see also the canonical text on the subject
on
Pro MySQL
·
· Score: 4, Informative
(aside from mysql.com/doc/ of course): Zawodny's "High Performance MySQL", from O'Reilly. Highly recommended for DBAs and sysadmins looking to design, build and operate MySQL clusters, do backups and replication, and generally squeeze the most performance they can out of MySQL (and to a lesser degree, out of LAMP in general).
(no, the other rule one) use the right tool for the job. The author apparently wants to do what he does in Windows, but with Linux - this makes no sense to me. If all you want to do is what you're already doing in Windows, why bother to run something else? Just run Windows (or OS X) - you'll be able to do all the "exciting" consumer-grade stuff the author makes a fuss about (Outlook - woohoo! iTunes - hold me back!), and those of us who are interested in boring things like render farms, security research, virtualization, managing large-scale networks and getting actual work done (hello, CLI) will continue to be "bored" with UN*X, as we have been for 30 years.:)
The author appears to be a prime candidate for Windows or OS X - he has no apparently interest in the free software philosophy, or in the underlying power of UN*X, so why is he wasting his time running Linux (aside from finding a source of obvious and long-since-negated whining material)?/me rolls his eyes
yeah, I have a mac. No, I didn't buy it myself. No, I don't have an i{whatever}. I like my iBook because it runs UN*X with no tweaking required beyond initial setup. It behaves like a consumer desktop OS (read: runs MS Office for work-related junk) when I want it to, and behaves like a BSD workstation (read: transparent terms, decent package management and all the CLI and OS tools I expect a real workstation to have) when I want it to. Basically, it Just Works, which has become a major feature for me the past few years...
Re:Rackmount firewall hardware recommendations?
on
OpenBSD 3.9 Released
·
· Score: 2, Informative
for a really secure wireless connection, you may want to take a look at authpf(8), and use ssh to tunnel all your traffic (at least between your laptop and the gateway).
Re:Rackmount firewall hardware recommendations?
on
OpenBSD 3.9 Released
·
· Score: 1
oh, and you may also wish to check out Soekris gear - highly secure (run the OS from a RAM filesystem, set your CF media to read-only), very small, 12W power requirements, the net4801 (for example) ships with 3 fxp(4) interfaces and a miniPCI slot that can take either a wireless card or a hardware crypto accelerator (200Mbps AES-256 at line speed with near zero CPU overhead). Search the archives for Soekris and you'll get quite a few results.
Re:Rackmount firewall hardware recommendations?
on
OpenBSD 3.9 Released
·
· Score: 2, Informative
eRacks and Hawk are two of the commonly-suggested vendors that sell machines with hardware specifically chosen for OpenBSD compat (and will even pre-install, if that's your thing). I'd suggest any 1U generic box built in the last 5 years with 512-1024MB of RAM. Good NICs are going to be more important than CPU (fxp(4) is a good choice; see the misc@openbsd.org archives, since this question comes up regularly). Either of the above vendors (or others; check Google for "openbsd rackmount server") should be able to get you a 1U box with a good quad-port card in it (use the built-in port(s) for the management channel). Get a pair of identical machines and set up carp(4) so they can do failover and you should be set. You can terminate VPNs using isakmpd(8) or you can just use OpenSSH (supports tunneling any arbitrary traffic, including layer 2 stuff, as of v4.3).
as of version 4.3 (released a few months ago), OpenSSH can now tunnel _any_ arbitrary traffic (including layer 2 traffic) over SSH. The syntax is about as simple as traditional SSH port forwarding, although the developers note that it may not be suitable for latency-sensitive apps (e.g. VoIP) due to the crypto overhead.
Fixes the one weakness in sudo (lack of logging on root shells) that people have been complaining about for years. Log everything that happens in a root shell (sudo -s, sudo/bin/bash, etc.), including keystrokes within editor sessions, as well as timing information (exactly when and how quickly things were typed), and playback recorded sessions later. My favorite use of sudosh is to do something particularly complicated within sudosh so that it's recorded, and then tell junior admins to go replay the session to see what I did, and in what order.
Ironically, the only system it doesn't seem to compile on yet is OpenBSD (possibly Free and Net as well; haven't checked) - although I hear Todd Miller may be planning to incorporate the sudosh functionality into the sudo code tree.
I've been running OpenBSD on Sony VAIO laptops (PCG-SR17 and PCG-F560) for years (since OpenBSD-2.7 anyway; fall 2000) with great results. I have them both in dualboot setups with whatever version of Windows shipped on them, to preserve some of the more interesting software bits that Sony bundles (as well as DVD playback, which wasn't really available back in 2000 on OpenBSD, via a PCMCIA DVD-ROM).
I had a [very] brief stint at a turkey processing plant one summer (about 2 weeks) before I got into system administration and networking. Without going into too much detail, let's just say:
factory kept at 35 degrees F
I frequently stood in half an inch of water and turkey guts
you do not want to know what is done with the turkey that doesn't appear in the nice deli-sliced turkey breast packages in your grocery store. Seriously. Two words: vacuum cleaner.
boredom got to be so bad after a few days that I would try to work out random square roots in my head to keep my mind occupied whilst toting 200 pound empty gray plastic bins (used to hold turkey carcasses on ice) over to the washing station. I am not making this up, and I'm also not a big fan of arithmetic.
woke up before 5 AM daily in order to drive to this place. I had a "uniform" of clothes I wore only to work and nowhere else, and I left them outside the house because they were soaked with turkey water, the smell of which no amount of cleaning could remove. My car was unsuitable for human habitation.
The immigrants that I worked with, mainly from south of the border, speaking little to no English, were VASTLY more intelligent than the local boys that worked there. After a few days, I just didn't say anything to anybody - conversation with the English speakers was simply too painful, and my Spanish isn't good enough for extended dialogue.
the final straw was the mandatory overtime on not just Saturday but Sunday as well. 2 weekends in a row.
Suffice to say, I have a very deep respect for the immigrants that many of us Americans look down on, doing jobs we'd never do, and being thankful for the opportunity. Those of us born in the States have been impossibly blessed by that fact alone.
"Some nice suggestions made by big names in the software industry have been included, such as creating more easily traceable methods of people (i.e. trying to eliminate online anonimity) as a method of preventing hackers. One suggestion which I thought was partictularly interesting involved a bounty system whereby a price would be put on 'hacker's heads', incentivating other hackers to go after them and bring them forward."
These suggestions appear to be good, but they attack the symptom (hackers exploiting holes) rather than the real problem (consistently bad software). Until and unless the real problem is fixed, no amount of bounties, tracking or other attempts to keep people from abusing the system will have much effect.
There will always be ways to get around security controls, and as long as Microsoft is providing clever attackers with millions upon millions of easily controllable zombie hosts, the problem - and its symptoms - will not go away. Trying to force people to not take advantage of holes just waiting to be exploited is a losing proposition.
All this energy wasted dreaming up ways to prevent blackhats from taking advantage of Microsoft's lack of interest in security would be much better spent looking at ways to prevent such widespread and continual holes from being foisted upon the public in the first place.
Every time a new worm comes out (bi-monthly, it seems), I keep wondering how much abuse people will take before they 1) decide to stop paying for the privilege of being abused, and 2) realize where the abuse is coming from. I know I'm preaching to the choir on this one, but I blew off some steam with a rant this morning. Enjoy.
if your named was running in a chroot jail to begin with. Like, say, OpenBSD's. The more vulnerabilities I see published, the more I see the truth in what Bruce Schneier was talking about when he noted that total security can not be achieved, and the the goal of developers should instead be software and systems that fail gracefully.
Running your daemons with restricted privs, in a chroot jail, is a great example of software that fails gracefully.
Sean Donelan wrote an excellent piece on requirements for various degrees of uptime in NOCs. It's not too specific, but it gives a good idea of the numbers involved. Read it here.
Apparently my submission of this same story was too late, but I included a link to the FTC proposal to create a national registry of numbers that telemarketers CANNOT call. They have extended the public comment period, so go make yourself heard.
It's important to remember that just because there may be no shortage of candidates with CS degrees, MCSE, , that does NOT mean there is an equally sufficient number of skilled, gifted or CLUEFUL individuals for a given position.
The real shortage, in my experience, is not in the number of people getting into the IT field - we have more than ever before. In fact, we're practically flooded in comparison with recent years. But we're not being flooded with clueful, knowledgeable, SKILLFUL sysadmins/network admins/engineers. Most of the tide, like *any* popular movement, is filled with people who are along because it's popular, pays well, or because they want to get in on "the next big thing."
The individuals who are here because they love what they're doing, would be doing it for free if they weren't making a career out of it, and have a firm grasp on the cluebat still seem to be fairly few and far between.
A degree/certification doth not a competent admin/engineer make.
This story, while it has some new links, is basically a duplicate of the story I posted back in May on the same subject.
http://slashdot.org/bsd/00/05/09/053244.shtml
The ORA story on OpenBSD (in fact, the whole series) is pretty good, as would be expected from ORA. However, it's not much new information in comparison to the earlier story, and the howto at 2600.org.au.
Actually, I have only installed OpenBSD once, and Linux at least a couple dozen times. I rarely get the linux install right the first time, but I got OpenBSD on there, right, the first time, and it autodetected all my hardware. Almost no tweaking was required on my part to get it running (that came later with ipf and ipnat). All my hardware (2 different nics, sound card, video card, pretty generic) was supported off the bat. Again, no downloads or tweaking required. All in all, one of the better installation experiences I've had, especially considering there was no GUI and no manual. Just the FAQ from openbsd.org which I'd printed out the day before.
I had much more trouble with the 2-3 installs I did for Linux-Mandrake 6.0, with it's lovely GUI, than I did with OpenBSD.
A bit more research will reveal some interesting facts - for example, IPv6 switchover will *not* have to be forced. Why? Because it's designed to be COMPLETELY backwards-compatible with existing IPv4 protocol and hardware. As to address space... ISPs won't be able to charge for what they don't have; namely v4 address space, which will be disappearing shortly. The analogy of IPv6 to mass counterfeiting is completely off the mark. IPv6 is superior in countless ways to IPv4, and ANYBODY that has done any kind of research into it will not dispute that fact, even people that might stand to make a few bucks (temporarily) from the shortage of IPv4 addresses. Do what was suggested by a previous poster - take a couple hours and read up on this issue at: 6bone.net IPv6.net IPv6.com All of those pages have a good number of links to sites that will provide detailed explanations of the issues involved here.
well spoken, sir. In my own (admittedly limited) experience, the people who are most enjoying all the hype KNOW it's hype. They're not being tricked, or suckered, or manipulated by The Man and Corporate Money(tm). People get excited about what they choose to be excited about. In my area, the people most excited and who are buying into the hype to the greatest degree AREN'T naive kids or teens trying to own more merchandise than their peers - those who are the most manic tend to be people from about my age (23) to about 10 or 15 years older, who remember how much fun the HYPE (and the movies) were as a kid, and are trying to relive it now. The actual movie itself is NOT the biggest part of what's going on here, and we need to remember that. To a great degree, what makes Star Wars and its assorted sequels and other similar movies so much fun and so wildly successful is precisely the hype that people are criticizing. HYPE IS FUN! PEOPLE LIKE TO GET EXCITED! While I certainly agree that the KFC/PH/TB ad was in poor taste, I'm not going to stop eating Tacos in protest. Let's keep this in perspective - the same people who are screaming "It's just a movie! Get a life!" need to remember "It's just hype! No big deal!" The "desecration" of the Star Wars mythos by commercialization is what people seem to be upset about. To that I say - why did any movie ever get put on such a high spiritual pedestal to begin with? It IS just a movie - so let's have fun with it, enjoy the hype, poke fun at the dweebs who've been in line for two weeks or more, but take the entire debate with a grain (or three) of salt. I'm personally not buying merchandise (I'm too poor) but I enjoy seeing the excitement of people who do, and listening to all the hype by kids from 4 to 44. It's not often that a single event can so thoroughly capture the interest of such a wide demographic group. Ack, that was too long-winded. Well, in closing: HYPE IS NOT EVIL. HYPE IS JUST HYPE. Enjoy it if you can, ignore it if you can't, but don't get all bent out of shape because it's there. The Star Wars series was never intended to be one of non-hype "artsy" type films. Let's stop being offended because people are reacting to it as could be expected.
are definitely the root cause of this problem, you are absolutely right. Unfortunately, history has shown conclusively that morality cannot be legislated (the War On Drugs (tm), etc), it must come from within and from the society as a whole. Both sides on the gun control issue need to stop stating the problem (kids - and people in general - killing others) and a *single* cause or statistic, and look at the ENTIRE issue, and ALL the facts and causes that are relevant. Anybody can quote statistics to support virtually ANY position. Doesn't make it relevant, though.
Slashdot Mirror
(aside from mysql.com/doc/ of course):
Zawodny's "High Performance MySQL", from O'Reilly. Highly recommended for DBAs and sysadmins looking to design, build and operate MySQL clusters, do backups and replication, and generally squeeze the most performance they can out of MySQL (and to a lesser degree, out of LAMP in general).
(no, the other rule one) use the right tool for the job. The author apparently wants to do what he does in Windows, but with Linux - this makes no sense to me. If all you want to do is what you're already doing in Windows, why bother to run something else? Just run Windows (or OS X) - you'll be able to do all the "exciting" consumer-grade stuff the author makes a fuss about (Outlook - woohoo! iTunes - hold me back!), and those of us who are interested in boring things like render farms, security research, virtualization, managing large-scale networks and getting actual work done (hello, CLI) will continue to be "bored" with UN*X, as we have been for 30 years. :)
/me rolls his eyes
The author appears to be a prime candidate for Windows or OS X - he has no apparently interest in the free software philosophy, or in the underlying power of UN*X, so why is he wasting his time running Linux (aside from finding a source of obvious and long-since-negated whining material)?
http://jwz.org/images/iProduct.gif
...
'nuff said.
yeah, I have a mac. No, I didn't buy it myself. No, I don't have an i{whatever}. I like my iBook because it runs UN*X with no tweaking required beyond initial setup. It behaves like a consumer desktop OS (read: runs MS Office for work-related junk) when I want it to, and behaves like a BSD workstation (read: transparent terms, decent package management and all the CLI and OS tools I expect a real workstation to have) when I want it to. Basically, it Just Works, which has become a major feature for me the past few years
for a really secure wireless connection, you may want to take a look at authpf(8), and use ssh to tunnel all your traffic (at least between your laptop and the gateway).
oh, and you may also wish to check out Soekris gear - highly secure (run the OS from a RAM filesystem, set your CF media to read-only), very small, 12W power requirements, the net4801 (for example) ships with 3 fxp(4) interfaces and a miniPCI slot that can take either a wireless card or a hardware crypto accelerator (200Mbps AES-256 at line speed with near zero CPU overhead). Search the archives for Soekris and you'll get quite a few results.
eRacks and Hawk are two of the commonly-suggested vendors that sell machines with hardware specifically chosen for OpenBSD compat (and will even pre-install, if that's your thing). I'd suggest any 1U generic box built in the last 5 years with 512-1024MB of RAM. Good NICs are going to be more important than CPU (fxp(4) is a good choice; see the misc@openbsd.org archives, since this question comes up regularly). Either of the above vendors (or others; check Google for "openbsd rackmount server") should be able to get you a 1U box with a good quad-port card in it (use the built-in port(s) for the management channel). Get a pair of identical machines and set up carp(4) so they can do failover and you should be set. You can terminate VPNs using isakmpd(8) or you can just use OpenSSH (supports tunneling any arbitrary traffic, including layer 2 stuff, as of v4.3).
as of version 4.3 (released a few months ago), OpenSSH can now tunnel _any_ arbitrary traffic (including layer 2 traffic) over SSH. The syntax is about as simple as traditional SSH port forwarding, although the developers note that it may not be suitable for latency-sensitive apps (e.g. VoIP) due to the crypto overhead.
Fixes the one weakness in sudo (lack of logging on root shells) that people have been complaining about for years. Log everything that happens in a root shell (sudo -s, sudo /bin/bash, etc.), including keystrokes within editor sessions, as well as timing information (exactly when and how quickly things were typed), and playback recorded sessions later. My favorite use of sudosh is to do something particularly complicated within sudosh so that it's recorded, and then tell junior admins to go replay the session to see what I did, and in what order.
Ironically, the only system it doesn't seem to compile on yet is OpenBSD (possibly Free and Net as well; haven't checked) - although I hear Todd Miller may be planning to incorporate the sudosh functionality into the sudo code tree.
I've been running OpenBSD on Sony VAIO laptops (PCG-SR17 and PCG-F560) for years (since OpenBSD-2.7 anyway; fall 2000) with great results. I have them both in dualboot setups with whatever version of Windows shipped on them, to preserve some of the more interesting software bits that Sony bundles (as well as DVD playback, which wasn't really available back in 2000 on OpenBSD, via a PCMCIA DVD-ROM).
See http://darkuncle.net/OpenBSD/ for details.
--
- factory kept at 35 degrees F
- I frequently stood in half an inch of water and turkey guts
- you do not want to know what is done with the turkey that doesn't appear in the nice deli-sliced turkey breast packages in your grocery store. Seriously. Two words: vacuum cleaner.
- boredom got to be so bad after a few days that I would try to work out random square roots in my head to keep my mind occupied whilst toting 200 pound empty gray plastic bins (used to hold turkey carcasses on ice) over to the washing station. I am not making this up, and I'm also not a big fan of arithmetic.
- woke up before 5 AM daily in order to drive to this place. I had a "uniform" of clothes I wore only to work and nowhere else, and I left them outside the house because they were soaked with turkey water, the smell of which no amount of cleaning could remove. My car was unsuitable for human habitation.
- The immigrants that I worked with, mainly from south of the border, speaking little to no English, were VASTLY more intelligent than the local boys that worked there. After a few days, I just didn't say anything to anybody - conversation with the English speakers was simply too painful, and my Spanish isn't good enough for extended dialogue.
- the final straw was the mandatory overtime on not just Saturday but Sunday as well. 2 weekends in a row.
Suffice to say, I have a very deep respect for the immigrants that many of us Americans look down on, doing jobs we'd never do, and being thankful for the opportunity. Those of us born in the States have been impossibly blessed by that fact alone.There will always be ways to get around security controls, and as long as Microsoft is providing clever attackers with millions upon millions of easily controllable zombie hosts, the problem - and its symptoms - will not go away. Trying to force people to not take advantage of holes just waiting to be exploited is a losing proposition.
All this energy wasted dreaming up ways to prevent blackhats from taking advantage of Microsoft's lack of interest in security would be much better spent looking at ways to prevent such widespread and continual holes from being foisted upon the public in the first place.
Every time a new worm comes out (bi-monthly, it seems), I keep wondering how much abuse people will take before they 1) decide to stop paying for the privilege of being abused, and 2) realize where the abuse is coming from. I know I'm preaching to the choir on this one, but I blew off some steam with a rant this morning. Enjoy.
if your named was running in a chroot jail to begin with. Like, say, OpenBSD's. The more vulnerabilities I see published, the more I see the truth in what Bruce Schneier was talking about when he noted that total security can not be achieved, and the the goal of developers should instead be software and systems that fail gracefully.
Running your daemons with restricted privs, in a chroot jail, is a great example of software that fails gracefully.
Sean Donelan wrote an excellent piece on requirements for various degrees of uptime in NOCs. It's not too specific, but it gives a good idea of the numbers involved.
Read it here.
Apparently my submission of this same story was too late, but I included a link to the FTC proposal to create a national registry of numbers that telemarketers CANNOT call. They have extended the public comment period, so go make yourself heard.
http://darkuncle.net/ac3dec/
okay, one more time:
'MCSE, [insert pointless certification here],'
grrr
that should have read 'CS degrees, MCSE, ,'
forgot to uncheck HTML formatting. D'oh.
It's important to remember that just because there may be no shortage of candidates with CS degrees, MCSE, , that does NOT mean there is an equally sufficient number of skilled, gifted or CLUEFUL individuals for a given position. The real shortage, in my experience, is not in the number of people getting into the IT field - we have more than ever before. In fact, we're practically flooded in comparison with recent years. But we're not being flooded with clueful, knowledgeable, SKILLFUL sysadmins/network admins/engineers. Most of the tide, like *any* popular movement, is filled with people who are along because it's popular, pays well, or because they want to get in on "the next big thing." The individuals who are here because they love what they're doing, would be doing it for free if they weren't making a career out of it, and have a firm grasp on the cluebat still seem to be fairly few and far between. A degree/certification doth not a competent admin/engineer make.
This story, while it has some new links, is basically a duplicate of the story I posted back in May on the same subject. http://slashdot.org/bsd/00/05/09/053244.shtml The ORA story on OpenBSD (in fact, the whole series) is pretty good, as would be expected from ORA. However, it's not much new information in comparison to the earlier story, and the howto at 2600.org.au.
Actually, I have only installed OpenBSD once, and Linux at least a couple dozen times. I rarely get the linux install right the first time, but I got OpenBSD on there, right, the first time, and it autodetected all my hardware. Almost no tweaking was required on my part to get it running (that came later with ipf and ipnat). All my hardware (2 different nics, sound card, video card, pretty generic) was supported off the bat. Again, no downloads or tweaking required. All in all, one of the better installation experiences I've had, especially considering there was no GUI and no manual. Just the FAQ from openbsd.org which I'd printed out the day before.
I had much more trouble with the 2-3 installs I did for Linux-Mandrake 6.0, with it's lovely GUI, than I did with OpenBSD.
A bit more research will reveal some interesting facts - for example, IPv6 switchover will *not* have to be forced. Why? Because it's designed to be COMPLETELY backwards-compatible with existing IPv4 protocol and hardware. As to address space ... ISPs won't be able to charge for what they don't have; namely v4 address space, which will be disappearing shortly. The analogy of IPv6 to mass counterfeiting is completely off the mark. IPv6 is superior in countless ways to IPv4, and ANYBODY that has done any kind of research into it will not dispute that fact, even people that might stand to make a few bucks (temporarily) from the shortage of IPv4 addresses. Do what was suggested by a previous poster - take a couple hours and read up on this issue at: 6bone.net
IPv6.net
IPv6.com
All of those pages have a good number of links to sites that will provide detailed explanations of the issues involved here.
well spoken, sir. In my own (admittedly limited) experience, the people who are most enjoying all the hype KNOW it's hype. They're not being tricked, or suckered, or manipulated by The Man and Corporate Money(tm). People get excited about what they choose to be excited about. In my area, the people most excited and who are buying into the hype to the greatest degree AREN'T naive kids or teens trying to own more merchandise than their peers - those who are the most manic tend to be people from about my age (23) to about 10 or 15 years older, who remember how much fun the HYPE (and the movies) were as a kid, and are trying to relive it now. The actual movie itself is NOT the biggest part of what's going on here, and we need to remember that. To a great degree, what makes Star Wars and its assorted sequels and other similar movies so much fun and so wildly successful is precisely the hype that people are criticizing. HYPE IS FUN! PEOPLE LIKE TO GET EXCITED! While I certainly agree that the KFC/PH/TB ad was in poor taste, I'm not going to stop eating Tacos in protest. Let's keep this in perspective - the same people who are screaming "It's just a movie! Get a life!" need to remember "It's just hype! No big deal!" The "desecration" of the Star Wars mythos by commercialization is what people seem to be upset about. To that I say - why did any movie ever get put on such a high spiritual pedestal to begin with? It IS just a movie - so let's have fun with it, enjoy the hype, poke fun at the dweebs who've been in line for two weeks or more, but take the entire debate with a grain (or three) of salt. I'm personally not buying merchandise (I'm too poor) but I enjoy seeing the excitement of people who do, and listening to all the hype by kids from 4 to 44. It's not often that a single event can so thoroughly capture the interest of such a wide demographic group. Ack, that was too long-winded. Well, in closing: HYPE IS NOT EVIL. HYPE IS JUST HYPE. Enjoy it if you can, ignore it if you can't, but don't get all bent out of shape because it's there. The Star Wars series was never intended to be one of non-hype "artsy" type films. Let's stop being offended because people are reacting to it as could be expected.
Time to pull out the ol' video library and check the film titles (it's Wrath of Khan - and I'm not even a serious trekker)
are definitely the root cause of this problem, you are absolutely right.
Unfortunately, history has shown conclusively that morality cannot be legislated (the War On Drugs (tm), etc), it must come from within and from the society as a whole.
Both sides on the gun control issue need to stop stating the problem (kids - and people in general - killing others) and a *single* cause or statistic, and look at the ENTIRE issue, and ALL the facts and causes that are relevant.
Anybody can quote statistics to support virtually ANY position. Doesn't make it relevant, though.