...this kind of thing was easier. i mean it's great and all: using cheap (as in cost) components, some intelligent construction teams, etc, but in a lot of places (even towns that are SMALLER) this is still impossible.
where I live, I can't run new cables everywhere. I can't even purchase the right to do this, and even if I can get the zoning permits I STILL can't do this.
[and not can as in a question of ability, but can as in the whiny i-don-t-want-to-face-the-consequences]
this is because we have a town charter that specifically keeps us technologically backwards (we didn't start getting streetlights until there was the closest this town has seen to a riot since the civil war) - our own telco office continues to use the same wiring that was installed in the 1950s.
Our local cable company was only allowed to "service" existing cable- and they've been VERY VERY Slowly "servicing it" with fibre. I'm 58 kilofeet from the CO (about 12 more from the cable company) and I still can't get a cable modem [i wouldn't want to - but more on that another time]
an interesting project that happened recently: called network maryland was bid-won to Level 3 networking (gloriously known as crap thanks to the business practices of most of their clients) - they ran fibre through most of maryland and stopped less than 30 miles from my town -- and have no intention of continuing (btw: i'm still quite a ways from the shoreline).
i can't tap into that because it's their bandwidth, and i can't purchase it from them because they're not selling (and don't have to - it's already sold to the government) - which as you'll remember won't let me run my own wires because of stupid charters.
now if i wanted to run cross-LATA cables (outside of town boundaries) i COULD do that- but it wouldn't do me any good because i couldn't bring a line INTO town.
so i'm stuck with a maximum bandwidth purchase of "only a T1 at a time" (and our little cove will run out soon -- there isn't even a full DS3 running into this entire area) from telco, or I can purchase some of the cable company (who actually has less bandwidth than my company) -
or
or
or nothing. we've tried to convince our town "hall" of doing something like this (gigabit ethernet), and we've tried offering to pay for it.
i suppose we could move, but that's a lot of hassle too -- and we'd be giving up our local business.
or we could get some kind of FEDERAL responsibility -- get the whole fucking nation up.
[at this point: you should realize that i, like many of my peers, like to pretend that only the US matters... in fact: i actually hate it here, but that should only be so apparent]
so what do we do? how can we sell "this" to our town? how do we get our bureaucratic slugs to take something like this?
more importantly, how was this sold in NZ? and how was it sold in other places it was used?
I wrote a DNS server that relies completely on LDAP called ldapdns. it's a live gateway, so it's ALWAYS up to date. the best thing about managing DNS over LDAP is that users can manage their own DNS and even create new subdomains!
actually, i'm quite amazed that this topic came up because a centralized directory mechanism can make administration _MUCH_ easier. i'm actually very surprised that most unixes (including linux) don't do anything better than NIS(+).
LDAP became the mechanism by which I manage my own network with greater ease: i use LDAP with NSS for user management (and allow users thereby to manage themselves). i use LDAP for DNS (of course:), i use LDAP to manage certificates, and employee information, and i also use LDAP to keep track of customers (for billing).
i've had to write a lot of my own shit to make it work (billing, and DNS - but now the DNS is gpl'd so you all can be happy with it), but a lot of it DOES already exist. using NSS and PAM, you can manage users with ldap, and with vpopmail/qmail patches you can run mail over ldap.
as for useradd/userdel/etc -- you simply don't need them. you can write a very simple shell script to ldapadd new users and delete and modify them (as i have done).
as for browsers: i happen to like GQ. but tbh, i don't do much browsing (i like robots). there's a java one floating around that works very much like Microsoft's LDAP browser (but free).
anyway, i'll spit my plug again:
LDAPDNS: FREE (GPL) LDAP-BASED DNS FOR EASIER ADMINISTRATION: ldapdns IS WHAT YOU NEED. USE IT BLAH BLAH BLAH
but really: ldap works great. it takes some balls to pull the switch (maybe someone will make it easier), but it is well worth it in the long run.
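A Python version (an added example, not the poster's own script, and not ldapdns code) of the useradd/usermod/userdel replacement the post describes: it emits LDIF for a posixAccount entry and feeds it to ldapmodify, validating every field first, because a username or shell containing a newline would otherwise let the caller add arbitrary attributes to the entry. The base DN dc=example,dc=com, the ou=People container and the uid/gid floor of 1000 are assumptions.

```python
"""useradd/usermod/userdel replacements that emit LDIF for an LDAP-backed NSS."""
import re
import subprocess

BASE_DN = "dc=example,dc=com"                # placeholder base DN (assumption)
PEOPLE_OU = f"ou=People,{BASE_DN}"           # assumed container for accounts
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # plain POSIX usernames only
MIN_ID = 1000                                # never hand out system-range ids


class BadInput(ValueError):
    """Raised instead of escaping: a bad field never reaches the directory."""


def _check_name(name):
    # A newline, a leading space or a ':' inside a field would be parsed by
    # ldapadd as further attributes (LDIF injection); the whitelist excludes them.
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise BadInput(f"bad username {name!r}")
    return name


def _check_id(n):
    if not isinstance(n, int) or n < MIN_ID:
        raise BadInput(f"uid/gid must be an integer >= {MIN_ID}, got {n!r}")
    return n


def _check_shell(shell):
    if not shell.startswith("/") or any(c in shell for c in "\n\r :"):
        raise BadInput(f"bad login shell {shell!r}")
    return shell


def user_dn(name):
    return f"uid={_check_name(name)},{PEOPLE_OU}"


def add_user_ldif(name, uid, gid, shell="/bin/sh"):
    """LDIF that creates a posixAccount entry (what useradd would have done)."""
    _check_name(name), _check_id(uid), _check_id(gid), _check_shell(shell)
    lines = [
        f"dn: {user_dn(name)}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        f"uid: {name}",
        f"cn: {name}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: /home/{name}",
        f"loginShell: {shell}",
    ]
    return "\n".join(lines) + "\n"


def modify_shell_ldif(name, shell):
    """LDIF for ldapmodify: replace the user's loginShell (usermod -s)."""
    return "\n".join([
        f"dn: {user_dn(name)}",
        "changetype: modify",
        "replace: loginShell",
        f"loginShell: {_check_shell(shell)}",
        "-",
    ]) + "\n"


def delete_user_ldif(name):
    """LDIF for ldapmodify that removes the entry (userdel)."""
    return f"dn: {user_dn(name)}\nchangetype: delete\n"


def parse_ldif(text):
    """Minimal parser for the LDIF this module emits, so a caller can verify an
    entry has exactly the attributes it meant to set and nothing injected."""
    attrs = {}
    for line in text.splitlines():
        if not line or line == "-":
            continue
        key, _, value = line.partition(": ")
        attrs.setdefault(key, []).append(value)
    return attrs


def apply_ldif(ldif, bind_dn=None):
    """Hand the LDIF to the OpenLDAP client tools (ldapmodify -a adds or modifies).
    Credentials come from ldap.conf unless a bind DN is given (-W prompts)."""
    cmd = ["ldapmodify", "-a", "-x"]
    if bind_dn:
        cmd += ["-D", bind_dn, "-W"]
    return subprocess.run(cmd, input=ldif, text=True, check=True)
```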
one of the problems that many people have with "strong passwords" is *NOT* their lack of a strong kinesthetic memory- I can "remember" any password simply by typing it: sound familiar?
Problem is that this has NOTHING AT ALL to do with how you actually pull out that memory. I mean, having this strong kinesthetics allows you to keep that password in your head, but it does nothing for pulling it out (unless you ALWAYS use the same password... more on this later)
What triggers that memory really has to be one of four things: A sound, an image, a phrase (written), or a touch. That's not true, at least with me (functional keyed-retrieval) but most people at least fall into those four.
This is a cue that your mind uses to pull out those memories at the appropriate moment. The feedback starts and you can whip out your password completely automatically, right?
Some "realistic solutions" to these problems include: BIOMETRICS - which don't require ANY memory, SINGLE LOGIN - which limits the number of cues needed, ASYMMETRIC-KEY - which relies on math, etc, etc.
I say "realistic" because people have used them and they DO work. They don't affect that memory pathway in and of itself, but instead rely on more durable pathways (e.g. outside of the person:)
Unrealistic methods? Pictorial passwords. Besides the obvious that they're useless to the blind, many (dare I say most? nah, I couldn't find those numbers) people lack a visual eidetic. This means that they're very easy to confuse with similar images - because they cannot be used as triggers for their memory- They simply cannot remember seeing that.
Surely, they can remember the memory of seeing, or the act, maybe if they described it to themselves (common: turning a visual cue into an audio one, but this is time consuming and rarely works for long) - point being, it pushes WAY too much emphasis on only one cue.
With our current method, I gain some visual cues; input fields on the left, on the right, a popup, etc. I also gain some functional cues (mail related? do I know these people? am I these people? was this just a test?)
I then turn all these cues into the blinding flash of realization that sends my fingertips into a frenzy typing out the appropriate login and password for wherever I'm at. (except on slashdot, i'm a wuss... i use cookies:D)
My cues may not be the same as everyone else's but everyone does have cues. I think that changing the focus of WHAT we remember is less important than changing the cues by which we DO remember.
it's not perfect, but it divides the filesystem (mostly) by maintainer - similarly to how packages are already deployed. but beyond that, it creates symlinks into one directory (in his example: /command) to keep $PATH sane.
package management _still_ makes my life easier- i don't like to hunt around packages manually. but if the filesystem mimics the packages, we have solved the three biggest problems with package management at the same time:
incorrect dependency names (moot: all other packages have a formed-name)
deleting too much (packages are stacked into separate directories)
what happens when the package database goes "poof"
i'm not saying don't use package management. i'm not saying don't use rpm. i'm actually agreeing with the topic for once and suggesting that we actually do need to change the filesystem.
you're missing the point. if you fix ALL of bind's bugs (or better still- replace all copies of bind with djbdns) DNS still won't be fixed. the security problems with DNS will still exist- not the least of which being DOS attacks.
and of course dan's been saying it for years. he's a bright guy, and i think you're quite dense for following the masses and suggesting otherwise.
however, to replace DNS, we'd also need to change the clients, and that's a slow operation... all that i am suggesting is let's not waste time worrying about BIND's problems. fix the root of the problem- a design issue....
i've already started using my own workaround. hopefully people will notice and catch on....
a lot of slashdotters have pointed out this is a non-issue; as far as writing scripts goes, so long as you are "careful" you won't run into any problems.
right? i mean exactly how hard is it, knowing, loving, and using bash to click-off the parts of your programmer mind that deal with the bashism shortcuts you take for granted?
as a programmer, i frequently need a few steps to shift gears. i'll be working for four or five hours on some C, flip into a perl program and find myself (quite unconsciously) dropping some $char@act%ers*. they're deceptively similar languages in construct, and i must say "okay, now i'm writing perl" or java or bash or forth or whatever.
this is not to suggest that our friend in need is without hope; that even if he had a real bourne shell he would still make mistakes. this simply illustrates that it's more difficult to avoid those mistakes EVEN WITH the knowledge.
if you're a non-programmer, don't bother responding to me, because it's hopeless to think you'll understand... just because you can quote the linked faq doesn't mean you actually understand it.
the case of typing export out is such a silly one that I often make the same error: i have a rather large administration tool that runs on NT, 2000, Solaris, Linux, and OpenBSD. Its goal is to unify their various differences so that administration can remain (roughly) the same.
as such, it's a myriad of shell scripts, 300-400 line C programs, perl programs, wrappers, and whatnot. the MOST COMMON PROBLEM that I deal with is because I develop initially on a Linux system. Linux is extremely developer friendly (perhaps because it was developed for developers, but that's a haiku waiting about that i'm not going to release today) - and solaris, NT, and 2000 are not (again, YOU can disagree; I know many hailstorm developers that love the new windows platform. you're still wrong.)
however. i did mention that there was hope, and to that i will now digress: your application (whatever it is) must SOMEHOW share some commonalities with the platforms in which you wish it to run.
if your application is a C program: write your installer in C. or better still? write makefiles. perl program? even easier: you have a shell (perl, well, sort of). if your program is a bash script (and i'll pity you if it is) you simply require the use of bash.
i make my administration tool work on many platforms by making those platforms more similar- that way the jump is shorter.
i also have the added benefit of being able to test my changes. they go from my development machine to a staging system (one of each flavor) and from there onto the production webs.
i can't very well suggest that you "avoid making mistakes", and if I suggest "ash" or "zsh" or "csh" i'm simply suggesting that you require something else. i'm not going to have any illusions about it, however: if it doesn't work, use something else, ANYTHING else. even if that means you need to slap solaris on a machine (for bourne), or perhaps stealing the *bsd's shell.
you have more than your two (obvious) options- in extremities and in directions. remember your goal first, and then find out what problems exist.
it's quite funny actually. DJB has gained so much by creating qmail that when he released djbdns, users blindly followed into it expecting it to be void of security holes.
the biggest problems with DNS on the internet have NOTHING to do with the software used. the protocol itself is quite insecure- and what's worse is that this isn't news!
one thing that certainly needs to change is this silly concept of recursive-resolvers; they change the responses, and thus it's next to impossible to determine which is the "Real" resolver.
thanks to sequence prediction, and because DNS servers/clients don't have any "other" protection, it's quite trivial to smash or alter someone's dns tables (during a zone transfer), or redirect users someplace else (when doing recursion).
what we need is a cryptographic method of "signing" requests. root nameservers should maintain keys in addition to NS rrs. And what bind calls "root hints" should contain the keys of the root nameservers. this way, we can digitally sign responses so that their authenticity can be verified. moreover, if packet-space is limited (and even though "most" queries should have a hundred or three bytes free) we could always just store a hash of the signature. but that's getting too far into implementation.
the basic droll is that we need something BETTER than dns... not just new software, but a new design...
and plus, by implementing crypto into the name services, we'll be able to finally keep the french off the internet.
(for those of you lacking any kind of crypto-political background: the french aren't allowed ANY cryptography.... and you thought US export control was bad!)
i have a coworker. yes, this is to say that i have a job (contrary to popular belief), but in fact this coworker aimed to achieve cisco and solaris certification a while back. he could not accept the rationale in which he failed.
his complaints were centered around "SH*T, all the test was on the gui. i don't have to know that SH*t in order to administer slowaris" (yes reader, you have either thought this, or heard this before; and i'll pity the former)...
he's the kind of *nix user that thinks anything with a gui is a waste of his time; he abhors "redhat" (because of its users) and yet refuses to learn any kind of a logical-thought process that would allow him to automate his workspace. yes, this poor sap actually prefers to TYPE tedious and repetitious configuration entries in an apache httpd.conf -- and even more sad, he can only type at a measly two-fingered rate of ~ 10-15 wpm.
this attitude helps to explain: his "goal", or what would make him happiest in a "tech job" was being started out at 40k$USD per/year salaried, where he could come to work around 1030-1100, work till 1600 and do nothing but fu*k around with his enlightenment theme all day. of course, it DOES take him all day EVERY day to do it as even my employer can type faster. (who, by the way, is up to 4-5 fingers at a time. i'm very proud.)
what's even more pitiful is that he honestly believes that there are people at his skill-level (which you will have to take my word as to be rather deficient in good unix guru points) making significantly more than he presently does (a meager helpdesk pay; and again you will take my word that he's STILL being paid too much).
and i tell him, "surely a few years ago, you could go with that excuse for experience that you have and find a nice 3-4 month job in a cubicle before the company going under, but that was the boom of the fad!"
his response has always been "but anyplace would pay more that this SH*Thole!"
and so he quit. it took him 3 months before he crawled back (and took a pay-cut)- but yet he still didn't learn. his convictions led him to the belief that he was just lazy.
yes folks, this miserable cretin would rather consider himself a lazy fool, than a stupid one. not that i wouldn't per se, but that i would prefer not to have any illusions about either:D
which brings me to the point. work is that thing you do that pays the bills. i happen to enjoy my work; i get to write software that does things that nobody else is doing- and that fascinates me enough to keep my job. in my job: i am an important person, with an important task.
this is my mission. a rather good mission. companies do rather well when they simply decide to make an excellent product. yet with this boom for the internet "fad", that just wasn't in ANYONE's mission. it was to "get online" and "get E" and ERP and lots more ands than i feel like typing.
this intangible mission escaped these startups; all they saw was a bunch of long-haired hippies in cubicles with club-lighting and music.
but anyone with some decent thought can tell you that's not how a business is run; and to the intellectually challenged: i'm not saying successful businesses cannot have club-music and nerf cannons, but that this cannot be the pinnacle of their mission.
i happen to work for an internet-based company. it would certainly fit anyone's description of a tech-job. and yet, i never sought a tech-job in my life. i'm a programmer, and by some respects a rather good one. (by others, a lousy one, but that's only incidental:D)
if you're serious about finding "fun work", then trust that it does exist. i won't work anyplace i don't enjoy, and i DO enjoy where i work. but if you're looking for a company whose business model is "fun", then you're looking for a temp job- just please stop kidding yourself about it.
timing-based attacks aren't new; most people can remember time-based attacks regarding TCP sequence prediction (older windows, IRIX, many others) and so of course the initial reaction is that we need to make XXX protocol (fill this one in with SSH) not-susceptible to this attack.
oddly enough, there's nothing about the SSH protocol that's to blame; only a matter of convenience in implementation: SSH sends one packet at a time so that things can seem as speedy as possible. this is common with interactive protocols, and I should say "a good thing".
if people think it's too big a deal, several "code" things can be done: either batch up several keystrokes (turning up the compression level is one way with some ssh clients), or modify SSH to add some white-noise when keystrokes are being emitted slowly. a third one could be to implement local flow control (^Q/^S) so that SSH would burst passwords together.
unfortunately, the first two of these can actually slow things down a bit, and the third just seems silly (and i don't think emacs users would like having their precious confusing control keys taken away or quoted)...
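An added offline model (not from the post, and not any SSH client's code) of the first two options the post lists, batching keystrokes and sending padding on a fixed clock, measuring what each does to the inter-packet gaps a passive observer could time and to the delay the typist pays for it. The keystroke times are a constructed sample; the 250 ms window and 100 ms tick are arbitrary choices.

```python
"""Offline model of keystroke-timing mitigations for an interactive channel."""
from dataclasses import dataclass
from math import ceil
from statistics import pstdev


@dataclass(frozen=True)
class Packet:
    send_ms: int        # when the packet leaves the client, in ms
    carried: tuple      # keystroke times this packet carries (empty for padding)
    padding: bool       # True if the packet exists only to mask timing


def passthrough(times_ms):
    """Default interactive behaviour: one packet per keystroke, so the
    inter-packet gaps on the wire are exactly the inter-keystroke gaps."""
    return [Packet(t, (t,), False) for t in sorted(times_ms)]


def batch(times_ms, window_ms):
    """Hold the first pending keystroke for window_ms and flush everything typed
    in that window as one packet (the 'batch up several keystrokes' option)."""
    out, pending, deadline = [], [], None
    for t in sorted(times_ms):
        if deadline is None:
            deadline = t + window_ms
        elif t > deadline:
            out.append(Packet(deadline, tuple(pending), False))
            pending, deadline = [], t + window_ms
        pending.append(t)
    if pending:
        out.append(Packet(deadline, tuple(pending), False))
    return out


def clock_pad(times_ms, tick_ms):
    """Send on a fixed clock; a tick with nothing typed still sends a padding
    packet (the 'white noise when keystrokes are slow' option)."""
    times = sorted(times_ms)
    if not times:
        return []
    out = []
    for k in range(ceil(times[-1] / tick_ms) + 1):
        lo, hi = (k - 1) * tick_ms, k * tick_ms
        carried = tuple(t for t in times if lo < t <= hi)
        out.append(Packet(hi, carried, not carried))
    return out


def gap_spread(packets):
    """Population std-dev of inter-packet gaps, the signal a passive observer
    would time; 0.0 means the wire timing says nothing about the typing."""
    if len(packets) < 2:
        return 0.0
    gaps = [b.send_ms - a.send_ms for a, b in zip(packets, packets[1:])]
    return pstdev(gaps)


def max_delay_ms(packets):
    """Worst added latency a typist sees: the cost side of each mitigation."""
    return max((p.send_ms - t for p in packets for t in p.carried), default=0)


KEYSTROKES_MS = [0, 120, 310, 350, 800]   # constructed sample, not captured data

if __name__ == "__main__":
    for name, pk in (("as-is", passthrough(KEYSTROKES_MS)),
                     ("batch 250ms", batch(KEYSTROKES_MS, 250)),
                     ("clock 100ms", clock_pad(KEYSTROKES_MS, 100))):
        print(f"{name:12} packets={len(pk):2} gap-spread={gap_spread(pk):6.1f} "
              f"max-delay={max_delay_ms(pk)}ms")
```

Batching shrinks the signal and the clock removes it, while the delay column shows why the post says both cost interactivity.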
i've noticed a lot of people pumping up all kinds of products; free ones, proprietary, and even a bunch of asses advertising their own hosting provider (couldn't resist, but at least i admit i'm an ass.), but the question of whether there are similar projects out there...
webmin and similar products don't count, because if you don't know unix, you shouldn't run it, let alone administer it, LET ALONE THAT, and try and run a business using it.
web hosting is a business. no matter which way you look, and while I have found several (many of the ones listed elsewhere on this page), most tend to coerce you into using their hosting solution(tm), instead of bending to your system.
if you're serious about doing web-hosting, build a platform. take redhat, or debian, or solaris, or whatever you like/know, and build your system. use whatever components you feel comfortable with; but don't worry about a gui. make shell scripts for your timid users. writing a few dozen perl/shell scripts to help out users is a good idea(tm), and if you absolutely want a web-based interface, it's a simple matter to write some web-glue for that.
truth here: if you think you can build a successful web-hosting company _without_ spending time on it (e.g. purchasing your components), you've definitely got another thing coming, and you will run into it sooner or later.
so take my advice, give the users the capacity for control first, then make your own damn pages to actually make it easy on them. any other route spells disaster for the future.
and as a closing note, i *hate* all those 3$...5$...10$ hosting providers with an unprofessional-looking website, and some shoddy NT/IIS based or Redhat+RedhatServer(blah) garbage (hacked in five flat. guaranteed), and expect to stick around. all they do is waste people's time... and if you fuck up early, you'll make it harder on yourself in the future.
chances are, they think that they can give you more responsibilities without a bigger paycheck; they probably KNOW that you are competent at your job, but are hoping that you would make the jump of logic that you did.
quit telling them "I just don't want to do it", tell them how much they can expect to pay for someone in that position (who works for a larger company, etc)... Something like "Hey, I'll take it, but I'll make the money for the job. Place me at a (insert value plus 25K$USD for the ass) and I'll take it... Otherwise, keep me where I'm at and pay that much for someone else, I really don't care."
It worked for me, and it can work for you. It started with them hiring somebody completely incompetent (at the salary they wanted me to work at) that blew out the mail server (a jackass NT IS guy that thought that because the case opened, the hard drives must be hot-swappable- YOINK!)
He lasted two weeks, and they decided to fork out the better dollar for the better work.
pshaw; there's no sound in space, so how could it be faster than anything that measures its distance with a quantum so close to zero that it makes no odds?
[BUSH] The war on drugs began with my father, and I will continue that struggle on behalf of the american people. I don't believe this war is in our own streets; It's in foreign military relations!
[GORE] I invented drugs.
(2)
[BUSH] My father wanted me not to be known as a racist, but instead as anti-semitic! Hey, we got that witch-girl in oklahoma on trial, didn't we?
[GORE] We should protect all religions equally; they don't require special rights, and they shouldn't be given them.
(3)
[BUSH] My dad got lower taxes.
[GORE] I invented lower taxes.
(4)
[BUSH] The electoral college has been reformed. Don't you guys know I'm going to be president? Hey dad! When do I get to push the button?
[GORE] We need to stay focused on the issues. Perot had more than "enough" money at his disposal, and I believe that's what truly proves that we have the greatest nation in the world.
(5)
[BUSH] When do I get to rule the world dad! You said I could do it! You said!!!!
[GORE] I invented the internet.
(6)
[BUSH] You promised! You promised! You promised!
[GORE] I invented encryption.
(7)
[BUSH] You promised! You promised! You promised!
[GORE] As more and more companies wish to do business with the united states, more and more companies gain a better understanding on how to do business with america. Monopolies are not inherently bad, they simply are not adequately controlled, and that is something I plan to rectify.
(8)
[BUSH] Oh, sorry... What was the last question? Oh, asteroids. Yeah, we need to relive the star-wars project just for this reason. And to help engage foreign military policies, and to strengthen our own military hold as good americans.
[GORE] I invented Asteroids[tm].
(9)
[BUSH] Something about a thousand points of light. It sounds great!
[GORE] People still want conflict. The media proves this! But as media begins to embrace my internet, we will get more into personal ideas and ideals that can do nothing but improve our quality of life, and the flow of information. This is our mission: To inform and understand. And we are already doing a great job of it!
[US-]english is only the choice of the internet generation (sic sic sic...) because the internet is free. in the US, the general populace (or what we perceive it is) believes that speech is free. so i believe that people who live in the US tend to treat all speech as free.
now, the problem with english is that nobody in the US speaks it. Or at least, very few speak it properly. Even fewer write it properly. This post is completely incorrect english, but most readers aren't bothered by this. they know to read what i mean, not what i actually wrote.
but machines can't do this... not without making the same leaps of faith that we human beings take for granted so often. and while everyone knows this, they still try and make the machines dumber.
yes, i do mean dumber. machines (as now) are extremely smart; they don't make mistakes. so this means that while you are reading anything, including this post, you are making many mistakes. it is only by making these mistakes that you're able to read this.
this isn't new news; we've known this for years. which is why we have made so many different programming languages, each encompassing an extremely strict (by english's standards) notation by which the message is understood.
writing code in itself is not all that difficult (far easier than reading english, in many ways). so maybe we should be focusing on that movement; making ourselves (humans) smarter, instead of the computer dumber.
of course, you can read what I've written, and know that this is a horrible idea, but in the past 100 years, the english language(s) has metamorphosed into so many different dialects that we may even put the chinese to shame. we have our share of slang and colloquialisms too, and because the computer doesn't understand them, we are stupid for using them.
It is only in the past few months that the FISH started translating "Login" as "beginning activity" instead of "logarithm".
but as i've mentioned, it isn't just the colloquialisms the machine has to interpret: the computer must be taught to THINK.
in short: purely-MT will be going nowhere for a long time so long as Eliza sums up computer AI.
The usefulness of an encrypted filesystem is limited to removable media and pseudodisks (e.g. those created using the kernel loopback driver). It's been pointed out that many people actually want to encrypt their entire hard drive (or an entire partition) which seems to me to be the biggest waste of cycles there is. But then again, as soon as we classify hard disks as removable (like there aren't hardware locks with similar effectiveness) media it seems to quickly become warranted.
Of course, this makes a nasty assumption that if you're going to encrypt your disk, you've already got the reason for it. But before I go too far into that, let me quickly point out that network filesystems and encrypted filesystems cannot be considered complementary. NFS, AFS, and CIFS (all commonly referred to as network filesystems) bear no resemblance to block devices for the very reason that (all) network block devices themselves are extremely inefficient. Not only is it a waste of bandwidth, but also a waste of cycles for the client (assumed: servers usually have more cycles than clients. if they don't, you have other problems).
But crypto on NFS and friends all involve themselves with encrypting the network traffic, instead of the individual segments of the files, or the disk-blocks they refer to.
Mr. Blue mentions that he wishes to encrypt his laptop disk for the sake of security. And being a laptop it can immediately be considered removable media (snicker). And while the most common reason that laptops are stolen is in fact for the hardware (e.g. resale), the lap-jacker may be technologically inclined (as is becoming more common) and wish to sneak credit card numbers and other goodies out of the disk before sale.
So now that I have finally established both cause and reason to encrypt, I can finally target a technological issue of performance.
By simply creating your disk IMAGE, you are slowing down your system. The goal is to slow it down the least. The way that slows it least is to (on login, presumably) decrypt the entire image into a ramdisk (or other element that will be nuked on reboot - such as a swapfile) and use the decrypted image instead. Before anyone says this is a stupid idea (what if they use a boot floppy), remember that unless you have a lot of ram, your decrypted secrets would be in your swap ANYWAY.
So bypassing the obvious of disabling floppy boot, the attacker can still take out the hard disk and put it in another machine. Since your data hasn't been wiped by boot (and/or is still in swap), you would then need the filesystem and the swap to stay in ciphered form (to make sure all of your data is protected). So in addition, you must keep your swapfile in cipherspace (snicker) so that the bad people can't get there either.
Which still allows us to keep most of our "work data" in unencrypted space (ramdisk) because when portions of our ramdisk need swapping, they'll be reciphered anyway. And if you weren't thinking about swap, you're faster still.
So, the short answer (if you read this far, you deserve it by now) is that your filesystem will go as slow as you need it to. That is to say that if you are protecting from your laptop being stolen, using a ramdisk for sensitive files is probably good enough (my portable penguin uses PGP to store my ramdisk when sleeping. the ramdisk was 24m which was good enough for my ssh password lists, keys, /etc/passwd and friends). if you need more protection, you're going to go slower (encrypting swap), and slower (encrypting the entire disk), and slower still (embedding your laptop in a cement block and dropping it into the ocean).
I seriously do not know how Sony can expect to sell anything this incomplete! This AIBO is just another example of Sony neglecting to include the features most desired in a Robot Companion. It has no apron, the blinking red lights aren't sticking out of its neck, and I suspect that those plastic hooves don't have wheels hidden under them...
It seems interesting to me that people might think that certificates would work differently in Apache-SSL vs. Apache+mod_ssl. More so when they both use the same API for performing the crypto layer to read/write the certificate files (SSLeay; now known as OpenSSL).
I've also tried to think about how one could gauge the differences objectively. As far as I've seen, neither seems any faster (which would make sense being that they both use OpenSSL for the "real work"), and I can't think of any features that one has that the other doesn't; and I'm not talking about configuration directives, I'm talking about XXX obtains information YYY and logs it, but product ZZZ doesn't. I'd love to see some enlightenment on that note.
And on that note (karma and enlightenment, that is) I have had no difficulties with either in installation, or uninstallation, or even configuration. I do however like having the "SSL Module". It's quite handy when duplicating disks. I just flip a flag in my configuration files instead of having to recompile Apache. But other than that, I can't see any reason why you would pick one over the other.
Maybe it would be constructive (ooh, big word!) if people posted WHY they use Apache+SSL or WHY they use Apache+mod_ssl instead of just listing off angry posts, and turning my display into a voting log.
To say it another way, I don't think that anyone is interested in why YOU use Apache-SSL or YOU use Apache+mod_ssl. I know that I'm not! Instead, I'd like to hear WHY you use Apache-SSL, or WHY you use Apache+mod_ssl.
...this kind of thing was easier. i mean it's great and all: using cheap (as in cost) components, some intellegent construction teams, etc, but in alot of places (even towns that are SMALLER) this is still impossible.
where I live, I can't run new cables everywhere. I can't even purchase the right to do this, and even if I can get the zoning permits I STILL can't do this.
[and not can as in a question of ability, but can as in the whiny i-don-t-want-to-face-the-consequences]
this is because we have a town charter that specifically keeps us technologically backwards (we didn't start getting streetlights until there was the closest this town has seen to a riot since the civil war) - our own telco office continue to use the same wiring that was installed in the 1950's.
Our local cable company was only allowed to "service" existing cable- and they've been VERY VERY Slowly "servicing it" with fibre. I'm 58 kilofeet from the CO (about 12 more from the cable company) and I still can't get a cable modem [i wouldn't want to - but more on that another time]
an interesting project that happened recently: called network maryland was bid-won to Level 3 networking (gloriously known as crap thanks to the business practices of most of their clients) - they ran fibre through most of maryland and stopped less than 30 miles from my town -- and have no intention of continuing (btw: i'm still quite a ways from the shoreline).
i can't tap into that because it's their bandwidth, and i can't purchase it from them because they're not selling (and don't have to - it's already sold to the government) - which as you'll remember won't let me run my own wires because of stupid charters.
now if i wanted to run cross-LATA cables (outside of town boundaries) i COULD do that- but it wouldn't do me any good because i couldn't bring a line INTO town.
so i'm stuck with a maximum bandwidth purchase of "only a T1 at a time" (and our little cove will run out soon -- there isn't even a full DS3 running into this entire area) from telco, or I can purchase some of the cable company (who actually has less bandwidth than my company) -
or
or
or nothing. we've tried to convince our town "hall" to do something like this (gigabit ethernet), and we've tried offering to pay for it.
i suppose we could move, but that's a lot of hassle too -- and we'd be giving up our local business.
or we could get some kind of FEDERAL responsibility -- get the whole fucking nation up.
[at this point: you should realize that i, like many of my peers, like to pretend that only the US matters... in fact: i actually hate it here, but that should only be so apparent]
so what do we do? how can we sell "this" to our town? how do we get our bureaucratic slugs to take on something like this?
more importantly, how was this sold in NZ? and how was it sold in other places it was used?
actually, i'm quite amazed that this topic came up because a centralized directory mechanism can make administration _MUCH_ easier. i'm actually very surprised that most unixes (including linux) don't do anything better than NIS(+).
LDAP became the mechanism by which I manage my own network with greater ease: i use LDAP with NSS for user management (and allow users thereby to manage themselves). i use LDAP for DNS (of course :), i use LDAP to manage certificates, and employee information, and i also use LDAP to keep track of customers (for billing).
i've had to write a lot of my own shit to make it work (billing, and DNS - but now the DNS is gpl'd so you all can be happy with it), but a lot of it DOES already exist. using NSS and PAM, you can manage users with ldap, and with vpopmail/qmailpatches you can run mail over ldap.
as for useradd/userdel/etc -- you simply don't need them. you can write a very simple shell script to ldapadd new users and delete and modify them (as i have done).
as for browsers: i happen to like GQ. but tbh, i don't do much browsing (i like robots). there's a java one floating around that works very much like Microsoft's LDAP browser (but free).
anyway, i'll spit my plug again:
LDAPDNS: FREE (GPL) LDAP-BASED DNS FOR EASIER ADMINISTRATION: ldapdns IS WHAT YOU NEED. USE IT BLAH BLAH BLAH
but really: ldap works great. it takes some balls to pull the switch (maybe someone will make it easier), but it is well worth it in the long run.
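The "very simple script to ldapadd new users" the post mentions is not shown, so here is an added example of what such a script has to get right; it is my code, not the poster's, and it assumes a suffix of dc=example,dc=com, users under ou=People, and an admin bind DN of cn=admin,dc=example,dc=com, none of which come from the post. The one detail worth seeing in working code is LDIF's own quoting rule: a value containing a newline would otherwise be parsed as a second attribute, so values that RFC 2849 marks unsafe are base64-encoded, and the login name (which ends up unescaped in the DN and the home path) is restricted to the plain POSIX alphabet.

```python
"""Added example, not the poster's script and not part of any LDAP project:
builds the LDIF for a POSIX user entry of the kind nss_ldap/pam_ldap read,
encodes values the way RFC 2849 requires so a hostile value cannot smuggle an
extra attribute into the entry, and hands the text to the stock OpenLDAP
ldapadd/ldapdelete tools.

Assumptions that are not in the post: suffix dc=example,dc=com, users under
ou=People, and an admin bind DN cn=admin,dc=example,dc=com."""
import base64
import re
import subprocess

BASE_DN = "dc=example,dc=com"        # assumed directory suffix
PEOPLE_OU = f"ou=People,{BASE_DN}"   # assumed container for user entries
ADMIN_DN = f"cn=admin,{BASE_DN}"     # assumed bind DN with write access

# Login names are used unescaped inside the DN and the home directory path,
# so only the conservative POSIX username alphabet is accepted.
_LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_login(login):
    return bool(_LOGIN_RE.match(login))


def ldif_attr(name, value):
    """One LDIF attribute line.  RFC 2849: a value that starts with a space,
    ':' or '<', has leading/trailing space, or contains NUL/CR/LF/non-ASCII
    must be base64-encoded ('name:: ...').  That is what keeps a newline
    inside a value from being read as the start of a second attribute."""
    value = str(value)
    unsafe = (
        not value.isascii()
        or value != value.strip(" ")
        or value.startswith((":", "<"))
        or any(c in value for c in "\0\r\n")
    )
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def user_dn(login):
    if not is_valid_login(login):
        raise ValueError(f"bad login name: {login!r}")
    return f"uid={login},{PEOPLE_OU}"


def make_user_ldif(login, uid_number, gid_number, full_name, password_hash):
    """Return the LDIF for one posixAccount/shadowAccount entry.

    password_hash must already be hashed ({SSHA}..., {CRYPT}...); cleartext
    is refused so it never ends up in an LDIF on disk or in shell history."""
    dn = user_dn(login)
    for n in (uid_number, gid_number):
        if not isinstance(n, int) or n < 0:
            raise ValueError(f"uid/gid must be non-negative integers, got {n!r}")
    if not re.match(r"^\{[A-Z0-9]+\}", password_hash):
        raise ValueError("password must be a hashed value such as {SSHA}...")
    words = full_name.split()
    surname = words[-1] if words else login
    lines = [
        f"dn: {dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        ldif_attr("uid", login),
        ldif_attr("cn", full_name),
        ldif_attr("sn", surname),
        ldif_attr("uidNumber", uid_number),
        ldif_attr("gidNumber", gid_number),
        ldif_attr("homeDirectory", f"/home/{login}"),
        ldif_attr("loginShell", "/bin/sh"),
        ldif_attr("gecos", full_name),
        ldif_attr("userPassword", password_hash),
    ]
    return "\n".join(lines) + "\n"


def ldap_add(ldif_text, uri="ldap://localhost", bind_dn=ADMIN_DN, password_file=None):
    """Run ldapadd with a simple bind.  -y reads the bind password from a
    file (keep it mode 0600) instead of exposing it in ps; without it, -W
    prompts interactively."""
    cmd = ["ldapadd", "-x", "-H", uri, "-D", bind_dn]
    cmd += ["-y", password_file] if password_file else ["-W"]
    return subprocess.run(cmd, input=ldif_text, text=True, check=True)


def ldap_delete(login, uri="ldap://localhost", bind_dn=ADMIN_DN, password_file=None):
    """Remove the user entry: the post's replacement for userdel."""
    cmd = ["ldapdelete", "-x", "-H", uri, "-D", bind_dn]
    cmd += ["-y", password_file] if password_file else ["-W"]
    return subprocess.run(cmd + [user_dn(login)], check=True)


if __name__ == "__main__":
    # Constructed sample; the hash is a placeholder, not a real SSHA digest.
    print(make_user_ldif("alice", 10001, 10001, "Alice Liddell", "{SSHA}PLACEHOLDER"))
```

Modifying an existing user is the same idea with `ldapmodify` and a `changetype: modify` block; the encoding rule in `ldif_attr` applies to those values too.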
one of the problems that many people have with "strong passwords" is *NOT* their lack of a strong kinesthetic memory- I can ``remember'' any password simply by typing it: sound familiar?
:)
:D)
Problem is that this has NOTHING AT ALL to do with how you actually pull out that memory. I mean, having this strong kinesthetics allows you to keep that password in your head, but it does nothing for pulling it out (unless you ALWAYS use the same password... more on this later)
What triggers that memory really has to be one of four things: A sound, an image, a phrase (written), or a touch. That's not true, at least with me (functional keyed-retrieval) but most people at least fall into those four.
This is a cue that your mind uses to pull out those memories at the appropriate moment. The feedback starts and you can whip out your password completely automatically, right?
Some "realistic solutions" to these problems include: BIOMETRICS - which don't require ANY memory, SINGLE LOGIN - which limit the number of cues needed, ASYMMETRIC-KEY - which relies on math, etc, etc.
I say "realistic" because people have used them and they DO work. They don't affect that memory pathway in and of itself, but instead rely on more durable pathways (e.g. outside of the person
Unrealistic methods? Pictorial passwords. Besides the obvious that they're useless to the blind, many (dare I say most? nah, I couldn't find those numbers) people lack a visual eidetic. This means that they're very easy to confuse with similar images - because they cannot be used as triggers for their memory- They simply cannot remember seeing that.
Surely, they can remember the memory of seeing, or the act, maybe if they described it to themselves (common: turning a visual cue into an audio one, but this is time consuming and rarely works for long) - point being, it pushes WAY too much emphasis on only one cue.
With our current method, I gain some visual cues; input fields on the left, on the right, a popup, etc. I also gain some functional cues (mail related? do I know these people? am I these people? was this just a test?)
I then turn all these cues into the blinding flash of realization that sends my fingertips into a frenzy typing out the appropriate login and password for wherever I'm at. (except on slashdot, i'm a wuss... i use cookies
My cues may not be the same as everyone else's but everyone does have cues. I think that changing the focus of WHAT we remember is less important than changing the cues by which we DO remember.
(There, I think that makes more sense now)
http://cr.yp.to/slash.html
it's not perfect, but it divides the filesystem (mostly) by maintainer - similarly to how packages are already deployed. but beyond that, it creates symlinks into one directory (in his example: /command) to keep $PATH sane.
package management _still_ makes my life easier- i don't like to hunt around packages manually. but if the filesystem mimics the packages, we have solved the three biggest problems with package management at the same time:
i'm not saying don't use package management. i'm not saying don't use rpm. i'm actually agreeing with the topic for once and suggesting that we actually do need to change the filesystem.
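As an added illustration of the layout the post points at (my code, not anything from cr.yp.to or any package tool), here is a small model of the per-package tree with symlinks collected into one command directory, built under a root directory of your choosing so it can be tried without touching /. The naming (ROOT/package/<name>-<version>, a ROOT/package/<name> link to the current version, ROOT/command/<cmd> links) is my assumption about the scheme, not a spec. The part a practitioner cares about is the audit at the end: because every entry in the command directory is supposed to be a symlink into the package tree, anything that is not (a binary dropped straight into the $PATH directory) stands out, and the owning package of any command is answerable by following the link.

```python
"""Added example, not code from the linked page or from any package manager:
a model of the /package + /command layout, built under an arbitrary root.

Assumed layout (the exact naming here is mine):
  ROOT/package/<name>-<version>/command/<cmd>   the package's own files
  ROOT/package/<name>  -> <name>-<version>       link to the version in use
  ROOT/command/<cmd>   -> ../package/<name>/command/<cmd>
"""
import os
import stat
import tempfile


def install_package(root, name, version, commands):
    """Install commands ({cmd_name: script_text}) as one package and link
    each of them into ROOT/command.  Re-running with a new version repoints
    ROOT/package/<name>, so the ROOT/command links follow the upgrade."""
    pkg_dir = os.path.join(root, "package", f"{name}-{version}")
    cmd_dir = os.path.join(pkg_dir, "command")
    os.makedirs(cmd_dir, exist_ok=True)
    os.makedirs(os.path.join(root, "command"), exist_ok=True)
    for cmd, body in commands.items():
        if "/" in cmd or cmd in ("", ".", ".."):
            raise ValueError(f"bad command name {cmd!r}")
        path = os.path.join(cmd_dir, cmd)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    # Switch the "current version" link with a rename so there is no window
    # in which ROOT/package/<name> is missing.
    current = os.path.join(root, "package", name)
    tmp = current + ".tmp"
    if os.path.lexists(tmp):
        os.remove(tmp)
    os.symlink(f"{name}-{version}", tmp)
    os.replace(tmp, current)
    for cmd in commands:
        link = os.path.join(root, "command", cmd)
        target = os.path.join("..", "package", name, "command", cmd)
        if os.path.lexists(link):
            os.remove(link)
        os.symlink(target, link)
    return pkg_dir


def owner_of(root, cmd):
    """(package name, version) providing ROOT/command/<cmd>, or None when the
    entry is not a symlink that resolves inside ROOT/package."""
    link = os.path.join(root, "command", cmd)
    if not os.path.islink(link):
        return None
    real = os.path.realpath(link)
    pkg_root = os.path.realpath(os.path.join(root, "package"))
    if not real.startswith(pkg_root + os.sep):
        return None
    versioned = os.path.relpath(real, pkg_root).split(os.sep)[0]
    name, _, version = versioned.rpartition("-")
    return name, version


def audit_command_dir(root):
    """Entries in ROOT/command that no package accounts for.  Under this
    layout that list should be empty; anything in it was put there by hand."""
    return [e for e in sorted(os.listdir(os.path.join(root, "command")))
            if owner_of(root, e) is None]


def demo():
    """Exercise the layout in a throwaway directory and return what an
    auditor would see before and after a stray file and an upgrade."""
    with tempfile.TemporaryDirectory() as root:
        install_package(root, "ldapdns", "1.0", {"ldapdns": "#!/bin/sh\necho ldapdns 1.0\n"})
        result = {"owner": owner_of(root, "ldapdns"),
                  "strays_before": audit_command_dir(root)}
        # Something copied straight into ROOT/command, bypassing the package tree.
        with open(os.path.join(root, "command", "stray"), "w") as fh:
            fh.write("#!/bin/sh\necho not from any package\n")
        result["strays_after"] = audit_command_dir(root)
        install_package(root, "ldapdns", "1.1", {"ldapdns": "#!/bin/sh\necho ldapdns 1.1\n"})
        result["owner_after_upgrade"] = owner_of(root, "ldapdns")
        return result


if __name__ == "__main__":
    print(demo())
```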
you're missing the point. if you fix ALL of BIND's bugs (or better still- replace all copies of BIND with djbdns) DNS still won't be fixed. the security problems with DNS will still exist- not the least of which being DoS attacks.
and of course dan's been saying it for years. he's a bright guy, and i think you're quite dense for following the masses and suggesting otherwise.
however, to replace DNS, we'd also need to change the clients, and that's a slow operation... all that i am suggesting is let's not waste time worrying about BIND's problems. fix the root of the problem- a design issue....
i've already started using my own workaround. hopefully people will notice and catch on....
a lot of slashdotters have pointed out this is a non-issue; as far as writing scripts goes, so long as you are "careful" you won't run into any problems.
right? i mean exactly how hard is it, knowing, loving, and using bash to click-off the parts of your programmer mind that deal with the bashism shortcuts you take for granted?
as a programmer, i frequently need a few steps to shift gears. i'll be working for four or five hours on some C, flip into a perl program and find myself (quite unconsciously) dropping some $char@act%ers*. they're deceptively similar languages in construct, and i must say "okay, now i'm writing perl" or java or bash or forth or whatever.
this is not to suggest that our friend in need is without hope; that even if he had a real bourne shell he would still make mistakes. this simply illustrates that it's more difficult to avoid those mistakes EVEN WITH the knowledge.
if you're a non-programmer, don't bother responding to me, because it's hopeless to think you'll understand... just because you can quote the linked faq doesn't mean you actually understand it.
the case of typing export out is such a silly one that I often make the same error: i have a rather large administration tool that runs on NT, 2000, Solaris, Linux, and OpenBSD. Its goal is to unify their various differences so that administration can remain (roughly) the same.
as such, it's a myriad of shell scripts, 300-400 line C programs, perl programs, wrappers, and whatnot. the MOST COMMON PROBLEM that I deal with is because I develop initially on a Linux system. Linux is extremely developer friendly (perhaps because it was developed for developers, but that's a haiku waiting about that i'm not going to release today) - and solaris, NT, and 2000 are not (again, YOU can disagree; I know many hailstorm developers that love the new windows platform. you're still wrong.)
however. i did mention that there was hope, and to that i will now digress: your application (whatever it is) must SOMEHOW share some commonalities with the platforms in which you wish it to run.
if your application is a C program: write your installer in C. or better still? write makefiles. perl program? even easier: you have a shell (perl, well, sort of). if your program is a bash script (and i'll pity you if it is) you simply require the use of bash.
i make my administration tool work on many platforms by making those platforms more similar- that way the jump is shorter.
i also have the added benefit of being able to test my changes. they go from my development machine to a staging system (one of each flavor) and from there onto the production webs.
i can't very well suggest that you "avoid making mistakes", and if I suggest "ash" or "zsh" or "csh" i'm simply suggesting that you require something else. i'm not going to have any allusions about it, however: if it doesn't work, use something else ANYTHING else. even if that means you need to slap solaris on a machine (for bourne), or perhaps stealing the *bsd's shell.
you have more than your two (obvious) options- in extremities and in directions. remember your goal first, and then find out what problems exist.
best of luck
it's quite funny actually. DJB has gained so much by creating qmail that when he released djbdns, users blindly followed into it expecting it to be void of security holes.
the biggest problems with DNS on the internet have NOTHING to do with the software used. the protocol itself is quite insecure- and what's worse is that this isn't news!
one thing that certainly needs to change is this silly concept of recursive-resolvers; they change the responses, and thus it's next to impossible to determine which is the "Real" resolver.
thanks to sequence prediction, and because DNS servers/clients don't have any "other" protection, it's quite trivial to smash or alter someone's dns tables (during a zone transfer), or redirect users someplace else (when doing recursion).
what we need is a cryptographic method of "signing" requests. root nameservers should maintain keys in addition to NS rrs. And what bind calls "root hints" should contain the keys of the root nameservers. this way, we can digitally sign responses so that their authenticity can be verified. moreover, if packet-space is limited (and even though "most" queries should have a hundred or three bytes free) we could always just store a hash of the signature. but that's getting too far into implementation.
the basic droll is that we need something BETTER than dns... not just new software, but a new design...
and plus, by implementing crypto into the name services, we'll be able to finally keep the french off the internet.
(for those of you lacking any kind of crypto-political background: the french aren't allowed ANY cryptography.... and you thought US export control was bad!)
i have a coworker. yes, this is to say that i have a job (contrary to popular belief), but in fact this coworker aimed to achieve cisco and solaris certification a while back. he could not accept the rationale in which he failed.
:D
:D)
his complaints were centered around "SH*T, all the test was on the gui. i don't have to know that SH*t in order to administer slowaris" (yes reader, you have either thought this, or heard this before; and i'll pity the former)...
he's the kind of *nix user that thinks anything with a gui is a waste of his time; he abhors "redhat" (because of its users) and yet refuses to learn any kind of a logical-thought process that would allow him to automate his workspace. yes, this poor sap actually prefers to TYPE tedious and repetitious configuration entries in an apache httpd.conf -- and even more sad, he can only type at a measly two-fingered rate of ~ 10-15 wpm.
this attitude helps to explain: his "goal", or what would make him happiest in a "tech job" was being started out at 40k$USD per/year salaried, where he could come to work around 1030-1100, work till 1600 and do nothing but fu*k around with his enlightenment theme all day. of course, it DOES take him all day EVERY day to do it as even my employer can type faster. (who, by the way, is up to 4-5 fingers at a time. i'm very proud.)
what's even more pitiful is that he honestly believes that there are people at his skill-level (which you will have to take my word as to be rather deficient in good unix guru points) making significantly more than he presently does (a meager helpdesk pay; and again you will take my word that he's STILL being paid too much).
and i tell him, "surely a few years ago, you could go with that excuse for experience that you have and find a nice 3-4 month job in a cubicle before the company going under, but that was the boom of the fad!"
his response has always been "but anyplace would pay more that this SH*Thole!"
and so he quit. it took him 3 months before he crawled back (and took a pay-cut)- but yet he still didn't learn. his convictions led him to the belief that he was just lazy.
yes folks, this miserable cretin would rather consider himself a lazy fool, than a stupid one. not that i wouldn't per se, but that i would prefer not to have any allusions about either
which brings me to the point. work is that thing you do that pays the bills. i happen to enjoy my work; i get to write software that does things that nobody else is doing- and that fascinates me enough to keep my job. in my job: i am an important person, with an important task.
this is my mission. a rather good mission. companies do rather well when they simply decide to make an excellent product. yet with this boom for the internet "fad", that just wasn't in ANYONE's mission. it was to "get online" and "get E" and ERP and lots more ands than i feel like typing.
this intangible mission escaped these startups; all they saw was a bunch of long-haired hippies in cubicles with club-lighting and music.
but anyone with some decent thought can tell you that's not how a business is run; and to the intellectually challenged: i'm not saying successful businesses cannot have club-music and nerf cannons, but that this cannot be the pinnacle of their mission.
i happen to work for an internet-based company. it would certainly fit anyone's description of a tech-job. and yet, i never sought a tech-job in my life. i'm a programmer, and by some respects a rather good one. (by others, a lousy one, but that's only incidental
if you're serious about finding "fun work", then trust that it does exist. i won't work anyplace i enjoy, and i DO enjoy where i work. but if you're looking for a company whose business model is "fun", then you're looking for a temp job- just please stop kidding yourself about it.
timing-based attacks aren't new; most people can remember time-based attacks regarding TCP sequence prediction (older windows, IRIX, many others) and so of course the initial reaction is that we need to make XXX protocol (fill this one in with SSH) not-susceptible to this attack.
oddly enough, there's nothing about the SSH protocol that's to blame; only a matter of convenience in implementation: SSH sends one packet at a time so that things can seem as speedy as possible. this is common with interactive protocols, and I should say "a good thing".
if people think it's too big a deal, several "code" things can be done: either batch up several keystrokes (turning up the compression level is one way with some ssh clients), or modify SSH to add some white-noise when keystrokes are being emitted slowly. a third one could be to implement local flow control (^Q/^S) so that SSH would burst passwords together.
unfortunately, the first two of these can actually slow things down a bit, and the third just seems silly (and i don't think emacs users would like having their precious confusing control keys taken away or quoted)...
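To make the trade-off in the post concrete, here is an added simulation (my code, not from the post or from any SSH implementation) of what a passive observer sees when one packet goes out per keystroke, and what is left of that signal under the first two fixes the post lists: batching keystrokes for a short window, and sending on a fixed clock with padding packets in the empty slots. The keystroke timestamps are constructed, not measured. With batching the observer still sees gaps that depend on typing rhythm, only coarser; with a constant-rate schedule every gap is identical and the timing channel is gone, at the cost of bounded extra latency and a steady stream of cover packets, which is the slowdown the post is talking about.

```python
"""Added example (not from the post, and not from any SSH implementation):
a constructed simulation of the keystroke-timing leak and of two of the
mitigations the post lists, batching keystrokes and constant-rate sending
with padding.  All timings below are made up."""
import math

# Constructed inter-keystroke timings (seconds) for an 8-character password.
# With one packet per keystroke, these gaps are exactly what a passive
# observer of the encrypted stream gets to see.
KEYSTROKE_TIMES = [0.000, 0.180, 0.265, 0.530, 0.610, 0.990, 1.070, 1.150]


def inter_arrival(times):
    """Gaps between consecutive packet send times: the observer's raw signal."""
    return [round(b - a, 3) for a, b in zip(times, times[1:])]


def batch_keystrokes(times, window):
    """Mitigation 1 (the post's 'batch up several keystrokes'): hold input
    for up to `window` seconds after the first pending keystroke, then send
    everything pending as one packet.  Returns [(send_time, count), ...]."""
    packets = []
    pending = [times[0]]
    for t in times[1:]:
        if t - pending[0] <= window:
            pending.append(t)
        else:
            packets.append((round(pending[0] + window, 3), len(pending)))
            pending = [t]
    packets.append((round(pending[0] + window, 3), len(pending)))
    return packets


def constant_rate(times, interval):
    """Mitigation 2 (the post's 'white noise'): emit one packet every
    `interval` seconds whether or not anything was typed; a slot with no
    keystroke carries padding.  Keystrokes typed since the previous slot ride
    in the next one, so added latency is bounded by `interval`.
    Returns [(send_time, carries_real_data), ...]."""
    slots = int(math.ceil(times[-1] / interval)) + 1
    pending = list(times)
    out = []
    for i in range(slots):
        t = i * interval
        real = False
        while pending and pending[0] <= t:
            pending.pop(0)
            real = True
        out.append((round(t, 3), real))
    return out


def timing_leak(send_times):
    """Number of distinct gap values the observer sees.  1 means the send
    schedule carries no keystroke-timing information at all."""
    return len(set(inter_arrival(send_times)))


if __name__ == "__main__":
    print("raw gaps      ", inter_arrival(KEYSTROKE_TIMES))
    print("batched       ", batch_keystrokes(KEYSTROKE_TIMES, 0.1))
    print("constant rate ", constant_rate(KEYSTROKE_TIMES, 0.1))
    for label, times in (("raw", KEYSTROKE_TIMES),
                         ("batched", [t for t, _ in batch_keystrokes(KEYSTROKE_TIMES, 0.1)]),
                         ("constant", [t for t, _ in constant_rate(KEYSTROKE_TIMES, 0.1)])):
        print(f"{label}: {timing_leak(times)} distinct gap value(s)")
```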
i've noticed a lot of people pumping up all kinds of products; free ones, proprietary, and even a bunch of asses advertising their own hosting provider (couldn't resist, but at least i admit i'm an ass.), but the question of whether there are similar projects out there...
webmin and similar products don't count, because if you don't know unix, you shouldn't run it, let alone administer it, LET ALONE THAT, and try and run a business using it.
web hosting is a business. no matter which way you look, and while I have found several (many of the ones listed elsewhere on this page), most tend to coerce you into using their hosting solution(tm), instead of bending to your system.
if you're serious about doing web-hosting, build a platform. take redhat, or debian, or solaris, or whatever you like/know, and build your system. use whatever components you feel comfortable with; but don't worry about a gui. make shell scripts for your timid users. writing a few dozen perl/shell scripts to help out users is a good idea(tm), and if you absolutely want a web-based interface, it's a simple matter to write some web-glue for that.
truth here: if you think you can build a successful web-hosting company _without_ spending time on it (e.g. purchasing your components), you've definitely got another thing coming, and you will run into it sooner or later.
so take my advice, give the users the capacity for control first, then make your own damn pages to actually make it easy on them. any other route spells disaster for the future.
and as a closing note, i *hate* all those 3$...5$...10$ hosting providers with an unprofessional-looking website, and some shoddy NT/IIS based or Redhat+RedhatServer(blah) garbage (hacked in five flat. guaranteed), and expect to stick around. all they do is waste people's time... and if you fuck up early, you'll make it harder on yourself in the future.
chances are, they think that they can give you more responsibilities without a bigger paycheck; they probably KNOW that you are competent at your job, but are hoping that you would make the jump of logic that you did.
quit telling them "I just don't want to do it", tell them how much they can expect to pay for someone in that position (who works for a larger company, etc)... Something like "Hey, I'll take it, but I'll make the money for the job. Place me at a (insert value plus 25K$USD for the ass) and I'll take it... Otherwise, keep me where I'm at and pay that much for someone else, I really don't care."
It worked for me, and it can work for you. It started with them hiring somebody completely incompetent (at the salary they wanted me to work at) that blew out the mail server (a jackass NT IS guy that thought that because the case opened, the hard drives must be hot-swappable- YOINK!)
He lasted two weeks, and they decided to fork out the better dollar for the better work.
So when can I see the source for CCVS?
pshaw; there's no sound in space, so how could it be faster than anything that measures its distance with a quantum so close to zero that it makes no odds?
(1)
[BUSH] The war on drugs began with my father, and I will continue that struggle on behalf of the American people. I don't believe this war is in our own streets; It's in foreign military relations!
[GORE] I invented drugs.
(2)
[BUSH] My father wanted me not to be known as a racist, but instead as anti-Semitic! Hey, we got that witch-girl in Oklahoma on trial, didn't we?
[GORE] We should protect all religions equally; they don't require special rights, and they shouldn't be given them.
(3)
[BUSH] My dad got lower taxes.
[GORE] I invented lower taxes.
(4)
[BUSH] The electoral college has been reformed. Don't you guys know I'm going to be president? Hey dad! When do I get to push the button?
[GORE] We need to stay focused on the issues. Perot had more than "enough" money at his disposal, and I believe that's what truly proves that we have the greatest nation in the world.
(5)
[BUSH] When do I get to rule the world dad! You said I could do it! You said!!!!
[GORE] I invented the internet.
(6)
[BUSH] You promised! You promised! You promised!
[GORE] I invented encryption.
(7)
[BUSH] You promised! You promised! You promised!
[GORE] As more and more companies wish to do business with the United States, more and more companies gain a better understanding on how to do business with America. Monopolies are not inherently bad, they simply are not adequately controlled, and that is something I plan to rectify.
(8)
[BUSH] Oh, sorry... What was the last question? Oh, asteroids. Yeah, we need to relive the star-wars project just for this reason. And to help engage foreign military policies, and to strengthen our own military hold as good Americans.
[GORE] I invented Asteroids[tm].
(9)
[BUSH] Something about a thousand points of light. It sounds great!
[GORE] People still want conflict. The media proves this! But as media begins to embrace my internet, we will get more into personal ideas and ideals that can do nothing but improve our quality of life, and the flow of information. This is our mission: To inform and understand. And we are already doing a great job of it!
[BUSH] bdah, bdha, that's all folks!
[GORE] I invented folks.
[US-]english is only the choice of the internet generation (sic sic sic...) because the internet is free. in the US, the general populace (or what we perceive it is) believes that speech is free. so i believe that people who live in the US tend to treat all speech as free.
now, the problem with english is that nobody in the US speaks it. Or at least, very few speak it properly. Even fewer write it properly. This post is completely incorrect english, but most readers aren't bothered by this. they know to read what i mean, not what i actually wrote.
but machines can't do this... not without making the same leaps of faith that we human beings take for granted so often. and while everyone knows this, they still try and make the machines dumber.
yes, i do mean dumber. machines (as now) are extremely smart; they don't make mistakes. so this means that while you are reading anything, including this post, you are making many mistakes. it is only by making these mistakes that you're able to read this.
this isn't new news; we've known this for years. which is why we have made so many different programming languages, each encompassing an extremely strict (by English standards) notation by which the message is understood.
writing code in itself is not all that difficult (far easier than reading english, in many ways). so maybe we should be focusing on that movement; making ourselves (humans) smarter, instead of the computer dumber.
of course, you can read what I've written, and know that this is a horrible idea, but in the past 100 years, the english language(s) has metamorphed into so many different dialects that we may even put the chinese to shame. we have our share of slang and colloquialisms (sp?) too, and because the computer doesn't understand them, we are stupid for using them.
It is only in the past few months that the FISH started translating "Login" as "beginning activity" instead of "logarithm".
but as i've mentioned, it isn't just the colloquialisms the machine has to interpret: the computer must be taught to THINK.
in short: purely-MT will be going nowhere for a long time so long as Eliza sums up computer AI.
The usefulness of an encrypted filesystem is limited to removable media and pseudodisks (e.g. those created using the kernel loopback driver). It's been pointed out that many people actually want to encrypt their entire hard drive (or an entire partition) which seems to me to be the biggest waste of cycles there is. But then again, as soon as we classify hard disks as removable (like there aren't hardware locks with similar effectiveness) media it seems to quickly become warranted.
/etc/passwd and friends). if you need more protection, you're going to go slower (encrypting swap), and slower (encrypting the entire disk), and slower still (embedding your laptop in a cement block and dropping it into the ocean).
Of course, this makes a nasty assumption that if you're going to encrypt your disk, you've already got the reason for it. But before I go too far into that, let me quickly point out that network filesystems and encrypted filesystems cannot be considered complementary. NFS, AFS, and CIFS (all commonly referred to as network filesystems) bear no resemblance with block devices for the very reason that (all) network block devices themselves are extremely inefficient. Not only is it a waste of bandwidth, but also a waste of cycles for the client (assumed: servers usually have more cycles than clients. if they don't, you have other problems).
But crypto on NFS and friends all involve themselves with encrypting the network traffic, instead of the individual segments of the files, or the disk-blocks they refer to.
Mr. Blue mentions that he wishes to encrypt his laptop disk for the sake of security. And being a laptop it can immediately be considered removable media (snicker). And while the most common reason that laptops are stolen are in fact for the hardware (e.g. resale), the lap-jacker may be technologically inclined (as is becoming more common) and wish to sneak out credit card numbers and other goodies out of the disk before sale.
So now that I have finally established both cause and reason to encrypt, I can finally target a technological issue of performance.
By simply creating your disk IMAGE, you are slowing down your system. The goal is to slow it down the least. The way that slows it least is to (on login, presumably) decrypt the entire image into a ramdisk (or other element that will be nuked on reboot - such as a swapfile) and use the decrypted image instead. Before anyone says this is a stupid idea (what if they use a boot floppy), remember that unless you have a lot of ram, your decrypted secrets would be in your swap ANYWAY.
So bypassing the obvious of disabling floppy boot, the attacker can still take out the hard disk and put it in another machine. Since your data hasn't been wiped by boot (and/or is still in swap), you would then need the filesystem and the swap to stay in ciphered form (to make sure all of your data is protected). So in addition, you must keep your swapfile in cipherspace (snicker) so that the bad people can't get there either.
Which still allows us to keep most of our "work data" in unencrypted space (ramdisk) because when portions of our ramdisk need swapping, they'll be reciphered anyway. And if you weren't thinking about swap, you're faster still.
So, the short answer (if you read this far, you deserve it by now) is that your filesystem will go as slow as you need it to. That is to say that if you are protecting from your laptop being stolen, using a ramdisk for sensitive files is probably good enough (my portable penguin uses PGP to store my ramdisk when sleeping. the ramdisk was 24m which was good enough for my ssh password lists, keys,
I seriously do not know how Sony can expect to sell anything this incomplete! This AIBO is just another example of Sony neglecting to include the features most desired in a Robot Companion. It has no apron, the blinking red lights aren't sticking out of its neck, and I suspect that those plastic hooves don't have wheels hidden under them...
It seems interesting to me that people might think that certificates would work differently in Apache-SSL v.s. Apache+mod_ssl. More so when they both use the same API for performing the crypto layer to read/write the certificate files (SSLeay; now known as OpenSSL).