Slashdot Mirror


User: noweb4u

noweb4u's activity in the archive.

Stories: 0
Comments: 94

Comments · 94

  1. Keep keys on Shopping for Building Access Security? · · Score: 1

    Make sure you can get where the door controller is at in the event of a hard power failure. Don't rely on a UPS to help you with this.

    Otherwise plan on finding clever ways to hit the emergency door lock release button from outside the door area, and then plan on crawling through the ceiling to get to where the card system is at.

    FWIW, the door system I am complaining about was put in before I got there. It was easier to change employers than to get that stuff changed after the fact.

    Oh, and don't underestimate the ease of breaking into your place. I've done it with mine using a myriad of ways, including a dowel rod to push the emergency release button our fire code mandated us to have (the suite was inside a larger building, and the doors chosen for cosmetic reasons allowed a small gap through which you could stick things); using a heated water balloon taped to a drinking straw or two, wiggled in front of the motion sensor that opened the door when someone approached it from the inside; having the building maintenance staff trigger the system's fire alarm door lock override system from the fire panel; or in one case, just waiting until the UPS the door magnets were on lost power and then walking right in.

    Also, never underestimate the vulnerability of the door handle lock if you use the type of door locks that sit in the doorjamb and simply make it so the always-locked door can be opened.

    And don't forget the human element. You may want to ensure your doors have some sort of mechanism to alert security if they are propped open. You may want to install a local buzzer to discourage such practices.

  2. Re:Why is PBX and VOIP mutually exclusive? on Will VoIP Kill the PBX? · · Score: 1

    Altigen PBXen are awesome. There have been a lot of things that bugged me here or there, but amusingly enough they were easily worked around with features used in bastardized ways, or even better, by simply reading the manual I can see "oh, I didn't think to look there, I'm such a dork", and the feature was there the whole time.

    I just sacrificed my entire weekend to an OS upgrade on our system. Ours is of similar vintage to yours (2000) and there were some problems out of the gate, mostly regarding RAID controller firmware versions, and some other stuff. But the system crapped out during the update because we didn't power-cycle the system fully after a RAID card firmware update (and it didn't ask us to either... so...) and it suddenly zapped the config on the RAID card, and trashed our disks so bad they now report their size to be "0 MB" when attached to a different system with a normal SCSI card, and one of them doesn't identify anymore.

    Beware also if you ever upgrade the OS to 2k (if it's not already) that you can't have a card set to card # 0. I don't know why. But if you do, it won't detect any of your cards. Start your card numbering at 1. The good part is that if you remove card 0, and set it to something like 12, the system figures out that card 0 is gone, sets all the extensions attached to it to virtuals, and doesn't lose any other extensions on the system. I just told my users "If your phone doesn't work this morning, just hit #27 and enter what it's asking for". Even after spending 36 hours straight fixing the hardware, I can say that in 4 years, that's the only serious complaint I've ever had with the system, and I still recommend it (and I've only been done fixing this for less than 12 hours). I really wish it had more press, since it's a really neat machine, and serves well to legitimize the idea that a PBX can be run on a computer, and still be damn stable.

    If only the fucker supported SIP rather than H323, I could have affordable IP extensions. :-)

  3. Re:PBX/VOIP Suggestions Please! on Will VoIP Kill the PBX? · · Score: 1

    I'm pretty satisfied with our Altigen phone system. It's had its occasional blips of issues over the years, but they were few and far between, and you just can't beat the point and click management of it. I've been using Asterisk since June of last year, and I still like our Altigen more, even though I think the Asterisk machine is far more flexible and fun to play with. The Altigen stuff is easy, gives neat features like screen popups on inbound calls for Windows users, and I've seen tons of documentation talking about integration with Microsoft Exchange. I've been meaning to experiment with that, but even without all that, it's still awesome, and incredibly easy to use even for people who don't understand how phone systems work. My phone-impaired but otherwise quite techie coworker has no trouble dealing with the basic management aspects of the system when I'm out. I'm stronger at the system because I understand how the phone companies and the technologies like PRI and VoIP work, but 99% of what I do on the system pretty much anyone could do, because they make it easy without sacrificing too much power.

  4. Re:I don't care what you say on Dept. of Defense IPv6 Interoperabilty Test Begins · · Score: 1

    If someone put out a replacement to the Linksys boxen that simply blocked non-established connections, people would. When v6 comes, people are going to look to replace their Linksys machines with more Linksys hardware that does similar things for v6. And it will, without NAT.

  5. Re:I don't care what you say on Dept. of Defense IPv6 Interoperabilty Test Begins · · Score: 1

    voicepulse.com also does it. Hell, *I* provide VoIP SIP termination. It's not that difficult.

    NAT is the bane of getting stuff like this working and operational. Just because we've found a way to work around NAT doesn't mean it's easy, or desirable. And only one side can be behind a NAT. If you try to make both behind a NAT, it breaks horribly. I've tried it.

    NAT is an abomination, and needs to go away. NAT isn't security, NAT isn't firewalling, and NAT certainly breaks more things than it fixes. Thousands of innovative applications don't work because there's too much of an installed base of NAT machines. Microsoft is developing an application that installs an IPv6 stack on your machine, provides a tunnel to the IPv6 network through Microsoft technology called Teredo, so that peer to peer stuff will work right again. The fact the largest software company in the world has to go to these lengths says something.

  6. Re:I don't care what you say on Dept. of Defense IPv6 Interoperabilty Test Begins · · Score: 1

    Exactly. Linksys will produce a box that filters IPv6 traffic for you in a similar manner, but you'll have a public, static IP, and more than one host behind it can properly do IPSEC, and all kinds of nifty stuff. You could use the box to protect a few servers, all of which are on public IPv6 addresses listening on port 80. People who saw the internet before consumer ISPs started restricting how address space was used understand the potential, and know what we lost when people started accepting NAT.

    And I personally can't wait to have it back.

  7. Re:I don't care what you say on Dept. of Defense IPv6 Interoperabilty Test Begins · · Score: 1

    Block packets going to it. It doesn't need NAT to do this, it simply needs to have all ports blocked that aren't supposed to be providing public services. I have quite a few machines that are running on the outside of NAT, and simply blocking off things like portmapper and stuff like that (or *shock horror* not running them to begin with because it's unnecessary) means that I'm actually just as secure as you, if not more. -AND- I can do useful things with protocols like SIP, H.323, and other things that were designed to work in a peer to peer sort of way, rather than client/server.

  8. Re:Waste of time *TRULY A WASTE OF TIME* on Resolving Everything: VeriSign Adds Wildcards · · Score: 1

    This won't do a damn bit of good about this problem. .net and .com are still delegated to Verisign's GTLD servers, and you'll still get wildcarded. This is *NOT* a root server issue, but a GTLD issue for .net and .com.
    No matter what bastardized root server confederation you can come up with, it won't help you here.

  9. Re:Linux as Kernel only.... on Microsoft Longhorn Delayed · · Score: 1

    The kernel is capable of bootstrapping itself if written raw to a floppy disk (or at least it was at one time).

    Hardcode your rules in the kernel. Set your IP address as the NIC is detected, and when IPTABLES is initialized, do so with a default set of rules which matches your requirements exactly. Don't forget to make ip_forward default to 1 instead of 0! (It used to, in 2.0.x series kernels with forwarding enabled in kernel)

    Change the part of the kernel which starts /sbin/init to simply run "while (1) { sleep 1; };"

    But now we're stepping into the level of pedantics that only a slashdot user could appreciate.

    The idea was to demonstrate you don't need a usable OS to run a system. It could be very simple to make a kernel that does only forward packets after inspecting them with IPtables, and if I were better at C programming, I'd demonstrate.

    Besides, as far as I know, Stallman's reminders are to reinforce the idea of calling it "GNU/Linux" rather than just Linux. Not to challenge some kernel hacker to write an implementation that is self running.

  10. Re:Linux as Kernel only.... on Microsoft Longhorn Delayed · · Score: 2, Interesting

    Wrong. I've used a Linux machine when init had died, and only the kernel was working and running. Even parts of the kernel were dead and locked.
    I've been sitting at a kernel oops where I was still routing, blocking, and natting packets via the machine using iptables.

    I could easily set up a machine where there are only a few executables, and replace /sbin/init with a program that loaded my IPtables policies and went into a "while (1) { sleep 1000; };" loop. Control it with the power switch. The filesystem's not dirty because it never went read/write.

    Hell, my Linux firewall already is using bridging code to filter packets without having a valid IP address to attack it. It's crashed multiple times where I couldn't manage it, but it was working just fine.

  11. Re:stupid question on During Blackout, Ham Radio Shined · · Score: 1

    My Yaesu VX-1R HT came with schematics in the box. I know what you're saying about tinkering, but the idea that I can trace a problem back and maybe fix a part in the RF stage is still a possibility, if I had to, despite how hard the surface mount components make this. *grumble*

  12. Re:What a shame, Ricochet would be perfect. on LA Cops get Wi-Fi Drive By Access · · Score: 1

    Indeed. We'll have to see what ever gets done with that.

  13. Re:Good news, but it won't help... on Michigander Beats Spammer With "Junk Fax" Law · · Score: 1

    What I meant to say is that they can't insert headers in the middle of other Received headers. Once it starts traveling through relays, there's a reliable set of headers next to each other. Generally it's fairly obvious where they begin spoofing headers, because they all often suck at it.

  14. Re:Good news, but it won't help... on Michigander Beats Spammer With "Junk Fax" Law · · Score: 1

    They do forge Received lines, all the time, but they're easy to identify. They can't make them appear in the same way that other received headers appear. I wish I had a good example, but examine your headers carefully, it's generally pretty obvious. :-)

  15. Re:Alan Ralsky on Michigander Beats Spammer With "Junk Fax" Law · · Score: 1

    I've seen his house. I got a bunch of information on him I shouldn't have, and went to track down his house. It's just off 15 mile not too far from Haggerty.

  16. Re:Great! on Why VHS Was Better Than Betamax · · Score: 1

    Actually, Beta is still in use heavily in the television industry. Many reporters carry around video cameras with Betamax decks in them. It may be digital Betamax now, but it is still Betamax.

  17. Re:Is this a YNCORW ? on Debian-Installer Alpha Released · · Score: 1

    I liked the installer from Progeny, but the issue I had is that it wouldn't recognise a RAID device as a root partition. It had boot support, it could see the device, but it listed I had no drives. It was a Mylex RAID controller. I know most people don't have these on their desktop, but if the controller is detected, it should at least be usable for installation. :-/

  18. Re:Reminds me of an Onion article on Because Only Terrorists Use 802.11 · · Score: 1

    Scary when an Onion article seems all too real, isn't it? :-)

  19. Re:Other humorous error messages on Gnarly Error Messages · · Score: 1

    I think the shell does this if you are logged in under a UID that no longer exists in /etc/passwd. I got this not too long ago when there was a machine at work that was so hosed it couldn't get a free file handle to open /etc/passwd. I logged in and it told me "You do not exist. Go away."

    It seemed not-so-humorous at the time, but I laugh now when I think about it.

  20. Re:Keyboard ROMs that don't know when to die. on Gnarly Error Messages · · Score: 1

    My M-Series does that all the time. I gotta get it working again though. It died sometime when I was doing all my moving in the last few years.

  21. Re:What content? on LWN.net Closing Down · · Score: 1

    Nonsense. A lot of colo providers offer bandwidth cheap because you don't have to pay for the local loop, and they buy bandwidth "in bulk".
    If you get 3mb committed, burstable to 10, billed at 95th percentile, you can usually get halfway decent prices in a colo center.

  22. Re:rubi-con on Security Gatherings for the Little Guys · · Score: 2, Informative

    I know two of the organizers personally. They're planning to make it even better this year, with better speakers, more organization, and less random vandalism. I understand they are also going to have a commons area this time, other than the heavily smoke-filled network room.
    The price is up $10 this year, but it's going to be well worth it. That and forno already said he'd be a speaker again next year (just not a keynote ;-) ).
    I'd suggest if you live in the midwest, especially Michigan, this is the place to go. :-)

  23. Re:Oh yes, I remember WASP on Return of the WaSP · · Score: 1

    I remember this too.

  24. Re:TWEEEEEEEET on Sun Discovers Dumb Terminals · · Score: 1

    What you were using was NFS. This is something entirely different where the programs are running on the server, and load faster than a mofo. All that goes across the net are the screen, sound, keyboard, and mouse. Kinda like a network based KVM.

  25. Re:Richochet is cool on Ricochet Bounces Back, Cautiously · · Score: 1

    :-) I've been known to from time to time. I used to karma whore back in 1999-2000 (but I wasn't good at it :-) ) and lately I've just checked here from time to time.

    Climbing gear would be too suspicious, plus we want to leave all the gear on the poles, we just want to find out how to make them respond to us and become under our control - then you write a script to do it, and get a cherry picker and run the script on all the poletops to assume control of the network, then it's open and available for public use. :-)

    Granted there may be things that make this impractical (not counting the number of nodes you potentially might have to do this on (say... Pontiac to Madison Heights and Southfield for example)) but in the end it might be worth it if we get the affirmative word that they're not gonna light up DTW again. :-)