Domain: yp.to
Stories and comments across the archive that link to yp.to.
Comments · 1,222
-
Re:Good MTA, perhaps, but Open Source?
Does a two year stint at the ISC maintaining the BIND 8 resolver and tree propagation code count? Moreover, I'd like to think that there are those who are perhaps younger and smarter than me who might be able to "fuck with" and actually do something new with the given software. That's what open source is all about.
Oh, I get it now. You are spreading FUD about Dan's software because he can write secure DNS software and you can't? -
Re:so it's ISOC
judged principal Bind developer and internet pioneer Paul Vixie and his coworkers to be technically incompetent to run a registry
I take it DJB was on the committee then
:) -
Are software licenses enforceable?
It seems to me that most of the participants in this discussion are ignoring the elephant in the room. Does a software EULA have any import? It's my understanding that no EULA has ever been held up in court. They're just a scare tactic, as this page seems to indicate. So I can mod my XBox out the wazoo and M$oft can do nothing about it.
-
qmail anyone? :)
I realize that qmail wouldn't solve the problem of modified tarballs that allow trojans to come alive during builds (that's what md5s are for), but if you're really worried about security you'd probably be using qmail anyway. If you can prove me, the author, and everyone else who has a qmail fetish wrong, there's a prize in it for you.
After the number of open e-mail relays I've had to deal with, sendmail leaves a sour taste in my mouth. Using the blacklist that has no real regulation on it doesn't seem to help, either. Closing a relay makes users upset. Sendmail is a lose-lose situation, and now there's a trojan in it to top it off. Wee!
-
Crypto censorship is back in court
Not everyone has heard that I'm still challenging the export regulations under the First Amendment. The next round of oral argument is scheduled for Friday 18 October 2002 in San Francisco.
See export.cr.yp.to for the case status, mailing-list information, background documents, where to send descriptions of your experiences, etc.
-
Re:How many are buffer overflows?
but if you can handle strings in C as easily as in java, please post a link to the libraries you are using. strings suck so much in C, I have to use C++. C++ sucks ass for strings too, so I'm left with java and perl.
http://cr.yp.to/lib/stralloc.html -
Re:Please say it's patented..
-
Email messages shouldn't change at all.
You should be using maildirs
-
Try using clockspeed instead
Look at clockspeed as an alternative to other NTP clients. It's a package of programs that allow a computer to calculate any skew in its own clock, so it doesn't have to constantly query an NTP server for the accurate time.
You may find that you won't need an in-house NTP server after all.
-
qmail!!
Use qmail as the MTA. It's way more secure, and more compatible with cutting edge virus scanners and spam filters like spamassassin.
Ideally your exchange server should end up being nothing more than a storage place for email (seems like you're doing that). I'll be doing this in about two weeks at my company, too. Good luck! -
Vixie would definitely use BIND
I don't know whether ISOC would use the Buggy Internet Name Daemon or not, but I know Paul Vixie would definitely use it. Here is Dan Bernstein's feelings about BIND: http://cr.yp.to/djbdns/blurb/unbind.html . I know from personal experience that BIND is big, slow, and the config files are a nightmare, whereas Dan's djbdns is wonderful. I hope whoever gets .org will use djbdns.
Noodle -
Apache and security
Great. So the Apache group has once again proven that they can deliver both a slow and insecure web server. How many more security holes will Apache have before it is "secure"? And when will Apache deliver truly high performance by having a non blocking I/O model?
What are our choices for web servers on UNIX platforms? Unfortunately, not many good ones. It looks like if you want speed, fast dynamic content and lots of configurability then Zeus Web Server is the only real option. The downside is that it's not open source and has a hefty price tag (although it is well worth it).
Boa is a nice, simple, fast web server that supports dynamic content through CGIs (so not much performance). publicfile's httpd is about the ultimate small, simple, fast and secure web server that supports only static content. If you must have a secure web server, this is it (for example, defcon.org uses it). While it is a blocking server, its small size (two data pages) should lead to performance comparable to that of larger, non blocking servers.
Why isn't there a fast (non blocking) web server that supports fast dynamic content such as PHP, either built in (yuck) or through an API like FastCGI, available for UNIX platforms? -
The most interesting part
I think the most interesting part of Bernstein's answer is here. The last paragraph states:
I am astonished that anyone would publish this obvious use of mesh routing as if it were an interesting new result; I am annoyed that my grant proposal has been characterized as presenting slower algorithms than it actually does; and I am particularly disappointed in Lenstra and Shamir for publishing their paper after I informed them in plain language that their claim of an ``improvement'' was false.
And on the same page he cites an email he sent to Arjen Lenstra in April which explains what this all is about in a much more understandable way. -
Re:Production
-
Re:My Providor Blocks Sites
I used to think /.ers were just being paranoid about this kinda stuff until I realized that my DSL provider, Bellsouth, was blocking access to biz.yahoo.com and comments.fuckedcompany.com. They do this by not resolving (or somehow blocking the resolving of) these hosts.
It's easy enough to set up your own DNS cache and use that. Not only does it bypass your ISP's name servers, but since fewer DNS queries will need to go out onto the Internet, you should also see a slight increase in browsing speed.
-
Re:Redundancy
It's not that bad if only you do it, but if everyone on the Internet did it, DNS traffic would increase a lot.
Yes, DNS traffic would increase, but that would not affect the general bandwidth much. What is the cost of adding a couple hundred bytes of DNS to an HTTP session? It would hardly be measurable. The overhead for an email might be as high as a few percent.
It also might slow down lookups somewhat when people access your site, since their local server won't cache your DNS info for very long.
That's true. The first lookup may add a few hundred milliseconds to the web session, and that might be enough to be noticeable. Nobody would notice with email, though.
It also means if your DNS server is down, your site will become inaccessible in short order.
That's why you are supposed to have multiple DNS servers in different locations. Now, many of us don't do that because of various reasons, and that means that we do not allow our DNS servers to fail.
One other common objection to small TTL times is that the DNS server will not be able to keep up with the load. Keep in mind that each DNS query represents many web server or email sessions. If you simply scale up your DNS servers along with your other servers, load should not be a problem. At some point, you will need to move DNS off that 100mhz 486 box :-)
According to our good friend Dan Bernstein, a Pentium-III 550 with 350 megs of DNS data was serving 500 DNS requests per second, which is 30,000 per minute. How fast are your webservers :-) -
Re:regexp and programmers
I remember a while back, one of my clients needed to move a bunch of dns records from one server to another. Took me ~ 45 minutes to write a php shell script using REGEX to create new bind zone records for over 300 domains, and convert them - records intact, complete, ready to restart named.
Forty five minutes? Wow. Had you been using djbdns, you could have been done in thirty seconds. The BIND zone file format is needlessly complex. -
DJB vs the United States
Since there are "no crypto restrictions in the US" my MCS professor can teach cryptography again? Last I checked such was not the case.
-
Re:XML is too much sometimes
Only Bernstein could think that an ASCII representation of Pascal strings is original.
D00d! An ASCII representation of Pascal strings?!? What will djb think of next? Hash tables? (:
-
XML is too much sometimes
I've played with BXXP/BEEP, and it is quite cool. Truly amazing P2P applications should be sprouting from its vines. However, the application that should be its shining glory doesn't use it: Jabber. There must be someone out there in the jabber community that can expound on this.
Hanging my head in shame, I'm one of those "still inventing his own application layer protocols". ASN.1 and RPC were also supposed to save me from doing this. Lately, I've found I've been implementing my own protocols using the concept of netstrings to suit my admittedly low-level needs better. Sadly, as XML and its derivatives mushroom in complexity, I find them less appealing.
-
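The netstring format the comment above refers to is D. J. Bernstein's length-prefixed encoding, `[len]":"[string]","` with the length in decimal ASCII and no leading zeros (so `b"hello world!"` becomes `b"12:hello world!,"`). What follows is an added example written for this page, not code from the comment author or from any djb package: an encoder and a strict decoder that enforce the spec's rules (no leading zeros, at most nine length digits, mandatory trailing comma) so a malicious peer cannot drive allocation with an unbounded length field. The `MAX_LEN` cap and `NetstringError` class are this example's own names.

```python
"""Netstring encoder and strict decoder (added example; not code from the page)."""

MAX_LEN = 999_999_999              # the spec's cap: a length has at most 9 digits
MAX_DIGITS = len(str(MAX_LEN))


class NetstringError(ValueError):
    """Raised for any input that is not a well-formed netstring."""


def encode(data: bytes) -> bytes:
    """Encode one byte string as "<len>:<data>,"."""
    if len(data) > MAX_LEN:
        raise NetstringError("payload too long for a netstring")
    return b"%d:%s," % (len(data), data)


def decode_one(buf: bytes, pos: int = 0):
    """Parse the netstring starting at buf[pos]; return (payload, next_pos).

    The length field is read from a bounded window, so the parser never scans
    or allocates on the basis of a length the peer has not fully justified.
    """
    colon = buf.find(b":", pos, pos + MAX_DIGITS + 1)
    if colon < 0:
        raise NetstringError("length field missing, too long, or not followed by ':'")
    digits = buf[pos:colon]
    if not digits or not digits.isdigit():
        raise NetstringError("length must be decimal digits")
    if len(digits) > 1 and digits[:1] == b"0":
        raise NetstringError("leading zeros are not allowed")
    length = int(digits)
    start = colon + 1
    end = start + length                    # index of the trailing comma
    if end >= len(buf):
        raise NetstringError("truncated netstring")
    if buf[end:end + 1] != b",":
        raise NetstringError("missing trailing ','")
    return buf[start:end], end + 1


def decode_all(buf: bytes) -> list:
    """Split a buffer of back-to-back netstrings into its payloads."""
    out, pos = [], 0
    while pos < len(buf):
        item, pos = decode_one(buf, pos)
        out.append(item)
    return out


def is_valid(buf: bytes) -> bool:
    """True if buf is a sequence of well-formed netstrings."""
    try:
        decode_all(buf)
    except NetstringError:
        return False
    return True
```

Because the length is fixed before the payload is read, a receiver can check it against a policy limit and drop the connection before buffering anything, which is the property that makes netstrings attractive for the low-level protocols the comment describes.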
Re:Or, if you need something even better than NTP.
Much better than starting up another project and having people to switch over to a new system of doing things...
Well, for one thing, NTP has the year 2036 problem. Additionally, unless it's been fixed in the meantime, NTP has trouble with leap seconds. Until those two things are fixed, why bother using NTP? DJB's TAICLOCK protocol and clockspeed and taiclockd daemons seem to be a better choice.
-
clockspeed
By the author of qmail. Though it doesn't get as much attention as the author's bigger projects, it is written with the same attention to efficiency, simplicity, and correctness.
-
Re:YDL vs. OSX
Well, seeing that you are running OS X exclusively, I'd like to ask you if you don't see any difference in performance when you compare Linux and OS X. I surely do with my iBook 2, but that's perhaps because I am using a G3-based machine.
Just for reference, here are some links describing problems that I have with MacOS X and/or the iBook:
http://slashdot.org/comments.pl?sid=33385&cid=3607384
http://lists.debian.org/debian-powerpc/2002/debian-powerpc-200206/msg00106.html
http://lists.debian.org/debian-powerpc/2002/debian-powerpc-200205/msg00146.html
http://cr.yp.to/hardware/ppc.html
http://cr.yp.to/hardware/advice.html
The last two articles aren't written by me, of course, but by D.J. Bernstein, who has a deep understanding of various architectures.
Anyway, I would appreciate any help regarding the problems listed above, especially those addressed in the first link.
-
Re:Spam problem
There is a proposal for making SPAM a lot more troublesome to create...
Dan J Bernstein, creator of qmail, has a protocol change to reduce the cost of spam to ISPs and receivers and put the onus on the sources to cut down.
Here's an overview... Internet Mail 2000
-
Encrypted Messaging
Attempts like this just make encrypted messaging protocols more desired. SMTP is just old, slow, rusty, and stupid. See here: IM2000
-
Re:RPM not the problem..
-
Re:Darn... and I just updated my anti-virus softwa
Now that you mention it...from NAV/Exchange on one of our servers earlier today:
Sender of the infected attachment: ******
Recipient of the infected attachment: ******
Subject of the message: W32.Klez.E removal tools
One or more attachments were quarantined. Attachment install.exe was Quarantined for the following reasons:
Virus W32.Klez.H@mm was found.
I had something similar show up at home a few days ago. IIRC, Klez grabs the subject line for its mail from a random (?) message in your inbox, so it must've gotten lucky to go out identifying itself as something that'd remove itself. (I think my copy called itself a Nimda removal tool.)
(Of course, I run qmail and mutt instead of Exchange and Lookout, so Klez has been little more than an inbox-filling annoyance for me.)
-
And 1 guy can bring it down?
A lot (if not all) internet businesses will depend on DNS working fine. And just 1 guy can bring it down? Why? How?
I'm getting rather offtopic, but it's not like the DNS is the most secure system in the world anyway.
-
Goals, Administration and Package Management
One of the biggest challenges facing systems administrators and users of U*ix and Linux systems is the subtle changes in name space and file formats (as per DJB's notes on Unix compatibility).
- What level of version compatibility guarantees are to be made. Can a unified systems administration tool suite be created?
- Suppose that I want to "try before I buy" a new version of a package, and wish to run the new release in parallel with the release I currently use. Currently, most package management schemes do not make this easy in the Linux world; will your approach support installing builds from other vendors or installing multiple versions of the same program/library in a single directory tree?
While I think this is interesting, it may be too late; Linux package management is still not as unified as I would like.
-
Microsoft is a bug up the software industry's ass!
could we please stop this needless bashing of MS
MS should be bashed...it's like the diner that tries to sell rancid water and stale bread for $100(us). They use whatever means necessary to beat down their competition, so almost all of the other diners (or food producers) have gone out of business or are struggling. You can get better food from homeless shelters for free.
If you want to make a better comparison of MS vs open source then take 80-90% of _all_ open source programs and compare the number of flaws to MS' flaws.
Probably 80-90% of all open source programs are made by one or more of: script kiddies, teenagers playing around, hobbyists, power users, people that bought "Learn to Program C in 21 Days" who now think they are "experts", and people who can't program so they start a project on SourceForge with a basic description and hope someone bites. None of these people should be expected to create a decent, bug-free program. For you to even think MS needs to be compared with them shows how backwards your position is.
Anyone and their cat can start an open source project in their garage. It doesn't mean anyone will use these programs, and it is absurd to compare those projects with a funded company that has paid professional programmers. However, from what I've seen, Microsoft would barely scratch by with even this test. If compared with the commonly used (and made by real programmers) Open Source projects, Microsoft wouldn't even have a chance.
Take a simple program like "BitchX," an IRC client.
I've used it before. Not to dis the guy who made it (BitchX isn't too bad an effort), but it does seem a bit script kiddie-like. In fact only a script kiddie would choose such a name.
;-) In fact read their page: "BitchX was started by Trench and HappyCrappy as a script for the ircII client."
It has had countless security issues, and IRC has been around since '89 or so.
Why don't you compare BitchX with Microsoft's IRC client--assuming they still have one. All I remember about it was almost no features and stupid cartoons. BitchX has lots of features. Not that I'm saying they should be compared, BitchX is made by script kiddies after all--in fact they seem to want to be known as script kiddies--just look at their page!
We like to conveniently forget about sendmail and bind
What kind of dumbfuck would use sendmail or bind on their servers??? There are plenty of alternatives to those programs...
there is no equal or objective comparison between MS and "Linux" (or whatever you want to define as the yardstick of security.. which is typically "Linux" on /.) in terms of security.
There is no equal or objective comparison between the two because MS doesn't care about security or bugs! Whatever Linus would call a "Brown Paper Bag Bug", Bill calls a "feature".
...and I don't think most slashdot readers define Linux as a "yardstick of security". That would be something more like OpenBSD, who kick the hell out of Microsoft in terms of paranoia and therefore security. Numbers from bug reports aren't a good comparison between them either--the OpenBSD people seem to raise hell when they find the tiniest potential exploit, while Microsoft won't even acknowledge the most horrid of bugs/exploits and will only release a patch if they are embarrassed into it. -
Re:Now, from the people who brought you Sendmail
Sendmail /DID/ have a bad record... but it barely rates a mention these days. Time to bring yourself into the current day rather than trying to suck the rotten marrow out of last century's carcass.
Why bother giving sendmail another crack at making your system rootable when it's such a pain in the ass to set up in the first place? I'd rather install qmail and get on with life.
-
is client-server intrinsically buggy?
For anybody following bugtraq this was an important issue, obviously, but it was mixed with tons of other security issues.
it seems that every software (well, almost: god bless djb) has security bugs, and usually (obviously) concerning input from outside (being "outside" client input to the server or vice-versa).
tons of white-papers have been released pointing out which errors drive to which vulnerabilities, mailing lists and forums do exist about this.
Forgetting for a while that we are "just humans" and we are prone to ewwows... is there something deeper? Something in how we design the software? Something wrong in how we relate to writing software?
Every time a vuln hits the news I just ask myself if something will change... if we will finally break free from insecure-programming issues, eventually redirecting more brain power to innovation, rather than stabilization of what already exists?
-
Re:Cliff notes version
is qmail controversial?
Qmail is probably secure. The controversial issues that I can think of are these:
- The license doesn't allow one to distribute binaries of modified source. This pretty much keeps it out of Linux distributions, because they need to modify the default layout, etc. There's other annoying bits about his licenses. See http://cr.yp.to/distributors.html for info.
- It has (or perhaps used to, maybe this has been fixed) some pretty abusive behaviors when delivering mail to lots of users on the same host.
-
Re:errrrr NFS?
Yeah, not to mention the fact that when they said this was Bernstein's NFS, the first thing I thought was, "Okay, what has the author of qmail gotten his fingers into this time?"
-
Re: Am I missing something?
courier-imap doesn't use a non-standard format.
see the maildir spec. -
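The Maildir spec the two comments above point to (cr.yp.to/proto/maildir.html) gets its reliability from a small delivery protocol: write the message under a unique name in tmp/, fsync it, link it into new/, remove the tmp copy; readers claim a message by renaming it from new/ into cur/ with an ":2,<flags>" suffix. Because every visible file is complete and every move is a single atomic directory operation, no locks are needed, which is what makes Maildir safe over NFS and against crashes. The following is an added example written for this page, not the spec's or qmail's code; it uses the modern `time.M<usec>P<pid>Q<counter>.host` unique-name layout rather than the original `time.pid.host` one, and `demo()` and its sample message are constructed for illustration.

```python
"""Maildir delivery and reading (added example; not code from the spec or qmail)."""
import itertools
import os
import socket
import tempfile
import time

_counter = itertools.count(1)


def _hostname() -> str:
    # '/' and ':' in a hostname would break the filename and the flag suffix;
    # the spec says to escape them as \057 and \072.
    host = socket.gethostname() or "localhost"
    return host.replace("/", "\\057").replace(":", "\\072")


class Maildir:
    def __init__(self, path: str):
        self.path = path
        for sub in ("tmp", "new", "cur"):
            os.makedirs(os.path.join(path, sub), exist_ok=True)

    def _unique_name(self) -> str:
        now = time.time()
        return "%d.M%06dP%dQ%d.%s" % (
            int(now), int((now % 1) * 1_000_000), os.getpid(), next(_counter), _hostname())

    def deliver(self, message: bytes) -> str:
        """Deliver one message; returns the name it received in new/."""
        name = self._unique_name()
        tmp = os.path.join(self.path, "tmp", name)
        new = os.path.join(self.path, "new", name)
        # O_EXCL: if the name somehow exists already, fail rather than overwrite.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(message)
                f.flush()
                os.fsync(f.fileno())          # data is on disk before it becomes visible
            os.link(tmp, new)                 # atomic publish: whole file or nothing
        finally:
            os.unlink(tmp)                    # remove the tmp copy even if link() failed
        return name

    def list_new(self) -> list:
        return sorted(os.listdir(os.path.join(self.path, "new")))

    def read(self, name: str) -> bytes:
        with open(os.path.join(self.path, "new", name), "rb") as f:
            return f.read()

    def claim(self, name: str, flags: str = "S") -> str:
        """Move a message from new/ to cur/, recording its flags (S = seen)."""
        cur_name = "%s:2,%s" % (name, "".join(sorted(flags)))
        os.rename(os.path.join(self.path, "new", name),
                  os.path.join(self.path, "cur", cur_name))
        return cur_name


def demo() -> dict:
    """Deliver a constructed message into a throwaway Maildir and report each state."""
    msg = b"From: alice@example.com\nSubject: hi\n\nhello\n"   # constructed sample
    md = Maildir(tempfile.mkdtemp(prefix="maildir-"))
    name = md.deliver(msg)
    result = {
        "new_after_delivery": md.list_new(),
        "tmp_left_over": os.listdir(os.path.join(md.path, "tmp")),
        "content": md.read(name),
    }
    cur_name = md.claim(name)
    result["cur_name"] = cur_name
    result["new_after_claim"] = md.list_new()
    result["cur_exists"] = os.path.exists(os.path.join(md.path, "cur", cur_name))
    return result
```

The two points a practitioner should take from this: the writer never creates a file directly in new/ (a reader could otherwise see a half-written message), and the reader never modifies a file in new/ in place (it renames, so two readers cannot both claim it).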
Re:One folder to rule them all...
Yes, and there is a VERY good reason why it does that:
http://cr.yp.to/proto/verp.txt -
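The verp.txt note linked in the comment above describes variable envelope return paths: every copy of a list message is sent with its own envelope sender that embeds the recipient (with its "@" rewritten as "="), so a bounce, whatever its body looks like, comes back to an address that names the subscriber who bounced, and bounce handling becomes address parsing rather than guesswork. The following is an added example written for this page, not ezmlm or qmail code; the "-return-" infix, the list name, and the bounce log are this example's own assumptions (ezmlm's real layout also carries a message number).

```python
"""VERP encode/decode and bounce counting (added example; not ezmlm or qmail code)."""
from collections import Counter


def verp_sender(list_local: str, list_host: str, recipient: str) -> str:
    """Envelope sender to use when mailing `recipient` on behalf of the list."""
    rcpt_local, at, rcpt_domain = recipient.rpartition("@")
    if not at or not rcpt_local or not rcpt_domain:
        raise ValueError("recipient must be local@domain")
    return "%s-return-%s=%s@%s" % (list_local, rcpt_local, rcpt_domain, list_host)


def verp_recipient(bounce_to: str, list_local: str, list_host: str):
    """Recover the subscriber from the address a bounce was delivered to, or None."""
    local, at, host = bounce_to.rpartition("@")
    prefix = list_local + "-return-"
    if not at or host.lower() != list_host.lower() or not local.startswith(prefix):
        return None
    encoded = local[len(prefix):]
    # A domain can never contain '=', so splitting at the LAST '=' is unambiguous even
    # when the subscriber's local part itself contains '=' (e.g. a forwarded VERP address).
    rcpt_local, eq, rcpt_domain = encoded.rpartition("=")
    if not eq or not rcpt_local or not rcpt_domain:
        return None
    return "%s@%s" % (rcpt_local, rcpt_domain)


def bouncing_subscribers(bounce_log, list_local, list_host, threshold=2):
    """Count bounces per subscriber from the RCPT TO addresses the bounces arrived at;
    return the subscribers at or above `threshold`, sorted."""
    counts = Counter()
    for rcpt in bounce_log:
        subscriber = verp_recipient(rcpt, list_local, list_host)
        if subscriber:
            counts[subscriber] += 1
    return sorted(s for s, n in counts.items() if n >= threshold)


# Constructed bounce log: envelope recipients of bounces received by the list host.
SAMPLE_BOUNCES = [
    "announce-return-bob=example.com@lists.example.net",
    "announce-return-bob=example.com@lists.example.net",
    "announce-return-carol=mail.example.org@lists.example.net",
    "announce-return-alice=fwd=example.com@lists.example.net",
    "announce-return-alice=fwd=example.com@lists.example.net",
    "postmaster@lists.example.net",                  # not a VERP address: ignored
    "announce-return-bob=example.com@evil.example",  # wrong host: ignored
]
```

Note that the decoder only trusts the host part it owns and splits on the last "=", which is the one place a naive implementation typically goes wrong once a subscriber forwards through another VERP-using list.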
Re:One folder to rule them all...
Are you sure that you want to be using Postfix? I don't...
http://cr.yp.to/maildisasters/postfix.html -
Re:WHY THIS IS IMPORTANT
I wonder if unicode is even supposed to be allowed in domain names.
Absolutely. click here for a demonstration. I haven't yet used a browser that could handle the links on that page. I share your disgust.
-
IDNC3
Dan Bernstein has a proposal for internationalized domain names which solves this problem and many other problems. It's called IDNC3. IDN stands for ``internationalized domain name.'' C3 stands for ``clean, careful, conservative.''
-
Re:Fake addresses don't work
> Spammers are very apt at verifying that
> their address lists actually work.
Riiiiight. That's why in the last 3 months, just as an example, my mail server has rejected almost 50 attempts to mail djb991227@scream.org - by the SAME outfit (networkpromotion.com).
And get this - they all came from VERP addresses, so if they *did* have a clue, they could've done bounce processing, etc.
If anybody didn't draw the obvious conclusion, that particular address existed briefly, over 2 years ago. It's been gone for 2+ years. And networkpromotions.com didn't *start* trying to spam it until this February.
If spammers were good at screening addresses, my server wouldn't be logging those failed attempts. Or the failed attempts to addresses that have *never* existed in various domains I run. Or the failed attempts to things that aren't even addresses, but Usenet message-ID's.
Not to say that "legit" businesses do much better at this, of course!
-Dan
-
Re:Vendor specific
How the hell do people cope with Daylight Savings Time? How do you indicate whether 1:30 AM is the /FIRST/ 1:30 AM, or the /SECOND/ 1:30 AM, when Daylight Savings Time hits?
You don't, plain and simple. Nasty things like time formatting and conversions should only be done when necessary, i.e. to display it to a user. No sane program (or programmer) would try to keep track of time in that format internally. The most common method of storing time is to use a UNIX timestamp, which is the number of seconds after the UNIX epoch ("1970-01-01 00:00:00 GMT"). The problem with this approach is that in 2038, a signed 32-bit number will overflow. It also means that times before 1970 and after the beginning of 2038 cannot be stored.
A better approach is to use TAI64 or TAI64NA times. TAI is much more accurate (see the page for details), and does not have the range problems of UNIX timestamps. DJB's public domain libtai library allows you to store and manipulate dates and times on the TAI64 and TAI64NA time scales. -
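The comment above recommends TAI64 over 32-bit Unix timestamps. A TAI64 label is the 64-bit integer 2^62 + s, where s counts TAI seconds since the start of 1970 TAI; TAI64N appends a 32-bit nanosecond field, and daemontools' tai64n writes the pair as "@" followed by 24 hex digits, so labels sort as plain text in time order and have no 2038 rollover. The following is an added example written for this page, not libtai or daemontools code. It assumes, as tai64nlocal does, the fixed offset TAI = UTC + 10 s; an exact conversion across leap seconds needs libtai's leap-second table. The `dst_ambiguity_example` function and its US Eastern date are constructed to answer the 1:30 AM question quoted at the top of the comment.

```python
"""TAI64N labels (added example; not libtai or daemontools code)."""
from datetime import datetime, timedelta, timezone

TAI64_EPOCH = 1 << 62
TAI_MINUS_UTC = 10          # assumption: ignores leap seconds inserted after 1972
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def tai64n_encode(unix_seconds: int, nanoseconds: int = 0) -> str:
    """Return the '@...' label for a UTC instant given as Unix seconds + nanoseconds.

    Works for negative (pre-1970) and post-2038 inputs alike; the only limit is
    the 64-bit label itself.
    """
    if not 0 <= nanoseconds < 1_000_000_000:
        raise ValueError("nanoseconds out of range")
    secs = TAI64_EPOCH + unix_seconds + TAI_MINUS_UTC
    if not 0 <= secs < (1 << 64):
        raise ValueError("instant outside the TAI64 range")
    return "@%016x%08x" % (secs, nanoseconds)


def tai64n_decode(label: str):
    """Inverse of tai64n_encode; rejects anything that is not a 25-char '@' label."""
    if len(label) != 25 or label[0] != "@":
        raise ValueError("not a TAI64N label")
    secs = int(label[1:17], 16) - TAI64_EPOCH - TAI_MINUS_UTC
    nanos = int(label[17:25], 16)
    if nanos >= 1_000_000_000:
        raise ValueError("nanosecond field out of range")
    return secs, nanos


def tai64n_to_utc(label: str) -> datetime:
    """Render a label as a UTC datetime (microsecond precision, as datetime allows)."""
    secs, nanos = tai64n_decode(label)
    return UNIX_EPOCH + timedelta(seconds=secs, microseconds=nanos // 1000)


def dst_ambiguity_example() -> list:
    """Two distinct instants that both read '01:30' on 2021-11-07 in US Eastern time:
    the first in EDT (UTC-4), the second an hour later in EST (UTC-5) after the
    clocks fell back. Stored as TAI64N labels they stay distinct and correctly
    ordered; only a wall-clock representation loses the distinction."""
    edt = timezone(timedelta(hours=-4))
    est = timezone(timedelta(hours=-5))
    first = datetime(2021, 11, 7, 1, 30, tzinfo=edt)
    second = datetime(2021, 11, 7, 1, 30, tzinfo=est)
    return [tai64n_encode(int(first.timestamp())),
            tai64n_encode(int(second.timestamp()))]
```

The fixed-width hex form is what lets `sort` order tai64n-prefixed log lines correctly without parsing them, and the 10-second constant is exactly the shortcut that makes tai64nlocal's output drift from true UTC by the leap seconds inserted since 1972.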
Re:ECC is worth having
D.J. Bernstein makes a case here on the merits of ECC. And his description of a "standard workstation" shows that ECC memory isn't that much more expensive.