Slashdot Mirror


User: rdl

rdl's activity in the archive.

Stories: 0
Comments: 95

Comments · 95

  1. HavenCo's CTO Speaks on Data Haven To Open For Business - Today · · Score: 5

    Hi. I'm Ryan Lackey, CTO of HavenCo.

    We're all very busy dealing with actually running
    our business, as well as interacting with the
    press, but I figured I'd respond to some of the
    questions raised here, as I'm a frequent reader
    of slashdot (check out my profile)

    1) How do we know it's not a hoax?

    Well, look at the people involved. Within the
    cypherpunks, data networking, and security industries, we're all very well known.

    2) Can't you just be destroyed by an Iraqi chemical attack, wayward 747, etc, or have your
    links cut?

    Defense against denial of service can never be
    fully accomplished, but we try very hard. HavenCo
    intends to have multiple sites (do you have a
    small country which wants free high-speed networking for all your citizens, in trade for
    autonomy over a few acres of remote land? Contact
    us!) We have up to 5 locations lined up now.
    Plus, we can always set up our secure facilities
    inside other people's colo sites.

    We promise to not allow machines to be *compromised*, as far as confidentiality or
    integrity -- if someone tries to tamper with
    a service, be it a paid-off staff member, a raiding Church of Scientology commando group, or
    whatever, the server's contents will be destroyed.

    More info on how this will be done shall be presented at a conference this summer, and in
    a white paper, by myself. How to do it is relatively well known in the crypto/tamper-resistance community, but no one
    has deployed it yet.

    3) Your AUP bans obscenity/etc.?

    There has been a bit of internal confusion over
    that.

    Basically, we are planning to have sites in many
    countries. Content illegal in the country in
    which we have the server cannot be hosted at
    the site.

    For instance: Sealand. Kiddie porn is explicitly
    banned, but other than that, I don't know if anything is banned. In the UK, all UK-illegal
    content will be banned. In the US, same thing.
    Which is why we'll be putting facilities in
    *many* countries, with diverse laws.

    The only things which *we* as HavenCo specifically
    ban from our facilities globally are spam, network
    attacks, and the like. Many of our founders have
    participated in spammer hunts in the past, and
    it would be hypocritical for us to offer a safe
    haven for spammers.

    4) These fake sites...

    Principality-sealand.net and telebase.es/sealand
    are run by criminals who attempted to take Sealand
    by force.

    5) Aren't you just being paranoid?

    Um, we're not *just* being paranoid, but by being
    overly paranoid ourselves, our customers can
    relax. Seems like a fair trade.

  2. "safe configuration defaults" on Motorola Introduces Home Cable Modem/Router · · Score: 4

    Hopefully motorola will ship these with
    no system-wide default (or easily guessable)
    passwords, and with spoofing protection outbound.

    The trend toward faster and faster network
    connections sold as "appliances" puts a lot more
    responsibility on the manufacturer to make sure
    default configurations are suitable for users,
    and won't contribute to DDoS, etc.

  3. Re: the shock rating of the IBM hard drive on 5GB portable MP3 Player · · Score: 1

    It's possible the external casing of the unit
    will absorb a good fraction of any impact
    energy, though -- it looks like it's made of
    plastic.

    Laptops are known to survive 1m falls onto
    ceramic tile, provided non-essential plastic
    pieces of the case take the impact, crack or
    chip, and thus suck up a lot of the energy.

    I certainly wouldn't want to *throw* this thing
    to the ground, but I think dropping it from
    waist or shoulder height onto concrete isn't
    going to do much more than crack/chip/break
    the housing, and possibly the LCD.

  4. Unintended Consequence? on Ford Giving Free PCs to All Employees · · Score: 1

    I'd be rather amused if Ford, in giving its
    assembly-line workers computers, ended up
    sparking their interest in doing side businesses
    on the Internet, like selling stuff on eBay,
    writing web pages, maybe writing code, etc.,
    initially as a hobby, then making money from it,
    and soon making more money than at Ford :)

    Actually, Ford is usually trying to cut back
    its labor force anyway, so perhaps this isn't
    such a bad thing for them. And of course some
    people will end up using those new computer skills
    to work in other more computer-centric positions
    within Ford, which is good for Ford.

  5. Inspiron 7500 as VMware machine? on Dell to sell laptops with Linux preinstalled · · Score: 3

    Thanks, Dell! Thanks, Linuxcare!

    I've been looking at getting a loaded Inspiron
    7500 (512mb ram, 75gb disk, 650mhz pIII, 1400x1050
    screen!) as a primary development machine. The
    only thing I don't like is the pointing
    device, but I suppose I can carry an IBM clicky
    keyboard with trackpoint, too.

    Has anyone had any luck running VMware 2.0 beta
    on one of these beasts? I like to use vmware
    to do kernel hacking without losing my
    xmms and emacs buffers :) It's a lot less
    annoying to lose a VMware machine than a desktop
    to a kernel bug, and disks can be checkpointed.
    VMware the company says laptops are a bad idea,
    but the Inspiron 7500 is studlier than almost
    any desktop!

    Remember, these things are heavy :( 10 pounds
    configured, and *big*.

  6. Dynamic/Database content vs. Search Engines on Altavista - Open Sourced UPDATED · · Score: 2

    One fact which all the search engines must
    realize, as well as cache companies like
    Inktomi and Akamai, is that the Internet is
    becoming increasingly dynamically-generated,
    personalized, and transactional -- exactly the
    kind of content least suited for static
    spider-driven search engines and static cache
    technology.

    Perhaps this will be the first Internet
    subcategory to fall from vastly overinflated
    stock valuations due to technical change.

  7. Share raw search data across search engines? on Altavista - Open Sourced UPDATED · · Score: 1

    Given how intrusive search engines can be
    (you want to download every single file in the
    Cypherpunks Archives? That's about 100k and
    growing!), and how similar a lot of what they're
    doing is, it would be really nice if the search
    engines banded together and shared their raw data
    over a private extranet, rather than every single
    spider anyone with a spare PC decides to run
    pillaging my website in turn. It's not such
    a big deal for a well connected site like mine,
    but for people on the end of a 9.6kbps link in
    the developing world, search engine hits can
    impose a high burden, but one which must be
    borne to have one's content searchable.

    The sites could still differentiate themselves
    in spider technology by using their own custom
    formats, analysis, etc., but ideally, whenever
    one downloaded a page via http from an end-user
    server, it would be available to the other
    search engines automatically over private, high
    speed links. By doing this, they'd all be able
    to update more frequently, yet reduce overall
    load on the net as a whole.

    I suspect this will be more of a problem, not
    less of one, in the future, and despite
    the pitched competition in the search engine
    industry, it'd be nice to see them work together
    to improve the quality of the net as a whole.
    After all, it's not a zero sum game!

  8. Re:Drive Business Offshore? on DoubleClick Taken to Court · · Score: 1

    Physical people and property don't move offshore.
    It would be pretty hard to beat someone's
    wife from 6,000 miles away.

    A better parallel would be "we should legalize
    sending death threats via email because otherwise
    people will just send death threats from offshore". That argument breaks down precisely
    at the point where the email stops being a
    random piece of email (legal) and is a direct
    "immediate and palpable entreaty to or threat of
    violent action", which is already a criminal act,
    and is covered by existing law.

  9. Re:Drive Business Offshore? on DoubleClick Taken to Court · · Score: 1

    You mean like China does to the outside world?
    All those evil, capitalist sites? Sites where
    people speak freely about their governments?
    Even sites like slashdot?

    Or what a country like Iran would do given the
    chance -- if a woman had a picture of herself
    wearing an andover.net t-shirt and shorts, it'd
    be banned.

    These firewalls are already pretty regularly
    penetrated; cryptography and steganography only
    make it easier. Someone could host content
    offshore, relayed through any third-party country
    like the UK or India, and then redistribute it
    through the US. Unless you can get *everyone*
    in the world to blackhole route a site, it'll
    find a way through, especially if it's valuable
    data. During the recent Kosovo war, Serbian
    sites were still on the net, after all -- including free radio sites mirrored in Amsterdam
    detailing the plight of those trapped in the
    crossfire.

    After all, one person's "evil vile filthy trash"
    is another's message of freedom. Systems like
    ZKS Freedom
    will only make it harder to censor the net.

    If people want to protect privacy, they should
    do it themselves, using Freedom, throwaway accounts, or Junkbuster; they should run crying
    to the government to do it for them.

  10. Drive Business Offshore? on DoubleClick Taken to Court · · Score: 4

    As with the US crypto export laws,
    as with the EU privacy regulations
    (where companies are not allowed to maintain
    databases of customers or use such information for
    focused marketing) and Texas's on again, off again
    status as far as selling DMV information to
    outside parties (Public Data)
    and E-Banking (ebanking.com (luxembourg)),
    and countless internet casinos and porn sites,
    these regulations will have an unintended
    consequence -- drive these businesses offshore.

    No longer does the US and EU have a monopoly
    on high-speed internet connectivity; it's possible
    for any business selling valuable data illegal
    in the US/EU to colocate a machine in a
    less-regulated country, such as Anguilla, or
    Costa Rica, or many others, employ a few locals
    to maintain it, and pay admittedly higher rates
    for satellite or undersea cable connectivity.
    In exchange, pay lower or no taxes, have no
    government interference in your business, etc.

    Sure, this only makes sense for certain kinds of
    data, data for which people are willing to pay
    money, but that's the only interesting data,
    anyway. When a T1 costs $100k/month, running
    an online gambling site making $3m/month is a
    lot better business than letting people
    leech mp3s.

    In the end, it's futile to try to restrict
    businesses like this; all doubleclick would need
    to do is contract with an offshore tracking
    company, connected to the net over a 128kbps
    satellite link, something they could set up
    for $20k/month, and put that machine anywhere
    in the world -- even on the back of a boat.
    If they need help, they should email me -- I've
    lived in Anguilla, the erstwhile datahaven, and
    know a thing or two about such things :) The
    situation is only getting better, as far as
    offshore colocation goes, as the major governments
    get more and more restrictive and bandwidth
    becomes more widely distributed -- in a few years,
    every country in Africa will have fiber-optic
    connectivity via redundant SONET, and that
    gives the prospective colocator a lot of
    potentially friendly and cash-starved countries
    to negotiate with who wouldn't care about
    the difference between online advertising and
    online pornography.

    The net views regulation as damage and routes
    around it -- cypherpunks.

  11. Re:Here's a model for $165. on Cheap Rackmount Enclosures/Systems? · · Score: 1

    Well, the original post was about using racks
    as an end-user at home just for organizational
    purposes.

    I'm putting together some mp3 mixing stuff for
    raves when they start up again in the bay area
    once the rainy season ends, and you can bet it'll
    be rackmounted (or possibly just a good laptop
    with an AES/XBU or optical out PC Card soundcard,
    or firewire mixing board)

    Racks are also great for portable use as lan
    analyzers, packet generators, etc.; although
    luggables with PCI slots or even laptops with
    cardbus 100mbps ethernet have started to cut
    into this territory.

  12. Re:Rack mounted computers on Cheap Rackmount Enclosures/Systems? · · Score: 2

    You're unlikely to find anything shorter than
    1U (1.75"), since the U is the standard of
    19" rackspace.

    1U high machines include:

    * Cobalt RAQ for approximately $1k

    * Soon, a DS10 (466mhz alpha 21264) from Compaq
    for approximately $2-3k

    * Various 1-PCI-slot celeron-based PCs:

    Altavista comes up with a bunch of links for
    +1U +Rackmount +MicroATX. Use the web.

  13. Target Market is High-End on Cheap Rackmount Enclosures/Systems? · · Score: 5

    Good question.

    Most of the reason the cheapest rackmount case out
    there is the Antec 4U IPC rack (ipc 3480 with
    pp303x 300watt power supply, $239 at McGlen Micro)
    is the target market: servers.

    People who are buying a server and putting it
    in colo don't mind spending a couple hundred extra
    dollars to get a high-quality case; they usually
    go in high-vibration, high RF environments and
    thus need to be substantially more durable than
    desktop/tower cases. Additionally, they
    generally have dust/cooling requirements which
    are substantial -- adding 6 fans to a system
    raises the price. Rackmount cases are all-metal,
    just like the best desktop cases, rather than
    plastic; plastic would disintegrate rapidly in
    a datacenter.

    The ATX/rackmount form factor is rather complex
    to engineer, compared to a desktop or tower case;
    it has to support a lot of weight. There are
    some tower cases with rail conversion kits, like
    for the macintosh minitowers, but those are
    rather specialty. They also tend to come with
    higher-end power supplies, something which also
    adds to the cost, and locking doors over drive
    bays.

    Also, the number of units of rackmount case sold
    is much lower than desktop and minitower, raising
    the price.

    If you want cheap racking, I'd suggest using rack
    shelves and putting minitowers in, or using
    wire shelves and regular minitowers. Most of
    the beowulf systems out there use shelves and
    minitowers, rather than racks, for cost reasons.
    Unless you're going in a facility with existing
    19" racking, there's no reason to do racks.
    Stainless steel wire shelving looks almost as
    sexy as 19" racks, and can actually fit more
    machines per unit volume than 4U rackmount boxes.
    The shelving itself is cheaper, too.

    Additionally, if you're putting a machine in colo,
    the prices are usually such that spending $500
    on one of the 2U cases rather than a cheap 4U
    case will pay off in the long run. It's for
    this reason that Yahoo originally designed their
    2U high custom case -- they have thousands of
    machines in colo, and when you pay $50-150/U/month, saving 2U per machine adds up
    quick! People are even going to 1U now; there's
    allegedly a Compaq DS10 in 1U rather than 3U on
    the way, which I plan to buy in quantity for colo
    use.

  14. Re:Canon copiers on IDs in Color Copies · · Score: 1

    Stamps are most likely not an issue -- US stamps
    have a chemical (phosphorus, I believe) which
    fluoresces under blacklight (UV), used in
    USPS machines to detect the presence of a stamp.
    It's this, not the visual pattern, which is used
    in the automatic machines. It's only in the
    event a letter is processed manually and
    under suspicion that the stamp itself would
    be examined up close by a human, I believe.

    Electronic postage indicia are another matter
    entirely.

    By the way, don't try any of this -- the US
    Postal Inspectors will beat you down harder than
    even the DEA.

  15. Re:Everything old is new again -- Wanted! on Interface Zen · · Score: 1

    I used to have one of these; IBM sells
    them on its website. Although I haven't
    checked recently.

    I'm currently using an IBM RS/6000 320 keyboard.
    PS/2, big, clicky, nice, but doesn't have
    the integrated trackpoint, black color, etc.

    Perhaps I should buy myself one of the
    IBM with trackpoint keyboards as an xmas
    present. If only I could find a TEMPEST
    shielded one....

  16. Re:equipment? on Canadian Recording Industry Ass'n Lets DJs use MP3s · · Score: 2

    Sadly, the group developing the Final Scratch
    seems to have fallen apart over internal issues
    during the commercialization process -- hopes
    for final scratch production now hinge on a
    random large company picking up the idea and
    running with it, from what I've heard.

    I still want one, even if the label on the
    side says "Pioneer" :)

  17. Re:Yeah, but it's DES.. on The First Step to Cypherspace? · · Score: 1

    Um, this is why you use DIFFERENT KEYS PER
    ENCRYPTION. If you do DES 3 times with
    3 different keys, you have 3-key 3DES with
    168 bits of keylength.

    This does not suck. The only weakness is a
    faster attack than brute force on DES itself.
    Given that DES is probably the most studied
    symmetric cipher in the world, I think that
    risk is acceptably low.

    If you just encrypt over and over again with the
    same key, you may lose. There was a suggestion
    at one point to do 3DES with 2 keys, but there
    is only one ordering which provides reasonable
    security, and there is a storage for compute
    tradeoff which makes this questionable.

    Insist on 3-key 3DES. Of course, 5-key 5DES
    will be even more secure, as would 7-key 7DES.

    Cryptography is NOT black magic. You need to
    understand what you're doing, true, but it's no
    more complicated than advanced compiler design
    or routing protocol design. Don't go into it
    blindly, but if you read a book like
    the Handbook of Applied Cryptography, you're
    on the road to clue.
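
The "insist on 3-key 3DES" advice above can be turned into a check a deployment runs on its keys. The following Python is an added example, not code from the post or from any library: it classifies a 16- or 24-byte 3DES key by keying option after masking the DES parity bits (so two subkeys that differ only in parity are correctly treated as the same key), reports the nominal key length the post quotes, and flags the four standard DES weak keys as subkeys. The function names are my own; the weak-key constants are the published DES values.

```python
from typing import Tuple

# The four DES weak keys (standard published constants); encrypting twice
# with one of these is the identity, so they must never appear as a subkey.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def strip_parity(subkey: bytes) -> bytes:
    """DES uses 56 key bits; the low bit of each byte is parity only."""
    return bytes(b & 0xFE for b in subkey)


_WEAK_STRIPPED = {strip_parity(w) for w in DES_WEAK_KEYS}


def classify_3des_key(key: bytes) -> Tuple[str, int]:
    """Return (keying option, nominal key bits) for a 3DES key.

    Accepts the 16-byte form (K1, K2 with K3 = K1) or the 24-byte form.
    EDE mode is assumed: C = E_K3(D_K2(E_K1(P))).
    """
    if len(key) == 16:
        key = key + key[:8]          # 2-key form: K3 is defined as K1
    if len(key) != 24:
        raise ValueError("3DES key must be 16 or 24 bytes")
    k1, k2, k3 = (strip_parity(key[i:i + 8]) for i in (0, 8, 16))

    if any(k in _WEAK_STRIPPED for k in (k1, k2, k3)):
        return ("weak-des-subkey", 0)
    if k1 == k2 or k2 == k3:
        # E_K(D_K(x)) cancels, so EDE collapses to single DES under the
        # remaining key: exactly the "same key, you may lose" case.
        return ("single-des", 56)
    if k1 == k3:
        return ("2-key-3des", 112)
    return ("3-key-3des", 168)
```

A parity-only difference between K1 and K2 is the easy mistake to miss: the raw bytes differ, yet the cipher degrades to single DES.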

  18. GNU Privacy Guard on Ask Slashdot: Is There a PGP Key Repository? · · Score: 1

    I use GnuPG on a daily (exclusive) basis.
    It certainly has some reliability issues
    sometimes, far more than PGP, Inc.'s product.
    I've only had the system break during upgrades,
    and once it works it works quite well. The bugs
    are all very apparent to the user, like the thing
    just refusing to sign or use a key, rather than
    things which could open security holes.

    Overall, I'd be more comfortable using GnuPG,
    since I can easily audit the source (it's smaller
    and easier to understand), support the GPL,
    and tell people worldwide to use the same
    product, than using a PGP, Inc. product.

    Being a little bit on the edge to push a good
    thing like a GPL'd OpenPGP implementation is
    worth a bit of sacrifice, too.

  19. One more choice: sign code or sign keys? on Ask Slashdot: Is There a PGP Key Repository? · · Score: 1

    So, once one separates key distribution from
    trust relationships, another interesting question
    comes up:

    Should I, as a user, sign the key of, say,
    Ben Laurie (apache-ssl, openssl guy), saying I
    know him (I'd say yes), and that he's generally
    a good guy?

    Or, is it more important that I sign the *code*
    also, saying I've reviewed it and it seems
    reasonable?

    I think people should do both -- I'd be far
    happier if there were signatures from everyone
    who seriously looked at the code for security
    purposes on the code they reviewed, rather than
    just on someone's key.

    These are really two separate problems, but both
    need to be solved.

    At MIT, Lenny Foner and others were working on
    a system to allow people to individually sign/audit small subsections of a large security
    program. This seems more reasonable than
    a system where people have to look at all the code, or sign none of it. As long as design
    is sufficiently encapsulated (ideal from a
    security perspective, but not always possible),
    it should be possible to review only a single module. A build system could then be constructed
    to require a threshold number of signatures from
    a set of people you trust, but not necessarily
    the same individuals reviewing the whole program.

    This is really the next step in cryptographic
    signatures -- "signature management" to go along
    with trust management. To do it, one would need
    a patched build system, and potentially also
    a standard for signatures and keys to include
    *why* they are being signed, not just that there
    is a valid cryptographic signature. I could
    sign an Anonymous Coward's code to assert I believe it is secure without knowing the identity
    of the Anonymous Coward. *This* is the main
    advantage of a decentralized freeform system like
    PGP (yay openpgp! yay gnupg!) over a rigidly
    enforced corporate hierarchy like x.509.

    Debian has gone far beyond most corporations in
    its use of PGP tools to verify developers (I think
    Red Hat has as well). This is the next step...

    1024D/4096g 0xD2E0301F Ryan Lackey
    B8B8 3D95 F940 9760 C64B DE90 07AD B307 D2E0 301F
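
The per-module threshold scheme sketched in that comment (signatures that carry a *why*, a trusted reviewer set, and a build that requires N of them per module) can be expressed as a small policy check. The Python below is an added example and not code from the post, Debian, or any build system: it uses HMAC with per-reviewer shared secrets as a stand-in for OpenPGP signatures, and the reviewer names, module paths and contents are constructed sample data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ReviewSignature:
    module: str     # path of the module that was reviewed
    digest: str     # sha256 of the exact contents reviewed
    reviewer: str   # key id of the signer
    purpose: str    # *why* it was signed: "security-review" or "identity"
    sig: str        # hex MAC over (module, digest, purpose)


def _statement(module: str, digest: str, purpose: str) -> bytes:
    # Canonical signed bytes. Binding the purpose means an "identity"
    # signature can never be replayed as a code-review assertion.
    return json.dumps([module, digest, purpose], separators=(",", ":")).encode()


def sign_review(secret: bytes, reviewer: str, module: str, contents: bytes,
                purpose: str = "security-review") -> ReviewSignature:
    digest = hashlib.sha256(contents).hexdigest()
    mac = hmac.new(secret, _statement(module, digest, purpose), "sha256").hexdigest()
    return ReviewSignature(module, digest, reviewer, purpose, mac)


def verify_review(sig: ReviewSignature, keyring: dict) -> bool:
    secret = keyring.get(sig.reviewer)
    if secret is None:
        return False
    expected = hmac.new(secret, _statement(sig.module, sig.digest, sig.purpose),
                        "sha256").hexdigest()
    return hmac.compare_digest(expected, sig.sig)


def module_passes(module: str, contents: bytes, sigs, keyring: dict,
                  trusted: set, threshold: int) -> bool:
    digest = hashlib.sha256(contents).hexdigest()
    reviewers = {s.reviewer for s in sigs
                 if s.module == module and s.digest == digest   # not stale
                 and s.purpose == "security-review"             # right reason
                 and s.reviewer in trusted and verify_review(s, keyring)}
    return len(reviewers) >= threshold   # distinct trusted reviewers only


def failing_modules(modules: dict, sigs, keyring: dict, trusted: set,
                    threshold: int) -> list:
    """Modules lacking enough valid review signatures; empty means build."""
    return sorted(m for m, c in modules.items()
                  if not module_passes(m, c, sigs, keyring, trusted, threshold))


def demo() -> list:
    # Constructed sample data: three reviewers, two of them trusted.
    keyring = {"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"}
    trusted = {"alice", "bob"}
    modules = {"net/tls.c": b"int tls_handshake(void) { return 0; }\n",
               "util/log.c": b"void log_msg(const char *m) {}\n"}
    sigs = [
        sign_review(keyring["alice"], "alice", "net/tls.c", modules["net/tls.c"]),
        sign_review(keyring["bob"], "bob", "net/tls.c", modules["net/tls.c"]),
        sign_review(keyring["alice"], "alice", "util/log.c", b"old contents\n"),   # stale
        sign_review(keyring["carol"], "carol", "util/log.c", modules["util/log.c"]),  # untrusted
        sign_review(keyring["bob"], "bob", "util/log.c", modules["util/log.c"], "identity"),
    ]
    return failing_modules(modules, sigs, keyring, trusted, threshold=2)
```

In the sample, net/tls.c passes with two trusted reviews while util/log.c fails: its signatures are stale, from an untrusted key, or made for the wrong purpose.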

  20. Key Management is a complicated issue on Ask Slashdot: Is There a PGP Key Repository? · · Score: 1

    One should really split this into two issues:
    * "certification" -- individuals and organizations
    should certify the PGP public keys of software
    authors based on various criteria; I sign people
    I know, others might sign people who they're
    willing to vouch for as good people, etc.

    * "distribution" -- getting people to upload
    their keys to a keyserver or other repository.
    This does *not* require any trust. One could
    run a slashdot key server, or use the existing
    key server infrastructure.

    Do not merge the functionality! Otherwise you'll
    end up with x.509 CAs, and all the attendant
    crap. PGP uses the web of trust for a reason.