"If you haven't learned yet, don't use wu-ftpd (or sendmail, or BIND, or any number of other common widespread programs that are so scrutinized that they develop root exploits every other week)."
So, what you're advocating, then, is security by obscurity, in effect. I don't think that Sendmail, bind, etc. have security holes merely because they are more closely scrutinized--it's really more because they were written way back when in a more "gentle time" when authors didn't have to worry so much about stack smashing, buffer overflows, and all the other tricks so common today. These applications come from an older codebase--it's hard to retrofit secure programming practices onto older code. It's much easier to design with security in mind from the beginning. Consider the example of qmail as compared to sendmail. Where sendmail is basically one large, privileged binary that handles all aspects of mail delivery, qmail is actually a group of smaller, lesser-privileged binaries that each handle one specific component of the mail delivery process. Same goal, different philosophies, fewer root holes (I think none to date for qmail). As many other posters have pointed out, there are similar alternatives to wu-ftpd that were designed with security in mind from the beginning, and therefore simply don't have root holes to be discovered--no matter how closely they're scrutinized.
RPMs really aren't that big of a secret. They're basically just a cpio archive with some headers/install scripts included.
Use rpm2cpio (or have someone with RPM installed do it for you) to extract the source code and patches you need from the source RPM (SRPM) with this little trick:
rpm2cpio wu-ftpd-2.6.1-20.src.rpm | cpio -i
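The container format the post describes, as an added illustration (not code from the thread or from the rpm project): a small pure-Python reader that walks an RPM's lead, signature header and header, decompresses the gzip cpio payload that follows them and lists the members, flagging any member name that would write outside the extraction directory. The sample SRPM it reads is constructed in-line (the package name, tags and file contents are placeholders), and only the gzip compressor is handled; real packages may also use xz or zstd.

```python
"""Added illustration: walk an RPM's containers (lead, signature header,
header, compressed cpio payload) in pure Python and list the payload
members. The sample SRPM is constructed in-line so this runs offline."""
import gzip
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # header magic plus version byte
LEAD_SIZE = 96
RPMTAG_NAME = 1000
RPMTAG_PAYLOADCOMPRESSOR = 1125             # STRING tag: "gzip", "xz", "zstd", ...
RPM_STRING, RPM_INT32 = 6, 4                # index entry type codes

def _read_header_section(buf, off, pad8):
    """Parse one header structure at `off`: 16-byte preamble (magic, reserved,
    index count, data size), 16-byte index entries, then the data blob.
    Returns ({tag: (type, data_offset, count)}, data, offset_after)."""
    if buf[off:off + 4] != RPM_HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index_off, data_off = off + 16, off + 16 + 16 * nindex
    entries = {}
    for i in range(nindex):
        tag, typ, doff, count = struct.unpack(">IIII", buf[index_off + 16 * i:index_off + 16 * i + 16])
        entries[tag] = (typ, doff, count)
    end = data_off + hsize
    if pad8:                                # the signature header is padded to 8 bytes
        end += (-end) % 8
    return entries, buf[data_off:data_off + hsize], end

def parse_rpm(blob):
    """Return package name, whether it is a source RPM, the payload compressor
    and the raw (still compressed) payload bytes."""
    if blob[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    _major, _minor, pkg_type = struct.unpack(">BBH", blob[4:8])   # type 1 == source
    name = blob[10:76].split(b"\0", 1)[0].decode("ascii", "replace")
    _sig, _sigdata, off = _read_header_section(blob, LEAD_SIZE, pad8=True)
    hdr, hdrdata, off = _read_header_section(blob, off, pad8=False)
    compressor = "gzip"                     # rpm's default when the tag is absent
    if RPMTAG_PAYLOADCOMPRESSOR in hdr:
        _typ, doff, _count = hdr[RPMTAG_PAYLOADCOMPRESSOR]
        compressor = hdrdata[doff:].split(b"\0", 1)[0].decode("ascii")
    return {"name": name, "is_source": pkg_type == 1,
            "compressor": compressor, "payload": blob[off:]}

def list_cpio_newc(data):
    """Return [(name, mode, size)] for a SVR4 'newc' (070701) cpio stream."""
    members, pos = [], 0
    while True:
        if data[pos:pos + 6] != b"070701":
            raise ValueError("bad cpio magic at %d" % pos)
        f = [int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]          # field order per newc layout
        name = data[pos + 110:pos + 110 + namesize - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return members
        members.append((name, mode, filesize))
        data_start = pos + 110 + namesize
        data_start += (-data_start) % 4     # name is padded to a 4-byte boundary
        pos = data_start + filesize
        pos += (-pos) % 4                   # ... and so is the file data

def unsafe_member(name):
    """True if extracting this name would write outside the target directory."""
    return name.startswith("/") or ".." in name.split("/")

def list_srpm_members(blob):
    info = parse_rpm(blob)
    if info["compressor"] != "gzip":        # xz/zstd payloads are left out of this demo
        raise NotImplementedError("payload compressor " + info["compressor"])
    return info, list_cpio_newc(gzip.decompress(info["payload"]))

# --- constructed sample SRPM (placeholder name, tags and contents) ---------
def _cpio_entry(name, content, mode=0o100644):
    nm = name.encode() + b"\0"
    fields = (1, mode, 0, 0, 1, 0, len(content), 0, 0, 0, 0, len(nm), 0)
    out = b"070701" + "".join("%08x" % v for v in fields).encode() + nm
    out += b"\0" * ((-len(out)) % 4)
    out += content
    return out + b"\0" * ((-len(out)) % 4)

def _header_section(entries, pad8):
    index, data = b"", b""
    for tag, typ, value in entries:
        index += struct.pack(">IIII", tag, typ, len(data), 1)
        data += value
    out = RPM_HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data
    return out + (b"\0" * ((-len(out)) % 8) if pad8 else b"")

def build_sample_srpm():
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 1, 1)
            + b"wu-ftpd-2.6.1-20".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)
    sig = _header_section([(1000, RPM_INT32, struct.pack(">I", 0))], pad8=True)  # dummy RPMSIGTAG_SIZE
    hdr = _header_section([(RPMTAG_NAME, RPM_STRING, b"wu-ftpd\0"),
                           (RPMTAG_PAYLOADCOMPRESSOR, RPM_STRING, b"gzip\0")], pad8=False)
    cpio = (_cpio_entry("wu-ftpd.spec", b"Name: wu-ftpd\n")
            + _cpio_entry("wu-ftpd-2.6.1.tar.gz", b"tarball placeholder")
            + _cpio_entry("../escaped.txt", b"x")              # hostile name for the check
            + _cpio_entry("TRAILER!!!", b""))
    return lead + sig + hdr + gzip.compress(cpio)

if __name__ == "__main__":
    info, members = list_srpm_members(build_sample_srpm())
    print("%s  source=%s  compressor=%s" % (info["name"], info["is_source"], info["compressor"]))
    for name, mode, size in members:
        note = "  <-- would escape extraction dir" if unsafe_member(name) else ""
        print("%6d  %06o  %s%s" % (size, mode, name, note))
```

The point of the listing pass is that the pipeline in the post writes wherever the member names point: `cpio -i` run as-is will honour `..` components and, without `--no-absolute-filenames`, absolute paths, so an SRPM from an untrusted mirror should be listed (or extracted into a scratch directory as an unprivileged user) before anything is trusted from it.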
You have to make it work first for proof of concept, then figure out how to make it secure.
I disagree. It's far easier to maintain security if something has been developed with security in mind from the beginning. Trying to retrofit security onto an application/system/protocol/network/whatever is a slow, painful, and usually impossible process, especially if the source code isn't available and the developers have retired/died/moved on.
I don't even think a lot of *existing* applications would run...
Yes, I've seen this before. In a university environment I used to work in, we tried to lock down the registry...we had to make so many exceptions for various applications that required full registry access to run (scary), that by the end of the semester we gave up on locking down and went back to rebuilding the systems nightly (which introduced a whole group of other messes...)
Is larceny a felony? I believe you can only make a citizen's arrest for a felony-level crime.
So, I click to read more about this story, and I get a NuSphere Mysql banner ad at the top. Heh.
Try thinking about a wedding reception, do you see them playing mp3's at the ball?
Depends on the D.J. you hire. Many of the semi-formal and even formal functions I've attended in the past two years have used professional D.J.s. It used to be that you'd see these guys lugging in box after box of vinyl or CDs. Now, it's a laptop or desktop with tons of storage chock full of MP3s. One guy was pretty good at the last function I attended. He would challenge the crowd to come up and search his MP3 database for a song he didn't have. I think he was stumped only about 5 times the whole night. I bet he went home and filled in those 5 little gaps in his collection that very night. Next time, he'll be able to provide those requested songs, and with each new gig he plays, he gets more and more suggestions for bettering his collection.
Since my upgrade to RH 7.1, try as I might, I cannot get the RHN to work from behind an HTTP proxy. Yes, I've set the http_proxy env variable and modified the appropriate files in /etc/sysconfig/rhn to reflect the correct proxy information.
From home with a direct connection, I have no problems.
In terms of server load, how does rsync compare to ftp or http on large file transfers like these ISO images?
Anyone know of a decently connected rsync mirror?
Just remember, any programmer could do a System Admin's job, but we have better uses for our time.
Yeah, right. Developers are the ones who like to assign null passwords and "chmod 777" everything so that annoying little things like system security and permissions don't get in the way of their code-monkeying. Of course, once they get root'ed, or someone recursively deletes an entire code tree that was mode 777, who do they turn to for salvation? The sysadmin.
Pardon the nit-picking, but...the correct title is Perl for System Administration, not "Perl for System Administrators".
I seem to recall someone on the Tower-Talk (Ham Radio) list mention something about using passive RF directors run from inside to the outside of buildings, underground tunnels, etc. It was basically coax with holes in the shield used to provide a passive RF path to the outside.
...but recently, I've come to the realization that I don't type a whole heck of a lot, compared to some others. Maybe because I'm a sysadmin, not a coder, but...I seem to spend most of my time reading/surfing/researching solutions, not actually typing.
On big typing days, however, I do find the wrists getting a little sore, so I try to keep things positioned properly to minimize the damage.
I know what you mean about trying to find decent desks. Most seem to be geared toward the "single-keyboard secretary" user. I have three keyboards (need to get the employer to spring for a KVM switch, I guess). I notice I get a little more distressed when I'm using one of the keyboards on the desktop instead of the little pull-out keyboard tray.
Unfortunately, the radio spectrum is a limited resource, at least at the current level of radio frequency (RF) technology. It would be great if the wireless industries would look into expanding into new technologies and bands that have never been seen before...but...at least in the last few years, the method used by commercial interests has been to lobby (read: bribe) Congress for permission to encroach upon amateur radio allocations. Eventually, I suspect the amateur radio spectrum will be chipped away by commercial interests with millions of dollars to throw around. Random musing: Didn't I hear somewhere that the FCC is having some trouble collecting the money promised by the cellular/wireless winners of the spectrum auctions?
The Twin Cities Linux Users Group hosts social gatherings frequently. Check it out.
If the Electoral College was a ...
...software system which looked great, performed for twenty years without fail, and then suddenly crashed, fucking up lots of valuable data, would we still use it?
No, better yet: We would run to the new system (the implementation of which probably caused the old system to crash in the first place) with open arms, eagerly shedding all vestiges of the older, reliable system in favor of the new one which crashed much more frequently, but had lots of pretty colors and pictures for the masses to gawk at.
Don't believe me? Please see: Windows NT.
...the product specifically asks if you want to email ALL of your email contacts. Maybe a lot of people just didn't bother to read the message...
Most of the truly non-technical users I've run across don't read pop-up messages at all. Rather, they seem to click wildly about, trying to get the annoying message boxes out of their way so they can get back to their E-Mail or web surfing.
I can't think of how many times I've asked people who call for help: "What did the message in the little window that popped up say?"
"I don't know, I just clicked on 'OK' until it went away," tends to be the inevitable answer.
If users aren't reading error, warning or informational messages, I guess there's not much any of us can do about it--how do you protect a user from their own carelessness?
So, even if Microsoft does ask "do you want to do this?", many users might end up shotgunning E-mail all over the place, and not even realize it.
Qmail works best with DJB's tcpserver. Much better performance, and easy to set up.
For me, nothing beats the Linux community's best support model: free E-Mail lists. Have a problem? Ask a question on the right list, and odds are you'll get several good responses in just a few moments that start out
"No problem. I just worked through this problem last week...here's what I did..."
Beats paid, per-incident-charge phone-support monkeys hands down every time.
Before everyone gets excited about doing this project, please take the time to understand that Amateur Radio is specifically prohibited from being used to carry commercial communications. Be mindful that what constitutes "commercial" communications is subject to interpretation. Note also that encryption *may* be prohibited under this regulation (No SSL for you!).
Here's an excerpt of the relevant federal regulation:
(a) No amateur station shall transmit:
(1) Communications specifically prohibited elsewhere in this Part;
(2) Communications for hire or for material compensation, direct or indirect, paid or promised, except as otherwise provided in these rules;
(3) Communications in which the station licensee or control operator has a pecuniary interest, including communications on behalf of an employer. Amateur operators may, however, notify other amateur operators of the availability for sale or trade of apparatus normally used in an amateur station, provided that such activity is not conducted on a regular basis;
(4) Music using a phone emission except as specifically provided elsewhere in this Section; communications intended to facilitate a criminal act; messages in codes or ciphers intended to obscure the meaning thereof, except as otherwise provided herein; obscene or indecent words or language; or false or deceptive messages, signals or identification;
(5) Communications, on a regular basis, which could reasonably be furnished alternatively through other radio services.
The full regulation can be found here.
Chuck Milam, KF9FR
I had plugged the printer into the UPS by accident and every time that sucker warmed up to start printing it would overload the power and shut down the UPS...
You might want to have a tech check out the UPS/batteries, etc. I've seen more than one UPS fry because a big laser printer was plugged into it. The UPS looks and acts fine as long as it has power, but the batteries don't hold a charge worth a crap. We figured that out the hard way during the next power outage.
Are you by chance running a Red Hat distribution?
Red Hat tends to do things a little bit differently; I believe it has to do with the initial ramdisk (initrd) setup they use to load modules on boot-up.
Check Here for the Red Hat-specific kernel building HOWTO.
So don't judge me by how effective my IT support team may or may not be.
Steven, while it may not be "fair", the fact remains that people will judge you by the web presence of the organization with which you have chosen to so closely identify yourself. Especially given the tone of your first post, where you basically sold yourself off as the expert that the experts came to for help, you should expect this sort of harsh judgment from a technical audience.
The current state of your organization's web presence needs to be fixed, or you need to stop including it in your user profile and postings. Until either one of these things happens, you will continue to be judged by your web site.
Lean on your IT people to pick up the ball they dropped and get things up to speed--a stale web site reflects poorly not only on you, but on all at jjjjulius.com.
Time to roll your own E-Mail system. Send and receive E-Mail at your Linux box directly. That's what I usually do. I rely on E-Mail for far too much to trust that the NT servers won't take a blue-screen vacation.