and I emphasize the word ‘anything,’ the majority ask me softball kinds of questions about culture or why I like working there. Missed opportunity on their part,” he says.

4. Believe certifications and degrees matter more than practical skills
“Many think that I care more about their degree or certifications than actual skills,” Kearn says, “while others are under the misguided assumption that a degree or a certification equals a job. It doesn’t.”

Likewise, many entry-level applicants think technology is the hammer to squash every security risk nail. “Too many think that the solution to most problems is a technology control, rather than people and processes,” says Eric Cowperthwaite, former CISO for Providence Health and Services and currently advanced security and strategy VP at Core Security Inc.

Ben Rothke, senior eGRC consultant at Nettitude Group and former CISO, agrees. “The technology tools they have experience with are the definitive techniques for approaching information security. Not every security problem can be fixed by a firewall or IDS,” says Rothke.

5. Stretch the truth
This one certainly isn’t exclusive to information security, but it is especially silly to try to pull this off on experienced security professionals, who tend to be a suspicious bunch by nature. “You’ll notice that they tend to exaggerate their experience to impress hiring managers; some range from slight fibs to full-blown lies,” says Sverdlik.

Kearn concurs: “A lot of them attempt to inflate or enhance their resume by saying they know someone and are connected via LinkedIn. But when I press them on it, because I actually know the individual personally, they cave almost immediately.”

6. Don’t understand the highly interpersonal nature of infosec
Many entry-level applications come from workers in small businesses, and they are not prepared for or don’t seem to understand how large enterprises function. That’s fine, and part of the learning process for new professionals – but keep an open and learning mindset when it comes to practicing information security at a larger enterprise. “A lot of people have expressed ways to do business that simply won’t work in a large enterprise. Typically, the person would be very direct toward people who want an exception to security policy, avoid collaboration, avoid discovering why the person wants the exception, and just dictate behavior,” says Cowperthwaite.

“They often don’t realize that their excitement and sometimes irrational exuberance around all things information security is not shared by most people in the organization,” Rothke says.

In the end, perhaps the most important thing is to be one’s self. “Show that you have a passion for security, be it examining logs, performing code review or risk assessments, or even administering security appliances. If you are good at critical thinking and have a good technical background, learning the rest is easy,” says Sverdlik.


7 timeless lessons of programming ‘graybeards’

Heed the wisdom of your programming elders, or suffer the consequences of fundamentally flawed code

In episode 1.06 of the HBO series “Silicon Valley,” Richard, the founder of a startup, gets into a bind and turns for help to a boy who looks 13 or 14.

The boy genius takes one look at Richard and says, “I thought you’d be younger. What are you, 25?”

“26,” Richard replies.


The software industry venerates the young. If you have a family, you’re too old to code. If you’re pushing 30 or even 25, you’re already over the hill.

Alas, the whippersnappers aren’t always the best solution. While their brains are full of details about the latest, trendiest architectures, frameworks, and stacks, they lack fundamental experience with how software really works and doesn’t. These experiences come only after many lost weeks of frustration born of weird and inexplicable bugs.

Like the viewers of “Silicon Valley,” who by the end of episode 1.06 get the satisfaction of watching the boy genius crash and burn, many of us programming graybeards enjoy a wee bit of schadenfreude when those who have ignored us for being “past our prime” end up with a flaming pile of code simply because they didn’t listen to their programming elders.

In the spirit of sharing or to simply wag a wise finger at the young folks once again, here are several lessons that can’t be learned by jumping on the latest hype train for a few weeks. They are known only to geezers who need two hexadecimal digits to write their age.
Memory matters

It wasn’t so long ago that computer RAM was measured in megabytes not gigabytes. When I built my first computer (a Sol-20), it was measured in kilobytes. There were about 64 RAM chips on that board and each had about 18 pins. I don’t recall the exact number, but I remember soldering every last one of them myself. When I messed up, I had to resolder until the memory test passed.

When you jump through hoops like that for RAM, you learn to treat it like gold. Kids today allocate RAM left and right. They leave pointers dangling and don’t clean up their data structures because memory seems cheap. They know they can click a button and the hypervisor adds another 16GB to the cloud instance. Why should anyone programming today care about RAM when Amazon will rent you an instance with 244GB?

But there’s always a limit to what the garbage collector will do, exactly as there’s a limit to how many times a parent will clean up your room. You can allocate a big heap, but eventually you need to clean up the memory. If you’re wasteful and run through RAM like tissues in flu season, the garbage collector could seize up grinding through that 244GB.

Then there’s the danger of virtual memory. Your software will run 100 to 1,000 times slower if the computer runs out of RAM and starts swapping out to disk. Virtual memory is great in theory, but slower than sludge in practice. Programmers today need to recognize that RAM is still precious. If they don’t, the software that runs quickly during development will slow to a crawl when the crowds show up. Your work simply won’t scale. These days, everything is about being able to scale. Manage your memory before your software or service falls apart.

The marketing folks selling the cloud like to pretend the cloud is a kind of computing heaven where angels move data with a blink. If you want to store your data, they’re ready to sell you a simple Web service that will provide permanent, backed-up storage and you won’t need to ever worry about it.

They may be right in that you might not need to worry about it, but you’ll certainly need to wait for it. All traffic in and out of computers takes time. Computer networks are drastically slower than the traffic between the CPU and the local disk drive.

Programming graybeards grew up in a time when the Internet didn’t exist. FidoNet would route your message by dialing up another computer that might be closer to the destination. Your data would take days to make its way across the country, squawking and whistling through modems along the way. This painful experience taught them that the right solution is to perform as much computation as you can locally and write to a distant Web service only when everything is as small and final as possible. Today’s programmers can take a tip from these hard-earned lessons of the past by knowing, like the programming graybeards, that the promises of cloud storage are dangerous and should be avoided until the last possible millisecond.
Compilers have bugs

When things go haywire, the problem more often than not resides in our code. We forgot to initialize something, or we forgot to check for a null pointer. Whatever the specific reason, every programmer knows, when our software falls over, it’s our own dumb mistake — period.

As it turns out, the most maddening errors aren’t our fault. Sometimes the blame lies squarely on the compiler or the interpreter. While compilers and interpreters are relatively stable, they’re not perfect. The stability of today’s compilers and interpreters has been hard-earned. Unfortunately, taking this stability for granted has become the norm.

It’s important to remember they too can be wrong and consider this when debugging the code. If you don’t know it could be the compiler’s fault, you can spend days or weeks pulling out your hair. Old programmers learned long ago that sometimes the best route for debugging an issue involves testing not our code but our tools. If you put implicit trust in the compiler and give no thought to the computations it is making to render your code, you can spend days or weeks pulling out your hair in search of a bug in your work that doesn’t exist. The young kids, alas, will learn this soon enough.

Long ago, I heard that IBM did a study on usability and found that people’s minds will start to wander after 100 milliseconds. Is it true? I asked a search engine, but the Internet hung and I forgot to try again.

Anyone who ever used IBM’s old green-screen apps hooked up to an IBM mainframe knows that IBM built its machines as if this 100-millisecond mind-wandering threshold was a fact hard-wired in our brains. They fretted over the I/O circuitry. When they sold the mainframes, they issued spec sheets that counted how many I/O channels were in the box, in the same way car manufacturers count cylinders in the engines. Sure, the machines crashed, exactly like modern ones, but when they ran smoothly, the data flew out of these channels directly to the users.

I have witnessed at least one programming whippersnapper defend a new AJAX-heavy project that was bogged down by too many JavaScript libraries and data flowing to the browser. It’s not fair, they often retort, to compare their slow-as-sludge innovations with the old green-screen terminals that they have replaced. The rest of the company should stop complaining. After all, we have better graphics and more colors in our apps. It’s true — the cool, CSS-enabled everything looks great, but users hate it because it’s slow.
The real Web is never as fast as the office network

Modern websites can be time pigs. It can often take several seconds for the megabytes of JavaScript libraries to arrive. Then the browser has to push these multilayered megabytes through a JIT compiler. If we could add up all of the time the world spends recompiling jQuery, it could be thousands or even millions of years.

This is an easy mistake for programmers who are in love with browser-based tools that employ AJAX everywhere. It all looks great in the demo at the office. After all, the server is usually on the desk back in the cubicle. Sometimes the “server” is running on localhost. Of course, the files arrive with the snap of a finger and everything looks great, even when the boss tests it from the corner office.

But the users on a DSL line or at the end of a cellular connection routed through an overloaded tower? They’re still waiting for the libraries to arrive. When the libraries don’t arrive in a few milliseconds, they’re off to some article on TMZ.

On one project, I ran into trouble with an issue exactly like Richard in “Silicon Valley” and I turned to someone below the drinking age who knew Greasemonkey backward and forward. He rewrote our code and sent it back. After reading through the changes, I realized he had made it look more elegant but the algorithmic complexity went from O(n) to O(n^2). He was sticking data in a list in order to match things. It looked pretty, but it would get very slow as n got large.

Algorithm complexity is one thing that college courses in computer science do well. Alas, many high school kids haven’t picked this up while teaching themselves Ruby or CoffeeScript in a weekend. Complexity analysis may seem abstruse and theoretical, but it can make a big difference as projects scale. Everything looks great when n is small. Exactly as code can run quickly when there’s enough memory, bad algorithms can look zippy in testing. But when the users multiply, it’s a nightmare to wait on an algorithm that takes O(n^2) or, even worse, O(n^3).

When I asked our boy genius whether he meant to turn the matching process into a quadratic algorithm, he scratched his head. He wasn’t sure what we were talking about. After we replaced his list with a hash table, all was well again. He’s probably old enough to understand by now.
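
The list-versus-hash-table difference described above, shown as an added example (this is not the code from the anecdote; the record shape, function names, and data are constructed for illustration). It counts operations instead of timing them, so the growth is visible and repeatable: doubling n roughly quadruples the list-scan work but only doubles the hash-table work.

```javascript
// Constructed sample data: n records whose ids are a permutation of 0..n-1.
// 7919 is prime, so (i * 7919) % n is a permutation whenever n is not a multiple of 7919.
function makeRecords(n, prefix) {
  const out = [];
  for (let i = 0; i < n; i++) {
    out.push({ id: (i * 7919) % n, label: `${prefix}-${i}` });
  }
  return out;
}

// Quadratic approach: for every left record, scan the right list until the id matches.
// Even with the early break, the total work is n(n+1)/2 comparisons.
function matchWithList(left, right) {
  let comparisons = 0;
  const pairs = [];
  for (const l of left) {
    for (const r of right) {
      comparisons++;
      if (r.id === l.id) {
        pairs.push([l.label, r.label]);
        break;
      }
    }
  }
  return { pairs, comparisons };
}

// Linear approach: index the right list once in a Map (a hash table),
// then do one constant-time lookup per left record.
function matchWithMap(left, right) {
  let operations = 0;
  const byId = new Map();
  for (const r of right) {
    operations++;
    byId.set(r.id, r);
  }
  const pairs = [];
  for (const l of left) {
    operations++;
    const r = byId.get(l.id);
    if (r !== undefined) pairs.push([l.label, r.label]);
  }
  return { pairs, operations };
}

// Run both approaches on the same input and report the work each one did.
function compare(n) {
  const left = makeRecords(n, "L");
  const right = makeRecords(n, "R").reverse();
  const viaList = matchWithList(left, right);
  const viaMap = matchWithMap(left, right);
  return {
    n,
    samePairs: JSON.stringify(viaList.pairs) === JSON.stringify(viaMap.pairs),
    listComparisons: viaList.comparisons,
    mapOperations: viaMap.operations,
  };
}

for (const n of [1000, 2000, 4000]) {
  console.log(compare(n));
}
```

Both functions return the same pairs; only the amount of work differs, which is why the slower version looks fine in testing when n is small.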
Libraries can suck

The people who write libraries don’t always have your best interest at heart. They’re trying to help, but they’re often building something for the world, not your pesky little problem. They often end up building a Swiss Army knife that can handle many different versions of the problem, not something optimized for your issue. That’s good engineering and great coding, but it can be slow.

If you’re not paying attention, libraries can drag your code into a slow swamp and you won’t even know it. I once had a young programmer mock my code because I wrote 10 lines to pick characters out of a string.

“I can do that with a regular expression and one line of code,” he boasted. “Ten-to-one improvement.” He didn’t consider the way that his one line of code would parse and reparse that regular expression every single time it was called. He simply thought he was writing one line of code and I was writing 10.

Libraries and APIs can be great when used appropriately. But if they’re used in the inner loops, they can have a devastating effect on speed and you won’t know why.



Oldest dot-com address sits sadly underused 30 years after its historic registration

Someone had to go first, so on March 15, 1985, Lisp computer maker Symbolics, Inc., registered the Internet’s first dot-com address:


The Cambridge-headquartered company went out of business about a decade ago (though remnants live on) and in August 2009 the address was sold for an undisclosed sum to Investments, whose CEO Aron Meystedt said in a press release: “For us to own the first domain is very special to our company, and we feel blessed for having the ability to obtain this unique property.”

Today it looks like more of a white elephant than a blessing, what with a largely empty “cityscape” design and a blog that hasn’t been updated in two years. Yet Meystedt remains optimistic, at least outwardly.

“We created the city concept to make browsing the site fun, but it also could grow into a revenue-generating property if we allow advertisers to sponsor elements in the cityscape,” he says.

The design includes clickable elements that reward the visitor with nuggets of information about the Internet, such as: “Gmail first launched on April 1st, 2004. It was widely assumed the service was an April Fools Day joke.”

Not exactly Reddit’s “Today I Learned.”

“As far as traffic, the daily visitors can range from several hundred to several thousand,” Meystedt says. “This usually depends on how well is circulated on social media or news blogs.”

And that probably picks up around March 15.

The problem here appears obvious: is not Plymouth Rock; it would appear to be valuable – at least in a business sense – only if you’re running a company called Symbolics.

I asked Meystedt if might be for sale.

“We have no plans to sell the name at this time.”

Make him an offer.



The Big Question Rises How To Become Microsoft, Cisco, CompTIA Certified

The big question is how to become Microsoft certified. All Microsoft certifications are acquired by simply taking a series of exams. If you can self-study for said exams, and then pass them, then you can acquire the certification for the mere cost of the exam (and maybe whatever self-study materials you purchase).

You’ll also need, at minimum (in addition to the MCTS), the CompTIA A+, Network+ and Security+ certs; as well as the Cisco CCNA cert.

Microsoft Certified Technology Specialist (MCTS) – This is the basic entry point of Microsoft Certifications. You only need to pass a single certification test to be considered an MCTS and there are numerous different courses and certifications that would grant you this after passing one. If you are shooting for some of the higher certifications that will be discussed below, then you’ll get this on your way there.

Microsoft Certified Professional Developer (MCPD) – This certification was Microsoft’s previous “Developer Certification” meaning that this was the highest certification that was offered that consisted strictly of development-related material. Receiving it involved passing four exams within specific areas (based on the focus of your certification). You can find the complete list of courses and paths required for the MCPD here.

Microsoft Certified Solutions Developer (MCSD) – This is Microsoft’s most recent “Developer Certification” which will replace the MCPD Certification (which is being deprecated / retired in July of 2013). The MCSD focuses within three major areas of very recent Microsoft development technologies and would likely be the best to pursue if you wanted to focus on current and emerging skills that will be relevant in the coming years. You can find the complete list of courses and paths required for the MCSD here.

The Microsoft Certifications that you listed are basically all of the major ones within the realm of development. I’ll cover each of the major ones and what they are :

Most people, however, take some kind of course. Some colleges — especially career and some community colleges — offer such courses (though usually they’re non-credit). Other providers of such courses are private… some of them Microsoft Certified vendors of one type or another, who offer the courses in such settings as sitting around a conference table in their offices. Still others specialize in Microsoft certification training, and so have nice classrooms set up in their offices.

There are also some online (and other forms of distance learning) courses to help prepare for the exams.

The cost of taking classes to prepare can vary wildly. Some are actually free (or very nearly so), while others can cost hundreds of dollars. It all just depends on the provider.

And here’s a Google search of MCTS training resources (which can be mind-numbing in their sheer numbers and types, so be careful what you choose):

There are some pretty good, yet relatively inexpensive, ways to get vendor certificate training. Be careful not to sign-up for something expensive and involved when something cheaper — like subscribing to an “all the certificates you care to study for one flat rate” web site — would, in addition to purchasing a study guide or two at a bookstore, likely be better.

If you want a career in IT, then you need to have both an accredited degree in same (preferably a bachelors over an associates), and also a variety of IT certifications. The MCTS is but one that you will need.

You should probably also get the Microsoft MCSE and/or MCSA. The ICS CISSP. And the ITIL.

There are others, but if you have those, you’ll be evidencing a broad range of IT expertise that will be useful, generally. Then, in addition, if the particular IT job in which you end-up requires additional specialist certification, then you can get that, too (hopefully at the expense of your employer who requires it of you).

Then, whenever (if ever) you’re interested in a masters in IT, here’s something really cool of which you should be aware…

There’s a big (and fully-accredited, fully-legitimate) university in Australia which has partnered with Microsoft and several other vendors to structure distance learning degrees which include various certifications; and in which degrees, considerable amounts of credit may be earned simply by acquiring said certifications. It’s WAY cool.

One can, for example, get up to half of the credit toward a Masters degree in information technology by simply getting an MCSE (though the exams which make it up must be certain ones which correspond with the university’s courses). I’ve always said that if one were going to get an MCSE, first consult the web site of this university and make sure that one takes the specific MCSE exams that this school requires so that if ever one later decided to enter said school’s masters program, one will have already earned up to half its degree’s credits by simply having the MCSE under his/her belt. Is that cool, or what?

I wouldn’t rely on them over experience (which is far and away the most valuable asset out there) but they are worth pursuing especially if you don’t feel like you have enough experience and need to demonstrate that you have the necessary skills to land a position as a developer.

If you are going to pursue a certification, I would recommend going after the MCSD (Web Applications Track) as it is a very recent certification that focuses on several emerging technologies that will still be very relevant (if not more-so) in the coming years. You’ll pick up the MCTS along the way and then you’ll have both of those under your belt. MCPD would be very difficult to achieve based on the short time constraints (passing four quite difficult tests within just a few months is feasible, but I don’t believe that it is worth it since it will be “retired” soon after).

No job experience at all is necessary for any of the Microsoft Certifications; you can take them at any time, as long as you feel confident enough with the materials of the specific exam. The tests are quite difficult by most standards and typically cover large amounts of material, but with what sounds like a good bit of time to study and prepare you should be fine.

Certifications, in addition to degrees, are so important in the IT field, now, that one may almost no longer get a job in that field without both. The certifications, though, are so important that one who has a little IT experience can get a pretty good job even without a degree as long as he has all the right certs. But don’t do that. Definitely get the degree… and not merely an associates. Get the bachelors in IT; and make sure it’s from a “regionally” accredited school.

Then get the certs I mentioned (being mindful, if you think you’ll ever get an IT masters, to take the specific exams that that Strut masters program requires so that you’ll have already earned up to half the credit just from the certs).

If you already have two years of experience in working in the .NET environment, a certification isn’t going to guarantee that you will get employed, a salary increase or any other bonuses for achieving the honor. However, it can help supplement your resume by indicating that you are familiar with specific technologies enough to apply them in real-world applications to solve problems.


IT certifications that deliver higher pay 2015

Certifications abound in the IT industry, but they are not all equal. To help you find the ones that will result in the most financial gain, twice a year we look at which certifications are poised for the biggest growth.

2015’s Hottest IT Certification
Ever wonder how much that certification is worth? While it’s hard to put a dollar sign on certifications, CompTIA offers some insight in the results from a recent survey.

65 percent of employers use IT certifications to differentiate between equally qualified candidates
72 percent of employers use IT certifications as a requirement for certain job roles
60 percent of organizations often use IT certifications to confirm a candidate’s subject matter knowledge or expertise
66 percent of employers consider IT certifications to be very valuable — a dramatic increase from the 30 percent in 2011

Numbers like these make it hard to discount the validity of certifications. That said, all certifications are not equal, which is why twice a year we look at which certifications are poised for growth over the next six to 12 months. And with 2015 upon us, we turn to Foote Partners and its recently released “IT Skills Demand and Pay Trends Report” to find out which certifications will carry the most weight throughout 2015 in terms of pay and demand.

“The hot list is put together by looking at 3-6-12 month value growth vectors then vetting it via interviews with about 400 CIOs and other decision makers on their skills investment plans for 2015,” says David Foote, chief analyst and research officer with Foote Partners.

“Historical pay premium performance is only one of many factors we consider in forecasting. It is normal in our forecasting that 50 percent or more of the skills showing the most growth in the prior three months and six months do not make our Hot List of skills that we are certain will increase in value in next 6 months,” says Foote.

Citrix Certified Enterprise Engineer for Virtualization
Citrix Systems, a leader in the software virtualization niche, owned 56 percent of the virtualization market as of January 2014. That number highlights why demand and pay premiums for this certification are so strong and expected to grow. However, this certification has been retired as of November 2014, replaced by Citrix Certified Professional – Virtualization (CCP-V).

“The value of this certification is in the confirmed ability of the owner to be able to implement and validate varied Citrix implementations. Strongly recommend for experienced engineers looking to validate their skills and ability to design and support complex implementations,” says Elaine Cheng, CIO at the CFA Institute.

CompTIA Security+
Security should be at the forefront of every CIO’s mind. In fact, pay value for this certification based on Foote Partners data has grown 40 percent over the last 12 months and is expected to continue to rise. “A solid certification that shows an understanding of best practice security approaches across several areas. This is a great second-level certification for the individual wanting to expand into the security aspect of IT,” says Cheng.

GIAC Certified Windows Security Administrator
Although Windows is behind in the mobile game, it still dominates the desktop and the enterprise and Microsoft is making strides towards being more mobile-centric. Combine that with mounting security risks and it’s easy to see why the GIAC Certified Windows Security Administrator should continue to be in demand.

“This is a broad and complex certification that a successful Windows engineer should have. It is in no way an easy exam and truly validates a strong engineer skill set across all aspects of Windows security. Our own engineers have tried for this exam several times. It is challenging and a high bar to meet,” says Cheng.

Certified Computer Examiner
Cybercrime, privacy and data security have been in the headlines over the past couple of years. Many analysts believe that 2015 is the year where organizations are going to spend more of their IT budgets on security. This vendor-neutral certification, open to both law enforcement and non-law enforcement personnel, created by the International Society of Forensic Computer Examiners, is yet another in the field of forensics that is rapidly growing in industry recognition.

AWS Certified SysOps Administrator-Associate (Cloud)
According to a recent ComputerWorld cloud computing is second only to security on the list of areas where CIOs plan to spend their money. Most organizations have deployed or are researching some cloud infrastructure, making it a great area in which to specialize. “This is a great entry-level certification for individuals looking to show an understanding of the Amazon Cloud solution for the IaaS solutions. It should be a recommended certification for any engineer supporting AWS,” says Cheng.

EC-Council Certified Security Analyst
Another security certification makes the list. This is one of the certifications that Foote says will pay off particularly well in 2015.

“In the case of security-related certifications such as CyberSecurity Forensic Analyst and Certified Ethical Hacker, [EC-Council Certified Security Analyst] is a requirement for companies because of the specific nature of the training/knowledge provided throughout the curriculum of the certification itself. Most of the requirements that ask for specific certifications are originated from organizations that must follow Security Compliance guidelines mandated by the government: HIPAA, SOX and PCI-DSS to name a few examples. It definitely makes it tougher for both the company and the recruiting firms from a supply standpoint because there is a higher demand than supply of these certified individuals across the industry,” says Katie Powers, national delivery manager of Network Infrastructure Services with TEKsystems.

Mongo DB Certified DBA
A recent Capgemini survey of 225 companies found that most organizations struggle to get actionable results from their big data initiatives. In fact, only 27 percent of those organizations described their big data initiatives as successful. Don’t be discouraged, however, if a career in big data is what you want. Big data is still growing and an additional fact to come out of the survey is that 60 percent of executives interviewed expect big data will disrupt their business within the next three years.

“With the continued need for security trained resources, explosion of the data and the need for tools and applications to manage and make this valuable for the business, increased consumption of the cloud – the need for structured avenues to train existing resources in new technologies as it relates to these areas has become critical,” says Bhavani Amirthalingam, vice president, NAM Region at Schneider Electric.

Microsoft Certified Solution Developer: Applications Lifecycle Management
MCSDs, or Microsoft Certified Solution Developers, have passed exams to prove their ability to design and develop business applications using Microsoft’s suite of development tools, both within Microsoft platforms and beyond what would be considered traditional platforms. IT pros who specialize in application lifecycle management help to increase overall efficiency and produce better overall products.

“At Schneider, Oracle and Microsoft technology would be key areas of interest,” says Amirthalingam.

Cisco Certified Design Associate
The CCDA is a vendor-specific certification that teaches students Cisco network design fundamentals. The main focus is on designing basic campus, data center, security, voice and wireless networks. Value/Demand has risen 16.7 percent in the last six months and, according to Foote Partners data, demand will continue to increase throughout 2015.

Certified in the Governance of Enterprise IT

Most Recent Additions to Foote Partners’ Hot List
In our most recent conversation with Foote, shortly before publishing this report, he said he was digging deeper into his data and interviewing process and called out these certifications as well, predicting them to be growth areas in 2015.

Below is the most recent data on certifications that just became available.

Lean Six Sigma 0% 7.1% 15.4%



Can the enterprise allow employees to use the public cloud?

The theme today isn’t about enterprise clouds that are my normal topic, but instead, clouds where end users fly. Face it – your users are in their own clouds. Is that a nervous tic I see on your face?

iCloud OwnCloud


Magic sauce

Store my files

Store your files

Store our files

Mix them all together

Stir with random care

You said that file is where?

I find this harrowing. Users face no real way, without a lot of work that they’re disinclined to do or even understand, to know if a personal device’s files will be stored securely in any particular cloud provider’s bin.

There are no standards. No seals of approvals worth spit. Random selection will take place, with a bias towards something your operating system provider conveniently provides.

Or maybe the home machine is a Mac (see: iCloud) and the office machine runs Windows 7, and the phone is an Android. People interchange files frequently from one device to another without thinking about the ramifications of a differing cloud provider. More copies are better, of course, because people want the convenience of just getting their files, photos, music, videos, and yes, work products, on demand. Demand is for now, not hauling out another device, booting it up, waiting for a logon, logging in (too many machines don’t require passwords), maybe a signal, then maneuvering to some deep folder to fetch a file. Convenience rules.

This flies in the face of the hopes, dreams, and practical realities of security officers, policy makers, and IT professionals everywhere. It also explains the successful business model behind every convenience store in the world – time pressure.

There are ways to keep sensitive data from finding its way into someone’s messy cloud cache, ranging from draconian to astute. Much depends on the values an organization imposes on its users. Yes, they have to be based on trust, and yes, people – even organized and thoughtful people – can be messy with data assets.

Sophisticated data loss prevention schemes are in place in some environments. Others force users to log on to virtual sessions and work within the ostensibly safe boundaries of those sessions. Some use sophisticated document or work-product tracking. Others force and use seriously sophisticated, often OS-based, policy controls (ex: Microsoft’s Group Policy Objects) in an effort to impose moats around applications and, hopefully, their data. Swimming moats gets an airborne drone when clipboards are enabled…a trick I’ve had recently demonstrated to me.

Can you implement an approved cloud? How would you judge it? Encryption on the wire in addition to in-storage? Who do you whitelist?

My values, and those of most of my colleagues, say not to allow any organizational data to end up stored in places we don’t control and can’t audit – period, end of page, and job, if we catch you. Like BYOD, I also recognize that users will be users, and policies vary on the issue from draconian (yeah, you’re fired) to “this is our list of approved sites.” Don’t use XY or Z, as they’re unapproved, meaning blacklisting cloud storage.

If you get a chance, tell me which you – or your employer – might approve of, and why, in three sentences or less. You can also say things like: “No Way, I’ll be shot at dawn if I say this, but…” and/or if they would (Upworthy alert) Change This One Thing.




Google relaxes strict bug disclosure rules after Microsoft grievances

After dust-up between the companies over bug revelations, Google offers 14-day grace period before going public

Google today relaxed its strict 90-day vulnerability disclosure that put it at odds with rival Microsoft last month, saying it would give vendors a 14-day grace period if they promised to fix a flaw within the two-week stretch.

“If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch,” Google’s Project Zero team said today in a blog post.

“Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+),” the team added.

Google will also not reveal a vulnerability on weekends and U.S. public holidays, even if the timetable expires on those days.

Although Microsoft welcomed Google’s modifications, it continued to disagree with Project Zero’s patch-or-we-publish attitude. “While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies,” said Chris Betz, senior director of the Microsoft Security Response Center (MSRC), in a statement today. “When finders release proof-of-concept exploit code, or other information publicly before a solution is in place, the risk of attacks against customers goes up.”

“These were the right things to do,” said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy, in a Friday interview. “Weekends and holidays are obvious. It’s true that the bad guys never sleep but you have to account for those days. And I like the grace period idea. It shows that Google is communicating with vendors.”

Project Zero is composed of several Google security engineers — including many of its most notable researchers — who investigate not only the company’s own software, but that of other vendors as well. Previously, its policy was to start a 90-day clock when it reported a flaw to an outside vendor, then publicly posted details and sample attack code at the expiration if the vulnerability had not been patched.

Over several weeks starting on Dec. 29, 2014, Project Zero revealed numerous bugs in Windows before Microsoft patched them.

That quickly drew the ire of Microsoft. After Project Zero disclosed a Windows vulnerability on Jan. 11 — two days before Microsoft was set to patch it — the latter lashed out.

“We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix,” Betz said at the time. “[Google’s] decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result.”


Had the new grace period been in place, some but not all of the Windows vulnerabilities disclosed by Project Zero this year would have been kept under wraps until Microsoft had patched them, including the one Betz was angry about last month.

Some, however, would have still been revealed prior to patching.
One of those vulnerabilities had been reported to Microsoft on Oct. 17, with an expiration date of Jan. 15, when Google automatically unveiled details and proof-of-concept attack code. At the time, Project Zero’s bug tracker asserted that while Microsoft had initially intended to patch the vulnerability on Jan. 13, it pulled the fix “due to compatibility issues” and rescheduled it for the Feb. 10 collection. It was, in fact, patched earlier this week.

A two-week grace would not have helped Microsoft in that case.

But the grace period should answer critics who took Project Zero to task for its hard-liner policy.

“Microsoft is never going to get a fix into the first Patch Tuesday after a report, nor in the second depending on the timing,” said Chet Wisniewski, a security researcher with Sophos, in a January interview. Because of Microsoft’s similarly rigid Patch Tuesday schedule — the second Tuesday of each month — Google’s disclosure deadline could “push right against the deadline almost every time,” Wisniewski argued.

The automated disclosure system also removed the human element, critics said. “Google’s pretty big on things being automated, versus people-driven processes,” pointed out John Pescatore, director of emerging security trends at the SANS Institute, also in a January interview on Project Zero’s approach.

Wisniewski thought there was another reason for the automated disclosure, and the resulting inflexibility.

“If Google made it automatic, then it can’t be accused of being vindictive,” said Wisniewski, referring to previous clashes between Google security engineers and Microsoft, when that charge had been leveled against the former after they revealed bugs without giving Microsoft more than a few days to patch.

Storms saw the grace period as evidence that Google realized the all-automatic disclosure process wasn’t appropriate.

“It’s a ‘gimme,’ as in the vendor saying, ‘Gimme a break, I’m so close to a patch,'” said Storms of the additional time. “You have to consider the goal, which is not to shame people, but to get things fixed. [The grace period] adds a human element to it, which is necessary.”

As of Friday, there were two vulnerabilities on the Project Zero bug tracker that had exceeded the 90-day deadline. Both were for flaws in Adobe’s Reader; Adobe had patched the bugs in December in the Windows version of Reader, but has not yet addressed the same vulnerabilities in the OS X version of the PDF program.
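
The revised timetable described above, replayed against the article's two Windows cases, as an added example (not Google's tooling and not code from the article). It assumes a deadline that lands on a weekend or holiday rolls forward to the next working day, infers the years from the article's dates, and uses constructed vendor-notice dates and a constructed holiday list.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

DEADLINE_DAYS = 90  # clock starts when the flaw is reported to the vendor
GRACE_DAYS = 14     # extension when a patch is scheduled this soon after the deadline


@dataclass(frozen=True)
class Plan:
    deadline: date             # report date + 90 days
    public_on: Optional[date]  # None when the fix ships by the deadline
    unpatched: bool            # True if details go public before a fix exists
    rule: str                  # "patched-in-time", "grace" or "deadline"


def next_working_day(day: date, holidays: FrozenSet[date]) -> date:
    """Skip Saturdays, Sundays and listed holidays.

    Assumption: the article only says nothing is revealed on those days;
    rolling forward to the next working day is this example's reading.
    """
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def plan_disclosure(reported: date,
                    patch_date: Optional[date] = None,
                    vendor_notice: Optional[date] = None,
                    holidays: FrozenSet[date] = frozenset()) -> Plan:
    """Apply the 90-day deadline, 14-day grace period and weekend/holiday rule."""
    deadline = reported + timedelta(days=DEADLINE_DAYS)

    # Fix ships on or before the deadline: no unpatched disclosure happens.
    if patch_date is not None and patch_date <= deadline:
        return Plan(deadline, None, False, "patched-in-time")

    # Grace period: the vendor must say so *before* the deadline, and the
    # patch day must fall within 14 days after it.
    grace_end = deadline + timedelta(days=GRACE_DAYS)
    if (patch_date is not None and vendor_notice is not None
            and vendor_notice < deadline and patch_date <= grace_end):
        return Plan(deadline, patch_date, False, "grace")

    # Deadline significantly missed (or no notice given): details go public.
    return Plan(deadline, next_working_day(deadline, holidays), True, "deadline")


# Constructed holiday subset for the sample window (not a complete calendar).
HOLIDAYS = frozenset({date(2015, 1, 1), date(2015, 1, 19)})


def article_cases() -> dict:
    """Replay the article's two Windows cases; years are inferred from context."""
    # Case A: reported Oct. 17, expired Jan. 15, fix rescheduled to Feb. 10.
    # The vendor-notice date is constructed.
    case_a = plan_disclosure(date(2014, 10, 17), date(2015, 2, 10),
                             vendor_notice=date(2015, 1, 12), holidays=HOLIDAYS)

    # Case B: disclosed Jan. 11, fix due Jan. 13. Assumption: Jan. 11 was the
    # 90-day expiry, so the report date is derived; the notice date is constructed.
    reported_b = date(2015, 1, 11) - timedelta(days=DEADLINE_DAYS)
    case_b = plan_disclosure(reported_b, date(2015, 1, 13),
                             vendor_notice=date(2015, 1, 8), holidays=HOLIDAYS)

    # Case B without any vendor notice: only the weekend rule applies.
    case_b_no_notice = plan_disclosure(reported_b, date(2015, 1, 13),
                                       holidays=HOLIDAYS)
    return {"A": case_a, "B": case_b, "B-no-notice": case_b_no_notice}


if __name__ == "__main__":
    for name, plan in article_cases().items():
        print(name, plan)
```

Case A still goes public unpatched because Feb. 10 is 26 days past the deadline, while case B is held until the Jan. 13 fix; without vendor notice, case B's Sunday expiry would only have moved disclosure to Monday.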

Best Top-Paying and most in demand for Certifications 2014 – 2015


It’s always a good idea to take stock of your skills, your pay, and your certifications. To that end, following is a review of 15 of the top-paying certifications for 2014. With each certification, you’ll find the average (mean) salary and a brief description.

Based on the 2014 IT Skills and Salary Survey conducted by Global Knowledge and Penton and completed in October 2013, the rankings below are derived from certifications that received the minimum number of responses to be statistically relevant. Certain certifications pay more but are not represented due to their exclusive nature. Examples include Cisco Certified Internetworking Expert (CCIE) and VMware Certified Design Expert (VCDX). This was a nationwide survey, and variations exist based on where you work, years of experience, and company type (government, non profit, etc.).

1. Certified in Risk and Information Systems Control (CRISC) – $118,253
The non-profit group ISACA offers CRISC certification, much in the way that CompTIA manages the A+ and Network+ certifications. Formerly, “ISACA” stood for Information Systems Audit and Control Association, but now they’ve gone acronym only.

The CRISC certification is designed for IT professionals, project managers, and others whose job it is to identify and manage risks through appropriate Information Systems (IS) controls, covering the entire lifecycle, from design to implementation to ongoing maintenance. It measures two primary areas: risk and IS controls. Similar to the IS control lifecycle, the risk area spans the gamut from identification and assessment of the scope and likelihood of a particular risk to monitoring for it and responding to it if/when it occurs.

Since CRISC’s introduction in 2010, more than 17,000 people worldwide have earned this credential. The demand for people with these skills and the relatively small supply of those who have them result in this being the highest salary for any certification on our list this year.

To obtain CRISC certification, you must have at least three years of experience in at least three of the five areas that the certification covers, and you must pass the exam, which is only offered twice a year. This is not a case where you can just take a class and get certified. Achieving CRISC certification requires effort and years of planning.

2. Certified Information Security Manager (CISM) – $114,844

ISACA also created CISM certification. It’s aimed at management more than the IT professional and focuses on security strategy and assessing the systems and policies in place more than it focuses on the person who actually implements those policies using a particular vendor’s platform.

More than 23,000 people have been certified since its introduction in 2002, making it a highly sought after area with a relatively small supply of certified individuals. In addition, the exam is only offered three times a year in one of approximately 240 locations, making taking the exam more of a challenge than many other certification exams. It also requires at least five years of experience in IS, with at least three of those as a security manager. As with CRISC, requirements for CISM certification demand effort and years of planning.

3. Certified Information Systems Auditor (CISA) – $112,040
The third highest-paying certification is also from ISACA; this one is for IS auditors. CISA certification is ISACA’s oldest, dating back to 1978, with more than 106,000 people certified since its inception. CISA certification requires at least five years of experience in IS auditing, control, or security in addition to passing an exam that is only offered three times per year.

The CISA certification is usually obtained by those whose job responsibilities include auditing, monitoring, controlling, and/or assessing IT and/or business systems. It is designed to test the candidate’s ability to manage vulnerabilities, ensure compliance with standards, and propose controls, processes, and updates to a company’s policies to ensure compliance with accepted IT and business standards.

4. Six Sigma Green Belt – $109,165
Six Sigma is a process of analyzing defects (anything outside a customer’s specifications) in a production (manufacturing) process, with a goal of no more than 3.4 defects per million “opportunities” or chances for a defect to occur. The basic idea is to measure defects, analyze why they occurred, and then fix the issue and repeat. There is a process for improving existing processes and a slightly modified version for new processes or major changes. Motorola pioneered the concept in the mid-1980s, and many companies have since followed their examples to improve quality.

This certification is different from the others in this list, as it is not IT specific. Instead, it is primarily focused on manufacturing and producing better quality products.

There is no organization that owns Six Sigma certification per se, so the specific skills and number of levels of mastery vary depending on which organization or certifying company is used. Still, the entry level is typically Green Belt and the progression is to Black Belt and Master Black Belt. Champions are responsible for Six Sigma projects across the entire organization and report to senior management.

5. Project Management Professional (PMP) – $108,525
The PMP certification was created and is administered by the Project Management Institute (PMI®), and it is the most recognized project management certification available. There are more than half a million active PMPs in 193 countries worldwide.

The PMP certification exam tests five areas relating to the lifecycle of a project: initiating, planning, executing, monitoring and controlling, and closing. PMP certification is for running any kind of project, and it is not specialized into sub types, such as manufacturing, construction, or IT.

To become certified, individuals must have 35 hours of PMP-related training along with 7,500 hours of project management experience (if they have less than a bachelor’s degree) or 4,500 hours of project management experience with a bachelor’s or higher. PMP certification is another that requires years of planning and effort.

6. Certified Scrum Master – $107,396
Another project management-related certification, Certified Scrum Master is focused on software (application) development.

Scrum is a rugby term; it’s a means for restarting a game after a minor rules violation or after the ball is no longer in play (for example, when it goes out of bounds). In software development, Scrum is a project management process that is designed to act in a similar manner for software (application development) projects in which a customer often changes his or her mind during the development process.

In traditional project management, the request to change something impacts the entire project and must be renegotiated, a time-consuming and potentially expensive way to get the changes incorporated. There is also a single project manager.

In Scrum, however, there is not a single project manager. Instead, the team works together to reach the stated goal. The team should be co-located so members may interact frequently, and it should include representatives from all necessary disciplines (developers, product owners, experts in various areas required by the application, etc.).

Where PMP tries to identify everything up front and plan for a way to get the project completed, Scrum takes the approach that the requirements will change during the project lifecycle and that unexpected issues will arise. Rather than holding up the process, Scrum takes the approach that the problem the application is trying to solve will never be completely defined and understood, so team members must do the best they can with the time and budget available and by quickly adapting to change.

So where does the Scrum Master fit in? Also known as a servant-leader, the Scrum Master has two main duties: to protect the team from outside influences that would impede the project (the servant) and to chair the meetings and encourage the team to continually improve (the leader).

Certified Scrum Master certification was created and is managed by the Scrum Alliance and requires the individual to attend a class taught by a certified Scrum trainer and to pass the associated exam.

7. Citrix Certified Enterprise Engineer (CCEE) – $104,240
The CCEE certification is a legacy certification from Citrix that proves expertise in XenApp 6, XenDesktop 5, and XenServer 6 via the Citrix Certified Administrator (CCS) exams for each, the Citrix Certified Advanced Administrator (CCAA) for XenApp 6, and an engineering (advanced implementation-type) exam around implementing, securing, managing, monitoring, and troubleshooting a complete virtualization solution using Citrix products.

Those certified in this area are encouraged to upgrade their certification to the App and Desktop track instead, which focuses on just XenDesktop, taking one exam to become a Citrix Certified Professional – Apps and Desktops (CCP-AD). At this point though, the CCEE is available as long as the exams are available for the older versions of the products listed.

8. Citrix Certified Administrator (CCA) for Citrix NetScaler – $103,904
The CCA for NetScaler certification has been discontinued for NetScaler 9, and those with a current certification are encouraged to upgrade to the new Citrix Certified Professional – Networking (CCP-N). In any case, those with this certification have the ability to implement, manage, and optimize NetScaler networking performance and optimization, including the ability to support app and desktop solutions. As the Citrix certification program is being overhauled, refer to to view the certifications available, upgrade paths, etc.

9. Certified Ethical Hacker (CEH) – $103,822
The International Council of E-Commerce Consultants (EC-Council) created and manages CEH certification. It is designed to test the candidate’s abilities to prod for holes, weaknesses, and vulnerabilities in a company’s network defenses using techniques and methods that hackers employ. The difference between a hacker and a CEH is that a hacker wants to cause damage, steal information, etc., while the CEH wants to fix the deficiencies found. Given the many attacks, the great volume of personal data at risk, and the legal liabilities possible, the need for CEHs is quite high, hence the salaries offered.

10. ITIL v3 Foundation – $97,682
IT Infrastructure Library (ITIL®) was created by England’s government in the 1980s to standardize IT management. It is a set of best practices for aligning the services IT provides with the needs of the organization. It is broad based, covering everything from availability and capacity management to change and incident management, in addition to application and IT operations management.

It is known as a library because it is composed of a set of books. Over the last 30 years, it has become the most widely used framework for IT management in the world. ITIL standards are owned by AXELOS, a joint venture company created by the Cabinet Office on behalf of Her Majesty’s Government in the United Kingdom and Capita plc, but they have authorized partners who provide education, training, and certification. The governing body defined the certification tiers, but they leave it to the accredited partners to develop the training and certification around that framework.

The Foundation certification is the entry-level one and provides a broad-based understanding of the IT lifecycle and the concepts and terminology surrounding it. Anyone wishing for higher-level certifications must have this level first, thus people may have higher certifications and still list this certification in the survey, which may skew the salary somewhat.

For information on ITIL in general, please refer to Exams for certification are run by ITIL-certified examination institutes as previously mentioned; for a list of them, please refer to

11. Citrix Certified Administrator (CCA) for Citrix XenServer – $97,578
The CCA for XenServer certification is available for version 6 and is listed as a legacy certification, but Citrix has yet to announce an upgrade path to their new certification structure. Those with a CCA for Citrix XenServer have the ability to install, configure, administer, maintain, and troubleshoot a XenServer deployment, including Provisioning Services. As the Citrix certification program is being overhauled, refer to to view the certifications available, upgrade paths, etc.

12. ITIL Expert Certification – $96,194
The ITIL Expert certification builds on ITIL Foundation certification (see number 10 above). It is interesting that ITIL Expert pays less on average than ITIL Foundation certification. Again, I suspect the salary results may be somewhat skewed depending on the certifications actually held and the fact that everyone who is ITIL certified must be at least ITIL Foundation certified.

To become an ITIL Expert, you must pass the ITIL Foundation exam as well as the capstone exam, Managing Across the Lifecycle. Along the way, you will earn intermediate certifications of your choosing in any combination of the Lifecycle and Capability tracks. You must earn at least 22 credits, of which Foundation accounts for two and the Managing Across the Lifecycle exam counts for five. The other exams count for three each (in the Intermediate Lifecycle track) or four each (in the Intermediate Capability track) and can be earned in any order and combination, though the official guide suggests six recommended options. The guide is available at by clicking on the English – ITIL Qualification Scheme Brochure link.

13. Cisco Certified Design Associate (CCDA) – $95,602
Cisco’s certification levels are Entry, Associate, Professional, Expert, and Architect. Those who obtain this Associate-level certification are typically network design engineers, technicians, or support technicians. They are expected to design basic campus-type networks and be familiar with routing and switching, security, voice and video, wireless connectivity, and IP (both v4 and v6). They often work as part of a team with those who have higher-level Cisco certifications.

To achieve CCDA certification, you must have earned one of the following: Cisco Certified Entry Networking Technician (CCENT, the lowest-level certification and the foundation for a career in networking); Cisco Certified Network Associate Routing and Switching (CCNA R&S); or any Cisco Certified Internetwork Expert (CCIE), the highest level of certification at Cisco.
You must also pass a single exam.

14. Microsoft Certified Systems Engineer (MCSE) – $95,276
This certification ranked number 14 with an average salary of $95,505 for those who didn’t list an associated Windows version and $94,922 for those who listed MCSE on Windows 2003, for the weighted average of $95,276 listed above.

The Microsoft Certified Systems Engineer is an old certification and is no longer attainable. It has been replaced by the Microsoft Certified Solutions Expert (yes, also MCSE). The Engineer certification was valid for Windows NT 3.51 – 2003, and the new Expert certification is for Windows 2012. There is an upgrade path if you are currently an MCSA or MCITP on Windows 2008. There is no direct upgrade path from the old MCSE to the new MCSE.

15. Citrix Certified Administrator (CCA) for Citrix XenDesktop – $95,094
The CCA for XenDesktop certification is available for versions 4 (in Chinese and Japanese only) and 5 (in many languages including English). Those with a current certification are encouraged to upgrade to the new Citrix Certified Associate – Apps and Desktops (CCA-AD). In any case, those with this certification have the ability to install, administer, and troubleshoot a XenDesktop deployment, including Provisioning Services and the Desktop Delivery Controller as well as XenServer and XenApp. As the Citrix certification program is being overhauled, refer to to view the certifications available, upgrade paths, etc.

Rounding Out the Top 25

A few popular certifications just missed the Top 15 cut due to a low total number of responses or an average (mean) pay just outside the threshold. Due to their popularity, I have included them for informational purposes.

Certification – Average Pay
CISSP: Certified Information Systems Security Professional – $114,287
MCSE: Microsoft Certified Systems Engineer 2003 – $94,922
RHCSA: Red Hat Certified System Administrator – $94,802
VCP-DCV: VMware Certified Professional – Data Center Virtualization – $94,515
JNCIA: Juniper Networks Certified Internet Associate – $94,492
MCTS: Windows Server 2008 Applications Infrastructure Configuration – $91,948
MCITP: Enterprise Administrator – $91,280
CCNP: Cisco Certified Network Professional – $90,833
WCNA: Wireshark Certified Network Analyst – $88,716
CCNA R&S: Cisco Certified Network Associate Routing and Switching – $81,308
