Hence, whether or not it is secure is all a matter of opinion. Personally, I think if you can't run SSH out in the open, you shouldn't run it through an obscurity filter.
We have no SSH configured on our outside network. Not with OTP, not from only allowed IPs. Not from only a specific port. Not with KnownHosts only. Not with known RSA keys only.
You want on, you've gotta be in the building. It'd be nice to fix problems while remote, but it's just not an option because of the security problems it presents. I live within a mile of the building, specifically so not having remote access isn't a big deal. I can go from sleeping in bed to in the building in less than 10 minutes. It's a pain for small problems. However, it's a small issue in comparison to dealing with a full-blown network break-in due to SSH.
On occasion, I believe we have had someone local build an SSH tunnel that we can VPN through onto our network. However, someone who already had access had to initiate the connection by hand with the correct IP. That's only allowed if we voice authenticate you.
Hmmm, it's probably hard to do on a large enough scale without getting caught that it's worth the spammer's while. However, breaking into a router isn't terribly difficult. At which point, yes, you could pull this off. Forging an IP just involves getting a router that is upstream from the receiver compromised, and setting up a tunnel to it. Now, I don't have to guess the sequence number or any of that nonsense. Just start a TCP connection and run it like normal. Since I'm at a major upstream router for that mail server, all I have to do is capture the packets destined for the connections I initiated, and forward the ones that didn't. No sequence number guessing at all. There are enough hacks out there for Cisco routers that don't get upgraded that I'm willing to bet it could be pulled off at an impressive scale. The biggest problem will be having an IP packet escape and having the real IP send a TCP error that closes the connection.
Finally, it's not merely about forging IPs. You also could forge DNS entries. Which isn't that hard (especially if they served up real answers for the non-SPF/TXT requests). As someone who's been hacked by a DNS poison attack, clearly it's possible. Most DNS transactions are done via UDP, which isn't the most secure way to do transactions.
Again, this all comes down to who I trust. I don't trust everyone on the internet to do this properly. If nothing else, you'll just cause the spammers to sign up for a one-time domain name, set up the SPF, spew their spam. Sign up for a new domain name, set up the SPF, spew their spam. They can use register.com to run the DNS, handing out lists of zombie computer IPs as approved for sending spam. (They've now handed you a list of computers to blacklist, but I'm not sure how good an idea that is).
It's a zero-sum game. If it is easy for me to do, it's easy for the spammer to do. Thus it will be broken by the spammers. The only way to truly put a hurting on spammers is to change the economics of it significantly. Explain to me how SPF does that. Sending e-mail that is encrypted changes how much money it takes to send bulk e-mail. Allowing mailing lists to essentially opt out of that keeps the economics sane for them.
Two points. Technically speaking, the ISP could do all of it for you. There is no need for you to know your GPG key (it's useless to you). They could do everything but set up the mailing list keys. At which point, once this setup is common enough, I'm sure ISPs will automate this. Just verify the most commonly used keys that didn't get accepted. Add them to the known whitelist you trust at the ISP level. Technically, there is no need for an individual to have a single key. The ISP could have only 1 key, or could have 1 key for 10 users.
This technically speaking won't stop SPAM. However, it will change the economics of it.
Finally, filtering SMTP 25 has been done for ages on plenty of networks. I've had it done to me when I was in Rolla, MO in 1998 or so.
Again the problem is that I can't control all the networks in the world. I can only control mine. I want a solution that puts me in control. I have no interest in a solution that involves me trusting the entire internet.
Hmmm, "Sender Pays" is a technical fiasco. There's a reason that micropayment doesn't exist. The only reason sender pays works just fine for the US Post Office is because there is only one party to buy postage from, and you buy it and tack something physical on a real piece of mail.
What charge are you going to have for sending a piece of mail? Is it a penny? What happens once you get charged a penny for a piece of mail you didn't send? What happens when you get charged a penny a quarter of a million times for a piece of mail you didn't send? How does the ISP keep track of who racked up the charges? How does the ISP bill the consumers for it?
Because I might have to make fiscal transactions with, say, 500-10000 different financial institutions, that will have a transaction fee that far exceeds what any sane person would be willing to pay to send a piece of mail. So once you solve this minor issue, that lots of people have been working on for years, it might just work. (E-mail might be just the leverage you need to pull this off; micropayments have never really had a killer app).
However, forcing someone to do a math problem has an absolutely trivial solution to new hardware. Make the problem harder. Nearly all of the problems involve doing some type of math problem. Want to make it more expensive? Require them to do the same problem, but with bigger numbers. Your next problem is that spammers will pay $20K to get custom-built hardware to do the problems orders of magnitude faster than any generic piece of hardware could do it.
Finally, the easiest way is to get all outgoing SMTP servers to add an X-Header signature to all e-mails. This e-mail minus the X-Header's digital digest with the private key on a public web of trust is "XYZ". Now your problem is that you've created an incentive for people to steal private keys. The private keys will have to be kept pretty much in the clear somewhere on the machine (which will be a problem).
Now you've just made the size of each e-mail significantly larger (most signatures are 1-4K if I remember correctly).
Now you have to solve the PKI problem.
Finally, my preferred solution is to force the sender to sign the mail using the GPG key I give them. Technically speaking, they could sign it with any key they want, but I whitelist in any signature using my public key, and the public keys that are used on the mailing lists I'd like to follow. Then mailing lists only have to sign one mail message and send lots of duplicates of that single signature. Now, getting past my spam filter requires that you deal with an object that I control. So if Yahoo gets their private key stolen, some spammer will start spewing spam that can get past nearly all ISPs' spam filters where the SMTP just signs the mail. In my system, I couldn't care less. My public/private key (which is only used for this; I have another one for authenticating who I am) has no value. I'll gladly post both of them to the net. I can make it easy for people who I want to send me mail, and all my mail has some form of digital checksum on it. All of which is good. My only problem would be if someone found a mailing list's private key. All I'd have to do is then tell the admin that his key has been compromised and somebody is sending spam with it.
I'm not fond of SPF, because all someone has to do is be able to forge an IP, which isn't particularly difficult. I can't control all the nasty corners of the internet. I can control what key I force you to use, and I can control what lists I put on my trusted key list if they cause problems for me.
The biggest problem with my solution is that it requires everyone to change how they work. Technically all they have to do is go fiddle with sendmail a bit and add an outgoing X-Header; I can use that to whitelist people in until it reaches critical mass. Then I can just blacklist anybody who doesn't do that to outgoing mail.
You're kidding, right? Tolkien's stories have been widely read and considered with high regard for 40 years (they were written and published between 1940-1955 if I remember correctly). Tolkien did one of the original translations of Beowulf, and is the one who published papers showing that it should be considered one of the great stories.
Tolkien's is one of the most widely published books, and one of the more widely read books worldwide. Tolkien wrote it to be a mythology for the British. That is to say, a mythology that the British could say was originally their own. Tolkien, from what I've read, was always searching for old original stories from Britain. That's how he turned up Beowulf. He wrote a children's story in "The Hobbit", and so many people requested more information about that world, about the time, that he expanded it to be one of the largest and most comprehensive stories of the time. Tolkien is the benchmark that any author would be happy to match.
I've got my original copy of LotR. It was the one my brother read, that my sister read, that my other sister read. The one that I read, the one that I've loaned to lots of other people. My copy is from the mid 1970's; it's one my brother stole from the high school library, and it sure isn't a first printing. LotR was a major book the day it was published. If you didn't know about it in high school, that doesn't mean it isn't well known, or serious literature. Next I suppose you'll tell me that Quantum Mechanics and the Theory of Relativity are "new theories", because they didn't teach them to you in your high school science class.
They don't make you read it in high school, but possibly that has something to do with the fact that it's 1500 pages long, and takes a great deal of time to read? Ever notice that most schools never require you to read novels longer than about 250 pages? It's a time commitment issue. No high school I know makes you read "Ulysses" either (the book that is well over a thousand pages, that covers a single day's events during the Civil War era). That doesn't mean it's not considered "serious literature" (as crappy as I hear it is to read).
The truly sad part about that is that, from what I saw in Kill Bill Vol. 1, they probably should have just edited the damn thing down into a single 2.5-hour movie. I'm pretty sure the first movie had at least 35-55 minutes of content that could have been dropped out.
Hmmm, how many people will I get to explain this to? Stability and security upgrades being easy to apply has nothing to do with "production deployable" (think of production deployable as being the opposite of "hobbyist").
For what it's worth, I hate Debian. Tried to install it once, and it was a horrible experience. I've run a couple of Knoppix ISOs because they had some neat security tools on them that I could check for rootkits with. The exact same arguments I'm going to make involving Debian could be made with SuSE, the old "RedHat Linux", RHEL. I only contrasted Fedora with Debian because that is what the post I was responding to brought up. He said it was in the same class as Debian in terms of "non-hobbyist", and it isn't.
Fedora Core could never, ever crash, and it wouldn't be production deployable.
Fedora Core could never ever have a zero-day exploit, and always have a security fix ready and available the moment a security problem is found by a cracker. It still wouldn't be production deployable.
Fedora Core's modus operandi (MO) is to keep on the upgrade treadmill. That is fundamentally counter to "production deployable". Here, try this one on for size:
Use a third-party module for Apache. Apply Fedora Core's Apache upgrades. It's possible that your third-party module no longer works because the new Apache version is no longer binary compatible with the old Apache version. I've tracked a project that constantly changes the Apache API/ABI (Subversion). If Fedora kept pace with Subversion and Apache, they could really screw up third-party modules for Apache. So now my options are:
Not use the third party module (which isn't an option, if I could have done that, I would have in the beginning).
Run an insecure old version of Apache.
Attempt to either patch the old version of Apache, or find someone else who already has done that and use theirs, or follow their instructions.
From that point on, I will forever have to do my own fixes for Apache until I can get a new version of the third party module that works with Fedora Core's upgraded module. Even if I have the source to the third party module, I'll have to remember to rebuild it. That's still a pain.
That is a case in point of where Debian Stable (as out of date as it is) would be superior to the policy that Fedora Core professes to follow.
Even if Fedora never crashed, and always promptly had security fixes, the above scenario is precisely why it isn't "production deployable".
We can go through the same process with how long security fixes are going to be provided for:
I don't ever upgrade distros in place. I have 24x7 machines; if something goes wrong, I'm screwed. I build new machines and migrate services so that there is very minimal downtime. That's production deployable. When Debian releases a Stable Release, it'll be 2-3 years until they release a new stable (much to the chagrin of Debian users). That means you only have to do that process every 2-3 years (which nicely matches our new hardware purchasing timetable).
With Fedora Core, I either have to upgrade in place, with no safety net (other than tape backup), or I have to do the migrations every 6-9 months to ensure that Fedora will be providing me with security fixes. That's not "production deployable".
Fedora Core can be the end-all, be-all of Linux distributions in terms of uptime, stability, and timely security fixes. However, that doesn't move it out of the category of "hobbyist". What moves it out of the category of "hobbyist" is security upgrades that will never, ever break the system, and security upgrades being provided for that version for at least X months, where X is larger than 18-24 months. Fedora Core doesn't fit the bill.
Tell me what a pleasure Fedora Core 1 is 18 months from now. Tell me about how no security fix they release has ever caused an hour of downtime. Tell me that Fedora Legacy is working flawlessly, and is still supporting Fedora
I'm not sure if you are ranting at me and being a Debian zealot. I steer people away from Debian. I bleed RedHat blue, so to speak. I saw the light somewhere around RedHat 5.2 or so. Never looked back. I'll read RedHat for everything. I own every copy of RedHat as a boxed set since 5.2 or so. I've even got a copy of the Professional desktop that is sold via retail chain stores. I'm a rah, rah RedHat guy. Got it! I can be a zealot for RedHat at points, but never ever for Debian.
You are failing to connect the dots... That sentence in the grandparent where I said: "I've never used debian, except for a Knoppix CD" (I've booted Knoppix precisely twice to check the two security-based Knoppix ISOs). Which portion of that sentence didn't you understand? I'll gladly diagram it for you. Now that I've gone and personally attacked you, you can respond to that being a strawman. At least then you'll have a leg to stand on.
I'm not a Debian Bigot. I'm not a Fedora critic either. I've never actually run Fedora (I've followed the mailing lists, and answered questions about it, but never actually installed it, even though I have a local mirror of it at home).
Fedora has specific policies that run directly counter to the concept of "production quality, enterprise ready" in my humble opinion. Debian has qualities that jump up and down and scream: "Production Quality, enterprise ready".
Now, Fedora might well move away from the original intents that RedHat laid down for them. Fedora is in fact a "bleeding edge" distro. It's designed to be that way, and stay that way, if they hold true to the core beliefs laid out at the Fedora website. Which leads me to conclude that "Fedora is no more hobbyist than Debian" is intellectually dishonest. Which is what my post explained. Fedora Core is designed to be a moving target to push that distribution far ahead. If you don't want to play ball, you'll fall behind, and Fedora won't come back and help you. Fedora Legacy might, but I want to see their track record before I start saying nice things about them.
RedHat has done lots of good for the OSS community. It's why I own all their recent products. It's why we run RHEL at my office (because I insisted we purchase it). However, that does not make all things RedHat infallible. If you want to go see a nice bit of zealotry, try reading your own post. I've been nice and polite (barring the first couple of paragraphs of this post).
I never said Fedora isn't stable. I never said Fedora isn't secure. What I said is that Fedora isn't "production ready", because on an ongoing basis, it is the project's policy to do things that are fundamentally counter to ensuring that upgrading your system for security updates will never break the system. I said that Fedora has a written policy to not support systems for long enough for me to be comfortable deploying them for production use. I don't like distro upgrades. I do new installs and migrate services.
RedHat carefully designed Fedora specifically so it can't ever be depended upon for sane production use. They took all the best qualities of "RedHat Linux", fixed all the things that drove people nuts about it, and called that "RHEL". They took all the parts that are left over and turned them into "Fedora Core". Fedora takes a number of problems that people complained about in "RedHat Linux", and makes them worse.
People used to complain, RedHat had too many releases too often, so it is hard to stay current. Fedora Core makes this problem worse.
People used to complain RedHat doesn't support their products for long enough. Fedora made this worse.
RedHat at least used to guarantee binary compatibility of security fixes. Fedora Core doesn't.
The reasons people used to think that "RedHat Linux" wasn't good for production use got worse via Fedora Core, not better. Fedora Core's fundamental operating principle appears to be "upgrade to the latest greatest stuff, and we will fix it".
I've seen Fedora Legacy. It's nice and all, but until it has some kind of track record, that doesn't count as "production ready" to me. It could be wonderful, but I highly doubt it will stand up to Debian in terms of long-term highly stable distributions. I don't like Debian, and I don't use it.
I've got serious concerns about their ability to support the sheer number (4 Core releases, probably for 3-6 platforms for each release once it gets going) of distros that Fedora Core is putting out over a two-year period. It's part of the reason that RedHat gave up RedHat Linux; it's the reason they had the EOL policies they did. It was too many distros to support.
I'm a lot more likely to follow White Box Linux (or any of the other RHEL rebuilds) than I ever would be to follow Fedora Core for a production server. I'm a lot more comfortable with building and signing my own binary packages from a RedHat SRPM when a security fix needs to happen than dealing with the fallout of upgrading packages.
Fedora Core made a decision, and the docs I'd read made it clear to me they understood the repercussions of not backporting a fix. They delineated them, and then said: "This is a cutting edge platform, if you want stability, use RHEL". Some of that is RedHat's sales pitch. However, I've read the documentation; if they do what they set out in their plan, I'll happily pass. I won't even bother using it at home. It really is run like it is for a home distro. Just like I wouldn't run Debian Unstable/Testing on production machines, even though I know they are pretty reliable, I'm still not doing it.
There's a reason that Debian only has one "Stable" (yes, it's for 9 platforms): supporting multiples of them is time consuming. Also, if they supported 3 of them, it would go back to the 2.0 kernel series if I remember correctly.
It's also not *really* a hobby distro, any more than Debian is.
I take exception to that point. Debian has a very, very long history of doing two things:
1. Debian Stable is a long-standing distro with support best measured in multiple years. Fedora Core says 6 months of support.
2. Debian always backports security fixes to stable. Fedora Core's policy is explicitly to upgrade to the latest packages (even if that means your config files are now broken, and the API/ABI is incompatible, so plugins break).
I know that Debian at one point had a very abrupt EOL notice (on the order of a month or two), when they transitioned from one stable to another. Which would be really annoying, but if it only happened every 2-3 years, I'd deal with it.
I'm not much of a Debian user. In fact, I've never used it, other than a Knoppix live distro.
I can't honestly recommend to anyone I know to use Fedora on any machine but one they use at home, where having upgrade problems and downtime is acceptable. Fedora Core's development model is very, very unfriendly to deploying in a production environment, especially if it's any place where security is a concern. I suppose I could use it someplace where I didn't have a net connection, but I don't know of too many machines that don't have a net connection.
Nope, not ready for production. For two reasons, that have nothing to do with its stability while running:
First, it has 6 month support cycles. You have problems, after the first 6 months, don't expect the Fedora Core people to be obliged to help you.
Second, the standard security fix policy is: upgrade to the latest package, never backport the fix to the released package.
It's more work than it's worth to upgrade machines every 6 months. It's worth me personally paying the $400 a machine to get the extra sleep I'll get from not having to work all the OT to test the upgrades.
Second, I want a security fix that is a complete drop in replacement, barring incredible circumstances (or me doing something that was completely bone headed), it should never break.
You're kidding, right? I mean, you've up and lost your mind if you think x86 is getting pushed out of the server market. x86 is making inroads by all accounts into the server market.
If you mean ia32 is losing out to x86-64 and ia64, I suppose you have a point. How long until all drivers for Windows are compiled for all three OSes? Besides the fact that all of those chipsets have a compatibility mode for ia32 (not that I want my OS to switch to it to run a driver). Besides, until the ia64 comes down a long way in price, a lot of people are going to be using P4 Xeons, or whatever follows up the P4 line for high-end consumer hardware. High-end consumer hardware is always cheaper, and will always have a place in high-end servers. Just because it's so cheap, because of the sheer volume of chips sold. Until Intel ships only ia64 chips, the x86 line will always have a place at the server table.
x86 never had much market share in a true enterprise server market until recently. All real "servers" came from DEC, Sun, HP, IBM, Cray, SGI, and various other computer vendors. Intel chips are finally starting to keep pace with other CPU makers. In the Pentium I/II era, the Alphas clearly just crushed anything made by Intel at floating point and integer math. Well, the Alpha line is effectively dead now. Pretty much everybody but IBM and Sun has stopped making chips (SGI, HP, and Tandem are all porting to ia64). Does Motorola still make chips worth talking about? I know they used to make some of the G[34] chips or MoBos for Apple, but then stopped and IBM picked up the slack.
Sure, the ARM is around, but it surely isn't a server chip. What precisely do you think is going to own the market? The UltraSparc? The POWER chips IBM makes? Whatever in the hell goes in IBM mainframes? ia32/ia64/x86-64 chips are where it'll all end up.
As to if ATI is in the dark about NVidia does its thing? No probably not. All NVidia wants is a 6-12 month lead where ATI can't get a product to market with the same features. In the video card market that's enough to sell billions of dollars in cards.
Uhhh, creating Linux took years. Creating a viable piece of software that someone will pay for takes a lot of effort, and a lot of time.
Without some form of savings/income to draw upon, one can't develop software on their own (Free or not). You don't get a net connection for free. You don't get parts for free. You don't get to live rent free. If you do, you probably didn't need the job you so unluckily lost.
People work for a variety of reasons. Most of them are because they need income to barter for other goods and services.
Software that takes 6 months for one guy to slap together, isn't going to impress anybody who has an IT background. They'll see it's obviously only 6 man months of work...;-)
Most people I know don't have 6 months worth of income available to them as cash they can easily spend. Getting 6 months of time together while working full time at a job is difficult at best. Especially if you work a time demanding IT job.
Sorry, I debunked an obviously false statement you are using as the only support for your argument. So you can think it's offtopic if you want (which you are correct, this is way offtopic from IPv6 Success stories).
Capitalistic society here in the US. All it takes is one or two ISPs to offer them for free. Hell, all it takes is a couple of ISPs. I mean, take your argument and apply it 20 years ago to banks and checking:
No one will ever offer free checking at banks. It's a good revenue stream, and they won't give it up.
Fast forward to the present. When I went bank shopping 6 months ago, I couldn't find a bank that would charge me for anything as long as I kept $500 in a checking or savings account. What happened in the intervening 20 years is that banks started to figure out that giving away free checking was a good idea. Only billing business customers for transaction fees, and leaving personal checking free, was a good way to attract deposits and payroll checks. Guess who makes money on payroll checks? The bank who holds the checking account. Every time you write a check to a credit card company, who makes money? Yep, your bank does. There is a transaction fee every time a check moves.
Banks just realized that getting more business by attracting "consumers" was a good idea. That it was in their best interests to lose money per transaction on free checking accounts, because of the associated fees they make up for later because of the sheer volume of accounts they get.
Now, IPs are a scarce commodity right now (in the sense that they don't grow on trees), and they cost ISPs money. They have a right to pass that charge along (they could alternatively just raise everyone's price $2 per month and let you have up to 3 of them, because most people would never use them). It costs a lot of money to do the paperwork, to keep up the paperwork, and to pay the fees associated with getting a /20 (which is the smallest block you can get them in from ARIN). The first ISP that figures out that by offering customers 10,000 static IPs to do what they will with it gains market share and makes more money will drive everyone else to do it. That's capitalism for you.
Once it costs the ISPs $20,000 to get a block with 2 billion IPs in it, it really doesn't make any sense to charge extra for them, if giving them away free will attract new customers. I'd bet money you'd be willing to change ISPs if they just gave you 1,000 IPs for free with your $40 a month account.
The cable provider in my area provides me with a real IP. The IP is mostly static (it changes very infrequently), and I'm not NAT'ed onto the network (I have to traverse a 10.0.0.0/8 network to get onto the internet, but that is just what they use to construct their transit network, so they can always just re-number, and/or re-organize without affecting customers, or wasting public IP's. That is one of the original intents of reserving the 10/8 network). If I am NAT'ed, it's done at both ends. The IP on the eth0 interface is the same as is reported by "www.whatismyip.com". So if they do NAT, at the very least, I know my own public IP that I can give out to other people to connect to me with. Not sure if I am firewalled or not. I'm pretty sure I am, but I don't bother running services.
Well, in the US, most of the people who get cell phone plans, couldn't afford the hardware. Thus, some of the price is rolled into the 2 year contract that you have to pay an additional 150-300 dollars to get out of early.
Most of the people I know who have Cell phones, couldn't afford $500 CDN, and pay more for minutes. Cell phone companies are trying to bring in new users, so they sell the phones cheap, figuring they'll make it up over time while they make a profit on the service.
Second, the US market probably has more cell phones in the top 20-40 markets than Canada has people, period. So a lot of fixed costs have to be amortized over fewer people in Canada.
Finally, everything in the US wireless market appears to be about taking it in the shorts to gain market share, and to gain volume, to drive prices down. So they are investing (read: losing their shirts) tons and tons of money trying to steal customers away from the other carriers, and make money on slim margins. Whereas the Canadian market appears to be trying to sustain profitability at a much smaller volume. This means that Canadian service is probably a much better investment (from a business perspective). 5-10 years ago, cell service was a lot more expensive down here than it is now. Pricing for service is probably about the same. Not sure about the phone pricing.
Yeah, but that first customer is really expensive.
Also, if you truly believe that adding a customer is "zero-cost", you should never go into business for yourself.
It costs plenty to add a customer every time. More head ends, more trenches, more cable. A lot of those are paid before you ask for service by the cable company as an investment. So technically they have already paid it by the time you get it hooked up, but that's because they footed the bill for you well ahead of time.
Furthermore, the content that you get, costs them per subscriber. It costs them money to bill you, to do collections, to deal with you when you call and complain about service being crappy.
Plus lots of things, like cable, have such huge costs that they have to have 5 million customers before they make a profit and cover ongoing facilities costs.
Billing works the way it does because it is the most efficient way for that good to be traded. It's a capitalist society; if you can make more money giving away cable and satellite feeds "because there is no cost to adding additional customers", then by all means go for it. I'm sure there's a VC out there if you have a good business plan.
It's simple. Just take the boots off during the metal detector test. Put them through the scanner like your carry-on bags, just like you do with all other metal objects.
I put absolutely everything I have with me except for one credit card, $50.00 in cash, and my drivers license, and my ticket home in my carry on bag. My keys, my wallet, my change. My leatherman tool (yes, they have let me get that on a plane, if it's in my bag when they do the scan).
I took my shoes off, and put them on the belt too after my first experience with being wanded down. I just asked in the Atlanta airport, and they said that was a great idea to avoid the slow down.
Then, I watch everything that happens to my bag to ensure nobody takes off with it (a common thief trick is to have you put your bag on while someone else is making the scanner go off, so your bag can be walked off with while they take five minutes at the security checkpoint). I think that has stopped now that making the security checkpoint go off gets you wanded down, rather than trying to re-check everyone.
I've only done it a handful of times, but it always worked for me. I'm not thrilled about being barefoot, but it worked for my trip to pickup my bag, and saved me about 10-15 minutes even with untying and re-tying my boots.
Yes, I normally write all delete statements in the form:
delete from table where ( primary key ) IN ( SELECT primary key FROM table WHERE clause )
I always write the select statement first, then I go back and edit in the delete portion of it.
Just like if I am thinking clearly, all rm commands are written as this:
find . [ clauses to limit to only the files I want ] -print
find . [ clause to limit find ] -type f -exec rm {} \; -print
This will remove files first. Then remove the directories using:
find . [ clause ] -type d -exec rmdir {} \;
It's a lot slower, and takes one process per file to do the delete, but it sure is a lot safer than throwing around wild cards. Any time I'm working on our production database, the way in which I am willing to remove files changes.
If you know there are no spaces, or other odd characters in the files:
That or I do ls [wildcard], then edit the history to change the ls to rm, so I don't have to retype the wildcard again. I can also compare them in history mode.
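The "write the listing first, then turn the same expression into the delete" habit from the post, as an added example that is not the poster's own script: the preview and the two deletion phases share one find expression, so what you saw listed is exactly what gets removed. The function names and the top-level directory guard are my additions.

```shell
#!/bin/sh
# Added example (not from the original post): the two-phase "preview, then
# delete" pattern, wrapped so that the preview and the deletion are built from
# the same find tests. Call order: safe_rm_preview, safe_rm_files, safe_rm_dirs.
#
#   safe_rm_preview DIR [find-tests...]   # phase 1: list matches only
#   safe_rm_files   DIR [find-tests...]   # phase 2: rm each matching regular file
#   safe_rm_dirs    DIR [find-tests...]   # phase 3: rmdir matching, now-empty dirs

# Refuse to do anything without an explicit, existing directory (never "" or a
# missing argument, which would make find default to the current directory).
_safe_rm_check() {
    if [ -z "$1" ] || [ ! -d "$1" ]; then
        echo "safe_rm: need an existing directory, got '$1'" >&2
        return 1
    fi
}

# Phase 1: -print only, no -exec. Everything the tests match is listed,
# directories included, so you can eyeball the list before deleting.
safe_rm_preview() {
    dir=$1; shift
    _safe_rm_check "$dir" || return 1
    find "$dir" -mindepth 1 "$@" -print
}

# Phase 2: one rm per matching regular file, printing each path as it goes.
# -type f sits after the caller's tests, so a directory is never handed to rm.
safe_rm_files() {
    dir=$1; shift
    _safe_rm_check "$dir" || return 1
    find "$dir" -mindepth 1 "$@" -type f -exec rm -- {} \; -print
}

# Phase 3: remove the directories the same tests match, deepest first (-depth).
# rmdir refuses anything non-empty, so a file the tests missed stops the delete.
safe_rm_dirs() {
    dir=$1; shift
    _safe_rm_check "$dir" || return 1
    find "$dir" -mindepth 1 -depth "$@" -type d -exec rmdir -- {} \; -print
}
```

Run the preview, read the list, then re-run with the identical tests through the file and directory phases; the -print on the delete phases gives you a record of what actually went.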
I've built a RedHat kickstart CD that loads the kickstart file via HTTP from a web server. You can write a pre-install script to massage the disks (using either python or shell, probably anything you want, but python and shell are the only two utilities I know are there; in shell you are limited to mostly BusyBox utilities).
You can use the redhat-config-kickstart to help you build a default install package set (and to build the kickstart file).
Then you can run a post install script (also specified in the kickstart script). Generally, I always make my pre/post scripts wget the script I really want them to run. This gives me a bit more flexibility. (Actually I've never written a pre-install script, only posts).
In the post install scripts, I've used wget to download the set of scripts/config files I wanted to replace (I recommend using a tarfile that you unpack from the filesystem, use diff to apply patches to all of the config files, or use sed to edit the config files).
From there, it's a relatively simple matter of deciding what you want changed and how you want it to work. I generally make sure to install AutoRPM, and the autorpm config files that point to my local package repository. Thus anything I can make into an RPM, I can get deployed onto remote machines en masse. I create one extra AutoRPM package pool for each class of machine, so I can put custom packages by machine type onto each machine.
Either use PXE boot, or boot from CD. The CD image to do a kickstart style install is on the first RedHat CD. Look for the isolinux directory and create your own ISO (if you edit the files to put ks=http://kickstart.server.com/kickstart/file, then it's completely unattended). Or you can use the prebuilt images in /images, but then you have to fiddle with the command line a bit from CD. I've never done a PXE boot for installation of a machine (used it for building X-terminals, but not for this).
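A skeleton of the post-install approach described above, as an added example and not the poster's own script: %post fetches the real payload from the kickstart web server, and the payload is a tarball of config files unpacked over the new root, then touched up with sed. The checksum step is my addition, so that a fresh install does not apply whatever the HTTP server happens to hand back; the server name comes from the post, while the tarball name, the digest value and the config path are placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's script. Skeleton for the
# "%post just wgets the real script, which unpacks a tarball of configs" flow.
# Only the checksum check is beyond what the post describes.
# KS_SERVER is the post's example host; the other values are placeholders.

KS_SERVER="http://kickstart.server.com"
CONFIG_TARBALL="webserver-configs.tar"     # hypothetical file name
CONFIG_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# SHA-256 of a file, with whichever tool the install image provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Verify TARBALL against EXPECTED, then unpack it under ROOT.
# On a mismatch nothing is unpacked and the function returns 1.
apply_config_tarball() {   # apply_config_tarball TARBALL EXPECTED ROOT
    tarball=$1; expected=$2; root=$3
    actual=$(file_sha256 "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball: got $actual" >&2
        return 1
    fi
    mkdir -p "$root"
    tar -x -f "$tarball" -C "$root"
}

# The post's "use sed to edit the config files" step for one KEY=VALUE line:
# replace the line if the key exists, append it otherwise. Written via a temp
# file and mv so it works with any sed, not only GNU sed -i.
set_config_value() {   # set_config_value FILE KEY VALUE
    file=$1; key=$2; value=$3
    if grep -q "^$key=" "$file"; then
        tmp="$file.tmp.$$"
        sed "s|^$key=.*|$key=$value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# What the %post section would run. Not executed here; it needs the network
# and a root filesystem. /etc/example.conf is a placeholder path.
post_install() {
    cd /tmp || return 1
    wget -q "$KS_SERVER/kickstart/$CONFIG_TARBALL" || return 1
    apply_config_tarball "/tmp/$CONFIG_TARBALL" "$CONFIG_SHA256" / || return 1
    set_config_value /etc/example.conf ServerName "$(hostname)"
}
```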
There needs to be a reboot in there somewhere, otherwise you're just fooling yourself into believing it's secure, because it's installed.
I always end up rebooting manually, on glibc, ldd, and kernel security fixes. Generally pam changes too. Those are libraries that get sucked into early binaries and never get restarted. I suppose I could reboot into single user mode for everything but the kernel, but a reboot is a good idea anyways.
No, I've pointed out, that if it was really worth that much, it would actually be creating jobs, and it wouldn't actually be that valuable. But it isn't. While it's a cost that is passed on, it's better to spend the money. The GDP counts the money every time it's spent.
So in a very technical sense, it is good for the economy. You might not like that, but it really doesn't change the facts. However, I was using that argument to show that his facts are absurd, by following them to their conclusion.
Yes, some of the cost is passed onto the consumer. Which fiddles with taxes, and some other things. However, the economic argument that SPAM has a strangle hold on our economy to an appreciable percentage (>0.1%) of our GDP is laughable. If this guy is using this as his message, people will laugh at him for being a lunatic. They'll associate other people who talk about the costs of SPAM with this craziness.
SPAM is bad. SPAM is a waste of time. Clearly it is highly efficient, and very good at making money by all accounts (for the SPAMMERS). Thus the free market economist in me thinks there is a lesson in there somewhere.
Where I work, in total, the entire IT staff which deals with the company, and all of the bandwidth and software does a pretty good job of filtering all SPAM out, costs the company a total of $10K a month. Total expenditures of the company $220K a month. We are a Web based company. We are completely driven by web technology, and e-mail based communications. Of that $10K a month, I'd say we spend a total of $50-500/month in time dealing with SPAM and total bandwidth lost to SPAM. Which leads me to believe that SPAM isn't nearly the economic problem this guy claims it is.
I get probably 200 SPAMs a day, and I'd love to not get them. However, it'd only save me about 2-3 minutes a day.
Mitnick clearly broke the law. Last time I checked, sending UCE wasn't illegal until recently on a national basis. I assume you are talking about Merylin (the guy who worked at Intel, and has a really low Slashdot ID). That case was laughable, and is spurious. I wouldn't want to use that as a reason to chase spammers.
Furthermore, they didn't steal any money from anyone. They wasted time, but that's about it. Idiot drivers do that all the time.
Spammers should be drug out onto the street and beaten with sticks for it, but they aren't ruining the American Economy, that's the long and short of it.
Uhhh, I hate to beat you with a stick labelled economics, but I'm going to do it anyways....
I remember when RAM was $200 for an 8MB SIMM (yes, SIMM, 60ns 72pin EDO). I remember how you could pick up 16MB of RAM for around $120. I'm pretty sure that got to where you could get the same type of RAM, about 64MB for $75. That was because they were selling hordes of it, so the one time costs were amortized across more units, and there was less risk of overproducing.
Now the price is pretty outrageous. I know similar things happened for 30pin memory. I know that 30pin was going for $5-10 per MB at a time when DIMMs were around $1 per MB. That's because reliable 30pin memory was hard to find, and not made in large volume.
Now for CD's, the same thing happens. When everyone stops buying CD's, and the backstock runs out, the price of CD's won't be $0.12. He's worried about the price never getting to $0.12, and instead moving in the other direction, because of its scarcity.
Go try buying audio tapes. They aren't as cheap as they used to be. And it's not all inflation. The other thing to remember, is that at least some of the cheapness of CD's was due to the strong dollar (CD prices dropped from $10 in 1995 to $0.25 in 2001). That's also a timeframe when US currency was gaining value relative to the foreign currency. Thus all imports got cheaper. It's part of the reason why computer prices fell so much in the US. They got cheaper to produce, and things are more efficient. However, just assuming that prices of parts will drop, and stay low long after they are produced in volume is a false economy.
Lets start with: "I agree with everything you have to say in terms of Spam pushing the costs onto the receivers of the e-mail."
Now, that we've got that out of the way, please, please, please, stop exaggerating the problem to the point of insanity in terms of cost.
Last time I checked, the world GDP is roughly $4 Quadrillion (a 16 digit number) dollars a year, I'm willing to go on record right now, and say that there is no way SPAM represents 1% of the world's economy.
According to http://www.bea.gov (gov't economic data collector), the 2002 GDP was $10 Trillion (roughly the 14 digit number you claimed Spam cost on a yearly basis).
I'm willing to bet that 25% of all Spam is received by someone in the U.S.
That means that 25% of the US economy is represented via SPAM. If that is actually true, stopping SPAM would cause a world wide depression of a magnitude never before conceived of. You should never ever stop SPAM if it actually constituted that much of the US economy. The costs of SPAM are actually, money that is spent, and is recorded as a profit by some other company, or is money spent on an employee. It's only bad if the profit or employee are in another country.
It's very, very important that the money be spent. The entire economy works when the money moves around it. The economy doesn't work when money sits in big piles. If what you are saying is true, Intel, Microsoft, Dell, IBM, and millions of IT workers worldwide owe their corporate profits, and personal paychecks directly to SPAM. Pardon me if I call nonsense at this point.
I'm going to go on record saying that's patently false, but it's the only logical conclusion of what you are saying. Thus, what you're saying is absurd. I'm willing to admit what you are saying is true in its basic premise, but the details are a bit irrational.
SPAM, might cost lots of money. However, a lot of that money is going to an ISP. It's not like it's lost money that is never found. It's not like the Spammers get that money. IT companies do, sysadmins do, all kinds of people get that money.
If spamming up and disappeared, you are claiming that a huge portion of the national GDP would evaporate, because 99% of all that money is just cycling around the system. Somebody in the US got paid that money. That's really, really good for the US economy. That money not going around is really, really, really bad.
It's surely not being embezzled by the Spammers. Spammers only get the money from the morons who pay them (either by paying referral fees for advertising, or from the people who actually purchase a product from them).
Yes, SPAM represents an inefficiency in the economy, but it can't be of the magnitude you are talking about. Most of the inefficiency is given to other corporations, or given to employees as money to be respent in the economy. All of which is good. About the only people who truly would lose out is people who run small businesses with no employees (thus dealing with SPAM costs them money directly, and prevents them from generating value that contributes to the GDP; however, the portion that goes to the ISP is actually a contribution to the GDP, and thus good for the economy).
No, but the porn viewers out there, purchased a lot of the TV's when they were in the $10-15K price range for Hi-Def of any kind, and are the ones who pushed production up enough to get them into a feasible price range for the average AV junkie.
Go look at the early adopters of a ton of technology, you'll find gamers, the military, and pornography junkies.
Lots of early movies were in fact pornographic. A lot of early money in the film industry was made off of pornographic movies. I'd cite it, but I learned that on the "History Channel".
VHS tapes... Know what drove down the prices on VHS players and tapes? Pornography.
Who are the early adopters on DVD's? Pornographers.
Who drives highend video quality on like HDTV? Uhh, yep, that's them Porno-heads.
Who uses all of the high end technology in DVD's? Pornographers. Other than "The Matrix", I've never heard of a movie that uses the "Angle" feature in a movie (I've never seen it in the Matrix, but I didn't really care that much to look for it). However, I hear it's used most often in pornography.
Who drove a lot of the work on early video compression? Pornographers. Who do you think the early adopters on new codecs are? Porn heads.
I'm not saying they did the work, but they are the early adopters that spend outrageous sums of money, to make it viable economically for the masses. Which is what this guy is talking about.
They are the ones who beta test all kinds of new technology. Pornography is the driving force behind nearly all Hi-Fi multimedia upgrades.
Communication is relegated to a secondary position in my mind, precisely because that's almost never an early adopter reason, it's a mass market reason. Early adopters are critical to pushing new technology. Pornheads, gamers, and the military are the three easy to identify people who are always into the latest greatest cutting edge technology.
Just like Warez people are part of the reason you can buy a CDROM burner for what they cost. It's my understanding that some of that was driven by pornography because it was easy, safe archival. It was easy to transport. It was easy to duplicate and charge money for.
Finally, it's not merely about forging IPs. You also could forge DNS entries. Which isn't that hard (especially if they served up real answers for the non-SPF/txt requests). As someone who's been hacked by a DNS poison attack, clearly it's possible. Most DNS transactions are done via UDP, which isn't the most secure way to do transactions.
Again, this all comes down to who do I trust. I don't trust everyone on the internet to do this properly. If nothing else, you'll just cause the spammers to sign up for a one time domain name, set up the SPF, spew their spam. Sign up for a new domain name, set up the SPF, spew their spam. They can use register.com to run the DNS, handing out lists of approved zombie computer IPs as approved for sending spam. (They've now handed you a list of computers to black list, but I'm not sure how good an idea that is).
It's a zero sum game. If it is easy for me to do, it's easy for the spammer to do. Thus it will be broken by the spammers. The only way to truly put a hurting on spammers is to change the economics of it significantly. Explain how SPF does that to me. Sending e-mail that is encrypted changes how much money it takes to send bulk e-mail. Allowing for mailing lists to essentially opt out of that keeps the economics sane for them.
Kirby
This technically speaking won't stop SPAM. However, it will change the economics of it.
Finally, filtering SMTP 25 has been done for ages on plenty of networks. I've had it done to me when I was in Rolla, MO in 1998 or so.
Again the problem is that I can't control all the networks in the world. I can only control mine. I want a solution that puts me in control. I have no interest in a solution that involves me trusting the entire internet.
Kirby
What charge are you going to have for sending a piece of mail? Is it a penny? What happens once you get charged a penny for a piece of mail you didn't send? What happens when you get charged a penny a quarter of a million times for a piece of mail you didn't send? How does the ISP keep track of who racked up the charges? How does the ISP bill the consumers for it?
Because I might have to make fiscal transactions with say 500-10000 different financial institutions, that will have a transaction fee that far exceeds what any sane person would be willing to pay to send a piece of mail. So once you solve this minor issue, that lots of people have been working on for years, it might just work. (E-Mail might be just the leverage you need to pull this off, micro payments have never really had a killer app).
However, forcing someone to do a math problem has an absolutely trivial solution to new hardware. Make the problem harder. Nearly all of the problems involve doing some type of math problem. Want to make it more expensive? Require them to do the same problem, but with bigger numbers. Your next problem is that Spammers will pay $20K to get custom built hardware to do the problems orders of magnitude faster than any generic piece of hardware could do it.
Finally, the easiest way is to get all outgoing SMTP servers to add an X-Header signature to all e-mails. This e-mail minus the X-Header's digital digest with the private key on a public web of trust is "XYZ". Now your problem is that you've created an incentive for people to steal private keys. The private keys will have to be kept pretty much in the clear somewhere on the machine (which will be a problem).
Now you've just made the size of each e-mail significantly larger (most signatures are 1-4K if I remember correctly).
Now you have to solve the PKI problem.
Finally, my preferred solution is to force the sender to sign the mail using the GPG key I give them. Technically speaking, they could sign it with any key they want, but I white list in any signature using my public key, and the public keys that are used on the mailing lists I'd like to follow. Then mailing lists only have to sign one mail message and send lots of duplicates of that single signature. Now, getting past my SPAM filter requires that you deal with an object that I control. So if Yahoo gets their private key stolen, some spammer will start spewing SPAM that can get past nearly all ISPs' spam filters where the SMTP just signs the mail. In my system, I couldn't care less. My public/private pair (which is only used for this; I have another one for authenticating who I am) has no value. I'll gladly post both of them to the net. I can make it easy for people who I want to send me mail, and all my mail has some form of digital checksum on it. All of which is good. My only problem would be if someone found a mailing list's private key. All I'd have to do is then tell the admin that his key has been compromised and somebody is sending SPAM with it.
I'm not fond of SPF, because all someone has to do is be able to forge an IP, which isn't particularly difficult. I can't control all the nasty corners of the internet. I can control what key I force you to use, and I can control what lists I put on my trusted key list if they cause problems for me.
The biggest problem with my solution is that it requires everyone to change how they work. Technically all they have to do is go fiddle with sendmail a bit, and add an outgoing X-Header, I can use that to white list people in until it reaches critical mass. Then I can just black list anybody who doesn't do that to outgoing mail.
Kirby
Tolkien's is one of the most widely published books, and one of the more widely read books world wide. Tolkien wrote it to be a mythology for the British. That is to say, a mythology that the British could say was originally their own. Tolkien, from what I've read, was always searching for old original stories from Britain. That's how he turned up Beowulf. He wrote a child's story in "The Hobbit", and so many people requested more information about that world, about the time, that he expanded it to be one of the largest and most comprehensive stories of the time. Tolkien is the benchmark that any author would be happy to match.
I've got my original copy of LoTR. It was one my brother read, that my sister read, that my other sister read. The one that I read, the one that I've loaned to lots of other people. My copy is from the mid 1970's; it's one my brother stole from the High School library, and it sure isn't a first printing. LoTR was a major book the day it was published. If you didn't know about it in High School, that doesn't mean it isn't well known, or serious literature. Next I suppose you'll tell me that Quantum Mechanics and the Theory of Relativity are "new theories", because they didn't teach them to you in your High School science class.
They don't make you read it in High School, but possibly that has something to do with the fact that it's 1500 pages long, and takes a great deal of time to read? Ever notice that most schools never require you to read novels longer than about 250 pages? It's a time commitment issue. No high school I know makes you read "Ulysses" either (the book that is well over a thousand pages, that covers a single day's events during the Civil War era). That doesn't mean it's not considered "serious literature" (as crappy as I hear it is to read).
Kirby
For what it's worth, I hate Debian. Tried to install it once, and it was a horrible experience. I've run a couple of Knoppix ISOs because they had some neat security tools on them that I could check for rootkits with. The exact same arguments I'm going to make involving Debian could be made with Suse, the old "RedHat Linux", RHEL. I only contrasted Fedora with Debian because that is what the post I was responding to brought up. He said it was in the same class as Debian in terms of "non-hobbyist", and it isn't.
Fedora core could never, ever crash, and it wouldn't be production deployable.
Fedora Core could never ever have a zero day exploit, and always have a security fix ready and available the moment a security problem is found by a cracker. It still wouldn't be production deployable.
Fedora Core's modus operandi (MO) is to keep on the upgrade treadmill. That is fundamentally counter to "production deployable". Here, try this one on for size:
Use a third party module for Apache. Apply Fedora Core's Apache upgrades. It's possible that your third party module no longer works because the new Apache version is no longer binary compatible with the old Apache version. I've tracked projects that constantly change the Apache API/ABI (subversion). If Fedora kept pace with Subversion and Apache, they could really screw up third party modules for Apache. So now my options are:
Not use the third party module (which isn't an option, if I could have done that, I would have in the beginning).
Run an insecure old version of Apache.
Attempt to either patch the old version of Apache, or find someone else who already has done that and use theirs, or follow their instructions.
From that point on, I will forever have to do my own fixes for Apache until I can get a new version of the third party module that works with Fedora Core's upgraded module. Even if I have the source to the third party module, I'll have to remember to rebuild it. That's still a pain.
That is a case in point, of where Debian Stable (as out of date as it is), would be superior to the policy that Fedora Core professes to follow.
Even if Fedora never crashed, and always promptly had security fixes, the above scenario is precisely why it isn't "production deployable".
We can go thru the same process with how long security fixes are going to be provided for:
I don't ever upgrade distro's in place. I have 24x7 machines, if something goes wrong, I'm screwed. I build new machines, migrate services so that there is very minimal downtime. That's production deployable. When Debian releases a Stable Release, it'll be 2-3 years until they'll release a new stable (much to the chagrin of Debian users). That means, you only have to do that process every 2-3 years (which nicely matches our new hardware purchasing time table).
With Fedora Core, I either have to upgrade in place, with no safety net (other than tape backup), or I have to do the migrations every 6-9 months to ensure that Fedora will be providing me with security fixes. That's not "production deployable".
Fedora Core can be the end all, be all of Linux distributions in terms of uptime, stability, and timely security fixes. However, that doesn't move it out of the category of "hobbyist". What moves it out of the category of "hobbyist" is security upgrades that will never, ever break the system. Security upgrades will be provided for that version for at least X months, where X is larger than 18-24 months. Fedora Core doesn't fit the bill.
Tell me what a pleasure Fedora Core 1 is 18 months from now. Tell me about how no security fix they release has ever caused an hour of downtime. Tell me that Fedora Legacy is working flawlessly, and is still supporting Fedora
You are failing to connect the dots... That sentence in the grandparent where I said: "I've never used debian, except for a Knoppix CD" (I've booted Knoppix precisely twice to check the two security based knoppix ISOs). Which portion of that sentence didn't you understand? I'll gladly diagram it for you. Now that I've gone and personally attacked you, you can respond to that being a strawman. At least then you'll have a leg to stand on.
I'm not a Debian Bigot. I'm not a Fedora critic either. I've never actually run Fedora (I've followed the mailing lists, and answered questions about it, but never actually installed it, even though I have a local mirror of it at home).
Fedora has specific policies that run directly counter to the concept of "production quality, enterprise ready" in my humble opinion. Debian has qualities that jump up and down and scream: "Production Quality, enterprise ready".
Now, Fedora might well move away from the original intents that RedHat laid down for them. Fedora is in fact a "bleeding edge" distro. It's designed to be that way, and stay that way, if they hold true to the core beliefs laid out at the Fedora website. Which leads me to the conclusion that "Fedora is no more hobbyist than Debian" is intellectually dishonest. Which is what my post explained. Fedora Core is designed to be a moving target to push that distribution far ahead. If you don't want to play ball, you'll fall behind, and Fedora won't come back and help you. Fedora Legacy might, but I want to see their track record before I start saying nice things about them.
RedHat has done lots of good for the OSS community. It's why I own all their recent products. It's why we run RHEL at my office (because I insisted we purchase it). However, that does not make all things RedHat infallible. If you want to go see a nice bit of zealotry, try reading your own post. I've been nice and polite (barring the first couple of paragraphs of this post).
I never said Fedora isn't stable. I never said Fedora isn't secure. What I said is that Fedora isn't "production ready", because on an ongoing basis, it is the projects policy to do things that are fundamentally counter to ensuring that upgrading your system for security updates will never break the system. I said that Fedora has a written policy to not support systems for long enough for me to be comfortable deploying them for production use. I don't like distro upgrades. I do new installs and migrate services.
RedHat carefully designed Fedora specifically so it can't ever be depended upon for sane production use. They took all the best qualities of "RedHat Linux", fixed all the things that drove people nuts about it, and called that "RHEL". They took all the parts that are leftover, and turned them into "Fedora Core". Fedora took a number of problems that people complained about in "RedHat Linux", and made them worse.
People used to complain, RedHat had too many releases too often, so it is hard to stay current. Fedora Core makes this problem worse.
People used to complain RedHat doesn't support their products for long enough. Fedora made this worse.
RedHat at least used to guarantee binary compatibility of security fixes. Fedora Core doesn't.
The reasons people used to think that "RedHat Linux" wasn't good for production use got worse via Fedora Core, not better. Fedora Core's fundamental operating principle appears to be "upgrade to the latest greatest stuff, and we will fix it". Y
I've got serious concerns about their ability to support the sheer number (4 of Core releases, probably for 3-6 platforms for each release once it gets going) of distro's that Fedora Core is putting out over a two year period. It's part of the reason that RedHat gave up RedHat Linux, it's the reason they had the EOL policies they did. It was too many distro's to support.
I'm a lot more likely to follow White Box Linux (or any of the other RHEL rebuilds) than I ever would be to follow Fedora Core for a production server. I'm a lot more comfortable with building and signing my own binary packages from a RedHat SRPM when a security fix needs to happen than dealing with the fallout of upgrading packages.
Fedora Core made a decision, and the docs I'd read made it clear to me they understood the repercussions of not backporting a fix. They delineated them, and then said: "This is a cutting edge platform, if you want stability, use RHEL". Some of that is RedHat's sales pitch. However, I've read the documentation; if they do what they set out in their plan, I'll happily pass. I won't even bother using it at home. It really is run like it is for a home distro. Just like I wouldn't run Debian Unstable/Testing on production machines, even though I know they are pretty reliable, I'm still not doing it.
There's a reason that Debian only has one "Stable" (yes, it's for 9 platforms); supporting multiples of them is time consuming. Also if they supported 3 of them, it would go back to the 2.0 kernel series if I remember correctly.
Kirby
I take exception to that point. Debian has a very, very long history of doing two things:
1. Debian Stable is a long standing distro with support best measured in multiple years. Fedora Core says 6 months of support.
2. Debian always backports security fixes to the stable. Fedora Core's policy is explicitly to upgrade to the latest packages (even if that means your config files are now broken, and the API/ABI is incompatible, so plugins break).
I know that Debian at one point had a very abrupt EOL notice (on the order of a month or two), when they transitioned from one stable to another. Which would be really annoying, but if it only happened every 2-3 years, I'd deal with it.
I'm not much of a Debian user. In fact, I've never used it, other than a Knoppix live distro.
I can't honestly recommend to anyone I know to use Fedora on any machine but one they use at home, where having upgrade problems and downtime is acceptable. Fedora Core's development model is very, very unfriendly to deploying in a production environment, especially if it's any place where security is a concern. I suppose I could use it someplace where I didn't have a net connection, but I don't know of too many machines that don't have a net connection.
Kirby
First, it has 6 month support cycles. You have problems, after the first 6 months, don't expect the Fedora Core people to be obliged to help you.
Second, the standard security fix policy is: upgrade to the latest package, never backport the fix to the released package.
It's more work than it's worth to upgrade machines every 6 months. It's worth me personally paying the $400 a machine to get the extra sleep I'll get from not having to work all the OT to test the upgrades.
Second, I want a security fix that is a complete drop in replacement, barring incredible circumstances (or me doing something that was completely bone headed), it should never break.
Kirby
If you mean ia32 is losing out to x86-64 and ia64, I suppose you have a point. How long until all drivers for Windows are compiled for all three OSes? Besides the fact that all of those chipsets have a compatibility mode for ia32 (not that I want my OS to switch to it to run a driver). Besides, until the ia64 comes down a long way in price a lot of people are going to be using P4 Xeons, or whatever follows up the P4 line for high end consumer hardware. High end consumer hardware is always cheaper, and will always have a place in high end servers. Just because it's too cheap, because of the sheer volume of chips sold. Until Intel ships only ia64 chips, the x86 line will always have a place at the server table.
x86 never had much market share in a true enterprise server market until recently. All real "servers" came from DEC, Sun, HP, IBM, Cray, SGI, and various other computer vendors. Intel chips are finally starting to keep pace with other CPU makers. In the Pentium I/II era, the Alphas clearly just crushed anything made by Intel at floating point and integer math. Well, the Alpha line is effectively dead now. Pretty much everybody but IBM and Sun have stopped making chips (SGI, HP, and Tandem are all porting to ia64). Does Motorola still make chips worth talking about? I know they used to make some of the G[34] chips or MoBos for Apple, but then stopped and IBM picked up the slack.
Sure, the ARM is still around, but it surely isn't a server chip. What precisely do you think is going to own the market? The UltraSparc? The POWER chips IBM makes? Whatever in the hell goes in IBM mainframes? ia32/ia64/x86-64 chips are where it'll all end up.
As to whether ATI is in the dark about how NVidia does its thing? No, probably not. All NVidia wants is a 6-12 month lead where ATI can't get a product to market with the same features. In the video card market that's enough to sell billions of dollars in cards.
Kirby
Without some form of savings/income to draw upon, one can't develop software on their own (Free or not). You don't get a net connection for free. You don't get parts for free. You don't get to live rent free. If you do, you probably didn't need the job you so unluckily lost.
People work for a variety of reasons. Most of them are because they need income to barter for other goods and services.
Software that takes 6 months for one guy to slap together isn't going to impress anybody who has an IT background. They'll see it's obviously only 6 man-months of work... ;-)
Most people I know don't have 6 months worth of income available to them as cash they can easily spend. Getting 6 months of time together while working full time at a job is difficult at best, especially if you work a time-demanding IT job.
Kirby
Capitalistic society here in the US. All it takes is one or two ISPs to offer them for free. Hell, all it takes is a couple of ISPs. I mean, take your argument and apply it 20 years ago to banks and checking:
No one will ever offer free checking at banks. It's a good revenue stream, and they won't give it up.
Fast forward to the present. When I went bank shopping 6 months ago, I couldn't find a bank that would charge me for anything as long as I kept $500 in a checking or savings account. What happened in the intervening 20 years is that banks started to figure out that giving away free checking was a good idea. Only billing business customers for transaction fees, and letting personal checking be free, was a good way to attract deposits and payroll checks. Guess who makes money on payroll checks? The bank who holds the checking account. Every time you write a check to a credit card company, who makes money? Yep, your bank does. There is a transaction fee every time a check moves.
Banks just realized that getting more business by attracting "consumers" was a good idea. That it was in their best interests to lose money per transaction on free checking accounts, because of the associated fees they make up for later because of the sheer volume of accounts they get.
Now, IPs are a scarce commodity right now (in the sense that they don't grow on trees), and they cost ISPs money. They have a right to pass that charge along (they could, alternatively, just raise everyone's price $2 per month and let you have up to 3 of them, because most people would never use them). It costs a lot of money to do the paperwork, to keep up the paperwork, and to pay the fees associated with getting a /20 (which is the smallest block you can get them in from ARIN). The first ISP that figures out that offering customers 10,000 static IPs to do what they will with gains market share and makes more money will drive everyone else to do it. That's capitalism for you.
Once it costs the ISPs $20,000 to get a block with 2 Billion IPs in it, it really doesn't make any sense to charge extra for them, if giving them away free will attract new customers. I'd bet money you'd be willing to change ISPs if they just gave you 1,000 IPs for free with your $40 a month account.
The cable provider in my area provides me with a real IP. The IP is mostly static (it changes very infrequently), and I'm not NAT'ed onto the network (I have to traverse a 10.0.0.0/8 network to get onto the internet, but that is just what they use to construct their transit network, so they can always just re-number and/or re-organize without affecting customers or wasting public IPs. That is one of the original intents of reserving the 10/8 network). If I am NAT'ed, it's done at both ends. The IP on the eth0 interface is the same as is reported by "www.whatismyip.com". So if they do NAT, at the very least I know my own public IP that I can give out to other people to connect to me with. Not sure if I am firewalled or not. I'm pretty sure I am, but I don't bother running services.
Kirby
Most of the people I know who have Cell phones, couldn't afford $500 CDN, and pay more for minutes. Cell phone companies are trying to bring in new users, so they sell the phones cheap, figuring they'll make it up over time while they make a profit on the service.
Second, the US market probably has more cell phones in the top 20-40 markets than Canada has people, period. So a lot of fixed costs have to be amortized over fewer people in Canada.
Finally, everything in the US wireless market appears to be about taking it in the shorts to gain market share, and to gain volume, to drive prices down. So they are investing (read: losing their shirts) tons and tons of money trying to steal customers away from the other carriers, and make money on slim margins. Whereas the Canadian market appears to be trying to sustain profitability at a much smaller volume. This means that Canadian service is probably a much better investment (from a business perspective). 5-10 years ago, cell service was a lot more expensive down here than it is now. Pricing for service is probably about the same. Not sure about the phone pricing.
Kirby
Also, if you truly believe that it is "zero-cost" to add a customer, you should never go into business for yourself.
It costs plenty to add a customer every time. More head ends, more trenches, more cable. A lot of those are paid before you ask for service by the cable company as an investment. So technically they have already paid it by the time you get it hooked up, but that's because they footed the bill for you well ahead of time.
Furthermore, the content that you get costs them per subscriber. It costs them money to bill you, to do collections, to deal with you when you call and complain about service being crappy.
Plus, lots of things like cable have such huge costs that they have to have 5 million customers before they make a profit and cover ongoing facilities costs.
Billing works the way it does because it is the most efficient way for that good to be traded. It's a capitalist society; if you can make more money giving away cable and satellite feeds "because there is no cost to adding additional customers", then by all means go for it. I'm sure there's a VC out there if you have a good business plan.
Kirby
I put absolutely everything I have with me, except for one credit card, $50.00 in cash, my driver's license, and my ticket home, in my carry-on bag. My keys, my wallet, my change. My Leatherman tool (yes, they have let me get that on a plane, if it's in my bag when they do the scan).
I took my shoes off, and put them on the belt too, after my first experience with being wanded down. I just asked in the Atlanta airport, and they said that was a great idea to avoid the slowdown.
Then, I watch for everything that happens to my bag to ensure nobody takes off with it (a common thief trick is to have you put your bag on while someone else is making the scanner go off, so your bag can be walked off with while they take five minutes at the security checkpoint). I think that has stopped now that making the security checkpoint go off gets you wanded down, rather than trying to re-check everyone.
I've only done it a handful of times, but it always worked for me. I'm not thrilled about being barefoot, but it worked for my trip to pick up my bag, and saved me about 10-15 minutes even with untying and re-tying my boots.
Kirby
delete from table where ( primary key ) IN ( SELECT primary key FROM table WHERE clause )
I always write the select statement first, then I go back and edit in the delete portion of it.
Just like, if I am thinking clearly, all rm commands are written like this:
find . [ clauses to limit to only the files I want ] -print
find . [ clause to limit find ] -type f -exec rm {} \; -print
This will remove files first. Then remove the directories using:
find . [ clause ] -type d -exec rmdir {} \;
It's a lot slower, and takes one process per file to do the delete, but it sure is a lot safer than throwing around wildcards. Any time I'm working on our production database, the way in which I am willing to remove files changes.
If you know there are no spaces or other odd characters in the files:
That or I do ls [wildcard], then edit the history to change the ls to rm, so I don't have to retype the wildcard again. I can also compare them in history mode.
Kirby
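The preview-then-delete habit described above (write the selection first, review its output, only then add the destructive verb) as an added shell example, not code from the original post: the same find clauses feed a read-only -print pass and the rm/rmdir passes, -depth is added so nested directories are removed children-first, and the demo builds a constructed scratch tree so it runs offline. It assumes only POSIX find, rm, rmdir and mktemp.

```shell
#!/bin/sh
# Added example (not from the original post): the same find clauses drive a
# read-only -print pass and the destructive rm/rmdir passes, so what you
# reviewed is exactly what gets removed. Assumes POSIX find/rm/rmdir/mktemp.

# preview DIR [find clauses...]: the -print pass, e.g.
#   preview /var/tmp -name '*.log' -mtime +30
preview() {
    dir=$1; shift
    find "$dir" "$@" -print
}

# delete_files DIR [find clauses...]: one rm per file (slow, but the shell
# never expands a wildcard, and paths with spaces arrive as a single argument);
# -print after -exec only echoes the paths rm actually succeeded on.
delete_files() {
    dir=$1; shift
    find "$dir" "$@" -type f -exec rm -- {} \; -print
}

# delete_dirs DIR [find clauses...]: rmdir only removes empty directories, so a
# directory still holding unmatched files is left alone; -depth visits children
# before parents so nested empty directories go in one pass.
delete_dirs() {
    dir=$1; shift
    find "$dir" -depth "$@" -type d -exec rmdir -- {} \; -print
}

# demo: runs the three passes on a constructed scratch tree (nothing real is
# touched). Returns 0 when only the intended files and directories are gone.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/keep" "$work/old logs/nested"
    : > "$work/keep/data.txt"           # must survive
    : > "$work/old logs/a.log"          # matched by *.log
    : > "$work/old logs/nested/b.log"   # matched by *.log, in a nested dir
    : > "$work/old logs/notes.txt"      # unmatched: keeps 'old logs' non-empty
    echo "# preview pass (nothing removed yet):"
    preview "$work" -name '*.log'
    echo "# delete pass:"
    delete_files "$work" -name '*.log'
    delete_dirs  "$work" -name 'nested'     # 'old logs' is not empty; it stays
    [ -f "$work/keep/data.txt" ] &&
        [ -f "$work/old logs/notes.txt" ] &&
        [ ! -e "$work/old logs/a.log" ] &&
        [ ! -e "$work/old logs/nested" ]
    status=$?
    rm -rf "$work"
    return $status
}
```

Run `demo` to see both passes; in real use, run `preview` with your clauses, read the list, then reuse the identical clauses with `delete_files` and `delete_dirs`.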
You can use the redhat-config-kickstart to help you build a default install package set (and to build the kickstart file).
Then you can run a post install script (also specified in the kickstart script). Generally, I always make my pre/post scripts wget the script I really want them to run. This gives me a bit more flexibility. (Actually I've never written a pre-install script, only posts).
In the post install scripts, I've used wget to download the set of scripts/config files I wanted to replace (I recommend using a tarfile that you unpack from the filesystem, use diff to apply patches to all of the config files, or use sed to edit the config files).
From there, it's a relatively simple matter of deciding what you want changed and how you want it to work. I generally make sure to install AutoRPM, and the autorpm config files that point to my local package repository. Thus anything I can make into an RPM, I can get deployed onto remote machines en masse. I create one extra AutoRPM package pool for each class of machine, so I can put custom packages by machine type onto each machine.
Either use PXE boot, or boot from CD. The CD image to do a kickstart style install is on the first RedHat CD. Look for the isolinux directory and create your own ISO (if you edit the files to put ks=http://kickstart.server.com/kickstart/file, then it's completely unattended). Or you can use the prebuilt images in /images, but then you have to fiddle with the command line a bit from CD. I've never done a PXE boot for installation of a machine (used it for building X-terminals, but not for this).
Kirby
I always end up rebooting manually, on glibc, ldd, and kernel security fixes. Generally pam changes too. Those are libraries that get sucked into early binaries and never get restarted. I suppose I could reboot into single user mode for everything but the kernel, but a reboot is a good idea anyways.
Kirby
So in a very technical sense, it is good for the economy. You might not like that, but it really doesn't change the facts. However, I was using that argument to show that his facts are absurd, by following them to their conclusion.
Yes, some of the cost is passed onto the consumer, which fiddles with taxes and some other things. However, the economic argument that SPAM has a stranglehold on our economy to an appreciable percentage (>0.1%) of our GDP is laughable. If this guy is using this as his message, people will laugh at him for being a lunatic. They'll associate other people who talk about the costs of SPAM with this craziness.
SPAM is bad. SPAM is a waste of time. Clearly it is highly efficient, and very good at making money by all accounts (for the SPAMMERS). Thus the free market economist in me thinks there is a lesson in there somewhere.
Where I work, the entire IT staff that deals with the company, plus all of the bandwidth and software (which does a pretty good job of filtering all SPAM out), costs the company a total of $10K a month. Total expenditures of the company: $220K a month. We are a Web based company. We are completely driven by web technology and e-mail based communications. Of that $10K a month, I'd say we spend a total of $50-500/month in time dealing with SPAM and total bandwidth lost to SPAM. Which leads me to believe that SPAM isn't nearly the economic problem this guy claims it is.
I get probably 200 SPAMs a day, and I'd love to not get them. However, it'd only save me about 2-3 minutes a day.
Mitnick clearly broke the law. Last time I checked, sending UCE wasn't illegal until recently on a national basis. I assume you are talking about Merylin (the guy who worked at Intel, and has a really low Slashdot Id). That case was laughable, and is spurious. I wouldn't want to use that as a reason to chase spammers.
Furthermore, they didn't steal any money from anyone. They wasted time, but that's about it. Idiot drivers do that all the time.
Spammers should be dragged out onto the street and beaten with sticks for it, but they aren't ruining the American Economy; that's the long and short of it.
Kirby
I remember when RAM was $200 for an 8MB SIMM (yes, SIMM, 60ns 72pin EDO). I remember how you could pick up 16MB of RAM for around $120. I'm pretty sure that got to where you could get the same type of RAM, about 64MB, for $75. That was because they were selling hordes of it, so the one time costs were amortized across more units, and there was less risk of overproducing.
Now the price is pretty outrageous. I know similar things happened for 30pin memory. I know that 30pin was going for $5-10/MB at a time when DIMMs were around $1 per MB. That's because reliable 30pin memory was hard to find, and not made in large volume.
Now for CDs, the same thing happens. When everyone stops buying CDs, and the backstock runs out, the price of CDs won't be $0.12. He's worried about the price never getting to $0.12, and instead moving in the other direction, because of its scarcity.
Go try buying audio tapes. They aren't as cheap as they used to be. And it's not all inflation. The other thing to remember is that at least some of the cheapness of CDs was due to the strong dollar (CD prices dropped from $10 in 1995 to $0.25 in 2001). That's also a timeframe when US currency was gaining value relative to foreign currency. Thus all imports got cheaper. It's part of the reason why computer prices fell so much in the US. They got cheaper to produce, and things are more efficient. However, just assuming that prices of parts will drop, and stay low long after they are produced in volume, is a false economy.
Kirby
Now, that we've got that out of the way, please, please, please, stop exaggerating the problem to the point of insanity in terms of cost.
Last time I checked, the world GDP is roughly $4 Quadrillion (a 16 digit number) dollars a year, I'm willing to go on record right now, and say that there is no way SPAM represents 1% of the world's economy.
According to http://www.bea.gov (gov't economic data collector), the 2002 GDP was $10 Trillion (roughly the 14 digit number you claimed Spam cost on a yearly basis).
I'm willing to bet that 25% of all Spam is received by someone in the U.S. That means that 25% of the US economy is represented via SPAM. If that is actually true, stopping SPAM would cause a world wide depression of a magnitude never before conceived of. You should never ever stop SPAM if it actually constituted that much of the US economy. The costs of SPAM are actually money that is spent, and is recorded as a profit by some other company, or is money spent on an employee. It's only bad if the profit or employee are in another country.
It's very, very important that the money be spent. The entire economy works when the money moves around it. The economy doesn't work when money sits in big piles. If what you are saying is true, Intel, Microsoft, Dell, IBM, and millions of IT workers worldwide owe their corporate profits, and personal paychecks directly to SPAM. Pardon me if I call nonsense at this point.
I'm going to go on record saying that's patently false, but it's the only logical conclusion of what you are saying. Thus, what you're saying is absurd. I'm willing to admit what you are saying is true in its basic premise, but the details are a bit irrational.
SPAM, might cost lots of money. However, a lot of that money is going to an ISP. It's not like it's lost money that is never found. It's not like the Spammers get that money. IT companies do, sysadmins do, all kinds of people get that money.
If spamming up and disappeared, you are claiming that a huge portion of the national GDP would evaporate, because 99% of all that money is just cycling around the system. Somebody in the US got paid that money. That's really, really good for the US economy. That money not going around is really, really, really bad.
It's surely not being embezzled by the Spammers. Spammers only get the money from the morons who pay them (either by paying referral fees for advertising, or from the people who actually purchase a product from them).
Yes, SPAM represents an inefficiency in the economy, but it can't be of the magnitude you are talking about. Most of the inefficiency is given to other corporations, or given to employees as money to be respent in the economy. All of which is good. About the only people who truly would lose out are people who run small businesses with no employees (thus dealing with SPAM costs them money directly, and prevents them from generating value that contributes to the GDP; however, the portion that goes to the ISP is actually a contribution to the GDP, and thus good for the economy).
Kirby
Lots of early movies were in fact pornographic. A lot of early money in the film industry was made off pornographic movies. I'd cite it, but I learned that on the "History Channel".
VHS tapes... Know what drove down the prices on VHS players and tapes? Pornography.
Who are the early adopters on DVDs? Pornographers.
Who drives highend video quality on like HDTV? Uhh, yep, that's them Porno-heads.
Who uses all of the high end technology in DVDs? Pornographers. Other than "The Matrix", I've never heard of a movie that uses the "Angle" feature in a movie (I've never seen it in the Matrix, but I didn't really care that much to look for it). However, I hear it's used most often in pornography.
Who drove a lot of the work on early video compression? Pornographers. Who do you think the early adopters on new codecs are? Porn heads.
I'm not saying they did the work, but they are the early adopters that spend outrageous sums of money to make it viable economically for the masses. Which is what this guy is talking about.
They are the ones who beta test all kinds of new technology. Pornography is the driving force behind nearly all Hi-Fi multimedia upgrades.
Communication is relegated to a secondary position in my mind, precisely because that's almost never an early adopter reason; it's a mass market reason. Early adopters are critical to pushing new technology. Pornheads, gamers, and the military are the three easy to identify groups who are always into the latest, greatest, cutting edge technology.
Just like Warez people are part of the reason you can buy a CDROM burner for what they cost. It's my understanding that some of that was driven by pornography because it was easy, safe archival. It was easy to transport. It was easy to duplicate and charge money for.
Yep, lots of them paved the way on broadband.
Kirby