Slashdot Mirror


User: jroysdon

jroysdon's activity in the archive.

Stories: 0
Comments: 839

Comments · 839

  1. Re:erode Windows server how? on Red Hat Releases RHEL 6 · · Score: 1

    We use RHEL for mission-critical equipment. Equipment that can be down a day until someone can get around to restoring a backup uses CentOS (support laptops/desktops/servers, etc.).

  2. Re:2000 packages? 85% more code? on Red Hat Releases RHEL 6 · · Score: 1

    Nitpicking:
    RH6 (aka Red Hat Linux) came out in 1999.
    RHEL6 (aka Red Hat Enterprise Linux) came out today.

    Actually, there was no RHEL1 but the first version was actually RH6.2E, released in 2000, but still not the RHEL6 released today.

  3. About time on Red Hat Releases RHEL 6 · · Score: 1

    Finally. I've been running RHEL6 Beta on my new work laptop and was about to give up hope on this and literally was going to install Fedora 14 in the next few hours.

    I will be installing Fedora 14 for my personal laptops (two down last weekend, two to go. We're a family of 4 kids, 2 adults).

    But, instead I will be installing RHEL6 tonight for my work laptop and Friday for my work desktop (currently on Fedora 12, which is pretty much on par for the versioning as RHEL6). We've got spare EL licenses for servers not yet deployed, so I'll use those until CentOS 6 ships. Once it does, I'll side-grade and free up the EL licenses.

    Interesting, I've never heard of RHEL referred to as "RELL" as they do in this promo video: RHEL6 promo video

  4. Re:Phishing / spam is a terrible example on Why 'Cyber Crime' Should Just Be Called 'Crime' · · Score: 1

    They make it too easy to get credit based on stolen credentials. The banks should demand token based authentication for online transactions. There are solutions that will send a one time PIN to a smart phone so a separate dongle isn't even necessary.

    What you can do once you have had "identity fraud" committed against you is tell the 3 credit bureaus that this has occurred and that you require all new accounts to be verified over the phone.

    The downside is that you cannot walk into a store and get a contract-based cell phone or even Clear wireless without a credit check, so that means you have to wait a day for them to call (my experience). Some places turn it around right there on the spot (Verizon).

    But you have to have had "identity fraud" committed before they'll let you put that statement on your account.

    Both Citibank and BankAmerica offer "virtual" credit card numbers that you can use online. They expire in 1-2 months, and with BofA you can set a limit.

    An option like this in person would be nice, such that a store or restaurant can process your single transaction for a certain amount, but then after that the number be useless (stopping skimmers). If credit card companies wanted to get smart about fraud, this is what they'd do.

  5. Re:I'm sitting this one out on 'Cellphone Effect' Could Skew Polling Predictions · · Score: 1

    Find a decent candidate and do a write-in. A number of my votes went to write-ins.

  6. Re:Unstable on 33 Developers Leave OpenOffice.org · · Score: 1

    How long did it take for Ethereal "brand name" to be eclipsed by Wireshark? In the end, Wireshark is just a better name anyway, but perhaps that's just because it took over. Brand and name is only worth so much.

  7. Re:Parenting on Supreme Court Hears Violent Video Game Case Tomorrow · · Score: 2, Insightful

    The point of the first poster is that the phrase "Separation of Church and State" by Thomas Jefferson had nothing to do with keeping the church out of the state until 1947 when the Supreme Court re-interpreted the meaning of it. The phrase and concept previous to this meant that the state could not tell the church what to do or believe, nor that there was any established state denomination. The whole concept came about as the state in many cases would outlaw a specific denomination and only allow worship in a specific, state sanctioned, denomination.

    http://en.wikipedia.org/wiki/Separation_of_church_and_state_in_the_United_States#Jefferson.2C_Madison.2C_and_the_.22wall_of_separation.22

    To understand why this was so important you have to look back before the Constitution to the Colonies, most of which had an established state religion, and in some cases, the Dutch colony of New Netherland (New York) had even outlawed anything other than the Dutch Reformed Church and imprisoned people (Quakers).

    http://en.wikipedia.org/wiki/Separation_of_church_and_state_in_the_United_States#Colonial_support_for_separation

    This is so clearly seen in the fact that there is a Chaplain for both the Senate and the Congress, even to this day.
    http://www.senate.gov/reference/office/chaplain.htm
    http://chaplain.house.gov/

    The Senate Chaplain page sums it up:
    "Throughout the years, the United States Senate has honored the historic separation of Church and State, but not the separation of God and State."

  8. Google says 450 pages on CyberForensics · · Score: 1

    I'm not sure where they got their page count info from. Google shows it is 450 pages long:

    Google Shopping.

  9. Cluelessness abounds on Most Americans Support an Internet Kill Switch · · Score: 1

    I don't think anyone surveyed that said yes understood what they were talking about.

    That means you'd also be turning off phone and TV service to many people.

    For instance, I couldn't get cell service where I live, but VoIP works just fine as does my mini cell-site, which both require the internet to work.

    95% of my bills are paid online (only one local bill is left, and I'm actually part of the project rolling out e-billing by the end of this year), and soon to be 100%. Once that last one goes online, I'll be 100% paperless. All I get in the mail now, except that one bill, is junk mail. I literally check my mail once a month.

    The majority of the power companies buy and sell power online and have co-located services with companies to broker this. None of that will work without the Internet.

    A large portion of the power companies use the internet to read meters (via different cell technologies connected to specialized APs).

    Not to mention this isn't China. There is no "kill switch" and I think private businesses would fight tooth and nail against such a thing being installed. Short of declaring Martial Law, I'd think this would be way out of line.

    The best way to deal with any sort of problem is the way it is always done: let the Internet Engineers do their thing and solve it.

    The only thing the government can do is help make ICANN enforce the requirement that legitimate contact info be listed, and take away domains where they don't do this. If ICANN won't do this, take away their authority and give it to someone else who will.

    Make it so we can track down the legal entity who is in charge of trouble, even if the ISP/Registrar doesn't want to reveal it.

  10. Re:Not an ISP on Google Now Second-Largest ISP · · Score: 1

    Huh? Since when did UUNET/Verizon and Sprint stop being ISPs? I turned up circuits to both recently. They'll gladly sell you service, just call up and order a T1 or bigger.

    Just because you don't want to buy what they're selling doesn't make them not an ISP.

  11. Re:You've never run a big network I'd guess on Generic PCs For Corporate Use? · · Score: 1

    Com'on, how often do closet switches fail? And when they do fail, what can that local PC really do anyway? Edit an open document, but that's it, because nothing should be stored locally anyway, it should be on a server that is backed up. Email is on a centralized server getting backed up (you might have it cached on laptops, but still, nothing live happening). Realistically, how much work really takes place when your closest network switch goes down? You should have spares of those and it should take less than 30 minutes to swap it out (really, even less, but I mean from the first report to the completely replaced and config loaded for centralized backup, and all the physical patch cables replaced).

    No matter what sort of setup (centralized or not), you should have dual fibers to each switch, going to redundant upstream switches with redundant servers and uplinks beyond them.

    A single closet switch should cause 24 - 48 hosts to go offline, and that's it. No other switch should even be noticed if you're doing it right (or if the switch is not a hard fail, constantly rebooting or having some other odd problem, but then you should be using proper network monitoring equipment and able to pin-point that rather fast as well).

    Yes, I know what I'm doing. Been doing it a long time (12 years, CCNP, CCDP, CCVP, MCSE going back to the NT4 days), thousands of mid-range and dozens of enterprise-class customers.

  12. Re:Most Recent News Entry on North Korea Opens .kp Sites On the Internet · · Score: 1

    Too bad the god-like Kim Jong Il cannot rain manna down to feed his people, or feed his people, period.

  13. Some KP webservers from 175.45.176.0/22 on North Korea Opens .kp Sites On the Internet · · Score: 1, Funny

    175.45.179.68

    They appear to like RHEL:
    175.45.176.6
    175.45.176.7

  14. Re:Bit late to be news on Hole In Linux Kernel Provides Root Rights · · Score: 2, Informative

    RHEL was never affected. Red Hat BugID 630551 states:
    "This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5 as it did not include upstream commit 7034632d that introduced the problem. It did not affect Red Hat Enterprise MRG as the /dev/sequencer device file is restricted to root access only."

    Further, Red Hat states for CVE-2010-3080 that the commit upstream that brought the bug back was never allowed into Red Hat kernels:
    "This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5 as it did not include upstream commit 7034632d that introduced the problem."

    I guess you get what you pay for.

    I'll be curious to see in the next few days if downstream from Red Hat followed Red Hat's same kernel compile options. Some prominent downstream versions would be CentOS and Oracle's OEL.

  15. Re:hmm on Burglary Ring Used Facebook Places To Find Targets · · Score: 2, Insightful

    It's not anywhere near as straight-forward as that. Furthermore, peer pressure is difficult even with the best parenting.

  16. Re:hmm on Burglary Ring Used Facebook Places To Find Targets · · Score: 2, Insightful

    Yeah, because that is so easy to predict.

    Here's the thing, when you have kids, you end up friending a ton of people you know marginally. You also find out a lot of things that you can have talks with your kids about (not mentioning any names in those talks, just bring up the topic in general... "hey, what would you do if you found out some of your friends did such and such?").

    My kids don't have Facebook accounts, but most of their IRL friends at school and church do.

    But I think this shows that you shouldn't put anything online that you don't want to put right in front of your house. Don't put up a flier "gone out of town 3 weeks" on your front door and don't put it on Facebook either. Share the photos when you get back.

    Sounds like a good topic for me and my family to talk about at dinner tonight.

  17. Re:Driving Privilege on Convicted NY Drunk Drivers Need Ignition Interlocks · · Score: 1

    As I'm sure you know, it is not mandated a specific place that someone is ordered to go to, but rather at least one organization, whichever it may be, to get help. There are plenty, so don't be daft.

  18. Re:Driving Privilege on Convicted NY Drunk Drivers Need Ignition Interlocks · · Score: 1

    I'd go a step further. If they're so clueless as to get a DUI in the first place, that is not their first time driving drunk, it is just their first time getting caught, you need a more severe punishment.

    The next year they should have no license and pay to have one of these devices installed (so the rest of their family can still drive), and they should not be allowed to drive, period. They should have to show proof that they're taking the bus, taxi, or having a family member drive for them.

    After a next year of AA (which won't solve the problem, but at least can force them to go where they can get help), then they can petition to get their license back, having proven they've jumped through all these hoops showing they got rides another way, making AA meetings, etc.

    Should they fail to prove it, they might be facing jail time and/or be forced to pay for a PI to randomly watch them and report on what they're doing for the next year.

    I'm tired of all these whiners saying they don't want to be watched. No one wants to watch them, we just don't want to end up dead because people can't figure out how long not to drive after getting loaded.

    After 3 DUIs they should lose the ability to get a license for life, period. By the time they get their 3rd DUI, they've probably driven drunk at least a dozen times for each time they got caught, if not more.

    Just because they don't hit someone doesn't make this a victimless crime either - there are victims, all the time, and it is just a matter of time until they do hit someone.

  19. Re:Proves that certs are useless in the real world on EFF Asks Verizon Whether Etisalat Deserves CA Trust · · Score: 1

    My bad, as others pointed out in other threads here. Verizon owns GTE, which is a root CA in these browsers. GTE has issued the Intermediate CA to Etisalat.

    About the best thing you could do is use a VPN when in any places controlled by Etisalat and proxy your connection through that.

  20. Re:Revoke time on EFF Asks Verizon Whether Etisalat Deserves CA Trust · · Score: 1

    I agree 100% regarding SSL CAs should have been based on a DNS hierarchy.

    But there is nothing to stop that from occurring, now that the root is signed, dot-gov, dot-edu, dot-org, dot-biz, dot-us, and many other ccTLDs are signed and available for the domain owners to add their DS keys into the zone to establish a chain of trust from the root all the way down. Dot-com and dot-net are soon to follow in the next year.

    What is missing right now is extending that trust model all the way down to the stub-resolvers built into the OS and/or browser. While there have been a few add-ons, they're not well maintained, and a bit of a kludge (slow as well).

    SSH already has had the ability to verify host key fingerprint signatures based on DNSSEC (SSHFP records). I believe it won't be long until SSL/web browsers will have a method such as this. I could see Firefox being the first to do so, as they have no money ties, but time will tell.

    Before we didn't have DNSSEC implemented, and there was no incentive to add such a DNSSEC SSL Cert model to browsers. Now we finally do. Self-signed certs or self-issued CAs will be perfectly acceptable once browsers can verify them based on their DNS hierarchy, just as you are saying we should be using them. All it will take is having the root "." DNS trust anchor in your browser, and you'll never need another Root CA again, especially not from countries that are hostile and/or not trustworthy.

  21. Re:Proves that certs are useless in the real world on EFF Asks Verizon Whether Etisalat Deserves CA Trust · · Score: 1

    Etisalat is not in IE, Firefox, Opera, etc., but just devices managed by Verizon. But your point is still valid. CNNIC is in them all, and IMHO is not to be trusted.

    What's worse, unless you disable automatic Root Certificate Authorities, Windows XP SP2 and other versions automatically add them back in when there are updates, even though you deleted them. With Vista, you cannot even delete some Root CAs.

    Some criticisms here.

  22. Re:Will never deal with Paypal on Alternatives To Paypal's Virtual Credit Card Service? · · Score: 1

    I'd suggest using a US-based webproxy service so your web traffic appears to come from the US.

  23. Re:what is this .lnk flaw anyway? on Microsoft To Issue Emergency Fix For Windows .LNK Flaw · · Score: 1

    SCADA systems are the type of things that control nuclear reactors, power generation, power distribution, water distribution, and many more.

    For this reason the Siemens attack used a USB method, as typically SCADA systems are either heavily firewalled and/or air-gapped. Sneaker-net should be the only way to get into those networks when done right, and even then sneaker-net methods should be very restricted.

    Siemens HMI/SCADA.

  24. Re:Both wrong. on How IT Pros Can Avoid Legal Trouble · · Score: 2, Informative

    They could not just reset the password. The routers/switches were configured with "no service password-recovery" and could not just be reset. If they had been, it would have wiped out the configuration on all of the devices and all of the agencies depending on them would have been down.

    If the device configurations had been properly backed up and documented somewhere, this would not have been a problem (I don't know one way or another, but clearly no one in charge knew if they were or had enough of a clue). I didn't follow the case that closely, but even Cisco was involved and couldn't solve the problem (which is a good thing, you don't want a vendor to be able to recover a configuration in a situation like that).

    The point of a "no service password-recovery" is to prevent unauthorized access to a router/switch and configuration tampering. It is required in more secure environments, especially ones with FIPS and other requirements.

    no service password-recovery

    There is nothing wrong with "no service password-recovery", so long as you have the configurations backed up and others know where those backups are (documentation), such that if you are hit by a bus things can be properly maintained.

  25. Re:Somewhat reasonable on US Pirate Movie Site DNS Seizure Fail · · Score: 1

    The gTLD servers and Registries/Registrars for them are a far cry different than the Root servers. You could do with some educating yourself and get up to speed on just what the Root servers do, how they are maintained, and just who may make changes.

    For instance, the K.root-servers.net isn't even located in the US and is totally under physical control of the EU.

    Read up before you start saying just anything about the Root servers.

    I don't think the US would or even could make changes to the Root. For one, the international community would pull the plug on any control the US has over it, and second, the Operators themselves would not do so and take their responsibility a bit higher than Registrars.