I strongly recommend steering clear of fvwm2 - IceWM is a better choice in basically every way; I think it even has a smaller disk and RAM footprint, actually.
I've got 486 thin clients running Debian with IceWM, using ROX as a GUI file manager. Of course, they also run OpenOffice and Mozilla :-) but I expect you wouldn't be using those. The 486s network boot off a read-only NFS root, then fire up X and do an -query to the XDMCP server (running gdm), so all they're really running is XFree86 4.
StarOffice and OpenOffice DO have a preloader that's runnable on system boot. It's only available under Windows, and I've heard some concerns about reliability under win98, but it does exist.
Linux users who use GNOME or at least the GNOME panel can also load some sort of applet to perform the same function. Can't help you more, sorry, until someone comes out with a "wm-ooo-preloader" or even better a completely user-invisible one.
Take a look at our website for more info.
I recently sent a message From: john.howard@parliament.gov.au (bogus), Date:'d 10 years in the future, to the entire company just to prove that very point. EMAIL HEADERS ARE COMPLETELY UNDER THE SENDER'S CONTROL, much more so than even a postcard. And that's not accounting for webmail.... They can be changed in transit, too. So unless a message is S/MIME or PGP signed, it can't be trusted.
If email addrs were on the electoral roll, politicians might deal with their email more and make the assumption that because my addr is "bob.smith123@hotmail.com" I was Bob Smith. Whoops.
The other key problem is that many people change email addresses too often.
Unless we have a PKI (yeah, right) it just won't work - and I really hope they don't try because they won't understand all the issues and do more harm than good.
OK, I take the windows bit back ;-)
However, Telstra's costs falling only translates to one thing - greater profits for Telstra. No better service or anything, I'm confident of that.
As anybody living in Australia knows, Telstra are scum. They gouge every cent they can, and they're single-handedly responsible for making broadband here almost prohibitively expensive.
I almost hope they'll decide to use new Windows $3000 (per MB RAM required, min 512MB) so that they'll go broke, the gov't will resume full ownership of the infrastructure, and we get a working telecommunications system again.
I can dream, can't I?
Because IP masqueraded links are relatively easy to identify. There is a certain range of high UDP ports that are used to masq UDP traffic to internal hosts, so a lot of traffic on those ports strongly suggests a link with multiple masq'd hosts behind it.
Just do a tcpdump on your firewall's eth1 (or ppp0 if you're an unlucky bastard) and watch...
Sure, it's not proof; but when have cable/DSL companies needed _proof_? The ToS of every ISP on earth includes a "we can change the ToS when we want" clause, and a "we can kick you if we feel like it" clause.
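The heuristic the comment describes, written out as a small detector over tcpdump output (an added example, not code from the thread; the same check is what a LAN admin would run to spot an unauthorised NAT box on their own segment). The port range is an assumption taken from the Linux 2.2 ip_masq default (61000-65095), the tcpdump line format is assumed to be `tcpdump -n` style, and the capture lines are constructed.

```python
"""Flag source addresses whose UDP traffic uses many distinct source ports in
the masquerade range, i.e. links that look like several hosts behind one masq
gateway.  Added example; port range and capture lines are assumptions."""
import re
from collections import defaultdict

MASQ_PORTS = range(61000, 65096)   # assumption: Linux 2.2 ip_masq default range
LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \S+: UDP")

# Constructed `tcpdump -n` output.  203.0.113.5 shows the masq signature
# (many distinct high source ports); 203.0.113.9 is a single host doing
# ordinary DNS and NTP from its own ephemeral ports.
CAPTURE = """\
10:00:01.000 IP 203.0.113.5.61000 > 198.51.100.2.53: UDP, length 40
10:00:01.100 IP 203.0.113.5.61001 > 198.51.100.2.53: UDP, length 40
10:00:01.200 IP 203.0.113.5.61004 > 198.51.100.3.123: UDP, length 48
10:00:01.300 IP 203.0.113.5.61017 > 198.51.100.2.53: UDP, length 40
10:00:01.400 IP 203.0.113.5.62230 > 198.51.100.8.6970: UDP, length 512
10:00:01.500 IP 203.0.113.5.63001 > 198.51.100.8.6971: UDP, length 512
10:00:01.600 IP 203.0.113.9.1025 > 198.51.100.2.53: UDP, length 40
10:00:01.700 IP 203.0.113.9.123 > 198.51.100.3.123: UDP, length 48
10:00:01.800 IP 203.0.113.9.1026 > 198.51.100.2.53: UDP, length 40
10:00:01.900 IP 203.0.113.5.61000 > 198.51.100.2.53: UDP, length 40
"""


def masq_ports_per_source(capture):
    """Map each source IP to the set of distinct masq-range UDP source ports it used."""
    ports = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # TCP, ICMP, or a line we don't parse
        src, sport = m.group(1), int(m.group(2))
        if sport in MASQ_PORTS:
            ports[src].add(sport)
    return ports


def suspected_gateways(capture, threshold=4):
    """Source addresses that used at least `threshold` distinct masq-range ports.
    A heuristic only, as the comment says: a busy single host whose stack picks
    ephemeral ports in that range would trip it too."""
    return sorted(src for src, p in masq_ports_per_source(capture).items()
                  if len(p) >= threshold)


if __name__ == "__main__":
    for src in suspected_gateways(CAPTURE):
        print(src, "looks like a masquerading gateway")
```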
... just look at Telstra in Australia. It's hell - the "average user" apparently uses <300MB/month, so that's the baseline charge for ADSL service. 1G is vaguely reasonable, then they start gouging you as if each gig _per_ _month_ has a large monetary cost to them.
Bytecharges can be useful to force users to self-regulate their usage, but too often providers use them as an excuse to turn your broadband service into a "modem on speed" - i.e. get your email really fast, but don't think about using stuff you used to do on your 56k like internet radio.
A 3G cap is absurd; it prevents users from doing anything interesting with the link. Even listening to 24kbps internet radio a lot will run you _well_ over that cap. 15G is more reasonable; remember the 'net isn't just used to transfer "files", it's not 15G of new stuff to store on the user's hdd with <insert file "sharing" software here>. I can use vnc to admin the NT server at work (*ick*) over 56k - it's painful but it works. When my ADSL goes in soon, I won't be able to because of the stupid bytecharging.
Be very careful what you ask for, you might just get it.
that you seem to have missed.
The ISP is selling you access, at a fixed monthly fee, to a xxxkbps pipe to do with what you will. If they've been stupid enough to not set limits on what you can do with it beyond that and relied on the assumption that you will use it within their "average" user's parameters, it's their mistake.
Now if they'd put it in the Terms of Service in the first place, fair enough, you signed the thing, they can limit what you're doing. But if they didn't, it's poor business planning and no problem of yours.
The ISP has no right to blame the user for their BAD ASSUMPTIONS on usage!
We had a doozy along these lines in Australia a while ago. From what I heard (no guarantees re accuracy), Rupert Murdoch (a media baron here) managed to force a Perth ISP to stop offering wireless internet access to large areas of the city because he held the licences to digital media broadcasts and persuaded some idiot judge that the ISP was infringing because it was _possible_ to get digital video news etc via their network.
*sigh*
Yay!
I'm IT Manager for a local newspaper. We cover the "rich bastard" suburbs of Perth, Western Australia.
While we focus on the news that is (a) locally relevant and (b) of interest to our readership, we also have some rules about our coverage. (Please note, I'm not a decision maker in this):
(1) NO SCIENTOLOGY, EVER
(2) NO media-buzz or political hype / bullshit like "War on terror" (washes out mouth)
Beyond this, there is an effort to report fairly and ethically. It's always harder to tell when you're within the organisation, but I think it mostly succeeds.
Unfortunately, this is almost impossible in the "big media".
Please note that Milgram's test would never be allowed under current psych research rules in any country I'm aware of. I'm sure there are some that'd allow it, but the point is: the test was _wrong_, really hurting the subjects, and could not be performed now.
Personally this test sends shivers down my spine.
I agree on that: win2k and XP are pretty decent and stable OS's. My reason for not using them is (a) I'm cheap, (b) I don't want to give $ to MS as I don't like their tactics and won't implicitly endorse them by buying their products and (c) I _will_ _not_ agree to the licences on their software, esp WinXP.
MS has become technically competent, though still troubled by security issues - but the concerns over the quality of their products have been taken over by concerns over their ethics, intent and whether you can trust them.
The program installs there, yes... the data can be somewhat harder to find. Common locations are system's Application Data folders, user profiles' Application Data folders, the program's install dir or a subdir of it, My Documents (again user profile or system), or somewhere else hidden in the user profile info.
This is, however, the fault of app authors, and I've run into some _really_ badly written Linux apps too, both open source and not.
Gnutella, etc are not networks confined to the USA, and make no distinctions about national borders. A DoS attack of any kind launched by, say, the RIAA in the USA affects _all_ users, even where such attacks are illegal, the use of the software is legal, etc.
As usual, American senators fail to see this - after all, they can do whatever they want to the rest of the world without consequence, right? *sigh*
Given the recent willingness worldwide to cry "terrorist!" at anything and everything, and the somewhat... flexible... definition the word has taken on (read: anybody we don't like), it could be argued that the USA is about to legalize "cyber-terrorist attacks on other countries". It'd be funny, if only the people responsible for these laws would actually get the joke.
kkkkKen....
*grin*
Security concerns with IM are very real.
First, technical vulnerabilities and exploits. There's fun with MSN Messenger to be had, for one thing - and I'm not confident all the holes in that are closed. Anyway, do you trust your users to keep software up-to-date?
Second, they're downloading and installing programs off the internet. Big no-no. If they want software, I'll usually gladly install a properly checked and scanned copy. Most users don't understand the difference between ICQ and, say, Bonzi Buddy (or Sircam, the new web camera viewer!). The "users will not install software" thing is policy, but I think it's a very important policy to have unless you like spyware and viri on your business LAN.
Third: our dear friend social engineering. Most of the users at work are intelligent and paranoid enough not to be fooled by this (journalists) but what about the advertising staff? It's a lot harder to trick people into revealing things over email than over IM, and a lot easier to figure out what happened if it does happen. Luckily at work the advertising ppl run 486s which struggle to run telnet + Eudora so IM is not a possibility. Still, it bears thinking about.
I actually allow IM on our network, so long as I'm consulted and they use the software I provide. Any protocol allowed, but file downloads will be punished by being hung up by the toes and flayed for 3 days with a ribbon cable :-/ . This allows me to educate users before they use the software on things like file download risks, and it allows me to quickly pull the plug on the IM software if an exploit is discovered. I've had to do this twice with MSN messenger - but it's still allowed on the LAN, since if I don't allow it I'll have to go and hunt out users anyway, which would be an unpleasant and heavy-handed way of dealing with the problem.
Sometimes you can manage a risk better by allowing users to do it openly, giving you the chance to educate them and giving you the info you need in case something goes wrong, rather than issuing orders to the effect that "thou shalt not."
This assumes, of course, that there is no other obstacle to allowing it, like the aforementioned law firm issue.
BTW it makes me _furious_ that IM clients are designed to bypass firewalls and make it hard for admins to block them. I would like to be able to block a given client in case of a security hole discovery etc, but can't w/o blocking the whole IP range. Why the hell can't they all be set to go through an HTTP proxy? That way I could even virus scan the (forbidden) file transfers.
The patch would've taken 5 minutes. The rest of the time is them (a) hoping nobody else will notice so they don't have to admit it, (b) preparing a binary patch for a bazillion different system configs, (c) testing it on a bazillion different system configs and (d) sticking their heads back in the sand.
I love the way MS claims that windows is unified and consistent. Why, then, is it so hard to patch?
It's a heap overrun. Very hard to exploit to exec custom code, all you can really do is crash the server. Not that that's a good thing... interesting to see that IIS5 auto-restarts too (so that an attacker can compromise the binary then crash the server so it re-loads?)
MS actually _overplays_ this one in the release. For once. Too bad they claim it's newly discovered.
OTOH the moz bug is (a) not in mozilla but in X as mentioned elsewhere, (b) not really fixed, just worked around in mozilla and (c) A TOTALLY DIFFERENT ISSUE.
OTOH the IIS bug was an overrun and would be a 5min patch.
Windows: NT Domain logon. win98 users can safely save stuff to "my documents", desktop, etc and it's all transparently mirrored on the server and backed up. Pretty sure it's much the same for win2k :-) (well I expect so)
Linux/Unix: duh! homedir over NFS
MacOS 9: A really, really, big stick is needed, combined with readily accessible, easy network storage. One thing that helps is turning off any local file sharing services on the machines so if they want to exchange files, they've got to use the server. Training, repetition. Big sticks. I just had a graphical demonstration that made getting the newspaper out on time a nightmare - and I didn't even have to arrange it. Downside: 48 hours straight at work. I hate macs. It ate its own hdd (directory corruption).
Alternately you can netboot the macs and lock them down pretty tight etc I think but this is beyond my experience.
MacOSX: see Unix/Linux
Please read this and consider carefully if you really want to roll out wireless networking. Think security. Think performance. Think reliability. Think about still being able to sleep at night.
Key points not made clearly in the article:
(a) Setting up a wireless LAN is like taking some cat5 from the switch and running it to plugs in your walls, on the street, and in the neighbours' houses. You lose _all_ physical security.
(b) You become vulnerable to RF interference, both intentional and accidental. DoS could be hard to trace.
(c) Even with WEP, etc, your internal LAN must be treated with DMZ level security as you never know who's listening. IPSec VPN a must. WEP could be secure - but there are several well documented problems with it even in its current incarnation.
(d) Personal firewalls on all windows boxes would be strongly recommended; there is a cost in this too.
Above all this, you've got to factor in performance. 54MBps (11MBps is a joke after overheads, not worth the bother) + WEP & MAC-layer overheads of up to 50% + IPSec VPN overheads (maybe 10-20% more again?). You'll have 20-30MBps shared between all clients on each access-point, hub style. Ever used a hub (instead of a switch)? They _suck_. Well, unless you like to find out where the guy in the next office gets his pr()n *grin*
Is shared 20MBit enough for most of your clients? Is it worth a hybrid wired/wireless setup for the clients that need more throughput? Is the reduced hardware and cabling cost worth the security issues, security costs, etc?
Heck, what if an employee puts in a cool new kind of fluoro light or something and fizz, down goes the LAN. Imagine debugging that!
Wireless might be more of an option in a year or so if the standards people and vendors get moving and agree on a decent, two-way-authenticating system that doesn't leak too much info and is reasonably robust. Currently, I'd never recommend wireless LANs for anything other than a "guest access" subnet firewalled off carefully from the rest of the LAN and requiring a password for any 'net access (all forced through a proxy of course).
... because any user at work could now whack in an 802.11b card into their ethernet-connected laptop and open up a whole new attack point into the corporate LAN.
I love the idea of the project, but there will be a lot of sobbing network admins out there having to deploy full lockdown environments, personal firewalls on laptops, etc.
... so just imagine what it must be like in Australia. Here we're under the thumb of your laws thanks to a legislature that thinks we're an American state (but are even stupider, so we end up with stunningly badly drafted laws) but we don't get any vote or say in the US laws.
US passes law.
Aust citizens protest and are ignored because "the US did it" so:
Aust passes same law drafted even worse.
I never thought I'd say this, but at least for Australia, US citizens really can "save the world".
*sigh*
Heh. The guy would have to be a 500 foot tall gorilla covered with soft down if the number of copies we got is any indication...