Matt has very little influence on the future of the FreeBSD kernel. That work which he has done over the last two years or so was mainly maintenance.
I'm sure this will get modded down, but that's a pretty gutless statement to make, and really isn't supported by the commit logs. Though, when it's time for Core to toss someone under the bus...
To be sure, there is plenty of history with Matt, much of it not great. He's simply not a team developer. However, I honesty hope there's more to this and this than there appears to be.
One wonders when Core is going to stop acting parents and start acting like leaders.
My observation is that the comments about X being slow are really related to OS X being slower than, usually, OS 9 on the same hardware. This is, of course, true but it is a lot like saying that Winders NT/2000/XP is slow when compared to Win95 on the same hardware. Unfortunately, features aren't free.
Well, after spending nearly 3 minutes looking, I found this handy PDF, which tells you to configure the ldap thingy in AD (however the hell you do that). There also seems to be an Active Directory schema option in Directory Access when configuring LDAP servers.
No, I've not tried it as I don't have anything which talks Active[sic] Directory, so YMMV.
I honestly don't think it's that simple. Why are release notes up for it? Why did I get 10 submissions celebrating it's release? So, oops, sorry, really don't do it for me, no, not yet.
Actually, it is just that simple. There is an explanation for all of this.
Why did you get 10 submissions that the release was out? Because the release has been tagged in the cvs tree, that's why. This doesn't mean that it's been released, just that we know what versions of what files (may) make up the release. It may only take an hour of so to build the release itself, but it takes a lot longer to build all the packages, get the stuff shipped to the mirrors and all the other things the RE people have to do before they can announce the release.
Why are the release notes on the website? Easy, the website is part of the cvs tree. The website build system has been building the release notes for 4.6-RELEASE for weeks (if not months). With that said, I note that the 4.6 release notes are NOT linked anywhere, but it does provide access to the handy release schedule.
Part if the issue here, IMO, is the transparency of the Project itself (this is a good thing). People can see the release happening in real time as each part is completed, so I can see how some people would jump the gun a bit and start submitting stuff to/. before the RE process has completed.
As for Murray? Well, I understand his feelings, but I may have taken a different path to the same result...
Which explains the awful IO cache[sic] performance seen during this "benchmark". According to my math, the author set aside nearly 17K of RAM for mbufs. This will materially effect network and file IO performance. Honestly, I'm impressed the system actually stayed up under load with this stupid of a setting.
Oh.. and LINT has a maxusers setting on 10 (plus a comment about not using LINT to build a kernel). GENERIC's is 32. Considering what this guy's bio says and the end of the story, I have a hard time believing this is really is an honest mistake.
While I'm sure this bill will get a lot of press, the simple fact
is, it has very little chance of passing, much less getting out of
committee and to the House floor. Why? Well, there's a lot of
problems.
First, the Texas Legislature only meets every 2 years (and only
meets for about the first 5 months of the year, at that). And
while a lot of people want to change this, dumb bills like this
are the perfect reason[1]. This is clearly a reaction to an
annoyance. Once the author goes home, the bill dies and he'll
never re-file it. Meanwhile, the important bills get through because
there's political pressure to move them.
Second, this would, of course, drive 2 of the state's largest employers
nuts, as well as annoy the oddly powerful ISP lobby (ISPs hate nothing more
than to have to support Censorware. It seems to cause nothing but
complaints.)
Third, and most important, the bill (as written) is simply NOT
enforceable. Under certain readings of the bill, I could say that
EVERY operating system has Cencorware built in. All you have to
do is remove the default gateway, and there you go no more access
to porn sites. Further, what about machines bought out of state
and shipped in? What about machines built in state and shipped
out of state? Do these have to have the Censorware included?
[1] How many times and your state assembly done something dumb? It happens
less often here.
The choice of pig latin is an intresting one, though it would have not been mine. IMO, it would seem more logical to use something like rot 13. At least then, it would be easier to move to another "encryption" method (just increase or decrease the rotation factor -- this could even be done on the fly on a client level should someone figure work out the protocal issues).
>How long would it take to get a replacement PS from Compaq?
Depending on your maintenance contract anywhere from 2 hours to 2 days. This is one of the reasons this isn't such a bad solution
if you want a Linux cluster. Compaq has a excellent service unit. It's about the only thing left from Dec other than Storage works
[now gutted, mostly], and the Alpha line [though nothing new has been released that wasn't already being designed at the time of the
purchase]. Honestly I don't see VA Linux beating Compaq on this point.
Of course, I'd also like to see this product with Alphas, though that would never happen lest TruCluster sales would slip further.
I personally find this article interesting for the simple fact that
I'm a Systems Engineer at one of the Undernet sites that was forced
to delink last week because of the DDoS on our Undernet server[1].
I've read most of the comments, and must say that most of them are
lacking in the kind of content that the ordinator of the article
has requested. In fact, most of them border on immature (which must
be why most of them are moderated to a 1 or a 2). With that said,
many comments had useful incites, though they are defiantly not news
to anyone close to any IRC network.
First of all let me state that I have as little to do with the actual
operation of the Undernet server or the network as a whole as
possible. That role if fulfilled by another group who works very
hard with a real task and literaily deals with IRC problems in
their personal time, so it's hard for me to comment on the politics
of their situation. I can however, comment on the politics, and a
few technical details (For certain reasons, I'm more than a little
vage in what we observed during the attack) of the situation I
was involved with at the time. What follows is somewhat of a
chronology of the event.
Hr 1 - 3. The attack started pretty slowly. So slowly that it
really didn't set of any alarms, though some customers on remote
parts of the network did notice high latency, and a bit of packet
loss. This was enough to start looking around, but not really enough
to suspect an attack.
3:00 - 3:15: Connectivity is lost to nearly any network that
requires crossing a border router. The traffic stats from the border
routers show that nearly every bit of connectivity is full company
wide. It was clear that at this point that this was probably an
attack, though it was unknown what was being attacked, or where it
was coming from.
3:15 - 4:00: Using historical data the sources of the attack were
identified. Using this data, we initiated contact with each provider
we have connectivity from to request filters be placed in their
network to block the attacks. At the same time the company's
tech support call center is overwellmed with calls from customers
experiencing various problems. Further, all the major application
servers (mail, news, etc) are also nearly unusable since they no
longer have connectivity to the remote machines they were talking
to. As a topper, one of the noisier (literaily) network monitoring
programs our NOCC uses has gone into "make random noises mode."
This is due, in large part, to the nearly 600 alarms it thinks
exist because of connectivity problems to the rest of the network.
4:45: I remove the FDDI cables from the FDDI card in the IRC
server.
4:00 - 4:30: The attack is starting to dissipate. It's theorized
that it's because the machine that was being attacked was no longer
on the Net. Also about this time, the distributed filtering should
start taking place.
6:00: After spending a couple of hours cleaning up the mess that
such an attack leaves on all the other machines I receive the
standard email from the security people requesting time estimates
for my labor on this afternoon's Comedy Hernia Hit.
This chronology is reflective of nearly every other DDoS attack I've
experienced in the last 12 months. It's clearly frustrating, and
a complete waste of my time (especially since it was my last working
day before a very rare vacation), and it should be pretty clear
why I don't want IRC servers on a network I have to maintain.
Let me be clear, at no point was the server itself ever effected
(other than, I assume it lost connectivity to it's hub during the
attack), but nearly other major application was affected in some
way, and it definitely caused a lot of paying customers to not get
the service they pay for.
Someone suggested that we need to prevent people from "rooting"
machines in order to prevent these attacks. The poster is correct,
this is what we need to do. Anyone have any ideas how to prevent
this? I know all the machines on my network are secure, but I
can't control machines I don't maintain. And that's just the
problem. This isn't about the host sites securing their network,
most of them do and the ones who don't learn quickly that they have
to. Adding (more) security features to the application (ircd) also
isn't the answer, as the machine itself was never affected. Hunting
down the initiator of the attack only prevents that person from
attacking anything for a while, like the death penality I see no
indication that it's a real deturiant to the crime. Quite honestly,
I too am at a loss as to what, if anything, will ultimately solve
the problem short of completely abandoning the technological foundations
that the Internet was built on.
As for law enforcement, they are generally quite interested in such
attacks[2], but they have clear guidlines in what they can and can
not get involved in (you have to show a capial loss grater than a
specificed amount). In this case I know these guildlines were
met, but generally these investigations go nowhere because the trail
often leads to cracked machines that have no usefull telemetry of
the attack, or the intrusion. I have often thought that companies
who fail the maintain basic security on their network should be
held liable to damages to other networks in these situations, but
even that is quite troublesom.
Of course, there is one method that solves this problem, at least
for me. It was to remove the service from our network. As a
Sysadmin who has customer's who pay to use other services I have
no trouble with this. As someone who tries to be a useful member
of the "Internet Community" I have serous issues with this method.
In this case, no good deed goes unpunished.
[1] In fact, I personally pulled the FDDI cables out of the machine
during the attack once we determined the machine that was the
[2] Though, sometimes you have to work to make contacts with people smart
enough to care.
> 1. Those individuals can not remove the material, and it appears that preventing individual commenters from being able to remove their comments was an explicit design decision made by the developers of this site.
This is an interesting point, and actually causes me to consider the Usenet case, and how slashdot differers greatly from this. If Slashdot is going to maintain that the content posted by users is owned by users, then the users need to have complete control over their content (they do own it, after all). This is clearly not the case (n o 'cancel' or 'supersede' provision in SlashCode).
As someone who is constantly involved in both the Operations and the Policy Enforcement of a Large, Commercial Usenet News Provider(tm), there is one other issue that I don't think has actually been raised here. If Slashdot wishes to use the common carrier argument (most News providers do, at least of the Usenet kind), then the moderation system violates the basic premise of this argument (I'll note that a Slander case involving Prodogy is the precedent M$ would most likely use in this case). I'll also point out that this argument may be invalid with the newfangled DMCA, though that's something that needs to be tested in ligitation.
I can think of one other argument. Slashdot could maintain that all posters on Slashdot have an inherent copyright on their posts, and therefore M$ needs to go after the posters of the material(s) in question. The only thing that breaks this, is again, the moderation system. Slashdot could contend that Slashdot (as an organization) does not actually moderate posts (at least the type of posts in question), and that the actually users of the site are the real moderators (some what true, IMO), BUT, again, there large holes in this argument. Several years ago AOL was sued over slanderous statements made in an AOL chat room. AOL contended that the AOL Guides(tm) were individuals, and AOL (as a company) was then NOT liable for the guides negelance in moderation. AOL lost, and the basis for the finding was simple. AOL gave the individuals themselves the tools to moderate other users, and therefore they were acting on behalf of the Company. I beleave the same holds true for Slashdot.
My real suggestion? Do what Yahoo recently when they were sued for liable because someone posted untrue statements on one of their stock ticker chat boards: Claim that Slashdot has no control over content, and the person they really need to go after is the poster, and if you (M$) provides the right kind of paper, then maybe we can give you some type of information on the poster of the content. Oh, and just to be nice, we've removed the material in question since you've asked. The next step to this is to move towards more of a common carrier model, that being one of absolutely no moderation of any sort, PLUS the ability for users to self moderate (as a user I can remove of alter my own comments, but no one else's), and then be very careful about what records are kept on user accounts and even where the records in question are stored. This is actually very close to what all the commercial news providers are moving towards to limit possible damage from liable and DCMA suits.
[1] I'll point out at this juncture, that I don't have, nor do I want, a law degree.
Slashdot Mirror
I'm sure this will get modded down, but that's a pretty gutless statement to make, and really isn't supported by the commit logs. Though, when it's time for Core to toss someone under the bus...
To be sure, there is plenty of history with Matt, much of it not great. He's simply not a team developer. However, I honesty hope there's more to this and this than there appears to be.
One wonders when Core is going to stop acting parents and start acting like leaders.
My observation is that the comments about X being slow are really related to OS X being slower than, usually, OS 9 on the same hardware. This is, of course, true but it is a lot like saying that Winders NT/2000/XP is slow when compared to Win95 on the same hardware. Unfortunately, features aren't free.
No, I've not tried it as I don't have anything which talks Active[sic] Directory, so YMMV.
Well, this.
Actually, it is just that simple. There is an explanation for all of this.
Why did you get 10 submissions that the release was out? Because the release has been tagged in the cvs tree, that's why. This doesn't mean that it's been released, just that we know what versions of what files (may) make up the release. It may only take an hour of so to build the release itself, but it takes a lot longer to build all the packages, get the stuff shipped to the mirrors and all the other things the RE people have to do before they can announce the release.
Why are the release notes on the website? Easy, the website is part of the cvs tree. The website build system has been building the release notes for 4.6-RELEASE for weeks (if not months). With that said, I note that the 4.6 release notes are NOT linked anywhere, but it does provide access to the handy release schedule.
Part if the issue here, IMO, is the transparency of the Project itself (this is a good thing). People can see the release happening in real time as each part is completed, so I can see how some people would jump the gun a bit and start submitting stuff to
As for Murray? Well, I understand his feelings, but I may have taken a different path to the same result...
MAXUSERS was set to 20!!
Which explains the awful IO cache[sic] performance seen during this "benchmark". According to my math, the author set aside nearly 17K of RAM for mbufs. This will materially effect network and file IO performance. Honestly, I'm impressed the system actually stayed up under load with this stupid of a setting.
Oh.. and LINT has a maxusers setting on 10 (plus a comment about not using LINT to build a kernel). GENERIC's is 32. Considering what this guy's bio says and the end of the story, I have a hard time believing this is really is an honest mistake.
While I'm sure this bill will get a lot of press, the simple fact is, it has very little chance of passing, much less getting out of committee and to the House floor. Why? Well, there's a lot of problems.
First, the Texas Legislature only meets every 2 years (and only meets for about the first 5 months of the year, at that). And while a lot of people want to change this, dumb bills like this are the perfect reason[1]. This is clearly a reaction to an annoyance. Once the author goes home, the bill dies and he'll never re-file it. Meanwhile, the important bills get through because there's political pressure to move them.
Second, this would, of course, drive 2 of the state's largest employers nuts, as well as annoy the oddly powerful ISP lobby (ISPs hate nothing more than to have to support Censorware. It seems to cause nothing but complaints.)
Third, and most important, the bill (as written) is simply NOT enforceable. Under certain readings of the bill, I could say that EVERY operating system has Cencorware built in. All you have to do is remove the default gateway, and there you go no more access to porn sites. Further, what about machines bought out of state and shipped in? What about machines built in state and shipped out of state? Do these have to have the Censorware included?
[1] How many times and your state assembly done something dumb? It happens less often here.
The choice of pig latin is an intresting one, though it would have not been mine. IMO, it would seem more logical to use something like rot 13. At least then, it would be easier to move to another "encryption" method (just increase or decrease the rotation factor -- this could even be done on the fly on a client level should someone figure work out the protocal issues).
Your plan has merrit. However, if you carry it out I'll then be forced to sue you for infringing on my pie throwing and revenge patents.
>How long would it take to get a replacement PS from Compaq?
Depending on your maintenance contract anywhere from 2 hours to 2 days. This is one of the reasons this isn't such a bad solution if you want a Linux cluster. Compaq has a excellent service unit. It's about the only thing left from Dec other than Storage works [now gutted, mostly], and the Alpha line [though nothing new has been released that wasn't already being designed at the time of the purchase]. Honestly I don't see VA Linux beating Compaq on this point.
Of course, I'd also like to see this product with Alphas, though that would never happen lest TruCluster sales would slip further.
I personally find this article interesting for the simple fact that I'm a Systems Engineer at one of the Undernet sites that was forced to delink last week because of the DDoS on our Undernet server[1]. I've read most of the comments, and must say that most of them are lacking in the kind of content that the ordinator of the article has requested. In fact, most of them border on immature (which must be why most of them are moderated to a 1 or a 2). With that said, many comments had useful incites, though they are defiantly not news to anyone close to any IRC network.
First of all let me state that I have as little to do with the actual operation of the Undernet server or the network as a whole as possible. That role if fulfilled by another group who works very hard with a real task and literaily deals with IRC problems in their personal time, so it's hard for me to comment on the politics of their situation. I can however, comment on the politics, and a few technical details (For certain reasons, I'm more than a little vage in what we observed during the attack) of the situation I was involved with at the time. What follows is somewhat of a chronology of the event.
Hr 1 - 3. The attack started pretty slowly. So slowly that it really didn't set of any alarms, though some customers on remote parts of the network did notice high latency, and a bit of packet loss. This was enough to start looking around, but not really enough to suspect an attack.
3:00 - 3:15: Connectivity is lost to nearly any network that requires crossing a border router. The traffic stats from the border routers show that nearly every bit of connectivity is full company wide. It was clear that at this point that this was probably an attack, though it was unknown what was being attacked, or where it was coming from.
3:15 - 4:00: Using historical data the sources of the attack were identified. Using this data, we initiated contact with each provider we have connectivity from to request filters be placed in their network to block the attacks. At the same time the company's tech support call center is overwellmed with calls from customers experiencing various problems. Further, all the major application servers (mail, news, etc) are also nearly unusable since they no longer have connectivity to the remote machines they were talking to. As a topper, one of the noisier (literaily) network monitoring programs our NOCC uses has gone into "make random noises mode." This is due, in large part, to the nearly 600 alarms it thinks exist because of connectivity problems to the rest of the network.
4:45: I remove the FDDI cables from the FDDI card in the IRC server.
4:00 - 4:30: The attack is starting to dissipate. It's theorized that it's because the machine that was being attacked was no longer on the Net. Also about this time, the distributed filtering should start taking place.
6:00: After spending a couple of hours cleaning up the mess that such an attack leaves on all the other machines I receive the standard email from the security people requesting time estimates for my labor on this afternoon's Comedy Hernia Hit.
This chronology is reflective of nearly every other DDoS attack I've experienced in the last 12 months. It's clearly frustrating, and a complete waste of my time (especially since it was my last working day before a very rare vacation), and it should be pretty clear why I don't want IRC servers on a network I have to maintain.
Let me be clear, at no point was the server itself ever effected (other than, I assume it lost connectivity to it's hub during the attack), but nearly other major application was affected in some way, and it definitely caused a lot of paying customers to not get the service they pay for.
Someone suggested that we need to prevent people from "rooting" machines in order to prevent these attacks. The poster is correct, this is what we need to do. Anyone have any ideas how to prevent this? I know all the machines on my network are secure, but I can't control machines I don't maintain. And that's just the problem. This isn't about the host sites securing their network, most of them do and the ones who don't learn quickly that they have to. Adding (more) security features to the application (ircd) also isn't the answer, as the machine itself was never affected. Hunting down the initiator of the attack only prevents that person from attacking anything for a while, like the death penality I see no indication that it's a real deturiant to the crime. Quite honestly, I too am at a loss as to what, if anything, will ultimately solve the problem short of completely abandoning the technological foundations that the Internet was built on.
As for law enforcement, they are generally quite interested in such attacks[2], but they have clear guidlines in what they can and can not get involved in (you have to show a capial loss grater than a specificed amount). In this case I know these guildlines were met, but generally these investigations go nowhere because the trail often leads to cracked machines that have no usefull telemetry of the attack, or the intrusion. I have often thought that companies who fail the maintain basic security on their network should be held liable to damages to other networks in these situations, but even that is quite troublesom.
Of course, there is one method that solves this problem, at least for me. It was to remove the service from our network. As a Sysadmin who has customer's who pay to use other services I have no trouble with this. As someone who tries to be a useful member of the "Internet Community" I have serous issues with this method. In this case, no good deed goes unpunished.
[1] In fact, I personally pulled the FDDI cables out of the machine during the attack once we determined the machine that was the
[2] Though, sometimes you have to work to make contacts with people smart enough to care.
> 1. Those individuals can not remove the material, and it appears that preventing individual commenters from being able to remove their comments was an explicit design decision made by the developers of this site.
This is an interesting point, and actually causes me to consider the Usenet case, and how slashdot differers greatly from this. If Slashdot is going to maintain that the content posted by users is owned by users, then the users need to have complete control over their content (they do own it, after all). This is clearly not the case (n o 'cancel' or 'supersede' provision in SlashCode).
As someone who is constantly involved in both the Operations and the Policy Enforcement of a Large, Commercial Usenet News Provider(tm), there is one other issue that I don't think has actually been raised here. If Slashdot wishes to use the common carrier argument (most News providers do, at least of the Usenet kind), then the moderation system violates the basic premise of this argument (I'll note that a Slander case involving Prodogy is the precedent M$ would most likely use in this case). I'll also point out that this argument may be invalid with the newfangled DMCA, though that's something that needs to be tested in ligitation.
I can think of one other argument. Slashdot could maintain that all posters on Slashdot have an inherent copyright on their posts, and therefore M$ needs to go after the posters of the material(s) in question. The only thing that breaks this, is again, the moderation system. Slashdot could contend that Slashdot (as an organization) does not actually moderate posts (at least the type of posts in question), and that the actually users of the site are the real moderators (some what true, IMO), BUT, again, there large holes in this argument. Several years ago AOL was sued over slanderous statements made in an AOL chat room. AOL contended that the AOL Guides(tm) were individuals, and AOL (as a company) was then NOT liable for the guides negelance in moderation. AOL lost, and the basis for the finding was simple. AOL gave the individuals themselves the tools to moderate other users, and therefore they were acting on behalf of the Company. I beleave the same holds true for Slashdot.
My real suggestion? Do what Yahoo recently when they were sued for liable because someone posted untrue statements on one of their stock ticker chat boards: Claim that Slashdot has no control over content, and the person they really need to go after is the poster, and if you (M$) provides the right kind of paper, then maybe we can give you some type of information on the poster of the content. Oh, and just to be nice, we've removed the material in question since you've asked. The next step to this is to move towards more of a common carrier model, that being one of absolutely no moderation of any sort, PLUS the ability for users to self moderate (as a user I can remove of alter my own comments, but no one else's), and then be very careful about what records are kept on user accounts and even where the records in question are stored. This is actually very close to what all the commercial news providers are moving towards to limit possible damage from liable and DCMA suits.
[1] I'll point out at this juncture, that I don't have, nor do I want, a law degree.