If they won't listen to you, suggest that implementing such a complicated system may cause security problems and fight to have a security analyst come in to give it a once over. Where you as admin can be written off as 'over-reacting' when a 'high priced consulting company' makes the same recommendation in their report people take notice. Sad, but true. First thing I usually do on an engagement is try to talk to the admins and see what their security concerns are. If they're valid and within scope, I try to address them.
As someone that uses both extensively I've got some nitpicks.
1) No problem there. I prefer FreeBSD install, but Open is good too.
2) Limits that come to mind right now are SMP, some of the advanced routing (VRRP)... I'm sure there's more I've bumped up against, but I'm only on my second cup of coffee.
3) OpenBSD simply doesn't have all the bells and whistles that Linux or FreeBSD has. A recent version of Wine for instance, or OpenOffice (although I've read it can be compiled on Linux and copied over). And frankly comparing OpenBSD X11 to a Linux dist X11 (FreeBSD is somewhere in between) you'd see OpenBSD loses that race.
4) Huh? How is "patch -p0/path/to/patch" any harder on OpenBSD than FreeBSD? As someone that uses both daily, I use exactly the same commands and utilities (CVS, CVSUP, Mergemaster, make...) on both systems. Please explain why the bar to proper maintenance on OpenBSD is higher?
Same situation up here in Southern Ontario. The last job I interviewed for (made it to the second cut) had over 500 resumes in response to a posting for one position.
I used to work at an IBM shop that sold Ambras. I was the store technician. When I saw a customer (usually not one of mine) leaving with one I'd say "See you soon."
Ambra was a wholly owned subsidiary of IBM. The components were higher-end commodity PC parts, the kind that I'd put into a desktop for a friend. Something weird was going on in that plant though because I saw 1/3rd failure rate in them (far higher than I'd expect based on the hardware). I think (know) that has more to do with the death of the Ambra line than cutting in to PS/2 PC sales. In our store at least, we tried very hard not to sell one.
You are right though about bundling OS/2 with their machines. There were limited platforms that you could get OS/2 bundled with, and generally they weren't stocked in a store. I was the only OS/2 user in our store, and most of the store techs at the other stores knew nothing about it. Which was sort of nice because I got to play with OS/2 a lot. "OS/2 you need to see Bri at our other store." Our IBM sponsored OS/2 training was limited to a one day seminar. IBM as a whole did not support OS/2 when I was there.
It's too bad because OS/2 was a great system, I ran across an IVR running OS/2 last year. It was like meeting an old friend, and then clubbing him over the head like a baby seal. I was brought on to upgrade those boxes to NT because of IBM dropping support. The thing that speaks well of the OS/2 system is that no one in the rather sizeable IT staff knew anything about it. It had been set up years ago, and the person that implemented it moved on. It just sat there day in, day out routing callers without ever having to be touched.
After checking out your homepage I will of course defer to your knowledge. It's been a while since I've been in front of a Meridian terminal (and even longer since I've had to bounce one) so I'm sure I must've been thinking of the MAX/ACD boot prompts. Closest google search I could get said the M1 runs "an OS with it's roots in Unix and C/Pascal". Want to fill that gap in my memory for me? SYS IV based?
In the last two years I've had to migrate 6 boxes (2 OS/2, the rest *nix variants) to NT because the platforms were no longer supported. BTW, the OS/2 boxes were the most reliable IVRs I've ever supported. The last place I supported telecom the only *nix system was the Nortel switch itself. Everything else was NT based. I'd say that demonstrates the rush to NT by telecom vendors.
Glad you're happy. Some of us look with longing back to those non-tech jobs. I worked in a blast furnace and coke ovens at the local steel mill for a few years after I left high school, I also worked construction as a labourer. If either of those companies had called me anytime in the last 3 years, I wouldn't have even cleaned out my desk before leaving. I'd just have been gone *poof*. "Where's Brian?" "I don't know, he said something about needing work boots and then left."
I'm not sure what exactly it is about the IT industry. Maybe it's that something I used to LOVE has become drudgery. Maybe it's the fact that you never get away from your work (what with pagers and cellphones)... Maybe it's something about management practices. All I know is that I'm not the only one. I've had the same conversation many times with people that have been in the business about the same length of time that I have. All are skilled, largely self-taught, and could probably get another job in the industry the next day. They got in it for the love of what they were doing. Now many of them are looking at the guy doing the landscaping and thinking "Geez, I wish that was me."
I'm hopeful though. I quit my last employer (an IT security consultancy) last month. Right now I'm trying to find something that doesn't involve any computer work. Hopefully I can find something and be done with the industry completely.
I think the most telling stat is that over 50% of Mac users have been online for over 5 years. I think this is indicative of one of the problems Apple has. Your average Mac user has owned Macs forever and likely will continue to own a Mac as long as he can find a working one. However, Apple attracts very few new users. "I want to buy a computer" has come to mean "I want to buy an i386 based system." Joe Six-pack buys a Dell, a Gateway, or a generic clone for his kids when they say they want a computer. While he probably knows that something called a Mac exists, it's unlikely there's ever any serious consideration of buying one.
Theo and team seem confident in Sendmail's security. They've spent upwards of 30 hours going through the source and reporting bugs. That's why it's included in the default install. Keep in mind that you can easily disable sendmail and go to postfix or another mail transfer agent through the ports tree if you don't trust Theo's judgement. An email regarding the why's of using Sendmail versus another MTA is here.
I implement sendmail all the time, and I work in an IT security shop. Set up properly, it's rock solid. My pen-tester co-workers have the same knee-jerk reaction to sendmail that you have. They heard somewhere that sendmail is insecure... Funny though, not one of them has been able to penetrate any of my OpenBSD boxes, through sendmail or any other avenue. These are guys that walk through firewalls and IIS webservers in moments. They're so good at this, that we give a money back guarantee, we don't get in, it's free. If OpenBSD gets popular, we might start losing money.
This comment would mean more if you knew what you're talking about. Secure FTP is a file transfer protocol through an SSH tunnel. There's no resemblance to FTP other than the command set. It runs through an SSH tunnel, so there's no security issue and based on the ability to choose one of many encryption algorithms I'd say it's more secure than an https transfer. There's no multiple ports, all data is transferred through port 22.
For the record, when I'm not at a *nix command line I like SecureFX by Van Dyke.
You take that back! I'm winning the lottery this weekend for sure.
Sigh, Slashdot keeps dropping the '' in the command line, but you get the drift.
Errr, of course that should be "patch -p0 /path/to/patch". See aforementioned coffee deficiency.
I'd have thought my comment would get a +1 Informative.
Take up landscaping.
Underneath the MML is SYSV in a Nortel PBX.
I seriously doubt that. Mine (PR37729) is 24 days old and hasn't been touched yet.
Sendmail in OpenBSD hasn't run as root since 2.9.
Futureshop has them for $39.99 Canadian.
So does picobsd. EmBSD won't fit on a floppy but it's a shrunk down version of OpenBSD. Seems like the closedBSD guys are reinventing the wheel.