The trick is taking an OEM XP disk installing from scratch and connect to the internet before getting patched.
In many cases your box will be borked before you've even downloaded your first update.
This is completely true, I've had to build a firewall specificially for rebuilds as our PCs get infected by other machines on our own network within a few minutes of power up.
Yeah I know, somewhere between posting the line that read "or allows binary only redistribution without including source code and modifications for commercial gain" went missing.
If you've been given a MSSQL based ASP app, its usually straightforward to port to postgres, as they have a similar feature set for most typical web bsaed apps.
The bridging support (with Spanning tree I believe), vlans and carp all make OpenBSD a rather wonderful bit of network glue. Its all polished, complete and and works out of the box (no kernel recompiles or add-on tools).
I've never had any stability problems with any operating system on typical loads, be it any BSD, Linux or Windows NT/2000/2003, that have not had a root cause directly related to hardware, drivers or noisy network links.
You cannot differentiate between operating systems based upon stability as they are all roughly equal.
Disks pop, UPS fries, ram goes bad, server accidently gets connected via phone cord, but never do servers spontaneously crash on well supported hardware.
An old x86 would in theory be fast enough for cell phones etc, whilst still being relatively low power.
The reason why other cpu's do so well in mobile phones is that they are in a physically SMALL package and have ALOT of integrated peripherals, ie. RS232 for SIM card, large built in flash memory, infrared and so on. which reduces the amount of support circuitry and cost.
The x86 was just not designed for this, all bolt on extras that have no place in a small unit.
As for economies of scale, equipment manufacturers all have their own requirements, so total requirements for a particular configuration will be in the millions rather than tens or hundreds of millions.
The truth of the low end microcontroller/processor market is that no one despite selling zillions of units to cell phones manufacturers is making a great deal of money and are unlikely to ever do as well as intel with their x86 line, as the margins are not there and the cell phone companies are always squeezing them hard (as they in turn are being squeezed by the phone service providers for cheapo handsets)
Its the month after christmas, debt levels in the UK will be high due to the christmas splurge, if you also consider that alot of people take time off around the christmas holiday which might either be unpaid or lower the amount of overtime it's easy to see that the average amount of debt will be higher.
People who are paid monthly are usually paid at the end of the month. So this will be the peak.
Credit card statements from the decmember spend will also be dropping on door mats.
Weather across the UK is fairly uniform and its been miserable for weeks.
MySQL is GPLed, GPL rules apply. So if you wanted to include MySQL as part of your product you can, as long as you provide source / modifications as usual.
If you wish to alter or integrate mysql and not use the GPL terms then you can then purchase a license to do this.
If you want to backup a database you either need to stop the database server prior to your backup or do a mysql_dump / pg_dump / whatever to get a clean copy of the database and then back that up. Anything else is asking for trouble.
If you are really interested in that level of uptime then you can usually justify the spend on an additional server, particularly if your old one has been running for 5 years and isn't on a proper maintenance contract.
>Linux doesn't have that great of support, it has some companies with for-fee support, but it doesn't have the support of hardware manufacturers. I'd rather have Windows level of support, you know, where drivers are just there.
Rubbish. Linux & BSDs offer true plug and play, for the most part if a piece of hardware is supported its auto-detected during boot with no driver required.
An interesting case in point is Knoppix and Thinstation both of these distributions auto-detect really well and Thinstation is amazing for a 13MB network boot image.
The BSDs in a roundabout way often support more hardware off the install disk due to far frequent releases (3 to 6 months or so).
If I bought a new PC today I'd have to wait for the _next_ release of windows for all my hardware to be supported out of the box. With FreeBSD I'd be waiting 2-3 months and in all likelyhood it would be supported by the previous release anyway.
Support for multi-media gizmos is of course excluded and I'm referring to server class hardware.
You've failed to mention the false positive rate. I've had sketchy performance so far with messagelabs SPAM checking, the false postive rate is so high that I've had to switch off all their SPAM checks.
If your serious about revoking admin then I guess you'll have to go through app by app and set permissions on the registry etc. yourself.
I can't imagine there are too many essential apps in use that are that old.
I quite agree with your comments though, the unix way of doing this is far better, although recent releases of windows are now emulating this behavior with documents and settings and HKCU.
We are not locking down our machines as such and we regularly pay the price for it. Thankfully we are slowly migrating over to terminal services which puts the control back over to us as oppose to the departmental IT guy.
If they _need_ local admin rights then charge them 3 to 5 times their usual per-desktop costs on the basis that having local admin rights means that you'll be rebuilding the machine more frequently when they fuck it up.
Otherwise consider installing something like deepfreeze so that can screw around with their machine all the like, but gets fully restored when the machine is rebooted.
Yeah its called greylisting and it works very well.
You store the connecting IP, sender and recipient address in a database and temporarily reject the first time you see that combination for a configurable time (1 second is currently good enough)
A good greylisting engine will strip the last byte of the subnet incase mail is retried from different hosts in a mail cluster, for this reason its not a good idea to use the HELO address.
Greylisting stops almost all SPAM and pretty much all virus traffic as viruses also have weak SMTP engines that can't deal with temporary failures. In practice the only viruses I've found that make it through greylisting either bounced messages or from some ISPs that transparent proxy outgoing e-mail.
The SPAM that remains is easily handled by blacklists or SPAM Assassin as these SPAMs are sent through properly configured mail servers, so they are likely to be in domain or IP blacklists.
Given that a good proportion of SPAM is sent through zombied windows machines even if a SPAM is re-sent 30 minutes later it'll take a lot more work for a spammer to ensure that the same message is sent out twice by the same zombie.
Its baffling me why greylisting isn't the first line of protection for alot more people, its simple to setup (use postgrey with postfix) and is less prone to error and unobtrusive and higher in performance than virtually any other SPAM detection technique. Setting up and accepting three lines of text and checking against a database is certainly alot less performance overhead than invoking a virus scanner and spam assassin.
Of course spammers will always evolve, repeatedly sending the message from the same host would be enough to get the message through and those not using greylisting would now get twice as much SPAM, but that also means that a spammers throughput has been halved.
If grey listing is combined with a few select blacklists (including the excellent rhs.mailpolice.com URL list), plus SPAM assassin your closer to 100% and there are a great deal less false positives.
Another interesting approach I've used is to use rhs.mailpolice.com on our web cache, so that any URLs requested are checked against the SPAM blocklist. This blocks any inline images which might either offend or used as a call back for address verification, it also means that even if a phishing SPAM makes it through by the time the user reads it they are unable to view the page as its in the blocklist.
I put a similar point across, the volley was that if you suspect that someone is performing an illegal activity you should involve the authorities straight away and not perform any internal investigation leaving it the authorities to perform the investigation.
I have trouble seeing how a corporate policy can permit this as it is technically breaking the law. Most of the time corporate policy is very conservative.
For instance what happens if the criminal turns around and says that the internal investigator planted the information?
Here's something perhaps even more worrying than purely breaking the law, an employee doing an internal investigation images the disk to networked storage (SAN or similar), then has a look at the laptop, data is found but the internal investigator has messed up the disk. The police then request the network storage server as evidence in the investigation. It can be VERY hard to fight this as most of the police on the front line dealing with these sorts of investigations are not very technical and not very concerned about the disruption caused by removing your storage for 6 months.
I guess the other inevitable angle is that some sicko uses his "internal investigator" status to look at what he likes. There would have to be some very good procedures in place.
Hmm. Do you have authorisation from the police to do this? One point raised by a local IT group was that if IT staff view ILLEGAL (ie. Child Pornography) content as a result of an internal forensics investigation then they could also be prosecuted.
This might be a UK only issue, but I'm interested in finding out if this is the case elsewhere and it maybe something you haven't thought about.
On the other hand greylisting wiith something like postgrey (http://isg.ee.ethz.ch/tools/postgrey/) stops pretty much all spam and viruses. After switching on greylisting our virus scanner only has 10 viruses a day to scan (usually bounces or from braindead ISP's who transparent proxy outgoing mail from dialup customers) instead of the 10 a minute previously. The only remaining "newsletter" SPAM can be easily handled by SpamAssassin or even tools within the mail client such as Outlooks built in Spam Checking or domain blocking.
Greylisting relies on the fact that most SPAM is not being sent by open SMTP relays any more, a surprising amount of SPAM is being sent through open web proxy servers or windows bot nets, as these are not real MTAs they can't deal with errors properly.
Of course spammers will adapt to greylisting but in the meantime its extremely effective.
The control of running your own system is artificial, you won't be able to achieve the same levels of availability that Google, Yahoo, MSN etc. can offer you.
Cheap generic hosting can seem quite expensive if you lose your job and that will be the time you might need your e-mail the most. Cheap hosting will not give you the same levels of availability that the big webmail companies give you for free. The hosting company could go bankrupt or your server suffers a disk crash and your left without e-mail.
Personally I have my mail from domains forwarded to gmail, then set a reply address. Its cheap and reliable.
Slashdot Mirror
Your obviously well patched.
The trick is taking an OEM XP disk installing from scratch and connect to the internet before getting patched.
In many cases your box will be borked before you've even downloaded your first update.
This is completely true, I've had to build a firewall specificially for rebuilds as our PCs get infected by other machines on our own network within a few minutes of power up.
Jason
Yeah I know, somewhere between posting the line that read "or allows binary only redistribution without including source code and modifications for commercial gain" went missing.
Jason.
Hmm. PHP, Apache, Postgres, Webmin, Perl, Bind, DHCP, Zope and in a half hearted way sendmail are all BSD licensed.
Thats almost all of the key software in a typical linux based web hosting environment as well as some of the most popular open sourced software.
There are obviously more license choices than the GPL.
Jason.
I've used postgresql on windows.
If you've been given a MSSQL based ASP app, its usually straightforward to port to postgres, as they have a similar feature set for most typical web bsaed apps.
Jason.
The bridging support (with Spanning tree I believe), vlans and carp all make OpenBSD a rather wonderful bit of network glue. Its all polished, complete and and works out of the box (no kernel recompiles or add-on tools).
This is where OpenBSD really shines.
Jason.
I've never had any stability problems with any operating system on typical loads, be it any BSD, Linux or Windows NT/2000/2003, that have not had a root cause directly related to hardware, drivers or noisy network links.
You cannot differentiate between operating systems based upon stability as they are all roughly equal.
Disks pop, UPS fries, ram goes bad, server accidently gets connected via phone cord, but never do servers spontaneously crash on well supported hardware.
Jason
An old x86 would in theory be fast enough for cell phones etc, whilst still being relatively low power.
The reason why other cpu's do so well in mobile phones is that they are in a physically SMALL package and have ALOT of integrated peripherals, ie. RS232 for SIM card, large built in flash memory, infrared and so on. which reduces the amount of support circuitry and cost.
The x86 was just not designed for this, all bolt on extras that have no place in a small unit.
As for economies of scale, equipment manufacturers all have their own requirements, so total requirements for a particular configuration will be in the millions rather than tens or hundreds of millions.
The truth of the low end microcontroller/processor market is that no one despite selling zillions of units to cell phones manufacturers is making a great deal of money and are unlikely to ever do as well as intel with their x86 line, as the margins are not there and the cell phone companies are always squeezing them hard (as they in turn are being squeezed by the phone service providers for cheapo handsets)
Jason
Its the month after christmas, debt levels in the UK will be high due to the christmas splurge, if you also consider that alot of people take time off around the christmas holiday which might either be unpaid or lower the amount of overtime it's easy to see that the average amount of debt will be higher.
People who are paid monthly are usually paid at the end of the month. So this will be the peak.
Credit card statements from the decmember spend will also be dropping on door mats.
Weather across the UK is fairly uniform and its been miserable for weeks.
I actually think the guy is on to something.
Jason.
MySQL is GPLed, GPL rules apply. So if you wanted to include MySQL as part of your product you can, as long as you provide source / modifications as usual.
If you wish to alter or integrate mysql and not use the GPL terms then you can then purchase a license to do this.
If you want to backup a database you either need to stop the database server prior to your backup or do a mysql_dump / pg_dump / whatever to get a clean copy of the database and then back that up. Anything else is asking for trouble.
Jason
You should really have a look at the dump command.
Do a full backup to your large additional disk.
Then do hourly, daily or weekly (or both using dump levels) incremental backups.
You've then got the benefit of being able to restore the whole system or pull out a single file from a point in time.
The high end tape jukebox backup systems are not that dissimilar to dump.
Jason.
If you are really interested in that level of uptime then you can usually justify the spend on an additional server, particularly if your old one has been running for 5 years and isn't on a proper maintenance contract.
Jason
http://it.slashdot.org/article.pl?sid=04/12/21/01
You quite sure about that?
Jason
>Linux doesn't have that great of support, it has some companies with for-fee support, but it doesn't have the support of hardware manufacturers. I'd rather have Windows level of support, you know, where drivers are just there.
Rubbish. Linux & BSDs offer true plug and play, for the most part if a piece of hardware is supported its auto-detected during boot with no driver required.
An interesting case in point is Knoppix and Thinstation both of these distributions auto-detect really well and Thinstation is amazing for a 13MB network boot image.
The BSDs in a roundabout way often support more hardware off the install disk due to far frequent releases (3 to 6 months or so).
If I bought a new PC today I'd have to wait for the _next_ release of windows for all my hardware to be supported out of the box. With FreeBSD I'd be waiting 2-3 months and in all likelyhood it would be supported by the previous release anyway.
Support for multi-media gizmos is of course excluded and I'm referring to server class hardware.
Jason.
-By the way, does anyone know how easy/difficult it is nowadays to get WiFi hardware that lets you choose your own MAC address?)
It's a standard feature in almost all any device with a MAC address including WiFi & Wired.
MAC address filtering is a useful additional layer of security but I wouldn't rely on it.
Jason
You've failed to mention the false positive rate. I've had sketchy performance so far with messagelabs SPAM checking, the false postive rate is so high that I've had to switch off all their SPAM checks.
I can't fault their virus checking though.
Jason.
If your serious about revoking admin then I guess you'll have to go through app by app and set permissions on the registry etc. yourself.
I can't imagine there are too many essential apps in use that are that old.
I quite agree with your comments though, the unix way of doing this is far better, although recent releases of windows are now emulating this behavior with documents and settings and HKCU.
We are not locking down our machines as such and we regularly pay the price for it. Thankfully we are slowly migrating over to terminal services which puts the control back over to us as oppose to the departmental IT guy.
If they _need_ local admin rights then charge them 3 to 5 times their usual per-desktop costs on the basis that having local admin rights means that you'll be rebuilding the machine more frequently when they fuck it up.
Otherwise consider installing something like deepfreeze so that can screw around with their machine all the like, but gets fully restored when the machine is rebooted.
If its really urgent get them to send the mail again, it'll come straight through.
Yeah its called greylisting and it works very well.
You store the connecting IP, sender and recipient address in a database and temporarily reject the first time you see that combination for a configurable time (1 second is currently good enough)
A good greylisting engine will strip the last byte of the subnet incase mail is retried from different hosts in a mail cluster, for this reason its not a good idea to use the HELO address.
Greylisting stops almost all SPAM and pretty much all virus traffic as viruses also have weak SMTP engines that can't deal with temporary failures. In practice the only viruses I've found that make it through greylisting either bounced messages or from some ISPs that transparent proxy outgoing e-mail.
The SPAM that remains is easily handled by blacklists or SPAM Assassin as these SPAMs are sent through properly configured mail servers, so they are likely to be in domain or IP blacklists.
Given that a good proportion of SPAM is sent through zombied windows machines even if a SPAM is re-sent 30 minutes later it'll take a lot more work for a spammer to ensure that the same message is sent out twice by the same zombie.
Its baffling me why greylisting isn't the first line of protection for alot more people, its simple to setup (use postgrey with postfix) and is less prone to error and unobtrusive and higher in performance than virtually any other SPAM detection technique. Setting up and accepting three lines of text and checking against a database is certainly alot less performance overhead than invoking a virus scanner and spam assassin.
Of course spammers will always evolve, repeatedly sending the message from the same host would be enough to get the message through and those not using greylisting would now get twice as much SPAM, but that also means that a spammers throughput has been halved.
If grey listing is combined with a few select blacklists (including the excellent rhs.mailpolice.com URL list), plus SPAM assassin your closer to 100% and there are a great deal less false positives.
Another interesting approach I've used is to use rhs.mailpolice.com on our web cache, so that any URLs requested are checked against the SPAM blocklist. This blocks any inline images which might either offend or used as a call back for address verification, it also means that even if a phishing SPAM makes it through by the time the user reads it they are unable to view the page as its in the blocklist.
Jason.
I put a similar point across, the volley was that if you suspect that someone is performing an illegal activity you should involve the authorities straight away and not perform any internal investigation leaving it the authorities to perform the investigation.
I have trouble seeing how a corporate policy can permit this as it is technically breaking the law. Most of the time corporate policy is very conservative.
For instance what happens if the criminal turns around and says that the internal investigator planted the information?
Here's something perhaps even more worrying than purely breaking the law, an employee doing an internal investigation images the disk to networked storage (SAN or similar), then has a look at the laptop, data is found but the internal investigator has messed up the disk. The police then request the network storage server as evidence in the investigation. It can be VERY hard to fight this as most of the police on the front line dealing with these sorts of investigations are not very technical and not very concerned about the disruption caused by removing your storage for 6 months.
I guess the other inevitable angle is that some sicko uses his "internal investigator" status to look at what he likes. There would have to be some very good procedures in place.
_shrugs_
Hmm. Do you have authorisation from the police to do this? One point raised by a local IT group was that if IT staff view ILLEGAL (ie. Child Pornography) content as a result of an internal forensics investigation then they could also be prosecuted.
This might be a UK only issue, but I'm interested in finding out if this is the case elsewhere and it maybe something you haven't thought about.
Jason.
Greylisting relies on the fact that most SPAM is not being sent by open SMTP relays any more, a surprising amount of SPAM is being sent through open web proxy servers or windows bot nets, as these are not real MTAs they can't deal with errors properly.
Of course spammers will adapt to greylisting but in the meantime its extremely effective.
Jason
Plus removing perl saves alot of disk space in the minimal system which really helps if your trying to run on a 32MByte flash card for instance.
The control of running your own system is artificial, you won't be able to achieve the same levels of availability that Google, Yahoo, MSN etc. can offer you.
Cheap generic hosting can seem quite expensive if you lose your job and that will be the time you might need your e-mail the most. Cheap hosting will not give you the same levels of availability that the big webmail companies give you for free. The hosting company could go bankrupt or your server suffers a disk crash and your left without e-mail.
Personally I have my mail from domains forwarded to gmail, then set a reply address. Its cheap and reliable.