I have an AMI MegaRAC G2 installed in one of my co-lo servers at The Planet (Dallas, TX).
It is a standard half-length PCI card that is a looks like a ATI Rage XL graphics card to the host operating system with a VGA connector on the back of the card in case you really need to hook a monitor up to it.
(you do need to be able to disable the onboard VGA on the server - if it has it)
The real magic is with the cards' mini USB connector - cable it up to any USB port on the server and the card will emulate a USB keyboard, USB mouse and a USB CD-ROM (great for operating system re-installs if you prefer Windows!).
On the internal side, the card has a feature connector that allows 'pass-thru' to the servers' reset and power jumper pins.
Because of the feature connector, the card can perform a proper hardware reset and power-cycle via 'pass-thru' to the server PWR_ON/RESET pins if the server manufacturer actually has bothered to put standard pins on their server board like most OEM motherboards have - the card can survive short power outages with the aid of its' dinky onboard battery that can last 30 minutes without power.
My only bugbear with the G2 is that it has a horrible tendency to fall over if it is 'unprotected' from the Internet - if you can protect it from unwanted traffic by ACLs on an upstream router, I can heartily recommend it.
The G3 is meant to have an onboard firewall but my e-mails to American Megatrends over the last few days have been rudely ignored.
Another thing...
The firmware for both cards is based on uClinux and various other GPL'd softwares... no mention of any source on American Megatrend's website although they do quote the GPL license on their download page.
So to sum up:
High-quality card. Average firmware. Manufacturer has piss-poor GPL attitude. Manufacturer has tendency not to reply to e-mails.
I hope this information is helpful to at least some readers.
Domain Name: PROSCO.NET
Created on: 04-OCT-04 Expires on: 04-OCT-05
Last Updated on: 04-OCT-04
Obviously, SCO feels that they aren't going to be around after this date... or one would think they would at least have bothered to splash out the extra cash for a 2-year reg rather than just a 1-year reg.
Disclaimer: I work for Checkpoint's No. 1 reseller.
The Linux versions of all Checkpoint products (FireWall-1 4.1, Checkpoint NG) achieve their functionality by means of a binary module which is loaded into the kernel at runtime. This is expressly permitted by Linus as an exception to the GPL license which ships with Linux.
Of course, Checkpoint also produce their own cut-down version of Red Hat Linux 7.0 (known as SecurePlatform) which is designed to turn any standard PC into a fully functioning Checkpoint NG install with the minimum of effort.
The copy of the GPL license contained in the root of the CD filesystem asks that you e-mail gpl-source@checkpoint.com for instructions on where to obtain the source.
I did so... and within 24 hours, I received a password-protected login to a Checkpoint FTP server which contained all the relevant source RPMS (and the Checkpoint-written patches) for SecurePlatform.
So, the answer is no - to the best of my knowledge Checkpoint have not violated the GPL.
American Megatrends use uClinux (also GPL licensed) as a core part of their firmware for the AMI MegaRAC G2 Remote Processor (http://www.ami.com/megarac/).
I only discovered this by running 'strings' on the firmware and found references to uClinux and a variety of other GPL stuff.
There is NO mention of the GPL in the product manual or on the packaging which contains the CD with a backup copy of the firmware.
I asked for copies of any GPL sources (and associated changes) which the MegaRAC G2 used - to their credit, I received a very nice diff which only covered changes to files which already exist in the uClinux distribution.
Unfortunately, those changes include the addition of header files which the modified kernel relies on - header files which I wasn't given and further requests for them have been ignored. So, even with the 'source' which I was given, I can't use it to produce an identical binary as to that contained in the firmware image which was supplied to me.
For those readers who are interested in purchasing one or more MegaRAC G2s, I suggest you ask your AMI dealer why it took them over eight weeks to patch a vulnerability which allowed *any* remote user to gain full access to the system console and also why the product is prone to frequent hangs which are not recoverable unless you unplug all power from the server and card until the onboard battery drains.
The vulnerability is so simple to exploit - start up the GTK+ remote console utility that came on the CD and point it to the IP address of any MegaRAC G2 card.... that's it. No prompt for a username or password. Nothing. Instant console access.
... then again, I suppose it just goes to show the quality of the code which their engineers are kicking out to the end-users:-(
Your internal hosts require TXT records adding to their relevant.in-addr.arpa zones which tell the remote gateway that another machine is responsible for opportunistic encryption. The remote gateway will encrypt packets to that host (i.e. 1.2.3.4), at that point, the packets will be decrypted and can be safely inspected for nasty stuff like Nimda, Code Red or the latest M$ worm currently doing the rounds on the Internet.
You can even specify multiple IPsec gateways in case there are several entry points into a network, like the above (just like MX records) - for purposes of failover, etc, etc.
So, what you say about removing the option of network level filtering - not strictly true. It totally depends on how you implement opportunistic encryption on your network.
...and I thought the article was referring to the originalBoston College!
I only mention this as I was a student at the above and silent password logging TSRs were rampant on their network.
Oh yeah, and their entire collection of staff/student mailboxes and the mailspool were made available via an anonymous read/write network share if you knew enough about Novell Netware to manually map a drive.
This is what any prospective spammer gets when he hits my SMTP service.
If they don't like these terms, they can just disconnect and bother somebody else.
220-xxxxxxx.xxxxxxx.xxx ESMTP 220- 220-This system is located in the United Kingdom and access is governed by 220-the Computer Misuse Act 1990. 220- 220-All users connecting to this service must comply with the Acceptable Use 220-Policy found at http://xxxxxxx.xxxxxxx.xxx/pages/aup.php. Hostile attacks 220-against this system will be reported to your ISP and the relevant legal 220-authorities. 220- 220-Anybody wishing to send UBE/UCE to a mailbox on this server does so with 220-the understanding that I reserve the right to claim £50 (or the monetary 220-equivalent in native currency) per message from the sender. 220- 220-By sending mail through this server, you waive all confidentiality claims 220 in the message and grant reproduction rights to the recipient.
Most of my customers run Microsoft Exchange and typically don't configure it properly. I can honestly say that over 75% of the open relays which I have had to temporarily firewall from the Internet have been running some variant of Microsoft Exchange.
As all of these customers are using some form of permanent connectivity (not dialup), they have no real need of a smarthost. A smarthost, for those of you who don't know, is normally provided for machines which don't have the ability to relay themselves or for a mailserver connecting via dialup.
In the latter case, it is quicker for a user with a 56k modem to send at full speed to a smarthost which sits on their ISP's network and then disconnect from the Internet rather than wait several hours for the heavily-loaded ISDN line that the remote site is using to get around to accepting the mail.
In any case, as these customers had permanent connectivity, I configured Postfix to reject based on headers:/Microsoft\ Exchange/ REJECT We do not relay messages for Microsoft Exchange servers./with\ Internet\ Mail\ Service/ REJECT We do not relay messages for Microsoft Exchange servers.
The first regexp catches Microsoft Exchange 2000 - the second catches all other Exchange versions which are in common use today.
The machine is strictly an outbound relay only - so it doesn't reject incoming mail from other Microsoft Exchange users. It has cut abuse reports by well over 60% regarding spam complaints which claim that the our smarthost is a spam conduit and this policy has only solicited complaints from a few customers who are convinced that Microsoft Exchange cannot relay to the Internet without a smarthost.
Of course, the other thing you can do is run up a simple script which will go through your MTA logs and automatically scan for open relays on those IP addresses which have connected to it over the last 24 hours. Some people might argue that this in itself is an invasion of their network but personally I see nothing wrong in an ISP ensuring that customers using its' smarthost are operating within full compliance with their AUP.
P.S. Customers who object to this policy are advised that they can 'opt-out', however, we still test if we receive a spam complaint with full headers implicating one of their servers.
If that server in their IP address space is verified to be open - we reserve the right to block all inbound SMTP into their address space from the rest of the Internet.
I know that a lot of people will condemn this policy - except that we have only had two people give us grief over it. Even then, they calmed down when they had it explained to them why open relays were a bad thing for the Internet in general. We are happy. Our customers are happy.
Besides, most manufacturers won't repair a damaged TFT if it is damaged while in transit and the manufacturers' recommended precautions about using a container designed for the task haven't been followed.
Yet another reason to hang on to those boxes, kids!
1:) Care to supply me with the date of manufacture of your iBook ?
2:) I only wish I was trolling.... I have better things to do than write a shitload of fictional bad-mouthing against Apple for the amusement of others. The Apple techs didn't even bother booting the machine up to test if writing a CD worked (their own admission). Maybe I should say that writing a CD works but it cannot be read in anything afterwards - I have tried cdrecord on Mandrake 8.2/PPC, Toast on MacOS 9 and MacOS X and even iTunes.
Yes, I have tried writing at 1x and even using a variety of CD-R and CD-RW media... trust me... the drive is screwed.
3:) MacOS X only runs on Apple hardware. Therefore, those readers who advocate the use of MacOS X over Linux and FreeBSD are logically the owners of Apple hardware. If the response I received from Apple Technical Support is typical of that company, I can only pity those readers for being customers of such an uncaring corporate.
My original post is the absolute truth and I stand by my words.
I purchased an Apple iBook Dual USB in August last year and noticed that the CD tray door was misaligned on one side.
Repeated visits to the retailer over this period resulted in repeated denials of the fault (even though the display model in the store also suffered from a fault with the CD tray door). In the end, I sent the machine back to Apple in disgust.
Result ? - apparently it is 'within acceptable specifications' to have a CD tray door that does not close properly - therefore it was sent back to me in exactly the same state. Numerous complaints have been made by other users on the discussion forums at http://www.apple.com/support/ but as far as Apple are concerned, there is no fault.
So, to all of you readers who are forever praising MacOS X and its' so-called superiority over Linux and FreeBSD - I pity you. How can you support a company that will quite happily take £1,700 ($2470 USD) and supply a piece of hardware that clearly isn't manufactured to do the job which it is advertised for ?
The support is terrible - why the fuck do I always buy hardware from companies who seem to think that running their 'Diagnostic CD' will fix problems such as broken CD trays, power supplies with smoke coming out of them and monitors which flicker red at the slightest vibration ?
Considering the fact that I absolutely hate lawyers, I have been left with no choice by Apple to call mine and threaten them with legal action over the Sale and Supply of Goods Act 1994 (I live in the UK).
I sincerely hope that I can do 'em over on false advertising - as in iTunes marketing slogan 'Rip.. Mix.. Burn'.
I can rip... mix... but how can I burn anything on a drive which doesn't even f***ing shut properly !?!?
Anybody else here who isn't satisfied with the build quality of their Apple iBook ?
This was submitted earlier....
on
ORBZ Shuts Down
·
· Score: 0, Offtopic
2002-03-20 08:58:41 ORBZ shut down in response to legal threats (articles,spam) (rejected)
I am in the process of building the final 8.2 isos.
These isos will be tested this week-end, and released on Monday if OK.
As a consequence if you find some free minutes this week-end and test
all the uploads that have been done today, and report any regression,
that would be quite a great help.
Yah, a great reason to shut off the internet for up to 4 million people. So your fucking firewall logs will be smaller. Eat shit. Not everyone on @home is a fucking moron, ya know.
I don't think anybody can deny that the 24/8 netblock contains the biggest source of DoS attacks, open relays, warez FTP servers, Nimda-infected boxen, open SOCKS proxies, Usenet spammers, and the largest army of zombies (trojan-infected PCs) on the Internet today. You are quite correct about not everybody on @home being a moron... a lot of my friends in the U.S. use @home as their service provider... but they knew this was coming and decided to change to something else (even dialup) before the big switch was flicked!
Did I point out that I don't need a measly 512kbit/s of bandwidth at home because the company I work for has a 155Mbit/s pipe ? - perhaps I should laugh in your general direction that at the time I write this my connection will work in the morning and yours will not:-p
My connection gets used for just two things: remote login to other machines and multiplayer gaming. You get lower latencies with ISDN than you do with cable.. so even if you offered me a cable modem, one, I don't need the bandwidth and I don't need the higher latencies a cable connection would give me.
I don't find any of this particularly funny, but everybody who reads this forum knows that Excite@Home has been teetering on the edge for some time... if you haven't made suitable arrangements for a replacement service provider, then tough nuggies to you.
PS: Please die
Sorry. I don't do requests.
PPS: In the likely event that you decide to respond because you need to defend your manly-hood, dont bother, I will not read it. I am not here to have a conversation, just pointing out that you are a moron.
Too bad. I didn't read your pathetic notice until I got to the bottom of your equally pathetic reply. If you don't want to read my reply then that is perfectly okay with me... the whole point of a discussion forum is that people share thoughts and ideas... you didn't bring much to this discussion and you just happen to reinforce my view of the typical @Home user (apologies to all those who don't fit that category and actually have a clue on how to secure an Internet-connected machine).
Over 90% of the port probes, failed SMTP relay attempts and other malicious shit come into my network from 24/8.
As far as I am concerned, it finally looks like abuse@home.come has made good on its promise to terminate the service of the abusers (as well as their other users.. unfortunately). A bit extreme, yes, but at least my machines will have smaller firewall logs!
If it was any other provider, yes, I would sympathise with the other subscribers who will be losing their IP connectivity - however, I have heard enough of the Excite@Home users on Slashdot criticize their own service provider to be able to counter any flames this post may encourage.
As someone who handles all the abuse@ e-mail for a reasonably-sized UK ISP; I have yet to receive any kind of intelligent reply from my counterparts at Excite@Home regarding any of the incidents I have forwarded to them. Complete and utter fuckwits.
You want an open WinGate to launch a DoS at a network of your choice ? - Excite@Home has loads! You want an open M$ SMTP service to relay your spam through ? - Excite@Home has thousands!
As a part of the global Internet community, they bring more problems than what they are worth to exchange traffic with.
Admittedly, I may only have experienced unfriendly behaviour from a minority of their users, but from I have seen of Excite@Home and their technical competence.. for the rest of you who are still using them as an ISP - I have four words for you....
FIND A BETTER ISP!
Plus, before you whinge and moan that cable is your only broadband option... I will just point out that I am still using dual-channel ISDN (128kbps up/down) and I wouldn't switch to DSL if my telco gave it to me for free... their service is shit but at least they can do ISDN right.
Call me pedantic, but I would rather have a reliable service than a we-are-down-99%-of-the-time-but-we-are-mega-bloody -fast-the-other-1%-of-the-time type of service... which is the kind of impression I have been given from the recounted experiences of most Excite@Home subscribers that I have spoken to.
It's a nice idea but I have been trying to join the 6bone for absolutely ages now.
My upstream ISP (Demon Internet) is a participant in the 6bone network; so I e-mailed their 6bone contact and requested a small allocation of IPv6 addresses with which I could use on my internal network (all Linux; therefore all capable of IPv4).
I received no response from them whatsoever after three seperate e-mails. I *want* to switch away from IPv4, but my upstream ISP won't let me, while they are making out to the outside world that they are 'spearheading' the IPv6 revolution by announcing that they are a member of the 6bone.
Yes, I have considered applying to other 6bone networks, such as JANET and other UK ISPs, but my upstream ISP would have been ideal for my IPv4IPv6 tunnel (zero routing overheads). Besides, it is a matter of principle.
Anybody running a 6bone site reading this care to comment ? - before you say it, yes, I fulfil the criteria for joining the 6bone (according to http://www.6bone.net/ anyway).
FYI, the 'stupid ANSI penguin' only shows up when attempting to login at the local console (i.e. monitor connected *directly* to the host video adapter).
It does not show up when attempting to telnet in to the machine.. just a basic 'Welcome to Linux Mandrake' blurb, etc, etc.
I am one of those Mandrake users who will pull the latest ISO within a few hours of its release (often I have to wait for a mirror to get it though as my connection to Mandrakesoft's servers is quite slow).
Until Mandrakesoft put up their 'Donations' page; I had not paid Mandrakesoft a single penny for their services - unfortunately there is no incentive to buy a boxed distro when you already have the software on freshly-burnt CD-R's.
(I know about Mandrake Powerpack - but it offers nothing that I cannot get elsewhere)
When I consider that I could potentially spend the equivalent of seven day's wages on a license to run Windows 2000 Advanced Server; it makes me feel guilty that I can download a significantly superior operating system from the Internet for next to nothing.
I have no objection to paying Mandrakesoft the same amount of money I would be paying to Microsoft in order to keep up to date with their 'latest and greatest' piece of crap. Here is how my donations are distributed:
30% - Kernel 30% - Advanced Extranet Server 30% - Security/Crypto 10% - No preference
I am only contributing to the development of the software I use; so in the end, I will benefit from the my donation and the donations of others... personally I don't see what the problem is ?
I am tired of reading that people should 'expect' Linux distributions to be free - excepting Debian (which is produced for the community by the community); most other distributions are produced by large corporates like Red Hat and Mandrake. I don't think many people understand the work that goes into producing a mix of kernel/userspace programs/GUI apps that just *works* straight out of the box. I don't mind supporting a company that provides exactly what I want and means I have to do less work at the end of the day in order to get it running... my time is money... and if their distro saves me even two hours a day by easing configuration and installation, it deserves some financial recompense.
Before all the GPL stalwarts start getting their flamethrowers out and attempt to give me a good roasting - the GPL prohibits charging for software under its license (except for duplication costs).
But, what if I *want* to pay for GPL software ?
Does the GPL take away my freedom to pay for software that I think is of commercial quality; so I can give the authors something to show my appreciation for their efforts ?
It also helps Mandrakesoft determine what people use their product for and helps them concentrate development on those parts that people appreciate the most.
As Mandrakesoft have already said, donations are entirely voluntary. So why the hell did this make the Slashdot front page ?.
Because anybody that uses a hosting provider who cheerfully admit that they themselves don't even know what they are running on their servers as an operating system really needs to seriously consider the technical competence of the admin(s) running the servers!
Glide was an API that was fully open to anybody that cared to develop for it; only the libraries were closed source... except that changed when 3Dfx open-sourced it.
I downloaded a free SDK for Glide when I bought my original Voodoo1 and couldn't find any license restrictions (apart from the usual 'do-not-reverse-engineer-this-code' paragraphs!), so no, it wasn't proprietary. You can liken it to DirectX if you want, the includes/libraries are freely available from Microsoft, but you can't actually get the source to see how the runtime really works.
A proprietary API such as 'undocumented' Win32 calls is completely different to a proprietary standard which is only used by one company's products. Anybody can write Glide code, just don't expect it to run on anybody elses cards but 3Dfx's.
If Glide is so bad, why did Creative go to all the trouble of writing a 100% compatible Glide wrapper for Windows 95/98 machines using nVidia cards ? (see here if you want more info)
Additionally, when 3Dfx introduced Glide, DirectX was just a twinkle in Billy G's eye, and most people ran their games under DOS. Therefore, it was logical that 3Dfx, as the market-leader, created an API that made it easier for developers to write for their cards... it's called 'looking after your own product'.
I didn't buy the Voodoo5 5500 so I could get shit-hot-masturbatingly-high frame rates on Super Kill'em Up XII; I bought it because it was the *fastest* 3D card available with the best (but not necessarily complete) support under Linux without the drivers crashing every five minutes.
So, nope, by buying a Voodoo5 I was supporting a company that has provided me with a stable graphics platform for the past three years and quick response times to driver bugs; compare that with a company that refused to answer my e-mails and is completely unresponsive to calls to open up the specs of their chipsets.
As for support, I have full 3D, extremely fast 2D, ability to run Glide stuff (although I only use this with certain apps) and the warm fuzzy feeling that I can run multiple OpenGL apps on my display without worrying that it is gonna crash!
Your comment says a lot about supporting open-source, doesn't it ?
I purchased a Voodoo5 5500 not because I saw 3Dfx commercials (I'm in the U.K. and we don't get them); but because they allowed Daryll Strauss (who implemented Glide for Linux) to open-source his code and 3Dfx provided XFree86 developers with full documentation for the whole Voodoo range.
Which is more than nVidia have done; and which is why you will find full and comprehensive support for *all* Voodoo cards in XFree86 4.0x - and that is more than you get with nVidia; who are always a full XFree86 release behind with their 'closed-source' drivers!
I got rid of my TNT2 when I found out that nVidia couldn't even be bothered to support the XRender extension with their 0.9.5 driver release and nobody at nVidia would reply to my e-mails asking if/when it would be supported. The XFree86 2D-only support provided support for XRender but then I couldn't use the 3D acceleration of the TNT2 for anything.
Indeed, my computer doesn't crash now while playing Unreal Tournament using OpenGL with the Voodoo5 - why ? - because nVidia's drivers don't fully support SMP and freely admit in the driver README file that it can cause random lockups on SMP machines.
Add to that the number of problems people have been experiencing with these drivers, enough to add comments to the Freshmeat project page here.
If I am going to experience random lockups while using my machine; then I might as well be running Windows:-P
P.S. No, j00 d0n't 0wn a11 u5 3Dfx u53r5, nVidia does (seeing as though they bought out 3Dfx), so get yer facts straight!
Slashdot Mirror
I have an AMI MegaRAC G2 installed in one of my co-lo servers at The Planet (Dallas, TX).
It is a standard half-length PCI card that is a looks like a ATI Rage XL graphics card to the host operating system with a VGA connector on the back of the card in case you really need to hook a monitor up to it.
(you do need to be able to disable the onboard VGA on the server - if it has it)
The real magic is with the cards' mini USB connector - cable it up to any USB port on the server and the card will emulate a USB keyboard, USB mouse and a USB CD-ROM (great for operating system re-installs if you prefer Windows!).
On the internal side, the card has a feature connector that allows 'pass-thru' to the servers' reset and power jumper pins.
Because of the feature connector, the card can perform a proper hardware reset and power-cycle via 'pass-thru' to the server PWR_ON/RESET pins if the server manufacturer actually has bothered to put standard pins on their server board like most OEM motherboards have - the card can survive short power outages with the aid of its' dinky onboard battery that can last 30 minutes without power.
My only bugbear with the G2 is that it has a horrible tendency to fall over if it is 'unprotected' from the Internet - if you can protect it from unwanted traffic by ACLs on an upstream router, I can heartily recommend it.
The G3 is meant to have an onboard firewall but my e-mails to American Megatrends over the last few days have been rudely ignored.
Another thing...
The firmware for both cards is based on uClinux and various other GPL'd softwares... no mention of any source on American Megatrend's website although they do quote the GPL license on their download page.
So to sum up:
High-quality card.
Average firmware.
Manufacturer has piss-poor GPL attitude.
Manufacturer has tendency not to reply to e-mails.
I hope this information is helpful to at least some readers.
Created on: 04-OCT-04
Expires on: 04-OCT-05
Last Updated on: 04-OCT-04
Obviously, SCO feels that they aren't going to be around after this date... or one would think they would at least have bothered to splash out the extra cash for a 2-year reg rather than just a 1-year reg.
The Linux versions of all Checkpoint products (FireWall-1 4.1, Checkpoint NG) achieve their functionality by means of a binary module which is loaded into the kernel at runtime. This is expressly permitted by Linus as an exception to the GPL license which ships with Linux.
Of course, Checkpoint also produce their own cut-down version of Red Hat Linux 7.0 (known as SecurePlatform) which is designed to turn any standard PC into a fully functioning Checkpoint NG install with the minimum of effort.
The copy of the GPL license contained in the root of the CD filesystem asks that you e-mail gpl-source@checkpoint.com for instructions on where to obtain the source.
I did so... and within 24 hours, I received a password-protected login to a Checkpoint FTP server which contained all the relevant source RPMS (and the Checkpoint-written patches) for SecurePlatform.
So, the answer is no - to the best of my knowledge Checkpoint have not violated the GPL.
I only discovered this by running 'strings' on the firmware and found references to uClinux and a variety of other GPL stuff.
There is NO mention of the GPL in the product manual or on the packaging which contains the CD with a backup copy of the firmware.
I asked for copies of any GPL sources (and associated changes) which the MegaRAC G2 used - to their credit, I received a very nice diff which only covered changes to files which already exist in the uClinux distribution.
Unfortunately, those changes include the addition of header files which the modified kernel relies on - header files which I wasn't given and further requests for them have been ignored. So, even with the 'source' which I was given, I can't use it to produce an identical binary as to that contained in the firmware image which was supplied to me.
For those readers who are interested in purchasing one or more MegaRAC G2s, I suggest you ask your AMI dealer why it took them over eight weeks to patch a vulnerability which allowed *any* remote user to gain full access to the system console and also why the product is prone to frequent hangs which are not recoverable unless you unplug all power from the server and card until the onboard battery drains.
The vulnerability is so simple to exploit - start up the GTK+ remote console utility that came on the CD and point it to the IP address of any MegaRAC G2 card.... that's it. No prompt for a username or password. Nothing. Instant console access.
Another host (i.e. your firewall) can perform the opportunistic encryption on behalf of hosts which are situated behind it ('protected' network).
Like so:
1.2.168.192.in-addr.arpa. 86400 IN PTR host-1.internal.example.com.T 8/brFphT36NAZPATajiFC7rT8c7406HCOphVHkMA79BfwPNGX5 kFDfL0kF7aD5YWlXQZdN+vX5uQVPxs7ogECKKd8ftGPNbmarzD 8T0YvnTpgh8F1R7Svot9VIjT1xLR4cD9b4Vy4h9CvgOmSMR9p6 TShKnPAfO2I6G3y3TsykeLi3feExMGs+Tsf9EkLG8schHf89Uq p0eB" "09oQCr3wDtB0Hzk3FzvKhCtuNxStzwWOrlAsHzTx5gZIM780r iEjk7S02WSS5QGl+m73fKWnvcIGUtrZkLCoGhlOxGI+bDAjJf8 x0GMUkK3Xw/nPVh"
T 8/brFphT36NAZPATajiFC7rT8c7406HCOphVHkMA79BfwPNGX5 kFDfL0kF7aD5YWlXQZdN+vX5uQVPxs7ogECKKd8ftGPNbmarzD 8T0YvnTpgh8F1R7Svot9VIjT1xLR4cD9b4Vy4h9CvgOmSMR9p6 TShKnPAfO2I6G3y3TsykeLi3feExMGs+Tsf9EkLG8schHf89Uq p0eB" "09oQCr3wDtB0Hzk3FzvKhCtuNxStzwWOrlAsHzTx5gZIM780r iEjk7S02WSS5QGl+m73fKWnvcIGUtrZkLCoGhlOxGI+bDAjJf8 x0GMUkK3Xw/nPVh"
1.2.168.192.in-addr.arpa. 86400 IN TXT "X-IPsec-Server(10)=1.2.3.4" " AQOyyasaWR008nNRlK9ldRo6ZsbvLXVajgHc1rjrkqIq9hu70
1.2.168.192.in-addr.arpa. 86400 IN TXT "X-IPsec-Server(20)=5.6.7.8" " AQOyyasaWR008nNRlK9ldRo6ZsbvLXVajgHc1rjrkqIq9hu70
Your internal hosts require TXT records adding to their relevant .in-addr.arpa zones which tell the remote gateway that another machine is responsible for opportunistic encryption. The remote gateway will encrypt packets to that host (i.e. 1.2.3.4), at that point, the packets will be decrypted and can be safely inspected for nasty stuff like Nimda, Code Red or the latest M$ worm currently doing the rounds on the Internet.
You can even specify multiple IPsec gateways in case there are several entry points into a network, like the above (just like MX records) - for purposes of failover, etc, etc.
So, what you say about removing the option of network level filtering - not strictly true. It totally depends on how you implement opportunistic encryption on your network.
I only mention this as I was a student at the above and silent password logging TSRs were rampant on their network.
Oh yeah, and their entire collection of staff/student mailboxes and the mailspool were made available via an anonymous read/write network share if you knew enough about Novell Netware to manually map a drive.
To clarify, Boston (in Massachusetts, United States) was named after Boston (in Lincolnshire, United Kingdom) - more information can be found here.
Yep, 'ACME Toothpick Co.' was definitely Galactix.
I even think this is the game that cdipierr is talking about - it even had the opening and closing 'doors' - if you can call them that!
Tyrian ?
It was originally distributed by Epic Megagames (of Unreal Tournament fame) but I don't know who has the rights to it now.
This is *definitely* one game which I would buy again if it was updated to run on Linux (or worst case, Win32).
This is what any prospective spammer gets when he hits my SMTP service.
If they don't like these terms, they can just disconnect and bother somebody else.
220-xxxxxxx.xxxxxxx.xxx ESMTP
220-
220-This system is located in the United Kingdom and access is governed by
220-the Computer Misuse Act 1990.
220-
220-All users connecting to this service must comply with the Acceptable Use
220-Policy found at http://xxxxxxx.xxxxxxx.xxx/pages/aup.php. Hostile attacks
220-against this system will be reported to your ISP and the relevant legal
220-authorities.
220-
220-Anybody wishing to send UBE/UCE to a mailbox on this server does so with
220-the understanding that I reserve the right to claim £50 (or the monetary
220-equivalent in native currency) per message from the sender.
220-
220-By sending mail through this server, you waive all confidentiality claims
220 in the message and grant reproduction rights to the recipient.
This is an easy one.
/Microsoft\ Exchange/ REJECT We do not relay messages for Microsoft Exchange servers. /with\ Internet\ Mail\ Service/ REJECT We do not relay messages for Microsoft Exchange servers.
Most of my customers run Microsoft Exchange and typically don't configure it properly. I can honestly say that over 75% of the open relays which I have had to temporarily firewall from the Internet have been running some variant of Microsoft Exchange.
As all of these customers are using some form of permanent connectivity (not dialup), they have no real need of a smarthost. A smarthost, for those of you who don't know, is normally provided for machines which don't have the ability to relay themselves or for a mailserver connecting via dialup.
In the latter case, it is quicker for a user with a 56k modem to send at full speed to a smarthost which sits on their ISP's network and then disconnect from the Internet rather than wait several hours for the heavily-loaded ISDN line that the remote site is using to get around to accepting the mail.
In any case, as these customers had permanent connectivity, I configured Postfix to reject based on headers:
The first regexp catches Microsoft Exchange 2000 - the second catches all other Exchange versions which are in common use today.
The machine is strictly an outbound relay only - so it doesn't reject incoming mail from other Microsoft Exchange users. It has cut abuse reports by well over 60% regarding spam complaints which claim that the our smarthost is a spam conduit and this policy has only solicited complaints from a few customers who are convinced that Microsoft Exchange cannot relay to the Internet without a smarthost.
Of course, the other thing you can do is run up a simple script which will go through your MTA logs and automatically scan for open relays on those IP addresses which have connected to it over the last 24 hours. Some people might argue that this in itself is an invasion of their network but personally I see nothing wrong in an ISP ensuring that customers using its' smarthost are operating within full compliance with their AUP.
P.S. Customers who object to this policy are advised that they can 'opt-out', however, we still test if we receive a spam complaint with full headers implicating one of their servers.
If that server in their IP address space is verified to be open - we reserve the right to block all inbound SMTP into their address space from the rest of the Internet.
I know that a lot of people will condemn this policy - except that we have only had two people give us grief over it. Even then, they calmed down when they had it explained to them why open relays were a bad thing for the Internet in general. We are happy. Our customers are happy.
Case closed.
Two words - "original packaging".
Besides, most manufacturers won't repair a damaged TFT if it is damaged while in transit and the manufacturers' recommended precautions about using a container designed for the task haven't been followed.
Yet another reason to hang on to those boxes, kids!
2:) I only wish I was trolling.... I have better things to do than write a shitload of fictional bad-mouthing against Apple for the amusement of others. The Apple techs didn't even bother booting the machine up to test if writing a CD worked (their own admission). Maybe I should say that writing a CD works but it cannot be read in anything afterwards - I have tried cdrecord on Mandrake 8.2/PPC, Toast on MacOS 9 and MacOS X and even iTunes.
Yes, I have tried writing at 1x and even using a variety of CD-R and CD-RW media... trust me... the drive is screwed.
3:) MacOS X only runs on Apple hardware. Therefore, those readers who advocate the use of MacOS X over Linux and FreeBSD are logically the owners of Apple hardware. If the response I received from Apple Technical Support is typical of that company, I can only pity those readers for being customers of such an uncaring corporate.
My original post is the absolute truth and I stand by my words.
Repeated visits to the retailer over this period resulted in repeated denials of the fault (even though the display model in the store also suffered from a fault with the CD tray door). In the end, I sent the machine back to Apple in disgust.
Result ? - apparently it is 'within acceptable specifications' to have a CD tray door that does not close properly - therefore it was sent back to me in exactly the same state. Numerous complaints have been made by other users on the discussion forums at http://www.apple.com/support/ but as far as Apple are concerned, there is no fault.
So, to all of you readers who are forever praising MacOS X and its' so-called superiority over Linux and FreeBSD - I pity you. How can you support a company that will quite happily take £1,700 ($2470 USD) and supply a piece of hardware that clearly isn't manufactured to do the job which it is advertised for ?
The support is terrible - why the fuck do I always buy hardware from companies who seem to think that running their 'Diagnostic CD' will fix problems such as broken CD trays, power supplies with smoke coming out of them and monitors which flicker red at the slightest vibration ?
Considering the fact that I absolutely hate lawyers, I have been left with no choice by Apple to call mine and threaten them with legal action over the Sale and Supply of Goods Act 1994 (I live in the UK).
I sincerely hope that I can do 'em over on false advertising - as in iTunes marketing slogan 'Rip.. Mix.. Burn'.
I can rip... mix... but how can I burn anything on a drive which doesn't even f***ing shut properly !?!?
Anybody else here who isn't satisfied with the build quality of their Apple iBook ?
2002-03-20 08:58:41 ORBZ shut down in response to legal threats (articles,spam) (rejected)
List: mandrake-cooker
Subject: [Cooker] 8.2
From: Warly <warly@mandrakesoft.com>
Date: 2002-03-15 18:07:56
[Download message RAW]
I am in the process of building the final 8.2 isos.
These isos will be tested this week-end, and released on Monday if OK.
As a consequence if you find some free minutes this week-end and test all the uploads that have been done today, and report any regression, that would be quite a great help.
--
Warly
The original can be found here.
This won't work if somebody has sent you a message by way of BCC (Blind Carbon Copy).
I don't think anybody can deny that the 24/8 netblock contains the biggest source of DoS attacks, open relays, warez FTP servers, Nimda-infected boxen, open SOCKS proxies, Usenet spammers, and the largest army of zombies (trojan-infected PCs) on the Internet today. You are quite correct about not everybody on @home being a moron... a lot of my friends in the U.S. use @home as their service provider... but they knew this was coming and decided to change to something else (even dialup) before the big switch was flicked!
I laugh in your general direction.
Would you want DSL from these people ?
BT's Colossus's knees wobble
UK hit by major ADSL outage
Did I point out that I don't need a measly 512kbit/s of bandwidth at home because the company I work for has a 155Mbit/s pipe ? - perhaps I should laugh in your general direction that at the time I write this my connection will work in the morning and yours will not :-p
My connection gets used for just two things: remote login to other machines and multiplayer gaming. You get lower latencies with ISDN than you do with cable.. so even if you offered me a cable modem, one, I don't need the bandwidth and I don't need the higher latencies a cable connection would give me.
I don't find any of this particularly funny, but everybody who reads this forum knows that Excite@Home has been teetering on the edge for some time... if you haven't made suitable arrangements for a replacement service provider, then tough nuggies to you.
PS: Please die
Sorry. I don't do requests.
PPS: In the likely event that you decide to respond because you need to defend your manly-hood, dont bother, I will not read it. I am not here to have a conversation, just pointing out that you are a moron.
Too bad. I didn't read your pathetic notice until I got to the bottom of your equally pathetic reply. If you don't want to read my reply then that is perfectly okay with me... the whole point of a discussion forum is that people share thoughts and ideas... you didn't bring much to this discussion and you just happen to reinforce my view of the typical @Home user (apologies to all those who don't fit that category and actually have a clue on how to secure an Internet-connected machine).
Thank you.
As far as I am concerned, it finally looks like abuse@home.come has made good on its promise to terminate the service of the abusers (as well as their other users.. unfortunately). A bit extreme, yes, but at least my machines will have smaller firewall logs!
If it was any other provider, yes, I would sympathise with the other subscribers who will be losing their IP connectivity - however, I have heard enough of the Excite@Home users on Slashdot criticize their own service provider to be able to counter any flames this post may encourage.
As someone who handles all the abuse@ e-mail for a reasonably-sized UK ISP; I have yet to receive any kind of intelligent reply from my counterparts at Excite@Home regarding any of the incidents I have forwarded to them. Complete and utter fuckwits.
You want an open WinGate to launch a DoS at a network of your choice ? - Excite@Home has loads!
You want an open M$ SMTP service to relay your spam through ? - Excite@Home has thousands!
As a part of the global Internet community, they bring more problems than what they are worth to exchange traffic with.
Admittedly, I may only have experienced unfriendly behaviour from a minority of their users, but from I have seen of Excite@Home and their technical competence.. for the rest of you who are still using them as an ISP - I have four words for you....
FIND A BETTER ISP!
Plus, before you whinge and moan that cable is your only broadband option... I will just point out that I am still using dual-channel ISDN (128kbps up/down) and I wouldn't switch to DSL if my telco gave it to me for free... their service is shit but at least they can do ISDN right.
Call me pedantic, but I would rather have a reliable service than a we-are-down-99%-of-the-time-but-we-are-mega-bloody -fast-the-other-1%-of-the-time type of service... which is the kind of impression I have been given from the recounted experiences of most Excite@Home subscribers that I have spoken to.
My upstream ISP (Demon Internet) is a participant in the 6bone network; so I e-mailed their 6bone contact and requested a small allocation of IPv6 addresses with which I could use on my internal network (all Linux; therefore all capable of IPv4).
I received no response from them whatsoever after three seperate e-mails. I *want* to switch away from IPv4, but my upstream ISP won't let me, while they are making out to the outside world that they are 'spearheading' the IPv6 revolution by announcing that they are a member of the 6bone.
Yes, I have considered applying to other 6bone networks, such as JANET and other UK ISPs, but my upstream ISP would have been ideal for my IPv4IPv6 tunnel (zero routing overheads). Besides, it is a matter of principle.
Anybody running a 6bone site reading this care to comment ? - before you say it, yes, I fulfil the criteria for joining the 6bone (according to http://www.6bone.net/ anyway).
It does not show up when attempting to telnet in to the machine.. just a basic 'Welcome to Linux Mandrake' blurb, etc, etc.
So copies obtained from #warez aren't vulnerable ?
Nice to know that n4u9h7y w4r3z is useful for summat :)
Until Mandrakesoft put up their 'Donations' page; I had not paid Mandrakesoft a single penny for their services - unfortunately there is no incentive to buy a boxed distro when you already have the software on freshly-burnt CD-R's.
(I know about Mandrake Powerpack - but it offers nothing that I cannot get elsewhere)
When I consider that I could potentially spend the equivalent of seven day's wages on a license to run Windows 2000 Advanced Server; it makes me feel guilty that I can download a significantly superior operating system from the Internet for next to nothing.
I have no objection to paying Mandrakesoft the same amount of money I would be paying to Microsoft in order to keep up to date with their 'latest and greatest' piece of crap. Here is how my donations are distributed:
30% - Kernel
30% - Advanced Extranet Server
30% - Security/Crypto
10% - No preference
I am only contributing to the development of the software I use; so in the end, I will benefit from the my donation and the donations of others... personally I don't see what the problem is ?
I am tired of reading that people should 'expect' Linux distributions to be free - excepting Debian (which is produced for the community by the community); most other distributions are produced by large corporates like Red Hat and Mandrake. I don't think many people understand the work that goes into producing a mix of kernel/userspace programs/GUI apps that just *works* straight out of the box. I don't mind supporting a company that provides exactly what I want and means I have to do less work at the end of the day in order to get it running... my time is money... and if their distro saves me even two hours a day by easing configuration and installation, it deserves some financial recompense.
Before all the GPL stalwarts start getting their flamethrowers out and attempt to give me a good roasting - the GPL prohibits charging for software under its license (except for duplication costs).
But, what if I *want* to pay for GPL software ?
Does the GPL take away my freedom to pay for software that I think is of commercial quality; so I can give the authors something to show my appreciation for their efforts ?
It also helps Mandrakesoft determine what people use their product for and helps them concentrate development on those parts that people appreciate the most.
As Mandrakesoft have already said, donations are entirely voluntary. So why the hell did this make the Slashdot front page ?.
RedHat Linux 2.0.34 ?
Glide was an API that was fully open to anybody that cared to develop for it; only the libraries were closed source... except that changed when 3Dfx open-sourced it.
I downloaded a free SDK for Glide when I bought my original Voodoo1 and couldn't find any license restrictions (apart from the usual 'do-not-reverse-engineer-this-code' paragraphs!), so no, it wasn't proprietary. You can liken it to DirectX if you want, the includes/libraries are freely available from Microsoft, but you can't actually get the source to see how the runtime really works.
A proprietary API such as 'undocumented' Win32 calls is completely different to a proprietary standard which is only used by one company's products. Anybody can write Glide code, just don't expect it to run on anybody elses cards but 3Dfx's.
If Glide is so bad, why did Creative go to all the trouble of writing a 100% compatible Glide wrapper for Windows 95/98 machines using nVidia cards ? (see here if you want more info)
Additionally, when 3Dfx introduced Glide, DirectX was just a twinkle in Billy G's eye, and most people ran their games under DOS. Therefore, it was logical that 3Dfx, as the market-leader, created an API that made it easier for developers to write for their cards... it's called 'looking after your own product'.
I didn't buy the Voodoo5 5500 so I could get shit-hot-masturbatingly-high frame rates on Super Kill'em Up XII; I bought it because it was the *fastest* 3D card available with the best (but not necessarily complete) support under Linux without the drivers crashing every five minutes.
So, nope, by buying a Voodoo5 I was supporting a company that has provided me with a stable graphics platform for the past three years and quick response times to driver bugs; compare that with a company that refused to answer my e-mails and is completely unresponsive to calls to open up the specs of their chipsets.
As for support, I have full 3D, extremely fast 2D, ability to run Glide stuff (although I only use this with certain apps) and the warm fuzzy feeling that I can run multiple OpenGL apps on my display without worrying that it is gonna crash!
I purchased a Voodoo5 5500 not because I saw 3Dfx commercials (I'm in the U.K. and we don't get them); but because they allowed Daryll Strauss (who implemented Glide for Linux) to open-source his code and 3Dfx provided XFree86 developers with full documentation for the whole Voodoo range.
Which is more than nVidia have done; and which is why you will find full and comprehensive support for *all* Voodoo cards in XFree86 4.0x - and that is more than you get with nVidia; who are always a full XFree86 release behind with their 'closed-source' drivers!
I got rid of my TNT2 when I found out that nVidia couldn't even be bothered to support the XRender extension with their 0.9.5 driver release and nobody at nVidia would reply to my e-mails asking if/when it would be supported. The XFree86 2D-only support provided support for XRender but then I couldn't use the 3D acceleration of the TNT2 for anything.
Indeed, my computer doesn't crash now while playing Unreal Tournament using OpenGL with the Voodoo5 - why ? - because nVidia's drivers don't fully support SMP and freely admit in the driver README file that it can cause random lockups on SMP machines.
Add to that the number of problems people have been experiencing with these drivers, enough to add comments to the Freshmeat project page here.
If I am going to experience random lockups while using my machine; then I might as well be running Windows :-P
P.S. No, j00 d0n't 0wn a11 u5 3Dfx u53r5, nVidia does (seeing as though they bought out 3Dfx), so get yer facts straight!