...with Hotmail, you're lucky to get your data in to begin with. Smartscreen my a$$.
preferred my 286 processor with DOS 3.5 and XTree Gold:)
No need sir. Obscure references to early work are most welcome.
Thanks
-Ben
Adobe Reader...making sendmail look good since 2004! :)
-Ben
...actually, we've been stung by some crap coming via either acrobat reader or flash since those last two exploits were noted. Our users are all unprivileged. Windows was fully patched, SAV up-to-date, etc. This stuff is ready and willing to run with limited rights. It doesn't hose the machine, as you can simply kill the local registry hive to clean it (worst case), but it was nasty none-the-less.
Not saying GP wasn't running as admin, but it's not necessarily a requirement for these nasties any more.
-Ben
I personally know of no other company that has such an initiative (would be awesome to see MS do the same though, but somehow I'm not entirely hopeful that we'll see that day).
A disgruntled mail admin.
-Ben
You mean just like Windows 7? <grin>
-Ben
We're using v2 also, but a friend and I were recently discussing v3 and he pointed me at http://www.cfengine.org/downloads/cf3-reference.html#Upgrading-from-cfengine-2, which seems to indicate that there is decent support to transition between the two versions, thus doing incremental changeover.
I haven't looked further into it, but on the surface, it looks like a good option.
-Ben
While I _mostly_ agree with this, a nice policy management (configuration management mostly) tool is also essential when dealing with lots of boxes. You want a new setting for all Gnome desktops, simply add it to the policy tool and let it distribute any required config files or run commands to change the setting, etc. This type of thing used to be done with things like: for h in $all_my_hosts; do ssh $h /tweak/some/setting; done
CFEngine and Puppet and friends are a nicer way of doing this. They're "self documenting" in that you write the code and then you can later very easily see when you added some configuration bits, etc...version control your configuration management scripts and you get even better tracking of who did what and when. (A side question: How does one do the version control type stuff in AD?)
While kickstart is great (I use it), it only goes so far. Having a policy manager on top of that (installed and configured in the kickstart) is a beautiful thing!
-Ben
I was going to say CFEngine, but that's only because it's what I'm currently using. I'd love to move to puppet but at the time we deployed CFEngine, puppet wasn't ready for all the things we needed it to do (windows and solaris in addition to linux)...this has likely changed now, but we've got a lot of cf scripts that would need conversion.
Whichever tool is chosen (there are others in this space too), I believe this is the correct answer. I know that CFEngine scares a lot of people off (and maybe puppet does too?), but it is an excellent way to manage a large set of hosts.
-Ben
middle school kids. They don't have to grok it, they just have to have the chance to be inspired by it. Also...if the principal ran into you in
Although I think grokking is an important part, you're exactly right. Inspiration is sorely lacking for most kids in a north american education system (I won't speak for other parts of the world here). Only a few lucky ones have something grab their imaginations in such a way that they're turned on to self learning, etc. If only 'inspiring others' was something easily taught and passed on...
-Ben
While I don't consider my UID low, I do remember signal11. Man he/she was annoying! What about Jon Katz..? Ok, I've obviously been hanging around for far too long.
-Ben
I actually took this to mean that even MS employees needed a bribe to run Vista! :) *ducks*
-Ben
I still remember XTree Gold fondly...that was one hell of a file manager with some extra goodies tacked in (hex + text editing, etc). People always raved about Norton Commander, but I'd take XTree any day. I think it would still hold up well today...When it came to working with multiple files at the same time it was great. Its use of Ctrl or Alt to work with the current file or the currently selected files (I don't remember the specifics), etc was a very intuitive way to organize the keyboard shortcuts.
Thanks for the good memories!
-Ben
Speaking of bad taste, check this out: http://rants-raves.net/2007/09/james-brolin-happy-911-wtf.html
What an idiot!
-Ben
Renaming of replacement files happens at boot...windows can't delete open files like unix can, thus the new dll's can't be put in place until reboot. You should be safe in that regard. If windows is able to swap the file, then nothing is currently using it.
-Ben
Or...you could just tweak the setting so that it applies patches but waits for permission to reboot. Group Policy (gpedit.msc) somewhere...
Not perfect, but it seems a best of breed given the available options.
-Ben
You mean it's not a Finite State machine?
-Ben
I'm servicing 3 computer labs consisting of roughly 100 workstations here, all with a Samba/Linux backend. I have nothing but praise for Samba and would highly recommend it to anyone. I have some native clients and some that are housed in a vmware image. I have cross platform printing, cross platform credentials (thanks to password sync) and cross platform ~/. What's not to like?
The only downside is that until v4 hits the streets, we can't do full AD. We could of course get around this by dropping in a single 2k3 box to be the DC, but we'd like to avoid that if possible. I'm really looking forward to v4, as AD is one of the good things MS has done, imo (standards adherence aside)!
-Ben
I seem to recall seeing somewhere that /sbin meaning 'system binary' is a relatively new term also, the original being 'static binary.' I don't recall where I read this (some other /. thread?) and can't be bothered to google, but I'll throw it out there anyway.
-Ben
As a mail admin at a Canadian university, we're hesitant to go with any of these services. The fact that the data would live on servers in the US run by US companies and subject to their laws kinda leaves a sour taste in our mouths...especially post September 11. That hasn't stopped other Canadian universities from going with Campus GMail.
-Ben
But I use Ruby you insensitive clod!
irb(main):001:0> 1000000000000000+1000000000000000
=> 2000000000000000
Guess I should get that cup of coffee now, eh?
-Ben
You mean 'i' right?
-Ben
+1 smartass
A good nitpick here and there is good for everyone! Thanks for the morning laugh.
-Ben
220 ...
EHLO f.q.d.n.
220 OK
MAIL FROM: (<> or postmaster or recipient)
220 OK
RCPT TO: (the apparent sender)
(220 OK or 550 bad user... or etc)
QUIT
The last status code indicates whether that address is permitted on the remote MX or not. The problem here is greylisting by the remote MX...it's better to only teergrube/tarpit connections you can't remotely verify these days rather than drop them outright. The escalation of the spam war has made sender verification not as foolproof as it used to be.
-Ben
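The callout described in the comment above, worked as an added example (not part of the original comment): it reads the remote MX's reply to RCPT TO and treats a greylisting-style temporary failure as "unverifiable" rather than as a rejection. The function names, the sample transcripts and the verdict-to-action mapping are assumptions made for illustration, and the samples use the standard reply classes (2xx success, 4xx temporary failure, 5xx permanent failure).

```python
import re

REPLY = re.compile(r"^(\d{3})(?:([ -]).*)?$")

def rcpt_reply_code(transcript):
    """Final reply code the remote MX gave to RCPT TO, or None if there was none."""
    awaiting = False
    for line in transcript.strip().splitlines():
        m = REPLY.match(line.strip())
        if m is None:
            # A client command; only the reply that follows RCPT TO matters here.
            awaiting = line.strip().upper().startswith("RCPT TO:")
        elif awaiting and m.group(2) != "-":  # "550-..." is a continuation line
            return int(m.group(1))
    return None

def callout_verdict(transcript):
    code = rcpt_reply_code(transcript)
    if code is not None and 200 <= code < 300:
        return "verified"
    if code is not None and 500 <= code < 600:
        return "rejected"
    # 4xx (greylisting, deferral) or a session that ended early proves nothing.
    return "unverifiable"

# Assumed local policy: tarpit what cannot be verified instead of dropping it.
ACTION = {"verified": "accept", "rejected": "reject", "unverifiable": "tarpit"}

def action_for(transcript):
    return ACTION[callout_verdict(transcript)]

# Constructed sample sessions (example.net / example.org are placeholders).
HEAD = """220 mx.example.net ESMTP
EHLO mail.example.org
250-mx.example.net
250 PIPELINING
MAIL FROM:<>
250 OK
"""
ACCEPTED = HEAD + "RCPT TO:<alice@example.net>\n250 OK\nQUIT\n221 Bye\n"
GREYLISTED = HEAD + "RCPT TO:<alice@example.net>\n450 4.7.1 Greylisted, try later\nQUIT\n"
BAD_USER = HEAD + "RCPT TO:<nobody@example.net>\n550-5.1.1 No such user\n550 5.1.1 here\nQUIT\n"
DROPPED = HEAD  # connection ended before RCPT TO was answered

if __name__ == "__main__":
    for name in ("ACCEPTED", "GREYLISTED", "BAD_USER", "DROPPED"):
        print(name, callout_verdict(globals()[name]), action_for(globals()[name]))
```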
By lacky, surely you mean a pfy? (Hopefully I've just introduced someone to a whole night's worth of wasted time filled with lots of good laughs/groans.)
-Ben
Didn't they have to have the product available before the end of 2006 to meet contractual obligations with some companies that signed up for a 'get new ms stuff cheap' program a few years back? I don't recall the name of the program, but basically it means that 'subscribers' would get severely discounted prices on future products if they pay a sum up front.
I could be wrong. This is from memory and I haven't googled for anything either.
-Ben