Slashdot Mirror


User: fimbulvetr

fimbulvetr's activity in the archive.

Stories: 0
Comments: 1,340

Comments · 1,340

  1. Re:Gotta love SSH tunneling on SSH Tunnels How-to? · · Score: 5, Informative

    This is exactly what I do, and let me tell you what: It's saved my ass a few times.

    I also run two browser profiles with one being the proxied and one being normal, with different shortcuts to each. I separate the instances so my employer still sees a lot of traffic so they don't get suspicious. The work-related ones get me to lots of vendors sites, googling for solutions, etc.

    I use a sh script to start my second one. It looks for an already open port just in case I killed the browser accidentally and don't need to re-establish the tunnel. It re-establishes if it needs to.

    You could also proxy your IM messages through these, though I haven't gone to that length yet. Here's my sh script:

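    #!/bin/sh

    # Check whether anything is already using port 8888 (the local tunnel end).
    STAT=`netstat -an | grep 8888`
    if [ "$STAT" = "" ]
    then
        # No tunnel yet: forward local port 8888 to port 8888 on the remote host.
        # The remote perl loop prints the time every 10 seconds, which keeps the
        # remote command (and with it the tunnel) running.

        #friendshomemachine
        # ssh -L 8888:127.0.0.1:8888 friendshomemachine "perl -e 'while (1) { print localtime.\"\\n\";sleep 10;}'" &
        #mine
        ssh -L 8888:127.0.0.1:8888 myhomemachine "perl -e 'while (1) { print localtime.\"\\n\";sleep 10;}'" &
        #friendshomemachine
        # ssh -c blowfish-cbc -C -f -N -L 8888:127.0.0.1:8888 friendshomemachine "perl -e 'while (1) { print localtime.\"\\n\";sleep 10;}'" &
        #mward
        # ssh -c blowfish-cbc -C -f -N -L 8888:127.0.0.1:8888 friendshomemachine "perl -e 'while (1) { print localtime.\"\\n\";sleep 10;}'" &
    fi

    # Start the browser profile that is configured to use the proxy.
    /usr/local/firefox/firefox -P encrypted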

    I've heard blowfish is slower, but it doesn't seem to be when you're just browsing. Feel free to experiment. Others with more knowledge as to what's faster, please let me know.

  2. Re:Debian rocks -- The book less so on The Debian System Explained · · Score: 1

    I haven't purchased or even bought TFB, but there are some things I wonder:

    1. Is apache 2's layout covered? I understand it, because it's intuitive to me because I've been working with huge numbers of virtual hosts for years, but many of my friends/coworkers get confused by the whole sites-enabled/sites-available thing.

    2. Is it covered that apache and apache2 can coexist and the gotchas of such a setup?

    3. Do you cover the areas where sysadmins can get bitten? For instance, if I have hundreds of gigs and millions of files in my /home directory, do you mention that it's a good idea to disable the cron that searches every night for setuid files, etc, otherwise the load will kill the machine?

    4. Do you go into the updating suggestions? For instance, is it a good idea to run apt-get update; apt-get upgrade in a cron? If not, do you suggest we log in every day and do it? Or is there a utility you include in your book that can list the updates available for that specific machine and email it to an admin every day? How about reporting it to something like hobbit?

    I could go on...and on...but I'm anxious to hear your responses.

  3. Re:I find such lack of security... on First Windows Vista Security Update Released · · Score: 2, Insightful

    Now, any good sysadmin knows that he shouldn't be running 2.6 yet, which renders most of the 2.6 vulnerabilities moot for gauging the security of a linux box. When 2.4 was riddled with holes, we used 2.2, and so on.

    Another thing good sysadmins should do to minimize threats is to chroot all of his daemons as well as not provide them with logon shells and huge 100+ character pwgen'd passwords - effectively negating the vulnerability from a server standpoint.

    Those are just two of the things Linux offers us that M$ software does not. To say that local exploits on the newest kernel should be humbling to the linux community because it's no better than Microsoft's latest "stable" OS is ignorance in just about every way.

  4. Re:Best Way To Evaluate on Evaluating the Performance of an IT Department? · · Score: 1

    Bad news. This way is a bad way to do it and I'll tell you why:

    Complacency. Your department will work to get everything stable, then stop. They'll never touch those apps/servers/machines again because they know that stability is paramount and any changes are bad. What happens in 5 years when your software is 12 versions behind and your hardware is so old it starts dropping like flies?

    The truth is, upgrading/changing/migrating is not something that can be stopped easily and cheaply. One or two years is fine, but you also have to make sure your employees understand the ever-changing landscape and the big picture and keep working for that IT Nirvana of having identical devel and prod environments, good uptimes, new servers, more disk space, improved apps, etc.

    At one of the places I worked, the uptime on the border routers was so important their version of IOS was 8 or so years old. Why should they change it? Uptime is the most important thing right? Well, how about security vulnerabilities? Or how about that dreaded day when an upgrade is compulsory? Are you going to hope all of the old IOS commands still work the same way or even still exist?

  5. Re:I find such lack of security... on First Windows Vista Security Update Released · · Score: 3, Informative

    Say what???
    Just about weekly? I beg to differ. Last local root exploit:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3257 Date? 2005-10-17

    The one before:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2490 (and 2492, both with sendmsg) Date? 2005-09-09

    How about the one before?

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1768 Date? 2005-07-11

    Perhaps you'd like to back up your claim?

    Dozens? No. Several? Yes. Dozen? About that. How many would M$ products have if as many eyes analyzed it relentlessly? A metric assload. Take the partial 2k source code for an example.

  6. Re:Current Snapshot on Apple Surpasses Dell's Market Value · · Score: 1

    I bought google at $216...and it was a darling stock then...are you saying I shouldn't have bought it and later sold it?

  7. Re:Birds of Prey or Carrion Birds? on Ancestors of Homo Sapiens Hunted by Birds · · Score: 0, Flamebait

    And since you're no evolutionist, you won't get offended right? You've got a better explanation, apparently. Perhaps some magical creature just created us out of the blue, perhaps? Nothing you can disprove, unlike the assertions in this article.

  8. Re:Still no multiple SMTP on Thunderbird 1.5 Arrives · · Score: 1

    You realize that as long as the server relays for you, it doesn't generally matter what server you use, right? I mean, joe isp generally doesn't care if you send as fred@isp.net or billclinton@whitehouse.gov, so what's the big deal?

    I realize that you may want a choice, like, say, my first account's SMTP server is slow and tags some of my mail as spam - but then, why would you want to use it anyway?

    Unless, of course, some of the accounts you're using utilize the excuse-for-a-solution SPF.

  9. Re:But does it have... on Thunderbird 1.5 Arrives · · Score: 3, Informative

    You should try using evolution. I recently switched to that from using thunderbird for 1.5 years, and kmail before that. At this rate, it'll be a long time before I switch again.

  10. Re:Come back on Microsoft Challenges Linux's Legacy Claims · · Score: 1


    Let me know when you can go to the store and pick up a copy of that OS.


    I might actually be interested in that. Considering that Apple can get such a rabid fan base and said fan base lets them get away with so many absurd vulnerabilities ( http://www.osvbd.org/ ), I'd say that windows is probably more secure on PPC than OSX is.

    But then again, I'll get modded down despite my ability to distil the truth, because /. has grown so much of a following. Perhaps it's because the smarter people moved to a different site? Maybe the ones who moved away are the ones who could form their own opinions based on the facts ( http://www.osvbd.org/ )?

    Those are just public vulnerabilities...but if you hang around in the right spots you already know that many more zero days exist for OSX than any other os.

  11. Re:Hell no on Linux in a Business - Got Root? · · Score: 1

    chown removes set*id bits.

  12. Re:TV news on DVD? (was) Why is this a problem? on Sorting Through the Analog to Digital TV Mess · · Score: 1

    You forgot The Daily Show!!!!

    The only source for news. Although, it's generally available on bittorrent.

  13. Re:Damned if you do, damned if you don't on Sorting Through the Analog to Digital TV Mess · · Score: 3, Insightful

    Except that a few 1.5B here and a few 1.5B here lead to us raising the debt limit:

    http://today.reuters.com/News/newsArticle.aspx?type=politicsNews&storyID=2005-12-29T225501Z_01_KNE982458_RTRUKOC_0_US-ECONOMY-DEBTLIMIT.xml

    I don't know about you, but I'm not a big fan of that.

  14. Re:For those of us who are ignorant on South Park Turns to Xserve for Storage Upgrade · · Score: -1, Flamebait

    You mean well built hardware like the g4 cube? Or maybe the scratchable ipod? The infamous (Both Desktop and Portable) LCDs? I wonder how often the logic board fails? What about the Imac power button issue?

    The truth is, Apple is not infallible, and it's zealotry to claim as much.

    Personally, I would have stuck with a nice IBM EXP, Dell StorEdge, or better yet: SATA drives and a nice, proven, reliable Netapp.

    The fact that it's news because apple got its first commercial Xserve sale in its life is absurd, but commonplace on good ol' apple dot.

  15. Re:Except for one feature on The Boot Loader Showdown · · Score: 1

    Send it bad form then, just let them know it's not perfect and you haven't spent any time on it lately.

    A lot of time, patches show there is some committed interest in a feature and developers are a lot more likely to implement a feature if a patch (Even if it's old/incomplete/imperfect) is sent as opposed to some half-hearted request.

  16. Re:From a retail store owner on Santa Shopped Online This Year · · Score: 1

    Bollocks! You'd never be able to convince me that some guy can run a business AND have a hobby! It's IMPOSSIBLE! What's next? Next you're gonna tell me he's posting on internet forums on his days off!

  17. Re:From a retail store owner on Santa Shopped Online This Year · · Score: 4, Insightful

    He has another comment here:
    http://slashdot.org/comments.pl?sid=172698&cid=14375640

    Basically, he has an exit strategy. Something a lot of people with businesses/investments don't have. An exit strategy is essential and following it is even more essential. Personally, I applaud him for such a move. He might lose some money on it (Costs of shutting down, lost profits), but chances are good that he's probably going to be correct more often than not on the signals he's getting. Sometimes it's just better to quit while you're ahead, especially in a case like this when he can see some clouds moving in.

  18. Re:Happy New Year on Leap Second At The End of 2005 · · Score: 1

    If you look at the etymology of the word, you can get a good idea as to why it's spelled with an a instead of an e. The mere knowledge of where the word comes from will serve as an excellent mnemonic device for spelling it correctly when the time comes. I myself suffered from the same condition up until about 2 years ago.

  19. Re:Why use RSS on Of Internet Users, Only 4% Knowingly Use RSS · · Score: 4, Interesting

    I prefer IM over the phone. In fact, I regularly demand it instead. IM is so much more convenient because it's not an atomic action, the phone is. I do have to drop what I'm doing to answer my coworker's question. I can finish the last 10 seconds of work on my widget, then alt-tab over to what he asked. I can then reply back, he can finish his widget work and read it. Phone calls demand your immediate attention and go poorly when you can't give it. It's also a bit more convenient than email. No sending or receiving, no waiting for message delays and most importantly, I know everyone on my contact list, so it's probably not spam, I know it's pretty important, etc.

    Kopete makes instant messaging especially great. The little conversation bubble is non-intrusive and you can group chats so you only have one window instead of 12 windows for 12 conversations with 12 people.

  20. Re:These numbers are meaningless. on 5,198 Software Flaws Found in 2005 · · Score: 1

    It's also meaningless because it unfairly groups Apple in with Linux/Unix. Solaris might have its share of bugs, and linux surely has exploits more often than we'd like, but if you browse through the Apple vulnerabilities, you'd see that most of them are blatant, stupid oversights that people should be fired for. I wouldn't be surprised if Apple has the majority in the unix/linux group - commonalities aside.

    Apple needs to get someone who knows a thing about security, because the false belief "its unix its secure" is about to crumble.

  21. Re:The state of security on 5,198 Software Flaws Found in 2005 · · Score: 1, Troll

    DJB writes his software exactly like he wants. No features, no options, etc. Qmail needs special patches that he hasn't blessed to read from ldap. Djbdns won't even listen on a different port unless you edit the code manually.

    Calling his code secure is like buying a 1929 Model A and saying the wiring is reliable. There is nothing outside of the coil/spark plugs. The power windows/locks/brakes/steering/fuel pump never fail, because it's impossible for them to.

    Plus it's always nice when you get to deny that flaws exist in your software and your rabid fan guild protects you to the death.

    A better example of a secure code writer is W. Venema or even Torvalds.

  22. Re:Same thing on Windows XP Flaw 'Extremely Serious' · · Score: 1

    http://ubuntulinux.org/

    So you can sleep at night...

  23. Re:ok on Amazon's Jeff Bezos Sets His Sights on the Stars · · Score: 3, Insightful

    Space exploration is not even close with the current state of technology. We will go to space easily with better tech in the future but not now. I am shorting Bezos and his company at the first sight of weakness.

    Quite the contradiction, don't you think? I mean, how are you supposed to figure out what kinda tech you need for space flight unless you go and try it? And are we just supposed to casually develop tech for this? Much like the power industry is so focused on alternative power? (not!).

    The simple truth is, necessity is the mother of invention. This seems like a chicken and the egg problem, but it isn't really. We need to get out there and look around, explore, experiment. Once we start doing this, we'll start solving problems. Once we start solving problems, things start to roll. Think about the evolution of boats.

    There were probably civilizations full of people who completely disagreed with some of the people designing (bigger, faster, sturdier) boats thousands of years ago. Thinking there was no useful purpose of them, the naysayers just sat around and bitched about how useless the boat-builders' actions were. The same thing with the horseless carriage - we already have everything we want with horses - what possible good could the work you're doing be?

    It's true that people like you need to exist statistically - the ones that bitch and point out all of the flaws in the useless shit dreamers talk about - so they probably don't even listen to you naysayers anymore - and for good reason. If people like you ran society, we probably wouldn't even have wheels because we've got enough people to haul those stone blocks the 80km they need to travel.

    Fortunately for us, some people have imaginations.

  24. Re:namespaces on Steve Jobs thinks Objective C is Perfect? · · Score: 1

    Ohh...right..if someone demonstrates something, they clearly have an intimate understanding of it.
    Just like car salesmen can tell you the principles of how an automatic transmission works, or a radio shack employee can describe the interworkings of a fm receiver.

  25. Re:It's relevant to me... on Rack Mount BTX Case · · Score: 2, Informative

    IBM's blade center takes dual opteron cards. 14 blades (28(x2 for dual core) Procs) in a 7u space.

    http://www.ibm.com/servers/eserver/bladecenter/

    IIRC, (What the salesman told me), you've paid for the chassis at around the 5th blade purchase if you're going up against some x336s. Of course, you need an architecture where you can live without local disks on each machine.