What about the mom/pop ISPs that don't want to get sued for not 'removing the copyrighted media from their network' once they've been notified by the DMCA 'police?' They are legally responsible for making sure the content is removed from their network one way or another. For this 'group' of companies, it's either piss off a few of your most (bandwidth) expensive customers, or face a potentially (extremely) expensive lawsuit.
A lot of posters are suggesting allowing Kazaa on the author's network, but ratelimiting it. This question is really to you. Have you received complaints from the DMCA 'police' yet? If so, how have you responded--if at all--to the complaint?
Typically, I've heard of ISPs sending notices to customers asking them to remove the offending material. If the customer continues to download/share copyrighted material most ISPs will terminate the customer's account. If the bandwidth isn't an issue and the customer's business is valuable, it would make more sense to block Kazaa (for that customer; if you can't get them to stop sharing copyrighted content).
I did some googling in mid-November of last year and came across some interesting usenet posts relating to the topic. One poster went through all the normal ports that Kazaa used and blocked each one. Then s/he noticed that it used port 80. Later I ran into some docs where someone was using iptables (there was a post on one of the snort mailing lists about this as well) to block Kazaa traffic using '-m' and the 'X-Kazaa' header that it uses. I haven't had time to play with this though. :(
Good luck and please let us know what you find.
/pointer
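An added example (my code, not from the post above or from the usenet/iptables posts it mentions): a small Python classifier showing why a port list misses Kazaa once it talks HTTP on port 80, and how matching on the X-Kazaa request headers catches it regardless of port. The header names, the 1214 port and every payload below are constructed assumptions, not captured traffic.

```python
"""Classify captured TCP payloads as Kazaa or not by the X-Kazaa request
headers, rather than by destination port.

Added example, not code from the post or from the usenet/iptables posts it
mentions. The header names, the port number and every payload below are
constructed assumptions, not captured traffic.
"""
import re

KAZAA_PORTS = {1214}   # FastTrack's usual listen port (assumption)

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*\r?$", re.M)


def parse_http_head(payload: bytes) -> dict:
    """Return {lowercased header name: value} for an HTTP message head, or {}
    when the payload does not start like HTTP. Tolerates a head cut off at the
    segment boundary, since one packet need not carry the whole header block."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    first, _, rest = head.partition(b"\r\n")
    if not (REQUEST_LINE.match(first) or first.startswith(b"HTTP/")):
        return {}
    return {m.group(1).decode("ascii").lower(): m.group(2)
            for m in HEADER_LINE.finditer(rest)}


def is_kazaa(payload: bytes) -> bool:
    """Kazaa tags its HTTP transfers with X-Kazaa-* headers; match on the
    prefix, case-insensitively, so the port it uses does not matter."""
    return any(name.startswith("x-kazaa") for name in parse_http_head(payload))


def classify(dst_port: int, payload: bytes) -> str:
    """'port' if a port list alone would block it, 'header' if only header
    inspection catches it, 'allow' if neither fires."""
    if dst_port in KAZAA_PORTS:
        return "port"
    return "header" if is_kazaa(payload) else "allow"


# Constructed payloads (not captures).
KAZAA_REQUEST = (b"GET /.hash=3a1f9c HTTP/1.1\r\n"
                 b"Host: 10.1.2.9:80\r\n"
                 b"UserAgent: KazaaClient\r\n"
                 b"X-Kazaa-Username: bob\r\n"
                 b"X-Kazaa-Network: KaZaA\r\n"
                 b"X-Kazaa-IP: 10.1.2.9:1214\r\n"
                 b"X-Kazaa-SupernodeIP: 10.1.2.250:1214\r\n\r\n")
LOWERCASE_KAZAA = b"GET / HTTP/1.0\r\nx-kazaa-username: eve\r\n"   # head cut off mid-way
PLAIN_WEB = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
             b"User-Agent: Mozilla/5.0\r\n\r\n")
TLS_HELLO = b"\x16\x03\x01\x00\x9c\x01\x00\x00"                   # not HTTP at all


def run_samples() -> dict:
    """Port-only policy versus header inspection on the constructed payloads."""
    return {
        "kazaa on 1214": classify(1214, KAZAA_REQUEST),          # port
        "kazaa on 80": classify(80, KAZAA_REQUEST),              # header
        "lowercase kazaa on 80": classify(80, LOWERCASE_KAZAA),  # header
        "browser on 80": classify(80, PLAIN_WEB),                # allow
        "tls on 443": classify(443, TLS_HELLO),                  # allow
    }


if __name__ == "__main__":
    for case, verdict in run_samples().items():
        print(f"{case:24} -> {verdict}")
```

The iptables string match the post refers to does the same comparison as a plain byte search inside the kernel, with the same limits: it only sees what lands in one packet, it is case-sensitive unless told otherwise, and a client that renames its headers walks past it. Treat a hit as one signal feeding a rate-limit or block policy, not as proof.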
I'm in the middle of migrating a few thousand accounts from Maildir format spools to Cyrus. I did some hunting on search.cpan.org and found Mail::IMAPClient. The documentation is very concise and the module works like a charm. :)
That said, I think you could achieve your goal a lot easier with a run of the mill MUA like mozilla/evolution. If at first you don't succeed, google for a solution!
/pointer
Here's a mirror, while it lasts.
I have 2 CapitalOne Gold cards that my family uses. I will be cancelling them too. I used to keep an old version of Netscape on the box just so that I could access their site for online payments. I even went so far as to email their support and ask them if they had any plans to support Mozilla, but they responded in the negative. It's odd that a site built with php (it still is, right?) wouldn't support an open source browser.
Our other cards are with Providian and Discover. Providian's website works really well under Mozilla and their telephone customer service is excellent. We don't use the Discover card that often, so I don't remember how well that site works with Mozilla. :\
/pointer
It could be used for a queue disk for your MTA.
The telco that I work for, Ringgold Telephone Company, is deploying video services over copper, including video on demand (VOD), right now.
</shameless plug>
I think the nicest feature of these services is VOD. With VOD you'll never have to go to the video store again. I don't know about everyone else, but this will save me a lot of money in late fees. And with VOD you don't lose any of the features of a DVD/VHS tape; you can still pause, fast forward, rewind, etc.
DHCP is not designed as an authentication protocol, and probably should not be used as such. From what I read, it seemed like the poster was having scalability problems using DHCP as an authentication protocol, which is to say that he was having problems getting it to do something it wasn't designed to.
...
I would have to agree. DHCP was not designed as an authentication protocol, however, for the purpose in question (giving authorized users access to the network), it works acceptably.
It seems like changing your MAC before you send out the DHCP request would result in a denial-of-service, stealing away the IP of the person who owns the MAC you just set, since the static ARP entry gets added after the DHCP server ACKs the REQ.
You make a valid point. Keep in mind that you would have to guess the other customer's MAC because sniffing would do no good.
This is one of the reasons that I'm moving to circuit-id based auth. The customer would never have to worry about their MAC at all.
Were a malicious user able to guess MACs, our tech support guys would be pretty quick to notice a pattern in the complaints (I've set up dhcpd to log circuit-id with each request) and we would deactivate the customer's circuit. The other option would be to set up a daemon to watch the log for x number of requests from unknown clients from a specific circuit id.
Also, note that the poster didn't detail any specific setup like you did, leaving it pretty open for interpretation.
Again, you're correct. Your comments about scalability were made with an educated guess about this person's network config, as were mine. My point was that DHCP _can_ be effectively, efficiently and securely used in this environment.
Why not just have the DHCP server query the database directly then you NEVER have to restart that DHCP server.
Good question. I like to use software in as native of a form as possible as a rule. By 'native form' I mean being able to 'tar zxvf x;./configure [options];make;make install' because when it comes time for a security update, I don't want to have to be the one porting a patch to a new version of a package. I'm a sys admin, not a C/C++ programmer. I can write code, but it's not what I do best. When this feature becomes mainstream, I will definitely look at it, but like the patch that I mentioned (for spawning an external program) in another thread, I won't be implementing it in production until it comes with stock DHCPD.
Shouldn't your php front end do the error checking and tell the guy reading from the script (level 1 tech support) that the number he just entered is not a valid MAC address.
It does now. ;)
On the X minute waiting period. It's 5 minutes. The tech can configure their MUA while he's waiting.
Someone wrote a patch (for ISC DHCPD) that would let you call an external program when a lease was granted. Check the mailing list archive on marc.theaimsgroup.com.
/pointer
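An added example of the 'daemon to watch the log' option mentioned in the replies above (my code, not the poster's setup): it reads dhcpd log lines, ignores DISCOVERs from MACs that the provisioning database knows about, and alerts when one circuit-id produces a burst of DISCOVERs from unprovisioned MACs, which is what MAC guessing looks like on the wire. The line format, a stock DHCPDISCOVER line with a trailing circuit-id field as a log() statement in dhcpd.conf could append, is an assumption; adjust LINE_RE to whatever your server actually writes. The MAC list and the log lines are constructed.

```python
"""Watch dhcpd's log for bursts of DHCPDISCOVERs from unprovisioned MACs
on a single circuit-id: the 'daemon to watch the log' idea from the post.

Added example, not the poster's setup. The log format is an assumption
(stock DHCPDISCOVER line plus a trailing 'circuit-id <id>' field as a log()
statement in dhcpd.conf could append); adjust LINE_RE to match what your
server writes. The known-MAC list and the log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) "
    r"via \S+ circuit-id (?P<cid>\S+)"
)


class UnknownClientWatcher:
    """Alert when at least `threshold` DISCOVERs from MACs that are not in the
    provisioning DB arrive on one circuit-id inside a sliding `window`.
    A customer who swapped a NIC produces one or two such lines; someone
    cycling through guessed MACs produces a burst."""

    def __init__(self, known_macs, threshold=5, window=timedelta(minutes=5)):
        self.known = {m.lower() for m in known_macs}
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # circuit-id -> timestamps in window
        self.macs = defaultdict(set)       # circuit-id -> unknown MACs seen
        self.alerted = set()               # one alert per circuit per run

    def feed(self, line):
        """Return (circuit-id, hits, distinct MACs) when a circuit crosses
        the threshold, else None."""
        m = LINE_RE.match(line)
        if not m:
            return None                    # not a DISCOVER line
        mac = m["mac"].lower()
        if mac in self.known:
            return None                    # provisioned client, ignore
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year
        cid = m["cid"]
        q = self.recent[cid]
        q.append(ts)
        self.macs[cid].add(mac)
        while ts - q[0] > self.window:     # drop hits older than the window
            q.popleft()
        if len(q) >= self.threshold and cid not in self.alerted:
            self.alerted.add(cid)
            return (cid, len(q), len(self.macs[cid]))
        return None


def scan(lines, known_macs, **kw):
    """Run the watcher over an iterable of log lines; return the alerts."""
    watcher = UnknownClientWatcher(known_macs, **kw)
    return [a for a in map(watcher.feed, lines) if a is not None]


# Constructed data: what the provisioning DB knows, and a slice of syslog.
KNOWN_MACS = {"00:0a:95:9d:68:16", "00:0a:95:9d:68:17"}
SAMPLE_LOG = """\
Mar  3 09:14:02 dhcp1 dhcpd: DHCPDISCOVER from 00:0a:95:9d:68:16 via 10.1.0.1 circuit-id ATM3/0/1:0.35
Mar  3 09:14:40 dhcp1 dhcpd: DHCPDISCOVER from 00:50:56:aa:00:01 via 10.1.0.1 circuit-id ATM3/0/1:0.36
Mar  3 09:15:01 dhcp1 dhcpd: DHCPDISCOVER from 00:0a:95:9d:68:10 via 10.1.0.1 circuit-id ATM3/0/1:0.40
Mar  3 09:15:03 dhcp1 dhcpd: DHCPDISCOVER from 00:0a:95:9d:68:11 via 10.1.0.1 circuit-id ATM3/0/1:0.40
Mar  3 09:15:05 dhcp1 dhcpd: DHCPDISCOVER from 00:0a:95:9d:68:12 via 10.1.0.1 circuit-id ATM3/0/1:0.40
Mar  3 09:15:07 dhcp1 dhcpd: DHCPDISCOVER from 00:0a:95:9d:68:13 via 10.1.0.1 circuit-id ATM3/0/1:0.40
Mar  3 09:15:09 dhcp1 dhcpd: DHCPDISCOVER from 00:0a:95:9d:68:14 via 10.1.0.1 circuit-id ATM3/0/1:0.40
Mar  3 09:15:11 dhcp1 dhcpd: DHCPDISCOVER from 00:0a:95:9d:68:15 via 10.1.0.1 circuit-id ATM3/0/1:0.40
Mar  3 09:16:00 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to 00:0a:95:9d:68:16 via 10.1.0.1
Mar  3 09:25:00 dhcp1 dhcpd: DHCPDISCOVER from 00:50:56:aa:00:02 via 10.1.0.1 circuit-id ATM3/0/1:0.36
""".splitlines()

if __name__ == "__main__":
    for cid, hits, distinct in scan(SAMPLE_LOG, KNOWN_MACS):
        print(f"ALERT circuit {cid}: {hits} DISCOVERs from {distinct} unknown MACs")
```

The one-off unknown MAC on circuit 0.36 (a customer who changed NICs) never trips the threshold, while six different MACs on circuit 0.40 inside ten seconds do; with 'deny unknown clients' in dhcpd.conf none of them got a lease, but the log still shows who was knocking and on which circuit, which is the pattern the tech support guys would otherwise have to spot by hand.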
I think this guy's best bet (if he decides to go with bridge1483/DHCP) is secured arp. See my main post for more info...
That in addition to not being scalable or sustainable, this scheme is not secure, either.
Scalable/Sustainable:
Please tell that to the big cable providers. Post some messages on the ISC-DHCPD list. Let some of the users with larger networks tell you how scalable it is.
Secure:
We're using secured arp. You can't steal IPs when your provider is using secured arp on the router directly connected to the DSLAMs. When the router 'sees' the DHCP ACK from the DHCP server, it adds a static arp entry for your MAC/IP to _your_ ATM circuit. DHCP requests are sent directly to the router (dhcp/relay) which converts the request to unicast. In our environment (DSL, not cable) there is no physical way for one customer to 'get in the middle' of anyone else's connection to cause problems like this.
/pointer
I work for a telco that was in the same situation in June of 2000. I elected to go with DHCP/bridge1483 because:
* it cost less - (PPPoE clients aren't cheap; yes, I know about raspppoe, but it doesn't run on some platforms last time I checked)
* has fewer things that can break (nic, driver, ?), hence lowering support costs
* doesn't require any software installation on any platform that I know of (almost any modern os has a DHCP client; yes, XP ships with a PPPoE client)
* gives users more bandwidth/has less layer 2 overhead (I did some research then (06/2002) and what I found seemed to indicate that the processing overhead (yeah, yeah, get a faster CPU) and layer 2 overhead of PPPoE were noticeable bottlenecks when compared to 1483. Anyone care to drum up some links (for or against!)? I don't really have the time.)
We set up a mysql db with all the fields we needed and I wrote a perl script that runs under cron to rebuild the dhcpd config every 5 minutes. I really need to set this up with timestamps so that it only rebuilds when things are changed, but I haven't gotten around to it yet (bad me!). I paid a friend (because I didn't have time) to write the php interface to the db and we give our tech support guys access to the db. NOTE: filter the mac/IP address fields for valid values or you will break your config. :\ You'd be surprised how much damage a little 'fat finger' can do when you're restarting your dhcp server, as well as how many people really don't understand what a valid MAC address is.
With that said, I've enabled option-82 relaying on all of the devices between our 'DSL router' (RedBack SMS1800) and the dhcp server. I'm now getting the ATM circuit-id for each customer in the relayed dhcp discover packets. When I get the time, I'm going to switch authentication to circuit-id so that customers don't have to call in every time their MAC changes (new pc; new nic) and to streamline the install process (nobody has to call in and tell our techs their MAC; the account would just work once provisioned).
We're up to (insert random low 4 digit number) users and not having any problems with it. If you do go with redback (if you have a cisco/juniper, just get an atm blade for it...), make sure you enable secured arp and get the SRAM card to cache the arp tables for maintenance reboots. Secured-arp will stop people from using a MAC that the dhcp server hasn't sent a 'dhcp ack' to. Secured-arp, coupled with 'deny unknown clients' in your dhcpd.conf, should resolve issues like that. I'm sure cisco/juniper routers support secured-arp, but I haven't had the need to set it up on mine, so I don't know.
Just my 2c. Good Luck!
/pointer
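An added example of the validate-then-generate step the post above warns about (my code, not the poster's Perl script or PHP front end): it normalizes MAC addresses into dhcpd's colon form, rejects multicast, all-zero, duplicate or out-of-subnet values, and emits either host stanzas keyed on MAC (with deny unknown-clients) or, for the circuit-id plan, one class per customer matching option agent.circuit-id plus a one-address pool. Rows that fail are reported and left out rather than breaking the whole config, and the file is only rewritten when its content changes, so the cron job does not restart dhcpd needlessly. The subnet, gateway, customer ids, the circuit-id string format and the rows below are constructed assumptions; in particular, how a RedBack or any other relay encodes the circuit-id in option 82 is hardware-specific and has to be checked against a real relayed packet.

```python
"""Validate provisioning rows and generate dhcpd.conf from them.

Added example, not the poster's Perl script or PHP front end. The subnet,
gateway, customer ids, circuit-id string format and the rows below are
constructed assumptions; how a given relay encodes circuit-id in option 82
is hardware-specific and must be checked against a real packet.
"""
import ipaddress
import os
import re

SUBNET = ipaddress.ip_network("10.1.0.0/22")   # assumed customer block
ROUTER = ipaddress.ip_address("10.1.0.1")      # assumed gateway


def normalize_mac(raw: str) -> str:
    """Accept 00:0a:95:9d:68:16, 00-0a-95-9d-68-16, 000a.959d.6816 or bare
    hex; return dhcpd's colon form. Raise ValueError for anything else."""
    digits = re.sub(r"[\s:.\-]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    octets = [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]
    if octets[0] & 1:                      # group bit set: multicast/broadcast
        raise ValueError(f"multicast/broadcast MAC: {raw!r}")
    if not any(octets):
        raise ValueError("all-zero MAC")
    return ":".join(f"{o:02x}" for o in octets)


def validate_ip(raw: str) -> ipaddress.IPv4Address:
    """Must sit inside the customer block and not be network/broadcast/gateway."""
    ip = ipaddress.ip_address(raw.strip())
    if ip.version != 4 or ip not in SUBNET:
        raise ValueError(f"{raw!r} is outside {SUBNET}")
    if ip in (SUBNET.network_address, SUBNET.broadcast_address, ROUTER):
        raise ValueError(f"{raw!r} is a reserved address")
    return ip


def build_config(records, auth="mac"):
    """Return (config_text, rejected). auth='mac': host stanzas plus
    'deny unknown-clients'. auth='circuit': a class per customer matching
    option agent.circuit-id and a one-address pool for it. Bad rows are
    reported, never emitted, so one fat finger cannot take dhcpd down."""
    hosts, classes, pools, rejected = [], [], [], []
    seen_mac, seen_ip = {}, {}
    for r in records:
        cust = r.get("customer")
        try:
            ip = validate_ip(r["ip"])
            if ip in seen_ip:
                raise ValueError(f"IP {ip} already assigned to {seen_ip[ip]}")
            seen_ip[ip] = cust
            if auth == "mac":
                mac = normalize_mac(r["mac"])
                if mac in seen_mac:
                    raise ValueError(f"MAC {mac} already assigned to {seen_mac[mac]}")
                seen_mac[mac] = cust
                hosts.append(f"host cust-{cust} {{\n  hardware ethernet {mac};\n"
                             f"  fixed-address {ip};\n}}\n")
            else:
                circuit = r["circuit_id"]
                if not re.fullmatch(r"[A-Za-z0-9/:.\-]+", circuit):
                    raise ValueError(f"bad circuit-id {circuit!r}")
                classes.append(f'class "cust-{cust}" {{\n'
                               f'  match if option agent.circuit-id = "{circuit}";\n}}\n')
                pools.append(f'  pool {{\n    allow members of "cust-{cust}";\n'
                             f"    range {ip};\n  }}\n")
        except (KeyError, ValueError) as e:
            rejected.append((cust, str(e)))
    out = ["# generated from the provisioning DB; hand edits will be overwritten\n",
           "authoritative;\n"]
    if auth == "mac":
        out.append("deny unknown-clients;\n")   # no host stanza, no lease
    out += classes
    out.append(f"subnet {SUBNET.network_address} netmask {SUBNET.netmask} {{\n"
               f"  option routers {ROUTER};\n")
    out += pools
    out.append("}\n")
    out += hosts
    return "".join(out), rejected


def write_if_changed(path: str, text: str) -> bool:
    """Write atomically, and only when the content differs, so the cron job
    restarts dhcpd only when something was actually (re)provisioned."""
    data = text.encode()
    if os.path.exists(path):
        with open(path, "rb") as f:
            if f.read() == data:
                return False
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(data)
    os.replace(tmp, path)
    return True


# Constructed rows, including the kinds of fat-finger entries the post warns about.
RECORDS = [
    {"customer": 1042, "mac": "00:0A:95:9D:68:16", "ip": "10.1.2.3", "circuit_id": "ATM3/0/1:0.35"},
    {"customer": 1043, "mac": "000a.959d.6817", "ip": "10.1.2.4", "circuit_id": "ATM3/0/1:0.36"},
    {"customer": 1044, "mac": "00:0a:95:9d:68:1", "ip": "10.1.2.5", "circuit_id": "ATM3/0/1:0.37"},   # 11 hex digits
    {"customer": 1045, "mac": "01:00:5e:00:00:fb", "ip": "10.1.2.6", "circuit_id": "ATM3/0/1:0.38"},  # multicast
    {"customer": 1046, "mac": "00:0a:95:9d:68:19", "ip": "10.1.0.1", "circuit_id": "ATM3/0/1:0.39"},  # gateway IP
    {"customer": 1047, "mac": "00:0a:95:9d:68:16", "ip": "10.1.2.8", "circuit_id": "ATM3/0/1:0.40"},  # dup of 1042
]

if __name__ == "__main__":
    text, rejected = build_config(RECORDS, auth="mac")
    print(text)
    for cust, why in rejected:
        print(f"REJECTED customer {cust}: {why}")
```

Run dhcpd -t -cf on the generated file before moving it into place and restarting: a syntax error caught there costs nothing, one caught by the restart takes every customer's renewals down with it. Note that in circuit-id mode the config deliberately omits deny unknown-clients, since with no host stanzas every client would be 'unknown'; the pools' allow members of lines do the gating instead, and a client on an unprovisioned circuit matches no class and gets nothing.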
It was an interrupt call to 19h, IIRC. I wrote a little password program with Quick C (*shudder*) using inline asm back in the day. It would reboot the machine if you entered the wrong password.
I'm not too familiar with VMS, but Linux can and IRIX might (no support is mentioned for it) be able to use the pam_ldap/nss_ldap modules from padl.com to authenticate against Active Directory. IIRC, this requires SFU, but I could be wrong. There is a document about it in the tarball for nss_ldap.
Here are some links to Linux/AD integration from padl.com's doc section:
Active Directory and Linux
Linux-AD Integration
Active Directory and nss_ldap
/pointer
I'm currently in the process of relocating (so my wife can finish her MS) to Illinois from the South... :)
Here's the scoop that my company's accountants and lawyers dug up. I'm not a lawyer or an accountant (insert the rest of the standard disclaimer here)...
Since I will be residing in Illinois, I will pay Illinois state taxes (and Chicago income taxes as well :\). My employer had to get a tax id from the state of Illinois. AFAIK, that's all that was required in my situation.
My employer was even nice enough to transfer my health insurance into a group local to Chicago!
-pointer
If you have the time, I'd like to see the business case (numbers) for this and some details on how you're using the backend box to access the citrix server (solaris based metaframe client?; I'm not really that familiar with citrix). Where's the break even point (number of clients) for justifying the cost of redundant backend servers?
-pointer (spamisbad@NOSPAM-catt.com)
That actually depends on your MTA...
(IIRC) qmail, for example, would send 250 separate messages in this instance.
SpamAssassin
I'm not involved with this group, but from what I hear of other ISPs implementing this, it works well. It allows you to set headers based on its own message rating system, sends checksums of messages that it thinks are spam to a clearing house (DCC), and uses checksums that match 'mass' email that have been rated as spam to mark messages that have been sent to a lot of people. This lets the user filter the garbage to a folder in their MUA if they want. It can also delete them server side.
Someone that uses this please correct me if I'm wrong.
I was wrong about the swap partition.
I admit that.
I don't usually play with linux on desktops. I install it (with a swap partition) and it runs. It's a workstation and a development platform for me.
I honestly don't remember the option of a swap file being mentioned in the docs I read when I started installing linux.
Most of the systems that I install linux on _need_ a large swap partition.
Having an opinion doesn't make someone arrogant.
While the author (I really meant to be gender nonspecific, sorry about that) did graze over some of the details of the system, this was not an 'extensive review.'
I should have taken the time to make that point (my main one) more clear.
The article was, however, very informative.
My attempt was not to be a troll, honest.
Pointer
Personally, this is the most uninformed and uneducated review of a linux distribution I have ever read.
However, I hope that future versions of Lycoris will use a file automatically for their swap space instead of a real partition - in addition to the / partition. This will greatly simplify the installation process for many users and won't fragment their hard drives.
What is that supposed to mean?
Am I out of the loop or does linux support swap files (as opposed to partitions) now?
How much 'simpler' would it really make it anyway? It doesn't fragment the disk; put the swap at the end and be done with it.
It gets better:
It took 2 minutes to mount two FAT32 partitions (9 and 18 GB respectively), while the rest of the OS loading did not take more than 40 seconds. A shame really - I hope this (inconvenience mostly) will be fixed or altered to a faster algorithm.
I don't know what's wrong with the mounting issue, but what kind of faster algorithm is he talking about here?
</rant>
Pointer
Check out subversion.
It's CVS, but better and based on WebDAV for RPC and BerkeleyDB for storage.
Cheers,
pointer
I've noticed a lot of people complaining about spam originating from UUNet's network. I've observed this problem for a few weeks now as well, so I called their abuse group and asked them why their dialup pools were not in MAPS DUL (which I use). The representative told me that they were moving around their dialup pools and their entries in the DUL would be updated shortly.
Cheers,
pointer
Just the facts:
$ uptime
8:26am up 158 days, 6:39, 7 users, load average: 0.23, 0.05, 0.02
$ uname -a
Linux XXXXXXXXX 2.4.7 #13 SMP Sun Aug 12 03:11:03 EDT 2001 i686 unknown
I haven't had time to update the kernel or reboot the box...
The only problem I had with 2.4.x was with the DAC960 drivers. After that it's been running flawlessly for months.
That's a pretty immature way to react. We aren't born with any knowledge. We spent time accumulating it. You have just spent your time accumulating information about other things. That's not something that you can change overnight either. Play with it. Check out PPPKit on sunsite. Look at the scripts that it generates for you. Learn from someone else's work. Then help someone else along.
pointer
I've had netscape disappear off of my desktop, but never have I had it kill/lockup my box completely. I don't know what kind of hardware you run (or what kernel), but your box must have serious problems. BTW, do you run it as root?
pointer